The Microsoft Windows NT Platform: Enterprise Interoperability with UNIX
Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
This paper describes the features and components in Microsoft® Windows NT® Server 4.0 that enable broad interoperability with UNIX-based systems, data, and applications. Using Windows NT Server and its fully integrated system services, customers can build interoperable solutions to satisfy their goals for lowering total cost of ownership and maximizing business value. This document is designed for technical IT managers interested in more detail than what is covered in Windows NT and UNIX Interoperability. Microsoft and Compaq® co-authored this paper.
Interoperability is essential in today's increasingly heterogeneous computing environments. It begins with network protocols and directory security, and extends to heterogeneous, distributed enterprise applications, and network and system management. Layered in the middle are data access and sharing, application porting, and cross-platform application access.
Rather than advocate replacing equipment in a piecemeal fashion, Microsoft helps customers evolve their information technology infrastructures in ways that capitalize on new technologies and products. This solution improves information sharing, reduces computing costs, and capitalizes on past investments. This paper focuses on broad enterprise interoperability with UNIX by elaborating on the network, data, applications, and management framework put forth in Windows NT and Unix Interoperability.
Specifically, this White Paper describes Microsoft's enterprise interoperability with UNIX for Microsoft® Windows NT® Server version 4.0 in five major areas:
Network connectivity and services, including directory services, and security
Information access such as messaging, and file and print sharing
Cross-platform user, system, and network management
Application interoperability, including access to relational databases
Distributed cross-platform application development
Network Connectivity and Services
The first level of interoperability begins with having computers that can talk to each other in a network. This means that the computers must use the same protocol and there must be some way of identifying resources on the network.
Achieving the most basic level of integration between Microsoft Windows®-based PCs and UNIX workstations requires reliable network connectivity between the two environments. Windows NT provides this foundation through built-in support for TCP/IP, the standard suite of network transport protocols used in UNIX environments. By featuring TCP/IP support, a Windows NT-based server is able to communicate with UNIX systems natively over enterprise networks and the Internet. Built-in support for services such as Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), BOOTP, and Remote Procedure Call (RPC)—the building blocks of TCP/IP-based enterprise networks—ensures that Windows NT-based servers can provide the necessary infrastructure to deploy and manage these networks.
Another benefit of the common TCP/IP infrastructure across Windows NT- and UNIX-based systems is support for services such as FTP, HTTP, and Telnet. Through FTP and HTTP services, users can copy files across networks of heterogeneous systems and then manipulate them locally as text files or even Microsoft Word documents. In addition to copying UNIX files, PC users can access character-based UNIX applications through the Windows NT support for remote logon. By running terminal emulation software built into the Windows 95 and Windows NT operating systems, a user of a Windows-based PC can log on to a UNIX timesharing server in a manner similar to a dial-up connection. After entering an authorized user name and password, PC users will be able to employ character-based applications residing on the remote UNIX workstation as if they were logged on to the system directly.
PC users can manipulate data between applications running in separate windows on the display, even when that data is generated by applications on different operating systems. For example, imagine a user accessing a UNIX engineering package from a desktop running Windows, using an X Windows emulation package. There are several X Windows emulation solutions (such as those offered by Hummingbird Communications and WRQ) that can address this customer requirement. Such a user can display, select, and Cut a drawing from an application running on the UNIX system, and Paste that data into a Windows-based application, such as Microsoft Word for Windows. For example, technical documentation might be written in an engineering group where some key data is on UNIX systems and managed by UNIX applications, but where documentation is authored on Windows NT Workstations using Microsoft Word for Windows.
DNS and WINS Integration
DNS is used on most UNIX systems and on the Internet for resolving names to Internet addresses. Essentially DNS is a set of protocols and services on a TCP/IP network that allows users of the network to employ hierarchical user-friendly names when looking for other computers instead of having to remember IP addresses.
For example, suppose the FTP site at Microsoft had an IP address of 188.8.131.52. Most people would reach this computer by specifying FTP.microsoft.com instead of the less memorable IP address. Besides being easier to recall, the name is more reliable: the numeric address could change for any number of reasons, but the name can always be used. If you have used a Web browser, Telnet application, FTP utility, or other similar TCP/IP utilities on the Internet, then you have probably used a DNS server.
Windows NT Server 4.0 has a built-in DNS service that is standards-based (IETF RFC 1053). Because the DNS in Windows NT Server 4.0 is RFC-based, administrators can easily migrate from their existing DNS to the Windows NT Server DNS, or coexist with a non-Microsoft DNS.
Windows NT 4.0 Server DNS Service provides a Windows Internet Naming Service (WINS) lookup feature. WINS dynamically manages the mapping between friendly names and IP addresses of network resources in a Windows NT Server-based network. For example, if the name cannot be resolved using DNS, the name request is forwarded to WINS for resolution. The WINS Lookup feature provided as part of the Windows NT Server DNS service reduces administrative costs by eliminating some of the manual name and address tracking administrative tasks associated with the current network DNS systems.
This form of dynamic name resolution is only available on networks with computers running Windows NT Server with DNS and WINS enabled.
For a complete discussion of DNS and WINS integration, see Chapter 3, "Implementation Considerations" in the Microsoft Windows NT Server 4.0 Networking Supplement.
One of the challenges of working within a large, distributed computing environment is identifying and locating resources such as users, groups, and documents. A directory service provides a way to locate and identify the users and resources available in the system.
Most enterprises already have many directories in place. For example, network operating systems, electronic mail systems, and groupware products all have their own directories, and each has its own API set for accessing and managing the directory. When a single enterprise deploys multiple directories, many issues arise, including usability, data consistency, development cost, and support cost.
Active Directory Service Interfaces
Microsoft developed Active Directory Service Interfaces (ADSI) to make it easier for developers to write directory-enabled applications using high-level tools such as the Microsoft Visual Basic® programming system, Java, C, or the Visual C++® development system. This frees developers from having to worry about underlying differences between the different namespaces.
For example, with ADSI, UNIX developers can create applications to enumerate and manage LDAP-, X.500-, NDS-, Notes-, and Windows NT-based directories with a single interface, as long as the appropriate service providers are available. An ADSI provider maintains the implementation of objects and dependent objects for a particular namespace. With ADSI, clients need be concerned only with getting and using interfaces on an object, and not with the details of where and how the software of an object is implemented.
Customers and independent software vendors can download the Active Directory Service Interfaces (ADSI) Software Development Kit (SDK). Microsoft has also implemented ADSI in Java, which makes it easy to create directory management applications in Java.
Microsoft is attentive to heterogeneous security in the case of interoperation with UNIX systems. For example, Microsoft will provide one-way, encrypted password synchronization with Windows NT Services for UNIX. This add-on pack allows users of Windows NT Workstation to log on to a Windows NT-based domain and gain access to file resources hosted on a UNIX server without being prompted for another user ID and password. Windows NT Services for UNIX is currently in beta testing. Read the press release for more information.
Advanced Server for UNIX (ASU) further extends interoperability between Windows NT and UNIX. For example, it provides full Windows NT domain controller support on UNIX. The UNIX system can be either a Primary Domain Controller or Backup Domain Controller in a Windows NT environment. This means that the users can log on to the Windows NT network once and gain access to resources distributed between a UNIX server and Windows NT Server on the network. AT&T exclusively licenses the ASU technology to virtually all major UNIX suppliers, such as Compaq®, Hewlett-Packard, Data General, Fujitsu-ICL, and Siemens-Nixdorf.
Advanced Server supports Windows NT file permissions and local and global group permissions. When Windows-based clients gain access to a disk share or print share on your UNIX box, the UNIX server checks the user's access permissions against the Windows NT permissions. Optionally, you can force users to go through two levels of permissions (first Windows NT and then UNIX) for tighter security. ASU also supports Windows NT local and global groups, allowing easier segmentation of user access across Windows NT and UNIX resources.
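The two-level check described above, as an added model that is not part of the original paper or of the Advanced Server product: a Windows NT share ACL (with explicit deny taking precedence, and group membership from local and global groups) is evaluated first, and the UNIX mode bits are consulted only when the optional second level is switched on. The names (NtAce, UnixFile, can_access, the sample user and share) are constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass
class NtAce:
    """One access-control entry on a Windows NT share (simplified model)."""
    principal: str          # user name or NT local/global group name
    rights: set             # subset of {"read", "write"}
    deny: bool = False      # explicit deny entry


@dataclass
class UnixFile:
    """The UNIX-side object behind the share: owner, group and mode bits."""
    owner: str
    group: str
    mode: int               # e.g. 0o640


@dataclass
class User:
    name: str
    nt_groups: set          # NT local and global groups the user belongs to
    unix_name: str          # UNIX account the NT user is mapped to
    unix_groups: set


def nt_check(user, acl, right):
    """Level 1: Windows NT permissions. An explicit deny on any matching entry wins."""
    principals = {user.name} | user.nt_groups
    matching = [ace for ace in acl if ace.principal in principals and right in ace.rights]
    if any(ace.deny for ace in matching):
        return False
    return any(not ace.deny for ace in matching)


def unix_check(user, f, right):
    """Level 2: UNIX owner/group/other mode bits for the mapped account."""
    bit = {"read": 4, "write": 2}[right]
    if user.unix_name == f.owner:
        shift = 6               # owner triplet
    elif f.group in user.unix_groups:
        shift = 3               # group triplet
    else:
        shift = 0               # other triplet
    return bool((f.mode >> shift) & bit)


def can_access(user, acl, f, right, two_level=False):
    """Return (allowed, reason). The second level can only narrow access, never widen it."""
    if not nt_check(user, acl, right):
        return False, "denied by Windows NT permissions"
    if two_level and not unix_check(user, f, right):
        return False, "allowed by Windows NT, denied by UNIX permissions"
    return True, "allowed"


def sample_setup():
    """Constructed sample: an engineering share and a contractor who is also an engineer."""
    acl = [
        NtAce("Engineering", {"read", "write"}),            # global group, allow
        NtAce("Contractors", {"write"}, deny=True),        # local group, explicit deny
    ]
    drawing = UnixFile(owner="alice", group="cad", mode=0o640)
    bob = User("bob", {"Engineering", "Contractors"}, "bob", {"eng"})
    return bob, acl, drawing


if __name__ == "__main__":
    user, acl, f = sample_setup()
    for right in ("read", "write"):
        for two_level in (False, True):
            print(right, "two-level" if two_level else "NT-only", can_access(user, acl, f, right, two_level))
```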
Compaq has added a password-management utility to the Advanced Server for DIGITAL UNIX product. This utility helps users manage their UNIX, NIS, and Windows NT passwords to help keep these in sync. When users of Windows 95 or Windows NT change their Windows network password, they can also have that password change affect their DIGITAL UNIX or Network Information Service (NIS) password.
Security Support Provider Interface
The Microsoft Security Support Provider Interface (SSPI) is a well-defined common API for obtaining integrated security services for authentication, message integrity, message privacy, and security quality of service for any distributed application protocol. Application protocol designers can take advantage of this interface to obtain different security services without modification to the protocol itself.
Windows NT version 5.0 will natively incorporate security technologies such as Kerberos authentication, public key cryptography, digital certificate support, native encryption of files, and smart card support.
The next level of interoperability is to enable information access in a heterogeneous environment. This means interoperability between mail environments, allowing users to gain access to file shares and printers regardless of server environment.
Full and comprehensive support of all important protocols is the key to seamless interoperability between messaging systems on UNIX and Windows NT. Microsoft Exchange Server version 5.5 supports the necessary protocols as follows:
The Exchange Internet Mail Service (IMS) is a full-function Simple Mail Transfer Protocol (SMTP) mail server. Messages can be sent between Microsoft Exchange Server and any UNIX SMTP-based mail server. The IMS incorporates many high-end features, including the ability to block "spam" and unsolicited commercial e-mail (UCE). IMS also supports SMTP extensions such as extended turn (ETRN), important when fetching mail held by an Internet Service Provider.
The Exchange Internet News Server (INS) supports bidirectional exchange of Network News Transfer Protocol (NNTP) newsfeeds. Users who post messages to newsgroups hosted on UNIX servers can have the messages fed to an Exchange server, where they will be kept in a public folder. Exchange users can post to the public folder, in which case their messages will feed, using NNTP, to the newsgroup on the UNIX server.
The Exchange Information Store supports client access through a range of protocols including MAPI, POP3, IMAP4, and HTTP or HTML. No native MAPI client is available for UNIX, but native POP3 or IMAP4 clients can be used to connect directly to mailboxes hosted on an Exchange server. Message content is provided to these clients in their native format and no conversion is necessary.
Outlook Web Access (OWA), a server-side application executed by Microsoft Windows NT Server Internet Information Server (IIS) services enables Web browsers running on UNIX workstations to gain access to Microsoft Exchange Server mailboxes, public folders, and calendars. The browser must be able to support frames and Java or Visual Basic script. In this configuration, code contained in a set of active pages that make up the OWA application is executed on the server, and the results are rendered into standard HTML and sent back to the browser for display.
SSL, the Secure Sockets Layer, can be used to secure the connection between clients and Microsoft Exchange Server. SSL is supported for secure HTTP, POP3, IMAP4, and LDAP connections. Exchange limits the use of TCP/IP ports for client connectivity, so controlled access through a firewall is fully supported.
Microsoft Exchange Server 5.5 supports S/MIME digital signatures and encryption. This means that anyone equipped with a set of S/MIME keys (such as those issued by http://www.verisign.com) can send signed or encrypted messages to recipients, no matter whether they connect to Exchange or a UNIX mail server. Client extensions are also available to allow Exchange clients, such as Microsoft Outlook™ messaging and collaboration client, to use PGP-based encryption.
With such a choice of protocols, Microsoft Exchange Server can be connected into a UNIX messaging environment, or users can be migrated from a UNIX mail server to Exchange. In the latter situation, users can continue to employ the same client. Migration utilities to move the contents of mailboxes for sendmail-type systems are included in the Exchange Resource Kit.
File and Print Services
Users who frequently share files between UNIX and Microsoft environments find the standard File Transfer Protocol to be too cumbersome. For them, there are alternative approaches: Server Message Block (SMB) and Network File System (NFS).
SMB: A Microsoft-oriented approach is generally a better choice when Windows NT is to be the primary platform while maintaining connectivity to existing UNIX systems. In that case, a Windows NT networking for UNIX solution (SMB), such as Compaq's Advanced Server for UNIX product, can enable access to UNIX files from desktops running Windows NT.
NFS: All major UNIX operating systems—including DIGITAL UNIX—have built-in NFS file sharing capabilities. Customers are likely to use NFS when adding Windows NT to an environment where UNIX is the primary platform. It is likely that NFS is already familiar to UNIX users as a means of allowing desktops running Windows NT to gain access to files on UNIX systems or of allowing Windows NT Servers to share files with UNIX desktops.
Network File System
NFS allows users to mount remote directories and disks so that they appear as local drives. All major UNIX operating systems—including DIGITAL UNIX—have built-in NFS file-sharing capabilities.
Using NFS to Share Data Between UNIX and Windows NT Platforms
NFS for Windows platforms comes in two flavors. NFS client products for Windows, Windows 95, Windows 98, and Windows NT operating environments allow clients to gain access to files and printers that exist on UNIX servers. NFS server products—most commonly for Windows NT Server environments—allow UNIX workstations and servers to gain access to files and printers on systems running Windows NT.
Microsoft provides both NFS Server and NFS Client software in its Windows NT Services for UNIX add-on pack. The add-on pack has other useful features including one-way password synchronization, more than 25 UNIX scripting commands, and the UNIX Korn Shell. One-way password synchronization allows users to maintain a common password between their Windows NT- and UNIX-based machines. The UNIX scripting commands and Korn shell give users the ability to automate common processes and administrative tasks across both Windows NT and UNIX. Customers who want to install NFS on desktops running Windows 95 or Windows 98 can take advantage of products from third-party vendors such as Hummingbird, WRQ, and many others.
Most vendors of NFS for Windows products have integrated NFS into the PC desktop. PC users can gain access to NFS shares from Windows Explorer, My Computer, or the Windows File Manager. Users can browse through their NFS tree for file shares that are available for mounting. Most implementations also support UNC format, such as \\system\sharename, to map NFS network drives.
NFS Gateways for Windows NT is a recent offering from many vendors. The approach is very straightforward: NFS Gateway software is loaded on a Windows NT Server. The server uses NFS to mount file and print resources on UNIX, and then re-shares those resources with the Windows NT community using the SMB protocol. The gateway appears to the UNIX system as another UNIX system, with terminals accessing files. No additional software is required on the UNIX system, the UNIX administrator maintains file-level security, and the administrator of Windows NT Server controls access to connections. The first release of Windows NT Services for UNIX does not include an NFS Gateway, but the second release of the add-on pack will.
Networking with Microsoft Windows
There are a number of products based on the SMB protocol that provide an alternative to the NFS-style of file and print sharing. This option is often preferred in Windows NT-based sites that are expanding and adding UNIX servers to their predominantly Windows NT-based systems environment, or UNIX sites that want to standardize on Windows NT-style file and print services. SMB provides a smooth transition from the existing base of UNIX servers, thereby allowing organizations to capitalize on their existing investments in hardware, software, and skills.
Sharing Data Between UNIX and Windows NT
Running the SMB protocol on UNIX servers and workstations, UNIX systems can gain access to files managed by Windows NT Server. However, using Windows-based clients to gain access to files held on UNIX servers is more common. Windows-oriented networking on UNIX ranges from a freeware port known as "Samba," to the Microsoft-licensed Advanced Server for UNIX, to independent software products such as Syntax Corporation's TotalNET Advanced Server and SCO's VisionFS product.
Because the SMB protocol on UNIX products is implemented as a server to support native Microsoft clients, no additional software is required on Windows-based clients. Instead, the software is installed, configured, and managed on the centrally administered UNIX server.
The SMB protocol on UNIX applications allows end users to gain access to the UNIX server in much the same way as they employ their Windows-based network servers from their PCs. For example, a user can double-click on Network Neighborhood and see the UNIX server represented alongside the Windows NT Server-based system. The user can also browse the UNIX server for available shares and print resources, and can move files from Windows-based shares to UNIX shares using a drag-and-drop operation in Windows 95 Explorer or the Windows for Workgroups File Manager.
The administration of UNIX SMB products differs greatly, from the UNIX-centric configuration file approach offered by "Samba," to the ASU implementation of management using the default administrative tools in Windows NT Server, to Syntax's TotalNET Advanced Server's Web-based interface.
What is "Samba"?
"Samba" is a suite of programs that work together to allow a client to gain access to a server's files and printers through SMB. "Samba" is freeware that is distributed in source form, and it runs on DIGITAL UNIX and most UNIX variants.
"Samba" allows the user to redirect disks and printers to UNIX disks and printers from LAN Manager clients, Windows for Workgroups version 3.11 clients, Windows NT clients, Linux clients, and OS/2 clients. A generic UNIX client program is supplied as part of the "Samba" suite. This program allows UNIX users to employ an interface resembling FTP to gain access to files and printers on any other SMB servers.
System administrators are increasingly faced with the necessity of providing interoperability between systems supporting different network protocols. With the Windows family, system integrators receive support for protocols such as TCP/IP, NetBEUI, IPX/SPX, NetWare Core Protocol, Systems Network Architecture (SNA), LAN Manager, X Window System, and NFS.
SNMP-based System Management
To integrate Windows with UNIX systems, Microsoft provides Simple Network Management Protocol (SNMP) service in Windows NT, Windows 95, and Windows 98. Network administrators of UNIX systems can thus use SNMP management software such as HP OpenView to manage systems based on Windows.
The SNMP service in Windows NT provides support for the Internet Management Information Base-II (MIB-II) and LanMan MIB II. Future support is planned for the Ethernet MIB, X.25 MIB, and Host MIB.
HP OpenView and IBM NetView are examples of SNMP–based management software available on the Windows family. Using such products, system administrators on Windows NT Server can manage UNIX clients.
Systems and Network Management
Across the board, support for SNMP in Windows NT has reached critical mass, with HP OpenView, CA Unicenter TNG, and IBM Tivoli available on the Windows NT operating system. In addition, Windows NT Server and Windows NT Workstation both include complete support for SNMP Management Information Base (MIB) files, allowing them to be managed through these consoles.
For administrators trained in the management of UNIX systems, Windows NT can now offer the same management paradigm by means of tools from MKS and Softway Systems. Both vendors offer UNIX-style commands, utilities, and shell environments that make a Windows NT-based system look, act, and feel like a UNIX-based system. Administrators uncomfortable without tools such as awk, grep, and ps can now be productive immediately when managing a Windows NT-based system. Windows NT 5.0 will offer a full range of built-in command-line and scriptable management capabilities providing true "lights out" management of a Windows NT-based system.
User, File, and Print Service Management
Advanced Server for UNIX has the ability to perform system management tasks affecting UNIX servers directly from native Windows NT Server management tools. For instance:
System administrators can add users to their UNIX and Windows NT user databases in a single step from the User Manager for Domains tool, which ships with the Windows NT operating system.
A file share that is visible to both PC users and UNIX NFS users can be created on UNIX in a single step using the Manager Tool in Windows NT Server.
The Windows NT System Policy Editor can be used to establish policies that define the environment for specific computers, users, or groups of users across the UNIX and Windows NT operating environments.
By supporting the back-end Microsoft management calls on the UNIX server, Advanced Server helps eliminate the need for system administrators trained on Windows NT-based tools to learn two sets of tools for daily administration.
Application Interoperability and Data Transactions
Universal Data Access
A major challenge faced by developers of enterprise application software is deciding how to best integrate applications they create with the many available data sources. Not only are there usually many sources of information, but also the sources change constantly as new tools are introduced and numerous computing platforms are used. This changing environment causes applications to break down, or quickly become obsolete and require rewriting.
Applications need a flexible way to access information across platforms and across data sources that they can count on over time. To meet this need, the software industry has developed a number of technologies to separate the access to data and information from the particular format and data sources. One of the most popular approaches is to use Open Database Connectivity (ODBC) software. This software is now available for Windows NT and DIGITAL UNIX systems. With ODBC, an application developer can now create applications that gain access to data sources across platforms and databases independently of the database or the operating environment on which they will run. This allows the user to write application code that can be used on either DIGITAL UNIX or Windows NT in exactly the same way. The application can connect to databases running on either platform, regardless of the platform on which it will run. Users now have the flexibility to employ both UNIX and Windows NT platforms as appropriate for the organization's needs.
The current generation of ODBC software has matured, and now there are many software developers who are experienced with ODBC. In addition, the software technology provides good performance across a variety of databases. Developers can get an ODBC SDK for UNIX drivers from INTERSOLV. ODBC drivers and related data access software for DIGITAL UNIX can be found at http://www.unix.digital.com/data-access.
Over the past year, Microsoft has invested in developing a new generation of Data Access software. The new software technology is OLE-DB and Active Data Object (ADO). ADO is a new programming interface used to gain access to data sources. The ADO interface brings to developers a simpler programming interface to work with, across a broader range of data sources. OLE-DB is the new technology for how data users connect to data sources. OLE-DB technology allows the support of a broader range of data sources and supports easier integration of multiple data sources to an application. ADO and OLE-DB technologies are being deployed across Windows NT, Windows 95, Windows 98, and DIGITAL UNIX.
For application developers working with Java, the software industry has developed JDBC. This software is similar to ODBC, but provides support for Java applications to gain access to data sources and databases across platforms. Both DIGITAL UNIX and Windows NT provide support for JDBC with Java applications connecting to a variety of databases.
Microsoft Transaction Server 2.0 (Enhanced Support for Oracle 7.3)
Microsoft Transaction Server (MTS) is a component-based transaction processing system of Windows NT that combines the features of a TP monitor and an object request broker. It defines a programming model and provides a run-time environment and graphical administration tool for managing enterprise applications. Microsoft Message Queue Server allows applications to communicate with other application programs by sending and receiving messages.
Today, Oracle databases can participate in MTS-based transactions. This is possible because Oracle version 7.3.3 for Windows NT supports XA, and Microsoft has enhanced the Microsoft Oracle ODBC driver to work with Microsoft Transaction Server.
Microsoft Transaction Server also works with Oracle 8 databases. However, users must gain access to the Oracle 8 database server by using the Oracle 7.3 client. Customers must use the Microsoft Oracle ODBC Driver supplied with Microsoft Transaction Server version 2.0 with Oracle databases because it is the only Oracle ODBC driver that works with MTS.
ODBC connection pooling works with Oracle databases. Connection pooling is built into the ODBC 3.0 and 3.5 Driver Managers. Therefore, connection pooling works, provided that the Oracle ODBC Driver you use is thread-safe. Oracle database connections are pooled when you use the Microsoft Oracle ODBC Driver.
Users can access Oracle databases on UNIX and other operating environments, and these databases can participate in transactions. For example, users can update a Microsoft SQL Server™ based database on one Windows NT-based system, an Oracle database on another Windows NT-based system, and an Oracle database on a UNIX system under a single atomic transaction. If the transaction commits, all three databases are updated. If the transaction aborts, all work performed on all three databases is backed out. Microsoft Transaction Server interoperates with any Oracle platform accessible from Windows NT, Windows 95, or Windows 98. During the Microsoft Transaction Server 2.0 beta program, Microsoft Transaction Server was used with Oracle databases on the following platforms: DIGITAL UNIX, HP-UX, IBM AIX, Windows NT, and Sun Solaris.
Microsoft Distributed Transaction Coordinator (DTC) does not have to be running on UNIX and other non-Windows NT platforms in order for an MTS component to update Oracle databases. All of the updates made by the component can be performed under the control of a single distributed atomic transaction. This is possible because the DTC running on Windows NT Server acts as the transaction coordinator. The DTC communicates with the Microsoft Oracle ODBC driver running on the Windows NT-based system to tell it the transaction's outcome. The ODBC driver relays this information to the Oracle database on the UNIX or other system. The Oracle database then commits or aborts the transaction as necessary.
A frequent question is whether Tuxedo, Top End, or Encina is needed to gain access to Oracle databases on UNIX and other platforms using transactions. The answer is "no," because in this case Microsoft Distributed Transaction Coordinator running on Windows NT Server is acting as the transaction manager.
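The three-database transaction described above, as an added simulation that is not Microsoft's DTC, MTS or ODBC code: a single coordinator on the Windows NT side runs the prepare/commit protocol, each participating database (the UNIX-hosted Oracle instance included) receives only the outcome, and one participant that cannot prepare causes every database's work to be backed out. The names (Coordinator, ResourceManager, run_demo) and the sample updates are constructed for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class ResourceManager:
    """One database taking part in the transaction (simulation, not a real driver)."""
    name: str
    platform: str
    fail_prepare: bool = False                        # constructed fault: cannot guarantee durability
    committed: dict = field(default_factory=dict)     # durable state, visible after commit
    pending: dict = field(default_factory=dict)       # writes made inside the open transaction
    prepared: bool = False
    log: list = field(default_factory=list)

    def update(self, key, value):
        self.pending[key] = value
        self.log.append(f"update {key}={value!r}")

    def prepare(self):
        # Phase 1 vote: YES means "I will commit this work if told to, even after a crash".
        if self.fail_prepare:
            self.log.append("prepare -> NO")
            return False
        self.prepared = True
        self.log.append("prepare -> YES")
        return True

    def commit(self):
        # Phase 2, commit branch: only valid after a YES vote.
        assert self.prepared, f"{self.name}: commit without prepare"
        self.committed.update(self.pending)
        self.pending.clear()
        self.prepared = False
        self.log.append("commit")

    def rollback(self):
        # Phase 2, abort branch: discard everything done in this transaction.
        self.pending.clear()
        self.prepared = False
        self.log.append("rollback")


class Coordinator:
    """Plays the DTC role: it alone decides the outcome and tells every participant."""

    def __init__(self, participants):
        self.participants = {rm.name: rm for rm in participants}

    def run(self, updates):
        """updates: list of (participant name, key, value). Returns 'committed' or 'aborted'."""
        touched = []
        for name, key, value in updates:
            rm = self.participants[name]
            rm.update(key, value)
            if rm not in touched:
                touched.append(rm)
        votes = [rm.prepare() for rm in touched]      # phase 1: ask every participant
        if all(votes):
            for rm in touched:                        # phase 2: same outcome everywhere
                rm.commit()
            return "committed"
        for rm in touched:
            rm.rollback()
        return "aborted"


def build_participants(unix_oracle_fails=False):
    return [
        ResourceManager("sqlserver-nt", "Windows NT"),
        ResourceManager("oracle-nt", "Windows NT"),
        ResourceManager("oracle-unix", "DIGITAL UNIX", fail_prepare=unix_oracle_fails),
    ]


# Constructed sample work: one business operation touching all three databases.
TRANSFER = [
    ("sqlserver-nt", "order:1001", "shipped"),
    ("oracle-nt", "inventory:sku42", 7),
    ("oracle-unix", "ledger:1001", -120.0),
]


def run_demo(unix_oracle_fails=False):
    """Run TRANSFER and return (outcome, durable state of every database)."""
    rms = build_participants(unix_oracle_fails)
    outcome = Coordinator(rms).run(TRANSFER)
    return outcome, {rm.name: dict(rm.committed) for rm in rms}


if __name__ == "__main__":
    print(run_demo())                          # all three prepare: everything committed
    print(run_demo(unix_oracle_fails=True))    # UNIX Oracle votes NO: nothing committed
```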
Cross-Platform Application Development
Component model technology defines an environment to support reusable application components, or multitier distributed object applications. Components are prefabricated elements of application code that can be assembled into working application systems.
This technology capitalizes on one of the most important benefits provided by object technology: reuse. COM facilitates the reassembly of application components into new applications. Developers can tie together pieces of existing applications and create new applications that inherit the behavioral characteristics of the "parents." This improves a developer's and an organization's overall productivity, because fewer and fewer applications have to be re-coded from scratch.
COM and Related Technologies
COM, the Component Object Model, is Microsoft's specification for building reusable software components and defining the manner by which objects interact through exposed interfaces. Microsoft Interface Definition Language (MIDL) is analogous to Common Object Request Broker Architecture (CORBA) IDL as a language for specifying these interfaces. Although COM, like other component models, allows independently developed, cross-language components to interact with each other, it has differed in its focus on the Microsoft 32-bit platforms; the ports described below extend it to UNIX.
Released with Windows NT 4.0 in 1996, Distributed COM (DCOM) is the foundation for Microsoft's Internet and component strategy; ActiveX® controls and components are COM objects and can therefore be reached through DCOM. DCOM extends the COM model so that a client can invoke a component on another machine over the network using the same interfaces it would use locally; the wire protocol is an extension of DCE RPC.
Using this programming model, a programmer working in the Visual C++ development system, Visual Basic, or Java packages application functionality as component objects. A component object is a reusable piece of binary code, written to the interface and lifetime rules that COM defines, that can connect with other component objects written to the same rules. Thus a programmer can write a component once and make its capabilities available to other applications. With DCOM, client applications on other machines can use that component on a remote server.
Native DCOM on UNIX
Microsoft continues to work closely with partners to gain the engineering, integration, and marketing experience needed to move COM and DCOM into the enterprise, and has been working with many of them to port DCOM onto non-Microsoft platforms. Programmers who develop in Windows NT-only environments will find the same DCOM application programming interface (API) and the same behavior in a heterogeneous environment of Windows NT clients and UNIX servers.
Employing DCOM on UNIX, users can:
Port DCOM server applications from Windows NT operating environments to UNIX operating environments.
Create wrappers for existing UNIX applications, providing DCOM access to the applications by clients running Windows.
Develop new distributed UNIX applications that take advantage of the DCOM distribution mechanism. These applications can make the most of the DCOM reuse, version independence, and language independence capabilities.
As a strategic partner, Compaq Computer Corporation™ provides a native version of DCOM on DIGITAL UNIX. The Compaq implementation provides all the basic functions, libraries, and tools that a DCOM application in a heterogeneous Windows NT client/DIGITAL UNIX server environment requires.
For more information on non-Microsoft platforms that support COM, visit: http://www.microsoft.com/com.
Amid the proliferation of component model technologies, a number of mechanisms have arisen to make them interoperate. The Object Management Group (OMG) has written a specification for integrating DCOM and CORBA. In the DCOM-to-CORBA mapping, a request made on what the client sees as a DCOM object is routed over the Internet Inter-ORB Protocol (IIOP) to the corresponding CORBA implementation object. The first phase of this translation is binding a DCOM object reference to that CORBA implementation object; the second is routing individual requests to the object and handling exception and termination conditions.
Compaq was the first to provide this mapping for its market-leading CORBA product, ObjectBroker, with the ObjectBroker Desktop Connection. Based on bridging technology from Canada-based Visual Edge Inc., it offered ObjectBroker users OMG-compliant, bidirectional CORBA-ActiveX connectivity for seamless integration of UNIX and OpenVMS™ data and information into Win32® based desktop documents and Web-enabled applications. ObjectBroker is now owned by Compaq partner BEA Systems, and its CORBA-COM functionality is being incorporated into a number of BEA's strategic future products.
Iona Technologies, a leading CORBA provider, recently licensed COM from Microsoft Corporation and introduced OrbixCOMet to bridge CORBA and COM. OrbixCOMet provides bidirectional integration between COM and CORBA applications, with complete support for the COM-CORBA mapping and the Automation-CORBA mapping. It provides a client-side bridge, enabling COM/Automation clients to talk directly to CORBA servers, with support for callbacks. OrbixCOMet Desktop lets developers build heterogeneous systems from COM and CORBA components with minimal performance impact. Developers can keep using the tools familiar to them, whether Visual Basic, PowerBuilder, Delphi or Active Server Pages, which boosts productivity by minimizing the learning curve of a new object model. Developers gain access to the CORBA world through COM interfaces and, for the most part, do not need to know anything about CORBA.
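The two phases described above, binding and then routing with exception handling, are easier to see in code. The following added example is not code from the paper, from ObjectBroker or from OrbixCOMet; it models a COM-side proxy bound to a CORBA-style implementation object and shows where CORBA's exception-raising convention has to be turned into the HRESULT-returning convention a COM client expects. The HRESULT values are the real Win32 ones; the exception-to-HRESULT table, the toy ORB and the account object are this example's own choices, not the OMG mapping.

```python
"""A COM-to-CORBA bridge in miniature: bind the reference, then route calls.

Added example, not code from the paper, ObjectBroker or OrbixCOMet.  It
models the two phases of a request on a DCOM object: binding a COM object
reference to the CORBA implementation object, then routing each request
and turning CORBA exceptions into the HRESULT failure codes a COM client
expects.  The HRESULT values are the real Win32 ones; the exception table,
the toy ORB and the account object are this example's own, not the OMG's.
"""
S_OK = 0x00000000
E_FAIL = 0x80004005
E_INVALIDARG = 0x80070057
E_ACCESSDENIED = 0x80070005
RPC_E_DISCONNECTED = 0x80010108


def FAILED(hr):
    """COM convention: the high bit of an HRESULT marks failure."""
    return bool(hr & 0x80000000)


class CorbaSystemException(Exception):
    """Stand-in for CORBA's standard system exceptions."""


class BAD_PARAM(CorbaSystemException):
    pass


class NO_PERMISSION(CorbaSystemException):
    pass


class OBJECT_NOT_EXIST(CorbaSystemException):
    pass


class AccountImpl:
    """CORBA implementation object on the UNIX side: it raises, never returns codes."""

    def __init__(self, balance):
        self.balance = balance

    def withdraw(self, amount):
        if amount <= 0:
            raise BAD_PARAM("amount must be positive")
        if amount > self.balance:
            raise NO_PERMISSION("insufficient funds")
        self.balance -= amount
        return self.balance


class ToyOrb:
    """Resolves a stringified object reference to an implementation object."""

    def __init__(self):
        self.objects = {}

    def resolve(self, ior):
        if ior not in self.objects:
            raise OBJECT_NOT_EXIST(ior)
        return self.objects[ior]


EXC_TO_HRESULT = {
    BAD_PARAM: E_INVALIDARG,
    NO_PERMISSION: E_ACCESSDENIED,
    OBJECT_NOT_EXIST: RPC_E_DISCONNECTED,
}


def to_hresult(exc):
    """Map a CORBA exception to an HRESULT; anything unexpected becomes E_FAIL."""
    return EXC_TO_HRESULT.get(type(exc), E_FAIL)


class ComProxy:
    """What the COM client holds. Every method returns (HRESULT, out_value)."""

    def __init__(self, target):
        self._target = target

    def invoke(self, method, *args):
        """Phase 2: route one request and never let an exception escape to COM."""
        try:
            return S_OK, getattr(self._target, method)(*args)
        except CorbaSystemException as exc:
            return to_hresult(exc), None
        except Exception:
            return E_FAIL, None


def bind(orb, ior):
    """Phase 1: bind a COM reference to the CORBA object; returns (HRESULT, proxy)."""
    try:
        return S_OK, ComProxy(orb.resolve(ior))
    except CorbaSystemException as exc:
        return to_hresult(exc), None


def demo_orb():
    """Constructed ORB with one registered account object."""
    orb = ToyOrb()
    orb.objects["IOR:account-1"] = AccountImpl(100)
    return orb
```

The practical consequence for a bridge is the last `except` clause: a COM client checks HRESULTs and has no way to receive a CORBA exception, so anything the bridge cannot classify must still come back as a failure code rather than propagate out of the call.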
The Future OF Windows NT 5.0
Windows NT version 5.0 will include services that further enhance the interoperability of the Windows NT operating system.
Active Directory Service
The Active Directory is a directory service that is completely integrated with Windows NT Server and offers the hierarchical view, extensibility, scalability, and distributed security required by all business customers. Network administrators, developers, and users gain access to a directory service that:
Is seamlessly integrated with both Internet and intranet environments.
Provides simple, intuitive naming for the objects it contains.
Scales from a small business to the largest enterprise.
Works with familiar tools, such as Web browsers.
Provides simple, powerful, open application programming interfaces.
The Active Directory is a critical part of the distributed system. It allows administrators and users to take advantage of the directory service as a source of information and an administrative service.
A Unified Directory
The Active Directory integrates the Internet concept of a namespace with the operating system's directory services. It uses the Lightweight Directory Access Protocol (LDAP) as its core client-access protocol (ADSI is the programming interface) and supports the X.500 information model without requiring systems to carry the overhead of a full X.500 implementation. Because LDAP is the wire protocol, Active Directory can interoperate with other LDAP-based directories, including those on UNIX, and can work across operating system boundaries to integrate numerous namespaces. This lets enterprises unify and manage the multiple namespaces that now exist in corporate networks, giving the level of interoperability required for administering heterogeneous software and hardware environments.
A Single Point of Administration
The Active Directory allows a single point of administration for all published resources, which can include files, peripheral devices, host connections, databases, Web access, users, other arbitrary objects, services, and so forth. It uses the Internet DNS namespace as its locator service, organizes the objects within a domain into a hierarchy of organizational units, and allows multiple domains to be connected into a tree. Administration is further simplified because there is no notion of a primary domain controller (PDC) or backup domain controller (BDC): Active Directory uses domain controllers (DCs) only, all DCs are peers, and a change made on any DC is replicated to all the others.
Microsoft has developed general-purpose directory services that scale from a small installation with a few hundred to a few thousand objects, to a very large installation with millions of objects. The Active Directory supports multiple stores and can hold more than 10 million objects per store, thus offering scalability while maintaining a simple hierarchical structure and ease of administration. When combined with the Microsoft Distributed File System, the Active Directory will bring networks even closer to the goal of a single global namespace.
Active Directory thus combines DNS as its locator service with LDAP as its core protocol, which makes it straightforward to work with directory services from other vendors running on non-Microsoft operating systems. In addition to LDAP, Microsoft's plans include support in the Active Directory for the following X.500 protocols:
Subsets of the 1993 Directory Access Protocol (DAP)
1993 Directory System Protocol (DSP)
Directory Information Shadowing Protocol (DISP)
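The locator and access-protocol statements above reduce to two concrete steps a client performs: finding a domain controller from DNS SRV records and addressing the directory's naming context over LDAP. The following added example (not the paper's or Windows NT's code) carries out both steps on a constructed SRV answer set so that it runs offline; a real client would obtain that answer set from its resolver. The `_ldap._tcp.dc._msdcs.<domain>` owner name is the one domain controllers register for the domain's LDAP service, and the priority/weight selection follows RFC 2782. The domain name and the answer records are constructed.

```python
"""Locating a domain controller through DNS and forming the LDAP base DN.

Added example, not the paper's or Windows NT's code: the DC locator logic
reduced to its two parts, picking a server from SRV answers by RFC 2782
priority and weight, and deriving the directory's naming context from the
DNS domain name.  The SRV answers are constructed; the owner name is the one
domain controllers register for the domain's LDAP service.
"""
import random


def srv_name(domain):
    """SRV owner name a client queries to find the domain's LDAP service."""
    return "_ldap._tcp.dc._msdcs." + domain.rstrip(".").lower() + "."


def base_dn(domain):
    """DNS name to naming-context DN: example.com -> dc=example,dc=com."""
    labels = domain.rstrip(".").lower().split(".")
    return ",".join("dc=" + label for label in labels)


def choose_srv(records, rnd=random.random):
    """RFC 2782 selection: the lowest priority wins; ties are chosen at random
    in proportion to weight, so a weight-0 record is only picked when every
    candidate at that priority has weight 0.  `rnd` is injectable for tests."""
    if not records:
        return None
    lowest = min(r["priority"] for r in records)
    candidates = [r for r in records if r["priority"] == lowest]
    total = sum(r["weight"] for r in candidates)
    if total == 0:
        return candidates[int(rnd() * len(candidates))]
    pick = rnd() * total
    running = 0
    for r in candidates:
        running += r["weight"]
        if pick < running:
            return r
    return candidates[-1]


def ldap_url(domain, records, rnd=random.random):
    """LDAP URL for the chosen DC, rooted at the domain's naming context."""
    r = choose_srv(records, rnd)
    if r is None:
        return None
    return "ldap://%s:%d/%s" % (r["target"].rstrip("."), r["port"], base_dn(domain))


# Constructed SRV answer set for the example domain: two DCs share the
# lowest priority (weighted 2:1), a third is only a fallback.
SAMPLE_SRV = [
    {"priority": 0, "weight": 100, "port": 389, "target": "dc1.example.com."},
    {"priority": 0, "weight": 50, "port": 389, "target": "dc2.example.com."},
    {"priority": 10, "weight": 100, "port": 389, "target": "dc-backup.example.com."},
]
```

Because the locator is plain DNS, whoever controls the answers to that SRV query controls which host a client binds to; that is why the DNS zone holding the `_msdcs` records deserves the same protection as the directory it points at.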
Active Directory is the store for security principals in the Windows NT operating system, including user accounts, groups, and domains. It therefore replaces the registry-based account database (the SAM) and is a trusted component of the Local Security Authority.
Active Directory permits both authenticated and unauthenticated access to the directory service for clients talking LDAP. With unauthenticated access, a client can reach only those objects whose ACLs grant access to Everyone (or to unauthenticated users). Active Directory allows administrators to set ACLs on entries as a whole and on individual attributes within entries, so the protection of directory data against anonymous clients rests on those ACLs rather than on the bind itself.
Authenticated access to Active Directory over LDAP supports both shared-secret (password-derived key) and public key-based authentication. The Kerberos version 5 protocol is supported for password-based authentication, with extensions for public key-based initial authentication. Internet clients can also be authenticated with X.509 v3 public key certificates. After a client has been authenticated by whichever scheme applies, Active Directory supports impersonation of that client, which gives tight integration with the rest of the Windows NT security system.
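What an anonymous bind can and cannot read follows directly from the entry- and attribute-level ACLs just described. The following added example is not the paper's or Active Directory's code; it is a reduced model of that access check. An unauthenticated bind is evaluated as Anonymous Logon plus Everyone, which is how this release treats anonymous clients (later Windows releases dropped Anonymous Logon from Everyone by default); an authenticated bind is evaluated as its user SID, its groups, Everyone and Authenticated Users. The three well-known SIDs are real; the entry, its ACEs, and the user and group SIDs are constructed.

```python
"""Entry- and attribute-level ACL evaluation for an LDAP read of the directory.

Added example, not the paper's or Active Directory's code.  An anonymous
bind is evaluated as Anonymous Logon plus Everyone, as this release treats
unauthenticated clients; an authenticated bind as its SID, groups, Everyone
and Authenticated Users.  The well-known SIDs are real; the entry, ACEs and
user SID are constructed.
"""
EVERYONE = "S-1-1-0"
ANONYMOUS_LOGON = "S-1-5-7"
AUTHENTICATED_USERS = "S-1-5-11"


def token_for(bind):
    """SIDs the access check sees for a bind (None means an anonymous bind)."""
    if bind is None:
        return {ANONYMOUS_LOGON, EVERYONE}
    return {bind["sid"], EVERYONE, AUTHENTICATED_USERS, *bind.get("groups", ())}


def read_allowed(aces, token, attr=None):
    """Read access on the entry (attr=None) or on one attribute.
    Only ACEs naming a SID in the token count, and an explicit deny beats
    any allow, which is the order an NT canonical DACL is evaluated in."""
    relevant = [a for a in aces if a["attr"] == attr and a["sid"] in token]
    if any(a["access"] == "deny" for a in relevant):
        return False
    return any(a["access"] == "allow" for a in relevant)


def read_entry(entry, bind):
    """Attributes visible to this bind, or None if the entry itself is hidden."""
    token = token_for(bind)
    if not read_allowed(entry["aces"], token):
        return None
    visible = {}
    for name, value in entry["attributes"].items():
        has_own_aces = any(a["attr"] == name for a in entry["aces"])
        # attribute ACEs decide when present; otherwise the entry grant carries
        if not has_own_aces or read_allowed(entry["aces"], token, attr=name):
            visible[name] = value
    return visible


def ace(sid, access, attr=None):
    return {"sid": sid, "access": access, "attr": attr}


def sample_entry():
    """Constructed user entry: the entry is readable by Everyone, mail is
    hidden from anonymous binds, employeeID is readable only when authenticated."""
    return {
        "dn": "cn=jdoe,ou=Users,dc=example,dc=com",
        "attributes": {"cn": "jdoe", "mail": "jdoe@example.com", "employeeID": "4471"},
        "aces": [
            ace(EVERYONE, "allow"),
            ace(ANONYMOUS_LOGON, "deny", "mail"),
            ace(EVERYONE, "allow", "mail"),
            ace(AUTHENTICATED_USERS, "allow", "employeeID"),
        ],
    }


def hardened(entry):
    """Same entry with the entry-level grant narrowed to Authenticated Users,
    so an anonymous bind cannot even see that the entry exists."""
    out = dict(entry)
    out["aces"] = [
        ace(AUTHENTICATED_USERS, "allow") if a["attr"] is None and a["sid"] == EVERYONE else a
        for a in entry["aces"]
    ]
    return out
```

The check to run against a real directory is the first one: bind anonymously and see which entries and attributes come back. Whatever appears is readable by anyone who can reach port 389, because an entry-level grant to Everyone is inherited by every attribute that has no ACE of its own.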
Kerberos Authentication Protocol
The Kerberos authentication protocol defines the interactions between a client and a network authentication service known as a Key Distribution Center (KDC). Windows NT implements a KDC as the authentication service on each domain controller. The Windows NT domain is equivalent to a Kerberos realm but will continue to be referred to as a domain. The Windows NT Kerberos implementation is based on the Internet RFC 1510 definition of the Kerberos protocol. The Kerberos client runtime is implemented as a security provider based on the SSPI, and initial Kerberos authentication is integrated with the WinLogon single sign-on architecture. The Kerberos server (KDC), integrated with the existing Windows NT security services running on the domain controller, uses the Windows NT Active Directory as the account database for users (principals) and groups.
The Kerberos authentication protocol enhances the underlying security features of Windows NT and provides the following features:
Faster server authentication performance during initial connection establishment. Because the service ticket is encrypted under the application server's own long-term key, the server validates it locally and does not have to contact the domain controller to authenticate the client. This allows application servers to scale better when handling a large number of client connection requests.
Delegation of authentication for multitier client/server application architectures. When a client connects to a server, the server impersonates the client on that system. If the server must make a network connection to a back-end server to complete the client's request, the Kerberos protocol allows the client's authentication to be delegated, so that the first server connects to the second on the client's behalf and the second server can also impersonate the client. A server trusted for delegation can act as the client toward any service, so delegation should be enabled only for the servers that need it.
Transitive trust relationships for interdomain authentication. Users can authenticate to any domain in the domain tree because the KDCs in each domain trust tickets issued by the other KDCs in the tree. Transitive trust simplifies domain management for large networks with multiple domains.
The Kerberos version 5 authentication protocol defined in RFC 1510 has gone through wide industry review and is well known in the security community.
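The three exchanges behind the features listed above, and the reason the application server never needs the domain controller, are easiest to see in a single runnable simulation. The following added example is not the paper's code and not Windows NT's implementation; it walks the RFC 1510 AS, TGS and AP exchanges in one process, then performs a delegated request from a front-end server to a back-end server in the client's name. The realm, principals and passwords are constructed; the cipher is a toy (a SHA-256 keystream with an HMAC tag) standing in for the RFC 1510 encryption types and is not usable as real cryptography. Delegation is simplified: the client hands its forwardable TGT and that TGT's session key to the front end, whereas RFC 1510 has the client obtain a separate forwarded TGT from the KDC for that purpose.

```python
"""Kerberos v5 AS, TGS and AP exchanges (RFC 1510), simulated in one process.
Added example, not the paper's code.  Realm, principals and passwords are
constructed; the cipher is a toy (SHA-256 keystream plus HMAC tag) standing
in for the RFC 1510 encryption types and is not for real use."""
import hashlib, hmac, json, os, time

REALM = "EXAMPLE.COM"
TGS = "krbtgt/" + REALM                  # the ticket-granting service principal

def kdf(password, principal):
    """Long-term key from password and salt, the string-to-key step."""
    return hashlib.sha256((REALM + principal + password).encode()).digest()

def _xor(key, nonce, data):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def seal(key, obj):
    """Toy encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj, sort_keys=True).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(_xor(key, nonce, ct))

class KDC:
    def __init__(self):                  # keys come from the account database
        self.keys = {TGS: os.urandom(32)}
    def add(self, principal, password):
        self.keys[principal] = kdf(password, principal)
    def _issue(self, client, service, flags):
        session = os.urandom(32)
        body = {"client": client, "service": service, "key": session.hex(),
                "expires": time.time() + 600, "flags": flags}
        return seal(self.keys[service], body), session
    def as_exchange(self, client, flags):
        """AS-REQ/AS-REP: TGT under the TGS key, session key under the client's key."""
        tgt, session = self._issue(client, TGS, flags)
        return tgt, seal(self.keys[client], {"key": session.hex()})
    def tgs_exchange(self, tgt, authenticator, service):
        """TGS-REQ/TGS-REP: the requester proves it holds the TGT session key."""
        t = unseal(self.keys[TGS], tgt)
        if unseal(bytes.fromhex(t["key"]), authenticator)["client"] != t["client"]:
            raise PermissionError("authenticator does not match TGT")
        ticket, session = self._issue(t["client"], service, t["flags"])
        return ticket, seal(bytes.fromhex(t["key"]), {"key": session.hex()})

class AppServer:
    def __init__(self, name, key): self.name, self.key = name, key
    def accept(self, ticket, authenticator):
        """AP-REQ check done locally: no round trip to the domain controller."""
        t = unseal(self.key, ticket)         # a ticket for another service fails here
        if t["service"] != self.name or t["expires"] < time.time():
            raise PermissionError("ticket not valid for this service")
        a = unseal(bytes.fromhex(t["key"]), authenticator)
        if a["client"] != t["client"] or abs(a["ts"] - time.time()) > 300:
            raise PermissionError("bad authenticator")
        return t["client"], bytes.fromhex(t["key"]), t["flags"]

def login(kdc, name, password, forwardable=False):
    tgt, reply = kdc.as_exchange(name, ["forwardable"] if forwardable else [])
    session = unseal(kdf(password, name), reply)["key"]   # wrong password: ValueError
    return {"name": name, "tgt": tgt, "tgt_key": bytes.fromhex(session)}

def service_ticket(kdc, creds, service):
    auth = seal(creds["tgt_key"], {"client": creds["name"], "ts": time.time()})
    ticket, reply = kdc.tgs_exchange(creds["tgt"], auth, service)
    return ticket, bytes.fromhex(unseal(creds["tgt_key"], reply)["key"])

def ap_req(ticket, session, client):
    return ticket, seal(session, {"client": client, "ts": time.time()})

def demo():
    kdc = KDC()
    kdc.add("alice", "correct horse battery staple")
    kdc.keys.update({s: os.urandom(32) for s in ("http/web", "sql/db")})  # random service keys
    web, sql = AppServer("http/web", kdc.keys["http/web"]), AppServer("sql/db", kdc.keys["sql/db"])
    creds = login(kdc, "alice", "correct horse battery staple", forwardable=True)
    ticket, sess = service_ticket(kdc, creds, "http/web")
    who, key, flags = web.accept(*ap_req(ticket, sess, "alice"))
    out = {"front_end_sees": who}
    # Delegation: the client hands its TGT and TGT session key to the front end under
    # the AP session key; the front end asks the TGS for a back-end ticket as the client.
    fwd = unseal(key, seal(sess, {"tgt": creds["tgt"].hex(), "tgt_key": creds["tgt_key"].hex()}))
    if "forwardable" not in flags:
        raise PermissionError("client credentials are not forwardable")
    delegated = {"name": who, "tgt": bytes.fromhex(fwd["tgt"]), "tgt_key": bytes.fromhex(fwd["tgt_key"])}
    t2, s2 = service_ticket(kdc, delegated, "sql/db")
    out["back_end_sees"] = sql.accept(*ap_req(t2, s2, who))[0]
    try:                                                 # the web ticket replayed at sql
        sql.accept(*ap_req(ticket, sess, "alice")); out["wrong_service_rejected"] = False
    except ValueError:
        out["wrong_service_rejected"] = True
    return out
```

Two things in the run are worth checking against the feature list. `AppServer.accept` touches only its own key, which is the scalability point: the domain controller is not on the path of a connection. And a wrong password is rejected at the client, not the KDC, because RFC 1510 makes pre-authentication optional and the KDC answers any AS-REQ; without pre-authentication that reply is material for offline password guessing, which is why a production KDC should require it. The delegated request shows the other caveat: once the front end holds the TGT and its session key, nothing in the protocol limits it to `sql/db`.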
Interoperability between Windows NT and UNIX is necessary in today's heterogeneous computing environments. Tools and technologies at the network, data, application, and management layers allow these systems to interoperate. These tools are either built into Windows NT or are readily available from an increasing number of third-party vendors.
Microsoft, together with its strategic partners such as Compaq Computer Corporation, is fully committed to interoperability because customers want to integrate Windows with their existing UNIX and mainframe environments. Customers want to capitalize on past investments in applications and systems and, at the same time, take advantage of the benefits that distributed computing offers.
With Microsoft and its strategic partners, customers can build interoperable solutions to satisfy their goals for lowering total cost of ownership and maximizing business value. Customers will see continued advances in these technologies, making it even easier to deploy and manage heterogeneous networks running UNIX and Windows NT Server.
Customers can find more information on interoperability in Microsoft TechNet and the Windows NT Server Web site.
Delivered by the world's most experienced Windows NT integration service provider.
You made the call, and you are going to integrate Windows NT with your UNIX environment—building the open, scalable environment your business needs to stay competitive. Choosing the right service provider is critical to the success of your project, so now is the time to ask tough questions.
A solid foundation is built on knowledge.
When it comes to building the foundation of your new integrated infrastructure running Windows NT Server and UNIX, a thorough approach will pay off. And to get the quality execution you need from your chosen solution provider, you must ask the tough questions up front:
How many integrations of Windows NT Server and UNIX have you actually performed?
How many of your engineers are trained and experienced in both Windows NT and UNIX?
Will you help educate our staff when you are finished?
Are you experienced in all major UNIX operating systems?
The Compaq AllConnect™ multivendor integration program for UNIX and Windows NT Server is designed to address these issues. AllConnect is the most comprehensive Windows NT integration program ever assembled. Backed by thousands of engineers with real-world Windows NT and UNIX integration experience, AllConnect delivers unrivaled flexibility, reliability, and scalability.
AllConnect combines the top-rated Compaq service organization (rated No. 1 in customer satisfaction, Computerworld, 1997), leading-edge software from Compaq, and products from our business partners. Compaq has even designed knowledge transfer into the program to help you keep things running, and growing, long after we're finished.
Compaq has invested in a massive program over the past five years to ensure that our most experienced engineers, including our UNIX, NetWare, and VINES experts, possess the in-depth training and experience in Windows NT Server needed to meet your integration needs. We recognize that "textbook skills" are not adequate for real-world deployment of complex integration solutions, so we test our solutions internally before we deliver them to you.
With such an investment, it's no surprise that we've already seen serious results. Compaq enjoys a proven track record of success where the competition is just getting underway, with more than 1.5 million users supported by our AllConnect for UNIX, Affinity for OpenVMS, and NOS Migration services.
Compaq has developed substantial expertise in both Windows NT and all major UNIX operating systems, such as DIGITAL UNIX, Solaris and HP-UX.
This is possible because Compaq has been deeply involved in the Windows NT explosion since its first beta release five years ago, when few competitors saw its enormous potential. Furthermore, we've strategically aligned ourselves with Microsoft to share technologies and develop Next Generation Windows NT 64-bit and Clustering Technologies.
And it's possible because of our firsthand experience developing DIGITAL UNIX, the world's most robust and fully realized 64-bit UNIX operating system.
Moreover, our Windows NT experts boast the lowest turnover rate in the business—just 8 percent versus an industry average of 25 percent—facilitating greater continuity of service when you choose AllConnect. And perhaps most important of all, we transfer knowledge to your people so they can maintain and build your environment as you grow.
AllConnect: Comprehensive Solutions for Windows NT to Multivendor UNIX Integration
Every Windows NT integration is unique. Some are focused on specific problems and issues, others affect the entire enterprise IT environment. AllConnect is built around a series of integration suites, which can be custom-deployed to meet your particular requirements.
These integration suites include:
Enterprise File and Print
Network and Systems Management
Compaq AllConnect—masterfully building your future operating environment.
It comes down to this. We know the issues involved in integrating Windows NT with your existing and future computing environments. We have a customer-driven business that allows you to use as much or as little of our help as you need. And we have a rock-solid deployment plan that has been proven thousands of times for millions of users.
Moreover, our program engineers have accumulated thousands of engineer-years of real-world Windows NT to UNIX integration experience, while the competition is still reading manuals. And that hard-won experience will continue to benefit you for years to come because no one is better at transferring knowledge—ensuring that you become the expert who can maintain and grow your solution. Without question, when your enterprise-computing environment is on the line, you need someone you can trust at the controls. You need Compaq AllConnect for multivendor UNIX to Windows NT integration.
This White Paper was jointly produced by Microsoft and COMPAQ Computer Corporation.
Compaq believes the information in this publication is accurate as of its publication date; such information is subject to change without notice. Compaq is not responsible for any inadvertent errors.
©1998 Compaq Computer Corporation. COMPAQ, the Compaq logo, DIGITAL, the DIGITAL logo, AllConnect, Alpha, AlphaServer, OpenVMS and TruCluster are registered in the U.S. Patent and Trademark Office.
1 XA is the X/Open DTP interface between a transaction manager and the resource managers it coordinates; it carries the two-phase commit protocol. XA is natively supported by many UNIX databases, including Informix, Oracle, and DB2.