
Difference between Active Directory and Windows NT 

Windows NT and Active Directory are, at the core, network operating systems (NOS) developed by Microsoft for centralized management of network devices, with Active Directory being the successor to Windows NT. In this article, we briefly discuss network operating systems, look at what a directory service is, and go through the key differences between the Windows NT directory service and Active Directory.

Network operating systems in a nutshell 

An operating system is software that manages the available hardware resources so that software applications have what they need to perform their function. One type of operating system is the network operating system (NOS): an operating system that connects and manages multiple computers across a network. Windows NT and Windows Server 2016 are examples of a NOS. There are two types of NOS, corresponding to the two types of networks:

  • Peer-to-peer NOS

  • Client-server NOS 

A peer-to-peer NOS is used on peer-to-peer networks. In such a network, all computers are equally capable and share the same functionality; there is no central computer managing the whole network.

A client-server NOS is used on client-server networks, where there are two kinds of computers: clients and servers. The server manages all the client computers in the network. Windows NT and the successive versions of Windows Server are examples of a client-server NOS.

What is a directory service? 

A directory service, as the name suggests, is a network repository that holds information about all the devices in a network for identification, management, and resource sharing. There are standard directory service protocols that define how a directory service should function. The X.500 Directory Access Protocol, and later the Lightweight Directory Access Protocol (LDAP), are commonly accepted standards that form the basis for many directory services, such as Windows Active Directory and the Windows NT directory service.

What is Windows NT? 

Windows NT is a directory service network operating system introduced by Microsoft in 1990. It was in Windows NT that the concept of a domain was first introduced for resource management. A Windows NT domain is a container that groups users, computers, and groups under a single entity, and this domain concept was carried forward into Windows Active Directory. The Windows NT directory service soon proved unable to scale, as it lacked many capabilities that organizations demanded from a directory service, such as more comprehensive delegation of administrative roles and a scalable hierarchical structure for organizing objects. To address this, Microsoft introduced Windows Active Directory.

What is Windows Active Directory? 

Like Windows NT, Windows Active Directory is a directory service; the operating systems that provide it are the Windows Server family. Active Directory removed many of the limitations Windows NT had, such as the size limit of 40 MB and 40,000 objects. Active Directory also has a scalable hierarchical structure for organizing objects, and it can delegate administrative roles over objects without an all-or-nothing grant. Active Directory is based on the LDAP protocol, and it provides everything that is expected of a directory service, such as:

  • User and resource management

  • Security services

  • Centralized directory management

  • Directory-enabled infrastructure

  • Directory-enabled applications

Comparison of Active Directory and Windows NT 

Being the successor to Windows NT, Active Directory naturally had many advantages. For example, the schema of Windows NT was fixed and did not support the addition of new object types, whereas AD has a flexible schema that allows new object types to be added, which scales far better. Also, Windows NT was based on, and supported only, Microsoft's in-house API for access and management, while Active Directory is based on the standard LDAP protocol.

Another key difference was the change in the trust system between domains within the network. Windows NT domains had simple trust relationships, with no automatic transitive trusts formed between domains. Active Directory changed that and allowed transitive trusts between domains. For example, in Windows NT, if domain A trusts domain B and domain B trusts domain C, it does not follow that domain A trusts domain C. In Active Directory, however, the trust is transitive and domain A automatically trusts domain C.

There are several other key differences, such as the use of NetBIOS and WINS for name resolution in Windows NT versus DNS in Active Directory, and the difference in replication methodologies. The differences between Windows NT and Active Directory are listed below.

| Functionality | Windows NT | Active Directory |
|---|---|---|
| Scalability | The maximum database size is 40 MB with a maximum of 40,000 users. | The maximum database size is 16 TB with millions of objects per forest. |
| Schema extensibility | Does not support the addition of new objects. | The schema is fully extensible. |
| Access methodologies | Supports the Microsoft API only. | Supports LDAP-based access to objects. LDAP is the standard protocol used by directories. |
| Replication | Replication uses the single-master replication method only. | Replication uses the multi-master replication method across the domain controllers. |
| Administration | Done on a per-domain basis. | Administration boundaries can vary from the entire forest level down to an individual attribute of an object. |
| Name resolution | NetBIOS and WINS are used. | DNS is used. |
| Trust relationships | Only simple trust relationships are formed. For example, if domain A trusts domain B and domain B trusts domain C, there is no automatic trust created between domains A and C. | Transitive trust relationships occur between domains. For example, if domain A trusts domain B and domain B trusts domain C, an automatic trust is created between domains A and C. |
| Partitioning | The smallest unit of partitioning is a domain. | The smallest unit of partitioning is a naming context. |
| Boundaries | The domain serves as the boundary for replication, policy implementation, and security. | For replication and policy implementation, the domain is the boundary. For security, however, the forest is the boundary. |
| Policies | System policies can either be set locally on the computers or be implemented at the domain level. | System policies, called group policies, are centrally managed and can be implemented at the domain, site, or OU level. Further, since Windows Server 2008, fine-grained password policies allow a more comprehensive and customized implementation of password settings. |
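The trust example used in the comparison paragraph and in the table above (A trusts B, B trusts C), worked through as an added example that is not part of the original article. It models a set of one-way domain trusts and computes which domains each domain ends up trusting under the NT rule (direct trusts only) and under the AD rule (transitive), so the widening of the trust boundary is visible; the domain names are constructed, and every listed trust is assumed to be of the transitive kind, as within a single AD forest.

```python
# Added example (not the article's code): compare the effective trust set of a
# domain under Windows NT's non-transitive trusts and Active Directory's
# transitive trusts. Domain names are constructed for illustration.
from collections import deque

# Direct trusts as (trusting_domain, trusted_domain): the trusting domain
# accepts accounts from the trusted domain. Direction matters; a one-way
# trust does not imply the reverse.
DIRECT_TRUSTS = [
    ("A", "B"),   # A trusts B
    ("B", "C"),   # B trusts C
    ("C", "D"),   # C trusts D
    ("D", "B"),   # D trusts B (B does not trust D)
]


def nt_trusted_domains(trusting, trusts):
    """Windows NT rule: only domains with an explicit direct trust are trusted."""
    return {trusted for t, trusted in trusts if t == trusting}


def ad_trusted_domains(trusting, trusts):
    """Active Directory rule: trusts are transitive, so follow the chain of
    direct trusts in the trusting direction and collect every domain reached.
    Assumes all trusts are forest-internal (transitive) trusts."""
    reached = set()
    queue = deque([trusting])
    while queue:
        current = queue.popleft()
        for t, trusted in trusts:
            if t == current and trusted not in reached and trusted != trusting:
                reached.add(trusted)
                queue.append(trusted)
    return reached


def newly_trusted_under_ad(trusting, trusts):
    """Domains trusted only because of transitivity: the extra domains whose
    accounts the trusting domain accepts once trusts become transitive."""
    return ad_trusted_domains(trusting, trusts) - nt_trusted_domains(trusting, trusts)


if __name__ == "__main__":
    for domain in "ABCD":
        print(domain,
              "NT trusts:", sorted(nt_trusted_domains(domain, DIRECT_TRUSTS)),
              "AD trusts:", sorted(ad_trusted_domains(domain, DIRECT_TRUSTS)))
```

For domain A the NT rule yields only B, while the AD rule yields B, C and D; the difference set is what an administrator reviews when the forest-wide security boundary, rather than the domain, decides who is trusted.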
