Microsoft Can Not Support NDS for NT on Windows NT Server

Copy of statement, since removed from Microsoft's web site.

NDS for NT: Not the Right Long-term Choice for Windows NT Server Customers

On January 5, Novell released NDS for NT, a product that replaces the Windows NT Directory and Security infrastructure in Windows NT Server 4.0. To be clear, NDS for NT is not an interoperability solution. It is an "all NDS" solution masked as a way to interoperate with Windows NT Server and BackOffice. With NDS for NT, Novell chose to replace pieces of Windows NT Server.

This method of "directory interoperability" is very different from Microsoft's: Microsoft, by building on industry standards, prefers to use protocols and interfaces to accomplish interoperability with other directories. Further, Microsoft is committed to directory interoperability by incorporating Internet standards into Windows NT Server 5.0, such as LDAP and Dynamic DNS, and building tools to help customers manage a mixed directory environment.

NDS for NT makes significant changes to the operating system. As a result, Microsoft today announced that it can not support Windows NT Server running Novell's NDS for NT. At first glance, it may appear that Microsoft is doing this to protect its investment in its own directory service technologies in the soon-to-be released Windows NT Server 5.0. This is in fact not true. Microsoft can not support Windows NT Server running NDS for NT because it is implemented into Windows NT Server in a way that is detrimental for customers. Customers investigating NDS for NT need to understand that NDS for NT is fundamentally flawed in the following ways:

- By replacing critical system DLLs, NDS for NT makes serious technical changes to Windows NT Server, rendering the system less secure, and potentially less reliable.
- NDS for NT will break the upgrade from Windows NT Server 4.0 to Windows NT Server 5.0.
- NDS for NT is not an interoperability solution.

These are very serious technical issues. What follows is more detail on what NDS for NT does and why Microsoft cannot support Windows NT Server running NDS for NT.

NDS for NT Poses Serious Technical Concerns

NDS for NT makes customers' systems less secure

NDS for NT replaces two key system DLLs on Windows NT Server. These two DLLs are integral to the Windows NT Server 4.0 security subsystem. By replacing these key pieces of the security infrastructure, NDS for NT violates the integrity of the Trusted Computer Base. Installing NDS for NT means that Windows NT Server 4.0 will not be trustable to enforce any security function, raising serious security concerns for our customers. Moreover, a Windows NT Server running NDS for NT is not C2-certifiable.

Over the past year, Microsoft has addressed some security issues with Windows NT, including adding significant new functionality such as filtering for strong passwords. While we have done so aggressively and with great speed, it is clear that it is much easier for Microsoft to address these security issues than for a third party to do so. With NDS for NT, customers must be willing to accept that Novell understands Windows NT Server and its security infrastructure well enough that it can support and troubleshoot it without introducing security flaws in the process. Further, customers must also accept that Novell will be able to keep NDS for NT in step with the coming releases of Windows NT Server.

NDS for NT breaks service packs

NDS for NT replaces DLLs that have been improved by every Windows NT Server Service Pack since Windows NT Server 3.51 SP 3. It is very likely that Microsoft's future Service Packs will also touch these same DLLs. Windows NT Server customers who deploy NDS for NT will not be able to apply future Service Packs.

NDS for NT not tested

NDS for NT is not a part of the Microsoft Windows NT Server or Microsoft BackOffice(tm) test configurations. This means that Microsoft has never officially tested NDS for NT. For customers who deploy NDS for NT, this means that Microsoft cannot guarantee that their Windows NT Server or BackOffice installations will function properly.

NDS for NT Breaks the Upgrade to Windows NT Server 5.0

Windows NT Server 4.0 customers will not have a smooth upgrade to Windows NT Server 5.0 because the changes NDS for NT makes to the system will not be recognized by the Windows NT Server 5.0 upgrade routines. The upgrade from Windows NT 4.0 to Windows NT 5.0 converts the Security Accounts Manager (SAM) by reading it directly. It is unclear that this will be possible on a system on which the SAM has been disabled or modified by a third party. This means that there will be some data, for example, local machine accounts, that will not be upgraded. This is a very significant concern for our customers who will want to upgrade their operating system but cannot because of NDS for NT.

NDS for NT is not an interoperability solution

NDS for NT is not an interoperability solution. Novell chose to replace pieces of Windows NT Server to build this solution, similar to replacing the engine of a car and then asking the original manufacturer to service it. This method of "directory interoperability" is very different from Microsoft's: Microsoft, by building on Internet standards, prefers to use protocols and interfaces to accomplish interoperability with other directories. For example, take Directory Service Manager for NetWare (DSMN), which enables NetWare 3.x customers to centrally manage their mixed NetWare 3.x/Windows NT Server environment from the Windows NT Directory Services. DSMN replaces no code on Novell's servers to enable this interoperability. This is a better solution for customers as it allows them to continue leveraging their investment in NetWare without ripping and replacing any Novell code.

Specific scenarios Microsoft can not support

NDS for NT makes very serious changes to Windows NT Server. As a result, Microsoft can not provide technical support for Windows NT Server customers who have deployed NDS for NT on questions related to the following:

- Security or authentication issues of any kind.
- Blue screens where the SAMSRV.dll and SAMLIB.dll are in the stack trace.

There may also be other scenarios that arise from the use of NDS for NT that have not yet been identified for which Microsoft can not provide technical support.

Conclusion

While there may be Windows NT Server customers who will deploy NDS for NT, it is very important that they do so with all the facts and understanding that Microsoft cannot support this configuration. What Novell is promising about NDS for NT is not true. NDS for NT is a bad solution for Windows NT Server customers because it makes significant changes to the operating system, particularly its security infrastructure; it breaks the upgrade from Windows NT Server 4.0 to Windows NT Server 5.0; and it is not an interoperability solution. The importance of LDAP shows that customers want directory interoperability built on industry standards, not proprietary solutions like NDS for NT that significantly alter another vendor's operating system. NDS for NT is not the solution for customers' directory needs.