What drawbacks does AD LDS normally have that can be addressed by implementing a Virtual Directory server instead (ACLs are something I have heard of)? And why would a company opt for a Virtual Directory Server over Meta Directory software like FIM?
Virtual Directory Server vs Metadirectory
- 391 Views
- Last Post 02 July 2015
Below is a quick breakdown of my opinions on the two questions:
"drawbacks that AD LDS normally may have which can be addressed by implementing another Virtual Directory server"?
Two primary drawbacks come to mind for me when the goal is to provide a unified directory composed of objects from disparate domains.
1. Typically the ADLDS instance will require a synchronization process of some form to create, update and delete objects in ADLDS. This means that the data in the ADLDS instance will only be as current as the most recent sync, so data consistency across directories can be considered a drawback. A virtual directory can provide real-time connections to the back end directories, thereby improving the data consistency.
2. If you are synchronizing passwords instead of leveraging user proxy objects in ADLDS then the consistency of user credentials can also be a drawback. A virtual directory can simply proxy the auth/bind requests to the back end directory to ensure users have consistent credentials between directories.
3. You mentioned ACLs in your question: ADLDS can store local groups that contain security principals from synchronized domains. A virtual directory can provide basically the same capability. Based on my experience with both, I think the virtual directory (depending on vendor) can provide much more flexibility here by limiting access based on users, groups, computers, IP address ranges, etc.
4. I'm sure if you shopped the websites of virtual directory vendors you would identify a number of other potential drawbacks of ADLDS that can be addressed using a virtual directory. I've only had one cup of coffee, so the above 3 are all I have for now.
"why would a company opt for Virtual Directory Server over Meta Directory"?
I don't personally feel that a virtual directory or meta directory would necessarily negate the need for the other; instead, these solutions can co-exist and potentially augment one another.
Meta Directory: Meta directories provide a means to consolidate data, such as user identity data, from numerous data sources (e.g. AD, applications, NAC solutions) to a central point where a holistic view can be made of users' identities and the access they have. The meta directory can then be used to push data out to connected systems, keeping identity related data in sync, and potentially/hopefully drive intelligent access control decisions.
Virtual Directory: A virtual directory typically merges disparate directories into a unified and potentially real-time 'view'. Depending on the needs of downstream services, logic can be applied within the views of the directory to solve for data consistency issues across the internal back end systems (e.g. an example may be delivering a single UPN suffix across a dozen back end domains).
A common need for a virtual directory is having a global organization comprised of numerous AD domains, or other user directories, where there is no plan or desire to consolidate. The same organization may have needs to deploy globally available applications in a consistent manner instead of requiring unique integrations with the numerous internal domains. Deploying a virtual directory can provide a single integration point for applications where the authentication and search requests are simply proxied off to the back end directories. This use case can potentially be solved with a unified ADLDS instance, but again you face some of the drawbacks covered in my response to your first question.
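The two behaviours the answer above contrasts (points 1 and 2: a synced snapshot that goes stale between syncs versus a virtual directory that proxies binds and searches to the back ends in real time, plus the single-UPN-suffix rewrite mentioned under "Virtual Directory") can be shown in a small in-memory model. The code below is an added illustration, not code from this thread or from any directory product; the back-end domains, users, suffixes and passwords are constructed, and the `BackendDirectory`, `VirtualDirectory` and `SyncedDirectory` classes are hypothetical stand-ins for real LDAP servers, a VDS and an AD LDS instance respectively.

```python
"""Toy virtual directory vs. synced snapshot (constructed example).

Two constructed back-end directories each own their users and verify
their own passwords. VirtualDirectory never copies credentials: a bind is
routed to the back end that owns the account and a search is fanned out
to every back end, returned as one view with a single UPN suffix.
SyncedDirectory models an AD LDS style instance holding a copy taken at
the last sync, so it is only as current as that sync.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

ITERATIONS = 50_000  # PBKDF2 rounds for the toy password store


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


@dataclass
class BackendDirectory:
    """One back-end domain (hypothetical). Stores salted hashes, never plaintext."""
    name: str
    upn_suffix: str
    entries: dict = field(default_factory=dict)  # sAMAccountName -> attributes

    def add_user(self, sam: str, password: str, mail: str) -> None:
        self.entries[sam] = {"mail": mail, "upn": f"{sam}@{self.upn_suffix}"}
        self.set_password(sam, password)

    def set_password(self, sam: str, password: str) -> None:
        salt = os.urandom(16)
        self.entries[sam].update({"salt": salt, "pwd": _hash_pw(password, salt)})

    def bind(self, sam: str, password: str) -> bool:
        e = self.entries.get(sam)
        if e is None:
            return False
        return hmac.compare_digest(_hash_pw(password, e["salt"]), e["pwd"])

    def search(self, sam: str = None) -> list:
        """Return public attributes only; credential material never leaves."""
        return [{"sam": s, "mail": e["mail"], "upn": e["upn"]}
                for s, e in self.entries.items() if sam is None or s == sam]


class VirtualDirectory:
    """Proxy view: routes binds, fans out searches, rewrites the UPN suffix."""

    def __init__(self, unified_suffix: str, backends: list):
        self.unified_suffix = unified_suffix
        self.backends = backends

    def _owner(self, sam: str):
        # Resolved per request, so accounts created since startup are found.
        return next((b for b in self.backends if sam in b.entries), None)

    def bind(self, upn: str, password: str) -> bool:
        sam, _, suffix = upn.partition("@")
        if suffix != self.unified_suffix:
            return False
        owner = self._owner(sam)
        # The back end checks the password; nothing is cached or copied here.
        return owner is not None and owner.bind(sam, password)

    def search(self, sam: str = None) -> list:
        view = []
        for b in self.backends:
            for entry in b.search(sam):
                entry = dict(entry, source=b.name)
                entry["upn"] = f"{entry['sam']}@{self.unified_suffix}"  # one suffix
                view.append(entry)
        return view


class SyncedDirectory:
    """Snapshot model: attributes and password hashes are copied at sync time."""

    def __init__(self, backends: list):
        self.backends = backends
        self.entries = {}

    def sync(self) -> None:
        self.entries = {s: dict(e) for b in self.backends for s, e in b.entries.items()}

    def bind(self, sam: str, password: str) -> bool:
        e = self.entries.get(sam)
        if e is None:
            return False
        return hmac.compare_digest(_hash_pw(password, e["salt"]), e["pwd"])


def demo() -> dict:
    """Constructed scenario: a password change after the last sync."""
    emea = BackendDirectory("emea", "emea.example.local")
    apac = BackendDirectory("apac", "apac.example.local")
    emea.add_user("alice", "Winter2015!", "alice@example.com")
    apac.add_user("bob", "Summer2015!", "bob@example.com")
    vds = VirtualDirectory("example.com", [emea, apac])
    snap = SyncedDirectory([emea, apac])
    snap.sync()
    emea.set_password("alice", "Spring2016!")  # changed in the home domain only
    return {
        "vds_bind_new": vds.bind("alice@example.com", "Spring2016!"),
        "vds_bind_old": vds.bind("alice@example.com", "Winter2015!"),
        "snap_bind_new": snap.bind("alice", "Spring2016!"),
        "snap_bind_old": snap.bind("alice", "Winter2015!"),  # stale copy still accepts it
        "vds_upns": sorted(e["upn"] for e in vds.search()),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The stale-snapshot result is the security-relevant part: after a password change (or a disable, which would be modelled the same way) the synced copy keeps honouring the old credential until the next sync window, whereas the proxied bind reflects the back end immediately. The search result also shows the single `@example.com` UPN delivered across both constructed domains.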
To add to the below: Many of the VDS products available offer the 'abstraction' of multiple directories into a unified view but also provide the option of a metaverse too. If real time searches are required across multiple, disparate directories, for example, then one approach is to provide that functionality via a metaverse. As ever 'it depends' on what your requirements and use cases are, but VDS and a product such as FIM are not necessarily competing for the same space and can be used to complement each other.
neil
I wrote a blog post 5 years ago which addresses some of this. See
https://blogs.uw.edu/barkills/2010/06/15/virtual-directory-products-2/. Specifically, the section which lists high-level business use cases that a virtual directory enables would be highly relevant to your question.