The Windows 2000 Server Family




While Windows NT was a good start, it failed to scale high enough to tempt most large enterprises to migrate mission-critical systems. As a result, Microsoft invested many years of research into its next major server operating system release — Windows 2000 Server. The Windows 2000 Server operating systems mark a significant upgrade over previous Microsoft products in terms of both reliability and feature set. Though based on the NT kernel, Windows 2000 is still a major upgrade, is far more stable than NT, and is designed to eliminate DLL errors when applications are installed (a problem in NT that earned it the nickname "DLL hell").

Windows 2000 Server has added Plug-and-Play support for the first time, making it much easier to add peripherals compared with its predecessor. More importantly, it has brought with it the release of Active Directory, which replaced NT's domain system and makes network administration much easier.

In sharp contrast to the relatively small download of NT (although three CDs were required), Windows 2000 Server represents around 30 million lines of code; consequently, it requires more than 1 GB of disk space and a whole lot of RAM compared with NT. It comes in a client version as well as three server versions: Windows 2000 Server, Windows 2000 Advanced Server, and Windows 2000 Datacenter Server.

Windows 2000 Server

Microsoft Windows 2000 Server is a multipurpose network operating system that can be used by businesses of all sizes. It is probably best suited for workgroup file, print, Web, and communication servers, and it offers improved management, reliability, and scalability features over NT. The Windows 2000 Server operating system was designed with the intention of increasing the value of existing IT investments while lowering overall computing costs. It is easier to deploy, configure, and use because it provides centralized, customizable management services. The new management services also work well with most existing management solutions.

A Configure Your Server Wizard cuts the time it takes to build a server and minimizes errors. Other wizards make it easier to create Web sites and virtual directories and to manage security settings and security certificates. The Windows 2000 Server Resource Kit is also helpful in setting up Windows 2000 Server, reducing server configuration times and including plenty of ready-made scripts for a number of commonly used administrative functions, such as logon scripting. Additionally, Windows 2000 Server has made it far easier to configure a network. In addition to support for Plug-and-Play network adapters and services that manage the trust relationships between organizational domains, it provides automated replication and local caching of Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) information. Windows 2000 Server is also equipped with more powerful management services through AD (more on AD later) as well as such infrastructure tools as:

  • IntelliMirror, which is a set of Windows 2000 features used for desktop change and configuration management. IntelliMirror allows data, applications, and settings to follow roaming users. Administrators can use it for total control over client data, applications, and system settings.

  • Group Policy, which is based on AD and is a component of IntelliMirror. It allows control of user access to desktop settings and applications by groups rather than by individual users or computers. Group Policy lets an administrator define and control the amount of access users have to data, applications, and other resources.

  • Windows Management Instrumentation (WMI), which provides unified access and event services, providing the ability to control and monitor Windows-based environments, Simple Network Management Protocol (SNMP) devices, and all host environments that support the Web-Based Enterprise Management (WBEM) standards initiative of the Distributed Management Task Force (DMTF).

  • Windows Script Host (WSH), which allows users to automate and integrate common tasks using a variety of scripting platforms such as Microsoft Visual Basic, Scripting Edition (VBScript), Microsoft JScript, and Perl. This includes direct scripting to AD and WMI.

  • Microsoft Management Console (MMC), which is also available on NT and is a user interface presentation tool that integrates all the Windows-based and Web-based administration components needed to fulfill a specific task.

  • Active Server Pages (ASP), which was first introduced on NT and allows organizations to create dynamic personalized Web sites. The implementation of Active Server Pages in Windows 2000 Server has been upgraded; it is faster, more reliable, scalable, and runs better on multiprocessor hardware.

Windows 2000 also includes integrated support for such developments as Extensible Markup Language (XML) and streaming media.

Certified for Windows 2000 Logo

Microsoft was smart enough to make its Certified for Windows 2000 program quite difficult for third-party vendors. Even though it took many months to qualify and was a far stricter certification program than the one for Windows NT, thousands of business applications are now compatible with Windows 2000 Server. During the heyday of Windows 95 and NT, the Certified for Windows logo was little more than a marketing gimmick to broadcast the wide range of Windows-compatible applications available. As product qualifications were fairly lax, the program provided no worthwhile comparison of one third-party application with another. That all changed with Windows 2000. Microsoft has wisely revamped the Certified for Windows 2000 program as if to emphasize that Windows 2000 is not the same as Windows 9x and NT. Certification had vendors jumping through hoops trying to meet the stringent requirements. Seven months into the certification program, with the operating system already released, only nine workstation and nine server products had managed to meet the Windows 2000 application specification.

This application specification for Windows 2000 ensures that compliant products provide users with a more manageable, reliable, and secure experience. Only software that bears the logo is fully equipped to take advantage of features such as Microsoft Software Installer (MSI), component sharing, data and settings management, support for OnNow power management, user interface/accessibility support, and AD. MSI, for instance, permits installation without reboot, as well as comprehensive monitoring of all system installations, minimizing the types of DLL conflicts that occasionally crop up on Windows installs/uninstalls.

The tests for the Certified for Windows 2000 program were conducted for Microsoft by Lionbridge's VeriTest Labs. Initially, third-party software had to comply with each point of a 500-page checklist (for server applications, the checklist is around 200 pages longer). Those applications that met this new specification have been licensed by Microsoft to bear the Certified for Windows 2000 logo.

Although Microsoft issued three levels of certification for Windows 2000, two are mainly cosmetic, with only one having real value. At the bottom of the pile comes Planned, signifying nothing more than the vendor's intention to one day make a product compliant. Next comes the misleadingly titled Ready, which can mean anything from "we believe we are compatible with Windows 2000" to "submitted for approval" to "failed the VeriTest inspection." Officially, however, this designation indicates that the independent software vendor (ISV) has tested the application for Windows 2000 compatibility and will offer Windows 2000-related product support. Unfortunately, some vendors are capitalizing on consumer ignorance by advertising their wares as "Windows 2000 Ready" as though it carries some additional weight. The only classification that can be depended upon, therefore, is Certified, which confirms that the application has met all standards in the Windows 2000 Application Specification, has passed all Windows 2000 compliance testing by both the ISV and VeriTest, and has been approved by Microsoft. Certified is the highest ranking and the only one that matters in product comparison or purchasing.

The value of Certified applications was highlighted in a recent Gartner Group study. Total cost of ownership (TCO) reductions of as much as $1675 per desktop were attributed to exclusive deployment of Certified applications on Windows 2000. Essentially, in creating a strong logo requirement, Microsoft has made the logo valuable to enterprises, which will be able to use certification as a condition for use of that application in the enterprise. Gartner Group states that enterprises that use only applications that conform to the specification have the potential to increase the stability of their systems and lower their TCO.

Microsoft eventually relaxed its hard-line stance with regard to Windows 2000 certification. Prior to the release, it emphasized the value of becoming certified, but after a few months the company toned down its message and appeared happy to have vendors assume the Ready label. This is a shame, as insistence on maintaining a Certified designation, with no Ready category option, would have gone a long way toward completely eliminating the DLL conflicts and inexplicable crashes that once were the bugbears of Windows.

Windows 2000 Advanced Server

Windows 2000 Advanced Server is somewhat similar to Windows NT Enterprise Edition in that it supports clustering and failover. This server operating system is basically designed for business applications and E-commerce. It includes all the features and application availability of Windows 2000 Server, with additional features that make it rugged enough to keep business-critical applications up and running under demanding conditions. It also supports larger numbers of users and data. Advanced Server lets users increase server performance and capacity by adding processors and memory (i.e., scaling up; see Chapter 12). Advanced Server also includes enhanced SMP support and better memory capabilities, with memory scalable up to 8 GB.

Two clustering technologies are available in Advanced Server: cluster service and Network Load Balancing (NLB). Cluster service is used to link individual servers in the performance of common tasks. If one server fails, the workload is shifted to another server. NLB, on the other hand, ensures a server is always available to handle requests. NLB spreads incoming requests among multiple servers linked together to support a specific application. As traffic increases, these servers can scale out to meet capacity needs.

Windows 2000 Datacenter Server

Windows 2000 Datacenter Server is the King Kong of the Windows 2000 family. It offers support for up to 32 processors and up to 64 GB of memory, enhanced native clustering (up to a 4-node server cluster), dramatic reliability improvements, performance that some analysts consider to be on a par with Solaris and other high-end UNIX systems, as well as greater support from the vendor community. It is specifically intended for high-end and data-center applications that demand high levels of availability and scalability. It is ideal for running mission-critical databases, enterprise resource planning (ERP) software, and high-volume, real-time transaction processing.

Before the release of Windows Server 2003, Windows 2000 Datacenter Server was the most powerful and functional server operating system ever offered by Microsoft. It supports up to 32-way SMP and up to 32 GB of physical memory. It provides both 4-node clustering and load-balancing services. Datacenter Server is a good candidate for large-scale server consolidation projects.

According to analysts at D.H. Brown Associates, Inc. (Port Chester, New York), the scalability and reliability improvements introduced in Windows 2000 Datacenter Server helped greatly in narrowing Microsoft's enterprise credibility gap and underscored the Windows platform's price/performance advantages over UNIX. The analyst group believes that Windows 2000 Datacenter Server is especially good for large data warehouses, econometric analysis, large-scale scientific and engineering simulations, and online transaction processing for customers with large-scale server needs.

While many users are attracted to Datacenter Server's server consolidation potential, Microsoft has developed several other ways to soup up its data center operating system. Winsock Direct allows standard Winsock applications to operate in a clustered environment using TCP/IP (Transmission Control Protocol/Internet Protocol) without having to be modified. This boost to system I/O and interprocess communication (IPC) improves response times while allowing more users on the system.

The value of these Windows 2000 Datacenter enhancements has been substantiated in various enterprise tests. For instance, testing of a Datacenter Server cluster on the Transaction Processing Performance Council's TPC-C database benchmark reached a stable peak throughput of 505,303 transactions per minute. During peak throughput, the cluster handled queries and updates from 432,000 simultaneously connected users while maintaining response times of under 2.3 seconds for 90 percent of requests. Dozens of other benchmarks have been done showing similar or even better scores.

Datacenter Server User Study

One company that found success implementing Datacenter Server (with two-node clusters) is FreeMarkets of Pittsburgh, Pennsylvania. FreeMarkets conducts business-to-business online auctions for industrial parts, raw materials, commodities, and services. Over 7000 suppliers in the Americas, Europe, and Asia compete in real time for orders from the likes of BP Amoco, the U.S. Defense Logistics Agency, John Deere, and Alcoa. FreeMarkets' business-to-business (B2B) E-marketplace conducted 1690 auctions of industrial parts during a single quarter, representing $3 billion in goods and services. This was an increase in market volume of 34 percent over the previous quarter and 302 percent over the same period the previous year. The number of hits has soared to over 400,000 on a busy day.

According to the IT director of FreeMarkets, the need for a stable, reliable system with the scalability to keep pace with expansion determined the choice of Windows 2000 Datacenter Server. The company began by replacing NT servers with Datacenter Server. Two-node clusters utilized Compaq ProLiant 8500 machines with 550-MHz processors and 16-GB RAM. Each cluster was attached to a Compaq StorageWorks EMA 12000. One two-node cluster replaced on average about six noncluster NT servers. The company consolidated almost two dozen NT servers onto three Windows 2000 Datacenter Servers.

As FreeMarkets already experienced a 99.999 percent uptime rate, it is difficult to envision a Datacenter implementation improving upon that figure, but, according to the IT director, it is not that simple. In the real world, maintaining that rate required a high degree of system maintenance. On NT, each server received one to two hours of scheduled downtime each month. With almost a dozen machines, that amounts to almost a day of work each month dedicated to keeping system performance at its peak. Due to Windows 2000 Datacenter Server's clustering and load balancing, however, FreeMarkets finds that scheduling downtime for routine maintenance is no longer necessary. Despite a substantial increase in traffic load, the company is using no more than 20 to 25 percent of the CPU power of the Datacenter Server during peak times. The system has also contributed to an increase in IT efficiency of around 20 percent, according to FreeMarkets, with an overall payback for the system of about six months.

In addition to the operating system's stability and reliability enhancements, Datacenter Server's new Process Control tool allows system administrators to tweak system performance by allowing them to assign a process or group of processes to be handled as a single unit. This feature makes it possible to assign or specify limits on system resources for specific applications and processes. The Process Control tool enhances management and allocation of critical server resources. Scheduling priority can be assigned to processes, CPUs can be dedicated to specific functions, and administrators can define how individual processes are handled within clusters. This feature also allows administrators to place a limit on CPU or memory usage for a process or group of processes, which prevents resource-intensive applications from depriving other programs of needed system resources. The Process Control tool was not available on any earlier Microsoft operating system.

Additionally, Datacenter Server has built-in features that enable the system to utilize much larger quantities of RAM than previous Windows versions could support. The Enterprise Memory Architecture (EMA) of Windows 2000 Datacenter Server, for example, increases the Physical Address Extension (PAE) capabilities. Whereas Windows 2000 Advanced Server supports 8 GB of physical memory, Datacenter Server will support up to 64 GB. To help developers fully utilize PAE, Microsoft has developed a new application programming interface called Address Windowing Extensions (AWE). With these APIs, the applications can access 64 GB of memory. The additional physical memory is mapped within an AWE window automatically after four system calls. Loading data into RAM reduces response time that would be slowed by writing and reading the data to and from a page file on the disk.

Unlike earlier efforts by Microsoft to enter the enterprise arena, the Datacenter Server Program is designed as a complete hardware, software, and support service package, as discussed in the previous chapter. It is only available through a partnered dealer and is preloaded on third-party hardware. A rigorous training and certification process is undertaken prior to an OEM becoming licensed to sell and support Datacenter 2000. As a result, the newest Windows 2000 operating system is never going to be on sale in every mom-and-pop computer store in the neighborhood. For certification, an OEM must minimally ensure 99.9 percent uptime for customers and a four-hour response time window, 24/7. OEMs are also responsible for handling updates and change control. Another requirement for the OEM is that it must set up a joint support center that will be staffed by both Microsoft and OEM personnel. In this way, a single point of contact is used for support issues. The call is then routed accordingly for resolution.

Several renewable support/service level agreements are available for the Datacenter program. The idea is for customers to be able to make just one phone call for any problem, whether it is hardware or software related, something that signifies a big change from the old finger-pointing days. But, to enter the higher end, Microsoft had to provide the same level of consolidated service to which UNIX, and especially mainframe customers, have grown accustomed.

Datacenter Server, though, does have some drawbacks. Initial costs are very steep, and it is still a relatively young OS. Below are some important points for those considering Datacenter Server:

  • To achieve higher levels of scalability and reliability, Microsoft has narrowed its areas of compatibility. Rather than providing an operating system that works with a large variety of hardware configurations, its focus is on performance. Thus, it is proving more difficult for hardware/software designers to utilize the breadth of functionality on this OS compared with previous Windows versions.

  • The shortage of available device drivers certified for Windows 2000 Datacenter Server must be taken into account, although this issue is not as critical as it was a couple of years ago. As the product has matured, driver availability has become a relatively minor issue.

  • Many applications may have to be tailored to fully utilize Datacenter Server; however, certified or not, even untailored applications will likely show better performance or stability.

  • It will be difficult to find support resources outside such certified OEMs as Hewlett-Packard and Unisys; however, this is not a problem as long as the service agreement is in force.

In a recent profile, technical research and consulting firm Aberdeen Group, Inc. (Boston, Massachusetts) warned that Datacenter Server will require a large investment in new hardware, software, and services. If IS managers are unprepared to make this financial commitment, then they should not attempt to deploy Datacenter Server. According to Aberdeen, although Datacenter Server solutions beyond eight-way clusters are likely to cost twice that of a cluster with equal processing power, many IS managers are expected to be willing to pay the price. The payback for the high ticket is more processing power for large-scale applications and simpler manageability of multiple distributed systems.

No doubt Datacenter Server is a much-improved product over NT and other versions of Windows 2000; however, prudence would dictate a thorough evaluation of the compatibility of any needed applications before making the jump. When hardware and software manufacturers start designing products that adhere to the strict requirements and better harness the capabilities of Datacenter 2000, the decision to migrate will become much easier to make. Meanwhile, Datacenter Server should be stringently evaluated before jumping into an ill-considered upgrade. Poor planning could turn an envisioned fairy tale into a data center nightmare. But, for those who can comfortably afford the price of admission, Datacenter Server goes a long way toward providing a Windows-based platform that functions well in mid-range and some high-end environments.

The Rigors of Windows 2000 Migration

It is never easy to switch an enterprise over to a new operating system, and Windows 2000 is no different. Such deployments typically take six months to two years to execute, especially where one is implementing Active Directory, the crown jewel of the new operating system, according to Gartner Group. At the same time, Windows 2000 has become the most widely deployed server operating system in the Microsoft arsenal, while still grabbing a big share of the enterprise desktop space. So, while the migration path is not an easy one, many have followed it. What does it take to realize the full benefits of Windows 2000? Essentially, success depends on proper deployment.

One must realize from the outset that the Windows 2000 operating system is a mix of Microsoft technology and many bits and pieces licensed from other vendors. For example, Windows Terminal Services (WTS) is based on technology licensed from Citrix Systems, Inc. (Ft. Lauderdale, Florida), and the Active Directory Migration Tool (ADMT) is licensed from Net IQ Corporation (San Jose, California). Some of these tools are good enough for enterprise use but others are inadequate. In many cases, third-party migration products are a necessity for successful Windows 2000 migrations.

Anyone moving to Microsoft Exchange 2000, for example, is forced to deploy AD, as that system is designed to operate strictly with Active Directory and lacks its own directory. AD compatibility is also a requirement for third-party products applying for Windows 2000 certification. Similarly, Microsoft made AD an integral part of the Windows 2000 network architecture to serve as a single location to store, access, and manage information. This eliminates the multiple user accounts and passwords associated with multiple directories, as well as the duplicative steps and middleware needed to manage them.

Active Directory incorporates a hierarchical, object-oriented structure. Related network objects, such as users, machines, devices, and applications, are grouped in "containers" that are organized in a tree structure. Objects within a container can have attributes assigned to them as a group, rather than individually. For example, all personnel in the engineering department may be given access to a CAD application at the same time. They would share the privileges of any higher containers within which the engineering department is contained. Then, because the engineering department is part of the manufacturing division, if all people in manufacturing have access to the ERP system, anyone in engineering would have access to it. The engineering staff would also have privileges for companywide applications such as e-mail.

When a user is created within a container, that user automatically assumes all its attributes. When someone leaves the company, deleting that person from one location automatically removes each point of access, thus eliminating a common security hole: former employees still being listed within an overlooked directory. Transferring an employee means a drag and drop from one container to another.

Active Directory has several additional advantages over NT's directory. For one thing, it can accommodate many more objects. While an NT domain has a 40,000 object limit, 85 million users have been placed in one AD domain on one server. AD also uses a multimaster structure, as opposed to the Primary Domain Controller/Backup Domain Controller of NT.

Another valuable AD feature is the assignment of limited administrative privileges; that is, a manager can reset employee passwords within one office without having the authority to reconfigure servers. Other features include single logon, remote software installation, remote desktop access, and the ability to access applications from anywhere in the network rather than being tied to a certain machine.

The Three Active Directory States: Native Mode, Mixed Mode, and Parallel Mode

Migration nirvana, when it comes to Windows 2000, is manifested in a state known as native mode. In Windows 2000, few users have attained this hallowed state, which involves complete utilization of AD; most have had to settle for lesser planes known as mixed mode or parallel mode. Following is an explanation of these various states and their default settings:

  • Native mode: Allows all domain controllers to run Windows 2000.

    • Pluses — Native mode offers all the benefits of all AD features.

    • Minuses — Native mode requires upgrade of all domain controllers; once you flip the switch, falling back to mixed mode operation or support for NT domain controllers is not possible.

  • Mixed mode: Supports both Windows 2000 and NT domain controllers under AD.

    • Pluses — Administrators can roll domain controllers back to Windows NT, which is useful when some servers, such as application servers, cannot be upgraded immediately to Windows 2000.

    • Minuses — Advanced features such as universal groups, interdomain group membership, and group nesting are lacking.

  • Parallel mode: Creates separate domains for different groups of servers.

    • Pluses — Parallel mode can operate the Windows 2000 domain in AD native mode without migrating all enterprise domain controllers to Windows 2000.

    • Minuses — Separate domains are difficult to administer and support.

Mixed mode is the default server setting. It is used when only some of the domain controllers have been fully upgraded to Windows 2000, while the rest are still using Windows NT. The switch to native mode is made when all the domain controllers have been upgraded to Windows 2000, at which point all the new Windows 2000 features are available. The third option, parallel mode, involves setting up separate domains running either NT or Windows 2000, which allows the servers in the Windows 2000 domain to be in native mode, but it also requires the added work of running the separate domains.

Unless the enterprise simultaneously migrates all servers to Windows 2000, a risky choice at best, it will have to get used to the idea of spending quite some time in mixed mode. Mixed mode has the advantage of being able to roll the server back to NT when something goes wrong during the migration. But, an organization still will want to minimize mixed mode time as much as possible, because the full benefits of Windows 2000 are not experienced until the network is completely translated into native mode. For example, users cannot take advantage of AD's ability to create universal and nested groups. Similarly, verifying dial-in IDs and applying static routes will not work.

Additionally, mixed mode creates new security problems in terms of administrative privileges for NT domain controllers. One administrator, for example, gave help desk personnel access to the Windows 2000 Admin Tools pack so they could change passwords in AD. Unfortunately, he also inadvertently gave the help desk the ability to manage DHCP scopes and WINS entries on the remaining NT 4.0 servers.

On top of these considerations is the major headache of simultaneously managing and supporting multiple operating systems, separate directories, and different versions of certain applications. For some, mixed mode is a tough place to be, and one they are glad to have behind them.

Beyond native mode and mixed mode is the third AD state, parallel mode, which consists of running separate mixed mode and native mode Windows 2000 domains. Part of the organization can then run in native mode if everything cannot be switched over right away. The drawback is having to maintain separate domains and operating systems. If the goal is to arrive in native mode, get there as quickly as possible.

For these and other reasons, a fast and complete migration, including setting up AD, is generally the best option. Now, let us take a look at the tools used to achieve native mode.

Windows 2000 Migration Tools

To help organizations make the switch, Microsoft has included the ADMT utility with Windows 2000. The lack of enterprise functionality of this tool, however, is demonstrated by the fact that a Giga Information Group survey determined that 70 percent of enterprises using Windows 2000 were having trouble implementing AD. Giga strongly recommended the use of a third-party migration tool to ensure success with the AD migration. After all, ADMT is really just a stripped-down version of Net IQ's Domain Migration Administrator. It can be used for simple migrations, but it lacks features that are part of the full-featured, third-party migration suite. Among these are the ability to model the migration beforehand and ways to efficiently migrate user passwords, exclude disabled/expired accounts, and clean up the security ID (SID) history. If one is migrating anything other than the simplest small network, therefore, it is simpler and less expensive in the long run to purchase a third-party migration tool. The administrative burden incurred by attempting to use the free ADMT tool makes it unwieldy in an enterprise of any size.

What are the choices? In addition to Net IQ, several other vendors offer excellent migration tools. These include Aelita Software Corporation's (Powell, Ohio) Controlled Migration Suite and Quest Software, Inc.'s (Irvine, California) FastLane Suite. Using these tools, of course, means higher migration costs overall. Factor in about $10 extra per user migrated, sometimes a little more.

Making the Transition to Native Mode

Before you purchase migration tools, several steps should be taken to ensure a smooth transition to AD. The first step to native mode is not technical, but organizational. Active Directory will not straighten out fundamentally flawed organizational structures or policies. These must be addressed before proposed changes can be modeled and tested. Next, directories must be prepared for the shift, including clearing out old identities, resolving conflicts, and updating SID histories. Finally, for anything but the simplest organizations, migration to native mode requires migration tools in addition to well-trained resources.

The recommended steps are:

  1. Thoroughly study AD. Various courses and books are available that adequately cover this subject. Newsgroups, user groups, and conferences may also provide the necessary information.

  2. Acquire a consultant experienced in AD migration. So many variables are involved and the repercussions of getting it wrong are so severe that it is best to bring in someone who has been through it all and can advise you on the best way to go about it. Select someone who can provide numerous references who can verify his qualifications and record of success.

  3. Select and install a migration tool that meets your needs. Dozens of these are out there so it is easy to choose the wrong one. Speak to the consultant you bring in as well as current users of the migration tools on your short list, and ask enough questions to determine which tool would work best in your environment. Price is one factor to consider, certainly, but you also want a tool that is robust enough to handle thousands of users with ease during a migration.

  4. Plan the migration. This may involve redesigning aspects of the network or setting new policies. Again, talk to your consultant, speak to those who have been through it, and make the changes that add the most value to both the migration and the organization.

  5. Model and test offline. Roll back failed migration tests and work out what went wrong before proceeding. Many who have been through a native mode transition strongly recommend establishing a test area where everything is piloted prior to executing anything on the corporate systems.

  6. Clean up existing directories. Get rid of old or expired passwords and accounts. This is an essential step — why move these old vulnerabilities to the new system?

  7. Create and populate the AD.

  8. Install Windows 2000 on servers.

  9. Promote domain controllers to native mode when everything is running well.

The above sequence is only a general guide, so be sure to discuss your systems with peers and industry experts and make sure your homework is complete.
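As an added illustration of step 6 (it is not code from the book or from any vendor's migration tool), the following PowerShell script reports the account categories the text says should be cleared out before a move: disabled accounts, expired accounts, accounts with stale passwords, and accounts still carrying a SID history from an earlier migration. It assumes the Active Directory PowerShell module (from RSAT) and a domain-joined session with read access to the directory; the function name, the 90-day threshold, and the output file name are assumptions made here.

```powershell
# Added example, not from the book: pre-migration account hygiene report.
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

function Get-MigrationAccountHygieneReport {
    [CmdletBinding()]
    param(
        # Accounts whose password is older than this are reported as stale
        # (90 days is an assumed threshold; align it with your password policy).
        [int]$StalePasswordDays = 90,
        # Optional OU to scope the search; the default is the whole domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    $now    = Get-Date
    $cutoff = $now.AddDays(-$StalePasswordDays)
    $props  = 'Enabled', 'AccountExpirationDate', 'PasswordLastSet',
              'sIDHistory', 'LastLogonDate'

    # One directory query; classification is done client-side so that a single
    # account can appear under more than one finding.
    $users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties $props

    foreach ($u in $users) {
        $findings = @()

        if (-not $u.Enabled) { $findings += 'Disabled' }

        if ($u.AccountExpirationDate -and $u.AccountExpirationDate -lt $now) {
            $findings += 'Expired'
        }

        # PasswordLastSet is $null when the password was never set or when
        # "must change at next logon" is flagged; both count as stale here.
        if (-not $u.PasswordLastSet -or $u.PasswordLastSet -lt $cutoff) {
            $findings += 'StalePassword'
        }

        # sIDHistory is multi-valued; a non-empty value means the account was
        # already migrated once and should be reviewed before moving it again.
        $sidCount = 0
        if ($null -ne $u.sIDHistory) { $sidCount = $u.sIDHistory.Count }
        if ($sidCount -gt 0) { $findings += 'HasSIDHistory' }

        if ($findings.Count -gt 0) {
            [PSCustomObject]@{
                SamAccountName    = $u.SamAccountName
                DistinguishedName = $u.DistinguishedName
                # LastLogonDate comes from lastLogonTimestamp, which replicates
                # lazily and can lag real logons by up to 14 days.
                LastLogonDate     = $u.LastLogonDate
                SIDHistoryCount   = $sidCount
                Findings          = ($findings -join ',')
            }
        }
    }
}

# Usage: review the CSV with the account owners, then feed only approved
# entries to a disable/delete step rather than deleting straight from here.
Get-MigrationAccountHygieneReport -StalePasswordDays 90 |
    Sort-Object Findings, SamAccountName |
    Export-Csv -Path .\premigration-account-report.csv -NoTypeInformation
```

The report deliberately stops at classification: the text's advice is to remove old accounts before the move, and a reviewed list is the safest input to that removal, since service accounts with old passwords often look identical to abandoned ones.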

Consolidating Directories

Another factor must be taken into account in a native mode migration — the reality of multiple directories. AD will reduce the number of directories, but it will not consolidate everything into one directory; therefore, it is recommended to implement some kind of metadirectory or directory synchronization software to reduce the time and expense involved in manually populating and updating directories. Numerous options are available, such as Microsoft Metadirectory Services (MMS), Novell's DirSync, or Computer Associates' Unicenter TNG Directory Management Option. If Unicenter is already being used, its directory management module may be best, whereas a Microsoft shop might lean toward MMS, just as a Novell NDS business would opt for DirSync. To consolidate directories:

  1. Consolidate or eliminate any excess directories.

  2. Install a metadirectory or directory synchronization tool; this may require restructuring some directories into compatible data structures.

  3. Eliminate "orphan" directories that must be manually updated or, if some are necessary, establish and enforce policies for updating them.

  4. Review security procedures on a regular basis.

Windows 2000 Migration Case Studies

Cincinnati State Technical and Community College

Windows 2000 Active Directory deployments can take much longer than expected. Cincinnati State Technical and Community College, for example, started planning the switch to Windows 2000 and AD in November 2001, before moving 6000 student users over spring break 2002, but the migration for the administration departments was interrupted by a million-dollar storage equipment donation. Cincinnati State configured the new storage first, before consolidating the entire school, including upwards of 8000 students and staff accounts, into a single AD in the fall of 2002. In the interim, the school had a native mode Windows 2000 domain for the students, while the school administration had Windows 2000 application servers running under Windows NT 4.0 domain controllers.

Such time frames are not unusual, as AD migrations take a lot longer than most organizations anticipate, but until all domain controllers are upgraded to Windows 2000, enterprises are in the state of directory limbo known as mixed mode, in which directory features from Windows NT domain controllers remain enabled while new AD features, such as the ability to create universal and nested groups, are unavailable. New security problems arise because administrative privileges held on NT domain controllers remain in effect while the domain operates in mixed mode. AD dial-in options — such as verifying caller ID and applying static routes — will not work. In addition, network administrators must support multiple operating systems, multiple directories, and, in some cases, multiple versions of applications. Due to the complexity of managing mixed mode domains, experienced IT managers say it is best to make the switch as quickly as possible. The proper tools and methodologies can make the transition to native mode faster and easier and help to manage a mixed mode domain.

Cincinnati State received consultant help from Quest Software, Inc. (Irvine, California) to model the college's migration. As a result, the organization set up backup domain controllers (BDCs), replicated the domain structure on these machines, upgraded them to primary domain controller status, and created a duplicate domain. The duplicate domain was used to model different scenarios. This allowed the college to write a comprehensive domain migration plan within a few days.

The college did not utilize Windows 2000's built-in Active Directory Migration Tool utility, as it is primarily designed for simple migrations. Theoretically, it can scale up to 10,000 users, but Cincinnati State did not find it feasible to utilize ADMT. The college initially modeled the change with ADMT then moved to Quest's FastLane tool as it was easier and faster and could scale better. FastLane also included rollback and recovery functionality that proved necessary during the migration. Whenever a mistake was made, it proved relatively simple to roll the system back to a previous state and eliminate the error. ADMT also lacks such features as user password migration, migration modeling, exclusion of disabled/expired accounts, and the ability to clean up the security ID history. Also, it supports only native mode AD servers. If an enterprise wants to consolidate its NT directories in preparation for an AD migration, for example, ADMT will not oblige; a third-party tool, in this case, is essential. AD domain migration and policy-based management tools are must-haves, not options, in many AD migrations. Unfortunately, they are not inexpensive. Some are reported to add about 25 to 30 percent to overall upgrade costs. Others say $10 per user should be added to costs to cover the purchase of migration tools.

CVS Corporation

Managers can reduce the time spent in mixed mode by thorough planning and testing and by using domain migration tools. At least that is the experience of pharmacy retailer CVS Corporation (Woonsocket, Rhode Island). Prior to migrating 5000 workstations and 120 servers at CVS headquarters in 2002, the IS manager set up a lab to test migration. He opted for Controlled Migration Suite by Aelita Software Corporation and used it to model the directory migration before it began. The result was a smooth domain controller transition to Windows 2000 and AD over two weekends followed by an in-place upgrade of other NT servers to Windows 2000 Server. During the process, however, the company discovered a security problem. The account operators group had access to the Windows 2000 administrative tools for password changes, and the IS manager realized that those users were able to create DHCP scopes and WINS entries on NT 4.0 servers. CVS immediately upgraded the servers to Windows 2000 to eliminate the problem.
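As an added example covering the two concerns above (the mixed-mode state described in the case study introduction and the operator-group rights that surprised CVS), and not code from the book or from any vendor product, the following PowerShell function reports whether a domain is still flagged as mixed mode, which domain controllers remain at older operating system levels, and who is actually in the built-in operator groups once nested membership is resolved. It assumes the Active Directory PowerShell module and a domain-joined session with read access; the function name and the list of groups are assumptions made here.

```powershell
# Added example, not from the book: inventory the mixed-mode state and the
# built-in operator group membership discussed in the case studies.
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

function Get-MigrationPrivilegeInventory {
    [CmdletBinding()]
    param(
        # Built-in groups whose members gain rights on servers and directory
        # objects without being Domain Admins (assumed list; extend as needed).
        [string[]]$OperatorGroups = @('Account Operators', 'Server Operators',
                                      'Print Operators', 'Backup Operators')
    )

    $domain = Get-ADDomain

    # ntMixedDomain on the domain naming context is 1 while the domain is in
    # mixed mode and 0 once it has been switched to native mode.
    $ntMixed = (Get-ADObject -Identity $domain.DistinguishedName `
                             -Properties ntMixedDomain).ntMixedDomain

    # Every DC with its OS, so a remaining down-level controller is obvious.
    $dcs = Get-ADDomainController -Filter * |
           Select-Object HostName, OperatingSystem, OperatingSystemVersion, IsGlobalCatalog

    $members = foreach ($g in $OperatorGroups) {
        # Direct members, kept to tell nested (indirect) membership apart.
        $direct = @(Get-ADGroupMember -Identity $g | ForEach-Object { $_.DistinguishedName })

        # -Recursive expands nested groups so indirect members are listed too.
        Get-ADGroupMember -Identity $g -Recursive | ForEach-Object {
            [PSCustomObject]@{
                Group       = $g
                Member      = $_.SamAccountName
                ObjectClass = $_.ObjectClass
                Direct      = ($direct -contains $_.DistinguishedName)
            }
        }
    }

    [PSCustomObject]@{
        DomainName        = $domain.DNSRoot
        DomainMode        = $domain.DomainMode      # domain functional level
        MixedMode         = ($ntMixed -eq 1)
        DomainControllers = $dcs
        OperatorMembers   = $members
    }
}

# Usage: run once before the move and again after each cutover weekend.
$inventory = Get-MigrationPrivilegeInventory
$inventory | Select-Object DomainName, DomainMode, MixedMode | Format-List
$inventory.DomainControllers | Format-Table -AutoSize
# Indirect members are the ones most often overlooked in a review.
$inventory.OperatorMembers | Where-Object { -not $_.Direct } | Format-Table -AutoSize
```

The CVS finding is the reason the membership list resolves nesting: a user who reaches Account Operators through another group holds the same rights on every server that still honors that group, including any NT 4.0 machines left in the domain, whether or not anyone remembers adding them.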

Pioneer Hi-Bred, Inc.

Even the best-laid migration plans sometimes go astray. Despite extensive planning and design, nothing turned out exactly as envisioned by the senior network engineer at Pioneer Hi-Bred, Inc., a biotechnology firm in Des Moines, Iowa. He set up a test lab to review migration tools but was not able to fully model his network's 18 domains and 4000-plus groups and test all the procedures prior to beginning the implementation. He wished he could have done so, but he also realized that until the actual process has begun it is impossible to predict exactly how things will pan out. His company spent many months in the middle of an AD migration that encompassed 5000 users at hundreds of locations. For a long time, Pioneer ran in parallel mode: one NT domain that covered one group of sites and another Windows 2000 domain running AD in native mode for another group. However, this setup led to confusion by creating two structures for controlling shared resources. Security administrators had trouble determining which structure a given user fell under and what groups/object access rights they should have. These issues were eventually resolved using Domain Migration Administrator (DMA) by Net IQ Corporation to manage the changeover.

Mt. Sinai NYU Health: Managing AD in a Hybrid Network

While administering a network in mixed mode can be tough, it gets even more complicated with hybrid networks. Take the case of Mt. Sinai New York University Health (MSNYU), a healthcare organization composed of six hospitals in New York City. It manages a network that includes AD for Exchange 2000, Windows 2000 workstations accessing mainframe applications through IBM's Systems Network Architecture (SNA), and servers running NetWare, as well as a few storage area networks (SANs) and some virtual private networks (VPNs). The MSNYU network contains 6000 workstations, 300 to 400 servers, and 12,000 users spread out among the hospitals. The entire system is tied together with Novell Directory Services (NDS) eDirectory. Because the main applications are mainframe, rather than client/server, and most of the servers are running NetWare, MSNYU does not intend to make the switch to native mode. It uses Novell's DirXML synchronization tool to coordinate the user IDs in AD and NDS so users can enjoy single sign-on. As the organization adds additional products that use AD, it will use DirXML to keep everything in sync. MSNYU also uses bvAdmin by BindView Corporation (Houston, Texas), which provides a single view of an entire network operating on different directories. With this tool, it is possible to manage both NDS and AD trees from a single GUI. BindView can also provide a single management interface for both the Windows NT and 2000 portions of networks undergoing Windows 2000 migrations.

Server Disk Management in a Windows Environment
Year: 2003
Pages: 197