Architectural Improvements in Windows 2000


Architectural improvements in Windows 2000 include changes to the types of server roles available and to the type of domain trusts that are used; new support for devices, Plug and Play (PnP), and power management; and, of course, the addition of the Active Directory service. However, all these changes mean that some existing applications and drivers may not work under the new Windows 2000 architecture.

Domain Controllers and Server Roles in Windows 2000

In Windows 2000, the types of server roles are slightly different from those available under Windows NT. Windows NT 4 servers can have one of four roles: primary domain controller (PDC), backup domain controller (BDC), member server, and stand-alone server.

Windows NT domains are single-master based, with the PDC serving as the master repository for a given domain. All changes to the domain must be carried out by the PDC. BDCs serve as working backups to the PDC and also reduce the load on the PDC by serving client requests themselves. BDCs maintain a current copy of the domain by synchronizing periodically with the PDC and can be upgraded to the PDC if that server fails or is taken out of service.

Member servers are simply Windows NT servers that belong to a Windows NT domain and usually perform file sharing or print sharing or run some other type of server software, such as Web, Domain Name System (DNS), or Dynamic Host Configuration Protocol (DHCP) server software.

Stand-alone servers are Windows NT servers that do not belong to a Windows NT domain and are instead part of a workgroup. It is important to understand that although a stand-alone server doesn't belong to a Windows NT domain, it isn't limited in its duties as a server. It can still act as a DNS, DHCP, or other type of server, but by definition it can't be a PDC or BDC.

The member server and stand-alone server roles are the same in Windows 2000 as in Windows NT, but the PDC and BDC roles are replaced with a single domain controller role. Yes, domains in Windows 2000 are finally multiple-master based, with all Windows 2000 domain controllers acting as peers to one another. Any domain controller can make changes to the domain at will. All domain information is stored in Active Directory, which handles replication between all domain controllers. The trade-off is that Windows 2000 domain controllers cannot exist on a Windows NT domain until the PDC of the domain has been upgraded to Windows 2000. This issue is covered in greater detail later in this chapter, in the section "Planning a Domain Upgrade."

Windows 2000 member servers and stand-alone servers can be promoted to domain controller status, and domain controllers can be demoted to member servers or stand-alone servers without reinstalling the operating system (reinstalling is the only way to demote a BDC under Windows NT). However, as always, it's preferable not to make more role changes than necessary.

Active Directory

Active Directory is probably the most important new feature in the Windows 2000 Server family. It is a scalable, easily administered, and fault-tolerant directory service that is required by Windows 2000 domain controllers and is also recommended for use on Windows 2000 DNS servers. Active Directory is covered in detail in Chapters 10 and 11, so we will address it only briefly in this chapter. It is useful to review a few points before entering into a discussion about upgrading Windows NT domains to Windows 2000.

Active Directory Domains

Although Active Directory doesn't make fundamental changes to the way domains work for end users in Windows 2000, it does introduce some important domain structures that affect the way one should approach domain design. Active Directory, like the directory service in Windows NT, uses domains as the core unit of logical structure. Domains help organize the network structure to match the organization of the company, either politically or geographically. Each domain requires at least one domain controller (and preferably more) to store the domain information, with each domain controller being a master of the domain. See Chapter 3 for more on domain planning.

Windows 2000 domains, unlike Windows NT domains, use DNS names for domain names. Like DNS domains, Windows 2000 domains are hierarchically organized. In Active Directory, hierarchically organized groups of domains with a contiguous namespace are called trees, while groupings of trees with noncontiguous namespaces are called forests.

Sites, Structural Domains, and Organizational Units

Active Directory also introduces the concepts of sites, structural domains, and organizational units. A site is defined as a group of one or more Internet Protocol (IP) subnets that share LAN connectivity. Within a site there can be one or more domains, or a single domain can span multiple sites. See "Planning the Site Topology" later in this chapter for further information.

Structural domains are domains that contain no accounts; they simply serve as a root to lower-level child domains. As such, structural domains make it easy to restructure child domains, and they also make replication between domains easier and faster, as all domains simply replicate with the structural domain, which serves as a sort of replication hub. For a further discussion, see the Real World note "Using Structural Domains," in the section "Planning the Site Topology."

Organizational units (OUs) are very similar to domains in that they are containers for network objects such as user accounts and resources. Unlike domains, however, they do not mark a security boundary, and they don't require domain controllers. OUs in Active Directory provide an excellent way to provide organization within a domain without the need for additional security policies and domain controllers. They can also easily be converted to domains, and domains can easily be converted to OUs, making them very flexible. You'll find more on the uses and creation of organizational units in Chapter 11.

Trust Relationships in Active Directory

Trust relationships complicate life in an enterprise with multiple Windows NT domains. Windows 2000 takes a big step toward simplification, although, as is often the case with improvements, things may get worse before they get better.

Simply stated, a trust relationship is a mechanism by which users in one domain can be authenticated by a domain controller in another domain. Among and between Windows NT domains, all trusts are nontransitive, meaning that each trust is a one-way relationship that must be established explicitly. For two domains to trust each other, two separate trust relationships must be established—one for each direction. A nontransitive trust is also strictly limited. For example, suppose that the domain Finance trusts the domain Administration, and the domain Manufacturing trusts the domain Administration. When nontransitive trusts are involved, this statement tells you only that both Finance and Manufacturing allow the domain controller in Administration to authenticate users. It does not tell you anything about the relationship between Finance and Manufacturing. Nor does it indicate whether Administration, in turn, allows either Finance or Manufacturing to authenticate users. Each trust relationship must be established separately and explicitly.

Windows 2000 allows the concept of transitive trusts. Transitive trusts are always two-way. In addition, when a Windows 2000 child domain is created, an automatic transitive trust is established between the child domain and the parent domain. However, transitive trusts don't enter the picture until all of the Windows NT controllers are removed from the domain and the domain is explicitly switched to native mode. As long as Windows NT controllers are active, the domain is in the default mixed mode, which is necessary for Windows 2000 domain controllers to replicate with Windows NT BDCs. The switch from mixed mode to native mode is discussed later in this chapter.

REAL WORLD  Whom Do You Trust?
The question of transitive trusts arises in large multidomained enterprises. But even there, it's not an issue until all of the Windows NT domain controllers have been permanently removed from a domain. Although there are advantages to having all domains be Windows 2000 domains, it's not necessary to be in a great rush to reach that point. In the meantime, the existing trusts remain in place during the upgrade process, and the only trusts that are added will be the nontransitive ones that you explicitly and deliberately set. This means that if you are creating a new Windows 2000 domain, you will have to manually create trusts with existing Windows NT domains.

Table 7-1 shows the possible trust relationships between different types of domains.

Table 7-1. Trust relationships between domains of different types

                       Windows NT Domain    Windows 2000 Domain    Windows 2000 Domain
                                            (same forest)          (different forest)
---------------------  -------------------  ---------------------  ---------------------
Windows NT Domain      One-way trust*       One-way trust*         One-way trust*
Windows 2000 Domain    One-way trust*       Two-way transitive     One-way trust*
                                            trust only

*A one-way trust can be established in both directions.
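The one-way, nontransitive trusts of the Finance/Administration/Manufacturing example and the two-way transitive trusts of Table 7-1 can be checked mechanically as a small graph search. The following Python is an added illustration, not code from this book or from Microsoft: the Domain record, the native flag, the search, and the sample domains (corp.example, partner.example and their children) are constructed assumptions that follow the chapter's description, and the model deliberately withholds transitive trusts until a domain is in native mode, as the text states.

```python
"""Toy model of the trust semantics this chapter describes: Windows NT one-way,
nontransitive trusts versus Windows 2000 automatic two-way transitive trusts.
Added illustration, not code from the book or from Microsoft; the Domain record,
the `native` flag, the search and the sample domain names are assumptions."""

from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class Domain:
    name: str                       # DNS name (Windows 2000) or NetBIOS-style name (NT)
    os: str                         # "NT" or "W2K"
    forest: Optional[str] = None    # forest a Windows 2000 domain belongs to
    parent: Optional[str] = None    # parent of a Windows 2000 child domain
    native: bool = False            # True once all NT BDCs are gone and native mode is set


class TrustModel:
    def __init__(self) -> None:
        self.domains: Dict[str, Domain] = {}
        # Explicit trusts are stored as (trusting, trusted): one direction only.
        self.explicit: Set[Tuple[str, str]] = set()

    def add_domain(self, d: Domain) -> None:
        # A tree has a contiguous namespace: a child's DNS name sits under its parent's.
        if d.parent is not None and not d.name.endswith("." + d.parent):
            raise ValueError(f"{d.name} is not in the namespace of {d.parent}")
        self.domains[d.name] = d

    def add_one_way_trust(self, trusting: str, trusted: str) -> None:
        """Explicit, nontransitive trust: `trusting` lets DCs in `trusted` authenticate users."""
        self.explicit.add((trusting, trusted))

    def _automatic_link(self, a: str, b: str) -> bool:
        """Automatic parent/child trust: two-way and transitive, but (following the
        chapter) only between Windows 2000 domains of one forest that are both native."""
        da, db = self.domains[a], self.domains[b]
        return (da.os == "W2K" and db.os == "W2K"
                and da.native and db.native
                and da.forest == db.forest
                and (da.parent == b or db.parent == a))

    def can_authenticate(self, trusting: str, trusted: str) -> bool:
        """True if a DC in `trusted` may authenticate users for resources in `trusting`."""
        if trusting == trusted:
            return True
        if (trusting, trusted) in self.explicit:
            return True          # direct explicit trust; it is never extended further
        # Otherwise only a chain of automatic transitive trusts can connect the two.
        seen, stack = {trusting}, [trusting]
        while stack:
            cur = stack.pop()
            for other in self.domains:
                if other not in seen and self._automatic_link(cur, other):
                    if other == trusted:
                        return True
                    seen.add(other)
                    stack.append(other)
        return False


def build_sample() -> TrustModel:
    """Constructed sample: the chapter's three NT domains plus two Windows 2000 forests."""
    m = TrustModel()
    for n in ("Finance", "Administration", "Manufacturing"):
        m.add_domain(Domain(n, "NT"))
    m.add_one_way_trust("Finance", "Administration")
    m.add_one_way_trust("Manufacturing", "Administration")

    m.add_domain(Domain("corp.example", "W2K", forest="corp.example", native=True))
    m.add_domain(Domain("hr.corp.example", "W2K", "corp.example", "corp.example", native=True))
    m.add_domain(Domain("eng.corp.example", "W2K", "corp.example", "corp.example", native=True))
    # A child still in mixed mode: no transitive trust reaches it yet.
    m.add_domain(Domain("lab.corp.example", "W2K", "corp.example", "corp.example", native=False))
    # A second forest: only explicit one-way trusts are possible across forests.
    m.add_domain(Domain("partner.example", "W2K", forest="partner.example", native=True))
    m.add_one_way_trust("eng.corp.example", "partner.example")
    return m


if __name__ == "__main__":
    m = build_sample()
    for pair in [("Finance", "Administration"), ("Administration", "Finance"),
                 ("Finance", "Manufacturing"), ("eng.corp.example", "hr.corp.example"),
                 ("eng.corp.example", "lab.corp.example"),
                 ("eng.corp.example", "partner.example"), ("partner.example", "eng.corp.example")]:
        print(f"{pair[0]:>18} trusts {pair[1]:<18}: {m.can_authenticate(*pair)}")
```

Running the script prints one line per pair; the Finance/Administration pair is true in only one direction, Finance and Manufacturing never trust each other, the two native child domains of corp.example reach each other through their parent, the mixed-mode child is unreachable, and the cross-forest trust works only in the direction that was explicitly set.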

Hardware Support

Without dispute, Windows NT has always been very particular about hardware. Users of Windows 95 and Windows 98 have long enjoyed broad device driver support, PnP, Power Management, IEEE 1394 (Firewire), and Universal Serial Bus (USB)—the latter in Windows 95 OSR 2.1 and Windows 98. Windows NT users essentially lack all of the above, although they have had other advantages.

Windows 2000 introduces top-of-the-line support for PnP, USB, IEEE 1394 (Firewire), and Advanced Configuration Power Interface (ACPI) device configuration and power management. Device support is also vastly improved, although Windows 2000 still supports fewer devices than Windows 95/98. (There are exceptions, such as printer support. Almost all printers supported under Windows 98 and Windows NT 4 are supported in Windows 2000.) In most cases, if the device was supported under Windows NT 4, it will be supported under Windows 2000. However, the same is not always true for Windows 95/98, so check the Hardware Compatibility List (HCL) or contact the device manufacturer to determine whether the device is supported under Windows 2000.

An up-to-date, ACPI-compatible BIOS is required for full use of PnP and Power Management. Legacy Advanced Power Management (APM) and PnP BIOSs are supported, but their features are limited.

Device drivers in Windows 2000 have changed to enhance system stability and to increase the number of devices supported. The Win32 Driver Model (WDM) is now supported, enabling many drivers to work interchangeably with Windows 2000 and Windows 98. Device Driver Signing is also supported, and drivers that haven't been tested and digitally signed by Microsoft trigger an alert when installed. (Administrators can also create policies preventing unsigned drivers from being installed.) Changes have also been made to the driver model to prevent system instability and to facilitate PnP and Power Management, which unfortunately prevents some Windows NT drivers from working in Windows 2000. In addition, power management and PnP aren't available with Windows NT 4 drivers.

As in Windows NT 4, device drivers written for Windows 95, Windows 3.x, or MS-DOS will not work in Windows 2000.

Software Support

Software support is an area in which Windows 2000 has some compatibility issues. Like Windows NT 4, Windows 2000 may experience compatibility problems with MS-DOS and Windows 3.x programs (especially any that directly access the hardware). Windows 95/98 applications that don't explicitly support Windows NT or Windows 2000 may also run into problems. Nearly all Windows NT 4 applications run under Windows 2000.

Upgrading an existing Windows 95/98-based system presents additional complexities because vendors often have different versions of their software for Windows 95/98 and Windows NT/2000, or because the same application is installed differently depending on the operating system involved. Consequently, many applications require vendor-provided migration files (upgrade packs) during the operating system upgrade.

Microsoft Windows 2000 Server Administrator's Companion, Vol. 1
ISBN: 1572318198
Year: 2000
Pages: 366