Ken Van Voorhees
Hewlett-Packard
The Windows 2000 family of tools and operating systems is central to Microsoft's strategy for the enterprise. Microsoft products have historically competed for the PC desktop and department file server. MSDOS, Windows 3.x, NT versions up through 4.0 have been an important and growing component of nearly every large organization's computing infrastructure.
Despite Windows' successes on the desktop, most organizations have been reluctant to host mission-critical applications on NT. Many would argue that NT does not have the scalability, reliability or manageability essential to mission-critical enterprise applications. For a variety of reasons, many if not most enterprise applications are on UNIX and proprietary mini or mainframe computing architectures.
The enterprise represented a substantial new-business growth opportunity for Microsoft. Keys to success in this environment would have to include answers to customer concerns as well as credibility as a provider of enterprise solutions. These are provided in part by the new features built into Windows 2000 and in part by the successes of Microsoft's Exchange messaging application. Microsoft Exchange has been increasingly found handling the messaging needs of many large organizations. Exchange can arguably be said to represent Microsoft's foothold in the enterprise market. This is relevant because many of the key advances of Windows 2000 leverage the work done in Microsoft Exchange. Combined with key technologies from Exchange, Microsoft adopted and extended many of the technologies of the Internet to bolster scalability, security and interoperability of Windows 2000. In addition, Microsoft created tools to address many of the support issues normally associated with Windows NT. Remote installation of OS and applications, remote management of computers and users, patch, driver and service pack management, network management and security issues of wide area networking were all factors leading to the current set of tools and technologies associated with Microsoft Windows 2000.
So just what is Windows 2000? Win2K is a family of operating systems and tools targeted at the needs of Internet-connected large enterprises. There are four members:
· Windows 2000 Professional: An upgrade for Windows NT Workstation. Supports up to 2 processors.
· Windows 2000 Server: Fills the role of "member server". Supports up to 4 processors.
· Windows 2000 Advanced Server: A domain controller. Supports up to 8 processors and 32 GB of main memory. Also supports clustering.
· Windows 2000 Datacenter Server: A new category, supports up to 32 processors and 64 GB of main memory. Intended to host data warehousing applications.
The minimum hardware required to run Win2K Professional is a Pentium 166 with 32 MB of memory and 685 MB of free disk space. The minimum for Win2K Server (for five users) is a Pentium 166 with 64 MB of memory and 685 MB of disk space. It's good to keep in mind that these represent Microsoft minimums, below which the OS is not supported. Recommended configurations should start at approximately twice the above capacities.
There are many equally valid ways to divide up such a vast topic. I tried to keep this as simple as possible. The remainder of this paper is in two sections: New Choices for Organizing Your Network and New Tools for Network Administration. Subtopics are further divided into sections on "What's New", "Migration Issues" and "Best Practices". It's hoped that this simple partitioning of the subject and subset of Windows 2000 features will ease your transition to this new operating system.
New Choices for Network Organization
What's New
Active Directory and Directory Services
AD combines the information source (directory) with a set of functions enabling administrators to define, arrange and manage directory objects such that they are available to users and applications. There are three main criteria for the design of Active Directory:
· AD organizes the directory into sections, making possible millions of objects.
· Through use of a common, editable schema, new types of objects can be added. The Schema is a set of definitions for AD objects. The Schema also makes it possible to add or modify attributes of existing objects.
· All AD names are compliant with the DNS RFCs. DNS is used as the name service for AD. This integration makes possible the exchange of information between AD and other directory services which support LDAP v2 and v3. AD uses LDAP to share information between directories and applications.
One of the single most important new developments in Microsoft Windows 2000 is Active Directory. AD is a hierarchical database of objects and containers representing network resources and how they are organized for administration. AD takes a very "object oriented" view of all the elements of a network. Everything in the network is abstracted into some kind of object. Objects follow "object oriented" principles of inheritance. Objects are organized by placing them in containers. Containers can be nested, i.e. one container can contain or be contained by some other container. The entire arrangement of objects, object attributes, classes and containers is described in the Schema.
Consider some examples. AD comes with several default objects and classes. One class of objects is "Users". Whenever an Administrator adds a new user to the Active Directory, she is "instantiating" an object of the "Users" class. This class of objects has several "properties" or "attributes" such as username, password, home directory and so forth. Another object might be a network printer. This would be a member of the "Printers" class and have properties such as "Name", "IP Address", "Make and Model" and "Location". Yet another object could be a computer. The computer's properties might be such things as "Processor", "Name", "OS Version" etc.
Active Directory name formats
There are essentially four different name formats supported by AD: RFC 822, HTTP URL, UNC and LDAP URL. Here are some examples:
· RFC 822: ken@vanvoorhees.com
· HTTP URL: http://vanvoorhees.com/path-to-page
· UNC: \\vanvoorhees.com\xl\budget.xls
· LDAP URL: ldap://servername.vanvoorhees.com/CN=kvanvoorhees, OU=sys, OU=product, OU=division, DC=development
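The LDAP URL is the format administrators and scripts will most often have to pick apart, because the distinguished name inside it encodes both the object's position in the OU hierarchy and, through its DC= components, the DNS domain that AD name resolution will use. The following is an added example, not code from the paper or from Microsoft: it splits an LDAP URL into host, port and DN, orders the OU path top-down and derives the DNS domain. The sample URLs are constructed; port 3268 is the LDAP port on which a Global Catalog Server answers, and the paper's own example URL is parsed as well.

```python
from urllib.parse import urlsplit, unquote

# Added example (not from the paper): parse an LDAP URL into its parts and
# derive the DNS domain spelled out by the DC= components of the DN.
LDAP_PORT = 389
GLOBAL_CATALOG_PORT = 3268   # a Global Catalog Server listens for LDAP here


def split_dn(dn):
    """Split a DN into RDN strings, keeping backslash-escaped commas intact."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escape pair, copy verbatim
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    rdns.append("".join(buf))
    # whitespace after the separating comma is tolerated, as in the paper's example
    return [r.strip() for r in rdns if r.strip()]


def parse_dn(dn):
    """Return [(ATTR, value), ...] ordered most specific first (CN before DC)."""
    pairs = []
    for rdn in split_dn(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError("malformed RDN: %r" % rdn)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def parse_ldap_url(url):
    """Break an ldap:// URL into host, port, DN, OU path and DNS domain."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "ldap":
        raise ValueError("not an ldap:// URL: %r" % url)
    dn = unquote(parts.path.lstrip("/"))      # %20 etc. are URL-encoded in the path
    rdns = parse_dn(dn)
    port = parts.port or LDAP_PORT
    return {
        "host": parts.hostname,
        "port": port,
        "global_catalog": port == GLOBAL_CATALOG_PORT,
        "dn": dn,
        "rdns": rdns,
        # DC components, read left to right, spell the DNS domain name
        "dns_domain": ".".join(v for a, v in rdns if a == "DC"),
        # OU components are listed innermost first in the DN; reverse for top-down
        "ou_path": [v for a, v in rdns if a == "OU"][::-1],
    }


if __name__ == "__main__":
    # constructed sample: a user object reached through a Global Catalog port
    sample = "ldap://dc1.mycompany.com:3268/CN=Jane%20Doe,OU=AP,OU=Accounting,DC=mycompany,DC=com"
    for key, value in parse_ldap_url(sample).items():
        print("%-15s %s" % (key, value))
```

The OU path comes out top-down ("Accounting", then "AP"), which is the order in which Group Policy will later be applied to the object, and the DNS domain is exactly the name a Windows 2000 client would resolve to find a domain controller.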
As the number of objects increases, there is a need to organize them for administration. NT 4.0 organized network resources into several different Domain Models. Single Domain, Master Domain, Resource Domain and others were originally devised to make administration of large numbers of users manageable. These multiple domain models were also necessary to work around the fact that NT 4.0 domains couldn't contain over 40,000 computers or accounts. (The NT 4.0 Security Accounts Database couldn't be over 40 MB in size.) Since many organizations had much larger numbers of accounts, they had to be divided into multiple domains. The AD database can be up to 17 Terabytes in size. This represents a theoretical limit of ten million objects. It has been tested above one million.
The implication for network administrators is that even the largest organization can be contained within a single Windows 2000 domain. Windows 2000 capacity limits are no longer a consideration in deciding what kind of domain structure to implement. It's now possible, and probably desirable, for administrators to consider collapsing existing multiple NT domain structures into a single Active Directory Domain. Now decisions regarding domain structures are driven by issues around whether it's necessary to have separate security domains for different parts of an enterprise.
· Rethink the logical design of your network. Consider how Organization Units might be used in place of Resource Domains. What are the business drivers behind your existing network architecture and how has that architecture been affected by NT 4 directory limitations?
· What is your network administrative model? Determine how OU’s might help delegate some administrative tasks.
AD Logical Structure: DNS Domains, Organization Units, Domain Trees and Forests
An interesting and important shift in Microsoft's strategy is to incorporate open standards in the core functionality of its network products. While maintaining legacy support for the proprietary NT LAN Manager (NTLM) network security protocol and NetBIOS naming conventions, Windows 2000 provides full support for a number of open industry standards such as Kerberos and Secure Sockets Layer (SSL), as well as DNS name resolution services. The domain is central to the logical structure of Active Directory. The domain forms the security boundary within a Windows 2000 network. The domain administrator has rights to perform administration only within her "home" domain. Administrators can perform administration in other domains only if explicitly granted that right.
Windows 2000 uses DNS naming for objects on the network. The use of Fully Qualified Domain Names (FQDN) for objects in the Win2K network brings the Microsoft network in line with Internet naming and consistent with current trends in the industry on domain structures, directory services and security. In addition to using DNS for the name service, Win2K extends the domain model by implementing domain trees and domain forests.
Within a domain, it's often helpful to organize network resources to simplify and delegate administration. Organization Units (OU's) are intended for this purpose. Similar to NT 4.0 "Resource Domains", OU's are collections of network resources that are administered locally. OU's can contain any kind of AD object. Users, computers and printers are commonly collected into an OU structure that mirrors the company's administrative model or organizational structure. An OU structure based on the administrative model might collect all users into one OU and all printers into another. A structure based on the corporate organization might put the Marketing Department's users, computers and printers into one OU and the Accounting Department's users, computers and printers into another. The enterprise architect is free to structure OU's according to greatest administrative convenience. In implementing OU's, try to construct them according to categories which will stay relatively stable, i.e. avoid OU's for transient projects or taskforces.
An important characteristic of OU's is the ability to delegate administrative control of objects and attributes within the OU. E.g. one user could be assigned the rights to add or delete users while another could be given the right to only modify e-mail information for users.
Simply put, a domain tree is a logical structure of a single parent, or root, domain associated with any number of child domains, all having a contiguous namespace. An example of a domain tree could include the domain mycompany.com as the parent. Child domains of mycompany.com could be sales.mycompany.com and market.mycompany.com. Below these one could create america.sales.mycompany.com and asia.sales.mycompany.com. Kerberos two-way transitive trusts are implemented among all domains in the tree. A user authenticated in any domain in the tree would have controlled access to resources in any other domain. All domains within a tree share a common Schema and Global Catalog. The Schema is a formal set of definitions for every object within the Active Directory, including domain objects. The Global Catalog is a searchable database of selected attribute information about every object in Active Directory.
Sometimes it is not possible or desirable for domains to maintain a contiguous namespace, yet they still need a common Schema and Global Catalog. This is accomplished using domain forests. In a forest, the root domain of each tree is connected by a two-way transitive trust to the root domain of every other tree. Thus the domain tree hp.com could be connected to newco.com to form a forest. The two trees would have independent namespaces but could still share applications and objects with one another.
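The two rules the preceding paragraphs state, that a child domain's name must extend its parent's name by exactly one label and that trusts are two-way and transitive within a tree and between tree roots, are easy to get wrong when sketching a multi-domain design on paper. The following is an added example, not code from the paper or from Microsoft: a small model of trees and forests that rejects a non-contiguous child and answers "does domain A reach domain B through the trust chain?" by walking the trust graph. Domain names are constructed; it follows the paper's description of root-to-root trusts and is not a model of how Windows 2000 stores trust objects internally.

```python
from collections import deque

# Added example (not from the paper): model domain trees and a forest.
# A tree is a contiguous DNS namespace; every parent/child pair holds a
# two-way transitive trust, and every pair of tree roots is linked as well,
# so any domain in the forest can reach any other through some trust path.


class Forest:
    def __init__(self):
        self.roots = []
        self.trusts = {}          # domain -> set of directly trusted domains

    def _link(self, a, b):
        """Record a two-way trust between a and b."""
        self.trusts.setdefault(a, set()).add(b)
        self.trusts.setdefault(b, set()).add(a)

    def add_tree(self, root):
        """Start a new tree; its root is trusted by every other tree root."""
        if root in self.trusts:
            raise ValueError("domain already in forest: " + root)
        self.trusts.setdefault(root, set())
        for other in self.roots:
            self._link(root, other)
        self.roots.append(root)

    def add_child(self, parent, child):
        """Add a child domain whose name must be <label>.<parent>."""
        if parent not in self.trusts:
            raise ValueError("unknown parent domain: " + parent)
        if child in self.trusts:
            raise ValueError("domain already in forest: " + child)
        head, sep, tail = child.partition(".")
        if not sep or not head or tail != parent:
            raise ValueError("%s is not a contiguous child of %s" % (child, parent))
        self._link(parent, child)

    def trust_path(self, a, b):
        """Domains traversed from a to b via transitive trusts, [] if none."""
        if a not in self.trusts or b not in self.trusts:
            return []
        prev, queue = {a: None}, deque([a])
        while queue:
            cur = queue.popleft()
            if cur == b:
                path = []
                while cur is not None:
                    path.append(cur)
                    cur = prev[cur]
                return path[::-1]
            for nxt in sorted(self.trusts[cur]):
                if nxt not in prev:
                    prev[nxt] = cur
                    queue.append(nxt)
        return []

    def trusts_domain(self, a, b):
        return bool(self.trust_path(a, b))


if __name__ == "__main__":
    # constructed forest: the paper's mycompany.com tree plus a second tree
    f = Forest()
    f.add_tree("mycompany.com")
    f.add_child("mycompany.com", "sales.mycompany.com")
    f.add_child("mycompany.com", "market.mycompany.com")
    f.add_child("sales.mycompany.com", "america.sales.mycompany.com")
    f.add_tree("newco.com")
    print(" -> ".join(f.trust_path("america.sales.mycompany.com", "newco.com")))
```

The path length is worth looking at when planning: a user in america.sales.mycompany.com reaching a resource in newco.com crosses three trust hops, each of which is a Kerberos referral to another domain's controllers, which is one reason the paper later recommends a domain controller and Global Catalog Server at every site.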
The logical structures made possible by Active Directory have major implications for how Windows 2000 networks are organized. There are also important implications for migration from NT 4 to Windows 2000.
The new domain and OU structures, coupled with the capacity of AD to hold over one million objects, free the network architect to create a network organization independent of the constraints of the network operating system. Past domain models such as Master Domain and Multi-Master Domain were often a result of the 40,000-account limit of NT 4.0. With these new structures, it's possible for the largest NT 4.0 multiple domain model to be collapsed into a single Windows 2000 domain. Resource domains can be migrated into OU's. Network administration can be delegated in a highly granular way.
Using DNS as the name service for Active Directory has many positive implications. One challenge, however, will be the NetBIOS names of existing computers. DNS names are constrained in the characters that they may use. There is no support, for example, for the underscore character in a DNS name. One issue therefore will be how to translate existing NetBIOS names to RFC 1123-compliant DNS names.
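Before deciding between renaming machines and relaxing DNS character checking, it helps to know how many names are actually affected and whether mechanical renaming would produce duplicates. The following is an added example, not code from the paper or a Microsoft tool: it tests each name against the RFC 1123 host-name label rules (letters, digits and hyphens only, no leading or trailing hyphen, at most 63 characters), proposes a compliant replacement for the ones that fail, and refuses a plan in which two machines would collapse onto the same DNS name. The computer inventory and the DNS suffix are constructed.

```python
import re

# Added example (not from the paper): find NetBIOS computer names that are not
# valid RFC 1123 host-name labels and propose a compliant rename for each.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_dns_label(name):
    """True if name is a single RFC 1123 host-name label."""
    return bool(LABEL_RE.match(name))


def to_dns_label(name):
    """Map a NetBIOS name onto an RFC 1123 label.

    Every character outside [A-Za-z0-9-] (underscore, space, $, # ...) becomes
    a hyphen, runs of hyphens collapse, edge hyphens are trimmed, and the
    result is cut at 63 characters.
    """
    label = re.sub(r"[^A-Za-z0-9-]", "-", name)
    label = re.sub(r"-+", "-", label).strip("-")[:63]
    if not label:
        raise ValueError("no usable characters in %r" % name)
    return label


def plan_renames(names, dns_suffix):
    """Return {old NetBIOS name: proposed FQDN} for names that must change.

    DNS is case-insensitive, so two names that differ only in case or only
    in which disallowed character they used would collide; that is an error
    the administrator has to resolve by hand rather than something to guess.
    """
    plan, taken = {}, set()
    for name in names:
        label = name if is_dns_label(name) else to_dns_label(name)
        key = label.lower()
        if key in taken:
            raise ValueError("rename collision on %s (from %s)" % (label, name))
        taken.add(key)
        if label != name:
            plan[name] = label + "." + dns_suffix
    return plan


if __name__ == "__main__":
    # constructed inventory with typical NetBIOS-only characters
    inventory = ["PRINTSRV01", "ACCT_PAY1", "HR PC#3", "SALES$BOX"]
    for old, new in plan_renames(inventory, "mycompany.com").items():
        print("%-12s -> %s" % (old, new))
```

Names that already pass are left out of the plan, so the size of the returned dictionary is the number of systems that must either be renamed or be served by a DNS that accepts non-RFC 1123 characters.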
It is also possible to design a network of multiple domains, organized into trees and forests according to the needs of the business.
· For each NT 4 domain create or select a Backup Domain Controller (BDC) that can be taken off line and kept separate from the network. Synchronize this BDC and take it offline. Keep it separate from the network to be used as a method of reversing the migration to Windows 2000 "Native Mode".
· The first step of Windows 2000 Migration is to plan the domain and OU structures that the organization will ultimately need.
· Base OU's on stable aspects of the network, e.g. buildings or geography.
· Set up a lab for testing the migration. This lab should model the production environment without being connected to it.
· Replace all 16-bit device drivers with 32-bit versions.
· Upgrade all the NT 4 Primary Domain Controllers (PDC's) to Windows 2000 operating in "Mixed Mode".
· Try to keep the Active Directory database on a separate physical disk drive.
· Upgrade each of the BDC's to Windows 2000.
· Using service packs and add-ons, make each network client "Active Directory" aware.
· Switch the Windows 2000 PDC to "Native Mode".
· If desired, move resources from old "Resource Domains" to OU's designed for this purpose. Remove the resource domains.
· Evaluate the existing Net BIOS name space. Determine the tradeoffs between renaming systems and implementing full Unicode character support on DNS services.
AD Physical Structure: Sites, Domain Controllers and Global Catalog Servers
One of the challenges faced by network administrators of wide-area NT 4 domains was managing replication across slow links. This was due, in part, to the fact that there was no easy means of separating the logical and physical structures of NT 4. Windows 2000 makes it possible to configure the physical and logical aspects of the network separately. The physical arrangement of computers can typically be described as multiple groups of systems. Each group is characterized by high-speed network connections. These groups are typically connected to one another by some slower (and more expensive) long-distance connection. Windows 2000 calls these groups "Sites". A site is generally characterized by an available average bandwidth of 128 Kbps (some have said 512 Kbps) or higher.
Site structure is independent of AD logical structures. Sites can contain computers from multiple domains and a single domain can contain multiple sites. The purpose of sites is to optimize network replication and logon traffic.
Other aspects of Windows 2000 physical structure include the number and placement of Domain Controllers (DC's) and Global Catalog Servers (GCS's). A DC contains a read/write copy of the AD. Note that here we no longer have PDC's and BDC's. All DC's are equal and use multi-master replication to keep the directory database in sync. A GCS is a DC containing a copy of the Global Catalog. Every site should contain at least one DC and one GCS. This will minimize the amount of logon and resource lookup traffic crossing long-distance connections.
The main implication of AD physical structure, and of the ability of network administrators to configure sites, is that the management of replication and logon traffic just got a lot easier. Configuring a site and placing a domain controller in that site assures the network administrator that all logon traffic will go to the site-local domain controller. And by explicitly configuring the site connection object, directory replication traffic can be set to take maximum advantage of long-distance cost functions.
· Organize your computers into sites. Configure the site connections to make optimum use of long distance connections.
· Place one or more Domain Controllers at each site.
· Place a Global Catalog Server at each site.
New Tools for Network Administration
Group Policy Objects
What's New
One of the nicest administrative features of Windows 2000 is the Group Policy Object. Very similar in function to the "System Policies" of NT 4, group policies allow administrators to apply policy to users or computers within sites, domains or OU's. Group policies can be applied to:
· Administrative Templates: Registry-based policy settings (most similar to the NT 4 System Policies).
· Security: Options for changes to the local computer, domain and network.
· Software: Central management of software installation, management and removal.
· Scripts: Scripts for computer startup and shutdown as well as user logon and logoff.
· Folder Redirection: Mechanism for specifying a network location for user home folders.
Group Policy Objects can be created in two different ways: through the "Active Directory Users and Computers" MMC snap-in or, for site GPO's, through "Active Directory Sites and Services". In either case, the idea is to select the appropriate "container" (domain, OU, site or object), drill down to its properties and then to the Group Policy tab for that object. On the Group Policy tab there will be a "New" or "Add" option.
GPO's attach to containers: domains, OU's and sites. The default behavior of GPO's is to propagate down through all child containers and objects of the parent. This is the key to efficient and highly granular administration.
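Because GPO's propagate down the site, domain and OU hierarchy, the effective policy on any one computer or user is the result of every GPO linked above it, with the ones linked closest to the object applied last. Working that out by hand for a deep OU tree is error-prone, and it is exactly the question an auditor asks when a setting turns out to be weaker than the domain baseline. The following is an added example, not code from the paper or from Microsoft: a small model that records GPO links on sites, a domain and OUs, computes the application order for an object, and reports which GPO won each setting. All container, GPO and setting names are constructed; GPOs linked to the same container are applied in the order they were linked here, whereas the real console exposes an explicit link order, and the model does not cover inheritance blocking or enforcement.

```python
# Added example (not from the paper): resolve effective Group Policy by
# applying GPOs in site, domain, OU (top-down) order; later settings win.


class PolicyTree:
    def __init__(self, domain):
        self.domain = domain
        self.parent = {}        # OU -> parent OU or the domain name
        self.links = {}         # container (site, domain or OU) -> [(gpo, settings)]
        self.objects = {}       # user or computer -> (site, container)

    def add_ou(self, ou, parent):
        if parent != self.domain and parent not in self.parent:
            raise ValueError("unknown parent container: " + parent)
        self.parent[ou] = parent

    def link_gpo(self, container, gpo, settings):
        """Link a GPO (a dict of setting -> value) to a site, domain or OU."""
        self.links.setdefault(container, []).append((gpo, dict(settings)))

    def place(self, obj, site, container):
        if container != self.domain and container not in self.parent:
            raise ValueError("unknown container: " + container)
        self.objects[obj] = (site, container)

    def scope(self, obj):
        """Containers whose GPOs apply, in application order: site, domain, OUs top-down."""
        site, container = self.objects[obj]
        ous = []
        while container != self.domain:
            ous.append(container)
            container = self.parent[container]
        return [site, self.domain] + ous[::-1]

    def resolve(self, obj):
        """Return (effective settings, which GPO@container set each one)."""
        effective, winner = {}, {}
        for container in self.scope(obj):
            for gpo, settings in self.links.get(container, []):
                for key, value in settings.items():
                    effective[key] = value          # closer to the object overrides
                    winner[key] = "%s@%s" % (gpo, container)
        return effective, winner


if __name__ == "__main__":
    # constructed directory: one domain, two OUs, a nested OU and one site
    t = PolicyTree("mycompany.com")
    t.add_ou("Accounting", "mycompany.com")
    t.add_ou("AP", "Accounting")
    t.add_ou("Marketing", "mycompany.com")
    t.link_gpo("HQ-Site", "SiteDefaults", {"lock_after_min": 30})
    t.link_gpo("mycompany.com", "CorpBaseline", {"lock_after_min": 15, "wallpaper": "corp.bmp"})
    t.link_gpo("Accounting", "AcctLockdown", {"lock_after_min": 5, "removable_media": "deny"})
    t.place("AP-PC-07", "HQ-Site", "AP")
    effective, winner = t.resolve("AP-PC-07")
    for key in sorted(effective):
        print("%-16s = %-10s (from %s)" % (key, effective[key], winner[key]))
```

The winner map is the useful output: when a machine in AP is found with a five-minute lock instead of the fifteen-minute corporate baseline, it names AcctLockdown linked at Accounting as the cause without anyone having to click through three sets of properties pages. It also shows why the paper advises linking GPO's high in the hierarchy: a setting on the domain reaches Marketing and Accounting alike and only needs overriding where a department genuinely differs.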
The most important implication of Group Policy Objects is that, with Windows 2000, network administrators have much more flexibility in configuring and controlling their users' experience with the network. It also means that, through delegation, administrators can allow down-level administrators or users to control many aspects of their computing environment without causing harm to the rest of the network.
· Use GPO's to configure the user and computer object consistent with organization business and security policies.
· Delegate administration as close as possible to the resource.
· Place GPO's high in the Site-Domain-OU inheritance hierarchy.
More a toolbox than a tool, the Microsoft Management Console is a container for component tools called “snap-ins”. The MMC can be started empty, in “author mode”. Microsoft and third-party snap-ins are then added to determine this console’s functionality. Think of the Handyman who has a different toolbox for different kinds of repair job. For plumbing work, he has a toolbox with pipe wrenches, plumber's putty, Teflon tape and a pipe cutter. For electrical work, he has another toolbox. This one contains electrical tape, a voltmeter, a wire stripper, several sizes of wire nuts and a special new hot wire tester. This is the logic behind Microsoft’s Management Console. If one is working on some aspect of Active Directory, there’s no likely need for a hard disk partitioning tool. Notice also that MMC’s are customizable through the addition of third-party snap-ins. For example, Hewlett-Packard provides a very nice “Manage X” MMC snap-in. Other companies will also provide a host of specialty MMC snap-ins. This variety of tools that can be unified with the MMC “toolbox” provides network administrators with increased flexibility in creating tools to manage their networks.
Once the MMC has been assembled, it can be saved in “user mode”. This user mode MMC can be limited in functionality and in who has rights to use it. This ability to limit administrative functionality and use of a toolset is another aspect of the “delegated administration” model possible with Windows 2000.
Much of the functionality contained in NT’s “Administrative Tools” has been encapsulated and extended in the MMC. The migration issue with MMC’s is a new administrative paradigm. Administrators must rethink all their current tasks and determine what can be delegated and to whom.
· Create MMC’s to delegate non-critical administrative tasks.
· Customize these MMC’s to delegate only those tasks that are consistent with the organization’s administrative and security policies.
· Continually scan the environment for new third-party snap-ins that would be a good addition to one or another MMC “toolbox”.
Distribution and maintenance of software is a big issue in many organizations. Troubleshooting and reinstallation of corrupted applications take up a fair amount of administrators’ time. Win2K software deployment is designed to address these customer issues.
There's a great deal of new technology surrounding Windows 2000 and software distribution. Microsoft views application software as having a four-stage life cycle: preparation, deployment, maintenance and removal. Win2K software distribution technology mirrors this partitioning.
Installation starts with a Windows Installer package (.msi file). The Windows Installer package replaces "setup.exe" and allows demand-based installation, "resilient applications" and clean application removal. There are versions of the Windows Installer for Windows 95, Windows 98 and NT 4.
Once the .msi file is acquired (usually from the software vendor), an Administrator can associate the file with GPO's to install the application when the user logs on or when the computer is turned on, to upgrade applications or apply Service Packs or patches, or to remove the application.
All this is fairly straightforward. The Administrator acquires the .msi file and places it on a shared folder. He or she then edits the appropriate GPO's to reference the .msi and selects a deployment method: mandatory, optional, removal or upgrade.
Since automated distribution of application software has no precursor in NT 4.0, migration issues are straightforward.
· Decide upon a software distribution policy. How will you use .msi packages and the software distribution options of OU’s to control distribution, maintenance and removal of software?
· Which software packages will be Published and which will be Assigned?
· Who will have authority to Publish or Assign new packages?
· How will OU’s and software distribution be used to manage licenses?
· Deploy, upgrade, remove and manage software using software installation group policies.
What's New
Creating and sharing file and print resources is central to the original purpose of Microsoft Windows NT. Windows 2000 extends this functionality by using the Active Directory to advertise shared resources and help users locate them on the network. In NT 4, creating a shared folder was as simple as creating the folder in Windows Explorer and setting the "sharing" property for that folder. The process in Win2K is a little different. The Win2K process is to first create the shared folder and then publish it in Active Directory. New shared folders are created using an Administrative Tool, File Service Management. Once created, Active Directory Manager is used to select a domain or OU on which to publish the share, and then assign a name and UNC path to the folder.
Printer sharing is a bit easier. Shared printers are created using the Add Printer wizard. Shared printers are automatically published in the Active Directory.
Distributed file system (Dfs) was originally introduced in the NT 4 option pack. Dfs allows the administrator to configure a file system that spans disk drives and systems. The essential component is a file holding the Dfs topology. In the first releases of Dfs, this file was hosted on a single computer. In addition to the original Dfs model, Windows 2000 also supports hosting the Dfs topology information in Active Directory. AD thus creates a "fault-tolerant" Dfs.
Another new capability of the Windows 2000 NTFS file system is the ability to locally encrypt a folder or file. NTFS uses the Encrypting File System to make possible transparent background encryption and decryption of files on the local hard disk. Files and folders are encrypted by setting an encrypt property for the folder. This is done using Windows Explorer.
Finally, Windows 2000 now offers disk defragmentation. It’s accessed as an Administrative Tool under System Management. Fairly straightforward, Disk Defragmenter can defragment FAT, FAT32 and NTFS volumes.
· Determine the importance of “fault-tolerant” Dfs and folder/file encryption for your organization.
· Educate users and administrators on the advantages of disk defragmentation.
· Create customized MMC tools for local system management.
· Host WEB pages on mirrored fault-tolerant Dfs volumes.
· Use Dfs to allow users to find resources without having to know physical details of the network.
· Use "fault-tolerant" Dfs roots.
Microsoft Windows 2000 is coming. Sometime within the next year, network administrators all over the world will be dealing with Microsoft’s next release of the Windows operating system. Some will find it tempting to shake their fist at the storm. Others will learn to use these new technologies to provide higher service levels and improved financial returns for their organizations.
It’s been the purpose of this paper to stimulate thinking about ways to take best advantage of the next wave from Redmond.
For further information and training, consult the coming avalanche of books and magazines about Microsoft Windows 2000. Microsoft will soon (as of this writing) release several new Microsoft Official Curriculum (MOC) training courses. It’s currently planned that there will be three different course tracks: “New to Microsoft Windows 2000”, “Experienced Windows NT Professional” and “Enterprise Architect”.
New to Microsoft Windows 2000
MOC 1556 Administering Microsoft Windows 2000 (3 Days)
MOC 1557 Installing and Configuring Microsoft Windows 2000 (5 Days)
MOC 1558 Advanced Administration for Microsoft Windows 2000 (3 Days)
Experienced Windows NT Professional
MOC 1560 Updating support Skills from Microsoft Windows NT to Microsoft Windows 2000 (5 Days)
Enterprise Architect
MOC 1560 Updating support Skills from Microsoft Windows NT to Microsoft Windows 2000 (5 Days)
MOC 1561 Designing a Microsoft Windows 2000 Directory Services Infrastructure (5 Days)
MOC 1562 Designing a Microsoft Windows 2000 Networking Services Infrastructure (4 Days)
MOC 1563 Designing a Change and Configuration Management Infrastructure of Microsoft Windows 2000 Professional (3 Days).