Who needs it?

ITworld.com – Windows 2000 marks a big change in direction for Microsoft's business-class platform. The focus of the new generation is to more easily support large-scale networks of users and computers. Microsoft hopes this new version will eliminate criticisms about the poor performance of Windows NT in the enterprise arena. A major part of the company's efforts was directed at enabling the OS to run better on larger servers and at supporting more memory and faster and more complex peripheral devices. Windows 2000 has made improvements not only in the type of hardware it can support, but also in the number of features it has added. Microsoft says that, with the new features, the OS can scale across the platforms in your enterprise, from desktops to workstations to workgroup servers and enterprise servers alike. Furthermore, its improvements will make managing the system easier.

Microsoft's claims aside, are the new features useful to you now? If so, will you need to change your current environment to take advantage of them? How difficult are they to implement? And what effect will they have on existing systems? With these questions in mind, we'll explore a number of Windows 2000's purported advantages.

Management and remote administration

Microsoft Management Console MMC consolidates all the administration tools in Windows 2000. It incorporates both new and existing management tools into a single interface that covers every aspect of the system. And once you adjust to how MMC works, you will find that it has incorporated the earlier tools into the system so that they operate very much as they did before. This keeps things familiar for the administrator and makes it easier to improve the interface for management, event logging, and report generation. In addition, some administrator tasks can, in a simple way, be delegated to lower-level administrators or less-privileged operators. By giving you easier access to all the administration tasks, this unified tool can reduce the amount of time needed to solve problems.

Windows Terminal Server. Although not really a new feature, WTS is now included as part of Windows 2000 Server rather than as a separate package. The new version maintains full compatibility with the Remote Desktop Protocol (RDP) used in NT 4, and will thus allow Windows 9x or NT systems to connect to the Windows 2000 Server through the WTS client software. This allows older Windows machines to access software on the server and thus can support a migration path from the older systems to newer software services that are supported only on Windows 2000. It also implements a thin-client model of computing, reducing the amount of software management required on desktops. That should make it a valuable addition to the Windows Server platform for any site.

IntelliMirror.This new service lets users roam from desktop to desktop while maintaining full access to their personal environments and files. The service replicates software installed on one machine onto others, based on a user profile maintained on a Windows 2000 server. So users' files and applications move with them. Although the replication can take time -- especially if the application software is not installed -- the software runs locally once it is in place. The system is thus faster than a remote display technology such as Windows Terminal Server.

The downside is that IntelliMirror works only for Windows 2000 desktops, so it's of limited use if you're planning to start only with a server migration. Furthermore, it works best if users don't move constantly between machines, since that increases the amount of replication needed. IntelliMirror will appeal to organizations whose users run a closely defined set of applications, but only if those organizations are planning to move large numbers of workstations over to Windows 2000 Professional. Those with existing Windows 9x and NT desktops should probably wait to get excited about IntelliMirror until the next upgrade cycle for all the desktops

Remote OS installation. The capability to do remote installations can be valuable when you have to deploy large numbers of desktop systems. The desktop OS can be installed from a server over the network, complete with personalized configuration information. However, this feature works only with Windows 2000 Professional desktops and not the Server editions or any of the earlier desktop OSs. Furthermore, the desktops require special network cards that support the Intel Portable Execution Environment (PXE) to allow network booting. Another drawback is that you cannot <em>upgrade</em> the operating system remotely, only perform fresh installations. As with IntelliMirror, these issues combined make this service of little use unless you are planning to deploy Windows 2000 Professional on the desktop.

Service Pack Slip-Streaming. Microsoft has finally fixed its limited method of performing OS upgrades through service pack releases. With existing NT systems, the service pack cannot be removed once it is applied. You need to reinstall the operating system from an earlier service pack to get it back to the condition it was originally in. This is a concern because Microsoft has repeatedly released service packs that have caused existing services to break or have created new problems when installed. With Service Pack Slip-Streaming, you can install and remove Service Packs as you need to, thus saving an enormous amount of time. This is definitely a useful tool because you will undoubtedly be installing a Service Pack for Windows 2000 in the future. Too bad Microsoft couldn't put this capability into NT 4 systems.

Network and hardware services

Asynchronous Transfer Mode. ATM network services are new in Windows 2000. Previously, you had to rely on custom drivers from each ATM network card vendor. With standardized drivers, you can now directly use pure ATM services, as well as IP over ATM. Unfortunately, a number of factors make this capability less important than it might have been at one time. First, ATM for the desktop has not caught on. Competing technologies such as Fast and Gigabit Ethernet are cheaper and easier to implement. Second, ATM network speeds start at around 155 Mbps (not including the desktop technologies), and go up to 10 Gbps at the high end, rates that require high-performance system buses to transfer data. Not only do most PC systems and servers lack the necessary bus speeds, but high-speed network traffic also causes a lot of processing overhead in Windows that reduces actual throughput. Although ATM-based Windows products will probably still emerge, this feature isn't much of a draw for most administrators.

Virtual private networks. VPNs are in high demand in these days of extranets and remote offices with Internet access. A VPN lets a single remote desktop or an entire branch office communicate on a par with systems on the corporate network. In days of yore, remote clients had to be restricted because of the security risks they presented. Today, with encryption technologies it is possible to pass data among sites without anyone being able to intercept and view it. Secure VPN technology is built in to the Windows 2000 network and remote access services, since it implements the IP Security (IPSec) protocol for communicating over the Internet. Windows did have earlier technologies that allowed VPNs, including Point-to-Point Tunneling Protocol (PPTP) and Layer-2 Tunneling Protocol (L2TP), but these did not offer secure encrypted communications.

There is a catch to IPSec in Windows 2000, though. IPSec was designed so that any two hosts running any OS platform could communicate with each other. The Windows 2000 IPSec implementation, however, requires that you also use L2TP to authenticate users on remote machines as well as support other non-IP protocols. This breaks compatibility with other platforms, most of which do not use Microsoft's L2TP system. Thus, Microsoft-flavored VPN technology can work only among Windows 2000 systems, severely limiting its use in heterogeneous environments.

Quality of service. QoS is a new arrival for IP network communications in general. QoS attempts to define a guaranteed level of quality for communications between two IP hosts,on top of the nonguaranteed protocol services of IP. The Internet standard for setting up such services is the Resource Reservation Protocol (RSVP), but for any appreciable results, RSVP needs to be supported on as many of the network nodes located between the end-points as possible. QoS is thus lagging in wide deployment. Network administrators don't use it because most of their desktop and server systems don't support QoS. This ends in a catch-22: The network doesn't have it because the systems don't, and the systems can't really make use of it until the network implements it. The good news is that Windows 2000 now supports the standard method for supporting QoS. The bad news is that older Windows systems do not. Thus QoS becomes a useful feature only if you plan to have lots of Windows 2000 -- or non-Windows systems that support QoS -- on your network.

Plug and play. Plug and play is nothing new for Windows 9x users, but NT Workstation users will be happy that it is now available for Windows 2000 systems. Furthermore, the Windows driver model used in Windows 2000 is similar to that in Windows 9x, making it easier for vendors to port device drivers to the new platform. This means greater support for adapters and other devices that go into your system. Everyone wins with this new feature.

Power and configuration management. Advanced power and configuration management brings more relief for NT Workstation users. This feature allows Windows 2000 Professional to use the battery systems in laptops more efficiently, giving longer work times between recharges while you're on the go. Again, a great addition.

Security services

Encrypting File System. EFS is a new feature for the safety conscious. Using this file system, any data stored on the disk can be accessed and read only by the owner of the data. Saved data are automatically encrypted; your owner information and local host information generate a local certificate. Other users cannot read even plain text files, even if they have access to your directory. Especially important is that EFS is integrated into the NTFS 5.0 file system architecture and thus works with all software. This encryption/decryption process adds overhead and delay to accessing files, but except for very large files, it offers a greater value in security than the seconds it makes you wait. Network users can access information if they have been authenticated properly and have proper access to the directory and files. EFS is a good new feature to have on an enterprise operating system, especially as users become more privacy conscious.

Distributed File System. With DFS, you can make a single tree of all public files and directories on your network and hide the identities of the servers and drives they refer to. This makes it much simpler to access any file without having to remember which server and drive it was stored on. In other words, Windows finally catches up to the distributed file system tree capabilities of Unix and NFS.

On the other hand, DFS can confuse an end user because of changes in file-access procedures. Although the benefits of using DFS are numerous, users may be used to the existing Common Internet File System (CIFS) method of mounting a remote drive as a new drive letter. Worse yet, CIFS information may be encoded into the data and application files, making it difficult to switch to the new system. DFS is handy, but it will probably come into use slowly.

Kerberos authentication. Windows 2000 systems can employ an authentication mechanism that has been available to Unix users for a while. This mechanism is based on the Kerberos secure login system, which uses session tickets, rather than an account and a password, to identify user logins. By sending tickets that can be recognized only by the receiver and sender, you increase the security of your network. The ticket mechanism eases authentications across network domains and separates the authentication load from the domain controllers. It can allow limited time login sessions as well as control which servers the user can connect to. Thus the Kerberos system makes it easy to scale Windows 2000 Servers to the enterprise.

The downside, again, is that this feature is currently limited to Windows 2000 systems. With Kerberos, Windows 2000 also uses a completely different network login system than NT 4, so the two authentication systems are incompatible. However, NT 4 systems can still authenticate by way of the Windows 2000 Active Directory servers since they also support theolder Netlogon system of NT.

Directory and related services

Active Directory. Active Directory is one of the most significant changes introduced in Windows 2000. Active Directory can have any number of servers sharing all directory information equally, rather than the limited master-slave components of the NT domain controller system. The directory can store any kind of user and application information in an object database; thus, it's easier and yet more secure to access system information from applications. The structural hierarchy of Active Directory also makes it feasible to scale to tens of thousands of users and servers.

Although it supports standard cross-platform protocols such as the Lightweight Directory Access Protocol (LDAP), Active Directory is still very Windows specific. As seems to be Microsoft's way, enhancements to the system make it slightly incompatible with other directory services. To interface Active Directory with Novell Directory Services or Unix-based directories, you need a third-party tool such as a metadirectory or a directory translator. A future standard for exchanging directory information in an XML-based schema is in the works but still far off.

You will need Active Directory to deploy Windows 2000 on a large scale. It can support the functions of an NT domain controller, thus obviating a need for the older systems. However, NT and Windows 9x systems will not be able to take full advantage of Active Directory. Overall, Active Directory is an important feature to have, but it's also complicated to implement and not commonlysupported on all systems yet.

Dynamic Domain Name System. The DDNS server supports a newer protocol that allows dynamic changes to the previously static IP host name; these changes address mapping tables needed by any system that uses the Internet or TCP/IP. DDNS solves mapping problems when client desktops are dynamically assigned temporary IP addresses while using the network. It also allows clustered Web servers to reassign Website addresses to secondary servers when the primary Web server fails. Thus, DDNS solves problems and enables new features to be supported, but it maintains full compatibility with all existing hosts. DDNS is also a requirement for Active Directory services and thus will be on your network if you implement Active Directory.

Group policies. One other feature that Active Directory enables is the new group policy system. The new system replaces the earlier per-system and user policies of NT, and the policy information is now stored in Active Directory. You can associate a policy with almost any Active Directory object and restrict its use according to the specific policies. There are several levels of policies in a system, a local domain, and the global tree of all domains. The NT method of having to replicate policies across several domains in a multiple master domain controller is inefficient compared with this new system.

Group policies are going to be very useful if you plan to run a tight network of servers. Since it is based on the authentication and access-control services associated with Active Directory, it can be used anywhere on the network that Windows 2000 is deployed. This means that if your NT and Windows 9x accounts are stored on the Windows 2000 server, you can also use this method to control their access.

Fewer reboots. Although it hasn't implemented a new technology in this case, Microsoft has designed Windows 2000 to require fewer reboots. For example, changing network parameters or loading new drivers no longer requires a reboot, thanks to the new plug-and-play system. Changing the status of a system from a directory controller to a standalone server can also be done without rebooting the machine, so it's easier to service those systems. Fewer reboots does not make the system less susceptible to crashes, but it does help reduce system downtime.

Act now?

Without a doubt, Windows 2000 offers a number of useful new services for your network. Most of these help large organizations simplify the management -- and improve the scalability -- of the OS across many more servers and systems. Microsoft has also reduced the overall number of events that will require you to reboot the computer, thus improving uptime.

On the other hand, a theme that recurs throughout a discussion of Windows 2000's new features is that it requires you to switch much of your current environment to Windows 2000 to get the full benefit. Although it does not completely leave behind Windows 9x and NT systems, Microsoft seems to have delivered a less-than subtle suggestion to upgrade to Windows 2000 Professional at the same time you upgrade your servers. Requiring such changes in the basic nature of the NT security system, file system, directory services, and application system, these new features in Windows 2000 can constitute a new realm of compatibility problems.

Another theme is Windows 200's incompatibility with other platforms. Although Microsoft offers services that stay in step with other offerings, and in some cases even offers optional packages that provide cross-platform integration services, this latest release continues Microsoft's philosophy of "embrace and extend" with regards to emerging standards.

The new features do come with direct and indirect costs. Windows 2000 needs a faster processor and more memory to run the same applications than a Windows NT machine. Although Microsoft says that Windows 2000 can run on a 133-MHz Pentium with 64 MB of RAM, it will become painfully obvious that a desktop machine will more likely need a 350-MHz Pentium II or 400-MHz Celeron or better, and 128 MB of RAM per desktop. The operating system is larger and makes better use of memory for caching objects. Thus, although the price per seat of Windows 2000 (compared with the price for NT) is not a significant barrier, the indirect cost of purchasing new desktops for your network may be high.

Some of the new features are going to take careful consideration of how your computer network, and even your business, is organized. If you implement RIS and IntelliMirror, you might consider improving the path between the desktop clients and the servers that host those services, to speed their operation. QoS or IPSec will have the greatest success if you also upgrade your network hardware to allow those services to function properly. Active Directory changes not only how the domain controller services work but also how you should design the hierarchy of objects in your directory. That includes all user profiles, applications, and system settings. Although you can start this work on smaller subnetworks, if you plan to move entirely to Windows 2000, you should plan for the entire network.

Furthermore, if you have mixed networks such as NetWare or Unix systems, you will need to look at the cost of integrating this new platform. Because of the new features -- Active Directory in particular -- you cannot assume that the existing integration methods used for NT will work fine under Windows 2000. Thus, the cost of implementing these new features can have a dramatic effect on your IT budget.

If you take into account the high probability of bugs appearing over the coming months and the prudent tactic of waiting for the first Service Pack, you may need more than a few months to get Windows 2000 working correctly on your network. There are immediate benefits to using Windows 2000, but for the true long-term benefits that Microsoft is advertising, you will need to put in for more than just the cost of the product and upgrade services. Before you unwrap that new box and start installing Windows 2000, you should ask yourself how much value the new features and services are worth to your network for the amount of work you will have to put into it.

What’s wrong? The new clean desk test
You Might Like
Join the discussion
Be the first to comment on this article. Our Commenting Policies