Kerberos authentication. Windows 2000 systems can employ an authentication mechanism that has been available to Unix users for a while. This mechanism is based on the Kerberos secure login system, which uses session tickets, rather than an account and a password, to identify user logins. By sending tickets that can be recognized only by the receiver and sender, you increase the security of your network. The ticket mechanism eases authentications across network domains and separates the authentication load from the domain controllers. It can allow limited time login sessions as well as control which servers the user can connect to. Thus the Kerberos system makes it easy to scale Windows 2000 Servers to the enterprise.
The downside, again, is that this feature is currently limited to Windows 2000 systems. With Kerberos, Windows 2000 also uses a completely different network login system than NT 4, so the two authentication systems are incompatible. However, NT 4 systems can still authenticate by way of the Windows 2000 Active Directory servers since they also support theolder Netlogon system of NT.
Directory and related services
Active Directory. Active Directory is one of the most significant changes introduced in Windows 2000. Active Directory can have any number of servers sharing all directory information equally, rather than the limited master-slave components of the NT domain controller system. The directory can store any kind of user and application information in an object database; thus, it's easier and yet more secure to access system information from applications. The structural hierarchy of Active Directory also makes it feasible to scale to tens of thousands of users and servers.
Although it supports standard cross-platform protocols such as the Lightweight Directory Access Protocol (LDAP), Active Directory is still very Windows specific. As seems to be Microsoft's way, enhancements to the system make it slightly incompatible with other directory services. To interface Active Directory with Novell Directory Services or Unix-based directories, you need a third-party tool such as a metadirectory or a directory translator. A future standard for exchanging directory information in an XML-based schema is in the works but still far off.
You will need Active Directory to deploy Windows 2000 on a large scale. It can support the functions of an NT domain controller, thus obviating a need for the older systems. However, NT and Windows 9x systems will not be able to take full advantage of Active Directory. Overall, Active Directory is an important feature to have, but it's also complicated to implement and not commonlysupported on all systems yet.
Dynamic Domain Name System. The DDNS server supports a newer protocol that allows dynamic changes to the previously static IP host name; these changes address mapping tables needed by any system that uses the Internet or TCP/IP. DDNS solves mapping problems when client desktops are dynamically assigned temporary IP addresses while using the network. It also allows clustered Web servers to reassign Website addresses to secondary servers when the primary Web server fails. Thus, DDNS solves problems and enables new features to be supported, but it maintains full compatibility with all existing hosts. DDNS is also a requirement for Active Directory services and thus will be on your network if you implement Active Directory.
Group policies. One other feature that Active Directory enables is the new group policy system. The new system replaces the earlier per-system and user policies of NT, and the policy information is now stored in Active Directory. You can associate a policy with almost any Active Directory object and restrict its use according to the specific policies. There are several levels of policies in a system, a local domain, and the global tree of all domains. The NT method of having to replicate policies across several domains in a multiple master domain controller is inefficient compared with this new system.
Group policies are going to be very useful if you plan to run a tight network of servers. Since it is based on the authentication and access-control services associated with Active Directory, it can be used anywhere on the network that Windows 2000 is deployed. This means that if your NT and Windows 9x accounts are stored on the Windows 2000 server, you can also use this method to control their access.
Fewer reboots. Although it hasn't implemented a new technology in this case, Microsoft has designed Windows 2000 to require fewer reboots. For example, changing network parameters or loading new drivers no longer requires a reboot, thanks to the new plug-and-play system. Changing the status of a system from a directory controller to a standalone server can also be done without rebooting the machine, so it's easier to service those systems. Fewer reboots does not make the system less susceptible to crashes, but it does help reduce system downtime.
Without a doubt, Windows 2000 offers a number of useful new services for your network. Most of these help large organizations simplify the management -- and improve the scalability -- of the OS across many more servers and systems. Microsoft has also reduced the overall number of events that will require you to reboot the computer, thus improving uptime.
On the other hand, a theme that recurs throughout a discussion of Windows 2000's new features is that it requires you to switch much of your current environment to Windows 2000 to get the full benefit. Although it does not completely leave behind Windows 9x and NT systems, Microsoft seems to have delivered a less-than subtle suggestion to upgrade to Windows 2000 Professional at the same time you upgrade your servers. Requiring such changes in the basic nature of the NT security system, file system, directory services, and application system, these new features in Windows 2000 can constitute a new realm of compatibility problems.
Another theme is Windows 200's incompatibility with other platforms. Although Microsoft offers services that stay in step with other offerings, and in some cases even offers optional packages that provide cross-platform integration services, this latest release continues Microsoft's philosophy of "embrace and extend" with regards to emerging standards.
The new features do come with direct and indirect costs. Windows 2000 needs a faster processor and more memory to run the same applications than a Windows NT machine. Although Microsoft says that Windows 2000 can run on a 133-MHz Pentium with 64 MB of RAM, it will become painfully obvious that a desktop machine will more likely need a 350-MHz Pentium II or 400-MHz Celeron or better, and 128 MB of RAM per desktop. The operating system is larger and makes better use of memory for caching objects. Thus, although the price per seat of Windows 2000 (compared with the price for NT) is not a significant barrier, the indirect cost of purchasing new desktops for your network may be high.
Some of the new features are going to take careful consideration of how your computer network, and even your business, is organized. If you implement RIS and IntelliMirror, you might consider improving the path between the desktop clients and the servers that host those services, to speed their operation. QoS or IPSec will have the greatest success if you also upgrade your network hardware to allow those services to function properly. Active Directory changes not only how the domain controller services work but also how you should design the hierarchy of objects in your directory. That includes all user profiles, applications, and system settings. Although you can start this work on smaller subnetworks, if you plan to move entirely to Windows 2000, you should plan for the entire network.
Furthermore, if you have mixed networks such as NetWare or Unix systems, you will need to look at the cost of integrating this new platform. Because of the new features -- Active Directory in particular -- you cannot assume that the existing integration methods used for NT will work fine under Windows 2000. Thus, the cost of implementing these new features can have a dramatic effect on your IT budget.
If you take into account the high probability of bugs appearing over the coming months and the prudent tactic of waiting for the first Service Pack, you may need more than a few months to get Windows 2000 working correctly on your network. There are immediate benefits to using Windows 2000, but for the true long-term benefits that Microsoft is advertising, you will need to put in for more than just the cost of the product and upgrade services. Before you unwrap that new box and start installing Windows 2000, you should ask yourself how much value the new features and services are worth to your network for the amount of work you will have to put into it.