Operating Systems: Microsoft’s Windows 2000 Advanced Server

Microsoft’s Windows 2000: this is something different

Microsoft Corp. had a very good reason for renaming its planned Windows NT 5.0 operating system Windows 2000. The new network-based OS is far, far different than the NT 4.0 that IT managers have come to know over the past several years and five service packs.

Compared to its predecessor, NT 4.0 Enterprise Edition, Win 2000 Advanced Server is much more complex and permits far finer-grained control. It also requires deeper and more intensive networking knowledge than I suspect many IT departments can muster.

Based on a Microsoft training course I took recently, it’s clear that most NT administrators and network designers are going to need extensive training right from the get-go to implement Windows 2000. Course instructor Ed Fandery of Productivity Point International pointed out that learning and implementing Advanced Server is like NT 4.0 Enterprise plus the entire BackOffice suite of servers — and then some.

Log me on, Scotty!

The new Windows 2000 Advanced Server requires that a surprising number of different server engines be set up, kept running, and made redundant.

Even the simple act of logging on works totally differently. Under NT 4.0, a log-on request generates a broadcast call to locate the server or primary domain controller (PDC). That’s simple enough but perhaps creates more network traffic than is desirable.

Under Windows 2000, that same log-on request makes a single direct call to the Domain Name Server (DNS) for IP address resolution. If the DNS server isn’t accessible, for whatever reason, no log-on is possible, even though the server itself is up and waiting. Almost all interaction with servers is by name at the user level and by IP address underneath, which means DNS is involved everywhere.
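The DNS-dependent logon described above can be made concrete with a small added example (this is editorial illustration, not code from the article or from Microsoft). It assumes, from general Active Directory knowledge rather than from the article, that a Windows 2000 client asks DNS for SRV records named `_ldap._tcp.dc._msdcs.<domain>` and then picks a domain controller by SRV priority and weight. The resolvers and the zone data are constructed samples; the point is the failure mode the article warns about: when DNS does not answer, no domain controller is found and logon cannot proceed, however healthy the controller itself is.

```python
import random
from typing import Callable, List, NamedTuple, Optional


class SrvRecord(NamedTuple):
    """One DNS SRV record, as returned for a domain-controller lookup."""
    priority: int
    weight: int
    port: int
    target: str


class DnsUnavailable(Exception):
    """Raised by a resolver when no DNS server can be reached."""


def choose_by_srv(records: List[SrvRecord], rng: random.Random) -> Optional[SrvRecord]:
    """Select a target the way an SRV client should (RFC 2782): the lowest
    priority value wins, and among records sharing that priority a
    weight-proportional random choice is made. A record with weight 0 is
    effectively never chosen while another candidate carries weight.
    Returns None when there is nothing to choose from."""
    if not records:
        return None
    lowest = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == lowest]
    total = sum(r.weight for r in candidates)
    if total == 0:
        return rng.choice(candidates)
    pick = rng.randrange(total)
    for r in candidates:
        pick -= r.weight
        if pick < 0:
            return r
    return candidates[-1]


def locate_domain_controller(domain: str,
                             resolve_srv: Callable[[str], List[SrvRecord]],
                             rng: Optional[random.Random] = None) -> Optional[str]:
    """Windows 2000 style logon step: ask DNS for the domain's DC SRV records
    and pick one. The SRV name is an assumption from AD documentation, not
    from the article. Returns 'host:port', or None when DNS is unreachable
    or has no answer, which is precisely when no logon is possible."""
    rng = rng or random.Random()
    name = "_ldap._tcp.dc._msdcs." + domain.rstrip(".")
    try:
        answers = resolve_srv(name)
    except DnsUnavailable:
        return None  # DNS down: the client never learns where the DC is
    chosen = choose_by_srv(answers, rng)
    if chosen is None:
        return None  # DNS answered, but no DC is registered for this domain
    return "%s:%d" % (chosen.target, chosen.port)


# Constructed sample zone for a fictional domain; these are not real hosts.
SAMPLE_ZONE = {
    "_ldap._tcp.dc._msdcs.example.test": [
        SrvRecord(0, 100, 389, "dc1.example.test"),
        SrvRecord(0, 0, 389, "dc2.example.test"),        # weight 0: effectively standby
        SrvRecord(10, 50, 389, "backup-dc.example.test"),  # higher priority value: used last
    ]
}


def working_resolver(name: str) -> List[SrvRecord]:
    """Simulated DNS server that serves SAMPLE_ZONE."""
    return list(SAMPLE_ZONE.get(name, []))


def dead_resolver(name: str) -> List[SrvRecord]:
    """Simulated DNS outage: every query fails."""
    raise DnsUnavailable("no DNS server reachable")


def demo():
    """Three logon attempts: healthy DNS, DNS outage, and an unknown domain."""
    return (
        locate_domain_controller("example.test", working_resolver),
        locate_domain_controller("example.test", dead_resolver),
        locate_domain_controller("other.test", working_resolver),
    )


if __name__ == "__main__":
    for label, result in zip(("DNS up", "DNS down", "unknown domain"), demo()):
        print("%-15s -> %s" % (label, result or "no domain controller found; logon fails"))
```

Running the block prints one line per scenario; only the first attempt yields a domain controller. The practical consequence for a Windows 2000 rollout is that the DNS servers the clients use are as much a logon dependency as the domain controllers are, and their availability deserves the same monitoring and redundancy.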

What’s in a name?

The organization of Windows 2000 networks is somewhat different from NT, and hard to explain for two reasons.

First, much of it is non-hierarchical in nature, relating to considerations such as location and bandwidth. Second, there exist several different sets of network nomenclature that are intermingled and used together, not just in the teaching and reference material but in the on-screen dialogue boxes as well.

The serious problem is that none of these metaphorical terms maps exactly onto the others, and sometimes they don’t reflect the network’s real structure. Here is some of the lexicon that Microsoft introduced us to:

The basics: site, domain, organizational unit. These are the fundamental network building blocks. Domains are managed by Domain Controllers and contain subdomains and Organizational Units (OU). OUs are administrative units whose administration can be delegated, and OUs can be nested within OUs, but you don’t want to go over 12 levels of nesting or else the system will start slowing dramatically.

Those two are hierarchical, while a Site is a collection of domains with “good network connectivity” that’s defined as LAN speed.

Your organization may have a Halifax office and a London shop; they’re part of the same Forest, but you’ll want to make them separate sites, each with its own copy of the global catalogue (which is a subset of the Active Directory). If you don’t, a lookup request to find a London e-mail address may itself have to cross the Atlantic. But a domain can be part of several sites, too.
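Because OU nesting depth is something an administrator can audit rather than guess at, here is an added example (editorial illustration, not code from the article or from Microsoft) that counts the OU levels an object sits in from its LDAP distinguished name and flags anything deeper than the 12 levels the article warns about. The distinguished names are constructed samples for a fictional domain; the parser honours backslash escapes so that a comma inside an OU name does not miscount as an extra level.

```python
from typing import List, Tuple

MAX_RECOMMENDED_OU_DEPTH = 12  # the nesting limit the article warns about


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an LDAP distinguished name into (attribute, value) pairs,
    honouring backslash escapes so that an escaped comma inside a value
    (for example 'OU=Sales\\, EMEA') does not start a new component."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    result = []
    for part in parts:
        if not part:
            continue
        attr, _, value = part.partition("=")
        result.append((attr.strip().upper(), value))
    return result


def ou_depth(dn: str) -> int:
    """Number of OU levels the named object is nested inside."""
    return sum(1 for attr, _ in split_dn(dn) if attr == "OU")


def audit_ou_depth(dns: List[str],
                   limit: int = MAX_RECOMMENDED_OU_DEPTH) -> List[Tuple[str, int]]:
    """Return (dn, depth) for every object nested deeper than limit, deepest first."""
    offenders = [(dn, ou_depth(dn)) for dn in dns if ou_depth(dn) > limit]
    return sorted(offenders, key=lambda item: -item[1])


# Constructed sample DNs for a fictional domain (not taken from any real directory).
JANE_DN = "CN=Jane Doe,OU=Sales\\, EMEA,OU=Staff,DC=example,DC=test"
DEEP_DN = ("CN=Deep User,"
           + ",".join("OU=L%d" % i for i in range(13, 0, -1))
           + ",DC=example,DC=test")
PRINTER_DN = "CN=Printer1,CN=Computers,DC=example,DC=test"
SAMPLE_DNS = [JANE_DN, DEEP_DN, PRINTER_DN]


if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print("%2d levels  %s" % (ou_depth(dn), dn))
    for dn, depth in audit_ou_depth(SAMPLE_DNS):
        print("TOO DEEP (%d > %d): %s" % (depth, MAX_RECOMMENDED_OU_DEPTH, dn))
```

Fed a directory export instead of the constructed list, `audit_ou_depth` gives a quick list of the objects whose placement is likely to hurt Group Policy processing time; the escaped comma in `JANE_DN` is there to show that a naive `dn.count("OU=")` or a split on commas would overcount.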

The out-of-sights: users, resources, groups. These vital objects are there because they must be, but they’re quite different. Users is really just a folder containing information about individual user accounts; it’s not subject to Windows 2000’s group policies and is just there as a holding tank during migration. Normally users are made part of an Organizational Unit.

Resources are things like printers. A group is a collection of users and resources for the purposes of administering permissions and for e-mail segmentation. An OU, however, is subject to Group Policies in what permissions its members have.

The family values: parent, child, sibling. These familiar terms depict relationships between objects. Simple enough, but, based on what I saw, uncle, brother-in-law, and second-cousin-twice-removed should make the list any day now.

The woodies: forest, tree, root. These are important but non-intuitive concepts. A forest is a grouping of one or more related domains, characterized by sharing the same structure of attributes (called a schema) and by trusting one another. The root, as in Unix, is the start of everything. Tree seems to mean a subgrouping of related domains within a forest; it isn’t much used and imparts no distinctive attributes.

It’s company policy

What’s the difference between a right and a permission? Under Windows 2000, a permission gives access to a system resource, such as to use a printer or read a file, while a right allows the user to do some system task, such as log on, delegate rights, administer a specific group, and so forth.

Confused? Wait until you find out that the two must be separately administered using different tools. All rights are granted through a Group Policy, which as you might suspect applies to a group (of users).

It appears to be entirely possible for domain administrators to shoot themselves in the foot, i.e., to lock themselves out of the domain entirely such that the only recourse is to reinstall Windows 2000 Advanced Server and reconfigure the network. (“Warning: this is only done by trained professionals; do not attempt this in your living room.”) Another place where Windows 2000 administration has a serious gap is in documenting its own structure.

Say you delegate the administration of OUs to other people, then you leave the company. There’s no simple way to tell who is in charge of those OUs.

Finders keepers

How do you look up a user in a directory? You don’t. Even if you’re the domain administrator, unless you know what directory to look into, the only way to find a user is through a Search command.

It works fairly well, but it’s still just a search command. Behind the scenes, it actually invokes two different mechanisms: DNS for locating the proper domain and server, and Lightweight Directory Access Protocol (LDAP) for finer granularity of attributes.
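The two-stage lookup the article describes, DNS to find the domain and server and then LDAP for the attributes, can be sketched as an added example (editorial illustration, not code from the article or from Microsoft). It assumes the domain controller has already been located through DNS and shows only what the search itself needs: the Active Directory convention that a domain’s DNS name becomes its base DN (`example.test` becomes `DC=example,DC=test`), a filter on the `sAMAccountName` attribute, and escaping of the searched-for text per RFC 4515 so that a name containing `*`, `(` or `)` cannot change the meaning of the filter. The attribute names and the base-DN convention come from general Active Directory knowledge, not from the article; the logon name is a constructed sample.

```python
from typing import Dict, List


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).
    Characters that have meaning in a filter are replaced by \\XX hex escapes,
    so text taken from a user can only ever be compared, never interpreted."""
    out = []
    for ch in value:
        if ch in "*()\\" or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def base_dn_for_domain(domain: str) -> str:
    """Active Directory names a domain's naming context after its DNS name:
    example.test -> DC=example,DC=test (assumed AD convention)."""
    labels = [label for label in domain.rstrip(".").split(".") if label]
    return ",".join("DC=" + label for label in labels)


def plan_user_lookup(logon_name: str, attributes: List[str]) -> Dict[str, object]:
    """Split a user@domain logon name into the DNS step (which domain to ask
    DNS about) and the LDAP step (base DN, filter and attributes to return).
    The 'objectClass' and 'sAMAccountName' attribute names are assumed from
    AD documentation, not taken from the article."""
    if "@" not in logon_name:
        raise ValueError("expected a user@domain logon name")
    user, domain = logon_name.rsplit("@", 1)
    return {
        "dns_domain": domain,  # handed to DNS to find the right domain controller
        "base_dn": base_dn_for_domain(domain),
        "filter": "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(user),
        "attributes": list(attributes),
    }


# Constructed sample input for a fictional domain.
SAMPLE_LOGON = "j.doe@example.test"
SAMPLE_ATTRIBUTES = ["mail", "displayName", "distinguishedName"]


if __name__ == "__main__":
    plan = plan_user_lookup(SAMPLE_LOGON, SAMPLE_ATTRIBUTES)
    for key in ("dns_domain", "base_dn", "filter", "attributes"):
        print("%-11s %s" % (key + ":", plan[key]))
    # A name with a wildcard is compared literally rather than treated as a pattern.
    print("escaped:    ", escape_filter_value("a*b"))
```

The DNS half of the lookup gives the directory client a server to talk to; everything about the user, down to individual attributes, comes from the LDAP half, which is why the article notes that a directory search is never just "looking in a folder". Escaping the searched-for text is the one habit worth carrying into any tool that builds such filters from names typed by people.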

Unless they’re planning a quick trip into another profession, savvy IT managers who currently have NT in their job description had better plan on taking some fairly heavy-duty training courses on the innards of Windows 2000. Microsoft’s own certification program is being revamped for Windows 2000, and current Microsoft Certified Systems Engineers (MCSE) will have to take at least two or three more exams to be certified for Windows 2000.

– IDG News Service