Whether you love or hate Microsoft, one thing's for sure: Windows 2000 migrations can ease your financial pain during the current economic slowdown. Now that Windows 2000 has been around for a year or so, and the first wave of patches is available, many Windows NT network managers are making the move to Windows 2000 Advanced Server.
Just ask Rory and Jeff (not their real names), two seasoned network managers who recently got their hands dirty deploying Windows 2000 Advanced Server and its bundled directory service, known as Active Directory. Rory is a consultant with Master Certified Novell Engineer (MCNE) and Microsoft Certified Systems Engineer (MCSE) qualifications. He helped a midsize manufacturing company (15 sites and 3,200 users) move from an NT-based network to Windows 2000 and Active Directory. After completing the upgrade, he was hired on as the network architect, reporting to the VP of operations. Jeff is a senior network administrator for an insurance company that was running a mixed NT and Novell NetWare network that spans roughly 1,100 users. He led the company's migration to Windows 2000 and Active Directory.
Why make the move? The answers are quite simple. Generally speaking, Windows 2000 Advanced Server is more stable than NT Server 4.0. Moreover, Windows 2000 allows customers to move to Active Directory. The new Microsoft directory has several rough edges compared with Novell Directory Services and eDirectory (SP, Oct. 16, 2000, p. 48, www.smartpartnermag.com/issues), but Active Directory is a vast improvement over NT 4.0's antiquated domain-based system.
Here's why: Under Windows NT Server 4.0, each domain has separate users — if a user needs resources in several domains, they must have accounts and passwords for each domain. Permissions for administration across multiple domains, known as trust relationships, must be established between each domain, creating a very complex web of relationships. Each domain must have a primary domain controller (PDC) — a server that keeps all of the information on the domain. There's no simple way to back up all domain information for multiple domains at once. Applications that provide management services typically maintain their own databases, producing a large number of disparate databases that must be kept up to date.
With Active Directory, all users and objects on the network (servers, shared disk space, printers, etc.) are organized in a single hierarchical directory. Approved users have to log in only once to gain access to any network resource. Administrators can be granted rights to administer any network object, no matter where it's located. The directory tree exists as a single database that can be backed up and replicated, ensuring that all corporate data is easily protected. Simply put, Active Directory provides a central repository for consolidating network management information.
The problem with directory services is essentially the same as the advantage — it is an entirely new way of doing things for NT administrators and systems integrators. Customers will welcome the potential savings in server consolidation, easier management and improved desktop control. But, as with any major upgrade, the journey to Windows 2000 can be challenging.
Ironically, one of the best resources for integrators who are anxious to add expertise in directory services is the Certified Novell Engineer (CNE) program. CNEs already are familiar with directories, in the form of eDirectory and/or NDS. While there are differences between Novell's version and Microsoft's, the similarities may give CNEs a leg up over Microsoft Certified Engineers during a Windows 2000 Advanced Server installation.
Just ask Rory and Jeff. Both Windows 2000 experts say the hardest part of the upgrade was the planning phase, which included translating their existing network structure to a directory-based structure and educating networking staff as well as users on what the changes would mean. Both customers had multiple NT domains per site, which made for a complicated migration.
Says Rory: "The nicest part of moving to AD was that we could create an entirely new directory structure, based on logical groups, rather than server logins and geographic boundaries. It was harder to explain to network administrators than to users. I also loved that we could assign administrative rights at any level, in a very granular way."
In Jeff's case, management's original mandate was to move from NT domains and Novell Directory Services (NDS) to AD. Instead, the team convinced management to use NDS for NT to consolidate the NT domains, and then move everything over to AD.
"NDS for NT works well enough that it wouldn't have been a problem to leave NDS in place," concedes Jeff. "But management wanted to remove the requirement for NetWare servers and the special Novell clients required to administer NDS. By using NDS for NT to consolidate NT domains and handle the migration, we were able to leverage our existing experts in NDS to merge the domains into our existing directory structure, then move the whole thing over to AD."
There are two basic approaches to consolidating NT domains: merging them before the upgrade, generally through the use of tools such as NDS for NT or Domain Migrator, which Microsoft acquired from Mission Critical Software (now NetIQ); or moving everything to AD, and then consolidating the domains.
"The best part about consolidating the domains first was that we were able to try a couple of different organizational structures in the real world, transparently to the users," Jeff says. "Using NDS for NT, we were able to keep the existing domain structure in place for users, and merge all the information into NDS without impacting users. We tried a couple of different directory structures, one based on company units, the other on organizational units (such as marketing, sales, engineering), all without impacting users, since their existing groups and organizations were retained. Once we settled on a directory structure, we used ZENworks to roll out W2K Pro to all the desktops, merged NDS over to AD, and everyone had the new system in place within a few days."
Rory used the alternate approach. His team decided on the network directory structure, upgraded everyone to Windows 2000 Pro, then migrated from NT domains to the new AD structure. "We liked the idea of staged deployment," says Rory. "We upgraded all workstations to Pro first, let everyone get used to that, then deployed the new primary AD server, then moved all the PDCs over, then the rest of the servers. Finally, after that was all done and verified, we started consolidating groups and moving resources around. It took us about six months to get the whole thing ironed out, but we felt it was safer than an overnight upgrade."
Rory says creating a new root AD server, rather than converting the PDCs directly to Active Directory, was well worth the expense of the extra server because it let them have both the previous domain structure and the new AD structure in place simultaneously.
Jeff ran into some problems with updating and replicating Active Directory over WAN links. The insurance company had a large number of sales offices connected via dialup, ISDN or DSL. Most had a local NT server that also served as one user's workstation. When the domains were consolidated and the local workstations were all converted to Windows 2000 Professional, most of the remote offices were left authenticating over WAN links.
That caused many problems when the WAN links were down for any reason, or when large numbers of changes to the directory came through. They eventually solved the issue by making one workstation at each site a Windows 2000 server, and replicating the directory locally.
Understanding the strategies for moving from domains to AD is important, and not necessarily easy. In a network with a complex domain structure, just mapping the changes from a geographically based user- and resource-domain structure to the logical organization of a directory structure can be exceedingly complex. For instance, ensuring that the four "lsmith" user IDs in four different domains are the same user (or not, as the case may be) gets complicated.
In a large company, a complete listing of all network resources and objects (users, printers, groups, file-share volumes, etc.) can run to many thousands of objects. In a domain-based network, many of those objects are multiple instances of the same object, such as one user with logins in multiple domains. Others are distinct devices that happen to share a name in different domains, such as a printer_1 entry in several domains that identifies a different printer in each case. All of these entries must be found and uniquely identified before they are merged into a single directory.
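The "four lsmith accounts" problem is worth automating, because the two failure modes have opposite consequences: merging two different people into one AD account gives the survivor the union of both sets of permissions, while leaving one person as four accounts defeats the single-login benefit. The following Python script is an added example, not code from the article or from any of the tools it names. It takes per-domain object exports (constructed sample data below; the "identity" field stands for whatever out-of-band key proves two entries are the same thing, such as an employee number or a printer serial) and produces a reviewable plan in which only provably identical entries keep the bare name:

```python
from collections import defaultdict

# Constructed sample exports from four NT domains (not real data). "identity"
# is the out-of-band key that proves two entries are the same thing: an
# employee number for a user, a serial number for a printer; None = unknown.
SAMPLE_OBJECTS = [
    {"domain": "CORP-EAST", "type": "user", "name": "lsmith", "identity": "emp-0412", "label": "Linda Smith"},
    {"domain": "CORP-WEST", "type": "user", "name": "LSmith", "identity": "emp-0412", "label": "Linda Smith"},
    {"domain": "PLANT-3", "type": "user", "name": "lsmith", "identity": "emp-1177", "label": "Luis Smith"},
    {"domain": "SALES", "type": "user", "name": "lsmith", "identity": None, "label": "L. Smith"},
    {"domain": "CORP-EAST", "type": "user", "name": "bjones", "identity": "emp-0200", "label": "Bob Jones"},
    {"domain": "SALES", "type": "user", "name": "bjones", "identity": "emp-0200", "label": "Bob Jones"},
    {"domain": "SALES", "type": "user", "name": "jdoe", "identity": "emp-0900", "label": "Jane Doe"},
    {"domain": "CORP-EAST", "type": "printer", "name": "printer_1", "identity": "SN-A1", "label": "HP 4050, 2nd floor"},
    {"domain": "PLANT-3", "type": "printer", "name": "printer_1", "identity": "SN-B7", "label": "Lexmark, shop floor"},
]


def group_by_name(objects):
    """Bucket entries that would land on the same AD name (NT names are case-insensitive)."""
    groups = defaultdict(list)
    for obj in objects:
        groups[(obj["type"], obj["name"].lower())].append(obj)
    return groups


def identity_clusters(group):
    """Split one name bucket by proof of identity; unknown identities stay separate."""
    clusters = defaultdict(list)
    for obj in group:
        clusters[obj["identity"] or "unknown"].append(obj["domain"])
    return {key: sorted(domains) for key, domains in clusters.items()}


def classify(group, clusters):
    if len(group) == 1:
        return "unique"          # only one domain uses the name
    if "unknown" in clusters:
        return "needs_review"    # cannot prove who at least one entry is
    if len(clusters) == 1:
        return "same_object"     # duplicates of one thing; safe to merge
    return "collision"           # different things sharing a name


def plan_consolidation(objects):
    """One row per (type, name) with a verdict and the AD name each source
    entry should get. Only 'unique' and 'same_object' keep the bare name;
    everything else is suffixed with its source domain so nothing merges
    silently before a human has looked at it."""
    plan = []
    for (otype, name), group in sorted(group_by_name(objects).items()):
        clusters = identity_clusters(group)
        verdict = classify(group, clusters)
        if verdict in ("unique", "same_object"):
            targets = {o["domain"]: name for o in group}
        else:
            targets = {o["domain"]: "%s.%s" % (name, o["domain"].lower()) for o in group}
        plan.append({"type": otype, "name": name, "verdict": verdict,
                     "identity_clusters": clusters, "target_names": targets})
    return plan


def summarize(plan):
    """Counts per verdict; a handy progress metric for the cleanup phase."""
    counts = defaultdict(int)
    for row in plan:
        counts[row["verdict"]] += 1
    return dict(counts)


if __name__ == "__main__":
    plan = plan_consolidation(SAMPLE_OBJECTS)
    for row in plan:
        print(row["verdict"].upper().ljust(12), row["type"], row["name"], row["target_names"])
    print(summarize(plan))
```

On the sample data the two "Linda Smith" entries are reported as one identity cluster inside a bucket that still needs review, because the SALES entry has no proof of identity; the two printer_1 entries are a collision and get domain-suffixed names. Feeding real exports through the same plan gives the migration team the list of decisions it has to make, and the summary counts show how much of that list is still open.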
Usually the best time for the rollout coincides with business cycles. Get an early view on the developments on the applications side, both commercial and internal, that can change your schedule. Don't forget to include the testing time for any new software in your plans.
In companies with multiple locations, an important step is the geographic layout of the systems. That's when the systems and network people need to be in the same room. Remote locations will have their own domain controller and/or a catalog controller. The communications links must be able to handle the normal traffic of the location plus the replication traffic, or clients will be unhappy.
Microsoft is concerned enough about migration from domains to AD that it acquired Zoomit Corp., a meta-directory company, and, as stated earlier, acquired technology from Mission Critical Software. Both the former Zoomit product and Mission Critical's Domain Migrator can help ease the transition from domains to AD. Check out the simulation tools.
There are also a number of other tools available to help consolidate domains and ready an organization for AD: products from BindView; Directory and Resource Administrator, Domain Migration Administrator, and Server Consolidator from NetIQ; and DM/Active Roles, DM/Manager, DM/Reporter, DM/Consolidator and DM/Reconfigure from FastLane Technologies.
Those companies provide tools that can be used to manage existing NT domain-based networks, as well as Active Directory networks, and to ease the transition between the two. The products can produce lists of network objects, help discover duplicate entries in multiple domains, help establish naming conventions for the new AD structure, and allow management of both existing domains and Active Directory from a single console, allowing some domain-based structures to be retained and managed easily.
Since the Microsoft juggernaut moved into the networking arena a few years ago, finding experienced CNEs has become easier, though they are still in demand.
CNEs with NetWare 4 or NetWare 5 experience should make the transition to AD relatively painlessly. Administrators with a Vines or Streettalk background are also familiar with directory concepts and may make the transition to Active Directory more easily than experienced Microsoft admins without directory training or experience.
Partnering with other providers to fill in gaps in expertise could include working with Microsoft itself (Microsoft Consulting Services), Internet service providers, consultancies, and some of the software vendors that make consolidation tools. Given the cost of hiring experienced network managers, finding partners may be a more cost-effective solution, as long as you can verify some real experience in the areas in which you're looking.
Regardless of who does the work, make sure that the job is segmented into measurable chunks and that milestones, when met, are communicated to the client. It's essential to don your project management hat.
It's unlikely that Microsoft will develop and give away a tool that simplifies the transition from NT to Windows 2000, so there should be excellent opportunities for integrators to provide the needed expertise. If you can develop and retain that expertise, it's bound to add to your bottom line.
When installing a domain controller, Win2K Server gets cranky if it can't find a DNS server that handles SRV (service) records. The DNS servers for most major ISPs run BIND (short for Berkeley Internet Name Domain) v8.1 or later, which handles the records correctly. (As of this writing, the latest version of BIND is 9.0.1.)
The problem comes if you connect through a "minor" ISP that hasn't updated its DNS software. Not only will Win2K complain, but none of the Win2K Professional systems will be able to "see" the domain, even though you can ping the servers from the workstation.
The solution is to have the IP addresses of known-good DNS servers, install DNS on the domain controller so that it hosts the domain's SRV records itself, and forward everything else through the domain controller to the known-good servers until the ISP updates its DNS servers.
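Before promoting a domain controller, or after setting up forwarding as described above, the check a practitioner wants is whether the resolver the DC will actually use answers SRV queries for the names the Windows 2000 DC locator looks up. The following Python script is an added example, not from the article. It uses only the standard library, so it builds and parses the SRV query by hand; the record names under `_msdcs` are the DC locator's, not something the article lists, and the domain `corp.example.com` and resolver address are placeholders. It also includes a constructed reply so the parser can be exercised offline:

```python
import socket
import struct
import sys

TYPE_SRV = 33
CLASS_IN = 1

# DC locator names (assumption: from the locator's behaviour, not the article).
AD_SRV_NAMES = (
    "_ldap._tcp.dc._msdcs.{domain}",
    "_kerberos._tcp.dc._msdcs.{domain}",
    "_ldap._tcp.{domain}",
    "_kerberos._tcp.{domain}",
)


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_srv_query(name, txid=0x1234):
    """Standard query, recursion desired, one question of type SRV."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_SRV, CLASS_IN)


def read_name(msg, offset):
    """Decode a name at offset, following RFC 1035 compression pointers.
    Returns (name, offset just past the name in the original stream)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # two-byte pointer to an earlier name
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_srv_answers(msg):
    """Return [(priority, weight, port, target), ...] from a DNS response."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError("DNS rcode %d (3=NXDOMAIN, 4=NOTIMP)" % rcode)
    offset = 12
    for _ in range(qdcount):                  # skip the echoed question(s)
        _, offset = read_name(msg, offset)
        offset += 4
    records = []
    for _ in range(ancount):
        _, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == TYPE_SRV:
            prio, weight, port = struct.unpack("!HHH", msg[offset:offset + 6])
            target, _ = read_name(msg, offset + 6)
            records.append((prio, weight, port, target))
        offset += rdlen
    return records


def query_srv(name, server, timeout=3.0):
    """Send one SRV query over UDP to server:53 and parse the reply."""
    query = build_srv_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return parse_srv_answers(data)


def check_dc_locator_records(domain, server):
    """Map each locator name to its SRV records; an empty list means the
    resolver returned nothing usable (missing record, error, or timeout)."""
    results = {}
    for pattern in AD_SRV_NAMES:
        name = pattern.format(domain=domain)
        try:
            results[name] = query_srv(name, server)
        except (OSError, ValueError):
            results[name] = []
    return results


def build_sample_response(query, target, port=389):
    """Construct the reply a compliant server would give (test data, not captured)."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    rdata = struct.pack("!HHH", 0, 100, port) + encode_name(target)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SRV, CLASS_IN, 600, len(rdata)) + rdata
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_srv_query("_ldap._tcp.dc._msdcs.corp.example.com")
    print(parse_srv_answers(build_sample_response(q, "dc1.corp.example.com")))
    if len(sys.argv) == 3:                    # live check: script.py corp.example.com 192.0.2.53
        for name, recs in check_dc_locator_records(sys.argv[1], sys.argv[2]).items():
            print("OK     " if recs else "MISSING", name, recs)
```

Run against the resolver the workstations use, every locator name should come back with at least one record pointing at a domain controller. A resolver that returns an error code or nothing for all four names is the "minor ISP" case the article describes, and the forwarding arrangement above is the workaround until it is fixed.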
High-Techno Altitude Headache
While it may be the toughest part of the implementation, the action's not just at the Windows 2000 Server. You need to be running Windows 2000 Pro at the desktop to make full use of the features of Active Directory. Need help? Even being a Microsoft rapid deployment partner (RDP) doesn't mean Windows 2000 appears everywhere overnight. Just ask Boeing Corp.
According to Bob Jorgensen, the director of public relations at the company's shared services group, Boeing currently has about 5,000 desktops running Win2K Professional and a percentage of machines running versions of Win2K Server, all installed during 2000.
Although rolling out that many copies of Win2K is significant, Jorgensen admits Boeing has a way to go. That's because Boeing is a big company. "Many people think of airplanes when they think of Boeing. We're also the world's largest defense contractor and big into satellites, too," Jorgensen declares.
With the acquisition of McDonnell Douglas, Rockwell's aerospace unit, portions of Hughes Electronics' business, Iridium, and a few other small companies, Boeing's total workforce exceeds 195,000 employees and the company plans to have more than 150,000 desktop systems in use over the next three years.
Given that most of Boeing's current desktops are two to three years old, the company decided it was not cost-effective to upgrade the old systems to run the new OS. Hence, Win2K Professional usually goes on machines in new deployments.
Although the decision to move to Win2K was centralized, the judgment on when to deploy new systems was left to divisional managers. Factors influencing the decision include whether each division's suppliers and customers use Win2K and the cost of the new systems.
With the average price of a new desktop with all licenses running approximately $1,500, it's certainly not chump change.
Availability and staging the rollouts are also factors. Both manufacturers and purchasers need a timely process for handling orders for 150,000 desktop machines.
As to the future, Jorgensen shared the schedule. "Today, it's 5,000 desktops. Ask me a year from now and it should be 50,000 desktops, 100,000 by the end of 2002, and the last of the 150,000 within another 18 months." Jorgensen also confided that Boeing is pondering another problem — what to do with all of those old computers when the new ones are deployed.
Windows 2000 Professional is easy to install, and most integrators or technicians stave off boredom during the 30- to 60-minute installation process by using automated tools like Microsoft's Zero Administration Kit or programs like Symantec's Ghost to place the new OS onto machines.
Although some of these tools can roll out new versions of applications, like Office 2000 or Lotus Notes, the tools don't migrate the legacy applications to a machine when doing a fresh OS install. Nor do these programs migrate settings or data from a legacy app into a new version, such as Office 97 into Office 2000. The same challenge applies to moving OS settings that range from mouse-click speed to taskbar settings.
Rather than getting bogged down manually touching each desktop, consider adding migration tools to your arsenal. Several products like Tranxition Corp.'s Tranxport Professional, Miramar's DesktopDNA and Virtual Access Networks' The Van can save and restore the "personality" of a computer and its application during a migration.
These products move the information from most forms of Windows 9x/NT and popular major applications to the Windows 2K environment. Be aware these migration products are works-in-progress, and specifics such as the OS version, applications and the depth of the migration — from just a few settings to the thousands of settings for each OS or application — vary among the products.
Licenses run between $30 and $50 per seat, depending upon quantity purchased. The products are huge timesavers and can drop migration costs from International Data Corp.'s estimated $300 a system to well under a third of that figure. That's a savings that can be passed on to the customer and could be the deciding factor in a bidding situation.
A caveat: These migration products don't solve every "opportunity" involved in migration to Windows 2000 Professional. They don't handle Apple computers and do not cover the settings from every major application, and you can forget about most of the second-tier applications. However, you can reduce the cost for your client's migration and free up your time to handle more customers (or larger customer engagements) by adding these migration products to your stable.
- Get some real experience implementing AD, even if it's with your own network.
- Be completely familiar with the recommended ways of moving from domains to AD.
- Develop expertise with the available third-party tools for helping with migration.
- Leverage knowledge from your personnel who have worked with other directory products, such as NDS or Streettalk.
- If you don't have these abilities, find a partner that does have the expertise.
While the actual migration process is not that difficult, getting to the point where you can migrate users and other network objects is a painstaking exercise. You'll need to brush up on your ambassadorial, political and power-brokering skills, in addition to your network administration expertise. Think we jest? Check out for a mind-numbing look at everything involved in a Windows 2000 Server implementation. Then, start planning for success, but don't forget the pain pills.
-- Eric Carr