Part II ✦ Planning, Installation, and Configuration
Chapter 4
Planning for Windows 2000 Server
No matter how small your network or your needs, you
should not install Windows 2000 without preparing an
implementation and deployment plan. This chapter covers
planning for Windows 2000 Server and takes you through the
steps required to formulate and execute a deployment plan.
Steps to Implementation
Many of you are probably following the advice of your peers:
Microsoft should release the first service pack or two to
Windows 2000 before you touch it. Here’s your wake-up call:
You need to install Windows 2000 Server now. Not after one or
two service packs. Now. Are we paid Microsoft supporters?
No. We just want to make sure you get on the train when it
stops at your station.
By “now,” we do not mean you have to rush out and install it
in a production environment. But you have to start testing
now, understanding now, and learning now. You have to plan
for Windows 2000 Server, and this advice is aimed at not only
the multi-national company with 432,981 employees in 65
countries, but also at the single-person company that you’ll
find around the next corner.
Why the rush? Windows 2000 Server is a shocker. It is more
stable at release time than NT 4.0 was, and in many cases, even
without its advanced functionality, it is preferable to install
Windows 2000 than Windows NT 4.0. It is not only years ahead
of its time, it is also more stable without its first service pack than Windows NT 4.0
at service pack 5.0 and higher. However, there is something else you need to know.
Don’t be fooled into thinking that the competition, even another department in your
company, is adopting the wait-and-see position.
Windows 2000 provides such a huge competitive advantage, when wisely adopted,
that the early implementers could end up well ahead of you and their competition:
on the Web, in office productivity, in security, in lowering TCO, in administration,
and more. In fact, we have recently talked to administrators who are choosing com-
panies they would like to work for based on their early adoption of Windows 2000.
Got the message? So if you are wondering, “Where do I begin?” this is the chapter
that takes you down the Yellow Brick Road. Put your worries and neuroses behind
you and get cracking.
Formulate a Plan
The first step you need to take is to formulate a plan of attack. You can be very sci-
entific about your planning for Windows 2000 Server, and you can also overdo it.
We urge you to keep the planning simple. The cliché that works for Windows 2000
Server is to make sure you can see all the trees and all the forests. If you already
have a well-organized domain, you have lots of time; Windows 2000 is not going
away.
You must come up with a formal document for management, proposing a project to
evaluate and plan an upgrade or conversion to Windows 2000 Server. If you take the
CEO or CTO a 1,200-page tome, he or she will freak out. Managers will want to know
how Windows 2000 Server is going to save them money, make them more competi-
tive, and keep them secure. Most executives need nothing more than an executive
summary with which to begin.
Note
Migrate. This is the first and the last time you will see the term migrate in this
book because it is a misnomer when referring to moving to Windows 2000 Server.
We don’t want you to use it because it has negative connotations. Migrating
implies that you can go back to where you came from. Migrating is not possible
with Windows 2000. If you’re trying to go back, then you’re in disaster recovery
mode. Your domains can coexist, which most of you will be doing for a while, and
you will convert. But if you follow the advice in this book and in the next few chap-
ters in particular, you will not have to climb down from Windows 2000 and rein-
stall Windows NT.
If you think we are playing petty semantics, you are wrong. In many languages and
cultures, migration is a temporary thing. Once you convert your last Windows NT
Domain Controller, there is no reversion; you are done . . . dead or alive.
There are many ways to approach a project and a plan. And we do not intend to
teach project science here, so whatever works for you, or is required by your
organization, is fine with us. We are not going to offer you the best way to approach
the conversion. We will give you some pointers culled from many years of doing
needs analyses and syntheses.
Tip
It is important that in the early days of the planning and testing phase, you
choose only a handful of energetic people to evaluate Windows 2000 Server. You don’t
want too many people doing their own thing and becoming unproductive and
uncoordinated. In the beginning, there will be little time for managing all the egos
and eager beavers. If too many people join the project or you have subsidiaries
and divisions setting up their own projects, the company on the whole will lose
out because you’ll end up with disjointed installations everywhere and the project
will drown under the weight of everyone’s two ounces of input. Incidentally, there
were five people involved in the Windows 2000 development project that this
book is based on. Three were employed almost full-time in lab work.
The following is a suggested plan of attack. It is the one we followed when testing
Windows 2000 Server for this book, and it is the plan we used to evaluate Windows
2000 for our own customers, clients, and companies, from our six-person insurance
company to our huge multi-national distributors. Like you, back in early 1999, we
knew very little about Windows 2000. We were too busy keeping our NT networks
in check. Our respective clients wanted to wait until late 2000 before considering
Windows 2000 . . . and then everyone changed their minds when they started seeing
the fruits of our labor.
Phased Implementation
Phased implementation is a big phrase that represents a logical course to complet-
ing a difficult transition from one state to another. In the example here, our objec-
tives are to move from state zero (no Windows 2000 Server) to tests in the lab, pilot
project, conversion, and rollout. Depending on the nature of the implementation
and your objectives, your project phases may vary or be very different from ours.
Each phase may itself become highly nested with sub-phases, milestones and sanity
checks.
Phased implementation allows us to stop at checkpoints along the way, assess
results, and make changes, as required. Our Windows 2000 Server project consisted
of several phases, illustrated in Figure 4-1. Some phases overlap and others are
ongoing.
Figure 4-1: Phase implementation plan (drawing of plan)
There are also several steps within each phase. The conversion step is in itself a
phased-implementation effort. However, take care not to over-nest your project
with too many phases. Our suggested phase-implementation structure is as follows:
✦ Phase 1: Analysis and Ramp-up
✦ Phase 2: Labs
✦ Phase 3: Sanity Check
✦ Phase 4: Pilot
✦ Phase 5: Conversion
Here are the suggested steps that span all five phases, outlined in Table 4-1:
Table 4-1: Planning Steps
Phase      Step
Phase 1    Step 1: Establish a Timeline for Your Project
Phase 1    Step 2: Understand the Technology
Phase 1    Step 3: Understand How Your Enterprise Is Currently Positioned
Phase 1    Step 4: Establish Budget
Phase 2    Step 5: Create the Lab
Phase 2    Step 6: Design the Logical and Physical Structures
Phase 2    Step 7: Secure the Lab
Phase 2    Step 8: Test
Phase 2    Step 9: Position the Enterprise on Windows 2000 (Gap Analysis)
Phase 3    Step 10: Evaluate
Phase 4    Step 11: Create Pilot Projects
Phase 5    Step 12: Begin Conversions
Step 1: Timelines
Establish a timeline for your project. For the record, plan on at least six months for
a team of about three people. The ideal length of time from assessment to rollout
will be about 40 weeks. And that should cover everything to integrate or infiltrate
Windows 2000 into core functions of your IT and telecom structures.
You might get away with a shorter timeline for a small company using Win32-
compliant software or proven or ironed-out IT processes. By small, we are referring
to not more than 20 people. Just because a company is small does not mean it is
not performing mission-critical work comparable to a unit in a Fortune 500 com-
pany. Remember, if a unit in a large company goes offline for a few days, it might
hardly be noticed. Take a small company offline for a few days, and it could go
insolvent.
It will take a large company about two years to completely convert to a Windows
2000 Server, and Microsoft concurs. Smaller companies will require less time, but
no less than 24 weeks. You may be able to rush it, but you’ll be studying every day,
seven days a week. You could also take classes and do an MCSE in the middle, but
that would not get you anywhere faster. An MCSE is a good idea in parallel with this
project, but take classes so you can interact with your instructors and clarify stick-
ing points.
Step 2: Understand the Technology
If you have Windows NT experience, you can draw on that, and you can draw on any
general IT/IS experience you have, but for the most part, you’ll be learning a lot of
new stuff. It is also not sufficient to say you now know all there is to know about
Windows 2000 after six months of shining a flashlight under the covers; that’s impos-
sible, but it is vital that you understand the technology, what Windows 2000 is, and
how it achieves its objectives.
Prerequisites
Windows 2000 architecture is highly complex. Our joke is “ZAW = Zero Administrators
for Windows.” Key to understanding the technology is having a good grounding in
general computer science and network engineering, but be willing to specialize. You
are going to need expertise on your team, and the members of the team should be
prepared to show proficiency in several IT areas.
They will need a complete understanding of, and experience in, all of the following:
TCP/IP, DNS, WINS, DHCP, Server Hardware Platforms, Storage, Windows NT Server
administration and deployment experience, NT and Windows 9x workstation experience,
Internet practices, and tons more.
After you have established the timelines and have picked a team of experts, you
need to spend no less than two months, possibly four, understanding everything
about the technology and the architecture, Active Directory (six to eight weeks).
Trust us, we work with engineers all day long, and they are very good at what they
do, but on some Windows 2000 subjects, they still have to scratch their heads.
Where do you start?
Besides this book to break ground, the best place to start is the Microsoft Web site.
There are tons of white papers there and documents that will get you started on
both the easy and difficult stuff. The Deployment Planning Guide in the Windows
2000 Resource Kit is also a worthwhile document to read, as long as you have lots
of Alka-Seltzer handy.
Avoid books that are nothing but a rehash of the Windows 2000 Help Files. They
may have worked in the past. But not only are the Help Files very thorough, they
are also “mind-blowingly” vast, covering many different functions and features of
the server. And, before you interject, you can take them “anywhere” you can take
this book . . . on your Windows Pocket PC or CE handheld, which puts you directly
on the server, as Chapter 25 explains.
Also avoid books that attempt to teach you about subjects not really germane to
Windows 2000 Server or that have been covered more times than the Oscars. For
example, you won’t find instructions on how to format a hard disk in this book, or
what constitutes an IP address, or a crash course on HTML. If you don’t already
know this stuff, you’re not qualified to be involved in planning for and installing
Windows 2000 Server.
You will also need new equipment, but more about that later. For the first few
weeks, you need to read, read, read. There are going to be payoffs. You’ll find that
people caught off guard will start turning to you in desperate need of help to under-
stand a complex Windows 2000 issue. Your peers who scoffed when you plastered
your office with thousands of Windows 2000 white papers won’t be laughing now.
Step 3: Understand How Your Enterprise Is Positioned
to Exploit Windows 2000 Server
We know this is difficult to do in the early stages of the project, but it is very impor-
tant to prepare yourself to take your early findings to management. Although many
projects are sanctioned or sponsored by people high up in the management chan-
nels, unless you come up with specific reasons to make changes to or enhance the
existing IT infrastructure, your project may come to an abrupt end.
No matter how big or small the organization, change is always difficult, and there
is the risk of business or work stoppages resulting from unanticipated events that
result directly from your conversion attempts. Believe it or not, many companies
are doing just fine on Windows NT.
Management, especially the CIO/CTO or MIS, is focused on keeping the business
systems running. Without the systems, the business fails. Nine times out of ten,
most senior executives will cite the “wait until service pack 1” rule. Your job is to
convince them to start testing now and then to get the initial sponsorship and bud-
get for the project. And the only way to do that is to become an informed evangelist
in less than two full moons.
Step 4: Establish Budget
You’ll need several stages of financing for your project, so think like an entrepreneur.
The early stages can probably be catered to out of existing equipment, unused
servers, hard disks, and so on. If you don’t have surplus hardware, you’ll need to get
a few servers. And we don’t need to tell you that the best means of providing servers
for a project like this is to buy the pieces and assemble the hardware in your lab.
You’ll not only learn about Windows 2000 hardware compatibility, but you’ll end up
saving a lot of money in the early stages.
Caution
Older brand servers, like Compaqs or Dells, are as risky for Windows 2000 as flea
market finds, if not more so. The only failed installation we battled with for this
book was on a Compaq 6000, as discussed in Chapter 5.
Step 5: Create a Lab
With your initial budget, you need to set up a lab. This should be a secure area
where you can set up a number of servers, workstations, printers, and a slew of net-
work components, such as routers and hubs. Depending on the size of your organi-
zation and the project, you will want your lab to emulate an enterprise-wide domain
structure, both physical and logical. In that case, you’ll need to set up several
domain controllers, role servers like DNS and DHCP, and so on.
Obtain a space in which you can comfortably fit about 12 full-tower servers and all
collateral network equipment and printers. You might get away with a lot less, and
you might need a lot more. One company we know built a test domain complete
with domain controllers for 24 remote centers — that’s 24 domain controllers.
Follow Chapter 5 for specifics on installing the servers.
Step 6: Design the Logical and Physical Structures
Once you have a budget and you are ramped up on the technology, you can begin
designing your logical and physical domain structures in the lab. You will need to
set up key role servers such as domain controllers, certificate servers, license
servers, DNS, and so on. In the next chapter, we discuss issues directly related
to the domain controllers and role servers. The logical and physical designs are
discussed in Part III, Active Directory Services.
Step 7: Secure the Lab
Pay particular attention to security during all phases of the test project. In other
words, experiment with various levels of encryption and security practice (such as
using smart cards). You will also be setting up initial user accounts for your admin-
istrators and a selection of mock users for your organizational units (OUs) and
groups in Active Directory.
Step 8: Test
After you have designed and created a logical and physical structure and applied
security, it is time to test. You will be testing authentication, policies, DNS, WINS,
DHCP, storage, file and folder access, and so on. During your tests, you should also
pay attention to the position your enterprise is currently in. Moving directly from
Step 8 to Step 9 will allow you to perform insightful gap analysis. Gap analysis is
used to determine the technology gap between the company of the present and
the company of the future.
Step 9: Position the Enterprise on
Windows 2000 Server
During your test project and lab work, you need to assess the position your organi-
zation now finds itself in and the position it can be in during and after conversion.
Also, list all the situations the company would not like to be in during and after the
conversion and phased implementation. The first situation we would not like to be
in that comes to mind is being offline; another is being up but finding that users have
lost access to their resources. This is discussed a little more, later in this chapter.
Step 10: Evaluate
You need to stop at predetermined intervals or milestones along the way for sanity
checks and to evaluate how far you have come, how far you have to go, deadlines
that may have been missed, and other problems. Towards the end of the project,
you will need to make the decision with your sponsors and management to move
forward with a test or pilot project in which you will be deploying servers in pro-
duction environments.
Step 11: Create Pilot Projects
The pilot projects can take on many forms. They could be limited to the installation
of a role server, many role servers, the beginnings of Active Directory in the organi-
zation, and more. More on this in a later section.
Step 12: Begin Conversions
On the basis of successful pilot projects, you will be able, with the blessings of man-
agement or your own confidence, to move forward with rollout and conversion. Our
strategy for a phased implementation is discussed shortly.
There is a lot of material floating around that covers planning. The material in the
Windows 2000 Deployment Planning Guide is extensive. However, we found it too
detailed in parts and too verbose for the majority of installations. Many sections call
for teams of experts (a way of picking up the fallout from defunct Y2K projects?)
that most companies would not be able to afford. Indeed, a team of such experts,
even for a month, would be beyond the budgets of all but a few companies.
The previous steps are a starting point, something on which you can build. The fol-
lowing planning guide worked for us, suited our environment, and is based on many
projects that came before Windows 2000. Each step along the way was fully docu-
mented and evaluated. Indeed, you are holding much of the research and lab work
we did between these covers. Now let’s kick our implementation into high gear.
Analysis and Ramp-up
There is a huge difference between learning about Windows 2000 Server and under-
standing what the technology means for the enterprise, and, as components of
Phase 1 described earlier, analysis and ramp-up set out to achieve both in logical
order. We touched on this a little earlier in this chapter, and in Chapter 1, where we
placed Windows 2000 Server in the middle of Microsoft’s architectural feast. Your
planning efforts should thus be based on the following objectives:
1. Understanding how to use the technology
2. Installing and deploying Windows 2000 Server with that knowledge
Understanding the Technology
Only after you have a thorough understanding of the technology and the architec-
ture will you be in a position to determine the benefits for the enterprise. Granted,
you may have heard how wonderful Active Directory is. But you have probably
heard rumors that it is “overkill for a small company.” How do you know if that
statement is invalid until you fully understand how Active Directory works and
what it can do for your company, no matter what the size? Just because Active
Directory can hold a billion objects does not mean it should not hold a hundred. It
is also important to understand the various services that play domain roles. Official
documentation, for example, refers to three roles a server can play. The server can
be any of the following, and it is important to understand the differences:
1. A Windows 2000 server can be a standalone server, which means that it is not
joined to any domain and stands alone in its own workspace. Understanding
how this server interacts or participates on the network will provide you with
the information you need to assess needs and cater to them with the estab-
lishment of standalone servers. A standalone server, for example, is an ideal
bastion. And it can be used as a firewall or proxy server without having to be
part of a domain. A certificate server, established for a public key infrastruc-
ture (PKI), is a good example of a standalone server.
There are millions of Windows NT and 2000 servers on the Internet, and they
are not part of any Windows domains. The machine is thus more secure as a
standalone server than as a member server because standalone servers are
not given domain accounts nor are they authenticated on the domain. They
can also be print servers, and so on, but their resources cannot be published
in Active Directory, short of mapping them to IP addresses (see Chapter 23).
Tip
If you are in a hurry to install Windows 2000 Server, do not try to join it to any
domain or promote it to a domain controller. Make it a standalone server that logs
into its own workgroup.
2. Windows 2000 can be a member server, which means that it has an account in
the domain. Now, that account can be in a Windows NT domain or a Windows
2000 domain. As long as it is a member server, you can access its resources
via the authentication mechanisms of Windows NT and the NTLM authentica-
tion service (see Chapter 3), or via Kerberos on a Windows 2000 network.
This means that the Windows 2000 member server can play certain worth-
while roles in an NT domain. We will discuss such roles shortly.
3. A domain controller loads the Active Directory support infrastructure. You can
install a Windows 2000 domain controller when you are ready to begin learn-
ing about Active Directory, or when you are building your test domains in the
lab. You can also install a Windows 2000 domain controller server into a
Windows NT domain.
Good examples of understanding the technology are coming to the conclusion that
Windows 2000 Server-DNS, Windows 2000 Server-WINS, and Windows 2000 Server-
DHCP are ideal role servers to install in the existing environment, be it Windows NT
or something else . . . and figuring out how to integrate them. In fact, this is the
design technique that forms the basis of our evangelism in this book in general,
and in Parts II and III in particular.
We call this technique “conversion by subversion.” Sun Tzu would be proud. The
process is straightforward:
1. Target the service that can be overthrown.
2. Move the role server into a position where it can perform the role of the
target.
3. Take over the role.
4. Shut down the subverted server.
Let’s look at this concept more closely. Take WINS. On NT, it’s a stinker, causing
more headaches for every new segment you have to roll out. Let’s face it: It is a
Band-Aid for a service that was not meant to be used the way it is being used, and
we are talking about NetBIOS.
After years of complaints from thousands of IT managers, Microsoft has rolled out a
new WINS. Managed behind the MMC, it’s a new wave for a service that will not last
more than a few more years.
We have zoomed in on all of the WINS servers at one of our clients (19 servers to
be precise). That’s 19 targets to take over. After tests proved that the Windows 2000
WINS servers would work well in their new environments, we began a conversion
project to take the legacy servers out one by one. Why were we able to deploy in
this fashion? Because WINS 2000 is not for pure Windows 2000 . . . it’s for Windows
NT, Windows 9x, and clients that need to resolve NetBIOS names to IP addresses (see
Chapters 12 and 14).
Focus on Capabilities, Not Features
We take this understanding philosophy further and implore you to focus on capabili-
ties as opposed to features. If you focus on features, you lose sight of your enter-
prise needs and become a royal pain to everyone on your team. Rather than coming
up with “did you know...?” lines day in and day out, focus on, for example, why WINS
2000 should be implemented now, because it supports persistent connections.
If you support a large WAN with multiple sites, you’ll be glad to know that your days
of endless forced replicating between “sterile” WINS servers are over. Does this mean
much for the enterprise? It does if your sites are interconnected over low bandwidth
WAN (56K circuits). It does not take much to fix broken WINS server services using
the old WINS. But when users call because they cannot find their network shares
and when automatic file transfers fail, WINS 2000 may be one of the first new servers
you try to get into production and deployment, as we earlier explained.
Needs Analyses-Needs Syntheses
A needs analysis or needs synthesis is a study of the needs of an enterprise for certain
technology or solutions. This can and should be done during the planning phase
and before testing efforts and pilot projects are complete. This is your opportunity
to “sell” Windows 2000 Server to your enterprise.
Here is a good example of a needs synthesis. One of our clients is a large multi-
national that is about to embark on the complex process of merging the IT depart-
ments of two recent acquisitions into its own IT infrastructure. Mergers and
acquisitions can collapse if IT cannot get it right, and merging the network infras-
tructures and domains of once-competing companies can cause your cholesterol
levels to skyrocket.
For the foreseeable future, at least two years, the companies will have to operate
as separate entities while IT converts key services and infrastructure into the
acquiring, now parent, corporation.
Between the three companies, there are 9,000 employees. Each company has a col-
lection of Windows NT domains. The domains between the three companies num-
ber about 45, many still from earlier acquisitions, and acquisitions of acquisitions,
and all 45 need to be managed holistically. Many of the domains are NT account
domains, collectively containing some 13,622 accounts. This is a daunting task. For
starters, under Windows NT all the domains interconnect over a large WAN and
thus all need to be related to each other with complex Windows NT domain bi- and
uni-directional trusts.
Investigating the processes shows that several thousand folders also need to be
shared between the entities. One of the biggest problems anticipated by all is the
translocation of key employees, many of them from their old company to the new
HQ. The translocated employees need to be given new user IDs and be able to log
on to the new “HQDOMAIN.” However, they still need access to their old folders and
shares back at the old offices where they logged in (for example, EXDOMAIN).
This means that administrators from both domains will have to cooperate, long dis-
tance, to make the resources available to the users. The effort is made much more
difficult because the administrators from the acquired domains do not trust their
peers. So administrators in HQDOMAIN have to create user groups for the translo-
cated souls, and the administrators from the old domains have to implicitly add the
new groups to the resources, such as groups that need access to share-points.
The needs synthesis shows how Active Directory should be used to consolidate the
file and folder resources and make them easier to access in a Windows 2000 domain
hierarchy. This means that folders would be published in Active Directory and
made available to the users no matter where they log on.
The project, as you can imagine, is extensive. So between now and Part III in this
book, take some time to ponder how you would go about such a project, and where
you would start.
Do Not Overlook Your Present Needs
It is important while planning that you do not lose sight of what brings in the bread
and butter today. Many companies are so busy with current projects that they can-
not spare anyone to work on a Windows 2000 Server planning project.
This can be either a minus or a plus, depending on your circumstances. The previ-
ous example in the needs synthesis indicates how Windows 2000 can cater to pre-
sent needs. On the other hand, you should not suggest or deploy Windows 2000
without first ensuring that you are not risking present systems; your lab work and
pilot projects will ensure that.
Assess Your Future Needs
Looking to the future will help you and the team, and especially the managers who
need to come up with the money, understand where Windows 2000 technology will
come in. If you can show, as we did in the previous needs synthesis, that investing
in Active Directory will cut six to eight months off the merger process, you will
make a lot of people sit up and take notice. If you can show how much you will
save, and how you will pave the way for the next big acquisition, which is expected
to add another thousand accounts to the absorption process, you will probably get
double the funding you need to take your project to the next level.
Assess Your Strengths and Weaknesses
We cannot stress enough how important it is to assess your strengths and weaknesses
before you take your planning project to the second phase. This assessment must
be done on several levels, specifically:
✦ Support from management
✦ Available funds
✦ Available time
✦ Material resources
✦ Human resources
✦ Technical expertise
✦ Network infrastructure
✦ Technology or systems already in place
✦ Direction of the company
✦ What the competition is doing
Support from management
Without champions, you’re dead. In one company we know, the project was blocked
from higher up because of the investment in Novell Directory Services (NDS). Don’t
take that the wrong way. NDS has been out there a lot longer than Active Directory
and is a fine product, but the company was not willing to change to Active Directory
in the middle of an NDS rollout. In such a case, it would be prudent not to focus on
competing technology, but to get support for other services, such as printing sup-
port, IIS, DNS, telephony, media, and so on (remember, conversion by subversion).
Cross-Reference
See Chapters 2 and 7 for information on the coexistence of NDS with Active
Directory in particular, and about meta-directories in general.
Available funds
Microsoft has made Windows 2000 available for 120-day trials. We do not believe
that this is sufficient time for a comprehensive project. Many companies we know
have unused Windows NT 3.5 and 4.0 licenses lying around. If you need more time,
a cost-effective option is to buy the Windows 2000 Server upgrade. Installing the
upgrade, even on a virgin machine, is a painless process, as we explain in Chapter 5,
as long as you have the original CDs.
You still have to invest in servers, hardware, and time. Make a list of everything
you need and then estimate costs. Then ask management for twice the amount of
money and work backward from there. Having money left over is far better than
having to go back to management for another shot in the arm.
You may think this is “seat-of-the-pants” budgeting, and it is, but given that IT people
can be terrible at costing and that you need to cater to unknowns, you must
take care not to underestimate, even if you think it will all go smoothly. After all,
even though Windows 2000 seems ahead of its time . . . Microsoft did promise it
several years ago.
Also, if you are struggling with budget and need to buy a few months, consider making
the leap to terminal services as opposed to buying Windows 2000 Professional.
Microsoft gives you three months to deploy an application server before enforcing
its licensing restrictions. See Chapter 25.
Available time
Be sure you have the time to be involved in such a project. If you are planning a
comprehensive technology assessment, test lab, pilot project, the whole thing, then
nothing short of full-time and a team of several souls will do. Work out how much
time you need to complete the job, then double that and work backward from there.
We understand this might not be realistic for many companies and individuals that
often wish they could multithread all the work processes they have.
Material resources
You need space, a test lab, hub space, rack space, monitors, storage, workbenches,
tape backup units, cartridges, CD burners (for cutting auto installation CDs), and
so on. Many companies have a lot of stuff lying around, so before you put pencil to
paper to get a budget, first see how much can be “borrowed” from the other departments
or divisions.
You may still have to invest in new hardware, however, because Windows 2000
exploits new hardware services the major manufacturers are bringing out on their
new platforms. These include Plug and Play, Advanced Configuration and Power
Interface (ACPI), and the Boot Information Negotiation Layer (BINL), which is the
service that enables remote booting.
Human resources
You cannot hope to complete a full-scale Windows 2000 Server test or planning
project on your own. This is tough on smaller companies that do not have many
employees to spare, and trust us, the MCSE on Windows 2000 will not prepare you
sufficiently to convert a considerable infrastructure. You need hands on, all the
time. Microsoft invested millions of person-hours on Windows 2000. Also, do not
forget to allow for time off, sick leave, and so on.
Technical expertise
This is not the same as the previous item (human resources). Our projects would have traveled a lot
faster had several peer technicians been available. For example, the mainframe and
mid-range integration efforts had to be pushed back because people were tied up in
Y2K efforts.
Network infrastructure
This one can be tough. Collateral operating systems, protocols, topology, legacy
applications, and legacy Windows (there are still many copies of Windows 3.11 in
use) will all have an impact on the design process. Your enterprise and gap analyses
will need to “discover” all the components. For example, a so-called barrier to
entry is the steep learning curve of DNS for many administrators who have never
needed to touch it before.
If you support a highly complex network infrastructure, you should use products
like Microsoft System Management Server (SMS) to help you discover what you
have. If you have not worked with discovery tools, you need to factor in ramp-up
time for learning how to use such productivity or administration
tools. By the time you are finished, you’ll have an equation not even Pierre de
Fermat can solve.
And now for some words on Windows domains: Windows NT domains are not easily
merged into Windows 2000 domains. Due to the limitations of the earlier technology,
many companies were forced to create several domains to avoid blowing up
the SAM database. You might be tempted to upgrade the Windows NT domain to an
Active Directory domain, but it is not an easy process and is risky because the NT
domain controller is converted to an Active Directory domain controller, not
simply copied.
We have mixed sentiments about the conversion of Windows NT domain controllers
(PDCs and BDCs) to Windows 2000, and we believe Microsoft should have provided
more tools to import accounts to the Active Directory, as opposed to converting
the whole primary domain controller. We go into this in some depth in Chapters 5
and 9, where you benefit from a first-hand account of a disastrous PDC conversion.
If you have large and complex domains, you should explore using ADSI (Active
Directory Services Interface) to programmatically copy user accounts to the
Windows 2000 domain. Your user accounts can be exported from the SAM database
and then imported to Active Directory. You can also build a simple tool, using
Microsoft’s database technologies, such as the Active Data Objects (ADO) and the
Active Directory OLEDB service provider, to perform your import. This is much
harder than it looks, especially if your network administrators do not write software,
and most don’t.
Regardless of how you plan to transfer user accounts to Active Directory from NT
4.0 domains, there is no getting away from the amount of work it will be. Thus, you
should plan now with Active Directory in mind, even if your conversion project will
only begin a year down the road.
If you have investigated Active Directory really well, you will notice that many
attributes or properties of the user account objects are very different from the
attributes of user accounts in NT (meaning all versions of NT). NT user accounts,
for example, do not contain attributes for new services such as Terminal Services
sessions, or new fields for properties such as User Principal Names (UPNs); and
home directories, policies, profiles, and passwords are all radically different in
Active Directory. You thus need to consider if your NT domain should be phased
over, rather than converted by the promotion of the domain controller. While conversion
may appear to be more desirable, there are caveats.
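The export-then-import route described above can be rehearsed offline before any domain is touched. The following is an added example, not code from the book or from Microsoft: it takes account records exported from several NT domains, holds back names that collide once the domains share one Active Directory domain, and writes the rest as LDIF entries for disabled accounts carrying attributes NT lacks, such as the UPN. The record layout, the OU, the UPN suffix, and the use of LDIF text instead of live ADSI calls are assumptions.

```python
# Added example: plan a phased NT 4.0 -> Active Directory account import.
# Record layout, domain names and the target OU are constructed assumptions.
from collections import defaultdict

# Constructed sample export: one dict per NT account, tagged with its source domain.
NT_EXPORT = [
    {"domain": "SALES", "name": "jsmith", "full_name": "John Smith",
     "home_dir": r"\\SALES1\home\jsmith", "script": "logon.bat"},
    {"domain": "ENG", "name": "JSmith", "full_name": "Jane Smith",
     "home_dir": "", "script": ""},
    {"domain": "ENG", "name": "mlee", "full_name": "Mei Lee",
     "home_dir": r"\\ENG1\home\mlee", "script": ""},
]

UAC_NORMAL_ACCOUNT = 0x200   # userAccountControl flag: ordinary user account
UAC_ACCOUNTDISABLE = 0x002   # userAccountControl flag: account disabled

def find_collisions(records):
    """Return {lowercased name: [source domains]} for names used in >1 domain."""
    seen = defaultdict(list)
    for r in records:
        # sAMAccountName is compared case-insensitively within one AD domain.
        seen[r["name"].lower()].append(r["domain"])
    return {n: d for n, d in seen.items() if len(d) > 1}

def to_ldif(record, ou_dn, upn_suffix):
    """Map one NT record to an LDIF 'add' entry for a disabled AD user.
    Names are assumed free of DN special characters; no password is carried."""
    name = record["name"]
    lines = [
        f"dn: CN={name},{ou_dn}",
        "changetype: add",
        "objectClass: user",
        f"sAMAccountName: {name}",
        f"userPrincipalName: {name}@{upn_suffix}",   # no NT equivalent
        f"displayName: {record['full_name']}",
        f"userAccountControl: {UAC_NORMAL_ACCOUNT | UAC_ACCOUNTDISABLE}",
    ]
    if record["home_dir"]:
        lines.append(f"homeDirectory: {record['home_dir']}")
    if record["script"]:
        lines.append(f"scriptPath: {record['script']}")
    return "\n".join(lines) + "\n"

def plan_import(records, ou_dn, upn_suffix):
    """Split records into importable LDIF text and a list held for review."""
    clashes = find_collisions(records)
    ok = [r for r in records if r["name"].lower() not in clashes]
    held = [r for r in records if r["name"].lower() in clashes]
    return "\n".join(to_ldif(r, ou_dn, upn_suffix) for r in ok), held
```

Accounts are written disabled so that nothing imported is usable until an administrator sets a password and resolves the held names.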