The long-awaited successor to Windows NT is finally seeing the light of day. We tested the final code Microsoft Corp. shipped to manufacturing late last month. Most of the bells and whistles work as advertised, but planning for, testing and deploying Windows 2000 is going to be a slow and daunting process.
We looked at Windows 2000 Server and Advanced Server editions. Enterprise installations won't reap the full benefits from server upgrades unless they also put Win 2000 on all their desktop machines. Most of the useful features of Windows 2000 Server - IntelliMirror, group policy management and Kerberos security - are confined to networks that are homogeneously Win 2000.
Active Directory is central to security, resource access, IntelliMirror features, administrative control and the availability of network resources.
You can correct mistakes and manipulate Active Directory information easily using Active Directory Microsoft Management Console (MMC) snap-ins, but you're better off getting it right the first time.
Each Win 2000 server can play one of three roles in the Active Directory infrastructure: stand-alone server, member server or domain controller.
Servers can run in a mixed NT and Win 2000 mode or in native Win 2000 mode, which precludes relationships with NT domains except through directory brokerage services. Running Win 2000 in "native" mode removes many of the widely publicized NT/LAN Manager security problems and will make access to resources quicker and easier for end users and administrators.
Because the directory service is based upon an extension to the Internet Domain Name System, DNS must be present and working on the network where a domain controller for Active Directory is deployed. If you don't have a DNS infrastructure in place, you can install the service that is bundled with Windows 2000 Server editions. We suggest examining the settings Microsoft chooses for the domain name server because several times we found the settings weren't correct for intranet deployments.
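The DNS dependency above is worth checking mechanically before a domain controller is promoted. The script below is an added example, not part of the article and not a Microsoft tool: it parses a constructed BIND-style zone excerpt and reports the SRV records that Windows 2000 domain controllers register through Netlogon (the `_ldap`, `_kerberos` and `_kpasswd` names listed in `REQUIRED_SRV`, an assumed minimum set) when they are absent, plus any SRV target with no A record in the zone. The domain name `corp.example`, the host names and the addresses are all constructed.

```python
"""Sanity-check the DNS zone an Active Directory domain controller will rely on.
Added example (not from the article): checks a BIND-style zone excerpt for the
SRV records Windows 2000 domain controllers register through Netlogon and for
SRV targets that have no A record. The zone text below is constructed."""

from collections import defaultdict

# SRV owner names (relative to the DNS domain) that clients use to locate a DC,
# the Kerberos KDC and the password-change service. Assumed minimum set.
REQUIRED_SRV = (
    "_ldap._tcp",
    "_ldap._tcp.dc._msdcs",
    "_kerberos._tcp",
    "_kerberos._udp",
    "_kpasswd._tcp",
)

ZONE = """\
; constructed zone excerpt for the intranet domain corp.example
$ORIGIN corp.example.
_ldap._tcp.corp.example.           600 IN SRV 0 100 389  dc1.corp.example.
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 0 100 389  dc1.corp.example.
_kerberos._tcp.corp.example.       600 IN SRV 0 100 88   dc1.corp.example.
_kpasswd._tcp.corp.example.        600 IN SRV 0 100 464  dc1.corp.example.
_gc._tcp.corp.example.             600 IN SRV 0 100 3268 dc2.corp.example.
dc1.corp.example.                  600 IN A   10.0.0.10
"""


def parse_zone(text):
    """Return {(owner, rtype): [rdata fields, ...]} for a fully qualified zone
    excerpt. Comments and $-directives are skipped; relative owner names are
    not expanded, so feed it FQDN owners as in ZONE above."""
    records = defaultdict(list)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue  # not an "owner ttl IN type rdata" record line
        owner, rtype, rdata = fields[0].lower(), fields[3].upper(), fields[4:]
        records[(owner, rtype)].append(rdata)
    return records


def check_ad_dns(zone_text, domain):
    """Report required SRV names missing from the zone and SRV targets that do
    not resolve to an A record inside it."""
    records = parse_zone(zone_text)
    domain = domain.rstrip(".").lower() + "."
    missing = [f"{prefix}.{domain}" for prefix in REQUIRED_SRV
               if (f"{prefix}.{domain}", "SRV") not in records]
    unresolved = sorted({
        rdata[3].lower()  # SRV rdata fields: priority weight port target
        for (owner, rtype), rdatas in records.items() if rtype == "SRV"
        for rdata in rdatas
        if (rdata[3].lower(), "A") not in records
    })
    return {"missing": missing, "unresolved_targets": unresolved}


if __name__ == "__main__":
    report = check_ad_dns(ZONE, "corp.example")
    for name in report["missing"]:
        print(f"MISSING  {name}")
    for target in report["unresolved_targets"]:
        print(f"NO A RR  {target}")
    print("ok" if not any(report.values()) else "fix DNS before promoting a domain controller")
```

Run against the constructed zone, the check flags the missing `_kerberos._udp` record and the global catalog entry that points at a host with no address record; the same parser can be pointed at an exported zone file from the bundled DNS service to confirm the settings Microsoft chose.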
A Microsoft utility called Lightweight Directory Interface can import Lightweight Directory Access Protocol information from any LDAP-enabled directory into Active Directory. There are many Active Directory fields to populate. With any luck, you will already have that information sitting in a database somewhere on your network. However, even importing existing data can raise issues because the directory fields available with NT 4.0 fill only a fraction of Active Directory's fields.
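To make the "fraction of the fields" problem concrete, here is an added example (not from the article, and not Microsoft's import utility) that turns a constructed NT 4.0 account export into LDIF (RFC 2849), the format such import tools consume, and reports which common Active Directory attributes each account leaves empty. The container `OU=Migrated,DC=corp,DC=example`, the UPN suffix and the three accounts are assumptions; the attribute names (`sAMAccountName`, `userPrincipalName`, `userAccountControl` and the rest) are real Active Directory user attributes.

```python
"""Generate LDIF for Active Directory user objects from NT 4.0 account data
and report the AD attributes NT never held. Added example; the accounts,
container DN and UPN suffix are constructed."""

import base64
import re

# Constructed NT 4.0 export: the three fields User Manager exposes per account.
NT_ACCOUNTS = [
    {"username": "jdoe", "fullname": "Doe, Jane", "description": "Accounting"},
    {"username": "tnguyen", "fullname": "Trần Nguyên", "description": ""},
    {"username": "svc_backup", "fullname": "", "description": "Backup service: nightly"},
]

BASE_DN = "OU=Migrated,DC=corp,DC=example"   # assumed target container
UPN_SUFFIX = "corp.example"                  # assumed UPN suffix

# AD attributes a directory-driven enterprise usually wants filled but NT 4.0 never stored.
OPTIONAL_AD_ATTRS = ("givenName", "sn", "mail", "telephoneNumber", "department", "title")

_DN_SPECIAL = re.compile(r'([,+"\\<>;=])')


def escape_dn_value(value):
    """Escape an RDN value per RFC 2253 so 'Doe, Jane' does not split the DN."""
    value = _DN_SPECIAL.sub(r"\\\1", value)
    if value.startswith((" ", "#")):
        value = "\\" + value
    if value.endswith(" "):
        value = value[:-1] + "\\ "
    return value


def ldif_line(attr, value):
    """Emit 'attr: value', or 'attr:: base64' where RFC 2849 requires it
    (non-ASCII text, leading space/colon/'<', embedded CR, LF or NUL)."""
    needs_b64 = (not value.isascii()
                 or value[:1] in (" ", ":", "<")
                 or any(c in value for c in "\r\n\0"))
    if needs_b64:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def nt_account_to_entry(acct):
    """Map one NT 4.0 account to the AD attributes it can populate."""
    cn = acct["fullname"] or acct["username"]
    attrs = {
        "objectClass": "user",
        "cn": cn,
        "sAMAccountName": acct["username"],
        "userPrincipalName": f"{acct['username']}@{UPN_SUFFIX}",
        "displayName": cn,
        # 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE. Password hashes do not travel in
        # LDIF, so accounts stay disabled until a password is set over a secure channel.
        "userAccountControl": "514",
    }
    if acct["description"]:
        attrs["description"] = acct["description"]
    # Heuristic split of "Last, First" into sn/givenName; other forms stay unsplit.
    if "," in acct["fullname"]:
        sn, given = (part.strip() for part in acct["fullname"].split(",", 1))
        attrs["sn"], attrs["givenName"] = sn, given
    return attrs


def build_ldif(accounts):
    """Return (ldif_text, gaps); gaps maps sAMAccountName -> still-empty attributes."""
    chunks, gaps = [], {}
    for acct in accounts:
        attrs = nt_account_to_entry(acct)
        dn = f"CN={escape_dn_value(attrs['cn'])},{BASE_DN}"
        lines = [ldif_line("dn", dn), "changetype: add"]
        lines += [ldif_line(attr, val) for attr, val in attrs.items()]
        chunks.append("\n".join(lines))
        gaps[attrs["sAMAccountName"]] = [a for a in OPTIONAL_AD_ATTRS if a not in attrs]
    return "\n\n".join(chunks) + "\n", gaps


if __name__ == "__main__":
    ldif_text, gaps = build_ldif(NT_ACCOUNTS)
    print(ldif_text)
    for account, empty in gaps.items():
        print(f"{account}: still empty -> {', '.join(empty) or 'nothing'}")
```

The gap report is the useful output: even the best-populated NT account leaves mail, telephone, department and title unfilled, so the migration plan needs a second data source before the directory can drive the IntelliMirror and group policy features described later in the article. Creating the accounts disabled is deliberate; an import must not produce enabled accounts with no password.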
MMC is the administrative nexus for the directory. It's considerably easier to use than the cadre of tools required to manage NT domains.
Once you have Active Directory in place, you can begin to deploy IntelliMirror, a group of server and client-side features that help manage desktop configurations.
With IntelliMirror's client-side file/folder caching service for mobile users, you can make server folders available offline by caching them on the desktop machine. You can set IntelliMirror to synchronize the cache on a user's desktop at logon, logoff or during idle time on the host PC.
We tested this feature extensively and found that while it offers enormous convenience, it's not a substitute for workgroup/activity management environments such as Lotus Notes or Microsoft Exchange. IntelliMirror is hampered by several practical limitations, including the datalink speed of a mobile connection. We found that synchronization at logon or logoff tested our patience.
IntelliMirror also supports roaming user profiles, allowing Win 2000 desktop settings to be cached on a server. That means you can log on to a different machine and still see your own desktop icons.
The drawback of this scheme is that applications are not available unless they've been packaged and published by a network administrator.
The portable desktop worked fairly well in our environment. It took Word and Excel 2000 12 minutes to download onto an otherwise empty Win 2000 PC over a Fast Ethernet intranet.
An important consideration for any network operating system is security.
The Kerberos system in Win 2000 generates Ticket Granting Tickets when a user logs on to Active Directory. The tickets are used as shortcuts to authenticate users to other domain controllers without forcing them to log on again.
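The ticket flow described above, as an added illustration that is not Microsoft's code: a toy Key Distribution Center issues a Ticket Granting Ticket once, and the client then obtains service tickets for two different servers without presenting its password again. The realm, principal names, passwords and the HMAC-SHA256-based sealing routine are constructed stand-ins for real Kerberos encryption types and ASN.1 messages; what is faithful to the protocol is the structure: the TGT is sealed under a key only the KDC holds, the client learns a session key but never the KDC or service keys, and each service ticket binds the client name to an expiry.

```python
"""Toy Kerberos exchange: one logon, a TGT, then service tickets for two servers.
Added example, not Microsoft's implementation. seal()/unseal() are a constructed
stand-in for Kerberos encryption types; do not reuse them as a cipher."""
import hashlib
import hmac
import json
import os
import time

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable object under `key` (toy construction)."""
    nonce, plain = os.urandom(16), json.dumps(obj).encode()
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + cipher + hmac.new(key, nonce + cipher, hashlib.sha256).digest()

def unseal(key, blob):
    """Inverse of seal(); raises ValueError when the tag does not verify."""
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + cipher, hashlib.sha256).digest()):
        raise ValueError("ticket or authenticator failed integrity check")
    return json.loads(bytes(a ^ b for a, b in zip(cipher, _keystream(key, nonce, len(cipher)))))

def user_key(password):
    """Long-term key derived from the logon password (toy derivation)."""
    return hashlib.sha256(password.encode()).digest()

class KDC:
    """KDC as run by a domain controller: every principal's long-term key plus
    a krbtgt key, known only to the KDC, that seals Ticket Granting Tickets."""
    def __init__(self, principals):
        self.keys = dict(principals)
        self.krbtgt_key = os.urandom(32)
        self.logons = 0  # number of password-based (AS) authentications served

    def as_exchange(self, client, lifetime=8 * 3600):
        """AS-REQ/AS-REP: issue a TGT; only the holder of the client's key can read the reply."""
        self.logons += 1
        session = os.urandom(32).hex()
        tgt = seal(self.krbtgt_key, {"client": client, "key": session, "expires": time.time() + lifetime})
        return seal(self.keys[client], {"key": session, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt, authenticator, service, lifetime=3600):
        """TGS-REQ/TGS-REP: check TGT and authenticator, issue a ticket for `service`."""
        body = unseal(self.krbtgt_key, tgt)
        if body["expires"] < time.time():
            raise ValueError("TGT expired; client must log on again")
        auth = unseal(bytes.fromhex(body["key"]), authenticator)
        if auth["client"] != body["client"] or abs(auth["time"] - time.time()) > 300:
            raise ValueError("authenticator does not match TGT or is outside clock skew")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": body["client"], "key": svc_session,
                                           "expires": time.time() + lifetime})
        return seal(bytes.fromhex(body["key"]), {"key": svc_session, "ticket": ticket.hex()})

class Client:
    def __init__(self, name, password):
        self.name, self.key = name, user_key(password)

    def logon(self, kdc):
        reply = unseal(self.key, kdc.as_exchange(self.name))
        self.tgt_key, self.tgt = bytes.fromhex(reply["key"]), bytes.fromhex(reply["tgt"])
        self.key = None  # the password-derived key plays no part in later requests

    def authenticate_to(self, kdc, service):
        """Use the TGT to get a service ticket, then return ticket + fresh authenticator."""
        auth = seal(self.tgt_key, {"client": self.name, "time": time.time()})
        reply = unseal(self.tgt_key, kdc.tgs_exchange(self.tgt, auth, service))
        ticket, svc_key = bytes.fromhex(reply["ticket"]), bytes.fromhex(reply["key"])
        return ticket, seal(svc_key, {"client": self.name, "time": time.time()})

def service_accepts(service_key, ticket, authenticator):
    """What a second domain controller checks: the ticket sealed under its own key
    names the same client as the authenticator sealed under the ticket's session key."""
    body = unseal(service_key, ticket)
    auth = unseal(bytes.fromhex(body["key"]), authenticator)
    return auth["client"] == body["client"] and body["expires"] > time.time()

def demo():
    """One logon, two servers: returns (accepted by dc1, accepted by dc2, logon count)."""
    kdc = KDC({"alice": user_key("correct horse"), "host/dc1": os.urandom(32),
               "host/dc2": os.urandom(32)})
    alice = Client("alice", "correct horse")
    alice.logon(kdc)
    results = [service_accepts(kdc.keys[svc], *alice.authenticate_to(kdc, svc))
               for svc in ("host/dc1", "host/dc2")]
    return results[0], results[1], kdc.logons  # (True, True, 1)
```

The `logons` counter is the point of the example: both servers accept the client while the KDC answered only one password-based exchange. The expiry check in `tgs_exchange` is also why the article's later advice about planning matters in practice: once the ticket lifetime passes, users are sent back through the logon path, so lifetime settings are a policy decision rather than a detail.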
Win 2000 supports a file-signing service called Authenticode, which verifies that a file hasn't been tampered with. If your users are running Internet Explorer, you can screen software downloads through the Active Directory group policy mechanism.
A new Encrypting File System lets users encrypt their files and folders. The process of decrypting files is transparent to the user. Fortunately, the administrator gets a data recovery certificate so files can be decrypted upon the untimely exit of a user. We found that Encrypting File System worked easily but would prefer that the service were not available by default.
With Win 2000, you can also delegate administration tasks based on Active Directory groups. It's possible to create administrative authorities for specific individuals by making them part of groups within the directory.
Performance and availability
Microsoft has made several improvements in performance and availability.
We tested file I/O using Windows 2000 Professional edition clients against differing servers with bulk folder and file copying. We found performance of both Windows 2000 Server editions to be comparable for gigabyte file transfers and approximately 18% faster than the exact same platform using NT 4.0 with Service Pack 5 applied.
Win 2000 lets you cluster two nodes in the Advanced Server edition for high availability. We found connecting two Compaq 3000R servers together into a cluster was surprisingly simple. Unfortunately, few applications can take advantage of Microsoft's clustering.
We ran Microsoft SQL Server 7 with Service Pack 1 on our cluster. When we simulated a server failure, the surviving member of a cluster took just 30 seconds to pick up the duties of the failed server. That is a 20% reduction in failover time over a similar test conducted on a pair of NT 4.0 servers.
Microsoft has simplified the installation process, mainly through new plug-and-play support that enables hardware discovery and integration. We tested Windows 2000 Server and Advanced Server on several platforms.
Microsoft has finally delivered on a long list of features that it began building more than five years ago. Making appropriate choices on how you will use Win 2000 in your enterprise network is going to take some time. And although it's possible to drop a Win 2000 server into an existing network, we don't recommend doing so until you've jumped through every planning hoop possible.
Henderson is principal researcher at ExtremeLabs in Indianapolis. He can be reached at thenderson@compuserve.com.