Windows 2000: A Complex Server

SAN MATEO (05/08/2000) - In this article, I examined the business impact of integrating a network of PCs connected to a Microsoft Corp. Windows 2000 file-and-print server into an existing enterprise environment. In this scenario, the large company, Bigcorp, has just acquired a small start-up, Smallco. I examined the pros and cons of integrating the two networks, including training and support costs. I found Windows 2000 Advanced Server to require more work than the other NOSes in this report. Nonetheless, your prospects for success in a similar situation are reasonable. I rate Windows 2000's interoperability Good.

The smaller company set up a network of PCs connected to a Windows 2000 Advanced Server machine to do its file-and-printer sharing. It used a workgroup security model, with the Windows 2000 server set up in stand-alone mode.

The challenge is to get this new set of users and PCs up and running on the Bigcorp network in as quick and efficient a manner as possible. Integral to this transition will be to get Smallco's users hooked up to the Bigcorp NetWare server for access to files and to the Lotus Domino 5 server for their email needs.

The steps needed to perform the LDAP integration of Smallco's Windows 2000 server and to get it to connect to Bigcorp's existing infrastructure depend heavily on Smallco's current setup. Smallco could have its Windows 2000 server set up in one of two ways. The first is to use a workgroup model for file-and-print sharing. Using this method, Smallco would have user accounts and groups set up on its Windows 2000 server and on each client machine that is set up to share resources.

In this simple scenario, user and group accounts can be set up on the server and security can be configured. When users connect to shared folders on the server, they give their user names and passwords and are then authenticated.

This is the starting situation I used when testing the interoperability for this story. I'll outline the steps involved and pitfalls I found later.

The other possible setup is that Smallco could have installed Windows 2000 with all the bells and whistles. The company could have Active Directory installed, all users and groups set up to be replicated across machines, and all services configured to talk to the server. This greatly complicates matters, because the approach used below, promoting the server into a fresh Active Directory that mirrors Bigcorp's LDAP directory, is no longer available.

Instead, you'll need third-party tools to handle directory synchronization between the Smallco Active Directory and Bigcorp LDAP servers. A scenario such as this can greatly complicate matters and would raise the integration costs as well as the time involved in getting the networks in sync.

Because Smallco hadn't yet set up Active Directory on its server, my first step in the integration with Bigcorp was to prepare this. I went into the Configure Your Server wizard in the Administrative Tools folder on Smallco's Windows 2000 server and selected Active Directory. Using the Active Directory setup wizard, I configured it to use the same domain information as the existing Bigcorp LDAP server. Once this process was complete, I rebooted the server (some things never change with Windows) and Active Directory was enabled.

I then went in and verified that Active Directory was working properly. I could log in from client machines, using the user names and passwords that were pulled in from the original setup of the Windows 2000 server.

This is where the road got rough for Windows 2000. When testing Linux, I could go in and set up a replication agreement between the two servers, and all of the directory synchronization was taken care of automatically. With Windows 2000, I was able to get this to work in one direction, pulling the Windows 2000 information into the existing LDAP server. However, I had difficulty moving users and groups from the Solaris LDAP server into Active Directory. I eventually got the synchronization to work using some special features designed for Windows NT integration in the iPlanet Netscape Directory Server.
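As an added example (not code from the article, InfoWorld, Microsoft, or iPlanet), here is the kind of one-way transfer the article describes, pulling Windows 2000 user information into a standards-based LDAP server: a Python script that reads an LDIF dump of Active Directory users (the kind ldifde.exe on Windows 2000 produces), maps AD's objectClass user / sAMAccountName accounts onto inetOrgPerson / uid entries, drops AD-only attributes that a foreign server's schema checking would reject, skips disabled accounts, and emits RFC 2849 LDIF ready for the target directory. The sample dump, the smallco.local and o=bigcorp.com suffixes, and the function names are constructed for this example. It goes a little beyond the text by also handling base64-encoded and non-ASCII values, which is where hand-edited LDIF usually breaks.

```python
"""One-way Active Directory -> inetOrgPerson LDIF export (added example)."""
import base64
import re
from typing import Dict, List, Optional, Tuple

Record = Dict[str, List[str]]

# Constructed sample: what an LDIF export of the CN=Users container might look like.
# Note the base64 ("::") values and the AD-specific attributes.
SAMPLE_AD_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=smallco,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Alice Example
sn: Example
givenName: Alice
displayName:: QWxpY2UgRXhhbXBsZQ==
sAMAccountName: aexample
userPrincipalName: aexample@smallco.local
mail: alice@smallco.com
userAccountControl: 512
objectGUID:: AAECAwQFBgcICQoLDA0ODw==

dn: CN=Bob Builder,CN=Users,DC=smallco,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Bob Builder
sn: Builder
givenName: Bob
sAMAccountName: bbuilder
userPrincipalName: bbuilder@smallco.local
userAccountControl: 514

dn: CN=Printers,CN=Users,DC=smallco,DC=local
objectClass: top
objectClass: group
cn: Printers
sAMAccountName: Printers
"""

TARGET_BASE = "ou=People,o=bigcorp.com"   # assumed suffix on the iPlanet side
ADS_UF_ACCOUNTDISABLE = 0x0002           # bit in userAccountControl (Microsoft-documented)

_LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")


def parse_ldif(text: str) -> List[Record]:
    """Parse LDIF into records of {attribute (lowercased): [values]}; dn is an attribute."""
    records: List[Record] = []
    current: Record = {}
    for line in re.sub(r"\r?\n ", "", text).splitlines():   # unfold continuation lines
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, sep, raw = m.groups()
        # "::" marks base64; binary AD values (objectGUID, objectSid) decode lossily
        # but are dropped below anyway.
        value = base64.b64decode(raw).decode("utf-8", "replace") if sep == "::" else raw
        current.setdefault(attr.lower(), []).append(value)
    if current:
        records.append(current)
    return records


def ad_user_to_inetorgperson(rec: Record, target_base: str = TARGET_BASE) -> Optional[Record]:
    """Map one AD 'user' record onto an inetOrgPerson entry; None for groups/disabled users."""
    if "user" not in [v.lower() for v in rec.get("objectclass", [])]:
        return None
    if int(rec.get("useraccountcontrol", ["0"])[0]) & ADS_UF_ACCOUNTDISABLE:
        return None
    uid = rec["samaccountname"][0]
    entry: Record = {
        "dn": [f"uid={uid},{target_base}"],
        "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
        "uid": [uid],
        "cn": rec["cn"],
        "sn": rec.get("sn") or [rec["cn"][0]],   # inetOrgPerson requires sn; AD does not
    }
    # Attributes shared by both schemas are copied; userPrincipalName, userAccountControl,
    # objectGUID and friends are AD-only and are deliberately left behind. Passwords
    # cannot be exported from AD over LDAP, so users get new credentials on the target.
    for attr in ("givenName", "displayName", "mail", "telephoneNumber"):
        if rec.get(attr.lower()):
            entry[attr] = rec[attr.lower()]
    return entry


_SAFE_INIT = re.compile(r"^[\x01-\x09\x0b-\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f]")
_SAFE_STR = re.compile(r"^[\x01-\x09\x0b-\x0c\x0e-\x7f]*$")


def ldif_line(attr: str, value: str) -> str:
    """Emit 'attr: value', base64-encoding anything RFC 2849 cannot carry verbatim."""
    if _SAFE_INIT.match(value) and _SAFE_STR.match(value) and not value.endswith(" "):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def to_ldif(entry: Record) -> str:
    lines = [ldif_line("dn", entry["dn"][0])]
    for attr, vals in entry.items():
        if attr != "dn":
            lines.extend(ldif_line(attr, v) for v in vals)
    return "\n".join(lines) + "\n"


def convert(ad_ldif: str, target_base: str = TARGET_BASE) -> Tuple[List[Record], List[str]]:
    """Return (converted entries, DNs skipped because they are groups or disabled)."""
    entries, skipped = [], []
    for rec in parse_ldif(ad_ldif):
        entry = ad_user_to_inetorgperson(rec, target_base)
        (entries if entry else skipped).append(entry or rec["dn"][0])
    return entries, skipped


if __name__ == "__main__":
    converted, left_out = convert(SAMPLE_AD_LDIF)
    print("".join(to_ldif(e) + "\n" for e in converted))
    print("# skipped:", ", ".join(left_out))
```

The output can be loaded into the target directory with its standard ldapmodify/ldapadd tooling. The skipped list is worth reviewing by hand: a disabled account that is silently recreated as enabled on the other side is exactly the kind of mistake a one-way sync makes easy.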

Getting Smallco's users set up on the Bigcorp NetWare network wasn't difficult.

Once I installed and configured the NetWare client software and got the users set up in the NetWare directory, they were all set. This gave all of Smallco's users access to the files and documents from Bigcorp, and they could maintain their existing connections to the Windows 2000 server.

E-mail services were similarly easy to get up and running. Smallco had been using the e-mail accounts provided by its ISP, with Outlook Express as the e-mail client software. I configured Outlook Express to connect to the Bigcorp Domino server via POP3, and the users were ready to go.

This should work great as an intermediary step until the full Lotus Notes R5 client software can be rolled out to these users. It also gives mobile users convenient access to their corporate e-mail while traveling, without having Notes installed on their mobile device.

By integrating the network infrastructure of Smallco into that of Bigcorp, management hopes to reduce the overall administration costs. The time and resources needed to maintain these networks separately would place a large burden on the IT department of Bigcorp. It would also force end-users to keep track of their user information for the various networks and to develop work-arounds for resources they can't easily access.

Although I encountered some problems in getting Active Directory to communicate with Bigcorp's LDAP server, overall the integration was a success. Although Windows 2000 works great in a Windows-only environment and is starting to have wider standards support, there is still work to be done. Specifically, Active Directory needs more robust support for external LDAP server synchronization and updating. On balance, I give Windows 2000 Advanced Server an interoperability score of Good.

You can reach associate technical director Kevin Railsback at


Windows 2000 Advanced Server interoperability

Business Case: Forcing Windows 2000 Advanced Server to integrate into an existing network can be an expensive proposal. It works, but you should expect your IT staff to spend extra hours getting the LDAP replication working properly. Overall, the benefits of bringing Windows 2000 into the existing network outweigh the costs involved.

Technology Case: Windows 2000, and specifically Active Directory, support the LDAP directory protocol. However, idiosyncrasies in Microsoft's implementation of the protocol make it difficult to replicate with other LDAP server platforms.


Pros:

+ Administration interface familiar to IT staff

+ Easy to set up for NT users

Cons:

- Complicated LDAP replication setup

- Requires Active Directory to support LDAP

- Third-party tools needed for some migration scenarios

Microsoft Corp., Redmond, Washington; (425) 882-8080;