
TechTalks Transcript

Planning for Windows 2000 in Higher Education: Some Starting Questions and Answers

Howard Strauss [HS]
Richard Jones [RJ]
Paul Hill [PH]
David Bodnar [DB]

November 30, 2000


RJ: Welcome to the CREN Tech Talk series for the fall of 2000 and to this session on Planning for Windows 2000 in Higher Education: Some Starting Questions and Answers. You are here because it is time to discuss the core technologies for your future campus. This is Richard Jones, your CREN host for today and a previous Tech Talk expert on our topic today. I would like to thank our CREN member institutions and Microsoft Higher Education for their sponsorship of today's Tech Talk. Be sure and check the links on today's events Web page to connect to Microsoft's Ten Reasons Why You Should Upgrade to Windows 2000. Let me welcome Howard Strauss of Princeton as the technology anchor for Tech Talk. Howard is well known in Web technology and portals. Welcome, Howard.

HS: Thank you, Richard. I'm Howard Strauss, the technology anchor for the Tech Talk series of technology webcasts. In this webcast, I invite you to join Richard and me in a lively technical dialogue with our guest experts, Paul Hill and David Bodnar that will answer the questions you'd like answered and ask those very important follow-up questions. You can join in this dialogue by sending your questions via e-mail to expert@cren.net anytime during this webcast. If we don't get to your questions during the webcast, we'll provide an answer in the webcast archive.

We all worried for months about Y2K. We planned, examined all of our old systems, wrote lots of code, hired consultants who we planned to blame if things didn't work and hoped that somehow-in spite of the dire warnings-things would be okay. They were! And we all breathed a sigh of relief on January the second, 2000, as our software continued to work as usual. But just when we thought it was safe to come out from under our desks, there is something more ominous than Y2K. It was W2K, Microsoft's new Windows 2000 operating system. Unlike the Y2K threat, no one is predicting that W2K will stop electricity from being generated anywhere in the solar system, but W2K will have a major effect on those who adopt it, and few will be able to resist it for very long.

Ambrose Bierce (that's B-I-E-R-C-E) said "An inventor is a person who makes an ingenious arrangement of wheels, levers and springs and believes it's civilization." W2K does not pretend to be something that will change civilization, but it is a giant step forward from previous Microsoft NT offerings. W2K is actually at least four flavors of an NT operating system. Its professional version is for users of desktop and laptop machines, all of whom-like your parents, spouse and children-are, of course, professionals. Hence its name. If you try this version of W2K, it will look and behave very much like Windows 98 and you might therefore be fooled into thinking that changing to W2K is a no-brainer, a snap, a simple decision that anyone who wishes to keep up with technology would just naturally make.

As President Dwight Eisenhower pointed out, "Things are more like they are now than they ever were before." For the professional version, that might be true, but there is a great deal of additional power and loads of new features and concepts in all of the W2K server versions that should give you pause. W2K domains, policies, Active Directories and a host of other neat features require a level of planning and expertise in NT operating systems that you likely have never had to develop in the past. But if you are just starting out, you'll have the benefit of the experience of many other companies and universities who are much further down the road. Albert Einstein assures us that "the most incomprehensible thing about the world is that it is all comprehensible." We'll make the mysteries of W2K comprehensible to you so that W2K will be no more deadly than Y2K on today's webcast of Tech Talk. Richard?

RJ: Thank you, Howard. Let me introduce our two experts today. We're fortunate to have Paul Hill from MIT and Dave Bodnar from the University of Colorado. I'm at the University of Colorado, and Dave and I both work together in the same department.

Paul is a Senior Programmer Analyst at MIT and he is heading up two projects, MIT's Project Pismere and the MIT Information System's Windows 2000 Deployment project. Paul is also a co-leader of MIT's Kerberos development team and very involved in a number of middleware projects. He is a contributing author to the Osborne McGraw-Hill Windows 2000 Security Handbook. Paul is returning to Tech Talks as well.

Our second expert today, Dave Bodnar, is with Information Technology Services at the University of Colorado at Boulder and he just became involved in the Windows 2000 deployment effort earlier this year after the rapid deployment project that I headed up handed it off to Dave. His primary role is to coordinate the deployment effort and to develop resources to provide ongoing support on campus. Welcome back to CREN Tech Talks, Paul, and a first welcome to you, Dave.

DB: Thank you, good to be here.

HS: Paul, Dave, one of the things I alluded to in my opening was that we really have four operating systems, or at least four versions of the operating system. Could you tell us what the four versions are and how they're different?

DB: Okay, well, we've got-as you mentioned-the Windows 2000 Pro which is the desktop version of the OS.

HS: Okay, when you say "desktop," obviously it'll run on laptops as well.

DB: Right.

HS: So we need some other word. It's the non-server version, right?

DB: Right. And then the other three flavors are basically server-based products. We have the Standard Server which is good for most of the server applications we're going to use it for. Goes up to Advanced Server for higher demand. At that point, you're supporting clustering and multiple processors and then you go on to the Data Center Server, for really large, critical applications and further support of clustering and multiple processors.

HS: Which of those various things are universities using? I mean, is it only big commercial places that are using the big server version, the Data Center Server?

DB: Speaking for CU, I don't see us deploying a Data Center Server anytime soon. At present, the most we're using is the basic Server.

HS: And not even the advanced server?

DB: Not at this point.

HS: And what about at MIT?

PH: We're in the same situation. The basic Server is good enough for our applications at the moment. I'm not aware of anyone on campus who's thinking about any applications that would demand the Data Center Server. There are a few people who are thinking about the Advanced Server, but I'm not sure that they actually need it.

HS: And you think that's going to be true for most universities, that the regular Server version is going to be sufficient?

PH: I would think so, at least initially. You know, if someone decides to actually go down the path of replacing their mainframe or maybe some other UNIX clusters that they have, then it might be interesting to them, but I don't know of anyone who's actually committed on that path yet.

HS: So you think that Microsoft is just providing those just for big corporate systems, then, the Advanced Server and Data Center Server.

PH: Yeah, I think they do have some customers. They just haven't seen any in higher ed at this point.

HS: Could you describe how Windows 2000 fits in with the other operating systems that Microsoft offers, like 95, Windows 95, 98, all the NT's, Windows CE and all that kind of stuff? Where does this fit in the product line?

PH: I think I'll take a stab at this one. Windows 2000 they're gearing as the business side of their operating system families, so in Windows 2000, they're gearing that as the enterprise-wide solution. We start with Windows 2000 Pro for laptops and desktops and then we move on through the servers and then, from the other side, we've got things like Win 98-which is converting into Windows ME-and I guess the way I view that is ME we're viewing as a home or a gamer's operating system and probably the end of the line for the 9X product family. I think part of what we're seeing here is Microsoft's strategy to move their users to the NT platform, essentially.

HS: So if you were to look at your university, or any university, say a year from now, you'd imagine that the only Microsoft operating system that would be used would be W2K? Is that it?

DB: That's what we're anticipating.

RJ: What about laptops? We know that NT didn't run too well on laptops so businesses were keeping them at WIN 98. What about Pro on laptops?

DB: I think it's a great operating system for laptops. In addition to all the other benefits you get when you're attached to the network and taking advantage of those enterprise-wide services when you take the machine on the road, there are quite a few things in there that make it better. The improved power management, the offline files, all that good stuff, so we're actually encouraging people if they're thinking about moving to Windows 2000, a laptop is a good first choice to get familiar with the product and get some of the benefits right up front.

HS: Could you tell us more about those? I think that many, many universities having lots of their students-in some cases, all of their students-move to laptops, and I've walked around a lot of universities now where people have laptops on their desk as their only machine and they just take them around with them. So I think that the whole area of laptops has become very important. You mentioned offline files and some kind of special power control. Could you say a little bit more about some of those things?

DB: Yeah, Paul, did you want to weigh in on this one?

PH: Well, actually, I was going to say, an earlier part of the question was do we think that we're exclusively going to see Windows 2000 as the Microsoft operating system of choice. MIT still doesn't feel that's going to happen. There's still going to be people that are going to be using the other operating systems as well. A lot of our students like to play games in the dorm room, things like that, so they may still have software that doesn't work on 2000. There's just such a wide variety on a campus, as opposed to a corporation, that I don't see this conversion going as fast as we might want it to. The other thing is, not all departments renew their hardware as often, so older generations of hardware are still going to have problems with Windows 2000, especially older versions of laptops. However, if you look at any machine that's been manufactured probably in the last year, then that's probably an ideal candidate for installing Windows 2000.

HS: Okay, I'd like to pick up on that a little bit later, the whole question of the requirements for running this, but can we go back and just talk about this whole mobility, laptop kind of thing. What are these, I think you said "remote files" or something like that and some kind of advanced power management.

DB: Okay, Microsoft and a lot of the vendors got together and designed a new power management system and Windows 2000 supports that. So it just gives you a better battery lifetime because they can start to manage better the spin-up and spin-down of the hard disk, managing idle CPU time better, things like that, to reduce the power requirements. So it does give a better experience for the laptop user in that regard.

HS: And that'll require that you have a newer laptop, so that's a hardware-dependent thing?

DB: Yes, yes. Some laptops just require like a BIOS update, but in most cases, it requires a fairly modern laptop that's compliant with the standards that Microsoft is expecting to be on the hardware.

RJ: You mentioned games and Windows 98 vs. Windows 2000. What other kinds of software problems are there for people that want to move to Windows 2000?

PH: I've seen some problems with low-end digital cameras, you know, really things that were manufactured a couple of years ago and you can pick up out of excess inventory for, you know, a hundred dollars or less at this point. We've had some users on campus that have had problems with them. The drivers work fine under 98, but they don't work under 2000. But pretty much, modern hardware works very well.

HS: We have a question, actually, that goes into that a bit from Melissa Foster from the University of Richmond. And Melissa says, "What implementation problems do you expect to encounter when moving from Windows 95 to 2000 in a computer lab environment?" Does a computer lab environment give you some special problems and is 95 a more difficult thing than 98? Paul? David?

PH: I don't see the lab environment being the problem, as long as you're not stuck with hardware that's, for example, four years old. If you have current generation of hardware and you're supporting kind of the typical type of applications that I would expect to see in a lab environment, you shouldn't encounter any problems. The difficulty will be if you're relying on some software that's older and tries to write directly to the hardware, either screen or files, ancient software that still doesn't support long filenames might give you a problem, things like that.

DB: And I think the other thing you may run into there and one of the things we've experienced is if our lab managers weren't familiar with an NT environment, there's a steeper learning curve when going to Windows 2000 and then back on the technical side, you know, there are the increased hardware requirements. You can't take anything for granted in terms of software compatibility so you've got to be real diligent about doing the testing and make sure that software's current, things along those lines.

HS: Okay, you both alluded to the fact that you need a modern computer or you need an adequate computer or something, so I get the feeling that what you're saying is it takes a certain amount of disk and memory and processor speed, whatever, to make this thing run-perhaps a lot more than was required for 95 or 98. Could you talk about what kind of machine it takes to run, say, the Professional Version or the Server Version.

DB: Well, Pro, for instance, Microsoft is saying you can get by with a Pentium running at 133 megahertz. I tend to believe that's a little bit optimistic and we've sort of jumped up what we consider the minimum specs to be, like, a P2 running at 266 and potentially as much as 128 meg of RAM. I'd be interested to hear what Paul-if you have similar feeling on that or not.

PH: That's a similar feeling. I mean, a few users can get away with a slower machine if you give a trade-off and put in more memory, but those tend to be the users that will only use one application at a time and it won't be a particularly CPU-intensive application. But for most people, yeah, we're recommending somewhere about 200 megahertz. We try to encourage people to go with 128 meg of RAM so I think we're both seeing pretty similar, real-world situations there.

HS: When we talk about Windows 2000, especially the Server version-in fact, specifically the Server version, it seems you've made it clear that this is really different than dealing with NT 4, that it really requires a different level of administration because it does things on a broader level. Could we talk about some of those issues? Why is it so different?

PH: I think it's really different if you want to use all the features. You know, a lot of people looked at NT 4 and the domain model and managing user accounts and things like that, and it was a pretty good solution for departments. But I'm not aware of a lot of places that went off and tried to make a single domain for the entire site. On the other hand, Windows 2000 was really developed with that model in mind, trying to have the domain really affect the entire site and not be a departmental solution. Well, when you try to use it in that fashion, you also have to worry about the interactions with all the other systems on your campus. Trying to have a consistent name space for your user accounts. What do you do about group memberships across different operating systems?

HS: So does Windows 2000 take over management of all the domains on campus? Is that what it's doing?

PH: Well, it can. I mean, even in corporations, we're seeing people say, "Well, let's get out of the departmental solution and let's try to create a domain model that covers our entire corporation." Now, the thing is, if you just do a simple march step of migrating your NT 4 domains into that model without a lot of planning and some redesign, you can end up with a very ugly implementation that's very difficult to manage and very difficult to resolve problems. So it requires a lot of thought and pre-planning.

HS: And if you're going to use the server at all, you have to face this problem, then. You have to face this-

PH: No, this is really if you're going into the domain model. I mean, you could always have an isolated server, but then you're talking about local account management, which of course doesn't scale up to a large number of users. But that still may be applicable for some specific applications.

HS: So the whole Windows 2000 domain name space becomes something that's just going to require a lot of university-wide planning, then.

PH: Yeah, and some of it enters into politics.

HS: Because some people control other systems? That kind of thing?

PH: Yeah, interactions with DNS servers and the DNS name space. If you have an existing Kerberos infrastructure, what are the implications there? How are you going to manage it? If you have an existing LDAP directory infrastructure or some other directory infrastructure, what are your plans on making these either interact or replace?

HS: Could you talk more about Kerberos and Windows 2000? Is it an integral part of it? Does one, if you have Windows 2000, does that mean you have to use Kerberos for authentication?

PH: Well, Kerberos is the default. Kerberos version 5 is the default authentication mechanism for Windows 2000 in the domain model, so if you have a Windows 2000 domain, automatically you're running a Microsoft Kerberos server. That is a large piece of the functionality of the domain controller. So this helps in terms of network security in an awful lot of areas. However, there are times where Windows 2000 is not doing Kerberos authentication, it's negotiating back to the older forms of authentication, and some of those may introduce a weakness. You can also make, if you have an existing Kerberos infrastructure, you can make the Windows 2000 systems interoperate with your existing Kerberos infrastructure.

RJ: Isn't that what we're doing here at CU, Dave?

DB: Yeah, well that's what we've been working on for quite a bit of time here.

HS: Why is it taking so long? What's the difficulty there?

DB: Well, I think part of the point that ought to be stressed here is you would think that if you had an existing Kerberos infrastructure, in particular a Kerberos 5 infrastructure, that that would make life easier.

HS: Yes, that's what you would think.

DB: But in fact, it complicates it quite a bit. You've got to preserve the functionality in that existing infrastructure, introduce a new implementation and then get those two to play nicely together and I think that's where-and I believe Paul's in the same boat-that's where we spent a lot of time trying to address the interoperability issues in keeping those two realms from conflicting with each other.

HS: There's another area that seems new in Windows 2000 and that's the whole Active Directory area. You mentioned LDAP. Does the Active Directory play a role in LDAP? Does it replace it, does it extend it? How's that fit in?

DB: Well, the Active Directory, again, we've got to remember that Microsoft's taking this enterprise-wide approach, that Windows 2000 is going to be all things to all computer users in this environment essentially. And the Active Directory is providing these core directory services and that's basically bringing together traditional LDAP and X.500 functionality and also some of the DNS domain naming conventions into it. So it is compatible, but there is the possibility that your services are conflicting at that point and you've got to basically keep those separate and implemented in such a way that you preserve the existing functionality while you bring the new stuff online.

HS: But at MIT and at Colorado, is your plan to have LDAP reside on W2K? Is that where your LDAP directory is going to be?

DB: Not at CU.

PH: At MIT, we don't have an existing LDAP infrastructure so probably the first populated LDAP server on campus will, in fact, be the Windows 2000 Active Directory. However, in the long run, I wouldn't expect to have all the other systems on campus that might be trying to use active-or to be using LDAP to point at the Microsoft LDAP server. We'll probably have multiple LDAP servers on campus, multiple implementations.

HS: So if the Active Directory is not going to be used for LDAP, what's it going to be used for?

PH: It is used within the context of the Windows 2000 domain. We're actually not using Active Directory as the system of record here. We have existing data warehouses and meta-directories and we actually are building data feeds and propagating virtually all of Active Directory's data from those other systems of record.

HS: Okay, we have a question-actually, three questions here, the first of which has to do with Active Directories from Steve Ostrov from the University of Maryland. Perhaps we could take those right now. Steve, first about Active Directories says, "Do either of you know the best practices document for initially setting up the Active Directory?"

PH: I don't because every site tends to have some different needs and it's pretty complicated on figuring out what the best choices are for your particular needs.

DB: Yeah, I would agree with that. I think the Microsoft documentation will give you an idea of what questions you need to be asking before you start an implementation of the AD and define what the role of the AD is going to be on your campus. But I don't think there's a document that would apply to all these specific situations.

HS: Okay, so I assume-

PH: I would have said look out for case studies and then try to find a case study that looks like they might be in a similar situation to what you face.

HS: Do you know of some university that's making extensive use of Active Directories? I mean, is there some university you could point Steve to? Or he'll just have to poke around.

PH: Well, I mean, we're at the point where we're soon going to be deploying and we do have a fairly large Active Directory. I mean, right now, the test domain controller in my office has about 70,000 objects in the Active Directory. I don't know if that would meet University of Maryland's needs. I suspect that since we're propagating all the information from different warehouses and different systems that it's probably a very different situation.

HS: Well, I suppose, then, the answer to his second question is the same. He says, "Do you know of a definitive document for employing Active Directories in conjunction with an MIT Kerberos 5 KDC?" I suppose that's the same answer. Is that correct?

PH: There are lots of small documents that talk about certain aspects of it. Nobody has written, you know, kind of the book that goes into all the different details and ramifications. There are certainly publishers interested in publishing such a book.

HS: So there's a real opportunity for listeners! If you can write that book, there's none out there, right?

PH: Right.

RJ: Let me step in and remind people that they can ask questions by e-mailing expert@cren.net.

HS: Okay, Steve's third question was, Steve says, "I believe that both of your schools have a Microsoft Technical Account Manager." He wonders if you feel they're worth the expense in terms of the kind of things they can offer. Do you both have TAMs?

DB: No.

PH: Yes.

HS: Yes, no, okay, you don't both.

DB: I don't.

HS: Well the person who has one, is that a good thing?

PH: I think there's potentially a fair amount of value there. I don't think we've had enough experience. We've changed hands, they've changed the individual serving in that capacity a couple times, so I don't know that we have enough experience with our current TAM to say whether we think it's a good value or not. I think it certainly has the potential to be. I think it depends in large part on the individual that's in that capacity.

HS: Okay, and we've just been reminded by Terry Calhoun, one of our colleagues here, that on Tech Talk we have actually done several Tech Talks just on directories and the sessions are archived, so you can go off to www.cren.net and if you have some additional questions on directories here, you're bound to find some interesting information on them out there.

Okay, we have a bunch more questions, which is really great! People are really sending these things in, which is good. There's a question from Josh Harmon from TCU-wherever that is. I'm not sure. But he wonders if you could talk about compatibility issues with Windows 2000 domains and Pathworks, whatever Pathworks is.

DB: Is that the old [inaudible]?

PH: It's the product that runs on the VAX DMS stuff, as I recall. I haven't done anything with interoperability there. I know that Pathworks, at one point, supported Kerberos version 4. As far as I know, they never implemented any Kerberos 5 compatibility, so there wouldn't be much compatibility in that particular area.

HS: Talking about compatibility of things, Mohammed Betts from Oklahoma State University wonders about compatibility with Publisher 2000 and perhaps we could talk about that in general. Are there some problems? You mentioned games, but are there other problems with compatibility with other software products that you know about?

PH: I have never worked with Publisher 2000. I have encountered a couple of problems with Office 2000. And they tend to be related to access control issues, so if you install Office 2000 and the end user that's trying to use it is not a local administrator on the machine where it's executing, sometimes you'll get funny errors and a lot of this can be traced back to how the machine was originally installed and some assumptions that the Office group apparently made.

If you upgraded the machine from an earlier Microsoft operating system, it ends up with a different set of default permissions than if you did the install of Windows 2000 from scratch. And you'll actually get a difference in behavior when you install Office 2000 on those two different situations. It turns out that the older default file permissions were not as restrictive as they are today.

Also, if the user's hard disk is formatted as a FAT system, you really don't have true access control at the file level and so you don't see any of the problems with Office 2000. On the other hand, when the file permissions are stricter-which should be better from the manager's perspective or the system administrator's perspective-people are running into some odd errors and I don't remember all the particulars in the errors or the solutions today, but those should be listed in some of the Microsoft knowledge bases.

HS: Okay, to take a slightly different tack here, if somebody's planning to migrate to Windows 2000, what are the organizational issues and the human resources, the people, the kinds of people and how many are required to do this?

DB: Okay, I think the first thing you have to get a handle on is the fact that it is an enterprise-wide solution and if you're going to deploy an Active Directory, you're going to need enterprise-wide coordination of the effort. You can't let it just happen. And with that said, I think it also means you've got to bring in somebody that outranks me, for instance, to lend credibility to the project. When we started kicking it off at University of Colorado, our director took a very active role, said, "Hey, this is going to happen, Windows 2000 is coming!" And basically made it a priority within our organization so that people wouldn't be going, "Uhh, another Microsoft product! Why do we have to pay attention to this?" Basically defining the role of individuals within the unit for it, and at the same time selling it to campus, that this represents a major shift in direction for the campus and how does this tie into the other things we're trying to accomplish. So I think the first thing is you need somebody in a position of influence to sort of embrace it, endorse it and-

HS: And that's at least head of IT on campus, whether that's-

DB: In our situation, it was the head of IT and I think that was an appropriate level for it to go to.

RJ: You said it represented a shift. Could you-

DB: Well, we were banking on Windows 2000 to help us make headway in a couple different areas. For instance, we didn't provide any centralized organized NT or Novell support. We actually used to do Novell support and we cut it off and the campus was sort of left going, "Okay, what's ITS's role, our department's role in supporting desktop computers on the campus?" And it was unclear. And this was an opportunity to basically start with a clean slate and say, "Okay, we're going to provide these services centrally. These responsibilities are going to be distributed." One of the other big things we had and we wanted to accomplish was we don't have any standards on this campus so we keep seeing our support costs, you know, going through the roof because we're trying to provide some level of support for all these different operating systems. And this was an opportunity to say, "Okay, let's see how much we can consolidate our operating system choices and promote an operating system and then sort of drive down our total cost of ownership that way and promote standards." And for us, promoting standards is a little bit difficult. We don't have any real enforcement authority in that area so you have to do the soft sell, essentially.

HS: Okay, you talked about sort of organizational issues. What about some of the people? Did you have to go off and hire some specialists or get new skills or-what kind of folks, could you just take the regular folks and retrain them?

DB: Well, we gained some benefits from being part of the rapid deployment project with Microsoft. They actually sent a Microsoft consultant out to work with us and I think Richard probably knows these numbers better. But I think we had him about 30 hours a week for a good six or eight months. And, you know, the expertise they brought really helped us get through the planning phase of the project. And then from there, we dedicated a couple of staff from our microcomputing group to work exclusively on the Windows 2000 deployment. The other thing that played into is, you know, we had to draw on our Central and UNIX services personnel quite a bit. You know, that's where we're handling Kerberos, DNS, etc., and that's where the director came in. You had to make time in your day to help with the Windows 2000 deployment because some of the services are in your area, actually.

HS: Yeah, Brenda Shatner from Wright State University asks a question along these lines. She wonders if you're utilizing people that are trained by Microsoft or are you just doing a learn-as-you-go kind of thing when you get people to work on this.

DB: I think the majority of it is learn-as-you-go. You know, one of the disadvantages of adopting it early on is the training materials and the training opportunities aren't as good. Now we see that those are coming around, but you know, six months, a year ago, there were many fewer training opportunities. So a lot of it was learn-as-you-go.

RJ: But I think today, wouldn't you encourage people to take advantage of the training that's now available, even though we didn't have it?

DB: Oh, absolutely! I mean, if it's available, you definitely want to make training a priority because you're going to learn it one way or the other. Taking a class is a lot cheaper than trying to learn it as you deploy.

HS: Could either of you sketch out your implementation plan? You know, how are you going to get from where you are to where you're going, wherever it is you're going with this?

PH: That's kind of an open-ended question! I mean, if you look on the website for our project page you have our initial scope statement and there is a gateway into the e-mail messages that talk about our biweekly status reports and things like that.

HS: Well, let me back off and let me tell you why I'm asking this thing so that maybe you can answer the question that I really think I'm asking. And that is, I'm thinking of people who are sitting out there and saying, "Okay, what should our implementation plan look like? What should we do first? What should we do in the middle? What should we do toward the end?" I mean, that kind of thing. Do you go out and just throw Professional onto all your lab machines? How do you-

DB: No. Again, I think it requires careful planning and Microsoft actually provided a very useful tool for us. They have a project planning paradigm that they shared with us and we actually followed it pretty closely. And they basically break it down into four phases.

They have an envisioning phase, you know, what do you have now? And what do you want your computing environment to look like in the future? And that's a pretty healthy exercise to go through.

And then you get into a planning phase where you tackle the technical details, how are we going to actually implement this? You know, what are the technical details of the deployment?

And then you get into a whole phase of testing, testing anything and everything, and then basically wrap it up with the deployment.

By the time you get to the deployment, you should have a pretty high degree of confidence that what you're deploying makes sense and you understand the issues. But I think the biggest point there is you do have to have a structured process for such a large-scale project and if you cut any one of those phases short, you're probably going to pay the price later on. In fact, we felt like we did a pretty thorough job on planning and then we'd get toward the implementation of the testing side of things and know that we had to go back to the planning phase and re-address some of those details.

HS: Kevin Schalla from Illinois Institute of Technology has a question here. He says it's his understanding that Win 2000 trusts completely all device drivers, and he says, "Doesn't this mean that users must be extremely careful which device drivers they use and from where they get them?" Is that true?

PH: Not a hundred percent. The device drivers are now signed and Microsoft has also given out tools for evaluating them better, although those are aimed at the developers. But there's a lot of device drivers where an end user, if they tried to install them, just would not install correctly. However, there are some cases where that's not true. I'm just thinking there was just an article I came across in the past few days that talked about some of these issues involved. I'm trying to remember where that was. On the other hand, I do believe that all the device drivers are running out of the same, shared memory space at this point. That was actually something that happened with NT 4 so if you did have a device driver that had some bugs in it, it still is possible to take out a large portion of the system.

HS: Okay, in the Microsoft site that we talk about, they list the ten top reasons-I know this sounds like a late night show here-the ten top reasons to move to Win 2000. Could we just comment on some of those briefly? For example, the first one they mention is value. Their claim in the website is that it's going to reduce directly-related IT costs by 15%, unproductive time by 41%, etc. and so forth. Are people really saying this? Is that true?

PH: I can't confirm those figures because we don't have a good way of measuring that.

HS: I mean, forgetting whether it's 15% or whether it's whatever, but is it really cheaper somehow to run this thing? Does it really save money to run NT? Sorry, not NT, Windows 2000?

DB: I think Microsoft is certainly trying to position it that way and gearing it for the enterprise in providing a lot of management tools that should make it a heck of a lot easier and a lot more cost-effective to manage multiple desktops.

HS: Okay, so your expectation is that you're actually going to see that. You're going to actually see-

DB: We're hoping so. I mean, you know, this is one of those front loaded projects where you've got to sink a lot of resources on the front end before you ever see any of the benefits so because we've sunk those resources in, we're banking on there being a payoff later on, yes.

HS: And when they say they're going to reduce unproductive time, what are they talking about?

PH: I think that's related to kind of the instability of a lot of their other operating systems, where a user installs a piece of software and suddenly everything stops working and the user calls up the helpdesk and the quickest solution is "Reinstall the operating system from scratch." You know, that only has to happen a couple of times for an awful lot of time to be chewed up.

HS: Oh, yeah, and tears a lot of hair out, too.

PH: Yeah! And you really shouldn't run into that situation at all-or at least it should be very rare.

HS: I mean, another of their claims is that it's a lot more reliable, they say, up to 50 times that of Win 98. So again, are we saying that it's a much more reliable, stable operating system? Have they really made big improvements in that area?

PH: Yeah, that's been my impression, and in fact, I've gotten some people who were traditionally UNIX users who had tried 98 and NT a couple of times and really weren't happy with it and finally got them to install 2000 and they came back after a week and were kind of like, "You know, this meets my needs! And I don't need to run UNIX any more."

DB: Yeah, we have been pretty pleased also. We think it is considerably more reliable and stable than previous OS's.

HS: They also claim that they have some things that make it much better with respect to security. Could you comment on that briefly?

PH: Well, part of it is using the Kerberos authentication. That certainly helps, considering some of the older Microsoft vulnerabilities. The other thing is, we alluded to it before. If you do a clean installation, the default file permissions that are placed on the system are much more secure. You're not going to have the random application being able to write to your system directory and replace system DLL's is one example. The other thing is with NT, lots of times we had to grant end users administrative privileges just so they could install a new application, or else they had to go and get a designated system administrator to come and maintain their system. Today, using group policies and things like that in the domain, we can actually deploy specific applications to end users and not require them to have administrative privileges. The installer service that comes in 2000 will actually run at the elevated privilege just for the duration of doing that installation. But that same service can't be just-an end user can't take an arbitrary application and run it that way.

HS: One of the things we've heard about are these things called policies, which I assume is one of the other benefits of W2K. Could you tell us a little bit about policies?

PH: Okay, policies are basically a way of centrally managing the configuration management. How to push out all sorts of settings, like what events do you want to audit? What software do you want to make available to the end users on their machines? Who should be able to log in, at what time? How many times is a user allowed to type in the wrong password before they get locked out? All of these type of things can be controlled with policies.

RJ: That smells like taking control of my desktop. Is that true? Is there a big move to centralization of control in Windows 2000 compared to the others?

DB: I think you're actually in a position to get the best of both worlds. You can centralize the things that make sense to be managed-

HS: It makes sense to IT people, right?

RJ: Well, that's certainly true-

HS: I mean, you're going to hear complaints from users.

DB: Right, but the reality is, when we're looking at these large enterprise installations, it makes sense to have some of that centralized and uniform across the board and then through the OU's, you get to delegate-

HS: The OU's?

DB: Organizational units. You get to delegate, you know, that lower level, finer grained issues down closer to the user, closer to the local administrator for them to manage. So it actually solves both problems, the concerns of the enterprise and the central support organization vs. the local administrator and the end users. You basically get to delegate the authority in a fashion that makes pretty good sense.

HS: SMS is going to do some of that, too. Has SMS or other things like it changed or improved in W2K?

PH: Well, a lot of the features that you used to get out of SMS are actually built into Windows 2000 now. But there's still an awful lot that SMS gives you that is not in 2000. All of the inventory management, the ability to do some of the remote monitoring of what a user is doing or what they've installed on a particular machine, that still comes out of SMS. The ability to manage other operating systems, all of the Windows 2000 features are really used to manage Windows 2000 but not the other Microsoft operating systems. If you need to do that, you know, deploy applications onto ME or 98 or 95, you're going to want to use SMS.

HS: What about the integration of W2K with other operating systems, specifically UNIX operating systems and Mac operating systems. Has that gotten better?

PH: Ahh-some people will say it has. I don't feel that it's improved very much. One of the problems they have with the current Macintosh support is that Microsoft actually didn't update any of the security mechanisms, so if you're using a Windows machine to serve up Macintosh files, you're actually not taking advantage of Kerberos authentication. You're backing off all the way down to the original LAN manager authentication. And for us, this is a problem. On the UNIX side, they have some new products, application suites, things like Services for UNIX that help some, but if you look at something like SAMBA, again, SAMBA does not do the Kerberos version 5 authentication that Windows 2000 supports so you're backing off to an older authentication mechanism.

HS: But I'd heard that there were lots of things, lots of programs and things that ran in UNIX that had been now ported to W2K so that you could make W2K look familiar to UNIX folks.

PH: Yeah, and part of that is the Microsoft Services for UNIX suite. There's-a lot of those tools have been available for NT 4 as well, though. I can't think, off the top of my head, of any UNIX applications that require Windows 2000 that couldn't run on NT 4.

RJ: Isn't Microsoft giving more command line abilities in Windows 2000 than they did in NT 4, though? That was one of their promises.

PH: Yes, yes, there's a lot of that. The other thing is, where they haven't provided a command line interface, they have generally provided a COM interface, so if you're using one of the scripting languages, ActivePerl, the Microsoft Scripting Host, Visual Basic and there's probably a bunch of others that can actually support COM, then you can write a command line utility to manipulate those interfaces, so even where they haven't given you natively a command line tool, you can create your own.

HS: Is W2K going to replace Novell as an operating system, or UNIX as an operating system on people's campuses?

DB: Well, on our campus it would probably replace Novell. I think it's a long shot to think that it's going to take much of a bite out of the services we're providing through UNIX.

HS: And why not? It sounds like it does a lot of the things that UNIX does. It might even do some of them better.

DB: Well, I think time will tell. I think in the short run, you know, you have these well developed processes and methodologies for delivering these services through UNIX and not the least of those is security. You also have, you know, large scale account management, things like that. In particular on the security side, I don't think we have that confidence yet in Windows 2000. Maybe that will come over time, but I don't think it's there and I think it takes years to develop some of that.

PH: It also takes years to develop the staff skills and, you know, schools tend to have a lot of people with strong UNIX skills and that's one of the obstacles for Microsoft adoption at this point.

HS: Is another problem the Linux problem in that, I mean, Linux is kind of a roll-your-own, take care of it your own kind of thing and that's really some distance from W2K.

PH: Yeah, and at a higher ed site, especially ones with strong computer science programs, you're going to find a lot of people being encouraged to use the roll-your-own operating systems because part of their education is to go into the operating system at such a low level. So it becomes more attractive. Windows 2000 is really an application server. You're trying to isolate the user from the operating system as much as possible, so that has some advantages and at a higher ed institution, a research university, it also has some disadvantage.

HS: Okay, we're about five minutes over the end of time here already, but I'd still like to get a couple more questions in anyway, and I should remind folks that if we did not answer your question that you sent to expert@cren.net or if you send in questions now, we will get them answered for you in the archive. Paul and David, it sounds like you've had by and large a pretty good experience with W2K, but were there any disappointments that you could tell us about?

DB: I don't know that I'd label them disappointments, you know. Maybe lack of information and resources early on would be a disappointment. Overall, I think we're pretty pleased with the product and the promise of, you know, trying to bring some of these new features and functions into our environment. So all in all, it's been a pretty positive experience.

HS: So you really don't see any downside to this thing? This is just-this has all been a real good thing?

PH: I'd say MIT has some disappointments, but maybe they're MIT-specific and we shouldn't talk about them in this forum.

HS: Okay, I mean, one of the things I think that's obvious is that it does take more hardware. I mean, not that that's a surprise and hardware is getting cheaper and things, but is it fair to say that if you're going to do this, that your machines are going to have to be more modern, bigger, that kind of thing?

PH: Yeah, but that tends to be true of almost any solution that you go to today, we're all depending on more as well. We're trying to deliver more features that the end users want.

HS: Yeah, when-my point, though, is just that you alluded earlier that folks at home were going to probably use ME, that wasn't going to be used much on campus, and I think you said that because, well, the machines at home tended to be smaller, less powerful and things. Is that going to be a problem, the fact that we have different operating systems on home machines that people are using in the university than we have at the university?

PH: Well, I think that's the same problem that we've been facing for a number of years now. In some cases, I think the problem's going to be less because you are starting to see some of the features on all these different operating systems, even including UNIX, starting to converge.

HS: Okay, one last question if we could here, which we actually had planned to ask earlier but I kind of moved it all the way to the back here because I wanted to end on kind of a future note here. And that is, I've heard about some operating system called Whistler which is supposed to be a follow-on to Windows 2000. Could you tell us what's going to be happening once we get past all of this?

PH: Dave, have you ever played with it yet?

DB: Well, I haven't played with it, but basically Whistler's the next major release of the Windows 2000 Pro and, you know, what they're touting in there is a few changes to the user interface, couple additional features, the personal server, terminal services, the revised handling of DLL's, things like that. I think the most interesting thing about Whistler is that this is where Microsoft is putting their toe in the dot-net strategy pool and I think that's one of the things we're all going to watch with a great deal of curiosity and interest as to what that really means and how that plays out and what-

HS: But you're not going to tell us what you think it means, this dot-net stuff?

DB: I think it's too soon to tell. I mean, what Microsoft will tell you is this is a move toward getting away from Windows-centric operating systems and moving toward Internet-centric computing environments and I think it holds a lot of promise, but I think we have to take a wait-and-see attitude and see how it's implemented and what their interpretation is.

HS: So you can all come back when Whistler is out or when the dot-net stuff is out so we can do this thing again?

DB: Sure.

HS: Okay. Richard, I think it's time for us to wrap up.

RJ: Do you have any final comment?

HS: No, I think that we've ended on an interesting tone here. We've found no disappointments here. This sounds like a pretty good experience, something I think that our listeners are going to get involved in. So perhaps we should just wrap up.

RJ: Sure. Well, I want to thank all of our web participants for being with us today. If you have questions, you can still send them to expert@cren.net and let me remind you to check the event web page. There are links on there to both MIT and the University of Colorado sites that describe Windows 2000 and there's also a link to the Microsoft Higher Ed site that lists their top reasons for moving to Windows 2000.

Our next session, two weeks from today on December 14th, features Jim Jokal of the University of Virginia on a very popular topic selected from a survey, an update on How and When It's Good to Use Data, Voice and Video Streaming Technologies. So be sure and join us for that session.

Many thanks to all the institutions who support these Tech Talks and to Microsoft for today's support. And thanks to all the Tech Talk folks who helped make this event possible. A special thanks to our two experts, Paul Hill and Dave Bodnar, and to technology anchor Howard Strauss. And to Terry Calhoun, the Tech Talk web guru; Jason Russell, Gayle Terkeurst and a nice support team at Merit; and to Susie Berneis, the audio file transcriber. And finally, thanks to all of you for being here. You were here because it's time. Bye, Paul. Bye, Dave. Bye, Howard.

HS: Bye-bye, take care. Bye-bye.

END OF WEBCAST