
TechTalks Transcript

Interoperability and Deployment of Windows 2000


Judith Boettcher [JB]

Howard Strauss [HS]

Len Lanphar [LL]

Richard Jones [RJ]

December 9, 1999


Topics covered include:

JB: This is Judith Boettcher, your CREN host for today, and welcome to the CREN TechTalk series for fall of 1999 and to this session on Interoperability and Deployment of Windows 2000. You are here because it's time to discuss the core technologies for your future campus.

Let me give a special thanks today for the support of today's event to Microsoft's Higher Education Group, and in particular to Roberto Bamberger and to John Dubois. Let me also now welcome the technology anchor for TechTalk, Howard Strauss of Princeton. Howard is a well-known, very energetic Web and Renaissance-like information technology expert. I gave you a new intro today, Howard.

HS: That's terrific.

JB: Welcome.

HS: Thank you, Judith. I can see we're all going to have trouble saying "interoperability" today.

JB: Hmm, yes! Um-hum.

HS: But anyway, I'm Howard Strauss. I'm the technology anchor for the TechTalk series of CREN Webcasts, and as the technology anchor, I'll engage our guest experts in a lively technical dialogue that will answer the questions you'd like answered and ask those very important follow-up questions.

You can ask our guest experts, Richard A. Jones and Len Lanphar, your own questions by sending e-mail to expert@cren.net at any time during this Webcast. If we don't get to your questions -- and we might not, because we've had lots of questions, which is wonderful -- but if we don't get to them during the Webcast, we'll provide answers in the Webcast archives.

On February 17, 1902, the singer Marian Anderson was born. Sixty-one years later, Michael Jordan was born, on February 17, 1963. The first February 17 of the new millennium will see the birth of a new operating system that almost everyone involved in computing has anticipated for many years: The official release date for Windows 2000 (and it looks like this is really the real thing this time) is this Thursday, February 17, 2000.

While Windows 2000 -- formerly known as NT 5.0 -- remained safely on the horizon, we could follow its development with trepidation or glee, but we really didn't have to do anything about it (and besides, we had lots of Y2K problems to worry about). With the release of Windows 2000 -- and never call it W2K! -- around the corner, there are lots of questions that we need answers to, and we need those answers very quickly.

The answer to the question, "Can we just ignore it?" is almost certainly "No." While it may not replace every Unix and Novell server on campus and appear on every desktop, it will very likely have a very strong presence there. Windows 2000 is not just another release of an old operating system. It is a family of operating systems that are designed to work as workstation servers, and a sophisticated enterprise IT server called Windows 2000 Datacenter Server that supports up to 32-way symmetric multiprocessing and up to 64 gigabytes of physical memory.

Windows potentially affects every IT service and application you offer, including your most basic services such as e-mail, directory services, data management, IP address assignment, security and authentication. That you are probably doing all these things already on a variety of different operating systems makes moving to or coexisting with Windows 2000 more challenging. While some places might be able to just move all their servers and workstations to Windows 2000, few of us will be able to weather the political and financial costs of such a recommendation, even if we thought it made sense.

That means that Windows 2000 will have to interoperate with your existing Unix systems, Novell networks and NEC's as well as the variety of platforms and microprocessors they use. Windows 2000 claims to be an open system. By "open," Microsoft means that it's portable, scalable and it interoperates with most of the systems we use. If there is some operating system standard that you have heard of -- TCP/IP, LDAP, IPX, DHCP, BT, CGI, FTP, ODBC, SQL, POP, IMAP, X400, SMT and dozens more -- chances are, they're part of Windows 2000.

In addition, Unix interoperability extends from supporting Unix functions to actually letting you execute Unix commands and utilities on a Windows 2000 server. If you can't give up using your Unix GNU commands, for example, they can still be used in Windows 2000. So it may seem that the task of working with Windows 2000 has been made as easy as possible. Well, that was certainly the intention.

Because of the many new features and new ways of doing things in Windows 2000, there are many basic issues that need to be re-thought before Windows 2000 servers blossom on your campus. How should your existing directory structure and management, for example, be redesigned to work with Windows 2000 Active Directories? This will not just be a matter of moving some text around and doing some conversions. It will actually require some high-level system planning before plunging ahead. How will you handle name serving in this new environment? What's your security plan? How will you train your server administrators to use this very new software? Do you even have the ability to do it? These are just a few of the difficult questions you'll be facing.

You may recall that the NT in Windows NT stood for New Technology. While Microsoft has dropped the NT designation from its newest operating system, this new operating system is loaded with new technology. Rich and Len will give you some insight in dealing with this new baby, due on the 17th of February, on today's Webcast of TechTalk.

Judith?

JB: Well, thank you very much, Howard, and I think everyone participating today can just see that we may be awash in acronyms today, and I hope that we will do our best --

HS: I think I covered them all!

JB: Yes, I think so. I hope that we'll do our best here to be as clear as we can about those acronyms and not drown in them.

As you can tell from what Howard just said, we could probably have enough content for many TechTalks with all the questions that might come up on Windows 2000 today, but we will be focusing on getting started on some very specific ones.

To help us do that, let me introduce our two experts today. Richard Jones is from the University of Colorado, and he's the manager of the Rapid Deployment Program for their Windows 2000 project on that campus. The Rapid Deployment Program is often referred to as RDP, and Richard may slip into Acronym Land occasionally during the TechTalk today with that. Our second expert today is Len Lanphar from Carnegie-Mellon, and Len is an expert in authentication and Kerberos capabilities of Windows 2000, and also has expertise in the area of issues in software distribution.

Welcome, Len and Richard. Thanks so much for being here.

LL: Good to be here.

RJ: Yes, it's nice to be here. Thanks.

JB: Okay, great. You're ready for this experience, huh?

HS: Okay. Rich, Len --

JB: Here we go!

HS: One of the things perhaps we could do to just get started is I mentioned that Windows 2000 actually is a family of operating systems. It comes in at least -- is it three flavors or four flavors? At any rate, could you describe what those different products are and how they're used?

RJ: Sure. There are going to be three products released on the 17th of February. Professional, which you can think of as the successor to NT 4.0 Workstation. Server, the basic level of Windows 2000 Server, and then one called Advanced Server, which offers support for more CPUs and the start of clustering. And then, 60 days or so after that, they've said they will release their Datacenter Server, which offers even higher levels of CPU and clustering support. So there are three main products, two versions of the Server and the desktop version.

HS: Well, it sounds like there is one desktop version and three Server versions.

RJ: Right, there's that third one coming later.

HS: Right, but that's just coming a month or so later?

JB: No, 60 days, you said. I'm sorry.

HS: All right. The desktop version of the thing. Is that going to turn out to be a replacement for Windows 98 as well? Are people -- I've heard that that's going to be the migration path from Windows 98 to Windows 2000.

RJ: I think Microsoft is clearly positioning it to do that in the business/corporate environment. And so the Windows 95/98 and this successor to it, that will be home computer systems.

And in the corporate environment, they are pushing Windows 2000 Professional as the desktop. And they can do that a lot more persuasively now because there's really good laptop support in it, which has been a problem with people trying to standardize on NT 4.0 Workstation and then still having to deal with 95/98 on their laptops. So with Windows 2000, you could move totally away from Windows 95/98, if you wanted to, to Windows 2000 Professional.

HS: But it sounds like you're suggesting there is going to be a successor to Windows 98 which is not going to be Windows 2000, something for home use?

RJ: That's what we understand, that the successor to Windows 98 will be one more release aimed at the home use. And then the scuttlebutt is that at some point after that, they will have a Windows 2000 Lite ready that will be easy to configure for home use. But that -- it's taken them so long to get Windows 2000 out the door that that's been pushed back a long ways.

HS: Yeah, that's actually -- I heard that you're doing this Rapid Deployment stuff. It sounded like it was rather slow "Rapid Deployment".

JB: How long has the Rapid Deployment project been going on, Richard?

RJ: Well, probably I shouldn't even admit. It was a little over a year ago that we had -- we first started negotiating with them. Like anyone in a university can appreciate, it took 90 days or more to do the legal part, to sign a couple of contracts. And so we really started, I think, in the middle or end of March. And we started gearing up at the beginning of April, so we've been at it six or seven months heavily, and especially when the summer came -- June -- we really started working on it.

HS: So in looking at this product, if you're a college or university out there, does it look like what we ought to be telling people to do is to think about replacing their desktop systems with Windows 2000 Professional, and replacing their servers -- at least their NT 4.0 servers -- with Windows 2000? That's what people ought to be doing.

RJ: Let's see. I think we want to -- we're recommending here that people seriously consider moving from NT 4.0 Workstation or Win 95/98 to Professional in the current environment they're in, which could be a work group, could be an NT 4.0 domain, Novell setup or whatever. You need to check the application compatibility issues and any hardware compatibility issues, and if there are no problems, then you get a lot better product. You get something that's a lot more stable and robust.

HS: How big a machine do I need to run this new product?

RJ: A little bigger than an NT 4.0 workstation, but not a lot. Microsoft has the minimum configurations and then recommended. And I think for -- if you bought a machine in the last year or two, you might want to put enough memory to get to, say, 128 megs. But you'll have a fine machine for Professional.

JB: So basically, if people have 64 meg, they can run the operating system, and then they really want to double that?

RJ: Yeah, because Microsoft's recommendations for good performance of the OS -- and you need to factor in what kind of applications you run and what kind of memory they use, so if you like to have a lot of things open, you're going to need more memory.

HS: One of the problems that folks have had in the past with some Microsoft operating systems is that they tended to crash and lock up a bit, and I've heard that Windows 2000 has done some things to address that problem. Could you tell us if your experience has been that these things are more reliable, or do you know things in Windows 2000 that make the thing more reliable?

RJ: Our experience is that it's much, much more reliable. Len, what's your experience at CMU?

LL: We've had good reliability here as well, both with the OS and with the underlying applications. It's looking pretty promising.

HS: Have there been things that they have done to the thing very specifically to address some of those problems, to make the thing more stable and more reliable? I don't care who answers. Take the floor, somebody!

RJ: Yes, they have.

HS: Would you like me to prefix anything I say with a name? I'll do that, and then you can always pass it on to the other person.

RJ: They've tried to minimize "DLL hell" as much as possible, so that if you install an application and it tries to overwrite a new DLL with an old one, it will either do it and then refresh it back to the right version, or it will tell you. So they've really tried to deal with that problem, which is one of the nightmares of NT and having desktop people just start installing stuff.

JB: And in your Rapid Deployment Program at Colorado, Richard, have you replaced and put the Windows 2000 into the labs?

RJ: We have one lab that's been running Windows 2000 for a couple of months. Our plan for, and it's not -- you see, it's sort of a special lab so we have more flexibility of breaking it and fixing it and trying things out.

The standard student computer labs that you think of more have to be in production while classes are underway. We hope to upgrade them this summer, but we haven't converted any of them.

And then we have a new building that's just being finished, the faculty have moved in and everything's ready and there'll be classes in there in January. And it has a lab and we're putting Windows 2000 in that. And it has -- the faculty in this classroom are foreign languages, especially Oriental languages, and so we're putting a feature in there of Windows 2000 that -- an enormous win for those people and so they're real excited about it. And the capability I'm talking about is the ability to enter text and edit text in several different languages in the same document, in particular Chinese and Japanese. So these Oriental language professors can deal with all three languages -- English, Chinese and Japanese (or actually I think there are five different versions of Chinese). They can deal with all of those in the single document, whereas in the past they've had to have, you might say, Japanese machines and Chinese machines and they couldn't deal with it in the same place.

JB: Sounds like a really tremendous, as you say, win for those faculty.

RJ: Yeah, when we started showing them this last summer, they got real excited, and so that's making it easier for us to roll out Windows 2000 there, even though it might be not in the final form of our campus architecture.

JB: And you haven't had any -- so your experience with the crashes that Howard was talking about before, your experience has been very positive with that?

RJ: Yes, definitely. We've, in our test environment of a dozen or so machines which we reconfigure and play around with a lot, we've really only had one serious crash. And just like every other network manager, we weren't really prepared for it because this was our test lab. But we did recover the machine, get it back in the row and everything. But other than that one machine, we've done all of these things with machines changing their roles, trying different pieces of software, with really no significant failure problems.

HS: In looking at the difference between 4.0 and 5.0, or Windows 2000, what do you see as the really big changes that Microsoft has made here?

LL: I think for us, one of the biggest changes has been the integration of Kerberos and also the Active Directory. That, for us, those are the two biggest wins they're pursuing.

HS: Could we talk a little bit about both of those things? I mean, what is new that they have done with Kerberos?

LL: Well, they've brought it into the OS level. Previously here on campus, we have Windows machines that are doing Kerberos, but it's as an add-on. It's not tied into the operating system at all. So if someone sits down at, say, our public lab machines and logs in, we have to get some glue in there so that they can log into NT, have NT credentials, and then get Kerberos credentials as well to operate with our existing environments.

And so what this is doing for us is allowing us to do a clear implementation of that and allow us to start having users log into the machine itself with their Kerberos credentials and have stuff that will work for them in Windows 2000 and also for our existing Kerberos infrastructure.

HS: What does that do for -- I mean, we're already running Kerberos and lots of other people are running Kerberos. We're not running it on an NT server right now, so how does a place that's running, say, Kerberos on some Unix server somewhere put this thing in and take advantage of it?

LL: Well, the great thing about this is that the interoperability -- there's my one use of "interoperability" --

HS: I think interop's going to be okay.

LL: The interop of the Microsoft Kerberos implementation with the, sort of the stock MIT implementations has been great. We've been using them both here, back and forth, with good results.

Basically, they give you two things you can do. You can take a Windows 2000 workstation or domain and have it trusting version 5.0 well. And you can also, from, say, a Unix machine, where you have your Kerberos software installed, you can use that to sort of [inaudible] against the KDC that's supplied with the domain in Windows 2000.

And so that's sort of the higher level view of that. This has been a nebulous area for a lot of people. There's been some questions about this as to how it actually works in day-to-day use.

JB: Can you give us an example of that right now, Len?

LL: Yes. Basically, see, you have -- like us here, we have about, you know, 19,000 [inaudible] already exists in our Kerberos database. And we want to be able to access these via these Windows 2000 machines. There's still this issue of you have to be -- on Windows 2000, you have to be logged in as somebody. And with the implementation they give you for the Kerberos, you can do one of two things. You can basically say, "This user, this Kerberos user maps to this Windows 2000 user," or you can say, "This Kerberos -- or these Kerberos users map to, for instance, a guest account in the Windows 2000 domain."

JB: To a guest account? So it could be very flexible if they do it that way.

LL: Yes.

JB: Okay.

LL: And so basically what we're doing here is we are populating one of our domains with all of our Kerberos credentials. And basically what we're doing is mapping. We're doing a one-to-one mapping from our existing Kerberos onto that domain. So users will be able to sit down at the machine and log in and be a Kerberos user and a bona fide Windows 2000 user as well.

JB: On the same machine, or on the same realm area?

LL: On the same machine. And if they start doing things with Kerberos -- for instance, if they fire up a client that uses Kerberos, we can have it so that it can use those credentials that they already used in the process of logging into the machine.

HS: Okay, one -- we have a few questions on Kerberos from Scott Smith at Penn State University. We may have covered some of them, but since they're brief, let me just go through them real quickly, if we could. Scott's first question is will Windows 2000 interoperate with IBM's DCE Kerberos 5.0?

LL: Okay, we are not doing anything with DCE here so I can't answer that firsthand. I have heard of other sites that have been using it successfully. So that's the best data point I can --

HS: Okay, his next question is what does Windows 2000 do with Kerberos 5.0 tickets that control access to databases?

RJ: I think that question and some of the next ones about ACLs, my understanding is that DCE took advantage of empty spots in the Kerberos protocol to put their ACL information in there. And Microsoft does the same thing. They put the credentials you need to access files or give you the privileges and authority you have inside the Windows domain. They put those in the ticket in a similar way, so I think that they both took advantage of the same flexibility of Kerberos.

HS: Okay, then in that case, let's go to Scott's last question. He says, "Is Microsoft providing specifications on how to interface with their implementation of Kerberos, and if so, where can we find them?"

LL: There's some documentation on the Windows 2000 Server page in the technical documents area. I believe there's a link to that off of the CREN page regarding this talk. But there's a good white paper that gives a good overview of the implementation. As far as getting more technical, [inaudible] like the FDK [inaudible] the information on SSPI, the security services provider interface, which is the Windows 2000 way of accessing Kerberos credentials and using them for applications.

HS: Okay.

JB: Howard, before we move off of the Kerberos set of questions, do we want to go back. And there is one question that says, "Which standard features of Windows 2000 will make use of the authentication and Kerberos capabilities?" Have we answered that one yet? Len?

LL: I don't believe we have. I don't have a definitive list right in front of me, but for instance, the LDAP functionality of the Active Directory Server will use those credentials. I believe, though I'm not positive, that the Telnet server implementation in their services for Unix pack will also use the Kerberos credentials for authentication purposes.

JB: Okay.

RJ: I think that's built in, any time they do authentication, they'd use Kerberos because it's pervasive in the system of Windows 2000. So pretty much every process that needs to authenticate to another one will do it with Kerberos. We just won't ever see it.

JB: Well, you know, we just got another very quick question that came in from Jay Galman from Georgia Tech, also asking a Kerberos-related question, saying, "Can the mapping be automated?"

LL: Well, there's a few different ways to answer that question. With the resource kit for Windows 2000, there will be a command called KSETUP. We can use that to enter information about the KDCs for your MIT [inaudible] and so forth. And one of the switches you can give on there is a MAPUSER command which you can use to map credentials, or map [inaudible] from the Kerberos realm onto an NT identity. And you can do what I said, you can do a specific name to a specific name or you can do all names to, say, a guest account. I believe you can also just say, for instance, KSETUP MAPUSER **, where for instance, if you have your domain users and your realm users, that those things are synonymous, you could just do that KSETUP command and it should map the network.

JB: Okay, well, good.

HS: Getting away from Kerberos --

JB: Yes.

HS: I think you wanted to make another comment. Go ahead.

RJ: There's at least one company, CyberSafe, who's releasing a product that will sync accounts from the two realms and also passwords, so that if you change your password on either side, it's changed on the other side. So they've clearly been working with Microsoft. They know some of these APIs and they're scheduled to release something about the same time as Windows 2000.

JB: Okay, great.

HS: Yeah. I mean, I think Kerberos is one of those areas we really could, and we might have had a whole TechTalk on -- we could do [inaudible].

But not to minimize the importance of Kerberos, but just to try to cover some other issues, we have another electronic mail from Bob Morgan, and Bob Morgan talks a little bit about the two different ways that Windows 2000 looks. Let me just read his question. He says, "In our discussion of Windows 2000 deployment, there seem to be two different agendas at work. One is a departmental view, which starts from existing NT deployment and hopes that Windows 2000 will provide a better way of interconnecting them. The other is the central services view, which starts from campus scale authentication, e-mail and Web services and hopes that Windows 2000 will support desktop integration with the services." And he wants to know, how do you resolve these two different views? Len? Rich?

RJ: Well, we've wrestled with those issues here. Let me say the way I interpret his question is the departmental view is easy to see coming from the NT 4.0 domain setup, so it's real easy for someone on campus to set up their own little NT 4.0 domain, do whatever it is they need to do and not have to really deal with any big infrastructure.

That changes radically with Windows 2000. You can no longer just sort of do your own little thing. Because Microsoft has adopted these standards -- in particular Kerberos, DNS and DHCP -- there are implications in bringing up a Windows 2000 domain if you already have those systems running in your infrastructure. Well, we all do! We all have DNS running. So you can't just rip off the shrink wrap and do something in the same way you could with NT 4.0.

For example, one of the first questions you have to decide if you're going to bring up a Windows 2000 domain is what's the name? Well, because they're adopting DNS, that name has to be a DNS name. It has to live in your DNS space. And so all of a sudden, you have to deal with the infrastructure that exists.

HS: So DNS has the names of all the servers and all the domains and everything?

RJ: And subdomains, yeah. So the name of your Windows 2000 domain has to look like a DNS domain name, so it could be, in our example, "colorado.edu". Or it could be a subdomain of colorado.edu, but I can't just call it my server's or whatever, my department name, which I could do with NT 4.0.

So there's a big change of viewpoint there that I think is going to surprise a lot of people. Or the sooner they learn it, then the more they can understand these things and understand why it's important from the campus level to develop the right infrastructure so that the departmental people can use Windows 2000.

JB: You know, it sounds like that would be a particular problem on campuses that have, then, had much more distributed computing infrastructures in place than those that are, you know, managed more centrally. Len, what about you at Carnegie-Mellon? I think, if I recall, Carnegie-Mellon is pretty distributed.

LL: We are fairly distributed. On the other hand, we -- well, specifically with the NT end of things, we haven't been doing much with [inaudible] supporting NT server in our environments. So with Windows 2000 coming out, then we're really taking active steps to look at providing a good solid infrastructure for that on campus.

RJ: I'd say that's exactly what we're doing here.

JB: Okay.

LL: One of the issues we've been able to avoid as far as what other groups are doing, but a lot of the core campus support -- I mean, we have, for instance, the CS department who go off and maintain their own network. But as far as the main campus network, a lot of the maintenance, a lot of DHCP, DNS stuff is centralized.

JB: But that certainly is -- I'm sorry, Howard, go ahead.

HS: No, go ahead!

JB: No, go ahead.

HS: Okay. Well, it sounds like when you're talking about this DNS issue, that there's something more general going on here. And that is it sounds like you're suggesting that the transition from NT 4.0 to 5.0, especially for the people who have to administer it, is really quite a big jump. Is that the case?

LL: It definitely is.

HS: What order of things, besides this -- I mean, this DNS issue sounds like something where you really have to sit down and do some high-level planning. What other things are like that?

LL: Well, there's sort of in tandem with DNS, there is the NT Active Directory.

HS: Could you tell us -- we've mentioned Active Directories sort of in passing here and there. Could you tell us what's active about Active Directories or what's different about them than regular old directories?

LL: Well, I mean, it's a unified store for lots of things. But [inaudible] the stuff you're storing, you know, users and groups and computers and group policies you can apply to affect user and machine policies and things like that.

HS: What's a group policy?

LL: A group policy is, for those who are familiar with NT 4.0 and the policy editor and things like that, it's an attempt to better bring together all those disparate ways of affecting machine policies -- you know, users can't run applications, users can't change their desktop, you know. These restrictions on this workstation from the -- those sorts of things. So the group policy is a way of bringing information together into one unified interface and advertising that via the Active Directory.

RJ: Having built that central store, then they start using it everywhere, so you can -- if you want to use Microsoft's DNS server, you can configure it so that it's integrated into the Active Directory rather than having any separate config files. And because they have this multi-master replication scheme amongst Active Directory domain controllers, that information is on all of them. And so you can essentially run, for example, DNS on several domain controllers and you reduce points of failure. You don't have a single point of failure and your management is easier. You don't have to manage the configuration files for DNS. You just let Windows 2000 do it [inaudible] in the Active Directory.

HS: Wait. Was it -- a domain controller, is that another server?

RJ: A domain controller is a machine where the Active Directory store exists, so in NT 4.0 jargon we had a primary domain controller and we had backup domain controllers. And the primary was a single point of failure in some respects. They removed that by making all domain controllers equal and doing a replication system among them, and so you don't have a single point of failure. If you can find any domain controller, then you're just as good as you could be if you could find the one you normally looked to or something.

HS: Okay, but I assume there's still some master because you're going to update one of them and that's going to be replicated?

RJ: No, but --

HS: Or you can update any of them?

RJ: Yeah, wherever the update occurs, it replicates to all the other domain controllers. So they have this constant incremental update system going and they can -- it's all time-stamped and sequence numbered so that if there is some kind of failure while -- before they're all in sync, it can quickly get back in sync without losing any information.

JB: I'm trying to envision what the environment might look like at Colorado with these domain controllers, Richard. How many of these do you have on your campus right now as part of, you know, the testing process you've been doing?

RJ: Well, in our test environment, we have two, but then the people in the group have done them in their offices in different parts of campus, so we have two or three more. But in terms of deployed architecture for the campus, we're thinking that we'd want three as a minimum and we have, compared to a lot of corporations, we have high bandwidth around the entire campus so their location isn't as important. But we'd spread them out geographically into three different parts of campus.

JB: Let me see if I can ask a potentially dumb question here. In terms of -- am I understanding it right when you're saying, then, that you would be having an Active Directory on these domain controllers?

RJ: Yes, the Active Directory exists on each domain controller.

JB: But then don't we have to worry about security of those files and security of that Active Directory?

RJ: Right. And so our view is similar to a lot of Unix services. You wouldn't do other things on these domain controllers. They would do the Active Directory and the services that you wanted to go along with that, but you wouldn't use them as application servers or print servers or anything like that.

JB: Okay, I think we had a question that came in from someone regarding the design of the Active Directory name space. Yes, it was Paul Hill at MIT. He asked, "Has anyone looked at having a flat name space for their users, but placing machines into smaller groups?"

LL: We have been pursuing a flat name space here for users. Basically, our goal right now is to have essentially a domain that acts like a user resource where we have all of our campus users who are in this domain. And if people want to bring up other domains and what-not, they can reference that for the accounts instead of having to create duplicate accounts.

So we're looking at creating all those in one domain and for the way much of our campus is structured, it's not really logical for us to start breaking them up into organizational units. It's just, the overhead of doing that and just the fact that it doesn't really map well to all of our users. We're pursuing putting everything in a flat name space here. So right now, we have some 19,000 users just thrown into the domain. That is something I have been looking at possibly changing. There's nothing --

HS: Yeah, but if it's flat, isn't it very wide?

LL: Well, the big issue that we have with it is just performance issues. Bringing up a browser for a user ID if you have the [inaudible] tends to hit a few brick walls here and there. There are a few places where, for instance, the list of users is limited to 2,000 and so, you know, it just bottoms out after so many users in there.

RJ: We've seen similar problems and I think Microsoft is aware of them, and hopefully there will be tools that improve those coming out.

Inside the RDP project, we've also kind of compared notes with other places. And, for example, Boeing Corporation, which either has 40 or 60,000 users, they're pursuing a very flat name space. And we're doing it and Carnegie-Mellon's doing it and Microsoft is recommending, do it as flat as you can. And so we're all thinking, well, it's going to work pretty much this way. Maybe we'll have to break it up a little bit, but it offers -- it's a simplification in terms of management if it'll work that way.

HS: What tools does Windows 2000 have to help you manage the Active Directory?

RJ: Well, they have -- let's see, in Windows 2000 you manage everything pretty much through an MMC, a Microsoft Management Console snap-in, so they've taken that idea that started in NT 4.0 and pretty much standardized on it. So you have, I think there's at least three different snap-ins to deal with the domain and --

HS: Is a snap-in like a plug-in?

JB: Thanks for asking that question, Howard!

RJ: Well, the Management Console is sort of like a frame. And so the content are these snap-ins which actually do something for you, and the framework is just a standard way to present it and have an interface. So you have some of these tools to deal with your Active Directory.

There are also quite a few command line tools available (and more coming) to manage a lot of things. So people, Unix people especially, who are real command line oriented are going to find that they can do many more things in Windows 2000 than they could in NT that way. That also allows you to start generating batch scripts and stuff like that and automate it, which we all have done a lot of on the Unix side.

HS: How does LDAP play with Active Directories? I mean, I assume that your Active Directory is also your LDAP directory?

LL: There is really an LDAP interface to the Active Directory, so you can access it doing standard LDAP queries.

JB: Have you actually -- we had a question coming in from Michael Geddes asking one of you or both of you whether you've tried synchronizing the Active Directory with other LDAP directories? Can you address that specifically?

RJ: We haven't done anything along that line.

JB: Okay, Len?

LL: We have done a little bit of testing here and there, nothing -- I don't have any information on that readily available to say anything about that, but basically we've just done very cursory testing on that.

JB: Okay.

HS: Okay, we've had another question on this general area from Timothy Beils from the University of Minnesota, and Tim says, "We have several small NT 4.0 domains distributed on our campus. Does Windows 2000 support domains in Active Directory at the same time?" He also asks, "Is there a way to migrate NT 4.0 domains into the Active Directory?"

RJ: Yes and yes! Now, Windows 2000 has a domain structure, and inside a domain you can have this OU, Organizational Unit structure. And we see that as the way to go. But you can also have subdomains, just as you can in NT 4.0. But you don't have to have them to solve the problems that you used them in NT 4.0, where you typically created a user domain and then you had subdomains containing resources.

With Windows 2000, you can do all of that inside of a single domain with Organizational Units. And, yes, Microsoft has tools to migrate from NT 4.0 domains to Windows 2000 domains or actually integrate and then migrate in. I mean, you can convert one or you can join an NT 4.0 domain into Windows 2000 and migrate it in there.

HS: How does -- we were talking about DNS a bit before and it sounded like DNS was somehow integrated into the Active Directory. How will these things work together?

RJ: Well, if you think of Unix DNS, you have these files that when BIND starts up, it reads and it builds all of its tables so you have all the host records, pointer records, all these other things. In Windows 2000, if you choose to integrate DNS into the Active Directory, that information is stored in the Active Directory and not in these files.

And the win, from Microsoft's view, is because it's in the Active Directory, it's now replicated on your other domain controllers so if they're running DNS also, they're all seeing the same data and it's managed actively by their processes and you don't have to go build these config files. They use dynamic updates, which is a feature of DNS that BIND has started to adopt. And so you don't have to create static files and load them into DNS. Dynamic updates take care of that, if you want to go that route.

HS: Talking about dynamic things, another thing that lots of folks use on campus and that is part of Windows 2000 is DHCP. Has that changed at all in Windows 2000?

RJ: Well, the DHCP has the ability to do the dynamic updates to DNS, and Microsoft has taken advantage of that. So if you're running a Unix-based DHCP server and you want to use it then you need to investigate whether it supports what's called Option 81 in the DHCP jargon. And that means the ability to give out the IP address to the client machine and then turn around and give dynamic DNS information to the DNS server.

HS: If we're already using DHCP, does this -- how do you make this work with what we're doing right now? Do we have to move our DHCP to an NT server or do we have to change anything about the way we're doing things?

RJ: If you don't want to move, you shouldn't have to. But if you want to take advantage of the dynamic capability from your Windows 2000 machines, then you need to upgrade your DNS -- or your DHCP server -- to support this Option 81 capability. And I think the latest version that people are running will do it, but it's probably not compiled in because we haven't been doing it. So it's a new piece of DHCP to learn about and maybe re-compile and then reconfigure what you're doing. But the software you're running on the Unix side should be able to handle it.

JB: There are a couple more questions. We're getting close to the time where we usually wrap up, but we do have a couple other questions I think that we should probably consider taking.

We had a question that came in very early on, asking about the resource requirements for running videoconferencing with NetMeeting under Windows 2000, and specifically (it was a question from Chuck at Mississippi State) multicast videoconferencing. Can you address that?

RJ: We haven't done anything. Have you done anything, Len?

LL: No, we haven't tackled that here at all.

JB: Okay, so that's something to be discovered, resource requirement, then. What about another question that came in from Michael again, asking about your disappointments. What have you found so far with Windows 2000 that you wish might be a little different or that you're waiting to come down the pike? Richard, do you want to start with that one?

RJ: Sure. I guess the ability to manage an organizational unit where we've stuffed 35,000 users in it. Len referred to that. That's still a little awkward, but hopefully it will get better. Otherwise, if you're not a Microsoft basher, if you're open to the way they do things, then Windows 2000 looks a lot better than NT 4.0 or Win 9x.

So it's more of a cornucopia of tools and strategies that you can use. I mean, we didn't talk about remote installation services and things that we see as real valuable in maintaining our computer labs, where if a particular machine gets trashed, we can rebuild it easily, quickly, sort of automatically. So there's a lot of things like that in Windows 2000 that look really good.

HS: But that sounds just like SMS. Is there a thing that's a replacement for SMS in Windows 2000?

RJ: I think you could say that SMS Lite, so to speak, is built in, and then there will still be an SMS that gives you more control and more power in how you roll out things.

HS: Okay, so what you're calling SMS Lite is really just this thing you were also referring to as remote installation services?

RJ: Well, the whole suite of that -- they call it CCM, Change Control Method -- and then something, and used to be called -- I mean, IntelliMirror is another word that they've used that they sort of dropped.

There's a whole bunch of pieces to that technology. And they're actually different ways. I think there are probably three different ways to do remote installations of the OS, and in some cases, you would pick one over the other. We're right now favoring RIS, that's the one we worked with the most and it may actually involve using GHOST, which is a product many people use. So it will work together with that.

HS: Had you worked with SMS before?

RJ: We haven't here.

LL: Neither have we.

HS: Okay, because I just wondered what were the things that SMS could do that were not part of Windows 2000.

RJ: One piece that comes with Windows 2000 that's great for administrators is that they give you the terminal server ability and they give it to you free for administrative use. So if you want to run a terminal server machine serving applications that way, you still have to buy the licenses, but essentially, you get the ability to see -- to log into another machine free with administrative terminal server use.

My thought is that every administrator that has machines even in the next room, much less the next building, will definitely use that, so that's a great advance compared to NT 4.0 where you had to buy SMS to start getting functionality or you had to buy pcAnywhere or something like that.

HS: Hm! That sounds very, very interesting. We are getting close to the time we are going to have to end this. I'm thinking in terms of closing questions here. In terms of people thinking about going to Windows 2000, what are the most important things they ought to be thinking about right now to make the transition? Len, Richard?

LL: Well, before you start talking about Windows 2000 server at your organization, I think you have to visit your infrastructure and look at what are you doing currently with DHCP? What are you doing currently with DNS? What, if anything, are you doing currently with Kerberos? And have a plan mapped out for how you're going to keep those services running as you start rolling out Windows 2000 and start rolling out those domains in your environment.

So it's -- the big thing is planning right now. You know, an NT 4.0 server, you could, you know -- for all intents and purposes, you could pull it out of the box and just set it up on your network and for the most part, it will work. That's not quite the case anymore, so you have to have a good plan for that, going into this.

HS: One of the things that people run on NT servers and Unix servers are Web servers. Have there been some changes or improvements in, I think it's IIS, Microsoft's Web server for Windows 2000?

RJ: We haven't really done much with it, but they list a whole bunch of improvements over IIS 4.0, including using Kerberos authentication and some other things. So, but we haven't actually done much with it to be specific about benefits or improvements.

HS: Is there anything out there in Windows 2000 that is going to make you switch functions from Unix servers over to Windows 2000? I mean, are folks going to be doing that? They're going to see something in Windows 2000 that says, you know, now is finally the time I get rid of this Unix box and replace it with Windows 2000 because it now looks good enough?

RJ: Well, I think that option is there, in terms of DNS, DHCP, there's a bunch of things like that. Then the question is, as well, do I want to take this the day they ship it and do that or do I want to watch it for a while. But that question, we've never faced the question before, so I would think for a lot of smaller institutions that have a simpler structure or want to keep it as simple as possible, they might decide to start moving DNS, for example, over to Windows 2000. But they'll, of course, want to test it and evaluate it very carefully and make sure that its performance is what they want before they do it. But the capability of making that decision is suddenly there with Windows 2000.

HS: In terms of Windows Professional, you said if one's going to go to Windows 2000, one of the server versions, we ought to do some planning, thinking, whatever. But in just going from NT or Windows 98 to Windows 2000 Professional, is that just, you know, install the new operating system and everything is fine kind of thing? Don't have to think about that much. Is that the case?

RJ: If you check your application compatibility and your hardware compatibility and you don't have any problems, then moving to Windows 2000 Professional in your current domain structure -- whatever that is -- is a good thing to do because you get a lot better reliability and robustness.

JB: You mentioned the application interoperability a couple of different times, Richard. Is there a place on Microsoft's Website where they've got a list of the tested, you know, applications that they have tested and that appear to be running just fine under Windows 2000?

RJ: They have a big matrix list somewhere on their site of applications and where they are, and I think if you look at it, a lot of them are checked as DON'T KNOW or NOT TESTED yet. That's the same thing of the hardware compatibility list that they keep updating, and if you look at that you'll see that they've gone through and tested lots and lots of hardware. And I think between now and February 17, a lot of the applications stuff will move in that direction. Application vendors will announce that their product is Windows 2000 compliant or they will have an update that is or something like that.

JB: Okay, so --

HS: So after hearing about everything being Y2K compliant, we're going to hear about everything being Windows 2000 compliant.

RJ: Right. But let me mention prices because I just thought of it with this. We got select prices or estimated select prices --

HS: Select prices are the educational prices.

RJ: Right. Select is a program of Microsoft and they have an educational version, and I don't know how many institutions participate but lots do. And if that's the way you buy your licenses now, the estimated price for Windows 2000 looks to be roughly ten percent higher than the equivalent price, Workstation to Pro, NT 4.0 server to Windows 2000 server. So the affordability or the cost of Windows is not going to change very much from NT 4.0 to Windows 2000.

HS: Well, that's good news.

JB: Yes, that is good. Do we want to wrap up and have a closing question or comment, Howard?

HS: Well, I just think that we're all kind of going to be anticipating February 17 here, and it should be very interesting. It sounds like the product is going to be more challenging to use, but it sounds like it has lots of features that a lot of us have been waiting for. We hope we have the good experiences that you seem to have had with it.

RJ: Yeah, I want to reiterate what Len said, that planning now until then and until you know how you want to deploy it and what kind of infrastructure you want to build or how you want to integrate it into yours, is the most important thing. And so the more of the white papers and deployment guides and walk-throughs that you look at on the Microsoft Website, the better you'll understand all these issues and be ready on the 18th. I see the 17th as a good day. The 18th is going to be the bad day because they're all going to come back with it and rip the shrink wrap off, and then they're going to call the central IT organization and ask what to do with it or how to start using it.

HS: And before we close, I think that it might be good just to comment -- do you want to comment further about what you're doing as far as setting up a campus-wide policy and then communicating that to deal with that problem, Richard?

RJ: Sure. We had a meeting this morning with our network managers on campus, people in departments that run Novell or NT 4.0 domains or things and we told them, Pro is good, Server is good, but don't try to do any Windows 2000 domain stuff until we are ready for it. And we sort of promised them that before February 17, we would have a clear plan in place. We're hashing it out right now, about what we will do, how we will deal with DNS and DHCP and those issues and when we will be ready to invite them to plug into that infrastructure.

JB: Okay, and we also then talked during our prep session that you might be willing to share that kind of an announcement at the CREN site when you have that ready. Is that --

RJ: Sure. We're building a Website right now and you can put it on the CREN site. It's www.colorado.edu/its/windows2000. And as we get these documents, planning documents and deployment documents, we'll be putting them there.

JB: Okay. All right, we'll put a link up for that. Len, do you have a final comment?

LL: Just to reiterate what Rich was saying about go to the Microsoft Windows 2000 server Web page. There's a link to it off the CREN site. Lots of very, very, very good, useful documents there. White papers, all sorts of things. That's a tremendous place to start if you're looking for information on some of the technologies and how to start thinking about dealing with them in your environment.

JB: Okay, Howard, are we ready?

HS: Yep, we're ready.

JB: Okay, well, let me just say thanks to everyone who sent in all the questions. There were questions we didn't get to. We will try and address those individually offline. Our experts have volunteered to do that. Other than that, thanks to everyone for being with us here today for this time with our expert panel, and you can send even follow-up questions for another 24 hours to expert@cren.net.

Be sure and mark your calendars for December 16, which is just one week from today, when the guest experts will be Karie Masterson and Ruth Sabean from UCLA discussing course Websites and issues in building, maintaining and archiving -- basically life cycling of course Websites.

As always, we welcome suggestions and feedback on what and whom you would like to see and hear on TechTalk. Thanks to all the institutions who help to support these TechTalks already, and I invite your institution to help support these TechTalks by becoming a member, if you are not already.

Thanks also to everyone else who made the event possible today, including our vendor sponsor, Microsoft; to our guest experts, Richard Jones and Len Lanphar; our standby expert, Mark Garcia, who I guess we didn't need today, huh? We had all the questions answered. To Howard Strauss, technology anchor; to Terry Calhoun, event page producer; to David Smith and Patty Gaul of CREN; to Julia O'Brien, Jason Russell, Carol Wadsworth and the whole support team at MERIT Network; to Susan Berneis, audio file transcriber; to Laurel Erickson, transcript editor and indexer. And finally again, a thanks to all of you for being here. You were here because it's time.

Good-bye, Richard. Good-bye, Len.

RJ: 'Bye.

LL: 'Bye.

JB: And 'bye, Howard.

HS: 'Bye-bye.

JB: Thanks, all. 'Bye-bye.