Compaq Details Internal Deployment of Windows 2000

Every other night at Compaq Computer Corp., administrators run a six-hour process to check that all the trust links among the company’s Windows NT domains are up.

With 13 master domains, and roughly 1,700 resource domains -- nobody knows for sure how many there are -- simple management tasks can take a long time.

"If you know anything at all about NT, you can imagine the great problem that this is to administer such a large environment," says Brent Harman, senior corporate operating environment architect at Compaq (www.compaq.com). Harman is looking forward to the day sometime in 2001 when everyone in Compaq is in a Windows 2000 domain.

Last month Compaq detailed its internal deployment of Windows 2000 -- one of the largest deployments of the operating system thus far outside of Microsoft Corp.'s (www.microsoft.com) internal deployment. Compaq’s Windows 2000 efforts will no doubt be a centerpiece of the company’s efforts to sell its expertise for Windows 2000 migration services.

Compaq's approach contained several surprises, a nod to the complexity of a Windows NT 4.0 to Windows 2000 migration and an example of how quickly Microsoft technologies spin beyond Redmond's intended deployment.

For one thing, calling the deployment a migration would be misleading. It’s a parallel creation.

The goal is to scrap the maze that is Compaq's current Windows NT 4.0 network. Compaq, Tandem, and Digital each had mature Windows NT 4.0 networks when the firms merged converged.

"We don’t want to upgrade our NT network," Harman says. "It’s an accretion of the problems of several different companies. If we upgrade this, what we’re really going to do is prolong the agony."

In addition to the six-hour trust checking process every other night, the complicated network also requires Harman to keep three distinct IT operations in 24X7 administration centers that map to the networks of the old Compaq, Digital, and Tandem organizations. "Reaching into the master domain is generally not a problem," Harman says. "If we have to reach down into one of those resource domains, in many cases that’s a problem."

Instead of upgrading, Compaq is rebuilding. "Early on we have a duplication of hardware," Harman says. Eventually, however, Compaq hopes the jump to Windows 2000 will reduce the amount of hardware, possibly cutting costs but definitely improving administration.

So far, Compaq has at least 13,000 PCs running Windows 2000 Professional and 300 servers running Windows 2000 Server or Advanced Server. When the conversion is complete -- scheduled for July 2001 -- Compaq will have about 200,000 PCs running Windows 2000 worldwide.

The company's server infrastructure will eventually have 340 Windows 2000 servers, including Domain Controllers, WINS servers, DHCP servers, DNS servers, and file and print servers. Compaq plans to limit the number of servers as much as possible by using of eight-way Compaq ProLiant servers and Windows 2000 Datacenter Server when it comes out.

Harman stresses that the server consolidation Compaq is undertaking may not cause hardware costs to fall. Such consolidation requires expensive redundant hardware, and the company has made a massive commitment to the quality and availability of its WAN links, he says.

When most Compaq users are switched to Windows 2000, they will be in native mode, meaning they will log into Windows 2000 Domain Controllers. Only in native mode can IT shops implement windows 2000's cost-saving desktop lockdowns and group policies or take advantage of the security improvements. For now, the vast majority of the Windows 2000 PCs at Compaq log into NT domains. Only about 100 PCs are now running Windows 2000 Professional in native mode at Compaq.

"We're doing very mean things to them and testing out group policies so that we can understand Windows 2000 in a group environment," Harman jokes about the native mode users.

Compaq, a Joint Development Program (JDP) partner with Microsoft for Windows 2000 and a company that has worked closely with Microsoft on Windows 2000 for several years, diverged from recommended practice in another area of its Windows 2000 deployment.

Compaq developed a domain structure that puts a small group of about 20 enterprise administrators in their own Windows 2000 domain, the parent to all other Windows 2000 domains at Compaq.

"Microsoft is very ambivalent about the concept," says Harman, who is also the JDP lead for Compaq.

System architects at Compaq saw several advantages to the approach. For one, enterprise administrators who have the ability to do everything across the corporation except change security logs need to have more stringent passwords than everyone else, Harman says. Password policy can only be set at the domain boundary in Windows 2000.

Putting omnipotent administrators in a single domain will allow Compaq to require an 11-characters-or-longer password that includes upper case, lower case, and non-printing characters that expires every 30 days for those specific administrators without setting such onerous requirements for regular users.

In an organization with the kind of internal clashes that Compaq has, the administrative domain will bring other benefits for central IT. Compaq is traditionally a lock-down desktop, centralized-IT kind of place. Compaq's acquisitions Digital and Tandem are not. "Users felt like, `This is my domain, my machine,'" Harman says.

By creating group policies in the parent administrator domain and linking the child domains to those group policies, Compaq can prevent administrators in the child domains from being able to circumvent corporate policies.

One example will be Compaq's policy of requiring real-time virus scanning software to be running on every machine. Currently, Compaq has no way to enforce the rule. With Windows 2000, Compaq plans to set the virus scanning requirement as a group policy in the administrator domain and link the child domains to the policy.

Beneath the administrator domain, Compaq has plans for three child domains: an Americas domain, a Europe/Middle East/Africa domain, and an Asia/Pacific domain. Compaq will provide room for up to 50 domains beneath those geographic domains, but central IT will heavily favor the use of Organizational Units rather than sub-domains, Harman says. Possible exceptions may be resource domains for such critical applications as SAP.