Living with Windows NT
Windows 2000 is here and some companies are starting to deploy it. But Windows NT 4.0, like its non-Windows predecessors, won’t be ushered out the network door anytime soon.
Microsoft Corp. (www.microsoft.com) has taken two stances on the deployment of Windows 2000. The first is that migrating to a "pure" Windows 2000 environment, one in which both desktops and servers run the new operating system, will enable companies to fully realize the benefits and lower total cost of ownership Windows 2000 was engineered to provide.
The second is that Windows 2000 was built for incremental upgrades, as well. Microsoft claims companies that start deploying Windows 2000 Professional now but wait to migrate their servers will also see benefits -- albeit not to the extent they would in a pure Windows 2000 environment.
Resisting Microsoft's two-pronged push, a number of analyst firms have vocally and frequently suggested that companies wait until the first or second Service Pack is issued, depending on the success of Service Pack 1, before migrating to the operating system.
Whether users take the advice of analyst firms or decide on their own to go slow based on Microsoft’s history of unacceptable 1.0 releases doesn’t matter. Most companies will opt for the incremental upgrade to Windows 2000. Very few large enterprises, in fact, are likely to migrate immediately to the pure Windows 2000 environment.
Joe Biggs, director of the Microsoft consulting practice at ePresence Inc. (www.epresence.com) -- formerly Banyan Worldwide Inc. -- says most of his clients are in wait-and-see mode when it comes to Windows 2000 deployment.
Some companies make no bones about wanting to let other organizations venture into the unknown territory of the Microsoft operating system, and then learn from others' mistakes. Some companies will wait until an application they want to deploy, perhaps Exchange 2000, becomes available before moving to a new platform.
Brian Gilpatrick, the IS operations manager at Ciber Inc. (www.ciber.com), which delivers services for enabling e-business, says his company just began the evaluation of Windows 2000. Ciber has 40 NT 4.0 servers with SP5 installed at the corporate office, and one NT 4.0 server with SP5 installed at each of the firm's 57 remote offices across North America, connected via a frame-relay network with links back to the corporate office. This infrastructure supports about 2,000 users on the internal network and 5,000 consultants accessing their mail and the intranet via the Internet. Desktop and laptop computers run operating systems including Windows NT 4.0 and Windows 95/98.
Ciber plans to install a test server next month and then develop a plan to roll out Windows 2000 to the enterprise. The actual rollout will not be until the end of the year, after SP1, Gilpatrick says. Even then, the company plans to roll out the new operating system incrementally.
"Usually, upgrading incrementally works just fine," he says. "But Active Directory may have an impact."
Gilpatrick says his company will move to Windows 2000 for the benefits of Active Directory and security enhancements, as well as to stay current.
Some companies will not upgrade to a pure Windows 2000 environment anytime soon. A source at a major worldwide corporation with 125,000 clients says his company wants to move to Windows 2000 as soon as possible, but it's not always easy.
"Due to the large corporate scale of our NT environment [Multiple Master Domains], and tightly integrated Unix DNS [not Dynamic DNS], our Windows 2000 deployment is limited to workstations and clients," the source says. "We have not deployed any domain controllers at this time."
The irony in this customer’s instance is that company testing says Windows 2000 is far more stable than any other Windows operating system.
Other companies will begin the upgrade process naturally, by buying Windows 2000 preinstalled on new machines because they don’t want to invest in an old operating system.
As a result, most companies will have a mix of Windows systems that includes not only the older versions, but also Windows NT 4.0 along with one of its service packs, Windows 2000 Professional and Windows 2000 Server or Advanced Server. Not to mention Unix, Linux, or any of a number of IBM operating systems and mainframes.
As companies move toward Windows 2000, NT will not go away. Instead, companies will end up living with NT for some time to come.
Domain Modes of Windows
Craig Beilinson, lead product manager for Windows 2000 at Microsoft, says Microsoft realizes customers won’t flip a switch and be deployed in a pure Windows 2000 environment overnight, and that this was factored into the company's design of W2K for incremental upgrades.
Windows 2000 can be incrementally upgraded in a number of ways. Companies can move to Windows 2000 Professional only, or they can begin using Windows 2000 Server or Advanced Server as well, for file and print, application, or Web servers.
Depending on the upgrade path a company chooses, Windows 2000 operates in two domain modes: mixed mode and native mode.
A domain is considered to be in the intermediate operational state known as mixed mode when the primary domain controller (PDC) is upgraded to Windows 2000 but not all backup domain controllers (BDCs) are upgraded, or the PDC and all BDCs have all been upgraded but the native mode switch is not enabled. Until users actually switch the domain to native mode, the domain remains in mixed mode even if all the BDCs are Windows 2000 Server or Advanced Server systems.
Microsoft says that users and computers using previous versions of Windows begin to benefit from the transitive trusts of Active Directory, and, with proper authorization, can access resources anywhere in the forest. Although previous versions of Windows do not support the Kerberos security protocol, the pass-through authentication provided by the domain controllers allows users and computers to be authenticated in any domain in the forest. This enables users to access resources in any domain in the forest for which they have the appropriate permissions. Other than the enhanced access to any other domains in the forest, clients will not be aware of any changes in the domain.
Even if all the BDCs in a network have been upgraded to Windows 2000, customers can still choose to leave the environment in mixed mode. The main advantage here is that it is still possible to revert to NT 4.0. Be careful: once the network is switched to native mode, there is no turning back easily.
Native mode is the final operational state of a Windows 2000 domain, enabled by setting a switch on the user interface. It means that the upgraded domain is now considered a Windows 2000 domain and can take advantage of the full range of Windows 2000 features.
Careful Planning is the Key
Microsoft’s Beilinson says that customers need to plan carefully for Windows 2000, no matter which upgrade path they choose.
"Because Windows 2000 was designed to be deployed incrementally, customers need to sit down and think about the way they are going to deploy, figure where they want to spend their time and energy first, as well as where they have the resources and expertise," he says. "Companies really need to make sure they get incremental benefits from Windows 2000."
Lieutenant Colonel William A. Hose, deputy chief of staff for information management at the Minnesota Army National Guard (www.dma.state.mn.us), is migrating to Windows 2000. He runs a network across 84 locations with 1,200 NT workstations, 110 NT servers, and four Unix minicomputers. Hose plans to migrate his network to Windows 2000 within 18 months or so. He has already seen incremental benefits from upgrading.
"Windows 2000 Professional versus NT Workstation 4.0 is more user-friendly, requires less reboots, has far fewer BSODs, and is easier to set up," he says. "Servers seem to be extremely stable."
Hose says Windows NT and Windows 2000 work fine together in the Minnesota Army National Guard’s network. "We just don’t get the enhanced features of the new model," he says.
Windows NT is unable to take advantage of some of the more significant new features of Windows 2000, particularly Active Directory. Unfortunately, most of the benefits of Windows 2000 manifest themselves via the Active Directory, such as better management of systems, accounts, and clients.
Using NT 4.0 in a Windows 2000 environment, however, will provide companies with some benefits, such as better reliability and volume management. But it takes Active Directory to reap the full rewards of Windows 2000.
Microsoft’s Beilinson points out that running Windows 2000 in native mode creates a situation where the whole is bigger than the sum of its parts. For instance, companies not only have servers that are easier to manage, but they can also implement group policies to lock down desktops. They can also use Active Directory to drag a user from the human resources department and drop that person into the finance department, and have the user's desktop change automatically.
While the operating systems get along, applications are another story. Hose, for instance, says that he has run into some drivers that are not available for Windows 2000, both on desktop and server systems.
If an application that currently runs on NT 4.0 or another server overwrites the system DLL on Windows 2000, fatal problems can arise. Windows 2000 will reboot, notice the overwritten DLL, and automatically fix it. If the customer doesn’t have access to the application’s source code for whatever reason -- perhaps the manufacturer went out of business -- the customer is out of luck.
ePresence’s Biggs says his company encourages its clients to begin the planning process as soon as possible.
"Active Directory is not going to dramatically change with future service packs, so any planning done now will be effective into the future," he says.
NT: The Next Legacy System
Legacy systems die hard. Take IBM Corp.’s (www.ibm.com) System 36, the predecessor to the AS/400. This box is all but forgotten, but five years ago, there were 250,000 of them out there in use, though IBM didn’t know where they were. The point is that when companies have mission-critical data or applications on a system, they need a really compelling reason to move away from that machine. Even then, they have to be able to run that software elsewhere.
In the grand scheme of computing history, NT has only been around a short time. But as companies move forward over the next several years, Windows NT will likely be relegated to the near-prehistoric computing status that mainframes have achieved of late. That is to say, NT will still be around, probably housing mission-critical data and homegrown applications that are tricky enough to convert to Windows 2000 and subsequent Windows versions that companies will end up leaving them on the original NT box for which they were written -- following in the footsteps of other legacy systems.
Granted, this doesn’t apply to desktop PCs, only to the server side of things. But Banyan’s Biggs says his customers have NT boxes that they’ll keep for a while.
The Minnesota National Guard’s Hose echoes that sentiment. "We’ll probably keep some NT 4.0 Terminal Servers with Citrix for the applications that have a problem running on W2K," he says.
Mix and Match
Windows 2000 features available in mixed mode
|Feature|Available in Mixed Mode?|
|---|---|
|Transitive trusts for Kerberos authentication|Yes. Windows 2000 Server and Windows 2000 Professional use Kerberos services available on the Windows 2000 domain controller.|
|Active Directory organizational units|Yes, but only visible using Windows 2000 administration tools. Cannot be administered from Windows NT BDCs or member servers.|
|Active Directory security groups|No, only Global and Local groups available.|
|IntelliMirror|Yes, but only for client computers running Windows 2000 Professional in an Active Directory environment.|
|Windows Installer|Yes.|
|64-bit memory architecture|Yes, with hardware support.|
|Active Directory scalability|Yes, but only when all BDCs have been upgraded and are running Active Directory. Be cautious when taking advantage of this feature because new Windows NT BDCs can still be added while the domain is in mixed mode. This feature might be an important part of your fallback planning, so it must not be compromised.|
|Kerberos authentication|Yes, for Windows 2000 computers running Active Directory.|
|Microsoft Management Console|Yes.|
|Group Policy|Yes, but only for client computers running Windows 2000 Professional in an Active Directory environment.|
|Security configuration and analysis|Yes.|
|Active Directory multiple-master replication|Yes, between the PDC and BDCs that have been upgraded.|
Source: Microsoft Corp.