In-Depth
Amazing Feast! Windows 2000 on the Table
Seems like you’ve waited years for your reservation to be called, but Windows 2000 Server is almost ready for your dining pleasure. Here’s a sampling of its delights.
You made reservations years ago; now it’s almost time
to feast. Your table is ready, and Windows 2000 Server
is about to be served up at the local Win2K bistro. Like
other great culinary delights, Windows 2000 Server took
time to develop and deliver. But it comes highly recommended:
For starters, the main course, Active Directory, is to
die for. Let me take you through a sampling of the culinary
delights that await you, along with some insider secrets
that I’ve gleaned in the course of working with this product
over the last year.
A Brief History of Time
If you’re new to the MCP community, the timeline included
with this article will help you understand the long journey
associated with Windows 2000 Server. Think about it: Babies
born to MCPs when Cairo/Windows NT 5.0/Windows 2000 was
announced, are now halfway through their first year of
Montessori or Waldorf School.
Windows 2000 Server’s birth follows a gestation period
of over three years. Compare that to whales (12 months)
and even elephants (22 months), and you begin to understand
that creating the 25 million-plus lines of code in Windows
2000 Server was a big deal. All told, conceiving and carrying
off Windows 2000 Server was a huge undertaking for the
development team at Microsoft. It’s a journey marked by
distinct trimesters: Windows NT 5.0, then The Period of
Darkness, and finally Reworked Windows 2000 Server.
Initially, Windows NT 5.0 was going to be the ultimate
directory-based enterprise-level network operating system
(NOS). Frustrated in its attempts to break into true enterprise
markets such as global corporations and finding the door
shut in mission-critical environments such as 24 x 7 hospitals,
Microsoft set out to do the impossible with Windows NT
Server 5.0. It eventually became obvious that trying to
be everything to everybody wouldn’t work.
Enter the Dark Ages of the second trimester. Here, the
Microsoft development team scaled back expectations, drifted
from the original directory-based NOS paradigm, and generally
became depressed—something that was apparent to even the
casual observer. Heads rolled, re-orgs happened, and one
codebase change later, a reworked Windows 2000 Server
with a realistic end-of-millennium ship date and a new
name emerged. It’s this version that’s now being readied
to serve.
You should also be aware that other flavors of Windows
2000 exist beyond the Server release. Windows 2000 Professional
replaces Windows NT Workstation 4.0 and is positioned
for professional and technical users at the desktop or notebook. Windows 2000 Advanced Server adds the Cluster service and Network Load Balancing and supports larger memory, processor and storage configurations.
Windows 2000 Datacenter Server is focused on demanding
application server environments (such as electronic commerce)
and includes everything in Advanced Server plus even greater
processor scalability and processor configurations.
But this article focuses on Windows 2000 Server, which
many of us affectionately call Win2K. Are you ready to
be feted on this 10-course feast? If so, allow me to be
your culinary guide.
First Course: MMC
Hors D’oeuvres and Oysters
You may already be familiar with the first course, the
Microsoft Management Console (MMC). Introduced to most
MCPs in NT Server 4.0’s Option Pack, the MMC provides
a new, consistent interface to manage common tasks when
running Windows 2000 Server. Name a task and chances are
you’ll find an MMC snap-in for it. You can use snap-ins
to populate the MMC with the tools you want. There are
snap-ins from A (Active Directory) to W (WMI Control).
Perhaps the best thing about the MMC is that you can customize it, creating and distributing your own MMCs as needed. Better yet, you can save a custom MMC in "user mode," which keeps the people you hand it to from modifying the console. Treat that as a convenience, not a security control: user mode hides the Add/Remove Snap-in menu, but anyone who can run MMC.EXE can build a console of his own, and whether a snap-in's actions succeed is decided by the permissions on the objects it manages, not by the console file.
Many program items in the Administrative Tools program
group launch MMCs, so it’s easy to learn about and use
MMCs right away. An example is Event Viewer. You can also
take the Swiss-Army-knife approach and type MMC at the
command line to display a naked MMC. Select Add/Remove
Snap-in from the Console menu, then select from an array
of pre-defined snap-ins or add your own custom one. When
you save the MMC you’ve created, the MMC title will appear
as an option in the Administrative Tools program group.
Nice touch!
Master Tip
Many MMCs have advanced views that allow you to view
and perform tasks in ways you might not know about.
For example, the Active Directory Users and Computers
MMC (launched when you select Active Directory Users
and Computers from the Administrative Tools program
group) has the initial view shown in Figure 1. However,
select Advanced Features from the View menu, and the
MMC displays additional information, such as the LostAndFound
container for orphaned objects (see Figure 2).
Figure 1. Many Microsoft Management Console snap-ins have several views. This MMC, the Active Directory Users and Computers, has both a default view, shown here…

Figure 2. …and an “advanced features” MMC view.
Second Course: Improved Internet
Connectivity
Consommé Olga
In some ways, it seems as if Windows 2000 Server stole
some of the coolest features from its little brother,
Small Business Server. One area in which this is evident
is Windows 2000 Server’s Internet Connection Wizard, shown
in Figure 3. Admittedly, MCPs working in smaller organizations
will benefit from this and many new wizards included in
Windows 2000 Server. MCPs at the enterprise level may
or may not be able to take advantage of wizards, given
the uniqueness and complexity of enterprise environments.
Figure 3. The Internet Connection Wizard is one idea in Win2K that might have been borrowed from Microsoft Small Business Server.
Master Tip
My absolute favorite Internet connection-related wizard tool is the “Connect to a private network through the Internet” radio button on the Network Connection Wizard shown in Figure 4. Creating a virtual private network (VPN) connection has been demystified via a simple wizard that guides you through five setup screens. Note that VPN activity under Windows 2000 Server can be made more secure with the Layer 2 Tunneling Protocol (L2TP), which replaces the Point-to-Point Tunneling Protocol (PPTP) used in NT 4.0. Be clear about where that security comes from: L2TP is only a tunneling protocol and encrypts nothing by itself. Windows 2000 protects an L2TP tunnel with Internet Protocol Security (IPSec), which authenticates both ends with machine certificates and then encrypts the traffic, so you need a certificate on the server and on each client before L2TP/IPSec connections will come up (Certificate Services, included with Windows 2000 Server, can issue them). PPTP remains available for older clients; its protection rests on the user's password through MS-CHAP, so if you must keep it, require MS-CHAP v2 and strong passwords. If you’re interested in having your Windows 2000 Server support inbound VPN connections, I describe that process using the Routing and Remote Access MMC in the Windows 2000 Server Secrets book excerpt that accompanies this article.
Figure 4. Creating a VPN connection is easy—no, really!—with the Internet radio button in the Network Connection Wizard.
Third Course: Group Policies
Poached Salmon and Mousseline
Sauce, Cucumbers
OK, so you and I struggled with System Policy Editor in the legacy NT days. You wondered if you actually had a positive return on investment once you considered all the time spent creating and managing policies vs. making visits to configure each workstation manually. And maybe you even tried to MacGyver policies into your NT network via the Security Configuration Editor (SCE), which Microsoft shipped with NT Server 4.0 Service Pack 4.
That’s all behind us with Group Policy in Windows 2000 Server. Group Policy is positioned as the centralized management paradigm in the new world of Windows 2000 Server: Registry-based settings, security settings (the SCE templates live on here), software installation, scripts and folder redirection, applied to the local machine, then the site, the domain and the OU, with the last setting applied winning on a conflict unless an administrator higher up marks a policy No Override. Ironically, given this important role, you’d expect to find a Group Policy program item in the Administrative Tools program group. Such is not the case; you’ll need to launch a naked MMC and select the Group Policy snap-in, or open the Group Policy tab on the property sheet of a domain or OU in Active Directory Users and Computers. The Group Policy snap-in is really a wizard that allows you to pick the Group Policy object you want to edit, as shown in Figure 5. The final result, the Group Policy MMC, is shown in Figure 6.
Figure 5. Configuring the Group Policy MMC. The upper left portion of the screen displays the Select Group Policy Object dialog box that’s launched when you select the Group Policy snap-in. The lower right portion of the screen displays the available Group Policy objects in the Browse for a Group Policy Object dialog box.

Figure 6. Here’s the final result of the wizard shown in Figure 5, a configured Group Policy MMC.
Windows 2000 Server Secrets: Excerpt from Chapter 8, “Internet Secrets”
Obviously the history of
the Internet has been covered in more
texts than you or I care to count, so
I’ll leave that topic alone. But it is
interesting to note that the Internet
is creating its own history each day.
Its short life to date suggests that there
are untold opportunities for you to capitalize
on the Internet. But for you to do that,
you first need to successfully attach
your Windows 2000 server to the Internet.
You have several ways to do this. In this
chapter, after installing Remote Access
Service, I’ll proceed with the dial-up
approach and work toward more complex
Internet configurations.
Configure Remote
Access Service
Hail to Windows 2000 Server, for it
has simplified many tasks from its NT
predecessors, including the installation
and configuration of Remote Access Service
(RAS). But first, a quick history lesson.
You will recall that Remote Access Server
(RAS) has been part of the remote networking
solution set in Microsoft’s networking
family since the earliest days of Windows
NT Server (at which time it would only
interact with the NetBEUI protocol).
Note:
RAS has made something of a political
comeback in the networking community.
For years, RAS enjoyed mixed reviews
at best for its unreliable support
for modem-based dial-in and dial-out
activity. However, with the advent
of Virtual Private Networks (VPNs),
RAS is back. It actually manages the
VPN function very well in Windows
2000 Server, and I will discuss this
later in this chapter.
Well, RAS has come a long way in Windows
2000 Server. The RAS installation is
much more intuitive, starting with the
Windows 2000 Configure Your Server screen.
Following are the steps to configure
Remote Access Service for inbound Internet-based
traffic. This sets the foundation for
the Virtual Private Networking (VPN)
discussion later.
Steps to Configure
Remote Access Service
From the Windows 2000 Configure Your
Server screen, select the Networking
link in the left pane and then select
Remote Access. Select the “Open” link
to launch the Routing and Remote Access
MMC.
Step 1.
Right-click the server object in the
left pane (for example, TCI1) and select
Configure and Enable Routing and Remote
Access from the secondary menu (see
Figure A).
Figure A. Configure and Enable Routing and Remote Access selection.
Step 2.
The Welcome screen of the Routing and
Remote Access Server Setup Wizard appears.
Click Next.
Step 3.
The Common Configurations screen appears
(see Figure B). Select Remote access
server. Click Next.
Figure B. Remote access server.
Step 4.
The Remote Client Protocols screen appears.
Select the appropriate button to accept
or elect to add more networking protocols
for remote access. Click Next.
Step 5.
The IP Address Assignment screen appears.
After making your selection, click Next.
Step 6.
The Managing Multiple Remote Access
Servers screen appears. The screen allows
you to elect to manage all RAS servers
from a central point. This election
clearly depends on whether you are managing
a smaller LAN with only one RAS server
(in which case the answer would be “No”)
or managing a RAS server farm (in which
case the answer would be “Yes”). Make
a selection and click Next.
Step 7.
Click Finish on the Completing the Routing
and Remote Access Server Setup Wizard
to complete the RAS configuration. You
will be returned to the Routing and
Remote Access MMC.
Caution:
Be very careful about selecting the
Network router option. First of all,
there are many compelling reasons,
such as advanced configuration management,
to use true routers (such as Cisco)
on your Windows 2000 network. Second,
it enables two-way routing of network
traffic to and from the Internet (if
you’re connected directly to the Internet)
and may override the safeguards imposed
by Microsoft Proxy Server’s local
address table (LAT).
Fourth Course: Dynamic DNS
Sauté of Chicken, Lyonnaise
Microsoft is using Windows 2000 Server to shift away
from NetBIOS naming conventions and limitations and join
the Internet community’s host naming approach. This is
evident in two places. First and foremost is the introduction
of Dynamic DNS. Second is the de-emphasis on the Windows
Internet Naming Service (WINS).
You’ve probably already heard of Dynamic DNS (DNS being the Domain Name System). Based on RFC 2136, Dynamic DNS provides a “means of dynamically updating zone data on a zone’s primary server when a server requests an update.” That’s according to the soon-to-be-released Windows 2000 Resource Kit. So instead of you manually entering zone records, which map host names to IP addresses (and, in the reverse-lookup zone, IP addresses back to host names), Windows 2000 clients and the DHCP server register and refresh those records themselves.
But I like to think of Dynamic DNS as something like a difficult child: It’s easily heard but hard to find. Dynamic DNS simply does its thing in the background, effectively providing a replacement for WINS databases. It’s the underlying vehicle for migrating a network based on NetBIOS names (and WINS) to host names (based on DNS). One of the few places you can actually “see” Dynamic DNS is the General tab for a zone’s property sheet, as shown in Figure 7. The “Allow dynamic updates?” field allows you to invoke Dynamic DNS by selecting Yes. Think before you do: a plain Yes means the server accepts an update from any host that can reach it on port 53, so any machine on the network can overwrite or delete another host’s records, including the service records your domain controllers register. For a zone stored in Active Directory the same field offers “Only secure updates,” which requires the updater to authenticate (Windows 2000 does this with a Kerberos-based GSS-TSIG signature on the update) and then applies the zone’s access control list to each record. Use that setting wherever you can.
Figure 7. To configure Dynamic DNS, select Yes in response to the Allow dynamic updates? field. This will implement Dynamic DNS for a zone in Windows 2000 Server.
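To make concrete what a zone set to plain Yes lets onto the wire, here is an added example, not code from the article or from the Resource Kit, that builds an RFC 2136 UPDATE message in Python the way a client's resolver or a DHCP server would, and parses it back to show what each record in the update section does. The zone name, host name and address are made up for the example; the message carries no signature in its additional section, which is exactly what a nonsecure zone accepts from any source address.

```python
"""Added example: build and parse an RFC 2136 DNS UPDATE message."""
import socket
import struct

OPCODE_UPDATE = 5
TYPE_A, TYPE_SOA, TYPE_ANY = 1, 6, 255
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255


def encode_name(name):
    """Dotted name -> DNS wire labels (no compression, as an updater would send)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(buf, off):
    """Wire labels at buf[off:] -> (dotted name, offset just past the name)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n & 0xC0:
            raise ValueError("compression pointers are not used in this example")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n


def rr(name, rtype, rclass, ttl, rdata):
    """One resource record: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_update(zone, host, ip, ttl=1200, msg_id=0x1234):
    """UPDATE that replaces host's A records with a single A record for ip.

    The four header counts are ZOCOUNT, PRCOUNT, UPCOUNT and ADCOUNT (RFC 2136
    section 2). No prerequisites and nothing in the additional section: there is
    no TSIG here, so only a zone allowing nonsecure updates will apply it.
    """
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 2, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    delete_rrset = rr(host, TYPE_A, CLASS_ANY, 0, b"")   # CLASS ANY, no RDATA: delete all A RRs
    add_record = rr(host, TYPE_A, CLASS_IN, ttl, socket.inet_aton(ip))
    return header + zone_section + delete_rrset + add_record


def _meaning(rclass, rdlen):
    # RFC 2136 section 2.5: in the update section the CLASS field encodes the operation.
    if rclass == CLASS_ANY:
        return "delete RRset" if rdlen == 0 else "invalid (ANY with RDATA)"
    if rclass == CLASS_NONE:
        return "delete one RR"
    return "add"


def parse_update(buf):
    """Decode the zone and the records, with a plain-English action for each update."""
    msg_id, flags, zocount, prcount, upcount, adcount = struct.unpack("!HHHHHH", buf[:12])
    opcode = (flags >> 11) & 0xF
    if opcode != OPCODE_UPDATE or zocount != 1:
        raise ValueError("not a well-formed UPDATE (opcode %d, zocount %d)" % (opcode, zocount))
    off = 12
    zone, off = decode_name(buf, off)
    ztype, zclass = struct.unpack("!HH", buf[off:off + 4])
    off += 4
    if ztype != TYPE_SOA or zclass != CLASS_IN:
        raise ValueError("zone section must be SOA/IN")
    records = []
    for section in ["prereq"] * prcount + ["update"] * upcount:
        name, off = decode_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        records.append({
            "section": section,
            "name": name,
            "type": rtype,
            "ttl": ttl,
            "action": _meaning(rclass, rdlen) if section == "update" else "prerequisite",
            "rdata": socket.inet_ntoa(rdata) if rtype == TYPE_A and rdlen == 4 else rdata,
        })
    # A TSIG or GSS-TSIG signature would be the last record of the additional section.
    return {"id": msg_id, "zone": zone, "signed": adcount > 0, "records": records}


if __name__ == "__main__":
    # Constructed sample: move ws01 to a new address. Sent to a zone that allows
    # nonsecure updates, this works from any host, for any name in the zone.
    msg = build_update("corp.example", "ws01.corp.example", "10.1.2.30")
    for r in parse_update(msg)["records"]:
        print(r["section"], r["action"], r["name"], r["rdata"])
```

The delete-then-add pair is the normal shape of a client registration; nothing in the message ties it to the host whose record it rewrites, which is why “Only secure updates” (available once the zone is stored in Active Directory) is the setting to reach for.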
Master Tip
Dynamic DNS and WINS aren’t mutually exclusive. In
fact, there are important reasons to run both. The
first reason is that you’re probably running a mixed
mode network with legacy NT Server 4.0 machines (and
the NetBIOS naming convention). However, be advised
that legacy NT machines will automatically take advantage
of Windows 2000 Server’s DNS implementation if the
name being resolved is over 15 characters or contains
a period.
Fifth Course: Active Directory
Lamb, Mint Sauce
This is the main course, and rightly so. Perhaps no other
feature of Windows 2000 Server has received more press
coverage than Active Directory. With Microsoft positioning
Windows 2000 Server as a bona fide enterprise networking
solution, much of the early attention paid to the product
has been on Active Directory.
What is AD? At its core Active Directory is the long-awaited
directory services package that other network operating
systems, such as NetWare with NDS, have offered for years.
Active Directory addresses legacy NT Server weaknesses like non-transitive trusts and the inability to delegate administration below the level of the whole domain (Windows 2000 lets you grant rights over a single OU instead of handing out Domain Admins membership).
But stepping back from the Active Directory hoopla, I
offer up the following advice. Manage your expectations
of Active Directory. It’s a first-generation directory
services offering, which means it contains warts and all.
Speaking plainly, both you and I are going to discover
shortcomings with Active Directory as we roll out Windows
2000 Server. I suspect you’ll be surprised to discover
that Active Directory isn’t just organizational units,
trees, and forests—it’s also politics and MBAs working
side by side with MCSEs. Get ready to engage in lots of
Active Directory expectation management. And I’d be sure
to under-promise what Active Directory can do.
Master Tip
With Active Directory, my advice is KISS: Keep It
Simple, Smarty. Start with a single organizational
unit (OU) as you roll out Active Directory (see Figure
8), then justify each and every additional object.
This zero-based approach will prevent you from creating
an unmanageable multi-headed hydra beast in your Active
Directory organization.
Figure 8. Try rolling out a single Organizational Unit, like the Marketing OU shown here.
Sixth Course: Terminal Services
Punch Romaine
I’ll share a personal secret with you. Terminal Services
is one of my favorite additions to Windows 2000 Server
because it’s so pragmatic. You might not expect to hear
that, given other larger and more glamorous Windows 2000
Server components. But if you’ve used NT Server 4.0, Terminal
Server edition in the past, you know just how cool it
is. And the good news is, Terminal Services is included
in the base purchase of Windows 2000 Server. It’s not
an expensive add-on, which is a reason why it’s one of
my favorite additions.
Terminal Services is a remote control application that
allows remote users and thin clients to pass session screens
back and forth, much like PCAnywhere operates. However,
it’s multi-session, meaning one Windows 2000 Server can
facilitate multiple Terminal Services sessions. Consider
that the next time you stare at a row of computers, each
able to run only one PCAnywhere session.
Configuring Terminal Services is much like configuring NT-based Terminal Server, with one choice that matters at install time: Remote administration mode allows two concurrent administrator sessions and needs no Terminal Services client licenses, while Application server mode hosts applications for ordinary users and needs a license server. Pick remote administration unless you are really serving applications, since every interactive session you allow is one more logon path to harden. With Win2K, you create two client disks to install the necessary components for the workstation to attach and initiate a session with Terminal Services (see Figure 9).
Figure 9. A client-side Terminal Services session appears as shown.
Master Tip
The client-side of Terminal Services has improved
dramatically. You can now print to a local client-side
printer while manipulating information in the Terminal
Services session window. You can also cut and paste
information, such as text from the Terminal Services
session window, to a local application. Call it the
Citrix MetaFrame killer if you want; but with NT,
you had to implement MetaFrame with its ICA protocol
to achieve that level of functionality. And MetaFrame,
in many cases, cost more than the legacy Terminal
Server Edition itself.
Seventh Course: Clustering
Roast Squab and Cress
Next-generation clustering is here with Windows 2000, though not in Windows 2000 Server itself: the Cluster service ships with Advanced Server (two nodes) and Datacenter Server (four). A server cluster joins nodes that share a common storage bus; when a node, or an application on it, fails, its disks, IP addresses and services are brought up on a surviving node. A separate component, Network Load Balancing, spreads TCP/IP requests such as Web traffic across up to 32 servers. Clustering is considered essential in mission-critical environments that demand high availability. Remember that hospital I mentioned earlier in this article? Clustering is targeted toward exactly that type of implementation. It also helps with managing upgrades in demanding environments. Take an online e-commerce site that simply can’t afford to be down. Clustering allows network administrators to move the resources off one node, take it offline for an upgrade such as installing a service pack, and move the resources back when it rejoins the cluster, while the other node keeps serving clients. Note that the cluster replicates nothing: the data lives on the shared disks, and the service pack goes onto each node in turn.
Eighth Course: Improved Management
Cold Asparagus Vinaigrette
First, it was Microsoft Diagnostics (MSD) back in the
old days of DOS. Then it was WinMSD in the days of NT.
Now it’s the Computer Management MMC, which is a dramatic
improvement over the old MSD-based management tools. The
design goal behind the Computer Management MMC is to bring
together, in one place, the typical and critical tools
you’re likely to use in managing your Windows 2000 Server
network.
One of the long-awaited additions to Win2K is Device
Manager. One way to access Device Manager is via the Computer
Management MMC, as shown in Figure 10. This “is” your
Windows 98/95 Device Manager, a statement I make with
the highest honors and compliments to the chef. It reflects
the commitment on the part of the creators of Windows
2000 Server to Plug-and-Play (PNP) hardware technology.
However, you’ll still need to configure your legacy ISA-based
hardware devices manually.
Figure 10. Device Manager in the Computer Management MMC.
Master Tip
Performance Monitor (now called System Monitor), another network management tool, gets a companion in Win2K, Performance Logs and Alerts, which collects counter logs as a service instead of as an application. That means your logging doesn’t stop when you log off the server machine. You also don’t need to run some convoluted utility from the Resource Kit to turn Performance Monitor into a service. Those days are gone, thank goodness!
Ninth Course: Improved Security
Pate de Foie Gras
No discussion of Windows 2000 Server is complete without
honoring the security improvements that have been made.
No fewer than four major security enhancements separate
Windows 2000 Server from its NT predecessor. These improvements
include Kerberos v5 protocol support, Encrypted File System
(EFS), Smart Card support, and Internet security improvements
(IPSec and Internet Authentication Service).
Kerberos V5 is the underlying security protocol for authentication in a Windows 2000 Server domain (yes, you still log on to domains). Both the identity of the user and the identity of the network service are mutually authenticated: the client proves itself with a ticket and a freshly timestamped authenticator, and the service proves it holds the session key by sending that timestamp back. Two caveats: Kerberos needs the clocks across the domain to agree within a few minutes (the default tolerance is five), and NT 4.0 and Windows 9x clients, standalone machines and connections made by IP address rather than by name still fall back to NTLM, so the old protocol hasn’t gone anywhere yet. [For more information on Kerberos, refer to “A Matter of Security,” by Michael Chacon in the May/June 1997 issue.—Ed.]
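To show what “mutually authenticated” means in practice, here is an added example in Python, not code from the article or from Microsoft’s Kerberos implementation, that reduces the exchange with a service to its essentials: the KDC seals a ticket under the service’s long-term key, the client proves it knows the session key with a timestamped authenticator (AP-REQ), and the service proves it knows the key too by echoing the timestamp (AP-REP). It also exercises the two checks a Windows 2000 service relies on, the clock-skew window and the replay cache. The sealing routine is a stand-in (SHA-256 keystream with an HMAC tag) rather than Kerberos’ real encryption types, and the principal names and keys are made up.

```python
"""Added example: a cut-down Kerberos AP exchange (ticket, authenticator, AP-REP)."""
import hashlib
import hmac
import json
import os

CLOCK_SKEW = 300  # seconds; Windows 2000's default tolerance is five minutes


def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key, obj):
    """Encrypt-then-MAC a JSON object. Toy stand-in for Kerberos' encryption types."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(8)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:8], blob[8:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def kdc_issue_ticket(service_key, cname, sname, now, lifetime=36000):
    """TGS-REP, reduced: a ticket only the service can open, plus the session key
    (which the real KDC hands the client sealed under the client's own key)."""
    session_key = os.urandom(32)
    ticket = seal(service_key, {"cname": cname, "sname": sname,
                                "key": session_key.hex(), "endtime": now + lifetime})
    return ticket, session_key


def make_authenticator(session_key, cname, now, usec):
    """AP-REQ authenticator: the client's name and a fresh timestamp under the session key."""
    return seal(session_key, {"cname": cname, "ctime": now, "cusec": usec})


class Service:
    def __init__(self, sname, service_key):
        self.sname, self.key = sname, service_key
        self.replay_cache = set()  # (cname, ctime, cusec) already accepted

    def ap_req(self, ticket, authenticator, now):
        """Verify an AP-REQ and answer with an AP-REP, or raise ValueError."""
        t = unseal(self.key, ticket)                 # fails unless the KDC used our key
        if t["sname"] != self.sname or now >= t["endtime"]:
            raise ValueError("ticket not for this service or expired")
        session_key = bytes.fromhex(t["key"])
        a = unseal(session_key, authenticator)       # client must hold the session key
        if a["cname"] != t["cname"]:
            raise ValueError("authenticator does not match ticket")
        if abs(now - a["ctime"]) > CLOCK_SKEW:
            raise ValueError("clock skew too large")
        stamp = (a["cname"], a["ctime"], a["cusec"])
        if stamp in self.replay_cache:
            raise ValueError("replayed authenticator")
        self.replay_cache.add(stamp)
        # Mutual authentication: echo the client's timestamp under the session key.
        return seal(session_key, {"ctime": a["ctime"], "cusec": a["cusec"]})


def check_ap_rep(session_key, ap_rep, now, usec):
    """Client side: only a holder of the session key could have produced this."""
    r = unseal(session_key, ap_rep)
    return r["ctime"] == now and r["cusec"] == usec


def run_exchange(now=1_000_000):
    """Constructed scenario with made-up names and random keys; returns each outcome."""
    service_key = os.urandom(32)
    svc = Service("host/fs01.corp.example", service_key)
    cname = "alice@CORP.EXAMPLE"
    ticket, session_key = kdc_issue_ticket(service_key, cname, svc.sname, now)
    results = {}
    auth = make_authenticator(session_key, cname, now, 1)
    results["mutual_auth"] = check_ap_rep(session_key, svc.ap_req(ticket, auth, now + 2), now, 1)
    attempts = {
        "replay": (ticket, auth, now + 3),                         # same AP-REQ sent again
        "forged_ticket": (kdc_issue_ticket(os.urandom(32), cname, svc.sname, now)[0],
                          make_authenticator(session_key, cname, now, 2), now),
        "skew": (ticket, make_authenticator(session_key, cname, now - 600, 3), now),
    }
    for label, (tk, au, when) in attempts.items():
        try:
            svc.ap_req(tk, au, when)
            results[label] = "accepted"
        except ValueError as e:
            results[label] = str(e)
    return results
```

The replay cache only has to remember authenticators inside the skew window, which is why the window is kept short; widen it to paper over bad clocks and you widen the replay opportunity with it.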
Master Tip
My favorite security feature is Encrypted File System. EFS solves a big problem in the world I live in as a consultant. By encrypting information at the file level, a security hole has been removed—the hole created in NT Server when you performed a parallel installation of NT to access files on an NTFS partition. This is especially beneficial for securing information on laptops (since they can easily be stolen) and small servers, which, I know from experience, can disappear in the middle of the night, given their relatively small size and weight.
Keep in mind what EFS does and doesn’t cover. Each file’s key is protected by the user’s own key and by a recovery agent’s key; the default recovery agent is the domain Administrator (the local Administrator on a standalone machine), and that private key is worth stealing, so export it to a floppy, lock the floppy up, and delete the key from the machine. EFS doesn’t touch the paging file or the temporary copies applications make while you edit, and a copy to a FAT volume lands in the clear, so encrypt the folder rather than individual files and let it cover everything written there.
EFS is implemented from the Advanced button of the folder Properties dialog box, as shown in Figure 11, or from the command line with CIPHER /E /S:foldername.
Figure 11. File encryption in Win2K is handled by EFS. Select the Encrypt contents to secure data checkbox.
Tenth Course: Improved Storage
Management
Waldorf Pudding
I’ll end our look at the exquisite cuisine of Windows
2000 Server with a mention of storage management improvements.
First and foremost, disk quotas come to mind. Long desired,
but not delivered until Win2K, disk quotas are implemented
via the volume Properties sheet, resulting in the quota
entries shown in Figure 12.
Figure 12. The quota entries shown are implemented via the volume Properties sheet.
Acknowledging that NTFS volumes suffer fragmentation,
Microsoft has included a disk defragmentation utility
in Windows 2000 Server. But before directing too much
praise to the Big M, you should know that it was provided
by Executive Software and is really a dumbed down version
of Diskeeper, a disk defrag application. But it works
for me and most likely you too.
Master Tip
The native backup application in Win2K is greatly improved over its NT 4.0 predecessor (also named NTBACKUP.EXE). Native support for tape library devices has been added, and you can now back up to media other than a tape device, such as Jaz drives. More important, you can now schedule your backups directly inside the backup application, as shown in Figure 13. You no longer need to use the AT command at the command line to schedule backups. (I enjoy the traditional 30-day tape backup calendar—it’s so easy to understand!)
Figure 13. The native backup application allows you to schedule your backups directly inside the backup application.
Final Review
Sure, I have a couple of complaints about this meal: Untested directory services under intense real-world conditions. No native virus protection. Emergency Repair Disk (ERD) is still dependent on a 25-cent floppy instead of more stable media such as a writeable CD disc. Default share permissions are still too generous (EVERYONE = Full Control), and so are the default NTFS permissions on a freshly formatted volume, so fix both on every share you create: the effective permission is the more restrictive of the two, and a tightened share sitting on an Everyone = Full Control NTFS folder still leaves local and Terminal Services users with everything.
But right now I say, let the Windows 2000 Server celebration
begin! I hope you’ve enjoyed this 10-course offering.
Needless to say, most of us in the MCSE crowd have a lot
to learn about Win2K Server, so manage your expectations
accordingly. Don’t try to implement every new feature
immediately or you’ll spend so much time fixing the damage
you’ve created that you’ll miss the rigorous Windows 2000
Server recertification requirements looming over all of
us legacy MCSEs.