Eye On: Compaq's Internal Windows 2000 Rollout
- By Scott Bekker
Compaq Computer Corp. this week detailed its internal deployment of Windows 2000 - one of the largest deployments thus far outside of Microsoft Corp.'s own internal deployment.
Compaq's approach contained several surprises, nods to the complexity of a Windows NT 4.0 to Windows 2000 migration and an example of how quickly Microsoft technologies spin beyond Microsoft's intentions for their deployment.
In raw numbers, Compaq (www.compaq.com) already has at least 13,000 PCs running Windows 2000 Professional and 300 servers running Windows 2000 Server or Advanced Server. When the conversion is complete by July 2001, Compaq will have roughly 200,000 PCs running Windows 2000 worldwide.
The company's server infrastructure will eventually comprise 340 Windows 2000 servers, including Domain Controllers, WINS servers, DHCP servers, DNS servers, and file and print servers.
When most Compaq users are switched to Windows 2000, they will be in native mode, meaning they will log into Windows 2000 Domain Controllers. Only in native mode can IT shops implement the cost-saving desktop lockdowns and group policies or take advantage of the security improvements in Windows 2000. For now, the vast majority of the Windows 2000 PCs at Compaq log into NT domains. Only about 100 PCs are currently running Windows 2000 Professional in native mode at Compaq.
"We're doing very mean things to them and testing out group policies so that we can understand Windows 2000 in a group environment," Brent Harman, Compaq senior corporate operating environment architect, jokes about the native mode users.
Compaq, a Joint Development Program (JDP) partner with Microsoft for Windows 2000, and a company that has worked closely with Microsoft on Windows NT 5.0/Windows 2000 for several years, diverged from recommended practice in several areas of its Windows 2000 deployment.
For one, Compaq developed a domain structure that puts a small group of about 20 enterprise administrators in their own Windows 2000 domain, the parent to all other Windows 2000 domains at Compaq.
"Microsoft is very ambivalent about the concept," says Harman, who is also the JDP lead for Compaq.
System architects at Compaq saw several advantages to the approach. For one, enterprise administrators, who have the ability to do everything across the corporation except change security logs, need to have more stringent passwords than everyone else, says Harman. Password policy can only be set at the domain boundary in Windows 2000.
Putting omnipotent administrators in a single domain will allow Compaq to require an 11-characters-or-longer password that includes upper case, lower case and non-printing characters and expires every 30 days for those admins without setting such onerous requirements for regular users.
In an organization with the kind of cultural clashes that Compaq has, the administrative domain will bring other benefits for central IT. Compaq is traditionally a lock-down desktop, centralized-IT kind of place. Compaq acquisitions Digital and Tandem are not. "Users felt like, 'This is my domain, my machine,'" Harman says.
By creating group policies in the parent administrator domain and linking the child domains to those group policies, Compaq can prevent administrators in the child domains from being able to circumvent corporate policies.
One example will be Compaq's policy of requiring real-time virus scanning software to be running on every machine. Currently, Compaq has no way to enforce the rule. With Windows 2000, Compaq plans to set the virus scanning requirement as a group policy in the administrators domain and link the child domains to the policy.
Beneath the administrator domain, Compaq has plans for three child domains: an Americas domain, a Europe/Middle East/Africa domain, and an Asia/Pacific domain. Compaq will provide room for up to 50 domains beneath those geographic domains but central IT will heavily favor the use of Organizational Units (OUs) rather than sub-domains, Harman says. Possible exceptions may be resource domains for such critical applications as SAP.
The goal is to scrap the ugly maze that is Compaq's current Windows NT 4.0 network. Compaq, Tandem and Digital each had mature Windows NT 4.0 networks when they converged. The result is an enterprise with 13 master domains and somewhere around 1,700 resource domains. "Nobody really knows for sure," Harman says. "If you know anything at all about NT, you can imagine the great problem that this is to administer such a large environment."
Partly to accomplish that, Compaq's approach involves building its Windows 2000 environment with completely different machines, entirely in parallel to its Windows NT 4.0 environment.
"Early on we have a duplication of hardware," Harman says. Eventually, however, Compaq hopes the jump to Windows 2000 will drastically reduce Compaq's amount of hardware, possibly reducing hardware costs but definitely improving ease of administration.
For example, when Compaq's Americas domain migration is complete, the company plans to have two pairs of clustered DHCP servers in Houston, compared with the 40 DHCP servers currently providing the services across the area.
Harman stresses that the hardware cost may not fall. Such consolidation requires expensive redundant hardware, and the company has made a massive commitment to the quality and availability of its WAN links.
[For more coverage of the Compaq rollout, see ENT's upcoming Feb. 9 issue]
Scott Bekker is editor in chief of Redmond Channel Partner magazine.