Planning for Windows 2000 Server N o matter how small your network or your needs, you should not install Windows 2000 without preparing an implementation and deployment plan. This chapter covers planning for Windows 2000 Server and takes you through the steps required to formulate and execute a deployment plan. Steps to Implementation Many of you are probably following the advice of your peers: Microsoft should release the first service pack or two to Windows 2000 before you touch it. Here’s your wake-up call: You need to install Windows 2000 Server now. Not after one or two service packs. Now. Are we paid Microsoft supporters? No. We just want to make sure you get on the train when it stops at your station. By “now,” we do not mean you have to rush out and install it in a production environment. But you have to start testing now, understanding now, and learning now. You have to plan for Windows 2000 Server, and this advice is aimed at not only the multi-national company with 432,981 employees in 65 countries, but also at the single-person company that you’ll find around the next corner. Why the rush? Windows 2000 Server is a shocker. It is more stable at release time than NT 4.0 was, and in many cases, even without its advanced functionality, it is preferable to install Windows 2000 than Windows NT 4.0. It is not only years ahead 4 4 CHAPTER ✦✦✦✦ In This Chapter Steps to Implementation Implementing a Deployment Plan ✦✦✦✦ 4667-8 ch04.f.qc 5/15/00 1:58 PM Page 97 98 Part II ✦ Planning, Installation, and Configuration of its time, it is also more stable without its first service pack than Windows NT 4.0 at service pack 5.0 and higher. However, there is something else you need to know. Don’t be fooled into thinking that the competition, even another department in your company, is adopting the wait-and-see position. Windows 2000 provides such a huge competitive advantage, when wisely adopted, that the early implementers could end up well ahead of you and their competition: on the Web, in office productivity, in security, in lowering TCO, in administration, and more. In fact, we have recently talked to administrators who are choosing com- panies they would like to work for based on their early adoption of Windows 2000. Got the message? So if you are wondering, “Where do I begin?” this is the chapter that takes you down the Yellow Brick Road. Put your worries and neuroses behind you and get cracking. Formulate a Plan The first step you need to take is to formulate a plan of attack. You can be very sci- entific about your planning for Windows 2000 Server, and you can also overdo it. We urge you to keep the planning simple. The cliché that works for Windows 2000 Server is to make sure you can see all the trees and all the forests. If you already have a well-organized domain, you have lots of time; Windows 2000 is not going away. You must come up with a formal document for management, proposing a project to evaluate and plan an upgrade or conversion to Windows 2000 Server. If you take the CEO or CTO a 1,200-page tome, he or she will freak out. Managers will want to know how Windows 2000 Server is going to save them money, make them more competi- tive, and keep them secure. Most executives need nothing more than an executive summary with which to begin. Migrate. This is the first and the last time you will see the term migrate in this book because it is a misnomer when referring to moving to Windows 2000 Server. We don’t want you to use it because it has negative connotations. Migrating implies that you can go back to where you came from. Migrating is not possible with Windows 2000. If you’re trying to go back, then you’re in disaster recovery mode. Your domains can coexist, which most of you will be doing for a while, and you will convert. But if you follow the advice in this book and in the next few chap- ters in particular, you will not have to climb down from Windows 2000 and rein- stall Windows NT. If you think we are playing petty semantics, you are wrong. In many languages and cultures, migration is a temporary thing. Once you convert your last Windows NT Domain Controller, there is no reversion; you are done . . . dead or alive. Note 4667-8 ch04.f.qc 5/15/00 1:58 PM Page 98 99 Chapter 4 ✦ Planning for Windows 2000 Server There are many ways to approach a project and a plan. And we do not intend to teach project science here, so whatever works for you, or is required by your organization, is fine with us. We are not going to offer you the best way to approach the conversion. We will give you some pointers culled from many years of doing needs analyses and syntheses. It is important that in the early days of the planning and testing phase, you only choose a handful of energetic people to evaluate Windows 2000 Server. You don’t want too many people doing their own thing and becoming unproductive and uncoordinated. In the beginning, there will be little time for managing all the egos and eager beavers. If too many people join the project or you have subsidiaries and divisions setting up their own projects, the company on the whole will lose out because you’ll end up with disjointed installations everywhere and the project will drown under the weight of everyone’s two ounces of input. Incidentally, there were five people involved in the Windows 2000 development project that this book is based on. Three were employed almost full-time in lab work. The following is a suggested plan of attack. It is the one we followed when testing Windows 2000 Server for this book, and it is the plan we used to evaluate Windows 2000 for our own customers, clients, and companies, from our six-person insurance company to our huge multi-national distributors. Like you, back in early 1999, we knew very little about Windows 2000. We were too busy keeping our NT networks in check. Our respective clients wanted to wait until late 2000 before considering Windows 2000 . . . and then everyone changed their minds when they started seeing the fruits of our labor. Phased Implementation Phased implementation is a big phrase that represents a logical course to complet- ing a difficult transition from one state to another. In the example here, our objec- tives are to move from state zero (no Windows 2000 Server) to tests in the lab, pilot project, conversion, and rollout. Depending on the nature of the implementation and your objectives, your project phases may vary or be very different from ours. Each phase may itself become highly nested with sub-phases, milestones and sanity checks. Phased implementation allows us to stop at checkpoints along the way, assess results, and make changes, as required. Our Windows 2000 Server project consisted of several phases, illustrated in Figure 4-1. Some phases overlap and others are ongoing. Tip 4667-8 ch04.f.qc 5/15/00 1:58 PM Page 99 100 Part II ✦ Planning, Installation, and Configuration Figure 4-1: Phase implementation plan (drawing of plan) There are also several steps within each phase. The conversion step is in itself a phased-implementation effort. However, take care not to over-nest your project with too many phases. Our suggested phase-implementation structure is as follows: ✦ Phase 1: Analysis and Ramp-up ✦ Phase 2: Labs ✦ Phase 3: Sanity Check ✦ Phase 4: Pilot ✦ Phase 5: Conversion Here are the suggested steps that span all five phases, outlined in Table 4-1: Table 4-1 Planning Steps Phase Step Phase 1 Step 1: Establish a Timeline for Your Project Phase 1 Step 2: Understand the Technology Phase 1 Step 3: Understand How Your Enterprise is Currently Positioned Phase 1 Step 4: Establish Budget Phase 2 Step 5: Create the Lab Ramp-up Phased implementation time line LABS Sanity Check Pilot Conversion 4667-8 ch04.f.qc 5/15/00 1:58 PM Page 100 101 Chapter 4 ✦ Planning for Windows 2000 Server Phase Step Phase 2 Step 6: Design the Logical and Physical Structures Phase 2 Step 7: Secure the Lab Phase 2 Step 8: Test Phase 2 Step 9: Position the Enterprise on Windows 2000 (Gap Analysis) Phase 3 Step 10: Evaluate Phase 4 Step 11: Create Pilot Projects Phase 5 Step 12: Begin Conversions Step 1: Timelines Establish a timeline for your project. For the record, plan on at least six months for a team of about three people. The ideal length of time from assessment to rollout will be about 40 weeks. And that should cover everything to integrate or infiltrate Windows 2000 into core functions of your IT and telecom structures. You might get away with a shorter timeline for a small company using Win32- compliant software or proven or ironed-out IT processes. By small, we are referring to not more than 20 people. Just because a company is small does not mean it is not performing mission-critical work comparable to a unit in a Fortune 500 com- pany. Remember, if a unit in a large company goes offline for a few days, it might hardly be noticed. Take a small company offline for a few days, and it could go insolvent. It will take a large company about two years to completely convert to a Windows 2000 Server, and Microsoft concurs. Smaller companies will require less time, but no less than 24 weeks. You may be able to rush it, but you’ll be studying every day, seven days a week. You could also take classes and do an MSCE in the middle, but that would not get you anywhere faster. An MCSE is a good idea in parallel with this project, but take classes so you can interact with your instructors and clarify stick- ing points. Step 2: Understand the Technology If you have Windows NT experience, you can draw on that, and you can draw on any general IT/IS experience you have, but for the most part, you’ll be learning a lot of new stuff. It is also not sufficient to say you now know all there is to know about Windows 2000 after six months of shining a flashlight under the covers; that’s impos- sible, but it is vital that you understand the technology, what Windows 2000 is, and how it achieves its objectives. Note 4667-8 ch04.f.qc 5/15/00 1:58 PM Page 101 102 Part II ✦ Planning, Installation, and Configuration Prerequisites Windows 2000 architecture is highly complex. Our joke is “ZAW = Zero Administrators for Windows.” Key to understanding the technology is having a good grounding in general computer science and network engineering, but be willing to specialize. You are going to need expertise on your team, and the members of the team should be prepared to show proficiency in several IT areas. They will need a complete understanding and experience in all of the following: TCP/IP, DNS, WINS, DHCP, Server Hardware Platforms, Storage, Windows NT Server administration and deployment experience, NT and Windows 9x workstation expe- rience, Internet practices, and tons more. After you have established the timelines and have picked a team of experts, you need to spend no less than two months, possibly four, understanding everything about the technology and the architecture, Active Directory (six to eight weeks). Trust us, we work with engineers all day long, and they are very good at what they do, but on some Windows 2000 subjects, they still have to scratch their heads. Where do you start? Besides this book to break ground, the best place to start is the Microsoft Web site. There are tons of white papers there and documents that will get you started on both the easy and difficult stuff. The Deployment planning guide in the Windows 2000 Resource Kit is also a worthwhile document to read, as long as you have lots of Alka-Seltzer handy. Avoid books that are nothing but a rehash of the Windows 2000 Help Files. They may have worked in the past. But not only are the Help Files very thorough, they are also “mind-blowingly” vast, covering many different functions and features of the server. And, before you interject, you can take them “anywhere” you can take this book . . . on your Windows Pocket PC or CE handheld, which puts you directly on the server, as Chapter 25 explains. Also avoid books that attempt to teach you about subjects not really germane to Windows 2000 Server or that have been covered more times than the Oscars. For example, you won’t find instructions on how to format a hard disk in this book, or what constitutes an IP address, or a crash course on HTML. If you don’t already know this stuff, you’re not qualified to be involved in planning for and installing Windows 2000 Server. You will also need new equipment, but more about that later. For the first few weeks, you need to read, read, read. There are going to be payoffs. You’ll find that people caught off guard will start turning to you in desperate need of help to under- stand a complex Windows 2000 issue. Your peers who scoffed when you plastered your office with thousands of Windows 2000 white papers won’t be laughing now. 4667-8 ch04.f.qc 5/15/00 1:58 PM Page 102 103 Chapter 4 ✦ Planning for Windows 2000 Server Step 3: Understand How Your Enterprise Is Positioned to Exploit Windows 2000 Server We know this is difficult to do in the early stages of the project, but it is very impor- tant to prepare yourself to take your early findings to management. Although many projects are sanctioned or sponsored by people high up in the management chan- nels, unless you come up with specific reasons to make changes to or enhance the existing IT infrastructure, your project may come to an abrupt end. No matter how big or small the organization, change is always difficult, and there is the risk of business or work stoppages resulting from unanticipated events that result directly from your conversion attempts. Believe it or not, many companies are doing just fine on Windows NT. Management, especially the CIO/CTO or MIS, is focused on keeping the business systems running. Without the systems, the business fails. Nine times out of ten, most senior executives will cite the “wait until service pack 1” rule. Your job is to convince them to start testing now and then to get the initial sponsorship and bud- get for the project. And the only way to do that is to become an informed evangelist in less than two full moons. Step 4: Establish Budget You’ll need several stages of financing for your project, so think like an entrepreneur. The early stages can probably be catered to out of existing equipment, unused servers, hard disks, and so on. If you don’t have surplus hardware, you’ll need to get a few servers. And we don’t need to tell you that the best means of providing servers for a project like this is to buy the pieces and assemble the hardware in your lab. You’ll not only learn about Windows 2000 hardware compatibility, but you’ll end up saving a lot of money in the early stages. Older brand servers, like Compaqs or Dells, are as risky for Windows 2000 (if not more so) than flea market finds. The only failed installation we battled with for this book was on a Compaq 6000, as discussed in Chapter 5. Step 5: Create a Lab With your initial budget, you need to set up a lab. This should be a secure area where you can set up a number of servers, workstations, printers, and a slew of net- work components, such as routers and hubs. Depending on the size of your organi- zation and the project, you will want your lab to emulate an enterprise-wide domain structure, both physical and logical. In which case, you’ll need to set up several domain controllers, role servers like DNS and DHCP, and so on. Caution 4667-8 ch04.f.qc 5/15/00 1:58 PM Page 103 104 Part II ✦ Planning, Installation, and Configuration Obtain a space in which you can comfortably fit about 12 full-tower servers and all collateral network equipment and printers. You might get away with a lot less, and you might need a lot more. One company we know built a test domain complete with domain controllers for 24 remote centers — that’s 24 domain controllers. Follow Chapter 5 for specifics on installing the servers. Step 6: Design the Logical and Physical Structures Once you have a budget and you are ramped up on the technology, you can begin designing your logical and physical domain structures in the lab. You will need to set up key role servers such as domain controllers, certificate servers, license servers, DNS, and so on. In the next chapter, we discuss issues directly related to the domain controllers and role servers. The logical and physical designs are discussed in Part III, Active Directory Services. Step 7: Secure the Lab Pay particular attention to security during all phases of the test project. In other words, experiment with various levels of encryption and security practice (such as using smart cards). You will also be setting up initial user accounts for your admin- istrators and a selection of mock users for your organizational units (OUs) and groups in Active Directory. Step 8: Test After you have designed and created a logical and physical structure and applied security, it is time to test. You will be testing authentication, policies, DNS, WINS, DHCP, storage, files and folder access, and so on. During your tests, you should also pay attention to the position your enterprise is currently in. Moving directly from Step 8 to Step 9 will allow you to perform insightful gap analysis. Gap analysis is used to determine the technology gap between the company of the present and the company of the future. Step 9: Position the Enterprise on Windows 2000 Server During your test project and lab work, you need to assess the position your organi- zation now finds itself in and the position it can be in during and after conversion. Also, list all the situations the company would not like to be in during and after the conversion and phased implementation. The first situation we would not like to be in that comes to mind is being offline; another is being up but finding that users have lost access to their resources. This is discussed a little more, later in this chapter. 4667-8 ch04.f.qc 5/15/00 1:58 PM Page 104 105 Chapter 4 ✦ Planning for Windows 2000 Server Step 10: Evaluate You need to stop at predetermined intervals or milestones along the way for sanity checks and to evaluate how far you have come, how far you have to go, deadlines that may have been missed, and other problems. Towards the end of the project, you will need to make the decision with your sponsors and management to move forward with a test or pilot project in which you will be deploying servers in pro- duction environments. Step 11: Create Pilot Projects The pilot projects can take on many forms. They could be limited to the installation of a role server, many role servers, the beginnings of Active Directory in the organi- zation, and more. More on this in a later section. Step 12: Begin Conversions On the basis of successful pilot projects, you will be able, with the blessings of man- agement or your own confidence, to move forward with rollout and conversion. Our strategy for a phased implementation is discussed shortly. There is a lot of material floating around that covers planning. The material in the Windows 2000 Deployment Planning Guide is extensive. However, we found it too detailed in parts and too verbose for the majority of installations. Many sections call for teams of experts (a way of picking up the fallout from defunct Y2K projects?) that most companies would not be able to afford. Indeed, a team of such experts, even for a month, would be beyond the budgets of all but a few companies. The previous steps are a starting point, something on which you can build. The fol- lowing planning guide worked for us, suited our environment, and is based on many projects that came before Windows 2000. Each step along the way was fully docu- mented and evaluated. Indeed, you are holding much of the research and lab work we did between these covers. Now let’s kick our implementation into high gear. Analysis and Ramp-up There is a huge difference between learning about Windows 2000 Server and under- standing what the technology means for the enterprise, and, as components of Phase 1 described earlier, analysis and ramp-up set out to achieve both in logical order. We touched on this a little earlier in this chapter, and in Chapter 1, where we placed Windows 2000 Server in the middle of Microsoft’s architectural feast. Your planning efforts should thus be based on the following objectives: 1. Understanding how to use the technology 2. Installing and deploying Windows 2000 Server with that knowledge Tip 4667-8 ch04.f.qc 5/15/00 1:58 PM Page 105 106 Part II ✦ Planning, Installation, and Configuration Understanding the Technology Only after you have a thorough understanding of the technology and the architec- ture will you be in a position to determine the benefits for the enterprise. Granted, you may have heard how wonderful Active Directory is. But you have probably heard rumors that it is “overkill for a small company.” How do you know if that statement is invalid until you fully understand how Active Directory works and what it can do for your company, no matter what the size? Just because Active Directory can hold a billion objects does not mean it should not hold a hundred. It is also important to understand the various services that play domain roles. Official documentation, for example, refers to three roles a server can play. The server can be any of the following, and it is important to understand the differences: 1. A Windows 2000 server can be a standalone server, which means that it is not joined to any domain and stands alone in its own workspace. Understanding how this server interacts or participates on the network will provide you with the information you need to assess needs and cater to them with the estab- lishment of standalone servers. A standalone server, for example, is an ideal bastion. And it can be used as a firewall or proxy server without having to be part of a domain. A certificate server, established for a public key infrastruc- ture (PKI), is a good example of a standalone server. There are millions of Windows NT and 2000 servers on the Internet, and they are not part of any Windows domains. The machine is thus more secure as a standalone server than as a member server because standalone servers are not given domain accounts nor are they authenticated on the domain. They can also be print servers, and so on, but their resources cannot be published in Active Directory, short of mapping them to IP addresses (see Chapter 23). If you are in a hurry to install Windows 2000 Server, do not try to join it to any domain or promote it to a domain controller. Make it a standalone server that logs into its own workgroup. 2. Windows 2000 can be a member server, which means that it has an account in the domain. Now, that account can be in a Windows NT domain or a Windows 2000 domain. As long as it is a member server, you can access its resources via the authentication mechanisms of Windows NT and the NTLM authentica- tion service (see Chapter 3), or via Kerberos on a Windows 2000 network. This means that the Windows 2000 member server can play certain worth- while roles in an NT domain. We will discuss such roles shortly. 3. A domain controller loads the Active Directory support infrastructure. You can install a Windows 2000 domain controller when you are ready to begin learn- ing about Active Directory, or when you are building your test domains in the lab. You can also install a Windows 2000 domain controller server into a Windows NT domain. Tip 4667-8 ch04.f.qc 5/15/00 1:58 PM Page 106 [...]... 107 Chapter 4 ✦ Planning for Windows 2000 Server Good examples of understanding the technology are coming to the conclusion that Windows 2000 Server- DNS, Windows 2000 Server- WINS, and Windows 2000 ServerDHCP are ideal role servers to install in the existing environment, be it Windows NT or something else and figuring out how to integrate them In fact, this is the design technique that forms the basis... connecting the NT 4.0 server to the Windows 2000 server, and to test the ability of the Windows NT 4.0 server to obtain WINS information, name services, and account privileges from the Windows 2000 network CITYHALL CITYHALL is the first-level domain This network contains the domain controller for CITYHALL, a DNS server, WINS, DHCP, and a RAS server for the low bandwidth link to DITT The RAS server is also... ✦ Planning for Windows 2000 Server The how-to material and extensive Help files on Windows 2000 have a point of diminishing return You can’t read all of the information, but you have to start somewhere The number of document pages at Microsoft covering Windows 2000 runs into the millions and would take you much more than a year to read Baptism by fire, as the saying goes, maketh a good network and Windows. .. 121 Chapter 4 ✦ Planning for Windows 2000 Server Role Description DHCP This is the DHCP server for assigning IP address leases You can also install this service to the DNS/WINS server However, it should be installed on a separate machine, especially on a busy network Please pay attention to the specific health tips offered for this server in Chapter 5 IIS This is the Internet Information Server or IIS... Planning, Installation, and Configuration Table 4-2 (continued) Role Description BACKOFFICE Windows 2000 Server is the base or host operating system for all Microsoft BackOffice products, such as Exchange, SQL Server, SMS, SNA, and so on RIS RIS is the service that performs remote installation of Windows 2000 Professional It should be set up as a dedicated member server We discuss options for RIS server. .. the host server for Active Directory It is recommended that this server be dedicated to directory services (flexible for small domains) and mirrored (see Chapter 9 for health tips for this server) with replication partners for redundancy DNS This is the Domain Name System (DNS) server DNS services should be installed on a dedicated server (although this is also flexible in small companies) DNS servers... Consult Chapter 10 for information on setting up users and groups, and Chapter 9 for specifics regarding installation of Active Directory 4667-8 ch04.f.qc 5/15/00 1:58 PM Page 123 Chapter 4 ✦ Planning for Windows 2000 Server The next server to install is the DNS server, then DHCP, WINS, and so on The flow charts in Figure 4-4 suggest the logical progression of installing these services or servers Remember,... balancing, especially application servers DATABASE This server can be set up to cater to database environments such as SQL Server 2000 and others You do not need to install anything special, but we suggest architecture and configuration for base requirements of database servers in Chapter 5 MAIL The server can be set up to route and forward e-mail See Chapter 24 for information on setting up SMTP services... problem has to be sent all the way back to the lab phase for a resolution Conclusion of Phased Implementation There is no conclusion to implementation New projects, lab work, pilots, and so on, need to be conducted all the time Get ready for the next service pack Coming to Grips with Windows 2000 Server You may not be ready for Windows 2000 Server for any number of reasons You also might not be in a position... chapters and Windows 2000 documentation before you start any lab work, but please read on for reference only Note The next chapter, Installing Windows 2000 Server, also caters to the ramp-up phase, the lab phase, and the pilot phase You cannot consider yourself ready to begin designing and testing until you have logged a hundred or more hours of study And then not until you have installed role servers at . Server Good examples of understanding the technology are coming to the conclusion that Windows 2000 Server- DNS, Windows 2000 Server- WINS, and Windows 2000. a Windows 2000 domain controller server into a Windows NT domain. Tip 4667-8 ch04.f.qc 5/15/00 1:58 PM Page 106 107 Chapter 4 ✦ Planning for Windows 2000