Amazing Feast! Windows 2000 on the Table

Seems like you’ve waited years for your reservation to be called, but Windows 2000 Server is almost ready for your dining pleasure. Here’s a sampling of its delights.

You made reservations years ago; now it’s almost time to feast. Your table is ready, and Windows 2000 Server is about to be served up at the local Win2K bistro. Like other great culinary delights, Windows 2000 Server took time to develop and deliver. But it comes highly recommended: For starters, the main course, Active Directory, is to die for. Let me take you through a sampling of the culinary delights that await you, along with some insider secrets that I’ve gleaned in the course of working with this product over the last year.

A Brief History of Time

If you’re new to the MCP community, the timeline included with this article will help you understand the long journey associated with Windows 2000 Server. Think about it: Babies born to MCPs when Cairo/Windows NT 5.0/Windows 2000 was announced are now halfway through their first year of Montessori or Waldorf School.

Windows 2000 Server’s birth follows a gestation period of over three years. Compare that to whales (12 months) and even elephants (22 months), and you begin to understand that creating the 25 million-plus lines of code in Windows 2000 Server was a big deal. All told, conceiving and carrying off Windows 2000 Server was a huge undertaking for the development team at Microsoft. It’s a journey marked by distinct trimesters: Windows NT 5.0, then The Period of Darkness, and finally Reworked Windows 2000 Server.

Initially, Windows NT 5.0 was going to be the ultimate directory-based enterprise-level network operating system (NOS). Frustrated in its attempts to break into true enterprise markets such as global corporations and finding the door shut in mission-critical environments such as 24 x 7 hospitals, Microsoft set out to do the impossible with Windows NT Server 5.0. It eventually became obvious that trying to be everything to everybody wouldn’t work.

Enter the Dark Ages of the second trimester. Here, the Microsoft development team scaled back expectations, drifted from the original directory-based NOS paradigm, and generally became depressed—something that was apparent to even the casual observer. Heads rolled, re-orgs happened, and one codebase change later, a reworked Windows 2000 Server with a realistic end-of-millennium ship date and a new name emerged. It’s this version that’s now being readied to serve.

You should also be aware that other flavors of Windows 2000 exist beyond the Server release. Windows 2000 Professional replaces Windows NT Workstation 4.0 and is positioned for professional and technical users at the desktop or notebook. Windows 2000 Advanced Server allows clustering and larger memory and processor and storage configurations. Windows 2000 Datacenter Server is focused on demanding application server environments (such as electronic commerce) and includes everything in Advanced Server plus even greater processor scalability and processor configurations.

But this article focuses on Windows 2000 Server, which many of us affectionately call Win2K. Are you ready to be feted on this 10-course feast? If so, allow me to be your culinary guide.

First Course: MMC
Hors D’oeuvres and Oysters

You may already be familiar with the first course, the Microsoft Management Console (MMC). Introduced to most MCPs in NT Server 4.0’s Option Pack, the MMC provides a new, consistent interface to manage common tasks when running Windows 2000 Server. Name a task and chances are you’ll find an MMC snap-in for it. You can use snap-ins to populate the MMC with the tools you want. There are snap-ins from A (Active Directory) to W (WMI Control). Perhaps the best thing about the MMC is that you can customize it, creating and distributing your own MMCs as needed. Better yet, you can restrict others to “user mode” when using your custom MMC, which prevents modifications.

Many program items in the Administrative Tools program group launch MMCs, so it’s easy to learn about and use MMCs right away. An example is Event Viewer. You can also take the Swiss-Army-knife approach and type MMC at the command line to display a naked MMC. Select Add/Remove Snap-in from the Console menu, then select from an array of pre-defined snap-ins or add your own custom one. When you save the MMC you’ve created, the MMC title will appear as an option in the Administrative Tools program group. Nice touch!

  • Master Tip
    Many MMCs have advanced views that allow you to view and perform tasks in ways you might not know about. For example, the Active Directory Users and Computers MMC (launched when you select Active Directory Users and Computers from the Administrative Tools program group) has the initial view shown in Figure 1. However, select Advanced Features from the View menu, and the MMC displays additional information, such as the LostAndFound container for orphaned objects (see Figure 2).

Figure 1. Many Microsoft Management Console snap-ins have several views. This MMC, the Active Directory Users and Computers, has both a default view, shown here…

Figure 2. …and an “advanced features” MMC view.

Second Course: Improved Internet Connectivity
Consommé Olga

In some ways, it seems as if Windows 2000 Server stole some of the coolest features from its little brother, Small Business Server. One area in which this is evident is Windows 2000 Server’s Internet Connection Wizard, shown in Figure 3. Admittedly, MCPs working in smaller organizations will benefit from this and many new wizards included in Windows 2000 Server. MCPs at the enterprise level may or may not be able to take advantage of wizards, given the uniqueness and complexity of enterprise environments.

Figure 3. The Internet Connection Wizard is one idea in Win2K that might have been borrowed from Microsoft Small Business Server.

  • Master Tip
    My absolute favorite Internet connection-related wizard tool is the “Connect to a private network through the Internet” radio button on the Network Connection Wizard shown in Figure 4. Creating a virtual private network (VPN) connection has been demystified via a simple wizard that guides you through five setup screens. Note that VPN activity under Windows 2000 Server is more secure thanks to Layer 2 Tunneling Protocol (L2TP), which improves on the Point-to-Point Tunneling Protocol (PPTP) used in NT 4.0. Windows 2000 Server’s Internet Protocol Security (IPSec) also contributes to overall VPN security. If you’re interested in having your Windows 2000 Server support inbound VPN connections, I describe that process using the Routing and Remote Access MMC in the Windows 2000 Server Secrets book excerpt that accompanies this article.

Figure 4. Creating a VPN connection is easy—no, really!—with the Internet radio button in the Network Connection Wizard.

Third Course: Group Policies
Poached Salmon and Mousseline Sauce, Cucumbers

OK, so you and I struggled with Policy Editor in the legacy NT days. You wondered if you actually had a positive return on investment once you considered all the time spent creating and managing policies vs. making visits to configure each workstation manually. And maybe you even tried to MacGyver policies into your NT network via the Security Configuration Editor (SCE) found in the NT Server 4.0 Option Pack.

That’s all behind us with Group Policies in Windows 2000 Server. Group Policies is positioned as the centralized management paradigm in the new world of Windows 2000 Server. Ironically, given this important role, you’d expect to find a Group Policies program item in the Administrative Tools program group. Such is not the case; you’ll need to launch a naked MMC and select the Group Policy snap-in. This Group Policy snap-in is really a wizard that allows you to add different types of Group Policy objects, as shown in Figure 5. The final result, the Group Policy MMC, is shown in Figure 6.

Figure 5. Configuring the Group Policy MMC. The upper left portion of the screen displays the Select Group Policy Object that’s launched when you select the Group Policy snap-in. The lower right portion of the screen displays the available Group Policy objects in the Browse for a Group Policy Object dialog box.

Figure 6. Here’s the final result of the wizard shown in Figure 5, a configured Group Policy MMC.

  • Master Tip
    It’s not well known that Group Policies in Windows 2000 Server are intended for homogenous Windows 2000 networks. The intent is that you have (and have only) Windows 2000 Server and Professional machines on your network. Nearly all of the Group Policy features and functions won’t be available to Windows 98/95 or Macintosh clients. Ouch!

Windows 2000 Server Secrets:
Excerpt from Chapter 8, “Internet Secrets”
Obviously the history of the Internet has been covered in more texts than you or I care to count, so I’ll leave that topic alone. But it is interesting to note that the Internet is creating its own history each day. Its short life to date suggests that there are untold opportunities for you to capitalize on the Internet. But for you to do that, you first need to successfully attach your Windows 2000 server to the Internet. You have several ways to do this. In this chapter, after installing Remote Access Service, I’ll proceed with the dial-up approach and work toward more complex Internet configurations.

Configure Remote Access Service
Hail to Windows 2000 Server, for it has simplified many tasks from its NT predecessors, including the installation and configuration of Remote Access Service (RAS). But first, a quick history lesson. You will recall that Remote Access Service (RAS) has been part of the remote networking solution set in Microsoft’s networking family since the earliest days of Windows NT Server (at which time it would only interact with the NetBEUI protocol).

Note: RAS has made something of a political comeback in the networking community. For years, RAS enjoyed mixed reviews at best for its unreliable support for modem-based dial-in and dial-out activity. However, with the advent of Virtual Private Networks (VPNs), RAS is back. It actually manages the VPN function very well in Windows 2000 Server, and I will discuss this later in this chapter.

Well, RAS has come a long way in Windows 2000 Server. The RAS installation is much more intuitive, starting with the Windows 2000 Configure Your Server screen. Following are the steps to configure Remote Access Service for inbound Internet-based traffic. This sets the foundation for the Virtual Private Networking (VPN) discussion later.

Steps to Configure Remote Access Service
From the Windows 2000 Configure Your Server screen, select the Networking link in the left pane and then select Remote Access. Select the “Open” link to launch the Routing and Remote Access MMC.

Step 1. Right-click the server object in the left pane (for example, TCI1) and select Configure and Enable Routing and Remote Access from the secondary menu (see Figure A).

Figure A. Configure and Enable Routing and Remote Access selection.

Step 2. The Welcome screen of the Routing and Remote Access Server Setup Wizard appears. Click Next.

Step 3. The Common Configurations screen appears (see Figure B). Select Remote access server. Click Next.

Figure B. Remote access server

Step 4. The Remote Client Protocols screen appears. Select the appropriate button to accept or elect to add more networking protocols for remote access. Click Next.

Step 5. The IP Address Assignment screen appears. After making your selection, click Next.

Step 6. The Managing Multiple Remote Access Servers screen appears. The screen allows you to elect to manage all RAS servers from a central point. This election clearly depends on whether you are managing a smaller LAN with only one RAS server (in which case the answer would be “No”) or managing a RAS server farm (in which case the answer would be “Yes”). Make a selection and click Next.

Step 7. Click Finish on the Completing the Routing and Remote Access Server Setup Wizard to complete the RAS configuration. You will be returned to the Routing and Remote Access MMC.

Caution: Be very careful about selecting the Network router option. First of all, there are many compelling reasons, such as advanced configuration management, to use true routers (such as Cisco) on your Windows 2000 network. Second, it enables two-way routing of network traffic to and from the Internet (if you’re connected directly to the Internet) and may override the safeguards imposed by Microsoft Proxy Server’s local address table (LAT).

Fourth Course: Dynamic DNS
Sauté of Chicken, Lyonnaise

Microsoft is using Windows 2000 Server to shift away from NetBIOS naming conventions and limitations and join the Internet community’s host naming approach. This is evident in two places. First and foremost is the introduction of Dynamic DNS. Second is the de-emphasis on the Windows Internet Naming Service (WINS).

You’ve probably already heard of Dynamic DNS (Domain Naming Service). Based on RFC 2136, Dynamic DNS provides a “means of dynamically updating zone data on a zone’s primary server when a server requests an update.” That’s according to the soon-to-be-released Windows 2000 Resource Kit. So instead of manually entering zone records, which map IP addresses to host names, Dynamic DNS automatically performs this administrative function for you.

But I like to think of Dynamic DNS as something like a difficult child: It’s easily heard but hard to find. Dynamic DNS simply does its thing in the background, effectively providing a replacement for WINS databases. It’s the underlying vehicle for migrating a network based on NetBIOS names (and WINS) to host names (based on DNS). One of the few places you can actually “see” Dynamic DNS is the General tab for a zone’s property sheet, as shown in Figure 7. The “Allow dynamic updates?” field allows you to invoke Dynamic DNS by selecting Yes.

Figure 7. To configure Dynamic DNS, select Yes in response to the Allow dynamic updates? field. This will implement Dynamic DNS for a zone in Windows 2000 Server.

  • Master Tip
    Dynamic DNS and WINS aren’t mutually exclusive. In fact, there are important reasons to run both. The first reason is that you’re probably running a mixed mode network with legacy NT Server 4.0 machines (and the NetBIOS naming convention). However, be advised that legacy NT machines will automatically take advantage of Windows 2000 Server’s DNS implementation if the name being resolved is over 15 characters or contains a period.
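As an added illustration (not from the article or the Resource Kit), here is what an RFC 2136 UPDATE message looks like on the wire and how to pick one out of DNS traffic. A zone that simply allows dynamic updates accepts such a message from any client, and nothing in the message authenticates the sender unless a TSIG record is attached, so the `signed` flag is the field a defender looks at when reviewing update traffic. The zone, host, address and key name below are constructed sample values.

```python
"""Build and inspect RFC 2136 DNS UPDATE messages (constructed example)."""
import struct

OPCODE_UPDATE = 5
TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250
CLASS_IN, CLASS_ANY = 1, 255


def encode_name(name):
    """Encode a dotted host name as DNS labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def decode_name(msg, off):
    """Decode labels at off, following pointer compression. Returns (name, next_off)."""
    labels, jumped, end = [], False, off
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    if not jumped:
        end = off
    return ".".join(labels) + ".", end


def build_update(zone, host, ip, msg_id=0x1234, ttl=3600):
    """Unsigned UPDATE adding an A record for host inside zone.
    Header counts are ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT (RFC 2136 section 2)."""
    flags = OPCODE_UPDATE << 11                    # QR=0, opcode 5, no other bits
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 1, 0)
    zone_sec = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = bytes(int(o) for o in ip.split("."))   # 4-byte IPv4 address
    update_sec = encode_name(host) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + zone_sec + update_sec


def inspect_update(msg):
    """Summarize a DNS UPDATE message; return None for any other opcode.
    'signed' is True only when a TSIG RR sits in the additional section."""
    msg_id, flags, _zo, pr, up, ad = struct.unpack("!HHHHHH", msg[:12])
    if (flags >> 11) & 0xF != OPCODE_UPDATE:
        return None
    zone, off = decode_name(msg, 12)
    off += 4                                       # skip zone type and class
    records, signed = [], False
    for section, count in (("prereq", pr), ("update", up), ("additional", ad)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            off += rdlen
            if section == "additional" and rtype == TYPE_TSIG:
                signed = True
            elif section == "update":
                action = "delete" if rclass == CLASS_ANY else "add"
                value = ".".join(str(b) for b in rdata) if rtype == TYPE_A and rdlen == 4 else rdata.hex()
                records.append((action, name, rtype, value))
    return {"id": msg_id, "zone": zone, "records": records, "signed": signed}


if __name__ == "__main__":
    pkt = build_update("example.test.", "ws01.example.test.", "10.0.0.25")
    print(inspect_update(pkt))
```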

Fifth Course: Active Directory
Lamb, Mint Sauce

This is the main course, and rightly so. Perhaps no other feature of Windows 2000 Server has received more press coverage than Active Directory. With Microsoft positioning Windows 2000 Server as a bona fide enterprise networking solution, much of the early attention paid to the product has been on Active Directory.

What is AD? At its core Active Directory is the long-awaited directory services package that other network operating systems, such as NetWare with NDS, have offered for years. Active Directory addresses legacy NT Server weaknesses like non-transitive trusts and a lack of low-level administrator accounts.

But stepping back from the Active Directory hoopla, I offer up the following advice. Manage your expectations of Active Directory. It’s a first-generation directory services offering, which means it comes warts and all. Speaking plainly, both you and I are going to discover shortcomings with Active Directory as we roll out Windows 2000 Server. I suspect you’ll be surprised to discover that Active Directory isn’t just organizational units, trees, and forests—it’s also politics and MBAs working side by side with MCSEs. Get ready to engage in lots of Active Directory expectation management. And I’d be sure to under-promise what Active Directory can do.

  • Master Tip
    With Active Directory, my advice is KISS: Keep It Simple, Smarty. Start with a single organizational unit (OU) as you roll out Active Directory (see Figure 8), then justify each and every additional object. This zero-based approach will prevent you from creating an unmanageable multi-headed hydra beast in your Active Directory organization.

Figure 8. Try rolling out a single Organizational Unit, like the Marketing OU shown here.

Sixth Course: Terminal Services
Punch Romaine

I’ll share a personal secret with you. Terminal Services is one of my favorite additions to Windows 2000 Server because it’s so pragmatic. You might not expect to hear that, given other larger and more glamorous Windows 2000 Server components. But if you’ve used NT Server 4.0, Terminal Server edition in the past, you know just how cool it is. And the good news is, Terminal Services is included in the base purchase of Windows 2000 Server. It’s not an expensive add-on, which is a reason why it’s one of my favorite additions.

Terminal Services is a remote control application that allows remote users and thin clients to pass session screens back and forth, much like PCAnywhere operates. However, it’s multi-session, meaning one Windows 2000 Server can facilitate multiple Terminal Services sessions. Consider that the next time you stare at a row of computers, each able to run only one PCAnywhere session.

Configuring Terminal Services is exactly the same as configuring NT-based Terminal Server. However, with Win2K, you create two client disks to install the necessary components for the workstation to attach and initiate a session with Terminal Services (see Figure 9).

Figure 9. A client-side Terminal Services session appears as shown.

  • Master Tip
    The client-side of Terminal Services has improved dramatically. You can now print to a local client-side printer while manipulating information in the Terminal Services session window. You can also cut and paste information, such as text from the Terminal Services session window, to a local application. Call it the Citrix MetaFrame killer if you want; but with NT, you had to implement MetaFrame with its ICA protocol to achieve that level of functionality. And MetaFrame, in many cases, cost more than the legacy Terminal Server Edition itself.

Seventh Course: Clustering
Roast Squab and Cress

Next-generation clustering is here with Windows 2000. Clustering is the ability to load-balance activity and mirror storage across servers on your network. Clustering is considered essential in mission-critical environments that demand high availability. Remember that hospital I mentioned earlier in this article? Clustering is targeted toward exactly that type of implementation. It also helps with managing upgrades in demanding environments. Take an online e-commerce site that simply can’t afford to be down. Clustering allows network administrators to perform an upgrade, such as installing a service pack, on one of the cluster partners while it’s offline. The cluster partner then replicates its environment to its other cluster partners when it goes back online.

  • Master Tip
    Clustering is available only with Windows 2000 Advanced Server and Windows 2000 Datacenter Server.

Eighth Course: Improved Management
Cold Asparagus Vinaigrette

First, it was Microsoft Diagnostics (MSD) back in the old days of DOS. Then it was WinMSD in the days of NT. Now it’s the Computer Management MMC, which is a dramatic improvement over the old MSD-based management tools. The design goal behind the Computer Management MMC is to bring together, in one place, the typical and critical tools you’re likely to use in managing your Windows 2000 Server network.

One of the long-awaited additions to Win2K is Device Manager. One way to access Device Manager is via the Computer Management MMC, as shown in Figure 10. This “is” your Windows 98/95 Device Manager, a statement I make with the highest honors and compliments to the chef. It reflects the commitment on the part of the creators of Windows 2000 Server to Plug-and-Play (PNP) hardware technology. However, you’ll still need to configure your legacy ISA-based hardware devices manually.

Figure 10. Device Manager in the Computer Management MMC.

  • Master Tip
    Performance Monitor (also known as System Monitor), another network management tool, now runs as a service when logging in (instead of as an application). That means Performance Monitor doesn’t stop running when you log off the server machine. You also don’t need to run some convoluted utility from the Resource Kit to turn Performance Monitor into a service. Those days are gone, thank goodness!

Ninth Course: Improved Security
Pate de Foie Gras

No discussion of Windows 2000 Server is complete without honoring the security improvements that have been made. No fewer than four major security enhancements separate Windows 2000 Server from its NT predecessor. These improvements include Kerberos v5 protocol support, Encrypted File System (EFS), Smart Card support, and Internet security improvements (IPSec and Internet Authentication Service).

Kerberos V5 is the underlying security protocol for authentication in a Windows 2000 Server domain (yes, you still log on to domains). Both the identity of the user and network services are mutually authenticated. [For more information on Kerberos, refer to “A Matter of Security,” by Michael Chacon in the May/June 1997 issue.—Ed.]

  • Master Tip
    My favorite security feature is Encrypted File System. EFS solves a big problem in the world I live in as a consultant. By encrypting information at the file level, a security hole has been removed—the hole created in NT Server when you performed a parallel installation of NT to access files on an NTFS partition. This is especially beneficial for securing information on laptops (since they can easily be stolen) and small servers, which, I know from experience, can disappear in the middle of the night, given their relatively small size and weight.

EFS is implemented from the Advanced button of the folder Properties dialog box, as shown in Figure 11.

Figure 11. File encryption in Win2K is handled by EFS. Select Encrypt contents to secure data checkbox.

Tenth Course: Improved Storage Management
Waldorf Pudding

I’ll end our look at the exquisite cuisine of Windows 2000 Server with a mention of storage management improvements. First and foremost, disk quotas come to mind. Long desired, but not delivered until Win2K, disk quotas are implemented via the volume Properties sheet, resulting in the quota entries shown in Figure 12.

Figure 12. The quota entries shown are implemented via the volume Properties sheet.

Acknowledging that NTFS volumes suffer fragmentation, Microsoft has included a disk defragmentation utility in Windows 2000 Server. But before directing too much praise to the Big M, you should know that it was provided by Executive Software and is really a dumbed down version of Diskeeper, a disk defrag application. But it works for me and most likely you too.

  • Master Tip
    The native backup application in Win2K is greatly improved over its predecessor, NTBACKUP.EXE. Native support for tape library devices has been added, and you can now back up to media other than a tape device, such as Jaz drives. More important, you can now schedule your backups directly inside the backup application, as shown in Figure 13. You no longer need to use the AT command at the command line to schedule backups. (I enjoy the traditional 30-day tape backup calendar—it’s so easy to understand!)

Figure 13. The native backup application allows you to schedule your backups directly inside the backup application.

Final Review

Sure, I have a couple of complaints about this meal: Untested directory services under intense real-world conditions. No native virus protection. Emergency Repair Disk (ERD) is still dependent on a 25-cent floppy instead of more stable media such as a writeable CD disc. Default share permissions are still too generous (EVERYONE = Full Control).

But right now I say, let the Windows 2000 Server celebration begin! I hope you’ve enjoyed this 10-course offering. Needless to say, most of us in the MCSE crowd have a lot to learn about Win2K Server, so manage your expectations accordingly. Don’t try to implement every new feature immediately or you’ll spend so much time fixing the damage you’ve created that you’ll miss the rigorous Windows 2000 Server recertification requirements looming over all of us legacy MCSEs.