In-Depth
Sonic Boom! Windows 2002 Smashes the Barrier
The next version of Windows is a worthy upgrade from Windows 2000, addressing several weaknesses and adding needed functionality. A Windows expert briefs you on the features and the limitations.
- By Bill Boswell
- July 01, 2001
If you’ve ever taken a leisurely cross-country drive, you may have gone through the little town of Alton, Illinois. What makes Alton special is that it lies at the confluence of the two greatest rivers in North America, the Mississippi and the Missouri. When you stand at the bank where the two rivers mix, you feel part of a grand natural history. You also get a glimpse of the goo that’s been dumped in the rivers upstream of where you stand. Windows 2002 represents a great confluence as well, the merging of two 32-bit code bases that began life as Windows NT and Windows 95. All future Windows platforms will have the reliability and performance of the Windows 2000 code base, and the features and functionality of Windows Me. That’s not to say Windows 2002 is without its flaws. You’ll find more than a little goo here as well. But for now let’s focus on the dramatic parts of the scenery.
What’s in a Name?
Before we talk about features, let’s talk about names. Microsoft’s officially dubbed the desktop version of the OS “Windows XP,” as in “eXPerience the difference.” There will be two XP versions: XP Professional, designed for corporate desktops, and XP Home Edition, designed for consumer desktops. The Home Edition lacks many of the features needed for corporate network environments, like the ability to join a domain or take advantage of group policies to maintain a “managed” environment. (See “Windows XP: The Most Stable OS Yet.”)
For the server line, Microsoft’s decided to retain the year designator, so the products will be released as Windows 2002 Server, Advanced Server and Datacenter Server.
To avoid confusion, I’ll refer to the general product line as Windows 2002 and use the name XP only when specifically discussing the desktop products. The features I discuss here are based on Windows 2002 beta 2, build 2462.
What About Windows 2002?
So, now that you’re furiously preparing for your Windows 2000 certification before the clock strikes midnight on your Windows NT 4.0 title, are you starting to wonder if that, too, will be gone with the wind once Windows 2002 goes into heavy adoption?
Not to fear, IT pros. Microsoft’s latest pronouncements on the subject indicate that you should keep on your present path. Once you update your NT certification to 2000, it won’t be in any danger of quick extinction. According to Microsoft’s training and certification site (www.microsoft.com/trainingandservices), “MCSEs in the Windows 2000 track will not be required to pass Windows XP Professional/Whistler exams to retain MCSE certification.”
Microsoft adds that if you’re already working on your Win2K certification and want to upgrade to Windows 2002, you have that option. You can go solely for 2002 exams to finish up, or mix Win2K and 2002 exams. It won’t matter as far as your certification’s concerned.
Microsoft also says that skipping Win2K certification altogether and going straight to 2002 certification would be a mistake. Windows 2002 is built on top of Win2K, and you need grounding in the Win2K technologies to successfully use the next version. In other words, learn to walk before trying to run.
Of course, there aren’t any Windows 2002 exams available yet, and there’s no telling at this point when they’ll be available. The product, along with Windows XP, was scheduled to be released in the second half of this year, but that timetable (surprise!) appears to be slipping, to the point where Microsoft is now making noises about a Windows 2002 release in the first half of, appropriately enough, 2002.
—Keith Ward
[As of July 2001, Microsoft has another name for Whistler. It’s now to be called Windows .NET Server.—Ed.]
Improving Active Directory
Active Directory (AD) is the cornerstone of all current Windows server products. Windows 2002 makes nearly 400 changes to AD. Most involve housekeeping updates. Some support added features.
Many of those AD changes modify the contents of the AD schema. This means that upgrading a Win2K domain controller (DC) to Windows 2002 involves upgrading the schema as well. As with a classic NT domain upgrade, you must first upgrade the PDC Emulator. The schema changes replicate outward from there and are compatible with Win2K.
Two major AD changes in Windows 2002 correct subtle flaws in the initial release. One flaw involves the way connections are calculated between sites. In AD replication, one DC in each site has responsibility for mapping out connections between bridgeheads in its site to bridgeheads in other sites. This DC is called the Inter-Site Topology Generator, or ISTG; it’s generally the first DC promoted in the site. A service called the Knowledge Consistency Checker (KCC) running on the ISTG determines the necessary connections between bridgeheads based on a spanning-tree algorithm. The KCC service runs every 15 minutes and calculates the connection map for sites within the forest.
Large Win2K-based organizations with hundreds of sites can experience problems if the KCC calculations exceed the time allotted to them. If this happens, connections must be created and managed manually. Windows 2002 streamlines the inter-site connection calculations and dramatically improves the scalability of the directory replication infrastructure.
Another problem affects organizations of all sizes. It involves the way AD replicates the member attribute for groups. In Win2K, the member attribute replicates as a single entity. This causes problems if multiple administrators change the membership of the same group during the same replication cycle. For example, one administrator might add user Sally to the Sales group while, at the same time, another administrator might add user Henry to the same group. Only one of those modifications eventually ends up in all AD replicas. The other is lost.
Understandably, this causes distress to the user who expected to get new security permissions or to be included in an Exchange e-mail distribution list. Microsoft fixed the problem in Windows 2002 by separately replicating each Distinguished Name (DN) in the member list. Now, when Sally is added to the Sales group at the same time that Henry is added by another administrator, both updates end up in all AD replicas.
Unfortunately, these changes to the Windows 2002 replication engine are incompatible with Win2K. If you want the added functionality Windows 2002 server provides, you must first upgrade all your DCs to Windows 2002, then bump up the Functionality Level of the forest to enable the replication changes. Win2K AD is assigned Functionality Level 0. Windows 2002 can go to Level 1 once all DCs have been upgraded. This change to the Functionality Level is done at the command line using NTDSUTIL.
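The lost-update problem and its fix can be seen in miniature by simulating two replicas. The Python below is an added example, not code from the article or from Active Directory itself; the two replicas, the Sally and Henry edits and the version stamps are constructed, and AD’s real conflict resolution (version number, then timestamp, then originating DSA) is reduced to a single integer stamp.

```python
"""Simulate how a group's member attribute survives two concurrent edits when
it replicates as one unit (Win2K) versus one value at a time (Windows 2002).

Added example; not code from the article or from Active Directory. The two
replicas, the administrators' edits and the stamps below are constructed to
mirror the article's Sally-and-Henry scenario.
"""
from dataclasses import dataclass, field

BOB = "CN=Bob,OU=Sales,DC=example,DC=com"
SALLY = "CN=Sally,OU=Sales,DC=example,DC=com"
HENRY = "CN=Henry,OU=Sales,DC=example,DC=com"


@dataclass
class Replica:
    """One directory replica's copy of the Sales group's member attribute."""
    name: str
    members: set = field(default_factory=set)
    attr_stamp: int = 0                               # stamp of the whole attribute
    value_stamps: dict = field(default_factory=dict)  # stamp per member DN

    def add_member(self, dn, stamp):
        """A local write: bumps both the attribute stamp and the value's stamp."""
        self.members.add(dn)
        self.attr_stamp = stamp
        self.value_stamps[dn] = stamp


def replicate_whole_attribute(replicas):
    """Win2K behaviour: the member list is one unit, so the copy with the
    highest stamp wins everywhere and the other replica's edit is lost."""
    winner = max(replicas, key=lambda r: r.attr_stamp)
    for r in replicas:
        r.members = set(winner.members)
        r.attr_stamp = winner.attr_stamp
    return sorted(winner.members)


def replicate_per_value(replicas):
    """Windows 2002 behaviour: every DN carries its own stamp, so additions
    made on different replicas in the same cycle are merged, not overwritten."""
    merged = {}
    for r in replicas:
        for dn, stamp in r.value_stamps.items():
            if stamp > merged.get(dn, -1):
                merged[dn] = stamp
    for r in replicas:
        r.members = set(merged)
        r.value_stamps = dict(merged)
    return sorted(merged)


def concurrent_edit_scenario(per_value):
    """Two administrators add different users on different DCs inside one
    replication cycle; returns the membership every replica converges to."""
    dc1, dc2 = Replica("DC1"), Replica("DC2")
    for dc in (dc1, dc2):
        dc.add_member(BOB, stamp=100)      # already replicated everywhere
    dc1.add_member(SALLY, stamp=101)       # admin 1, on DC1
    dc2.add_member(HENRY, stamp=102)       # admin 2, on DC2, same cycle
    if per_value:
        return replicate_per_value([dc1, dc2])
    return replicate_whole_attribute([dc1, dc2])


if __name__ == "__main__":
    print("Win2K, whole attribute:", concurrent_edit_scenario(per_value=False))
    print("Windows 2002, per value:", concurrent_edit_scenario(per_value=True))
```

With whole-attribute replication DC2’s later stamp wins and Sally silently drops out of the group; with per-value stamps both additions survive. The security consequence of the old behaviour is exactly the one the article names: a user who was granted access on one DC can lose it without anyone removing it.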
Forest Management — Or Lack Thereof
One badly needed AD feature may not make it into Windows 2002: a prune-and-graft utility for moving domains into and out of an existing forest. Granted, the technological challenges of altering a forest are formidable. In a merge operation, two different AD schemas must be cross-connected, compared, copied, collated and combined without corrupting the AD database. In a prune operation, unique identifiers must be changed while retaining full functionality in the resultant forests. Future betas will probably include the ability to delete Class and Attribute objects from the schema, an action that isn’t currently supported. This ability might mature into a full-blown prune-and-graft utility.
Windows 2002 includes a stopgap until Microsoft (or a talented third-party company) can devise a prune-and-graft utility. The stopgap is a new trust type called a Forest Trust. This type of trust combines the two-way, transitive Kerberos authentication that makes a single forest so flexible with an external trust relationship similar to a classic NT trust.
Using a Forest Trust, you can create a two-way relationship between forests so that security principals from all domains in one forest can be placed on Access Control Lists (ACLs) in all domains in the other forest and vice versa. Names and Security IDs (SIDs) are published and not allowed to overlap. Organizations with diverse IT groups that don’t coordinate with each other—universities and governments come to mind, as do corporate conglomerates and outsourcing firms—can use Forest Trusts to knit together disparate pieces of their AD. Like the changes to the replication engine, Forest Trusts also require Functionality Level 1, meaning that all DCs must be running Windows 2002.
Forest Trusts aren’t a panacea for inter-forest operations. For one thing, they aren’t transitive between multiple forests; Forest A and Forest C can’t share security principals through a common trust with Forest B. Forests connected by Forest Trusts also don’t share a common schema, making it difficult to deploy applications and management tools that rely on AD.
The remaining AD improvements aren’t nearly as obvious as those previously mentioned, but they go a long way toward making Windows 2002 a desirable upgrade from Win2K. They include:
- The ability to cache Global Catalog (GC) queries at a standard DC. Under Win2K, users can’t log on without physical connectivity to a GC. In Windows 2002, users with access to a local DC can continue to log on even if they’ve lost contact with a GC.
- The ability to create an ad-hoc Naming Context (NC) to hold application objects that don’t need to be replicated throughout a forest.
- An improved version of the AD Migration Tool that can preserve passwords and profiles when migrating users between domains.
- Support for RFC 2589 dynamic LDAP entries. This permits putting time-dependent information in the Directory, such as a user’s current location.
- Support for RFC 2830 secure connections over Transport Layer Security (TLS) when sending LDAP queries to a DC.
- The ability to use a tape backup of the AD database (NTDS.DIT) to populate the database on a new DC. This greatly simplifies DC deployments in situations where it’s not practical to ship an entire server.
- Increasing the maximum number of objects stored in the Directory to more than a billion. Replicating updates to such a monster database might turn into something of a strain, but all that headroom is reassuring.
Windows 2002 Answers The 64-Bit Question
In spite of a long and sometimes painful path to market, platforms based on Intel’s new Itanium processor will be debuting soon. Without an operating system, these 64-bit Intel Architecture (IA-64) systems would be nothing more than expensive plant stands, so much of the impetus in getting Windows 2002 out the door is to have a Windows operating system ready for Itanium. After all, 64-bit distributions of Linux are already circulating in alpha/beta form.
As you might expect, IA-64 systems function quite a bit differently than their IA-32 cousins. One difference that will have an immediate effect on system administrators is the Extensible Firmware Interface, or EFI. The EFI configures the system, stores this configuration information, and reports it to the OS upon request. If you’ve ever worked with Alpha or RISC systems, you’ll be comfortable working with the EFI.
One EFI function is to prepare the system’s mass storage devices. IA-64 systems use a new disk partitioning scheme called GUID Partition Tables, or GPTs. GPT disks can host large partitions more effectively than Master Boot Record (MBR) disks. They also don’t have many of the special gimmicks and hidden partitions that litter the MBR disk landscape.
A GPT disk partition contains a Globally Unique Identifier, or GUID, that acts as a reference for cataloging the partition in the operating system’s object namespace. This eliminates name collisions. The partition header also contains a “friendly name” similar to the volume name on MBR disks, along with a code that identifies the partition’s purpose. For example, every GPT disk has a single EFI System Partition (ESP) that contains the operating system’s bootstrap files. It also has a single Microsoft Reserved Partition (MSR) that contains the database used to manage dynamic disks and an OEM partition that contains disk utilities provided by the hardware vendor (similar in function to the system partitions used by Compaq). There are data partitions, as well. As IA-64 systems gain market share, you can expect to see updates to the classic disk-management tools.
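To make the partition description above concrete, here is an added Python example (not code from the article, Microsoft or Intel) that builds a small GPT partition entry array in memory and decodes it. The three partition type GUIDs are the public EFI and Microsoft values; the LBA ranges and friendly names are constructed, and the GPT header with its CRC32 fields is left out.

```python
"""Build and decode GPT partition-table entries of the kind the article
describes: a type GUID that states the partition's purpose, a unique GUID
that names the partition, and a UTF-16 friendly name.

Added example; not code from the article, Microsoft or Intel. The partition
type GUIDs are the public EFI/Microsoft values; the entry array below is
constructed in memory, not read from a device.
"""
import struct
import uuid

# Public partition type GUIDs for the partitions the article names.
PARTITION_TYPES = {
    "C12A7328-F81F-11D2-BA4B-00A0C93EC93B": "EFI System Partition (ESP)",
    "E3C9E316-0B5C-4DB8-817D-F92DF00215AE": "Microsoft Reserved Partition (MSR)",
    "EBD0A0A2-B9E5-4433-87C0-68B6B72699C7": "Basic data partition",
    "00000000-0000-0000-0000-000000000000": "Unused entry",
}

# type GUID, unique GUID, first LBA, last LBA, attribute flags, UTF-16LE name (36 code units)
ENTRY_FORMAT = "<16s16sQQQ72s"
ENTRY_SIZE = struct.calcsize(ENTRY_FORMAT)   # 128 bytes


def build_entry(type_guid, first_lba, last_lba, name, attributes=0, unique_guid=None):
    """Serialise one 128-byte partition entry. GPT stores GUIDs with the first
    three fields little-endian and the rest big-endian; uuid's bytes_le is
    exactly that layout."""
    unique = unique_guid or uuid.uuid4()
    name_bytes = name.encode("utf-16-le")
    if len(name_bytes) > 72:
        raise ValueError("GPT partition names are limited to 36 UTF-16 code units")
    return struct.pack(ENTRY_FORMAT, uuid.UUID(type_guid).bytes_le, unique.bytes_le,
                       first_lba, last_lba, attributes, name_bytes.ljust(72, b"\0"))


def parse_entry(raw):
    """Decode one entry into a dict, mapping the type GUID to its purpose."""
    type_le, unique_le, first, last, attrs, name_raw = struct.unpack(ENTRY_FORMAT, raw)
    type_guid = str(uuid.UUID(bytes_le=type_le)).upper()
    return {
        "type_guid": type_guid,
        "purpose": PARTITION_TYPES.get(type_guid, "Unknown type"),
        "unique_guid": str(uuid.UUID(bytes_le=unique_le)).upper(),
        "first_lba": first,
        "last_lba": last,
        "attributes": attrs,
        "name": name_raw.decode("utf-16-le").rstrip("\0"),
    }


def parse_entry_array(blob, entry_size=ENTRY_SIZE):
    """Walk a partition entry array, skipping unused (all-zero type) slots."""
    entries = []
    for offset in range(0, len(blob) - entry_size + 1, entry_size):
        entry = parse_entry(blob[offset:offset + entry_size])
        if entry["purpose"] != "Unused entry":
            entries.append(entry)
    return entries


def sample_entry_array():
    """Constructed layout mirroring the article: ESP, MSR, a data partition,
    then one empty slot."""
    return b"".join([
        build_entry("C12A7328-F81F-11D2-BA4B-00A0C93EC93B", 34, 204833, "EFI system partition"),
        build_entry("E3C9E316-0B5C-4DB8-817D-F92DF00215AE", 204834, 466977, "Microsoft reserved partition"),
        build_entry("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7", 466978, 20971486, "Basic data partition"),
        bytes(ENTRY_SIZE),
    ])


if __name__ == "__main__":
    for p in parse_entry_array(sample_entry_array()):
        print(f'{p["purpose"]:<36} LBA {p["first_lba"]}-{p["last_lba"]}  "{p["name"]}"')
```

On a real disk the entry array is preceded by a GPT header whose CRC32 fields cover both the header and the array; a tool that trusts the purpose codes should verify those checksums first, and should expect the mixed-endian GUID byte order that the parser above handles through `bytes_le`.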
You can get more information about GPT disks at www.microsoft.com/hwdev/storage/Windows 2002-GPT_FAQ.htm. For more information on IA-64 systems and EFI, visit developer.intel.com/design/IA-64/presentation.htm.
Server Administration In Your PJs
In The Legend of Sleepy Hollow, Washington Irving told of a mysterious apparition that could ride a horse just like an ordinary man even though he had no head. I’m sure Irving would be proud to know that he could inspire a feature in a piece of technology as foreign to 18th-century New England as chocolate-covered bananas on a stick.
A headless server has no mouse, no keyboard and no video card. The goal of headless server technology is to deliver “lights-out” server room operation. Barring hardware failures, you should be able to sit at home and manage any Windows 2002 system. If you have a broadband connection, you can configure your server room and download a movie trailer for The Lord of the Rings at the same time.
You communicate with a headless server in one of three ways: Remote Desktop, a terminal server session providing a full User Interface (UI); Console Management, which gives access through a telnet session or remote shell console; and Out-of-Band Management, which works through a serial port console.
Remote Control
The core operating system components of both Windows 2002 and Win2K incorporate the multi-user architecture initially developed by Citrix. (Citrix is still going strong with add-on products that leverage their ICA communications protocol. See www.citrix.com for details.) In Windows 2002 the technology has been given a new name, Remote Desktop, and an expanded feature set.
The two-session remote administration mode that was introduced as an option in the Win2K Server family has been made a fixed component for every Windows 2002 server. You don’t need to install any additional services or pay additional license fees. You only pay a fee if you install terminal services in Application Sharing mode.
In addition, every XP Professional desktop supports a single-session Remote Desktop connection. This permits an administrator to connect to the desktop to resolve problems or install software. XP also has a Remote Assistance feature that permits a user to “invite” an administrator to interact with the local desktop. This lets a Help Desk technician with appropriate permissions connect to the user’s desktop and troubleshoot or demonstrate how to use an application.
The underlying Remote Desktop Protocol (RDP) has been enhanced with features that have, up until now, only been available with Citrix MetaFrame and ICA clients, including true 24-bit color and high-resolution video instead of the 256-color, 800x600 sessions currently supported by terminal services; automatic client drive, printer, and serial port redirection, enabling a user with a Remote Desktop session from a PC to see the PC’s peripherals from within the Remote Desktop session; and audio redirection.
With these enhancements, you can manage all aspects of a server (or an XP desktop, for that matter) from a terminal session. Figure 1 shows an example of the MMC-based Remote Desktop console. With appropriate VPN connections through your firewall, you can manage your entire server farm across the Internet at virtual wire speeds.
Figure 1. The MMC-based remote desktop console in Windows 2002 can maintain multiple connections.
Command Performance
In the past Microsoft has been—well, let me be kind—a little reluctant to support a command-line environment. After all, Windows is all about sizzling graphics and cool special effects. But for rapid, efficient server management, you just can’t beat a console session.
In the last couple of years, Microsoft has done an about-face and added many features to improve console administration. Windows Script Host, for example, provides native support for VBScript and JScript along with the ability to call other script engines. If you’ve taken a look at the Win2K Server Resource Kit, you’ll find a copy of ActivePerl and a pile of Perl scripts. Getting command-line access is easier, too. All versions of Win2K and Windows 2002, except for XP Home Edition, ship with a decent telnet service.
(Note: Unfortunately, Microsoft didn’t provide a Secure Sockets Layer (SSL) version of telnet in either Win2K or Windows 2002. So, while you can use NTLM authentication to initiate a telnet session, the ongoing telnet communication isn’t encrypted. This means that security-conscious administrators still need third-party telnet tools that don’t reveal data streams.)
Microsoft improves console functionality still more in Windows 2002 by including lots and lots of new command-line utilities in the core product, rather than tossing them in the Resource Kit. This means the utilities are supported and documented and have a consistent syntax. Many of the utilities permit you to specify another computer with alternate credentials to simplify enterprise management. The list of new command-line utilities includes:
- Bootcfg—Manage the contents of BOOT.INI so you can change the boot order from a command line.
- Tasklist—A much-enhanced version of the tlist utility that displays the executable, PID, status, memory usage, user name and session number (for processes running in multi-user terminal service sessions).
- Driverquery—Dumps a list of the running drivers (as opposed to the processes shown in Tasklist) and their parameters.
- DS utilities—A set of utilities for adding, modifying, removing, querying and moving directory service objects.
- Event log utilities—A set of utilities that lets you create your own ad-hoc log entries, look for a specific type of Event Log entry, and initiate an executable or script when a matching entry occurs. This has been a long time coming.
- RSOP—Windows 2002 includes a Resultant Set of Policies MMC snap-in that calculates and displays the policies applied to any user or computer based on their position in AD. A command-line version of this tool, GPResult, produces the same information as console output. This utility is an absolute must for troubleshooting group policies.
- FSUtil—A quick way to handle various common file system chores. For example, if you wanted to turn off short file name generation, you could enter:
fsutil behavior set disable8dot3 on
- Windows Management Instrumentation Commands (WMIC)—For my money, the most exciting of all the new technologies that have come from Microsoft in the last few years is Windows Management Instrumentation (WMI). You can learn just about anything about a system from a properly constructed WMI script. For those administrators who’d rather open an artery than do programming, Windows 2002 includes a console utility called WMIC that permits you to get a quick listing of any of the WMI base classes. Figure 2 shows a telnet session with a partial list of the available classes. Just enter the class name and, voilà, out comes a columnized report of all the properties.
Figure 2. This telnet console shows the WMI classes available in WMIC.
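The event log trigger idea from the list above, as an added Python example (not the article’s or Microsoft’s code): records from a constructed tab-separated export are matched against rules on log, source, event ID and type, with an optional count threshold, and a stand-in action records what would have been launched.

```python
"""Evaluate Event Log records against trigger rules and launch an action
when a rule fires: the pattern behind the event log utilities the article
describes.

Added example; not the article's or Microsoft's code. The tab-separated
records, the trigger rules and the action are constructed for the
demonstration: no Event Log is read, and the action only records what it
would have launched.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    log: str            # System, Security, Application
    source: str
    event_id: int
    event_type: str     # Error, Warning, Information, Audit Success, Audit Failure
    message: str


@dataclass(frozen=True)
class Trigger:
    name: str
    log: str
    event_id: Optional[int] = None      # None = any
    source: Optional[str] = None
    event_type: Optional[str] = None
    threshold: int = 1                  # fire once this many records have matched

    def matches(self, ev):
        return (ev.log == self.log
                and (self.event_id is None or ev.event_id == self.event_id)
                and (self.source is None or ev.source == self.source)
                and (self.event_type is None or ev.event_type == self.event_type))


def parse_record(line):
    """Constructed export format: log, source, event id, type, message (tab-separated)."""
    log, source, event_id, etype, message = line.rstrip("\r\n").split("\t", 4)
    return Event(log, source, int(event_id), etype, message)


def run_triggers(lines, triggers, action):
    """Feed each record to every trigger; call action(trigger, event) each time a
    trigger is at or past its threshold. Returns the names that fired, in order."""
    counts = {t.name: 0 for t in triggers}
    fired = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_record(line)
        for t in triggers:
            if t.matches(ev):
                counts[t.name] += 1
                if counts[t.name] >= t.threshold:
                    action(t, ev)
                    fired.append(t.name)
    return fired


# Constructed records in the shape of a tab-separated Event Log export.
SAMPLE_RECORDS = [
    "System\tDisk\t7\tError\tThe device, \\Device\\Harddisk0\\DR0, has a bad block.",
    "Security\tSecurity\t529\tAudit Failure\tLogon Failure: unknown user name or bad password (user: jsmith)",
    "Application\tESENT\t100\tInformation\tThe database engine started.",
    "Security\tSecurity\t529\tAudit Failure\tLogon Failure: unknown user name or bad password (user: jsmith)",
    "Security\tSecurity\t529\tAudit Failure\tLogon Failure: unknown user name or bad password (user: jsmith)",
    "System\tService Control Manager\t7034\tError\tThe Print Spooler service terminated unexpectedly.",
]

SAMPLE_TRIGGERS = [
    Trigger("disk-error", log="System", source="Disk", event_type="Error"),
    Trigger("service-crash", log="System", event_id=7034),
    Trigger("repeated-logon-failures", log="Security", event_id=529,
            event_type="Audit Failure", threshold=3),
]


def demo():
    """Run the constructed records through the constructed rules; the action is
    a stand-in for launching a script and just notes what it would have run."""
    launched = []

    def action(trigger, ev):
        launched.append(f"{trigger.name}: would run handler for {ev.log} event {ev.event_id}")

    fired = run_triggers(SAMPLE_RECORDS, SAMPLE_TRIGGERS, action)
    return fired, launched


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

The threshold on the logon-failure rule is the detail worth copying: a single bad password is noise, while three in a row from the same account is something a script should react to.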
Out-of-Band Management
Remote Desktop and telnet can keep you in command of a server only so long as you have a network connection to it. But what to do if a server has a problem that prevents it from coming up on the network? You need an Out-Of-Band (OOB) management interface to do your diagnostic work.
Windows 2002 includes an OOB feature set called Emergency Management Services, or EMS. You enable EMS by placing a couple of redirect statements in BOOT.INI. If you’ve ever worked with a debug session on NT or Win2K, you’ll quickly get the hang of EMS.
The primary interface to EMS is a serial port console called the Special Administration Console, or SAC. You can connect to the SAC console using another PC via a null-modem cable, or you can use a modem or a port on a classic serial-interface terminal server. The current beta doesn’t include support for USB or FireWire connections.
The SAC console provides a suite of functions such as killing a process or restarting the system. Figure 3 shows the SAC console seen from HyperTerminal. EMS also includes a !SAC console that gives OOB access in the event of a system failure. You can use !SAC to view log entries, then restart the server. The shift from SAC to !SAC happens automatically in the event of a blue screen stop.
Figure 3. The SAC console seen from HyperTerminal.
Windows 2002 includes native support for using the Remote Installation Service, or RIS, to install servers. You can also use RIS to install Windows 2002 on a headless server. Windows 2002 has a special Startrom.com image that redirects the OSChooser menus and character-based output to the server’s serial port. You connect to the serial port, select an image from the installation list, then let the RIS client do its thing. With a properly prepared RIS setup script in place, Setup will finish its chores automatically. In 30 to 40 minutes you can make a Remote Desktop or telnet connection to the server and finish configuring it.
A Quick Recovery
When the drive or array holding the OS decides to go to that big spindle in the sky—notice I say “when,” not “if” (I’m pretty cynical about these things)—you find yourself in something of a quandary. To restore the operating system, you must first install an OS so you can install your tape backup software, mount last night’s tape and restore the original contents of the drive. Installing a fresh OS takes time, and if your server uses an OEM HAL or needs special drivers, you’ll spend even more time rooting around for driver disks.
What’s needed is a quick and easy way to recover the OS drive. Nearly all third-party backup applications have an emergency recovery feature of one form or another, and Microsoft includes one in Windows 2002. The feature is called Automated System Recovery (ASR).
ASR takes a snapshot of the operating system partition and saves it to tape (or a file, if you choose). ASR also saves configuration information to a floppy. To perform an ASR restore, boot to the Setup CD and press F5 when prompted. This starts the ASR Wizard. You then mount the ASR tape in the tape drive and the configuration floppy in the floppy drive, click a couple of items in the Wizard, and sit back. The ASR routine partitions the drive based on the original partition information and restores the operating system from the files on the tape. If you’ve made any changes since the last ASR snapshot, you can go on to restore the partition from the last tape backup.
ASR requires that you have an attached tape drive or a drive with media that can be read by the files loaded by the Setup CD. This could require you to install a SCSI card (or FireWire board, or some other mass storage interface) temporarily into the server. That’s still faster than doing a full-blown OS install.
ASR isn’t a replacement for a true image backup such as eSupport Essentials from Previo Inc. (formerly Stac Software). It does, however, give you a fast, straightforward way to get your system back on the road to wellness.
Best Of The Rest
Every list has a miscellaneous section. For example, whenever I’m asked to list the Seven Dwarves, I always say, “Grumpy, Dopey, Sneezy, Doc, and miscellaneous.” The term miscellaneous may make you think trivial, but frankly, when it comes to simplifying day-to-day administrative chores, I find myself relying quite a bit on little miscellaneous features. Here are a few in Windows 2002.
Without question, the most difficult part of designing an AD domain is deciding how best to configure DNS. Integrating AD into an existing DNS infrastructure can sometimes cause strain in even the most collegial IT groups.
One way of getting around DNS hassles is setting up a Windows DNS server that’s authoritative for the AD domain and forwards all other requests to the main DNS server. This can be difficult to configure, though, if the organization has several DNS domains or maintains extranet connections to outside organizations with their own DNS infrastructure.
Windows 2002 DNS makes it possible to configure forwarding to particular servers based on the domain name associated with the query. For instance, you can forward queries for a subsidiary domain to that subsidiary’s DNS server and all other requests to the main DNS server or to an ISP’s DNS server. Figure 4 shows what this configuration looks like in the DNS Management console.
Figure 4. The Forwarders tab from the DNS Management console, showing conditional forwarding.
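As an added example of the conditional forwarding decision (not the article’s or Microsoft’s code), the Python below picks a forwarder by longest matching domain suffix and answers locally for the zone the server hosts; zone names and server addresses are constructed from the documentation ranges, and nothing is sent on the wire.

```python
"""Choose where to forward a DNS query when forwarding is conditional on the
domain name, as the article describes for Windows 2002 DNS.

Added example; not the article's or Microsoft's code. It only decides which
forwarder a query would go to (longest matching domain suffix wins, locally
hosted zones are answered locally); it sends no DNS traffic. Zone names and
server addresses are constructed from documentation address ranges.
"""


def labels(name):
    """Normalise a DNS name to a tuple of lower-case labels with no trailing dot."""
    return tuple(name.rstrip(".").lower().split("."))


class ConditionalForwarder:
    def __init__(self, default_forwarders, authoritative_zones=()):
        self.default = list(default_forwarders)
        self.local_zones = {labels(z) for z in authoritative_zones}
        self.rules = {}   # zone labels -> forwarder list

    def add_rule(self, domain, forwarders):
        """Forward queries for `domain` and everything below it to `forwarders`."""
        self.rules[labels(domain)] = list(forwarders)

    def select(self, qname):
        """Return the forwarder list for `qname`, or None if it is answered from
        a locally hosted zone. Suffixes are tried from the full name down to the
        TLD, so the most specific rule wins even when a broader one also covers
        the name."""
        q = labels(qname)
        for i in range(len(q)):
            suffix = q[i:]
            if suffix in self.local_zones:
                return None
            if suffix in self.rules:
                return self.rules[suffix]
        return self.default


def sample_forwarder():
    """Constructed setup: this server hosts the AD zone corp.example, sends a
    subsidiary's and a partner's names to their own servers, and everything
    else to the ISP resolver."""
    fw = ConditionalForwarder(default_forwarders=["203.0.113.1"],
                              authoritative_zones=["corp.example"])
    fw.add_rule("subsidiary.example", ["198.51.100.53"])
    fw.add_rule("hr.subsidiary.example", ["198.51.100.80"])   # more specific rule
    fw.add_rule("partner.example", ["192.0.2.53", "192.0.2.54"])
    return fw


if __name__ == "__main__":
    fw = sample_forwarder()
    for name in ("dc01.corp.example", "www.subsidiary.example.", "payroll.hr.subsidiary.example",
                 "mail.partner.example", "www.example.net"):
        print(f"{name:<32} -> {fw.select(name) or 'local zone'}")
```

Checking the local zones before the forwarding rules matters: a rule for a broad suffix must never pull queries for the AD zone itself away from the server that is authoritative for it.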
Credentials Caching
It seems that no matter how well you construct your AD forest, you end up with servers that aren’t members of a domain in the forest. You may have standalone servers in your DMZ or application servers whose owners refuse to join them to a domain. Or you may work in an outsource firm with VPN connections to customer servers in a variety of domains. For whatever reason, at some point you find yourself in multiple password purgatory.
Windows 2002 alleviates some of the problems of handling multiple passwords by storing them in a special credentials cache. The cache stores alternate credentials for servers that aren’t in your domain or forest.
The credentials cache is encrypted with the user’s master encryption key and stored in the non-roaming portion of the user profile, similar to the way the system handles Encrypting File System keys.
Device Driver Rollback
How many times have you updated a device driver and watched your system disappear into the Blue Screen of Death? Win2K has a few recovery options. You can try booting to the Last Known Good Configuration, but this only restores the old Registry key, not the original driver. Blue screen again. You can try booting to Safe Mode, but if the driver was part of the initial critical system drivers, it’s hello, Mr. Blue Screen once again. Ultimately, you can boot to the Recovery Console and disable the service or replace or rename the driver. This leaves you with the chore of replacing the driver with the original, which might not be readily available.
Windows 2002 has a new feature called driver rollback. When you replace a device driver, the old driver and its associated Registry entries are saved. If the new driver causes problems, you can boot to Safe Mode, open the properties for the device, and roll back to the original driver. Figure 5 shows the rollback option for a network card driver. If the driver affects a critical system function, you can boot to the Recovery Console, rename the driver to get past the blue screen, then use rollback to restore the original driver.
Figure 5. The device driver rollback option in Device Manager.
NTFS Permissions Calculator
The introduction of inheritable permissions in Win2K added a lot of flexibility to managing large and complex NTFS file systems. Flexibility is inextricably linked to complexity, though, and it can be a little frustrating to determine who has what permissions at any given point in a deep NTFS directory structure.
Windows 2002 improves this situation quite a bit by including an Effective Permissions window as part of the ACL editor. Figure 6 shows an example. All you need to do is open the Security properties for a particular folder or file, select the Effective Permissions tab, and enter the name of a user or group; the display shows you the permissions that would be applied.
Figure 6. The Effective Permissions tab of the NTFS Security Settings window.
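The calculation such an Effective Permissions tab performs can be modelled in a few dozen lines. The Python below is an added example, not the article’s or Windows’ code; it implements the canonical ACE ordering (explicit before inherited, deny before allow, nearer ancestor first) and the first-match rule over a constructed folder tree, and leaves out share permissions, ownership and EFS.

```python
"""Compute the effective permissions a user holds on a folder in an
NTFS-style tree with inheritable permissions.

Added example; not the article's or Windows' code. It implements the rules
an effective-permissions calculation rests on: explicit ACEs are evaluated
before inherited ones, deny before allow within each group, nearer ancestors
before farther ones, and the first ACE that names a right decides it. The
folder tree, users and groups are constructed; share permissions, EFS and
ownership are left out.
"""
from dataclasses import dataclass, field
from typing import List

RIGHTS = ("Read", "Write", "Execute", "Delete", "ChangePermissions", "TakeOwnership")
FULL_CONTROL = frozenset(RIGHTS)


@dataclass(frozen=True)
class Ace:
    trustee: str              # user or group name
    allow: bool               # False = deny ACE
    rights: frozenset
    inheritable: bool = True  # propagates to subfolders


@dataclass
class Folder:
    aces: List[Ace] = field(default_factory=list)  # explicit ACEs set on this folder
    protected: bool = False                        # True = "do not inherit from parent"


def ancestors(path):
    """Parent paths nearest-first: 'C:\\Data\\Sales' -> 'C:\\Data', 'C:'."""
    parts = path.split("\\")
    return ["\\".join(parts[:i]) for i in range(len(parts) - 1, 0, -1)]


def ordered_aces(tree, path):
    """ACEs for `path` in canonical evaluation order."""
    def deny_first(aces):
        return sorted(aces, key=lambda a: a.allow)   # False (deny) sorts before True
    ordered = deny_first(tree[path].aces)
    if tree[path].protected:
        return ordered
    for parent in ancestors(path):
        ordered += deny_first(a for a in tree[parent].aces if a.inheritable)
        if tree[parent].protected:   # the parent itself inherits nothing further up
            break
    return ordered


def effective_permissions(tree, path, user, groups):
    """Rights the user would be granted on `path`. Every token also carries
    the Everyone group, so it is added here."""
    token = {user, "Everyone", *groups}
    granted = set()
    for right in RIGHTS:
        for ace in ordered_aces(tree, path):
            if ace.trustee in token and right in ace.rights:
                if ace.allow:
                    granted.add(right)
                break   # the first ACE naming this right decides it
    return granted


def sample_tree():
    """Constructed layout: Sales staff get change rights under C:\\Data, a
    contractor group is denied Delete under Sales, and HR blocks inheritance."""
    return {
        "C:": Folder([Ace("Administrators", True, FULL_CONTROL),
                      Ace("Everyone", True, frozenset({"Read", "Execute"}))]),
        "C:\\Data": Folder([Ace("Sales", True, frozenset({"Read", "Write", "Execute", "Delete"}))]),
        "C:\\Data\\Sales": Folder([Ace("Contractors", False, frozenset({"Delete"}))]),
        # An explicit allow on the subfolder is evaluated before the inherited deny.
        "C:\\Data\\Sales\\Reports": Folder([Ace("pat", True, frozenset({"Delete"}))]),
        "C:\\Data\\HR": Folder([Ace("HR", True, frozenset({"Read", "Write", "Execute"}))],
                               protected=True),
    }


if __name__ == "__main__":
    tree = sample_tree()
    for folder in ("C:\\Data\\Sales", "C:\\Data\\Sales\\Reports", "C:\\Data\\HR"):
        rights = effective_permissions(tree, folder, "pat", {"Sales", "Contractors"})
        print(f"{folder:<26} {sorted(rights)}")
```

The Reports subfolder shows the trap the calculator exists to catch: the inherited deny on Contractors blocks Delete in C:\Data\Sales, yet an explicit allow one level down is evaluated first and hands Delete back, so the deny an administrator relied on quietly stops applying there.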
What’s Not So Hot
At the beginning of this article, I said there was some goo as well as glory in Windows 2002. One of the gooiest, stickiest and messiest of the new features involves copy protection.
There’s no doubt whatsoever that piracy runs rampant throughout the world. Who knows how many millions of copies of software are used daily without a nickel going to the vendor that created and marketed that software? Vendors have tried many forms of copy protection over the years to control this unlicensed use of their products. Except for niche, high-value products, though, the marketplace has rejected most copy protection schemes—not because users in the marketplace like stealing software, but because most copy protection schemes place an inordinate burden on the administration of the product.
Starting with Windows 2002 (and Office XP as well), Microsoft has decided to cross the copy protection Rubicon with a product activation feature designed to ensure that each particular copy of Windows 2002 is installed on one—and only one—computer. Each retail copy of Windows 2002 must be activated within 30 days of installation. If you fail to activate the product, it’ll cease to function in any way except to support the product activation process.
Activation’s managed by a service called Out-of-Box-Experience, or OOBE. The interface for the service takes the form of an Activation Wizard. During the initial operating system installation, Setup prompts for the 25-character Product Key printed on the jewel box or CD sleeve. This uniquely identifies a single instance of the product.
At the first logon following Setup, the Activation Wizard launches and calculates an Installation ID. This ID is derived from certain key hardware items. Microsoft hasn’t (and probably won’t) reveal which components go into the algorithm. More on this in a moment.
The Wizard then contacts an activation center clearinghouse to obtain an Activation ID. This can be done across the Internet if you have an existing connection or by modem. The ID can also be obtained from a customer support center, which has a local phone number in almost every country. The Activation Wizard prompts you with the Installation ID and gives you a place to enter the (very long) Activation ID. Figure 7 shows an example.
Figure 7. The Product Activation Wizard, showing Installation ID and entry form for Activation ID.
The good news, at least for corporate users, is that product activation is only required for retail versions of Windows 2002. Products purchased under volume agreements or master licensing arrangements are exempt from per-seat activation. The master license itself must be activated, but only once.
There are dozens of issues involved in product activation, most of them centering around privacy and maintenance. Let me cover a few highlights.
If maintenance work doesn’t touch the hardware used in the activation calculation, then nothing happens. Microsoft won’t say exactly what hardware goes into the calculation, but it doesn’t appear to include network cards, video boards, or the like.
If you reinstall the operating system on the same machine, then reactivation takes place automatically (if you have an Internet or modem connection). Somewhere in the bowels of Microsoft, the Activation Wizard modifies a database record to indicate that Product Key XXXXXXX has been reinstalled using the same Activation ID and that’s that. The same is true if you phone a customer service center.
If you replace key hardware components, move the operating system drive to another machine, or reinstall the same Product ID on different hardware, then you’ll need to contact a customer service center to explain the circumstances and get a new Installation ID. Support centers are open 24x7.
This copy protection scheme will undoubtedly have lots of growing pains. It’s been in operation for a while in Australia and some Pacific Rim countries and is now making its North American and European debut with Office XP.
Is Windows 2002 Worth The Wait?
Administrators often ask, “Should we postpone our Win2K server migration and wait for Windows 2002?” If I may borrow a phrase from my nuclear submarine days, “Proceed all ahead flank with Win2K and don’t spare the neutrons.” The sooner you can get out from under the limitations of classic NT, the better. You can always upgrade to Windows 2002 when it becomes available.
The features in Windows 2002 make it a compelling upgrade opportunity. The new Forest Trust gives large organizations the design flexibility to quickly absorb and divest business units. The replication engine modification that treats individual group members as discrete units gives administrators the freedom to modify group membership on any DC without worrying about stepping on each other’s work. The new Terminal Server features make Windows 2002 truly competitive with Citrix MetaFrame in features and performance. Best of all is the ability to manage a group of servers quickly and easily using command-line utilities and scripts.
Final release of Windows 2002 server is still months away. Microsoft hasn’t firmed up packaging or pricing. Beta 2 of Server and Advanced Server are available for evaluation. Get a copy and start testing in your lab. I think you’ll like what you see.