What Windows Server 2003 Can Do for You
You've migrated from Windows 2000 in the last year, so why the rush to Windows 2003? Bill examines the pros and cons.
- By Bill Heldman
- May 01, 2003
I'm an impulsive kind of guy. Given a few bucks in my pocket and some
sort of toy, tool, car, electronics gizmo or appliance, I'm likely to
spring and buy it right away. Why wait? Life is short and you might as
well enjoy the toys while you're still young enough to do so.
Which is why I'm jealous of those of you who are cautious and pragmatic
when it comes to waiting on new releases of software. Me? I installed
SMS 2.0 at a client site when it was first released—okay, I installed
Release Candidate 1. Boy howdy, I paid for that mistake big-time.
The initial SMS 2.0 code simply wasn't ready for prime-time. It took two
service packs for the code to become stable and useful and, even at SP3,
you still probably wouldn't consider using Software Metering as a part
of your routine SMS offerings—at least in mid- to large shops.
So my hat's off to you folks who waited with Windows 2000 Server before
installing. Perhaps you're running an all-Windows NT 4.0 shop (and chewing
your nails because of the impending support drop by Microsoft), or maybe
you've got a Win2K test lab running but haven't actually implemented any
servers in production. Most likely, you've got a couple of Windows 2000
boxes running but no Domain Controllers. And you certainly haven't flipped
the native-mode switch yet.
If this is you—i.e., you're the type that waits for the second model
year before buying a new car just so you can be sure they've worked the
bugs out—I think that you're going to:
- save yourself a lot of pain over those who've already completed their
NT 4.0/Win2K conversions, and
- there are a ton of good reasons to switch directly from NT
to Windows Server 2003.
Let's talk about some of the reasons why you should consider an upgrade
to Windows Server 2003. Incidentally, if you've already completed your
conversion to Win2K, I think there is plenty of impetus to move forward
into the new product. I've listed the most compelling reasons for beginning
your Windows Server 2003 architecture and design now. (Incidentally, I
view Windows Server 2003 as that next model year, not as a release of
brand new code. Yes, you can expect service packs to come out for Windows
Server 2003 and beyond, and no, I don't think you should wait for SP1.)
First Things First
Understand that there are now four versions of Windows Server 2003:
Server, Enterprise, Datacenter and Web. There are distinct reasons why
you'd pick one version over the other, some more important than others.
For example, if you're just itching to get into 64-bit code and you've
got servers with Itanium processors capable of running the code, then
you can run Windows Server 2003 Enterprise or Datacenter, both of which
are available in 64-bit editions. (Note that it might be awhile before
a plethora of 64-bit applications are available for the OS. We underwent
this phenomenon when the OS was upgraded to 32-bit.)
Also, clustering is not available in plain old Windows Server 2003, only
in Enterprise and Datacenter. If you've got some clustered environments
deployed, then you'll need to purchase Enterprise. (Datacenter is generally
saved for large, expensive equipment such as the Unisys
Interestingly, symmetric-multiprocessing (SMP), the idea of the OS being
able to use more than one microprocessor in some sort of intelligent load-sharing
capacity, is not available in the Web edition of Windows Server 2003.
My guess is that Microsoft wrote the Web code for 1U rack-based servers
that typically make up large Web environments.
Rather than chew up words trying to explain the version differences,
see this URL for the complete table: http://www.microsoft.com/windowsserver2003/
Got NT Domains?
If you've not yet converted from NT 4.0 (or NT 3.51, for that matter)
and you have a fairly large, diversified campus, then your chief reason
for doing so will be Active Directory. AD is essentially a catalog of
users, computers and other information that is shared across the DCs in
an AD environment using the Lightweight Directory Access Protocol (LDAP)
and conforming to the X.500 standard (see www.webopedia.com
and key in LDAP for good links on this subject). There are some updates
in Windows Server 2003's AD that folks have been anxiously waiting for:
- Active Directory Migration Tool (ADMT) version 2, the tool
that allows you to migrate users from the old stuff to the new, ships
with Windows Server 2003. The chief benefit from this updated ADMT tool
is that you can also migrate your user's passwords. Imagine the Win2K
days, migrating a thousand users, resetting their passwords along the
way, then having to worry about all the help-desk calls the following
Monday in which the customer care folks try to walk users through a
password change. You've been there; you know what I'm talking about.
ADMT 2 fixes that problem.
- A new Group Policy Management Console (GPMC) allows you to
rope in the management of your Group Policy Objects in your environment.
Because the way your users interact with the system is largely predicated
on GPOs, a centralized console is of extreme benefit.
- Cross-forest trusts allow you to set up more than one forest in your
environment, then connect them together with a trust relationship. I'm
not crazy about this idea except in the largest of shops because I think
it defeats the idea of the enterprise and the connecting together
of the user-base across a corporate platform. But, as I'm sure you're
familiar, there are politics in any given IT environment—groups
that feel, perhaps rightly, that they shouldn't have anything to do
with your corporate computing public—and this cross-trust thing
will help eliminate some of the difficulties.
Example Is, Ahem, for the Birds
One of the companies I worked for at one time was a
satellite television broadcast company. This company
had a couple of locations that were responsible for
actually managing the satellites (called "birds"
in the biz) in geosynchronous orbit—flying directly
over the equator at 17,500 miles per hour. The folks
that worked at these locations could perform functions
such as uploading updated code to the birds' transponders,
steer the birds from one position to another and so
Understandably, normal admins were not allowed to get
into the domains of these locations in any way shape
or form. There were no trust relationships set up and
these locations had their own admins. These locations
were verboten to regular corporate employees.
This kind of environment is, I think, a place where
a separate forest is called for and, in my opinion,
one of a few examples in which this might be the case.
Because of Windows Server 2003's security capabilities,
I don't see the need for highly segmented computing
environments in which different groups operate in their
own private forest.
- Software restriction policies allow you to stipulate what software
is trusted so users don't accidentally run something that is harmful.
- Passport integration is now facilitated through AD. You've
doubtless been involved with .NET Passports if you've visited any Microsoft
Web sites that required authentication-now you can integrate this into
your corporate environment.
- You can now take a backup of the Active Directory then replicate
it across your environment from the backup. This feature, called
Install Replica From Media mimics the storage area network idea
of a "shadow-copy" where you take a snapshot of the actual production
data, then work from the snapshot as opposed to the real stuff. This
feature should help shops that may have replication problems due to
slow wide-area network links or where there are many geographically
dispersed DCs. AD replication problems, like name-serving, are mischievous
little bugaboos that can be hard to diagnose and difficult or expensive
to satisfactorily rectify.
- Public Key Infrastructure has been enhanced with the release
of Credential Manager, allowing you to more closely manage and monitor
the credentials a user has. PKI, especially in the area of certificate
services, is a place where not many administrators have previously gone
mostly, I think, because of the complexity of understanding PKI and
the certificate infrastructure, then wisely deploying it. Microsoft
has devoted some engineering cycles to this problem and has streamlined
your ability to deploy a secure certificate- or smart-card-based environment,
then monitor accordingly. It's definitely phase 2 of a Windows Server
2003 deployment, but also definitely worth a look.
Scripting has always been big in the Unix world, but only recently
has it become a popular way to automate control the Windows environment.
Perhaps you've always wanted to script a process then automate it with
the command scheduler (AT) embedded in the Windows Server products. Microsoft
has greatly enhanced the commands that can be utilized from a command-line
interface, giving you greatly increased capability to script command operations.
Most Windows Server 2003 tasks can be managed from the command line. Scripting,
like software development or packaging, is a complicated thing. I would
recommend finding a class or a book on scripting before embarking down
a scripting path. (Visit www.bestbookbuys.com,
then key in the search string "Windows 2000 scripting" for an idea of
the literature and pricing available.) Also check out the Windows
2000 Scripting Guide at http://www.microsoft.com/technet/treeview/default.asp?
Software Update Services
The biggest dog in the kennel is Microsoft and so, to hackers,
it's the most desirable target for mischief. Seems like a month hasn't
gone by that Microsoft has made the news with some sort of serious security
hack that required admins to jump quickly to patch the problem. Every
now and then, the patch itself created problems, so most admins got to
the point where they'd test each patch before deploying.
Windows Server 2003 gives you the ability, called Software Update Services
(SUS) to manage the patching of your servers and workstations from a centralized
interface. This way you can download the patches to a single machine,
test then deploy them. You're given a client- and server-side interface
in which you can manage the patching operation in your environment. (For
an in-depth look at SUS, check out "Patching
the Holes," by Jeremy Moskowitz, in the March 2003 issue, or click
Storage Management Features
Most shops have begun to either deploy, or at least research, some sort
of SAN or network-attached storage solution in order to more effectively
manage disk. While there are different ideas about what a SAN or a NAS
is, essentially you can think of these boxes as a large disk repository
that's managed by some sort of miniature OS with enough oomph to serve
users their files, whether via Windows shares or Unix NFS volumes.
With a SAN/NAS purchase comes software that allows an admin to perform
various operations on the partitions, Logical Units (LUNs) and their associated
data. EMC Corporation, a huge SAN/NAS specialist, has some software called
TimeFinder that allows an admin to take a snapshot of real-time data for
the purposes of creating a test environment in which to develop code or
databases, or for backing up the data without interrupting the real-time
user/data interaction. EMC takes this idea one step further with Shared
Remote Data Facility (SRDF), a facility that allows for symmetric, pseudo-symmetric
or manual real-time mirroring of data across a geographic span.
SRDF can work in harmony with TimeFinder. You might have a database on
an EMC Symmetrix (Symm) SAN for which you use TimeFinder to create a shadow
copy on the same data partition. You then use SRDF to symmetrically copy
the data to another Symm in a different campus. (There are distance limitations
associated with SRDF, so you can't really get away with an SRDF copy across
a thousand miles, but you can use it with a
campus just a mile or two away. Hence, the need for a pseudo-symmetric
copy in which you basically get the copy done pretty fast but not at real-time
speeds. This takes into account the latency associated with large-hop
While Windows Server 2003 includes such Win2K data management features
as Distributed File System and File Replication service that allow for
some semblance of real-time file copying and fault-tolerant high-availability,
I'm most intrigued with two new storage-management features in Windows
Server 2003. These new features mimic and enhance ideas such as TimeFinder
- Virtual Disk Service allows an admin in charge of different
storage arrays such as an EMC Clariion (a down-scaled unit from the
Symm), HP or XIOTech array to centrally pull in the management of these
disparate arrays within a single Windows interface. VDS allows for the
scripting of storage management activities across heterogeneous storage
platforms. Because SAN manufacturer storage-management applications
are proprietary to the SAN device, the admin needs to learn to "drive"
the various applications in order to manage the respective SAN arrays.
With VDS, this management can be centralized and scripted, thus allowing
those not skilled in the storage management software to still be able
to perform storage tasks such as adding a new disk to the array.
- Virtual Shadow Copy Service gives admins the ability
to create a shadow copy of some real-time data so that the data can
be manipulated and operated upon without disrupting the real-time copy.
VSS is useful for backups, data warehousing and mining, setting up software
development test environments and so forth.
Note: VDS and VSS are available
only in Windows Server 2003 Enterprise & Datacenter versions.
- Shadow Copy of Shared Folders provides admins the ability
to set up a shared folder so that version tracking is enabled. The admin
is required to allocate a certain portion of a file server's disk space
(10 percent recommended) for shadow copies of the work on which a user
is working. As a user works on a file, the deltas of the file are written
to this shadow copy space. As space fills up, old deltas are purged.
If a user needs to get something back (e.g. she overwrote the old file
with some deletions when she meant to re-name the file) she can simply
access the file's properties, see a version history, and open the previous
version. Shadow Copy of Shared Folders works with Windows 98, XP and
2000 clients (but not NT 4.0 Workstation) and will be a huge boon to
admins and internal customer care centers everywhere.
Step Back Before Deployment
Whether you've already migrated your network to Win2K or you're
just now playing with the idea of updating, I'd highly recommend developing
a solid migration plan that will put you in the Windows Server 2003 driver's
seat in the ensuing months. Be sure you drive your migration from a project-management
perspective and utilize the skills of subject matter experts who can guide
you through the complexities of the upgrade. Be sure you test all elements
before deploying so that you understand the deployment's nuances and complexities.
Do not simply upgrade your production servers to Windows Server
If you're in the midst of a Win2K deployment, finish it before updating
to Windows Server 2003. You're much better off getting your servers out
of the NT environment and onto Win2K before you introduce yet another
server OS into the mix. This is, in the words of mathematics folks, too
many unknowns without enough constants to solve the equation.
In either case, there is enough meat in Windows Server 2003 to compel
you to strongly consider the upgrade. It will cost you time, server upgrades
(also potentially infrastructure enhancements) and planning but, overall,
the new OS is well worth the effort and puts you on the cusp of being
able to provide some very cool and dynamic services to users.