Windows 2000: Do all the new features make the case for Win 2000 Server?

WINDOWS 2000: Do all the new features make the case for Win 2000 Server?

By Barry Nance

Special to GCN

The new OS takes some giant leaps forward, but not without a few steps back

The release of Microsoft Windows 2000 occurred in February with promises from Microsoft Corp. that it would be stable, secure, scalable and manageable. How well did the company deliver on those promises?

Two reviewers, computer analyst and consultant Barry Nance and Irv Epstein, Unisys Corp.'s vice president for Win 2000 programs, assess the new operating system, focusing on its scalability, security, directory services and handling of applications. They also list what they like best and the things they think need improvement.



Microsoft Windows 2000 is both better and worse than its predecessor, Windows NT 4.0. It improves on NT 4.0 in areas such as scalability, power management and connectivity, but it requires greater resources'in computing power, money and maintenance expertise'and burns its bridges to many existing utilities and applications.

Most of my quibbles with the operating system are fairly minor, however. The key to understanding what's good and bad about Win 2000 is its biggest new feature, Active Directory. If you choose to upgrade to Win 2000, it will likely be because you find Active Directory a compelling way to organize your network.

Active Directory, a proprietary feature that works well with other Microsoft software but poorly with any other software, constitutes the biggest difference between NT and Win 2000.

Departments and agencies that use Microsoft software exclusively may find Active Directory's time-saving, well-organized representation of network objects a worthwhile reason to switch to Win 2000. Others, likely because they also rely on operating systems such as Novell NetWare or Unix, may choose to delay upgrading or perhaps even phase out Windows from their server environments and migrate solely to Unix.

Directory services

Active Directory is Win 2000's central repository for storing log-on identifications, passwords, shared disk and printer information and other network tidbits. You administer Active Directory via the easy-to-use Microsoft Management Console to add, change or delete users as well as define relationships among the servers on your network. Computers running Win 2000 automatically share Active Directory data among themselves, making Active Directory a single point of maintenance for network data.

Each server can play one of three roles in the Active Directory infrastructure: standalone server (not a participant in Active Directory), member server (member of an Active Directory domain, but not a domain controller), or domain controller. Active Directory predefines a great number of network parameters for you, and programmers can extend it even further with custom definitions unique to your organization's network.

Unfortunately, servers running NetWare and Unix cannot interface with Active Directory to obtain user IDs, passwords or file access permissions.

I'd give Microsoft a grade of B' for its excellent but proprietary design of Active Directory.

Security

Servers can run in mixed NT and Win 2000 mode, or in native Win 2000 mode, which precludes relationships with NT domains except through directory brokerage services. Running Win 2000 in native mode removes many of the widely publicized NT LANManager security problems that plagued NT Server and makes accessing network resources quicker and simpler for both end users and administrators.

Win 2000 derives its security from Active Directory. The Win 2000 Kerberos authentication system, which works closely with Active Directory, issues an electronic ticket when a user logs on to a particular server. The OS uses the ticket as a shortcut to authenticate a user to other domain controllers without forcing the user to log on separately in each domain. The entire process is encrypted and transparent to users.

But Win 2000 is not yet certified at the National Computer Security Center's C2 security level, which could slow its adoption by government agencies. Despite the company's best design efforts, Microsoft programmers had to make several changes to Win 2000's security functions in the last few weeks before the product's release.

Microsoft already shipped security changes in the first set of patches for Windows 2000. Keep in mind that, because of its prominence, Microsoft has become a popular target for
hackers.

Win 2000 earns a C for security.






Hit List
What's good about Win 2000 Server:


  • Active Directory has a central network resource repository.
  • Many applications run faster than they do under NT 4.0.
  • Scalability is better than NT 4.0's.
  • File and print server, Web server, message queue server and File Transfer Protocol server are included.
  • IntelliMirror synchronizes files when redocking a notebook computer.
  • Installation is easier than NT 4.0.
  • Power management tools for notebook computers are included.
  • Universal Serial Bus and FireWire port connectivity are supported.
  • Management of desktop PCs is centrally administered and policy-based.
  • Dynamic Link Library replacement
    protection is included.
Wish list:

What needs to be changed or improved:


  • Make Active Directory less proprietary.
  • Improve security.
  • Expand apps that support Win 2000's clustering technology.
  • Bolster device support.
  • Make more reliable.
  • Add support for MS-DOS programs.
  • Reduce demands on processing power, RAM and disk space.
  • Avoid making system utilities and antivirus programs obsolete.
  • Reduce price.
  • Lessen maintenance requirements.




Scalability

When running in a mixed NT and Win 2000 environment, an Active Directory domain controller assumes the role of the NT primary domain controller and removes the former PDC from the domain. Because the directory service is based on an extension to the Internet Domain Naming System, DNS must be present and working on the network where a domain controller for Active Directory is deployed.

Win 2000 uses Dynamic DNS, an extension to DNS that allows automatic updates of machine names against IP addresses.

All Active Directory objects are named in accordance with the American National Standards Institute X.500 naming structure and are connected to one another via DNS.

Microsoft divides the Active Directory into sites for replication purposes. Each site must have a working DNS infrastructure and correct pointers inserted into the local DNS database.

This is an easy job for those experienced in TCP/IP and DNS, and it's mandatory for successful replication inside and across sites.

The Active Directory uses a multimaster replication model. This means that, unlike when using NT resource and user domains, administrators do not need to establish trusts among domains. Trusts can be established between different groups of the most elemental objects in a domain, but most network designs won't need such relationships.

The simpler Active Directory model makes Win 2000 more scalable than NT.

Win 2000 earns a B+ for scalability.

Applications

Win 2000 should tolerate most of the commercial applications that run under NT, but you'll need to test each custom-written software product that your office uses in order to properly evaluate Win 2000's compatibility. Certainly, switching to Win 2000 means you'll have to get new system utilities, such as those from Symantec Corp. of Cupertino, Calif., as well as new antivirus software.

In grading the new operating system's ability to run applications, I give Win 2000 an Incomplete.

Active Directory

Win 2000 Server's Active Directory is a considerable improvement over NT's network domain model. If your network consists of computers that only run Windows and you plan to keep it that way, upgrading to Win 2000 likely is the right choice.

Your network administrators will spend less time updating user information when people join or leave your organization, and you'll have fewer problems when users access shared resources on your network's various servers.

On the other hand, if your network is a heterogeneous mixture, Active Directory may not save sufficient network administrator time and effort to make upgrading to Win 2000 worthwhile.

Barry Nance, a computer analyst and consultant for 28 years, writes from Wethersfield, Conn., about information technology. E-mail him at barryn@erols.com

inside gcn

  • When cybersecurity capabilities are paid for, but untapped

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group