Windows 2000: A Six-Step Migration Plan

Time to cut through the hype, roll up your sleeves and get to work. Our six-step plan will help prepare you for the Win 2K era.

By OLIVER RIST

Soon, Microsoft will be releasing shrink-wrapped versions of Windows 2000 to you, the sweating IT public. It's not enough that you're about to have your annual tiff with the IRS; now you're looking at a large-scale OS migration. And worse, Windows 2000 means rearchitecting your entire domain structure, which basically means reorganizing the network.

OK, breathe easy. It's really not that bad. We can't help you with the IRS, but we can outline the basic managerial and technical steps to a successful migration from Windows NT Server to Windows 2000 Server. Along the way, we'll dispel some myths and hand out as many helpful hints as we can.

But first things first: Is a migration really necessary? After all, Windows 2000 can't be for everyone. Well, that's Myth No. 1: Actually, any company running Windows in its network now is a candidate for Windows 2000. Companies running Windows 98 or Windows NT Workstation will benefit from Win2K Professional's better performance, and new features like IntelliMirror, which lets network managers save user desktop preferences for easier systems management.

The server question is a bit trickier, however, because of Win2K Server's deep and abiding love of Active Directory. And this is where we run into Myth No. 2, which is that Windows 2000 requires Active Directory, and that means redesigning your entire domain structure--right now! In actuality, Windows 2000 deeply desires Active Directory, which would mean redesigning your network's entire domain structure real soon, but no need to tear at your hair, because you have some time. Actually, Windows 2000 Server can be quite happy running inside a typical Windows NT domain network.
You'll be giving up some of its additional features, like IntelliMirror and many of the management tools that make Windows 2000 Server better than NT, but if you're looking to start your migration slowly in phases over several months, Windows 2000 has no problem with that. In fact, that's exactly what you should do; and a helpful tip would be to start spreading that news as soon as you can. No one managing a network with more than 50 users should attempt a full-scale migration to this new operating system all at once. Those who do are suffering deep emotional problems and should be given Thorazine, a straitjacket and some edible crayons.

Windows 2000 has a long list of advantages over Windows NT: better security, better performance, a better Web server and much better management capabilities. But you'll notice that stability is not on that list. Sure, Win2K may prove to be more stable than NT over time, but if our lengthy experiences with Redmond's operating systems have taught us anything, it's that Version One of a new Microsoft OS is like riding a motorcycle in the rain: No matter how careful you are, things still get hairy when you take that first unexpected turn. The idea is to take it slow.

Just Do It

You think I'm going to say planning, right? Wrong. Don't start planning right now, just get Windows 2000 Server running as quickly as you possibly can. This may sound somewhat strange in the face of our original "take it slow" advice, but getting your IT staffers started with Windows 2000 Server as soon as possible is critically important. This new operating system from Microsoft is much different and very complex, and network managers shouldn't underestimate just how different and complex. Both chief information officers and general IT staffers will need time to become familiar with Windows 2000 if they haven't been playing with its copious beta releases over the past few years.
Get some Windows 2000 server machines up and running right away; but these servers should be for testing and initial familiarization only. They shouldn't be connected to business production systems at all for the time being.

Once these machines are up and running, it's time to set up an active training and testing program. If you have the spare hardware resources, your best bet is to build a small Windows 2000-only network that's sequestered from anything on your business applications or production systems. That way, your IT staffers will be in a stronger position to familiarize themselves with all the new Windows 2000 features, especially the installation process and advanced services like Active Directory and its new approach to network design and trust relationships.

Working with Active Directory now in a nonproduction environment will be invaluable when it comes time to plan your migration from NT's domain structure. Your network administrators will know the real-life capabilities of Active Directory rather than just the published feature set, and so will be much better prepared to get it working inside your network--especially if you already have a directory service running from Novell or Sun. Third-party directory management tools are popping up all over and are aimed at acting as referees between dueling directories on the same network. A sterile test network would let your team evaluate these products with actual directory services to see which is the best fit.

And on the client side, you'll be able to test out your mission-critical applications on Win2K Professional. Some may scoff at this as unnecessary, but these folks should remember that as of mid-January of this year, Microsoft had certified only 25 applications for use with Windows 2000--and not even its own Office 2000 is certified for Windows 2000.
We tried installing Windows CE development software under Windows 2000 RTM during the first part of January and wound up having to reinstall the entire system. As it turns out, the development software package hadn't been certified for Windows 2000. These are clearly the kinds of unwelcome surprises you want to be sure to avoid during your IT shop's Windows 2000 migration.

Plan Carefully

Once you have a team of folks who are knowledgeable about Windows 2000, you should start to plan your migration. We've stressed that Active Directory will require a complete network design overhaul, but this is not the only component of the planning process.

On a system level, you'll need to figure out which of your existing systems are able to run Windows 2000. On the client side, hardware requirements start at a Pentium 133 MHz with at least 64MB of RAM and around 2GB of hard disk space. For many organizations, that means it'll be time to purchase a round of new client hardware. On the server side, these requirements are significantly increased (specifics will vary depending on server function, but Xeon processors are a good bet as are gobs of RAM), which means additional money will also have to be spent in the data center.

Software costs are another factor, and we're not talking only about licensing fees for the operating system. Third-party products may be necessary to manage a smooth directory migration or even just a peaceful coexistence. And even after Microsoft releases a list of certified application software, upgrades may be required for full functionality. This is especially true on the back-end, where Redmond has made Active Directory a requirement for those looking to upgrade to the next versions of BackOffice, notably Exchange and SQL Server.

And finally, the actual introduction of Active Directory into the network needs to be especially well thought out. Fortunately, Windows 2000 is capable of utilizing Active Directory in a network still relying on NT domains.
But while this approach is possible, it's certainly not a recommended mode of operation long-term. A good approach here is to roll out Active Directory with only a limited number of features enabled, especially with regard to security, until testing has been completed. Start with simple domain trees for user authorization and gradual integration into the Microsoft Management Console.

Planning for Active Directory is much more than just figuring out how to morph your existing domain structure into a directory-enabled organization. Active Directory may not be able to compete on features with Novell's or Sun's offerings in its initial implementation, but the potential is there nonetheless. Especially for networks that are heavily reliant on the Windows platform, managers need to remember that Active Directory's functionality will increase in future upgrades and with the addition of BackOffice products as well. Look to more mature directory products as a guide for what to expect from Active Directory in the future.

Get To Know Active Directory

Now it's time to plan your network so it can make at least rudimentary use of Active Directory right away and also to ease the process of a full migration to Active Directory in the future. Of course, that means going straight back to square one, including asking questions like: "What are the mission-critical business requirements from our network?" IT staff assignments can even be decided or reorganized at this stage because Active Directory's structure is much more hierarchical than that of traditional domains. Are there any new business objectives or additions on the horizon, and if so, what requirements will they have? These questions are all relevant again because of the depth at which Active Directory forces network managers to rethink their strategies.

A new domain map is required for several reasons. First, because Active Directory now allows for trust relationships without the need for specific statements.
This is called dynamic trust or transitive trust. Old domains such as resource domains are no longer required under Active Directory and will need to be dispelled and their responsibilities reassigned under the Active Directory maxim. And remember that Windows 2000 Server makes extensive use of the DNS naming service, which means that the Active Directory namespace automatically becomes an extension of DNS's own namespace. That means careful attention needs to be paid to how your network planners assign new domain names and what their functions are.

If you think this sounds like you'll be drawing a new multilayer network diagram from the physical layer on up, you're absolutely right. The bad news is that this is a tedious process when done properly. The good news is that by the time you're finished, you should have all your hardware and software requirements in hand, which means you'll also have a fairly good idea as to what your overall budget needs to be. From here, you can begin to plan a staged rollout, complete with feature integration and even temporary as well as permanent staff assignments.

Under Windows 2000, you will be able to divide the systems in your network into Organizational Units (OUs). What makes these OUs so significant is that they can be assigned under any paradigm, such as business function, department or team. NT limited managers to only a geographical organization. Even better, OUs are represented as objects inside the Active Directory tree. You can subsequently assign properties such as policies, tasks or security and then assign responsibility for these tasks merely by dragging that OU onto the name account of an IT staffer. The software lets you easily accomplish and change these properties as new policies or business initiatives take effect.

This is where that real-life experience with Active Directory in your test network will pay off.
Microsoft has reams of white papers and technical documents describing all kinds of scenarios for Active Directory, but only with direct experimentation can you really be sure what this software can do for your organization. Armed with this knowledge and your new network diagram and budget, you'll have a much easier time planning a gradual and smooth migration to Windows 2000.

Decide How Far To Go

Once again, the actual move to Windows 2000 will occur in stages--for most. No, we're not reversing; we're quantifying. Small businesses (something like 50 nodes or fewer) may well move to Windows 2000 all at once. Indeed, if you can, this is a very good idea, since your company will be able to take advantage of all Windows 2000's benefits like full Active Directory functionality and IntelliMirror. But for midsized or larger networks, we strongly recommend starting with only a few servers, limited Active Directory functionality and moving up slowly from there.

As each new phase of Windows 2000 is rolled out, network managers should take the time to carefully test the new section, especially in terms of the applications required to run in that section, and its security provisions. Make sure that authentication works for all users and that the new segment actually works with any existing disaster recovery plans you have in place. Windows 2000 has some excellent security features, but you should make sure they're working for you before moving on to something new.

When it comes time for the actual upgrading process, you'll find upgrading NT servers is easier than clients because Windows 2000 provides a direct upgrade path only from NT. Windows 95/98 users will need to have a clean OS install run on their machines, which means data and application files will need to be backed up and then re-installed into the new environment.

Insert CD-ROM

Overall, the new Setup Wizard for the Win2K Server upgrade is a big improvement over what we have in Windows NT.
Since the upgrade will most probably mean the machine has a new role in the network, you're immediately prompted to decide whether this machine will be a stand-alone, member or domain controlling machine. In case you're wondering, a stand-alone server can't be part of a domain, although these machines are generally used as small workgroup servers. Member servers don't have domain controller responsibilities either, but they fit seamlessly into a domain environment and usually have other duties as application servers.

Physically, Windows 2000 will detect whether the machine it is upgrading is a Primary Domain Controller (PDC) or a Backup Domain Controller (BDC) and automatically configure these machines to perform the same kinds of duties under the new operating system. You need to be careful when installing here, however, if you have other plans for these machines in your new network design.

On the back-end, you should have all your hardware in place before starting the migration. Some network administrators will balk at immediately upgrading their PDC to a new operating system, but they shouldn't. That's because Microsoft has taken care that Windows 2000 Server is backwards compatible in this sense, meaning that it will appear as a Windows 2000 PDC to Windows 2000-aware clients and servers, and as a Windows NT 4.0 PDC to systems still operating under the old regime. It's still a good idea to perform a full backup on all affected systems, however, prior to upgrading as well as testing out your existing applications in this scenario on your nonproduction Windows 2000 test network.

Going Native

For the most part, your rollout of Windows 2000 Server should be gradual. But the final step of moving to a native Windows 2000 environment only affects domain controlling servers. Windows 2000 will default to a mixed-mode environment whenever it performs an upgrade from an NT 4.0 PDC.
Be prepared: During initial installation, Win2K will want to do rudimentary configuration of Active Directory, DHCP and DNS starting with this machine. DNS deserves special mention, as Microsoft has gone a step beyond other operating systems in its native implementation of DNS under Win2K. For one thing, Win2K defaults to DNS and seamlessly integrates this naming scheme with that of Active Directory. Not only does this mean your company can manage a consistent naming scheme on both internal and external resources, it's also a help when integrating Win2K users with Unix resources.

A good thing to remember in case your legacy network was running the Windows Internet Naming Service (WINS) is that Win2K requires DNS. While it can support legacy WINS systems, this is not installed by default. To compensate for its loss, Microsoft has introduced Dynamic DNS, which basically allows zone servers to update each other pretty much automatically rather than through the manual edits that were required on older versions. This is certainly the way to go long-term, but you'll need to be careful phasing out your older WINS-reliant systems before doing so.

Once your PDC is upgraded, each of the network's BDCs can be upgraded in turn. When all these machines are running Windows 2000, you're ready to move into Native Windows 2000 mode. Stand-alone servers or other application servers that have no domain-controlling responsibilities needn't be upgraded to Windows 2000 for this to happen, although it's probably a good idea. Once you're ready, simply open the domain properties box to switch from mixed to native mode. Just be sure this is what you want, because this is an irreversible step. In mixed mode, the network will still accept NT 4.0 domain controllers, but under Native mode only Win2K controllers are allowed.

If you've got a bunch of NT BDC and application servers that will all be set up in similar fashion, make sure to get the Windows 2000 Server Resource Kit.
The kit has a utility called the Setup Manager that lets administrators create a list of answers to all of Windows 2000's setup questions. This lets you perform a mostly unattended installation.

Windows 2000 improves upon Windows NT in almost every way. Hardware support is better, as are security, management, networking and mobile-user support. But while Microsoft has done solid work in making these features as easy to use as possible, they're hardly automatic. The bottom line: Win2K is very different from Windows NT. Investing in proper training and testing now is probably the most important step toward moving to Windows 2000.

Oliver Rist is contributing technical editor at InternetWeek and technical director at Grand Central Networks Labs. He can be reached at orist@cmp.com.
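
The upgrade order in "Going Native" (PDC first, then each BDC, then the irreversible switch from mixed to native mode) can be checked against a server inventory before anyone opens the domain properties box. The following Python is an added example, not part of the original article and not a Microsoft tool; the `Server` record, the role and OS labels, and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass, replace

DC_ROLES = {"PDC", "BDC"}                    # roles with domain-controller duties
ROLES = DC_ROLES | {"member", "standalone"}  # labels assumed for this example

@dataclass(frozen=True)
class Server:                                # hypothetical inventory record
    name: str
    role: str                                # "PDC", "BDC", "member" or "standalone"
    os: str                                  # "NT4" or "Win2K"; anything else counts as not upgraded

def _validate(inventory):
    """Reject unknown roles and require exactly one PDC; return that PDC."""
    for s in inventory:
        if s.role not in ROLES:
            raise ValueError(f"{s.name}: unknown role {s.role!r}")
    pdcs = [s for s in inventory if s.role == "PDC"]
    if len(pdcs) != 1:
        raise ValueError(f"expected exactly one PDC, found {len(pdcs)}")
    return pdcs[0]

def next_upgrade(inventory):
    """Name of the next controller to upgrade: the PDC first, then each BDC in turn."""
    pdc = _validate(inventory)
    if pdc.os != "Win2K":
        return pdc.name
    pending = sorted(s.name for s in inventory if s.role == "BDC" and s.os != "Win2K")
    return pending[0] if pending else None

def native_mode_report(inventory):
    """Fail closed: any domain controller not known to run Win2K blocks the switch."""
    _validate(inventory)
    blockers = sorted(s.name for s in inventory if s.role in DC_ROLES and s.os != "Win2K")
    optional = sorted(s.name for s in inventory if s.role not in DC_ROLES and s.os != "Win2K")
    return {"ready": not blockers, "blockers": blockers, "optional": optional}

def upgraded(inventory, name):
    """Return a copy of the inventory with one server marked as running Win2K."""
    return [replace(s, os="Win2K") if s.name == name else s for s in inventory]

# Constructed sample inventory (not from the article).
SAMPLE = [
    Server("HQ-PDC", "PDC", "Win2K"),
    Server("HQ-BDC1", "BDC", "Win2K"),
    Server("BR-BDC2", "BDC", "NT4"),
    Server("APP-SQL1", "member", "NT4"),
    Server("WG-PRINT", "standalone", "NT4"),
]

if __name__ == "__main__":
    inv = SAMPLE
    while (target := next_upgrade(inv)) is not None:
        print("upgrade next:", target, native_mode_report(inv))
        inv = upgraded(inv, target)
    print("after upgrades:", native_mode_report(inv))
```

Member and stand-alone servers are reported under `optional` rather than `blockers` because, as the article notes, they need not be upgraded before the switch to native mode.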
Copyright © 2010 CMP Media LLC