FRAMINGHAM (02/10/2000) - When it comes to migrating to Windows 2000, network executives will need to devote several months to a whole range of key planning issues before the new operating system ever touches bit to metal.
Analysts and corporate users agree that the nuts and bolts of migrating to Microsoft Corp.'s extension of the Windows NT operating system family will be nothing compared to the sheer amount of head scratching that will be needed beforehand.
Figuring out how to whittle 35 domains down to three, doling out more narrow, specific privileges to administrators who previously had a free rein, ensuring that existing applications will be compatible with the new operating system and deciding whether to upgrade in stages or in one fell swoop - that will be the hard part.
Microsoft and its partners, such as IBM, are well aware that IT managers will have to take off their technology hats and dive headfirst into management issues and power struggles long before they set up the first desktop. That's why the two industry powerhouses have invested tens of millions of dollars in building new training sites around the globe and deploying a small army of trainers.
"This can become an administrative nightmare if you're not ready for it," says Todd Richter, PC specialist at Baystate Health System in Springfield, Mass.
"This will take more forethought than usual. For many NT administrators, it may look like a totally alien system unless you've been studying it."
Now that Win 2000, after four years on the drawing boards and test beds, is slated to ship to customers this month, Microsoft is throwing its shoulder into preparing customers for the big migration. Sergio Pineda, a lead Windows product manager at Microsoft, says the company is focused on two legs of training - one track for the nuts and bolts of deployment and an advanced track for planning and preparation.
"People need to decide how they want their network to work over the next five years," Pineda says. "If Windows 2000 is going to be key, you absolutely have to have planning skills."
Industry watchers say Win 2000 is so different from NT 4.0 that it might as well be a whole new animal. For instance, Win 2000 has 35 million to 45 million lines of code, compared to about 15 million lines in NT 4.0. Win 2000 also is quite different architecturally, offering NT's first across-the-board directory, Active Directory, and its new security feature, Kerberos.
Microsoft's Kerberos security, which offers benefits such as stronger user authentication and mutual authentication, is an offshoot of the Kerberos security found in Unix. It's not, however, compatible with Unix security, and it is completely different from NT 4.0's security as well.
Win 2000 also incorporates Microsoft Message Queue and Microsoft Transaction Server, which had been separate tools.
Analysts generally agree that this will be the largest and most difficult migration Windows users have undertaken.
"You can't take the matchbook correspondence course on this one," says Laura DiDio, an analyst for Giga Information Group in Cambridge, Mass. "This is a huge undertaking - a huge problem."
A Microsoft spokesman downplayed the migration challenge, saying this move simply will take more upfront planning than before.
The biggest issue network executives need to mull over is how to deal with Active Directory, which calls for companies to collapse possibly dozens of domains down into three or four. The challenge is moving from NT 4.0's flat-file system to the hierarchical file system in Active Directory, which will hold information on users, devices, applications and services. That will allow the new directory system to describe which users have access to which servers, as well as what applications the server can provide to that user.
Implementing Active Directory won't be easy because the network administrator needs to ensure that data is defined the same way and the same symbols are used to represent specific features in both systems. Because a hierarchical structure supports inheritance, the administrator also needs to be aware of the fact that a change made to a domain high in the structure will trickle down to lower domains, like the characteristics of a parent being passed down to children.
All these structural changes mean a network administrator will have much more granular control over the rights and privileges users and other administrators have in the system. With NT 4.0, for instance, if a network administrator wanted to give the head of marketing the ability to change subordinates' passwords, it meant the marketing manager would have free rein throughout the system. The network administrator could not just give the marketing manager a specific, limited right.
That's not the case in Win 2000.
"The capabilities of an administrator have completely changed," says an IS operations and information security manager in Dallas. "It's a lot better, but it takes a lot more effort. That means I have to rethink who is in what department and who should be able to do what . . . and who I'm going to take what rights away from and who I'll give those rights to. It can get pretty sticky."
Users agree that network administrators will have to sit down with the CEO or others on the business side and wade through the company's management structure in order to dole out administrative rights on the system, as well as create a specific map of the servers and services each and every employee will have access to.
And companies may have to upgrade, rebuild or at least tweak most, if not all, of their Windows-based applications to make them compliant with Win 2000. Some industry watchers say as much as 80% of the code in Win 2000 is brand new, which means existing applications will still run on the new operating system, but net administrators probably won't be able to take advantage of the new features that enticed them into buying the software in the first place.
In addition, the sought-after Win 2000 features won't be available until the new operating system is sitting on every desktop and server across the entire enterprise. That means companies that pay heed to Microsoft's suggestion of a long, piece-by-piece migration won't see the benefits of those new features until the migration is complete. Some analysts say that could be as long as 18 months for the average large company.
Microsoft, though, still is recommending that users take the long, slow road to migration. A Microsoft spokesman advises customers to start with upgrading the desktops, saying users will see "incremental benefits," such as local encryption and power management. If something goes wrong with the migration at this point, the network will not be affected.
After that, customers should do a few servers at a time, wrapping up by changing over the domain controller, which is where user names and passwords are kept. Because that move affects everyone on the system, users need to be comfortable with the new system by the time administrators hit this final stage.
Don't be afraid to ask for help
Al Williams, director of Distributed Systems Services at the Center for Academic Computing at Pennsylvania State University in University Park, has been working with beta versions of Win 2000 for nearly a year, testing the software and planning a transition. And he says it's a big enough move that he brought in reinforcements - IBM.
"You can't cold cut over and be a happy person," says Williams, who services about 44,000 users on 50 NT servers. "IBM came to us and said they wanted to prove that Win 2000 was ready to use on their equipment. They said they would supply hardware and a support structure . . . where they field problems and act as an advocate with Microsoft. We didn't have to pull our own equipment out to test on."
IBM has loaned Penn State half a dozen desktops and the same number of laptops, along with two Netfinity servers. IBM also gave the university's technical staff two days at IBM's Windows training center in Kirkland, Wash., right next door to Microsoft's Redmond headquarters. Then IBM sent a trainer to work on site at Penn State for a week.
"It's good to have somebody help you understand how different Windows 2000 is," Williams says. "What do you want to do to take advantage of Kerberos? What does [Lightweight Directory Access Protocol] do for me? How do I rearrange my domain structure so it works well for my company? How do I work with my domain name services? A lot of the training comes in the planning stage. And under the covers is the management structure," he says.
Pittsburgh-based Mellon Financial Corp. is using the upcoming Win 2000 migration as the jumping off point for a complete overhaul of its infrastructure.
"We're building a new infrastructure to support the move," says Joe Cirra, assistant vice president of Mellon Financial. "We're going to let a lot of the legacy domains fall away. We have roughly 40, and we want to end up with three when all is said and done. It'll be a technological refresh." Cirra adds that the planning and preparing will be a year-long process, with broad-range pilots scheduled for the fourth quarter of 2000 and main deployment in 2001.
Cirra also has been bringing in plenty of help. He's been working with IBM trainers and tech support people on the planning and building of the Active Directory infrastructure. He's also been working with local Microsoft support staff, along with joining Microsoft's Premier Support program.
And all that training is exactly what Microsoft needs to do, according to Dan Kusnetzky, analyst with International Data Corp., a market research firm in Framingham, Mass.
"Microsoft sees this as absolutely crucial for the success of their product," Kusnetzky says. "A lot of NT's problems can be attributed to a system that was configured badly, but that doesn't stop people from blaming Microsoft. They don't want any more jokes about the blue screen of death . . . It's not going to be an invisible upgrade, and Microsoft knows that."