   DataBus - Vol 40 No 2: February-March, 2000
Installing Microsoft Windows 2000 in Education

Topics in this Article
Key Features
Planning for Active Directory
Installing a Server
Migrating a Windows NT-based Domain
Microsoft TechNet Solutions for Education
January 2000
This Solutions paper describes initial aspects of planning for and installing the Microsoft® Windows® 2000 Server operating system in an education environment.
This paper captures the initial aspects of planning for and installing the Microsoft® Windows® 2000 Server operating system. It briefly introduces key features of Windows 2000 Server and points out some of the technical and project management implications for their deployment. And it reviews basic installation steps, along with installation and configuration options.
Central to the Windows 2000 Server feature set is the Active Directory™ service for organizing and accessing objects on a network, such as printers, file servers, and user information. This paper introduces Active Directory concepts, and discusses issues to consider when migrating a Windows NT®-based domain to Active Directory.
You can use this paper as a starting point to identify the issues involved in installing Windows 2000 on your network. To help you easily pursue topics of interest in greater depth, this paper provides extensive references to in-depth technical resources, such as white papers, tutorials, and samples.
Key Features
Windows 2000 is designed to make network administration more powerful and efficient, while reducing total cost of ownership (TCO). For example, with Windows 2000 you can:
- Centralize user and resource management. At the core of Windows 2000 Server is a complete set of infrastructure services based on Active Directory. Active Directory simplifies management, strengthens security, and extends interoperability. It provides a centralized way to manage users, groups, security services, and network resources. In addition, Active Directory has a number of standard interfaces allowing interoperability with a variety of applications and devices.
- Increase administrative efficiency. Microsoft Management Console (MMC) improves administrative efficiency by providing a single point of management for Windows 2000, from which you can access all of the administrative tools and processes you need. MMC hosts tools as consoles, called snap-ins. Snap-ins give you single-seat control, monitoring, and administration of widespread network resources, and you can manage Windows 2000 Server remotely from any computer running Windows 2000. The Active Directory Users and Computers MMC snap-in is the most useful tool for administering your Active Directory. With Active Directory and MMC, you can build hierarchical information structures that make it easier to control administrative privileges and other security settings, and make it easier for your users to locate network resources such as files and printers.
- Manage workstations remotely, and set profiles that perform configuration tasks automatically. Windows 2000 has many new management features for managing workstations. For example, using Windows 2000 IntelliMirror™ management technologies, you can define policies based on a user's role, group membership, and location. Each time that user logs onto the network from any Windows 2000 Professional workstation, the desktop is automatically reconfigured to match the user's profile. Windows 2000 also supports remote software and operating system installation. For more information, see Deployment Planning Guide.
- Deploy operating system features incrementally. Windows 2000 Server is a multipurpose network operating system with distinct, but integrated, features that can be deployed incrementally, based upon the information needs and IT capabilities of your institution. For example, you can separately implement print, file, and Web services. For more information, see Introducing Windows 2000 Server.
Planning for Active Directory
To use the Windows 2000 Server operating system with maximum effectiveness, you must first understand Active Directory and plan an appropriate directory infrastructure. Investing time in planning will help you avoid spending time and money in the future reworking structures that you have already put in place.
Active Directory extends the features of previous Windows-based directory services with features that make it easy to navigate and manage large amounts of information. With Active Directory you can consolidate multiple domains (for example, faculty, students, and administrators) into a single domain, permitting better management. You can also delegate specific administrative tasks to technology specialists throughout the institution, so that they can better serve users within their departments.
Active Directory stores information about network objects and also implements the services that make the information available and usable to users. Active Directory presents this information through a standardized, logical structure that facilitates the organization of domains and domain resources. When you plan to deploy Active Directory, you want to create a set of structures that best reflect your institution. The structures you create will determine:
  • The availability and fault tolerance of the directory.
  • The network usage characteristics of directory clients and servers.
  • How efficiently you can manage the contents of the directory.
  • The way users view and interact with the directory.
  • The ability of your directory structures to evolve as your institution evolves.
It is important to create an Active Directory design early in the planning phase. Some preparatory steps for designing an Active Directory infrastructure are:
  • Master key Active Directory concepts that influence infrastructure planning.
  • Identify the people in your institution who should participate in planning.
  • Consider how existing practices might need to change or evolve to take full advantage of Active Directory.
  • Assess the flexibility of the structures you create, and consider how easy or difficult they might be to change.
  • Envision various scenarios that reflect the structure of your institution and the expected usage of the directory.
Details on the steps involved in developing an Active Directory design will be published in a future Microsoft for Education Solutions paper. For more information about infrastructure planning in general, visit the Microsoft Solutions Framework Web site. For a complete introduction to Active Directory, see Active Directory Architecture, as well as the "Active Directory Overview" section in the Windows 2000 Server online product documentation.
The following topics introduce some general concepts that are important to understand when planning an Active Directory infrastructure.
Active Directory Namespace
The Active Directory namespace (also known as the console tree) refers to the area in which a network component can be located. For example, the University Catalog forms a namespace in which departments can be resolved to course numbers, and Domain Name System (DNS) is a namespace that resolves host names to IP addresses. Active Directory provides a namespace for resolving the names of network objects to the objects themselves. Active Directory can resolve a wide range of objects, including users, systems, and services on a network.
Everything that Active Directory tracks is considered an object. An object is any user, system, resource, or service tracked within Active Directory.
Attributes describe objects in Active Directory. For example, all User objects share attributes to store a user name, full name, and description. Systems are also objects, with attributes that include host name, IP address, and location.
The set of attributes for any particular object type is called a schema. The schema makes object classes different from each other. Schema information is stored within Active Directory, and administrators can add attributes to object classes and distribute them across the network without restarting any domain controllers.
A container is a special type of object used to organize Active Directory. It does not represent anything physical, like a user or a system. Instead, it is used to group other objects. Container objects can be nested within other containers.
Each object in an Active Directory has a name. These are not the names that you are accustomed to, like "Tony" or "Eric." They are Lightweight Directory Access Protocol (LDAP) distinguished names, which uniquely identify any object within a directory.
The term tree is used to describe a set of objects within Active Directory. When containers and objects are combined hierarchically, they tend to form branches, hence the term. A related term is contiguous subtree, an unbroken branch of the tree.
The term forest describes trees that are not part of the same namespace but that share a common schema, configuration, and global catalog. Trees in a forest all trust each other, so objects in these trees are available to all users in the forest if the security allows it. Organizations that are divided into multiple domains should group trees into a single forest.
A site is a geographical location, as defined within Active Directory. Sites correspond to logical IP subnets, and can be used by applications to locate the closest server on a network. Using site information can profoundly reduce wide area network traffic.
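The site-to-subnet mapping described above, as an added example that is not the paper's code: a client address is matched to the site owning the most specific subnet that contains it, and domain controllers registered in that site are preferred over remote ones. The site names, subnets and server names are constructed sample values; the logic is plain longest-prefix matching, not Windows 2000's actual DC locator.

```python
import ipaddress

# Constructed sample topology: each site owns one or more IP subnets, and each
# domain controller is registered in exactly one site.
SITE_SUBNETS = {
    "Main-Campus": ["10.1.0.0/16", "10.2.0.0/16"],
    "Main-Campus-ServerRoom": ["10.1.250.0/24"],   # narrower than 10.1.0.0/16
    "North-Branch": ["10.20.0.0/16"],
}
DOMAIN_CONTROLLERS = {
    "dc1.univ.example": "Main-Campus",
    "dc2.univ.example": "Main-Campus-ServerRoom",
    "dc3.univ.example": "North-Branch",
}


def build_subnet_table(site_subnets):
    """Flatten {site: [subnet, ...]} into a list of (network, site), sorted so
    the most specific prefix (longest mask) is tried first."""
    table = []
    for site, subnets in site_subnets.items():
        for s in subnets:
            table.append((ipaddress.ip_network(s, strict=True), site))
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def site_for_ip(ip, site_subnets=SITE_SUBNETS):
    """Return the site whose most specific subnet contains ip, or None when no
    site claims the address (a client on a subnet nobody registered)."""
    addr = ipaddress.ip_address(ip)
    for network, site in build_subnet_table(site_subnets):
        if addr.version == network.version and addr in network:
            return site
    return None


def nearest_dcs(ip, site_subnets=SITE_SUBNETS, dcs=DOMAIN_CONTROLLERS):
    """Domain controllers a client should try first: those in its own site if
    any exist, otherwise every DC (which may mean crossing the WAN)."""
    site = site_for_ip(ip, site_subnets)
    local = sorted(name for name, s in dcs.items() if s == site)
    return local if local else sorted(dcs)


if __name__ == "__main__":
    for client in ("10.1.250.17", "10.2.33.4", "10.20.5.5", "192.168.7.7"):
        print(client, "->", site_for_ip(client), nearest_dcs(client))
```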
Name Resolution
Windows 2000 uses DNS naming standards for hierarchical naming of Active Directory domains and domain computers. DNS is necessary for any Internet-connected institution. It provides name resolution between common names, such as support.microsoft.com, and the raw IP addresses that network layer components use to communicate. Using DNS name resolution is a substantial change from previous Windows operating systems, which required NetBIOS names to be resolved to IP addresses and relied on WINS or another NetBIOS name resolution technique.
Domain and computer objects are part of both the DNS domain hierarchy and the Active Directory domain hierarchy. Although these domain hierarchies have identical names, keep in mind that they represent separate namespaces.
Group Policy
You can use policies to define the permitted actions and settings for users and computers. In contrast to local policy, Group Policies apply across a given site, domain, or organizational unit in Active Directory. Policy-based management simplifies tasks such as operating system updates, application installation, user profiles, and desktop lockdown.
Security and Authentication
It's important to protect your directory from attackers, authenticate users, and delegate tasks to other administrators where necessary. You can accomplish these things by using the Active Directory security model, which associates an access control list (ACL) with each container, object, and object attribute within the directory.
Flexible and secure authentication and authorization services provide protection for data while minimizing barriers to conducting the business of education over the Internet. Active Directory supports multiple authentication protocols (such as the Kerberos V5 protocol, Secure Sockets Layer v3, and Transport Layer Security using X.509v3 certificates) and security groups that span domains efficiently.
Installing a Server
Once you've designed your Active Directory infrastructure, you're ready to install Windows 2000 Server and run it on your network. You can install Windows 2000 Server as the first operating system on a new computer, as an upgrade to Windows NT Server, or in a dual-boot configuration with other Windows operating systems. If you're installing Windows 2000 Server in an existing domain, be sure to read "Migrating a Windows NT-based Domain," later in this paper.
You can upgrade to Windows 2000 Server from Windows NT Server 4.0, Windows NT Server 3.51, or Windows NT Server 4.0 Terminal Server. You can also upgrade from Windows NT Server 4.0 Enterprise Edition to Windows 2000 Advanced Server. However you cannot upgrade directly to Windows 2000 Server from versions of Windows NT Server earlier than 3.51. Instead, you must first upgrade to 3.51 or 4.0.
Using the Setup Wizard
The Windows 2000 setup wizard leads you through the installation process. First, it prompts you for configuration information, such as regional settings, user names, and passwords. It then copies files to the hard disk, checks the hardware, and configures the installation. After finishing setup, you reboot the computer and then configure the system and its components by using the Configure Your Server wizard.
Pre-installation Checklist
To ensure a successful installation, review the following topics before starting Windows 2000 Setup.
Installation Information
It's recommended that you review the installation and setup information located at the root of your Windows 2000 Server CD, as well as the Deployment Planning Guide.
System Requirements
The hardware you plan to use must meet the following minimum system requirements for running Windows 2000.
Basic Hardware
  • 166-MHz Pentium or higher microprocessor
  • VGA or higher-resolution monitor and keyboard
  • 2 GB hard disk with a minimum of 850 MB of free space
  • High-density 3.5-inch disk drive as drive A and a CD-ROM drive; or, if you want to start Setup without using a floppy disk drive, an El Torito-compatible CD-ROM drive
  • x86 computers: 64 MB RAM minimum, 128 MB recommended, 4 GB maximum (expandable to 64 GB on Intel-based PAE platforms running Windows 2000 Advanced Server or Datacenter Server)
  • Alpha computers: 64 MB RAM minimum, 128 MB or higher recommended, 4 GB maximum (expandable to 32 GB on Compaq Alpha platforms running Windows 2000 Advanced Server or Datacenter Server)
Hardware and Software Compatibility
During installation, Windows 2000 Setup automatically checks your hardware and software and reports any potential conflicts. However, it's a good idea to verify hardware and software compatibility before starting Setup. You can find the Hardware Compatibility List (HCL) online or in the Hcl.txt file located in the Support folder on the Windows 2000 Server CD. If your hardware isn't on this list, request a Windows 2000 device driver from the hardware manufacturer. For software programs that use 16-bit drivers, you need to obtain 32-bit drivers from the vendor to ensure that the program functions properly on Windows 2000.
Network Information
If the computer on which you're installing Windows 2000 (the target computer) will be connected to a network, gather the following information before starting Setup:
- DNS name of the target computer. DNS computer names can be up to 63 characters long and can include numbers from 0 to 9, uppercase and lowercase letters, and the hyphen (-).
- Name of domain or workgroup. During installation, you specify the DNS name of a workgroup or a domain to join. When you specify a workgroup, Setup installs Windows 2000 Server as a stand-alone server. In a domain, Setup installs Windows 2000 Server as a Member server. In the latter case, you also need to reset the computer account in the specified domain, or create a new one, if necessary. If the target computer will be a Domain Controller, it must have an NTFS drive in order to host Active Directory. For more information, see the Windows 2000 DNS white paper.
- IP address. If your network does not use a DHCP server to assign IP addresses, you can manually assign an IP address for the target computer. If an IP address is not assigned by either method, then Setup assigns a restricted IP address.
Optional Components
In addition to automatically installed core components, you can choose from a number of optional components that extend the functionality of Windows 2000 Server. You can install these components during setup, or add them later by using Add/Remove Programs in Control Panel. For more information, see "Choosing Components to Install" in the Windows 2000 Server online product documentation.
Advanced Setup Options
You can use the default installation, or you can specify one or more of the following options during Setup, available from Advanced Settings:
  • Change the default location of the setup files.
  • Specify a folder for the system files other than the default folder (C:\Winnt).
  • Specify an alternate setup information file (.inf).
  • Copy all of the installation files from the CD to the hard disk.
  • Select the partition on the hard disk on which to install Windows 2000.
  • Create Setup startup floppy disks.
  • Configure a dual boot, to install Windows 2000 without uninstalling your existing operating system. For more information, see "Dual Boot Configuration" in AdvSetup.txt, found at the root of the Windows 2000 CD.
Best Practices
The following are recommended steps to take before starting Windows 2000 Setup.
  • Back up existing files. Back up all files on the computer to which you're installing Windows 2000 onto a disk, tape drive, or another computer.
  • Disable disk mirroring. You can re-enable disk mirroring after completing the installation.
  • Disconnect UPS devices. Setup attempts to automatically detect devices connected to serial ports; UPS equipment can cause problems with the detection process.
  • Remove specific applications. Remove any virus scanners and third-party network service or client software.
  • Stop DHCP and WINS services. Before performing an upgrade, bring each server database (WINS or DHCP) to a consistent state by stopping the related server service. You can do this from Services in Control Panel or by running the net stop <service> command from the command prompt.
Configuring the Server
Once you have completed Setup, restart the computer, and log on with administrator privileges. When you do this, the Configure Your Server wizard appears, listing the most common tasks you will want to perform, and guides you through the steps to configure your first server. You can also install the components it offers later, by using Add/Remove Programs in Control Panel.
Installing a Domain Controller
After you have installed Windows 2000 Server, you can make the new server a domain controller by using the Active Directory Installation wizard. Before running the wizard, take these steps:
- Review Getting Ready for Windows 2000, Part 1, or read "Checklist: Installing a Domain Controller" in the Windows 2000 Server online product documentation.
- Obtain the network credentials needed to create a domain; i.e., the logon name of a user account, account password, and domain name. The user account must have administrative privileges to create a domain controller.
- Decide which type of domain controller you want to create: either Additional domain controller for an existing domain or Domain controller for a new domain. (If you are installing a domain controller in an existing domain, be sure to read the next section, "Migrating a Windows NT-based Domain.")
- Identify the DNS name of the domain.
To install a domain controller
On the Start menu, click Run.
Type dcpromo, and then click OK to start the Active Directory Installation Wizard. Follow the instructions on the screen.
Migrating a Windows NT-based Domain
This section discusses some basic steps to migrate a Windows NT-based domain to Active Directory. For more information, see Migrating from Microsoft Windows NT Server 4.0 to Windows 2000 Server.
Choosing an Approach
When planning to migrate a domain to Windows 2000 from Windows NT, you need to decide whether to simply upgrade the domain and continue using the existing structure or whether to restructure the domain.
A domain, or in-place, upgrade is the easiest, lowest risk migration route. A domain upgrade consists of upgrading the software on the Primary Domain Controller (PDC) of a domain, and upgrading some or all of the Backup Domain Controllers (BDCs), from Windows NT 4.0 to Windows 2000 Server.
Because Windows 2000 is designed to support mixed networks containing Windows 9x, Windows NT 4.0, and Windows 2000 with full interoperability, not all systems in the domain must be upgraded to take advantage of Windows 2000 features. The existing domain structure, users, or groups are maintained, and new Windows 2000 features are enabled. However, mixed domains cannot take full advantage of the new Active Directory features.
If structural change is a main goal of migration, you should consider restructuring the domain during the migration. Also called domain consolidation or domain collapse, domain restructure allows you to redesign the forest according to the needs of your institution. You might want to do this in order to rationalize the current domain structure, or to create fewer, larger domains. Windows 2000 provides the following functionality to enable domain restructure:
  • Moving security principals from one domain to another while maintaining access to resources.
  • Moving domain controllers from one domain to another without complete reinstallation of the operating system.
A more complete discussion of domain planning and migration issues is available online.
Upgrading Domain Controllers
With Windows 2000 there are three main server roles: standalone, member server, and domain controller. When you run the Active Directory Installation Wizard (described earlier, in "To Install a Domain Controller"), it automatically upgrades domain controllers, according to the type of server you are upgrading, as follows:
  • A Windows NT primary domain controller (PDC) becomes a domain controller.
  • A Windows NT backup domain controller (BDC) can become a domain controller or a member server, based on your choice.
The following are the basic steps to migrate your primary and backup domain controllers to Windows 2000 Server and Active Directory:
- Plan your Active Directory structure, and decide whether to create a new tree or join an existing tree. If you're the first domain in the network to be migrated, you'll want to create a new tree. If you're merging multiple domains into a single Active Directory domain, you will want to join as a child of the existing tree. For more information, read Active Directory Logical Structure or read "Deploying Active Directory Topics" in the Windows 2000 Server online product documentation.
- Migrate the PDC. Always migrate the Windows NT 3.51 or 4.0 PDC (Primary Domain Controller) to Windows 2000 Server Active Directory first. Users and groups from your current domain will be automatically transferred into Active Directory, and existing clients will interface with the new domain controller exactly as if it were still a PDC. (Clients must be upgraded to Windows 2000 Professional to participate fully in Active Directory functionality.) After the migration, your server is fully backward compatible. By default the domain is installed to operate in mixed mode, i.e., the domain controller appears as a Windows 2000 domain controller to other Windows 2000-based servers and clients, but emulates a Windows NT 4.0 PDC to servers and clients that are not aware of Active Directory.
- Migrate the BDCs. Migrate the BDCs once you are sure the mixed mode domain is functioning completely. Microsoft recommends that you upgrade a backup controller as a replica of your domain controller. If you have any additional backup controllers, back them up and upgrade one at a time.
- Switch over. If you have completely upgraded all domain controllers to Windows 2000, you can switch the network to native mode. Once you do this, you will not be able to install a Windows NT Server-based domain controller into this domain. To change the domain mode:
  • Open Active Directory Domains and Trusts.
  • Right-click the domain node for the domain you want to administer, and then click Properties.
  • On the General tab, click Change Mode, and then click Yes.
Resources
Preparing for Windows 2000 Server: This is Chapter 12 from Introducing Microsoft Windows 2000 Server, published by Microsoft Press. It discusses the process of planning an implementation of Windows 2000 Server. It gives detailed instructions on using the setup routine and points to other resources to help you efficiently deploy Windows 2000 in your network.
Windows 2000 Beta 3 Reviewer's Guide: This guide provides overview information about Windows 2000 Server Beta 3.
Windows 2000 Technical Resources: This Web site provides white papers and other documents concerning the technical features of the Microsoft Windows 2000 operating system. Topics covered include Microsoft development strategy, architecture, functional specifications, and usage scenarios.
Planning Migration from Windows NT to Windows 2000: This white paper outlines the planning processes and considerations when migrating Microsoft Windows NT domains to Microsoft Windows 2000.
Active Directory: Chapter 11 from Introducing Windows 2000 Server, published by Microsoft Press. This chapter discusses Active Directory features and how to implement them.
Microsoft Windows 2000 Deployment: This Web site provides information that you can use to evaluate and deploy the Windows 2000 operating system.
Windows NT Services for UNIX: By providing access to core interoperability components in an integrated, fully supported package, the Microsoft Windows NT Services for UNIX Add-On Pack makes it easier for customers to integrate Windows NT-based operating systems with their existing UNIX-based workstations and servers.
Microsoft TechNet for Education: This Web site includes extensive information about planning, evaluating, deploying, maintaining, and supporting Microsoft technology in education. It also offers a CD-based subscription service, delivering the latest technical information, supplemental drivers and patches, utilities, white papers, service packs, resource kits, and a host of other tools essential for installing and supporting Microsoft products.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. ©1999 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Microsoft Press, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S. and/or other countries.
Tuan Nguyen is K-12 Education Marketing Manager for Microsoft Corporation's Southern California District. He may be reached by telephone at (310) 449-7408 or by e-mail at [email protected]