Windows 2000 and its trade-marked Active Directory (AD) are far more powerful and capable than Windows NT 4.0, analysts say. But to deploy them properly, network and system managers must master new concepts, new techniques and new vocabulary. Even more important -- without proper training, it's all too easy to go wrong deploying Windows 2000.
Just ask Kraig Kluba, Windows 2000 enterprise coordinator at the University of California-San Francisco.
Just recently, Kluba met a systems administrator who simply migrated his existing department-level domains from Windows NT 4.0 to Windows 2000 without first assessing how users would fit into the university-wide AD made possible by Win2k. The end result was an island of staff cut off from key migration benefits such as easier systems management and university-wide videoconferencing. "But he wasn't trained enough," says Kluba, "and didn't know enough to know he was doing anything wrong."
Training is considered fat in these cost-conscious times, observes Laura DiDio, an analyst at Cambridge, Mass.-based Giga Information Group Inc., who believes that sharpening IT staff skills is critical for keeping Win2k systems running smoothly and reaping the full cost-benefits of the upgrade itself. Yet, according to a recent Giga study conducted this past spring, only 45 percent of 1,200 IT professionals surveyed planned to train their staff on Windows 2000 server, and only 37 percent planned training on AD even though
Among the specific technologies for which analysts and IT educators say new skill sets are crucial: directory services, replication, and security.
Directory services
A directory acts like an organization-wide phone book listing everything from users to printers. Once it's set up, a directory makes it far easier and less expensive to do chores such as adding or deleting users or changing their access rights. But AD is Microsoft's first true stab at a directory service, making training critical for administrators who had previously worked only with NT's more limited domain structures.
In Windows NT, administrators created local control groups, known as domains, often around geographical or departmental lines. In AD, domains (now also called containers) are groups of network objects sharing common security and replication processes which are administered as a unit. Adding to the complexity, domains can be subdivided into multiple levels of organizational units that can be "nested" within each other, and domains can be linked to form trees, which in turn can be combined to create forests.
Network administrators who have worked with Novell Inc.'s NDS (Novell Directory Services) have a head start in understanding directories, says David Wells, a principal with WSB Technologies, a Wolfeboro, NH design, training and consulting firm. But they still need in-depth training on AD, he says, because "it's a fundamental and far-reaching underpinning for the whole network. Even if the network includes other directory services, and other platforms such as Unix, the impact of AD has to be very well understood."
Replication
In Windows NT, a primary domain controller held the master copy of the information in the directory and doled it out to backup controllers. In AD, updates can be entered into any domain controller, which shares the updates with other controllers. This makes it easier to delegate management responsibility to local business groups. But if implemented incorrectly, all that chatter among domains can sink network performance, says Hank Carbeck, vice president of education and operations at Scottsdale, Arizona-based training firm trainAbility Inc. Simply upgrading your existing NT domains to Windows 2000 can mean "you just created yourself a resume-altering experience because you drove the performance of your network into the tank," he says.
"Replication, especially across wide area networks, is very important to understand," says Wells. "AD does a lot of that automatically, but users have to understand the impact on their network's performance."
On the Internet, the Domain Name System (DNS) governs the translation, or resolution, of Internet domain names into Internet Protocol addresses. In AD, it also plays a vital role in how AD servers communicate with each other and find network resources. "There are whole new levels of name resolution you may not ever have had to deal with in NT 4.0," says Carbeck.
Security
Then there is security, the need for which most novice administrators underestimate in a Windows 2000 environment, adds Wells. He stresses the need for additional training in both DNS and DHCP (the Dynamic Host Configuration Protocol, which allows administrators to assign IP addresses within a network). Both protocols are important security-wise because they deal with the integrity of network data, and with maintaining that integrity when linking Windows-based networks with popular non-Microsoft platforms such as Unix, he says.
Training costs will vary depending on the administrator's previous experience and the complexity of the deployment he will be doing. Wells estimates that an admin with some experience in Windows NT will require between $6,000 and $10,000 in Windows 2000 and AD coursework, which would pay for four to five instructor-led training courses lasting five days each. That training could take place over as long as six months to a year, he says, so that the student can alternate between classes and hands-on experience.
Faced with tight budgets and the never-ending demands of network management, business units may be more reluctant than central IT staffs to do the necessary training, analysts say. Kluba has sent all four members of his primary Windows 2000 administration staff to at least one five-day Windows 2000 training class but notes that "we are walking a fine line between requiring and recommending training" for the departmental-level administrators who are not under his control, but who will make important decisions about how to deploy Windows 2000 and AD in their departments.
Migrating to Windows 2000 and Active Directory without the proper training is a gamble, adds Wells. The risk is that your staff will make mistakes that either jeopardize your company's operations, or make it impossible for you to receive the full benefits of the upgrade.
Robert L. Scheier is a free-lance writer based in Boylston, Mass. He can be reached at firstname.lastname@example.org