On 25 October, Microsoft fever will grip the globe as Bill Gates and his crew introduce us to the world of XP. But for many IT departments, it is Windows 2000, not XP, that will require their attention this autumn.
When Windows 2000 was launched in February last year Microsoft expected great things of the operating system. Launched in a desktop (Professional) version, alongside Server, Advanced Server and Datacenter editions, Windows 2000 was meant to be much more stable than NT4, scaling up to multinational implementations and offering flexible features such as the object-oriented Active Directory system. It was, in short, everything that Windows NT should have been.
Why is it then, that so few companies are moving to Windows 2000? David Roberts, chief executive of The Infrastructure Forum (Tif), a user forum representing more than 1,800 IT directors, says the lack of commercial take-up has been surprising. In April 1999, Tif conducted a Windows 2000 workshop in the City. IT directors from 38 companies attended, with only half a dozen actively involved in Windows 2000 implementation. When it posted another workshop a year later, only 31 organisations came along.
"Although most organisations now have some Windows 2000 projects going, they are still pilot studies," Roberts explains. "This came as a surprise, because everyone in the audience expected a significant amount of corporate penetration."
One of the biggest concerns among corporate users could be the implementation costs. Migrating from NT4 to Windows 2000 carries a significant impact for larger businesses. Before Windows 2000 first came out analysts at Gartner Group predicted an average cost of £1,280 per PC to move from Windows NT4 Workstation to Windows 2000 Professional, for example.
One big cost for companies planning to migrate to Windows 2000 is the application migration overhead, according to Martin Doxey, principal consultant for Microsoft consulting practice at ICL. Doxey had one client with 1,500 applications packaged and working under NT4. "Getting that packaged and working on Windows 2000 is a million-pound project," he warns. Certifying applications for Windows 2000 compliance is a process similar in scope to the Y2K compliance projects of the late 1990s. All suppliers must be contacted and their products' compliance with Windows 2000 checked.
The multiple levels of certification available for Windows 2000 complicate matters, says Doxey. Basic certification essentially dictates that a program will not crash when running under the new operating system. But if, for example, you want to make your program compliant with Active Directory, then a higher level of certification is needed and, after all, Active Directory was one of the most-promoted features of Windows 2000.
Jason Lochhead, founder of application hosting company Data Return, explains that of the 1,500 servers throughout his organisation, 900 are Windows 2000 machines. "The ones that aren't upgraded are generally because of the applications' compatibility," he says. Running in mixed mode like this, where NT4 servers sit alongside Windows 2000 machines, makes it difficult to use Kerberos security authentication.
Active Directory - the repository for end-user and network device information designed to make the IT infrastructure easier to manage - is one of the least-implemented parts of Windows 2000, according to Roberts. "Active Directory is viewed as difficult and far-reaching," he says. "There is little take-up - it is approached with extreme caution."
Olivier Thierry, vice-president of NetIQ, a company that provides directory migration services for Windows 2000 customers, says that migration to Active Directory is a one-shot deal. Companies have to be very sure of their organisational structures before beginning directory implementation, he says, because it is very difficult to go back and change things later.
"Of those that have implemented, I would say that maybe half have done it right," says Thierry. "If they had to do it again, many would do it differently, with a different organisational unit structure definition."
Add to this the difficulties that many companies will experience when putting other directory systems into Active Directory, and you will begin to see the problem. Thierry explains that many companies are finding discrepancies in data between their directory and other sources - for example, a human resources database in another application - because of the difficulties integrating the two. Companies that have implemented Active Directory are starting to think about integration between multiple data sources, so that all data can be fed into the directory, which becomes a trusted source.
A major concern amongst users considering Active Directory is the challenge of extending the directory schema, according to experts at Quest Software, a performance management software company. Extending the schema is not necessarily a bad thing, as long as there is a valid reason and it is not adding a huge load to the directory, say technicians, but many companies are unsure about how to do this.
Migrating from NT4, which uses a flat file directory system, into the hierarchical Active Directory structure is a significant challenge. While migration may be relatively straightforward, co-existence between Windows 2000 and NT4 during the migration process can be difficult, say experts - companies are unlikely to do the whole thing over the weekend, but will instead transfer employee records incrementally from one system to the other.
Exchange 5.5 users face further challenges. The product uses a separate directory from Windows NT4, but upgrading it to work in a Windows 2000 environment involves taking objects from both directories and consolidating them into Active Directory.
The Liverpool Institute for the Performing Arts (Lipa) was daunted by the prospect of upgrading its Exchange 5.5 implementation. Such was its concern that it left the application running on its own Windows NT4 server, while the rest of the organisation migrated to Windows 2000. The institute's IT manager Paul Millington says, "It was an historical thing." He explains that the original Exchange 5.5 system was set up about five years ago, adding that the permissions in the system were not as they should have been.
"You need enterprise administrator permissions, but the account that was given the permission wouldn't do what it was meant to do." The company would have had to give enterprise administrator permission status to the administrator account to make the upgrade work, which was not advisable.
However, Lipa has gained some significant benefits from the upgrade to Windows 2000, says IT director Ken Donaghue. The institute had originally kitted out its building with a new network in 1996, but last year it ground to a halt. There were problems logging on to the network from client machines and data transfer was slow, he recalls. Lipa replaced the old AST PC clients with Compaq Pentium III machines and replaced its servers, while moving from a shared 10Mbps hub-based network to 100Mbps switches.
Donaghue is enthusiastic about the new system. It incurs 90% fewer problems for the helpdesk, making a substantial cost saving, he says. In reality, though, the reduction in networking problems and the money saved appear to be largely due to a revamped hardware infrastructure rather than an operating system replacement. The Windows 2000 upgrade seems to be almost cosmetic.
"It is far more robust and reliable, and easier to use," says Millington, while admitting that the performance enhancements are mainly hardware-based. "There are fewer problems because the software is more robust," he says.
However, this highlights what Roberts sees as a significant issue with Windows 2000 implementations - the lack of detailed reference sites. "The Tif user community would like better access to reference sites," he says. "They can't get enough information - they have doubts about the depth of the implementation concerned."
While it does its best to promote Windows 2000 as a robust operating system, Microsoft also has to battle concerns about security issues. John Cheney, managing director of managed security services company Activis, says many recent Web site placements have been aimed at Windows 2000 users, often running in conjunction with Microsoft's Internet Information Server. In the first half of this year alone, eight security patches appeared to plug loopholes in the operating system. End-users who don't apply them leave themselves open to serious vulnerabilities.
"Part of the problem is that Microsoft operating systems are integrated with other Microsoft products - 2000 is particularly integrated with Internet Information Server," says Cheney. "How does a busy IT manager spend time checking Microsoft's Web site?"
Cheney is overplaying his hand - Microsoft has a security notification service for its customers, and it is not the only company with security holes. Nevertheless, for a system that was supposed to be ultra-secure, Windows 2000 has been something of a security embarrassment since its launch.
The company's Lars Lindstedt says that any security issues surrounding Windows 2000 are largely a result of the company introducing more flexibility into the system in response to user requests. "Today, ongoing vigilance and maintenance of a security environment has to be a high priority for everyone," he says. In short, it is up to users to make sure they have the policies in place to protect their systems, and to keep track of security patches as they emerge. Lochhead says he uses Microsoft's Systems Management Server (SMS) to distribute hot fixes when Microsoft produces them.
Roberts praises the Windows operating system, as do other industry experts. Microsoft has produced a robust, feature-rich operating system that is solid in both small and large environments. But uptake has not been as fast as the company may have hoped because of its complexity and the leap that customers have had to make to implement it. Introducing Windows XP so soon after Windows 2000 has also wrong-footed the customer base, and many companies which were considering upgrading to Windows 2000 may now jump it altogether. Windows 2000 is a pearl of an operating system, but the market is still approaching it carefully.
How long is Windows 2000 good for?
One of the biggest contentions among the user base is that Microsoft is rolling out Windows XP so soon after launching Windows 2000. Now, companies that are in the midst of deploying the most recent operating system are faced with having their systems well on the way to obsolescence by the time projects are concluded. So how much mileage can you expect from an upgrade to Windows 2000? Microsoft offers three phases in the life cycle of its Windows operating system:
- Mainstream phase - three years after general availability, when licences and standard support offerings are available for the products
- Extended phase - between three and four years after general availability, when licences are only available in the authorised OEM distribution channel, and incident support and hot fix support are provided on a paid basis
- Non-supported phase - after four years of general availability. Licences are still available through the OEM channel, and only online support information is available. Microsoft can terminate this phase whenever it likes, but promises 12 months' advance notice.
Windows 2000 products are in the mainstream phase, and no changes are planned before the end of next year. Meanwhile, Microsoft ceased to offer skills certification for Windows NT4 last year, and the company has also announced that it will cease to provide hot fixes for that version of the operating system on 30 June 2003.
Problems and glitches
Since it was launched, Windows 2000 has had its fair share of bugs and glitches. Some of the most threatening have been in the area of security. Microsoft launched the Windows 2000 Service Pack 2 to fix a host of different bugs in the spring. Here are some of the more notable gremlins posted on Microsoft's Web site. Fortunately the company has fixed them all, and it is simply a case of downloading the patches.
- There is an unchecked buffer in the Internet Printing Isapi (Internet Services Application Programming Interface) extension for Windows 2000 and if it is intentionally overflowed by a malformed request, hackers could take control of your Web server
- If you open an HTML message that takes you to a malformed Web address, it can be used to run hacker-written code on your machine. This is known as the HyperTerminal Buffer Overflow security glitch
- Computers using a certain graphics controller (the VIA AGP system) may stop working during the resume process after they have been hibernated
- Under Windows 2000, cookies can be stolen or set for other domains, if Internet Explorer is used to visit a Web site with a series of illegal characters in the URL
- During the installation process, the operating system will sometimes identify IDE hard drives as being only 8Gbytes in size, when in fact they are much larger
- After installing Internet Explorer 5.5 on Windows 2000, it may become impossible to add or remove programs because the relevant tool in the control panel may cease to work
- When your laptop is running on battery power, the CPU may enter a processing loop that uses all of its available resources, slowing the system to a halt
Case study: Scottish Building Society uses Windows 2000 as catalyst for e-development
Not all Windows 2000 implementations have to be huge enterprise-driven operations. The Scottish Building Society is an example of a small organisation migrating from Windows NT to the newer operating system.
The company was running version 3.51 of NT before the migration. It has 54 desktop machines across a head office in Edinburgh and five regional sites. There are also two servers at the head office and one each within the area offices.
Senior manager Allison Quilter explains that the building society was facing new challenges, particularly in the area of e-commerce, and after attending seminars on Windows 2000, she decided to upgrade to the new system. Having used ICL to implement the previous operating systems, she chose the company to help her with this project too.
"It provides us with a solid foundation for the development of the business systems and gives us more staff productivity, freeing us up to look at other business issues," she says, quoting systems manageability as a key issue. "Managing things remotely is better because we don't have to trail around the five corners of Scotland to do it. Security is also improved."
The building society was not the most high-tech of places, as the failure to upgrade to NT4 in the interim reveals. The company did not even have internal e-mail before the Windows 2000 upgrade. Desktop PCs ran Microsoft Office 95 and PC Anywhere. An Oracle Forms-based front-end hooked into a Unix-based NCR machine running an Oracle database supporting a bespoke financial application.
The project started on 16 January and was finished just three months later. The ICL team designed a single domain for the system, building a Windows NT4 server as a back-up domain controller in the 3.51 domain. Once this was tested, it was upgraded to a primary domain controller, and finally upgraded to Windows 2000, putting the network into mixed mode.
The next stage was to upgrade the rest of the infrastructure to Windows 2000, taking down each branch briefly while putting the Windows 2000 servers and Windows Professional desktops in place. A single Active Directory domain was implemented covering all the sites, with each site constituting an organisational unit. ICL used Microsoft's security templates to control the desktop permissions for individual users, employing the Active Directory group policy facility.
Initially, the provider of the accountancy application on the NCR server was unwilling to support an interface to the Windows 2000 servers, but changed its mind after persuasion from the implementation team.
Ironically, the e-mail system is not based on Windows 2000 after all. Instead, it is based on a Netscape server, which is operated as a managed service by BT and runs on an NT4 server.
The Scottish Building Society is hoping to expand its application base soon, running an intranet-based mortgage system for its branch offices.
This was first published in September 2001