September 01, 1998 12:00 AM

Network Migration to NT 5.0

Windows IT Pro
InstantDoc ID #3839
8 steps from NT 4.0 to NT 5.0

If you keep up with the latest developments in the Windows NT 5.0 infrastructure, your head is swimming with a myriad of new terms. You've heard about forests, trees, sites, Kerberos trusts, and Active Directory (AD). But, how familiar are you with NT 5.0 networking? NT 5.0 brings so many new concepts to Microsoft networking that seeing how all the new operating system's (OS's) pieces fit together can be challenging. Of all the questions people ask me about NT 5.0, I hear most often, "What will the new OS mean for my network?" A look at a fictitious midsized network's upgrade from NT 4.0 to NT 5.0 can help answer this question.

Meet BigCorporation
BigCorporation, my fictitious firm, has an NT 4.0 network that includes 19 servers and serves 500 users in three offices. Of the company's 500 users, 250 work at BigCorporation's headquarters in Maryland, 95 work in a branch office in Ohio, and 155 work in a branch office in New York. BigCorporation's network comprises four NT domains in a single master domain model.

The company's administrators manage all user accounts from an accounts domain called BIGCORP (the master domain), and each of the company's offices has a resource domain. The resource domains are MARYLAND, OHIO, and NEWYORK. Each resource domain has a one-way trust relationship with the accounts domain, and each office houses a Backup Domain Controller (BDC) in the BIGCORP domain that handles local authentication requests. Figure 1 depicts BigCorporation's domain structure. Table 1 lists each BigCorporation server's NetBIOS name and explains the server's function.

BigCorporation decision makers chose the single master domain model for their NT 4.0 network because this domain configuration keeps administrative costs down. The configuration keeps centralized control over the accounts database within the company's IS group, because giving each site's administrators account operator permissions in the BIGCORP domain would give them rights over all the company's accounts. But, the configuration's resource domain structure lets administrators at each site perform routine tasks such as backing up servers, starting and stopping services, and rebooting servers. Local administration of the resource domains is more cost-effective than remote administration.

BigCorporation's network uses TCP/IP as the primary protocol. Each office has a Dynamic Host Configuration Protocol (DHCP) and Windows Internet Naming Service (WINS) server, and each office uses two adjacent, private class-C address blocks for servers and workstations. Table 2 lists these subnets. Each resource domain's DHCP and WINS server gives its address to clients in its domain for use as a primary WINS server and gives clients the address of an enterprisewide WINS server in the BIGCORP domain for use as a secondary WINS server. The resource domains' WINS servers are push/pull replication partners with the BIGCORP domain's WINS server. (For information about WINS push/pull replication, see Mark Minasi, "Advanced WINS Features," September 1997.)

Because BigCorporation delegates administration tasks, it decided to upgrade to NT 5.0. AD will let BigCorporation reduce its number of domains from four to one, provide local administrators with administrative rights for user accounts and resources at each site, and reduce the number of servers the network requires. (For more information about AD, see Mark Minasi, Inside Out, November 1997 through February 1998.) BigCorporation uses an eight-step approach to upgrade from NT 4.0 to NT 5.0.

Step 1
Designing the New Infrastructure
NT 5.0 introduces the concept of Organizational Units. OUs are administrative boundaries in AD that organize user and resource objects. Think of an OU as a directory in a file system and think of the OU's users and resources as files within the directory. You can assign a user administrative rights for one OU's accounts and resources but exclude the same user from administrative rights for other OUs' accounts and resources within the same domain. This flexible account and resource organization contrasts with NT 4.0 organization, in which domain boundaries are the administrative boundaries. BigCorporation collapses its four-domain infrastructure into one domain and organizes the domain's accounts and resources into OUs. Delegating administration becomes straightforward when you can grant separate administrative rights for each OU.

BigCorporation administrators design an NT 5.0 network that consists of three OUs: OU-MARYLAND, OU-OHIO, and OU-NEWYORK. Each OU contains all the user accounts and resources for its office. BigCorporation's IS department defines access control lists (ACLs) for the OUs so that each office's local administrators have permission to reset passwords, reboot servers, start and stop services, and perform backup operations on their OU's objects but not on the other OUs' objects.

"But wait," you say. "Won't rolling the four domains into one domain increase traffic over the WAN?" Microsoft anticipated the possibility of an increase in traffic and borrowed the concept of sites from Exchange and Systems Management Server (SMS) for controlling traffic over slower links. Microsoft defines a site as a collection of computers with a local affinity. A more common definition of site is one or more well-connected subnets. This definition leaves unclear how to determine which subnets are well-connected, but one Microsoft document targets 512 kilobits per second (Kbps--about one-third the speed of a T1 circuit and four times the speed of a full ISDN Basic Rate Interface--BRI--connection) as an appropriate amount of bandwidth for devices within the same site. Microsoft doesn't recommend using links slower than 512Kbps or high-speed links that are too saturated to produce at least 512Kbps of bandwidth to connect machines within an NT 5.0 site. NT 5.0's 512Kbps minimum connection speed for machines within a site is substantially higher than Exchange's current minimum speed (128Kbps) for intrasite connections, but the difference isn't surprising. AD's multimaster replication creates a lot of work within NT 5.0 sites. (For more information about multimaster replication, see Mark Minasi, "NT 5.0 Gets Better and Better--Mostly," December 1997.)

BigCorporation uses the TCP/IP subnets Table 2 lists to create three sites: SITE-MARYLAND, SITE-OHIO, and SITE-NEWYORK. BigCorporation defines each site with a /23 addressing scheme, which translates into a subnet mask of 255.255.254.0. By defining each site's IP address range, BigCorporation ensures that every NT system in the domain can differentiate between other machines in its site and systems outside its site (i.e., systems it has slow connections to). NT 5.0 adjusts replication according to site boundaries to minimize traffic over BigCorporation's WAN links.
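The site-membership rule above, as an added example that is not from the original article: each site is two adjacent class-C blocks summarized into one /23 (mask 255.255.254.0), and a machine decides whether a peer is inside or outside its site by which /23 the peer's address falls in. The subnet values are constructed, not Table 2's; the check in summarize_pair catches the case where two adjacent /24s do not line up on a /23 boundary and so cannot be a single site.

```python
import ipaddress

# Constructed sample subnets (not the article's Table 2): each site is two adjacent
# private class-C blocks, later collapsed into one /23 (mask 255.255.254.0).
SITES = {
    "SITE-MARYLAND": ("192.168.0.0/24", "192.168.1.0/24"),
    "SITE-OHIO": ("192.168.2.0/24", "192.168.3.0/24"),
    "SITE-NEWYORK": ("192.168.4.0/24", "192.168.5.0/24"),
}


def summarize_pair(first, second):
    """Return the /23 that covers two adjacent /24 blocks.

    Raises ValueError when the pair does not align to a /23 boundary: the first
    block's third octet must be even, otherwise a single site subnet cannot
    describe both blocks and one office would be split across two sites.
    """
    a = ipaddress.ip_network(first)
    b = ipaddress.ip_network(second)
    if a.prefixlen != 24 or b.prefixlen != 24:
        raise ValueError("expected two /24 (class-C sized) blocks")
    supernet = a.supernet(new_prefix=23)
    if a == b or not b.subnet_of(supernet):
        raise ValueError(f"{first} and {second} do not collapse into one /23")
    return supernet


def build_site_table(sites=SITES):
    """Map each site name to the /23 network that defines it."""
    return {name: summarize_pair(*blocks) for name, blocks in sites.items()}


def site_of(ip, table):
    """Return the site whose /23 contains ip, or None if it is outside every site."""
    addr = ipaddress.ip_address(ip)
    for name, net in table.items():
        if addr in net:
            return name
    return None


def same_site(ip_a, ip_b, table):
    """True when both addresses are in the same site, i.e. well-connected peers."""
    sa, sb = site_of(ip_a, table), site_of(ip_b, table)
    return sa is not None and sa == sb
```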

Comments
  • Suresh
    Jun 13, 2004

    This is very useful network company
