Installation and Upgrade Issues

Unless your company is buying its first Windows server, you are going to have to decide between upgrading and performing a clean install. Each method has advantages and disadvantages:

■ Upgrading preserves many of your existing settings, such as users and groups, permissions and rights, and applications.
■ Performing a clean installation can improve the performance of your hard drive, as it will be reformatted during installation. This also gives you a chance to change the partition and volume sizes used on your drives. Clean installs ensure that you don’t carry over any existing problems that you might have with your current OS, including stale accounts, permissions and services that nobody remembers installing.

Some administrators (the authors of this book included) prefer clean installs because they have seen many problems related to OS upgrades in the past. There is something comforting about starting from scratch.

Common Installation Issues

The biggest problems with installing a new OS are hardware and software incompatibilities. It is important to adhere to the recommended hardware specifications for Windows Server 2003. At a minimum, you need the following hardware configuration:

■ 133 MHz processor
■ 128MB of RAM
■ 1.5GB hard drive

Remember that these are the bare minimums on which Windows Server 2003 will run. Obviously, on such old hardware, performance will suffer. Microsoft recommends at least a 550 MHz processor and 256MB of RAM. The more RAM the better.

You should always verify hardware compatibility before you start your installation. The Windows Server 2003 CD includes a System Compatibility wizard that checks your hardware for you automatically. Even if all of your hardware is supported, you should always update your machine’s BIOS to the most recent version.

Common Upgrade Issues

As stated earlier, you should always verify hardware compatibility and BIOS versions. You should always back up your existing system before you start your upgrade, and confirm that the backup restores before you rely on it.
If you have applications on your server, you should read the release notes on application compatibility. These are found in the docs folder on the setup CD (relnotes.htm).

When upgrading servers from NT 4.0 to Windows Server 2003, you must have Service Pack 5 or higher installed. You can perform upgrades from all server versions of NT 4.0 (Server, Enterprise Edition, and Terminal Server Edition). Upgrading Windows 2000 machines to Windows Server 2003 doesn’t require any service packs to be installed first. Windows 2000 Server can be upgraded to Windows Server 2003 Standard Edition or Enterprise Edition. However, Windows 2000 Advanced Server can only be upgraded to Windows Server 2003 Enterprise Edition, and Windows 2000 Datacenter Server can only be upgraded to Windows Server 2003 Datacenter Edition. You must have at least 2GB of free hard drive space for all upgrades.

Chapter 1 • Overview of Windows Server 2003

When upgrading Windows NT 4.0 domains to Windows Server 2003 domains, you must first make sure that DNS is installed and properly configured. You don’t have to use a Microsoft DNS server, but your implementation of DNS must support service (SRV) records. Optionally, you might want it to support dynamic updates as well. If DNS does not support dynamic updates, you will have to manually create all of the needed SRV records. Before starting the upgrade, you should take one of your BDCs offline. This will allow you to roll back to your existing NT 4.0 environment if you should have problems with the upgrade: keep that BDC offline until the upgrade has been verified, and only bring it back (and promote it to PDC) if you actually need to roll back. Always start your upgrades with the PDC, followed by the BDCs. After upgrading the PDC, you should set your forest functional level to Windows 2003 interim mode.
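When DNS does not accept dynamic updates, the records you have to create by hand are exactly the ones the upgraded PDC writes to %SystemRoot%\system32\config\netlogon.dns. The following PowerShell script is an added example, not part of the book: it reads that file, queries every SRV name it lists against your DNS server with nslookup, and reports the names that still do not resolve. The DNS server name is an assumption; the file path is the default location.

```powershell
# Added example (not from the book). Lists the SRV records from netlogon.dns
# that the DNS server does not yet answer for. Run it on the upgraded PDC.
param(
    [string]$DnsServer   = "dns1.example.com",    # assumption: your DNS server
    [string]$NetlogonDns = "$env:SystemRoot\system32\config\netlogon.dns"
)

# Each record in netlogon.dns is one line, for example:
#   _ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
# Keep only the SRV owner names, without the trailing dot.
$wanted = Get-Content $NetlogonDns | ForEach-Object {
    if ($_ -match '^\s*(\S+?)\.?\s+\d+\s+IN\s+SRV\s+') { $Matches[1] }
} | Sort-Object -Unique

$missing = @()
foreach ($name in $wanted) {
    # nslookup prints one "svr hostname = <server>" line per SRV answer.
    $reply = (& nslookup -type=SRV $name $DnsServer 2>&1) | Out-String
    if ($reply -notmatch 'svr hostname') { $missing += $name }
}

if ($missing.Count -eq 0) {
    "All $($wanted.Count) SRV records from netlogon.dns resolve via $DnsServer."
} else {
    "Missing SRV records (create these by hand, or enable dynamic updates):"
    $missing | ForEach-Object { "  $_" }
}
```

If the server does support dynamic updates, a DC that is missing records can be told to re-register them with nltest /dsregdns (from the Support Tools) rather than by hand; rerun the script afterwards to confirm.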
When upgrading Windows 2000 domains, you must first prepare the forest and the domain for Windows Server 2003 by using the ADPrep tool. You can prepare the forest by running adprep.exe /forestprep on the Schema Master, and you can prepare the domain by running adprep.exe /domainprep on the Infrastructure Master. Running /forestprep requires membership in Schema Admins and Enterprise Admins; /domainprep requires Domain Admins in the domain being prepared, and it should not be run until the schema changes made by /forestprep have replicated to that domain. ADPrep can only be run from the command line; there isn’t an equivalent graphical tool. Unlike when you upgrade from NT 4.0 domains, you do not have to upgrade the PDC (technically the PDC Emulator) first. You can install a new Windows Server 2003 domain controller into an existing Windows 2000 domain. When upgrading your domain controllers, you need to budget a little growing room for the Active Directory database. The database file (ntds.dit) might grow by up to 10 percent.

Windows Server 2003 Planning Tools and Documentation

Planning is the first step in building a reliable, secure, high-performance and highly available Windows Server 2003-based network. In this section, we’ll begin with an overview of network infrastructure planning, introducing you to planning strategies and how to use planning tools. This section also looks at legal and regulatory considerations, how to calculate total cost of ownership (TCO), and how to plan for future growth. We discuss how to develop a test network environment and how to document the planning and network design process.

Overview of Network Infrastructure Planning

Proper planning of a network infrastructure is essential to ensuring high performance, availability, and overall satisfaction with your network operations. In order to create a viable network design, you’ll need an understanding of both the business requirements of your organization and current and emerging networking technologies. Accurate network planning will allow your organization to maximize the efficiency of its computer operations, lower costs, and enhance your overall business processes.
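Returning to the Windows 2000 domain upgrade described above: before you run ADPrep it helps to know which domain controllers hold the Schema Master and Infrastructure Master roles, and afterwards to confirm that each step actually took before starting the next. The PowerShell script below is an added example, not part of the book. It reads everything through ADSI, so it runs from any domain member, and it reports the markers adprep leaves behind: the schema container’s objectVersion (13 for Windows 2000, 30 for Windows Server 2003, 31 for Windows Server 2003 R2) and the CN=Windows2003Update object that /domainprep creates under CN=DomainUpdates,CN=System.

```powershell
# Added example (not from the book). Shows where adprep /forestprep and
# adprep /domainprep must run and whether they have already been applied.
$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNC = [string]$rootDse.schemaNamingContext
$domainNC = [string]$rootDse.defaultNamingContext

function Get-FsmoHolder([string]$containerPath) {
    # fSMORoleOwner holds the DN of the role holder's NTDS Settings object, e.g.
    # CN=NTDS Settings,CN=DC1,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=...
    # The server name is the second RDN.
    $owner = [string]([ADSI]$containerPath).fSMORoleOwner
    $owner.Split(',')[1] -replace '^CN=', ''
}

$schemaMaster = Get-FsmoHolder "LDAP://$schemaNC"
$infraMaster  = Get-FsmoHolder "LDAP://CN=Infrastructure,$domainNC"

# /forestprep raises objectVersion on the schema container:
# 13 = Windows 2000, 30 = Windows Server 2003, 31 = Windows Server 2003 R2.
$schemaVersion = [int]"$(([ADSI]"LDAP://$schemaNC").objectVersion)"

# /domainprep creates this object (revision 8 for the Windows Server 2003
# release of adprep); if it is absent the domain has not been prepared.
$updatePath    = "LDAP://CN=Windows2003Update,CN=DomainUpdates,CN=System,$domainNC"
$domainPrepped = [System.DirectoryServices.DirectoryEntry]::Exists($updatePath)
$revision      = $null
if ($domainPrepped) { $revision = ([ADSI]$updatePath).Properties["revision"].Value }

"Schema Master         : $schemaMaster  (adprep /forestprep runs here)"
"Infrastructure Master : $infraMaster  (adprep /domainprep runs here)"
"Schema objectVersion  : $schemaVersion  (30 or higher means /forestprep has run)"
"Domain prepared       : $domainPrepped  (Windows2003Update revision: $revision)"
```

The same role information is available from netdom query fsmo in the Support Tools; the script is useful mainly because it also tells you, from any machine, whether the forest and domain markers have replicated to the DC you are talking to.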
When planning for a new infrastructure or upgrading an existing network, you should take some or all of the following steps:

■ Document the business requirements of your client or organization.
■ Create a baseline of the performance of any existing hardware and network utilization.
■ Determine the necessary capacity for the physical network installation, including client and server hardware, as well as allocating network and Internet bandwidth for network services and applications.
■ Select an appropriate network protocol and create an addressing scheme that will provide for the existing size of the network and will allocate room for any foreseeable expansions, mergers, or acquisitions.
■ Specify and implement the technologies that will meet the existing needs of your network while allowing room for future growth.
■ Plan to upgrade and/or migrate any existing technologies, including server operating systems and routing protocols.

Planning Strategies

When designing a new network or significantly upgrading an existing one, you should first use the business requirements of your organization as the primary source of planning information. You’ll need to create a network infrastructure that addresses the needs of your management structure, such as fault tolerance, security, scalability, performance, and cost. You’ll need to balance these requirements with the types of services that your users and clients will expect from a modern network, including e-mail, calendaring, project collaboration, Internet access, file, print, and application services.
After you’ve determined the business requirements of your network, you should then analyze the technical requirements of your organization. These requirements may apply to any applications that are already in use or that you plan to implement, as well as to the associated hardware and operating system. You should carefully note all of these requirements so that you won’t create any difficulties later on during the implementation process. Be sure to analyze and document the existing network, including any hardware, software, and network services that are already in place. This will make it easier to take the existing configuration into account when planning the new or upgraded network.

Finally, any well-formed network plan should make allowances for future changes to the organization, including support for new technologies and operating systems, as well as additional hardware and users. Your organization’s business requirements can change, through a merger, an acquisition, or simple growth and expansion. Although it is impossible to foresee all possible changes of this nature, a good network design will be flexible enough to accommodate as many adjustments as possible.

Using Planning Tools

There are a number of tools available to assist you in developing a plan for your network infrastructure. The first and best of these, however, might be the simplest: pencil and paper. As we discussed in the previous section, you should begin your planning by determining the requirements of the business that will be using the network.

After you have a high-level understanding of your company’s organizational structure and computing needs, you should inventory the hardware and software that is already in place. This is especially important to ensure existing hardware and software are supported in Windows Server 2003.
In a small office environment, you can accomplish this by simply taking a walk to determine the physical layout of network cables, routers, and the like. In a medium- to large-sized enterprise network, you will probably want to rely on automated inventory tools such as Microsoft’s Systems Management Server (SMS) or a third-party equivalent. Take as detailed an inventory as possible, including the hardware configuration of server and workstation machines, as well as vendor names and the version numbers of the operating system and business applications the systems are running.

You can use a network analyzer, such as the Network Monitor utility built into the Windows Server 2003 operating system or the more full-featured version of Network Monitor included in SMS, to create a baseline of the current utilization of your network bandwidth. If this utilization is already near capacity, you can use this baseline to justify and plan upgrades to your network infrastructure (moving from 10 Mbps Ethernet to 100 Mbps Ethernet, for example).

Windows Server 2003 has introduced new management features that will assist you in planning your network configuration, especially in the areas of user and computer management. The Resultant Set of Policy (RSoP) Microsoft Management Console (MMC) snap-in contains a Group Policy modeling function that will allow you to simulate changes to Group Policy Objects (GPOs) in an Active Directory (AD) environment before actually applying them to a production network. For example, if you want to apply a new GPO to a departmental Organizational Unit (OU), the modeling report will indicate how the new GPO will affect the objects within the OU to which it’s being applied. The Group Policy Management Console (GPMC) can also provide detailed configuration reports on existing GPO settings in place on a Windows 2000 or Windows Server 2003 AD installation.
Reviewing Legal and Regulatory Considerations

Depending on the business in which you are involved, your network design plan should address the legal issues associated with your industry, geographic location, and so on. Backup schedules and off-site data availability have become federally regulated matters, especially in the financial arena. Consult your Legal department during the design process, because like everything else in this venture, it’s certainly best to get it right the first time.

Don’t forget to include your client workstations when making allowances for legal and regulatory matters. For example, if your corporate data-retention policy calls for maintaining e-mail data for twelve months, but some users have copies of every item they’ve sent or received in the last five years, that fact could come back to haunt you in a legal proceeding.

Some fields of business are subject to very detailed governmental regulations regarding data security. For example, healthcare providers now fall under strict laws regarding electronic patient information since the Health Insurance Portability and Accountability Act (HIPAA) went into effect in 2003. Regardless of your field, if you work on government projects, your network might be required to meet specified security criteria.

Network communications can also subject your company to legal liability when employees misuse the network. For example, pornographic material on the company network can subject the company to charges of the “hostile workplace” definition of sexual harassment under Title VII of the federal Civil Rights Act of 1964 and various state laws. You should also consider intellectual property (copyright, trademark, and patent) laws in establishing your network policies.
Common factors that also need to be reviewed for legal compliance are any Service Level Agreements (SLAs) in place on your network. An SLA attempts to define the scope of a service provider’s responsibilities in maintaining applications or services on a network. This provider can be an external vendor to whom you’ve outsourced a critical service (your ISP, for example), or the SLA can be an internal document detailing the IT department’s duties in maintaining network availability. The following are the major components of an external SLA, using an ISP as a real-world example:

■ Scope of services This spells out exactly which service or application the SLA refers to and the level of responsibility that the internal IT department will have in maintaining this service versus the external vendor. This includes outlining the hardware, software, and resources that comprise the particular service, such as the modems, network connectivity equipment, ISP help desk, and engineering personnel in the case of an ISP.
■ Roles and responsibilities Your ISP should establish a coverage schedule so that at least one primary and one backup support avenue is available to report any service outages. You’ll also need to establish a system to escalate support calls if the scheduled support person is unavailable or cannot correct the problem. You can use this information to inform your users of the turnaround time they can anticipate in responding to and resolving any problems.

These are only a few of the legal considerations that are important in a corporate network environment. You should always include a legal advisor as a member of your network planning team.
Calculating TCO

“These upgrade proposals look interesting, but how will they impact our company’s TCO?” Total Cost of Ownership (TCO) is a calculation that was designed to assist consumers and corporate managers in assessing the direct and indirect costs and benefits associated with the implementation of new or upgraded computer technology. The purpose of TCO is to quantify the financial bottom line associated with a computer or technology purchase decision. TCO calculations do not rely on a single formula. For example, a high-end computer will have a higher initial purchase price, but will probably incur fewer repair bills during its active life cycle. TCO is balanced against the benefits created by the technology purchase, such as improved user efficiency or perceived happiness with improved performance, in attempting to make a final purchase decision.

The first part of calculating TCO is relatively simple: What is the initial purchase price of the new technology? Include the cost of hardware, software licensing, networking equipment, installation charges, and so on. Don’t forget to factor in the necessary time to train your end users and IT staff in the use and administration of the new technology. Next, determine the ongoing costs for maintenance and support. These costs can include charges for vendor support, as well as in-house labor expended on interoperability issues with third-party and legacy software support. Try to estimate the total costs for the full anticipated life cycle of the proposed technology.

Determining the soft costs associated with a new technology is a bit more complicated. How much money will your company save by reducing the number of times your users are forced to reboot their computers each day? Conversely, how much money is lost when an account manager cannot access the order-entry application for 20 minutes, for an hour, and for a day?
These costs are fairly difficult to quantify, but they can be critical when determining the total benefits afforded by a network upgrade. You can start investigating soft costs by talking to your users and reviewing TCO models from network analysts.

Your users can certainly tell you how much it aggravates them when their e-mail or order database is “running too slowly,” even if they can’t tell you what “too slowly” means in terms of actual response time. This can also point out performance bottlenecks that you may not have known about before. For example, a real estate lending office for a well-known bank shared a T1 line with the bank branch in the lobby of the office building. The real estate lenders encountered severe network performance degradation every day at around 4:30 P.M. Further investigation revealed that this time frame coincided with the bank tellers transmitting their daily totals to the bank’s main headquarters when the branch closed each day.

Preconfigured TCO models from organizations like the Gartner Group, IDC, or other independent network analysts can walk you step-by-step through plugging in various budget figures to arrive at the TCO of a specific technology, hardware, or software package. However, remember that these models are not set in stone, and they should be modified as needed to meet the specific needs of your organization. These models will rely more on actual calculations, such as dividing a help desk analyst’s salary by the number of support calls he or she is able to process in a day, or determining the “cost per e-mail message” of an e-mail server upgrade that increases the number of messages it can transmit in a day, week, or hour. You can then take these numbers and factor in the soft costs already mentioned. Using a combination of calculations and judgment calls will typically lead you to the most accurate assessment of TCO within your organization.
Developing a Windows Server 2003 Test Network Environment

When implementing a new network or computer solution, you should perform a thorough battery of testing before deploying it into production. Although not specific to Windows Server 2003, you should follow a systematic approach to designing a new or upgraded network. This typically includes developing a test environment in which you can test compatibility, usability, connectivity, security settings and more.

You’ll begin the test process in an isolated lab where new technologies will have no chance of adversely affecting the existing computing environment. After you are satisfied with the new technology’s performance in the test lab, you can expand testing into a pilot deployment involving a few actual users, analyzing their input and reactions to make any necessary adjustments to your design. Only after you are satisfied with the pilot deployment should you perform a full-scale deployment in your production environment. Depending on the total number of users you have, you might want to split your full-scale deployment schedule into stages. After each stage, you can verify that your system is accommodating the increased processing load from the additional users as expected, before you begin deploying the next group of users.

The success of any network deployment depends heavily on your ability to develop an effective test environment. This test lab can consist of a single lab or several labs, each of which can test various pieces of the overall design without risking the integrity of your production environment.
Working in the test lab will allow you to verify the effectiveness of your design, discover any potential deployment problems, and increase your staff’s familiarity with the new technology before it “goes live.” In short, a well-developed test environment will reduce the risk of errors during the deployment of a new technology, thus minimizing any potential downtime for your clients and users.

Planning the Test Network

Before you begin testing your Windows Server 2003 network design, you need to plan the test network itself. The first step is to determine the hardware resources required to set up the lab. This involves identifying the standard configurations of your existing or new client computers. (If you support diverse workstations, do your best to include a representative workstation from each supported configuration.) Be sure to include all components and peripherals, including the following:

■ BIOS versions
■ USB adapters
■ CD and DVD drives
■ Sound cards
■ Video cards
■ Network adapters
■ Smart card readers
■ Removable storage devices, such as Zip drives or external hard drives
■ Small Computer System Interface (SCSI) adapters
■ Mouse or trackball devices
■ Keyboards

Although using separate hardware devices for your test lab is the ideal, many small and medium-sized businesses simply cannot afford to buy dozens of computers for the test lab. Using a third-party product such as VMware (www.vmware.com) will allow you to simulate a multiple server/domain environment, as well as multiple desktop operating systems, fairly closely without the expense of multiple individual machines. VMware can run multiple operating systems, such as Microsoft Windows, Linux, and Novell NetWare, simultaneously on a single PC, including all networking and connectivity that you would need to perform your testing.
In addition to purchasing hardware or virtual PC environments for the test lab, you need to secure appropriate licensing for all necessary software, including operating systems, service packs, management utilities, and business applications. Make sure that you can obtain or duplicate the following configuration and information when creating a test lab for Windows Server 2003:

■ Network services Install the same services on a test server that will be used in the actual deployment. This can include Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), Windows Internet Name Service (WINS), or any other Windows service.
■ User accounts Create a domain controller in your test environment to effectively simulate any upgrade procedures.
■ Domain structure Simulate the domain hierarchy of your proposed environment, including forests, trees, parent and child domains, and all necessary trust relationships. Configure sites as necessary to simulate any WAN testing considerations.
■ Network protocols and topology Re-create the network technologies that will be used in your production environment as completely as possible. For example, if your production environment will be using 100 Mbps cabling, using Gigabit Ethernet will provide erroneous results when doing performance testing. You should also include routers to test for performance latency as well as replication across WAN links.
■ Domain authentication Use the appropriate authentication to mimic the desired production environment, including mixed mode versus native mode, and NTLM versus Kerberos client authentication. Selecting the appropriate authentication model will allow you to compare apples to apples during testing and avoid any unexpected behavior later.
Remember that Windows NT 4 workstations or servers cannot use Kerberos authentication. You will need to rely on either NTLM authentication or its stronger successor, NTLM version 2.
■ Group Policy Object (GPO) settings Create GPOs with the settings that you wish to deploy in your production environment. You can use the GPMC (discussed earlier) to test the potential behavior of any policy objects on user and computer objects.

Although you usually want your test lab to mimic your production environment as closely as possible, there are exceptions to every rule. Some tests that you might wish to perform will affect an entire domain or forest, rather than a single machine. If you are testing this type of functionality, you might wish to create a separate domain within the test lab so that the remainder of the lab environment will not be adversely affected. Some of the tests for which you might wish to create a separate, isolated domain or forest are as follows:

■ Switching from mixed mode to native mode Changing from mixed mode to native mode will allow for much tighter security in a Windows 2000 or Windows Server 2003 environment, but it assumes that you have no Windows NT 4 backup domain controllers (BDCs) remaining in your domain. (After the switch to native mode, Windows NT 4 BDCs will no longer be able to replicate with Windows 2000 or 2003 domain controllers.) This change will affect an entire domain and cannot be reversed.
■ Upgrading the domain or forest functional level This feature was introduced in Windows 2000, where you had the ability to run a domain in mixed mode for backward compatibility or native mode for increased security and functionality. Windows Server 2003 expands on this by creating several levels of both forest and domain functionality that can expose different features of the operating system for your use.
For example, raising the functional level of a domain to Windows Server 2003 will prevent any existing Windows NT 4 or Windows 2000 Server domain controllers from participating in domain replication. Like the switch from mixed to native mode, this will affect the entire domain and/or forest in question and cannot be undone.
■ DNS settings Changes to a DNS server will affect all clients who use that server for name resolution. Although this does not involve the kinds of one-way changes described above, you should still proceed with caution before making changes that can affect other tests that might be running simultaneously in the lab environment.

One important (but often overlooked) step in the planning process is that of carefully selecting a location for your test lab. Too often, the test lab is relegated to a corner of a server room or whatever room is available in a file or storage area. However, if you will be performing tests for an extended period of time, you should consider allocating a permanent or semipermanent location for the lab. Be sure to locate the test lab in an area with enough space for all necessary equipment and personnel. If you will be testing network equipment that will be deployed to multiple locations, you should consider deploying a test lab at each site to test WAN links, replication, and site configurations. Also, identify the personnel you’ll need to perform testing, as well as whatever training they will need.

Finally, be sure to provide both physical and technological security measures for the equipment and resources of the test lab. This includes isolating the test lab topology from your corporate network using routers, switches, or firewalls, as appropriate, and never establishing trusts between lab and production forests or reusing production credentials in the lab. If you need to provide a connection from the test lab to the corporate network, decide in advance how you will control, secure and monitor that connection, and be sure to devise a way to quickly terminate the connection if something unexpected or adverse occurs.
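For the two one-way changes listed above (mixed to native mode, and raising a domain or forest functional level), the check that matters is whether any down-level domain controllers are still in the domain. The PowerShell script below is an added example, not part of the book; it reads the current mode and levels from the directory (ntMixedDomain on the domain head, msDS-Behavior-Version on the domain head and on CN=Partitions) and lists every domain controller whose operatingSystem attribute is not Windows Server 2003. Run it in the lab domain before you practice the switch, and in production before you do it for real.

```powershell
# Added example (not from the book). Reports domain mode, functional levels and
# any domain controllers that would be cut off by a mode or level change.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNC = [string]$rootDse.defaultNamingContext
$configNC = [string]$rootDse.configurationNamingContext

function Get-Attr($entry, [string]$name) {
    # Returns $null when the attribute is absent (a forest whose schema has not
    # been extended by adprep has no msDS-Behavior-Version at all).
    $entry.Properties[$name].Value
}

$domain     = [ADSI]"LDAP://$domainNC"
$partitions = [ADSI]"LDAP://CN=Partitions,$configNC"

# ntMixedDomain: 1 = mixed mode, 0 = native mode.
$mixed = Get-Attr $domain 'ntMixedDomain'
if ($mixed -eq $null) { $mixed = 0 }
# msDS-Behavior-Version: 0 = Windows 2000, 1 = Windows Server 2003 interim,
# 2 = Windows Server 2003. Treated as 0 when the attribute does not exist.
$domainLevel = Get-Attr $domain     'msDS-Behavior-Version'
$forestLevel = Get-Attr $partitions 'msDS-Behavior-Version'
if ($domainLevel -eq $null) { $domainLevel = 0 }
if ($forestLevel -eq $null) { $forestLevel = 0 }

# Every DC has SERVER_TRUST_ACCOUNT (8192) set in userAccountControl. NT 4.0
# BDCs migrated by the PDC upgrade appear here too, usually with an empty
# operatingSystem attribute, so an empty value is reported rather than ignored.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.Filter = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
[void]$searcher.PropertiesToLoad.Add("name")
[void]$searcher.PropertiesToLoad.Add("operatingSystem")

$downLevel = @()
foreach ($dc in $searcher.FindAll()) {
    $name = [string]$dc.Properties["name"][0]
    $os   = "(operatingSystem not set)"
    if ($dc.Properties["operatingsystem"].Count -gt 0) { $os = [string]$dc.Properties["operatingsystem"][0] }
    if ($os -notlike "Windows Server 2003*") { $downLevel += "$name : $os" }
}

"Domain mode            : " + $(if ($mixed -eq 1) { "mixed" } else { "native" })
"Domain functional level: $domainLevel    Forest functional level: $forestLevel"
if ($downLevel.Count -eq 0) {
    "All domain controllers report Windows Server 2003; no DC blocks a mode or level change."
} else {
    "Domain controllers that must be upgraded or demoted first:"
    $downLevel | ForEach-Object { "  $_" }
}
```

The search covers the domain you are joined to; a forest functional level change needs the same check in every domain of the forest, so run the script once per domain (or point the searcher at each domain’s naming context).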
Exploring the Group Policy Management Console (GPMC)

A prominent new feature of Windows Server 2003 that is helpful in planning and assessing network changes is the GPMC, which allows administrators to monitor, troubleshoot, and plan Group Policy settings across an entire enterprise from a single management console. Along with a console window that provides a graphical representation of GPO settings, the GPMC also includes a collection of scripts that you can run from the command line to streamline administration and planning tasks. You can download and install the GPMC from Microsoft’s Web site. Once it’s installed, you’ll have a shortcut to it in the Administrative Tools folder, and it will be available as an MMC snap-in.

The scripts that are included with GPMC can greatly simplify your life when you attempt to take stock of an existing network environment (for example, when you begin to plan for an upgrade). Using GPMC, you can quickly perform the following tasks using its automated scripting function:

■ List all GPOs that are present in a given domain
■ List any disabled GPOs
■ List GPOs at a backup location
■ List GPOs by policy extension or security group
■ List any orphaned GPOs (GPOs that are no longer linked to any AD object) that are still present in the SYSVOL directory
■ List GPOs with duplicate names
■ List GPOs without security filtering
■ List unlinked GPOs in a domain

GPMC’s reporting functions will also generate HTML-formatted reports in an easy-to-read format, which is always a hit when you’re presenting the upgrade proposal to management or a budget committee. Additionally, the GPMC includes the Resultant Set of Policy Planning function to allow you to simulate changes to GPO settings for a user, computer, or container object. Both of these functions will greatly assist you with the administrative and technical aspects of a network design project.
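The GPMC scripts are Windows Script Host files built on the GPMC automation interface (the GPMgmt.GPM COM object), and that interface is usable from PowerShell as well. The script below is an added example, not one of the GPMC’s own scripts: it inventories a domain’s GPOs the way several of the listed tasks do, flagging GPOs with all settings disabled and GPOs linked to no domain or OU, and writes the HTML settings report for each one. The domain name and output folder are assumptions; run it on a machine where GPMC is installed.

```powershell
# Added example (not from the book or the GPMC script set). Inventories GPOs
# through the GPMC COM interface and writes an HTML settings report per GPO.
$domainName = "example.com"     # assumption: your AD domain
$reportDir  = "C:\GPOReports"   # assumption: where reports are written

$gpm    = New-Object -ComObject GPMgmt.GPM
$const  = $gpm.GetConstants()
$domain = $gpm.GetDomain($domainName, "", $const.UseAnyDC)

# An empty search criteria object matches every GPO in the domain.
$allGpos = $domain.SearchGPOs($gpm.CreateSearchCriteria())
if (-not (Test-Path $reportDir)) { New-Item -ItemType Directory -Path $reportDir | Out-Null }

$disabled = @()
$unlinked = @()
foreach ($gpo in $allGpos) {
    # "All settings disabled" means both halves of the GPO are switched off.
    if (-not $gpo.UserEnabled -and -not $gpo.ComputerEnabled) { $disabled += $gpo.DisplayName }

    # Ask the domain for every SOM (the domain itself or an OU) that links this
    # GPO. Site links live under the sites container and are not covered here,
    # so a GPO linked only to a site is reported as unlinked by this check.
    $crit = $gpm.CreateSearchCriteria()
    $crit.Add($const.SearchPropertySOMLinks, $const.SearchOpContains, $gpo)
    if ($domain.SearchSOMs($crit).Count -eq 0) { $unlinked += $gpo.DisplayName }

    # Same HTML that the GPMC Settings tab shows, one file per GPO GUID.
    $file = Join-Path $reportDir ("{0}.html" -f $gpo.ID)
    $gpo.GenerateReportToFile($const.ReportHTML, $file) | Out-Null
}

"GPOs in $domainName      : $($allGpos.Count)"
"All settings disabled : " + [string]::Join(", ", [string[]]$disabled)
"Not linked to domain/OU: " + [string]::Join(", ", [string[]]$unlinked)
"Reports written to     : $reportDir"
```

The GPMC’s own versions of these checks (for example ListAllGPOs.wsf and FindUnlinkedGPOs.wsf in the GPMC Scripts folder, run with cscript) use the same calls; the advantage of scripting them yourself is that you can fold the results into whatever inventory format your planning document already uses.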
Documenting the Planning and Network Design Process

The importance of documenting your computing environment after you have deployed a new network design such as Windows Server 2003 cannot be overemphasized. As you move through the network design and testing processes, you should also keep detailed documentation of each design, product, or vendor decision that you make, including your reasons for choosing one alternative over another. Personnel changes can occur without warning, and a well-maintained design document will quickly answer the question of “Why did we choose Vendor X over Vendor Y?” when it is posed by the new Vice President of IT, who just started last week. Knowing that Vendor Y’s product proved incompatible after several hours of troubleshooting will save you from needing to waste time by repeating portions of the design process.

Because of the effects that ongoing changes can have in a production environment, many organizations use test equipment to test every patch and service pack that is released by their product vendors, so that any potential problems or bugs can be intercepted before the patch is applied globally. Whatever method you use to roll out ongoing updates and changes, you should include detailed documentation, not only of what update was rolled out on a given date, but also of how the change was applied to client machines or other devices on your network.

Creating the Planning and Design Document

When documenting both your test lab and your overall network design, there are a number of items that need to be discussed. Although maintaining network documentation is often relegated to a backseat behind the numerous fires that we must put out on a daily basis as network administrators, comprehensive records in this area will actually help you in whatever troubleshooting issues come up after the new network is placed into production.
Include configuration information about the following components of your final network design (although a complete list is limited only by the amount of time you have in the day!):

■ Windows Server 2003 domain structure information, including DNS hierarchy and replication information, AD hierarchy information (site configuration, forest, domains, and OUs), and GPO settings and where they are applied within the AD hierarchy. Be sure to