Eye On: Compaq's Internal Windows 2000 Rollout

Compaq Computer Corp. this week detailed its internal deployment of Windows 2000 - one of the largest deployments thus far outside of Microsoft Corp.'s own internal deployment.

Compaq's approach contained several surprises, nods to the complexity of a Windows NT 4.0 to Windows 2000 migration and an example of how quickly Microsoft technologies spin beyond Microsoft's intentions for their deployment.

In raw numbers, Compaq (www.compaq.com) already has at least 13,000 PCs running Windows 2000 Professional and 300 servers running Windows 2000 Server or Advanced Server. When the conversion is complete by July 2001, Compaq will have roughly 200,000 PCs running Windows 2000 worldwide.

The company's server infrastructure will eventually comprise 340 Windows 2000 servers, including Domain Controllers, WINS servers, DHCP servers, DNS servers, and file and print servers.

When most Compaq users are switched to Windows 2000, they will be in native mode, meaning they will log into Windows 2000 Domain Controllers. Only in native mode can IT shops implement the cost-saving desktop lockdowns and group policies or take advantage of the security improvements in Windows 2000. For now, the vast majority of the Windows 2000 PCs at Compaq log into NT domains. Only about 100 PCs are currently running Windows 2000 Professional in native mode at Compaq.

"We're doing very mean things to them and testing out group policies so that we can understand Windows 2000 in a group environment," Brent Harman, Compaq senior corporate operating environment architect, jokes about the native mode users.

Compaq, a Joint Development Program (JDP) partner with Microsoft for Windows 2000, and a company that has worked closely with Microsoft on Windows NT 5.0/Windows 2000 for several years, diverged from recommended practice in several areas of its Windows 2000 deployment.

For one, Compaq developed a domain structure that puts a small group of about 20 enterprise administrators in their own Windows 2000 domain, the parent to all other Windows 2000 domains at Compaq.

"Microsoft is very ambivalent about the concept," says Harman, who is also the JDP lead for Compaq.

System architects at Compaq saw several advantages to the approach. For one, enterprise administrators, who have the ability to do everything across the corporation except change security logs, need to have more stringent passwords than everyone else, says Harman. Password policy can only be set at the domain boundary in Windows 2000.

Putting omnipotent administrators in a single domain will allow Compaq to require an 11-characters-or-longer password that includes upper case, lower case and non-printing characters and expires every 30 days for those admins without setting such onerous requirements for regular users.

In an organization with the kind of cultural clashes that Compaq has, the administrative domain will bring other benefits for central IT. Compaq is traditionally a lock-down desktop, centralized-IT kind of place. Compaq acquisitions Digital and Tandem are not. "Users felt like, 'This is my domain, my machine,'" Harman says.

By creating group policies in the parent administrator domain and linking the child domains to those group policies, Compaq can prevent administrators in the child domains from being able to circumvent corporate policies.

One example will be Compaq's policy of requiring real-time virus scanning software to be running on every machine. Currently, Compaq has no way to enforce the rule. With Windows 2000, Compaq plans to set the virus scanning requirement as a group policy in the administrators domain and link the child domains to the policy.

Beneath the administrator domain, Compaq has plans for three child domains: an Americas domain, a Europe/Middle East/Africa domain, and an Asia/Pacific domain. Compaq will provide room for up to 50 domains beneath those geographic domains but central IT will heavily favor the use of Organizational Units (OUs) rather than sub-domains, Harman says. Possible exceptions may be resource domains for such critical applications as SAP.

The goal is to scrap the ugly maze that is Compaq's current Windows NT 4.0 network. Compaq, Tandem and Digital each had mature Windows NT 4.0 networks when they converged. The result is an enterprise with 13 master domains and somewhere around 1,700 resource domains. "Nobody really knows for sure," Harman says. "If you know anything at all about NT, you can imagine the great problem that this is to administer such a large environment."

Partly to accomplish that, Compaq's approach involves building its Windows 2000 environment with completely different machines, entirely in parallel to its Windows NT 4.0 environment.

"Early on we have a duplication of hardware," Harman says. Eventually, however, Compaq hopes the jump to Windows 2000 will drastically reduce Compaq's amount of hardware, possibly reducing hardware costs but definitely improving ease of administration.

For example, when Compaq's Americas domain migration is complete, the company plans to have two pairs of clustered DHCP servers in Houston, compared with the 40 DHCP servers currently providing the service across the area.

Harman stresses that the hardware cost may not fall. Such consolidation requires expensive redundant hardware, and the company has made a massive commitment to the quality and availability of its WAN links. - Scott Bekker

[For more coverage of the Compaq rollout, see ENT's upcoming Feb. 9 issue]

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
