In-Depth
The Guide to Windows 2000 Wisdom: My Whistler Whish List
Because Whistler is Microsoft's response to customer feedback on Windows
2000, here's my lists of wants.
People who
know me know I love Windows 2000. I’m often guilty of espousing the many
countless aspects where it triumphs over Windows NT (and its competitors):
the ease of management, its IntelliMirror features and increased stability,
to name just a few.
Currently
in development, as we’ve reported in these pages, is the next iteration
of Win2K, code-named Whistler. With the release of a new operating system
comes the opportunity to enhance current features and add some new ones.
The purpose
of this article is to voice comments from administrators and consultants
who say that Win2K “has missed the mark” in certain areas. It’s not meant
to attack Microsoft’s efforts to make Win2K the feature-rich and stable
product it is. It’s my hope that these current Win2K issues will be addressed
in the Whistler release to further satisfy the ever-hungry desires of
Microsoft customers.
I’ve weighted
each item on a scale of 1 to 10 to rank its severity in the current implementation.
Additionally, I’ve included a “probability rank” to ponder whether Whistler
will address a particular oversight. Mind you, I don’t have access to
the code or to any top-secret information; so it’s simply conjecture on
my part as to what the future may bring.
The Inconsistencies
These Win2K features work as advertised, but in a confusing manner.
Customers are hesitant to implement them because it’s unclear how to make
the most out of them.
No “Un-Delegate of Control Wizard”
Severity: 8, Probability: 5
The Delegation of Control Wizard is a great feature in Win2K. It allows
domain administrators and Organizational Unit administrators the ability
to easily grant common abilities, such as “Reset passwords on user accounts,”
and uncommon abilities, such as “Write postalAddress” to lower-level administrators
via the easy-to-handle wizard-style interface.
But there’s
no equally easy way to un-delegate an ability once it’s been delegated
away. Currently, the only way to do this is to use the View | Advanced
Features option in the Active Directory Users and Computers MMC snap in,
then find the permission by right-clicking over the delegated object (such
as OU), clicking the Properties tab, then clicking the Security tab, digging
around until you come across the permission you wish to remove, and deleting
the corresponding Access Control Entry (ACE.)
Some power-administrators
might not mind the steps required to revoke a delegated permission. But
less-savvy OU administrators will cringe at the process. It should be
just as easy to renege on tasks as it is to delegate them. Can your OU
administrators perform the necessary steps to un-delegate? Whistler should
have an un-delegation wizard.
No Ability To Set Quotas on Groups
Severity: 7, Probability: 8
Although the hooks have been around since NT Server 3.1 (see Q103657,
“NTFS System Files”), the implementation of disk quotas is new for Win2K
Server. Quotas are implemented on a per-user/per-volume basis. This means
that the sizes of files a user owns on each volume is compared against
a set number to trigger either a warning message or a ceasing of disk
writing to that volume for that user.
|
Figure 1. The Delegation of Control wizard is a great
feature, but what about a “Renege Delegation” wizard? |
This works
adequately for small customers where there’s one volume containing everyone’s
home drive; but Win2K has no facility for specifying a security group
(i.e. Engineering) to have a chunk of disk space on a volume.
Instead of
specifying, “Engineers can only use 500MB of disk-space,” you can only
specify that “Bob (an engineer) can use only 100MB, Sally (an engineer)
can use only 100MB,” and so on — which really isn’t the same thing at
all.
Interestingly,
the Administrators group is immune from disk quotas — so the hooks to
make disk quotas apply to groups must be buried in Win2K somewhere.
|
Figure 2. Win2K immunizes the Administrators group from quotas,
but doesn’t allow so for other groups.(Click image to view larger
version.) |
Note that
third-party disk quota solutions do currently exist to enable group membership.
Even if Whistler includes the ability to define group-based quotas, there’s
still plenty of room for those vendors to be creative, such as a per-domain-
or per-forest-based quota system (hint, hint).
No SMTP Replication Within the Same Domain
Severity: 2, Probability: 9
Win2K does much of its replication chores via remote procedure calls.
A new method of replication is via the Internet’s standard way of sending
mail messages, Simple Mail Transfer Protocol (SMTP).
If you choose
to implement this feature, you might find a bizarre quirk: The SMTP replication
method can’t be used to transfer data within the same domain. In other
words, the SMTP replication method only works between domains. It’s a
small point of order (that’s why I’ve only ranked it a two), but it’s
an inconsistency nonetheless.
Chances are
slim that many enterprises will choose SMTP replication inter-domain or
even care if this feature inconsistency is rectified for intra-domain.
Surely, Whistler will clear up this inconsistency.
GPO Links Aren’t Checked When Deleted
Severity: 4, Probability: 3
Companies have many options in how they implement Group Policy Objects.
Some organizations delegate an OU to an OU administrator and have that
person simply create the GPOs he or she sees fit. Other organizations
have upper-level administrators (such as the Domain Administrator) pre-create
the GPOs and then force the OU administrator to pick from the pre-created
ones. This is called “GPO linking.”
This is a
swell idea in theory: Give the harder job to the more seasoned administrators
and have the sub-OU administrators simply pick the GPOs they need. There’s
only one problem. If the OU administrator has linked to a GPO, but then
the upper-level administrator deletes it, there’s no indication to the
upper-level administrator that OUs were linking to it. Moreover, there’s
no messaging mechanism to the OU administrator to inform him or her that
the GPO (and the link) were cut.
Most organizations
won’t use GPO linking, but if they do, they’ll be disappointed with this
behavior in Win2K. Whistler should add some mechanism to check for GPO
linkage relationships. But since it’s unlikely this will be addressed
in Whistler, I rank the probability of its getting fixed at a three.
No Schema Deletions
Severity: 8, Probability: 5
The schema is the underlying database for the Active Directory. It’s extensible,
which means if you want to add the ability to capture voiceprint or shoe
size, the ability is there. It’s roughly analogous to adding a column
definition in a database.
But there’s
one problem: Once you’ve extended the schema, you can’t go back and fix
the definitions. There’s no undo, no delete.
The only
workaround is that you can disable the additions, but that’s it. If you
enter, “Social Sec Number,” but want to delete it and create, “Social
Security Number,” you’re stuck with this vestigial “Social Sec Number”
floating around in your schema.
I think the
lack of the ability to delete schema modifications is holding back application
vendors from fully embracing Active Directory for fear of making a mistake
or wanting to change or revise something later in their products’ life
cycles. Whistler should make it easy for programmers, application vendors
and administrators to change their minds when modifying the schema. I
rank this issue a severity level of eight. The probability it will be
addressed is a five.
No Security Policy Differential between Domain
and OUs
Severity: 10, Probability: 8.5
This inconsistency is a major headache for AD designers.
In NT 4.0,
one reason you created additional domains was because you had a group
of users with different security requirements than the rest of the organization
(such as password length).
|
Figure 3. Win2K retains the legacy limitation on passwords.
Because security settings are domain-wide, you need to set up separate
domains for variances in those settings. |
Win2K administration
is greatly reduced by axing your NT 4.0 domains and bringing them into
a single domain.
The only
problem is that this requirement is identical for Win2K as it was for
NT. If you can’t come to agreement within your enterprise for what the
password length, password expiration age, password complexity requirements
and Kerberos policy will be, you’re forced, by definition, to create additional
domains.
The user
interface (Active Directory Users and Computers) lets an OU administrator
set the policies any way he or she likes, but they won’t take effect at
an OU level.
I rank this
item a 10 for two reasons: 1) this inconsistency is counterintuitive to
the logic behind having fewer domains; and 2) this user-interface inconsistency
seemingly allows an administrator to perform what he or she truly can’t
(without any indication to this effect). A main design goal of Whistler
should be to have this inconsistency rectified. Microsoft has received
much negative feedback regarding this issue, so the likelihood is good
that this will be addressed. I rank the probability at 8.5.
Enterprise Computing Enhancements
These features don’t exist today, and they’d take a goodly amount
of additional coding by the product-development team to make a reality,
but the benefits to the large-scale enterprise customer would be amazing.
No Domain Rename
Severity: 7, Probability: 7
Here’s the scenario: Your company name is LITTLEFISH and your Win2K domain
name is littlefish.net. The board of directors has just changed the company
name to MEDIUMFISH; hence, they’d like you to change the name of the domain
to mediumfish.net. Notice that there’s no technical reason for the change
— just consistency throughout the company.
There’s currently
no way to do this. If forced to perform this change, an administrator
has two options: Migrate all the users, computers and resources to another
domain with the new name (using Microsoft’s Active Directory Migration
Tool or a third-party tool) or add an UPN suffix name, such as mediumfish.net
to the list of possible names in the entire forest. (See Q243629 for “How
to Add UPN Suffixes to a Forest.”)
I think we’ll
see this issue surface a lot, as businesses seek ways to change their
non-dot-com names to dot-com names, and back again. I rank the severity
of this issue a seven — people have been clamoring for it for years. Maybe
it will appear with Whistler.
No Tree/Forest Merge/Prune/Graft
Severity: 7, Probability: 7
Here’s the scenario: You’ve just gone though the pains of changing your
company name from LITTLEFISH to MEDIUMFISH and migrating your users from
the domain name littlefish.net to mediumfish.net.
And the bomb
drops: Your company is being bought out.
The board
of directors informs you that as of tomorrow, the company will be a wholly
owned subsidiary of HUGECO. They want you to make it easy for the HUGECO
employees to use the MEDIUMFISH AD to look up resources, such as color
laser printers, as well as to send Exchange 2000 e-mail.
There’s currently
no way to do this. If forced to perform this change, an administrator
has two options: Migrate all the users, computers and resources to HUGECO’s
domain or add two-way NTLM-style trusts. When you add two-way NTLM-style
trusts, the users in HUGECO and MEDIUMFISH will be able to have access
to resources in the other’s domain — but true AD integration won’t be
achieved. For instance, the HUGECO engineers wouldn’t be able to perform
AD lookups for color laser printers, nor could they do Exchange 2000 directory
lookups in MEDIUMFISH’s domain without some directory synchronization
software.
With all
the merger mania running around, I think this issue will come up frequently.
I rank the severity a seven. Because this is a particularly sore point
about which Microsoft is very aware, I rank the probability of its being
addressed at seven.
Active Directory Single Operations Masters
Severity: 5, Probability: 2
In the NT world, if the PDC went down, you were unable to add users or
change passwords until the PDC came back up or a BDC was promoted to fill
the role. If this happened at 2 a.m., you got a call at home, then had
to run to the office and manually promote a BDC to take the place of the
PDC. The PDC is the only place you could write the changed account information.
The changed information then got replicated to the NT 4.0 BDCs.
With Win2K
things are different. All Win2K Domain Controllers (DCs) are equal and
writable, which means data can be changed on any of them.
On paper
this sounds like, if any DC goes down, you can still make changes to the
domain and life goes on normally. This is true for all regular Domain
Controllers, except those that hold any of the five “Single-Operations”
roles: Schema master, Domain naming master, RID master, PDC emulator or
Infrastructure daemon. They’re called “Single-Operations,” because each
is singularly held on one Domain Controller. One Domain Controller can
house many single-operations roles, but no two Domain Controllers can
house the same role.
The world doesn’t come to an end if a Domain Controller that houses a
single operations master fails. But it isn’t a bed of roses, either. See
“So You’ve Had an Operations Master Die…” for the gory details.
Domain Controllers
with Operations Masters go down. When they go down in the wee hours, it
still means a call to you, the administrator, to manually transfer or
seize the role. It’d be nice if Whistler had a rules-based, self-maintaining
mechanism for handling the Single-Operations roles. I rank the severity
of this issue a five. Chances are this behavior won’t change with Whistler.
If
you have suggestions... |
...for improving any Microsoft product, you can make
a difference. Send e-mail to [email protected]
and put the product name in the subject: line. Feel free to tell the
folks at Microsoft, in explicit detail, what features you want to
see in their products.
Take it from me: They usually listen. |
Always Room for Improvement
The Win2K development team at Microsoft was under a huge amount of
pressure to enhance the NT feature set and produce an amazing number of
new features — and to make them all stable as well. At the time of this
writing, Service Pack 1 has made its way out the door and Service Pack
2 is expected sometime in Q1 or Q2 of 2001. Yet most Win2K installations
I’m aware of aren’t deploying it — not because they’re afraid of the service
pack, but because Win2K is already so stable out of the box, why fix it
if it ain’t broke?
The Win2K
development team needed to walk a fine line between the new feature set
and stability. In my opinion, it’s done a terrific job. With any piece
of software, there’s always room for improvement. My hope is that the
issues highlighted here (and in the accompanying chart, “An Additional
Whish List”) will get the attention needed to further establish Microsoft
as the leader of enterprise-ready software.