The Evolution of NT

Windows NT continues to mature. Discover where it's headed and whether to worry about jumping on the upgrade bandwagon any time soon.

Mark Minasi

January 31, 1997


Where NT 5.0 is headed

Last month, Windows NT Magazine gave you a quick overview of what Microsoft talked about at its November Professional Developer's Conference in Long Beach, California. We've now had time to assimilate more of what Microsoft showed.

Microsoft delivered several big messages at Long Beach. First, Windows NT 5.0 isn't Cairo. Second, the Internet continues to be the basis of Microsoft's plan for the future. Third, NT 5.0 will be almost completely different from 4.0, mainly because of a change in the user interface and an X.500-like directory service, Active Directory. Fourth, the Internet is important, really important. Fifth, setting up and maintaining NT on user machines will be easier. And did I mention the Internet?

Cairo: It's Not a Release--It's a State of Mind
Once upon a time, Cairo was a beta name for a version of NT. This version was to be a major milestone in NT development. Now the name is a sort of software gestalt, a kind of catch-all phrase.

Think of NT's evolution this way: If you're running a small- to medium-sized network, NT 4.0 is an excellent answer. The domain structure works well for a few dozen servers and up to several thousand users, depending on whom you talk to. NT 4.0's Windows interface means that you can get a network administrator up to speed in fairly short order. But building a multidomain network, or building a network whose directory structure includes user-defined attributes (more on this later), is impossible on NT 4.0.

So, take today's NT. Keep all the things we like--the security, the stability--and add the tools to create and maintain a globe-spanning network. The result is Cairo. Some of what Microsoft calls Cairo is already shipping in the form of NT 4.0's user interface and the Distributed Component Object Model (DCOM). In fact, you can say that we've already got the "C," and still await the "airo." NT 5.0 will be mainly "air," with the "o" still to come. (For more information on DCOM, see Keith Pleas, "DCOM in NT 5.0.")

NT 5.0 Features
NT 5.0 will, according to Microsoft's claims in Long Beach, contain concepts old and awaited, and new and revolutionary. In roughly decreasing order of importance, NT 5.0 will probably contain Active Directory; Active Server, a plan for extending the power of NT-based Web servers; a new Page and Link metaphor for much of the user interface; Distributed File System (Dfs); Plug and Play; and Microsoft Management Console. (For more on NT's new management interface, see Keith Pleas and Dean Porter, "Microsoft Management Console," page 78.) Additionally, BackOffice will grow with the addition of Microsoft Proxy Server (formerly called Internet Access Server, code-named Catapult) and Microsoft Transaction Server, previously known as Viper.

This list looks like a lot of new stuff, and it is. Most developers at the conference walked around with looks on their faces that could be described as a cross between excitement and bewilderment with a little hope thrown in.

Active Directory
NT 4.0 is better for small- to medium-sized networks than large networks, for two reasons. The trust relationship problem is the first reason. NT security and network administration are based on organizational units called domains. Domains act as authentication areas, groups of machines that all agree to accept login information from the same source: A computer called a Primary Domain Controller (PDC), which will disappear from 5.0.

Domains are a convenient way to centrally manage a network of many servers. But you can't always build your company's network as one big domain, so you must create multiple domains. The problem with multidomain networks is getting those domains to talk to each other; you must first set up a trust relationship. Trust relationships aren't transitive: If A trusts B, and B trusts C, A does not trust C, unless you create an explicit trust between A and C. As a result, you can't create hierarchies of domains. For example, if you have 15 domains in your organization and want each to trust the other, you have to create 15 * 14, or 210, separate trust relationships.

The second reason is the way that NT stores information about people. NT keeps a database of information about users. This Security Accounts Manager (SAM) database records your identity, your password, and the user groups you belong to. But you can't extend the SAM to contain information about how you like your mail delivered.

Microsoft's answer to both problems is Active Directory. Based on the CCITT X.500 and Lightweight Directory Access Protocol (LDAP), Active Directory is a massively extensible database of information on, well, just about anything. It can maintain information about servers on the network, security relationships in the network, and most important, the users in the network.

My name in an Active Directory setting might be something like CN=Mark Minasi,OU=management,O=TTI,C=US. You read this right to left: I'm in the country (C=) United States, my organization (O=) is TTI, the department or organizational unit (OU=) in TTI is management, and my common name (CN=) is Mark Minasi. Get used to seeing such names; they're central to NT 5.0 naming. The hierarchy includes the country name because, believe it or not, some folks working on X.500 and LDAP want to use these directory structures as the basis for a worldwide directory structure.
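The right-to-left reading of such a name, as an added example that is not from the original article: the function names are hypothetical, and only single-character backslash escapes (such as an escaped comma inside a value) are handled, which is an assumption about the input.

```python
import re

def split_dn(dn):
    """Split a distinguished name on commas that are not backslash-escaped.
    Returns the raw components, leaf (CN=...) first, as written."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]      # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":
            parts.append(cur.strip())
            cur = ""
        else:
            cur += dn[i]
        i += 1
    parts.append(cur.strip())
    return parts

def parse_component(component):
    """Turn 'OU=management' into ('OU', 'management'); reject malformed input."""
    attr, sep, value = component.partition("=")
    if not sep or not attr.strip() or not value.strip():
        raise ValueError(f"malformed component: {component!r}")
    return attr.strip().upper(), re.sub(r"\\(.)", r"\1", value.strip())

def root_to_leaf(dn):
    """Read the name right to left: country first, common name last."""
    return [parse_component(c) for c in reversed(split_dn(dn))]

def ancestors(dn):
    """Names of every container above the entry, outermost first."""
    parts = split_dn(dn)
    return [",".join(parts[i:]) for i in range(len(parts) - 1, 0, -1)]

# The name from the article, plus a constructed one with an escaped comma.
ARTICLE_DN = "CN=Mark Minasi,OU=management,O=TTI,C=US"
ESCAPED_DN = r"CN=Minasi\, Mark,OU=management,O=TTI,C=US"

if __name__ == "__main__":
    for attr, value in root_to_leaf(ARTICLE_DN):
        print(f"{attr:>2} = {value}")
    print(ancestors(ARTICLE_DN))
    print(root_to_leaf(ESCAPED_DN)[-1])
```

Splitting on every comma would cut the second name into five components instead of four, which is why the escape handling matters when names come from user-supplied input.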

Active Directory names will benefit NT in several ways. First, they'll reduce NT's current dependence on 15-character NetBIOS server names. For example, Active Directory is a major ingredient in another NT 5.0 tool, Dfs. Dfs with Active Directory can support more flexible universal naming convention (UNC) names. Today, you must address a share named data on a server called S1 as \\s1\data--the name of the machine is part of the UNC. If you rename the machine, or move the share to another, perhaps larger machine (call it S2), you have to find everyone who uses \\s1\data and tell them to change the UNC to \\s2\data. But with Active Directory, you can identify a share by the domain in which it lives. For example, if S1 and S2 are both part of a domain named servfarm, you can use Dfs and Active Directory to call the share \\servfarm\data. Then you can place the data share on any server in the servfarm domain without changing the UNC whereby a user accesses the share. (For more information on the potential for this technology, see Sean Deuby and Tim Daniels, "Dfs--A Logical View of Physical Resources," December 1996.)

You can have organizational units (OUs) inside organizational units, so you can build the kind of hierarchy of business units that you couldn't build with domains. Under NT 5.0, domains still exist, but trust relationships can be transitive, making hierarchies of domains possible. And the directory is completely expandable. In addition to the usual name, full name, description, and similar user information, you can add data fields such as shoe size or "in case of emergency call."
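The difference between the explicit-only trusts of NT 4.0 and the transitive trusts described for NT 5.0, as an added example that is not from the original article. The domain names, the function names and the tree-shaped hierarchy with a two-way trust between each child and its parent are assumptions made for illustration.

```python
from collections import deque

# A pair (X, Y) means "domain X trusts domain Y": X accepts logons vouched for by Y.

def direct_trust(trusts, truster, trusted):
    """NT 4.0 rule from the article: only an explicit trust counts."""
    return (truster, trusted) in trusts

def transitive_trust(trusts, truster, trusted):
    """NT 5.0 rule from the article: a chain of trusts is enough (breadth-first walk)."""
    seen, queue = {truster}, deque([truster])
    while queue:
        current = queue.popleft()
        for a, b in trusts:
            if a != current or b in seen:
                continue
            if b == trusted:
                return True
            seen.add(b)
            queue.append(b)
    return False

def full_mesh(domains):
    """Every domain explicitly trusts every other one."""
    return {(a, b) for a in domains for b in domains if a != b}

def hierarchy(parent_of):
    """Assumed layout: a two-way trust between each child domain and its parent."""
    trusts = set()
    for child, parent in parent_of.items():
        trusts.add((child, parent))
        trusts.add((parent, child))
    return trusts

def untrusted_pairs(domains, trusts, rule):
    """Ordered pairs (a, b) where a does not accept b under the given rule."""
    return [(a, b) for a in domains for b in domains
            if a != b and not rule(trusts, a, b)]

def accepted_by(domains, trusts, truster, rule):
    """Audit view: every domain whose accounts `truster` ends up accepting."""
    return sorted(d for d in domains if d != truster and rule(trusts, truster, d))

# Constructed sample data: the A/B/C chain from the text and 15 hypothetical domains.
CHAIN = {("A", "B"), ("B", "C")}
DOMAINS = [f"D{i:02d}" for i in range(1, 16)]
TREE = hierarchy({DOMAINS[i]: DOMAINS[(i - 1) // 2] for i in range(1, 15)})

if __name__ == "__main__":
    print("A trusts C, explicit only:", direct_trust(CHAIN, "A", "C"))
    print("A trusts C, transitive:   ", transitive_trust(CHAIN, "A", "C"))
    print("trusts to configure, full mesh:", len(full_mesh(DOMAINS)))
    print("trusts to configure, tree:     ", len(TREE))
    print("pairs left out, explicit only: ", len(untrusted_pairs(DOMAINS, TREE, direct_trust)))
    print("pairs left out, transitive:    ", len(untrusted_pairs(DOMAINS, TREE, transitive_trust)))
    print("D15 accepts:", accepted_by(DOMAINS, TREE, "D15", transitive_trust))
```

The last line is the one to keep an eye on when reviewing a design: with transitive trusts, a leaf domain that has a single configured trust ends up accepting accounts from all 14 other domains.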

Active Server and Cooler Logons
With NT 5.0, you can modify the basic NT definition of user. Doesn't that capability make the User Manager a bit messy? Well, no, because the User Manager disappears altogether. Instead, you use Internet Explorer (IE) to manage user accounts, as shown in Screen 1.

Microsoft believes that the next step in graphical user interface effectiveness is to de-emphasize the old menus/dialog boxes aspect of Windows and move to a page-and-link metaphor: The user interface will look like a Web page. Look at Screen 1, and you see a few elements of that approach. First, look at the title bar. This next-generation User Manager is really IE. See the bar that runs down the left side with General Information, Contact Information, and the like? Those topics are hyperlinks in the Web page. It's a menu, certainly, but one implemented in a different way from what we're used to. Some of these screens show up with a menu down the side and across the top: a main menu and a submenu. Is it the basis of a great new user interface (UI), or is it just alloy wheels, tail fins, and fuzzy dice on the mirror? Honestly, I don't know yet.

But why the heck is IE the UI for this utility, called DS Web? Because this computer is running a beta version of Internet Information Server (IIS) 3, the latest in Microsoft's line of free NT-based Web servers. IIS 3 supports a new kind of Web page called an Active Server Page, identified by the extension ASP rather than the typical Web page extension HTM. ASP pages are basically the same as HTM pages, but with one big difference: ASP pages contain code--Visual Basic (VB) code.

For those of us who don't feel like learning Java, here's the answer to building Web pages that aren't just static HTML documents. Here's the world's simplest ASP page:


The time is <%= time() %>

Put those three lines in a text file, call it something with an ASP extension, and put it in your IIS documents directory. Then look at the file with a Web browser, and you'll see a page that says, "The time is 5:09 pm."

Sure, the hard-core Webmeisters out there won't care a fig or a farthing about this, as they've already tested their mettle on Perl and Java. But this solution is great for the rest of us who write no more than a handful of programs a year and whose previous programming experience consists of finding and removing the noisemaking lines in gorilla.bas.

Anyway, ASPs are the heart of DS Web, the tool that you saw in Screen 1. And speaking of VB, ASPs containing VB are also the new language for building NT logon scripts. Now getting onto your network can be a much more visual--the term du jour seems to be richer--experience. Just imagine the possibilities: VB can control multimedia, so when you log on, you might hear, "Good morning, Mr. Phelps. Your mission, should you decide to accept it..."

Login scripts will also get a vitally important feature--"deep" NET USEs. You'll typically put all the home directories in a directory on a server. For example, let's say server S1 has a directory on it named d:\users, and users contains directories below it. The home directory for a user named Bill might be d:\users\bill. You share d:\users as users, and so someone attaches to Bill's home directory by doing a

NET USE H: \\S1\USERS

The problem is that Bill is now attached to d:\users, rather than d:\users\bill. NT 5.0 will allow

NET USE H: \\S1\USERS\BILL

so Bill will never see the general root directory of the users directories--good for security and reducing confusion.

Distributed File System
NT's new Dfs is another step in disconnecting network objects from physical objects. Let's say you're working on your company's annual report. This project requires graphs, text, and a project time line to help manage the schedule. But the finance department is creating the graphs on its servers, Marketing is writing the prose, and the time line is in Microsoft Project on another server. The ability to just stitch it all together into one big directory would be awfully nice. That's Dfs's job, or at least one of Dfs's jobs.

With Dfs, you go to an NT server (call it A) and create a share called, for example, annrpt. But the share isn't on machine A, only the share name is. You tell A that the annrpt share consists of a directory, anngrafs, the graphics, which are on another machine (call it B); another directory rpttext on one of the marketing department's machines (call it C); and a directory timeline on yet another machine, D. All a user must do is NET USE to the share annrpt to see all the data from the three directories all in one share.

Now, to make this work, you not only need snazzier software on the server, you also need it on the workstation: You need a Dfs client. The good news is that the Dfs client is built into NT 4.0 and apparently will appear in the next Windows 95 service pack.

Dfs can also accomplish fault tolerance. Suppose you have a share, webpages, where the HTML pages for your Web server reside. If the computer that webpages resides on goes down, you want the Web server to still find the document content of your Web site. Well, you can install disk mirroring, but here's something even easier: Copy all the HTML pages to another directory, on a different computer if you like. Then create a fault tolerant Dfs volume called webpages. Now, when your Web server requests a file from webpages, the Dfs volume will randomly direct it to one copy or the other. If one copy is unavailable, the Dfs volume will direct all webpages requests to the functioning copy.

With Active Directory, Dfs lets you create shares that are relatively machine-independent. Right now, you must specify a share by its share name and the name of the server that the share is on physically. For example, to access a share schedules on a server central in a domain railroad, you must use \\central\schedules. If you decide to put schedules on another server, you have to inform all the schedules users to look for that share in a new place. A lot more convenient approach is to name the share with a more generic name, such as \\railroad\schedules. In other words, you can avoid mentioning a specific server altogether by creating Dfs volumes addressed by their domain, not their machine name. Because you never mention particular machine names, you can move the shares from machine to machine within a domain without telling the shares' users to reconfigure their attachments to the shares.

Odds and Ends
NT 5.0 will support Plug and Play and power management, but with a catch: NT 5.0 will not support the current power management system, a BIOS-based approach called Advanced Power Management (APM). The bottom line is that NT 5.0 will support power management with a new approach, but only with recent machines. NT's hardware horizons will expand with support of Universal Serial Bus, P1394, and Advanced Graphics Bus. Universal Serial Bus and P1394 are high-speed, daisy-chainable interfaces that make hot Plug and Play work. In one demonstration, a Microsoft presenter attached a hard disk to an already-running system. The system recognized the new hard disk and transparently merged it into an existing drive. A 1GB volume became a 4GB volume without the presenter rebooting!

Yet another database programming interface, Object Linking and Embedding (OLE) DB, lets companies centralize their data stores into single large databases and then present a simple flat-file view of that data to programs. The idea is to have most of your firm's data not in SQL databases but in ASCII files and Excel spreadsheets, for example. The interface makes all those disparate data objects look like one big consistent database for administration purposes. This concept is an old idea and a good one, but I wonder if it's practical. You often implement OLE DB atop Open Database Connectivity (ODBC), a tool that makes different kinds of databases look uniform. At my company, we've written a client/server application with VB on the front end and SQL Server on the back end. We connected the two with ODBC drivers. Good heavens, it was slow--so slow, in fact, that we're rebuilding it with direct passthrough SQL commands to the server, which is turning out to be pleasingly faster. I wonder how horrible performance would be on our system if it ran OLE DB in addition to ODBC?

NT 5.0 brings 64-bit programming to NT, albeit in a limited way. A new set of memory allocation and management APIs will support 64-bit memory manipulation, but the memory references and structures have to be in physical memory. So you'll be able to store records from big databases (opticals are the ones that are most frequently cited as causing troubles), but programmers will have to know a little more about the target machine than they do nowadays: For most NT programming, if your program runs out of RAM, NT automatically uses disk space to stand in for RAM. But 64-bit programming won't allow that solution. (For more on this memory technology, see Keith Pleas, "64-bit Architecture.")

TCP/IP in NT 5.0 will support the Quality of Service interface, QoS. With this support, you can pay your ISP to make your IP packets higher-priority packets. Those packets will zip through the increasingly congested Internet more easily.

NT will also move away from a domain structure with one PDC and one or more Backup Domain Controllers (BDCs) to a model with simply Domain Controllers (DCs). Currently, the PDC and the BDCs contain copies of the SAM user database, but you can modify that database only on the PDC--the system replicates changes out to the BDCs, but the BDC copies are read-only.

Let's say that you work in Timbuktu, at a branch office. The BDC on site handles your logins. It's connected to a PDC over a WAN link to the central office. Now, if the WAN link goes down, you can't modify your account--change your password, groups, description, or the like. Under NT 5.0, that situation won't be a problem. You can modify your account, and the local DC will note the change. Then, when the central office's DC is once again connected to your local DC, the central office's DC will say to your local DC, "Hey, what did I miss while I was gone?" This configuration will be convenient for folks building NT networks that span multiple locations--but boy, I'm glad I don't have to write the code to make that work!

Virtually all NT security will change. As users and administrators, we won't see the changes because they're under the hood; an Internet method called Kerberos will supplant the current method of authentication.

What Does This Stuff Mean for NT 4.0 Users?
You're probably thinking, "Hey, I just got 4.0. What are they doing dropping another version on me?" Here's some advice.

First, remember this is all just the initial overture--not only hasn't the fat lady sung, she's probably not even back from dinner yet. Active Directory, the new domain controller model, and Kerberos security will probably constitute the largest change to NT's innards since 3.1. Given that Microsoft intends to ship the first beta by the first half of 1997, we probably won't see NT 5.0 until early to middle 1998.

That prediction is not a criticism, by the way. If anything, let's all beg Microsoft to take its time on this next version of NT! Microsoft has shipped a version of NT about every 12 months, so my guess is that we'll see some interim version in late 1997, perhaps NT 4.5 or the like. That guess is not insider information, and no Microsoft person has so much as breathed the words NT 4.5. This is just my analysis based on current release patterns.

Should you skip NT 4.0 and wait for 5.0? On the workstation side, definitely not. NT 4.0 workstation is an attractive product, and as workstation tools go, it's easy to recommend.

Server 4.0 is another story, however. Several months' work with it has raised, in my mind at least, some very disturbing questions about its stability. Under 4.0, machines that have run NT 3.1, 3.5, and 3.51 suffer random UI freeze-ups, where people connected to the file server can still access files, but NT 4.0 ignores mouse motions and keystrokes at the server--even on machines with NT 4.0's Service Pack 1 installed.

That glitch, coupled with the requirement to buy new client access licenses for your entire network when you install just one NT 4.0 Server, makes me hesitate to recommend upgrades to 4.0 Server. We did it. But if we had it to do again, I doubt that we would.

Assuming that you're using 3.51 or 4.0, what can you do to get ready for 5.0? Not much, really. The main work of a 5.0 upgrade will be reconfiguring your domain structure to use Active Directory. Microsoft is working hard to build tools to make that conversion easy, so don't lose any sleep over it. Other than that recommendation, I recommend getting comfortable with IIS because it will be an important network management tool under NT 5.0.

NT's progress, with the exception of some of 4.0 Server's warts, has been a steady, upward evolution. NT 5.0 will provide a bit more evolution than we're used to from NT--think of it as a mini-revolution. In the end, we'll probably enjoy the results.
