Texas Instruments Takes NT International
NT's trusted domains bring an enterprise's global workforce closer together. Find out how TI is migrating from an OS/2 1.3 LAN Manager environment and deploying NT internationally.
February 28, 1997
NT's trusted domains help organize the enterprise
[Editor's Note: This article assumes you understand Windows NT domains and trust relationships. For information on these and related topics, see Volume 2, Chapter 4 of the Microsoft Windows NT Resource Kit for Windows NT 3.51 and the related Windows NT Magazine articles listed in this article.]
Sam Blunk, Texas Instruments's manager of information systems and services NT server engineering.
Texas Instruments (TI) is in the business of keeping up on the latest technology and finding ways to leverage that technology in its products. The company produces various products, including consumer electronics, computing devices, semiconductors, avionics, weapons guidance systems, software tools and services, precision-engineered materials, and sensors and control products. TI employs about 59,000 people worldwide, and they work on about 50,000 workstations.
When TI needed to connect its various users worldwide, the company implemented Windows NT Advanced Server 3.1, a new technology at the time, to replace its installed base of OS/2 1.3 LAN Manager servers. In the fourth quarter of 1993, five months after Microsoft released NT 3.1, TI began to deploy this new technology to 17 countries and almost 40,000 users worldwide. Figure 1 shows TI's global enterprise network.
TI uses Windows for Workgroups 3.11 for its DOS-based clients and is extending NT Workstation to its desktop clients and Windows 95 to notebooks until NT incorporates Plug and Play (PnP). NT transformed TI's client/server environment: The company moved from a fragmented environment with many small standalone domains to an NT network in which two-thirds of the company is linked by domain trusts.
From LAN Manager to NT
TI's production environment requires 24 X 7 availability, so the company emphasizes the importance of rapid restarts and gathering good (preferably dynamic) debug information at the time of a system failure. Unfortunately, the Intel-based server environment of the early 1990s wasn't up to this task and suffered in comparison to TI's mature and reliable mainframe systems. At the time, TI's 486/33- and 486/66-based servers ran Microsoft LAN Manager on OS/2 1.3. The rapidly growing popularity of the server environment quickly stretched beyond LAN Manager's capabilities.
The combination of OS/2 1.3 and LAN Manager suffered from several limitations, including
Limited architecture: Memory addressing and storage capacity were limited and forced TI to use many small servers.
Limited error recovery and debugging facilities: Troubleshooting system failures required a realtime dialup from Microsoft.
Duplicate accounts: Users needed a separate user ID and password for each server they accessed outside their logon network. If these user IDs and passwords slipped out of synchronization, the users received an Error 5: Access denied message. TI's biggest Help desk problem was administering and troubleshooting duplicate accounts and passwords.
Limited support: After the introduction of NT, TI was frustrated by Microsoft's lack of support for LAN Manager. "Complaining to Microsoft was like pushing your finger into the Pillsbury Doughboy," one TI manager said. "It makes a dent at the time, but as soon as you turn away, it pops back out as though nothing had happened."
Despite TI's frustration with Microsoft, NT was the top contender as a successor to TI's LAN Manager systems. Table 1 lists some of the problems TI faced with LAN Manager and TI's NT engineering team's solutions. TI chose NT because administrators and users were familiar with the Microsoft networking environment, and much of this environment remained unchanged from LAN Manager to NT. The Microsoft applications, such as SQL Server, that TI used under LAN Manager were available on NT, and NT's 32-bit addressing and symmetric multiprocessing (SMP) support finally created an opportunity for power and expandability. NT was Microsoft's flagship operating system and had the company's full support. NT had greatly improved system recovery over LAN Manager, and eventually incorporated automatic failure notification, dump, and system restart. NT's domain-trust model, which Microsoft expanded over LAN Manager's, largely eliminated the need for duplicate accounts between domains. Prices for new NT software and upgrades to existing licenses also were very favorable--not an insignificant issue in a company such as TI, which had hundreds of LAN Manager licenses.
The TI NT engineering team's project to deploy NT followed a phased approach, as you see in Figure 2. TI planned its domestic strategy from January to May 1994; domestic deployment began in June 1994 and ended in December that year. Between January and September 1995, TI planned its international strategy for three major regions: Japan, the Asia Pacific rim countries (Singapore, Malaysia, Philippines, Hong Kong, Taiwan, and Australia), and Europe (France, Germany, Italy, and the UK, initially). TI put its international plan into action between July and December 1995. The domestic integration of other master domains to the trusted network has been ongoing since January 1996.
Planning
To engineer NT Server 3.1 into TI's production environment, the TI team had to plan the implementation in three areas: server, support, and architecture.
Server: TI needed to design a generic NT server. Choosing a platform was the first and most important task because all other decisions would be based on the chosen platform. The NT engineering team chose Compaq's ProLiant and ProSignia servers as the standard production NT platform for a large part of the NT trusted network. TI chose those servers instead of faster RISC-based processors because the company's primary concerns were reliability, manageability, and expandability (not just speed). TI also chose the Intel-based servers because of the wide variety of server applications available for the x86 architecture. The team knew that Compaq's hardware is highly regarded in the trade press and is a value leader in its class for management features and expandability.
Support: The TI project had to include NT Server in the existing TI IS support structure. The NT engineering team had to write full documentation to cover everything from supporting a domain architecture to properly rebooting an NT server. The team selected and recommended NT Server training for all staff involved. This training to show that NT Server had evolved beyond LAN Manager was critical for the project's success. Although preaching NT's benefits to the masses wasn't in TI's plan, some evangelism was necessary.
Architecture: The team's challenge was to design a domain architecture for the entire company and strike a balance between the engineers' desire for independent domains and the need for a cohesive, supportable enterprise network. As part of the company culture, TI's engineers are known for creating their own domains with departmental machines. Unlike users of mainframe technology, TI users with a few hundred dollars in their project account can turn a desktop machine on its side, call it a server, and create a personal NT domain. This ability to create independent domains is not bad; workgroups and departments can have cheap computing power not possible a few years ago. However, the combination of easily created NT domains and TI's innovative company culture complicates the systems architect's job.
TI's NT trusted domain network of almost 40,000 accounts comprises only 10 of the hundreds of domains throughout the company--the rest are standalone domains. Microsoft's domain-trust models work best when a company has at most a few IS organizations. Ironically, because NT Server is a decentralized computing environment, the amount of trouble a company will have designing and deploying NT Server on a large scale is proportional to how decentralized the administration is. Most major sites at TI have their own Help desk and IS administrative staff, so fitting Microsoft's NT domain-trust model into TI's IS infrastructure was a significant challenge.
Domestic Deployment
Because stress testing an NT server with realistic loads was so difficult in 1994, TI initially employed NT on a few servers for internal IS department use only. The company migrated LAN Manager users to NT in groups to build the infrastructure step by step and record performance data.
This approach helped TI gain experience in moving user accounts and data from older systems. When the company was satisfied with the results, it began conversions in earnest.
TI converted about three LAN Manager servers into each NT Server and carefully scripted the process for future conversions. The script covered every contingency, from ensuring a dedicated multiport was available to speed data transfers to guaranteeing the right type of power (with the right plugs) was available in the computer room. Eventually, TI's NT engineering team could hand off the domestic conversions to another group because the process was so carefully laid out.
TI initially created two US master domains. Then the company brought a third domain online to limit each existing domain to 10,000 accounts and to help distribute administration.
International Planning
The international deployment team held planning meetings in a central location for each region. For TI's international sites, planning meetings served several purposes. First, these meetings were teaching sessions on how to administer an NT server in a multiple-master domain environment. Most administrators were familiar with NT on a server-by-server basis, but no one had experience with multiple master domains. Second, the meetings were forums in which the engineering team presented domain proposals and reached a consensus for a final design. Finally, the meetings introduced the administrators to some of the Dallas, Texas, support people they would work with in the coming years. When you're working internationally, you need to realize that many other cultures place more importance on establishing personal relationships with their coworkers than Americans do.
To plan for the international NT deployment, TI used different NT architectural models within different regions. Ultimately, the company chose three domain models--multiple master domain, master domain, and single domain. TI's NT domain design across the entire enterprise uses a multiple master domain model with master domains in the US, Japan, Europe, and the Asia Pacific regions. Settling on the multiple-master domain model was easy because it is the only design that can support a potential user base of 40,000 to 45,000 accounts.
TI organized its domains primarily along administrative boundaries, although geography and network topology influenced the decisions. TI Japan is a good example of the single-domain model. Because all of TI Japan uses the same administrative group, a single-domain model was the best choice.
In the Asia Pacific (APR1) and European (EUROPE1) regions, each country had its own administrative organization and security requirements. In planning meetings for these regions, the deployment team agreed to build a resource domain for each country and a master account domain for each region. This organization gave each country's administrators full control over their resource domain and gave two administrators from each country full administrative rights in their master domain.
International Deployment
Shortly after each planning trip, the deployment team returned to its home region to install NT at a major site. The local administrators attended to observe the conversion. They then returned to their sites to convert their servers. TI scheduled the conversions to occur on weekends with no more than one conversion per region on a given weekend so that the engineers could moderate the load on the region's Primary Domain Controller (PDC).
Because of impending network upgrades, TI was unable to employ the Windows Internet Name Service (WINS) concurrently with the international domains--the company installed WINS servers several months after the conversion. TI used lmhosts files instead of WINS to map NetBIOS computer names to IP addresses. This workaround caused many communication and coordination problems. For example, if a regional administrator created a new Backup Domain Controller (BDC) in a master domain and didn't notify the other administrators around the world so they could update all server lmhosts files, or if the BDC was promoted to PDC to make mass account creation easier, the PDC for the master domain seemed to disappear from the network. Notifying regional systems administrators to add the new PDC's IP address to the lmhosts file on their server corrected the problem.
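The coordination problem described above can be caught by comparing every server's lmhosts file with the current list of domain controllers. The following Python is an added example, not part of the original article or TI's tooling; the server names, controller names, addresses and the assumption that each controller entry carries #PRE and #DOM tags are constructed for illustration, with EUROPE1 borrowed from the article as the domain name.

```python
# Added example: audit per-server lmhosts files against the current
# domain controller list. All hosts and addresses are constructed.

def parse_lmhosts(text):
    """Return {NAME: (ip, domain_or_None, preloaded)} from lmhosts text."""
    entries = {}
    for line in text.splitlines():
        tokens = line.split()
        # Lines starting with '#' are comments or directives such as #INCLUDE.
        if len(tokens) < 2 or tokens[0].startswith("#"):
            continue
        ip, name = tokens[0], tokens[1].upper()
        domain, preloaded = None, False
        for tok in tokens[2:]:
            key = tok.upper()
            if key == "#PRE":
                preloaded = True
            elif key.startswith("#DOM:"):
                domain = key[5:]
            elif tok.startswith("#"):
                break  # any other '#' token starts a trailing comment
        entries[name] = (ip, domain, preloaded)
    return entries

def audit(domain, controllers, lmhosts_by_server):
    """List (server, dc, problem) for each DC a server cannot resolve correctly."""
    findings = []
    for server, text in sorted(lmhosts_by_server.items()):
        entries = parse_lmhosts(text)
        for dc, ip in sorted(controllers.items()):
            found = entries.get(dc.upper())
            if found is None:
                findings.append((server, dc, "missing"))
            elif found[0] != ip:
                findings.append((server, dc, "stale address " + found[0]))
            elif found[1] != domain.upper():
                findings.append((server, dc, "no #DOM:" + domain + " tag"))
    return findings

# Constructed scenario: EUR-DC2 was added as a BDC and then promoted to PDC.
CONTROLLERS = {"EUR-DC1": "10.1.0.10", "EUR-DC2": "10.1.0.11"}
LMHOSTS = {
    "paris-fs1": "10.1.0.10 EUR-DC1 #PRE #DOM:EUROPE1\n10.1.0.11 EUR-DC2 #PRE #DOM:EUROPE1\n",
    "tokyo-fs1": "# master domain DCs\n10.1.0.10 EUR-DC1 #PRE #DOM:EUROPE1 # old PDC\n",
    "dallas-fs1": "10.1.0.10 EUR-DC1 #PRE #DOM:EUROPE1\n10.1.0.99 EUR-DC2 #PRE\n",
}

if __name__ == "__main__":
    for finding in audit("EUROPE1", CONTROLLERS, LMHOSTS):
        print(*finding)
```

Run after any controller is added or promoted, the audit names the servers that still need the update before users at those sites see the PDC drop off the network.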
Integration
In a truly useful trusted network, NT domains outside the network can connect to it to take advantage of the network's Remote Access Service (RAS) and Systems Management Server (SMS) resources and eliminate the need for duplicate accounts between their domain and the trusted network. In January 1996, TI began a series of integrations to set up two-way trusts with master domains from organizations such as the Systems Group and Materials & Controls Group.
These integrations have complicated the administration of the company's trusted network in several ways. Two of the most significant impacts are in the area of trusts and customer support. Adding master domains and domain controllers to a multiple-master domain NT network significantly increased the number of domain trusts and trust sessions that TI had to monitor and repair. Every new master domain has a support organization, which complicates user support. The users need to know which group to call, and if they call the wrong place, the support organization needs to be able to quickly route the call to the correct group or have rights to fix the problem themselves. TI soon realized that support issues across domains were as important as the technical issues of domain integration. To see how one member of TI's NT engineering team felt about the project, see the sidebar, "An Interview with TI."
Challenge to Manage NT
The biggest tasks now involve NT management issues. The cost of support far outweighs the cost of software, and few tools exist for the enterprise in areas such as audit data collection and analysis and storage management. TI is watching the road to NT 5.0 carefully, and positioning the enterprise to take advantage of its much-needed enhancements as they become available.
CONTACT INFO
Texas Instruments
Web: http://www.ti.com
RELATED ARTICLES IN WINDOWS NT MAGAZINE
Mark Minasi, "Domains and Workgroups," April 1996
Ed Tittel and Mary Madden, "Domains, Trust Relationships, and Groups," June 1996