Windows 2000 Upgrade Project:
Your company is asked to provide consulting, development and
integration services for a company named Trey Research. As a part of this
project you will implement Windows 2000. All client computers that currently
run Windows will be upgraded to Windows 2000 Professional. Wherever possible,
the Windows NT 4.0 domain controller environment will be fully upgraded to
Windows 2000 Server.
Background:
Trey Research is a military research company that operates
from several locations in the United States. Most of the company's business comes
from contracts with the United States government and military. Its
headquarters and primary IT center is in Washington, D.C. The company is
distributed as follows:
Boston, Massachusetts
Denver, Colorado
San Diego, California
San Francisco, California
Seattle, Washington
St. Petersburg, Florida
Washington, D.C.
The Denver, San Diego, San Francisco and Seattle facilities
were originally a separate company named Parelli Aerospace. These facilities
became a part of Trey Research when they were purchased in 1997. These
facilities still use the Parelli Aerospace name and Parelli Aerospace still
maintains its identity as a separate company. Trey Research is likely to
acquire another company in the near future.
Problem Statement:
Chief Executive Officer (CEO):
Because we are primarily a military research contractor
working on a variety of classified projects, our primary concern is security.
We purchased Parelli Aerospace in 1997, but in many respects it still operates
as a separate company. We are attempting to eliminate duplicate work within the
two companies as much as possible. We are also in the process of developing
common operating practices.
For purposes of shared research, we allow government and
military customers to access some of our data.
When we bought Parelli Aerospace we needed to restructure
our entire security network structure. We need to be able to support our growth
plans without needing to perform this type of restructuring again.
Chief Information Officer (CIO):
In some cases, to avoid the need to replace the existing
hardware, we will use other operating systems rather than Windows 2000. Rather
than build more than one directory service, we want an integrated directory
service. To work towards accomplishing the goal, we will be migrating Microsoft
Exchange Server 5.5 to Exchange 2000 Server. All account administration
currently needs to be performed from our IT centers. We want to remove this
limitation. We also want a security infrastructure that will not need to
be restructured when the accounts database reaches 40 MB. Our current
arrangement of trust relationships is cumbersome to manage. The current Windows
NT 4.0 domain structure requires several domains for delegation of
administration. We eventually want to have a global IT facility that uses the
common software, standards, and procedures. The consolidation will begin during
the Windows 2000 upgrade but we do not expect to complete it during the upgrade.
We want the IT facilities to be controlled from one location as necessary.
However, we also want to be able to delegate certain tasks without necessarily
needing to create domains for them. We are concerned that MS Windows 95 and
Windows 98 do not offer security at the client computer level. We want to
increase our control and continue to standardize our client computers and
applications in all departments. We want to standardize our security and
management environment throughout the company as much as possible. We must
minimize the disruption caused by the Windows 2000 upgrade, and the upgrade must
not compromise our security.
History:
Trey Research has a diverse server environment. The company
uses mainframe, UNIX, Novell, Macintosh, Banyan VINES and Microsoft servers.
The current Windows NT domain structure was configured in 1997, after the
purchase of Parelli Aerospace, in an attempt to integrate the IT structures of
the two companies. The network based on Windows NT was configured as a
coexisting server structure, and migration and
interoperability were gradually implemented. Since then, all
service packs up to Service Pack 7 have been applied to Windows NT 4.0. The
goal of this migration is to finally remove all of the remaining Banyan VINES
and Novell servers.
Existing IT Environment:
General:
Trey Research uses 25,000 personal computers.
The distribution of users is shown below:

| Location | Users |
|---|---|
| Boston | 2,900 |
| Denver | 4,200 |
| San Diego | 1,900 |
| San Francisco | 3,600 |
| Seattle | 2,400 |
| St. Petersburg | 2,600 |
| Washington, D.C. | 7,400 |

There are currently two Windows NT account domains. All user
accounts are in these domains. There is one resource domain in each of the
seven geographic locations. There are account domains in Washington, D.C., and
San Francisco. BDCs are distributed throughout the company as needed. At the
Washington, D.C., location, there are two domain controllers running custom
applications that will not run on Windows 2000. During the upgrade process,
these domain controllers will remain on computers that run Windows NT Server
4.0. These domain controllers will be migrated at a later date.
Network Infrastructure:
There is a 44.736-Mbps line from San Francisco to the
primary IT center in Washington, D.C. This line is used primarily for business
applications. The 44.736-Mbps line has an average available bandwidth of 35
percent. There are 1.544-Mbps lines from Washington, D.C., to Denver, Boston,
St. Petersburg, Seattle and San Diego. There are also 1.544-Mbps lines from
San Francisco to San Diego, Denver and Seattle. The WAN links will be upgraded
if more bandwidth is needed. Each location has one internal DNS server to
manage the current UNIX environment. The current internal implementation of DNS
does not support
SRV records, dynamic update, Unicode characters, or incremental
zone transfer. The IT staff members who currently maintain DNS servers manage
both the UNIX environment and Windows NT Server environment. The external DNS
systems for both the Trey Research Web site and the Parelli Aerospace
Web site are currently hosted on third-party ISP servers.
The DNS modifications required for Windows 2000 will be designed to use the
existing internal DNS structure.
IT Structure:
The primary IT center is in Washington, D.C. There is also a
major IT center in San Francisco. In many ways, the San Francisco research
facility operates as an independent business unit. Since 1997, the IT
department has been creating an increasingly centralized IT structure. All
account management is performed in Washington, D.C., and San Francisco. All
Windows 2000 operations masters will remain in their default locations. The
departments that must be supported by the IT infrastructure include the following:
Administration
Financial
Human resources - managed as a single group by IT
Management
Public relations
Real estate
Information technology (IT)
Sales and marketing
Research
Aerospace
Biological
Chemical
Electrical
Mechanical
Policies and application specifications are defined at the
Washington, D.C., and San Francisco IT centers. These two locations also
provide telephone support for each department. Additionally, there is an IT
department at each geographic location. These local IT departments report
directly to the global technical support center. At the local offices, the IT
staff is divided by departments and departmental responsibilities.
Security:
Currently, the two domains have different security policies
for password length and complexity, and for account lockout. These policies
will not be changed after the Windows 2000 upgrade project is completed.
Accounts will be created at the Washington, D.C., and San Francisco facilities.
The rights for resetting passwords and changing attributes will be delegated to
local IT administrators. IT administrators give these users rights by adding
global groups to local groups. There will be four levels of administrators for
day-to-day operations:
- Enterprise administrators will be a small group contained
in a separate top-level domain to manage the entire organization.
- Domain administrators will be granted rights to the entire
domain.
- Branch administrators will be granted rights for
operations at the physical locations.
- Departmental administrators will have localized rights
based on their specific roles.
The departmental and branch administrators of resource
domains are not granted administrative rights for the corresponding account
domains.
Group Policy Goals:
Group Policy will be centrally managed from Washington,
D.C., as much as possible.
Initially, Group Policy will be designed to redirect folders to minimize logon time, to define logon scripts, to set security, and to allow specific software to be made available for installation in departments where users have the ability to install software.