NT 5.0 has new features but requires major network changes
Most attendees of Microsoft's Professional Developers Conference (PDC) in September probably didn't expect to see many new Windows NT 5.0 developments. I certainly didn't because of the numerous developments Microsoft revealed at last year's PDC. (For an overview on the 1996 PDC developments, see my article, "The Evolution of NT," February 1997.) But Microsoft surprised the 7000 attendees with a healthy dose of new capabilities. NT 5.0 has key developments in five areas: the Active Directory (AD), security systems, infrastructures, hardware support, and networking tools.
Compelling New AD Features That You Might Lose Out On
From the beginning, NT 5.0's directory service, AD, has been in the
spotlight. Microsoft intends AD to be a big, flexible, distributed,
fault-tolerant database containing user account information, network shares
information, security data, shared applications, and just about anything else
that you want to put in it. AD eliminates or severely modifies the current
notion of local and global groups, trust relationships, the Network
Neighborhood, and user accounts.
Installing NT 5.0 and its directory service on your existing network will
yield some positive features, but migrating to NT 5.0 will require major
changes in your network. Most firms won't be able to switch all their domain
controllers to NT 5.0 simultaneously, which means that many companies will live
in a mixed environment including NT 3.x, 4.0, and 5.0 systems for a while.
However, unless you convert every domain controller to NT 5.0, you will lose out
on two compelling AD features: multimaster replication and nested groups.
Multimaster replication is an improvement that's long overdue. In NT 3.x
and 4.0, user account information for a domain resides only on the Primary
Domain Controller (PDC). Backup Domain Controllers (BDCs) contain copies of that
information. If you want to change user account information (such as resetting a
forgotten password or creating a new account), you must connect directly to the
PDC--a major pain in large networks. But with NT 5.0, you can update account
information at any domain controller, as long as you have a pure NT 5.0
environment.
The Global Catalog (GC) complements multimaster replication. Different
domains in an enterprise share a GC, which contains summarized information
(e.g., user accounts and shares) about all the enterprise's domains.
When you're logging on to one domain from another domain, the local domain
controller can't authenticate you directly because it doesn't contain a user
account for you. So, with the GC's help, the local domain controller determines
what domain you belong to and the name of a domain controller in your domain.
Although an enterprise has only one GC, you can set up GC replicas anywhere
in the enterprise. Thus, GC management will be an important part of NT 5.0
administration.
Another attractive feature of NT 5.0 is that you can nest groups. For
example, you can create a group called Virginia_managers inside another group
called Virginia_employees, which in turn might reside in a third group
named American_employees, which finally resides in a group named
Employees. You can't nest groups in NT 3.x or 4.0--and you can't nest groups in
NT 5.0 until you've converted the last NT 3.x and 4.0 domain controllers.
Nested groups and multimaster replication will not work in a mixed
environment because of the way in which NT 3.x and 4.0 systems look up security
information. NT 5.0 domain controllers can pretend to be NT 3.x and 4.0 domain
controllers for compatibility purposes, but once they flex their wings and act
like full-fledged NT 5.0 domain controllers, the way in which they arrange user
accounts would confuse an NT 3.x or 4.0 BDC.
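To make the nesting concrete, here is a small Python model, added for this edition rather than taken from NT itself, that resolves effective membership through any depth of nesting. The group and user names are made up. It also shows why a cycle (a group that ends up nested inside itself) needs handling, and what a flat, NT 4.0-style view of the same groups has to contain.

```python
"""Effective group membership through nested groups.

Illustrative model, not NT code: a directory maps each group to members that
may be users or other groups. Resolving membership is a graph walk, so it has
to tolerate cycles (a group nested, directly or indirectly, inside itself).
"""
from collections import deque

# Constructed sample directory. Keys are groups; a member that is not itself
# a key is treated as a user account.
GROUPS = {
    "Employees": {"American_employees", "European_employees"},
    "American_employees": {"Virginia_employees", "Texas_employees"},
    "Virginia_employees": {"Virginia_managers", "alice", "bob"},
    "Virginia_managers": {"carol"},
    "Texas_employees": {"dave"},
    "European_employees": {"erin"},
}


def effective_members(group, groups):
    """Return the set of users who belong to `group`, directly or through
    any depth of nesting. Groups already visited are skipped, so a cycle
    cannot send the walk around forever."""
    users = set()
    seen = set()
    queue = deque([group])
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        for m in groups.get(g, ()):
            if m in groups:          # nested group: expand it later
                queue.append(m)
            else:                    # leaf: a user account
                users.add(m)
    return users


def groups_of(user, groups):
    """Return every group `user` belongs to, directly or transitively. This
    is what an access check must compute when an ACL names a parent group
    such as Employees rather than the group the user was put in."""
    return {g for g in groups if user in effective_members(g, groups)}


def flatten(groups):
    """Produce the flat, NT 4.0-style view in which every group lists only
    user accounts. A downlevel BDC that cannot read nested membership would
    need this expansion done for it before the data made any sense."""
    return {g: effective_members(g, groups) for g in groups}
```

Because `groups_of` walks the whole directory once per group, it is fine for a model but not for a large domain; the point is the transitive closure, which a flat NT 4.0 account database simply has no way to express.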
So why doesn't Microsoft simply use a service pack to modify how an NT 3.x
or 4.0 domain controller searches the domain's account information? According to
a Microsoft program manager, Microsoft could certainly create a service pack to
let NT 5.0 operate in a mixed NT environment without sacrificing features, but "customers
won't accept" another service pack. This response is odd when you consider
that Microsoft will release a service pack for NT 4.0 because NT 5.0
incorporates a new NTFS format, called NTFS 5. Apparently, disk formats are
important enough to warrant a service pack, but the directory service isn't!
In addition to multimaster replication and nested groups, NT 5.0's AD has
another important development: a networked Registry called the Class Store. Each
Organizational Unit (Microsoft's term for a subpart of a domain) has a Class
Store. The Class Store is a list of all available applications and where to find
them.
For example, suppose I send you an email with an attachment in Portable
Document Format (PDF). Because Adobe Acrobat creates .pdf files, to read the
file, you need Acrobat Reader, which you don't have on your system. When you try
to open the .pdf file, your NT 3.x or 4.0 system searches the local Registry,
discovers that the necessary software is missing, and realizes that it doesn't
know what to do with the .pdf file. So NT gives you a dialog box that says, in
effect, "I don't know what to do with a .pdf file, but I do know of
these programs: Word, Notepad, and so on. Can any of them read a .pdf?"
In contrast, if NT 5.0 can't find the appropriate software in the Registry,
it queries AD's Class Store about the software. The Class Store might respond, "Oh,
yes, I know what program you need for .pdf. You can install this program from a
file named \\APPSVRS\ADOBE\ACROBAT.CAB," or perhaps, "You can
find a program that handles .pdfs at http://www.adobe.com/acrobat/acroread.zip." The Class Store extends HKEY_CLASSES_ROOT on your machine to
a distributed directory of applications, whether the applications are local
(reached via a Universal Naming Convention, or UNC, path) or distant (reached
via a URL).
Kerberos Is Not the Only Guard Dog in Town
With NT 5.0, to borrow from Firesign Theater, "everything you know is
wrong." Current network logons rely on a variation of the NT LAN Manager
(NTLM) authentication system, which has been around since the LAN Manager days.
(For background on NTLM logons, see my column "Windows NT Logons,"
June 1997.) NTLM is a tad inefficient, so Microsoft originally decided to
embrace an established standard, the Kerberos authentication system. Because
Kerberos supports cross-realm authentication (a client holding a ticket from
its own realm can be referred to a trusted realm's ticket-granting service),
you can easily build transitive trust relationships, which are an important
part of NT 5.0's big network nature. (For
more information about Kerberos, see my Inside Out column "Kerberos and NT
5.0," August 1997, and Michael E. Chacon, "Kerberos Is on Guard in
Windows NT 5.0," October 1997.)
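The difference between an NT 4.0 trust and a transitive, Kerberos-style trust is easiest to see on a graph. The following Python model is an added illustration, not Microsoft's code; the domain names are made up, and the one rule it encodes is that a non-transitive trust is honored only as a single, direct hop, whereas transitive trusts chain into a referral path.

```python
"""Transitive versus non-transitive trust, modelled as a directed graph.

Illustrative model, not Microsoft code. An entry trusts[R][A] = flag means
resource domain R trusts account domain A; the flag says whether that trust
is transitive. An NT 4.0 trust is non-transitive: if R trusts B and B trusts
A, a user from A still cannot use R. Kerberos cross-realm authentication lets
a trust be transitive: the client is referred along the chain of trusted
realms, obtaining one cross-realm ticket per hop.
"""
from collections import deque

# Constructed sample: a tree of three domains with two-way transitive trusts,
# plus one downlevel NT 4.0 domain attached by a classic non-transitive trust.
TRUSTS = {
    "corp.com":      {"west.corp.com": True, "east.corp.com": True,
                      "legacy.nt4": False},
    "west.corp.com": {"corp.com": True},
    "east.corp.com": {"corp.com": True},
    "legacy.nt4":    {"corp.com": False},
}


def referral_path(user_realm, service_realm, trusts):
    """Return the chain of realms a client from `user_realm` is referred
    through to reach a service in `service_realm`, or None if no trust path
    exists. A non-transitive trust is usable only as a direct, single hop;
    a multi-hop path must consist of transitive trusts only."""
    if user_realm == service_realm:
        return [user_realm]
    if user_realm in trusts.get(service_realm, {}):   # direct trust, any kind
        return [user_realm, service_realm]
    # Walk from the service realm outward over transitive trusts only.
    queue = deque([(service_realm, [service_realm])])
    seen = {service_realm}
    while queue:
        realm, path = queue.popleft()
        for trusted, transitive in trusts.get(realm, {}).items():
            if not transitive or trusted in seen:
                continue
            seen.add(trusted)
            new_path = path + [trusted]
            if trusted == user_realm:
                return list(reversed(new_path))   # client's point of view
            queue.append((trusted, new_path))
    return None


def can_authenticate(user_realm, service_realm, trusts=TRUSTS):
    """True if a user from `user_realm` can obtain service in `service_realm`."""
    return referral_path(user_realm, service_realm, trusts) is not None
```

In the sample, a user in east.corp.com reaches a server in west.corp.com via corp.com without anyone having created an east-to-west trust, which is the whole attraction; the NT 4.0 domain, by contrast, is reachable from corp.com only, because its trust does not chain.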
Kerberos is the security blanket for NT 5.0--or at least that was the story
at last year's PDC. At this year's PDC, Microsoft demonstrated a growing
affection for public-key authentication rather than password-based (also known
as shared-secret) security systems. Kerberos will be the default security
system, but you can also use an X.509-compatible public-key authentication
system. In addition, you can use an NT server as your own key server. In other
words, you will have your own certificate authority.
Public-key systems have drawbacks, however. One disadvantage is that the
user's credential is no longer a memorable password but a private key that is
hundreds of digits long, so it must be stored somewhere and protected there.
Currently, the most popular solution to this problem is smart card systems. The
Microsoft representatives were pushing smart card technology for NT 5.0 quite a
bit at the PDC. (For information about such public-key authentication systems,
see Ben Rothke, "Token-Based Security Add-Ons," June 1997.)
To audit your public-key or password-based security system, you can use NT
5.0's Security Configuration Editor. This feature performs two major functions:
It helps you audit your network security, and it lets you easily modify
permissions (i.e., the access control lists, or ACLs) in your network. You
can't modify the ACLs for many items in NT 3.x and 4.0, but NT 5.0 eliminates
that limitation. Even better, you can run the Security Configuration Editor from
the command line, so you can easily write scripts for administration of big
portions of the network.
New Infrastructures Take the Terror Out of Handling Terabytes
I expected TCP/IP or new mutations of HTML to be the big story at the PDC.
Although Microsoft had news about NT 5.0's networking capabilities, the news
about NT's data storage capabilities captured the attendees' attention.
The biggest story is that NT Server will ship with Hierarchical Storage
Management (HSM). HSM is similar to virtual memory. With virtual memory, NT uses
the hard disk as memory when NT runs out of RAM (a habit for NT). With HSM, NT
creates virtual disk storage out of tape drives, optical drives, and other
cheaper-by-the-byte storage media when NT runs out of hard disk space.
Here is a simplified description of how HSM works. Suppose a company has an
NT 5.0 Server with an 8GB hard disk and 12GB tape drive. As employees access
files, the server keeps track of which files they use and how often they use
them.
Although the server starts without much data on its hard disks, that
situation soon changes as employees fill up the server's shares. The first 8GB
of data go on the hard disk, where employees can quickly access the data. As
time goes on, employees try to put more than 8GB on the server. (To most
employees, this server appears to have 20GB of storage.) With previous versions
of NT, employees would, at this point, get "out of disk space"
messages. With NT 5.0, however, the story has a different, happier ending. The
server analyzes file usage patterns to determine which files aren't accessed
often. The HSM then migrates the less-used files to the tape drive, making space
on the hard disk for more often-used files.
Migrated files show up in the user interface with a small clock icon next
to them. This icon lets you know that if you want to access those files, you
will have a short wait while the HSM service grabs them off the tape drive.
The process I just described is a two-level HSM system, which comes free
with NT Server. A three-level system is also available from HSM's developer,
Eastman Software. In the three-level system, data migrates from a fast
disk to a somewhat slower, but more capacious, optical disk. If you need even
more space, the least-used data can migrate from the optical disk to the tape
drive.
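The migration policy described above is simple enough to model. The Python below is an added illustration, not Eastman Software's or Microsoft's code, and it generalizes the two-level case to any number of tiers (disk, then optical, then tape). Capacities are in GB and the file names are made up. It shows the part the prose glosses over: a write that overflows the fast tier pushes the least recently used files down, a recall of a migrated file can in turn push a colder file down, and "out of disk space" appears only when the slowest tier is also full.

```python
"""Tiered storage (HSM) simulation, generalized to N tiers.

Illustrative model only. Tier 0 is the fast disk; the last tier is the
slowest and cheapest. When a write would overflow a tier, the least recently
used files resident there migrate one tier down, cascading further if that
tier is also full. Reading a migrated file recalls it to tier 0. The user's
namespace never changes; only the file's location (and latency) does.
"""


class HSM:
    def __init__(self, capacities_gb):
        self.capacities = list(capacities_gb)
        self.used = [0] * len(capacities_gb)
        self.files = {}          # name -> (size_gb, tier); tier -1 = in flight
        self.last_access = {}    # name -> logical clock of last use
        self.clock = 0

    def _tick(self, name):
        self.clock += 1
        self.last_access[name] = self.clock

    def _make_room(self, tier, size):
        """Evict least recently used files from `tier` until `size` fits.
        Victims move to tier+1, which may itself need room first. Returns
        False if even the slowest tier cannot absorb the overflow."""
        if size > self.capacities[tier]:
            return False
        while self.used[tier] + size > self.capacities[tier]:
            if tier + 1 >= len(self.capacities):
                return False                      # nowhere left to migrate
            resident = [n for n, (_, t) in self.files.items() if t == tier]
            if not resident:
                return False
            victim = min(resident, key=lambda n: self.last_access[n])
            vsize = self.files[victim][0]
            if not self._make_room(tier + 1, vsize):
                return False
            self.used[tier] -= vsize
            self.used[tier + 1] += vsize
            self.files[victim] = (vsize, tier + 1)   # migrated down one tier
        return True

    def delete(self, name):
        size, tier = self.files.pop(name)
        self.used[tier] -= size
        self.last_access.pop(name, None)

    def write(self, name, size_gb):
        """Store a file on the fast tier, migrating others as needed.
        Returns False only when every tier is full: the 'out of disk space'
        case the user would otherwise have seen at 8GB."""
        if name in self.files:
            self.delete(name)
        if not self._make_room(0, size_gb):
            return False
        self.files[name] = (size_gb, 0)
        self.used[0] += size_gb
        self._tick(name)
        return True

    def read(self, name):
        """Serve a read and return the tier the data came from (0 = no wait).
        A migrated file is recalled to tier 0, the 'short wait' behind the
        clock icon, possibly pushing a colder file down to make room."""
        size, tier = self.files[name]
        self._tick(name)
        if tier != 0:
            self.used[tier] -= size
            self.files[name] = (size, -1)         # in flight: not evictable
            if self._make_room(0, size):
                self.files[name] = (size, 0)
                self.used[0] += size
            else:                                 # cannot fit; leave it put
                self.files[name] = (size, tier)
                self.used[tier] += size
        return tier

    def tier_of(self, name):
        return self.files[name][1]

    def listing(self):
        """What the user sees: every file by name, marked 'migrated' where
        the UI would show the clock icon."""
        return {n: ("migrated" if t > 0 else "online")
                for n, (_, t) in self.files.items()}
```

Run with `HSM([8, 12])` for the article's 8GB disk and 12GB tape, or `HSM([8, 40, 200])` for the three-level disk, optical and tape arrangement; the only difference is how many times a cold file can be pushed down before the server finally says no.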
Two tools (reparse points and volume-mounting utilities) make two-
and three-level HSM systems possible. (You could even use these tools to
create a 50-level HSM system.)
Reparse points let you create a new directory by gluing together two
existing directories. For example, suppose you're working on a project that has
graphics on h:\grafs and text on c:\txt. You want to compile the information
into a directory called m:\project. First, you create the directory m:\project.
Below the directory, you use reparse points to glue c:\txt as m:\project\words.
Next to m:\project\words, you use reparse points to glue h:\grafs as
m:\project\pictures. The result is that when you open m:\project, you'll have
everything you need for your project, but you won't realize that you're
accessing the C: and H: drives.
In addition to using reparsing, HSM uses volume-mounting utilities. Volume
refers to the place where you store data. Mounting refers to the process
in which a server assigns a drive letter to a storage device.
DOS, Windows, and NT have always been weak in the mounting area. For
example, when you boot an NT 4.0 system, the server locates all floppy drives,
hard disks, CD-ROMs, and so on, giving each a drive letter. Because the NT world
inherited the single-drive-letter model of DOS and CP/M, the server has only 26
possible places to store data (A: through Z:).
But in most other operating systems, you can control drive mounts and
dismounts on the fly--a task not feasible in the Wintel world, until now. NT
5.0's volume-mounting utilities let you store data in whatever drive you
assign it to. For example, in a PDC demonstration, a Microsoft representative
first used a reparse point to glue a CD-ROM onto an existing drive as the
directory E:\CDROM. He then dismounted the CD-ROM, which had been drive D:. The
result was that all the CD-ROM's data was accessible as E:\CDROM and the D:
drive letter was free for re-use!
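What the m:\project and E:\CDROM demonstrations have in common is a lookup that happens on every open: when a component of the path is a reparse point, the rest of the path is re-attached to the target and resolution starts over from there. The Python below is an added model of that walk, not the NTFS implementation; the reparse table and path names are constructed from the examples above, and the hop limit is an assumed figure. It builds in the two checks an administrator will care about: a cap on the number of reparses, so that a junction pointing (directly or via another junction) back at itself cannot run the resolver in circles, and a report of which volume actually served the data, since a junction silently redirects the caller onto another volume.

```python
"""Path resolution through reparse points (directory junctions and volume
mount points), modelled on the m:\\project and E:\\CDROM examples.

Illustrative model, not NTFS code. Paths are compared case-insensitively
with backslash separators, as Windows does.
"""

MAX_REPARSE = 32   # assumed hop limit; a real filesystem enforces one too

# Constructed sample table: reparse-point path -> target path
REPARSE = {
    r"m:\project\words":    r"c:\txt",
    r"m:\project\pictures": r"h:\grafs",
    r"e:\cdrom":            r"\\?\volume{cdrom}",   # was drive D:, now letterless
}


class ReparseLoop(Exception):
    """Raised when resolution exceeds the hop limit (a junction cycle)."""


def _norm(path):
    return path.lower().rstrip("\\")


def resolve(path, table=REPARSE, max_reparse=MAX_REPARSE):
    """Return (final_path, hops): the physical path after following every
    reparse point, and how many reparses it took to get there."""
    table = {_norm(k): _norm(v) for k, v in table.items()}
    current = _norm(path)
    hops = 0
    while True:
        parts = current.split("\\")
        hit = None
        # longest matching prefix wins, so nested junctions behave
        for i in range(len(parts), 0, -1):
            prefix = "\\".join(parts[:i])
            if prefix in table:
                hit = (prefix, "\\".join(parts[i:]))
                break
        if hit is None:
            return current, hops
        hops += 1
        if hops > max_reparse:
            raise ReparseLoop(f"too many reparse points resolving {path!r}")
        target, rest = table[hit[0]], hit[1]
        current = target + ("\\" + rest if rest else "")


def volume_of(path, table=REPARSE):
    """Name the volume that finally serves `path`: a drive letter such as
    'c:' or, for a mounted letterless volume, its volume identifier."""
    final, _ = resolve(path, table)
    if final.startswith("\\\\?\\"):
        return final.split("\\")[3]
    return final.split("\\")[0]


def is_loop(path, table):
    """True if resolving `path` through `table` never terminates."""
    try:
        resolve(path, table)
        return False
    except ReparseLoop:
        return True
```

Opening m:\project\words\chapter1.doc therefore lands on c:\txt\chapter1.doc after one reparse, and E:\CDROM\readme.txt on the CD-ROM volume that no longer owns a drive letter, exactly as in the demonstration; the user sees only the M: and E: names.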
In addition to HSM, Microsoft introduced several other networking
infrastructure developments at the PDC. Those developments include the new Disk
Manager (which replaces the old Disk Administrator), FAT32 support, encryption
support, a defragger, and an improved backup program.
The new Disk Manager and many other NT administration tools no longer
require reboots. You can add a new physical drive, partition it, format it, and
use it without rebooting. However, you need to beware of one catch. To eliminate
reboots, your disk's host adapter must be an NT 5.0 disk driver. The NT 5.0
disk driver differs from the NT 4.0 disk driver in that it features Plug and
Play (PnP). With PnP, you can disconnect removable media more easily, so you
won't even have to reboot to remove your Jaz cartridge.
Another feature of the Disk Manager is that it is a single-seat
administration tool. This feature will let you perform disk administration tasks
on computers without having to be sitting at the computer. Think of how much fun
you'll have remotely attaching to someone else's workstation disks via the
network and then formatting those disks....
Microsoft decided to knock down a big wall between Windows and NT by
supporting FAT32 under NT. With the FAT32 driver, you can format partitions up
to 32GB.
NT 5.0's new format, NTFS 5, will support encryption. You can encrypt files
and annotate them any way you like. You can even search on those annotations.
NTFS 5 will also support filters. These programs (e.g., an antivirus
application) examine files as the files are being transported on or off a disk.
A defragger will finally ship with NT 5.0. Executive Software is graciously
providing this tool for free. I'm sad to say that the defragger will not include
the cool application-specific defragmentation wizard that Windows 98 (Win98)
will feature.
Microsoft will improve NT 5.0's backup program several ways. First,
Microsoft will add support for changers. Second, you'll be able to use nontape
devices (such as Jaz or other optical drives) for backups. Third, NT 5.0's
backup program will integrate better with the Scheduler (which now features an
easy-to-use GUI). Finally, best of all, the backup program will support disaster
recovery. When you need to restore an entire server on a new machine, you just
insert one floppy in the drive and boot the new machine. The floppy will prompt
you to insert tapes and, in a while, you'll have a completely restored server.
All these changes to NT 5.0's infrastructure will render NTFS volumes
created under NT 5.0 unintelligible to earlier NT versions. Microsoft plans to
release a service pack for NT 4.0 that will let NT 4.0 understand NTFS 5.
Unfortunately, Microsoft does not plan to create a similar service pack for NT
3.51.
Hardware Won't Be so Hard
I'm not much of a fan of Windows 95 (Win95) and Win98, but they have one
undeniably desirable feature: PnP. Although you might have heard the
plug-and-pray jokes, PnP's theory is sound. Most problems that PnP users
encounter stem from the hardware, not from PnP itself. Many PnP systems in use
today are the early hardware--the first crop. Remember how bad the first crop
of Windows 3.0 applications was? Similarly, remember what a pain Windows 3.0 was
when you ran a few old DOS applications? What DOS was to Windows is what old
ISA boards are to PnP systems. Modern PnP systems that contain only PnP
components and a PnP-enabled operating system (such as Win95) are much easier
to configure than older systems (such as NT 4.0).
NT 5.0 will close the PnP gap with Windows. NT 5.0 will fully support PnP
and all the latest hardware doodads, including Universal Serial Bus, Institute
of Electrical and Electronic Engineers (IEEE) 1394, tape changers (the built-in
backup program now supports tape loaders), and asynchronous transfer mode (ATM).
NT will even follow Win98's footsteps by supporting TV tuner boards and enhanced
television--an improvement I have yet to completely understand. (At the PDC,
Microsoft demonstrated an online TV guide. Not only can you discover what
programs are on, but you can also click on a program to watch it right on
your PC. This integration of TV and PCs lets couch potatoes become mouse
potatoes!)
Another questionable improvement in NT 5.0's hardware is DirectX 5. With
DirectX 5, game designers will have an easier time supporting NT. (However, I
find it hard to imagine NT as a game platform.) NT 5.0 will also support
multiple monitors. You just install a few PCI video cards into a box and attach
monitors to them. NT will then spread your display among the monitors.
NT 5.0 will also feature power management. This feature will let you put
your computer in at least two low-power modes: standby and hibernate. Microsoft
characterizes the standby mode as a light sleep. Outside devices (such as fax
modems, network cards, or the clock) can wake the computer. The hibernate mode
is similar to the suspend/resume feature in many notebook computers. This mode
notes the current state of the computer and puts this information into a
hibernation file.
To use NT 5.0's power management feature, you'll need a new computer.
Currently, PCs use a BIOS-based standard called Advanced Power Management (APM)
to accomplish power management. Because APM is BIOS-based and NT doesn't use any
real-mode code, APM won't work well under NT without a lot of fancy driver work.
Some vendors have tried power management under NT, but I have yet to come across
a laptop in which power management works reliably.
Newer computers supposedly use a power management method called the
Advanced Configuration and Power Interface (ACPI), but I don't recall seeing
ACPI as an option in the various laptops I've looked at in the past year. In
addition, I'm not thrilled about having to buy all new computers when NT 5.0
arrives next year.
Will NT 5.0's hardware changes force you to get new drivers for your
hardware? The answer depends on whether you want to use all of NT 5.0's
features. Because Microsoft received a lot of flak when it made NT 4.0 disk
drivers incompatible with NT 3.51 drivers, Microsoft designed NT 5.0 so that it
can use NT 4.0 drivers. However, if you use NT 4.0 drivers, you won't be able to
use NT 5.0's new features to the fullest extent. To take advantage of the
hardware-dependent features (PnP, reboot-free disk administration, and power
management), you'll have to update your drivers. (For information about hardware
requirements, see the sidebar "Updating Your Drivers and Setting Your Sites
for Windows NT 5.0," page 128.)
Network News
Although many of NT 5.0's networking capabilities have been public for a
while, Microsoft introduced several new network tools at the PDC. Two of those
tools will let you more easily build Virtual Private Networks (VPNs) on the
Internet or private intranets. Currently, NT's main VPN tool is Point-to-Point
Tunneling Protocol (PPTP), which ships with Remote Access Service (RAS). A
protocol similar to PPTP--Layer 2 Tunneling Protocol (L2TP)--will appear in RAS
for NT 5.0. Keep in mind that L2TP by itself only tunnels; it does not encrypt
the traffic. For that, NT 5.0 will also feature IPsec, a system that lets you
add authentication and encryption to IP networks at the IP level, and L2TP is
meant to be paired with it. (For information about PPTP, see Douglas Toombs,
"Point-to-Point Tunneling Protocol," June 1997, and Douglas Toombs, "DNS
and PPTP for Network Security," August 1997.)
Once you have built your VPN, you might want to play NetShow video
broadcasts. By supporting multicasting, NT 5.0's routing software will simplify
playing such broadcasts. Multicasting is similar to broadcasting, except that
a broadcast reaches every computer on the network, whereas a multicast reaches
only the machines that have joined the multicast group.
All the network news is about IP because it is the default network protocol
for NT 5.0. Fortunately, controlling IP will get easier. NT 5.0 will have an
improved administrative user interface, and you'll be able to do all your server
administration without rebooting. Microsoft will also plug a long-standing hole
in NT networking by including distributed time server software in NT 5.0.
Although I have learned how to compensate for this past oversight, I'll be glad
to have the software automatically synchronize all the NT boxes (and yes, the
time server software does understand time zones).
Improvement Potpourri: Upgrade Paths and More
At the PDC, Microsoft revealed other NT 5.0 developments that did not fall
in the five areas I just covered. One such announcement was that NT 5.0 will
have an upgrade path from Win9x. Currently, if you install NT 4.0 on a system
that already contains Win95, the NT setup program cannot read the Win95
Registry. As a result, you cannot migrate your applications to NT and instead
must reinstall all your applications. However, the NT 5.0 installer will
understand both the Win95 and Win98 Registries, so you can upgrade a machine
from Windows to NT without trouble.
Other interesting improvements include:
- NT 5.0's kernel will have a tool that lets you point to a program and tell
the system, "If this program takes up more than X megabytes of space or
more than Y seconds of CPU time, automatically terminate it (or reduce its
priority or alert you, etc.)."
- Under NT 5.0, you can build a single version of a program to support many
different languages.
- NT 5.0 will include a text-to-speech facility. You just point to a part of
the screen and the computer will speak the screen's text. Although
text-to-speech technology isn't new, it'll be convenient when incorporated into
the operating system.
Is Microsoft Up to the Challenge?
In the past year, Microsoft did not ship any new NT versions, yet it changed
the overall picture of NT immensely. Although NT is gaining acceptance at an
incredible rate--Microsoft claims to have sold over 1 million copies of NT
Server in the past year--NT has lost on the architecture-independence front. In
1996, NT supported four architectures; now, NT supports only Alpha and the Intel
x86 lines.
NT has become more formidable in size. At the PDC, a Microsoft
representative compared NT 3.1, 4.0, and 5.0 by noting that NT 3.1 contains 6
million lines of code, NT 4.0 contains 16 million lines, and so far, NT 5.0
contains 27 million lines! In fact, 400 developers and 400 testers are working
on NT 5.0.
At this point, Microsoft's marketing prowess has all but guaranteed that NT
will be a major desktop operating system in the twenty-first century, if not
the desktop operating system of the future. But NT 4.0's quality
problems and the ill-fated Service Pack 2 leave open the question of whether
Microsoft's development prowess is up to the NT 5.0 challenge. Although no one
can answer that question yet, I saw a disturbing trend at the PDC that might
indicate Microsoft is not ready: More than half of the demonstrations I saw on
the first day failed. The demonstrations did not fail because of unsound
technology. They failed because the Microsoft representatives did not take a few
extra minutes to actually try the demos before attempting them in front
of 7000 potential customers. NT 5.0 is enterprise software, and it can't
be sold like Monster Truck Madness.
If NT 5.0 delivers, it'll be a new benchmark in operating system price and
performance--but let's hope that Microsoft takes its time. Most customers would
rather see a high-quality product that doesn't ship until 2000 than an
unreliable one that takes six service packs to become stable.
Mark Minasi’s December 1997 article, “NT 5.0 Gets Better and Better—Mostly,” could not have come at a better time. We were deciding whether to upgrade our servers or purchase new ones. Knowing that we might need a 166MHz processor answers the question and lets us know that upgrading now will not carry us into the NT 5.0 world.
I did not like Mark’s references to questionable improvements. Although Mark’s world sees no need for them, other users and industries do. I used to work with CAD, and you need two monitors for complex work. The screen real estate significantly increases end user productivity. Our options for dual screen configurations were limited to solutions from a handful of hardware vendors who provided drivers for dual monitors with their graphics adapters. I believe DOS supported eight monitors, yet NT originally supported only one. Obviously, Microsoft missed the need for this capability in the first few passes. I can think of business uses for most of the questionable improvements, with the exception of game support. I assume the goal for game support is to eventually get NT into the home.
I am not thrilled about needing new computers for NT 5.0; however, I now have the knowledge to plan and budget for this move. Thank you for a great article.
--Elly Hoinowski