Now that I have outlined some background and objectives of the COE, it's time to put a plan in motion to set up the SAP-COE. Overall, the difficulty in implementing a COE will probably reside in how committed your organization is to its successful deployment - from a budgetary, resource, and process perspective.
That's why I believe Step 1 - realigning Business and IT - is crucial to success. If you don't do step 1 right, you will be fighting an uphill battle the rest of the way. If realignment meets resistance, or more generally, management is not committed, I would suggest putting together a strong business case, highlighting the benefits and cost justification. Strong project sponsorship is absolutely key.
Just to reiterate, without a SAP COE, you will lack the necessary support ecosystem - including resources, funding funnel, and governance body - and more importantly, the strategy and roadmap that are required to launch and sustain a successful support organization.
Let's explore the 7 steps to build a COE.
7 Steps for Establishing a COE
Step 1: Realign Business & IT After an SAP Implementation
In many companies, business and IT go their separate ways once the implementation project is "complete." This is a mistake. To get enduring results, the Business must drive the ongoing improvements needed for the SAP platform. It is the Business - supported by IT - that needs to identify the process changes, reporting for decision-making and end-user needs on an ongoing basis.
To that end, you need to re-examine the current mix of your post-implementation support team. COEs must include a mix of Process Owners - the "super-users" within the business community - functional application experts, and technical experts for configuration and reporting. In addition, the team needs to include people focused on new initiatives, whether for additional rollouts or new modules, which will be inevitable as business needs change.
Overall, the COE needs to be designed to break down the walls between IT and the business community, and establish a new way to provide sustainable support that remains business focused.
Step 2: Set up Governance
One of the most critical steps for COE set-up is establishing Governance for the support organization. The goal of governance is to provide strategic direction, as well as accountability, for all SAP initiatives. Governance also provides a framework for the Business Units to work collaboratively, and in unison with IT, enabling process standardization and business alignment across the enterprise.
Step 3: Define Functions and Organize the COE
No generic formula exists for the functions and roles that should be encompassed by the COE. At a minimum, you will need to map out the roles and responsibilities of the Executive Steering Team, PMO Group (Program Management), Support Services Team, and the SAP Power Users.
Some of the key roles and functions of the COE:
• Business Support - Business Analysts are part of the teams that form the COE, working together with the Applications teams to support the users
• Project & Implementations - Business Analysts are part of the COE organization, working side-by-side with the Applications teams to roll out new functionality
• Internal Marketing - COE coordinates participation in benchmark studies and other forums, whose results are used to drive the COE image internally
• Coordination of Development Requirements - All Development Requests are coordinated through the COE, as well as all messages to SAP
• Technical Support - Provided in conjunction with SAP Basis and Global IT Operations
• Training - To transfer SAP knowledge to the user base
• Contract Management - Usually provided in conjunction with IT Global Operations
• Support Desk - COE interfaces directly with users and super users to provide SAP support based on agreed-upon service levels, which may vary by functional area and geography
• Information Management - COE is the central contact point for SAP-related information, enhancements and new developments
Step 4: Implement Post Go-Live Process Analysis & Optimization as the Foundation for Continuous Improvement
Reclaim ownership of your SAP business processes. Too often, the "to-be" vision turns out to be a one-time exercise done early in the implementation process and then cast aside post-live. This needs to be revisited, as streamlined business processes are as important in the post-live COE as they were during implementation.
The COE should perform or coordinate a review of what is working and what is not. Typically, the 5 areas that companies should address are:
• Broken or flawed business processes
• Deficient system design and configuration
• Inability or unwillingness to use the system - manual work-arounds present
• Insufficient training
• Data Management issues
Step 5: Mobilize for Post Go-Live Organizational Change
The business should have a regular stream of improvement requests to support operational changes. Inability to deliver these will create frustration and a sense of stalling in the improvement process.
Your COE should provide guidance on how best to manage change within the context of your SAP platform. An effective COE has the appropriate knowledge, skill and time to evaluate alternatives and implications, estimate the level of effort required and provide the necessary testing, training and documentation. Changes must be made in a controlled way to ensure that the live environment is not put at risk - and implemented effectively to exploit the business benefits of the improvements.
And don't forget about the IT organization when addressing change management. The shift of "ownership" to the business has a dramatic impact on the role and function of your IT group.
Step 6: Marketing the COE
One of the most forgotten aspects of setting up a COE is the marketing effort to publicize and promote the services offered. Only after users are aware of the processes and services available can widespread adoption of the COE occur within the organization.
It would be a mistake not to expend the effort to launch an internal marketing campaign. The lifeblood and longevity of the COE depend on the perception and service it provides to its internal customers.
Step 7: Getting Started with Setting Up Your SAP Center of Excellence
Where to begin? Ideally, planning for your COE begins before you go live with your SAP business platform. This way, continuity is ensured and the likelihood of matching your ROI expectations is increased.
If you are in the initial stages, budget for it now - it's a question of pay for it now, or pay for it later - and later has higher costs. If you are in the midst of implementation, raise the flag now and address it. But if you are already live, it's not too late. Take it step-by-step to identify and prioritize the areas to address.
Closing Thoughts
If you are an IT Director or CIO, I hope this two-part series has stimulated the thought process for kick-starting your COE plans.
If you are an end user or power user feeling frustrated by the lack of support, or if you are a support analyst feeling overworked or frustrated by lack of productivity, you need to take action now. You can start by forwarding this blog to your manager and getting his/her thoughts on taking the next step.
Note: Some of the aforementioned steps were developed by my employer, Diagonal Consulting. They have built a methodology, including tools and workshop courses, for implementing a COE. Obviously, this blog has only scratched the surface. If you are interested in obtaining more in-depth information or require assistance on the COE front, I can put you in contact with Diagonal's COE expert.
SAP Center of Excellence
COE Overview
Whether your company is just going live with SAP or has been live for quite some time, it's never too late to put the proper infrastructure in place to effectively support your SAP environment.
One of the biggest hurdles for COE set-up is to get companies (management) to view SAP as a long-term commitment and to manage the SAP platform as a business asset.
Given the lifespan of the SAP business platform (analyst estimates range from 15 - 25 years), and the financial investment made for the software and implementation, it is clear the emphasis of SAP planning needs to shift from "wow, we are live, what do we do now", to crafting a SAP Support strategy, which incorporates a COE.
The next hurdle is to regain the best practices that were most likely employed pre-live. Once you go live, there is no reason to abandon the core success factors that were pertinent to the implementation. For example:
• Aligning business owners with IT
• Identifying value-added and non-value-added processes
• Benchmarking results against initial ROI projections
• Simplifying SAP instances
• Developing infrastructure and enhancement standards and procedures
• Committing to ongoing training and knowledge transfer
• Institutionalizing change management
Lastly, it is important to understand that there is no universally accepted standard for COEs, as they will vary from organization to organization. Accordingly, there is no off-the-shelf solution or silver bullet for implementing a COE within an organization.
Before discussing an approach for implementing a COE - which I will do in Part II - it's important to understand some of the characteristics and objectives of a COE. Based on my experience, many people in IT/SAP Support cannot properly define a COE or describe some of the key components or objectives. So, let's put some context around COEs. Hopefully, these will resonate with your particular situation.
What is a COE and Why do I need it?
First, it's important to understand the purpose of the COE. For many companies, the COE provides business and application expertise to support an organization's global or domestic SAP implementation, by designing new processes, optimizing current ones, managing complex implementation projects, providing user support and training, and keeping the complex SAP system landscape up and running 24/7. In addition, the COE helps optimize the use of all SAP products implemented in a cost-effective manner, contributing to the company's overall success.
Meta Group defines the critical functions as:
• Operational support
• Application management and enhancements
• Infrastructure management
• Change management
Some of the key characteristics of a functional COE:
• Business-led
• IT-supported
• Possibly virtual organization
• Varies according to enterprise size & organization
• Optimization of current system usage (business and IT levels)
It is true that every company will have different objectives or goals in setting up a COE, so it is impossible to capture the entire spectrum of what the COE is meant to accomplish. Having said that, however, I think it would be beneficial to state some of the key functions and benefits of the typical SAP COE. These include:
• A unique platform for creating global SAP solutions
• A standard vehicle for deployment of SAP best practices
• A central point of contact for all SAP related matters
• Development of strong competencies in all SAP areas
• Enhance the value of the SAP Solution - More standardization and better integration
• Improvements in User Productivity
• Reduced Cost of SAP Operations (TCO)
• Improved retention of key SAP personnel
• Improved Service Levels
Recommendation
I mentioned at the beginning of this article that establishing a COE is critical to support success. On the flip side, however, many companies mistakenly believe that having a COE in place will guarantee support success, and enable business value from SAP to be achieved. This philosophy is fundamentally flawed, as COE set-up is only the first step. The support environment must be managed properly and optimized in order for business value to be unlocked downstream.
To that end, establishing a COE should be the first step, but it doesn't have to be perfect on Day 1. I would suggest letting it grow, evolve, and 'morph' in unison with the business objectives. This is a key concept that is often overlooked, as companies are far too rigid in the COE's infancy stage. Overall, flexibility and agility to adapt to changing end user, business, and company requirements is critical for the COE to drive value to the organization, and is paramount for the COE's long-term success.
SAP Test Data Migration Server
Delivering Solutions for Unique Business Needs
SAP® Test Data Migration Server (TDMS) can help you create lean, easy-to-maintain non-production environments with consistent, relevant extracts of business data, minimizing infrastructure and maintenance expenses while maximizing the effectiveness and accuracy of your development, test and training activities. With SAP TDMS you can:
- Reduce infrastructure expenditures by greatly reducing the volume of data in the test environment
- Improve the quality of software developments by improving the quality of test data
- Increase development efficiency by enabling software developers to conduct testing earlier in the process and with consistent, accurate data out of production
- Refresh test data without affecting repository and administrative data
- Refresh data for individual clients in multi-client environments without affecting activities in other clients
- Quickly transfer pre-defined business objects or business process data in specific maintenance situations
- Enable business users to transfer small amounts of data, e.g. selective HR data while scrambling the sensitive data sets
SAP TDMS 4.0
SAP TDMS 4.0 is the forthcoming release of SAP TDMS.
Value Proposition
- Expansion of existing migration requirements across SAP Business Suite components.
- Consistency of business processes across SAP Business Suite components.
- Easy-to-use interfaces for business users.
- Special migration solutions for certain industry solutions.
- Focus on the overall test system landscape creation.
- Closer integration with SAP Solution Manager.
- Easy upgrade from Release 3.0 to Release 4.0.
- Compliance with data privacy laws by providing a one-stop Scrambling workbench.
More Information
For more information about the new features available with SAP TDMS 4.0, see SAP Test Data Migration Server 4.0 Release Notes Overview .
For more information about SAP TDMS 4.0, see the Help Portal .
Network Infrastructure
Overview
Developed from the start as a network operating system, Microsoft Windows 2000 Server continues to improve its presence on networks and the Internet. Microsoft is following the worldwide trend of using the Internet for as much as possible.
Windows 2000 Server will help companies make better use of their Internet connections. By providing support for additional standardized features of TCP/IP, Microsoft has improved the performance of its premier network operating system both for communications with other Windows systems and with UNIX systems. Technologies such as virtual private networks (VPNs) will allow organizations to reduce costs without sacrificing security. The routing features built in to Windows 2000 servers allow those servers to act as routers, with graphical user interfaces far superior to those of hardware-based routers. The new Quality of Service (QoS) standards allow more consistent and reliable networking, especially when using real-time audio and video.
Support for Standards
With the first releases of the LAN Manager and Windows NT operating systems, Microsoft made an effort not only to support Internet standards but also to create its own protocols where standards did not meet the needs of its customers. NetBIOS Enhanced User Interface (NetBEUI), the networking foundation of the first versions of Windows NT, was proprietary in nature and the details of the protocol were well hidden. TCP/IP, on the contrary, is based entirely on committee-created, completely documented standards. TCP/IP is the standard of the Internet and the future of networking, and Windows 2000 is well designed to leverage these standards.
Microsoft is not simply following open standards; it is leading the development. For example, Microsoft has been working with Cisco, Ascend, IBM, and 3Com to create the Layer 2 Tunneling Protocol (L2TP) standards. Microsoft's active involvement in standards committees ensures that Windows will take advantage of these technologies just as soon as they are finalized—and sometimes before!
TCP/IP Improvements
While the core of TCP/IP (Transmission Control Protocol/Internet Protocol) has been a standard for many years, not all TCP/IP implementations are alike. Many aspects of TCP/IP are considered optional, and software developers tend to add only those features they feel will benefit their customers. Microsoft has improved the TCP/IP stack included in Windows 2000 by adding optional, standardized features not found in previous versions of Windows. The end result is that users will enjoy improved network performance on both local area networks (LANs) and wide area networks (WANs).
Security-minded administrators will appreciate the new support for robust packet filtering. Windows 2000 can now filter packets based on TCP port, UDP port, IP protocol ID, ICMP type, ICMP code, source address, and destination address. An example of packet filtering is shown in Figure 6-1. With these filtering capabilities, you can control which networks are allowed to download mail from your Post Office Protocol (POP) server. This control would allow you to guarantee that only users on the local network can even attempt to establish network connections.
Filter lists make it easier to manage multiple filtering policies. Figure 6-2 shows how several lists can be used to provide separate policies for internal and external networks. You can create separate filters for each subnet in your network, if you so desire.
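The following is an added example, not part of the original chapter: a small evaluator that models a filter as the seven match fields the text lists (TCP port, UDP port, IP protocol ID, ICMP type, ICMP code, source address, destination address), groups filters into named lists for the internal and external networks, and checks sample packets against them. The addresses, the POP server, the policy, and the first-matching-list evaluation order are all constructed for illustration; they are not a description of how the Windows 2000 utility orders its lists.

```python
"""Evaluate constructed packets against filter lists built from the seven
match fields described in the chapter. Added example; not Windows 2000 code."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
POP3_PORT = 110


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                       # IP protocol ID
    dport: Optional[int] = None      # TCP/UDP destination port
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


@dataclass(frozen=True)
class Filter:
    """A None field matches anything; every set field must match."""
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    proto: Optional[int] = None
    tcp_port: Optional[int] = None
    udp_port: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.src_net and ip_address(p.src) not in ip_network(self.src_net):
            return False
        if self.dst_net and ip_address(p.dst) not in ip_network(self.dst_net):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        # A port or ICMP field only matches packets of the matching protocol.
        if self.tcp_port is not None and not (p.proto == PROTO_TCP and p.dport == self.tcp_port):
            return False
        if self.udp_port is not None and not (p.proto == PROTO_UDP and p.dport == self.udp_port):
            return False
        if self.icmp_type is not None and not (p.proto == PROTO_ICMP and p.icmp_type == self.icmp_type):
            return False
        if self.icmp_code is not None and not (p.proto == PROTO_ICMP and p.icmp_code == self.icmp_code):
            return False
        return True


@dataclass
class FilterList:
    name: str
    action: str                      # "permit" or "block"
    filters: list = field(default_factory=list)


def evaluate(policy, packet, default="block"):
    """Return (action, list_name) for the first list containing a matching filter."""
    for fl in policy:
        if any(f.matches(packet) for f in fl.filters):
            return fl.action, fl.name
    return default, "default"


# Constructed policy (assumption): the local LAN may fetch mail from the POP
# server and ping it; anything else aimed at the server is blocked, so an
# outside host cannot even attempt a TCP connection.
POP_SERVER = "192.0.2.10"
POLICY = [
    FilterList("internal", "permit", [
        Filter(src_net="192.0.2.0/24", dst_net=POP_SERVER + "/32", tcp_port=POP3_PORT),
        Filter(src_net="192.0.2.0/24", dst_net=POP_SERVER + "/32",
               proto=PROTO_ICMP, icmp_type=8, icmp_code=0),
    ]),
    FilterList("external", "block", [
        Filter(dst_net=POP_SERVER + "/32"),
    ]),
]


def check(src, dst, proto, dport=None, icmp_type=None, icmp_code=None):
    """Convenience wrapper: build a Packet and evaluate it against POLICY."""
    return evaluate(POLICY, Packet(src, dst, proto, dport, icmp_type, icmp_code))


if __name__ == "__main__":
    print(check("192.0.2.55", POP_SERVER, PROTO_TCP, POP3_PORT))    # ('permit', 'internal')
    print(check("198.51.100.7", POP_SERVER, PROTO_TCP, POP3_PORT))  # ('block', 'external')
    print(check("192.0.2.55", POP_SERVER, PROTO_UDP, POP3_PORT))    # ('block', 'external')
```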
Windows 2000 now includes support for RFCs 1122, 1123, 1323, and Selective Acknowledgements. RFCs 1122 and 1123 were written in 1989 and summarize mandatory and optional features of TCP/IP stacks—support for these documents means better compatibility with other operating systems. RFC 1323 provides extensions to TCP that allow for better performance over high-bandwidth and high-delay networks, such as satellite links. Selective Acknowledgements improve performance when used with large TCP window sizes, by allowing only lost packets to be resent; packets that were already received are not retransmitted. For more information on Selective Acknowledgements, refer to RFC 2018.
Figure 6-1: Windows 2000 allows packet filtering based on IP address and port number.
Figure 6-2: Multiple filters can be grouped together and managed as policies.
Windows 2000 Server continues Microsoft's support of the Winsock 2.0 interface. Winsock provides an API for Internet applications and automatically handles tasks such as name resolution, QoS, establishing outgoing connections, and listening for incoming connections. Winsock 2.0 allows applications to specify QoS requirements, regardless of the underlying QoS mechanism in use.
Virtual Private Networks (VPNs)
A VPN allows data to travel securely across an untrusted network. In the Internet age, this means that companies that formerly required leased lines to ensure security can now leverage the public Internet for private communications. It also means that corporate users who travel can connect to a local Internet service provider (ISP) and communicate securely with the corporate network, without dialing in to a private bank of modems. See Figure 6-3 for an illustration of a VPN across the public Internet.
Figure 6-3: A virtual private network carries data securely across a public network.
The primary advantages of VPNs are reduced costs and improved privacy. Companies can reduce costs by maintaining only a single WAN connection for each remote office—a connection to an ISP. The ISP forwards the traffic across the public Internet, in much the same way that frame relay providers have operated for many years, except at a greatly reduced cost. The VPN technologies included in Windows 2000 ensure that this data cannot be read or modified on its journey to the destination network.
While different VPN technologies vary in their specifics, they have many things in common. All VPNs transport data through a tunnel, as illustrated in Figure 6-4. The tunnel is created between two tunnel endpoints, which agree upon a set of protocols for the tunnel before any payload is transmitted. As data is sent through the tunnel, the frame or packet is encapsulated within another packet. Once the data reaches the opposite endpoint, the data is unencapsulated and processed as if it had been sent from a system on the same LAN.
Figure 6-4: Tunnels encapsulate data within IP packets.
Windows 2000 includes three technologies for creating virtual private networks. PPTP, the Point-to-Point Tunneling Protocol, is a familiar technology to those who have worked with Windows in the past. L2TP provides similar functionality but has the benefit of support from a variety of vendors. Internet Protocol security (IPSec) represents the future of tunneling. Though IPSec is still under development, Windows 2000 provides support for much of the published functionality.
Point-to-Point Tunneling Protocol (PPTP)
PPTP is a multiprotocol tunneling technology developed by Microsoft for Windows NT 4.0. It is based on the well-established Point-to-Point Protocol (PPP), which is used for the vast majority of dial-up connections. While PPP allows two computers to communicate over a single link, PPTP allows a virtual link to be created that can traverse public or private networks. PPTP was quick to develop because it borrows the authentication and handshaking mechanisms from PPP.
While only Windows NT 4.0 Server or Windows 2000 Server can act as the server end of a PPTP connection, any member of the Windows family can be a client. This allows traveling users to dial in to an ISP with a Windows 98 laptop and initiate a private connection across the Internet to the corporate server. This will work properly regardless of the protocol in use at the corporate network; the traveler can dial in to an ISP and connect to a NetWare server located on a private network, using only IPX/SPX.
Layer 2 Tunneling Protocol (L2TP)
L2TP, seen as an evolution of PPTP, is a multiprotocol tunneling technology developed by Microsoft, Cisco, Ascend, IBM, and 3Com. L2TP meets many of the same goals as PPTP and borrows heavily from Cisco's Layer-2 Forwarding (L2F).
One of the interesting features of L2TP is MPPP, or Multilink Point-to-Point Protocol. This differs from the MPPP technology built in to Windows NT 4.0. The MPPP built in to Windows NT 4.0 could be used only to connect to a dial-up server that specifically supported this technology. Unfortunately, the technology was not widely supported where it was needed most—by the ISPs. L2TP's MPPP technology allows a Windows 2000 system to dial in to two entirely separate ISP connections. Data can be transmitted through both of these links to a Windows 2000 server using L2TP MPPP, where the server will reassemble the traffic and transmit it onto the Internet or a private network. In this way, Windows 2000 Server and the L2TP MPPP allow multiple analog links to be combined for greater data throughput. This process is illustrated in Figure 6-5.
Figure 6-5: L2TP allows multiple links to be aggregated.
L2TP offers other advantages over PPTP. L2TP can be used over a variety of Internet connections, including frame relay, X.25, and Asynchronous Transfer Mode (ATM). L2TP allows multiple tunnels to be created, each with a different QoS. Header compression in L2TP reduces the header to 4 bytes, compared to the 6 bytes PPTP uses.
Both L2TP and PPTP are configured and managed in Windows 2000 using the Routing And Remote Access service. Figure 6-6 shows a screen shot of the management utility.
Figure 6-6: The Routing And Remote Access service is used to configure L2TP and PPTP.
Windows Internet Protocol Security (IPSec)
One of the new standards that the Internet Engineering Task Force (IETF) has been working on is IPSec. The goal of the IPSec working group is to allow private and secure communications across the public Internet, regardless of the application or higher-level protocol being used. PPTP, L2TP, and several other technologies also accomplish these goals, but IPSec has one distinct advantage—it is an Internet standard. This single factor will allow IPSec to become one of the primary protocols used in VPNs in the years to come.
Microsoft, in a continuing effort to support international standards, has provided an implementation of IPSec in Windows 2000. When used with Windows 2000, IPSec provides transparent authentication of clients and servers, confidentiality of data transmitted across a network, and the flexibility to work with any IP-based application.
Encapsulating Security Payload (ESP) is IPSec's standard for encryption and validation. ESP operates at either the network layer or the transport layer of the Open Systems Interconnection (OSI) model, and therefore can encrypt data created by any higher-layer protocols. For example, a Telnet session could be tunneled within ESP, and all data transmitted during that Telnet session would be immune to eavesdropping. When ESP is used at the transport layer, an ESP header is inserted between the IP header and the TCP header. The TCP header information and all data contained within the packet are encrypted.
ESP can also be used at the network layer to provide VPN functionality and privacy. When ESP is used at the network layer, the exact IP address of the packets can be obscured. In this way, data can travel between remote networks, but the IP addresses within the networks will not be revealed to anyone watching the traffic.
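As an added illustration of the two placements just described (not code from the chapter or from Windows 2000), the following builds minimal IPv4 + ESP packet layouts with the Python standard library and then parses back only what stays in cleartext on the wire. Encryption itself is out of scope: the protected portion is replaced by a constructed placeholder blob, and all addresses, the SPI and the TCP segment are constructed for illustration.

```python
"""ESP header placement in transport mode (IP | ESP | [TCP]) versus tunnel mode
(outer IP | ESP | [inner IP | TCP]), and what a passive observer can read.
Added example; encryption is represented by a placeholder, not implemented."""
import struct
from ipaddress import IPv4Address

IPPROTO_ESP, IPPROTO_TCP = 50, 6
IPV4_FMT = "!BBHHHBBH4s4s"          # 20-byte header without options


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal IPv4 header; checksum left at zero since only the layout matters here."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def esp_header(spi: int, seq: int) -> bytes:
    """ESP header: 32-bit SPI followed by the 32-bit sequence number (anti-replay)."""
    return struct.pack("!II", spi, seq)


def protected(plaintext: bytes) -> bytes:
    """Stand-in for the encrypted payload and trailer; same length as the input."""
    return b"\x00" * len(plaintext)


def transport_mode(src, dst, tcp_segment, spi, seq) -> bytes:
    """IP | ESP | [TCP header + data]: ESP sits between the IP and TCP headers."""
    body = esp_header(spi, seq) + protected(tcp_segment)
    return ipv4_header(src, dst, IPPROTO_ESP, len(body)) + body


def tunnel_mode(gw_src, gw_dst, inner_src, inner_dst, tcp_segment, spi, seq) -> bytes:
    """outer IP | ESP | [inner IP | TCP header + data]: the inner addresses are protected too."""
    inner = ipv4_header(inner_src, inner_dst, IPPROTO_TCP, len(tcp_segment)) + tcp_segment
    body = esp_header(spi, seq) + protected(inner)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(body)) + body


def observe(packet: bytes) -> dict:
    """Everything someone watching the wire can read: outer addresses, protocol,
    SPI, sequence number, and the length of the opaque remainder."""
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, packet[:20])
    if ver_ihl != 0x45 or proto != IPPROTO_ESP:
        raise ValueError("not a plain IPv4 packet carrying ESP")
    spi, seq = struct.unpack("!II", packet[20:28])
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "proto": proto, "spi": spi, "seq": seq, "opaque_len": total - 28}


def address_visible(packet: bytes, addr: str) -> bool:
    """True if the dotted address appears anywhere in cleartext in the packet."""
    return IPv4Address(addr).packed in packet


# Constructed sample: a fake TCP header fragment plus data standing in for a Telnet session.
SEGMENT = b"\x04\x01\x00\x17" + b"telnet data"

if __name__ == "__main__":
    t = transport_mode("10.1.0.5", "10.2.0.9", SEGMENT, 0x1234, 1)
    u = tunnel_mode("203.0.113.1", "198.51.100.1", "10.1.0.5", "10.2.0.9", SEGMENT, 0x1234, 1)
    print("transport:", observe(t), address_visible(t, "10.1.0.5"))   # host address visible
    print("tunnel:   ", observe(u), address_visible(u, "10.1.0.5"))   # only gateways visible
```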
The encryption ensures that the traffic cannot be monitored and used maliciously. Further, ESP provides protection from replay attacks by providing a sequencing number within the header. A replay attack is a scenario wherein an unauthorized user retransmits packets that had been intercepted. Windows Internet Protocol security leverages the Internet Security Association and Key Management Protocol (ISAKMP) using the Oakley key determination protocol to identify each packet uniquely and ensure that it can never be reused. Figure 6-7 shows an event log entry generated by an error associated with ISAKMP/Oakley.
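The replay check the paragraph describes can be made concrete with the sliding-window algorithm IPsec receivers apply to the ESP sequence number. This is an added example, not code from the chapter or from Windows 2000; the window size and the sample sequence numbers are constructed for illustration.

```python
"""Sliding-window anti-replay check keyed on the ESP sequence number.
Added example. A sequence number is accepted once; a retransmitted copy of an
intercepted packet, or a packet older than the window, is rejected."""


class AntiReplayWindow:
    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (top - i) has been received

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window, else False."""
        if seq == 0:
            return False    # ESP never uses sequence number 0
        if seq > self.top:
            # Advance the window; numbers that fall off the left edge are forgotten.
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False    # too old: left of the window
        if self.bitmap & (1 << offset):
            return False    # replay: this number was already accepted
        self.bitmap |= 1 << offset
        return True


def process(seqs, size: int = 64):
    """Feed received sequence numbers through one window; return (accepted, rejected)."""
    w = AntiReplayWindow(size)
    accepted, rejected = [], []
    for s in seqs:
        (accepted if w.check_and_update(s) else rejected).append(s)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed stream with two replayed packets and three that arrive too late.
    print(process([1, 2, 3, 2, 5, 4, 3, 20, 13, 12, 11, 5], size=8))
```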
Figure 6-7: IPSec uses ISAKMP with the Oakley key determination protocol.
The other significant standard being designed by the IPSec working group is the IP Authentication Header, or simply AH. AH allows the client and server to validate each other before they begin to exchange data, limiting the opportunity for a malicious third party to impersonate either end of the connection. AH and ESP together provide authentication and encryption of IP traffic.
The IETF provided a framework for data encryption and session authentication using the ESP and AH standards. It did not provide standards for the actual mechanisms used to encrypt the data or to authenticate the hosts. Fortunately, Microsoft has built a strong authentication mechanism into Windows 2000 Server—client and server certificates. The encryption is provided by mixing public key and secret key cryptography. By leveraging existing components of Windows 2000 Server, Microsoft has provided an easy-to-use and powerful method of network security.
Note: Figure 6-8 shows how administrators can configure custom IPSec security policies using the IP Security Policies MMC snap-in. IPSec itself protects only IP packets; if protocols other than IP must be tunneled, IPSec can be combined with L2TP, which carries them inside PPP frames over UDP/IP. For more information on IPSec standards, please visit the IETF's Web site at http://www.ietf.org/ids.by.wg/ipsec.html.
Figure 6-8: Set custom IPSec policies with the IP Security Policies MMC snap-in.
Network Driver Interface Specification (NDIS)
NDIS is a layer of abstraction that exists between the network protocol driver (at the network layer of the OSI model) and the network card driver (at the data link layer of the OSI model). Among other features, it allows multiple network cards to work with a single network protocol and multiple protocols to share one card. NDIS is a published specification, originally developed by Microsoft and 3Com, and supporting it allows network card vendors to ensure that their driver will be compatible with Windows.
Both Windows 98 and Windows 2000 provide native support for NDIS 5.0. This is an upgrade from Windows NT 4.0 and Windows 95 (OSR2), which shipped with NDIS 4.0 support. NDIS 5.0 adds several features that were absent in NDIS 4.0:
- Advanced network power management and network wake-up capabilities.
- Plug and Play support for network drivers.
- Improved performance.
- Improved support for ATM and QoS.
- Lower total cost of ownership (TCO).
Routing
Microsoft has built routing functionality into its server operating systems since Windows NT 3.51 was released. However, the multiprotocol router (MPR) built in to Windows NT 3.51 and Windows NT 4.0 was limited in functionality and found very little use on production networks. Microsoft recognized the need for a flexible, extensible routing technology and began developing a replacement for the built-in routing in Windows NT 4.0. Windows 2000 Server continues to build on Windows NT's routing capabilities with the new Routing And Remote Access service.
With the routing functionality built in to Windows 2000 Server, Microsoft allows organizations to build entire network infrastructures based strictly on Microsoft products. By integrating routing features into the operating system, small companies benefit by not having to purchase expensive routing hardware to segment networks. Large companies benefit by being able to administer their routers using Windows 2000's graphical user interface (GUI), a major improvement over most routers' text-based interfaces. Bear in mind that a server that routes is exposed to every segment it joins: it needs the same hardening, patching and access restrictions as a dedicated router, and routing should stay disabled on servers that do not need it.
Network Address Translation (NAT)
Network address translation, or NAT, is the process of transparently rewriting the addresses in packets as they pass between an internal and an external network, so that many internal hosts can share one public address. With the NAT functionality built in to Windows 2000 Server, a single dial-up connection can be used to give an entire network access to the Internet without making a single change to the clients. Until now, administrators had to make use of application- or session-layer proxies, both of which require modifications to the client and support a limited number of applications.
For NAT to work properly, clients on the internal network must be using private IP addresses, meaning the RFC 1918 ranges 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The clients must have the NAT server configured as their default gateway. The NAT server will act as a router to the clients, forwarding packets from the internal network to the external network. However, NAT does more than a traditional router: it not only forwards the packets, it replaces the private source IP address (and, where several clients share one public address, the source port) with a valid public address and port, recomputing the IP and TCP/UDP checksums. NAT records each translation so that when a reply arrives it can return the response to the client that initiated the connection.
Beyond providing outside access to clients within a private network, the NAT service included with Windows 2000 Server can also map a public port to an internal server, a form of reverse proxying. This allows administrators to publish Web and e-mail services without placing the servers on a public network, though a mapped port is then reachable from the whole Internet and the internal server must be hardened accordingly. NAT can also be configured to use a range of public IP addresses, assign clients private IP addresses using Dynamic Host Configuration Protocol (DHCP), and act as a proxy for DNS (Domain Name System) requests to the outside world. All of these features combined allow administrators to easily provide a private network access to the public Internet or any other network. Two limits are worth knowing: NAT is not a firewall, since it drops only unsolicited inbound packets that match no mapping, and because it rewrites IP headers it breaks IPSec AH, and ESP as well unless the IPSec peers support UDP encapsulation of ESP.
NAT is configured using the Routing And Remote Access MMC snap-in. It is treated as a routing protocol, though it is not a true routing protocol. Enabling NAT can be as simple as adding the protocol and selecting the proper radio button, as shown in Figure 6-9.
Figure 6-9: The Routing And Remote Access MMC snap-in makes configuring network address translation simple.
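The translation step described above, as an added example that is not part of the article and does not reproduce the Windows 2000 NAT code: a port-based NAT table that rewrites outbound source addresses, returns replies to the internal client that opened the connection, drops inbound packets that match no mapping, and supports the static inbound mappings used to publish an internal server. Addresses are taken from the documentation ranges (192.168.0.0/16 inside, 198.51.100.0/24 and 203.0.113.0/24 outside) and the packets are constructed; checksum rewriting, fragments and the timeouts that age mappings out are assumed away.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 private ranges: the only source addresses the NAT will translate
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound_map = {}   # (proto, private src, sport, dst, dport) -> public port
        self.inbound_map = {}    # (proto, public port, remote ip, remote port) -> (private src, sport)
        self.static_map = {}     # (proto, public port) -> (private ip, private port)

    def add_static(self, proto, public_port, private_ip, private_port):
        """Publish an internal server: every outside host may reach this public port."""
        self.static_map[(proto, public_port)] = (private_ip, private_port)

    def outbound(self, pkt):
        """Internal -> external: replace the private source with the public address and a unique port."""
        if not any(ipaddress.ip_address(pkt.src) in net for net in PRIVATE_NETS):
            raise ValueError(f"{pkt.src} is not a private address; refusing to translate")
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.outbound_map:
            port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = port
            # The reverse entry is keyed on the remote endpoint too, so only the host
            # the client talked to can send packets back through this mapping.
            self.inbound_map[(pkt.proto, port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.public_ip, self.outbound_map[key], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """External -> internal: deliver replies and static mappings, drop everything else."""
        if pkt.dst != self.public_ip:
            return None
        hit = self.inbound_map.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if hit is None:
            hit = self.static_map.get((pkt.proto, pkt.dport))
        if hit is None:
            return None   # unsolicited: no client asked for this, so it is dropped
        private_ip, private_port = hit
        return Packet(pkt.proto, pkt.src, pkt.sport, private_ip, private_port)
```

The reverse lookup includes the remote address and port, so a third host cannot reach an internal client simply by guessing the public port of an active session; the static mapping, by contrast, answers to anyone, which is exactly why a published server needs its own hardening.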
Static Routing
Routers forward traffic one hop at a time. For a router to correctly forward traffic in networks where multiple paths exist, the router must be configured to know where the next hop is for any given destination network. Routing protocols allow routers to automatically learn their way around a network, but routing protocols require administrative overhead and may not be worthwhile in small networks and networks that do not require dynamic redundancy. If an administrator wants to manually configure each router in a network with a list of paths to different destination networks, he or she can do so using static routing.
Static routing is useful in small networks and extremely stable networks. Static routes can be configured on a Windows 2000 Server using the ROUTE command-line tool (ROUTE ADD with the -p switch makes a route persist across reboots) or the Routing And Remote Access GUI, as shown in Figure 6-10. For those familiar with the command-line interface included in previous versions of Windows, this graphical interface is a great improvement. Because static routes never change on their own, a forgotten route that still points at a decommissioned gateway will silently blackhole or misdirect traffic, so they should be reviewed whenever the topology changes.
Figure 6-10: Windows 2000 allows static routes to be configured within the Routing And Remote Access MMC snap-in.
Routing Protocols
In many small networks, all network segments connect to a single router. This router knows where to forward packets because it has a direct connection to every network segment. In this situation, only a very simple router is required. However, larger networks require multiple routers. This presents a bit of a challenge—how will the routers know where to forward packets that are not destined for directly attached networks? Consider Figure 6-11, which shows a network with two routers. Router A is directly connected to Networks W and X, and therefore knows how to forward packets from Network W destined for Network X. However, how will it know where to forward packets for Network Y or Network Z?
Figure 6-11: Routing protocols are required so that routers will be aware of remote networks.
There are two correct answers to the question: either the network administrator can implement static routes, or a routing protocol can be used. A routing protocol enables Router B to tell Router A that it has a direct connection to Network Y and Network Z. That way, when Router A receives packets destined for Network Z, Router A will know to forward the packets directly to Router B for delivery.
For routers to exchange information about networks, they must use the same routing protocol. Routing protocols each have specific advantages and disadvantages. Windows 2000 Server includes support for a variety of routing protocols and provides an open API for the development of additional routing protocols. Using this open API, Microsoft or third-party vendors can write code that allows Windows 2000 servers to communicate with other routers on the network, whatever routing protocol those routers speak.
The following section describes the routing protocols included with Windows 2000 Server: Routing Information Protocol (RIP) and Open Shortest Path First (OSPF).
RIP version 1, RIP version 2, and RIP for IPX
RIP (Routing Information Protocol) has been in use since 1982 and is still commonly used today. RIP is a member of the distance-vector routing protocol family: each router advertises the networks it can reach and its distance to them in hops, and its neighbors add one hop and pass the information on. A hop count of 16 means unreachable, which limits a RIP network to 15 hops in diameter. Distance-vector routing protocols learn a limited amount of information about the surrounding network and tend to suffer from problems such as routing loops. RIP version 1 is defined in RFC 1058; RIP version 2 in RFC 1723.
While RIP is considered to be an outdated routing protocol, it is simple to configure and is widely supported by routing software. Many people still use RIP for backward compatibility with older routers. Indeed, RIP was the only dynamic routing protocol supported by Windows NT 3.51.
You should use RIP only if you have to. If your organization requires the use of RIP as the routing protocol, RIP version 2 is the better choice. RIP version 2 has several advantages over RIP version 1. The newer version carries a subnet mask with every route, so classless networks can be used; RIP version 1 carries no masks and assumes the standard Class A, Class B, or Class C boundaries. Both versions still send their whole routing table every 30 seconds, but RIP version 2 sends its updates to the multicast address 224.0.0.9 rather than to the broadcast address, so hosts that are not RIP routers do not have to process them. Finally, RIP version 1 was susceptible to attacks because it lacked any method to authenticate other routers; RIP version 2 adds simple password authentication (RFC 1723), which Windows 2000 supports. The password travels in clear text in every update, so it stops accidental peering with a misconfigured router but does nothing against an attacker who can sniff the segment and then inject forged routes. Treat RIP updates from untrusted segments accordingly: the RIP properties in Routing And Remote Access let you restrict which routers' announcements are processed and which route ranges are accepted.
RIP for IPX is a variant of the RIP standard, modified to work with Novell's native network protocol. It is the only routing protocol Windows 2000 Server supports that is compatible with IPX.
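As an added example (not code from the article or from the Windows 2000 RIP implementation), the exchange from Figure 6-11 in RIPv2 wire format: Router B builds a RIP response advertising Networks Y and Z with RFC 1723 simple-password authentication, Router A parses it, checks the password, installs the routes with the hop count incremented (16 meaning unreachable), and resolves a destination by longest-prefix match. The router names, the networks (10.x.0.0/16) and the password are constructed; the last function shows what a sniffer on the segment learns from the "authentication".

```python
import ipaddress
import struct

RIP_RESPONSE, RIP_VERSION, AUTH_SIMPLE_PASSWORD = 2, 2, 2
INFINITY = 16            # RIP metric meaning "unreachable", which caps networks at 15 hops
ENTRY_LEN = 20           # every RIPv2 entry, including the authentication entry, is 20 bytes


def build_ripv2_response(password, routes):
    """routes: list of (network, metric). The first entry carries the clear-text password."""
    pkt = struct.pack("!BBH", RIP_RESPONSE, RIP_VERSION, 0)
    pkt += struct.pack("!HH16s", 0xFFFF, AUTH_SIMPLE_PASSWORD, password.encode().ljust(16, b"\0"))
    for net, metric in routes:
        n = ipaddress.ip_network(net)
        # address family 2 (IP), route tag 0, network, subnet mask (RIPv2 only), next hop 0 (= sender), metric
        pkt += struct.pack("!HH4s4s4sI", 2, 0, n.network_address.packed, n.netmask.packed, b"\0" * 4, metric)
    return pkt


def parse_ripv2_response(pkt):
    """Return (password or None, [(network, metric), ...])."""
    command, version, _ = struct.unpack("!BBH", pkt[:4])
    if command != RIP_RESPONSE or version != RIP_VERSION:
        raise ValueError("not a RIPv2 response")
    password, routes = None, []
    for off in range(4, len(pkt) - ENTRY_LEN + 1, ENTRY_LEN):
        entry = pkt[off:off + ENTRY_LEN]
        if struct.unpack("!H", entry[:2])[0] == 0xFFFF:
            auth_type, raw = struct.unpack("!H16s", entry[2:])
            if auth_type == AUTH_SIMPLE_PASSWORD:
                password = raw.rstrip(b"\0").decode()
        else:
            _, _, addr, mask, _, metric = struct.unpack("!HH4s4s4sI", entry)
            network = ipaddress.ip_network(f"{ipaddress.IPv4Address(addr)}/{ipaddress.IPv4Address(mask)}")
            routes.append((network, metric))
    return password, routes


class Router:
    def __init__(self, name, password, connected):
        self.name, self.password = name, password
        # network -> (metric, next hop); directly connected networks cost 0
        self.table = {ipaddress.ip_network(n): (0, "direct") for n in connected}

    def process_update(self, pkt, neighbor):
        password, routes = parse_ripv2_response(pkt)
        if password != self.password:
            return "rejected: bad password"
        for network, metric in routes:
            metric = min(metric + 1, INFINITY)          # one more hop to reach it via this neighbor
            current = self.table.get(network)
            via_neighbor = current is not None and current[1] == neighbor
            if metric < INFINITY and (current is None or metric < current[0] or via_neighbor):
                self.table[network] = (metric, neighbor)
            elif metric >= INFINITY and via_neighbor:
                del self.table[network]                  # the neighbor withdrew the route
        return "accepted"

    def lookup(self, destination):
        addr = ipaddress.ip_address(destination)
        matches = [n for n in self.table if addr in n]
        return max(matches, key=lambda n: n.prefixlen) if matches else None  # longest prefix wins

    def route_to(self, destination):
        """(network, metric, next hop) for a destination, or None if it is unroutable."""
        network = self.lookup(destination)
        return None if network is None else (str(network), *self.table[network])


def password_seen_on_wire(pkt):
    """What a sniffer on the segment learns: the RIPv2 'authentication' is just the password itself."""
    return parse_ripv2_response(pkt)[0]
```

Note that nothing in the update binds the password to the routes: anyone who has seen one update can build their own with the same 16 bytes and advertise Network Z at metric 1, and Router A will accept it.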
OSPF
OSPF (Open Shortest Path First) is a robust protocol, well suited to medium-to-large networks. It is a member of the link-state routing protocol family, a family characterized by complete knowledge of surrounding networks and sophisticated router-to-router communications. While distance-vector routing protocols such as RIP typically communicate only with directly neighboring routers, OSPF routers flood descriptions of their links to every other router in their area. This allows each router to build a map of the network and compute paths itself, providing for more intelligent path choices when traffic must be redirected around a failed router or network.
OSPF version 2 is an Internet standard originally defined by RFC 1583; the current specification is RFC 2328, which supersedes it.
Internet Group Management Protocol (IGMP)
Windows 2000 Server supports version 2 of IGMP, defined in RFC 2236 (version 1 and IP multicasting itself are defined in RFC 1112). IP multicasting is the delivery of a single packet to multiple hosts; IGMP is the protocol hosts use to tell the routers on their segment which multicast groups they want to receive, which shifts part of the responsibility for identifying those hosts from the server to the network. Using multicast, a server can transmit a real-time data stream, such as a video presentation, to any number of subscribers on the network while transmitting only a single copy of the data. While multicast is gaining wider acceptance, across the Internet it is still usable only on the part called the multicast backbone (MBONE), the portion of the Internet that is multicast compatible.
Multicasting is similar to broadcasting because both multicast and broadcast packets can be received by multiple hosts. However, broadcast packets interrupt every system on the network, while multicast packets only interrupt those systems that listen for specific multicast IP addresses. Further, broadcasts are generally limited to a single network segment. When used with IGMP, multicast packets can traverse large, routed networks. Multicast packets make use of a special range of IP addresses called Class D addresses, which have a first octet between 224 and 239 (224.0.0.0/4).
Windows 2000 Server includes an IGMP router and an IGMP proxy. Using these two services, a Windows 2000 Server connected to the MBONE can receive and forward multicast packets on behalf of an intranet. Do not confuse the IGMP router capability with a multicast routing protocol: Windows 2000 Server tracks group membership on its own interfaces but does not exchange multicast routes with other routers, so it cannot act as a multicast router in multirouter environments. IGMP router and proxy settings can be configured from within the Routing And Remote Access snap-in by opening the IGMP Properties dialog box, shown in Figure 6-12.
Figure 6-12: Enabling IGMP is done from the Routing And Remote Access MMC snap-in.
DHCP (Dynamic Host Configuration Protocol) Relay Agent
Windows 2000 Server continues to provide DHCP relay agent functionality. Using the DHCP relay agent, administrators can have all hosts on multiple network segments retrieve their IP address information from a single DHCP server.
Upon startup, a DHCP client transmits a broadcast query requesting an IP address to be used. If a DHCP server is on the same network segment, it will respond with an IP address and any additional information the administrator has configured. However, broadcast queries do not normally pass through routers, so Microsoft provides the DHCP relay agent. By placing a computer with the DHCP relay agent installed on every network segment in a network, DHCP clients do not need to be on the same network segment as the DHCP server. The DHCP relay agent listens for DHCP broadcasts, writes its own interface address into the request's gateway address (giaddr) field, and forwards the request as a unicast packet to the configured DHCP server, which uses that field to choose the right scope and sends the reply back through the relay.
To configure the DHCP relay agent in Windows 2000 Server, add the service as a routing protocol using the Routing And Remote Access interface.
Quality of Service (QoS)
If you have ever experienced choppy audio and video across a network, you will appreciate QoS. Windows 2000 uses QoS to prioritize network traffic and make the most efficient use of bandwidth. Further, the QoS features built in to Windows 2000 allow it to request and reserve bandwidth from network hardware.
Real-time applications will see the greatest benefit from the use of QoS. Audio and video streams do not have the opportunity to retransmit packets that are dropped, and they deserve a higher priority than a file transfer that occurs in the background and is not time-sensitive. Applications written specifically to take advantage of the QoS API can benefit by specifying requirements on a per-session basis. For example, Microsoft Windows 2000 Server Media Services can request from the network a specific amount of bandwidth for a given data stream.
Administrators can use the QoS features built in to Windows 2000 Server to give specific users priority on the network, prioritize different types of traffic, guarantee that specific applications receive a dedicated amount of bandwidth, and prevent traffic that does not back off under congestion (UDP streams, for example, which have no flow control of their own) from stealing too many resources. QoS is a complex topic. To work correctly, every piece of equipment on a network must support the same QoS standards. Windows 2000 adds QoS support, but that is only a small part of what is required. Even if the switches and routers on your corporate network support QoS, that will not be sufficient to use QoS across the Internet: your ISP and all ISPs between you and the destination computer must support the standards. Even if this is not the case currently, you can still benefit from using QoS on the parts of the network you control.
To understand QoS, it is important to understand latency and jitter. Latency is a measure of delay on a network. Routers are the biggest cause of latency—each router takes a small amount of time to process a packet and forward it to the next network. While an individual router might not add an appreciable amount of latency, the combined latency of all the routers between a client and a server can be significant. In general, the busier a router is, the more latency it adds. Latency is not a problem for real-time audio and video presentations if they are one-way communications (each packet is delayed the same amount and received in appropriate intervals). However, latency presents a serious problem if the communication is two-way, as is the case with Internet telephony and video conferencing. Video conferencing across a high-latency network leads to unnatural pauses that can be frustrating to the participants.
Jitter is the measurement of change in latency. For example, if the average latency of a packet traveling between a client and server is one-half of a second, some packets might take as long as a full second to travel, while others take only a quarter of a second. Jitter is not an important consideration for file transfers, but it has a profound impact on real-time network applications such as audio and video. One of the primary causes of high jitter is a feature of IP networks: different packets in a single session can follow different paths through a network. If different paths have different latency, high jitter results. Clients often compensate for jitter by buffering network traffic, thereby increasing overall delay.
Consistent with Microsoft's goal of making Windows more extensible, Windows 2000 Server provides several APIs to allow third-party software vendors to develop their own QoS standards. There are several QoS standards supported by Windows 2000 Server.
Resource ReSerVation Protocol (RSVP)
When you place a telephone call, you are never concerned that the quality of your call is going to degrade because your provider becomes busy. Telephone networks never get busy in that sense: once the network has reached capacity, new calls are rejected outright. Each call you place is guaranteed a high-quality connection until you hang up.
This is certainly not the case with most IP networks. If you have ever tried to carry on an audio conversation across a busy IP network, you know that the sound might break up when other network applications steal your bandwidth. Windows 2000 adds the IETF RSVP (RFC 2205) to provide QoS. RSVP is one method of making IP networks perform more like telephone networks: it allows a system to reserve a predetermined amount of bandwidth along a specific path in the network, eliminating the possibility of bandwidth starvation and reducing jitter. The specific path, combined with the QoS specifications, is called a flow.
To reserve a flow, the sender and receiver must have resources allocated from every piece of network hardware that will participate. The sender starts the reservation process by sending a PATH message toward the receiver. As each RSVP-capable piece of network hardware receives the PATH message, it records the session together with the address of the previous RSVP hop, then forwards the message on. This stored path state is what lets the reservation be set up along the route the data will follow. Any piece of hardware that does not speak RSVP forwards the message on like any other packet, without recording any state.
The receiver then responds to the PATH message with an RESV (for reservation) message. The RESV message travels the same route in reverse, because each RSVP hop forwards it to the previous hop it recorded when the PATH message passed. As each piece of hardware forwards the RESV message toward the sender, it verifies that it really does have the requested bandwidth and actually reserves it. The entire RSVP reservation process is illustrated in Figure 6-13. If one of the pieces of hardware cannot reserve the resources, it returns a ResvErr message indicating the problem. The jitter that can occur by using varying paths is reduced because all packets in that session will pass through exactly the same routers.
Figure 6-13: Both a PATH and an RESV message are required to reserve resources using RSVP.
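The PATH/RESV exchange of Figure 6-13, as an added simulation (it is not code from the article or from any RSVP implementation): a linear path of routers, one of which does not speak RSVP, where PATH records the previous RSVP hop at each router, RESV walks that chain back toward the sender reserving bandwidth, a router without enough capacity answers with a ResvErr, and the refresh timer, soft-state expiry and PathTear described below release state. Router names, capacities and the session names are constructed; the 30 s and 90 s timers are the defaults the text gives.

```python
from dataclasses import dataclass, field

REFRESH_INTERVAL = 30.0    # sender re-sends PATH every 30 s
STATE_LIFETIME = 90.0      # a hop drops the session if no PATH arrives for 90 s


@dataclass
class Hop:
    name: str
    rsvp: bool = True                 # a non-RSVP router forwards PATH/RESV without keeping state
    capacity_bps: int = 1_000_000
    reserved_bps: int = 0
    path_state: dict = field(default_factory=dict)   # session -> (previous RSVP hop, time of last PATH)
    resv_state: dict = field(default_factory=dict)   # session -> bps reserved here

    def release(self, session):
        self.reserved_bps -= self.resv_state.pop(session, 0)
        self.path_state.pop(session, None)


class RsvpPath:
    """The routers between sender and receiver, in forwarding order."""

    def __init__(self, hops):
        self.hops = hops
        self.by_name = {hop.name: hop for hop in hops}

    def path(self, session, now):
        """Sender -> receiver. Each RSVP hop stores the previous RSVP hop (PHOP) and refreshes its timer."""
        phop = "sender"
        for hop in self.hops:
            if not hop.rsvp:
                continue                      # forwarded like any other packet, nothing recorded
            hop.path_state[session] = (phop, now)
            phop = hop.name
        return phop                           # the PHOP the receiver will address its RESV to

    def resv(self, session, bps, phop):
        """Receiver -> sender, following the stored PHOP chain and reserving at every RSVP hop."""
        while phop != "sender":
            hop = self.by_name[phop]
            if session not in hop.path_state:
                return f"{hop.name}: ResvErr, no PATH state for {session}"
            free = hop.capacity_bps - hop.reserved_bps
            if free < bps:
                # Hops nearer the receiver keep what they reserved until torn down or expired.
                return f"{hop.name}: ResvErr, only {free} bps free"
            hop.reserved_bps += bps
            hop.resv_state[session] = bps
            phop = hop.path_state[session][0]
        return "reserved"

    def path_tear(self, session):
        """The ending station's PathTear: every hop releases the session immediately."""
        for hop in self.hops:
            hop.release(session)

    def expire(self, now):
        """Soft state: a hop that has not seen a PATH within STATE_LIFETIME drops the reservation."""
        dropped = []
        for hop in self.hops:
            for session, (_, last_path) in list(hop.path_state.items()):
                if now - last_path > STATE_LIFETIME:
                    hop.release(session)
                    dropped.append((hop.name, session))
        return dropped
```

The failure case is worth tracing: because RESV travels from the receiver backwards, a refusal at the hop nearest the receiver leaves the upstream hops untouched, while a refusal further upstream leaves reservations behind at the hops already passed, which is why the soft-state timer and the explicit tear-down messages both matter.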
The sender automatically resends a PATH message on a regular basis to adapt to changing states in the network. By default, this resend of the PATH message occurs every 30 seconds. If the network hardware that has reserved resources does not see a PATH message within a certain amount of time (defaulting to 90 seconds), it will remove the reservation. This soft-state design prevents a failed connection from tying up resources unnecessarily. When the session is complete, the station that breaks the connection sends a special message instructing the network hardware to release the resources immediately: a PathTear from the sender, or a ResvTear from the receiver for its reservation.
Traffic Control
Traffic control is analogous to assigning priorities to different processes within the operating system: the most important processes receive the most processor time, and therefore become more responsive to the user. The traffic control API provides the operating system with finer control over the packets it generates, allowing it to make better use of network bandwidth.
Traffic control and RSVP are not mutually exclusive. On the contrary, they complement each other well. Traffic control can be used across parts of the network that do not support RSVP. In fact, RSVP and traffic control can be used together on a single session where only some of the network components support RSVP.
Packet Scheduling
Not all network traffic is created equal. If you are uploading a large file via File Transfer Protocol (FTP), it would be nice if this transfer would not hurt the performance of the Telnet session you have open. In this scenario, you are not concerned about the time the FTP transfer takes, but you do want Telnet to be more responsive. The operating system should be able to prioritize your Telnet packets so that they are sent before FTP packets.
The QoS Packet Scheduler does just this. It retrieves packets from the outgoing queue and transmits them according to QoS parameters. These parameters allow users and applications to specify that certain applications have a higher priority in the packet queue. If congestion exists, higher priority packets are moved to the front of the queue, reducing the latency that the local link adds for those packets. Note that the scheduler only orders what this host sends; once a packet is on the wire, the prioritization has to be honored by the switches and routers along the way.
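An added simulation (not code from the article or from the Windows 2000 packet scheduler) of the Telnet-versus-FTP situation just described, which also puts numbers on the latency and jitter definitions given earlier: a 64 kbit/s link drains its queue either first-come-first-served or with Telnet strictly prioritized, and the per-flow mean latency, maximum latency and jitter (mean change in latency between consecutive packets of a flow) are computed. The link speed, packet sizes and arrival pattern are constructed.

```python
LINK_BPS = 64_000                       # constructed: a slow WAN link
PRIORITY = {"telnet": 0, "ftp": 1}      # lower number = served first under priority scheduling


def serialization_delay(size_bytes):
    """Time the link needs to clock one packet out."""
    return size_bytes * 8 / LINK_BPS


def constructed_traffic():
    """40 Telnet keystrokes, one every 50 ms, against a 60 kB FTP upload queued all at once at t=0."""
    packets = []                                         # (arrival time, sequence, flow, size in bytes)
    for i in range(40):
        packets.append((i * 0.05, len(packets), "telnet", 64))
    for _ in range(40):
        packets.append((0.0, len(packets), "ftp", 1500))
    return packets


def fifo_policy(pkt):
    return (pkt[0], pkt[1])                              # earliest arrival first


def priority_policy(pkt):
    return (PRIORITY[pkt[2]], pkt[0], pkt[1])            # interactive traffic jumps the queue


def simulate(packets, policy):
    """Single-server queue: the link sends one packet at a time; policy picks the next from the backlog."""
    pending = sorted(packets)
    queue, now, latencies = [], 0.0, {}
    while pending or queue:
        while pending and pending[0][0] <= now:
            queue.append(pending.pop(0))
        if not queue:
            now = pending[0][0]                          # link idle: jump to the next arrival
            continue
        pkt = min(queue, key=policy)                     # a packet already on the wire is never preempted
        queue.remove(pkt)
        arrival, _, flow, size = pkt
        now += serialization_delay(size)
        latencies.setdefault(flow, []).append(now - arrival)
    return {flow: summarize(lat) for flow, lat in latencies.items()}


def summarize(lat):
    jitter = sum(abs(b - a) for a, b in zip(lat, lat[1:])) / max(len(lat) - 1, 1)
    return {"mean": sum(lat) / len(lat), "max": max(lat), "jitter": jitter}


def compare():
    traffic = constructed_traffic()
    return {"fifo": simulate(traffic, fifo_policy), "priority": simulate(traffic, priority_policy)}


if __name__ == "__main__":
    for name, result in compare().items():
        for flow, stats in result.items():
            print(f"{name:9s} {flow:7s} mean {stats['mean']:.3f}s  max {stats['max']:.3f}s  jitter {stats['jitter']:.3f}s")
```

Under FIFO every keystroke after the first waits behind the whole upload, so Telnet latency is measured in seconds; with priority scheduling a keystroke waits at most for the 1500-byte packet already on the wire (187.5 ms at this speed), and the upload finishes a few hundred milliseconds later than before, which is the trade the text describes.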
External Prioritization (Diff-Serv, 802.1p, and IP Precedence)
IETF Diff-Serv is an IETF working group whose mission is to make use of the Type Of Service byte in the IP header, redefining its upper 6 bits as the Differentiated Services Code Point (DSCP). The Type Of Service field was included so that network hardware could prioritize packets, but it was rarely honored. Windows 2000 Server now allows applications to set priority, allowing this field to specify a level of QoS when compatible network hardware is used. Because the mark is just a header field that any sending host can set, routers at a trust boundary normally police or re-mark incoming DSCP values rather than honor them blindly.
QoS extends to layer 2 of the OSI model for Ethernet networks. Windows 2000 supports the IEEE 802.1p priority standard to allow switches to prioritize frames. The priority is a 3-bit value carried in the 2-byte Tag Control Information of an IEEE 802.1Q tag, which is inserted into the frame header after the source address (with its 2-byte tag protocol identifier, the tag adds 4 bytes to the frame). This allows switches to drop low-priority frames when their queue is full, increasing the chance for high-priority frames to be carried successfully on a busy network segment.
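The two markings just described, as an added example that is not code from the article: a function that sets the DSCP in an IPv4 header and recomputes the header checksum (a marker that forgets this step produces packets every router discards), a function that inserts an 802.1Q tag carrying the 802.1p priority after the source MAC address, and a classifier that reads both back from a frame. Addresses and frame contents are constructed, and the IPv4 header is assumed to carry no options.

```python
import socket
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(header):
    """RFC 791 header checksum: ones' complement of the ones' complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, dscp=0, ecn=0, proto=17, payload_len=0):
    tos = (dscp << 2) | ecn                          # upper 6 bits DSCP, lower 2 bits ECN
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def set_dscp(ip_packet, dscp):
    """Re-mark an IPv4 packet (no options assumed) and fix the header checksum."""
    tos = (dscp << 2) | (ip_packet[1] & 0x03)        # keep the ECN bits
    hdr = bytes([ip_packet[0], tos]) + ip_packet[2:10] + b"\0\0" + ip_packet[12:20]
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + ip_packet[20:]


def add_vlan_tag(frame, pcp, vid, dei=0):
    """Insert a 4-byte 802.1Q tag after the source MAC: 2-byte TPID, then 2-byte TCI = PCP(3) DEI(1) VID(12)."""
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def classify(frame):
    """Return (802.1p priority, VLAN id, DSCP); priority and VLAN are None on an untagged frame."""
    pcp = vid = dscp = None
    offset = 12
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        pcp, vid = tci >> 13, tci & 0x0FFF
        offset = 16
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    if ethertype == ETHERTYPE_IPV4:
        dscp = frame[offset + 2 + 1] >> 2               # second byte of the IPv4 header
    return pcp, vid, dscp
```

A receiver verifying the header checksum over the marked header must get zero; that is the check a switch or router applies before it ever looks at the DSCP.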
The OSI Model
Computers communicate on networks by agreeing on standard languages, also known as protocols. Each network communication relies on several protocols, and protocols are layered: each relies on the one beneath it. Fortunately, there is a standard way of organizing them, the OSI model. The OSI model consists of seven distinct layers, and every network protocol is placed at one of these seven layers:
- Application layer (layer 7). This highest level is used directly by applications to communicate on a network. Examples of protocols at this layer are HTTP, SMTP, and FTP.
- Presentation layer (layer 6). Rarely implemented as a separate protocol. It is intended to act as an interface between the session layer and the application layer, translating data representations.
- Session layer (layer 5). Provides complex conversation controls. NetBIOS over TCP/IP is the best example of a session layer protocol.
- Transport layer (layer 4). Carries data between processes on two hosts. TCP provides connection-oriented communications, error checking, and guaranteed delivery; UDP is the common connectionless alternative, with no delivery guarantees.
- Network layer (layer 3). Provides for routing, navigation, and addressing. IP and IPX are the most popular examples.
- Data link layer (layer 2). Provides communications within a single network segment. Protocols can include collision avoidance and error checking. Ethernet, token ring, and FDDI (Fiber Distributed Data Interface) are all layer 2 protocols.
- Physical layer (layer 1). The format of the cables and electrical signals. Cat 5 copper wire, fiber optics, and repeaters live at this level.
ISSLOW—Latency Reduction on Slow Links
Using ISSLOW, large packets can be fragmented to improve performance on slow links. Consider the example of audio and video being transmitted simultaneously over a dial-up connection. Video packets are much larger than audio packets, and the delay while one packet is transmitted over a slow link can be as much as half a second (a 1500-byte packet occupies a 28.8 kbps modem link for 1500 × 8 / 28,800 ≈ 0.42 s). If audio packets end up separated by half-second intervals, the quality of the audio becomes unacceptable.
ISSLOW solves this problem by fragmenting large packets into multiple, smaller packets at the link layer. This way, small audio packets can be transmitted between the fragments of a big packet, ensuring a smooth service quality. ISSLOW is the name of an IETF working group: the letters stand for "ISSLL subgroup on low bitrate links," where ISSLL is Integrated Services over Specific Link Layers.
Quality of Service Admission Control Service (QoS ACS)
The Quality of Service Admission Control Service (QoS ACS) allows administrators to control which users and groups can reserve bandwidth on the network. Naturally, RSVP could be dangerous if control wasn't provided: a user could request so much bandwidth that the rest of the organization suffered! QoS ACS uses policies to determine whether resource requests should be approved or disapproved. QoS ACS controls RSVP, SBM (Subnet Bandwidth Management), IP Precedence, and 802.1p usage to prevent bandwidth overcommitment on both routers and network segments.
QoS ACS policies can be based on network topology, available resources, users, groups, and applications. These policies are stored in Active Directory, so they are available across the enterprise. QoS ACS speaks the IETF Subnet Bandwidth Manager protocol (RFC 2814), so SBM-aware third-party switches and routers can defer to the policy held in Windows 2000 Active Directory.
How Do Other Operating Systems Fit In?
Windows 2000 Server is intended to provide network services to a variety of clients, including Windows for Workgroups, Windows 95, Windows 98, Windows 2000 Professional, and UNIX operating systems. More recent versions of the Windows operating systems will benefit the most from the network advances added to Windows 2000 Server. For example, Windows 98 systems can log on to a Windows 2000 domain and use Microsoft Distributed file system (Dfs) shares, and with the Active Directory client extension installed they gain site-aware logon and directory search.
Summary
As the Internet continues to evolve, so does Windows. The new networking features of Windows 2000 Server enable administrators to take better advantage of their existing network and of the Internet. Virtual private networking technologies like PPTP, L2TP, and IPSec improve security and increase the usefulness of the Internet. The routing features of Windows 2000 Server expand the operating system's functionality past that of merely a file and application server. Finally, system-level support for Quality of Service technologies makes real-time multimedia over IP networks a reality. Ultimately, all these technological advancements lead to more productive and happier users.
The above article is courtesy of Microsoft Press. Copyright 1999, Microsoft Corporation.
System copy for ABAP and file system copy for Java (strictly speaking, sapinst export/import should be used)
SAP NetWeaver 7.0 EHP1 (ABAP stack SID = XXX / Java stack SID = XX1)
Oracle 10g 64-bit database
Windows Server 2008
Mode: installed in a cluster environment, meaning the CI host carries only the usr directory and the database is hosted on a different node or server.
Node1: CI (just the usr directory)
Node2: DB (sap directory, oraarch, and SAP data files); Oracle home installed on the DB node
Objective: move the DB file system contents (sap directory, oraarch, and SAP data files) and present them on the CI host.
1) Log in as the ABAP user on the CI host and install the Oracle 10g binaries (the Oracle home should end up as oracle\XXX\102 for ABAP and oracle\XX1\102 for Java).
2) Configure the listener and tnsnames host name and port in both locations (oracle/xxx/102/network/admin and /usr/sap/xxx/sys/profile/oracle). Once configured, issue lsnrctl start and lsnrctl stop at a command prompt; this automatically creates the listener service.
3) Run tnsping xxx and make sure it reports no error.
4) The listener does not exist as a service on the CI host beforehand; it appears once step 2 is done.
5) Next, run sqlplus "/as sysdba" and start up Oracle (make sure there are no issues).
6) Run r3trans -xd (it should not report any error).
7) In the SAP MMC, go to Properties, add the new SID, instance number and host name, and save (back up the existing SAP MMC configuration before doing this).
8) Start SID XXX in the SAP MMC (it should not report any error).
9) Task complete.
10) For the Java stack migration without export and import, perform the same steps 1 to 9.
11) Additional information for Java: make sure the listener ports are unique per stack, for example ABAP uses 1527 and Java uses 1528.
Post steps
1) ABAP: no or minor issues.
2) Java is a bit tricky: in the Config Tool, change the TNS port setting to match the XX1 listener port, otherwise the engine cannot connect to the database and the secure store.
3) Once step 2 is done, the standard post-copy procedures can be followed, though they are not strictly necessary here.
4) Once the portal is accessible and reports can be called, the task is complete.
The commands below create the OracleService<SID> Windows service manually (OracleServiceEPP in the original example) if, say, this is a non-standard migration such as the scenario described above:
oradim -new -sid XXX -startmode auto (creates OracleServiceXXX with automatic startup)
oradim -edit -sid XXX -startmode manual (switches OracleServiceXXX to manual startup)
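An added check for steps 2, 3 and 11 and for post-step 2 (this is not SAP or Oracle code, and the file contents are constructed, not copied from a real system): a parser for the parenthesised Oracle Net syntax of listener.ora and tnsnames.ora, and a function that, for each SID, confirms the listener has exactly one port, that the tnsnames alias for that SID points at the same port, and that no two SIDs share a port. Pass it the contents of the files from the two locations named in step 2; it cannot inspect the Java secure store, which is encrypted and must still be updated in the Config Tool.

```python
import re

TOKEN = re.compile(r"\(|\)|=|[^\s()=]+")

# Constructed sample files for the CI host: one listener and one alias per stack.
LISTENER_ORA = """
LISTENER_XXX =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = cihost)(PORT = 1527))
    )
  )
LISTENER_XX1 =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = cihost)(PORT = 1528))
    )
  )
"""

TNSNAMES_ORA = """
XXX.WORLD =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = cihost)(PORT = 1527))
    (CONNECT_DATA = (SID = XXX))
  )
XX1.WORLD =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = cihost)(PORT = 1528))
    (CONNECT_DATA = (SID = XX1))
  )
"""


def parse(text):
    """Oracle Net syntax -> list of (KEY, value); a value is a string or a nested list of pairs."""
    lines = [ln for ln in text.splitlines() if not ln.lstrip().startswith("#")]
    tokens = TOKEN.findall("\n".join(lines))
    pos = 0

    def expect(tok):
        nonlocal pos
        if pos >= len(tokens) or tokens[pos] != tok:
            raise ValueError(f"expected {tok!r} at token {pos}")
        pos += 1

    def pair():
        nonlocal pos
        key = tokens[pos].upper()
        pos += 1
        expect("=")
        return key, value()

    def value():
        nonlocal pos
        if tokens[pos] != "(":
            pos += 1
            return tokens[pos - 1]               # scalar, e.g. TCP, cihost, 1527
        items = []
        while pos < len(tokens) and tokens[pos] == "(":   # one "(KEY = value)" group per parenthesis
            expect("(")
            items.append(pair())
            expect(")")
        return items

    result = []
    while pos < len(tokens):
        result.append(pair())
    return result


def find(tree, key):
    """Yield every value filed under key anywhere below tree."""
    for k, v in tree:
        if k == key:
            yield v
        if isinstance(v, list):
            yield from find(v, key)


def check_ports(listener_text, tnsnames_text, sids):
    """Return a list of problems; an empty list means listener and tnsnames agree for every SID."""
    listener, tnsnames = parse(listener_text), parse(tnsnames_text)
    problems, owner = [], {}
    for sid in sids:
        listener_ports = {p for entry in find(listener, f"LISTENER_{sid}") for p in find(entry, "PORT")}
        tns_ports = {p for key, entry in tnsnames if key.split(".")[0] == sid for p in find(entry, "PORT")}
        if len(listener_ports) != 1:
            problems.append(f"{sid}: expected exactly one listener port, found {sorted(listener_ports)}")
        if tns_ports != listener_ports:
            problems.append(f"{sid}: tnsnames ports {sorted(tns_ports)} do not match listener ports {sorted(listener_ports)}")
        for port in listener_ports:
            if port in owner and owner[port] != sid:
                problems.append(f"port {port} is used by both {owner[port]} and {sid}")
            owner[port] = sid
    return problems


if __name__ == "__main__":
    print(check_ports(LISTENER_ORA, TNSNAMES_ORA, ["XXX", "XX1"]) or "listener.ora and tnsnames.ora agree")
```

Run it against both copies of each file (the Oracle home copy and the one under the SAP profile directory), since a mismatch between the two copies is the usual reason tnsping succeeds for one stack and the other cannot connect.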
Good Luck!!!