Special Edition, Using Microsoft BackOffice, Ch. 04

04 - Becoming Part of the Enterprise

by Don Benage

  • What aspects of your organization impact a Microsoft BackOffice implementation - Learn how to analyze your organization with respect to the number and type of users, their needs, and application server requirements.

  • How to logically organize your servers - Learn the Microsoft BackOffice structure for organizing servers and users, and learn how to map your organization to it.

  • The role of a server - Gain valuable insight into the various roles server applications can fulfill and why they should be designated in these roles.

  • Why network protocols are important - Learn how computers communicate with one another through network communication protocols, and learn about the network protocols supported by Microsoft BackOffice.

  • Microsoft BackOffice security basics - See how security is implemented in Microsoft BackOffice and what considerations you should give to security in planning your implementation.

  • How Microsoft BackOffice supports remote access - Learn how Microsoft BackOffice provides built-in access to users not connected directly to the network.


Setting up a single, stand-alone Windows NT computer is a straightforward task. Things become more complicated, however, when you must connect a server to an enterprise-wide network. The need for cooperation with others and coordination with the work they are doing becomes important. Decisions that were previously somewhat arbitrary become critical issues.

This chapter discusses the most important considerations facing an administrator involved in creating an enterprise network and setting up servers to run in such an environment. When you finish this chapter, you will understand how computers on a large network are organized, the basics of network protocols, and Windows NT security.

Analyze Organizational Requirements

Administrators, managers, and users should work together to define the organization's needs with respect to a Microsoft BackOffice network. To determine the requirements, the administration team must perform the following activities at regular intervals (at least annually):

  • Identify organizational structure.

  • Select server applications.

  • Design server organization.

  • Determine server configurations.

  • Choose peripheral devices.

Each of these activities is described in the sections that follow.

Organizational Structure

The first area of emphasis in analyzing the organizational requirements is the user community. The administration team should begin with a thorough inventory of every aspect of the users connected to the network. The following areas should be documented as a basis for making implementation decisions:

  • Number of Users. Determine how many users are on the network and where they are located. It may be helpful to keep this information by geographic location. At a minimum, the number of users should be tracked for each LAN within the enterprise WAN, as well as the total number of users on the WAN. Management should be queried for estimates regarding the rate of growth in the user population over the next one, two, and three years. These estimates should be tracked against the actual number of users as each year passes.

  • Type of Users. It is also necessary to document information about the characteristics of the users. Records should be kept about the configuration of PCs on the network, PC operating systems, and desktop software. You may also be interested in knowing the various skill levels of the users. This information helps you to group users into categories, which are more manageable for network decision-making purposes.

  • User Organization. Learn how the users are organized. Most organizations are arranged in one or more levels of divisions, departments, or other functional entities. The administration team should "map" the various levels of these groups of users to the Microsoft BackOffice user models. See "Understanding BackOffice Structures for Organizing Servers" later in this chapter for a thorough discussion of user organization.

Server Applications

After the user characteristics are understood, it is possible to analyze their requirements to determine which network services are needed. The administration team should map user requirements to the available server applications.

Each Microsoft BackOffice product provides a different set of network services:

  • Windows NT Server. Windows NT Server fulfills the most basic of network user requirements. This product is necessary for there to be a network at all because it serves as the network operating system. Windows NT Server also is the operating system upon which all other Microsoft BackOffice server applications operate.

  • Microsoft Internet Information Server. Microsoft Internet Information Server provides the connection to the world via the Internet. This product supports the two major services available on the Internet - messaging and publication. The Microsoft Internet Information Server can also be used to create your own private Internet, commonly referred to as an intranet.

    See "Building Your Network," (Ch. 3)

  • Microsoft Exchange Server. Microsoft Exchange Server provides messaging services to the network. The primary application of this product is in providing e-mail services to the users. In addition to e-mail, Microsoft Exchange Server offers other services, sometimes referred to as groupware or workgroup applications, such as document routing, public discussion forums, and document libraries.

  • Microsoft SQL Server. Microsoft SQL Server provides relational database management services. This product is the foundation upon which most client-server applications are built. Microsoft SQL Server stores, manages, and protects the organization's data.

  • Microsoft SNA Server. Microsoft SNA Server provides connectivity services to IBM mainframes and minicomputers. This product allows users to access and manipulate host information from their network PCs.

  • Microsoft Systems Management Server. Microsoft SMS provides a number of important network services. This product is the cornerstone of desktop systems management. It can be used to track the inventory of hardware on the network and to manage software distribution. These aspects of network administration can be significant for large networks. Microsoft SMS greatly simplifies the delivery of these services. It can also be used by administrators to remotely troubleshoot problems on the network.

Approaches to Server Size and Placement

Microsoft BackOffice applications run on a server attached to the network. Deciding how many servers to operate and where to place each server application is the next step in preparing for your Microsoft BackOffice implementation.

Two schools of thought exist on server organization: the super-server school and the distributed computing school. Both approaches have strengths and weaknesses. You must weigh the tradeoffs and decide which approach makes sense in your organization.

The super-server approach involves buying one (or a few) very large computers with multiple processors and a large amount (for example, 256M or more) of random-access memory (RAM). This concentrated power can be easier to physically secure than multiple smaller machines. It also offers the advantage of letting one application make full use of the super-server if other applications are not yet active, or if they experience a reduced load during off-peak hours. By careful scheduling, you can bring a tremendous amount of computing power to bear on your server application.

The distributed computing approach favors multiple, redundant servers each performing a portion of the overall delivery of service. This redundancy reduces the impact of a single machine failure. In a geographically distributed network, it can aid in the placement of server resources on the same fast LAN with client workstations. But it does make physical security a greater challenge and reduces your ability to easily apply a lot of computing power to one task. Chapter 30, "Managing Distributed Data," covers many of the issues associated with data distribution across a network.

See "Geographically Separate Locations," (Ch. 29)

Of course, your approach need not be one or the other. You may adopt a largely distributed approach, applying an occasional super-server if concentrated power is needed for a very demanding application. There is no single correct approach that fits the needs of all organizations.

Understanding BackOffice Structures for Organizing Servers

It makes sense to provide some logical organization for the network. Microsoft has developed several mechanisms for organizing groups of servers and desktop computers. This not only makes it easier to manage the network, but can also simplify things for the user community by making it easier to find a particular shared resource. These logical network structures can also provide a span of control for a security authority.

Some of these structures are used for only one of the BackOffice products. An organization is only used when setting up Exchange servers, for example. Only Systems Management Server (SMS) uses machine groups. SMS and Exchange both use sites. SQL Server uses server groups. In addition, these structures don't necessarily map directly into the domain structures Windows NT uses to manage security. At first, this may seem arbitrary and needlessly complex. After you understand each of the products better, however, you should see the logic behind some of these differences. The products do different things and different structures are appropriate to manage them.

There is one more thing to remember that may help make sense of all this. Don't make things any more complicated than they need to be. The capability to break computers and users into groups makes it easier to manage them. If natural divisions don't suggest themselves, perhaps you don't need to take advantage of these capabilities. On smaller networks (fewer than 100 users) you may only need:

  • One domain for security

  • A single site for SMS

  • One server group for SQL Server

  • One organization with a single site for Exchange

Workgroups

The simplest structure you can use to provide some order on a network is the workgroup. A workgroup, for the purposes of Microsoft networking, is nothing more than a convenient way to restrict browsing for shared resources to a small group of computers. If you want to use a shared laser printer, for example, you don't need to look at a list of all the printers on your entire network. You can simply check through a much smaller list of computers in your workgroup, which are usually in close physical proximity. Therefore, workgroups perform much the same function for networks as subdirectories (or folders) perform for hard disks. They allow you to logically group related items into smaller, more manageable groups.

A workgroup has no role in authenticating a user's identity or enforcing security. Windows NT Servers in a workgroup each have their own account database. If you want to use resources on two different Windows NT Servers in a workgroup (not a domain), you need to have an account on both computers, as shown in figure 4.1. If you change your password on one server, it does not automatically change on the other.

Fig. 4.1 - Microsoft BackOffice servers have separate user accounts and security policies, which means no replication of account information occurs from one server to another.

Domains

When you log on to a computer that is part of a domain, you still enjoy all the capabilities of a workgroup. In addition, domains build upon the browsing help offered by workgroups by adding significant security features. All the servers in a domain share the same user account database. As a result, you only need one user account ID and its corresponding password to access shared resources anywhere in the domain.

To establish a domain, you must configure at least one Windows NT Server as a domain controller. This computer contains the master copy of the user account database. It is kept in an encrypted form so that it cannot be read by unauthorized persons, and permissions are set such that it cannot be tampered with or accidentally deleted. The domain controller also keeps the master copy of the policy information regarding passwords. It is possible, for example, to require that all passwords be at least six characters long, and a new password be selected every 90 days.

Unless you have a very small network, you will also want one or more additional domain controllers, sometimes referred to as backup domain controllers. These computers are automatically updated whenever a user account is added, modified, or deleted. If any changes are made to the security policy of the domain, they are also forwarded to all domain controllers, as shown in figure 4.2. By default, this occurs approximately every five minutes.

Fig. 4.2 - Account and security policy information is automatically replicated from the primary domain controller to all other domain controllers.


A common mistake made by people new to Windows NT Server is to assume that the five-minute interval is too long. In practice, five minutes is usually plenty fast. Try using the network this way for at least a week before going to the trouble to change it. You'll probably find it is adequate.

After you establish a domain, you can create user accounts and organize users into groups that reflect their computer needs or departmental affiliation in your organization. For example, you might create a group containing everyone who needs to use a particular application or a group containing everyone in the Research Department. After you create accounts and groups, you can use them to assign permissions to access shared resources on your network.


In general, it is a good idea to assign permissions to groups rather than individual accounts. As new users are added, you simply add them to the appropriate groups, and they will inherit the necessary permissions to use the resources they need. A user may belong to many groups.

An additional feature provided by Windows NT Server is the capability to establish trust relationships between two domains. A trust relationship is set up by the domain administrator(s) for two domains. If domain B trusts domain A, then user accounts and groups from A can be assigned permission to use resources in B. In a very real sense, the administrators of B are trusting the administrators of A to be responsible about security policy and assigning users to particular groups. In figure 4.3, the domain INTERNAL trusts the domain GSULLIVAN.

Fig. 4.3 - Establishing a trust relationship between two domains.


It is common for a domain to correspond to a geographic location or an organizational structure such as a department.

A single domain can span geographic locations, if necessary. More complex domain models also can be created, using domain trust, to accommodate large numbers of computers and users. A utility included in the Windows NT Resource Kit offers guidance for domain planning. This is an essential activity that should ideally take place before installing your first server. Although it is possible to reorganize your domain design later, it is not a simple process.


The Windows NT Resource Kit is a separate product available from Microsoft. It does not ship as a part of the Windows NT package or the Microsoft BackOffice package. The Windows NT Resource Kit is a useful product for Windows NT network administrators and should be included as a part of the implementation and administration tool set.

The most common domain model used in large enterprises is the master domain model. This structure uses a single master domain and one or more resource domains. In figure 4.3, GSULLIVAN is the master domain, and INTERNAL is the resource domain. All user accounts and global groups are created in the master domain. This domain is administered by the Information Systems (IS) department for the organization. As people join the organization, an account is created for them in the master domain. If they leave the organization, the account can be disabled or deleted.


It is a good idea to disable an account for a short period of time before deleting it to be absolutely certain that it will never be needed again. Once an account has been deleted, the permissions assigned to that account must be reestablished from scratch, even if a new account with an identical user ID is created. This is due to the fact that permissions are associated with a unique security identifier, or SID, which is automatically generated when an account is created.

A master domain typically has at least two domain controllers with fast processors and high-speed network cards. They do not usually need to have a lot of disk storage or RAM (32M to 64M of RAM should be enough) because they are only validating logons. Shared resources and server-based applications run on the resource domains.


See Chapter 3, "Preparing to Implement Microsoft BackOffice," for more information on selecting appropriate hardware and options for your server.

Resource domains are then created by installing one or more domain controllers and establishing a one-way trust relationship. The resource domain trusts the master domain. Figure 4.4 depicts a typical master domain with two resource domains, each with a primary domain controller.

Fig. 4.4 - A master domain with two "trusting" resource domains.

The domain controllers and other servers in the resource domain provide the shared resources users need and are the real workhorses of the network. They may have multiple processors and a lot of RAM (128M or more) to support server-based applications. If they exist primarily to support file and printer sharing, you should consider fast disk subsystems with Redundant Array of Inexpensive Disks (RAID) Level 5 disk arrays or disk mirroring for high reliability. Windows NT supports RAID up to Level 5 right out of the box.

The master domain model yields a very useful environment. The master domain administrators maintain control over who can and cannot log on to the network. But the day-to-day activities of sharing printers and directories, and giving users permissions to use them, can be controlled by members of the department or organizational unit where the work is being done. By making one or more members of the department administrators of the resource domain, you can delegate some authority and provide an environment responsive to rapid changes. If you want slightly less autonomy with more central control, you can make department members server operators, account operators, printer operators, or backup operators rather than full-fledged administrators.

Administrators and server operators in the resource domain can assign permissions to shared resources. After the trust relationship has been established, the user accounts and global groups from the master domain can be used to assign permissions for resources in the resource domain. Figure 4.5 depicts a typical scenario in which the group Staff from the master domain GSULLIVAN is being given permission to use a shared directory called TechInfo on the server PrimSrv in the resource domain INTERNAL.

Fig. 4.5 - Assigning permissions to a shared directory in a resource domain using master domain accounts and groups.
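The trust and permission rules described above (figures 4.3 and 4.5, and the earlier note on SIDs) as an added Python model; this is not code from the book or from Windows NT itself. The Domain and Share classes, the SID format and the sample user names are assumptions of the model; the domain, group, server and share names come from the chapter's figures.

```python
# Educational model of one-way domain trust and SID-based permissions.
# It simulates the rules the chapter states: each domain has its own
# account database, a resource domain trusts the master domain one way,
# and permissions bind to a SID that is never reused.
import itertools

_sid_counter = itertools.count(1000)


def new_sid(domain):
    # Constructed SID format for this model only; real NT SIDs differ.
    return f"S-{domain}-{next(_sid_counter)}"


class Domain:
    """One account database (users and global groups) plus its trust list."""

    def __init__(self, name):
        self.name = name
        self.users = {}    # user name  -> SID
        self.groups = {}   # group name -> (group SID, set of member SIDs)
        self.trusts = set()

    def create_user(self, name):
        sid = new_sid(self.name)   # fresh SID even if the name was used before
        self.users[name] = sid
        return sid

    def delete_user(self, name):
        sid = self.users.pop(name)
        for _, members in self.groups.values():
            members.discard(sid)

    def create_group(self, name, member_names=()):
        gsid = new_sid(self.name)
        self.groups[name] = (gsid, {self.users[u] for u in member_names})
        return gsid

    def add_to_group(self, group, user):
        self.groups[group][1].add(self.users[user])

    def trust(self, other):
        """This domain trusts `other` (one way): other's accounts may be
        granted permissions here, but not the reverse."""
        self.trusts.add(other.name)

    def accepts_accounts_from(self, domain_name):
        return domain_name == self.name or domain_name in self.trusts

    def token_sids(self, user):
        """SIDs a logon in this domain carries: the user, then its groups."""
        usid = self.users[user]
        return [usid] + [g for g, m in self.groups.values() if usid in m]


class Share:
    """A shared directory on a server; its ACL is keyed by SID only."""

    def __init__(self, domain, server, path):
        self.domain, self.server, self.path = domain, server, path
        self.acl = {}   # SID -> permission

    def grant(self, source, principal, permission):
        if not self.domain.accepts_accounts_from(source.name):
            raise PermissionError(f"{self.domain.name} does not trust {source.name}")
        sid = source.users.get(principal) or source.groups[principal][0]
        self.acl[sid] = permission

    def access(self, source, user):
        """Return the permission `user` (logged on in `source`) has here."""
        if not self.domain.accepts_accounts_from(source.name):
            return None   # a logon from an untrusted domain is not honoured
        for sid in source.token_sids(user):
            if sid in self.acl:
                return self.acl[sid]
        return None


def demo():
    """Walk through figures 4.3 and 4.5 and the SID note in the model."""
    master, resource = Domain("GSULLIVAN"), Domain("INTERNAL")
    resource.trust(master)                 # INTERNAL trusts GSULLIVAN (fig. 4.3)
    master.create_user("alice")            # constructed sample users
    master.create_user("bob")
    master.create_group("Staff", ["alice"])
    resource.create_user("svc_local")

    techinfo = Share(resource, "PrimSrv", r"\\PrimSrv\TechInfo")
    techinfo.grant(master, "Staff", "Read")  # fig. 4.5: group, not user, in the ACL
    results = {"alice": techinfo.access(master, "alice"),
               "bob": techinfo.access(master, "bob")}
    master.add_to_group("Staff", "bob")      # new user: add to group, no ACL edit
    results["bob_after_group"] = techinfo.access(master, "bob")

    # Trust is one way: GSULLIVAN does not trust INTERNAL, so a share in the
    # master domain cannot name an INTERNAL account in its ACL.
    tools = Share(master, "MasterSrv", r"\\MasterSrv\Tools")
    try:
        tools.grant(resource, "svc_local", "Read")
        results["reverse_trust"] = "granted"
    except PermissionError:
        results["reverse_trust"] = "refused"

    # Deleting and recreating 'alice' yields a new SID; the old ACL entry
    # and group membership no longer apply to the recreated account.
    techinfo.grant(master, "alice", "Full")
    master.delete_user("alice")
    master.create_user("alice")
    results["alice_recreated"] = techinfo.access(master, "alice")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```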

In addition to the workgroups and domains understood by Windows NT, several other structures are used by the other server-based applications in BackOffice.

Organizations

Another structure used by one of the BackOffice products is the organization. It is the largest logical entity understood by Exchange. An organization usually corresponds to an entire corporation, educational institution, or other similar entity.

Sites

Two of the BackOffice products, SMS and Exchange, allow you to create sites. These do not necessarily correspond to domains, although they may. Sites almost always correspond to a physical site at one geographic location. For Exchange, the entire site must be on the same high-speed network; incorporating slower, wide area links into a site causes problems. For SMS, a site corresponds to a group of computers that all report their inventory information to the same site server.

Machine Groups

In addition to sites, SMS includes the idea of machine groups. This is a mechanism to form an arbitrary group of computers that need to be managed in the same way. They may be scattered among several sites in disparate geographic areas. Their only relationship is that they are managed together. In a large organization, you might have a single member of the Human Resources department in each regional office, for example. The computers for these users would all likely require the same applications and would, therefore, be good candidates for inclusion in a machine group.

Server Groups

SQL Server allows you to group servers together for administrative purposes. Database administrators (DBAs) can create their own server groups to organize servers for which they are responsible. These groups are set up only at the computer on which they are created. Other administrators can create their own groups on the computers they use to do their work.

Understanding the Server's Role

When you install Windows NT Server, you will configure it to take on a certain role. With version 3.51 of Windows NT Server, the current version, you can designate a computer either as a domain controller or as a server. These roles are described in the following sections.

Domain Controller

As previously discussed, each domain has one or more domain controllers. These servers each have a copy of the user account database and security policy for the domain. When a user logs on, a logon request is sent out on the network. Whichever domain controller receives the request first checks its copy of the account database and attempts to validate the user's ID and password.

The exact mechanics of the conversation are somewhat more complicated, and the particulars vary depending on how the network is set up. The important things to remember are the following:

  • In general, logons are handled by all domain controllers.

  • A natural load balancing will occur. If one server gets busy handling requests, another domain controller will respond to a new logon request more quickly. This happens automatically due to the second server's smaller workload and relatively better performance at that moment in time.

  • Cleartext (unencrypted) passwords are never passed over the network cable. This is an important consideration given the popularity and availability of network protocol analyzers that can capture and display the contents of network packets.

Server

Although the naming can be somewhat confusing, there is a role called server for a Windows NT Server computer in a domain. In other words, a computer running the operating system called Windows NT Server can be configured in the server role within a domain. With this role, it is possible to configure a computer to participate in domain security without itself validating logons. This role is particularly useful for computers running server-based applications such as SQL Server. These computers can easily be added to, or removed from, a particular domain because they don't play an active role in account validation. By making a server a member of a domain, you can use accounts from that domain, or any trusted domain, to assign permissions to resources on that server.

Understanding Network Protocols

When two computers communicate on a network, they need to speak the same language. Just as an American and a native of Japan can't understand each other unless they share a common language, so computers must also use the same language, or protocol, if they are to transmit information to one another.

A network protocol is a detailed recipe for taking information, breaking it into groups or packets, adding some additional control information, and sending it over a wire (or even through the air with some equipment!) to another computer. A variety of network protocols have been developed over the years with different characteristics. The main features of the most widely used protocols supported by Windows NT are outlined in the following sections.

Using a LAN or WAN

An important factor in deciding how to organize your network and what protocol to use is the size of the network. It is relatively simple to communicate with other computers in physical proximity to your computer over cables specifically designed for computer networking. This type of network is referred to as a local area network or LAN.

If you need to be able to communicate with computers at another geographic location, in another city or country for example, you will certainly not be able to run your own cable to the other site. You will probably need to arrange to use a cable owned by a telecommunications company (your local phone company for example) or another service provider. This requires special equipment designed for communication over such lines, and you then have a wide area network or WAN. See Chapter 8, "Wide Area Networking with Windows NT Server" for a complete discussion on this topic.

The computer programs implementing a network protocol for a particular operating system are commonly referred to as a protocol stack. When LANs were first developed, it was common to have a single program handle all networking issues. This type of program was called a monolithic stack. Now it is more common for a protocol stack to have separate program components for the network adapter installed in your computer and the particular type of network protocol (for example, TCP/IP) you are using. These specific network protocols are sometimes referred to as transport stacks.

Protocol stacks have three significant characteristics:

  • Size

  • Speed

  • Ability to be used on a routed WAN

On computers running DOS or DOS/Windows, the size of the protocol stack is an important issue. DOS-based computers must operate within the constraints of a 640K address space. On more powerful operating systems such as Windows 95 or Windows NT, this limitation has been eliminated. Therefore, the relative size of a particular protocol stack on Windows NT, for example, is not very important.

The speed of a protocol stack isn't always important, but may be an issue with certain applications where response time is critical. It is difficult to measure the actual speed of a protocol stack because many things affect its performance. Relative performance characteristics are well understood, however, and can help you decide which transport stack to use.

If a transport stack can be used on a WAN to send packets of information across routers to remote network segments, the stack is said to be routable. Routable stacks generally have better error handling capabilities and are, therefore, more resilient when used over slow lines of poor quality. They also carry additional information indicating which network segment they are bound for and may indicate the best path to get there.

NetBEUI

NetBEUI (NetBIOS Extended User Interface) is a network protocol developed by IBM and Microsoft for use on LANs of 250 nodes or fewer. It is a small, fast stack, but is not routable.

Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX)

This transport stack was made popular by Novell with their NetWare network products. In its initial incarnation, it did not meet strict requirements for routability; however, Novell has enhanced the transport over the years. Also, because of NetWare's popularity, many WAN vendors adapted their equipment to work with Novell's IPX/SPX. It can, therefore, be successfully used in many WAN environments.

Transmission Control Protocol/Internet Protocol (TCP/IP)

TCP/IP is a protocol whose time has come. This protocol was developed through the cooperative efforts of the Internet community over the past ten years. As corporations began connecting the many small LANs they had built to form one large WAN, a routable protocol became essential. With the explosion of interest in the Internet, it was inevitable that TCP/IP would become widely used. Many corporations want to attach their corporate WAN to the Internet, and TCP/IP is the protocol of choice.

In comparison to other transports, TCP/IP is generally bigger and slower. Recently, however, improved stacks have been developed that are not much slower than NetBEUI. As a rule of thumb, the latest stacks included with Windows NT and Windows 95 are on the order of 5 to 20 percent slower than NetBEUI. Perform controlled tests in your own environment if you need more exact performance comparisons.

The real benefit to using TCP/IP is, of course, it is designed for wide area networking and is routable. It performs as well as possible under poor conditions, using slow lines with a lot of extraneous noise. TCP/IP is essential if you want to connect your computer or your entire network to the Internet.

Understanding BackOffice Security

The security provided on a Microsoft BackOffice network is potentially controlled by a number of different sources. Basic user logon validation is provided by the network operating system (NOS). This could be either Windows NT Server, Novell NetWare, or another NOS. There are advantages to using Windows NT Server, and it is the only NOS discussed in this section, but some organizations add Windows NT Server as a platform to run server-based applications and continue to use another NOS for user validation and file and print services. The rest of this section describes different security elements provided by Microsoft BackOffice. For a more thorough discussion of Microsoft BackOffice security, see Chapter 29, "Implementing Real World Security."

Using a Single User ID for the Enterprise

It is possible, and even desirable, for users to have a single user ID and password for all Windows NT-based services. By using a single domain, or implementing a master domain model using domain trust, a single account can be granted access permissions on any computer in your organization. This account lets users do the following:

  • Log on to the network at their desktop computer

  • Connect to shared printers and files

  • Use SQL Server databases

  • Open their electronic mailbox to send and receive e-mail

  • Open shared folders of information and participate in bulletin-board-style discussion databases

  • Automatically install new software distributed over the network by Systems Management Server (SMS)

  • Attach to a gateway that provides LAN-based connectivity to a mini or mainframe computer (you would still likely need a separate ID and password to log on to the other computer)

This list is just a sample of the kinds of Windows NT-based services that can be accessed with a single ID and password. Being able to integrate the security for all these services with the native Windows NT security subsystem is certainly a powerful feature. This capability is very popular with users who quickly get tired of managing and remembering multiple IDs and passwords. There are reasons, however, that you may not want to allow a single ID and password to be used for everything. If a user ID and password combination is discovered and misused, the results are obviously more traumatic if the compromised account has permissions to many resources.

In some organizations, it makes sense to give the authority over database resources to a separate group of people. The database administrators may feel a need to create a separate set of user accounts that are used solely for database access. SQL Server allows either choice.

See "Using SQL Server Security," (Ch. 19)


SQL Server also offers the capability, as an option, to encrypt data as it is transmitted over the network.

There are special security considerations for e-mail. The information included in messages may be extremely sensitive. Exchange Server offers powerful capabilities that augment the simple access control provided by an ID and password. It is possible to encrypt your message to another individual using a public key algorithm. It is also possible to digitally sign your message so that the recipient knows the message came from you, and it has not been altered in any way.

See "Using Exchange Server Advanced Security," (Ch. 16)
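The digital signature described above can be demonstrated without Exchange. The following PowerShell script is an added example, not code from the book or from Exchange Server; it assumes a Windows host with the .NET RSA classes available. The key pair it generates is a throwaway one for the demonstration (in Exchange Advanced Security the Key Management Server issues the keys), and the message text is constructed sample data.

```powershell
# Added example (not from the book): sign a message with the sender's private
# key, verify it with the public key only, and show that any alteration of the
# message makes verification fail.

$message = [System.Text.Encoding]::UTF8.GetBytes("Quarterly numbers attached. -- Don")  # constructed sample

# Sender's key pair (throwaway 2048-bit RSA key for the demo).
$senderKey = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048)
$hashAlg   = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$padding   = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1

# Signing: hash the message, then encrypt the hash with the private key.
$signature = $senderKey.SignData($message, $hashAlg, $padding)

# The recipient holds only the public half of the sender's key.
$senderPublic = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048)
$senderPublic.ImportParameters($senderKey.ExportParameters($false))

# Verification on the original message.
$okOriginal = $senderPublic.VerifyData($message, $signature, $hashAlg, $padding)

# Verification after a one-character change in transit.
$tampered   = [System.Text.Encoding]::UTF8.GetBytes("Quarterly numbers attached. -- Dan")
$okTampered = $senderPublic.VerifyData($tampered, $signature, $hashAlg, $padding)

"Original message verifies : $okOriginal"
"Tampered message verifies : $okTampered"
```

The first check returns True and the second returns False: the recipient needs nothing but the sender's public key to confirm both that the message came from the holder of the matching private key and that it was not changed afterwards. Encrypting the message for confidentiality is a separate step that uses the recipient's public key rather than the sender's.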

Using Service Accounts

As discussed earlier, a service is a special type of program designed to run unattended on a Windows NT server. Every service runs in its own security context. In other words, a service runs in the context of a particular account just as regular users do. You can run services using a special type of account, called a system account, or you can define an account specifically for use by a service.

A system account has access privileges only on the computer on which it is defined. This is a problem for a service that needs to communicate with similar services on other computers. Clearly in an e-mail system some services need to have access privileges on more than one computer. This is also true in a SQL Server environment where data replication is desired. In these situations, it is important to define a service account that will be used as the security context for the service.

If you have a single domain, your service account will be a regular domain account. In a master domain environment, you would want to create your service accounts in the master domain, even though most services are likely to be run in a resource domain.

See "Creating a New User Account," (Ch. 6)
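One way to check which security context each service actually runs under, so that services needing access to other computers are confirmed to use a domain account rather than a per-machine one. This PowerShell script is an added example, not from the book or from Windows NT (which used Server Manager and the Services control panel for this); it assumes a Windows host with PowerShell and the Win32_Service CIM class. The "Scope" classification is a heuristic based on the account name format and is this example's own convention.

```powershell
# Added example (not from the book): inventory the logon account of every
# service on this computer and classify it by how widely it can be granted
# rights. Built-in and local accounts are confined to this machine; a domain
# account can be given permissions on other computers in the domain and in
# trusting domains, which is what a replication or mail-transfer service needs.

$builtIn = @(
    'LocalSystem',
    'NT AUTHORITY\LocalService',
    'NT AUTHORITY\NetworkService'
)

$computer = $env:COMPUTERNAME

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName } |                     # skip drivers/entries with no logon account
    ForEach-Object {
        $acct  = $_.StartName
        $scope = if ($builtIn -contains $acct) {          # -contains is case-insensitive
            'built-in (this machine only)'
        } elseif ($acct -like '.\*' -or $acct -like "$computer\*") {
            'local account (this machine only)'
        } elseif ($acct -like '*\*' -or $acct -like '*@*') {
            'domain account'                              # DOMAIN\user or user@domain form
        } else {
            'unknown'
        }
        [pscustomobject]@{
            Service   = $_.Name
            Account   = $acct
            Scope     = $scope
            State     = $_.State
            StartMode = $_.StartMode
        }
    } |
    Sort-Object Scope, Account |
    Format-Table -AutoSize
```

Run it on each server in a resource domain; any service that must talk to a peer on another computer should appear with a domain account, and in a master domain model that account should have been created in the master domain as the text recommends. Adding `-ComputerName` to `Get-CimInstance` lets you take the same inventory of a remote server from one console.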

Understanding Dial-Up Access to BackOffice

On many networks, it is important to provide access to users who need to connect from their homes or from a hotel as they travel. Windows NT Server includes the Remote Access Service (RAS). With this service, and the addition of some specialized hardware, you can attach up to 256 modems to a single Windows NT server. Remote users can then use a modem to dial this server and attach to the network. They do not need to have a network adapter in their computer because they will not be attached directly to the network cable plant. A modem-based connection is slower than typical network speeds, even with high-speed modems using compression technology. You can think of remote users as full-fledged users attached to the network through a slow line. Users connected in this way are usually able to access all network services.


To attach 256 modems to a single server, you would need a relatively powerful computer with more than one processor. It might make sense to use two or more computers with fewer modems to provide some redundancy and eliminate single points of failure.

Understanding the Remote Access Service

RAS is a powerful service that can greatly extend the reach, and the usefulness, of your network. By allowing users to connect from remote locations, you can offer them network services almost anywhere.

RAS supports connectivity through three mechanisms:

  • X.25 packet switched networks

  • Integrated Services Digital Network (ISDN) connections

  • Standard telephone line connections utilizing modems

By far the most common means of connecting is the third - standard telephone lines. With relatively high-speed modems (14.4K baud or better) you can get very acceptable performance. Many modems now available include the capability to compress and decompress information on the fly. This can yield an effective throughput rate that is approximately double the rated speed, or better, depending on the type of information you are transmitting.

RAS access is particularly suited to client-server applications that minimize the amount of information transmitted from one computer to another. For example, in a typical database operation, a small query is sent to the database engine on the server. Only the resultant answer set is sent back over the wire. Large indexes are kept and used on the server and need not be transmitted to the (remote) desktop client.

Another method for providing network connectivity to remote users is available from other vendors. This method allows one computer to remotely control a network-attached computer's mouse, keyboard, and display over a modem connection. An advantage of this configuration is improved speed because only typed keystrokes and the resulting screen changes need to be transferred across the wire. The downside is the need to have two computers dedicated to a single user's activity for the duration of the connection. If you need ten active connections, you must have twenty computers, two for each connection.

With the design of RAS, on the other hand, the remote access connection takes the place of the network attachment. No additional locally attached computer is required. All network traffic destined for the client computer is transmitted over the RAS connection. Using RAS to provide ten active connections would require only eleven computers: the server and ten workstations. RAS therefore provides a cost-effective method for remote network access.

Using Remote Access to Connect to Your Server

To connect to a RAS server, you must use special RAS client software. You cannot use standard asynchronous communications software. Fortunately, the RAS client software is included with Windows NT, Windows 95, and Windows for Workgroups. RAS software for Windows and DOS-based systems is included on the BackOffice CD.

The procedures for setting up RAS are covered in more detail in Chapter 7, "Implementing the Remote Access Service," but an overview is presented here to aid in planning:

  1. An administrator configures RAS on one or more servers.

  2. An administrator enables one or more accounts to use RAS.

  3. A user or administrator configures the client software on a desktop computer or laptop that will be used at the remote site.

  4. The user starts the RAS client and dials the RAS server.

  5. The user logs on and is authenticated by the domain controller as a valid user.

After you have made a connection, you can access and use any of the services on the network including shared resources such as files and printers and server-based applications like SQL Server databases.

From Here...

You should now have a better picture of the way Windows NT Server can be used to build a large enterprise network and how individual servers participate. You've also learned some important terminology, and the basics of Windows NT and BackOffice security. In the next chapter, you start to learn exactly how to set up Windows NT Server on a computer, and how to configure it to perform the tasks you've been learning about.
