Special Edition, Using Microsoft BackOffice, Ch. 05

05 - Implementing Windows NT Server

by Joe Lengyel and Larry Millett

  • Tasks associated with installing Windows NT Server - Get instruction on how to verify that the hardware to be used for the server is compatible with the Windows NT Server software. Follow the step-by-step procedures to install the server software and partition the hard disk space.

  • How to overcome a failure during system startup - Learn how to utilize the Last Known Good option and the Emergency Repair disk if the server fails to start.

  • Shutting down and restarting the server - Obtain a firm grasp of how to log on and log off the server for the purpose of shutting down and restarting the server, respectively.

  • How to connect a client workstation to the server - Learn step-by-step instructions on how to connect to the NT Server from a variety of different client workstations. This will enhance your ability to perform the tasks required of a network administrator.

  • How to administer server security and utilize the event log - Learn how to institute appropriate security measures for your server. This includes security for the server itself, security for directory and file access, and security for utilization. Gain an understanding of how to utilize the event log audit trail to monitor system activity.


Windows NT Server is the backbone of Microsoft BackOffice. All BackOffice applications depend on services provided by Windows NT Server, including security, user authentication, and access to shared devices. This chapter discusses installation and use of Windows NT Server.

Verifying Hardware Compatibility

A server's performance directly affects the productivity of everybody who uses it. Select hardware carefully to ensure a fast, reliable system. Important decisions include processor type (Intel or RISC), number of processors, memory, and disk storage.

Windows NT Server comes with the Windows NT Hardware Compatibility List. This separate booklet lists hardware - processors, adapters, disk drives, printers, and more - that Microsoft has tested and found compatible with Windows NT. To minimize the possibility of compatibility problems, you should seriously consider selecting only listed hardware.


Download the latest Hardware Compatibility List from ftp.microsoft.com, http://www.microsoft.com/NT Server/compat.htm, or from Library 1 of the WINNT forum on CompuServe.

System Requirements

Microsoft describes the minimum system requirements for Windows NT Server as a 33 MHz 80386 with 16M RAM and 200M free disk space. This is a liberal interpretation of the word "minimum." The minimum useful configuration includes a Pentium processor, 32M RAM, and 1G disk space. Other BackOffice applications may require additional memory and hard disk space, but the biggest factor is number of users. Microsoft has published a number of worksheets and white papers on planning a Windows NT Server network. See the Planning, Migration, and Deployment page at: http://www.microsoft.com/NTServer/ntstlbr.map?18,195.

Intel versus RISC

The big issue is software execution performance. Yes, a Windows NT RISC machine can run all Windows binaries, but the penalty for Intel emulation is high. If you intend to run any software beyond BackOffice, Intel is the best choice. On the other hand, a 250 MHz Alpha offers truly scorching performance for native applications.

SMP or Uniprocessor

The vast majority of computers have a single central processing unit (CPU). Windows NT is the first Microsoft operating system to support computers with multiple CPUs. Coordinating the work of multiple CPUs is a difficult task, and most solutions can be classified as asymmetric or symmetric. In asymmetric multiprocessing, each processor performs a predefined set of tasks. For example, one processor might run scheduling services while another handles I/O, and other processors handle applications. In symmetric multiprocessing (SMP), the OS dynamically schedules tasks to run on any available processor. Windows NT uses the SMP strategy.

Multiple CPUs can improve performance for a server when tasks are delayed waiting for access to the CPU. It's far more common to find that a server is I/O bound (tasks are delayed waiting for I/O to occur). Adding memory to a CPU bound processor is often an effective alternative to adding processors. SMP is usually more appropriate for an application server (for example, SQL Server) than a domain controller.


Use Performance Monitor to determine whether a server is I/O bound or CPU bound. Processor queue length and disk queue length indicate the degree to which the system is CPU bound or I/O bound, respectively.

Usually, you will need to improve server performance to improve throughput for a particular application. Adding processors will be most effective when that application is designed for SMP. Often, the SMP version of an application will be substantially more costly than the single processor version.

Memory

You can never have too much memory. Start with at least 32 megabytes. Many manufacturers now install non-parity memory in all systems, but an enterprise server requires parity memory. Expect to pay about a 15 percent premium for parity memory. Parity memory adds one extra bit to each byte, and some extra parity checking circuitry. The parity bit indicates whether the data byte contains an even or odd number of 1's. This scheme can detect memory errors.

Modern semiconductor memory is extremely reliable, and many question the value of parity checking. Parity unquestionably adds expense and slows performance. When the system detects a parity error, the only appropriate response is to stop the system. (Error-correcting schemes are possible, but would add substantially more expense and overhead.) Opponents of parity say that failures are extremely rare, and the response to errors (system shutdown) is unsatisfactory. On the other hand, undetected system errors can manifest as bizarre, inexplicable problems, or subtle undetected errors in critical applications. Seymour Cray once designed a computer with non-parity memory. In production, the machines displayed anomalous behaviors ultimately traced to memory errors. Subsequent Cray designs used parity memory.
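The following added example (not from the book) models one parity bit per byte and checks every possible fault pattern, showing why parity can report an error but cannot repair it. Even parity is an assumption here, since the text does not say which polarity is used; the detection behaviour is the same for odd parity.

```python
# Added illustration (not from the book): one parity bit per data byte.
# Assumption: even parity (the total number of 1 bits in the 9-bit word is even).
from itertools import combinations

WORD_BITS = 9  # 8 data bits plus 1 parity bit


def parity_of(value):
    """Return 1 if value contains an odd number of 1 bits, else 0."""
    return bin(value).count("1") & 1


def store(byte):
    """Encode a byte as a 9-bit word; bit 8 is the parity bit."""
    if not 0 <= byte <= 0xFF:
        raise ValueError("byte out of range")
    return (parity_of(byte) << 8) | byte


def check(word):
    """True if the word still has even parity, i.e. no error is detected."""
    return parity_of(word) == 0


def flip(word, positions):
    """Simulate a memory fault by inverting the given bit positions (0-8)."""
    for p in positions:
        word ^= 1 << p
    return word


def detection_rate(bits_flipped):
    """Fraction of all (byte, fault pattern) cases that the parity check catches."""
    detected = total = 0
    for byte in range(256):
        word = store(byte)
        for positions in combinations(range(WORD_BITS), bits_flipped):
            total += 1
            if not check(flip(word, positions)):
                detected += 1
    return detected / total


def candidates(bad_word):
    """Bytes that a single-bit fault could have turned into bad_word.

    Parity says only that some bit is wrong, not which one, so every
    position (including the parity bit itself) is a possible culprit.
    """
    return sorted({flip(bad_word, [p]) & 0xFF for p in range(WORD_BITS)})


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(f"{n}-bit faults detected: {detection_rate(n):.0%}")
    bad = flip(store(0x00), [0])
    print("possible original bytes:", [hex(b) for b in candidates(bad)])
```

Every odd-sized fault is caught and every even-sized fault passes unnoticed, and a detected fault leaves nine equally plausible original bytes, which is why halting is the only safe response.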

Mass Storage

Your Windows NT Server will probably include multiple hard disks, a tape drive and CD-ROM. Windows NT includes excellent support for the Small Computer Systems Interface (SCSI), and the SCSI provides the best support for this variety of mass storage devices. Windows NT Server includes a number of fault tolerance features that work only with SCSI controllers.

Invest in superior performance and reliability. The hard disk subsystem is the hardest working component of a network server, and the component most prone to failure. Invest in a high-end bus-mastering SCSI controller. Windows NT Server provides software implementation for Redundant Array of Inexpensive Disks (RAID) level 0 (disk striping), level 1 (disk mirroring), or level 5 (disk striping with parity) with ordinary IDE or SCSI drives (see "Implementing Disk Mirroring," "Implementing Stripe Sets," and "Implementing Stripe Sets With Parity" later in this chapter). However, IDE controllers can only access one drive at a time, whereas SCSI supports parallel access. Windows NT Server also supports sector sparing (hot fixing) on SCSI drives. When the Windows NT Server fault tolerance driver detects imminent failure in a disk sector, it moves the data to a spare sector with no interruption of service.

Note that Windows NT supports only SCSI tape drives. The popular and inexpensive QIC-40 and QIC-80 tape drives, which run from a floppy controller, are not supported. Almost all high-capacity tape drives are SCSI-based; don't invest in anything less than 2G.

You're unlikely to run multimedia applications on your Windows NT Server, so you need not buy the fastest CD-ROM available. An inexpensive double-speed or quad-speed drive will serve nicely. Windows NT prefers SCSI-based CD-ROMs, but a few proprietary semi-SCSI interfaces are supported. A separate CD-ROM interface will use an expansion slot, an IRQ, and a DMA. You might also consider a fast CD-ROM "jukebox" to share as a network resource. This can be particularly valuable to a software development group because so much developers' documentation is now distributed on CD-ROM.

Power Conditioning

Most desktop computers are protected with inexpensive surge protectors. This might be better than nothing, but it certainly will not suffice for an enterprise server. Manufacturers exploit fear of lightning to sell surge protectors, but small power glitches cause far more problems. An IBM engineer tells the story of a customer whose mainframe computer kept randomly rebooting. After weeks of troubleshooting, a crack team of IBM engineers began to torture test the system. They attacked the machine with diagnostic software, rubber hammers, and huge electrostatic discharges, but the machine shrugged it all off (as it was designed to do). However, the machine continued to reboot unpredictably. The team finally traced the problem to a faulty contact in an elevator shaft. When the elevator passed this contact, a brief short circuit interrupted power on the high voltage loop that supplied the computer. A team of IBM's best engineers spent weeks tracking down this problem, which could have been prevented by simple power conditioning.

Less dramatically, a simple power outage can wreak havoc with SQL Server or Exchange Server. A good uninterruptible power supply (UPS) will include an RS-232 connection to signal the attached server when power fails. This signal can trigger a script to shut down the server in an orderly fashion while running on battery power. Because most power outages last less than a minute, the shutdown script might be triggered by a low battery signal from the UPS, rather than by power failure.

Expect to spend at least $300 for a UPS with good power filtering and signaling capabilities. A better UPS will allow you to monitor power quality. Widely used brands include American Power Conversion, Tripp Lite, Clary, and Liebert. Make it a habit to check the battery each time you shut down the server.

Installing Windows NT Server

The fastest way to install Windows NT is to order it preinstalled on your system. A few vendors now offer this service. Otherwise, Windows NT can be installed from a supported CD-ROM or from a shared network drive.

The following section describes, in detail, a typical installation from a supported CD-ROM. Subsequent sections discuss differences when installing from a shared network drive, and issues in upgrading or replacing an existing operating system.

Installing from a Supported CD-ROM

The typical Windows NT installation kit includes three floppy disks and a CD-ROM. The floppy disks include just enough of the Windows NT operating system (OS) to boot up, mount a supported CD-ROM drive, and continue installation from the CD-ROM. This method does not require any previously installed OS and generally allows the greatest flexibility.

If an OS is already installed on the server, you can install from a supported CD-ROM without benefit of floppy disks. Select the drive containing the Windows NT Server CD-ROM, switch to the appropriate directory for your hardware (for example, I386), and run WINNT /b (WINNT32 /b if your current OS is 32 bit). This can be a convenient option when upgrading a prior version of Windows NT. The process copies all files needed for the installation from the CD-ROM to a local hard drive, updates the system files, and then reboots the computer.


The setup program WINNT.EXE (WINNT32 for 32-bit versions) supports a number of command-line switches. Here are some of the most useful:

  • /b. Install without using floppy disks. Files normally read from the three setup floppy disks are copied from the CD-ROM or network drive to a temporary directory on the local hard drive.

  • /o. Create boot floppy disks only. This option is useful when the floppy disks have been lost or damaged.

  • /i:inffile. Specifies a setup script file. This option is useful for automated installation.

  • WINNT. With no options, this creates the three setup floppy disks and reboots the computer.

  • /?. Display a short description of all available command-line options.


The installation proceeds as an interactive dialog session. The setup program assesses the availability of necessary system resources. If the process encounters a problem, the installation or upgrade will halt. At certain times in the process, the computer will reboot to establish modifications to the computer's configuration. This is normal. If the computer's hard disk drive was originally formatted using MS-DOS, you will notice that it now has dual boot capability. For the duration of the setup process, choose the Windows NT Server 3.5x option when booting.

Follow these steps to install Windows NT Server from a supported CD-ROM:

  1. Insert the setup boot disk in drive A and insert the NT Server CD in the CD-ROM drive. Boot the computer.

  2. The setup process begins with hardware detection.


    Setup stalls during hardware detection. The CD-ROM contains a debug version of the hardware detection program. Use DISKCOPY to make a copy of the original setup floppy disk 1 and then copy \I386\SUPPORT\SUPTOOLS\I386\NTDETECT.COM from the CD-ROM to the floppy disk. The debug version reports progress on-screen as detection proceeds. When the program stalls, the last message on the screen will identify the problem component.

  3. A blue screen with white lettering announces "Windows NT Setup." When prompted, insert Setup Disk Number 2.

  4. Setup switches to 50-line video mode while the Windows NT kernel loads. After another few moments, GUI mode starts with the Welcome to Setup dialog box. Press Enter to continue the process.

  5. Choose Express or Custom setup. Express setup identifies and configures hardware and software, installs Windows NT Server, and creates program groups for all existing applications. Custom setup allows you to customize the location and size of virtual memory swap files, limit the installation of certain software, or specify hardware not recognized automatically. With either method, if the setup program detects an existing Windows NT or Windows 3.x installation, it provides the option to upgrade or install to a different directory. Express installation is described here.

  6. You will encounter a dialog box concerning mass storage devices not long into the process. These mass storage devices will not include IDE or EIDE hard drives. Only SCSI drives, CD-ROM drives, or special disk controllers will be listed. If you know these SCSI devices are present, but are not listed as mass storage devices, cancel the setup program at the first opportunity. Check the connections and configuration of these devices. Consult the vendor if necessary.

  7. For a new installation of Windows NT Server, the program prompts for an install directory. If the target drive has not been formatted or partitioned, the setup program runs Disk Administrator to create disk partitions. Supply partition information as it is requested. During an upgrade, program files are copied to the drive and directory where the current OS resides.

  8. You need to provide a unique name and state the domain preference for this computer. This means deciding if this computer will be a primary domain controller, a backup domain controller, or a file and print server. If this computer will be joining an existing domain, you must supply the name of that domain. If this computer will be creating a new domain, supply a unique domain name.

  9. Select the licensing mode you will employ for this server. The options are as follows:

    • Licenses per server

    • Licenses per seat

    Determine the number of users this server will support in advance. Take into consideration network growth. In either case, you must complete the License Agreement dialog box.

  10. Supply a language preference for this server. English is the default. Click OK to continue.

  11. Identify local printers. If you want, you can skip this step and establish the local printers later. Click OK to continue.

  12. Express Setup identifies installed network adapter cards automatically if possible.

  13. If you do not choose to install the Remote Access Services, setup displays the Network Adapter Setup dialog box. You are asked to identify the name of the network adapter card you want to use, which includes supplying the correct name and settings for the card in use.

  14. You are presented with the Network Protocols dialog box. Choose the protocol that meets the needs of the network.

  15. Choose a domain name for the computer. Unless you are joining an existing domain, you must choose a domain name that does not already exist. Use a unique, mnemonic name that is easy to remember and suggests its purpose.

  16. You should create an administrator account for the server. Use a unique, mnemonic logon and password.


    By default, Windows NT Server sets up an account for user Administrator with no password. This account has full access to everything on the server. Obviously, this represents a security risk. Microsoft recommends that you add a password for this account, add at least one other administrator account with a different user ID and password, and then disable the Administrator account. Windows NT Server will not allow you to disable or delete the last active administrator account.

  17. The setup program now establishes the Program Manager and creates program groups and items. You are prompted to verify the correct date and time. Correct the date and time, if necessary, and click OK to continue.

  18. The setup program attempts to detect the display in use. The display and video adapters should be on the hardware compatibility list. Verify the display in the dialog box. Click OK to continue.

  19. The Display Settings dialog box appears. At this time, you can choose the display resolution, colors, and more. You may use the default settings or customize the settings. Click Cancel to select the default settings. If customizing the settings, you must test and save them before proceeding. Verify the settings you desire and click Test. The display changes to demonstrate the results of your selections. If these are acceptable, save them and continue.

  20. An Emergency Repair disk is created as the last step of the setup process. This disk contains Windows NT Registry information. In the event your system fails, this disk can be used to re-create the configuration preferences you have established. Creating an Emergency Repair disk is an option, but one that is strongly recommended.

  21. Click Yes to create this disk. Insert a blank diskette into the floppy disk drive and click OK to continue. When the disk has been created, the installation process is complete. Be sure to label the Emergency Repair disk and keep it in a safe place.


It is a good idea to also make a backup copy of the Emergency Repair Disk using the Copy Disk command in File Manager. Store it in a safe place too.

Installing from a Network Drive

Installing from the network requires an MS-DOS-based network and a shared directory that points to the network directory where the setup program resides. You can run the setup program from any computer running Windows NT, Windows for Workgroups, LAN Manager, Novell NetWare, or Banyan VINES. After establishing a connection to the shared network directory, copy all files located in the \I386 subdirectories to the computer on which NT is being installed.

After copying all installation files from the network, switch to the local drive and directory containing the installation files and run WINNT /b (WINNT32 /b from NT or Windows 95).


The network installation procedure can be modified slightly to install from an unsupported CD-ROM. Just copy all files from the \I386 directory on the NT Server CD to a local hard drive and run WINNT /b.

Configuring Hard Disk Space

Windows NT Server provides a range of options for configuring disk space. Determine your needs based on three factors: performance, fault tolerance, and efficient use of disk space. For best performance, use a stripe set without parity. For fault tolerance, use a stripe set with parity (better read performance) or a mirror set (better write performance). For the most efficient use of disk space, Windows NT Server 3.51 supports file compression. See "Implementing Disk Mirroring," "Implementing Stripe Sets," and "Implementing Stripe Sets With Parity" later in this chapter.


You should create a new Emergency Repair Disk after any disk configuration changes. See "Creating an Updated Emergency Repair Disk" later in this chapter.

Windows NT Server's Disk Administrator tool makes it easy to get the most from your hard disk subsystem. This tool provides a graphical interface for a variety of functions:

  • Creating primary and extended partitions

  • Formatting volumes

  • Creating a volume set from several partitions

  • Creating mirror sets for fault tolerance (RAID level 1)

  • Creating stripe sets for improved performance (RAID level 0)

  • Creating stripe sets with parity for fault tolerance (RAID level 5)

To use Disk Administrator effectively, you must first understand a few basic concepts. These concepts are discussed in the next section.

Disks, Partitions, Volumes, and Free Space

A disk is a physical hard drive. Windows NT Server does not allow you to work with smaller physical units (platters, heads, cylinders, and so on).

A partition is a portion of a disk that the OS treats as an independent logical device. A partition can be primary or extended. An extended partition can be further subdivided; a primary partition cannot. A primary partition can be formatted, but an extended partition must have additional structures defined before formatting. Each disk can have up to four partitions; only one can be an extended partition.


MS-DOS supports only one primary partition per disk. If you create more than one primary partition on a disk, Disk Administrator warns you that the new partition will be inaccessible from MS-DOS.

If you want to dual-boot Windows NT Server and MS-DOS, the first primary partition on the first physical disk (disk 0) must be large enough to contain all shared files. This shared partition must not be compressed.

Windows NT Server defines two important partitions: system and boot. The naming is counter-intuitive: the system partition contains platform-specific files necessary to boot Windows NT Server, and the boot partition contains Windows NT Server system files. The system partition must be a primary partition on the first physical disk (disk 0). The boot partition can be the same as the system partition (recommended) or can be separate. Neither the system partition nor the boot partition can be part of a volume set or a stripe set. Disk Administrator cannot modify the system partition.

A logical drive is a set of disk space in an extended partition that may be formatted with a file system. An extended partition might contain several logical drives, no logical drives, or portions of many logical drives.


By default, Windows NT Server assigns a drive letter to each primary partition and logical drive. Use Disk Administrator to assign drive letters to volumes permanently and arbitrarily (Tools, Drive Letter). This means that you can add new logical drives and primary partitions without disrupting existing configurations and scripts.

A volume is a formatted primary partition or logical drive. Free space is hard disk space not assigned to a logical drive or primary partition. It includes unpartitioned space and space in extended partitions not yet assigned to a logical drive.


A primary partition is designed to contain startup files for an operating system. Unless you need to maintain an alternative OS on your Windows NT Server, you should create one small (200M to 300M) primary partition on Disk 0, one extended partition for all remaining space on Disk 0, and one extended partition containing all space for each additional drive.

Creating a Primary Partition

The first partition on the first hard disk should be a primary partition. This partition stores the NT Server startup and system files.

Follow these steps to create a primary partition with Disk Administrator:

  1. Log on as an administrator. Start Disk Administrator from the Administrative Tools program group. You see the Disk Administrator main window, as shown in figure 5.1.

    Fig. 5.1 - The Disk Administrator main window that is used to create a primary disk partition.

  2. Click on an area of free space in which to create the primary partition. Make sure that the free space you select is not part of an extended partition.


    Disk Administrator marks free space with diagonal lines. If the lines run upward from left to right, the free space is unpartitioned. If the lines run upward from right to left, the free space is part of an extended partition.

  3. Select Partition, Create from the Disk Administrator main menu. If this is not the first primary partition on the disk, you see a warning that the new partition will not be accessible from MS-DOS. Click OK to close the message box.

  4. You see the Create Primary Partition dialog box depicted in figure 5.2. Specify a size for the new partition and click OK.

    Fig. 5.2 - The Create Primary Partition dialog box used to specify the primary partition size.

  5. Select Partition, Commit Changes Now from the Disk Administrator main menu. You see a Confirm message box. Click Yes to confirm that you want to update your disk configuration.


    Disk Administrator does not update your hard disk until you commit partition changes. If you exit before committing changes, Disk Administrator will pop up the Confirm message box to allow you to commit changes before exiting.

    Unlike the MS-DOS fdisk utility, Disk Administrator does not require you to restart the computer after changing partitions.

    The new primary partition must be formatted before use. See "Formatting Logical Drives and Primary Partitions" later in this chapter.

Creating an Extended Partition

An extended partition provides the best flexibility for configuring Windows NT Server disk space. Perform the following steps to create an extended partition with Disk Administrator:

  1. Log on as an administrator. Start Disk Administrator from the Administrative Tools program group. You see the Disk Administrator main window (refer to fig. 5.1).

  2. Click on an area of free space in which to create an extended partition. Make sure that it is not already part of an extended partition.

  3. Choose Partition, Create Extended from the Disk Administrator main menu.

  4. You see a Create Extended Partition dialog box similar to the one shown in figure 5.3. Specify a size for the new partition and click OK.

    Fig. 5.3 - The Create Extended Partition dialog box used to create an extended disk partition.

  5. Select Partition, Commit Changes Now from the Disk Administrator main menu. A Confirm message box appears. Click Yes to confirm that you want to update your disk configuration.

Creating a Logical Drive on an Extended Partition

The simplest way to use an extended partition is to create a logical drive. A logical drive can be formatted and used just like a primary partition, except that it cannot be the Windows NT system partition.

Follow these steps to create a logical drive on an extended partition:

  1. Log on as an administrator. Start Disk Administrator from the Administrative Tools program group. You see the Disk Administrator main window (refer to fig. 5.1).

  2. Click on an extended partition on which to create a logical drive.

  3. Select Partition, Create from the Disk Administrator main menu.

  4. You see the Create Logical Drive dialog box shown in figure 5.4. Specify a size for the new logical drive and click OK.

    Fig. 5.4 - The Create Logical Drive dialog box used to create logical drives for an extended partition.

  5. Select Partition, Commit Changes Now from the Disk Administrator main menu. A Confirm message box appears. Click Yes to confirm that you want to update your disk configuration.

Formatting Logical Drives and Primary Partitions

Newly created primary partitions and logical drives must be formatted before they can be used. Formatting installs and initializes a file system on the selected disk space.

Follow these steps to format a logical drive or primary partition using Disk Administrator:

  1. Log on as an administrator. Start Disk Administrator from the Administrative Tools program group. You see the Disk Administrator main window (refer to fig. 5.1).

  2. Click on the primary partition or logical drive you want to format.

  3. Select Tools, Format from the Disk Administrator main menu. The Formatting dialog box appears (see fig. 5.5).

    Fig. 5.5 - The Formatting dialog box with the NTFS file system default.

  4. Select the File Allocation Table (FAT) file system or the NT File System (NTFS). For best performance, use NTFS wherever possible.

  5. Specify a volume label, if desired.

  6. The Quick Format option installs a file system in the selected volume without checking for errors.

  7. Click OK to proceed with the format. Disk Administrator warns you that formatting will destroy the current contents of the volume. Acknowledge the warning and continue. A bar graph shows progress (percent complete) as the format proceeds.


Windows NT supports three file systems: File Allocation Table, or FAT (from DOS), High Performance File System, or HPFS (from OS/2), and NT File System, or NTFS. Disk Administrator only allows you to format with FAT or NTFS.

To format a primary partition with HPFS, type format d: /fs:hpfs (where d: is the primary partition you want to format) at a command prompt.

Implementing Disk Mirroring

Disk mirroring provides protection against hard disk failure by maintaining an exact copy of a partition on a separate physical drive. If one drive in a mirror set fails, no data will be lost.

Disk striping with parity offers a similar degree of fault tolerance. However, disk mirroring is the only fault tolerance option available for the system partition.

Follow these steps to configure a mirror set:

  1. Log on as an administrator. Start Disk Administrator from the Administrative Tools program group. The Disk Administrator main window appears (refer to fig. 5.1).

  2. Select the partition you want to mirror. Hold down Ctrl and select an equal size area of free space on a different disk.

  3. Select Fault Tolerance, Establish Mirror from the Disk Administrator main menu. The Establish Mirror dialog box appears.

  4. If you are mirroring the system partition, you see a message box to that effect. Click OK.

  5. Select Partition, Commit Changes Now from the Disk Administrator main menu. Disk Administrator warns that the system must be restarted. Click Yes to confirm and restart the system.

  6. After restarting, the new mirror set will initialize. This will degrade performance temporarily (for a few minutes or hours depending on the size of the mirror set) while the data is replicated.

Implementing Volume Sets

A volume set joins two or more noncontiguous areas of free space into a single logical drive. You could use a volume set, for example, to create a single 4G logical drive spanning four 1G disks. A volume set may span up to 32 physical disks. Once formatted, a volume set functions as a single volume.

Perform the following steps to create a volume set. Note that you will have to restart the computer at the end of the procedure.

  1. Log on as an administrator. Start Disk Administrator from the Administrative Tools program group. The Disk Administrator main window appears (refer to fig. 5.1).

  2. Hold down Ctrl and click two or more areas of free space.

  3. Select Partition, Create Volume Set from the Disk Administrator main menu. The Create Volume Set dialog box appears, as shown in figure 5.6.

    Fig. 5.6 - The Create Volume Set dialog box is used to specify the size of a volume set.

  4. Specify the desired size for the new volume set. Click OK.

  5. Select Partition, Commit Changes Now from the Disk Administrator main menu. Disk Administrator warns you that the system must be restarted. Click Yes to confirm and restart the system.

  6. After creating a volume set and restarting the system, format the new logical drive.

You can also create a volume set by extending an existing volume. Extending appends free space to an existing volume or volume set. Only volumes formatted with NTFS may be extended; stripe sets, mirror sets, and the system partition can never be extended.

Follow these steps to extend a volume:

  1. Log on as an administrator. Start Disk Administrator from the Administrative Tools program group. The Disk Administrator main window appears (refer to fig. 5.1).

  2. Click the volume you want to extend. Hold down Ctrl and click one or more areas of free space.

  3. Select Partition, Extend Volume Set from the Disk Administrator main menu. The Extend Volume Set dialog box appears, as shown in figure 5.7.

    Fig. 5.7 - The Extend Volume Set dialog box allows you to specify the size of an extended volume set.

  4. Specify the desired size for the new volume set. Click OK.


You need not commit changes or format the new space when extending a volume set.

Implementing Stripe Sets

Because disk access is efficiently spread across multiple physical disks, stripe sets offer the best disk performance available under Windows NT. Data is divided into 64K blocks, with consecutive blocks placed on separate disks. This strategy requires that the stripe set occupy equal space on each disk.


To obtain enhanced performance from a stripe set, the disks must support independent read/write access. A stripe set spanning two hard drives attached to a single IDE controller will not provide enhanced performance because the controller can only access one drive at a time. Even if your system has two IDE controllers (the IDE specification allows only two), you could only usefully implement stripe sets with two stripes. SCSI controllers, by contrast, do support multiple independent read/write operations and are therefore a good choice for implementing this type of disk drive technology.

Perform the following steps to implement a stripe set. As with volume sets, creating a stripe set requires a system restart:

  1. Log on as an administrator. Start Disk Administrator from the Administrative Tools program group. The Disk Administrator main window appears (refer to fig. 5.1).

  2. Hold down Ctrl and click one area of free space on each disk to be included in the stripe set (at least two).

  3. Select Partition, Create Stripe Set from the Disk Administrator main menu. The Create Stripe Set dialog box appears.

  4. Specify the desired size for the new stripe set. The default will be the combined size of all selected free space, but Disk Administrator will actually use an equal amount of free space from each drive. The size you select should be an even multiple (in megabytes) of the number of disks in the stripe set. Specify an appropriate size and click OK.

  5. Select Partition, Commit Changes Now from the Disk Administrator main menu. Disk Administrator warns you that the system must be restarted. Click Yes to confirm and restart the system.


If any disk in a stripe set fails, all data in the entire stripe set will be lost. The presence of multiple disks actually increases the probability of failure. Do not use stripe sets where the cost of failure is very high. Always maintain a current backup of all data in a stripe set.

Implementing Stripe Sets With Parity

Stripe sets with parity (RAID level 5) have become a very popular fault tolerance strategy. The concept is similar to a regular stripe set: data is spread across multiple disks in 64K blocks. However, this method adds redundant data so that if one disk in the set should fail, data can be reconstructed from the remaining disks. The redundant data is known as parity information. Parity information is also spread across all disks in the set, so that the parity information is always on a separate disk from the data it describes. The disk space required for parity information varies with the number of disks in the stripe set: for three disks, one third; for four disks, one fourth; and for five disks, one fifth. Information theory places a lower limit on the amount of parity information required to represent a volume of data, however, so the 1/n relation only holds for smaller numbers of disks.

A stripe set with parity must span at least three physical disks and can span up to 32. As with regular stripe sets, IDE drives that do not support independent disk access are ill-suited for this purpose.
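The parity scheme described above, worked through in Python as an added example (it is not code from the book or from Windows NT). It assumes XOR parity, as RAID 5 uses, and a simple rotation that places parity on disk number row mod n; the chapter does not give NT's on-disk layout, and all function names are illustrative.

```python
# Added example: a stripe set with parity (RAID 5) modelled in memory.
# Assumptions: XOR parity; parity block of each row sits on disk (row mod n).
from fractions import Fraction

BLOCK = 64 * 1024  # block size the chapter gives for NT stripe sets


def xor_blocks(blocks):
    """XOR equal-length byte strings into one block."""
    acc = 0
    for b in blocks:
        acc ^= int.from_bytes(b, "big")
    return acc.to_bytes(len(blocks[0]), "big")


def write_stripe_set(data, n_disks, block=BLOCK):
    """Lay data out in rows of n_disks-1 data blocks plus one parity block."""
    if not 3 <= n_disks <= 32:
        raise ValueError("a stripe set with parity spans 3 to 32 disks")
    row_bytes = (n_disks - 1) * block
    padded = data + b"\0" * (-len(data) % row_bytes)  # fill the last row
    disks = [[] for _ in range(n_disks)]
    for row, off in enumerate(range(0, len(padded), row_bytes)):
        chunks = [padded[off + i * block: off + (i + 1) * block]
                  for i in range(n_disks - 1)]
        parity_disk = row % n_disks  # rotate so parity is spread over all disks
        remaining = iter(chunks)
        for d in range(n_disks):
            disks[d].append(xor_blocks(chunks) if d == parity_disk
                            else next(remaining))
    return disks


def rebuild(disks):
    """Replace one failed disk (marked None) with blocks rebuilt from the rest."""
    failed = [i for i, d in enumerate(disks) if d is None]
    if len(failed) > 1:
        raise ValueError("parity can rebuild only one failed disk")
    if not failed:
        return list(disks)
    survivors = [d for d in disks if d is not None]
    # XOR of all blocks in a row is zero, so the missing block (data or
    # parity) equals the XOR of the surviving blocks in that row.
    rebuilt = [xor_blocks(row) for row in zip(*survivors)]
    return [rebuilt if d is None else d for d in disks]


def read_stripe_set(disks, length):
    """Reassemble the original bytes, skipping the parity block of each row."""
    out = bytearray()
    n = len(disks)
    for row in range(len(disks[0])):
        for d in range(n):
            if d != row % n:
                out += disks[d][row]
    return bytes(out[:length])


def parity_fraction(disks):
    """Share of raw space holding parity: one block per row of n blocks."""
    rows = len(disks[0])
    return Fraction(rows, rows * len(disks))


if __name__ == "__main__":
    sample = bytes(range(256)) * 1000  # constructed sample data, 256,000 bytes
    disks = write_stripe_set(sample, 4)
    damaged = [None if i == 2 else d for i, d in enumerate(disks)]
    repaired = rebuild(damaged)
    print("parity share of raw space:", parity_fraction(disks))
    print("data intact after rebuild:",
          read_stripe_set(repaired, len(sample)) == sample)
```

Losing a second disk before the first is rebuilt raises the error in `rebuild`, which is the case a current backup still has to cover.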

Follow these steps to set up a stripe set with parity.

  1. Log on as an administrator. Start Disk Administrator from the Administrative Tools program group. The Disk Administrator main window appears (refer to fig. 5.1).

  2. Hold down Ctrl and click one area of free space on each disk to be included in the stripe set. You will need to select at least three.

  3. Choose Fault Tolerance, Create Stripe Set With Parity from the Disk Administrator main menu. The Create Stripe Set With Parity dialog box appears.

  4. Specify the desired size for the new volume. The default will be n times the smallest amount of free space on any selected disk, where n is the number of disks in the stripe set. Specify an appropriate size and click OK.

  5. Choose Partition, Commit Changes Now from the Disk Administrator main menu. Disk Administrator warns you that the system must be restarted. Click Yes to confirm and restart the system.

Exploiting the Last Known Good Feature

The Last Known Good feature in Windows NT allows you to start the system with a previous configuration, known as the last known good configuration. This feature can save the day when configuration changes render a server unbootable. Each time the server boots successfully, the current configuration is saved as the last known good configuration.


The configuration is actually saved when the first user successfully logs on after startup. To avoid saving the current startup configuration as the last known good, reset the system before logging on.

During startup, right after Windows NT switches to the blue screen, you can invoke the last known good configuration by simply pressing the space bar. Be aware that successful changes made during a previous session will be lost by using the Last Known Good feature.

The Emergency Repair Disk

In the event your system fails (that is, the system files, boot sector, or boot.ini file become corrupted), and you are unable to restart the computer using the Last Known Good option, an Emergency Repair can be performed to restore system-type files and configuration preferences established prior to the failure. To repair a Windows NT Server installation, Windows NT Setup uses information saved on the Emergency Repair disk (ERD) or in the Windows subdirectory called REPAIR.

During installation of Windows NT Server, you are provided the option of creating an ERD. Regardless of whether the disk is created at that time, repair information is written to the REPAIR subdirectory. During a repair of the system, you can direct the program to use the ERD, or the information in the REPAIR subdirectory. If the repair process is successful, the computer will be returned to the condition it was in after the last update to the repair information. Refer to "Installing Windows NT Server" earlier in this chapter for more information on creating the Emergency Repair disk during Windows NT Server installation.

Creating an Updated Emergency Repair Disk

NT Server automatically creates repair information during installation. However, this information is not maintained dynamically. As the complexion of the server changes due to installation of additional software, you should update the ERD.

The repair disk utility updates repair information and creates an ERD in separate steps. You can update repair information in the REPAIR subdirectory without creating a new ERD. If you create an ERD without first updating the repair information, the ERD will reflect an old configuration. Normally, you will want to update repair information and then create a new ERD.

Follow these steps to update repair information and create a new ERD:

  1. Log on as an administrator.

  2. Run the RDISK.EXE program (normally found in the WINNT35\SYSTEM32 directory). The Repair Disk Utility message box appears. It tells you the purpose of the utility and warns you against using it as a backup tool. It also has four buttons: Update Repair Info, Create Repair Disk, Exit, and Help.

  3. Click Update Repair Info. The utility updates the repair information stored in the REPAIR directory.

  4. Click Create Repair Disk. The program prompts you to insert a floppy disk.


    Make sure that the disk you are using for the Emergency Repair disk does not contain important files. Creation of the disk erases all files previously saved on it. Also, know that the Emergency Repair disk is not a boot disk. Trying to boot your machine with it will be unsuccessful.

  5. The program formats the floppy disk inserted in step 4 and copies repair information onto the disk.

  6. Click Exit to close the Repair Disk Utility.

When you create the ERD, the following files are copied from the REPAIR subdirectory to the floppy:

  • AUTOEXEC.NT

  • CONFIG.NT

  • DEFAULT._

  • SAM._

  • SECURITY._

  • SETUP.LOG

  • SOFTWARE._

  • SYSTEM._

The ERD is PC specific and should only be used with the PC on which it was created. Make backup copies of the disk in case the original is corrupted. Be sure to store it in a safe place. Place a label, with the date and description, on each disk created.

Understanding the Emergency Repair Process

Before performing an emergency repair, check to make sure that what the process is attempting to fix is the probable cause of the boot failure. Remember, the server is down, and end users are waiting to use its resources. Use your time wisely and economically to determine the source of the problem and eradicate it. If you have been running Windows NT successfully and it fails to boot, you can use the following simple procedure to try and recover:

  1. Verify that the problem has not been caused by changes or failures in hardware. Check all cables for loose or bad connections. Verify new settings on existing hardware. Make sure that any new cards or drives are compatible and have been installed correctly. Any of these can be the cause of boot problems.

  2. Try using the Last Known Good option at the OSLOADER screen. Obviously, this option is only useful if the machine has no hardware problems.

If the preceding options do not succeed, you will need to perform an Emergency Repair. It is useful to know what occurs when performing this procedure. The following steps are performed by the Emergency Repair process:

  1. CHKDSK is run on the disk partition containing Windows NT system files. On x86-based computers, CHKDSK also is run on the system partition. This verifies that every file in the installation is good through a checksum algorithm. If files are missing or corrupt, they can be restored from the Windows NT Server installation software.

  2. The default system and security registry archives are replaced. Each replacement is contingent upon user confirmation.

  3. The boot loader is reinstalled.

The repair process allows you to repair one or more of the following:

  • System files. Setup checks the Windows NT directory tree against the log file on the Emergency Repair disk to ensure that all system files are present. If they are missing or corrupt, they can be restored. It also checks the Windows NT files on the system partition and verifies that they are present and in good order.

  • Default system configuration. Setup checks the Registry for errors. If any configuration errors are found, you will have the option of restoring a setting to what it was when Windows NT was installed. User accounts and file security added since installation will be lost, unless they were backed up in \%SYSTEMROOT%\SYSTEM32\CONFIG or updated on the Emergency Repair disk using the Repair Disk Utility.

  • Boot variables. Setup restores the boot variables for a particular installation on the hard disk. You must provide the Emergency Repair disk for this option.

  • Boot sector (x86-based only). Setup writes a new boot sector on the system partition. If any files are missing or corrupt, the repair restores them from the appropriate Windows NT Setup disk or CD. If you have accidentally changed the system partition on your x86-based computer so that NT no longer starts, Repair restores the original boot configuration so that Windows NT can be started.


The Emergency Repair disk may be unable to restore some of the Windows NT system files if additional drivers or third-party software were added after the installation. This includes display and printer drivers, network software, audio adapters, and any other software copied to the system after the Windows NT Server installation. The Emergency Repair disk will have no information on these files and will be unable to verify them. Troubleshooting and restoration of such files must be done manually, rather than with the Emergency Repair disk. Think about using backup tapes to restore such drivers.

See "Making Backups," (Ch. 6)

Performing an Emergency Repair

To execute a repair on an x86-based computer, perform the following tasks:

  1. If you installed Windows NT using the original Setup floppies, CD, or WINNT.EXE, start setup just as you did originally. That is, insert the first Setup Boot Disk in drive A and start the computer.

  2. When prompted, type R to indicate that you want to repair Windows NT files.

  3. Setup asks you for the Emergency Repair disk. If you do not have one, Setup presents a list of the NT installations that it found on the computer, and you can pick one.

  4. Follow the instructions on the screen, inserting the Emergency Repair disk in drive A and providing any other Windows NT Setup disks as requested. You will be allowed to choose what should be restored. You can bypass a repair on one or more items, but it is not recommended.

  5. When the final message appears, remove the Emergency Repair disk and restart the computer.

To execute a repair on a RISC-based computer, perform the following tasks:

  1. Start the NT Setup program as instructed in your manufacturer's supplied documentation. Starting Setup can vary by machine type.

  2. When prompted, type R to indicate that you want to repair Windows NT files.

  3. Follow the instructions on the screen, inserting the Emergency Repair disk in drive A and providing other Windows NT Setup disks as requested.

  4. When the final message appears, remove the Emergency Repair disk and press Enter to restart the computer.

Logging On and Off

Normally Windows NT Server will run with nobody logged on to the local machine. Many remote users may log on for the purpose of accessing services, but a local user typically logs on only for server administration or maintenance.

Follow these steps to log on to the Windows NT Server:

  1. Press Ctrl+Alt+Del. The Welcome dialog box appears.


    You can customize the Welcome dialog box. Add the values LegalNoticeCaption and LegalNoticeText to the registry key \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. The text you enter appears as the caption and text, respectively, of a message box that is displayed before the Welcome dialog box. The user must click OK in this message box to continue the logon process. Use this feature to provide fair warning of the consequences of unauthorized access attempts.

  2. Type a valid User ID in the Username box.

  3. If you are logging on to a domain server, select the domain name in the From drop-down list box. Otherwise, select the name of the local machine.

  4. In the Password box, type the password for the User ID entered in step 2.

  5. Click OK or press Enter.


Your logon fails.
The password in Windows NT is case sensitive. Check Caps Lock and retype your password. The User ID is not case sensitive.

Never walk away from an NT Server while logged on locally as an administrator. The intuitive interface makes it easy for any user to make drastic changes to your network configuration (for example, Disk Administrator, delete partition). Even a well-intentioned person can commit an expensive blunder.

After completing administrative tasks, follow these steps to log off the server:

  1. Press Ctrl+Alt+Del. The Windows NT Security dialog box appears.

  2. Click the Logoff button.

  3. A confirmation message box appears. Click Yes.

You may also log off by choosing File, Logoff from the menu in Program Manager.

Shutting Down and Restarting the Server

Occasionally, you will need to shut down the server for routine maintenance or equipment upgrades. Configuration changes often require restarting the server, and a restart begins with a shutdown. It's important to perform an orderly shutdown to avoid data loss.

Because a shutdown disconnects all clients, try to schedule configuration changes for periods of low activity. It's also wise to advise concerned users in advance of any scheduled downtime.

Perform the following steps when restarting the server:

  1. Log on as an administrator.

  2. Open Control Panel and select the Services icon. Select the Server service and click Pause. Pausing the Server service prevents new users from logging in. Close Control Panel.

  3. Shut down active applications such as SQL Server, Exchange Server, and so on. Shutting down these services may also require disconnecting users.

  4. Use Server Manager to contact active users. Select Computer, Send Message, and compose a message asking them to log off. Wait a few minutes to allow them to comply.


    Sixteen-bit Windows clients must be running the WinPopup program to receive messages sent in this fashion.

  5. Use Server Manager to disconnect any users who could not be contacted. Select Computer, Properties and click Users in the Properties dialog box. Click Disconnect All in the User Sessions dialog box.

  6. Press Ctrl+Alt+Del. The Windows NT Security dialog box appears.

  7. Click Shutdown.

  8. The Shutdown Computer dialog box appears. To shut down without an immediate restart, click Shutdown and then click OK. To restart the server, click the Shutdown and Restart button, click OK, and continue with step 9.

  9. The server restarts.

  10. Log on as an administrator.

  11. Restart applications and services. Verify successful restart.

  12. Notify users that the server is available.

  13. Log off.


Configuration changes often require a restart before becoming effective. Such changes include installing new or updated drivers and installing certain applications. In such cases, a restart dialog box appears immediately after completing the configuration change. When you know that a configuration change requires a restart, first complete steps 1 through 5 in the preceding list.

Getting Connected from a Client Workstation

Most users will interact with Windows NT Server through client workstations. Client sessions typically involve several activities: logging on, using file and print services, using other application services (SQL Server, Exchange Server, and so on), and logging off. A network administrator must know how to configure a variety of workstations to properly perform these tasks.

DOS

Prior versions of Windows NT used software called The Workgroup Connection for DOS to connect DOS workstations. Windows NT Server 3.5x allows you to generate a client setup disk. The software contained on this disk takes better advantage of the Windows NT Server environment, and The Workgroup Connection for DOS should no longer be used.

Windows workstations use the same client software as DOS workstations. Using the PC on which Windows NT Server has been installed, perform the following steps to create a client setup kit for Windows and DOS workstations:

  1. Label two formatted high-density floppy disks as Windows NT Server DOS Client Setup Disks 1 and 2.

  2. Insert the Windows NT Server CD-ROM in your CD-ROM drive.

  3. Start Network Client Administrator from the Network Administration program group to display the Network Client Administrator dialog box (see fig. 5.8).

    Fig. 5.8 - The Network Client Administrator dialog box is used to install or update client workstations.


    Network Client Administrator can create either a single network installation startup disk or a set of installation disks. The single disk allows a workstation to boot up, connect to a Windows NT Server, and download the rest of the needed client files. Although this may seem convenient, there are a number of severe limitations:

    • The disk must boot with the same version of DOS as the target workstation. A different disk is required for every DOS version on your network.

    • The disk is specific to a single type of network interface card (NIC). A different disk is required for each type of NIC on your network.

    • You must copy all the client setup files to a shared directory on the server.

    • If the procedure fails, you will have to use the multidisk setup kit.

    For these reasons, it's best to always use the multidisk install set. The only exception would arise if you have to install many systems of the same type. Then the shortcomings of this method may be offset by an overall time savings, and the avoidance of swapping diskettes during each install.

  4. Click the Make Installation Disk Set radio button to select the option, and then click Continue. The Share Network Client Installation Files dialog box appears (see fig. 5.9).

    Fig. 5.9 - The Share Network Client Installation Files dialog box allows you to specify the source of the client installation files.

  5. Type D:\CLIENTS (where D: is the letter for your Windows NT Server CD-ROM) in the Path text box.

  6. Click Use Existing Path to select the option.

  7. Click OK to display the Make Installation Disk Set dialog box in figure 5.10.

    Fig. 5.10 - The Make Installation Disk Set dialog box appears when you click OK in the Share Network Client Installation Files dialog box.

  8. Select Network Client v3.0 for MS-DOS and Windows.

  9. Select a Destination Drive.

  10. Insert the floppy disk labeled Disk 1 in the destination drive and then click OK.

  11. Swap disks as prompted.

Follow these steps to install client software at a DOS or Windows 3.1 workstation:

  1. Identify the make and model of the workstation's NIC. You also need to know the card's IRQ and I/O port settings.

  2. Insert the Windows NT Server DOS Client Setup Disk 1 in the workstation's floppy drive. At the DOS command prompt, type A:SETUP (or B:SETUP, if appropriate) and press Enter.

  3. You will see a typical Microsoft character mode setup screen. Press Enter to proceed.

  4. The default directory for installation of the client software is C:\NET. Either accept this default or change it as desired. You may not install the software in the Windows directory of a Windows 3.1 workstation.

  5. The network drivers use memory on the client. Allocating more memory to the drivers can improve performance, but leaves less memory for other applications. At this point, a dialog box allows you to press Enter to maximize performance; press C to conserve memory.

  6. Enter a computer name of up to 15 characters consisting of letters, numbers and/or the special characters {, }, !, #, $, %, ^, &, (, ), _, ', and ~. The name must be unique: it cannot match any other computer name or domain name in the network.

  7. The main setup menu appears (see fig. 5.11). Select Change Names to set the user name, workgroup name, and domain name. Enter the appropriate names, and select The Listed Names Are Correct to return to the main setup menu.

    Fig. 5.11 - The Network Client main setup menu allows you to set up a client workstation from a DOS prompt.

  8. Select Change Setup Options. The Network Client Setup Options screen appears, as shown in figure 5.12.

    Fig. 5.12 - The Network Client main setup options screen facilitates a client workstation installation.

  9. Select the Full Redirector or Basic Redirector. The Full Redirector is required for Windows or for dial-in networking. In most other cases, the Basic Redirector is adequate and uses less memory.

  10. Decide whether to run the network client and the Net Pop-up utility at system startup. If you run the network client, you may also decide whether to log on to a domain during startup. If you choose to load the Net Pop-up, you may change the default hot key (Alt+N) to another letter. For most users, you will probably want to run the network client, but not the pop-up (which, of course, consumes additional memory), and log on to a domain.

  11. Select The Listed Options Are Correct to return to the main setup menu.

  12. Select Change Network Configuration to configure the network adapter and protocols. The Network Client screen appears (see fig. 5.13).

    Fig. 5.13 - The Network Client screen allows you to specify the network adapter and protocol for the client being installed.

  13. Select the correct network adapter for the workstation in the Installed Network Adapters box. Then select Change Settings in the Options box.

  14. Verify that the Driver, Interrupt, and I/O settings are correct. Change incorrect settings. Select The Listed Options Are Correct to return to the Network Client screen. Repeat steps 13 and 14 for each network adapter.

  15. Use the Tab key to switch between the Protocols box and the Options box. Set up the network protocols appropriate for your network.

  16. Select Network Configuration Is Correct to return to the Network Client main setup menu. Choose The Listed Options Are Correct.

  17. Remove the install floppy disks and reboot the machine to activate the network client software.

After the client software is installed and activated, the NET command on the client workstation provides access to all network services. Running NET with no command options loads the Net Pop-up program. The Net Pop-up provides an intuitive interface for connecting to network drives and printers, but consumes memory.

The NET command also supports a number of command-line options that can be used in batch files. A few of the options are described in the following list:

  • NET LOGON. Logs a user onto the domain specified during setup. User name and password are optional parameters.

  • NET LOGOFF. Logs current user off.

  • NET USE <drive> <UNC path>. Attaches to a shared drive on the network. For example:

    NET USE F: \\Moby\Users\Larry

    maps drive F to the shared directory Larry in the Users shared directory on Moby.

  • NET USE <port> <UNC path> [/PERSISTENT:YES]. Attaches to a shared printer on the network. For example:

    NET USE LPT1: \\Moby\Laser1 /PERSISTENT:YES

    redirects the local printer to the shared printer Laser1 on Moby. The /PERSISTENT:YES option causes this device to be automatically reattached when the network client starts and may be used with drives or printers.

  • NET PASSWORD. Changes user password.

  • NET SEND. Sends a message to a user, domain, or all users on a server. Users must be running the messenger service (or WinPopup) to receive the message. To notify all users that a server will shut down in five minutes, for example, you might use:

    NET SEND /USERS The server Moby will shut down in 5 minutes. Please log off.

    The /USERS option sends the message to all users logged on the server.

  • NET HELP. Displays a summary of available options for the NET command. You may specify a particular option for more detailed information. For example, NET HELP USE displays information about NET USE.

Windows

To set up networking for Windows (versions 3.1 and later, excluding Windows for Workgroups), first complete the DOS setup described earlier and then follow these steps:

  1. Start Windows.

  2. Start the Windows Setup program (usually found in the Main program group).

  3. Choose Options, Change System Settings to display the Change System Settings dialog box.

  4. Drop down the Network list box. Select Microsoft Network (or 100% Compatible). Click OK.

  5. Exit Windows Setup and restart Windows.

To use network drives, you may use the NET USE command from DOS as described earlier. You may also use File Manager to connect to network drives or Print Manager to connect to network printers.

Windows for Workgroups

Windows for Workgroups (WFW) is a network client right out of the box. Typically, you need to make only one small change to set up a WFW workstation as a client in a Windows NT Server domain:

  1. Start WFW.

  2. Start Control Panel. Double-click the Network icon. The Microsoft Windows Network dialog box appears.

  3. Click the Startup button. The Startup Settings dialog box appears.

  4. Under Options for Enterprise Networking, enable Log On to Windows NT or LAN Manager Domain. Enter the Domain Name. Click OK.

  5. Click OK in the Microsoft Windows Network dialog box. Close the Control Panel.

  6. Restart WFW.


A WFW workstation running only NetBEUI cannot communicate with a Windows NT Workstation running only NWLink.
The primary network protocol in Windows NT Server 3.5 is NWLink, Microsoft's implementation of the IPX/SPX protocol used on Novell networks. The primary protocol in WFW is NetBEUI. When two nodes on a Microsoft network cannot communicate, a common cause is the lack of a common protocol. To solve the problem, set up a common protocol by installing IPX/SPX on the WFW client or installing NetBEUI on the server.

Log on and off the network using the Log On/Off icon in the Network program group. Once logged on to a network, use WFW's File Manager to connect to network drives and use Print Manager to connect to network printers.

Windows 95

Microsoft designed Windows 95 as a network operating system from the ground up. Many of the most important networking features in this operating system will become apparent when Microsoft delivers network OLE. Until then, users can still appreciate the seamless access to network resources built into the Explorer shell.

To configure a Windows 95 workstation as a client for Windows NT Server, follow these steps:

  1. Open Control Panel. Select the Network icon. The Network dialog box shown in figure 5.14 appears.

    Fig. 5.14 - The Windows 95 Network dialog box facilitates configuration of a client workstation running Windows 95.

  2. Double-click Client for Microsoft Networks. The Client for Microsoft Networks Properties dialog box shown in figure 5.15 appears.

    Fig. 5.15 - The Client for Microsoft Networks Properties dialog box shows the general configurable property options.

  3. Check the Logon to Windows NT Domain check box. Enter the appropriate name for the Windows NT Domain.

  4. Click OK. Click OK again in the Windows 95 Network dialog box. Close Control Panel.

  5. You must restart the computer before the new setting takes effect.

The fastest way to connect to a network drive in Windows 95 is to right-click the Network Neighborhood icon from the desktop and select Map Network Drive from the pop-up menu. The Map Network Drive dialog box appears so that you can specify a drive letter and UNC share name. This dialog box does not have a Browse button, so you must know the exact UNC name of the resource. The dialog box remembers shares to which you have successfully connected in the past, and these shares can be displayed for selection by clicking the Path drop-down list box.

You can also access network resources by exploring the network neighborhood. To open a Word document on a server, for example, right-click Network Neighborhood and choose Explore from the pop-up menu. In Explorer, open Entire Network, the domain, the machine, and the share where the file resides, and then proceed down into the subdirectories until you can double-click the file. As depicted in figure 5.16, for example, the Word document file named Review2.doc can be opened simply by double-clicking it.

Fig. 5.16 - Opening a Network File is easy with Explorer.

Windows 95 can use network printers in a couple of different ways. DOS programs print directly to a printer port, so Windows 95 must capture the printer port and redirect the output across the network. Windows and Windows 95 programs do not need to capture a printer port because they can print to any printer defined in the Printers utility. Follow these steps to set up a network printer for use in Windows 95:

  1. Right-click the icon for Network Neighborhood and select Explore from the pop-up menu.

  2. Browse until you find the printer you want to use. Then select that printer (see fig. 5.17).

    Fig. 5.17 - Selecting a Network Printer with Explorer is accomplished by finding the desired printer and clicking it.

  3. Choose File, Install from the Network Neighborhood menu.

  4. Follow instructions in the Printer Setup wizard. You may need a copy of the printer driver.

Windows NT Workstation

Not surprisingly, Windows NT is its own best network client. A Windows NT client can remotely administer a server using Server Manager (provided the user is an administrator). A system running Windows NT Server can be a primary domain controller (PDC), a backup domain controller (BDC), or just a server. Each domain has exactly one PDC that is responsible for maintaining the domain's user accounts database and processing domain logons. A BDC maintains an additional copy of the user database and assists with processing logons.


A system running Windows NT Server can participate in a Microsoft network only as a member of a domain. A system running Windows NT Workstation can be a member of a workgroup or a member of a domain, but not both at the same time.

To map a network drive, select Disk, Connect Network Drive from the File Manager menu. To use a network printer, start Print Manager and select Printer, Connect to Printer.

OS/2

To create a network client setup kit for OS/2 workstations, follow the earlier procedure for DOS clients, but in step 6, select LAN Manager 2.2c as the Network Client or Service. This setup kit requires four high-density floppy disks.

After creating the setup kit, insert the first floppy in drive A and run A:SETUP. See the Installation Guide supplied with the Windows NT Server software package for guidance on running the Setup program and procedures pertaining to OS/2.

Using Windows NT Security

Windows NT Server employs user-level security. This means that a list of permissions is associated with each user account. Resource sharing in WFW and Windows 95, by contrast, uses resource-level security - permissions are associated with each shared resource. This subtle difference has a major impact on ease of administration. When a new user joins a Windows NT Server network, an administrator can assign all appropriate privileges to the new account with one utility. In a WFW network, the user must be added separately to each shared resource, probably on many different PCs by many different people.

Permissions define the type of access allowed for various users and groups. Windows NT maintains an independent list of permissions for each user. So, to use Windows NT security, you must understand how to manage users and groups and how to assign permissions for system resources. You should also understand how to monitor access to network resources.

Windows NT Security Overview

Windows NT's robust security features protect every shared resource in the system. When a user logs on, Windows NT creates an access token for that user, which identifies the user and all groups to which the user belongs. Windows NT checks the token each time the user (or a program running under that user's account) requests access to a system resource. Windows NT's Security Reference Monitor (SRM) analyzes user and group permissions for the object and returns a verdict. The following are a few important rules that the SRM uses to evaluate a request:

  • Permissions are cumulative. If a user belongs to two groups and the first has Read access to a file, whereas the second has Read/Write access, the user effectively has Read/Write access.

  • Windows NT has a special "No Access" permission. If No Access is defined for a user or any group to which that user belongs, the user will have no access to the resource.

  • Certain objects in Windows NT are defined as containers. For example, a directory is a container for files. Objects in a container can inherit permissions from the container.


    Files inherit permissions from a subdirectory only under NTFS, not under the FAT file system or the high performance file system (HPFS).

  • An object such as a printer or directory might be shared under multiple share names. In that case, each share will have an independent permissions list.

  • If an object has no permissions list, then all users implicitly have full access. If an object has an empty permissions list, then all users implicitly have no access.
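The following Python model is an added example, not code from the book or from Windows NT. It applies the evaluation rules listed above (cumulative grants, the No Access override, a missing versus an empty permissions list, and independent lists per share name) to constructed users and groups. The four access types and all account, group and share names are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Simplified set of access types (an assumption for this example).
ALL_ACCESS = frozenset({"Read", "Write", "Execute", "Delete"})
NO_ACCESS = "No Access"


@dataclass(frozen=True)
class AccessToken:
    """Created at logon: the user plus every group the user belongs to."""
    user: str
    groups: frozenset

    def identities(self):
        return {self.user} | set(self.groups)


def effective_access(token, permissions):
    """Apply the evaluation rules listed above to one permissions list.

    permissions is None -> the object has no permissions list: full access.
    permissions is {}   -> the list exists but is empty: no access.
    Otherwise it maps a user or group name to NO_ACCESS or a set of
    access types.
    """
    if permissions is None:
        return ALL_ACCESS
    granted = set()
    for name in token.identities():
        entry = permissions.get(name)
        if entry is None:
            continue                      # this identity is not on the list
        if entry == NO_ACCESS:
            return frozenset()            # No Access overrides every grant
        granted |= set(entry)             # grants are cumulative
    return frozenset(granted)


def access_via_share(token, shares, share_name):
    """Each share name carries its own independent permissions list."""
    return effective_access(token, shares[share_name])


# Constructed sample data (hypothetical users, groups and shares).
PAT = AccessToken("pat", frozenset({"Accounting", "Auditors"}))
LEE = AccessToken("lee", frozenset({"Accounting", "Temps"}))
LEDGER = {"Accounting": {"Read"},
          "Auditors": {"Read", "Write"},
          "Temps": NO_ACCESS}
SHARES = {"LEDGER": LEDGER, "LEDGER_RO": {"Accounting": {"Read"}}}

if __name__ == "__main__":
    for who in (PAT, LEE):
        print(who.user, sorted(effective_access(who, LEDGER)))
    print("no list:", sorted(effective_access(PAT, None)))
    print("empty list:", sorted(effective_access(PAT, {})))
```

Note how lee, who would otherwise get Read through Accounting, ends up with nothing because of membership in a group marked No Access.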

C2 Security

United States government certifiable level C2 security was an important design goal in the development of Windows NT. C2 compliance is a very complex subject, and space here does not allow even a cursory treatment. However, the phrase level C2 will inevitably come up in any discussion of Windows NT security, so it's important to know a little about it.

Level C2 is a Defense Department standard, which includes the following (grossly simplified) requirements:

  • Each user must have a unique logon name and a password, and must log on before accessing any system resources.

  • The owner of a resource controls access to the resource.

  • Security events must be logged. Access to the security logs must be limited.

  • The system must resist tampering, including changes to itself, either in memory or on disk.

  • Reusable resources, such as memory and disk space, must be cleared when released. Deleted files must not be accessible by users, which rules out any sort of "undelete" utility.


To help with setting up a C2-compliant installation, the Windows NT Resource Kit, version 3.51, includes a utility called C2CONFIG. Microsoft provides more information on C2 compliance at its NT Workstation web site, http://www.microsoft.com/ntworkstation/c2.htm.

Using a Single User ID for the Enterprise

In many enterprise networks, users juggle a number of separate accounts: one account for access to the LAN, another for e-mail, another for a database server, and still another account for access to the local machine. Each account may have a distinct user ID and password, and users must not only remember them all, but also understand the difference. Typically, users end up committing the first cardinal sin of security: they make up cheat sheets listing all their passwords. Windows NT Server allows a user to have a single user ID for the Microsoft network.

Understanding Trust Relationships

An enterprise network based on Windows NT Server includes servers and clients organized into one or more domains. A domain is essentially a set of shared resources and a shared, centrally managed user database. Often, a large enterprise will have many domains. Sometimes, a user in a domain needs access to resources in another domain. The quick and dirty solution would be to give the user an account in the other domain; however, that leads right back to password cheat sheets and administrator headaches.

Microsoft's solution is the Trust relationship: one domain trusts another domain to manage user accounts (see fig. 5.18).

Fig. 5.18 - Domain Ulysses trusts Domain Cosmo.

In this simplified example, domain Ulysses trusts domain Cosmo. This means that users logged on to domain Cosmo need not log on to domain Ulysses to use resources there. Ulysses trusts Cosmo to authenticate users. In effect, the administrator of domain Ulysses trusts the administrator of domain Cosmo to do a good job of maintaining user accounts. A trust is a one-way relation: Ulysses trusts Cosmo, but Cosmo does not trust Ulysses. Two-way trust requires two trust relations. Also, trusts are not transitive. If Ulysses trusts Cosmo, and Cosmo trusts Bertha, Ulysses will not trust Bertha (unless a separate trust is set up).

Microsoft has defined four models for enterprise networks. Used properly, these models allow a user to have a single account in one domain, but access resources throughout the network:

  • The Single Domain model is the simplest. All servers belong to a single domain with one primary domain controller.

  • The Master Domain model allows for centralized account management with distributed computing resources. The master domain model is illustrated in figure 5.19.

    Fig. 5.19 - The Master Domain model diagram illustrates the Master Domain model.

  • The Multiple Master Domain model distributes account management, but still allows a user to have a single account in a single domain. This model can be useful for a wide area network (WAN), or when several departments insist on managing their own users. As illustrated in figure 5.20, trust networks in a multiple master domain model quickly become complicated.

    Fig. 5.20 - The Multiple Master Domain model diagram depicts the inherent complexity of the model.

  • The Complete Trust model completely distributes account management, but still allows a user to have a single account in a single domain. This model has limited usefulness because the number of trust relationships quickly becomes unmanageable. Figure 5.21 depicts complete trust among five domains. Twenty distinct trust relationships are required.

Fig. 5.21 - The Complete Trust Model diagram portrays the peer-to-peer trust of the model.
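The trust rules above can be checked mechanically. This added Python example (not from the book) models trusts as one-way (trusting, trusted) pairs, shows that a chain of trusts grants nothing without a direct trust, and counts the relationships each model needs. The function names, the HQ/Sales/Plant domains, and the assumption that every resource domain in the Master Domain model trusts the master are illustrative.

```python
from itertools import permutations


def can_use_account(trusts, account_domain, resource_domain):
    """True if an account held in account_domain is accepted on resources
    in resource_domain. trusts is a set of (trusting, trusted) pairs, and
    only a direct trust counts because trusts are not transitive."""
    if account_domain == resource_domain:
        return True
    return (resource_domain, account_domain) in trusts


def chains_without_direct_trust(trusts):
    """Pairs (a, c) where a trusts b and b trusts c but a does not trust c.
    These are the places where an administrator might wrongly expect
    access to work."""
    return sorted({(a, c)
                   for a, b in trusts
                   for b2, c in trusts
                   if b == b2 and a != c and (a, c) not in trusts})


def complete_trust(domains):
    """Complete Trust model: every domain trusts every other domain."""
    return set(permutations(domains, 2))


def master_domain(master, resource_domains):
    """Master Domain model (assumed layout): each resource domain trusts
    the single master domain that holds all user accounts."""
    return {(resource, master) for resource in resource_domains}


# The example from the text: Ulysses trusts Cosmo, Cosmo trusts Bertha.
TEXT_EXAMPLE = {("Ulysses", "Cosmo"), ("Cosmo", "Bertha")}

if __name__ == "__main__":
    print(can_use_account(TEXT_EXAMPLE, "Cosmo", "Ulysses"))   # True
    print(can_use_account(TEXT_EXAMPLE, "Ulysses", "Cosmo"))   # False
    print(chains_without_direct_trust(TEXT_EXAMPLE))
    print(len(complete_trust(["A", "B", "C", "D", "E"])))      # 20
```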

Setting Up Auditing

A thorough security policy includes logging of security events. Different organizations will have different logging requirements, and Windows NT provides good flexibility. Auditing can impose a considerable performance penalty, so monitor only those activities required by your security policy.

Windows NT Server can monitor success and failure for each of the following security events:

  • Logon and logoff. Very useful information. Performance penalty usually minimal; depends on volume of logon requests processed by the server.

  • File and object access. File access can be audited only for files in NTFS partitions. Auditing for selected files must be enabled in File Manager. Auditing for selected printers must be enabled in Print Manager. Moderate to high performance penalty, depending on objects monitored.

  • Use of user rights. Generates mountains of extremely detailed access information. Very high performance penalty.

  • User and group management. Vital information. Negligible performance penalty.

  • Security policy changes. Vital information. Negligible performance penalty.

  • Restart, shutdown, and system security. Vital information. Negligible performance penalty.

  • Process tracking. Can be useful for troubleshooting. High performance penalty.

Follow these steps to enable auditing on a Windows NT Server domain:

  1. Log on as an administrator.

  2. Open the Administrative Tools program group. Double-click on User Manager for Domains.

  3. Select Policies, Audit from the User Manager menu. The Audit Policy dialog box appears. If the Do Not Audit radio button is highlighted, the Audit These Events area of the dialog box will be grayed out, as shown in figure 5.22.

    Fig. 5.22 - The Audit Policy dialog box reflecting no audit options selected.

  4. Select Audit These Events. Note that this area of the dialog box becomes available for use.

  5. Select the list of events you want to audit. Figure 5.23 is a sample of what the Audit Policy dialog box should look like, with the possible exception of event selection, after you have completed this step.

    Fig. 5.23 - The Audit Policy dialog box reflecting the desired event audit approach.

  6. Click OK to return to User Manager. Select User, Exit to close User Manager.

Files are usually the most sensitive network resources. Therefore, it is critical that access to certain files and directories be tightly controlled and managed. This ultimately requires that access be monitored from time to time to validate the effectiveness of management controls and access restrictions on selected files or directories. Auditing access can be a very useful capability when such monitoring needs to be done.

Perform the following steps to audit access to a selected file or directory:

  1. Enable File and Object Access auditing for the domain.

  2. Log on as an administrator. Start File Manager.

  3. Select the file or directory to be audited.

  4. Select Security, Auditing from the File Manager menu. If you selected a directory in step 3, you will see a Directory Auditing dialog box. If you selected a file in step 3, you will see the File Auditing dialog. The Events to Audit area of the dialog box will be grayed out and unavailable if no users or groups are listed in the Name box.

  5. In the Name box, select the user groups whose access should be audited. Use the Add and Remove buttons to modify this list. Note that when the group Everyone is added to the Name box, the Events to Audit area of the dialog box becomes available.

  6. Select Events to Audit. As in domain auditing, you may audit success and failure for each activity.

  7. If you selected a directory in step 3, decide whether to replace auditing on existing files and subdirectories. New files and subdirectories in the selected directory will have the audits defined here, but audits for existing files and subdirectories will not change unless you select the appropriate option here. Figure 5.24 is a sample of what the Directory Auditing dialog box could look like after you have completed this step.

    Fig. 5.24 - The Directory Auditing dialog box showing the audit policy for the selected group.

  8. Click OK to save the audit setup.

Using Dial-Up Access to Windows NT

Dial-up networking is one of the best features of Microsoft networks. Basically, a workstation can establish a full service network connection over a telephone line. Of course, the connection operates at telephone line speeds, but it's still good enough for serious telecommuting.

Windows NT Server provides dial-up access via the Remote Access Service (RAS). A workstation establishes a client session using RAS client software. The RAS server is included with Windows NT Server. RAS client software ships with Windows for Workgroups, Windows 95, and Windows NT. The Exchange client included with Windows 95 makes particularly effective use of RAS. DOS workstations may also be RAS clients.

RAS requires a high degree of compatibility from your hardware, including serial ports, cables, and modems. Your server should be equipped with high-speed serial ports (16550 UART). You can avoid unnecessary user support headaches by using a premium brand modem for dial-in access. The slightly higher price buys better connectivity with the astonishing variety of brand X modems your users will install. U.S. Robotics modems are about the best.


Many modem cables that work perfectly well with other communications programs simply will not work with RAS. Your best bet is a 25 pin "straight-through" cable.

See "Installing the Remote Access Service," (Ch. 7)

Checking the Logs

The EventLog Service is one of the most useful features of Windows NT Server. It provides a common method for capturing information about system startup, configuration errors, security events, and application events. Information captured here is a primary source for troubleshooting and monitoring performance.

Windows NT Server records a variety of events in its three log files:

  • System Log. Records system events, such as system startup, service startup failure, and browser elections. This log can be useful for troubleshooting.

  • Security Log. Records events selected for auditing. Depending on the audits enabled, this log can grow quite rapidly.

  • Application Log. Can be used by applications to record important events.

The logs record five types of events:

  • Information events, marked by a letter "i" in a blue circle

  • Warning events, marked by an exclamation point in a yellow circle

  • Critical errors, marked by a stop sign icon

  • Success audits, marked by a key icon

  • Failure audits, marked by a padlock icon

The EventLog Service starts automatically at system startup. In the next two sections, learn to view logged events and manage the log files.

Viewing Event Logs

To view a log, log on as an administrator, and run Event Viewer from the Administrative Tools group. From the Log menu, select the log you want to view. Figure 5.25 is a view of a System log.

Fig. 5.25 - The Event Viewer window showing detailed audit information for system events.

The Event Viewer displays the date and time, and five information columns for each event:

  • Source. Identifies the process that logged the event

  • Category. Applies mainly to the Security log

  • Event. A numeric identifier referring to the source

  • User. Identifies the user account under which the event occurred

  • Computer. Identifies the computer where the event occurred

To view additional details for an event, double-click the event. You see the Event Detail dialog box, as shown in figure 5.26.

Fig. 5.26 - The Event Detail dialog box provides more descriptive information about a selected log event.

In addition to the information from the list view, the detail view presents a description of the event and may include additional data, such as a stack dump.

Managing Event Logs

By default, Windows NT Server allocates 512K bytes for each log and overwrites events older than seven days. Each of these parameters can be configured independently for each log. When it's important to save log data for future reference, the overwrite delay should reflect your archiving schedule (seven days with weekly archiving, for example). Perform the following steps to configure these options:

  1. Log on as administrator. Start Event Viewer from the Administrative Tools group.

  2. Select Log, Log Settings from the Event Viewer menu. The Event Log Settings dialog box appears, as shown in figure 5.27.

    Fig. 5.27 - The Event Log Settings dialog box allows you to customize the logging of each event type.

  3. Select the log you want to configure in the Change Settings For drop-down list.

  4. Set the Maximum Log Size.

  5. Configure Event Log Wrapping. Overwrite Events as Needed grows the log to its maximum size and then overwrites the oldest events with new events. Do Not Overwrite Events retains all log entries so that you must manually purge the log. You might use this option for a sensitive security log, but make sure that the allocated size is adequate.

Logs can be saved (archived) for future reference so that space allocated for the logs can be made available for other uses. Logs can be saved in one of three formats:

  • Native log file format (EVT). This format can be loaded and viewed later with Event Viewer.

  • Text format (TXT). This format can be viewed with a standard text editor or browser.

  • Comma delimited text (TXT). This format can be imported into other applications.

To save a log, follow these steps:

  1. Log on as administrator. Start Event Viewer from the Administrative Tools group.

  2. Select Log, Save As from the Event Viewer menu. You see the Windows common file dialog box.

  3. Select the format in which to save the file from the Save File as Type drop-down list.

  4. Specify the directory and file name in which to save the file. Click the OK button.

To clear a log, select Log, Clear All Events from the Event Viewer menu. Be sure to select the correct log first! Event Viewer asks if you want to save the file first and then warns you that clearing the log is irreversible.
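A Security log saved as comma-delimited text can be reviewed outside Event Viewer. The Python sketch below is an added example, not from the book: it parses such an export and reports users with repeated Failure Audit events per category. The column order (date, time, source, type, category, event, user, computer, description) is an assumption, and every sample line, including the path and computer name, is constructed.

```python
import csv
import io
from collections import Counter

# Assumed column order of the comma-delimited export; description is last.
FIELDS = ("date", "time", "source", "type", "category",
          "event", "user", "computer")

# Constructed sample export (not real log data).
SAMPLE_EXPORT = r"""
3/12/96,9:01:10 AM,Security,Success Audit,Logon/Logoff,528,tsmith,NTSRV1,Successful Logon
3/12/96,9:04:31 AM,Security,Failure Audit,Object Access,560,tsmith,NTSRV1,Object Open: D:\PAYROLL\Q1.XLS, access denied
3/12/96,9:04:40 AM,Security,Failure Audit,Object Access,560,tsmith,NTSRV1,Object Open: D:\PAYROLL\Q1.XLS, access denied
3/12/96,9:05:02 AM,Security,Failure Audit,Object Access,560,tsmith,NTSRV1,Object Open: D:\PAYROLL\Q2.XLS, access denied
3/12/96,9:10:00 AM,Security,Failure Audit,Logon/Logoff,529,SYSTEM,NTSRV1,Logon Failure
3/12/96,9:12:45 AM,Security,Success Audit,Object Access,560,jdoe,NTSRV1,Object Open: D:\PAYROLL\Q1.XLS
""".strip()


def parse_export(text):
    """Turn the export into a list of dicts, one per event."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < len(FIELDS):
            continue                      # blank or truncated line
        event = dict(zip(FIELDS, (cell.strip() for cell in row)))
        # The description may itself contain commas, so rejoin the rest.
        event["description"] = ",".join(row[len(FIELDS):]).strip()
        events.append(event)
    return events


def repeated_failures(events, threshold=3):
    """Return (category, user, count) for every user with at least
    `threshold` Failure Audit events in one category."""
    counts = Counter((e["category"], e["user"])
                     for e in events if e["type"] == "Failure Audit")
    return sorted((category, user, n)
                  for (category, user), n in counts.items()
                  if n >= threshold)


if __name__ == "__main__":
    for category, user, n in repeated_failures(parse_export(SAMPLE_EXPORT)):
        print(f"{user}: {n} failure audits in {category}")
```

Archive the log before clearing it so that a review like this can still be run on older events.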

From Here...

This chapter taught you how to install your Windows NT Server. Your server acumen now includes concepts such as system requirements, disk partitions, mirrors, volumes, and boot failure recovery. You learned how to connect to the server from a workstation under a variety of operating systems. You should know how to administer security and monitor that security through audits and logs.

