Special Edition, Using Microsoft BackOffice, Ch. 06

06 - The Role of the Network Administrator

by Joe Lengyel and Larry Millett

  • Important tasks in the administration of a Windows NT Server - Learn to administer users and secure resources in a Windows NT Server domain. Learn to configure NT Server for efficient, reliable operation.

  • Administrative tools provided with NT Server - Learn to use User Manager for Domains, Disk Administrator, and Server Manager. Learn to share resources and implement security through File Manager and Print Manager.

  • Implementing a security policy - Learn to manage permissions for shared resources, within and across domains. Understand the various domain models and how to implement a trust relationship.

  • How to back up your Windows NT Server - Review a backup strategy. Learn to use the Windows NT Server Backup utility.


Successful deployment of Microsoft BackOffice requires an active and capable network administrator. On an active network with many users, the necessary administrative tasks can require a lot of time. It is nearly impossible for one person to administer the entire BackOffice suite. Successful management of each BackOffice component, including Windows NT Server itself, requires a significant level of expertise and knowledge.

After finishing this chapter, you will understand how to perform the duties of a network administrator using the tools provided with Windows NT Server.

Understanding the Role of a Network Administrator

The network administrator configures and manages the components of a Windows NT server that allow it to attach to a network and communicate with other devices. The administrator's duties include the following:

  • Creating user and group accounts

  • Sharing resources

  • Setting and changing permissions

  • Implementing trust relationships between domains

  • Monitoring and maximizing server performance

  • Configuring appropriate network protocols

  • Configuring the server hardware

  • Managing network-specific services such as Schedule and Alerter

Network administrators also usually bear responsibility for establishing an appropriate backup strategy. The actual backups are generally performed by backup operators, less experienced people who are trusted to perform this vital administrative task. Network administrators may also formulate and enforce security policies, although larger organizations usually assign this function to a different person or group.

Network administrators may have duties managing additional software components or services that run on the server. A network administrator will often be a Systems Management Server (SMS) administrator as well because SMS can play a pivotal role in automating network administration tasks. A network administrator could administer another BackOffice component, but this is less common.

Network administrators also typically plan and configure servers and must be thoroughly familiar with the day-to-day operation and use of Windows NT Server.

A Survey of Windows NT Server's Administrative Tools

Windows NT Server includes a rich set of network administration and server management tools. These tools exploit Windows' graphical user interface to make administrative chores simpler to understand and easier to perform. Although some administrative tasks can be performed with command-line utilities, the graphical tools offer better capability with less difficulty.

Administrators regularly use six primary tools, complemented by a handful of occasional use tools:

  • User Manager for Domains. Used for people-specific tasks affecting a user or group of users

  • Server Manager. Used for server-specific tasks affecting a computer

  • Event Viewer. Used for troubleshooting, detecting security violations, and verifying the basic status of the server at regular intervals

  • File Manager and Print Manager. Used for resource sharing and auditing

  • Performance Monitor. Used for tracking server performance

  • Control Panel. Used for managing user resources and the services available on the computer, among other things

  • Backup. Used for backing up network data to tape

Windows NT Server automatically creates a Program Manager group called Administrative Tools during installation. This is where you will find the tools discussed in this chapter. Figure 6.1 depicts a sample Administrative Tools group window. This sample includes the standard Administrative Tools icons loaded during a typical installation, plus several additional ones that have been manually placed there for the convenience of the administrator. You can also install these tools on a Windows NT Workstation client from the Windows NT Server media. Some tools can also be run from other versions of Windows.

Fig. 6.1 The Program Manager group, Administrative Tools, contains icons for some of Windows NT Server's administrative tools.

Whereas all versions of Windows include File Manager and Print Manager, only the Windows NT versions (Server and Workstation) include the capabilities outlined in this chapter.

User Manager for Domains

Everyone who uses BackOffice needs a user account in one or more Windows NT domains. These accounts are created and managed with a tool called User Manager for Domains (see fig. 6.2).

Fig. 6.2 With User Manager for Domains, you can create user accounts, assign users to groups, and establish security policies.

In addition to user account management, User Manager for Domains supports the following tasks:

  • Defining a security policy for user accounts

  • Creating and managing user groups

  • Setting up trust relationships between domains

Versions of User Manager for Domains are available for all versions of Windows. It can also be run effectively from a remote location over a dial-up phone connection. You can probably improve response time when running User Manager for Domains remotely by choosing Options, Low Speed Connection. This reduces the frequency with which User Manager for Domains polls the network for new information and therefore improves its responsiveness over a slow link such as a dial-up phone connection..


Windows NT Workstation includes a tool called User Manager (without "for Domains"). This tool allows the creation of local user accounts and groups for use only on the Windows NT computer that is running User Manager. User Manager for Domains is a much more powerful version of User Manager. It creates accounts that can be used on many computers in the same domain or in domains with trust relationships.

Server Manager

You can use File Manager to do some of the same things Server Manager does. In particular, File Manager makes it very easy to share directories on a computer's disk drive with other users on a network. The strength of Server Manager is the breadth of different tasks that can be completed with one tool. So although Server Manager isn't the easiest tool to use for sharing directories, it can do that job and many others.

Figure 6.3 shows the Server Manager main window. Use Server Manager for the following machine-oriented tasks:

  • Sharing server resources

  • Setting permissions for shared resources

  • Starting and stopping services

  • Pausing and continuing services

  • Viewing the properties of a Windows NT computer

  • Adding a computer to a domain

Fig. 6.3 Views can be manipulated in Server Manager to display servers only, workstations only, or both servers and workstations.

Event Log Viewer

The Event Viewer is generally the first tool to use when investigating a problem with a server. Use it to browse the three main logs kept by a Windows NT Server:

  • System log. Includes messages about system events such as service startup and device failures.

  • Security log. Includes messages about security events such as user logons and logoffs and unauthorized access attempts. The specific events logged are determined by the audit policy.

  • Application log. Includes messages generated by applications. The specific messages are determined by the application developer.

See "Setting Up Auditing," (Ch. 5)

File Manager

File Manager is familiar to almost anyone who has run any version of Windows other than Windows 95. It has capabilities especially useful to the administrator because you can use it to create directories on your computer (or on any computer for which you have administrator privileges) and then share these directories with other users or groups on the network.

Print Manager

Print Manager is most often used to manage print queues. However, you can also use Print Manager to share a printer with other network users. Printers can be attached either to a computer or directly to the network cable if they are capable of such an attachment. For example, some of the popular Hewlett-Packard (HP) LaserJet printers are capable of being attached directly to a network with the addition of HP's JetDirect interface card.

Performance Monitor

Performance Monitor is a powerful tool that which can be used for a variety of tasks. First and foremost, it allows you to monitor the activity on a computer so that you can see exactly what resources (disk, memory, processor, or network connections) are being used. You can graph the activity as it occurs, as depicted in figure 6.4, write the data to a log file for later analysis, or set alerts that will act as an alarm if utilization exceeds a particular threshold for a given resource.

Fig. 6.4 The Performance Monitor has the capability of simultaneously plotting multiple variables, even though only one is shown here.

Because of its many capabilities, Performance Monitor can play an important role in troubleshooting performance problems or determining what to add to a particular server to improve its performance. The Windows NT Resource Kit devotes an entire volume to this important tool.

Backup

Backup is a utility for making tape backups of your important information. It works with tape devices listed in the Hardware Compatibility List (HCL). You can find the latest HCL on the Microsoft Network, CompuServe, or www.microsoft.com on the World Wide Web. A copy of the HCL is also included with the Windows NT Server documentation.

Backup allows you to back up not only your data files, but also the user account database that contains all your users and groups. It also backs up the registry, which is a hierarchical database of all configuration information for your Windows NT Server. In addition, should the need arise, you can use the Backup application to restore information from your tape(s) to your disk drive. In the event of a total disk failure, you can rebuild your computer with a new disk drive and an appropriate set of tapes.

It is important to use the Backup utility properly to protect yourself against disaster. The process of making backups and tips on creating an appropriate backup regimen are outlined in the section "Developing a Backup Strategy" later in this chapter.

Managing User Accounts

User account management is the most visible activity of a network administrator. All access to NT Server network resources depends on user accounts. Naturally, User Manager for Domains is the tool for most account management tasks.

User account management encompasses four major tasks:

  • Defining a security policy for user accounts

  • Creating new accounts and disabling unused accounts

  • Managing user groups

  • Setting user rights

Each of these topics is covered in detail in the following sections.

Defining a User Accounts Security Policy

A user account security policy can control password length, force users to change their passwords at regular intervals, keep a history of passwords to prevent reuse, and set account lockout options.

To define a security policy with User Manager for Domains, follow these steps:

  1. Start User Manager for Domains.

  2. If the proper domain is not active, choose User, Select Domain. Select the proper domain with the mouse or type the name of the domain into the Domain text box.

  3. Choose Policies, Account. The Account Policy dialog box appears (see fig. 6.5).

    Fig. 6.5 Create an account policy by setting options in the Account Policy dialog box. The minimum recommended settings are displayed here.

  4. Make selections in the dialog box reflecting your company's security policy. Figure 6.5 illustrates a recommended minimum.

  5. Click OK.

Creating a New User Account

To create a user account with User Manager for Domains, follow these steps:

  1. Start User Manager for Domains.

  2. If the proper domain is not active, choose User, Select Domain. Select the proper domain with the mouse or type the name of the domain into the Domain: text box.

  3. Choose User, New User. You see the New User dialog box shown in figure 6.6.

    Fig. 6.6 The New User dialog box is used to register new users and to establish group memberships, environmental profiles, logon permissions, and account types.

  4. Fill out the New User dialog box. You must enter the password twice.


    You will not be able to see the password, or the confirming password, as they are entered. You will see asterisks instead. This is a security precaution to prevent someone from looking over your shoulder as you type. Because you can't see what you are typing, you must enter the exact same text twice to prevent an accidental keystroke from going unnoticed. Passwords are case sensitive - that is, capitalization matters.

  5. Click Add to add the new user and clear the data from the New User dialog box. Notice that the Cancel button also changes to the Close button when the first new user is added. This is so that you can continue to add new users (and click Add each time) or click Close to close the dialog box.

Disabling a User Account

Microsoft recommends disabling unused accounts, not deleting them. A disabled account can be easily reactivated, but a deleted account is gone for good. A new account can be created with the same permissions, but that can be a substantial chore on a large network.

Follow these steps to disable a user account:

  1. Start User Manager for Domains.

  2. If the proper domain is not active, choose User, Select Domain. Select the proper domain with the mouse or type the name of the domain into the Domain text box.

  3. Choose User, Properties. The User Properties dialog box appears. This dialog box is identical to the New User dialog box shown in figure 6.6 except for the title bar, which contains User Properties rather than New User.

  4. Click the Account Disabled check box.

  5. Click OK.

Managing Group Accounts

Group accounts enable efficient management of security. Although each user needs access to a unique combination of resources, you can identify common needs. For example, accounting personnel might need access to applications, data, and printers on a particular server, whereas marketing personnel need access to different resources. In this example, you could create one group called Accounting and another called Marketing. You can assign appropriate permissions to the group accounts and then add users to the groups. By assigning a user to the accounting group, you effectively assign that user all permissions held by the group account. If the marketing group should install a new application, you can assign new resource permissions to the marketing group, rather than individually to all marketing users. To create a group with User Manager for Domains, follow these steps:

  1. Start User Manager for Domains.

  2. If the proper domain is not active, choose User, Select Domain. Select the proper domain with the mouse or type the name of the domain into the Domain text box.

  3. Choose User, New Global Group, or choose User, New Local Group.


    A local group may contain users and groups from the local domain, users from trusted domains, and global groups from trusted domains. A global group may only contain users from the local domain. Use local groups to manage permissions on domain resources. Use global groups to define a set of users who need access to similar resources in other domains.

  4. In the New Global Group dialog box (see fig. 6.7), enter a name and description for the group.

    Fig. 6.7 The New Global Group dialog box allows you to enter a name and description for the group as well as select the members for the group.

  5. Highlight users in the Not Members list box that you want to include in the group and click Add. You can select users and click Add multiple times. If you want, you can also highlight users in the Members list box that you want to delete from the group and click Remove.

  6. When the members list is correct, click OK.

See "Understanding Trust Relationships," (Ch. 5)

Setting User Rights

The User Rights policy controls which users can perform certain actions such as shutting down servers or changing the system time on a computer. Exercise caution when changing Advanced User Rights. They rarely need to be changed. The process is outlined next for those rare occasions when it is necessary.

To change user rights, follow these steps:

  1. Start User Manager for Domains.

  2. If the proper domain is not active, choose User, Select Domain. Select the proper domain with the mouse or type the name of the domain into the Domain text box.

  3. Choose Policies, User Rights. The User Rights Policy dialog box appears (see fig. 6.8).

    Fig. 6.8 The User Rights Policy dialog box allows you to add and remove users or groups for selected rights.

  4. Make selections in the dialog box reflecting your company's policy. Select a right you want to review or change. If the Grant To window does not contain those users or groups that should have the right shown in the Right drop-down list box, use the Add and Remove buttons to change them.

  5. If you click Show Advanced User Rights, you will see many additional rights listed in the Right drop-down list box.

  6. Click OK.

Creating a Service Account

All applications under NT, including server applications (for example, SNA Server) run in a particular account context that controls the rights and permissions of the service. In a multiserver environment, it is common for one SNA Server, for example, to communicate with other SNA Servers. It is a good idea to create a service account (in a master domain if you are using a master domain model) that has permissions on multiple servers in the domain. Most of the services in BackOffice default to a Local System account that only has privileges on the single computer running the service.

To create a service account with User Manager for Domains, follow these steps:

  1. Start User Manager for Domains.

  2. If the proper domain is not active, choose User, Select Domain. Select the proper domain with the mouse or type the name of the domain into the Domain text box.

  3. Choose User, New User.

  4. Enter the new service account information in the New User dialog box. You must enter the password twice.

  5. Click Add.

  6. Choose Policies, User Rights.

  7. Click Show Advanced User Rights, as shown in figure 6.9.

    Fig. 6.9 The empty Grant To box shows that no service account has yet been granted the right to log on as a service.

  8. Log On as a Service in the Right drop-down list box (see fig. 6.9).

  9. Click Add to display the Add Users and Groups dialog box illustrated in figure 6.10.

  10. Select the account you created in step 4 and click Add.

    Fig. 6.10 Select the new service account and click Add to place it in the Add Names box.

  11. Click OK in the Add Users and Groups dialog box to close the dialog box and add the account created in step 4 to the Grant To box in the User Rights Policy dialog box.

  12. Click OK in the User Rights Policy dialog box.

Other aspects of service management are discussed in the "Services" section later in this chapter.

Managing Access to Shared Resources

For a few networks, it may make sense to have a single Guest account that provides unlimited access to all resources. In most cases, however, accounts exist to limit network access.

A well-defined security policy includes four elements:

  • Accounts

  • Resources

  • Permissions

  • Logging

Permissions define the ways in which accounts may use resources. Logging records access to resources by accounts.

Sharing Directories

Directories may be shared with Server Manager or with File Manager. In this section, the techniques for sharing a local directory through Server Manager and using File Manager to create a server-based shared directory on another computer are presented.

To share a directory with Server Manager, complete the following steps:

  1. Start Server Manager.

  2. If the proper domain is not active, choose Computer, Select Domain. Select the proper domain with the mouse or type the name of the domain into the Domain text box.

  3. Highlight the computer on which you want to share a directory.

  4. Choose Computer, Shared Directories. The Shared Directories dialog box appears (see fig. 6.11).

    Fig. 6.11 The Shared Directories dialog box showing shared directories on the computer named IceMan2. Available buttons allow new shares to be defined, properties to be modified, and sharing to be terminated on selected directories.

  5. Click New Share, and the New Share dialog box appears (see fig. 6.12).

    Fig. 6.12 The New Share dialog box allows the share name to be defined and the share properties for the new shared directory to be established.

  6. Fill in the dialog box with the appropriate information. The path should be a fully qualified path name that refers to the appropriate physical disk drive on the computer that contains the directory (for example, c:\[pathname]). Do not use a logical drive letter you may have connected to the other computer.

  7. Click Permissions. The Access Through Share Permissions dialog box appears (see fig. 6.13).

    Fig. 6.13 The shared directory PUBDATA is set with the group Everyone having Full Control permissions.

  8. The default permissions are for the predefined group Everyone to have Full Control over this resource. This means that everyone on the network can read, write, create, and delete information in this directory. You usually will want to remove that permission and add something more restrictive. Select the Type of Access you want to assign to the selected group for the resource.

  9. Click OK in the Access Through Share Permissions dialog box.

  10. Click OK in the New Share dialog box.

To create a server-based share for a shared directory on another computer with File Manager, follow these steps:

  1. Make a drive connection to that computer. Choose Disk, Connect Network Drive. Connect an available drive letter to the computer and shared directory that will contain your new shared directory (for example, \\COMPUTER\C$).


    Hidden administrative share names are automatically created for the root directory of each disk drive when you install Windows NT Server. For example, the root directory of C: has a share name of C$. The dollar sign at the end of the name prevents it from showing up in lists when other users are browsing for shared resources. These automatic share names are given permissions for administrators only.

  2. Highlight the directory (probably the root directory) that will contain your new, shared directory.

  3. Choose File, Create Directory. The Create Directory dialog box appears.

  4. Enter the name of the new directory you would like to create (for example, Public Data).

  5. Click OK in the Create Directory dialog box.

  6. Now highlight the newly created directory.

  7. Choose Disk, Share As to display the New Share dialog box (see fig. 6.12).

  8. Enter the appropriate information in the dialog box. The path should be a fully qualified UNC name (for example, \\computer\c$\directory). If you try to use a relative drive letter, Windows NT changes it to a UNC name automatically.

  9. Click Permissions. The Access Through Share Permissions dialog box appears (refer to fig 6.13).

  10. The default permissions are for the predefined group Everyone to have Full Control over this resource. This means that everyone on the network can read, write, create, and delete information in this directory. You usually will want to remove that permission and add something more restrictive. Select the Type of Access you want to assign to the selected group for the resource.

  11. Click OK in the Access Through Share Permissions dialog box.

  12. Click OK in the New Share dialog box.

Sharing Printers

To share a printer using Print Manager, follow these steps:

  1. Start Print Manager. It will either be in the Main group, or you can double-click the printer icon in the Control Panel.

  2. If the printer you would like to share is connected to a computer other than the one you are using, choose Printer, Server Viewer. Select the computer to which the printer is attached.

  3. Choose Printer, Create Printer. The Create Printer dialog box appears.

  4. Fill out the Create Printer dialog box. The Printer Name will be visible to Windows NT users connecting to this printer after it is shared. Select a driver that matches the model of your printer. Enter a description to inform users about the model and capabilities of the printer (for example, Includes Envelope Feeder). Select the Print To destination. Select Share This Printer on the Network. Enter a Share Name and a Location.

  5. Click OK in the Create Printer dialog box.

Setting Permissions on Shared Resources

Resource permissions may be assigned to a user account or to a group account. Usually, the best way to assign permissions to a user is to add the user to a group, as discussed earlier in the "Managing Group Accounts" section earlier in this chapter.

To use File Manager for changing access permissions, follow these steps:

  1. Start File Manager.

  2. Highlight the shared directory for which you want to change permissions.

  3. Choose Disk, Share As to display the Shared Directory dialog box. This dialog box is virtually identical to the New Share dialog box with the exception of the title bar and the presence of a New Share button, which allows you to open the New Share dialog box to create a new share name for the currently shared directory.

  4. Select the Share Name for which you want to change permissions. It is possible that multiple share names were created for the same directory. If the share name you desire is not the default, use the Share Name drop-down list box to locate and select the share name you desire.

  5. Click Permissions. The Access Through Share Permissions dialog box appears.

  6. The default permissions are for the predefined group Everyone to have Full Control over this resource. This means that everyone on the network can read, write, create, and delete information in this directory. You usually will want to remove that permission and add something more restrictive. Select the Type of Access you want to assign to the selected group for the resource (see fig. 6.13).

  7. You may want to add users or groups to the list that has access to the shared resource. Click Add. The Add Users and Groups dialog box appears, as shown in figure 6.14.

    Fig. 6.14 The Add Users and Groups dialog box showing the SMS Shared Project group in the Internal domain being given Full Control access permissions.

  8. Locate and select the user or group you want to add. Highlight the selection and click Add. Repeat this step for all users and groups you want to add.

  9. Click OK in the Add Users and Groups dialog box to close the dialog box and redisplay the Access Through Share Permissions dialog box depicted in figure 6.15. Notice that the SMS Shared Project group now appears in the Name box with an access type of Full Control. Notice also that the predefined group Everyone has been removed (by clicking Remove while the group was highlighted), and additional users and groups with various types of access have also been added.

    Fig. 6.15 The Access Through Share Permissions dialog box showing a variety of permissions for groups and users.

  10. When you are finished adding (and removing) users and groups, click OK in the Access Through Share Permissions dialog box to close the dialog box and redisplay the Shared Directory dialog box.

  11. Click OK in the Shared Directory dialog box.

Changing Permissions For Local Disk Drive Access

For logical drives formatted with NTFS, NT Server allows you to define file and directory permissions that apply to local users. These permissions apply only to NTFS drives: all local users have full access to FAT and HPFS formatted local drives. This is due to Windows NT's discretionary access control built around the NTFS file system. Each file has security information as an attribute. The FAT file system inherited from MS-DOS has no place to store security attributes in its design.

To use File Manager for changing local disk access permissions, follow these steps:

  1. Start File Manager.

  2. Highlight the directory (probably the root directory) you want to change.


    These permissions will affect access rights when a user connects to this computer over the network. The rights a particular user receives will be the most restrictive combination of rights from the Access Through Share permissions and local Directory permissions. For example, if a user is given Full Control on the Access Through Share permissions, but is given Read access on Directory permissions, the user will have only Read access.

  3. Choose Security, Permissions. The Directory Permissions dialog box appears (see fig. 6.16).

    Fig. 6.16 Permissions being set directly on the local directory using File Manager.

  4. Click Add to add new users or groups. The Add Users and Groups dialog box appears (see fig. 6.17).

    Fig. 6.17 The Add Users and Groups dialog box allows you to select users and groups for the purpose of setting directory permissions.

  5. Select the users or groups to whom you would like to assign permissions for this directory and click Add. You may do this step more than one time for all users and groups that you want to give a particular level of access.

  6. Select the Type of Access.

  7. Click OK in the Add Users and Groups dialog box.

  8. If you would like to have the same permissions apply to all subdirectories of this directory, select the Replace Permissions on Subdirectories check box.

  9. Click OK in the Directory Permissions dialog box.

Logging Account Activities

A complete security policy includes logging of account activities. NT Server provides flexible support for auditing the use of domains, files and directories, and printers. NT Server's Event Log service records specified activities in the security log where they can be browsed with Event Viewer.

You can also establish trust relationships with User Manager for Domains. Trust is a one-way relationship: the trusting domain trusts the trusted domain to authenticate users. To implement a two-way trust, create a pair of relationships. You need to be a domain administrator for both domains, or work with a domain administrator from another domain, to create a trust relationship. You can physically go to the domain controllers involved or perform all actions remotely.

To perform the operation remotely, you must either log on with an account that is a domain administrator for both domains, or use the Connect As feature of File Manager in Windows NT. Log on with a domain administrator account from the first domain, and then from the File Manager menu bar, choose Disk, Connect Network Drive to display the Connect Network Drive dialog box. Then in the Shared Directories drop-down list box, select a shared resource (for example, C$) on the primary domain controller of the second domain. In the Connect As box, enter a domain administrator account from the second domain in the form domain\user. You are prompted to enter the password for this second account. This establishes an administrative account context in the second domain so that you can create the trust relationship.

To create a one-way trust relationship between two domains, complete the following steps:

  1. Start User Manager for Domains.

  2. If the proper domain is not active, choose User, Select Domain.

  3. Select the proper domain with the mouse or type the name of the domain into the Domain text box. You should select the domain that will be trusted.

  4. Choose Policies, Trust Relationships. The Trust Relationships dialog box appears (see fig. 6.18)

    Fig. 6.18 The Trust Relationship dialog box showing the creation of a one-way trust relationship.

  5. Click Add next to the Permitted to Trust This Domain list box. The Permit Domain to Trust dialog box appears (see fig. 6.19).

    Fig. 6.19 The Permit Domain to Trust dialog box where a domain name and password is supplied when creating a trust relationship.

  6. Enter the name of the domain you are permitting to trust the first domain.

  7. Enter a password and then enter it again to confirm it was correctly typed. You will not be able to see the password.

  8. Click OK.

  9. Select the other domain by choosing User, Select Domain.

  10. Select the domain with the mouse or type the name of the domain into the Domain text box. You should select the domain that will trust the first domain.

  11. Choose Policies, Trust Relationships. The Trust Relationship dialog box appears.

  12. Click Add next to the Trusted Domains list box. The Add Trusted Domain dialog box appears (see fig. 6.20).

    Fig. 6.20 The Add Trusted Domain dialog box where the Trusted Domain and password are supplied.

  13. Enter the name of the first domain (the one you are going to trust).

  14. Enter the password created in step 7. You will not be able to see the password.

  15. Click OK in the Add Trusted Domain dialog box. Click OK in the Trust Relationships dialog box.

See "Setting Up Auditing," (Ch. 5)

See "Understanding BackOffice Structures for Organizing Servers," (Ch. 4)

See "Understanding Trust Relationships," (Ch. 5)

Services

A service is an application running on the server, has the following characteristics:

  • It does not depend on anyone being logged on to the computer for its execution. It can be set to start automatically when the server is started or manually by an administrator.

  • It can be set to run in the security context of any account you want. It need not run with the rights and privileges assigned to the user who may currently be logged on.

  • A service may perform operations on behalf of a client application. Typically, the client runs in an account context different from that of the service.

  • A service runs in the background, that is, it need not have an active window with a user interface. A service can be controlled by one or more administrative utilities, but the service itself does not automatically open a window when it starts.

  • A service can be started, stopped, paused, or continued. These operations can be performed on the server running the service, or from a remote computer.

All the main programs in the BackOffice suite (Internet Information Server, Exchange Server, SQL Server, SNA Server, and Systems Management Server) are implemented as one or more services. They also include client components and administrative utilities that are implemented as traditional applications.

To control services with Server Manager, complete the following steps:

  1. Start Server Manager.

  2. If the proper domain is not active, choose Computer, Select Domain.

  3. Select the proper domain with the mouse or type the name of the domain into the Domain text box.

  4. Highlight the computer on which you want to control services.

  5. Choose Computer, Services. The Services On <servername> dialog box appears (see fig. 6.21).

    Fig. 6.21 The services of a Windows NT Server can be started, stopped, or paused using the Server Manager window.

  6. At this point, you can highlight any of the listed services and change their state. If the service is started, you can Stop or Pause it. If it is stopped, you can Start it. If it is paused, you can Continue.


    Pausing a service allows everyone who is currently using the service to continue, but no new users are allowed to connect to or use the service. Stopping a service disconnects anyone actively using the service and shuts it down.

  7. Click Startup. The Service On <servername> dialog box appears (see fig. 6.22).

    Fig. 6.22 The startup options of a Windows NT service are configurable, as shown for the Server service on the computer named DATASRV.

  8. The dialog box shown in figure 6.22 allows you to configure the service to start automatically when the server is started, to be started manually by an administrator, or to be disabled. You may also specify a service account to be used by this service (see "Creating a Service Account" earlier in the chapter).

  9. Click OK and then Close to close the two dialog boxes.


Services can also be configured through the Services icon in the Control Panel program group.

Monitoring Server Performance

The performance of an enterprise server has a direct impact on the performance of everybody connected to that server. It's important to take a proactive approach, identifying small problems and potential problems early.

Three basic activities are involved in monitoring server performance: establishing a baseline for normal performance, analyzing variations from normal performance, and viewing event logs.

Viewing Event Logs

Windows NT Server allows you to monitor any significant system and application event. The monitoring is configurable. For events that do not necessitate immediate attention, Windows NT Server adds event information to an Event log file and lets you view this audit trail at later time.

Windows NT records selected user activities and system events in log files. The system log records events generated by the Windows NT system components. The failure of a system component to load during startup, such as the Server service for example, is recorded in the System log. The Security log records system security events. This helps track modifications to system security and points out any attempted breaches to security. Attempts to log on to the system may be recorded in the Security log, depending on the audit settings in User Manager. The Application log records events generated by applications. For example, a database application might record a data access error.

The event logs list three kinds of messages:

  • Information. A message to make you aware of a condition or action that is probably not serious

  • Warning. A message alerting you to a condition or situation that should be investigated and may become more serious if left unchecked

  • Error. An error message indicating a potentially serious condition (for example, a driver did not load due to a corrupt file).

The Event Viewer allows you to view and monitor these log files. The Event Viewer is a service that, by default, starts automatically with the system. The Event Viewer startup status can be found in the Services administrator in the Control Panel. It is recommended that you allow the Event Log to start and run on its own. It can be a valuable information source when troubleshooting.

To use the Event Viewer, follow these steps:

  1. From the Administrative Tools program group, double-click the Event Viewer icon.

  2. The Event Viewer window appears (see fig. 6.23). Determine which log file you are viewing.


    There are two ways to determine which log file you are viewing: the title bar and the     Log menu. The title bar explicitly specifies the log file type, whereas the Log menu places a check mark next to the log file type you are viewing.

    Fig. 6.23 The Event Viewer showing system type activity written to the System log.

  3. Interpret the information displayed in the Event Viewer. The information is displayed in seven columns:

    • Date. Indicates the date the event occurred. The icon immediately left of the date indicates the status of the event when it occurred.

    • Time. Indicates the time on the local server that the event occurred.

    • Source. Indicates the software that logged the event.

    • Category. Shows the classification of the event as it was defined by the source software.

    • Event. Indicates a specific number identifying the event.

    • User. Indicates a user associated with the event.

    • Computer. Indicates a name of a computer where the event occurred.


A message tells you that a service won't start. Use the Control Panel Services icon and try to manually start the service. Sometimes you get additional information about why the service won't start, which can aid problem resolution.

Managing Event Logs

The Event Viewer is somewhat configurable. Controlling the size of a log file is useful if you have limited system resources. The log wrapper instructs NT on a course of action should an event log be filled. To adjust the settings for a log file, perform the following tasks:

  1. From the Administrative Tools program group, click the Event Viewer icon.

  2. Make sure that the active log is the Security log. If not, choose Log, Security.

  3. Choose Log, Log Settings.

  4. The Event Log Settings information dialog box appears with default settings (see fig. 6.24). Note that the log type indicates Security.

    Fig. 6.24 The Event Log Settings dialog box allows you to manage the capacity of the log.

  5. Depending on the size of your network, the 512K maximum log size may be sufficient. If you are logging a lot of event detail, however, it could fill up fast. This will probably be a trial and error exercise for you. Initially, you should default to the 512K log size, but change the log wrapping option to Do Not Overwrite Events. When the log fills up, adjust the log wrapping feature, if necessary.

  6. Choose OK.

Clearing and Saving Log Files

The event logs available in the Event Viewer can be archived for future use. You may find this useful for future troubleshooting or verification. The log can be saved as a text file or in a file format native to the Event Viewer. The latter format allows you to view the file directly with the Event Viewer. Archiving the log saves the entire log. There are two methods of saving an event log. You can choose Log, Save As in the Event Viewer, or you can save the log automatically when prompted after choosing Log, Clear All Events to clear an event log as detailed in the next procedure.

To clear the log file, perform the following tasks:

  1. From the Administrative Tools program group, click the Event Viewer icon.

  2. Choose Log, Clear All Events. The confirmation dialog box shown in figure 6.25 appears.

    Fig. 6.25 The Clear Event Log dialog box forces a confirmation before clearing the log.

  3. Obviously, if you have accidentally chosen the Clear option, choose Cancel. If you want to clear the log and save the contents to a file, choose Yes. At that time, you are asked to supply a file name and path for the file. If you want to clear the log and not save the contents to a file, choose No.

  4. Choose Yes at this time. Note the default file extension EVT. Using this file extension saves the file in an Event Viewer format.

  5. If you had not chosen to save the event log as a file, you would have received a warning message box. You can choose Yes to clear all events from the log.

Viewing Remote Log Files

Windows NT Server allows you to look at the event log for a user's computer. As an administrator, sometimes this is useful. It can assist you in troubleshooting an error situation on that computer. To view a remote log file using the Event Viewer, perform the following tasks:

  1. From the Administrative Tools program group, double-click the Event Viewer icon.

  2. Choose Log, Select Computer.

  3. You are presented with a list of the available computers for which you may view event logs (see fig. 6.26).

    Fig. 6.26 The Select Computer dialog box facilitates the selection of a computer for viewing the remote log file.

  4. Select the computer you want and click OK. If you've done this correctly, the remote computers event log appears on the screen. You will be viewing the same type of log file as was selected on the server.

  5. While attempting to access a remote log, you may encounter an access denied message. This can mean that you don't have the correct permissions to view the event log, or that the person's computer has been turned off. Verify this before attempting to view the remote log again.

Setting and Responding to Alerts

The Alerter service is used to send alert messages to specified users and to users connected to the server. Alert messages warn about many types of problems including security and access issues, printer issues, and user sessions. Administrative alerts are generated by the system as a response to server and resource use. Alert messages are sent as Windows NT messages from the server to a user's computer.

You can determine which computers are notified when alerts occur at the server. For alerts to be sent, the Alerter and Messenger services must be running on the server. For alerts to be received, a messenger service must be running on the destination computer. If the destination computer is not on, the message eventually will time out. The destination computer must be running Windows for Workgroups, Windows NT, Windows 95, OS/2, or a DOS messenger driver.

Enabling Administrative Alerts

To enable the Alerter service, perform the following tasks:

  1. From the Control Panel, choose the Services icon.

  2. Locate and select the Alerter service item.

  3. Choose the Startup button.

  4. Choose Automatic as the Service startup type.

  5. Choose OK. The Alerter service now starts automatically with the system.

  6. Click Start.

Assigning Administrative Alert Recipients

Use Server Manager to specify the administrators, users, and computers that should receive administrative alerts. To manage the list of administrative alert recipients, perform the following tasks:

  1. In the Control Panel window, choose the Server icon. The Server dialog box appears, as shown in figure 6.27.

  2. In the Server dialog box, choose Alerts. The Alerts dialog box appears, as shown in figure 6.28.

    Fig. 6.27 The Server dialog box enables the administrator to specify the recipients of administrative alerts.

    Fig. 6.28 The Alerts dialog box showing the addition of the Sample computer to receive Administrative Alerts.

  3. To add a user or computer to the list of alert recipients, type the user name or computer name in the New Computer or Username box, and then choose Add.

  4. To remove a user or computer from the list of alert recipients, select the user name or computer name from the Send Administrative Alerts To box, and then choose Remove.

  5. Choose OK to exit.

Notifying Users

Sometimes it is important and useful to send a message to a user base. This is especially true following an alert or error message. If the user is sent an alert saying that print services are going down, then it is important to send another message to them when print services are back online. Another important occasion to send a message is when important network resources are going to be down for a period of time.

To send a message to a user, perform the following tasks:

  1. From the Administrative Tools program group, click the Server Manager icon.

  2. Choose Computer, Send Message. The Send Message dialog box appears.

  3. In the Send Message dialog box, type in the message, as shown in figure 6.29.

    Fig. 6.29 The Send Message dialog box showing a message that will be sent to specified users or computers.

  4. Choose OK. The message will be sent to all users currently connected to the selected server that are running the NT Messenger service. Computers running the WinPopUp program will receive the message as well.

Making Backups

About the worst thing that can happen to a network administrator is loss of data without adequate backups available. Data stored on your NT Server is critical to your business. It is obvious, then, that a sound backup strategy must be rigorously implemented.

This section outlines the tasks that must be carried out by the network administrator to perform backups of the data residing on NT Server. It includes a discussion of backup strategies and methods, NT Backup Sets, and a step-by-step description of the procedures required to back up and restore data. When you are finished with this section, you will be capable of backing up and restoring data on NT Server in a manner best suited for your network.

The Backup Tool

NT Server includes a backup tool found in the Administrative Tools program group. The program enables you to easily back up and restore important files on NTFS, HPFS, or FAT file systems. You can supply detailed selection criteria for the backup and have the backup verified. The Backup utility allows you to select disks and directories or files to be backed up, including shared directories on other computers.

Backup Media

The Backup program is designed for use with a tape drive. It is certainly possible to make backups using a fixed disk or floppies, but you may be unable to back up all the system files. It is highly recommended that you employ a tape drive. These mass-storage devices make centralized administration of backups more reliable and easier. When storing large amounts of data, it is really the right media choice.


If you don't have a tape drive, the files REGBACK AND REGREST, available with the Windows NT Resource Kit, will allow you to back up and restore the system registry with floppy disks. See the Windows NT Resource Kit for more information on employing this method.

Windows NT Server supports high-capacity SCSI tapes for 4mm, 8mm, and .25-inch drives, as well as economical mini-cartridge drives. The Backup utility allows you to place multiple backups on a single tape set. You can also span multiple tapes for a single backup. Determine storage needs and objectives prior to purchasing a tape drive. Be sure that the brand and model you intend to purchase is supported and listed on the Hardware Compatibility List.


Even though you can have numerous tape drives connected to your system, only one can be selected at a time.

See "Verifying Hardware Compatibility," (Ch. 5)

Understanding NT Backup Sets

A backup set is a collection of files or directories selected for backup. These files or directories can be appended to or replace an existing backup set. A family set, or tape set, is the group of tapes that make up one backup set. The Backup tool automatically creates a tape catalog for each backup set. A tape catalog (stored on the last tape in the tape set) contains information about the backup set.

Backup Methods

File-based backup methods can be broadly categorized as complete or incremental. A complete backup copies all files from the source. An incremental backup copies only those files that have changed since the last backup (an archive bit indicates whether each file has changed since last backed up). NT Backup supports both types of backups, also providing the option to leave the archive bit unchanged. The archive bit is an indication that a file has been archived. NT Server uses the following terms to define backup methods:

  • Daily backup. Backs up only those files changed that calendar day. The archive bit remains set. These files will be selected for backup during the next normal backup. The daily backup is most often used as an interim backup or to get a copy of working files.

  • Differential backup. Backs up files flagged as not archived. The archive flag is cleared after backup. This is helpful between full backups, because restoring the data only requires restoring the last full backup and the most recent differential backup.

  • Incremental backup. Backs up files flagged as not archived. They are then flagged as being archived. This is similar to the differential backup.

  • Copy. All files on the selected disk are backed up, but the archive bit remains set.

  • Normal backup. Creates a full backup of all files and resets the archive bit for all files successfully backed up. Perform a normal backup periodically for safety.

Developing a Backup Strategy

As with disaster recovery plans, the most critical element of backups is to be sure that they work reliably. This means that the entire backup plan has to be thoroughly designed and periodically tested. An effective backup strategy should provide reliable performance of backups, offsite storage of recent complete backup sets, and reliable restoration when needed.


Backups provide disaster recovery. Do not confuse this with fault tolerance. Fault tolerance allows a server to continue operating after a partial failure. Fault tolerance strategies include disk mirroring and stripe sets with parity. Disaster recovery (backup) preserves data after a catastrophic loss, such as theft of the entire server.

Implement your backup plan before beginning network operations. This means that the plan should be fully prepared and exercised prior to the server being put into operation. After the plan is implemented, it must be followed. Consider the following points when developing a backup strategy:

  • Make the backup process someone's job. Assign at least one other person this responsibility in a contingency role.

  • Determine how often you will perform backups. You should base this decision on how much data your organization can afford to lose or rebuild. Most companies implement daily backups.

  • Daily backups can quickly fill a lot of tapes. Most companies have a plan for reusing backup tapes. The child, parent, grandparent method described later is popular and straightforward.

  • Determine when the backups will occur. Usually backups occur after-hours to spare users of the overhead associated with the process. Doing so requires use of the NT Server Schedule Service. Refer to "Scheduling a Backup" later in this chapter for more information. If you decide to perform backups during business hours, determine the impact this will have on your network performance in advance.

  • Regardless of the backup time, devise a plan to verify that the backup occurred completely and without error. NT Backup automatically creates a backup log file; determine the appropriate level of detail:

  • Full Detail. Records the name of every file backed up as well as other major backup event information

  • Summary Only. Records major backup event information only

  • No Log. Records nothing

  • Determine two safe places to store the tapes, one onsite and one offsite. These places need to be secure, yet practical. Store the tapes in a waterproof and fireproof safe or vault, if possible, so that they will be protected in the event water, smoke, or fire damages the premises. Tapes with data should be stored both onsite and offsite. Tapes with software should be stored offsite.

  • Keep accurate records of the information on each tape. Do this in a binder and on the tape label. This helps you to identify tapes correctly when performing a restore.

  • Create a manual of your backup, restore, and test procedures. When changes in the procedures occur, make these changes to the manual. Keep this manual with other company records. If the backup expert leaves your organization, don't let the knowledge go with them.

The Child, Parent, Grandparent Method

This common backup method keeps daily backups, weekly backups for the past month, and monthly backups for the past year. Daily backups (children) are kept on site; weekly (parent) and monthly (grandparent) backups are kept offsite.

You will need enough tapes to perform 16 complete backups, plus four daily backups (assuming that backups are performed Monday through Friday only). Daily backups can be complete, incremental, or differential. Tape sets should be labeled for each month (12 sets); Friday1, Friday2, Friday3, Friday4, and Friday5; and Monday, Tuesday, Wednesday, Thursday.

Each Monday through Thursday, make a daily backup using the tape set labeled for that weekday. This means that daily backups will be recycled once a week. Each Friday, make a complete backup: use the Friday1 tape set for the first Friday in a month, Friday2 for the second Friday, and so forth. The complete Friday backup sets should be stored offsite. Note that Friday sets get recycled once a month. On the last day of each month, make an extra complete backup using the tape set labeled for that month. Monthly backup sets recycle once a year and should be stored offsite.

Developing a Backup Test

An important component of the backup strategy is the backup test. Every facet of the backup scenario needs to be tested for reliability, validity, timeliness, and security. A test of the backup and restore processes should be periodically performed to make sure that environmental or employment status changes have not rendered the backup process invalid. Consider the following points when developing a test of the backup and restore procedures:

  • Make a list of all the tasks required to perform a backup or restore. Associate people with each task. If any one task is being performed by only one person, there is a danger. On the day when an emergency restore is needed, inevitably that person will be sick or at lunch. Make it a rule that at least two people will have access to network administration, backup tapes, server software, and server hardware and will know how to get the backup job done. Make sure that these people are never on vacation at the same time.

  • There is no guarantee that a backup tape will restore. However, if you make a backup and perform a test restore successfully, you can be reasonably assured of a successful restore a second time. Have spare backup tapes available in case a tape goes bad. Perform diagnostics on tapes periodically. Follow the guidelines of the tape manufacturer for replacement tapes.

  • Assuming failure, determine how long it will take to restore the last backup. Understand how much downtime your network users can afford. A restore is most valuable if it can speedily bring your network back to normal.

Performing an Interactive Backup

To perform an interactive (user controlled) backup of the C drive, log in as an administrator or backup operator and complete the following tasks:

  1. Double-click the Backup program item in the Administrative Tools program group. The Backup window depicted in figure 6.30 appears.


    The Backup window may be minimized. If so, double-click an icon labeled Drives in the Backup window.

    Fig. 6.30 The Backup dialog box showing the drives available for tape backup.

    If the tape drive has not been powered on or connected properly, or the correct software driver for your tape drive is missing or improperly installed, you will receive the message shown in figure 6.31. If this message should occur, exit the Backup utility and check both the tape drive connections and the software drivers.

    Fig. 6.31 The Tape Drive Error Detected message box appears if you start the Backup utility and no tape drive is detected.


    NT Server fails to detect tape drive after system startup. An external SCSI tape drive should be powered up before booting the server. At system startup, the SCSI adapter will scan for attached devices and will not detect a tape drive that has not been powered on. NT Server will be unable to access the drive until it is turned on and the system rebooted.

  2. Select the drive you want to back up. You must do this even if there is only one drive in the Drives window. Choose the Backup button in the Backup dialog box. The Backup Information dialog box appears (see fig. 6.32).

    Fig. 6.32 The Backup Information dialog box allows the user to specify numerous backup options.


    The message "Tape Drive Error Detected." appears. Inserting a tape that has a lower density than the tape drive can cause this error to appear. Click the Backup button in the Backup dialog box to eject the tape. The Application log in the Event Viewer is filled with the message "No tape in drive." Running Backup without a tape in certain tape drives can cause this to happen. You must delete these event messages to free up the Event log before you can run any other application associated tasks.

  3. Enter a Tape Name. The maximum tape name length is 50 characters or spaces. Only 32 characters are visible, however. Give the tape a descriptive name that will remind you of its contents.

  4. Choose the Verify After Backup check box. Although it takes a little longer, the verification helps to ensure that a restore will be complete and accurate. At a minimum, you should include this option when performing a normal backup.

  5. Choose the Backup Registry check box if you or others have made changes to the local registry files. These files contain configuration information about the local computer.

  6. Select Append to add this backup set to a backup set currently on the tape. Select Replace to have the new backup overwrite the old backup set. Obviously, you need to know what has been archived previously to the tape. For this example, you're performing the first normal backup. Therefore, choose Append.

  7. Restrict the access to the backup set by selecting the Restrict Access to Owner or Administrator check box. This limits who can restore backups and institutes a level of security into your backup strategy.

  8. Note the drive you have selected. Double check it for accuracy. If it is not the correct drive, choose Cancel and change the selection.

  9. Enter a description for this backup. As with the tape name, give a description that will help you remember the tape contents in the future.

  10. Choose Normal from the Backup Type list box.

  11. Specify a file that will contain a log of the backup process. A good name is BACKUP.LOG. This file indicates the number of files backed up, how many were not, the amount of time the process consumed, and any errors encountered. You may find it useful to create a special directory, in advance, in which to store all log files.

  12. Choose the level of detail you desire for this backup. Consider the following options:

    • Full Detail. Records the name of every file backed up as well as other major backup event information

    • Summary Only. Records major backup event information only

    • Don't Log. Records nothing.

    For the first backup, choose Full Detail. Following the backup, review the log. Determine if this level of detail is acceptable or excessive for your needs. Adjust this selection accordingly in the future.

  13. Choose OK to complete the Backup Information dialog box and begin the backup operation. The Backup Status dialog box shown in figure 6.33 keeps you informed during the entire process.

    Fig. 6.33 The Backup Status dialog box provides feedback during the backup process.

  14. You will probably require the use of multiple backup tapes when backing up the local hard drive. The NT Backup utility makes this easy. When available tape space has been consumed, a dialog box will request an additional tape.


Determine the volume you will be backing up in advance and have enough tapes available for the entire backup process.


If you need to terminate the backup process, choose Abort. Any files that were backed up prior to the Abort will be on the tape. Furthermore, any file that was within 1M of completion will be on the tape. Any file not within 1M of completion will be corrupted on the tape.

Scheduling a Backup

Backups can be so time consuming that performing them during business hours can be impractical. The best time for this activity is when it causes the least impact on the use of network resources. This normally would be sometime during the night. The Backup utility included with NT Server does not facilitate scheduling unattended backups. Fortunately, NT Server provides a way to run backups automatically. The Command Prompt, in conjunction with the Schedule service, enables you to schedule backups (and many other types of activities) while you are away.

Configuring the Schedule Service

NT Server's Schedule service is required to support scheduled backups. Follow these steps to configure the Schedule service to start automatically each time the server restarts:

  1. From the Control Panel, select the Services icon.

  2. Locate and select the Schedule service entry. The default Startup mode for any service is Manual.

  3. Choose Startup.

  4. Select Automatic as the Startup Type. This allows the Schedule service to start each time the system starts.

  5. You need to select an account type. Services need a logon when they start. The default option is system account. Most services log on using the system account. This account will run a service without necessitating a user logon. Some services, however, may need more privileges to perform their programmed actions. The Schedule service is one example. If you want to schedule commands that need more than guest privileges on network resources, you will have to assign a network access-permitted account to the service. The system account has only guest privileges on remote shares. Select the system account for now.

  6. Choose OK. The Schedule service will now have an automatic startup.

  7. Choose the Start button. The system will attempt to start the Schedule service (see fig. 6.34). If successful, the Schedule service will have a Started status.

    Fig. 6.34 The Service Control advisory message provides feedback during service startup.

  8. Click Close.

  9. Close the Control Panel.

Setting Up a Scheduled Backup

When the Schedule service is running, you can execute many programs and commands on the server at a specified time and date. Using the Command Prompt and the AT network command, you can automate the backup process so that it runs after hours.

Naturally, the following instructions are an example. You should determine, in advance, how often you want to make backups and which files to include. Refer to your backup plan.


The Windows NT Resource Kit includes a GUI alternative to the Command Prompt for scheduling unattended backups.

For a complete description of the AT, NTBACKUP, and BACKUP commands, refer to Windows NT Help in the Main program group.

  1. From the Main program group, click the Command Prompt icon. The session opens to the default Directory.

  2. Create a text file with the following command line (Hint: Type edit at the command prompt to start the text editor):

    ntbackup backup C: /D "Daily Backups"
     /B /L "C:\results.log"
    • backup is the operation to be executed.

    • C: is the path that will be backed up.

    • /D specifies a description of the backup contents.

    • /B specifies that the local registry be backed up.

    • /L specifies the file name and path for the backup log.

The preceding command backs up all files on the C drive. The process replaces any files currently on the tape.


The ntbackup command invokes the Backup tool in the Administrative Tools program group.

  • Save the file as CBACKUP.CMD.

  • Schedule a backup event using the AT command, using the following syntax:

    at [\\computername] time [/every:date[,...] |
    /next:date[,...]] command
    where

    • Computername is the computer on which you are scheduling the event to run. If omitted, the event will be scheduled to run on the local system.

    • Time is any hour and minute from 00:00 (midnight) to 23:59 (11:59 p.m.).

    • Date is the day of the week or the number representing the day of the week.

    • Command is any command, program or batch file.


    If the command is not an executable file, you must precede the command with cmd /c.

    Example:

    at 10:50 "cmd /c c:\users\default\update.bat"


    Type     help at at the command prompt for the at command syntax.

    Issue the command shown in figure 6.35 to schedule backups of the C drive on Sundays, Tuesdays, and Thursdays at midnight.

    Fig. 6.35 The Command Prompt showing the use of the AT command to perform a scheduled backup.

  • At the prompt, type at by itself to see the scheduled job you just entered. When it executes, the Schedule service performs the instructions specified in CBACKUP.CMD.

  • Type Exit and press Enter to close the command prompt.

    Restoring Files

    The process of restoring files is similar to that for backing them up. To perform a normal restore of the C drive, complete the following tasks:

    1. If the backup set spans multiple tapes, insert the last backup tape into the tape drive. If the backup set is contained on only one tape, insert that tape.

    2. Click the Backup program item in the Administrative Tools program group. The Backup administration window shown in figure 6.36 appears.

      Fig. 6.36 The Backup Utility showing a minimized Tape window.

    3. Locate the Tapes window. In all likelihood, the Tapes window will be minimized. If so, double-click the Tapes icon. The Tapes window appears, as shown in figure 6.37.

      Fig. 6.37 The Backup-Tapes window showing tape drive selected for backup.

    4. Select the tape, catalog, or files you want to restore. For this example, select the tape by clicking the check box next to it. This performs a normal restore of the entire tape. Click OK.

    5. In the Restore Information dialog box, choose the drive letter to which the tape files should be restored. This is an important step. Be careful to choose the correct drive. For this example, choose drive C.

    6. Enable the Verify After Restore check box. This offers assurance that the restore was successful.

    7. If your file permissions have changed since the tape backup was made, do not enable the Restore File Permissions check box.

    8. If your local registry has changed since the tape backup was made, do not enable the Restore Local Registry check box.

    9. Specify a file that will contain a log of the restore process. A good name is RESTORE.LOG. This file will indicate the number of files restored, how many were not, the amount of time the process consumed, and any errors encountered. You may find it useful to create a special directory, in advance, in which to store all log files.

    10. Choose the level of detail you desire for this restore. Choose Full Detail to record the name of every file restored as well as other major restore information. Choose Summary Only to record major restore information only. Choose Don't Log to record no event information.

    11. Click OK.

    12. Observe the restore information in the Restore Status information dialog box.


    Warning message appears when attempting to restore corrupted files. Windows NT makes a copy of corrupted files during backup. It marks these files appropriately in the backup status field. The corrupted file list is stored in CORRUPT.TXT. As long as these corrupted files exist, you will get a warning any time you attempt to restore one of them. These files should be removed before attempting to restore.

    Managing Log Files

    Windows NT can track selected activities of users by auditing system, security, and application events and then placing entries in respective log files. The System log records events generated by the Windows NT system components. The Security log records system security events. The Application log records events generated by applications. The Event Viewer, which is somewhat configurable, then allows you to view and monitor these log files. It also allows you to control the size of a log file. This is particularly useful if you have limited system resources.

    Windows NT can record a wide variety of successful and unsuccessful file access event types. Use the Audit policy in the User Manager for Domains and the Audit policy in the Security menu of File Manager to control the types of security events to be audited as well as file and directory access. This, in turn, determines the types of security events Windows NT records on the log files.

    The event logs available in the Event Viewer can be archived for future use. You may find this useful for future troubleshooting or verification. The log can be saved as a text file or in a file format native to the Event Viewer. The latter format will allow you to view the file directly with the Event Viewer.

    See "Checking the Logs," (Ch. 5)

    From Here...

    This chapter detailed the most important tasks of the network administrator. It provided detailed procedures on administering users, groups, and resources in a Windows NT Server environment. A thorough survey was taken of the Administrative tools. Serious consideration was made on managing user accounts and the permissions to server and other shared resources. Detailed steps were covered on how to perform tape backups and restores.

    Table of Contents

    05 - Implementing Windows NT Server

    07 - Implementing the Remote Access Service (RAS)