Chapter 9

Microsoft Windows NT Server

Windows NT Server, a new breed of network operating system, made its appearance in 1994. From its first incarnation as Windows NT Advanced Server 3.1, Microsoft's new NOS had an easy-to-use user interface, high security, and was straightforward enough that you could begin to use it almost immediately. Since that time, it has only improved. NT Server (currently on version 3.51) is an excellent choice for many networking environments. Not only is it a good product in its own right, but it can connect smoothly to other NOSs (such as Novell NetWare) without difficulty. That is a real advantage, because many of us don't have the luxury of dealing with only one operating system.

You've seen rows of fat books about NT Server, so you know that we can't possibly cover all of its ins and outs in one chapter of one book. In this chapter, we'll discuss the basic architecture of NT Server and talk about the basics of how you can use it on your network. After completing this chapter, you should have a pretty good idea whether or not NT Server is the right network operating system for you.

Our space is limited, so let's jump right in.

If you've inherited NT Server 3.5 and don't plan to upgrade to 3.51 (although you should; it's only $40 for the upgrade), this chapter still can help you get acquainted with your operating system, as version 3.51 is quite similar to version 3.5. The newer version has some added features, such as built-in software metering ability, but overall the two are fairly similar.

Why Use NT Server in Your Network?

Although NT Server's cooperation with other NOSs means that you don't necessarily have to make it the sole NOS for your organization, you might wonder why you would even make it one of them. NetWare has been the market leader in network software for quite some time. Is NT Server giving NetWare a run for its money? The answer is yes, and the following sections explore a few of NT Server's key strengths.

Easy To Use

One of the main reasons for NT Server's success is that it's really easy to use (I've heard one person describe it as the "Mr. Rogers" NOS). Rather than a command-line interface that requires you to remember obscure syntax and hot-key combinations if you want to do anything, NT Server is designed on the same point-and-click idea as other Windows products. For that matter, if you can't recall the exact point-and-click procedures that you need to do something, the online help system is pretty good.

Designed for High-Powered Systems

Although NT Server works just fine on a 486 with 16M of RAM (with caveats as noted in the "Check Your Hardware" section later in this chapter), it is designed to work with bigger and badder machines. Out of the box, it can support up to four CPUs in the system, and you can get hardware abstraction layers (HALs) from Microsoft that let it support up to 32 CPUs. On the RAM front, it can support up to 4G of memory. Of course, we'll have to wait for 1G SIMMs to come out before this is physically practical, but the support is there. NT Server's NTFS file system also means that it can support hard disks larger than 2G, the limit for the FAT file system that DOS and Windows use. (If you're shaky on what multiprocessor support and lots of memory are good for, turn to chapter 5, "The Server Platform.")

Not only does NT Server support multiple processors, but it also supports multi-threaded applications. Multi-threaded applications are those designed as much as possible in a series of discrete steps so that a processor can perform more than one operation at once (people are fond of saying that multi-threaded applications let the processor walk and chew gum at the same time). This only works with operands which are not dependent on each other (in other words, if the third step in a program is dependent on the outcome of the second, then the second and third steps cannot be performed simultaneously), but when it does work, it speeds things up tremendously.

Security

NT Server is designed for security: although it took until 1995 to receive its C-2 certification (see the sidebar), it was designed toward that aim from the beginning. Part of the security strength lies in its file system, which cannot be accessed by booting from a DOS floppy. Part of it lies in the key sequence (Ctrl+Alt+Del) used to log on, which removes any password-grabbing viruses that cannot survive a reboot. Also in the security plan are user rights that can be specified down to individual file access for an individual user, and logging that can track the activities of each logged-in user.

***

What Is C-2 Certification?

"C-2 certification" is one of those terms that gets tossed around frequently but perhaps is not understood fully by everyone using it. The United States government has a security manual named Trusted Computer System Evaluation, but more commonly known as the Orange Book. It's essentially a manual for determining how secure a computer system is, and describing the testing required to prove that level of security. The levels of security that it identifies range from D (none) to A1 (highest, held by very few systems). A "C-2" rating means that NT Server has been certified to be a system with controlled access protection, and with the ability to track user activity, assign individual rights to individual users, and overwrite the information attached to objects such as reassigned user IDs so that the information cannot be gleaned from the hard disk.

Other certified C-2 systems include DEC's VAX 4.3 and Hewlett Packard's MPE V/E. As of the time this book went to print, NetWare 4.1 was not yet C-2 certified, although it is C-2 compliant and is expected to be certified in the first half of 1996.

Interoperability

As noted earlier, getting NT Server doesn't mean that you must scrap your other NOSs. NT Server has built-in connectivity to NetWare, so you can set up your NetWare and NT Server servers to be accessible to anyone on your network, no matter how they log on. Additionally, NT Server supports several different transport protocols, including TCP/IP, used for connecting to UNIX machines and the Internet, and IPX/SPX, which NetWare uses. NT Server even has an easy way of connecting to Macintosh computers. (See chapter 8, "Novell NetWare," for a discussion of transport protocols.)

Centralized Control

An NT Server network is organized into groups of machines called domains. Rather than logging on to a single machine, you log on to a domain and through that connection have access to all the servers in the domain to which you're permitted access. This centralized control makes things easier on users (who only have to log on once to access multiple servers) and network administrators (who only have to create one user account for a domain, rather than one for each server). As we'll discuss later in this chapter, you can even create relationships between domains to permit users to log on to another domain using their account on their home domain.

NT Server also allows you to set very specific file permissions on shared drives, directories, and individual files, so that you can control user access precisely.

Long File Name Support

NT Server's native file system, NT File System (NTFS), supports case-sensitive long file names and provides added security to your server. NTFS volumes are not accessible if you boot from a DOS floppy, which, although it keeps you from accessing volumes if you must boot to DOS, also keeps crackers from doing the same thing.

Unfortunately, NT Server's long file names are not compatible with those used in OS/2's HPFS file system or in Windows 95's version of FAT with long file name support.

Logging Capabilities

NT Server includes three kinds of logging that you can activate for use in troubleshooting your system and metering activity on it. The Security log shows logon attempts (including failed ones, if you want, which can be useful for catching attempted break-ins); the Application log monitors who's accessing what on the server; and the System log shows system events such as network services starting (or failing to start) so that it's easier to track down a problem such as why your graphics division can't log on to the server with their Macs.

UPS Service

If your server is important enough for you to spend $700 on good networking software for it, it's important enough to power-protect. NT Server, recognizing that power quality is getting worse instead of better, includes an uninterruptible power supply (UPS) service that Microsoft co-developed with American Power Conversion (APC), one of the major suppliers of power protection. UPSs and other forms of power protection are discussed in detail in chapter 18, "Backup Technology: Uninterruptible Power Supplies."

Software Metering

If you're concerned about keeping up with your licensing requirements, NT Server 3.51 comes with a software metering capability that keeps track of your client licenses. When installing NT Server, you'll have a choice of "per server" or "per seat" licensing. The first option sets the number of concurrent connections permitted to a single server on the domain; the second sets a limit on the number of workstations that can log on to the domain through all servers.

Built-In Remote Access Services (RAS) Capability

If your network includes telecommuters who need access to a server, then you can set up a dialup account to permit them to do so. As NT Server is extremely security-conscious, this dialup capability has not only password protection but also call-back capability: you can set it up so that users can dial in from only one telephone number. Remote Access Services (RAS) can connect to a modem line, ISDN, or X.25, providing extreme flexibility to meet your needs. (ISDN and X.25 are discussed in chapter 4, "Upgrading to a WAN," and other remote access products are discussed in chapter 27, "Adding Remote Network Access (Telecommuting).")

That's a quick run-through of NT Server's features. Now, let's talk about the basic concepts behind its design.

The NT Server Universe

Before you figure out what you can do with NT Server, it's useful to understand where it's coming from: how it's designed, how it organizes the members of the network, and how to navigate it.

Important NT Server Terms

Although most of the vocabulary and concepts we'll use in our discussions of NT Server are well-known to networkers, there are a few you'll need to know that are specific to the product. The following sections explain these terms.

The Registry

The core of NT Server is the Registry. Although you may never have to alter it directly, every system configuration you make is stored in this central database. From auditing setup to establishing user accounts to setting new system colors, it's all stored here.

You can view the contents of the Registry by running REGEDT32.EXE (not REGEDIT.EXE, which only shows the file types stored on your system).

Using the Registry is complicated, and frankly, not often very useful. Almost every system setting can be more easily edited elsewhere (the few exceptions are not settings you're likely to run across unless you're having a very serious problem), and when working with the Registry it's very easy to do major damage to your system without meaning to. If you need to adjust your system settings, use the Control Panel or the User Manager for Domains; don't try to make a change in the Registry unless you're willing to flirt with the possibility of reinstalling the operating system. (Admittedly, as NOS installations go, NT Server's installation process isn't bad, but I'm sure that you can think of a better way to spend two hours.)

The real reason you need to know about the Registry is to make sure that you back it up. If you include the Registry every time you do a backup, then if you ever have to reinstall you won't need to set up the entire system again; just restore the Registry you've backed up, and most of your system settings (including user accounts) are the way they were when you last saved them.

Domains

A domain is a rather nebulous concept, like a workgroup, but essentially it's a logical group of servers (notice that that's machines, not users) organized by some user-defined criteria. You can have a Personnel domain that encompasses all the servers dealing with personnel files, or you can have a Main domain that encompasses all the servers at the main office of your corporation. The grouping depends on your preferences. The crucial point concerning a domain is that the logical grouping means users don't have to log on to individual servers: each user logs on to a domain, and therefore has access to all the servers in that domain (to the extent of that user's permitted access, of course).

You don't log on to individual servers on an NT Server network; you log on to a domain to access the servers that are part of that domain. In other words, to access multiple servers, you need to log on only once.

You're not limited to accessing NT Server machines when you log on to a domain; any machine capable of sharing resources, such as an NT Workstation (the client version of NT Server) or a Windows 95 machine, can make its resources available to those who log on to the domain. NT Server machines can do certain special things in a domain (such as remote administration) as we'll discuss shortly, but in terms of sharing files and resources, domain membership is pretty flexible.

If you've got a large network, or are spread out over more than one physical site, chances are good that you have more than one domain. If so, you can create a trust relationship between domains that permits your users to access the resources of another domain without requiring an account in that domain. We'll talk later in this chapter about the mechanics of how to set up a trust relationship.

Groups

Domains are arbitrary collections of servers; groups are arbitrary collections of users. In the User Manager for Domains, located in the Administrative Tools window, you can see the wide variety of preset groups to which you can assign users. The basic function of a group is to provide a handy way of assigning certain network rights to a bunch of users, without having to set up each user account individually. One right you can assign, for example, is the ability to perform backups. Rather than forcing you to manually set the account of each potential backup administrator, you can add all the users who need to be able to run the backup program to a group named Backup Administrators. Similarly, if someone who was a backup administrator changes job duties, you can remove their ability to run backups by removing them from the group; no other action is required.

NT Server comes with a wide variety of user groups, but you also can build your own groups with a particular set of privileges, if none of the built-in groups have the configuration you need.

Multiple Group Membership

A user can belong to more than one group at a time. For example, by default all users are members of the Domain Users group (a basic group that permits its members to do the things most users need to do, like accessing files, but does not allow its members to do things most users don't need to do, like logging on to the NT Server machine itself). Every user must be a member of one of the Domain groups, and whenever the need arises, you can make any given user a member of more than one group.

Rights are cumulative; that is, if you belong to more than one group, the group with the most rights controls what you can do. The only exception to this is the No Access right, which forbids access to a particular drive or directory, and overrides any rights that other group memberships give you.

Not only can you add users to groups, but it's also possible to put one group inside another group, so that the members of the interior group have the same rights as those of the exterior group without having to actually join it. The simple restriction is that only local groups can contain other groups, and only global groups can be contained.

Local groups? Global groups? Read on...

Local Groups versus Global Groups

NT Server recognizes two kinds of groups: local groups and global groups. As neither the documentation nor the online help really explains the difference between the two, it's worth exploring here. Both kinds of groups can perform the same functions (there are local and global users, local and global administrators, local and global print operators, and so on). The important difference between local and global groups relates to membership. Local groups can contain both users and global groups, while global groups can contain only users.

Local groups are the important ones for local administration. Backup Operators, Account Operators, and so on (any group that doesn't have "Domain" at the beginning of its name) are all local groups. Local groups can contain both users and global groups, but cannot contain other local groups.

Global groups are generic in function. NT Server only includes three (Domain Users, Domain Administrators, and Domain Guests). Although all users by default are members of the Domain Users group, if you only have one domain, or have no trust relationship, then the global groups don't matter much.

Global groups really begin to matter when you've set up a trust relationship. The idea is this: if you've gotten domains VERDE and ROJA to trust each other so that the users on VERDE can access the resources on ROJA, then you've got three options for how to set this up:

If you have trouble remembering whether global groups go into local groups or the other way around, try thinking of global groups as ships, and local groups as ports. Ships, which travel the globe, can sail into ports, but certainly cannot sail into other ships. Ports, where all the local activity takes place, can contain ships, but cannot contain other ports. (Thanks to David Sheridan for this excellent analogy.)
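The membership and override rules above can be checked with a small model. This Python sketch is an added example, not code from the book or from NT Server: the Domain class, the users AnnK and BobJ, the groups Payroll Staff, Payroll Readers and Contractors, and the sample access list are all constructed for illustration. It enforces the nesting rule (local groups hold users and global groups, global groups hold only users) and resolves a user's resulting access with No Access overriding everything else.

```python
# Access levels named in this chapter, ordered weakest to strongest.
LEVELS = ["read", "change", "full control"]
NO_ACCESS = "no access"


class Domain:
    """Toy model of one domain's users, global groups and local groups."""

    def __init__(self):
        self.users = set()
        self.global_groups = {}  # group name -> set of user names
        self.local_groups = {}   # group name -> set of user or global group names

    def add_user(self, user):
        self.users.add(user)

    def add_global_group(self, name, members=()):
        # "Ships": a global group can contain only users.
        for m in members:
            if m not in self.users:
                raise ValueError(f"global group {name!r} can contain only users, not {m!r}")
        self.global_groups[name] = set(members)

    def add_local_group(self, name, members=()):
        # "Ports": a local group can contain users and global groups,
        # but never another local group.
        for m in members:
            if m in self.local_groups:
                raise ValueError(f"local group {name!r} cannot contain local group {m!r}")
            if m not in self.users and m not in self.global_groups:
                raise ValueError(f"unknown member {m!r}")
        self.local_groups[name] = set(members)

    def groups_of(self, user):
        """Every group the user is in, directly or through a nested global group."""
        in_global = {g for g, ms in self.global_groups.items() if user in ms}
        in_local = {g for g, ms in self.local_groups.items()
                    if user in ms or ms & in_global}
        return in_global | in_local

    def effective_access(self, user, acl):
        """acl maps a user or group name to an access level for one directory.

        Grants are cumulative (the strongest one wins), except that a single
        No Access entry overrides every other grant. Returns None when
        nothing in the list applies to the user.
        """
        principals = self.groups_of(user) | {user}
        granted = [acl[p] for p in principals if p in acl]
        if NO_ACCESS in granted:
            return NO_ACCESS
        if not granted:
            return None
        return max(granted, key=LEVELS.index)


def build_sample():
    """Constructed sample data: two users, two global and three local groups."""
    d = Domain()
    for user in ("AnnK", "BobJ"):
        d.add_user(user)
    d.add_global_group("Domain Users", ["AnnK", "BobJ"])
    d.add_global_group("Payroll Staff", ["AnnK"])
    d.add_local_group("Backup Operators", ["BobJ"])
    d.add_local_group("Payroll Readers", ["Payroll Staff"])  # global inside local
    d.add_local_group("Contractors", ["BobJ"])
    # Access list for one hypothetical shared directory.
    acl = {
        "Domain Users": "read",
        "Payroll Readers": "change",
        "Contractors": NO_ACCESS,
    }
    return d, acl


if __name__ == "__main__":
    domain, acl = build_sample()
    for user in sorted(domain.users):
        print(user, sorted(domain.groups_of(user)), domain.effective_access(user, acl))
```

AnnK ends up with change access because her global group sits inside Payroll Readers, while BobJ's Contractors membership denies him access despite the read grant he gets through Domain Users.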

Users

The smallest unit in the NT Server universe is the user. Like groups, users are people, rather than machines. The concept of a user is a simple one: it's your key to the domain. If you don't have an account on the domain (even one without a password), you can't log on to the domain and access its resources. (Depending on how your network is set up, you may still be able to log on to individual servers, but you won't be able to access the domain members as a group.)

You can assign rights to users in addition to the rights they have as group members.

Rights versus Permissions

We've been talking about the rights that users and user groups can have, but what are those rights? How are they different from permissions, another NT Server security concept?

In a nutshell, rights are things that people can do; permissions are access privileges attached to files and directories. Rights consist of such events as logging on to the server directly at the server, activating a backup program, or creating a printer. Permissions include things like read access, change access, or full control. You assign rights to people and permissions to data.

That's about it for describing the way NT Server sees the world: it identifies domains, which are collections of machines; groups, which are collections of users; and individual users. Hanging onto this mental map, let's see what the operating system looks like.

Where the Toys Are: Tool Locations

NT Server is designed to be simple to use. To that end, it uses a graphical user interface (GUI) that is very similar to the one in Windows 3.x. As in any GUI, the idea is to free the user from having to remember command syntax or hot-key combinations. When you're in a hurry, you don't have to remember if you should type net use or net view to connect to network resources like disk drives and printers: you just have to pick a command from a menu.

All 3.x versions of NT Server use the Program Manager and window design features that are familiar to Windows 3.x users. NT Server 4.0, however, is expected to have an interface closer to that of Windows 95: a taskbar across the bottom and a Start menu with program groups branching from it.

As in Windows 3.x, the starting point for just about everything you do in NT Server 3.5x is the Program Manager (see fig. 9.1). It works just like the Windows 3.x Program Manager: point to the icon representing the tool you want to activate and double-click.

Figure 9.1 The Program Manager is the starting point for everything you do in NT Server 3.5x.

In the Main program group, the tool you'll probably use most often is File Manager. As you can see in figure 9.2, the NT Server File Manager has a few options that Windows 3.x users won't recognize. The Security menu is the starting point for setting permissions for shared files, taking ownership of files, or auditing file access.

Figure 9.2 The NT Server File Manager is good for more than just file sharing; it's also where you set file and directory permissions.

As you saw in figure 9.1, there are a few program groups in Program Manager. The one where you'll do most of your work is the Administrative Tools program group (see fig. 9.3).

Figure 9.3 The Administrative Tools program group contains the icons for basic network administration.

Installation

By this point, you should have a pretty good idea what to expect from NT Server, and what to do with it. But if you're going to use it, you have to install it first. The following sections walk you through the installation process.

Check Your Hardware!

Before you start the installation, you've got to make sure that your hardware is up to snuff. First, it needs to be compatible with the operating system. The best way to ensure compatibility is to get hardware that's on the Hardware Compatibility List included in the NT Server package. If you don't have that option, then think generic and standardized. Generally speaking, SCSI-II devices like hard drives, tape drives, and CD-ROM drives are a good bet if you go with a reliable vendor, like Adaptec, who doesn't stop supporting a product as soon as the next model comes out. Some IDE devices are okay, too, but stay away from anything that uses a proprietary interface (like a CD-ROM drive that plugs into a sound card).

***

Make Sure that the BIOS Is Compatible!

Even if all the other hardware in your machine meets the system requirements, you still can run into problems with one small but crucial component: the BIOS. I had a frustrating experience once with a rental system that I'd hand-picked to be NT-compatible from a reliable rental company. All the hardware checked out, but the installation would not proceed beyond the floppy portion (as you'll see shortly, installation has a floppy section and a CD-ROM section); when the machine was supposed to reboot during installation, it locked up. Occasionally, I got obscure messages indicating that crucial parts of NT were not loading, but the files were where they were supposed to be. Neither reformatting nor repartitioning the hard disk had any effect.

Finally, I called in the Marines by paying $150 to talk to Microsoft. After a little discussion, we established that the BIOS of the AST machine I was using was too old: the version I had was 1.0, and NT Server would only work with version 2.1 or later. I switched to an identical machine with a newer BIOS, and the installation went seamlessly.

Oddly enough, a BIOS that's too new can also be a potential problem. I've heard of a situation in which a Compaq BIOS had to be "downdated" to an older version so that it would work with NT Server. The fact that Compaq machines aren't quite as generic as many other IBM-compatible types might have had something to do with it, but it's worth noting that the newest BIOS might not always be the one that works in a particular situation.

NT Server is very picky about hardware performance. The fact that the hardware worked under DOS does not, unfortunately, mean that it will work under NT Server; this is because DOS is not exactly an operating system. When it comes down to it, the DOS applications run the show more than DOS itself does: they're permitted to control hardware, so theoretically, if something goes wrong with some of that hardware (like parity errors in your memory chips), the application is supposed to take care of it. As you might know from bitter experience, what happens more often than not in practice is that the application crashes, perhaps taking your entire system with it. It's not really the application's fault, because that should be the job of the operating system. Letting a spreadsheet program control hardware is like disbanding the fire department and giving everyone in town a bucket: as long as nothing happens, it's fine, but when there really is a fire the townspeople are neither trained nor equipped to deal with the problem.

The point is that you really need to test your hardware exhaustively before attempting to install an operating system like NT Server that insists on everything working right. Do a slow disk test (not the fast one; you want the slow one that can take all night or even a couple of days) and a complete memory test.

Back Up Existing Data

Most people install NT Server on a machine that already has data on it, rather than a brand-new one. This is fine, but don't forget that you need some way of getting that data back. (Don't even think about installing a new operating system on your server without backing it up first.) "Not a problem," I hear you say. "I've backed up the drive and have the tape right here." The only difficulty with this is that NT Server's proprietary tape backup system will not be able to read the tapes, and the DOS backup program will not run on NT Server because applications cannot manipulate hardware. In fact, that's worth repeating for those who are skimming.

Do not back up your disk with a DOS backup system, and assume that the tapes will work after you've installed NT Server. The DOS backup program won't work under NT Server, and NT's proprietary backup system will not be able to read the tapes.

Well, what's to be done about this? If you've got a networked machine with enough unused space on its hard disk, you can XCOPY everything to that machine, and then just XCOPY it back after NT Server is installed. (Don't forget the /s or /e switch to copy subdirectories, or you'll only copy the contents of your root directory.)

Another option is to install NT Server onto a FAT volume (you get to choose the file system during installation). After you've finished installing, you can boot from a DOS floppy, run the DOS-based backup program to restore the files to the FAT volume, and then, if you're using NTFS, run the conversion routine to convert the FAT volume to NTFS. If you've got the space required for the conversion routine, this beats the third alternative of installing a tape drive on a networked machine and restoring across the network, as you won't have to crack the case if it's an internal drive. Make sure, however, that you back up immediately after you've restored so that you've then got a backup of your system that you can access without all the rigmarole.

Installing NT Server

In addition to the manuals and registration information, your NT Server package should contain three floppy disks and a CD-ROM.

Although you can order NT Server on floppy disk, the CD-ROM contains some features of NT that the floppies do not. It's also much easier to install the NOS from CD-ROM, since you don't have to constantly swap disks.

Once you've tested your hardware, boot from the first floppy to begin the installation.

The first thing that the installation routine does is to run a routine named NTDETECT.COM to make sure that it can work with all your hardware.

***

If NT won't start and you think that it's due to a hardware failure, you can use a debug version of NTDETECT, named NTDETECT.CHK. It's on the CD-ROM in \SUPPORT\DEBUG\I386. To use it, diskcopy the boot disk onto a blank, formatted floppy; then copy NTDETECT.CHK onto the floppy. Delete NTDETECT.COM from the new floppy, then rename NTDETECT.CHK to NTDETECT.COM. Restart the installation, booting from the new floppy. NT shows the progress of the hardware check as it looks at each component. If it hangs when you see "Detecting Floppy Component," for example, then you know that it doesn't like something about the floppy system.

***

The installation process is pretty straightforward. There are a few potential pitfalls, which can be avoided if you do the following:

• Choose Custom Setup rather than pressing Enter for Express Setup. You're only going to install this server a few times, so you might as well look at what you're doing and make sure that it's correct, instead of trusting the defaults.

• Don't force the issue. When NT Server attempts to identify your mass storage devices, if it doesn't find one of yours that you think should be compatible, don't try to force NT Server to accept the device. Press F3 to halt the installation, check the device to make sure that it's installed properly (and, if a SCSI device, terminated properly), and then start over. NT Server is very good at identifying hardware, so if it doesn't see a device, there probably is a hardware problem.

• Keep it simple. When choosing a network protocol, don't bother installing TCP/IP (the default) at this point if you don't have to. You can set up TCP/IP at a later date, because it's complicated enough to slow down your installation (and increase the amount of time before you get the server to work).

• Pay attention. You'll have a choice of making this machine a domain controller or a server. The first NT Server machine on your network must be a domain controller (that's the machine that verifies all security information like logons). It's a good idea to have two domain controllers per domain, one to be the primary domain controller and one to be the backup in case you need to take down the primary domain controller, but you must have one for the network to work properly; the domain controller handles all security settings, such as user passwords. If you make it a server by mistake, you'll have to reinstall.

• Choose a domain name carefully. If creating a domain, don't assign it a "throw-away" name and assume that you can change it later. You cannot change a domain's name without reinstalling.

• Choose a server name carefully. Give your server a name that neither corresponds to a person's name on your network nor has spaces in it. Using people's names as machine names can be confusing, and makes for extra housekeeping if machine assignments change. Spaces in a name complicate matters if you ever have to use the command line to connect to that machine (as you do, for example, if you connect a DOS client).

• Choose a password carefully. During the installation process, you'll set up the administrator's account. If you assign a password at this point, do not forget it. You won't be able to do anything else on the system, including log on, without that password. If you ever forget the administrator's password, you'll have to reinstall the operating system.

There are many issues to think about when installing NT Server, but those are the big ones. Generally speaking, installing NT Server is a trouble-free experience, if the hardware works.

Using NT: Basic System Setup

There are two aspects to setting up an operating system: what you need to do to get the network running and keep it that way, and the extras that might not need to be done right away. This chapter, therefore, first covers the basics of using NT Server, and then covers advanced topics separately.

The first thing you need to do is to set up some user accounts, and share drives and directories as appropriate, so that your users can work while you tweak the system. Let's start by setting up a user account.

Creating and Tuning User Accounts

Activate the Administrative Tools program group, and open the User Manager for Domains. You'll see an opening screen that resembles figure 9.4.

Figure 9.4 In the User Manager for Domains window, you'll create and fine-tune user accounts, and establish cross-domain relationships.

Let's begin by creating an account like the ones that most of your users will require. Choose User, New User to open the dialog box shown in figure 9.5.

Figure 9.5 Create a user account by filling in the New User dialog box.

Fill in the user's logon name, full name (the two may not be identical; for example, if you've got a Bob Jones in your office, you would set something like BobJ as his user name) and password. Using the buttons at the bottom of the dialog box, you can also set the following for this user:

We won't discuss all these in detail. Some, like logon hours, are quite straightforward; others, like user profiles, are not required for all installations. Password characteristics and user groups are the ones most likely to require tweaking, so the next two sections discuss these settings.

User Password

The password that you fill in can be up to 15 characters long. If the user will be logging on from an NT Workstation, you can make the password case-sensitive to make it more difficult to guess (for example, passWord), but if the user will be logging on from a Windows 95 or DOS/Windows workstation, case doesn't matter when a password is typed. Notice the User Must Change Password at Next Logon checkbox; to keep yourself from knowing the user's password (thereby increasing network security), you can check this box to force the user to make up a new password the first time they use the account.

Unfortunately, you cannot automatically set password restrictions for your users with NT Server; that is, you cannot invalidate certain words (such as user names) as passwords. You can, however, tweak the available password settings. In User Manager for Domains, choose Policies, Account to set the minimum and maximum length and age for a password and determine how often passwords can be reused.

Click the Account button in the lower-right of the User Properties dialog box to change the account policies. You see a dialog box like the one shown in figure 9.6.

Figure 9.6 In the Account Information dialog box, you can determine whether the account is a global one that can be extended to another domain, or a local one for use only in the local domain.

Unless you're setting up an account for a member of another, untrusted domain, you probably should select Global Account. This makes the account usable on any trusted domains as well as on the user's home domain. Also, you can determine here any expiration date for the account; after the date you type, the account will be disabled until you enable it again.