Windows NT 4.0 Server

Installation

Minimum requirements for NT Server 4.0:
- 125M free disk space
- 16M RAM
- 486-DX33
- CD-ROM (if not installing over network)
- VGA compatible display

Windows NT Setup

WINNT32.EXE is used to upgrade only from a previous version of Windows NT.
WINNT.EXE is used for the regular Windows NT setup, or an installation
through DOS or Windows 95.
Upgrading from Windows 3.1x or a previous version of NT will keep
all user, network and program settings.
There are no conversion options from Windows 95 to Windows NT that
will allow you to maintain user settings. To dual boot between the
two, install NT in a separate directory and reinstall all your applications.
Command modifiers for installation:
- /B - Put the boot files on the hard drive instead of using boot floppies
(takes an extra 4-5MB of hard disk space).
- /S - Specify the source file location(s). Multiple locations will
speed up installation.
- /U - Specify the answer file location for an unattended installation.
MUST be used with /S to specify the source file location(s).
- /T - Specify the location of the temp directory created for the install
(/t:<path>).
- /OX - Create the setup disks from CD-ROM or a shared network folder.
Used to replace damaged boot disks.
- /F - Don't verify files. Can speed up installation.
- /C - Don't check for free space when creating boot disks.
- /I - Specify the setup information (.inf) file. This file tells setup
how to run. The default name is DOSNET.INF.
Setup disks can be created by running WINNT.EXE /OX or by running WINNT.EXE
from the CD-ROM.
- Answer file - Used when performing unattended installs. Provides
information that would normally be answered by the user during setup.
Default name is UNATTEND.TXT.
- UDF (Uniqueness Database File) - Used in conjunction with the answer
file when performing unattended installs. Provides information for
settings that are user or group specific. Default name is $UNIQUE$.UDF.
To uninstall NT on a FAT partition, you will need to boot to DOS,
run SYS.COM, and remove the WINNT directory and files.
In the server properties menu, there are options to optimize server
memory for certain situations:
- Minimize Memory Used - Allows memory to be allocated for up to 10
network connections.
- Balance - Provides memory for up to approximately 64 connections
(default).
- Maximize Throughput for File Sharing - Optimizes server memory for
file sharing operations.
- Maximize Throughput for Network Applications - Optimizes server memory
for server-based network applications. Key word is SQL.
Virtual memory

Virtual memory can be controlled in the Control Panel -> System properties
under the Performance tab.
The paging file size can be increased or decreased here, and even distributed
across multiple drives to speed up access.
The most efficient paging file is distributed on several drives but
not on the boot or system drive.
The initial paging file size equals the amount of RAM in the system plus
12MB for NT Workstation, and the amount of physical RAM for NT Server.
Paging file size can increase during operation, but will not shrink.
Page file size will be reset when the computer is restarted.

Multiple Disk Sets

- Disk Striping - Divides data into 64k blocks and spreads it equally among
all disks in the array. Needs a minimum of two hard disks. Does not
provide fault tolerance.
- Disk Mirroring - Duplicates a partition on another physical disk.
Provides fault tolerance by keeping data stored on two different disks,
in case of drive failure.
- Disk Duplexing - Duplicates a partition on another physical disk which
is connected to another hard drive controller. Provides fault tolerance
by keeping data stored on two different disks, in case of drive failure,
and by having two hard drive controllers, in case of drive controller
failure.
- Disk Striping with Parity - Distributes data and parity information
across all disks in the array. The data and parity information are
arranged so they are always on separate disks. A parity stripe block
exists for each row across the disks. The parity stripe is used for disk
reconstruction in case of a failed disk. Supports a minimum of three
disks and a maximum of thirty-two disks.
- Volume Set - Merges numerous partitions into one drive mapping. Drives
are read one at a time. Does not provide fault tolerance.

System and boot partitions cannot be part of a stripe or volume set,
but can be a part of disk mirroring and duplexing partitions.
Speed factors
- Disk striping will provide the fastest read/write performance,
as it can read multiple disks at a time.
- Disk striping with parity is slower, as it has to write the parity
information, but is still faster than disk mirroring and a volume set.
- Disk mirroring is slow due to the redundancy factor of writing
the same information to two drives at once.
- A volume set can only read/write one drive at a time.
To recover from drive failure with disk mirroring, you must install
the new drive, boot the system into NT, run Disk Administrator, break
the mirror from the Fault Tolerance menu, and then reestablish the
mirror. This will not be done automatically.
To recover from drive failure with disk striping with parity, you
must install the new drive, boot the system into NT, run Disk Administrator,
and choose the Regenerate option.
To recover from multiple drive failure with disk striping with parity,
you must install the new drives, boot the system into NT, and restore
the system backup from tape.
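As an added illustration (not part of the original study guide), the following Python models a stripe set with parity in miniature: parity is the XOR of each row's data blocks, a single failed disk is regenerated from the survivors, and a double failure is refused, which is why that case goes back to tape. The block size and the sample payload are this example's own choices.

```python
from typing import List, Optional

BLOCK = 4   # toy block size in bytes (NT stripes in 64k blocks; shrunk for the demo)

def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length blocks together; this is the parity operation."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)

def stripe_with_parity(data: bytes, ndisks: int) -> List[List[bytes]]:
    """Lay data out across ndisks (minimum three). Returns disks[d][row].
    Each row holds ndisks-1 data blocks and one parity block, and the
    parity block's position rotates so data and parity never share a disk."""
    if ndisks < 3:
        raise ValueError("striping with parity needs at least three disks")
    per_row = BLOCK * (ndisks - 1)
    padded = data + b"\x00" * (-len(data) % per_row)
    disks: List[List[bytes]] = [[] for _ in range(ndisks)]
    for row, off in enumerate(range(0, len(padded), per_row)):
        chunk = padded[off:off + per_row]
        data_blocks = [chunk[i:i + BLOCK] for i in range(0, per_row, BLOCK)]
        parity_disk = row % ndisks
        pending = iter(data_blocks)
        for d in range(ndisks):
            disks[d].append(xor_blocks(data_blocks) if d == parity_disk
                            else next(pending))
    return disks

def read_back(disks: List[List[bytes]], length: int) -> bytes:
    """Reassemble the data by skipping each row's parity block."""
    ndisks = len(disks)
    out = bytearray()
    for row in range(len(disks[0])):
        for d in range(ndisks):
            if d != row % ndisks:
                out += disks[d][row]
    return bytes(out[:length])

def regenerate(disks: List[Optional[List[bytes]]]) -> List[bytes]:
    """Rebuild the single failed disk (given as None) from the survivors,
    as Disk Administrator's Regenerate option does: the XOR of a row's
    surviving blocks equals the missing block. With two or more disks gone
    there is not enough information left, hence the restore from tape."""
    missing = [i for i, d in enumerate(disks) if d is None]
    if len(missing) != 1:
        raise RuntimeError("%d disks failed; regenerate needs exactly one" % len(missing))
    survivors = [d for d in disks if d is not None]
    return [xor_blocks([d[row] for d in survivors])
            for row in range(len(survivors[0]))]

if __name__ == "__main__":
    payload = b"constructed sample payload for a 4-disk stripe set"
    array = stripe_with_parity(payload, 4)
    failed = list(array)
    failed[2] = None                      # simulate losing disk 2
    failed[2] = regenerate(failed)
    print(read_back(failed, len(payload)) == payload)
```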
File systems

NTFS has file-level security, and is faster over 400M, but has a
larger overhead (cannot format a floppy disk with NTFS) and cannot be
read by DOS, WIN 3.1, WIN 3.1.1 or WIN95.
FAT16 is compatible with MS-DOS & WIN95 but has no file-level security.
FAT32 is not NT compatible.
To upgrade an NT 3.51 HPFS partition, you must convert the partition(s)
to NTFS with CONVERT.EXE before upgrading the OS.
NTFS vs. FAT

FAT
- Files and directories on a FAT partition only contain the standard
attributes of Archive, Read-Only, System and Hidden.
- Cannot set local security access on a FAT volume.
- Can convert the partition to NTFS by running CONVERT.EXE.
- A FAT partition can be defragmented by booting with a DOS diskette
and running DEFRAG.EXE.
- Files moved from a FAT partition to an NTFS partition retain their
attributes and long filenames.

NTFS
- NTFS partitions contain the standard attributes, as well as security
descriptors that base file access on file-level security.
- Can set local security access on an NTFS volume.
- Partition cannot be converted to FAT. The partition must be deleted
and recreated as a FAT partition.
- NTFS partitions cannot be defragmented. To defragment an NTFS partition,
it must be formatted and restored from backup.
- Files moved from an NTFS partition to a FAT partition do not retain
their attributes or security descriptors, but will retain their long
filenames.

Security

Share-Level Security - Governs how a user accesses a resource through the
network. Can be implemented on NTFS or FAT partitions. Applied through
the Sharing tab of the resource's properties.
File-Level Security - Governs local user file and folder security
on NTFS partitions only. Applied through the Security tab of the resource's
properties.

Share Security Levels

Full Control
- Is assigned to the Everyone group by default.
- Allows user to take ownership of files and folders.
- Users can change file access rights.
- Grants user all permissions assigned by the Change and Read levels.

Change
- User can add and create files.
- Grants ability to modify files.
- User can change the attributes of the file.
- User can delete files.
- Grants user all permissions assigned by the Read level.

Read
- User can display and open files.
- User can display the attributes of the file.
- User can execute program files.

No Access
- User cannot display, access, or modify files.
NTFS Permissions (for a folder, a user can...)
- Read (R) - Display folder names, attributes, owner, and permissions.
- Write (W) - Add files and folders, change a folder's attributes,
and display owner and permissions.
- Execute (X) - Display folder attributes, make changes to folders
within a folder, and display owner and permissions.
- Delete (D) - Delete a folder.
- Change Permission (P) - Change a folder's permissions.
- Take Ownership (O) - Take ownership of a folder.

NTFS Permissions (for a file, a user can...)
- Read (R) - Display file data, attributes, owner, and permissions.
- Write (W) - Display owner and permissions, change file attributes,
create data in, and append data to, a file.
- Execute (X) - Display file attributes, owner and permissions.
Run a file if it is an executable.
- Delete (D) - Delete a file.
- Change Permission (P) - Change a file's permissions.
- Take Ownership (O) - Take ownership of a file.

Permissions are cumulative, except for No Access, which overrides
anything.
When a resource has both File-Level and Share-Level Securities enabled,
the most restrictive security is given to the user.
File permissions override the permissions of its parent folder.
Anytime a new file is created, the file will inherit permissions
from the target folder.
The priority of attributes to a file is:
1) File
2) Directory
3) Share
File attributes override directory attributes, which override share
attributes.
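An added example, not from the original guide, that encodes the rules above as a small resolver: permissions accumulate across a user's groups, a No Access entry overrides everything, and when share-level and file-level security are both enabled the user gets the most restrictive result. The mapping of share levels onto NTFS rights and the ACLs in the demo are this example's own assumptions.

```python
from typing import Dict, FrozenSet, Iterable, Set

NO_ACCESS = "No Access"
ALL_RIGHTS: FrozenSet[str] = frozenset("RWXDPO")   # the six NTFS rights above

# Share levels expressed as the NTFS-style rights they allow. This mapping is
# the example's own assumption, chosen so the two ACL kinds can be intersected.
SHARE_LEVELS: Dict[str, FrozenSet[str]] = {
    "Full Control": ALL_RIGHTS,
    "Change": frozenset("RWXD"),
    "Read": frozenset("RX"),
}

def effective_ntfs(acl: Dict[str, str], principals: Iterable[str]) -> FrozenSet[str]:
    """acl maps a user or group name to a rights string such as 'RX', or to
    NO_ACCESS. principals is the user plus every group the user belongs to."""
    rights: Set[str] = set()
    for who in principals:
        entry = acl.get(who)
        if entry is None:
            continue                      # no entry: contributes nothing
        if entry == NO_ACCESS:
            return frozenset()            # No Access overrides anything
        rights |= set(entry)              # otherwise permissions accumulate
    return frozenset(rights & ALL_RIGHTS)

def effective_share(acl: Dict[str, str], principals: Iterable[str]) -> FrozenSet[str]:
    """Same rules for a share-level ACL, whose entries are level names."""
    rights: Set[str] = set()
    for who in principals:
        level = acl.get(who)
        if level is None:
            continue
        if level == NO_ACCESS:
            return frozenset()
        rights |= SHARE_LEVELS[level]
    return frozenset(rights)

def effective_access(ntfs_acl: Dict[str, str], share_acl: Dict[str, str],
                     user: str, groups: Iterable[str],
                     over_network: bool) -> FrozenSet[str]:
    """Rights the user ends up with on the resource."""
    principals = {user, *groups}
    ntfs = effective_ntfs(ntfs_acl, principals)
    if not over_network:
        return ntfs                       # share security only governs network access
    share = effective_share(share_acl, principals)
    return ntfs & share                   # both enabled: most restrictive wins

if __name__ == "__main__":
    # Constructed ACLs for one shared NTFS folder.
    ntfs = {"Everyone": "RX", "Accounting": "RWXD", "Temps": NO_ACCESS}
    share = {"Everyone": "Read"}          # the share is tighter than the NTFS ACL
    print(sorted(effective_access(ntfs, share, "alice", ["Everyone", "Accounting"], True)))
    print(sorted(effective_access(ntfs, share, "alice", ["Everyone", "Accounting"], False)))
    print(sorted(effective_access(ntfs, share, "bob", ["Everyone", "Temps"], True)))
```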
- Copying within a partition - Creates a new file resembling the old
file. Inherits the target folder's permissions.
- Moving within a partition - Does not create a new file. Simply updates
directory pointers. File keeps its original permissions.
- Moving across partitions - Creates a new file resembling the old file,
and deletes the old file. Inherits the target folder's permissions.
Auditing can be enabled in the User Manager. The Event Viewer is
used to view audited events.
When using Event Viewer, only local administrators can see the security
log, but anyone (by default) can view other logs.
Only administrators have the right to share folders on NT Server
(and Power Users on NT Workstation).

Groups and Account Management

- Global groups - Groups which contain users with similar rights and
requirements. Can only be created on Domain Controllers, and can only
contain users in that specific domain.
- Local groups - Groups used to allow members to access resources
on the local computer/domain. Can be created on any NT system. Should
only contain global groups from the computer's domain or a trusted
domain, but can also include individual user accounts (not recommended).
Creating new accounts requires only two pieces of information:
username and password.
Duplicating an account requires three pieces of information: username,
password and full name.
Disabling an account is typically used when someone else will take
the user's place or when the user might return.
Delete an account only when absolutely necessary for space or organization
purposes.
When copying a user account, the new user will stay in the same
groups that the old user was a member of. The user will keep all
group rights that were granted through groups, but lose all individual
rights that were granted specifically for that user.
NT Default Accounts
- Backup Operators - Group designated for members to back up and restore
computers from tape. Backup Operators can only back up and restore
from tape when logged in locally to the computer. This group is found
on all NT Servers.
- Account Operators - Group designated for members to manage user and
group accounts. This group is found only on Domain Controllers.
- Server Operators - Group designated for members to manage resources,
but cannot manage user accounts. Can back up and restore from tape.
This group is found only on Domain Controllers.
- Replicator - Group designated for NT computers to perform directory
replication. This group is found on all NT Servers.

RAS (Remote Access Services)

RAS is capable of using the following connection protocols:
- SLIP - Has less overhead than PPP, but cannot automatically assign
an IP address, and only uses TCP/IP.
- PPP - Can automatically assign IP addresses, supports encryption
and other protocols besides TCP/IP.
- RAS - Used by Windows 3.x and Windows NT 3.x clients.
RAS supports call back security to either the calling number or to
a specified, non-changing number.
RAS for NT 4.0 supports multilink (the use of more than one modem
to achieve higher transmission speeds). Multilink cannot be
used with callback security unless there are two (or more)
ISDN modems configured on the same phone number.
RAS uses NetBEUI as the default network protocol, but can also use
TCP/IP and IPX/SPX. TCP/IP will need to be used if you are using programs
that utilize the Windows Sockets (Winsock) interface over the RAS
services.
RAS will default to the first network protocol on each side of the
connection. Thus, if NetBEUI is the first protocol that is in common,
Winsock applications (such as a web browser) will not be available
to the client.
To speed up NetBIOS resolution on RAS clients, put an LMHOSTS file
on each client locally.
RAS encryption settings
- Allow any authentication including clear text - This will allow RAS
to use a number of password authentication protocols, including the
Password Authentication Protocol (PAP), which uses plain-text password
authentication. This option is useful if you have a number of different
types of RAS clients, or to support third-party RAS clients.
- Require encrypted authentication - This option will support any
authentication used by RAS except PAP.
- Require Microsoft encrypted authentication - This option will only make
use of Microsoft's CHAP (Challenge Handshake Authentication Protocol).
All Microsoft operating systems use MS-CHAP by default.
- Require data encryption - This option will enable the encryption of
all data sent to and from the RAS server.
RAS will write to a log file which can be used for troubleshooting
RAS services. In order to enable RAS to write to the log, you have
to enable it in the Registry.

Netware

NWLink (MS's version of the IPX/SPX protocol) is the protocol used
by NT to allow Netware systems to access its resources.
NWLink is all that you need to run in order to allow an NT system
to run applications off of a NetWare server.
To allow file and print sharing between NT and a NetWare server,
CSNW (Client Services for NetWare) must be installed on the NT system.
Both NWLink and CSNW are automatically installed when Gateway Services
for Netware is installed.
Gateway Services for Netware can be implemented on your NT Server
to allow MS client systems to access your Netware server by using
the NT Server as a gateway. You must have a group account set up on
the Netware server called NTGATEWAY. In this Netware group you add
the user accounts of all the NT accounts that need to access the Netware
server. However, a single account on the NT Server is all that is needed
to access Netware resources for all NT users.
Frame types for the NWLink protocol must match the computer that
the NT system is trying to connect with. Mismatched frame types will
cause connectivity problems between the two systems. If multiple frame
types are in use, you should manually specify each frame type. If
NT is set to auto-sense the frame type it will only detect one frame
type, in the following order: 802.2, 802.3, Ethernet_II and 802.5
(token ring).
If you decide to convert a Netware server to an NT Server, you will
first need to implement NWLink and Gateway Services for Netware
on the NT Server. Once the conversion has completed, you will need
to make sure all Netware workstations have had the Microsoft (SMB)
redirector installed on their systems to access the NT Server.
Netware 3 servers use Bindery emulation (Preferred Server in CSNW).
Netware 4 servers use NDS (Default Tree and Context).
There are two ways to change a password on a Netware server: SETPASS.EXE
and the Change Password option (from the CTRL-ALT-DEL dialog box).
The Change Password option is only available for Netware 4.x servers
using NDS.

Networking

Computer Name Resolution:
- DNS (Domain Name Services) - Used to resolve DNS host name to
an IP address.
- WINS (Windows Internet Naming Service) - Used to resolve NetBIOS
computer name to an IP address.
- HOSTS - File which contains mappings between DNS host names and
their IP addresses. Must be maintained manually.
- LMHOSTS - File which contains mappings between NetBIOS computer
names and their IP addresses. Must be maintained manually.
TCP/IP is an internet protocol currently used for most networking
situations. Each computer using TCP/IP will contain a unique address
in x.x.x.x format (where each x is a number between 0 and 255) and a
subnet mask.
Subnet mask - A value that is used to distinguish the network ID
portion of the IP address from the host ID.
Default gateway - A TCP/IP address for the host which you would send
packets to, to be sent elsewhere on the network (typically a bridge
or a router).
Common TCP/IP problems are caused by incorrect subnet masks and default
gateways.
Install a WINS server in addition to a DNS server to alleviate traffic
due to b-node broadcasts.
If bandwidth is hogged by a particular group of users on a TCP/IP
network, create a separate physical subnet by installing a 2nd NIC
on the server, installing a new hub, and putting the problem users
on this hub.
UNIX computers use the TCP/IP protocol.
NetBEUI is a non-routable protocol that is used solely by Microsoft
O/S's.
Universal Naming Convention (UNC) - Universal network pathname which
is integrated into Microsoft systems. Named as \\computername\sharename,
where computername = the NetBIOS name of the computer, and sharename
= the share name of the folder.
Trap messages are sent using SNMP (Simple Network Management Protocol).

Profiles

Profiles are the user settings which are loaded when a user logs
in. They can contain desktop and start menu preferences. These files
can be located either locally or on a server which has been mapped in
the User Manager.
NTUser.dat and *.dat files are the typical, user-configurable profiles
used.
NTUser.man and *.man files are read-only. If the user attempts to
configure their desktop, the *.man file will not be updated. When
the user logs in again, it will restore the original profile.
You may copy profiles using the User Profiles menu located under
CONTROL PANEL | SYSTEM PROPERTIES.

Policies

Policies take precedence over profiles.
Individual policies take precedence over group policies.
Machine policies take precedence over all policies.

Printing

Microsoft uses the terminology "Print Device" to refer
to the physical piece of hardware, whereas a "Printer" is
a conceptual idea describing the icon in the Control Panel.
NT 4.0 has the option to maintain drivers for different operating
systems on the server. Each operating system uses different drivers.
For example, NT 4.0, NT 3.51 and Win95 systems cannot use the same
print drivers. By installing the drivers for each of these types of
system on the print server, each of these types of clients can automatically
download the driver they need without manual installation.
NT clients (3.51 and 4.0) automatically download updated drivers
from the server. Win95 machines will initially download print drivers
but will not automatically update to a newer version of the driver.
Win 3.1x and DOS clients must have the drivers installed on each client
manually.
- Print Pooling - Consists of two or more identical print devices
associated with one printer.
- Availability - This option allows you to specify which hours the
printer can be printed to.
- Priority - This option specifies which virtual printer should print
first if other virtual printers are trying to print to the same physical
printer at the same time. Priorities range from 1 - 99 with 1 being
the lowest and 99 the highest.
You can select Restart in the Document Menu of the printer to reprint
a document from the beginning. This is useful when a document is
printing and the printer jams. Resume can be selected to start printing
where you left off.
You can change the directory containing the print spooler in the
advanced server properties for the printer.
To remedy a stalled spooler, you will need to stop and restart
the spooler services in the Services
applet of control panel.
Printing to a TCP/IP printer requires you to know the IP address
and printer name.
The DLC protocol needs to be installed in order to connect to an
HP print server.
The AppleTalk protocol needs to be installed to communicate with
Apple printers.
Use the PCL.SEP separator to switch from PostScript to PCL.
Use PSCRIPT.SEP separator to switch from PCL to PostScript.

Troubleshooting

To create a boot disk, format the diskette from the NT system you
want a boot disk for (Win 95 and DOS will not work), and copy over the
following files: NTLDR, NTDETECT.COM, BOOT.INI and NTBOOTDD.SYS (SCSI
only).
To create an Emergency Repair diskette, you can choose to do so either
during the installation of NT, or you can run RDISK.EXE. When RDISK.EXE
is run with the /S option, the utility backs up user accounts and
file security.
To use the Emergency Repair diskette, you will need to boot the server
with the NT installation boot diskettes, and choose to repair NT with
the Emergency Repair disk that was created.
The Emergency Repair Process can a) inspect the registry files and
return them to the state on the repair disk, b) inspect the startup
environment, c) verify the system files and d) inspect the boot sector.
To troubleshoot bootup problems, you can edit the Boot.Ini file and
add the /SOS switch to the end of the Windows NT entries in the [Operating
Systems] section of the Boot.Ini file to display driver names while
they are being loaded. The VGA startup option has /SOS added by default.
Use the Last Known Good option on bootup to restore the system to
a bootable state if problems arise from switching video drivers or
changing registry settings.
Common error codes:
- No system or boot disk message when trying to dual-boot = BOOTSECT.DOS
is corrupt
- Copy single file non-critical error - could not copy file = Occurs
when you install Windows NT from an unsupported CD-ROM or network
drive.
- Server stop errors - In the System Properties -> Startup/Shutdown
tab, there are options to configure where you would like the Server
stop errors to be written. The errors are written to a .DMP file which
is readable by the program DUMPEXAM.EXE. You must have free space
in a swapfile on your boot drive equal to or larger than the amount
of physical RAM in your system in order to generate a dumpfile.

PDCs and BDCs

To upgrade from a member server to a BDC or PDC, NT Server must be
reinstalled.
To downgrade from a PDC or BDC to a member server, NT Server must
be reinstalled.
To change a PDC to a BDC, or a BDC to a PDC, you must promote a BDC
to a PDC in the Server Manager. There is no "Demote" option here,
only Promote a BDC. NT will disconnect the current PDC if online and
handle everything automatically.
Only when a PDC goes offline unexpectedly will there be an option
to Demote to a Backup Domain Controller. This will only be seen when
the original PDC comes back online.
A BDC cannot automatically promote itself when the PDC becomes disconnected
from the network. A BDC will continue to service login requests during
the time that the PDC is unavailable.

Browser Services

All NT Servers have browser services available. The Master browser
will maintain a browse list which contains a list of all workstations,
servers and domains on the network. There can be only one master browser
per subnet.
The PDC will always be the domain master browser. All BDCs will
be backup domain master browsers and are capable of becoming domain
master browsers in the event of a PDC failure. All member servers
are capable of becoming master browsers or backup browsers.
You can disable the ability of a server to become a master browser
by making the proper changes in the registry.

ARC Naming Convention

The Advanced RISC Computing (ARC) path is located in the BOOT.INI
and is used by NTLDR to determine which disk contains the operating
system.
- multi(x) - Specifies a SCSI controller with the BIOS enabled, or a
non-SCSI controller. x = ordinal number of the controller.
- scsi(x) - Defines a SCSI controller with the BIOS disabled.
x = ordinal number of the controller.
- disk(x) - Defines the SCSI disk which the OS resides on. When multi
is used, x = 0. When scsi is used, x = the SCSI ID number of the disk
with the OS.
- rdisk(x) - Defines the disk which the OS resides on. Used when the OS
does not reside on a SCSI disk. x = 0-1 if on the primary controller,
x = 2-3 if on a multi-channel EIDE controller.
- partition(x) - Specifies the partition number which the OS resides on.
x = cardinal number of the partition, and the lowest possible value is 1.
multi(0)disk(0)rdisk(0)partition(1) has the lowest numbers that an ARC
path can have.
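As an added example (not part of the original guide), a small parser for the [operating systems] entries of a BOOT.INI: it splits each ARC path into its components, checks them against the rules above (partition numbering starts at 1; disk(x) is 0 when multi() is used) and reports boot switches such as the /SOS switch mentioned under Troubleshooting. The BOOT.INI text is constructed for the demo, with a deliberately broken third entry.

```python
import re
from typing import Any, Dict, List

# The five ARC components, in the order BOOT.INI writes them.
ARC_RE = re.compile(
    r"^(multi|scsi)\((\d+)\)disk\((\d+)\)rdisk\((\d+)\)partition\((\d+)\)$",
    re.IGNORECASE,
)

def parse_arc(path: str) -> Dict[str, Any]:
    """Split an ARC path such as multi(0)disk(0)rdisk(0)partition(1)."""
    m = ARC_RE.match(path.strip())
    if not m:
        raise ValueError("not an ARC path: %r" % path)
    adapter, ctrl, disk, rdisk, part = m.groups()
    return {"adapter": adapter.lower(), "controller": int(ctrl),
            "disk": int(disk), "rdisk": int(rdisk), "partition": int(part)}

def validate_arc(arc: Dict[str, Any]) -> List[str]:
    """Apply the consistency rules from the table above."""
    problems: List[str] = []
    if arc["partition"] < 1:
        problems.append("partition(x) is cardinal: the lowest value is 1")
    if arc["adapter"] == "multi" and arc["disk"] != 0:
        problems.append("disk(x) must be 0 when multi() is used")
    return problems

def parse_boot_ini(text: str) -> List[Dict[str, Any]]:
    """One record per [operating systems] entry: ARC fields, system
    directory, description, lower-cased switches, and any problems found."""
    entries: List[Dict[str, Any]] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "operating systems" or "=" not in line:
            continue
        left, right = line.split("=", 1)
        arc_text, _, sysdir = left.partition("\\")
        m = re.match(r'\s*"([^"]*)"(.*)$', right)
        desc = m.group(1) if m else right.strip()
        switches = [s.lower() for s in (m.group(2).split() if m else [])]
        try:
            arc = parse_arc(arc_text)
            problems = validate_arc(arc)
        except ValueError as exc:          # e.g. a C:\="MS-DOS" entry
            arc, problems = None, [str(exc)]
        entries.append({"arc": arc, "dir": "\\" + sysdir, "description": desc,
                        "switches": switches, "problems": problems})
    return entries

# Constructed sample BOOT.INI; the third entry is deliberately wrong.
SAMPLE_BOOT_INI = r"""
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows NT Server Version 4.00"
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows NT Server Version 4.00 [VGA mode]" /basevideo /sos
multi(0)disk(1)rdisk(0)partition(0)\WINNT="Broken entry (constructed)"
"""

if __name__ == "__main__":
    for e in parse_boot_ini(SAMPLE_BOOT_INI):
        status = "ok" if not e["problems"] else "; ".join(e["problems"])
        print("%-45s sos=%-5s %s" % (e["description"], "/sos" in e["switches"], status))
```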

Performance Monitor

- Memory - add more RAM if you detect problems with the following:
  - Pages/sec - excessive disk paging. Should not be above 20.
  - Available bytes - virtual memory available. Should not be below 4MB.
  - Committed bytes - memory being used by applications. Should be
  less than the RAM in the computer.
- CPU - upgrade the processor if you detect problems with the following:
  - %Processor time - amount of time the processor is in use. Upgrade
  if constantly over 80%.
  - System Object: Processor Queue Length - should not be over 2.
- Disks - upgrade the hard disk or controller, add another hdd controller
to balance the load, or implement disk striping for multiple I/O channels
if receiving inadequate disk performance.
  - %Disk Time counter - amount of time the disk is in use. Should
  not be over 90%.
  - Current Disk Queue Length - files in the disk queue. Should not be
  over 2.
Must run DISKPERF -Y to enable disk performance counters.
Alert view allows alerts to be made when the counters surpass the
threshold you set.
Log view allows the tracked objects to be written to a log file.
Used to create a baseline for future reference.
Report view gives the ability to present a concise report of current
statistics.

UPS

Wrong polarity setting (e.g. positive instead of negative) can make
the UPS alert service not work. Instead of getting warnings and a clean
shutdown, you'll get an abrupt power off when the juice is gone from
the UPS.
Using a standard RS-232 cable instead of a special UPS cable can
cause unpredictable results, including BSOD.

Special thanks to Joe Seeley for providing updates to this material.