Windows NT Server, a new breed of network operating system, made its appearance in 1994. From its first incarnation as Windows NT Advanced Server 3.1, Microsoft's new NOS had an easy-to-use user interface, high security, and was straightforward enough that you could begin to use it almost immediately. Since that time, it has only improved. NT Server (currently on version 3.51) is an excellent choice for many networking environments. Not only is it a good product in its own right, but it can connect smoothly to other NOSs (such as Novell NetWare) without difficulty--a real advantage because many of us don't have the luxury of dealing with only one operating system.
You've seen rows of fat books about NT Server, so you know that we can't possibly cover all of its ins and outs in one chapter of one book. In this chapter, we'll discuss the basic architecture of NT Server and talk about the basics of how you can use it on your network. After completing this chapter, you should have a pretty good idea whether or not NT Server is the right network operating system for you.
Our space is limited, so let's jump right in.
NOTE: If you've inherited NT Server 3.5 and don't plan to upgrade to 3.51 (although you should--it's only $40 for the upgrade) this chapter still can help you get acquainted with your operating system, as version 3.51 is quite similar to version 3.5. The newer version has some added features, such as built-in software metering ability, but overall the two are fairly similar.
Although NT Server's cooperation with other NOSs means that you don't necessarily have to make it the sole NOS for your organization, you might wonder why you would even make it one of them. NetWare has been the market leader in network software for quite some time. Is NT Server giving NetWare a run for its money? The answer is yes, and the following sections explore a few of NT Server's key strengths.
One of the main reasons for NT Server's success is that it's really easy to use (I've heard one person describe it as the "Mr. Rogers" NOS). Rather than a command-line interface that requires you to remember obscure syntax and hot-key combinations if you want to do anything, NT Server is designed on the same point-and-click idea as other Windows products. For that matter, if you can't recall the exact point-and-click procedures that you need to do something, the online help system is pretty good.
Although NT Server works just fine on a 486 with 16M of RAM (with caveats as noted in the "Check Your Hardware!" section later in this chapter), it is designed to work with bigger and badder machines. Out of the box, it can support up to four CPUs in the system, and you can get hardware abstraction layers (HALs) from Microsoft that let it support up to 32 CPUs. On the RAM front, it can support up to 4G of memory. Of course, we'll have to wait for 1G SIMMs to come out before this is physically practical, but the support is there. NT Server's NTFS file system also means that it can support hard disks larger than 2G, the limit for the FAT file system that DOS and Windows use. (If you're shaky on what multiprocessor support and lots of memory are good for, turn to chapter 5, "The Server Platform.")
Not only does NT Server support multiple processors, but it also supports multi-threaded applications. Multi-threaded applications are those designed as much as possible in a series of discrete steps so that a processor can perform more than one operation at once (people are fond of saying that multi-threaded applications let the processor walk and chew gum at the same time). This only works with operations that are not dependent on each other (in other words, if the third step in a program is dependent on the outcome of the second, then the second and third steps cannot be performed simultaneously), but when it does work, it speeds things up tremendously.
NT Server is designed for security--although it took until 1995 to receive its C-2 certification (see the sidebar), it was designed toward that aim from the beginning. Part of the security strength lies in its file system, which cannot be accessed by booting from a DOS floppy. Part of it lies in the key sequence (Ctrl+Alt+Del) used to log on, which removes any password-grabbing viruses that cannot survive a reboot. Also in the security plan are user rights that can be specified down to individual file access for an individual user, and logging that can track the activities of each logged-on user.
What Is C-2 Certification?
"C-2 certification" is one of those terms that gets tossed around frequently but perhaps is not understood fully by everyone using it. The United States government has a security manual named Trusted Computer System Evaluation, but more commonly known as the Orange Book. It's essentially a manual for determining how secure a computer system is and describing the testing required to prove that level of security. The levels of security that it identifies range from D (none) to A1 (highest, held by very few systems). A "C-2" rating means that NT Server has been certified to be a system with controlled access protection and with the ability to track user activity, assign individual rights to individual users, and overwrite the information attached to objects such as reassigned user IDs so that the information cannot be gleaned from the hard disk. Other certified C-2 systems include DEC's VAX 4.3 and Hewlett Packard's MPE V/E. As of the time this book went to print, NetWare 4.1 was not yet C-2 certified, although it is C-2 compliant and is expected to be certified in the first half of 1996.
As noted earlier, getting NT Server doesn't mean that you must scrap your other NOSs. NT Server has built-in connectivity to NetWare, so you can set up your NetWare and NT Server servers to be accessible to anyone on your network, no matter how they log on. Additionally, NT Server supports several different transport protocols, including TCP/IP, used for connecting to UNIX machines and the Internet, and IPX/SPX, which NetWare uses. NT Server even has an easy way of connecting to Macintosh computers (see chapter 8, "Novell NetWare," for a discussion of transport protocols).
An NT Server network is organized into groups of machines called domains. Rather than logging on to a single machine, you log on to a domain and through that connection have access to all the servers in the domain to which you're permitted access. This centralized control makes things easier on users (who only have to log on once to access multiple servers) and network administrators (who only have to create one user account for a domain, rather than one for each server). As we'll discuss later in this chapter, you can even create relationships between domains to permit users to log on to another domain using their account on their home domain.
NT Server also allows you to set very specific file permissions on shared drives, directories, and individual files, so that you can precisely control user access.
NT Server's native file system, NT File System (NTFS), supports case-sensitive long file names and provides added security to your server. NTFS volumes are not accessible if you boot from a DOS floppy, which, although it keeps you from accessing volumes if you must boot to DOS, also keeps crackers from doing the same thing.
CAUTION: Unfortunately, NT Server's long file names are not compatible with those used in OS/2's HPFS file system or in Windows 95's version of FAT with long file name support.
NT Server includes three kinds of logging that you can activate for use in troubleshooting your system and metering activity on it. The Security log shows logon attempts (including failed ones, if you want, which can be useful for catching attempted break-ins); the Application log monitors who's accessing what on the server; and the System log shows system events such as network services starting (or failing to start) so that it's easier to track down a problem such as why your graphics division can't log on to the server with their Macs.
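The Security log's record of failed logons is only useful if someone actually reads it, and on a busy domain that means filtering. The following added example (not from the book or from Microsoft) shows the kind of check an administrator would run over exported log entries: it flags any account-and-workstation pair that fails a set number of times within a short window, treating a successful logon as the end of a run. The record format (`timestamp|result|user|workstation`) and every entry in `SAMPLE_LOG` are constructed for the example and are not the Event Viewer's real layout.

```python
"""Flag bursts of failed logons in exported Security-log records.

Added example; the record format and sample data are constructed and do not
reproduce NT Server's actual Event Viewer output."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample entries: bobj mistypes his password five times in quick
# succession, annek fails twice forty-five minutes apart, and someone at an
# unfamiliar workstation hammers the administrator account.
SAMPLE_LOG = """\
1996-01-15 08:01:10|SUCCESS|bobj|WS-ACCT1
1996-01-15 08:02:05|FAILURE|bobj|WS-ACCT1
1996-01-15 08:02:09|FAILURE|bobj|WS-ACCT1
1996-01-15 08:02:14|FAILURE|bobj|WS-ACCT1
1996-01-15 08:02:20|FAILURE|bobj|WS-ACCT1
1996-01-15 08:02:26|FAILURE|bobj|WS-ACCT1
1996-01-15 08:45:00|FAILURE|annek|WS-MKT3
1996-01-15 09:30:00|FAILURE|annek|WS-MKT3
1996-01-15 10:15:00|SUCCESS|annek|WS-MKT3
1996-01-15 11:00:00|FAILURE|administrator|WS-GUEST
1996-01-15 11:00:03|FAILURE|administrator|WS-GUEST
1996-01-15 11:00:06|FAILURE|administrator|WS-GUEST
"""


def parse_log(text):
    """Turn the pipe-separated export into (timestamp, result, user, station) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, station = line.split("|")
        events.append(
            (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), result, user.lower(), station)
        )
    return events


def failed_logon_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return {(user, workstation): peak_failures} for every pair that failed
    at least `threshold` times inside any `window`-long span.

    A successful logon resets the run for that pair, so a user who finally
    types the password correctly after two slips is not reported."""
    runs = defaultdict(list)   # (user, station) -> timestamps of recent failures
    flagged = {}
    for ts, result, user, station in sorted(events):
        key = (user, station)
        if result == "SUCCESS":
            runs[key] = []
            continue
        runs[key].append(ts)
        # Drop failures that have aged out of the sliding window.
        runs[key] = [t for t in runs[key] if ts - t <= window]
        if len(runs[key]) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(runs[key]))
    return flagged


if __name__ == "__main__":
    for (user, station), count in failed_logon_bursts(parse_log(SAMPLE_LOG)).items():
        print(f"{count} failed logons for {user} from {station}")
```

Run over the constructed sample, the check reports bobj (five failures in under half a minute) and the administrator account from WS-GUEST, but not annek, whose two failures are too far apart to be a burst. The threshold and window are the knobs to tune against your own users' typing habits; the point is that the Security log only helps you "catch attempted break-ins" if a routine like this turns its entries into something short enough to look at every morning.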
If your server is important enough for you to spend $700 on good networking software for it, it's important enough to power-protect. NT Server, recognizing that power quality is getting worse instead of better, includes an uninterruptible power supply (UPS) service that Microsoft co-developed with American Power Conversion (APC), one of the major suppliers of power protection. UPSs and other forms of power protection are discussed in detail in chapter 18, "Backup Technology: Uninterruptible Power Supplies."
If you're concerned about keeping up with your licensing requirements, NT Server 3.51 comes with a software metering capability that keeps track of your client licenses. When installing NT Server, you'll have a choice of "per server" or "per seat" licensing. The first option sets the number of concurrent connections permitted to a single server on the domain; the second sets a limit on the number of workstations that can log on to the domain through all servers.
If your network includes telecommuters who need access to a server, then you can set up a dialup account to permit them to do so. As NT Server is extremely security-conscious, this dialup capability has not only password protection but also call-back capability--you can set it up so that users can dial in from only one telephone number. Remote Access Services (RAS) can connect to a modem line, ISDN, or X.25, providing extreme flexibility to meet your needs. (ISDN and X.25 are discussed in chapter 4, "Upgrading to a WAN," and other remote access products are discussed in chapter 27, "Adding Remote Network Access (Telecommuting).")
That's a quick run-through of NT Server's features. Now, let's talk about the basic concepts behind its design.
Before you figure out what you can do with NT Server, it's useful to understand where it's coming from, how it's designed, how it organizes the members of the network, and how to navigate it.
Although most of the vocabulary and concepts we'll use in our discussions of NT Server are well-known to networkers, there are a few you'll need to know that are specific to the product. The following sections explain these terms.
The Registry. The core of NT Server is the Registry. Although you may never have to alter it directly, every system configuration you make is stored in this central database. From auditing setup to establishing user accounts to setting new system colors, it's all stored here.
You can view the contents of the Registry by running REGEDT32.EXE (not REGEDIT.EXE--that only shows the file types stored on your system).
Using the Registry is complicated and, frankly, not often very useful. Almost every system setting can be more easily edited elsewhere (the few exceptions are not settings you're likely to run across unless you're having a very serious problem), and when working with the Registry it's very easy to do major damage to your system without meaning to. If you need to adjust your system settings, use the Control Panel or the User Manager for Domains--don't try to make a change in the Registry unless you're willing to flirt with the possibility of reinstalling the operating system. (Admittedly, as NOS installations go, NT Server's installation process isn't bad, but I'm sure that you can think of a better way to spend two hours.)
The real reason you need to know about the Registry is to make sure that you back it up. If you include the Registry every time you do a backup, then if you ever have to reinstall you won't need to set up the entire system again--just restore the Registry you've backed up, and most of your system settings (including user accounts) are the way they were when you last saved them.
Domains. A domain is a rather nebulous concept, like a workgroup, but essentially it's a logical group of servers (notice that that's machines, not users) organized by some user-defined criteria. You can have a Personnel domain that encompasses all the servers dealing with personnel files, or you can have a Main domain that encompasses all the servers at the main office of your corporation. The grouping depends on your preferences. The crucial point concerning a domain is that the logical grouping means users don't have to log on to individual servers--each user logs on to a domain and therefore has access to all the servers in that domain (to the extent of that user's permitted access, of course).
NOTE: You don't log on to individual servers on an NT Server network; you log on to a domain to access the servers that are part of that domain. In other words, to access multiple servers, you need to log on only once.
You're not limited to accessing NT Server machines when you log on to a domain; any machine capable of sharing resources, such as an NT Workstation (the client version of NT Server) or a Windows 95 machine, can make its resources available to those who log on to the domain. NT Server machines can do certain special things in a domain (such as remote administration) as we'll discuss shortly, but in terms of sharing files and resources, domain membership is pretty flexible.
If you've got a large network--or are spread out over more than one physical site--chances are good that you have more than one domain. If so, you can create a trust relationship between domains that permits your users to access the resources of another domain without requiring an account in that domain. We'll talk later in this chapter about the mechanics of how to set up a trust relationship.
Groups. Domains are arbitrary collections of servers; groups are arbitrary collections of users. In the User Manager for Domains, located in the Administrative Tools window, you can see the wide variety of preset groups to which you can assign users. The basic function of a group is to provide a handy way of assigning certain network rights to a bunch of users, without having to set up each user account individually. One right you can assign, for example, is the ability to perform backups. Rather than forcing you to manually set the account of each potential backup administrator, you can add all the users who need to be able to run the backup program to a group named Backup Administrators. Similarly, if someone who was a backup administrator changes job duties, you can remove their ability to run backups by removing them from the group--no other action is required.
NOTE: NT Server comes with a wide variety of user groups, but you also can build your own groups with a particular set of privileges if none of the built-in groups have the configuration you need.
Multiple Group Membership. A user can belong to more than one group at a time. For example, by default all users are members of the Domain Users group (a basic group that permits its members to do the things most users need to do, like accessing files, but does not allow its members to do things most users don't need to do, like logging on to the NT Server machine itself). Every user must be a member of one of the Domain groups, and whenever the need arises, you can make any given user a member of more than one group.
Rights are cumulative; that is, if you belong to more than one group, the group with the most rights controls what you can do. The only exception to this is the No Access right, which forbids access to a particular drive or directory and overrides any rights that other group memberships give you.
Not only can you add users to groups, but it's also possible to put one group inside another group, so that the members of the interior group have the same rights as those of the exterior group without having to actually join it. The simple restriction is that only local groups can contain other groups and only global groups can be contained.
Local groups? Global groups? Read on...
Local Groups versus Global Groups. NT Server recognizes two kinds of groups: local and global. As neither the documentation nor the online help really explains the difference between the two, it's worth exploring here. Both kinds of groups can perform the same functions (there are local and global users, local and global administrators, local and global print operators, and so on). The important difference between local and global groups relates to membership. Local groups can contain both users and global groups, while global groups can contain only users.
Local groups are the important ones for local administration. Backup Operators, Account Operators, and so on (any group that doesn't have "Domain" at the beginning of its name) are all local groups. Local groups can contain both users and global groups, but cannot contain other local groups.
Global groups are generic in function. NT Server only includes three (Domain Users, Domain Administrators, and Domain Guests). Although all users by default are members of the Domain Users group, if you only have one domain--or have no trust relationship--then the global groups don't matter much.
Global groups really begin to matter when you've set up a trust relationship between domains and want to give users of one domain access to another domain without creating new user accounts on the second domain. The idea is this: if you've gotten domains VERDE and ROJA to trust each other so that the users on VERDE can access the resources on ROJA, then you've got three options for how to set this up:
If you have trouble remembering whether global groups go into local groups or the other way around, try thinking of global groups as ships, and local groups as ports. Ships--which travel the globe--can sail into ports, but certainly cannot sail into other ships. Ports--where all the local activity takes place--can contain ships, but cannot contain other ports. (Thanks to David Sheridan for this excellent analogy.)
Users. The smallest unit in the NT Server universe is the user. Like groups, users are people, rather than machines. The concept of a user is a simple one: it's your key to the domain. If you don't have an account on the domain--even one without a password--you can't log on to the domain and access its resources. (Depending on how your network is set up, you may still be able to log on to individual servers, but you won't be able to access the domain members as a group.)
You can assign rights to users in addition to the rights they have as group members.
Rights versus Permissions. We've been talking about the rights that users and user groups can have, but what are those rights? How are they different from permissions, another NT Server security concept?
In a nutshell, rights are things that people can do; permissions are access privileges attached to files and directories. Rights consist of such events as logging on to the server directly at the server, activating a backup program, or creating a printer. Permissions include things like read access, change access, or full control. You assign rights to people and permissions to data.
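The rules laid out in the last several sections (a user's rights accumulate across all the groups he belongs to, No Access on a directory overrides everything else, local groups may contain users and global groups but never other local groups, and rights attach to people while permissions attach to data) fit together into one small model. The following added example is not Microsoft's code or the book's; it is a toy domain written to make those rules concrete. The group names, user names and share path in it are constructed, and the permission names (Read, Change, Full Control, No Access) are taken from the text.

```python
"""Toy model of NT Server's groups, rights and permissions.

Added example, not NT Server code. User names, group names and the share
path are constructed; the rules encoded here are the ones the chapter states:
  * local groups hold users and global groups, never other local groups;
  * global groups hold users only;
  * rights (things people may do) are cumulative across group memberships;
  * permissions (on data) are cumulative too, except that No Access wins."""

PERMISSION_ORDER = ["Read", "Change", "Full Control"]   # weakest to strongest


class Domain:
    def __init__(self):
        self.global_groups = {}   # name -> set of user names
        self.local_groups = {}    # name -> set of user names and global group names
        self.rights = {}          # group name -> set of rights
        self.permissions = {}     # path -> {user or group name: permission}

    def add_global_group(self, name, *users):
        """Global groups can contain only users (the 'ships' of the analogy)."""
        for member in users:
            if member in self.global_groups or member in self.local_groups:
                raise ValueError(f"global group {name!r} cannot contain a group ({member!r})")
        self.global_groups[name] = set(users)

    def add_local_group(self, name, *members):
        """Local groups ('ports') take users and global groups, never local groups."""
        for member in members:
            if member in self.local_groups:
                raise ValueError(f"local group {name!r} cannot contain local group {member!r}")
        self.local_groups[name] = set(members)

    def groups_of(self, user):
        """Every group whose rights and permissions apply to `user`,
        including local groups reached through a global group."""
        found = {g for g, members in self.global_groups.items() if user in members}
        for g, members in self.local_groups.items():
            if user in members or found & members:
                found.add(g)
        return found

    def grant_right(self, group, right):
        self.rights.setdefault(group, set()).add(right)

    def set_permission(self, path, principal, permission):
        self.permissions.setdefault(path, {})[principal] = permission

    def effective_rights(self, user):
        """Rights are cumulative: the union over all of the user's groups."""
        return set().union(*(self.rights.get(g, set()) for g in self.groups_of(user)))

    def effective_permission(self, user, path):
        """Strongest grant from any group or the user's own entry wins,
        unless any of them is No Access, which overrides the rest."""
        principals = self.groups_of(user) | {user}
        grants = [p for who, p in self.permissions.get(path, {}).items() if who in principals]
        if not grants:
            return None
        if "No Access" in grants:
            return "No Access"
        return max(grants, key=PERMISSION_ORDER.index)


def build_sample_domain():
    """Constructed domain: annek is a domain admin who does backups; bobj is an
    ordinary user who has been explicitly locked out of the payroll share."""
    d = Domain()
    d.add_global_group("Domain Users", "bobj", "annek")
    d.add_global_group("Domain Admins", "annek")
    d.add_local_group("Users", "Domain Users")
    d.add_local_group("Backup Operators", "Domain Admins")
    d.grant_right("Users", "Log on from the network")
    d.grant_right("Backup Operators", "Back up files and directories")
    payroll = r"\\SRV1\PAYROLL"
    d.set_permission(payroll, "Users", "Read")
    d.set_permission(payroll, "Backup Operators", "Full Control")
    d.set_permission(payroll, "bobj", "No Access")
    return d, payroll
```

In the constructed domain, annek ends up with Full Control of the payroll share and the backup right because the Domain Admins global group sits inside the Backup Operators local group; bobj's explicit No Access entry beats the Read he would otherwise inherit through Users. Trying to nest one local group inside another raises an error, which is the rule the text states and the one administrators most often trip over.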
That's about it for describing the way NT Server sees the world: it identifies domains, which are collections of machines; groups, which are collections of users; and individual users. Hanging onto this mental map, let's see what the operating system looks like.
NT Server is designed to be simple to use. To that end, it uses a graphical user interface (GUI) that is very similar to the one in Windows 3.x. As in any GUI, the idea is to free the user from having to remember command syntax or hot-key combinations. When you're in a hurry, you don't have to remember if you should type net use or net view to connect to network resources like disk drives and printers: you just have to pick a command from a menu.
NOTE: All 3.x versions of NT Server use the Program Manager and window design features that are familiar to Windows 3.x users. NT Server 4.0, however, is expected to have an interface closer to that of Windows 95--a taskbar across the bottom and a Start menu with program groups branching from it.
As in Windows 3.x, the starting point for just about everything you do in NT Server 3.5x is the Program Manager (see fig. 9.1). It works just like the Windows 3.x Program Manager--point to the icon representing the tool you want to activate and double-click.
Figure 9.1
The Program Manager is the starting point for everything you do in NT Server 3.5x.
In the Main program group, the tool you'll probably use most often is File Manager. As you can see in figure 9.2, the NT Server File Manager has a few options that Windows 3.x users won't recognize. The Security menu is the starting point for setting permissions for shared files, taking ownership of files, or auditing file access.
Figure 9.2
The NT Server File Manager is good for more than just file sharing--it's also where you set file and directory permissions.
As you saw in figure 9.1, there are a few program groups in Program Manager. The one where you'll do most of your work is the Administrative Tools program group (see fig. 9.3).
Figure 9.3
The Administrative Tools program group contains the icons for basic network administration.
By this point, you should have a pretty good idea what to expect from NT Server and what to do with it. But if you're going to use it, you have to install it first. The following sections walk you through the installation process.
Before you start the installation, you've got to make sure that your hardware is up to snuff. First, it needs to be compatible with the operating system. The best way to ensure compatibility is to get hardware that's on the Hardware Compatibility List included in the NT Server package. If you don't have that option, then think generic and standardized. Generally speaking, SCSI-II devices like hard drives, tape drives, and CD-ROM drives are a good bet if you go with a reliable vendor, like Adaptec, which doesn't stop supporting a product as soon as the next model comes out. Some IDE devices are okay, too, but stay away from anything that uses a proprietary interface (like a CD-ROM drive that plugs into a sound card).
Make Sure That the BIOS Is Compatible!
Even if all the other hardware in your machine meets the system requirements, you still can run into problems with one small but crucial component: the BIOS. I had a frustrating experience once with a rental system that I'd handpicked to be NT-compatible from a reliable rental company. All the hardware checked out, but the installation would not proceed beyond the floppy portion (as you'll see shortly, installation has a floppy section and a CD-ROM section)--when the machine was supposed to reboot during installation, it locked up. Occasionally, I got obscure messages indicating that crucial parts of NT were not loading, but the files were where they were supposed to be. Neither reformatting nor repartitioning the hard disk had any effect. Finally, I called in the Marines by paying $150 to talk to Microsoft. After a little discussion, we established that the BIOS of the AST machine I was using was too old--the version I had was 1.0, and NT Server would only work with version 2.1 or later. I switched to an identical machine with a newer BIOS, and the installation went seamlessly.
Oddly enough, a BIOS that's too new can also be a potential problem. I've heard of a situation in which a Compaq BIOS had to be "downdated" to an older version so that it would work with NT Server. The fact that Compaq machines aren't quite as generic as many other IBM-compatible types might have had something to do with it, but it's worth noting that the newest BIOS might not always be the one that works in a particular situation.
NT Server is very picky about hardware performance. The fact that the hardware worked under DOS does not, unfortunately, mean that it will work under NT Server--this is because DOS is not exactly an operating system. When it comes down to it, the DOS applications run the show more than DOS itself does--they're permitted to control hardware, so theoretically, if something goes wrong with some of that hardware (like parity errors in your memory chips), the application is supposed to take care of it. As you might know from bitter experience, what happens more often than not in practice is that the application crashes, perhaps taking your entire system with it. It's not really the application's fault because that should be the job of the operating system. Letting a spreadsheet program control hardware is like disbanding the fire department and giving everyone in town a bucket: as long as nothing happens, it's fine, but when there really is a fire the townspeople are neither trained nor equipped to deal with the problem.
The point is that you really need to test your hardware exhaustively before attempting to install an operating system like NT Server that insists on everything working right. Do a slow disk test (not the fast one--you want the slow one that can take all night or even a couple of days) and a complete memory test.
Most people install NT Server on a machine that already has data on it, rather than a brand-new one. This is fine, but don't forget that you need some way of getting that data back. (Don't even think about installing a new operating system on your server without backing it up first.) "Not a problem," I hear you say. "I've backed up the drive and have the tape right here." The only difficulty with this is that NT Server's proprietary tape backup system will not be able to read the tapes, and the DOS backup program will not run on NT Server because applications cannot manipulate hardware. In fact, that's worth repeating for those who are skimming.
CAUTION: Do not back up your disk with a DOS backup system, and assume that the tapes will work after you've installed NT Server. The DOS backup program won't work under NT Server, and NT's proprietary backup system will not be able to read the tapes.
Well, what's to be done about this? If you've got a networked machine with enough unused space on its hard disk, you can XCOPY everything to that machine, and then just XCOPY it back after NT Server is installed. (Don't forget the /s or /e switch to copy subdirectories, or you'll only copy the contents of your root directory.)
Another option is to install NT Server onto a FAT volume (you get to choose the file system during installation). After you've finished installing, you can boot from a DOS floppy, run the DOS-based backup program to restore the files to the FAT volume, and then, if you're using NTFS, run the conversion routine to convert the FAT volume to NTFS. If you've got the space required for the conversion routine, this beats the third alternative of installing a tape drive on a networked machine and restoring across the network, as you won't have to crack the case if it's an internal drive. Make sure, however, that you back up immediately after you've restored so that you've then got a backup of your system that you can access without all the rigmarole.
In addition to the manuals and registration information, your NT Server package should contain three floppy disks and a CD-ROM.
NOTE: Although you can order NT Server on floppy disk, the CD-ROM contains some features of NT that the floppies do not. It's also much easier to install the NOS from CD-ROM since you don't have to constantly swap disks.
Once you've tested your hardware, boot from the first floppy to begin the installation.
The first thing that the installation routine does is to run a routine named NTDETECT.COM to make sure that it can work with all your hardware.
TIP: If NT won't start and you think that it's due to a hardware failure, you can use a debug version of NTDETECT, named NTDETECT.CHK. It's on the CD-ROM in \SUPPORT\DEBUG\I386. To use it, diskcopy the boot disk onto a blank, formatted floppy; then copy NTDETECT.CHK onto the floppy. Delete NTDETECT.COM from the new floppy, then rename NTDETECT.CHK to NTDETECT.COM. Restart the installation, booting from the new floppy. NT shows the progress of the hardware check as it looks at each component. If it hangs when you see "Detecting Floppy Component," for example, then you know that it doesn't like something about the floppy system.
The installation process is pretty straightforward. There are a few potential pitfalls, which can be avoided if you do the following:
There are many issues to think about when installing NT Server, but those are the big ones. Generally speaking, installing NT Server is a trouble-free experience--if the hardware works.
There are two aspects to setting up an operating system: what you need to do to get the network running and keep it that way, and the extras that might not need to be done right away. This chapter, therefore, first covers the basics of using NT Server and then covers advanced topics separately.
The first thing you need to do is to set up some user accounts and share drives and directories as appropriate, so that your users can work while you tweak the system. Let's start by setting up a user account.
Activate the Administrative Tools program group, and open the User Manager for Domains. You'll see a window that resembles figure 9.4.
Let's begin by creating an account like the ones that most of your users will require. Choose User, New User to open the dialog box shown in figure 9.5.
Figure 9.4
In the User Manager window, you'll create and fine-tune user accounts and establish cross-domain relationships.
Figure 9.5
Create a user account by filling in the New User dialog box.
Fill in the user's logon name, full name (the two may not be identical; for example, if you've got a Bob Jones in your office, you would set something like BobJ as his user name) and password. Using the buttons at the bottom of the dialog box, you can also set the following for this user:
We won't discuss all these in detail. Some, like logon hours, are quite straightforward; others, like user profiles, are not required for all installations. Password characteristics and user groups are the ones most likely to require tweaking, so the next two sections discuss these settings.
User Password. The password that you fill in can be up to 15 characters long. If the user will be logging on from an NT Workstation, you can make the password case-sensitive to make it more difficult to guess (for example, passWord), but if the user will be logging on from a Windows 95 or DOS/Windows workstation, case doesn't matter when a password is typed. Notice the User Must Change Password at Next Logon check box; to keep yourself from knowing the user's password (thereby increasing network security), you can mark this box to force users to make up a new password the first time they use the account.
NOTE: Unfortunately, you cannot automatically set password restrictions for your users with NT Server; that is, you cannot invalidate certain words (such as user names) as passwords. You can, however, tweak the available password settings. In the User Manager window, choose Policies, Account to set the minimum and maximum length and age for a password and determine how often passwords can be reused.
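The settings this section describes (a 15-character maximum, a minimum length, minimum and maximum password age, and a limit on how soon an old password can be reused) are easier to reason about when written down as a rule set, and so is the case-sensitivity caveat: to a DOS or Windows 95 client, passWord and PASSWORD are the same password, so the reuse check has to compare them that way too. The following added example is not NT Server's code and does not reproduce how the security database stores passwords; it is a model of the Account policy rules from the text, with a constructed password history.

```python
"""Model of the Account policy rules the text describes.

Added example, not NT Server code. The policy values, the sample history and
the user are constructed; the 15-character maximum and the case-folding
behaviour of DOS/Windows 95 clients come from the text."""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_PASSWORD_LEN = 15   # NT Server passwords can be up to 15 characters


@dataclass
class AccountPolicy:
    min_length: int = 8          # Policies, Account: minimum password length
    min_age_days: int = 1        # how soon a password may be changed again
    max_age_days: int = 90       # after this the user must pick a new one
    history_size: int = 5        # how many previous passwords cannot be reused
    case_sensitive: bool = True  # False when the user logs on from DOS or Windows 95


def normalize(password, policy):
    """DOS and Windows 95 workstations ignore case when a password is typed, so
    for those users two passwords that differ only in case are one password."""
    return password if policy.case_sensitive else password.upper()


def check_new_password(candidate, history, policy, last_changed, today):
    """Return the list of rules the candidate breaks; an empty list means accepted."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append("too short")
    if len(candidate) > MAX_PASSWORD_LEN:
        problems.append(f"longer than {MAX_PASSWORD_LEN} characters")
    if today - last_changed < timedelta(days=policy.min_age_days):
        problems.append("changed too recently")
    recent = {normalize(p, policy) for p in history[-policy.history_size:]}
    if normalize(candidate, policy) in recent:
        problems.append("reuses a recent password")
    return problems


def password_expired(last_changed, today, policy):
    """True once the password is older than the policy's maximum age."""
    return today - last_changed > timedelta(days=policy.max_age_days)


# Constructed history for one user, oldest first.
SAMPLE_HISTORY = ["Winter95", "Spring96", "Summer96", "Autumn96"]
```

With `history_size=3`, the constructed user may go back to Winter95 but not to any of the three most recent passwords. The interesting case is `case_sensitive=False`: SUMMER96 is rejected as a reuse for a DOS client even though it would pass for an NT Workstation user, which is exactly the difference the text warns about when it says case doesn't matter from those clients.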
Click the Account button in the lower-right of the User Properties dialog box to change the account policies. You see a dialog box like the one shown in figure 9.6.
Figure 9.6
In the Account Information dialog box, you can determine whether the account is a global one that can be extended to another domain or a local one for use only in the local domain.
Unless you're setting up an account for a member of another, untrusted domain, you probably should select Global Account. This makes the account usable on any trusted domains as well as on the user's home domain. Also, you can determine here any expiration date for the account--after the date you type, the account will be disabled until you enable it again.
User Group Membership. The other setting that you're likely to adjust is the user group membership. When you create an entirely new account--that is, when it's not created using another account as a template, which you can do to save time--then by default the user is a member of the Domain Users group with all the rights that most network users require. For those who need additional rights (such as a person who'll be doing backups), there are additional groups that you can add them to. To do so, in the New User dialog box, click the Groups button. You'll reach the Group Memberships dialog box (see fig. 9.7).
Figure 9.7
You can change group memberships in this dialog box.
A user must be a member of a global group. Because the only built-in global groups are Domain Administrators and Domain Users, this generally means that all your users are members of the Domain Users group. However, you can choose as many other groups as you want. Just don't forget that the user account you're setting up will have all the rights associated with the most powerful group to which it belongs. For example, you should never casually assign someone to the Administrators or Domain Administrators group because administrators can do anything to a server.
To add the user to a new group, click to select the appropriate group in the column on the right. Click Add, and when the group appears in the Member Of column, you've successfully added the user to that group.
How do you make sure that you're selecting the correct group for a particular user? To see which rights are associated with each group, you need to return to the main screen of the User Manager window and choose Policies, User Rights. As shown in figure 9.8, you can click to select the name of a group and then open the Right drop-down list to see all the rights granted to that group.
Figure 9.8
In the User Rights Policy dialog box, you can see which rights are associated with which groups.
Once you've set the group memberships, password, and other information for the new account, click Add in the New User dialog box to add the new account to the security database. Click Close (the button that was labeled Cancel until you clicked Add) to exit and return to the User Manager window.
TIP: If you're setting up a bunch of user accounts that are pretty much alike, you can use an existing account as a template for new ones. At the User Manager window, click the user account to be used as a template, and choose User, Copy. All you need to do for each new user is fill in a new username and password and then click Add; the existing settings (including group memberships) are copied to the new user account.
TIP: To change the settings for an account, double-click it to open the User Properties dialog box.
To review, the steps for creating a new user account are as follows:
Setting Up Cross-Domain Access. If you've only got one domain on your network, you don't need to worry about how to make multiple domains talk to each other. It's the nature of networks to grow, however, so the possibility of establishing cross-domain access is worth considering. Permitting domains to trust each other is not difficult, and it can make network administration easier. A trust relationship between domains means that you can log on to one domain's domain controller and administer another domain or that users of one domain can access files and peripherals associated with another domain without logging on to the second domain.
Trust relationships don't have to be mutual. Just because you give your house key to your neighbor when you go on vacation doesn't necessarily mean that he'll give his house key to you when he goes away. Likewise, one domain can trust another without the second domain trusting the first. If you want a two-way trust relationship, then you have to establish two trust relationships: one going in one direction, and the second going in the opposite direction.
Not only are trust relationships essentially one-way, but they also are intransitive--the fact that domain A trusts domain B, and domain B trusts domain C, does not mean that domain A trusts domain C. To make A trust C, you need to set up a separate trust relationship between them.
Setting up a trust relationship requires action on both domain controllers. In the User Manager window, choose Policies, Trust Relationships. You'll see a dialog box like the one shown in figure 9.9.
Figure 9.9
You can set up cross-domain relationships in the Trust Relationships dialog box of the User Manager for Domains.
TIP: The order of these steps is important--you cannot trust a domain until you're permitted to trust it and the permission is recorded in that domain's security database.
First, you need to permit each domain to trust the other, just as you'd ask your neighbor if he would mind watching your house before you hand him a house key. In the Trust Relationships dialog box, click the lower Add button and type the name of the domain that wants to trust yours in the space provided. If you like, you can password-protect this trust in the same dialog box in which you identify the trusted domain, so that only those domains with the password can trust yours. When you click OK, the domain's name appears in the Permitted To Trust This Domain list.
NOTE: There is no browse list available when setting up a trust relationship. You must know the exact name of the domain that you want to set up.
To trust a domain that you've been permitted to trust, click the upper Add button and type in the name of the domain and any passwords required. When you click OK, that domain's name appears in the Trusted Domains list.
You need to perform both operations at the other domain to complete the trust relationship. To review, the process of building a two-way trust relationship goes like this:
This sounds cumbersome, and to some extent it is, but it's worth it. Once the trust relationship is built, you can add domain groups of one domain to the local groups of the other domain, thereby letting the other domain's members access shared resources on the trusting domain. You also can log on to a trusting domain from the trusted one, from either a workstation or a server.
The users you have set up need something to do after they log on to the server. To provide some productive activity for them, let's use File Manager to share files as required.
As mentioned earlier, NT Server's File Manager (see fig. 9.10) looks very much like the Windows 3.x File Manager, with a few extra menu options.
Because Windows is so common, we'll assume that most people are familiar with the basics of sharing files and directories (you do so by choosing Disk, Share As), and skip to the issues unique to NT Server.
Figure 9.10
Although the NT Server File Manager looks similar to the one used by Windows 3.x, it has a much broader function. Not only can you share drives and directories here, but you can set security options and audit file access.
Basic File and Directory Permissions. You learned earlier in this chapter that permissions are different from user rights. Rights give a user the ability to do something, such as log on to the server or run a backup program. Permissions, on the other hand, determine the level of access a user or group has to particular files and directories. For example, you could permit the administrative staff "read-only" access to the directory in which memos were stored, so that they could look up memos but not edit them. To do this, you would either create a group for the administrative staff and assign read-only permission to the pertinent directory to the group or set permissions for that directory on an individual basis.
File Permissions and the NTFS File System
Although NT Server supports FAT and HPFS file systems, many of the advanced security features of NT Server are available only if you're using NTFS. Individual file permissions are such a feature. You cannot use the permissions, file ownership, or access auditing features from the Security menu in File Manager on a partition formatted for anything other than NTFS.
To convert the file system to NTFS, open the MS-DOS prompt (really a misnamed NT Server text interface) and type convert driveletter: /fs:ntfs (where driveletter is the letter assigned to the partition you want to convert). If your drive has a single partition, you get a message telling you that the conversion cannot take place until the system restarts (because it needs the system files to keep NT working) and asking if you want that to happen. Type Y, and the conversion routine will run the next time you reboot.
You cannot convert from NTFS to either FAT or HPFS--the conversion routine works in only one direction.
You can set a directory's permissions while setting up the initial share. Highlight the directory you want to share and then choose Disk, Share As. You reach the New Share dialog box (see fig. 9.11).
Figure 9.11
In this dialog box, you can share the directory under a certain name and indicate the number of people who can access the directory at one time.
Most of the options here are fairly self-explanatory. The User Limit section determines whether you want only a certain number of people accessing the share at one time or want to allow as many people as there are client licenses to access it simultaneously. To adjust the permissions attached to this share, click Permissions. You reach the Access Through Share Permissions dialog box (see fig. 9.12).
Figure 9.12
By default, everyone has full control (read/write, change, and delete abilities) over shared directories.
Notice two things here: First, everyone on the domain has full control over the share, meaning that they can do anything to it (including delete it). Second, because everyone has full control, only one group is represented here. (If everyone can do anything to a share, then there's little use in specifying any other permissions.) At this point, you have two options. You can change the permissions that everyone has to the share (by selecting a different option from the Type of Access drop-down list) or you can click Add and then set permissions based on user accounts and groups.
CAUTION: For your permission assignments to do any good, you need to put an end to everyone having full control. In the Directory Permissions or File Permissions dialog box (depending on which kind of share you're configuring), either click Remove to eliminate that permission set entirely, or change the permissions for Everyone. Otherwise, setting specific permissions for other groups won't make any difference, as Everyone's full control overrides anything else you set.
If you click Add in the Directory Permissions or File Permissions dialog box, you reach the Add Users and Groups dialog box (see fig. 9.13).
Figure 9.13
In this dialog box, you select groups or users to set permissions for.
To set directory permissions for the Backup Operators group, for example, you have to highlight it in the Names list and then click Add to add it to the Add Names box at the bottom. To set permissions for the Backup Operators, select the desired permission (Read, Change, Full Control, or No Access) from the Type of Access drop-down list. Click OK to return to the previous dialog box, where the group for which you just specified permissions has been added to the list.
Advanced File Security. As stated earlier, you need NTFS for real file security (the file security you paid $700 for). If you're using NTFS, you can
Permissions. Setting permissions using the Security menu is similar to the process of setting permissions for shares that was described earlier; however, there are two big differences. First, the New Share permissions settings only permit you to set permissions to the directory level. Even if you select an individual file and attempt to share it, you'll share the entire directory in which that file is located. With the Advanced Permissions tool on the Security menu, you can set discrete file permissions on individual files and subdirectories. Second, when you set permissions on individual files, you are not limited to the Read, Change, Full Control, and No Access permissions. The Special File Access option leads to more choices that let you narrowly define the permissions attached to the file.
To understand this better, let's look at how you can set permissions for a shared file. Click on a file to share and then choose Security, Permissions. The File Permissions dialog box appears (see fig. 9.14).
Figure 9.14
This dialog box allows you to fine-tune the permissions assigned to shared files.
When setting the permissions on an individual file, you'll notice a new entry, Special Access, on the drop-down list of file permissions. Click this entry to reach the Special Access dialog box shown in figure 9.15.
NOTE: When setting permissions on a directory, the initial dialog box looks much like the one shown in figure 9.14, except that you'll also have the option of choosing to replace permissions in subdirectories and existing files with the ones you choose there.
Figure 9.15
When setting the Special Access permissions, you can select as many or as few of the options as you like.
Check each option you want; these become the permissions assigned to this file for Everyone. If you ever want to modify the Special Access permissions for a different group, you just have to click Add in the File Permissions dialog box, click to select the group you want, and then select Special Access from the Type of Access drop-down list.
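The CAUTION about Everyone's Full Control and the Special Access choices above are easier to reason about with a small model. The following Python is an added illustration (it is not part of this chapter or of NT itself): the user, group and ACL names are constructed, and the standard-to-special mappings and the rule that a matching No Access entry overrides every other grant are taken from NT's documented behaviour rather than from the text.

```python
"""Effective-permission model for NT-style ACLs (added example, not NT's own code).

Names and the sample ACLs are constructed. Rights letters follow the Special
Access dialog: R(ead) W(rite) X(ecute) D(elete) P (change Permissions)
O (take Ownership). The standard sets and the "No Access overrides everything"
rule are NT's documented behaviour, assumed here rather than taken from the text.
"""
from typing import Dict, Iterable, List, Set, Tuple

RIGHTS = ("R", "W", "X", "D", "P", "O")

# Standard permission names as they appear in the Type of Access drop-down list.
STANDARD: Dict[str, Set[str]] = {
    "Read": {"R", "X"},
    "Change": {"R", "W", "X", "D"},
    "Full Control": set(RIGHTS),
    "No Access": set(),
}

# (principal, access): access is a standard name or Special Access letters such as "RW".
Ace = Tuple[str, str]


def rights_of(access: str) -> Set[str]:
    """Expand a standard name or a Special Access letter string into individual rights."""
    if access in STANDARD:
        return set(STANDARD[access])
    unknown = set(access) - set(RIGHTS)
    if unknown:
        raise ValueError(f"unknown Special Access rights: {sorted(unknown)}")
    return set(access)


def effective_rights(user: str, groups: Iterable[str], acl: List[Ace]) -> Set[str]:
    """Union of every matching entry's rights; a matching No Access entry wins outright."""
    principals = {user, *groups, "Everyone"}  # every logged-on account is in Everyone
    granted: Set[str] = set()
    for principal, access in acl:
        if principal not in principals:
            continue
        if access == "No Access":
            return set()
        granted |= rights_of(access)
    return granted


def describe(rights: Set[str]) -> str:
    """Name the standard set a right-set corresponds to, or show it as Special Access."""
    for name, members in STANDARD.items():
        if rights == members:
            return name
    return "Special Access (" + "".join(r for r in RIGHTS if r in rights) + ")"


# Constructed scenario: the default ACL on a new share plus a Read grant for backup staff.
DEFAULT_ACL: List[Ace] = [("Everyone", "Full Control"), ("Backup Operators", "Read")]
# The same ACL after the Everyone entry has been removed, plus a Special Access grant.
HARDENED_ACL: List[Ace] = [("Backup Operators", "Read"), ("Managers", "RW")]
# An ACL where a No Access entry applies to a group the user belongs to.
NO_ACCESS_ACL: List[Ace] = [("Everyone", "Read"), ("Temps", "No Access")]


if __name__ == "__main__":
    people = (("bob", ["Domain Users", "Backup Operators"]),
              ("alice", ["Domain Users"]),
              ("carol", ["Domain Users", "Managers"]))
    for label, acl in (("default", DEFAULT_ACL), ("hardened", HARDENED_ACL)):
        for user, groups in people:
            print(f"{label:9} {user:6} -> {describe(effective_rights(user, groups, acl))}")
    print("tom (Temps) on NO_ACCESS_ACL ->",
          describe(effective_rights("tom", ["Temps"], NO_ACCESS_ACL)))
```

With the default ACL every user resolves to Full Control no matter what else is granted; only after the Everyone entry is gone does the Backup Operators grant resolve to Read.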
Auditing Files. If you want to see who's been accessing which files and directories, you need to set up auditing. If you're using NTFS, this is simple. In File Manager, highlight the file or directory that you want to audit, and then choose Security, Auditing. The resulting dialog box looks much the same whether you're auditing a file or a directory; the only difference is that the Directory Auditing dialog box (see fig. 9.16) includes settings for overriding the existing auditing settings for subdirectories and files.
Figure 9.16
With the auditing settings, you can monitor both successful and failed attempts to access files and directories.
TIP: Most people are more interested in monitoring failures than successes. Failures might indicate that someone has been attempting to access information to which they do not have permission; successes often do little more than fatten your auditing files.
For auditing to work, you must first enable it in the User Manager for Domains (located in the Administrative Tools program group). Choose Policies, Audit and set up the options that you need.
Take Ownership. You've seen the Take Ownership option in several dialog boxes. What is ownership and why is it important? Essentially, the owner of a file can grant permissions to it--setting the way in which any member of the network, including the administrator, can access the file. When you choose Security, Owner, the Owner dialog box appears (see fig. 9.17).
Figure 9.17
Only the administrator can take ownership of a file which she does not own or have full control over, but once owned, a file cannot be returned to its original owner.
By default, the person who creates a file is the owner. Although the administrator can take ownership of a file which she does not own or have full control over, it's impossible to relinquish ownership of a file once you've got it, so the original owner will be able to tell if you've taken a file.
Protect Your System Files. When sharing drives and directories, it's wise to create a user data directory and share it to look like drive C. Why? You really don't want people messing around in the system files or saving files in the root directory. (Your life is complicated enough without cleaning DOOM scenarios out of the /I386 directory.) When you've identified a good user data directory, share it as C--it will look to your users as though they're connecting to the entire hard drive.
TIP: If you want to share a directory but keep it off the browse list, put a dollar sign after its share name. Users who know the directory's name (and that it's shared) can connect to it, but this keeps "casual connectors" from attaching to shared directories just because they can. In addition, you can assign passwords to shared directories to limit access to those directories.
Printer administration under NT Server is not difficult--you create, share, and set the properties for a printer within a single dialog box.
Open the Control Panel (in the Main program group) and choose Printers; alternatively, double-click the Print Manager icon in the Main program group. Either action starts Print Manager (see fig. 9.18).
NOTE: Although you had the option of installing a printer while installing the operating system, for the moment we'll assume that you didn't.
Figure 9.18
All printer administration takes place in one window--you needn't share printers in one place and install them in another.
Creating a Printer. To create a printer, choose Printer, Create Printer. This brings up the Create Printer dialog box (see fig. 9.19).
Most of the settings in this dialog box are self-explanatory--the printer needs a name, the appropriate drivers (NT Server supports a wide variety of printers, so your printer should show up on the list), and a port.
TIP: To hide your shared printer (so that only those who know its name can connect to it) put a dollar sign after its name; for example, PRINTER$.
Figure 9.19
Before you can share a printer, you must create it.
To make it useful to the rest of the network, the printer needs to be shared. (For some reason, sharing the printer is not the default option. That seems odd in a network server product, but that's the way NT Server is.)
TIP: To keep it simple, make the printer's share name the same as the printer name. Also, describe the printer's location to reduce the number of people who connect to it by mistake and then complain that their documents aren't printing. (Such documents usually are printing--they're just printing somewhere other than where the user expected.)
Click OK to install the printer. NT Server pulls the drivers from the /I386 directory, then opens the Printer Setup dialog box (see fig. 9.20).
Figure 9.20
When you first create a printer, NT Server automatically opens the Printer Setup dialog box, where you can set the paper source or specify the installed font cartridges and printer memory.
Select the options appropriate to your printer, and click OK. You return to the main screen of Print Manager, where your new printer appears (see fig. 9.21).
Figure 9.21
The new printer appears in the Print Manager as soon as you've set it up.
If you have shared the printer, it's now available to the rest of the network.
To change the properties of a printer (for example, if you have installed the wrong driver), choose Printer, Properties. You'll be back in the Create Printer dialog box where you named the printer and chose its driver. Notice that the Setup button is now available (it was unavailable before you finished installing the printer).
Setting Printer Security. It's not always desirable to have everyone on the network have access to a printer or have access at all times. The reasons don't have to be sinister: a color printer on the network is an expensive liability if people play with it, so you might want to secure it from anyone on the network who's not in the graphics department. Similarly, if someone whose job doesn't generally require him to send many print jobs suddenly produces a number of one-page documents, it might be worth investigating.
The first line of defense in printer security is putting a dollar sign ($) at the end of each printer's share name, so that the printer does not show up on a browse list. If that isn't sufficient, NT Server provides other security options:
These security settings work just as they did in File Manager: setting permissions determines how extensive each person's access to the printer is; auditing keeps track of print jobs and their originators; and whoever has ownership of a printer can set the permissions on it. The permissions to be granted are slightly different, and the permission level only goes to the printer itself (you can't, for instance, give someone permission to delete only print jobs belonging to a particular person), but the basic idea is much the same.
The final task we'll cover in this section is backing up and restoring files. NT Server is essentially a file server (as opposed to a print server or application server), and as such, it contains files that must be backed up regularly. Exactly how regularly depends upon your organization's needs, but if you generate data of any importance at all, then daily backups are advisable. Re-creating a day's worth of work is bad enough, but re-creating a week's worth could be nearly impossible.
Before you can use the backup utility, you need to install a tape drive. (Oddly enough, you can't install it while you install the operating system.) To do so, double-click the Windows NT Setup icon in the Main program group and then choose Options, Add/Remove Tape Devices to open the Tape Device Setup dialog box. No devices are in the list of installed tape drives, but don't worry--just click Add and then choose your tape drive from the list in the next dialog box that appears. (If you don't see the exact model that you have, try selecting another model by the same manufacturer.) NT Server loads the drivers from the /I386 directory on the CD-ROM and then returns to the Tape Device Setup dialog box, where your tape drive now appears in the list of installed devices. Click Close to exit Tape Device Setup, and then choose Options, Exit to exit NT Setup. You need to restart the server before the tape drive is fully installed.
NOTE: If you start NT Backup before installing the tape drive, you get an error message reminding you that no tape drive is installed yet.
Like many of the other tools discussed in this chapter, NT Server's backup utility is in the Administrative Tools program group. Double-click the Backup icon to start the utility (see fig. 9.22).
Figure 9.22
NT Server's backup and restore utility has an easy-to-use graphical interface for backing up and restoring data.
Performing a Backup. Backing up isn't difficult. To back up an entire drive, select its check box in the Drives window (notice that you can back up a CD-ROM drive as well as a hard disk drive). To back up only certain directories, double-click the drive's icon to display its directories (the tree structure works like File Manager), and then select each directory or file you want to back up. Click Backup (or choose Operations, Backup), and you'll see a dialog box in which you can place the following information:
CAUTION: If you select Restrict Access to Owner or Administrator in the Backup Information dialog box, then no one except the administrator will be able to restore the backups.
Click OK, and the backup begins.
Restoring Backups. The process of restoring backups is very similar to the process of backing up. Open the Backup utility again, but this time activate the Tapes window. Select the check box of the tape if you want to restore the entire backup (the name of the tape in the drive appears next to the drive's icon), or double-click the tape icon to catalog it and reveal its directory structure, allowing you to select individual files or directories. When you've selected what is to be restored, click Restore to set the Restore options (such as logging, restoring file permissions, and restoring the Registry), click OK, and the process begins.
NOTE: If any file being restored has a name that matches a file on the drive, you get an error message asking if you want to replace the existing file.
CAUTION: Don't restore the Registry unless you want to restore all the security information to the way it was when you performed that backup. For example, if you restore a two-week old Registry, all the user accounts you've created since then will be gone the next time you restart the computer. However, you should always back up the Registry, whether you plan to restore it or not. If you must reinstall NT Server for any reason, and if you can restore the Registry, you won't have to set up most of your security options (such as user accounts) again.
So far in this chapter, we've discussed NT Server's design and how it works and have looked briefly at the processes for some of the most common administrative tasks that you'll perform with NT Server. By now, you should have a pretty good idea how this NOS operates.
There is much more to this operating system than just user groups and file sharing, however, and that's what we'll cover next. Remember that this chapter is not designed to do what other books have used a thousand pages to cover, so we'll stick with just three advanced topics: disk administration for RAID, keeping and reviewing logs to help with monitoring and troubleshooting the system, and connecting to NetWare and Macintosh networks.
NT Server's Disk Administrator, shown in figure 9.23, includes tools for both disk management and software RAID protection against data loss.
You can better understand how the Disk Administrator works if you are familiar with the following terms:
Figure 9.23
The Disk Administrator provides a handy arena for setting up software RAID protection of your data, and organizing your disk space.
NOTE: The characteristics of the various RAID types are covered in detail in appendix C, "RAID."
Setting Up RAID. Creating RAID protection for your data is not difficult. To set up mirroring, you have to Ctrl-click two partitions on different disks to select them both (the selected partitions have heavy black lines around them); then choose Fault Tolerance, Establish Mirror. Both sides of the mirror set will be the same size.
NOTE: You can break apart a mirror set (to reclaim the disk space it uses) without damaging the data in it. Select the mirror set, then choose Fault Tolerance, Break Mirror. The two halves of the mirror set will be independent of each other.
To set up a stripe set with parity, select at least three areas of free space on three different physical disks, and choose Fault Tolerance, Create Stripe Set with Parity. The stripe set does not have to be as big as the combined areas of free space you have chosen; you have the option of reducing its size in the Create Stripe Set dialog box that appears. Click OK, and the stripe set is created.
To set up a stripe set without parity, select free space on at least two physical disks, and choose Partition, Create Stripe Set. (Notice that this option is available from the Partition menu, not Fault Tolerance.) Once again, you have the option of setting the size of the stripe set.
NOTE: Stripe sets without parity are grouped with mirror sets and stripe sets with parity because they're a RAID type (level 4) like the other two, but remember that striping without parity offers you no data protection.
Arranging Data Space. As noted earlier, you can use the Disk Administrator not only to protect your data, but to arrange it on your physical disks in the way that's best for you.
To create a primary partition, select an area of free space on a drive, and choose Partition, Create. You can make the partition any size you want, as long as it fits on the physical drive.
TIP: Only make a primary partition as large as you need it to be for the system files (for example, about 100M for NT Server). That way, you're able to allocate the other space on the disk as you like--primary partitions can't be subdivided, so any space that goes unused in one is wasted.
To create an extended partition, click an area of free space, and choose Partition, Create Extended. (You do not need to have a primary partition on the drive to create an extended one.) Select the size for the extended partition, and click OK.
To create a logical drive, select an extended partition, and choose Partition, Create. (Notice that this is the same command used to create a primary partition--the difference is that here you're selecting unused space in an extended partition, while there you were selecting free (unpartitioned) space.) Select the size of the logical drive, assign it a drive letter, and click OK.
To create a volume set, select all the areas of free space on all disks that you want to make part of the volume, and choose Partition, Create Volume Set. Select the size of the set, and click OK.
Formatting New Disk Divisions. No matter how you're slicing up your disk, you need to format the divisions before you can use them. In earlier versions of NT, this required using the command-line FORMAT command, but NT Server 3.51 lets you format drives and sets within the Disk Administrator. Select the unformatted section (it should be highlighted with a heavy black border), and then choose Tools, Format. Select the file system you want (remembering that only NTFS lets you fully exploit NT Server's security features) and click OK. When you leave the Disk Administrator, you get a message advising you that the changes you have made will not take place until you restart the system and asking if you want to restart it. If you do not restart now--perhaps to avoid disrupting users who are accessing the server--don't forget to do so at the earliest possible chance.
In the Administrative Tools program group, there are two tools you can use to monitor the system: Performance Monitor, which tracks what your server is doing, and Event Viewer, which tracks security, system, and application events.
Performance Monitor. By default, Performance Monitor is turned off, as you can see in figure 9.24. To turn it on, you need to create or open a new chart, log, alert system, or report.
For example, let's set up a chart to track CPU activity. Click the Chart button (the icon at the far left that looks like a chart) and then choose Edit, Add to Chart. The Add to Chart dialog box appears (see fig. 9.25), displaying options for what gets monitored (you can chart more than one parameter at a time--color-coded lines help you distinguish between them), and how data gets displayed. Clicking Explain displays information about the option highlighted in the Counter list to appear in the Counter Definition area at the bottom of the screen. In figure 9.25, we've selected the Processor Time counter, which displays the amount of time that the CPU is actually doing anything.
Figure 9.24
You can use Performance Monitor to maintain charts or logs of system activity, to alert you when pre-set thresholds have been exceeded, or to create reports about system activity.
Figure 9.25
In the Add to Chart dialog box, you choose the items to be charted and specify how data should be displayed.
When you click Add, the Cancel button is relabeled Done. Clicking Done allows you to view the chart displaying CPU activity (see fig. 9.26).
Figure 9.26
Performance Monitor displays graphical information about particular aspects of your server's performance.
Although the ins and outs of Performance Monitor are too complex to describe in this short section, you can trust the online help system to explain how to use it. The information you view in Performance Monitor can tell you exactly what demands are being placed on your hardware and can help you determine when you need to upgrade.
Event Viewer. Event Viewer, also found in the Administrative Tools program group, is a helpful tool for finding out what's going on in your system. If you want to know why a certain NIC won't work, what time Cindy logged off last night, or why the Macintosh clients cannot connect to the server, Event Viewer is a good place to look.
Unlike Performance Monitor, Event Viewer is turned on by default. It contains three types of logs: System, which records system events such as the failure of a device driver to load; Security, which records security-related events such as logon attempts and any changes to the security database; and Application, which records events noted by applications, such as the data noted by the conversion utility that switches FAT volumes to NTFS.
To view a log, choose Log, and then choose the type of log that you want to view. The log appears on-screen, looking something like the one shown in figure 9.27.
Figure 9.27
The System Log shows system events and errors that occur on your system.
In figure 9.27, a Stop icon indicates an error, a blue icon indicates a successful action, and a yellow icon indicates an action that represents a change but usually does not present any problems. You can export the contents of a log to an ASCII file for use as a report. To do so, choose Log, Save As, and then in the Save File as Type drop-down list, choose *.TXT as the file type. (Saving it as a LOG file takes a snapshot of the log that you can load in Event Viewer but does not convert the log into text form.)
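Once the Security log has been saved as a text file, a short script can pull out the failed accesses that the auditing TIP earlier says are the ones worth watching. The Python below is an added example, not part of this chapter: the comma-separated field order is an assumption about the *.TXT export, and every sample line (including the event numbers) is constructed, so check the column list against a real export before relying on it.

```python
"""Summarise failed-access audits from an Event Viewer text export (added example).

The field order in FIELDS is an assumption about the *.TXT export made for this
example, and every log line below is constructed (event numbers included).
Compare a real export against FIELDS before trusting the parser on it.
"""
import csv
from collections import Counter
from io import StringIO
from typing import Dict, List, Tuple

# Assumed column order of the exported Security log.
FIELDS = ["date", "time", "source", "type", "category", "event", "user", "computer"]

# Constructed sample export: one user with a single failure, one with a burst of them.
SAMPLE_EXPORT = r"""
5/14/96,8:58:02 AM,Security,Success Audit,Logon/Logoff,528,SALES\jdoe,NTSRV1
5/14/96,9:01:10 AM,Security,Success Audit,Object Access,560,SALES\jdoe,NTSRV1
5/14/96,9:03:44 AM,Security,Success Audit,Object Access,560,SALES\jdoe,NTSRV1
5/14/96,9:04:20 AM,Security,Success Audit,Object Access,560,SALES\jdoe,NTSRV1
5/14/96,9:05:27 AM,Security,Failure Audit,Object Access,560,SALES\jdoe,NTSRV1
5/14/96,9:10:05 AM,Security,Success Audit,Logon/Logoff,528,SALES\msmith,NTSRV1
5/14/96,9:11:30 AM,Security,Failure Audit,Object Access,560,SALES\msmith,NTSRV1
5/14/96,9:11:41 AM,Security,Failure Audit,Object Access,560,SALES\msmith,NTSRV1
5/14/96,9:12:02 AM,Security,Failure Audit,Object Access,560,SALES\msmith,NTSRV1
5/14/96,9:12:15 AM,Security,Failure Audit,Object Access,560,SALES\msmith,NTSRV1
5/14/96,9:30:00 AM,Security,Success Audit,Policy Change,612,SALES\Administrator,NTSRV1
5/14/96,9:45:12 AM,Security,Success Audit,Logon/Logoff,538,SALES\jdoe,NTSRV1
""".strip()


def parse_export(text: str) -> List[Dict[str, str]]:
    """Turn the export into one dict per event, keyed by the FIELDS names."""
    events: List[Dict[str, str]] = []
    for row in csv.reader(StringIO(text)):
        if len(row) != len(FIELDS):
            continue  # skip blank or malformed lines rather than guessing at their columns
        events.append(dict(zip(FIELDS, row)))
    return events


def count_by_type(events: List[Dict[str, str]]) -> Dict[str, int]:
    """How much of the log is success versus failure auditing."""
    return dict(Counter(e["type"] for e in events))


def failures_by_user(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Failed audits per account, the events the TIP on auditing points at."""
    return dict(Counter(e["user"] for e in events if e["type"] == "Failure Audit"))


def flag_repeated_failures(events: List[Dict[str, str]],
                           threshold: int = 3) -> List[Tuple[str, int]]:
    """Accounts with at least `threshold` failed audits, most failures first."""
    hits = [(u, n) for u, n in failures_by_user(events).items() if n >= threshold]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    print("events by type:", count_by_type(parsed))
    print("failures by user:", failures_by_user(parsed))
    for user, n in flag_repeated_failures(parsed):
        print(f"review: {user} had {n} failed accesses")
```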
NT Server comes equipped to connect to two distinctly different network types: NetWare and Macintosh networks. When NT Server is connected to a NetWare server, the NT Server machine effectively becomes a gateway to the NetWare machine, permitting anyone who logs on to the NT Server to access the NetWare server. The Macintosh connection is more limited--it's really a way of permitting Mac clients to access the NT Server and store data on it, rather than being a full gateway service permitting NT users to talk to the Macintosh machines.
Each of the connection services is initially installed through the Network icon in the Control Panel. Click the Network icon to open the Network Settings dialog box, click Add Software, and select either Gateway Services for NetWare or Services for Macintosh to be added to your system. After you restart the machine, you'll be able to connect to your preferred server on the NetWare network or set up Mac-accessible volumes in File Manager.
NOTE: Gateway Services for NetWare is mentioned here only to alert you to its existence. For the nuts and bolts of how it works and how to set it up, see chapter 12, "Network Client Software for 32-Bit Windows," which offers a detailed discussion of this connection service.
That's the flying tour of Windows NT Server 3.51. This chapter has explained what NT Server is designed to do and has shown you how to perform some basic network tasks. By now, you should have a pretty good idea how NT Server would fit into your network--at least enough to compare it with the descriptions in this book of other server products.
NT Server is the first major server-oriented graphical network operating system. It contains both the features that you'll need every day, such as simple user administration tools and backup utilities, and more advanced features that let you configure software redundant disk systems, connect to other network operating systems, and monitor your network's and server's activity. Not only is it easy to use and comprehensive in scope, it's quite security-conscious, being one of the few network operating systems with C-2 certification.
© Copyright, Macmillan Computer Publishing. All rights reserved.