NT Server 4.0 Study Guide

Note: This exam is retired.


INSTALLATION
--GENERAL INFO--
You can't very well use NT until you get it installed, right? In order to install NT, your machine must meet the following requirements:
  • 16 MB RAM
  • VGA video card
  • 486-DX33 or better
  • 125 MB free disk space
  • CD-ROM unless this will be a network installation
There are a couple of different options for setup. If you are upgrading from an earlier version of NT, you will use WINNT32.EXE. If you are upgrading from DOS or Win95, you will use WINNT.EXE. At this point installation will begin and should be pretty self-explanatory until you get to the upgrade or fresh install option. If you are upgrading your server from a previous version, you will probably want to select upgrade, as it will preserve your user accounts and all directory and share info. This will save you the huge pain of setting all of this up all over again. Fresh install should be self-explanatory.
The next step of note is selecting the partition that NT will install onto. This option will allow you to delete partitions as well. Next you will be asked how you would like this partition to be formatted. Your options will be something like:
  • Format to a FAT system
  • Format to an NTFS system
  • Leave it as is
  • Convert a FAT partition to NTFS
  • Convert an HPFS/HPFS386 partition to NTFS (this is for a LAN Manager upgrade only)
The differences between the file systems will be discussed later, so read on!
Next, setup will run a version of CHKDSK and then you will be prompted to select a directory to install the NT files into. The recommended directory is \WINNT. After all of this you will reboot and the more "windows style" setup will begin. The next step of note is to designate whether the machine will be a PDC, BDC or Server. It is important to select this correctly the first time as you can't go back and change it later. The first NT Server that you install will be a PDC. Microsoft recommends 1 BDC for every 2000 users. More than this can cause unnecessary network traffic.

--UNATTENDED INSTALLATIONS--
Now who has time to sit with the NT machine for 45 minutes to an hour? That kind of time cuts into happy hour, which is why Microsoft provided options for unattended installations. With a little configuring beforehand, NT will do the whole installation for you. In order for this to work, you need a "script" known as an answer file that provides instructions to the setup program. This script can be handwritten in a text editor such as Notepad or created with the utility supplied with NT called Setup Manager.
Listed below are the various command switches that can be used during installation.

| SWITCH | PURPOSE |
|---|---|
| /B | Bypasses the creation of startup disks. |
| /S | Sourcepath. Choose location of a source file - multiple locations will speed up installation. |
| /F | Speeds up install by not verifying files. |
| /U | Denotes unattended setup mode and points to an answer file location. Must be used with /S to specify source file location. |
| /T | Destination. Specifies installation location of temp files used during installation. |
| /C | Bypasses checking for free space when creating boot disks. Can speed up install. |
| /OX | Creates the setup disks from CD-ROM or network location. Replaces damaged boot disks. |
| /I | Specifies an inf file. Default file is DOSNET.INF. |

--NETWORK INSTALLATIONS--
Another installation option is to install over the network which requires that you find a way to point the computer to an I386 directory somewhere on your network. Here is how it is done. First, you will need to have a shared I386 directory. Next, you need to make a boot disk from DOS or Win 95/98. Then go to an NT Server and go to Network Client Administrator, which is located in the Administrative Tools section of your start menu. From here you can create a network startup disk.

UNINTERRUPTIBLE POWER SUPPLY (UPS)
A UPS is designed to protect your servers from power surges and spikes, voltage variations and power outages. Any one of these things can damage data, cause network problems or even destroy your server. NT Server is designed to receive information from the UPS via its serial port and act on it. Here are the messages that it can receive:
  • POWER FAILED: This signal goes from the UPS to the server. This alerts the server that power has failed and it is now running on battery power.
  • BATTERY LOW: Some UPS units will inform the server that the UPS is running low on battery power.
  • REMOTE UPS SHUTDOWN: If NT detects that it is getting a crappy electrical signal from the UPS, it will send a message to it to shut down and charge itself. While in this state the UPS will continue to forward power to NT, but will not provide any of its other services.
Once the UPS is installed, it can be configured in the UPS control panel. Workstations that have the messenger service installed will receive broadcast messages when the power fails or when it comes back up. This gives workers a chance to save what they are working on and gracefully shut down.

NTFS VS FAT
--GENERAL INFORMATION--
When using NT it is a good idea to use NTFS partitions, at least on the partitions that contain your data. One of the advantages of the FAT file system is that it is the system that DOS uses. On an NTFS partition, you can't boot from a DOS boot disk - this is one of the security features of NTFS. Additionally, a floppy disk cannot be formatted as NTFS. For this reason it might not be a bad idea to have a small partition formatted FAT so that you can boot into DOS for recovery purposes. FAT partitions can be defragmented while NTFS cannot. An NTFS partition cannot be converted to FAT without erasing the disk and reformatting. Files moved from a FAT partition to an NTFS partition will retain their filenames and attributes.

--FEATURES OF NTFS--
NTFS partitions provide the following features:
  • Supports upper and lower case letters in names.
  • Allows permissions to be set on files and directories
  • Supports Unicode in file names.
  • "Forks" in files.
  • File and directory names up to 254 characters in length.
  • Ability to access sequential access files over .5mb faster.
  • Faster access to all random access files.
  • Long file name conversion to the 8+3 convention.
  • Support for Appletalk and the ability to share Mac Volumes.
  • Disk space is used more efficiently.

RAID
--GENERAL INFORMATION--
In order to understand how RAID works it is first best to understand the following concepts regarding hard disk configurations.
  • PARTITIONS -- A partition is a portion of a physical hard disk. A partition can be primary or extended.
  • PRIMARY PARTITION -- This is a bootable partition. One primary partition can be made active.
  • EXTENDED PARTITION -- An extended partition is made from the free space on a hard disk and can be broken down into smaller logical drives. There can only be one of these per hard disk.
  • LOGICAL DRIVE -- These are a primary partition or portions of an extended partition that are assigned a drive letter.
  • VOLUME SET -- This is a disk or part of a disk that is combined with space from the same or another disk to create one larger volume. This volume can be formatted and assigned a drive letter like a logical drive, but can span more than one hard disk. A volume set can be extended without starting over, however to make it smaller, the set must be deleted and re-created.
  • DISK ADMINISTRATOR -- This utility is found in the administrative tools section of NT 4. This is the tool that controls the configuration of the hard disks on an NT 4 system. You can create partitions, volume sets, logical drives, format disks, etc.

--RAID LEVEL 0 - DISK STRIPING WITHOUT PARITY--
Disk striping will distribute data across 2-32 hard disks. This provides the fastest read/write performance as the system can access the data from more than one place. This level of RAID does not provide any redundancy. This means that if one of the disks fails you lose all of the data and have to delete the stripe set and start over once the bad disk is replaced. System and boot partitions cannot be included in a stripe set.

--RAID LEVEL 1 - DISK MIRRORING--
Disk mirroring writes exact copies of data to more than one disk. Each disk or partition of a disk will contain the exact same data. If one hard disk fails, the data still exists on the other disk. This level of RAID also increases disk read performance as it can pull the data off of both disks. Disk mirroring on NT Server also uses disk duplexing whereby each disk has its own disk controller. This provides redundancy in the case of a controller failure. To recover from a failure, install the new drive, then use Disk Administrator to break the mirror and re-establish it.

--RAID LEVEL 5 - DISK STRIPING WITH PARITY--
Very similar to RAID level 0, however, parity information is written to each of the 3-32 disks in the array. If one of the disks fails, the data can be reconstructed by installing a working hard disk and using Disk Administrator. The parity information will be used to reconstruct the data that was lost when that drunk employee urinated in your computer case. Think this has never happened? If more than one disk fails then you have a real problem and will spend your weekend fixing this. RAID 5 offers increased disk read speeds, but slower write speeds because it has to write the parity info. System and boot partitions cannot be included in a stripe set. To recover from a failure, you must select the regenerate option in Disk Administrator.
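How parity lets a stripe set survive one failed disk but not two, as an added Python example that is not part of the original guide. The block size, the parity rotation and the sample data are assumptions chosen for illustration, not NT's actual on-disk layout.

```python
# Added example: XOR parity as used by disk striping with parity (RAID 5).
from functools import reduce

BLOCK = 4  # bytes per block; tiny so the layout is easy to inspect (assumed value)


def xor_blocks(blocks):
    """XOR equal-length byte blocks together, column by column."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def build_stripe_set(data, n_disks):
    """Stripe data over n_disks, storing one parity block per stripe."""
    if not 3 <= n_disks <= 32:
        raise ValueError("a stripe set with parity needs 3-32 disks")
    per_stripe = (n_disks - 1) * BLOCK
    stripes = -(-len(data) // per_stripe)            # ceiling division
    data = data.ljust(stripes * per_stripe, b"\0")   # pad the last stripe
    disks = [[] for _ in range(n_disks)]
    for s in range(stripes):
        row = data[s * per_stripe:(s + 1) * per_stripe]
        chunks = [row[i:i + BLOCK] for i in range(0, per_stripe, BLOCK)]
        parity_disk = s % n_disks                    # rotate parity (assumed scheme)
        remaining = iter(chunks)
        for d in range(n_disks):
            block = xor_blocks(chunks) if d == parity_disk else next(remaining)
            disks[d].append(block)
    return disks


def regenerate(disks, failed):
    """Rebuild every block of one failed disk from all the surviving disks."""
    survivors = [disk for i, disk in enumerate(disks) if i != failed]
    if any(disk is None for disk in survivors):
        raise ValueError("more than one disk failed: parity cannot recover the data")
    # XOR of all blocks in a stripe is zero, so XOR of the survivors is the lost block.
    return [xor_blocks(row) for row in zip(*survivors)]


def read_data(disks):
    """Read the data blocks back in order, skipping each stripe's parity block."""
    out = bytearray()
    for s in range(len(disks[0])):
        for d, disk in enumerate(disks):
            if d != s % len(disks):
                out += disk[s]
    return bytes(out)


SAMPLE = b"payroll records for Smack City"  # constructed sample data

if __name__ == "__main__":
    disks = build_stripe_set(SAMPLE, 4)
    original = disks[2]
    disks[2] = None                      # simulate a dead disk
    disks[2] = regenerate(disks, 2)      # the "regenerate" step
    print(disks[2] == original, read_data(disks).rstrip(b"\0"))
```

The same XOR rebuilds a lost data block or a lost parity block, which is why any single disk can fail; with two disks gone each stripe has two unknowns and one equation.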

REGISTRY
--GENERAL INFORMATION--
Maybe you have been sitting around with a bunch of computer geeks who are throwing the word registry around in every sentence so that they sound smart and wondered what in the world they are talking about. After this you will be able to do that too. The registry is a huge hierarchical database that stores all of NT's settings. It can be accessed by running regedt32.exe or regedit which has a few new features. Below are the 5 subtrees and the information that each controls.

| SUBTREE | DESCRIPTION |
|---|---|
| HKEY_LOCAL_MACHINE | This subtree contains most of the information that you will use. It holds information about hardware, systems and programs running on the machine. |
| HKEY_CLASSES_ROOT | Stores file associations such as which application should be used to open files based on the extension. It also contains the OLE registration database and also provides redundancy as all of its info is found in the HKEY_LOCAL_MACHINE subtree. |
| HKEY_USERS | Holds 2 user profiles. One is a default used for settings when nobody is logged in and the other is for a user that is already known to the system. |
| HKEY_CURRENT_USER | This subtree contains the user profile for whoever is currently logged in to the server. |
| HKEY_CURRENT_CONFIG | Contains information about the hardware configuration that was used during boot. |

Each subtree contains "keys" and within most of the keys are "subkeys". Once you browse deep enough you will get to the final subkey. When this is opened, the first line you see will be the "value entry". The value entry will contain 3 parts called name, data type (5 types) and value.
Most of the registry (the static items) is contained in hive files which are located in 2 places. Machine hive files are located in \WINNT\SYSTEM32\CONFIG and user files are located in \WINNT\PROFILES.
The registry editors will allow you to remotely edit the registry of another computer. The registry can be backed up and restored in the event that mistakes are made.

USER ACCOUNTS
--GENERAL INFO--
One of the most important tools in NT is the "User Manager for Domains" on the PDC. On non-PDC servers and workstations, it is called "User Manager". The difference is that User Manager creates and maintains accounts that are only applicable for that machine, while User Manager for Domains creates domain accounts that can be used on any machine that participates in the domain.
When user accounts are added or edited, changes are made to a SAM file. User Manager for Domains changes the SAM file on the PDC while User Manager changes the SAM file that is local to the machine that it exists on. When a new account is created it is assigned a unique Security Identifier (SID).

--GROUPS--
Using user groups is a way to greatly simplify account administration, especially on larger networks. If you place a group of users into a group, you only have to change permissions for the group and it applies to all of the users in the group. There are 2 kinds of groups, global and local. Local groups are "local" to the NT machine. For fun let's say that your company just hired someone named "Rod". He will be the administrator for the network so he will need administrative rights on all 1000 NT workstation and server computers. He would have to be given administrative rights on all 1000 computers if we were using local groups, which is a whole lot of work and overtime for Rod. That is why NT also has global groups which can only be created on a domain controller. Once this is done, Rod will be seen as the administrator for the whole domain. NT comes with a set of pre-installed local groups listed in the tables below:

| GROUP | DESCRIPTION |
|---|---|
| Administrators | Most powerful group so that they can manage the configuration of the domain. |
| Server Operators | Have necessary rights to manage domain servers. |
| Account Operators | This group has rights to manage user accounts. |
| Print Operators | Responsible for managing printers. |
| Backup Operators | Have rights to control backup and restoration functions. |
| Users | Have minimal rights on the NT servers, but do have some rights on their local workstations. |
| Guests | Very limited abilities. No rights on NT server. |
| Replicator | Supports directory replication functions. |

GROUP RIGHTS
Administrators
  • Log on locally
  • Take ownership of files
  • Access computers from network
  • Create and manage user accounts
  • Create and manage global groups
  • Manage auditing and the security log
  • Shutdown or remotely shutdown the system
  • Assign user rights
  • Lock system
  • Bypass server lock
  • Format server hard disk
  • Change the time
  • Backup files and directories
  • Keep a local profile
  • Create and remove shares
  • Create common groups
Server Operators
  • Log on locally
  • Lock server and bypass lock
  • Change time
  • Shutdown or remotely shutdown the system
  • Backup files and directories
  • Keep a local profile
  • Restore files and directories
  • Create and remove shares
  • Create common groups
Account Operators
  • Log on locally
  • Create and manage user accounts, local and global groups
  • Shutdown the system
  • Keep a local profile
Print Operators
  • Log on locally
  • Keep a local profile
  • Shutdown the system
  • Create and remove printer shares
Backup Operators
  • Log on locally
  • Keep a local profile
  • Shutdown the system
  • Backup files and directories
  • Restore files and directories
Users
  • Create and manage local groups (only if user has permissions to log on locally at server or has access to User Manager for Domains)
Guests
  • None

And now for the global groups. There are 3 global groups which can only be created on a domain controller.

| GROUP | DESCRIPTION |
|---|---|
| Domain Admins | By default this group can administer the servers (also from trusted domains) and any NT Workstation logged into the domain. |
| Domain Users | By default, this group is a member of the Users local groups for the domain and NT Workstations in the domain. |
| Domain Guests | If given permissions by the domain admin, this group permits guest accounts to access resources across domains. |


SYSTEM SECURITY POLICIES
--GENERAL INFO--
In order to understand system policies, you need to understand the difference between rights and permissions. Rights give a user or group the ability to perform a certain task, such as the ability to create user accounts. Permissions give access to specific objects like files and directories. Rights are determined by the administrator, whereas permissions are determined by the owner of the object being accessed. Generally rights carry more weight than permissions. NT allows new groups and users to be created with a customized set of rights.

--EVENT AUDITING--
NT allows auditing to be enabled, which allows security information to be stored in a security log. The table below should sum it up.

| EVENT | DESCRIPTION |
|---|---|
| File and object access | Tracks jobs sent to printers and access to files or directories. |
| Logon and logoff | Keeps track of logging on and off activity as well as connections to servers. |
| Process tracking | Tracks the running and quitting of programs. |
| Restart, shutdown and system | Self-explanatory. |
| Security policy changes | Audits any changes made to user rights, trust relationships and the auditing process itself. |
| Use of user rights | Displays when a particular right is used. |
| User and group management | Notes any alterations of user accounts or groups. |

--PROFILES--
A user profile is a bunch of configuration settings that comprise a user's desktop. There are several different ways that these can be configured and each is listed below.

LOCAL
  • LOCAL PROFILE - Each user creates and maintains their own profile.
  • PRECONFIGURED LOCAL PROFILES - Users have local profiles that are partially or entirely preconfigured by the admin.
  • PRECONFIGURED DEFAULT USER PROFILE - Users have local profiles, but admin uses a "template" for new users. This can be modified by user.
NETWORK
  • ROAMING PROFILES - A path is created to the user's profile and is maintained on the server. Users can alter this profile.
  • PRECONFIGURED ROAMING PROFILE - A path is added to the user's account info and a preconfigured version is stored on the server.
  • NETWORK DEFAULT USER PROFILE - A default user profile that is stored in the netlogon shared directory. Users will be able to change this profile.
  • MANDATORY PROFILE - A path is made to the user's profile and a preconfigured profile is copied to that path. The user may not modify this profile.
The %systemroot%\profiles directory contains profiles for every user that has ever logged in to the NT box. Each user's profile contains the following folders: Application data, desktop, favorites, personal, sendto and start menu. Any setting that is not a part of the desktop settings is stored in the NTUSER.DAT file. This file can be altered by editing the registry in the HKEY_CURRENT_USER subtree. Most changes that you would want to make can also be done in the control panels.

SHARING
--GENERAL INFO--
Sharing is difficult in NT, but you will want to make sure that you understand it. There are 3 ways to create a share:
1) Explorer
2) My Computer
3) NET SHARE command at a DOS prompt

Let's talk about sharing a directory. First of all, NT comes with default shares if the server service is running. All root directories of partitions, Netlogon and CDROM drives have default shares. These shares can only be accessed by admins. For others to access these resources, a new share must be made by a member of the Administrators or Server Operators groups. A single file cannot be shared under NT, it must be a directory. Share names can be up to 12 characters long, but it is recommended to keep them under 8 as DOS redirectors can't handle anything longer. Spaces are allowed, but if the share name has a space in it you will have to enclose the name in quotations in order to access it. If you wish to hide a share so that it does not show up on the browse list, all you have to do is add a $ sign at the end of it (e.g. secret$). If a share is hidden then you can only access it from a DOS prompt or via the map network drive option in Explorer. When a share is created, you have the option of specifying permissions (see below) for the share and the maximum number of users that can access it at one time. The NT Resource Kit contains a program called "Server Manager" that can be installed on an NT Workstation or Win9x computer and will allow you to create shares remotely so you don't have to get up again, which means that it might be a good time to join a gym.

When you create a share, you have the ability to assign permissions to it so that crazy Joe doesn't get in and start erasing files. There are 3 sets of permissions:
1) Share-level
2) File-level
3) Directory-level
Now more in depth on each of these:

--SHARE-LEVEL PERMISSIONS--
When assigning permissions to a share, the users and/or groups that are given access to a share are defined by the "access control list" or ACL. For example, let's say that you have a company called Smack City... You can assign a certain level of permission to the Processing group, such as read only, and full control to the Refining group. Or you can specify by user, or by both groups and users. It is very flexible and can also be very complicated.
Here are the different types of share-level permission.

| Permission | Description |
|---|---|
| No access | Can't get in or access at all. |
| Read | View files and subdirectories. Execute applications. No changes can be made. |
| Change | Includes read permissions and the ability to add, delete or change files or subdirectories. |
| Full Control | Includes change permissions and the ability to change permissions (NTFS only) and take ownership (NTFS only). |

If you are a member of multiple groups and different permissions are assigned to each group, your permissions will be for whichever group gives you the greater permissions unless one of your groups is given no access. No access would override any other permissions for any other group of which you are a member.

--FILE AND DIRECTORY PERMISSIONS--
Let's say you have an NT workstation with 3 users that share it. NT will allow you to create shares to which permissions can be assigned for the other users of the same workstation, to prevent or limit their ability to access the other users' files or directories. This type of security occurs at the local file system. File and directory permissions apply to NTFS partitions only.
The following permissions can be applied to directories:
  • No access
  • List
  • Read
  • Add and Read
  • Change
  • Full control
  • Special directory access
  • Special file access
The following permissions can be applied to files:
  • No access
  • Read
  • Change
  • Full control
  • Special access

| Permission | Directory | File |
|---|---|---|
| No access | Can't view or change directory or directory permissions. | Can't view or change file or file permissions. |
| Read | Users can view files and their attributes inside directories. User can browse through directory. | Users can open or execute the file and view the file's attributes and permissions. |
| Add | Can add files to a directory but can't access files put into that directory. | N/A |
| Add and read | Users can open/execute and add files in the directory. Can't change or delete files. | When a directory is Add and read, the files in that directory are read only. Add and read cannot be applied directly to files. |
| List | User can view files and view file and directory permissions. Can open/execute files. | N/A |
| Change | Able to make new files and directories, change or delete files, open/execute files. Can't change permissions. | View, change and delete files. Can't change permissions. |
| Full Control | All of the permissions included with change and the ability to change permissions and take ownership of files. | Same as change permissions, but can also change permissions and take ownership of files. |
| Special access | Directory and file: Create custom permissions using NT's 6 basic permissions, which are read, write, execute, take ownership, change permissions and delete. | (same) |

In order to access data over the network, you must have share-level and file and directory-level permissions. Share-level and file and directory-level permissions can be used in conjunction with each other. NOTE: New files will take on the permissions of the directory that they are created in by default.
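The combination rules from the share-level and file-level sections (permissions accumulate across groups, No Access overrides everything, and network access needs both the share and the NTFS permission), as an added Python example that is not part of the original guide. The users, groups and ACLs are constructed, and the letter sets for Read, Change and Full Control (RX, RWXD, RWXDPO) are the standard NT 4 mapping onto the six basic permissions, which this page does not spell out.

```python
# Added example: models how NT 4 combines share-level and NTFS file permissions.
# All ACLs, users and groups below are constructed for illustration.

BASIC = "RWXDPO"  # Read, Write, eXecute, Delete, change Permissions, take Ownership

# Standard permissions as sets of basic permissions (assumed standard mapping).
LEVELS = {
    "No Access": None,                      # handled as an override, not a set
    "Read": frozenset("RX"),
    "Change": frozenset("RWXD"),
    "Full Control": frozenset("RWXDPO"),
}


def effective(acl, principals):
    """Resolve one ACL for a user: union of matching entries, No Access wins."""
    granted = set()
    for name, level in acl.items():
        if name not in principals:
            continue
        if LEVELS[level] is None:
            return frozenset()              # one No Access entry denies everything
        granted |= LEVELS[level]
    return frozenset(granted)


def network_access(share_acl, ntfs_acl, principals):
    """Over the network both ACLs must allow an action, so intersect them."""
    return effective(share_acl, principals) & effective(ntfs_acl, principals)


def local_access(ntfs_acl, principals):
    """Logged on at the machine itself, only the NTFS ACL is consulted."""
    return effective(ntfs_acl, principals)


def show(perms):
    """Render a permission set in the usual letter order, or 'none'."""
    return "".join(c for c in BASIC if c in perms) or "none"


# Constructed ACLs for one shared directory at the guide's "Smack City".
SHARE_ACL = {"Processing": "Read", "Refining": "Full Control"}
NTFS_ACL = {"Processing": "Change", "Refining": "Read", "Temps": "No Access"}

# Each user's principals: their own account name plus group memberships.
USERS = {
    "alice": {"alice", "Processing"},
    "bob": {"bob", "Processing", "Refining"},
    "carol": {"carol", "Refining", "Temps"},
}

if __name__ == "__main__":
    for user, principals in USERS.items():
        print(f"{user:6}"
              f" share={show(effective(SHARE_ACL, principals)):7}"
              f" ntfs={show(local_access(NTFS_ACL, principals)):7}"
              f" network={show(network_access(SHARE_ACL, NTFS_ACL, principals))}")
```

Note that alice can change files when logged on locally but only read them through the share, and carol's Full Control on the share is worthless once one of her groups has No Access on the files.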

--OWNERSHIP--
Files have owners who have administrative rights to a particular object. This permission is not stored in an ACL file and is typically given to the creator of that object. NT includes this feature so that users can administer their own machines and supply resources for their own stuff. An admin would become quite cranky if he/she had to make every little change for a user because they didn't have permission to. So, when a user creates a new file, for example, they are the owner of that file and can do whatever they want with it. Now let's say that you are the admin at a company and you want to find out why Billy the slacker is getting no work done. You access his hard drive and you find a folder called "games" and you try to open it and are denied access. You can then take ownership of the file and then add yourself to the ACL as you have administrative permission to do so.

PRINTING
--INSTALLATION AND CONFIGURATION--
Network printing has a couple of advantages over a parallel or serial connection. The most obvious reason is that a network connection allows multiple users to easily share the same printer and allows for permissions to be set for that device. It will typically be faster to connect to a printer via ethernet than via a parallel connection. How much faster depends on a variety of variables including printer processor speed, computer processor speed, network traffic, data format, etc. In order to put a printer on a network, you will typically need a print server. During driver installation on an NT server, you will want to select local printer if this NT box will be the print server. The clients, on the other hand, would select network printer and browse to the printer or enter the UNC path to it. When installing on the print server you have to select shared and give it a share name (under 12 characters) in order for clients to be able to use the print queue. When you select "shared" you have the option of specifying the operating systems that will be sharing the printer. If you select any of these you will need to supply drivers for those operating systems. If you are accessing a shared printer from an NT workstation, you do not have to load the drivers. The workstation will pull them off of the server during installation. NT allows you to pool your printers so that your job will print on the first available printer. This only works if you have more than one identical printer with an equal amount of memory in each.
Once your drivers are all installed, you need to worry about spool settings. By default, an NT server will spool print jobs so that the client computer is "freed" up so that the user can continue with their work. This is called background printing. There may be occasions where you will not want to spool the jobs to the server - maybe you have an old server that can't handle the workload, or for troubleshooting reasons. In these situations, you can change the scheduling to "print directly to the printer".

--PRINTER PERMISSIONS--
Printer permissions are only slightly different than NT's regular permissions. The table below should explain it.

| Permission | Description |
|---|---|
| No access | Can't print or do anything else. |
| Print | Can print, pause, resume, delete and restart their own documents only. |
| Manage Documents | Have "print" permissions for all documents (not just their own). Can also control document settings. |
| Full access | Have "manage document" permissions and can also change printing order and change the printer's permissions and properties. |

In addition to permissions, priorities for print jobs can be set. For example, if you are the president of a company and you feel that your documents are more important than the secretaries', then on the server you can create 2 printer objects and assign a different print priority to each so that your documents come out first.
Like other things in NT, a printer can be audited by enabling "file and object access" auditing in the User Manager. Then in the printer properties, you can select the users and/or groups that you would like audited.

--PRINTER CONNECTION PROBLEMS--
Let's start off with the famous "I can't print" problem. Please note that the following discussion focuses on TCP/IP printer connections, whereas on the exams Microsoft will be referring to HP printers using the DLC protocol.
  • No matter what the problem is, whether it be print quality or connection related, print an internal page. Most printers have some sort of startup or configuration page that they will print, and this page may also have the printer's network settings on it. This will verify that the printer is working properly.
  • Treat the printer just like you would a computer that is not participating on the network properly, i.e. if it is a TCP/IP printer, try to ping it. If the printer uses a JetDirect box with IP, ping the box. If this doesn't work make sure that you can ping another device on the network.
  • Check your network settings. Make sure that someone hasn't fiddled with the printer's settings and that the printer's and computer's IP settings are correct.
  • Make sure that everything is plugged in correctly even if you are sure that it is. Don't be cocky, you don't want to be that guy that calls tech support and they help you determine that the printer isn't connected. Believe me it happens. I have also seen a case where an ethernet cable was chewed up by rats, so take a good look at it. One of the best ways to test cabling is to take the drop in question and connect it to another printer or computer. Can you ping the new device? If not then you probably have a cable problem.
  • If you were able to ping it, then see if you can print from the server. If not, then do the following: Make sure that NT is pointing at the correct port. Verify that the correct driver is installed (you may need to consult your printer manufacturer to find out which is the correct one). Reinstall the driver.
  • If you were able to print from the server just fine, then try to narrow down whether it is just one client or several or all that are unable to print. This is where it starts to get tricky and you have to do your homework. If only a certain group of users can't print, it may be a routing problem. If it is all, then something probably isn't set up correctly on the server. If it is just one user that can't print, then it is probably a driver problem (assuming that they can access the rest of the net).
  • If for some reason a document gets stuck in the spooler, restart the spooler service.
This, of course, isn't even the tip of the iceberg, but these are the basics. The main point is that when troubleshooting anything, try to narrow it down first. You probably won't figure it out on your first try - use the process of elimination.

    NETWORK CONNECTIONS
    --CONNECTING A DOS WORKSTATION TO NT--
    DOS is the most complicated one to connect to NT because it has no built-in networking support. There are several different ways to do this and we will look at each.
    The first way is to use NT's NCA (Network Client Administrator). The NCA setup will ask for your network card type, protocol info, etc. and will then create a file on a floppy that you would use as a boot disk on the DOS client after modifying the protocol.ini file. This will provide enough network support to connect to the NT server. Then a batch file will be run that will install the Microsoft Network Client 3 for DOS.

    There is an easier way to set up the Microsoft Network Client 3 for DOS that bypasses using NCA. Browse to the "clients" directory and look in the "msclients" subdirectory. In here, you will find a "disk1" and a "disk2" directory. Copy each of these to a separate floppy disk. Now all you have to do is insert disk one into the DOS client, switch to the A drive and type setup. This will run the installation program and should be pretty straightforward from there.
    When you first try to log on, you will get a message that your password has expired so you will have to change it using the following command: net password /domain:(your domain)(username)(old password)(new password). You will probably get an error message, but the password has been changed and should work when you try to log on again.

    --GETTING AROUND THE NETWORK WITH DOS--
    To browse the network, use the "net view" command without the quotes. To view shared resources on a particular server, use "net view \\(server name)". To connect to a shared resource, use "net use (drive letter): \\(server name)\(resource)". If you need to map to drive letters higher than E, then you will have to edit your config.sys file and add LASTDRIVE=(whatever you want the last drive letter to be). To use a printer, type "net use (port such as lpt1:) \\(server)\(printer share name)". To disconnect a network connection, type "net use /delete".

    --CONNECTING WINDOWS FOR WORKGROUPS TO NT NETWORKS--
    During installation of Windows for Workgroups you will install the network card. If it was not done at this time or you installed a new network card, then go to the Network Group and run the network setup program. Once the network card is set up and you have logged into the domain, you can browse shared network resources and servers. To do this, open File Manager and click "disk" and then "connect network drive" and you will see the browse list. Working with printers is similar except you open Print Manager and click "Printer" and then "Connect Network Printer".

    --CONNECTING WINDOWS 95/98 TO NT NETWORKS--
    Like Windows for Workgroups, you will have the option of setting up network support during Windows installation. But again let's pretend that it didn't happen that way or that you are adding a new network card. To set this up, all you have to do is go to the networking control panel, click the configuration tab, select "add" and you will see choices of client, adapter, protocol and service. Select "adapter". Select your adapter type or choose "have disk" if you wish to install 3rd party drivers. IPX and NetBeui protocols will automatically be installed. Click the "add" or "remove" buttons on the configuration tab to add or remove protocols.

    In order to enable the workstation to log into the domain, you will need to go to the "properties" of Client for Microsoft Networks. In this dialog box, you will need to select "log on to Windows NT domain" and enter the domain name. Once finished with all of this you will have to reboot and will then be able to log in. Like NT, Windows 95/98 uses the Network Neighborhood interface to browse the network.

    --WINDOWS TERMINAL SERVER--
    It is similar to a centralized network - remember that from networking essentials? Essentially, the network would have 1 or more terminal servers and the rest of the computers would be almost like dumb terminals, which are also known as "thin" clients. Thin clients can be any old computer that you have lying around, which is one of the attractions of this type of setup - hardware savings, although you have to have enough beefed up servers to support them. This is not the only advantage, however; you also save on support as Winterm can be configured to run all of the applications on the servers. This means that if there is a problem, odds are good that it is occurring at the server, which makes for easy and centralized support. Installation of the Terminal Server is very similar to an NT installation. Once installed, you will notice some differences in the administrative tools from NT 4.0 as it will now include the following:
    • Terminal Server Client Creator -- Will create floppies for Client installation on the workstations.
    • Terminal Server Administration -- The Big Brother application that allows you to view what the clients are running, disconnect them and view protocol information.
    • Terminal Server License Manager -- Allows you to add or subtract client licenses that you must pay for.
    • Terminal Server Connection Configuration -- Used to configure the RDP protocol, set security and a bunch of other stuff.
    In order to set this up for a workstation, the Windows Terminal Client must be installed. On the server side, you will need to select either Remote Desktop Protocol(RDP) or MetaFrame. MetaFrame is faster as it only sends the changed information from the client as opposed to RDP which will resend the whole desktop if a user deletes a file from it, for example.

    --MACINTOSH CONNECTION TO NT NETWORKS--
    NT offers Services for Macintosh to allow MACs to access shared resources as well as provide other services including:
    • Support for AppleTalk protocols without the need for a gateway.
    • MAC filename attribute support.
    • Support for the AppleShare protocol.
    • Allows MAC users to access non-PostScript printers without the need to convert documents.
    • Ability to map extensions for PC files which allows MAC apps to recognize PC file extensions.
    • Allows PC users to access LaserWriter printers without the need to convert documents.
    • Allows for 255 simultaneous AppleTalk sessions per NT server.
    So how do you set this all up? On the server side, you need to install services for Macintosh which requires an NTFS partition. If there are routers on the network, they will need to be configured to route the Appletalk protocol or NT server can be set up to perform this function. If you will be using NT as the router, you will need to specify the zones and the network range. Each number in the network range will support up to 256 devices per network segment. After rebooting, the NT server should show up in the chooser on the MACs and a Microsoft UAM Volume will appear on the NTFS partition. Now MAC volumes can be created using server manager. Finally, you will need to set your permissions for the MAC volumes. Following are the MAC permissions:
    Permission -- Description
    • See Files -- Like NT's read permission. Permits the owner, a primary group or everyone to view files in the MAC volume.
    • See Folders -- Same as the See Files permission except it applies to folders within the MAC volume.
    • Make Changes -- Similar to NT's change permission. Permission to view, add and delete files or folders. Can also save changes.
    • Replace permission on subdirectories -- Takes whatever permissions are set and copies them to all of the folders within the MAC volume or a folder within the volume.
    • Cannot remove, rename or delete -- Users can't rename, remove or delete a MAC volume or a folder within it.

    Not much setup needs to be done on the MAC side unless you would like to maintain NT's C2 security and allow for encrypted passwords. The software for this is included with NT server and would need to be installed on every participating MAC client.

    You are now ready to move files back and forth, except you will undoubtedly run into problems. Obviously, Macs and PCs use different file systems and this also means that they won't recognize each other's file types without some configuration. For DOS extensions, you will need to use File Manager to change the extension mappings for ones that aren't correctly configured. If an application isn't listed then you will need to get the type and creator codes for the files it supports. On the Mac you will probably need a 3rd party converter application like Maclink. Many applications have cross platform versions available.


    BROWSING
    --GENERAL--
    The browsing service allows one to view what resources are available on your network. In order for this to work, at least one computer has to be the Master Browser that is responsible for maintaining a browse list. Keep in mind that every computer on the network is either a master browser, backup browser, potential browser or not participating. There are several rules that govern who becomes the master browser, as follows:
    • Each subnet on a tcp/ip network must have its own master browser.
    • As long as a PDC is up and running, it will be the master browser and any BDCs will be backups. This can be changed by editing a couple of registry keys, however.
    • There will be 1 backup browser for every 15 computers on the network.
    • If the master browser cannot be reached, then an election is held to determine the most suitable candidate. Priority is based on the type of computer (NT Server, then NT Workstation, then Win95, etc.).


    MANAGING DOMAINS
    --BACKGROUND--
    Whenever you log in to an NT Server, a session is created. Server Manager is a very important tool for managing your domain as it allows you to:
    • Synchronize a PDC's security database with the BDCs.
    • Set up directory replication
    • Add and remove NT machines from your domain.
    • Create and remove shares
    • Change an NT server from BDC to PDC or vice versa
    • View users with open sessions on a particular machine
    • View how long the user has been using a particular resource
    • View the resources being accessed during the session
    • View all non-hidden computers on the network
    • View Macfiles
    • Send messages or alerts to clients (Win 95/98 clients must have Winpopup running)
    • Allows you to configure the services on your other NT servers.
    Remote administration will only work on other NT Servers, NT workstations or LAN Manager 2.x and will only include current data. If you want to view statistics over a period of time then you will need to set up Performance Monitor or use the "net statistics server" command from a command prompt.

    Server Manager also gives you the ability to disconnect users from a server; however, certain things must be in place in order for it to work. When a user logs on to a server, the server verifies the user's login information with a domain controller and a Security Access Token (SAT) is created that allows the user to reaccess a share. If you disconnect the user, the next time they attempt to access a particular share the server will look at the SAT and let them back in, and the user will never even know that they had been given the boot. Instead, change the user's permissions to no access and then boot them. Then the server will have to query a domain controller to create a new SAT and the domain controller will report to the server that the user doesn't have access to that share.

    Next, I want to mention the system shares that Server Manager allows you to view. They are as follows:
    Share -- What is it?
    • ADMIN$ -- This share is used for the remote administration of a server.
    • NETLOGON -- You will only see this one on domain controllers. It is used by the net logon service, which keeps your PDCs and BDCs synchronized. It is responsible for handling login attempts.
    • REPL$ -- Used when NT server is acting as a replication export server.
    • IPC$ -- Shares the named pipes that are used for the creation of sessions between apps. Used during remote administration or viewing shared resources.
    • PRINT$ -- The share for printers.
    • driveletter$ -- This is the root directory for a storage device on an NT server.


    --DIRECTORY REPLICATION--
    Server Manager is also used to set up replication. Directory replication is used to export directories to another NT server or Workstation, such as the exportation of login scripts from a PDC to a BDC, for example. This is useful for server load balancing and redundancy. Only NT servers can export; NT servers, NT workstations and OS/2 LAN Managers can import. Replication occurs in the following manner: Let's say that you have a domain called "sales". "sales" has a server called "highpressure" that is configured as an exporter to the "sales" domain. You also have 3 NT workstations that have the directory replicator service running and are configured as importers. Once the service has been configured, a directory at C:\winnt\system32\REPL\EXPORT will be created. Directories that are to be exported will go in subdirectories that you create within the C:\winnt\system32\REPL\EXPORT directory. Once everything is configured on the importer, a directory called C:\winnt\SYSTEM32\REPL\IMPORT will be created. This is where the directories will be copied to. Then, run Server Manager and click the replication button to set up the rest. Note that the importers and exporters must support the same file system. You also must make sure that the Directory Replication service is started in the "services" control panel.

    WORKING WITH NETWARE
    --BACKGROUND--
    Unfortunately, most networks will be a mix of network operating systems, which makes the process of everything working together a little more complicated. The big one that you have to worry about in real life and in the exam is Netware, so really know this section. The 2 basic Netware situations that you will need to worry about for this exam are: NT Server on a Netware network and Netware on an NT Server network.

    --CONNECTION OPTIONS--
    • NWLink is a routable transport protocol that imitates Netware's IPX/SPX protocol and is all that is necessary to allow NT to run applications from a Netware server, but does not allow file and print sharing. After this is installed you will have multiple protocols bound to your ethernet card (if you didn't already). To improve your network performance, change the binding order so that the most frequently used protocol is first.
    • File and Print Services for Netware(FPNW) is add on software that allows Netware clients to access an NT Server. The NWLink protocol must be installed for this method to work.
    • Client Services for Netware(CSNW) allows NT workstations file and print sharing access to a Netware server. The NWLink protocol will automatically be installed with CSNW.
    • Gateway Services for Netware(GSNW) creates a gateway that allows NT clients to access a Netware network via an NT Server without having to install any client software. GSNW will also allow you to run many Novell commands from a command prompt. NWLink is required and will be installed automatically when GSNW is installed. You must create a group called NTGATEWAY on the Netware server and then map a drive on the NT Server for the clients to access. The account used for the gateway must be a member of the NTGATEWAY group and have appropriate permissions for the resources on the Netware server. Only the NTGATEWAY account is necessary to allow all users to access Netware resources. Accessing a Netware server via a gateway will be slower than connecting directly.
    • Netware Client Software is Novell's solution to the whole mess and substitutes ODI(what Netware uses) based network drivers for the NDIS ones that come with NT. This would be used if you were connecting a few NT workstations or Win 95/98 machines to a Netware network and did not want to use CSNW. This situation doesn't really apply to this exam, but I included it just in case.
    --FRAME TYPES--
    Once you have all of this figured out, you then need to worry about the frame type. If mismatched frame types are used then communication will not happen. By default, NWLink and GSNW will only allow you to connect to Netware 3.12, 4.1, 4.11, which use Ethernet 802.2 frame type. Auto-detection should work fine in this situation as NWLink also uses 802.2. Auto-detect is only capable of selecting one frame type so to connect to NetWare 3.11 or lower, you need to use manual configuration and select both frame types as these lower versions of Netware use the Ethernet 802.3 frame type.
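
    To see a frame type mismatch on the wire, the added Python example below (not from the original guide) classifies captured Ethernet frames by IPX frame type and reports the types that the NT side is not configured for. It goes beyond the two frame types discussed here by also recognising Ethernet II and SNAP; the byte signatures are the standard IPX encapsulations, and the frames, addresses and function names are constructed.

```python
import struct

# Constructed test data: an empty 30-byte IPX header (checksum FFFF, length 30)
# and a broadcast destination plus a locally administered source address.
IPX_HEADER = b"\xff\xff" + struct.pack("!H", 30) + bytes(26)
MACS = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")

LLC_IPX = b"\xe0\xe0\x03"                            # 802.2: DSAP E0, SSAP E0, control 03
SNAP_IPX = b"\xaa\xaa\x03\x00\x00\x00\x81\x37"       # SNAP header carrying type 8137
IPX_ETHERTYPE = 0x8137


def build(kind):
    """Build a constructed IPX frame in the named encapsulation."""
    if kind == "Ethernet II":
        return MACS + struct.pack("!H", IPX_ETHERTYPE) + IPX_HEADER
    prefix = {"Ethernet 802.3": b"", "Ethernet 802.2": LLC_IPX, "Ethernet SNAP": SNAP_IPX}[kind]
    body = prefix + IPX_HEADER
    return MACS + struct.pack("!H", len(body)) + body


def classify(frame):
    """Return the IPX frame type of one Ethernet frame, or "not IPX"."""
    if len(frame) < 16:
        raise ValueError("frame too short to classify")
    (type_or_len,) = struct.unpack("!H", frame[12:14])
    body = frame[14:]
    if type_or_len >= 0x0600:                        # an EtherType, not a length
        return "Ethernet II" if type_or_len == IPX_ETHERTYPE else "not IPX"
    if body[:2] == b"\xff\xff":                      # IPX checksum directly after the length
        return "Ethernet 802.3"
    if body[:3] == LLC_IPX:
        return "Ethernet 802.2"
    if body[:8] == SNAP_IPX:
        return "Ethernet SNAP"
    return "not IPX"


def expected_frame_type(netware_version):
    """Frame type by NetWare version as stated in the text: 3.11 or lower uses 802.3."""
    return "Ethernet 802.3" if netware_version <= (3, 11) else "Ethernet 802.2"


def unreachable_frame_types(frames, configured):
    """Frame types seen in the capture that NWLink is not configured to use."""
    seen = {classify(f) for f in frames} - {"not IPX"}
    return sorted(seen - set(configured))


if __name__ == "__main__":
    arp = MACS + b"\x08\x06" + bytes(28)             # constructed non-IPX frame
    capture = [build("Ethernet 802.2"), build("Ethernet 802.3"), arp]
    print([classify(f) for f in capture])
    print("not reachable with 802.2 only:", unreachable_frame_types(capture, ["Ethernet 802.2"]))
```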

    --MIGRATION TOOL--
    NT has a file called NWCONV.EXE that is designed to aid in the event that you are moving away from a Novell based network to an NT network. You must first set up GSNW as described above. After running the conversion, you need to make sure that all of the Netware workstations have the SMB redirectors installed so that they will be able to access the NT server.

    OPTIMIZATION AND TUNING
    --PERFORMANCE MONITOR--
    Performance Monitor uses "counters" and not only allows you to view statistics on a local NT Server, but on others located on the network as well. Perfmon allows you to locate trouble areas and bottlenecks on your NT Server. The main sources of these bottlenecks are the network card and drivers, CPU, memory and the disk subsystem. These problems will vary depending on whether your server is a file server or an application server. Perfmon gives you several ways to handle your statistics, as follows:
    • Report - view statistics.
    • Chart - good for finding problems over a period of time.
    • Log - used to view data over a period of time.
    • Alerts - Alerts can be configured so that you are notified when a particular counter has passed a benchmark that you have set. The results can only be sent to one user.
    Here is how to tell where the problem is:
    • DISK - If the %disk time is over 90% or the disk queue length is over 2, then there is a problem with either the disk or the controller. You must type DISKPERF -Y at a command prompt to enable disk performance counters.
    • NETWORK CARD - Use the network/%network utilization counter. You won't be able to use this unless you have the Network Monitor Agent installed and running. If this value is over 30% then the network card is the problem. As previously mentioned, make sure that you bind your most used protocols first.
    • CPU - Check the %processor time. If it is running above 80% then there is a problem. To get TCP/IP statistics you will need to have SNMP running.
    • MEMORY - The pages/sec counter should be less than 20. The available bytes should be more than 4mb and committed bytes should not exceed the amount of physical memory installed in the computer. You will also want to use Performance Monitor to keep an eye on your paging file (virtual memory) by using the %usage and %usage peak counters. Microsoft recommends that the paging file is set to a value equal to the amount of RAM + 12. So if you had 32mb of RAM, your initial paging file size would be 44, but using Perfmon and viewing the %usage and %usage peak counters is the best way to tell whether it is cutting the mustard.
    --MISC--
    The Event Viewer is a configurable tool that keeps track of what happens on your server and tracks 3 categories of information: System, Security and Application. The system log will contain information about drivers and services that fail to start. The security log will keep track of events that you enable in auditing. The Application log keeps track of application errors and processes.

    Task manager allows you to list and stop running programs, start programs, view CPU and memory usage, view running processes and change their priority.

    REMOTE ACCESS SERVICE(RAS)
    --GENERAL--
    RAS is basically NT's dial up networking service that allows NT to dial out to other computers and to receive calls as well. On the client side it is called Dial Up Networking(DUN) which is not as robust as RAS. Essentially, RAS turns your dial-up-communications into a network card. In NT 4.0 a new software layer called TAPI has been added which allows software vendors to not have to provide support and worry about the type of modem being used. TAPI handles this for them. RAS supports the SLIP and PPP dialup protocols. PPP is most commonly used as it allows for dynamic addressing. RAS supports modem, frame relay, direct serial, x.25 and ISDN connections. Additionally, RAS has an option for multilink PPP that allows for connections to automatically be pooled. By default RAS uses the NetBeui protocol but can also use TCP/IP and IPX/SPX. TCP/IP must be used with programs that use Winsock. An LMHOSTS file on a RAS client can speed up NetBios name resolution.

    --LOGIN AUTHENTICATION--
    RAS provides several different authentication possibilities as follows:
    • Allow any authentication including clear text -- Allows for a variety of password authentication protocols including PAP. This is a good option if you have a variety of RAS client types.
    • Require encrypted authentication -- Will allow any password authentication except for PAP.
    • Require Microsoft encrypted authentication -- This will use CHAP(Challenge Handshake Authentication Protocol) or MSCHAP and means that only Microsoft clients will be able to attach.
    • Require data encryption -- Will require all data to be encrypted
    By default nobody is able to dial in to the RAS server. These permissions have to be set in the Remote Access Service Administrator. Once this is done, there is a callback security option that must be set. Callback security can be set so that the RAS server will call back a user trying to login to verify that their phone number matches their login ID and password. Not only does it provide security, but it can also save customers money if they are dialing in long distance. There are 3 possible options:
    • No call back -- Default option that provides no added security.
    • Set by caller -- Once the user is validated, RAS will then call the user back. Provides no additional security.
    • Preset to -- This option provides a lot of security but only works if the users always call from the same phone number. If they try to call from a different one, they will not be able to connect.


    RECOVERY AND TROUBLESHOOTING
    --BACKUP--
    The backup option in Administrative tools is one of the easiest ways to protect your data. NT offers 5 different backup types. Before looking at them, you need to understand archive bits. An archive bit is attached to a file anytime it is removed and changed during the backup process. Its purpose is to mark which files have been modified already allowing for selective backups.
    Backup Type -- Description
    • Normal -- This is a full backup - backs up everything that is selected regardless as to whether or not the archive bit is set.
    • Copy -- Also a full backup but the archive bit is not reset after the files have been copied.
    • Differential -- Only backs up files that have the archive bit set and doesn't reset the bit afterward.
    • Incremental -- Same as differential except the archive bit is reset afterward.
    • Daily -- Backs up all files that were modified that day and doesn't reset the archive bit.
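
    An added example, not part of the original guide: a small Python simulation of the table above that shows which files each backup type writes to tape and what that means at restore time. It assumes the archive bit is set whenever a file is created or modified; the file names, the change schedule and the restore-chain logic (which goes beyond the table) are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed data: day 0 is the full backup, CHANGES maps each later day
# to the files modified on that day.
FILES = ["logon.bat", "payroll.xls", "readme.txt", "users.mdb"]
CHANGES = {1: ["payroll.xls"], 2: ["users.mdb"], 3: ["logon.bat", "payroll.xls"]}


@dataclass
class FileState:
    archive: bool = True    # assumption: the bit is set when a file is created or modified
    modified_day: int = 0


def touch(disk, name, day):
    """Create or modify a file, which sets its archive bit."""
    disk[name] = FileState(archive=True, modified_day=day)


def run_backup(disk, kind, day):
    """Return the sorted names written to tape and reset bits as the table describes."""
    if kind in ("normal", "copy"):
        chosen = list(disk)
    elif kind in ("differential", "incremental"):
        chosen = [name for name, state in disk.items() if state.archive]
    elif kind == "daily":
        chosen = [name for name, state in disk.items() if state.modified_day == day]
    else:
        raise ValueError(f"unknown backup type: {kind}")
    if kind in ("normal", "incremental"):    # the only two types that clear the bit
        for name in chosen:
            disk[name].archive = False
    return sorted(chosen)


def simulate(midweek_kind):
    """Normal backup on day 0, then midweek_kind each evening after that day's changes."""
    disk = {}
    for name in FILES:
        touch(disk, name, 0)
    tapes = [("normal", 0, run_backup(disk, "normal", 0))]
    for day in sorted(CHANGES):
        for name in CHANGES[day]:
            touch(disk, name, day)
        tapes.append((midweek_kind, day, run_backup(disk, midweek_kind, day)))
    return disk, tapes


def restore_days(tapes):
    """Days whose tapes are needed to rebuild the disk as of the last backup."""
    kind = tapes[-1][0]
    if kind == "normal":
        return [tapes[-1][1]]
    if kind == "incremental":
        return [day for _, day, _ in tapes]      # the full tape plus every incremental
    if kind == "differential":
        return [tapes[0][1], tapes[-1][1]]       # the full tape plus the newest differential
    raise ValueError("copy and daily tapes do not form a restore chain")


if __name__ == "__main__":
    for kind in ("differential", "incremental"):
        _, tapes = simulate(kind)
        for tape_kind, day, names in tapes:
            print(f"day {day} {tape_kind:12} {names}")
        print("restore needs the tapes from days", restore_days(tapes))
```

    Differential tapes grow each day but a restore needs only two of them; incremental tapes stay small but every one since the normal backup is required.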

    NT backup will also allow you to protect your registry by selecting the backup Local Registry box in NT Backup. It can also be used to backup drives for Win95/98 and NT workstation provided that they are a part of the domain. Also, using the backup utility, you can restore the disk, specific files or the registry from the tape drive.

    --BOOT PROBLEMS--
    If your server dies on you and won't boot, a good thing to try is to select the "last known good configuration" when prompted at boot. This often will be a valid solution when you add a new piece of hardware like a video card for example. The new drivers that you loaded for it may be causing a problem, so this selection will tell NT to forget any changes that you have made since the previous boot, by looking for the last configuration that did not cause system critical errors at boot. Another good thing to try is to boot into VGA mode. This mode has a /sos appended to it in the boot.ini file.
    Let's say that you have really messed up your server and the last known good menu did not work. Now you take it to the next level and use an Emergency Repair Disk (ERD). Make sure that you create one of these every time you make any major changes to your server - it will be worth it in the long run. To create an ERD, run RDISK.EXE. To utilize the ERD, you boot from the 3 setup disks and you select R for repair when prompted. After this, you will be able to select from the following options:
    • Inspect registry files - This allows you to restore registry hive files from backup.
    • Inspect startup environment - If this is selected, NT will try to repair or replace the boot.ini file if it has problems.
    • Verify windows NT system files - Will check and make sure that all of the system files that NT installed are still there.
    • Inspect boot sector - Will repair the boot sector if there is a problem and make sure that the NTLDR file is still intact and operating properly.
    --ARC NAMING CONVENTION--
    ARC is an architecture-independent way of naming drives for x86, risc, alpha, etc. NT uses this convention in its boot.ini file to determine which disk holds the OS. The table below will explain the different options.
    • Multi(x) -- Specifies an EIDE disk or a SCSI disk if the BIOS is enabled to detect it. Can only be used on x86 systems. "x" is the number of the controller.
    • SCSI(x) -- Defines a SCSI controller if the BIOS is not enabled to do so. Again, "x" is the number of the controller.
    • Disk(x) -- Defines which SCSI disk the OS is on. If SCSI(x) was used then x=the SCSI ID of the drive. If Multi(x) was used then x=0.
    • Rdisk(x) -- Defines the disk which the OS is on when it is on an EIDE disk. x=0-1 if on primary controller. x=2-3 if on multi-channel EIDE controller.
    • Partition(x) -- Specifies the partition that the operating system is located on. (x)=the partition's number.
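
    The table above, applied to a whole file: the following Python is an added example (not part of the original guide) that parses the ARC paths in a boot.ini, checks them against those rules and flags a default= line that matches no entry. The sample boot.ini and all function names are constructed for illustration; the check that partition numbers start at 1 is standard NT behaviour that the table does not state.

```python
import re
from dataclasses import dataclass

# Constructed sample boot.ini (not from the page); the last entry is deliberately wrong.
SAMPLE_BOOT_INI = r"""
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows NT Server Version 4.00"
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows NT Server Version 4.00 [VGA mode]" /basevideo /sos
scsi(0)disk(2)rdisk(0)partition(1)\WINNT="NT on SCSI ID 2"
multi(0)disk(1)rdisk(5)partition(0)\WINNT="Hand-edited entry"
"""

ARC_RE = re.compile(
    r"^(?P<ctype>multi|scsi)\((?P<ctrl>\d+)\)"
    r"disk\((?P<disk>\d+)\)rdisk\((?P<rdisk>\d+)\)"
    r"partition\((?P<part>\d+)\)(?P<dir>\\.*)?$",
    re.IGNORECASE,
)
ENTRY_RE = re.compile(r'^(?P<path>[^=]+)="(?P<label>[^"]*)"(?P<switches>.*)$')


@dataclass(frozen=True)
class ArcPath:
    ctype: str          # "multi" or "scsi"
    controller: int
    disk: int
    rdisk: int
    partition: int
    directory: str


def parse_arc(path):
    """Split one ARC path into its fields; raise ValueError if it is malformed."""
    m = ARC_RE.match(path.strip())
    if m is None:
        raise ValueError(f"not an ARC path: {path!r}")
    return ArcPath(m["ctype"].lower(), int(m["ctrl"]), int(m["disk"]),
                   int(m["rdisk"]), int(m["part"]), m["dir"] or "")


def validate(arc):
    """Check the fields against the rules in the table above."""
    problems = []
    if arc.ctype == "multi" and arc.disk != 0:
        problems.append("multi() requires disk(0)")
    if arc.ctype == "multi" and arc.rdisk > 3:
        problems.append("rdisk() must be 0-3 on EIDE")
    if arc.partition < 1:   # known NT behaviour, not stated in the table
        problems.append("partition() numbering starts at 1")
    return problems


def describe(arc):
    """Say in words which disk and partition the path points at."""
    if arc.ctype == "multi":
        channel = "primary" if arc.rdisk <= 1 else "multi-channel"
        where = f"BIOS controller {arc.controller}, rdisk {arc.rdisk} ({channel} EIDE controller)"
    else:
        where = f"SCSI controller {arc.controller} without BIOS, SCSI ID {arc.disk}"
    return f"{where}, partition {arc.partition}, directory {arc.directory}"


def parse_boot_ini(text):
    """Return (default ArcPath or None, [(ArcPath, label, switches), ...])."""
    section, default, entries = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot loader" and line.lower().startswith("default="):
            default = parse_arc(line.split("=", 1)[1])
        elif section == "operating systems" and (m := ENTRY_RE.match(line)):
            if ARC_RE.match(m["path"].strip()):      # skip non-ARC entries such as C:\
                entries.append((parse_arc(m["path"]), m["label"], m["switches"].split()))
    return default, entries


def audit(text):
    """List rule violations, plus a default= line that matches no entry."""
    default, entries = parse_boot_ini(text)
    findings = [f"{label}: {p}" for arc, label, _ in entries for p in validate(arc)]
    if default is not None and default not in [arc for arc, _, _ in entries]:
        findings.append("default= matches no [operating systems] entry")
    return findings


if __name__ == "__main__":
    for arc, label, switches in parse_boot_ini(SAMPLE_BOOT_INI)[1]:
        print(label, switches, "->", describe(arc))
    print(audit(SAMPLE_BOOT_INI))
```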

    --SERVER STOP ERRORS--
    Stop errors can be written to a .dmp file in the following manner: In the system control panel, you can specify the directory that you would like the files to be written in the startup/shutdown tab. In order to view the contents of the file, a program called dumpexam.exe must be used. There must be free disk space available in a swapfile on the boot drive that is equal to the amount of RAM installed on the server.

    --WHEN A PDC GOES DOWN--
    This section will discuss what to do if the PDC goes down. By default, your PDC will replicate its SAM database to the BDC every 5 minutes, which means that the BDC should always have a fairly current copy on hand. If for some reason the PDC and BDC(s) become out of sync, you can use Server Manager to force the databases to synchronize. Anyway, while the BDC(s) will have copies of the SAM, they do not have the ability to make changes to it. If the PDC were to crash, users would still be able to log on, but no changes could be made to their accounts and new accounts could not be created. If the PDC will be unavailable for a long period of time, you can use Server Manager to promote one of the BDCs to a PDC. When the original PDC is back up again, you will see the option to demote the other server back to a BDC.



