Windows NT Server 4 in the Enterprise (70-68) STUDY GUIDE 2
(From CERTSITES)
Planning
Selecting a domain model:
· Single Domain - Easiest to implement: all users and resources are in one domain, which allows centralized administration. Browsing can be slow if there are many servers and workstations, and the directory database (SAM) should stay under roughly 40 MB, which works out to a suggested maximum of about 40,000 accounts in a single domain.
· Single Master Domain - All user accounts are in a single master domain while all resources are in separate resource domains. Supports a single logon account because each resource domain establishes a one-way trust pointing to the master domain (the resource domain trusts the master). This model allows centralized administration of user accounts, but each resource domain will probably need its own administrator for its resources. Global groups are defined in the master domain; local groups must be set up in each resource domain.
· Multiple Master Domain - There are at least two master domains containing user accounts, with a two-way trust between every pair of master domains. Each resource domain has a one-way trust pointing to each of the master domains. The advantage is that centralized administration is still possible. The disadvantages are that the trust relationships become complex and multiple administrators may be needed for user accounts.
· Complete Trust - In this model every domain has a two-way trust with every other domain, so n domains need n(n-1) one-way trusts. This is an extremely complicated domain model and centralized administration is not possible.
Trust Relationships
· A trust is simply a link between two domains. When one domain trusts another, always create the trust so that the trusted domain is the domain with the user accounts and the trusting domain is the domain with the resources. In a two-way trust, both domains trust each other.
· Trust relationships are created using User Manager for Domains (Policies, Trust Relationships). Set up the trusted (account) side first by adding the trusting domain to its Trusting Domains list, then on the trusting (resource) domain add the trusted domain. Note that the trust only makes accounts from the trusted domain available; it grants no access until they are placed on ACLs or in local groups in the trusting domain.
· Trusts are not transitive. This means that if A trusts B and B trusts C, A does not trust C; accounts from C cannot be used on A's resources unless A explicitly trusts C as well (draw a picture, it is much easier that way).
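The following is an added example, not text or code from the study guide, that models the trust rules above in Python: a one-way trust is a (trusting, trusted) pair, access is only possible across a direct trust, and the trust counts for each domain model are computed from the number of master and resource domains. The domain names A, B and C are made up for the example.

```python
"""Model of NT 4 trust relationships. Added example, not part of the study guide.

A one-way trust is stored as the pair (trusting, trusted): the trusting domain
holds the resources, the trusted domain holds the user accounts. A two-way
trust is two one-way trusts. Domain names are made up for the example.
"""


def add_one_way_trust(trusts, trusting, trusted):
    """Record that `trusting` trusts `trusted`."""
    trusts.add((trusting, trusted))


def add_two_way_trust(trusts, a, b):
    add_one_way_trust(trusts, a, b)
    add_one_way_trust(trusts, b, a)


def can_be_granted_access(trusts, account_domain, resource_domain):
    """True if an account from account_domain can appear on an ACL in resource_domain.

    Trusts are not transitive: only a direct trust counts. With A trusts B and
    B trusts C, accounts from C still cannot be used on A's resources.
    """
    if account_domain == resource_domain:
        return True
    return (resource_domain, account_domain) in trusts


def one_way_trusts_needed(model, masters=0, resources=0):
    """One-way trusts each domain model needs (count a two-way trust as two).

    masters: number of account (master) domains; resources: number of resource
    domains. For the complete trust model every domain is both, so pass the
    total domain count as masters.
    """
    if model == "single domain":
        return 0
    if model == "single master":
        return resources                            # each resource domain trusts the master
    if model == "multiple master":
        between_masters = masters * (masters - 1)   # two-way between every pair of masters
        to_masters = masters * resources            # each resource domain trusts every master
        return between_masters + to_masters
    if model == "complete trust":
        n = masters + resources
        return n * (n - 1)                          # two-way between every pair of domains
    raise ValueError(f"unknown model: {model}")


def demo_non_transitive():
    trusts = set()
    add_one_way_trust(trusts, "A", "B")   # A trusts B: B's accounts usable on A's resources
    add_one_way_trust(trusts, "B", "C")   # B trusts C
    return {
        "B account on A resource": can_be_granted_access(trusts, "B", "A"),  # True
        "C account on B resource": can_be_granted_access(trusts, "C", "B"),  # True
        "C account on A resource": can_be_granted_access(trusts, "C", "A"),  # False: not transitive
        "A account on B resource": can_be_granted_access(trusts, "A", "B"),  # False: trust is one-way
    }


if __name__ == "__main__":
    for case, allowed in demo_non_transitive().items():
        print(f"{case}: {allowed}")
    print("multiple master, 2 masters, 3 resource domains:",
          one_way_trusts_needed("multiple master", masters=2, resources=3))   # 8
    print("complete trust, 5 domains:",
          one_way_trusts_needed("complete trust", masters=5))                 # 20
```

The trust-count function is the quick check for exam-style questions: two master domains and three resource domains need 2 + 6 = 8 one-way trusts, and five domains in a complete trust need 20.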
Disk Drive Configuration
· RAID 1 (Disk Mirroring) - Every write goes to two physical disks, so writes are slightly slower but reads can be faster because either disk can serve them. Usable space is half of the raw space. The boot and system partitions can be mirrored. Disk duplexing is the same as disk mirroring except that each disk has its own controller, which removes the controller as a single point of failure.
· RAID 5 (Disk Striping with Parity) - Data is written evenly across stripes on 3 to 32 disks. Each stripe has a parity block, rotated across the disks, that is used to regenerate the data of any one failed disk; usable space is (n-1)/n of the raw space. The boot and system partitions can't be included in a stripe set with parity (or in a plain stripe set). Stripe sets without parity are not fault tolerant: losing one disk loses the whole set.
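To show what "parity block used to regenerate data" actually means, here is an added Python example (not from the study guide) that builds one stripe from constructed sample blocks, XORs them into a parity block, and rebuilds the block from a failed disk; it also checks the disk-count limits and usable capacity of the three NT 4 volume types described above.

```python
"""XOR parity as used by a stripe set with parity. Added example, not from the study guide."""


def xor_parity(blocks):
    """XOR equal-sized blocks together; the result is the parity block of the stripe."""
    size = len(blocks[0])
    out = bytearray(size)
    for blk in blocks:
        if len(blk) != size:
            raise ValueError("all blocks in a stripe must be the same size")
        for i, b in enumerate(blk):
            out[i] ^= b
    return bytes(out)


def write_stripe(data_blocks):
    """Return the stripe as written: the data blocks followed by their parity block."""
    return list(data_blocks) + [xor_parity(data_blocks)]


def rebuild_block(stripe, failed_index):
    """Regenerate the block of one failed disk from all the surviving blocks.

    XOR is its own inverse, so XORing the survivors (data and parity) gives back
    the missing block. This only works for a single failure.
    """
    survivors = [blk for i, blk in enumerate(stripe) if i != failed_index]
    return xor_parity(survivors)


def usable_capacity_mb(volume_type, disks, disk_mb):
    """Usable space for NT 4 fault-tolerance volume types (equal-sized disks assumed)."""
    if volume_type == "mirror set":
        if disks != 2:
            raise ValueError("a mirror set is exactly two disks")
        return disk_mb
    if volume_type == "stripe set":
        if not 2 <= disks <= 32:
            raise ValueError("a stripe set needs 2 to 32 disks")
        return disks * disk_mb          # no redundancy at all
    if volume_type == "stripe set with parity":
        if not 3 <= disks <= 32:
            raise ValueError("a stripe set with parity needs 3 to 32 disks")
        return (disks - 1) * disk_mb    # one disk's worth of space holds parity
    raise ValueError(f"unknown volume type: {volume_type}")


def demo_rebuild():
    """Constructed sample: three data disks, one block each, then disk 1 fails."""
    data = [b"disk0 blk", b"disk1 blk", b"disk2 blk"]
    stripe = write_stripe(data)
    stripe[1] = None                    # disk 1 is gone
    return rebuild_block(stripe, 1) == data[1]


if __name__ == "__main__":
    print("rebuilt block matches original:", demo_rebuild())              # True
    print("4 x 2000 MB with parity:",
          usable_capacity_mb("stripe set with parity", 4, 2000), "MB")   # 6000
```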
Choosing a Protocol
· TCP/IP - Routable protocol that allows you to connect dissimilar systems. It is the protocol of the Internet and is the best choice for large organizations. It is the default protocol for NT 4.
· TCP/IP with WINS and DHCP - WINS dynamically registers and resolves NetBIOS computer names to IP addresses, so browsing and logon work across routers without LMHOSTS files. DHCP automatically leases an IP address (and options such as default gateway, DNS and WINS servers) to each host so addresses do not have to be assigned manually.
· NWLink - Microsoft's IPX/SPX-compatible protocol. It is most useful when connecting your NT network to a Novell NetWare network.
· AppleTalk - Allows connectivity with Macintosh computers through Services for Macintosh. (The Macs could also be set up to use TCP/IP.)
· Data Link Control (DLC) - A non-routable protocol used primarily for connecting to network-attached HP printers and to IBM mainframes.
Installation and Configuration
Server Roles:
· Primary Domain Controller (PDC) - Only one per domain; it is the first server installed in the domain. Holds the master, writable copy of the directory database (SAM). All account changes are made on the PDC and replicated to the BDCs.
· Backup Domain Controller (BDC) - Holds a read-only copy of the directory database synchronized from the PDC. Can authenticate users. If the PDC fails, a BDC can be promoted to PDC with Server Manager. More than one BDC can exist in a domain.
· Member Server - Does not hold a copy of the directory database and does not authenticate domain logons. Provides file and print services and runs applications. A server's role (domain controller or member server) is chosen at installation and cannot be changed without reinstalling NT.
Configure Protocols - (All protocols and adapters are configured using the Network properties from Control Panel)
Configure NT Server Core Services
Domain Master Browser - merges the browse lists from all Master Browsers and forwards the complete domain-wide browse list back to each Master Browser. The Domain Master Browser is always the PDC.
Master Browser - one per subnet (per protocol), elected from the browsers on that subnet. Compiles a browse list of all servers and workstations on its subnet and forwards it to the Domain Master Browser.
Backup Browsers - receive a copy of the browse list from the Master Browser and hand it out to clients. A Backup Browser can become the Master Browser if an election is held.
Potential Browser - can become a browser if an election requires it.
Non-Browser - will never be a browser.
Configuring Hard Disks
Configuring Printers-
· If a printer is added locally, the driver must be installed locally. If a network printer is connected to, the driver is downloaded from the print server, provided the server has the driver for the client's platform installed.
· A printer pool can be created when two or more identical printers use the same driver. Create one logical printer, check Enable printer pooling on its Ports tab, and select the port of each identical printer; jobs then go to whichever printer is free.
· Print priorities (1 to 99, with 99 the highest) are set on the Scheduling tab of the printer's properties, so two logical printers on the same port can give one group's jobs precedence. Print Operators can also pause, resume and reorder jobs while they are in the spool.
Managing Resources
Administrators - have complete administrative control over the domain (on domain controllers) or the local computer.
Users - all new accounts are placed in the Users group. Provides user accounts with default permissions.
Guests - all guest accounts are placed in this group. Has very limited rights.
Backup Operators - allows members to back up and restore files, regardless of file permissions (which is why membership should be kept small).
Replicator - used by the Directory Replicator service; the service account used for replication is placed in this group, and it should not be used for ordinary accounts.
Print Operators - allows members to create, manage and delete printer shares.
Server Operators - allows members to log on to the server locally, shut it down, change the system time, back up and restore files and manage network shares.
Domain Admins (global group) - by default a member of the local Administrators group on every computer in the domain, so its members can administer the whole domain.
Domain Users (global group) - by default all user accounts are members of this group, and it is a member of the local Users group. Has default user rights.
Domain Guests (global group) - all guest accounts are automatically made members of this group. Has very limited access.
Profiles
Managing Disk Resources
Directory and File permissions (file and directory permissions require an NTFS partition; FAT only supports share permissions)
· No Access - the user cannot access the directory at all. No Access overrides every other permission the user gets through group membership.
· List - the contents of the directory can be viewed, and the user can change into subdirectories, but files cannot be read.
· Read - the contents can be viewed, files can be read and programs can be run.
· Add - the user can copy files into the directory but cannot see its contents.
· Add & Read - the user can see the contents, read files, run programs and copy files into the directory.
· Change - files can be viewed, added, modified and deleted, and subdirectories created or deleted.
· Full Control - all of the above, plus the user can change permissions and take ownership of the directory and its files.
Permissions from a user's own entry and all of the user's groups accumulate, except that a No Access entry for any of them wins. When a directory is reached through a share, the more restrictive of the share permission and the NTFS permission applies.
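As an added example (not text or code from the study guide), the following Python encodes the NT 4 standard directory permissions as the individual rights they bundle (R read, W write, X execute, D delete, P change permissions, O take ownership) and works out the effective rights of a user from a constructed ACL, including the No Access override and the combination with a share permission. The user, group and share names are made up for the example.

```python
"""NT 4 standard NTFS directory permissions and how they combine.

Added example, not text or code from the study guide. Each standard permission
is a bundle of individual rights: R read, W write, X execute, D delete,
P change permissions, O take ownership. The first set applies to the directory,
the second to files later created in it (None = "Not Specified", as the
NT 4 ACL editor shows it).
"""

ALL = {"R", "W", "X", "D", "P", "O"}

STANDARD_DIR = {
    "No Access":    (set(), set()),
    "List":         ({"R", "X"}, None),
    "Read":         ({"R", "X"}, {"R", "X"}),
    "Add":          ({"W", "X"}, None),
    "Add & Read":   ({"R", "W", "X"}, {"R", "X"}),
    "Change":       ({"R", "W", "X", "D"}, {"R", "W", "X", "D"}),
    "Full Control": (set(ALL), set(ALL)),
}

# Share-level permissions, which apply only to access over the network.
SHARE = {
    "No Access":    set(),
    "Read":         {"R", "X"},
    "Change":       {"R", "W", "X", "D"},
    "Full Control": set(ALL),
}


def effective_ntfs_rights(acl, user, groups):
    """Rights a user gets on the directory itself.

    acl: list of (trustee, standard permission) pairs, trustee being a user or
    group name. Rights from the user's own entry and all of the user's group
    entries accumulate, with one exception: a No Access entry for the user or
    any of the groups overrides everything else. No matching entry at all means
    no access.
    """
    trustees = {user, *groups}
    matched = [perm for trustee, perm in acl if trustee in trustees]
    if "No Access" in matched:
        return set()
    rights = set()
    for perm in matched:
        rights |= STANDARD_DIR[perm][0]
    return rights


def effective_network_rights(acl, user, groups, share_permission):
    """Over a share, the more restrictive of the share and NTFS permissions wins."""
    return effective_ntfs_rights(acl, user, groups) & SHARE[share_permission]


# Constructed sample ACL on a directory such as \\SERVER\SALESDATA (names made up).
SAMPLE_ACL = [
    ("Domain Users", "Read"),
    ("Sales", "Change"),
    ("Temps", "No Access"),
    ("alice", "Full Control"),
]

if __name__ == "__main__":
    # bob: Read from Domain Users plus Change from Sales accumulate to R W X D
    print(sorted(effective_ntfs_rights(SAMPLE_ACL, "bob", {"Domain Users", "Sales"})))
    # carol is also in Temps, whose No Access entry wins: no rights at all
    print(sorted(effective_ntfs_rights(SAMPLE_ACL, "carol", {"Domain Users", "Sales", "Temps"})))
    # alice has Full Control on NTFS but only Read on the share: R X over the network
    print(sorted(effective_network_rights(SAMPLE_ACL, "alice", {"Domain Users"}, "Read")))
```

The carol case is the one that catches people: adding a temp to a No Access group removes rights she would otherwise have through Sales, which is exactly the behaviour to rely on when you need to lock a group out of a directory quickly.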
Connectivity
Configure NT/Netware interoperability
· Install Gateway Service for NetWare (GSNW) and NWLink on the NT Server. On the NetWare server create a group called NTGATEWAY and a user account that is a member of it; on the NT server open the GSNW applet in Control Panel, check Enable Gateway, enter that NetWare account and password, and add the NetWare volumes or printers as gateway shares. NT clients then see the NetWare directories and printers as ordinary NT shares without needing NWLink or a NetWare client themselves. Note that every NT user goes through the gateway using that single NetWare account, so the NetWare side cannot tell users apart and access must be controlled with the share permissions on the gateway shares.
· Migration Tool for NetWare - Used to migrate NetWare users, groups and the data on the NetWare server to NT. A trial migration option reports what would happen so problems (such as duplicate names) can be worked out before the real migration. NetWare passwords cannot be read, so migrated accounts get new passwords according to the options chosen.
Install and Configure Multiprotocol routing for various functions
· Internet Router - To set NT up as a router, install two network adapter cards, one attached to your internal LAN and the other attached to the Internet, and turn on Enable IP Forwarding on the Routing tab of the TCP/IP properties. If you want the routing table built dynamically, install the RIP for Internet Protocol service. Otherwise the routing table must be maintained manually with the ROUTE ADD command (route add <network> mask <netmask> <gateway>; the -p switch makes the entry persistent across reboots). Keep in mind that a multihomed NT box with forwarding enabled passes every protocol it routes straight through; it is a router, not a firewall.
· BOOTP/DHCP Relay Agent - Allows clients to get IP addresses from a DHCP server on the other side of a router by forwarding their broadcasts to the DHCP server's address. Without it there would have to be a DHCP server on every subnet. It is configured on the DHCP Relay tab of the TCP/IP properties.
· IPX Router - To make your server an IPX router, install the RIP for NWLink IPX/SPX Compatible Transport service. Routing is then done dynamically.
Install IIS
· If you chose not to install IIS during NT setup, a shortcut is placed on the desktop so that you can install it later. Double-click the shortcut and choose the services you wish to install (WWW, FTP, Gopher). The publishing directories are displayed; it is simplest to accept the defaults. If you are going to host web pages with database connectivity, be sure to install the proper ODBC drivers when prompted.
Install and Configure DNS services
· World Wide Web - this service is installed with IIS and is configured through the Internet Service Manager.
· DNS - this service is installed as a Network service (Control Panel, Network, Services). It resolves host names to IP addresses, and a reverse lookup zone resolves IP addresses back to host names. First, in DNS Manager choose DNS, New Server and enter the IP address of the DNS server. Next, select the server, choose New Zone from the DNS menu and pick Primary; enter the zone name and click Finish. A subdomain can be created either as a zone of its own in the same way, or with New Domain on the parent zone's context menu. You can then create the host (A) records for the network clients; an alias is a separate CNAME record, not an A record.
· Intranet - An intranet is simply a "mini-Internet" on your internal LAN. Install IIS on a server to host the web pages. Clients reach the intranet by typing http://hostname into a browser, which means the hostname must resolve through DNS, WINS or a HOSTS file.
RAS
· RAS is supported over public telephone networks (modems), X.25, ISDN and a null modem cable.
· RAS supports PPP as both a client and a server. SLIP is supported only as a client. PPTP tunnels PPP over TCP/IP so that a RAS session can cross the Internet; in NT 4 the tunnel is encrypted only when Microsoft encrypted authentication (MS-CHAP) with data encryption is required. NT 4's PPTP/MS-CHAP is considered weak by today's standards, so it should not be treated as strong protection.
· RAS security includes setting the authentication and encryption level between server and client (allow any authentication including clear text, require encrypted authentication, or require Microsoft encrypted authentication, optionally with data encryption), granting dial-in permission per user, and callback. Callback security hangs up and calls the user back: Preset To a fixed number ties the connection to a known location, whereas Set By Caller is only a toll-saving feature and provides no security.
Monitoring and Optimization
Performance Monitor
· Can be used to determine the overall health of the server and to identify bottlenecks.
· Memory, processor and hard disks are the common sources of bottlenecks.
· The disk counters are off by default; activate them with the diskperf -y command, which takes effect after a reboot (diskperf -n turns them off again, since they add a small overhead).
· To get a true picture of a machine's performance, establish a baseline by logging the counters at regular intervals over a long period, then compare later measurements against it.
Network Monitor
· Must be installed from Control Panel, Network, Services, Add. The version shipped with NT 4 captures only frames sent to or from the local machine (plus broadcasts); capturing all traffic on the segment requires the version that ships with SMS.
· Capture data by selecting Capture, Start from the menu; click Capture, Stop to end a capture.
· Using a capture filter (by address or protocol) helps you capture only the specific data you need.
· The Details window shows the decoded frames of the capture. The capture can also be saved to a *.cap file for later analysis.
Optimizing Performance
Steps to help optimize performance are as follows:
· Place logon servers (BDCs) near the users
· Disable File and Print Sharing on Windows 95 machines, and the Server service on NT Workstations, if the user will not be sharing files or printers
· Run only the minimum number of protocols needed, and put the most used one first in the binding order
· Have the proper number of domain controllers, not too many and not too few
· Don't let users log on across a WAN link; put a BDC on the remote side instead
Troubleshooting
Installation Failures - Is media corrupted? Do you meet the requirements for installation?
Boot Failures - May require that boot.ini be edited. Boot.ini uses the ARC naming convention to locate the system files. An entry appears as multi(x)disk(y)rdisk(z)partition(a)\WINNT="description" or scsi(x)disk(y)rdisk(z)partition(a)\WINNT="description"
· multi or scsi (x) - identifies the hardware adapter, numbered from 0. Scsi is only used for SCSI controllers whose BIOS is disabled; NT then loads NTBOOTDD.SYS from the boot floppy or partition to talk to the controller
· disk (y) - the SCSI ID of the disk when scsi() is used; always 0 when multi is used
· rdisk (z) - with multi, the ordinal (0-based) of the physical disk on the adapter; with scsi, the LUN, normally 0
· partition (a) - the number of the partition holding the system files, numbered from 1 (there is no partition 0); primary partitions are counted before logical drives in an extended partition
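The following added Python example (not from the study guide) parses a constructed boot.ini and breaks each ARC path into its parts, flagging the two mistakes the rules above rule out: a non-zero disk() with multi(), and partition(0). The file contents are made up for the example, including a deliberately broken last entry.

```python
"""Parse boot.ini ARC paths and check them against the NT 4 naming rules.

Added example, not from the study guide. The sample boot.ini below is constructed
for the example; its last entry is deliberately wrong.
"""
import re

ARC_RE = re.compile(
    r"^(multi|scsi)\((\d+)\)disk\((\d+)\)rdisk\((\d+)\)partition\((\d+)\)(\\[^=]*)?$"
)

SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINNT="Windows NT Server Version 4.00"
multi(0)disk(0)rdisk(0)partition(1)\\WINNT="Windows NT Server Version 4.00 [VGA mode]" /basevideo /sos
scsi(0)disk(2)rdisk(0)partition(2)\\WINNT="Windows NT on SCSI ID 2, BIOS disabled"
multi(0)disk(1)rdisk(0)partition(0)\\WINNT="Broken entry"
"""


def parse_arc_path(path):
    """Split an ARC path into its fields and list any violations of the naming rules."""
    m = ARC_RE.match(path)
    if not m:
        raise ValueError(f"not an ARC path: {path!r}")
    kind, x, y, z, a, tail = m.groups()
    entry = {"adapter": kind, "x": int(x), "y": int(y), "z": int(z),
             "partition": int(a), "dir": tail or "", "problems": []}
    if kind == "multi" and entry["y"] != 0:
        entry["problems"].append("disk() must be 0 with multi(); the disk is chosen by rdisk()")
    if entry["partition"] < 1:
        entry["problems"].append("partition() numbering starts at 1, there is no partition 0")
    return entry


def parse_boot_ini(text):
    """Return timeout, default path and one entry per line of [operating systems]."""
    section, timeout, default, systems = None, None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if section == "boot loader":
            if key.lower() == "timeout":
                timeout = int(value)
            elif key.lower() == "default":
                default = value
        elif section == "operating systems":
            # value is "description" optionally followed by boot switches
            desc, switches = value, ""
            if value.startswith('"'):
                end = value.find('"', 1)
                desc, switches = value[1:end], value[end + 1:].strip()
            try:
                entry = parse_arc_path(key)
            except ValueError:
                # e.g. C:\="MS-DOS": a boot sector file, not an ARC path
                entry = {"adapter": None, "problems": []}
            entry.update(path=key, description=desc, switches=switches)
            systems.append(entry)
    return {"timeout": timeout, "default": default, "systems": systems}


if __name__ == "__main__":
    cfg = parse_boot_ini(SAMPLE_BOOT_INI)
    print("default:", cfg["default"], "timeout:", cfg["timeout"])
    for s in cfg["systems"]:
        status = "ok" if not s["problems"] else "; ".join(s["problems"])
        print(f"{s['path']} -> {status}")
```

Run it against a real boot.ini (attrib -r -s -h boot.ini first) and it will tell you which entry cannot possibly point at a partition before you start guessing at rdisk numbers.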
Printer Problems - may be necessary to stop and restart the spooler service. At a command prompt type net stop spooler then net start spooler
Connectivity Problems- Are you using the proper protocol? Is it bound to the network card? Do you have an IP address?
Blue Screens (STOP errors) - Remember that drivers and hardware are the main causes. Reading the screen gives you the STOP code and often the driver name. A reboot clears the problem many times; if the system will not boot, try the Last Known Good configuration, then the Emergency Repair Disk, and only then a reinstall.
Emergency Repair Disk (ERD) - The ERD repairs the registry hives, boot files and system files back to the state recorded when the ERD was last updated, so update it with rdisk after every significant change (rdisk /s also saves the SAM and SECURITY hives, which is needed to repair account information). The ERD is not bootable; it is used from the setup floppies. Because %systemroot%\repair and the ERD hold copies of the SAM, which contains the password hashes, protect both as carefully as the domain controller itself.