MCSE: The Core Exams in a Nutshell, 2nd Edition
By Michael Moncur
2nd Edition March 2000
1-56592-721-4, Order Number: 7214
482 pages, $24.95
Part 4, Chapter 2
This chapter includes the following sections covering various topics in the NT Server in the Enterprise exam:
- Directory Services
- Introduces Windows NT's system of trusted domains, which allows wide-area networks with many users to be managed.
- Advanced Network Configuration
- Describes four components provided with Windows NT Server for network management and connectivity: DHCP Server, WINS Server, DNS Server, and Services for Macintosh.
- Configuring Internet Services
- Introduces Windows NT's IP and IPX routing and DHCP relay capabilities, and describes Internet Information Server (IIS).
- Optimization and Troubleshooting
- Describes techniques and utilities for monitoring server performance and network traffic, and discusses techniques for optimizing server and domain performance.
As you learned earlier in this book, Windows NT supports two basic networking models:
- In the workgroup model, each computer has a separate list of user accounts.
- In the domain model, a single account database (on the PDC) supports the entire domain.
A single Windows NT domain, with enough fast BDC machines, can support a theoretical maximum of 40,000 accounts, and groups and computer accounts count against this total. While this is sufficient for many organizations, larger companies need to use multiple domains. Even in an organization with far fewer than 40,000 users, there are many benefits to using multiple domains, particularly where WAN links are concerned.
The 40,000-user limit referred to here is based on the SAM (security accounts manager) database's size. This does not take other factors into account: a domain with 40,000 users would be slowed down severely by network traffic and would be an administrative nightmare. In typical networks, 2,000-5,000 users per domain is a more manageable limit, although more can be supported in certain cases (for example, if only a fraction of the users are logged in at a time).
Windows NT supports resource access between domains by a system of trusts between domains. This allows users to access resources in other domains, and permits a user to log on to the network from any participating domain using a single logon account. Microsoft uses the term directory services to describe the use of interconnected domains.
Windows NT 4.0's system of domains isn't a true directory services architecture, such as Novell's NDS, Banyan's StreetTalk, or the X.500 standard. Nevertheless, if the term directory services appears in the exam, it most likely refers to the domain trust system. The new version of NT, Windows 2000, supports Active Directory, a true X.500-compatible directory service. Active Directory is not covered on the NT 4.0 MCSE exam.
Trust Relationships
When multiple domains have been installed on a network, there is no built-in way for a user in one domain to access resources in another without logging on separately to the second domain. You can eliminate the need for a separate logon by establishing trusts between domains.
A trust relationship can be configured between any two domains. The two domains involved are called the trusting domain and the trusted domain:
- The trusted domain contains the user accounts that need resource access.
- The trusting domain contains the resources that access is granted for.
Although complex systems of trusts can be configured, they can be broken down into a number of simple trust relationships. Two limitations of trusts also make them easier to understand:
- Trusts work only one way. Users in the trusting domain have no access to the trusted domain's resources, unless an additional trust is configured in the opposite direction.
- Trusts are not transitive. For example, if the NORTH domain trusts the CENTRAL domain, and the CENTRAL domain trusts the SOUTH domain, no trust relationship exists between NORTH and SOUTH domains. This trust must be explicitly defined if desired.
These terms are frequently confused, and this is a critical item to understand for the Enterprise exam. Remember, the trusting domain allows users in the trusted domain to access its resources. In other words, resources trust users.
Figure 4-1 shows the three basic types of trust possible in Windows NT. These include the following:
- Simple trust
- A simple trust (or one-way trust) is a single trust relationship with one trusting domain and one trusted domain.
- Bidirectional trust
- A bidirectional trust (or two-way trust) is a combination of two simple trusts between two domains, wherein each trusts the other.
- Complex trust
- A complex trust is any combination of trusts between three or more domains. Each domain may be a trusted domain, trusting domain, or both. While this type of trust appears complex, it is really nothing more than a number of simple trust relationships.
Figure 4-1 uses arrows to describe trust relationships. Each arrow indicates a simple trust, and the arrow points from the trusting domain (resources) to the trusted domain (users). This is Microsoft's suggested notation for trust relationships and is used in the Enterprise exam.
Figure 4-1. The three basic types of trusts
Trusts are created using the User Manager for Domains utility, included with Windows NT Server. Choose Trust Relationships from the Policies menu to display the Trust Relationships dialog. This dialog includes a list of trusted domains and a separate list of trusting domains.
To create a simple trust, first log on to the domain to be trusted as an administrator and add the trusting domain to the Trusting Domains list. You are asked for a password when you add the trusting domain; this is an optional password unrelated to any user account.
This password is used to establish the initial communication between the domains and prevents the trust from being established without agreement between the administrators of both domains.
Next, log on to the trusting domain's PDC and add the trusted domain to the Trusted Domains list. You must enter the same password you created while configuring the trusted domain.
If you configure the trust in this order, the trust is established immediately. You can perform these steps in the opposite order, but a delay of 15-20 minutes may be required for the domains to synchronize.
Logons Across Trusts
In addition to allowing users to access resources in other domains, trusts can be used to allow users to log onto the network with a single account regardless of the domain of their current workstation. This process is called pass-through authentication.
The Windows NT logon dialog includes a field for a domain name, which defaults to the name of the current domain. If a user specifies the name of a domain that is trusted by the current domain, an authentication request is passed on to a BDC or PDC for that domain.
If the user does not specify a domain, but a trust relationship exists, the system automatically attempts to authenticate the user in each trusted domain using pass-through authentication.
A user logged on through pass-through authentication is given the same rights and permissions as the same user logged on directly to the domain containing the user account.
Domain Models
Using a combination of one-way and two-way trusts, an infinite number of complex trust relationships can be configured between domains. However, most useful domain configurations fall into one of the four categories, called domain models, defined by Microsoft. These are described in the following sections.
For the exam, you should know the advantages and disadvantages of each of these models, and the approximate number of users they can support. In addition, you may need to calculate the number of trust relationships required for a specific model. Formulas are given in the following sections.
Single Domain
The single domain model uses only one domain and no trust relationships. This is the model described earlier in this book. Due to the limitations of the SAM database, there is a theoretical maximum of 40,000 accounts in this model, although the practical limit for users is much lower.
The single-domain model is most useful for small or medium-sized companies with single-location LANs, although it can be used with a WAN provided the number of users falls within the limit.
Master Domain
The master domain model uses a single trusted domain (the master domain) for user and group accounts and one or more trusting domains (known as resource domains) to store resources. This allows true centralized user management, since all user accounts are in a single domain's security database; however, it has the same limitation on number of users as the single domain model.
This model is most often used with multiple locations or divisions, particularly when each has its own local administrator. The master domain controllers are stored in a central location, and the resource domain controllers in the various locations. Users must authenticate with the master domain's PDC but can then access local resources without using a WAN link.
This model uses several one-way trust relationships. Each resource domain is a trusting domain, and the master domain is the trusted domain. The total number of trusts required is equal to the number of resource domains. The trusts involved in the master domain model are illustrated in Figure 4-2.
Figure 4-2. Trusts in the master domain model
Multiple Master Domains
The multiple master domain model uses two or more master domains, each with a separate database of user accounts and a number of resource domains. This model is ideal for organizations with too many users for a single master domain. This model can support a theoretical maximum of 40,000 accounts per master domain. A simple multiple master domain model is illustrated in Figure 4-3.
Figure 4-3. Trusts in the multiple master domain model
This model requires a complex trust arrangement: two-way trusts are established between each master domain and all other master domains to allow for authentication, and a one-way trust is established between each resource domain and each master domain. You can use the following formula to calculate the total number of trusts required (two-way trusts count as two trusts):
(master domains) * (master domains - 1) + (resource domains * master domains)
As an example, a multiple master domain network with 3 master domains and 8 resource domains would have (3 * 2) + (8 * 3), or 30 total trust relationships.
Complete Trust
In the complete trust model, all domains contain both accounts and resources. This model is relatively simple to understand and versatile but requires the largest number of trusts. Figure 4-4 illustrates a complete trust model with three domains.
Figure 4-4. Trusts in the complete trust model
The complete trust model is best suited to wide-area networks with few domains and separate administrators for each domain. However, with as few as four or five domains, the number of required trusts makes this model impractical.
This model requires a two-way trust between each domain and every other domain. The following formula can be used to calculate the total number of one-way trusts required:
(number of domains) * (number of domains - 1)
For example, a complete trust model between 4 domains would use 4 * 3, or 12 trust relationships; a network with 5 domains would use 5 * 4, or 20 trust relationships. This domain model becomes increasingly difficult to manage as the number of domains increases.
The complete trust model is rarely the best choice for a network, and Microsoft no longer recommends that it be used. However, this type of trust may still be referred to by the exam questions.
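The following Python model, added here as an example and not taken from the book, captures the rules of the preceding sections in executable form: a trust is a directed edge from the trusting (resource) domain to the trusted (account) domain, as the arrows in Figure 4-1 show; trusts are one-way and not transitive, so an access or pass-through logon check looks for exactly one edge; and the trust counts for the master, multiple master and complete trust models come out of building the trusts rather than from the formulas. The domain names (NORTH, CENTRAL, SOUTH, M1 to M3, R0 to R7, A to E) are made up for the example.

```python
"""Windows NT 4.0 trust relationships as a directed graph.

Added example; this is not code from the book.  A trust is an edge from the
trusting (resource) domain to the trusted (account) domain, the direction of
the arrows in Figure 4-1.  Trusts are one-way and not transitive, so every
access check looks for exactly one edge.  Domain names (NORTH, CENTRAL, SOUTH,
M1..M3, R0..R7, A..E) are made up for the example.
"""
from itertools import permutations


class TrustMap:
    """Set of one-way trusts between NT domains."""

    def __init__(self):
        self.trusts = set()  # pairs (trusting_domain, trusted_domain)

    def add_one_way(self, trusting, trusted):
        """The trusting domain accepts accounts from the trusted domain."""
        self.trusts.add((trusting, trusted))

    def add_two_way(self, a, b):
        """A bidirectional trust is just two one-way trusts."""
        self.add_one_way(a, b)
        self.add_one_way(b, a)

    def trusts_accounts_from(self, resource_domain, account_domain):
        """True if accounts of account_domain can be granted access to
        resources of resource_domain.  A domain always trusts itself;
        otherwise one direct edge is required.  Chains are never followed,
        because NT trusts are not transitive."""
        if resource_domain == account_domain:
            return True
        return (resource_domain, account_domain) in self.trusts

    def can_log_on(self, workstation_domain, account_domain):
        """Pass-through authentication: a workstation in workstation_domain
        can validate an account from account_domain only if its own domain
        trusts that domain (the request is forwarded to a DC there)."""
        return self.trusts_accounts_from(workstation_domain, account_domain)

    def count(self):
        """Number of one-way trusts (a two-way trust counts as two)."""
        return len(self.trusts)


def master_domain(master, resources):
    """Master domain model: every resource domain trusts the one master,
    so the count equals the number of resource domains."""
    t = TrustMap()
    for r in resources:
        t.add_one_way(r, master)
    return t


def multiple_master(masters, resources):
    """Multiple master domain model: two-way trusts among the masters plus a
    one-way trust from each resource domain to each master.
    Count: M*(M-1) + R*M."""
    t = TrustMap()
    for a, b in permutations(masters, 2):  # both directions of each pair
        t.add_one_way(a, b)
    for r in resources:
        for m in masters:
            t.add_one_way(r, m)
    return t


def complete_trust(domains):
    """Complete trust model: every domain trusts every other.
    Count: N*(N-1)."""
    t = TrustMap()
    for a, b in permutations(domains, 2):
        t.add_one_way(a, b)
    return t


# The book's NORTH/CENTRAL/SOUTH chain: NORTH trusts CENTRAL, CENTRAL trusts
# SOUTH, therefore NORTH does not trust SOUTH (and nothing trusts NORTH).
chain = TrustMap()
chain.add_one_way("NORTH", "CENTRAL")
chain.add_one_way("CENTRAL", "SOUTH")
NORTH_TRUSTS_SOUTH = chain.trusts_accounts_from("NORTH", "SOUTH")      # False
CENTRAL_TRUSTS_NORTH = chain.trusts_accounts_from("CENTRAL", "NORTH")  # False, one-way only

if __name__ == "__main__":
    mm = multiple_master(["M1", "M2", "M3"], [f"R{i}" for i in range(8)])
    print("3 masters + 8 resource domains:", mm.count(), "one-way trusts")  # 30
    print("5-domain complete trust:", complete_trust(list("ABCDE")).count())  # 20
    print("NORTH trusts SOUTH:", NORTH_TRUSTS_SOUTH)
```

Running the script reproduces the worked figures from the text (30 trusts for three masters and eight resource domains, 20 for a five-domain complete trust) and shows that a SOUTH account presented to a NORTH resource is refused even though a chain of trusts exists between them.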
Domain Users and Groups
Although trusts may have been established between domains, users still cannot access resources in the trusting domain until they are granted access. This is accomplished by using global and local groups.
Remember the rules from earlier in this book: local groups can contain global groups or users (including those from trusted domains), while global groups can contain only user accounts from their own domain. You can directly add users in trusted domains to local groups in the trusting domain, but this is usually not the most efficient arrangement.
To grant access, first create a global group in the trusted domain using User Manager for Domains and make the appropriate domain users members of the group. This can be accomplished using the Properties dialog for the group or from the Groups dialog within the user's properties.
Next, create a local group in the trusting domain. Grant the permission to access the needed resources to the local group. Finally, make the global group in the trusted domain a member of the local group. To do this, view the local group's properties in User Manager for Domains. Press the Add button, select the trusted domain in the pull-down list, and select the global group from the list.
Depending on the domain model in use, a more complex arrangement may be needed. In general, you should create one or more global groups in the trusted (user) domains and make them members of one or more local groups in the trusting (resource) domains.
If your network uses member servers, they each have their own database of local groups. In order for a global group in a trusted domain to access resources on these servers, the global group must be made a member of a separate local group on each member server. If there are a large number of member servers in the network, this can be a tedious process.
Group permissions across trusts work in the same way as local group permissions: if a user is a member of one or more groups with permissions for the same resource, the least restrictive of the rights is used unless one of them is No Access.
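The arrangement described in this section, added here as a Python example rather than code from the book, enforces the membership rules (global groups hold only users of their own domain; local groups hold users and global groups, never other local groups, and only from the local domain or a trusted one) and resolves a user's effective permissions on a resource with the NT rule that permissions combine except where any entry is No Access. The CORP and SALES domains, the user, group and share names, and the permission strings are invented for the example.

```python
"""Cross-trust resource access through global and local groups.

Added example, not code from the book.  User accounts go into a global group
in the trusted (account) domain, that global group goes into a local group in
the trusting (resource) domain, and permissions are granted to the local
group.  Domain, user, group, share and permission names are invented.
"""

NO_ACCESS = "No Access"


def domain_of(name):
    """'DOMAIN\\name' -> 'DOMAIN'."""
    return name.split("\\", 1)[0]


class Directory:
    def __init__(self):
        self.trusts = set()       # (trusting, trusted) one-way trusts
        self.global_groups = {}   # "DOMAIN\\Group" -> set of "DOMAIN\\user"
        self.local_groups = {}    # "DOMAIN\\Group" -> set of users / global groups
        self.acls = {}            # resource -> {principal: set of permissions}

    def add_trust(self, trusting, trusted):
        self.trusts.add((trusting, trusted))

    def _visible(self, container, member):
        """A container may hold principals of its own domain or of a domain
        its own domain trusts; without a trust the member cannot be added."""
        cd, md = domain_of(container), domain_of(member)
        return cd == md or (cd, md) in self.trusts

    def add_global_group(self, group, users):
        """Global groups contain only user accounts from their own domain."""
        for u in users:
            if domain_of(u) != domain_of(group):
                raise ValueError(f"{group} cannot contain {u}: not a user of {domain_of(group)}")
        self.global_groups[group] = set(users)

    def add_local_group(self, group, members):
        """Local groups contain users and global groups (never other local
        groups) from the local domain or any trusted domain."""
        for m in members:
            if m in self.local_groups:
                raise ValueError(f"{group} cannot contain local group {m}")
            if not self._visible(group, m):
                raise ValueError(f"{group}: {domain_of(group)} does not trust {domain_of(m)}")
        self.local_groups[group] = set(members)

    def grant(self, resource, principal, permissions):
        self.acls.setdefault(resource, {})[principal] = set(permissions)

    def principals_for(self, user):
        """The user, the global groups holding the user, and the local groups
        holding the user or any of those global groups."""
        found = {user}
        found |= {g for g, m in self.global_groups.items() if user in m}
        found |= {g for g, m in self.local_groups.items() if m & found}
        return found

    def effective(self, user, resource):
        """NT rule: permissions from all matching entries are combined, except
        that a single No Access entry overrides everything else."""
        acl = self.acls.get(resource, {})
        perms = set()
        for p in self.principals_for(user):
            entry = acl.get(p)
            if entry is None:
                continue
            if NO_ACCESS in entry:
                return {NO_ACCESS}
            perms |= entry
        return perms


def build_example():
    """SALES (resources) trusts CORP (accounts); analysts read reports, alice
    also edits them, and the Payroll share is closed to the readers group."""
    d = Directory()
    d.add_trust("SALES", "CORP")
    d.add_global_group("CORP\\Analysts", ["CORP\\alice", "CORP\\bob"])
    d.add_local_group("SALES\\ReportReaders", ["CORP\\Analysts"])
    d.add_local_group("SALES\\ReportEditors", ["CORP\\alice"])  # direct user membership works, just scales badly
    d.grant("\\\\FS1\\Reports", "SALES\\ReportReaders", ["Read"])
    d.grant("\\\\FS1\\Reports", "SALES\\ReportEditors", ["Read", "Write"])
    d.grant("\\\\FS1\\Payroll", "SALES\\ReportReaders", [NO_ACCESS])
    d.grant("\\\\FS1\\Payroll", "CORP\\bob", ["Read"])  # ineffective: No Access wins
    return d
```

The Payroll share illustrates the caveat at the end of this section: bob is granted Read directly, but because he is also (through CORP\Analysts) a member of the local group that has No Access, his effective permission is No Access.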
Advanced Network Configuration
While the protocols described earlier in this book are sufficient for simple networks, an enterprise network may require the use of additional protocols and services. The following sections examine several of these:
- DHCP (Dynamic Host Configuration Protocol) allows the dynamic assignment of IP addresses to clients.
- WINS (Windows Internet Name Service) supports conversion of NetBIOS names to IP addresses.
- DNS (Domain Name System) supports conversion of TCP/IP domain names to IP addresses.
- The AppleTalk protocols and Microsoft Services for Macintosh (SFM) provide support for Macintosh clients.
- The DLC (Data Link Control) protocol supports mainframe connectivity and communication with some print servers.
- The Directory Replicator service maintains copies of files and directories on multiple machines.
Several of these items (DHCP, WINS, and DNS) are related to the TCP/IP protocol suite. For a basic introduction to TCP/IP, see the earlier chapters of this book.
Configuring DHCP Server
DHCP (Dynamic Host Configuration Protocol) is an Internet-standard protocol for the assignment of IP addresses and other settings to client machines. While you can assign addresses manually, DHCP centralizes the work and removes the need to configure each client by hand. In addition, if you have more computers than IP addresses, DHCP can be used to dynamically allocate addresses based on need. A DHCP server assigns addresses with limited duration, called leases. A lease can also be assigned with an unlimited duration.
To use DHCP, you will need to configure at least one DHCP server per subnet or use a router that forwards DHCP packets (or use the DHCP Relay Agent, explained under Configuring Internet Services later in this chapter). Windows for Workgroups, Windows 95/98, and Windows NT are all able to act as DHCP clients.
To configure a Windows NT client to use DHCP, select the Obtain an IP address from a DHCP server option in the IP Address tab of the TCP/IP properties dialog.
For the NT Enterprise exam, you should be familiar with the uses of DHCP and the process of configuring it using DHCP Manager. You do not need to understand the exact details of how DHCP works or its more complex options. DHCP is described in more detail in MCSE: The Electives in a Nutshell.
Installing DHCP Server
DHCP Server is included with Windows NT Server. To install DHCP Server, select the Add option from the Services tab of the Network control panel. Select Microsoft DHCP Server from the list.
The DHCP Server machine must itself have a manually configured IP address, to allow communication with DHCP clients. Be sure the Obtain an IP address from a DHCP server option in the TCP/IP properties dialog is disabled on the server machine.
DHCP assigns IP addresses from a range of available addresses called a scope. To operate, the DHCP server must have at least one scope configured. Scopes are configured using the DHCP Manager utility. This utility is installed with the DHCP service. To run it, choose DHCP Manager from the Administrative Tools menu under the Start menu. DHCP Manager can be used from the DHCP server or from a remote computer on the network.
DHCP scopes are unrelated to NetBIOS scopes, described earlier in this book. Scopes in DHCP are pools of available addresses.
Before you can configure a scope, you must add the DHCP server computer's IP address to the DHCP Manager utility's list. Choose Add from the Server menu, and enter the address. You can manage multiple servers by adding their IP addresses.
To create a scope, choose Create from the Scope menu. The Create Scope dialog, shown in Figure 4-5, is displayed. This dialog includes the following categories of information:
Figure 4-5. The Create Scope dialog in DHCP
- IP Address Pool
- Specify the start and end address of a range of available IP addresses. You can also specify one or more ranges of addresses to be excluded from the scope. Also enter the subnet mask corresponding to the address range.
- Lease Duration
- Specify the duration of the lease. This is the amount of time the IP address remains assigned to the client after being issued. By default, this value is three days.
- Name and Comment
- Enter a name for the scope and an optional comment. These are displayed in the list of scopes in DHCP Manager.
Reserving IP Addresses
Some clients may require a consistent IP address. You can still use these clients with DHCP by adding a reservation to the scope. This reserves a specific address for a particular computer's MAC (hardware) address.
To add a reservation, choose Add Reservations from the Scope menu in DHCP Manager. You must specify the MAC address (Unique Identifier) and the desired IP address. This address must be within the scope. You can also specify a name and comment to identify the computer the address is reserved for.
If you don't know a machine's MAC address, type ipconfig /all at the command prompt on that computer; this displays information including the network adapter's physical (MAC) address. This command works in Windows NT or Windows 95/98.
By default, DHCP assigns clients IP addresses and subnet masks. You can configure DHCP to send additional values to clients using the Scope option in the DHCP Options menu.
You can use DHCP options to specify a router (preferred gateway) as well as WINS and DNS information (explained next). The Options dialog in DHCP Manager includes a list of the available options.
You shouldn't need to know any specific DHCP options for the NT Enterprise exam.
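The following Python model of a DHCP scope, added here as an example and not taken from the book, ties the pieces of this section together: the address pool with its subnet mask, excluded ranges, a reservation keyed by MAC address, and leases with DHCP Manager's default three-day duration (or an unlimited one). The offer logic follows the order an administrator relies on: a reservation always wins, an unexpired lease is renewed with the same address, and only then is the lowest free address handed out. The subnet, MAC addresses and timestamps are constructed for illustration.

```python
"""A DHCP scope as DHCP Manager defines one: an address range with a subnet
mask, excluded ranges, reservations keyed by MAC address, and leases with a
duration (three days by default, or unlimited).

Added example, not code from the book.  The subnet, MAC addresses and
timestamps are constructed for illustration.
"""
import ipaddress
from datetime import datetime, timedelta

DEFAULT_LEASE = timedelta(days=3)          # DHCP Manager's default lease duration
T0 = datetime(2000, 3, 1, 9, 0)            # constructed "now"
T_LATER = T0 + timedelta(days=4)           # after the default lease has expired


class Scope:
    def __init__(self, start, end, mask, name="", lease=DEFAULT_LEASE):
        self.start = ipaddress.IPv4Address(start)
        self.end = ipaddress.IPv4Address(end)
        self.network = ipaddress.IPv4Network(f"{start}/{mask}", strict=False)
        if self.end not in self.network:
            raise ValueError("start and end must lie in the same subnet")
        self.name = name
        self.lease = lease            # None means an unlimited lease
        self.excluded = set()         # addresses never handed out
        self.reservations = {}        # mac -> IPv4Address
        self.leases = {}              # IPv4Address -> (mac, expiry or None)

    def exclude(self, first, last):
        """Exclusion range, e.g. statically addressed servers and routers."""
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.excluded.update(ipaddress.IPv4Address(i) for i in range(lo, hi + 1))

    def reserve(self, mac, address):
        """Reservation: this MAC always receives this address."""
        address = ipaddress.IPv4Address(address)
        if not self.start <= address <= self.end:
            raise ValueError("a reservation must be inside the scope's range")
        self.reservations[mac.lower()] = address

    def _available(self, address, now):
        if address in self.excluded or address in self.reservations.values():
            return False
        lease = self.leases.get(address)
        # free if never leased, or leased with an expiry that has passed
        return lease is None or (lease[1] is not None and lease[1] <= now)

    def offer(self, mac, now):
        """Address chosen for a client: its reservation, else its unexpired
        lease, else the lowest free address.  None if the pool is exhausted."""
        mac = mac.lower()
        if mac in self.reservations:
            address = self.reservations[mac]
        else:
            address = None
            for addr, (owner, expiry) in self.leases.items():
                if owner == mac and (expiry is None or expiry > now):
                    address = addr                  # renew the existing lease
                    break
            if address is None:
                for i in range(int(self.start), int(self.end) + 1):
                    candidate = ipaddress.IPv4Address(i)
                    if self._available(candidate, now):
                        address = candidate
                        break
        if address is None:
            return None
        expiry = None if self.lease is None else now + self.lease
        self.leases[address] = (mac, expiry)
        return {"ip": str(address), "mask": str(self.network.netmask), "expires": expiry}


def build_example():
    """Scope 192.168.10.1-50 on a /24; .1-.19 excluded for fixed hosts and
    one reservation for a constructed MAC address."""
    scope = Scope("192.168.10.1", "192.168.10.50", "255.255.255.0", name="HQ LAN")
    scope.exclude("192.168.10.1", "192.168.10.19")
    scope.reserve("00-A0-C9-12-34-56", "192.168.10.40")
    return scope
```

Two details worth noticing: a reserved address is never handed to another client even while its owner is absent, and a lease with an unlimited duration is never reclaimed, which is why unlimited leases make a pool exhaust silently over time.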
Configuring WINS Server
NetBIOS computer names (the names defined in the Identification tab of the Network control panel) are often used in Windows networks. When TCP/IP is used, it is necessary to convert NetBIOS names to IP addresses. This process is called NetBIOS name resolution. NetBIOS resolution can use one of several methods:
- Each machine can have an optional LMHOSTS file in the \winnt\system32\drivers\etc directory. This is an ASCII file that maps NetBIOS names to IP addresses.
- NetBIOS clients can use broadcasts for name resolution. Because this involves a number of messages sent to the entire network, broadcasts can cause heavy network traffic.
- A WINS (Windows Internet Name Service) server can be consulted. This is the most efficient and manageable method.
To configure a Windows NT client to use a WINS server, use the WINS Address tab in the TCP/IP Properties dialog. You can specify a primary server and a secondary server, which will be used when the primary server is unreachable.
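A parser for the LMHOSTS file mentioned above, added here as a Python example (not code from the book). Beyond the plain IP-to-name mapping it handles the two keywords an administrator meets most often, #PRE (preload the entry into the NetBIOS name cache) and #DOM:domain (the entry is a domain controller), and it applies the NetBIOS naming rules: names are case-insensitive and at most 15 characters. The sample file contents are constructed; #INCLUDE and the #BEGIN_ALTERNATE/#END_ALTERNATE block are real LMHOSTS keywords this example does not implement.

```python
"""Parser for the LMHOSTS file format.

Added example, not code from the book.  SAMPLE_LMHOSTS is constructed.
Handles plain entries, comments, and the #PRE and #DOM:domain keywords;
#INCLUDE and #BEGIN_ALTERNATE/#END_ALTERNATE are not implemented here.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SAMPLE_LMHOSTS = """\
# Constructed LMHOSTS sample; one entry per line: IP name [#PRE] [#DOM:domain]
192.168.1.10    FS1        #PRE                 # file server, preloaded
192.168.1.5     PDC1       #PRE  #DOM:CORP      # PDC for the CORP domain
192.168.2.5     BDC2       #DOM:CORP            # BDC, resolved on demand
192.168.3.20    printsrv                        # ordinary entry
# 10.0.0.1      oldserver  #PRE                 # whole line is a comment
"""


@dataclass(frozen=True)
class Entry:
    ip: str
    name: str
    preload: bool
    domain: Optional[str]


def parse_lmhosts(text):
    """Return {NAME: Entry}.  NetBIOS names are case-insensitive and at most
    15 characters, so names are upper-cased and length-checked."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue                                  # blank or comment line
        if len(tokens) < 2:
            raise ValueError(f"line {lineno}: expected 'IP name'")
        ip = str(ipaddress.IPv4Address(tokens[0]))    # raises ValueError on a bad address
        name = tokens[1].upper()
        if len(name) > 15:
            raise ValueError(f"line {lineno}: NetBIOS name longer than 15 characters")
        preload, domain = False, None
        for tok in tokens[2:]:
            up = tok.upper()
            if up == "#PRE":
                preload = True
            elif up.startswith("#DOM:") and len(tok) > 5:
                domain = tok[5:].upper()
            elif tok.startswith("#"):
                break                                 # any other '#' starts a comment
        entries[name] = Entry(ip, name, preload, domain)
    return entries


def resolve(entries, name):
    """IP address for a NetBIOS name, or None if LMHOSTS has no entry."""
    e = entries.get(name.upper())
    return e.ip if e else None


def preloaded(entries):
    """Names that would be loaded into the name cache at startup."""
    return sorted(e.name for e in entries.values() if e.preload)


def domain_controllers(entries, domain):
    """Addresses LMHOSTS marks as controllers for the given domain."""
    return sorted(e.ip for e in entries.values() if e.domain == domain.upper())
```

The #DOM entries are what make LMHOSTS useful across a WAN without WINS: they tell the client which addresses to contact for domain logon and trust traffic when no controller answers a local broadcast.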
Installing WINS Server
WINS Server is included with Windows NT Server. To install it, select Add from the Services tab of the Network control panel and select Windows Internet Name Service.
The computer that runs the WINS server should have a manually configured IP address. This is the same address that will be entered in the client computers' TCP/IP properties dialogs. An optional DHCP option can be used to send this value to clients automatically.
You do not need to build the WINS database by hand. Clients configured with a WINS server address register their NetBIOS names and IP addresses directly with the server (a directed request to the server, not a broadcast) when they start, and release them when they shut down, so the server maintains the database automatically.
Once the WINS server is installed, the WINS Manager utility is available from the Administrative Tools menu under the Start menu. To set options for the WINS Server in this utility, select Add from the Server menu to add the server's IP address, then select Configuration from the Server menu.
You should know how to install a WINS server and configure clients for the NT Enterprise exam. The specific WINS options are beyond the scope of this exam and are described in MCSE: The Electives in a Nutshell.
Configuring DNS Server
IP hostnames, introduced earlier in this book, provide a user-friendly notation for IP node references. A process of name resolution is used to convert domain names to IP addresses:
- Each computer can have a HOSTS file in the \winnt\system32\drivers\etc directory. This is an ASCII text file that maps hostnames to IP addresses.
- DNS (Domain Name System) is an Internet-standard service for resolving TCP/IP hostnames to IP addresses.
Installing DNS Server
A DNS server is included with Windows NT Server. To install it, select Add from the Services tab of the Network control panel. Select Microsoft DNS Server.
After the server is installed, you can use the DNS Manager utility in the Administrative Tools menu to configure the DNS server. As with the DHCP Manager and WINS Manager utilities, you must add the server's IP address to the list to manage it.
Creating a Zone
To use DNS, you must create at least one zone. A zone is a database consisting of names and addresses for a number of hosts. To create a zone, select New Zone from the DNS menu. Specify the IP domain name associated with the zone. You can then use the New Host command from the DNS menu to add hosts to the database.
Unlike WINS, the DNS server does not automatically update its database when a machine's IP address changes. However, you can configure DNS to use WINS to answer requests, eliminating the need for a separate database. To do this, double-click on a zone to display the zone properties dialog, and select the WINS Lookup tab. Select the Use WINS Resolution option, and specify one or more WINS server IP addresses.
Although this information should be adequate for the NT Enterprise exam, DNS includes many options not described here. These are described in MCSE: The Electives in a Nutshell.
Supporting Macintosh Clients
Microsoft Windows NT includes support for Apple Macintosh clients. This includes the AppleTalk protocol, which allows communication with standard Macintosh networks, and Services for Macintosh, a service that allows Macintosh clients to access Windows NT disk shares and printers.
Installing Services for Macintosh
Services for Macintosh is included with Windows NT Server. To install it, select Add from the Services tab of the Network control panel. Select Services for Macintosh from the list. This automatically installs the AppleTalk protocol. You can then modify the AppleTalk properties dialog. This dialog includes two categories of options:
- (General) Default Adapter
- Specify a network adapter that is connected to the AppleTalk network.
- (General) Default Zone
- Specify the AppleTalk zone in which the server's services will appear. Zones are logical groupings of devices on the AppleTalk network and need not correspond to physical networks.
- (Routing) Enable Routing
- Allows the computer to act as an AppleTalk router. This allows you to create a zone or route data between zones.
Macintosh computers do not require any additional client software to access Services for Macintosh. You do not need to be experienced with Macintosh computers for the NT Enterprise exam, but you should know how to configure NT Server to work with them.
Macintosh Disk Sharing
Unlike Windows or NetWare clients, Macintosh clients cannot access Windows NT shares directly. A special volume called a Macintosh-accessible volume must be created and made available to Macintosh clients.
Macintosh-accessible volumes are not actual disk volumes, but links to directories in the NTFS filesystem. The same directory can be shared for access by Windows clients. The FAT filesystem does not support Macintosh volumes.
The installation of Services for Macintosh adds a MacFile menu to the Server Manager utility (described earlier in this book) with options for Macintosh volumes. To display the volumes available on a server, select Volumes from the MacFile menu.
From the Macintosh-Accessible Volumes dialog box, choose Create Volume to create a new volume or Properties to manage an existing volume. The following properties are available:
- Volume Name
- Specify a name for the volume. This is the name that will appear to Macintosh clients.
- Path
- Specify the drive and directory to be used as a Macintosh-accessible volume.
- Password
- Specify an optional password. If specified, Macintosh users will need this password to access the volume.
- Volume Security
- Choose whether the volume is read-only (Macintosh users cannot write to it) and whether guest users can access the volume.
- User Limit
- If selected, only the specified number of Macintosh users are allowed to access the volume concurrently.
Supporting AppleTalk Printing
Unlike disk volumes, shared printers are available to Macintosh clients with no additional configuration. The shared printers appear as Apple LaserWriter printers in the Mac Chooser. When a Macintosh user prints to this printer, the data is converted to the appropriate format for the actual printer.
Windows NT (Workstation or Server) computers with AppleTalk installed can print to AppleTalk printers without using SFM. Windows clients can also access AppleTalk printers if they are specifically shared by the server running Services for Macintosh. To do this, choose Add Printer in the Printers folder and select the My Computer (local printer) option.
When prompted for the port the printer is attached to, select the Add Port option. Select AppleTalk Printing Devices from the list. Select the appropriate AppleTalk zone and printer.
When you configure the AppleTalk printer in this fashion with the Capture this AppleTalk printing device option selected (the default), the printer becomes inaccessible to the Macintosh network: every job must pass through the NT spooler. To make it available again, share the printer. This will also make it available to Windows clients.
The computer running SFM can also share Windows printers, which will be available to Macintosh clients.
Directory Replicator
The Directory Replicator service allows simple replication of files between servers. This service can be started and stopped using the Services control panel. Once started, the Replicator service can be configured using the Replication button in the Server control panel. The Export Directories and Import Directories options specify directories to be copied.
This service uses export servers, which maintain original copies of files in a directory tree, and import servers, which receive a copy of the same files. NT Server can be configured as an import or export server; NT Workstation can only act as an import server.
The default path for export files is \Systemroot\SYSTEM32\repl\Export. Once replication is configured, any files or directories placed under this path on the export server (typically the PDC, exporting logon scripts to the BDCs) are copied to the import servers. Import servers store the replicated files under \Systemroot\SYSTEM32\repl\Import. These files should not be edited, since they may be replaced by a copy from the export server at any time.
Replication uses a user account in the Replicators group for access to files, and you may need to modify the permissions of this group when files are configured for replication.
The Directory Replicator service is somewhat limited: it cannot compare versions of files being copied nor copy open files.
Configuring Internet Services
Windows NT includes several features that are useful on Internet-connected systems and other large networks. These include the following:
- Routing allows Windows NT to forward packets between networks. Windows NT supports IP routing (with RIP), DHCP relay, IPX routing, and AppleTalk routing. Collectively, these services are referred to as the multiprotocol router or MPR.
- Internet Information Server (IIS), included with NT Server, provides Internet services: World Wide Web (WWW), File Transfer Protocol (FTP), and Gopher.
These items are explained in detail in the following sections.
IP Routing
Any Windows NT Workstation or Server computer that is connected to multiple networks (with multiple network cards, or dial-up connections) can act as a router. Microsoft refers to a computer connected to two or more networks as a multihomed computer.
There are two basic types of routing:
- Static routing uses a table, built manually by the administrator, of destination networks and the gateway and network card through which each is reached.
- Dynamic routing uses an intelligent protocol to communicate between routers and dynamically maintain routing tables. One such protocol, RIP (routing information protocol) is supported by Windows NT.
Configuring Static Routing
Static routing is built into all NT Workstation and Server computers. If a computer has multiple network cards, you can enable static routing by checking the Enable IP Forwarding option in the Routing tab of the TCP/IP properties dialog.
Once you've enabled routing, you must create a routing table. The table is maintained with the route command at the command prompt. For example, type route add to add a route, route print to display the current table, or route with no arguments to display the complete syntax.
You do not need to know the specific options of the route command for the NT Enterprise exam. These are covered in MCSE: The Electives in a Nutshell.
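To show what the static routing table built with route add actually does, here is a Python model of it, added as an example and not taken from the book. Each entry carries the same fields the route command takes (destination, netmask, gateway, interface, metric); a lookup picks the most specific matching route (longest prefix), among equals the lowest metric, and falls back to the 0.0.0.0/0 default route last. It also rejects a gateway that is not on one of the host's own subnets, since the host could never hand packets to it. The interfaces and networks (192.168.1.0/24, 10.0.0.0/24, 172.16.0.0/16) are constructed for the example.

```python
"""Static IP routing table of a multihomed NT host, in the form `route add`
builds it: destination network, netmask, gateway, interface and metric.

Added example, not code from the book.  Addresses and networks are constructed.
"""
import ipaddress


class RoutingTable:
    def __init__(self, interfaces):
        """interfaces: {address: netmask} of the host's own adapters.  A
        directly connected route (gateway = the interface itself) is added
        for each one, as NT does automatically."""
        self.interfaces = {}
        self.routes = []      # (network, gateway, interface, metric)
        for addr, mask in interfaces.items():
            net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
            ip = ipaddress.IPv4Address(addr)
            self.interfaces[ip] = net
            self.routes.append((net, ip, ip, 1))

    def _interface_for(self, gateway):
        for addr, net in self.interfaces.items():
            if gateway in net:
                return addr
        return None

    def add(self, destination, netmask, gateway, metric=1):
        """Equivalent of: route add destination MASK netmask gateway METRIC metric"""
        net = ipaddress.IPv4Network(f"{destination}/{netmask}", strict=True)
        gw = ipaddress.IPv4Address(gateway)
        iface = self._interface_for(gw)
        if iface is None:
            raise ValueError(f"gateway {gw} is not on a directly connected network")
        self.routes.append((net, gw, iface, metric))

    def delete(self, destination, netmask):
        """Equivalent of: route delete destination MASK netmask"""
        net = ipaddress.IPv4Network(f"{destination}/{netmask}", strict=True)
        self.routes = [r for r in self.routes if r[0] != net]

    def lookup(self, address):
        """(gateway, interface) for a destination, or None if unroutable.
        Longest prefix wins; ties go to the lowest metric."""
        dst = ipaddress.IPv4Address(address)
        matches = [r for r in self.routes if dst in r[0]]
        if not matches:
            return None
        net, gw, iface, _ = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
        return str(gw), str(iface)

    def print_table(self):
        """Roughly what `route print` shows."""
        print(f"{'Network':<16}{'Netmask':<16}{'Gateway':<16}{'Interface':<16}Metric")
        for net, gw, iface, metric in sorted(self.routes, key=lambda r: int(r[0].network_address)):
            print(f"{str(net.network_address):<16}{str(net.netmask):<16}"
                  f"{str(gw):<16}{str(iface):<16}{metric}")


def build_example():
    """Router with two NICs: Internet via 192.168.1.254, the 172.16.0.0/16
    site via 10.0.0.254, and a more specific route for one of its subnets."""
    rt = RoutingTable({"192.168.1.1": "255.255.255.0", "10.0.0.1": "255.255.255.0"})
    rt.add("0.0.0.0", "0.0.0.0", "192.168.1.254")           # default route
    rt.add("172.16.0.0", "255.255.0.0", "10.0.0.254")
    rt.add("172.16.5.0", "255.255.255.0", "10.0.0.253")     # more specific, wins for 172.16.5.x
    return rt


if __name__ == "__main__":
    build_example().print_table()
```

A host with IP forwarding enabled consults exactly this table for every packet it forwards, so a stale or over-broad static entry quietly redirects traffic; route print after each change is the check to make.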
Configuring Dynamic Routing
NT Server includes an implementation of RIP to support dynamic IP routing. To install it, select Add from the Services tab of the Network control panel. Select RIP for Internet Protocol from the list.
Once RIP is installed on two or more multihomed computers, this protocol will be used to dynamically maintain a routing table. No additional configuration is required to use RIP, but the Enable IP Forwarding option described earlier must be enabled.
DHCP Relay Agent
DHCP requests are broadcasts, and routers do not normally forward broadcasts, so each subnet would need its own DHCP server. Some routers can be configured to forward DHCP (BOOTP) packets. Windows NT Server includes the DHCP Relay Agent, which forwards DHCP requests and responses between subnets.
Installing DHCP Relay
DHCP Relay should be used on a multihomed computer with access to both subnets; this can be the same server that is configured as an IP router. The DHCP Relay Agent is a service of Windows NT Server; if it is not already present, add it from the Services tab of the Network control panel.
To activate the DHCP relay, select the DHCP Relay tab from the TCP/IP properties dialog and specify at least one DHCP server IP address.
Once the DHCP Relay is running, clients on a subnet without its own DHCP server can use DHCP. The client's DHCP broadcast is received by the DHCP Relay machine and forwarded as a directed packet to the DHCP server on the other subnet. The relay stamps the request with the address of the interface it arrived on; the server uses that address to choose the scope for the client's subnet and sends its reply back to the relay, which delivers it to the client. Until it holds an address, the client never communicates with the server directly.
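The exchange just described, as a message-level Python simulation added here for illustration (not code from the book). Packets are dictionaries carrying only the DHCP fields that matter for relaying (op, hops, giaddr, chaddr, yiaddr); the subnets, addresses and MAC are constructed, and the hop limit of 4 is this example's choice. It shows the two points the prose leaves implicit: the relay fills in giaddr with the address of the interface the request arrived on, which is how the server picks the right scope, and the server answers the relay rather than the client.

```python
"""Message-level walk-through of the DHCP Relay Agent exchange.

Added example, not code from the book.  Packets are dicts with only the DHCP
fields relevant to relaying; subnets, addresses and the MAC are constructed;
the hop limit of 4 is this example's choice.
"""
import ipaddress

BROADCAST = "255.255.255.255"


class DHCPServer:
    def __init__(self, own_address, scopes):
        self.own_address = ipaddress.IPv4Address(own_address)
        self.scopes = [ipaddress.IPv4Network(s) for s in scopes]
        self.next_host = {s: 10 for s in self.scopes}   # next host number per scope

    def handle(self, request):
        """Pick a scope by giaddr (relayed request) or by the server's own
        subnet (local broadcast); address the offer to whoever must carry it
        back: the relay if giaddr is set, otherwise the local broadcast."""
        giaddr = ipaddress.IPv4Address(request["giaddr"])
        relayed = int(giaddr) != 0
        origin = giaddr if relayed else self.own_address
        scope = next((s for s in self.scopes if origin in s), None)
        if scope is None:
            return None                         # no scope for that subnet: request ignored
        yiaddr = scope.network_address + self.next_host[scope]
        self.next_host[scope] += 1
        return {"op": "OFFER", "hops": request["hops"], "giaddr": request["giaddr"],
                "chaddr": request["chaddr"], "yiaddr": str(yiaddr),
                "mask": str(scope.netmask),
                "dst": request["giaddr"] if relayed else BROADCAST}


class RelayAgent:
    def __init__(self, interfaces, servers, max_hops=4):
        self.interfaces = [ipaddress.IPv4Address(i) for i in interfaces]
        self.servers = servers                  # DHCP server addresses from the DHCP Relay tab
        self.max_hops = max_hops

    def relay_request(self, request, received_on):
        """Forward a client broadcast to every configured server, directed."""
        if request["hops"] >= self.max_hops:
            return []                           # too many relays in the path: drop
        fwd = dict(request, hops=request["hops"] + 1)
        if int(ipaddress.IPv4Address(fwd["giaddr"])) == 0:
            fwd["giaddr"] = str(received_on)    # only the first relay sets giaddr
        return [(server, fwd) for server in self.servers]

    def relay_reply(self, reply):
        """Deliver the server's reply on the interface named by giaddr."""
        giaddr = ipaddress.IPv4Address(reply["giaddr"])
        if giaddr not in self.interfaces:
            return None                         # not addressed to this relay
        return dict(reply, dst=reply["chaddr"]) # handed to the client by hardware address


def exchange(client_mac, relay, server, client_side_iface):
    """One DISCOVER/OFFER run: client broadcast -> relay -> server -> relay -> client.
    Returns (packet delivered to the client, address the server replied to)."""
    discover = {"op": "DISCOVER", "hops": 0, "giaddr": "0.0.0.0", "chaddr": client_mac}
    for _server_addr, fwd in relay.relay_request(discover, client_side_iface):
        offer = server.handle(fwd)
        if offer is None:
            continue
        return relay.relay_reply(offer), offer["dst"]
    return None, None


def build_example():
    """Server on 192.168.1.0/24 with scopes for both subnets; relay with one
    interface on each subnet."""
    server = DHCPServer("192.168.1.5", ["192.168.1.0/24", "192.168.2.0/24"])
    relay = RelayAgent(["192.168.1.1", "192.168.2.1"], ["192.168.1.5"])
    return server, relay
```

The second scenario in the test, a relay whose subnet has no scope on the server, is the usual cause of "relay is running but clients get nothing": the server does not answer at all, so the client sees only timeouts.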
IPX Routing
Windows NT Server's implementation of the IPX protocol (NWLink) includes a facility for acting as an IPX router. Any NT Server computer that is connected to two or more networks that use the IPX protocol can be configured to act as a router.
Windows NT IPX routing is dynamic and uses the RIP for IPX protocol. RIP for IPX is not the same protocol as RIP for IP, described earlier in this section, but serves a similar purpose.
To install RIP for IPX, Select Add from the Services tab of the Network control panel. Select RIP for NWLink IPX/SPX Compatible Transport from the list.
To configure RIP for IPX, select it from the list of services and choose Properties. This server has a single property: NetBIOS Broadcast Propagation. If enabled, NetBIOS broadcasts are forwarded between the IPX networks, which allows network browsing.
You may recall from that one of the advantages of a router is the reduction of broadcast traffic, since routers don't generally forward NetBIOS broadcasts. Enabling NetBIOS Broadcast Propagation lets some of this traffic through the router, which may cause traffic problems on the network.
Internet Information Server (IIS)
introduced Peer Web Services (PWS), a simple Internet server included with Windows NT Workstation. The full version of this software is called Internet Information Server (IIS) 2.0 and is included with Windows NT Server.
IIS includes three basic services:
- The WWW (World Wide Web) service allows documents created in HTML (Hypertext Markup Language) to be published for viewing by web browsers.
- FTP (File Transfer Protocol) allows files to be transferred between client computers and the server.
- Gopher is an information service that predates the Web, but is still in use among some educational institutions.
These instructions cover IIS 2.0, the version included with Windows NT Server 4.0. The NT Enterprise exam questions are confined to this version. The newest version, IIS 4.0, is available from Microsoft as part of the Windows NT Option Pack. This version is covered in MCSE: The Electives in a Nutshell.
To install IIS, select Add from the Services tab of the Network control panel. Select Microsoft Internet Information Server 2.0 from the list. The setup program now displays a list of IIS components to install. These include the following:
- Internet Service Manager
- A utility (installed in the Microsoft Internet Server menu under the Start menu) for managing IIS services.
- World Wide Web Service
- The WWW (World Wide Web) service.
- WWW Service Samples
- Includes sample HTML documents for the web server.
- Internet Service Manager (HTML)
- An HTML version of the Internet Service Manager that can be accessed using a web browser.
- Gopher Service
- The Gopher information service.
- FTP Service
- The FTP (File Transfer Protocol) service.
- ODBC Drivers and Administration
- Optional drivers and tools for integrating database access with web publishing.
Select the OK button in this dialog to continue. You are now prompted for directories for the content to be published by the three services. These default to directories under the InetPub directory on the boot volume. These directories will be created if needed.
The NT Enterprise exam does not cover the Gopher service, aside from the fact that it is one of the available IIS services. The emphasis is on the WWW and FTP services. You should be familiar with the function of these services, their typical options, and the process of configuring them.
Once IIS is successfully installed, the Internet Service Manager utility is available in the Microsoft Internet Server menu under the Start menu. This utility allows you to monitor, control, and configure the three IIS services.
The Internet Service Manager window displays a list of installed services and their current status. The Start, Stop, and Pause buttons in the toolbar allow you to control the selected service. You can highlight a service and select Service Properties from the Properties menu to configure the service. The available property categories are described in their own sections, which follow.
These properties allow you to specify the TCP port the service answers on, the timeout and maximum limits for connections, and a username and password for anonymous access to the service. Depending on the service, additional parameters may be included. The following options are included:
- TCP Port
- Specify the TCP port the service will send and receive data through. Defaults are 80 for WWW, 21 for FTP, and 70 for Gopher.
- Connection Timeout
- Specify the timeout (in seconds) for connections to this service. If there is no traffic for the specified number of seconds, the user is disconnected.
- Maximum Connections
- Specify the maximum number of concurrent connections to the service. The default values are very large; be sure to specify lower limits if your server has heavy traffic.
- Anonymous Logon
- Enter a username and password for anonymous access. This username is created when you install IIS and given permissions for the directories you specify.
- Password Authentication (WWW Service only)
- Specify whether a password is required to access the server and the type of authentication. You can choose the standard format or MS-CHAP, a proprietary but more secure scheme.
- Enter a comment if desired. This field is displayed in the main Internet Service Manager display.
This category allows you to modify the publishing directories you specified at installation and other settings:
- Specify the directory path. You can specify a UNC path to a directory on another machine.
- Home Directory
- If this option is selected, this directory acts as the home (root) directory for this service. Only one directory can be designated as the home directory.
- Virtual Directory
- Indicates that this directory will be used as a virtual directory. Specify an alias for the directory. The alias path begins with the root directory; for example, an alias of pub indicates the /pub directory.
- Enable Default Document (WWW Service only)
- If enabled, requests that do not specify a filename will be answered with the default file in the directory, typically default.html.
- Directory Browsing Allowed (WWW Service only)
- If the default document does not exist and this option is selected, a listing of the directory's contents will be sent as a document.
- Account Information
- If this directory is on another machine, you must specify a username and password with access to the directory. Using the Administrator password here can be a security risk; it's best to create a user specifically for the purpose.
- Select whether users are able to read from the directory, write to it, or both. The NTFS rights for the directory must match this setting.
This category includes options for logging access to the service. Log records can be written to a text file or to an available SQL or ODBC database server. The following settings are available:
- Enable Logging
- Check this box to enable transaction logging. Logging is disabled by default.
- Log to File
- Enables logging to a disk file. This is a standard ASCII text file, with one line per transaction.
- Log Format
- Choose the format for log entries. For FTP and Gopher, only the Standard format is available. For WWW, you can choose Standard or NCSA log formats. (The NCSA web server was one of the first available, and many utilities are available for analyzing logs in this format.)
- Automatically open new log
- If this option is checked, IIS creates a new log file automatically at selected intervals. New logs can be created daily, weekly, monthly, or when the log file reaches a specified size.
- Log file directory
- Specifies the directory in which IIS will create log files. Log files are named automatically based on the current date.
- Log to SQL/ODBC Database
- Enables logging to a database. Selecting this option disables the earlier options for file logging. Specify the Data Source Name (ODBC), table name (SQL), and the username and password for database access.
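The text notes that many utilities exist for analyzing logs written in the NCSA format. As an added example (not code from the book or from IIS), the following Python script parses NCSA common-format log lines and produces a per-client summary, flagging any client that racks up repeated 4xx responses, the kind of check an administrator reviewing IIS logs would want. The NCSA common log layout (host, identd, user, timestamp, request, status, bytes) is assumed here since the text does not spell it out; the sample lines, hosts, and paths are constructed for illustration.

```python
import re
from collections import defaultdict

# NCSA common log format: host ident authuser [date] "request" status bytes
# (layout assumed from the NCSA httpd convention; the text only names the format)
_NCSA_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Constructed sample log (not from the page): hosts, dates and paths are made up.
# One line is deliberately malformed to show that bad records are counted, not fatal.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2000:09:15:01 -0500] "GET /default.htm HTTP/1.0" 200 1043
10.0.0.5 - - [12/Mar/2000:09:15:02 -0500] "GET /images/logo.gif HTTP/1.0" 200 2212
10.0.0.9 - - [12/Mar/2000:09:16:10 -0500] "GET /scripts/admin.asp HTTP/1.0" 404 0
10.0.0.9 - - [12/Mar/2000:09:16:11 -0500] "GET /admin/ HTTP/1.0" 404 0
10.0.0.9 - - [12/Mar/2000:09:16:12 -0500] "GET /private/ HTTP/1.0" 401 0
10.0.0.9 - - [12/Mar/2000:09:16:13 -0500] "GET /private/ HTTP/1.0" 401 0
10.0.0.9 - - [12/Mar/2000:09:16:14 -0500] "GET /private/ HTTP/1.0" 401 0
this line is not in NCSA format
10.0.0.7 - jsmith [12/Mar/2000:09:17:00 -0500] "GET /private/report.htm HTTP/1.0" 200 5120
"""


def parse_ncsa_line(line):
    """Return a dict for one NCSA common-format line, or None if it does not match."""
    m = _NCSA_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    parts = rec["request"].split()          # "GET /path HTTP/1.0"
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    return rec


def summarize(log_text, error_threshold=3):
    """Per-client request/byte counts plus a list of clients with many 4xx responses.

    A run of 401/403/404 responses from one address is a common sign of someone
    probing for directories or guessing credentials; error_threshold is the number
    of 4xx responses at which a client is reported.
    """
    per_client = defaultdict(lambda: {"requests": 0, "bytes": 0, "errors": 0})
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_ncsa_line(line)
        if rec is None:
            skipped += 1                    # malformed record: count it, keep going
            continue
        c = per_client[rec["host"]]
        c["requests"] += 1
        c["bytes"] += rec["bytes"]
        if 400 <= rec["status"] < 500:
            c["errors"] += 1
    suspicious = sorted(h for h, c in per_client.items() if c["errors"] >= error_threshold)
    return {"clients": dict(per_client), "suspicious": suspicious, "skipped": skipped}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for host, counts in sorted(result["clients"].items()):
        print(f"{host:15} requests={counts['requests']:3} bytes={counts['bytes']:6} "
              f"4xx={counts['errors']}")
    print("clients with repeated 4xx responses:", result["suspicious"])
    print("malformed lines skipped:", result["skipped"])
```

Run it against a real IIS log by reading the file into `summarize()`; the threshold is deliberately a parameter so it can be tuned to the site's normal error rate before anyone acts on the list.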
This category allows you to control access to the server and limit the network bandwidth used by the services:
- Granted Access, Denied Access
- Choose whether access is granted or denied to all computers by default. The Denied Access option is useful if you wish to grant access to specific machines exclusively.
- Except those listed below
- Use the Add, Edit, and Remove buttons to maintain this list of IP addresses that are exceptions to the previous rule.
- Limit Network Use by all Internet Services on the computer
- Check this option and specify a number to limit the network bandwidth that can be used by Internet services. This option applies collectively to FTP, Gopher, and WWW services.
Optimization and Troubleshooting
Parts 2 and 3 introduced various aspects of optimizing and troubleshooting Windows NT. The next sections examine optimizing and troubleshooting techniques unique to the NT Server in the Enterprise exam. These include gathering and saving baseline data, monitoring network traffic, optimizing server performance and domain communication, and advanced troubleshooting issues.
Gathering Baseline Data
While there are some methods of optimizing the performance of a Windows NT Server computer, these changes should be made carefully. Any change has the potential to degrade the performance of a server. In order to ensure that changes have the desired effect, a baseline should be measured.
A baseline is a measure of the server's performance in various areas. This data can be saved and compared with recent results to determine if a change improved performance, or if a hardware malfunction or other problem is reducing performance.
You can create a baseline by using the Log option in Performance Monitor, described in , to write counter values to a file. Some suggested counters to baseline are those that were recommended for regular monitoring in .
In addition to these, a number of counters are available for the TCP/IP protocol. These are included as part of the SNMP (Simple Network Management Protocol) service. To install this service, select Add from the Services tab of the Network control panel. Select SNMP Service from the list. The following categories of counters are added:
- Counters related to the Internet Protocol (IP). This protocol is used for addressing and sending packets between computers.
- Counters for the Internet Control Message Protocol (ICMP). This protocol is used for diagnostic messages and error messages between network nodes.
- Counters for the Transport Control Protocol (TCP). This protocol manages connection-oriented communication between computers.
- Counters for the User Datagram Protocol (UDP). This protocol manages connectionless communication between computers.
You don't need to know the specific counters in these categories for the NT Enterprise exam, but you should know that some categories are installed with the SNMP service. SNMP itself is covered in more detail in MCSE: The Electives in a Nutshell.
Monitoring Network Traffic
The Network Monitor utility, included with NT Server, is a network analyzer. This utility is able to capture packets being transmitted on the network and allows you to view raw packets or statistics about the captured packets as a group.
The version of Network Monitor included with Windows NT Server is limited to capturing "legitimate" packets: those that are addressed to, or from, the monitored computer, and network broadcasts. The full-featured version of Network Monitor (included with SMS) is able to use promiscuous mode network drivers, which allow all packets passing through the network to be viewed, regardless of their origin and destination.
SMS, or Systems Management Server, is a component of the Microsoft BackOffice package that allows for network inventory and management.
Installing Network Monitor
There are two components of Network Monitor: the Network Monitor Tools, which you use to capture and view data, and the Network Monitor Agent, which captures data for analysis by the tools. You should install the Tools on the computer you will monitor the network from and the Agent on one or more computers to monitor.
You can install either of these components using the Services tab in the Network control panel. Select Add, and select Network Monitor Agent for the agent only, or Network Monitor Tools and Agent for the tools and agent. You must then restart the computer and use the Services control panel to start the Network Monitor Agent service.
Using Network Monitor
To start this utility, select Network Monitor from the Administrative Tools menu under the Start menu. The main Network Monitor window, shown in Figure 4-6, is now displayed.
Figure 4-6. The Network Monitor utility
To begin capturing network packets, select Start from the Capture menu. As data is captured, statistics are displayed in the Network Monitor window. To capture data without displaying intermediate statistics, select Dedicated Capture Mode from the Capture menu.
To end a capture, select Stop from the Capture menu. The data captured is now stored in memory. You can save the data using the Save As command in the File menu or display it using the Display Captured Data option in the Capture menu.
Capturing data for an extended period of time can consume a large amount of memory. One way to reduce the required memory is to configure a filter. Select Filter from the Capture menu. You can filter captured data for a particular type of packet, for one or more specific computers (by hardware address), or for data matching a specified pattern.
Monitor Agent Controls
On each machine where you've installed the monitoring software, the Monitor Agent applet in the control panel can be used to change the agent's settings. The following options are available:
- Change Password
- Changes the password required to capture and display packets from this workstation. By default, there is no password.
- Describe Net Cards
- Allows you to enter a description for each of the network adapters in the computer. While not required, this description is helpful when analyzing captured data.
- Reset Defaults
- This option applies only if you are using the Network Monitor utility on this computer. It resets Network Monitor's display, protocols, and other options to their default values.
Optimizing Server Performance
Windows NT includes a simple method of optimizing the performance of a server. To access this option, select the Services tab in the Network control panel. Highlight the Server service and select Properties. Choose one of the following choices:
- Minimize Memory Used
- Attempts to use the smallest amount of memory possible. Microsoft recommends this option for networks with 10 or fewer users.
- This option is a compromise between memory use and network throughput. This option is recommended for networks with between 10 and 64 users.
- Maximize Throughput for File Sharing
- This dedicates memory and processing to file sharing over other server activities. Microsoft recommends this option for large networks (64 users or more).
- Maximize Throughput for Network Applications
- This is a specialized option for application servers. Servers that are infrequently used for file sharing and frequently used for client-server applications should use this option.
Windows NT provides for efficient communication between domain controllers and between trusted domains with a minimum of administration. However, certain aspects of domains can be optimized, often providing dramatic increases in performance. Several areas that can be optimized are introduced in the following sections.
All of these items are emphasized on the NT Enterprise exam, particularly the database size and other calculations. If you have access to an NT network with at least two domains, calculating these factors for a real network is a useful exercise.
If a domain has a large number of users and groups, the user account database (also called SAM or the directory services database) can be quite large. Aside from disk storage requirements, the size of this database affects several aspects of domain optimization.
If the network has already been set up and is in use, you can check the current size of the database. This is a single file called SAM in the \WINNT\SYSTEM32\CONFIG directory of the PDC. Each domain has a separate user account database.
If you are planning a future network or growth of an existing network, you can calculate the database size based on the number of users, groups, and computer accounts in the domain. Values for these items are given in Table 4-1.
Table 4-1: Database Size Factors
- User account: 1K (user accounts always use this exact amount)
- Global group: 512 bytes plus 12 bytes per group member
- Local group: 512 bytes plus 36 bytes per group member
- Computer account: 512 bytes (a computer account is required for each computer in the domain)
To provide fault tolerance, each domain should have at least one BDC in addition to the PDC. The number of additional BDCs depends on the anticipated number of users and their location.
The number of users a domain can support depends on the processor speed and RAM of the domain controllers. Table 4-2 lists common RAM values and the database size they can support. (This table assumes that Pentium processors are used. The users value listed in the table is a maximum; the value will be lower when computer and group accounts are factored in, as described earlier.)
Table 4-2: RAM Versus Database Size
Max. Users (approx.)
This is the minimum recommended RAM for NT Server.
A fast machine (Pentium Pro, Pentium 2, or RISC) is advised.
This is the maximum database size.
Since each domain controller stores the entire security database, each PDC and BDC should support the requirements just listed. As for the number of BDCs, Microsoft recommends using one BDC for every 2,000 user accounts.
The idea behind adding BDCs in this fashion is to distribute the work of authenticating users to several machines. The actual user database is not divided among the machines; each one stores a copy of the entire database. Be sure disk space is sufficient for the database size listed in Table 4-1.
The location of BDCs is another factor. While a single powerful BDC may be able to handle all of the users of your network, distributing the load between several BDCs, one at each location, would increase the speed and efficiency of the network. Figure 4-7 shows a network using BDCs at each location.
Figure 4-7. Using one BDC per location
Based on the specifications of the domain controllers and the number you plan to have in each domain, you can determine the maximum number of users a domain will support. If your network has more users than this number, you should use the multiple master domain model.
If you use an adequate number of domain controllers per domain, each master domain can support a maximum of 40,000 users. Thus, theoretically a network with three master domains could support 120,000 users. In practical terms, bandwidth and administrative overhead make networks any larger than five master domains difficult to support.
Users must authenticate with a BDC (or the PDC) of the domain that contains their user account to log on to the network. In a single master domain model, this means that users in any domain need to reach the BDC of the master domain.
In a single-location network, authentication is very fast. If this authentication crosses a WAN link, however, it can cause delays. One way to prevent these delays is to place a BDC for the master domain in each of the domains where users will log on.
The disadvantage of this approach is that synchronization traffic between the PDC and BDC uses some of the bandwidth of the WAN link. However, it is often worth the increased speed of authentication.
Here is a general rule for placing domain controllers in any network: the PDC should be as close as possible to the administrator, and the BDCs should be as close as possible to users (whether in the same domain or a trusting domain).
PDCs and BDCs must periodically communicate to exchange information and maintain the same user database on each one. This process is called synchronization. This process does use some network bandwidth, which may be an issue when the BDCs are located across WAN links. You can calculate the time required for synchronization and optimize this process if necessary.
To determine if changes are needed, first calculate the time required for the synchronization process. Microsoft provides this formula to approximate the synchronization time per month per BDC:
time = (users * age/30) / (speed * 450)
The following values are used in this formula:
- The synchronization time required per month (in hours).
- The number of domain user accounts.
- The maximum password age. This is the Expires In value from the Maximum Password Age section of the Account Policy dialog in User Manager for domains.
- The speed of the WAN links, measured in Kbps.
As an example, suppose a network has three BDCs located across 128-Kbps WAN links. The network has 5,000 users, and passwords are set to expire in 90 days. The formula would evaluate as follows:
time = (5000 * 90/30) / (128 * 450)
time = (5000 * 3) / (57600)
time = 15000 * 3 / 57600 = .78 hours
This network would require .78 hours (about 47 minutes) per month per BDC, or about 2.3 hours total, for synchronization.
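The text suggests calculating these factors for a real network as an exercise. The following Python script is an added example (not the book's or Microsoft's code) that does the arithmetic: it estimates the SAM size from the Table 4-1 factors (global groups at 12 bytes per member, local groups at 36), applies the one-BDC-per-2,000-users rule, and evaluates the synchronization formula exactly as printed above, time = (users * age/30) / (speed * 450). Note that with the formula as printed, the 5,000-user, 90-day, 128-Kbps case gives 15000 / 57600, or about 0.26 hours per BDC; the worked example's last line multiplies by 3, so the 0.78-hour figure is the total for the three BDCs. The network parameters in the script are constructed for illustration.

```python
"""Domain planning calculator (added example, not the book's own code).

Uses the SAM size factors from Table 4-1 and the per-BDC synchronization
formula  time = (users * age/30) / (speed * 450)  as printed in the text.
"""

USER_ACCOUNT_BYTES = 1024          # 1K per user account (Table 4-1)
GROUP_BASE_BYTES = 512             # fixed cost per group
GLOBAL_GROUP_MEMBER_BYTES = 12     # per member of a global group
LOCAL_GROUP_MEMBER_BYTES = 36      # per member of a local group
COMPUTER_ACCOUNT_BYTES = 512       # per computer account


def sam_size_bytes(users, computers, global_group_sizes=(), local_group_sizes=()):
    """Estimated SAM size in bytes.

    *_group_sizes are member counts, one entry per group, so a domain with ten
    global groups of 500 users each is passed as global_group_sizes=[500] * 10.
    """
    size = users * USER_ACCOUNT_BYTES + computers * COMPUTER_ACCOUNT_BYTES
    size += sum(GROUP_BASE_BYTES + GLOBAL_GROUP_MEMBER_BYTES * n for n in global_group_sizes)
    size += sum(GROUP_BASE_BYTES + LOCAL_GROUP_MEMBER_BYTES * n for n in local_group_sizes)
    return size


def recommended_bdcs(users, users_per_bdc=2000):
    """Microsoft's rule of thumb from the text: one BDC per 2,000 user accounts.

    Always returns at least one, since every domain should have a BDC for
    fault tolerance regardless of size.
    """
    return max(1, -(-users // users_per_bdc))   # ceiling division


def sync_hours_per_bdc(users, max_password_age_days, wan_speed_kbps):
    """Monthly synchronization time (hours) for one BDC, formula as printed."""
    return (users * max_password_age_days / 30) / (wan_speed_kbps * 450)


def sync_hours_total(users, max_password_age_days, wan_speed_kbps, bdcs):
    """Monthly synchronization time (hours) summed over all BDCs on WAN links."""
    return bdcs * sync_hours_per_bdc(users, max_password_age_days, wan_speed_kbps)


if __name__ == "__main__":
    # Constructed planning scenario: 5,000 users, 3,000 computers, ten global
    # groups of 500 members, five local groups of 20 members, 90-day password
    # age, 128-Kbps WAN links (the last three values match the text's example).
    users, computers = 5000, 3000
    size = sam_size_bytes(users, computers, [500] * 10, [20] * 5)
    bdcs = recommended_bdcs(users)
    per_bdc = sync_hours_per_bdc(users, 90, 128)
    print(f"estimated SAM size: {size / 1024 / 1024:.1f} MB")
    print(f"recommended BDCs:   {bdcs}")
    print(f"sync per BDC/month: {per_bdc:.2f} h ({per_bdc * 60:.0f} min)")
    print(f"sync total/month:   {sync_hours_total(users, 90, 128, bdcs):.2f} h")
```

The SAM estimate is the figure to check against the disk and RAM guidance in Table 4-2; the synchronization result is what decides whether the ReplicationGovernor and change-log settings described below need adjusting.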
You should not need to know the exact formula for synchronization time for the exam. However, you should know how to manage synchronization using the registry settings given next.
If the synchronization time is excessive, you can optimize the synchronization process by changing two registry settings, both located under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters registry key:
- This registry change is made on the PDC. The change log stores changes made to the user database on the PDC that need to be synchronized to the BDCs. The log's size controls the number of changes that are transmitted in one synchronization session. The default size is 64K; you can change this value to anything between 32K and 4 MB. Higher values cause the database to be updated less frequently.
- ReplicationGovernor
- This registry change is made on the BDCs. This value controls the percentage of time and bandwidth that can be used for replication. The default setting is 100%; using a lower value will ensure that synchronization does not create a network bottleneck. A value of 0 prevents replication entirely.
You can use the ReplicationGovernor value to control when synchronization occurs. The Windows NT Server Resource Kit includes a command-line utility called REGINI.EXE to set this value. By using a scheduler (such as Windows NT's AT command) you can set the value to 0, then have it set to 100 at an appropriate time (such as after business hours).
This section covers advanced aspects of Windows NT troubleshooting: STOP errors and memory dumps. Both of these come into play when the system crashes and may be useful in determining the cause of the crash.
Although Windows NT is more stable than any other version of Windows, system crashes do happen. When this happens, a STOP error or "blue screen" is displayed. This message includes the following information:
- The word STOP followed by a series of hexadecimal codes. The first of these codes indicates the type of error.
- An identifier for the system CPU and OS version.
- A list of currently running device drivers.
- A memory dump of the code that was executing.
For the exam, you don't need to be able to interpret blue screens on your own. You should be aware of the basic information they include and be able to report it to Microsoft Technical Support if you contact them.
Memory Dumps and Notification
In addition to the memory dump displayed at the end of a blue screen, Windows NT can create a file containing the area of memory involved in a crash. Unfortunately, you must configure this option before a crash happens. To configure behavior at blue screens, select the Startup/Shutdown tab from the System control panel. The following options are available:
- Write an event to the system log
- If selected, a system log entry is created with specifics about the STOP error. You can view this using the Event Viewer utility, introduced in .
- Send an administrative alert
- If selected, administrators are notified when the crash happens.
- Write debugging information to:
- Specify a file to store a memory dump at the time of the crash. This file can be used by Technical Support to determine the problem.
- Automatically reboot
- If selected, NT will reboot upon display of the blue screen. This allows the server to return to useful operation, provided the STOP error is not a recurring problem.
In practice, most administrators find it useful to enable the system log or administrative alert options. While users may notify you when their machine crashes, they may not give you all of the details (and may reboot without telling you); this allows you to know when crashes are a problem. The memory dump option should not be enabled unless you know how to analyze the dump (or plan to send it to someone who does).
Analyzing Memory Dumps
In most cases, you will not be directly handling the analysis of memory dumps when Windows NT crashes. However, you should be aware of two utilities for the exam. These can be used to analyze the dump files created by enabling the memory dump option described in the previous section:
- Checks the validity of a memory dump file specified on the command line. This is useful to determine whether the file contains useful information before sending it to Microsoft or performing further analysis.
- dumpexam.exe
- Generates a summary text file for the memory dump file specified on the command line. This summary is written to the file memory.txt. This file is a more readable analysis of the computer's condition at the time of the crash and may be sufficient to determine the cause of the error.
Neither of these utilities is installed by default, but both can be found in the Support\Debug\I386 directory (or the appropriate directory for non-Intel systems) on the Windows NT installation CD-ROM. To run the dumpexam.exe utility, the files imagehlp.dll and kdextx86.dll should be copied from the CD-ROM to the same location as dumpexam.exe.
Windows NT includes a debugger which can be useful for technical analysis of a system suffering from crashes or instability. Kernel Debugger uses a serial link between two computers. Debugging is turned on for the computer to be diagnosed, and the other computer displays received debugging messages.
The debugger is not installed by default but can be copied from the installation CD-ROM in the \Support\Debug\I386 directory (or the directory for the appropriate platform). To use the debugger, you must first connect the computers with a serial link. This can be a modem or a null modem cable. RAS can also be used to dial in from a remote location to the debugging computer.
In addition to the serial link, two configuration steps are required before using the debugger:
- The appropriate symbol files must be available to the debugger. If you copied the entire directory from the CD-ROM, these files are already copied.
- On the computer to be diagnosed, modify the BOOT.INI file. Add the /debug or /crashdebug switch to the operating system entry, as described in .
You should know the basics of Kernel Debugger for the NT Server in the Enterprise MCSE exam and have experience setting up a debug session. You should not need to know specific debugging commands or memory addresses.
© 2001, O'Reilly & Associates, Inc.