
C4 CD: Networking with Windows 98 and Windows NT

Rakesh Ranjan

Contents
Chapter 1. Introduction
  1.1. History
  1.2. Architecture Independence
  1.3. Multiple Processor Support
  1.4. Multi-Threaded Multitasking
  1.5. Massive Memory Space
  1.6. Internet and TCP/IP Compatibility
  1.7. Event and Account Logging
  1.8. Remote Access Service
  1.9. Domains
  1.10. Fault Tolerance and RAID Support
  1.11. Graphical User Interface
Chapter 2. NT Server Installation
  2.1. Planning the NT Installation
  2.2. Primary Domain Controller
  2.3. Starting NT Install Program
  2.4. Creating NT Boot Disk
Chapter 3. NT Domains
  3.1. Understanding Domain Model
  3.2. Trust Relationship
  3.3. Creating Trust Relationship
    3.3.1. Setting up a Domain to Trust Another
    3.3.2. Completing the Trust Relationship
  3.4. Removing a Trust Relationship
Chapter 4. Managing User Accounts
  4.1. User Accounts
    4.1.1. Administrator Account
    4.1.2. Guest Account
  4.2. Creating User Accounts
  4.3. Creating Groups
    4.3.1. Using Local Groups
    4.3.2. Using Global Groups
    4.3.3. Special Groups
Chapter 5. Directory Shares
  5.1. FAT and NTFS
  5.2. Creating Directory Share
  5.3. Sharing of folders using Windows NT Explorer
  5.4. Hidden Share
  5.5. File and Directory permissions
  5.6. Taking Ownership of Files
  5.7. Permissions
  5.8. Assigning File Permissions
Chapter 6. TCP/IP on WinNT
  6.1. What is TCP/IP?
  6.2. Installing TCP/IP on Windows NT Server
  6.3. TCP/IP Diagnostic and Connectivity Utilities
    6.3.1. IPCONFIG
    6.3.2. NETSTAT
    6.3.3. PING
  6.4. DNS
    6.4.1. Configuring NT for Existing DNS Servers
  6.5. DHCP
    6.5.1. How DHCP Works
    6.5.2. Leasing an IP address
    6.5.3. Renewing IP Address Leases
    6.5.4. Installing DHCP Server
    6.5.5. Understanding DHCP Scopes
    6.5.6. Configuring DHCP Options
Index

List of Figures
  3.1. The Trust Relationship Dialog Box.
  4.1. User Manager for Domains.
  4.2. New User Dialog Box.
  6.1. The Network Dialog Box.
  6.2. All the available network protocols.
  6.3. TCP/IP appears in the protocol list.
  6.4. The TCP/IP configuration dialog box.
  6.5. Using the ipconfig command.
  6.6. The DNS configuration option dialog box.
  6.7. The Select Network Service dialog box.
  6.8. The Create Scope dialog box.

List of Tables
  4.1. The NET USER parameters.
  4.2. The NET USER command options.
  4.3. New User options.
  4.4. Domain global groups on Windows NT Server.
  4.5. Predefined local groups.
  4.6. Domain global groups on Windows NT Server.
  5.1. File and directory permission types.
Chapter 1. Introduction
Objectives
This chapter introduces Windows NT to you. You will learn about the various features of
Windows NT.

Windows NT Server is the network OS adopted in Railnet. It has its strengths and its
weaknesses; here we look at a few of the strengths of NT Server.
1.1. History
Early on, Bill Gates saw that networking was the key to capturing the computer business.
Microsoft introduced MS-NET on April 15, 1985, along with DOS 3.10. This was simple DOS-based
software that allowed basic sharing of resources such as files and printers. From 1985 to 1988
Microsoft worked on the next generation of networking software; LAN Manager was produced during
this time.
Work on Windows NT started in earnest in 1988. Windows NT 3.1 was released in July 1993.
No, there were no previous versions: Microsoft, ever the marketing strategist, chose the version
number so that it looked like the next release of LAN Manager, although the two have little in
common. Windows NT 3.5 was released in September 1994 and Windows NT 4.0 in 1996.
1.2. Architecture Independence
Operating system designers tend to target a particular microprocessor, which ties the OS to
the underlying hardware in terms of word size, page size, byte order (big endian or little endian)
and so on. NT was deliberately not written that way: Microsoft first developed it on RISC
processors (the Intel i860 and then the MIPS R4000) and only afterwards ported it to the x86
platform. As a result, the machine-dependent parts of NT are segregated into a relatively small
piece of the system (small compared with the overall size of NT): the Hardware Abstraction Layer
(HAL), the kernel, and the network and device drivers.
Thus a large part of NT is architecture independent, which makes it portable to a large
number of platforms.
1.3. Multiple Processor Support
NT supports a maximum of 32 processors. This means that if a computer has 32 processors,
NT can use all of them to improve its performance. The version that is normally shipped, however,
supports two or four processors; if support for more processors is needed, an appropriate HAL
(usually supplied by the hardware vendor) is required. NT can then use all these processors and
speed up the overall computer system.
Among multiprocessing systems, a computer is said to be a symmetric or an asymmetric
multiprocessor. An asymmetric multiprocessor system has more than one processor, but each
of them has a different, specially defined job. A symmetric multiprocessor (SMP) system, on
the other hand, has processors that can take over for one another without skipping a beat; each
processor has complete access to all hardware, buses, memory and so on. NT servers must
have a symmetric multiprocessor system in order to use their multiprocessor capability.
NT can split its work among the processors and thus increase the throughput of
the system.
1.4. Multi-Threaded Multitasking
Multitasking means that a single computer can run several different programs at the same time.
These programs use different data spaces in memory, so they do not interfere with one another.
A program is normally single-tasking within itself: it is a single unit that does all of its work
as a single process.
A program may also be multi-threaded. This means that it is made up of several smaller units
of execution that cooperate to produce the desired result. This is an advantage when there is more
than one processor: each of these smaller units, called a thread, can execute on a different
processor. NT itself is multi-threaded, and it supports multi-threaded applications.
This does not mean that a multi-threaded application runs only on a computer with multiple
processors. NT provides an abstraction: if there are multiple processors, they are used; otherwise
NT schedules the threads on the single processor. The software developer need not be concerned
with the underlying architecture of the computer. NT guarantees that the multi-threaded
application will run.
The difference between a task (process) and a thread is that the threads of one program share
the same data space: if one thread changes a data item, the change is seen by all the other
threads. Tasks invariably use different data spaces, so each task has a private copy of its data
and changes made by one are not seen by another. This is also why a bug in one thread can
corrupt data used by every other thread of the same process, whereas a bug in one process cannot
directly touch the memory of another.
1.5. Massive Memory Space
NT is a 32-bit design with a 4 GB (gigabyte) address space, by default 2 GB for each application
and 2 GB for the system. NT applications therefore rarely need to worry about memory: the address
space is backed by virtual memory, so the usable amount is limited by the physical RAM (Random
Access Memory) of the computer plus the size of the paging file.
1.6. Internet and TCP/IP Compatibility
Nowadays most networks speak the language of the Internet, the protocol suite called TCP/IP
(Transmission Control Protocol/Internet Protocol). NT supports most of the protocols of the
Internet, so it is possible to build our own enterprise intranet on Windows NT.

1.7. Event and Account Logging
NT Server can log a wide range of events to its System, Application and Security logs, which
the administrator reads with Event Viewer. This logging helps the administrator sort out what has
been happening on the server. NT can also audit user activity (logon and logoff, access to files
and other objects, use of privileges, changes to accounts and policy) once auditing is switched on
in the audit policy; those records go to the Security log. This helps the administrator find out
what a user has been doing when a problem is investigated. Note that auditing is off by default
on a fresh installation, so it must be enabled deliberately, and the logs must be sized and
reviewed for the facility to be of any use. This logging facility is one of the most useful
features when it comes to administration.
1.8. Remote Access Service
NT Server has remote access capability built in. This allows a person to use the network
and NT server resources from home over a modem. The RAS (Remote Access Service) shipped with
NT is the server end of the software.
Also included in RAS are two TCP/IP-related protocols: the Point to Point Tunneling Protocol
(PPTP) and Multilink PPP. PPTP lets you use the Internet as the carrier, so to speak, for a tunnel
to your office network. Multilink PPP lets you take several slower communication links and
combine them into one logical link, which increases the available bandwidth. A caveat: the
MS-CHAP authentication and the MPPE encryption used by PPTP as shipped with NT 4.0 were later
shown to have serious weaknesses, so a PPTP link across the Internet should not be treated as
strongly protected.
1.9. Domains
Domains are groups of machines. NT allows a group of machines to use a central location,
a single server, for user authentication. The NT server holding the central Security Accounts
Manager (SAM) database is called the Primary Domain Controller, or PDC. The PDC's main job is
to log people onto the domain, that is, to authenticate them so that the network resources they
are authorized to use become available.
Domains offer better manageability and security. A network user on Windows 95/98/Me
can use the PDC as the authentication server that makes network resources available at logon.
The domain controller model of Microsoft networking offers a lot of flexibility; we discuss it
in detail later.
1.10. Fault Tolerance and RAID Support
Security normally means keeping people away from data they are not supposed to have
access to. An equally important part of security's function is keeping safe the data that people
have entrusted to the network. NT has several features that support fault tolerance:

- Directory Replication makes it possible to designate a directory on a particular server
  and then set up a backup server whose job it is to match, on a minute-to-minute basis, the
  contents of that directory.

- Hot fixing is a feature of any NT server whose disk has been formatted with the NTFS
  file system. NTFS monitors the disk areas it is using, and if it finds that one has become
  damaged, it takes the bad area out of service and moves the data on it to another, safe
  area automatically.

- RAID (Redundant Array of Independent Disks) is a family of six levels (0 to 5) for combining
  several disk drives into what appears to the system to be a single disk drive. RAID improves
  on a single disk drive in that it offers better speed, data redundancy, or both.

  - Level 0, or disk striping, improves only speed. It creates what appears to be one disk
    out of several separate physical disk drives. Areas that appear to be a cylinder or a track
    on the logical disk drive are actually spread across two or more physical disk drives. The
    benefit is realized when accessing data: reading a block of data can become several
    simultaneous reads from several physical disks. There is no redundancy, so losing one drive
    loses the whole set.

  - Level 1 is straightforward disk mirroring. You take two disk drives and tell NT to make
    one a mirror image of the other. It is fast and fault tolerant, at the cost of half the
    capacity.

  - Levels 2, 3 and 4 are not supported by NT Server.

  - Level 5 is much like level 0 in that data is striped across several separate physical
    drives. It differs in that it adds redundant information, called parity, that allows the
    data on one failed drive to be reconstructed from the remaining drives.

The RAID levels do not get better as the number rises; they are just different options. NT Server
has software RAID support, which means we need not invest in costly RAID hardware.
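To make concrete what "parity" buys at level 5, here is an added example written for this edition (it is not part of the original text, nor NT's own implementation). It models a four-disk RAID 5 set with rotating XOR parity over a constructed byte string, removes one disk, rebuilds it from the survivors, and shows that losing two disks at once is unrecoverable. The disk count, chunk size and sample payload are assumptions chosen for the demonstration.

```python
"""Toy RAID 5: striping with rotating XOR parity, single-disk rebuild.

Added example for this edition; the disk count, chunk size and payload
are assumptions, not values from the original text.
"""
from typing import List, Optional

# Constructed sample payload, not taken from the original page.
SAMPLE = b"Windows NT Server keeps the domain SAM on the PDC and replicates it to the BDCs."


def xor_chunks(chunks: List[bytes]) -> bytes:
    """Bytewise XOR of equally sized chunks: this is the parity operation."""
    out = bytearray(len(chunks[0]))
    for c in chunks:
        for i, b in enumerate(c):
            out[i] ^= b
    return bytes(out)


def parity_disk(stripe: int, ndisks: int) -> int:
    """RAID 5 rotates the parity chunk across the disks stripe by stripe."""
    return (ndisks - 1 - stripe) % ndisks


def stripe_raid5(data: bytes, ndisks: int, chunk: int) -> List[List[bytes]]:
    """Write data across ndisks drives; each stripe is ndisks-1 data chunks plus one parity chunk."""
    if ndisks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    nd = ndisks - 1
    stripe_bytes = nd * chunk
    data += b"\0" * ((-len(data)) % stripe_bytes)  # pad to whole stripes
    disks: List[List[bytes]] = [[] for _ in range(ndisks)]
    for s in range(len(data) // stripe_bytes):
        base = s * stripe_bytes
        chunks = [data[base + i * chunk: base + (i + 1) * chunk] for i in range(nd)]
        pdisk = parity_disk(s, ndisks)
        it = iter(chunks)
        for d in range(ndisks):
            disks[d].append(xor_chunks(chunks) if d == pdisk else next(it))
    return disks


def recover_raid5(disks: List[Optional[List[bytes]]], length: int) -> Optional[bytes]:
    """Read the data back. One failed disk (None) is rebuilt as the XOR of the
    survivors' chunks in each stripe; two or more failures return None."""
    ndisks = len(disks)
    failed = [i for i, d in enumerate(disks) if d is None]
    if len(failed) > 1:
        return None
    survivors = [d for d in disks if d is not None]
    nstripes = len(survivors[0])
    if failed:
        rebuilt = [xor_chunks([d[s] for d in survivors]) for s in range(nstripes)]
        disks = list(disks)
        disks[failed[0]] = rebuilt
    out = bytearray()
    for s in range(nstripes):
        pdisk = parity_disk(s, ndisks)
        for d in range(ndisks):
            if d != pdisk:
                out += disks[d][s]
    return bytes(out[:length])


def raid5_survives(data: bytes, lose: List[int], ndisks: int = 4, chunk: int = 8) -> bool:
    """True if the data is still intact after the listed disks have failed."""
    disks: List[Optional[List[bytes]]] = list(stripe_raid5(data, ndisks, chunk))
    for i in lose:
        disks[i] = None
    return recover_raid5(disks, len(data)) == data


if __name__ == "__main__":
    print("one disk lost:", raid5_survives(SAMPLE, [1]))      # True
    print("two disks lost:", raid5_survives(SAMPLE, [0, 2]))  # False
```

NT's fault-tolerant disk driver (FTDISK) does the same XOR arithmetic on far larger stripes; the model leaves out the write hole and the rebuild I/O load that make a degraded software RAID 5 set slow until the failed drive is replaced.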

1.11. Graphical User Interface
Windows NT has a simple GUI (Graphical User Interface) that is easy to use and resembles that
of Windows 95. This makes learning easier. All the administration functionality is available
through this GUI.

Chapter 2. NT Server Installation

Objectives
This chapter explains how to install Windows NT on a computer. It introduces the Primary
Domain Controller and its installation.

2.1. Planning the NT Installation
Before starting the NT installation it is necessary to plan. A hardware survey of the server
has to be made. A few of the things to record are:

- what kind of network adapter you have,
- what kind of disk adapter you have,
- the disk drive capacity, and so on.

This survey is important in case NT refuses to recognize a hardware device; the information
then comes in handy for setting the device up by hand. The list may be as exhaustive as you like;
there is no harm in learning as much about the hardware as possible.
NT Server can be installed as a primary domain controller, a backup domain controller or as
an ordinary (stand-alone) file/application server. This planning is necessary because the choice
between domain controller and stand-alone server, once made during installation, cannot be changed
without a reinstall (a BDC can later be promoted to PDC, but a stand-alone server can never become
a domain controller).
NT Server should be installed as a primary domain controller only if you are creating a
new domain.
If an NT Server is installed as a backup domain controller, a PDC must already be set up, and
the machine you are installing NT on must be able to reach the PDC over the network. NT refuses
to install as a backup domain controller if it cannot see the primary domain controller.
The name of the NT server must be decided now. Choose a name that is appropriate; avoid
names like pc1, pc2 and so on. If the server is to be on a TCP/IP network (Railnet runs TCP/IP),
the following must also be known or decided before starting the install:

- IP address
- Subnet mask
- Default gateway(s)
- DNS server(s)
- Domain name
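A quick sanity check on those planned values, as an added example that is not part of the original text: the Python below uses the standard ipaddress module to confirm that the address and mask form a valid subnet, that the address is a usable host address, that every default gateway lies on that subnet (NT cannot use a gateway it cannot reach directly) and that the DNS server entries are well formed. The addresses used are constructed placeholders.

```python
"""Sanity-check a planned static TCP/IP configuration before running NT Setup.

Added example for this edition; the addresses below are constructed placeholders.
"""
import ipaddress
from typing import List


def check_tcpip_plan(ip: str, mask: str, gateways: List[str], dns_servers: List[str]) -> List[str]:
    """Return a list of problems with the plan; an empty list means it looks sane."""
    problems: List[str] = []
    try:
        iface = ipaddress.ip_interface(f"{ip}/{mask}")  # validates both address and mask
    except ValueError as exc:
        return [f"bad IP address or subnet mask: {exc}"]
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    if not gateways:
        problems.append("no default gateway: the server can only reach its own subnet")
    for gw in gateways:
        try:
            g = ipaddress.ip_address(gw)
        except ValueError:
            problems.append(f"bad default gateway address {gw}")
            continue
        if g not in net:
            problems.append(f"default gateway {gw} is not on subnet {net}; NT cannot reach it")
        elif g == iface.ip:
            problems.append(f"default gateway {gw} is the server's own address")
    if not dns_servers:
        problems.append("no DNS server: host names will not resolve")
    for d in dns_servers:
        try:
            ipaddress.ip_address(d)
        except ValueError:
            problems.append(f"bad DNS server address {d}")
    return problems


if __name__ == "__main__":
    # Constructed plan for a hypothetical server; nothing here is from the original page.
    print(check_tcpip_plan("10.1.5.20", "255.255.255.0", ["10.1.5.1"], ["10.1.1.10"]))   # []
    print(check_tcpip_plan("10.1.5.20", "255.255.255.0", ["10.1.6.1"], ["10.1.1.10"]))   # gateway off-subnet
```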

2.2. Primary Domain Controller

A Windows NT machine can be installed as a primary domain controller, a backup domain controller
or a stand-alone (member) server. Let us see what these are. NT puts a lot of emphasis on security;
it was one of its design goals. One of the main building blocks of this security is the authentication
of users. In a Windows NT network the job of authentication is controlled by one machine in charge
of the domain. In this role the machine is called the Primary Domain Controller (PDC). It maintains
the master copy of the database of users and their rights, and authenticates a user who wants to use
the resources of the network.
This means that in an NT network the PDC is of primary importance: without its permission
no one is allowed to use the network. This makes it essential to keep the service available. To
cover the times when the PDC is not available, we install other Windows NT Servers configured as
Backup Domain Controllers (BDCs). For installing a BDC, a PDC should already exist in the network
and be working. The BDC keeps talking to the PDC and receives from it a read-only copy of the
account database, so it stays up to date about the network users and their rights. In normal
operation BDCs authenticate logons alongside the PDC, which also spreads the logon load. When the
PDC goes down, the BDCs carry on authenticating users from their copy of the database, but no
accounts or passwords can be changed until an administrator promotes one of the BDCs to PDC in
Server Manager. When the old PDC is brought back into service it does not step back automatically;
it will not run as a domain controller again until it is demoted to a BDC in Server Manager.
At times we may not want the domain setup at all. Maybe we are only interested in hosting a
web site on NT. In such cases, Microsoft provides the stand-alone server installation of Windows
NT. This works like any other server and takes no part in domain activity (it can still join a
domain as a member, but it holds no copy of the account database).
2.3. Starting NT Install Program
Windows NT comes with three install floppy disks; we discuss the install that uses them.
The disks are labeled "Windows NT Setup Boot Disk", "NT Disk 2" and "NT Disk 3". These
floppies do not contain all of NT; they contain just enough software to kick off the installation
process so that the NT installation CD can take over.

- Put the "Setup Boot Disk" into the A: drive and reboot the machine. NT runs NTDETECT.COM,
  which figures out what hardware is in your system. You see the message "Windows NT Setup /
  Setup is inspecting your computer's hardware configuration."

- Next you see a blue screen with white letters reading "Windows NT Setup", and at the
  bottom of the screen, "Setup is loading files (Windows NT Executive)".

- NT next loads the HAL (Hardware Abstraction Layer), after which you are prompted to insert
  Setup Disk #2 and press Enter. Messages at the bottom of the screen tell you what is loading,
  including:
  - NT config data
  - Fonts
  - Locale-specific database
  - Windows NT Setup
  - PCMCIA support
  - SCSI port drivers
  - Video drivers
  - Floppy disk drivers
  - Keyboard driver
  - FAT (File Allocation Table) file system

- The next screen is a welcome screen with the following choices:
  - To learn more, press F1.
  - To set up Windows NT now, press Enter.
  - To repair a damaged installation, press R.
  - To quit, press F3.

- Press Enter, insert Setup Disk #3, and press Enter again. Setup goes into device detection.

- Setup auto-detects any SCSI adapters in your system. If an adapter is not recognized, you
  can tell NT to use a device support disk from the vendor.

- Next NT asks whether you want to upgrade or do a fresh install. If NT was already loaded
  on the hard disk you get an upgrade option; on a newly formatted hard disk the upgrade option
  is not offered.

- NT Setup then tells you what it thinks you have in terms of:
  - basic PC type
  - video system
  - keyboard
  - country layout for the keyboard
  - mouse
  The list is usually correct. At times a powerful video card is detected as a plain VGA card.
  Nothing to worry about: it can be reconfigured to its full capability after the basic NT
  install.

- Next, NT Setup shows you the partitions on your system and asks which one you want to
  install NT on. Select the partition and press Enter. You then choose how you want to format
  the partition, if you want to format it at all. Your choices are:
  - wipe the disk, formatting it as a FAT file system;
  - wipe the disk, formatting it as an NTFS file system;
  - convert an existing FAT file system to NTFS;
  - leave the current file system and data alone.
  It is recommended that on an NT Server you use NTFS for the system and data drives unless you
  have a very good reason not to: a FAT partition carries no file permissions at all, so anyone
  who can log on to the server can read and change every file on it. The main features that NTFS
  offers include:
  - directories that are automatically sorted;
  - support for upper- and lowercase letters in names;
  - support for Unicode in file names;
  - permissions that can be set on directories and files;
  - faster access to large sequential-access files;
  - faster access to random-access files;
  - file and directory names up to 255 characters;
  - long names automatically converted to the 8.3 format when accessed by a DOS workstation;
  - more sparing use of disk space than FAT. Under FAT, the minimum space a file occupies on
    disk is 2048 bytes, and as partitions get larger that minimum grows too: on a 1700 MB disk
    it is 32768 bytes. NTFS on the same disk uses a much smaller allocation unit, and very
    small files are stored directly in the file's MFT record, so little space is wasted.

- Now choose an install directory. Normally \WINNT is chosen; this is also the default shown.

- NT reboots itself and enters the graphical setup.

- NT asks you to personalize your software by entering your name and the company name.
  Enter them and click Continue.

- Now you make the licensing choice. There are two options:
  - Per seat: you need a client license for every workstation that will ever log onto the
    domain. Per-seat licensing has a simple advantage: if you count the number of people who
    log onto the domain, you have the number of licenses you need.
  - Per server: you need a license for every simultaneous connection to this NT server, so
    each user who logs on or uses a service takes one license. If this mode is chosen, you enter
    the number of client licenses you have obtained. This must be at least one, or the File and
    Print services will refuse to start.

- NT now lets you choose the name of the computer.

- Specify whether NT is to be a domain controller or a stand-alone server.

- NT prompts you to create an emergency repair disk (ERD). Please make it. This is not a
  bootable disk; it holds the data needed to reconstruct the configuration if your NT system is
  no longer able to boot. Keep it locked away: the ERD, like the %SystemRoot%\repair directory
  it is made from, contains a copy of the account database including the password hashes, and
  is a favourite target for anyone trying to recover administrator passwords.

- NT then goes into actually setting up the system: copying files from the CD to the hard
  disk, configuring the workspace and so on.

- Windows NT is now installed on the computer.


2.4. Creating NT Boot Disk
At times you may need to start NT from a floppy. Here we outline the procedure for creating
a generic NT boot floppy.

- Format a floppy under NT, either from NT Explorer or from a command line under NT. Do not
  use a DOS-formatted floppy, or this will not work: the boot sector of a DOS-formatted floppy
  looks for the DOS boot files IO.SYS and MSDOS.SYS, whereas the boot sector of an NT-formatted
  floppy looks for the NT boot loader NTLDR. (From Explorer, right-click on the drive and choose
  Format.)

- You are going to copy a few files from the root directory of your server's boot drive to
  the floppy in the A: drive. The files are hidden, so you have to tell Explorer to show hidden
  files: choose View | Options and, on the View tab, select "Show all files".

- Looking in your server's root directory, copy the following files from there to the
  floppy disk:
  - NTLDR
  - NTDETECT.COM
  - BOOT.INI
  - NTBOOTDD.SYS (only if your server boots from a SCSI disk whose controller BIOS is
    disabled; otherwise this file will not be there.)

When you are finished, you have a floppy that "jump starts" your system: the floppy supplies
the boot loader, and the copied BOOT.INI points it at the NT installation on the hard disk. It
therefore only works for the machine, and the disk layout, whose BOOT.INI you copied.

Chapter 3. NT Domains
Objectives
This chapter explains NT domains. We see the various schemes of NT domain implementation,
and examine the NT trust model as well as the way trust relationships are established
and removed.

Domains are groups of NT machines, which must be either NT Workstations or NT Servers.
No other client operating system, such as Windows 95 or Windows 98, can join a domain (they have
no machine account), although all of these machines can log in and access domain resources.
Domains provide a single entity to manage and to sign in to, regardless of the number of
machines in the domain.
NT helps by enabling you to set up domains, that is, groups of machines. After a domain is
established, users sign on once to obtain the services of any machine in the domain that they
are authorized to use. The domain delegates certain functions to certain servers, telling the other
servers when it is okay to allow access.
A domain really takes on that function within NT only when one or more of the machines in
the domain are in control. NT calls such a machine a domain controller. On each network we need
a machine called the Primary Domain Controller. This machine maintains the central database
containing all the accounts, passwords and access control information that are part of NT security.
3.1. Understanding Domain Model
Microsoft describes four basic models for combining servers and workstations:
1. The single domain.
2. The master domain.
3. Multiple master domains.
4. The complete trust model.

The single domain model is the simplest. If there are only a few servers and a few users, this
is the model to go for. It contains just one domain, and all the resources are managed through it.
In the master domain model there are many domains. One domain is set up as the master domain,
controlling all the user accounts, with any number of resource domains. A resource domain contains
only servers and NT Workstation machine accounts, no users. These resource domains can contain
print servers, file servers and application servers. Each resource domain is set up to trust the
master domain, completing the arrangement; no trust relationship is needed between the resource
domains.
If there are a very large number of users, a single master domain may not be appropriate.
Hence Microsoft created the multiple master domain model. Several master domains are created,
and these master domains trust each other in both directions. All the resource domains must then
trust each of the master domains.
In the complete trust model every domain trusts every other domain. With n domains this
requires n(n-1) one-way trusts, and the administrators of each domain effectively extend their
trust to the administrators of all the others.
As the size of the network grows, so does the complexity. Maintaining these trust relationships
is time consuming, and trying to figure out all the permutations can be frustrating. The good news
is that this disappears with Windows 2000 Server, where Active Directory trusts are transitive,
and multiple machine management is greatly enhanced.
3.2. Trust Relationship
What is a trust relationship? In NT, security is a major component of the system, and one
domain cannot accept the accounts of another domain, in any fashion, unless the two domains are
told that doing so is okay. This extends to the workstation level: if Rakesh tries to use an NT
workstation in domain B, where he has no account, he gets nowhere. The manner in which a domain
is told to acknowledge another domain's accounts is called a trust relationship.
A trust relationship can be one-way or two-way. Domain A might trust domain B in a one-way
relationship. Users in domain B can then access resources in domain A using the accounts and
passwords originally set up for them in their home domain (in this example, B); A is the trusting
domain and B the trusted domain. Users in domain A cannot use the resources of domain B, however,
because the relationship goes in only one direction. A two-way trust is simply two one-way trusts,
one in each direction. Two further points matter in practice. A trust only lets A recognize B's
accounts; B's users still get access to nothing in A until A's administrators grant them
permissions. And NT trusts are not transitive: if A trusts B and B trusts C, A does not trust C
unless a separate trust is created.
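To make the direction of a trust concrete, here is an added Python model, written for this edition and not part of the original text or of NT itself, of the rules just described together with the two-step setup of Section 3.3: a trust is one-way, must first be permitted by the trusted domain before the trusting domain can complete it, is protected in between by an optional password, is removed on both sides, and is not transitive. The domain names, account names and password are assumptions for the demonstration.

```python
"""Toy model of NT 4.0 domain trusts: one-way, agreed on both sides, non-transitive.

Added example for this edition; domain and account names are assumptions.
"""
from typing import Dict, Optional, Set, Tuple


class NtTrustModel:
    def __init__(self) -> None:
        self.accounts: Dict[str, Set[str]] = {}
        # (trusted, trusting) -> password: `trusted` has permitted `trusting` to trust it
        # (the Trusting Domains list in the trusted domain's User Manager, Section 3.3.1).
        self.permitted: Dict[Tuple[str, str], Optional[str]] = {}
        # (trusting, trusted): `trusting` accepts accounts from `trusted` (Section 3.3.2 completed).
        self.trusts: Set[Tuple[str, str]] = set()

    def add_domain(self, name: str, users: Set[str]) -> None:
        self.accounts[name] = set(users)

    def permit_to_trust(self, trusted: str, trusting: str, password: Optional[str] = None) -> None:
        """Run in the TRUSTED domain: Policies | Trust Relationships | Trusting Domains | Add."""
        self.permitted[(trusted, trusting)] = password

    def add_trusted_domain(self, trusting: str, trusted: str, password: Optional[str] = None) -> bool:
        """Run in the TRUSTING domain: Trusted Domains | Add. Succeeds only if the other
        side permitted it and the password matches; the permission is then used up."""
        key = (trusted, trusting)
        if key not in self.permitted or self.permitted[key] != password:
            return False
        del self.permitted[key]
        self.trusts.add((trusting, trusted))
        return True

    def remove_trust(self, trusting: str, trusted: str) -> None:
        """Section 3.4: the trust is taken down on both sides."""
        self.trusts.discard((trusting, trusted))
        self.permitted.pop((trusted, trusting), None)

    def can_log_on(self, account_domain: str, user: str, target_domain: str) -> bool:
        """Can `user` from `account_domain` be authenticated by `target_domain`?
        Only in the home domain, or when target trusts the home domain directly."""
        if user not in self.accounts.get(account_domain, set()):
            return False
        if account_domain == target_domain:
            return True
        return (target_domain, account_domain) in self.trusts  # one-way and non-transitive


def build_example() -> NtTrustModel:
    """B trusts A (as in Section 3.3), and A trusts C; B never trusts C."""
    m = NtTrustModel()
    m.add_domain("A", {"rakesh"})
    m.add_domain("B", {"bina"})
    m.add_domain("C", {"chandra"})
    m.permit_to_trust("A", "B", "trust-pw")      # done by A's administrator
    m.add_trusted_domain("B", "A", "trust-pw")   # done by B's administrator
    m.permit_to_trust("C", "A")                  # no password this time
    m.add_trusted_domain("A", "C")
    return m


if __name__ == "__main__":
    m = build_example()
    print("rakesh@A on B:", m.can_log_on("A", "rakesh", "B"))    # True
    print("bina@B on A:", m.can_log_on("B", "bina", "A"))        # False: one-way
    print("chandra@C on B:", m.can_log_on("C", "chandra", "B"))  # False: not transitive
```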
3.3. Creating Trust Relationship
NT is very security conscious. Hence, before a trust can be established, both domains must
agree to it. The domain that is to be trusted, say A, must first permit the other domain to trust
it; then the domain that wants to trust it, say B, must perform its own action to complete the
trust.
3.3.1. Setting up a Domain to Trust Another
Let us say that we have two domains, A and B. To establish a trust relationship so that B
trusts A, follow these steps:
1. Log on to domain A using an account with administrative privileges.
2. Open User Manager for Domains by choosing Start | Programs | Administrative Tools
   (Common) | User Manager for Domains.
3. Choose Policies | Trust Relationships. Figure 3.1 shows the dialog box that appears. It
   lists all the domains that are currently trusted, or permitted to trust this one. The two
   main lists are called Trusted Domains and Trusting Domains.

Figure 3.1. The Trust Relationship Dialog Box.

4. Click the Add button beside the Trusting Domains list.
5. In the box that appears, type the name of the domain that you want to permit to trust A.
   In our example you type B here.
6. You can set a password by entering one in the space provided. The password applies to the
   window between permitting B to trust A and the moment B completes the relationship. A password
   is not strictly necessary if you go on and finish the trust process right away, but it is wise
   to set one: until B completes its side, any domain calling itself B that can reach A's domain
   controller could complete the trust instead, and the password is the only thing stopping it.
7. Click OK when you are ready to continue. B appears in the Trusting Domains list.
8. Click the Close button in the upper-right corner of the dialog box to complete the task.

By setting up the trusting half of the relationship, we are halfway to establishing a one-way
trust relationship.
3.3.2. Completing the Trust Relationship
Here we actually make domain B start trusting A. A has already agreed to let B trust it, as
we saw in Section 3.3.1. Follow these steps:
1. Log on to domain B using an account with administrative privileges. Obtain the trust
   password that the domain A administrator used when the trust relationship was started (if
   one was used).
2. Open User Manager for Domains by choosing Start | Programs | Administrative Tools
   (Common) | User Manager for Domains.
3. Choose Policies | Trust Relationships. You see the two lists, Trusted Domains and
   Trusting Domains.
4. Click the Add button beside the Trusted Domains list.
5. In the Add Trusted Domain dialog box, type the name of the domain that you want to trust,
   in this example A. Then enter the password supplied by the domain A administrator; if no
   password was used, leave the password field blank.
6. Click OK when you are ready to continue. After some activity by the machine, domain A
   appears in the Trusted Domains list. B now trusts A.
7. Click the Close button in the upper-right corner to complete the task.

3.4. Removing a Trust Relationship

Having established a trust relationship, let us see how to remove one. A trust must be
removed on both sides; taking it down in only one domain leaves a dangling entry in the other.
Follow these steps:
1. Log on to domain B (the trusting domain) using an account with administrative privileges.
2. Open User Manager for Domains by choosing Start | Programs | Administrative Tools
   (Common) | User Manager for Domains.
3. Choose Policies | Trust Relationships. You see the two lists, Trusted Domains and
   Trusting Domains.
4. Select domain A in the Trusted Domains list and click Remove. Click Yes when asked to
   confirm.
5. Click the Close button in the upper-right corner of the dialog box to complete the task.
6. Log on to domain A (the trusted domain) using an account with administrative privileges.
7. Open User Manager for Domains by choosing Start | Programs | Administrative Tools
   (Common) | User Manager for Domains.
8. Choose Policies | Trust Relationships. You see the two lists, Trusted Domains and
   Trusting Domains.
9. Select domain B in the Trusting Domains list and click Remove. Click Yes when asked to
   confirm.
10. Click the Close button in the upper-right corner of the dialog box to complete the task.

Chapter 4. Managing User Accounts

Objectives

This chapter explains user management in Windows NT. It introduces the user account
and the group account. You will learn how to create a user and a group, and how to add a user
to a group. Also explained is the concept of local and global groups.

4.1. User Accounts

User accounts are the building blocks of NT security. In any system, identification and
authentication of the people using the system is of primary importance; this is the role of user
accounts. A username is simply a method of referring to a user account. You assign usernames
and passwords for each domain. In addition, you can specify the times at which a user can log on,
and control where the user can log on. You can also set a minimum length for passwords and a
limit on the time for which a password may be kept. These controls reduce the chance that an
unauthorized user can guess a password.

Usernames can be anywhere between 1 and 20 characters in length. You can use upper- or
lowercase characters, numbers and underscores in a username. The characters = > < | + [ ] \ / * ; : . , ?
and " are not allowed in usernames. Usernames are assigned a security identifier (SID) when they
are first created. A SID is a unique number identifying an account in the NT Server security system.

When you create a new Windows NT domain, the system creates the following two user
accounts.

- Administrator

- Guest

4.1.1. Administrator Account

This account is created when you install a Windows NT system. Its purpose is to manage
accounts. The Administrator can do the following:

- Access any file or directory.

- Create or delete users and groups.

- Establish trust relationships.

- Manage printers and print sharing.

- Assign operators.

- Create and modify logon scripts.

- Set default account policies.

- Set and change passwords.

- Manage auditing and security logs.

- Cannot be deleted.

The Administrator account is omnipotent. You need to control its use tightly.

4.1.2. Guest Account

This is also created when you install Windows NT. A Guest is anyone that the domain
does not recognize. By default the Guest account remains disabled and must be left so.
4.2. Creating User Accounts

We will explore two methods of creating a user account. The first is to use User
Manager for Domains, and the other is to use the NET command. User Manager for Domains
can be used to perform the following tasks:

- Create, modify and delete user accounts.

- Assign logon scripts to user accounts.

- Create and manage groups.

- Manage the domain's security policies.

- Establish trust relationships.

Let us see how to create a user account. Follow these steps:

1. Log on to the Windows NT Server as Administrator.

2. Choose Start | Programs | Administrative Tools (Common) | User Manager for Domains. You
will see the window shown in Figure 4.1.

3. Choose User | New User. The New User dialog box appears as shown in Figure 4.2.

4. Type the new user account name, say iriset, in the Username box. Press Tab to move to the
next field.

5. Type the user's full name in the Full Name box. Press Tab to move to the next field.

6. Enter a comment in the User Description box. Press Tab to move to the next field.

7. Enter a password from 1 to 14 characters in length for the user. Press Tab to move to the
next field. Windows NT Server displays the password that you entered as asterisks to protect
its confidentiality as you enter it.

Figure 4.1. User Manager for Domains.

Figure 4.2. New User Dialog Box.

8. Confirm the password by retyping the password.

9. Click the Add button.

10. Click the Close button.


In the New User dialog shown in Figure 4.2, there are a few more options at the bottom to control
and set other properties of the account. Table 4.3 lists the various options and their descriptions.

We can also add a user with the NET command. To add a user account, enter the following:

NET USER username [password | *] [/ADD] [options] [/DOMAIN]

To modify an existing user, enter the following:

NET USER username [password | *] [options] [/DOMAIN]

To delete an existing user, enter the following:

NET USER username [password | *] [/DELETE] [options] [/DOMAIN]

The parameters of this command are shown in Table 4.1. The command has many options,
but the most used ones are listed in Table 4.2.

username
    Specifies the name of the account that you want to create, change or delete.
password
    Specifies the password for the username. Alternatively, you can use *; the system
    then prompts you for the password and masks the characters that you enter.
/DOMAIN
    Specifies that the action applies to the Primary Domain Controller.
options
    Specifies one or more options as shown in Table 4.2. You must separate your
    options with at least one space.

Table 4.1. The NET USER parameters.

/ACTIVE:{YES | NO}
    Enables or disables the account. The default is to enable the account.
/COMMENT:"User description"
    Provides a descriptive comment about the user account, at most 48 characters long.
/PASSWORDCHG:{YES | NO}
    Specifies whether the user can change the password.

Table 4.2. The NET USER command options.
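As an added example (this is not code from the IRISET note), the following Python functions check a proposed username against the rules given in section 4.1 (1 to 20 characters, none of the characters = > < | + [ ] \ / * ; : . , ? ") and then assemble the NET USER command line from the parameters in Table 4.1 and the options in Table 4.2. The password and comment limits (14 and 48 characters) are the ones stated above; the function names and the sample account are my own assumptions. Passing * instead of a literal password makes NET USER prompt for it, which keeps the password out of the command history and out of any script that calls the command.

```python
"""Validate an NT username and assemble the NET USER command line.

Added example: the rules come from section 4.1 and Tables 4.1 and 4.2 of the
note; the function names are assumptions made for this illustration.
"""

# Characters that section 4.1 lists as not allowed in a username.
FORBIDDEN_CHARS = set('=><|+[]\\/*;:.,?"')
MAX_USERNAME_LEN = 20   # section 4.1
MAX_PASSWORD_LEN = 14   # section 4.2, step 7
MAX_COMMENT_LEN = 48    # Table 4.2, /COMMENT


def validate_username(name):
    """Return a list of rule violations; an empty list means the name is acceptable."""
    problems = []
    if not 1 <= len(name) <= MAX_USERNAME_LEN:
        problems.append("length must be 1 to %d characters" % MAX_USERNAME_LEN)
    bad = sorted(set(name) & FORBIDDEN_CHARS)
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    return problems


def build_net_user(name, password="*", add=False, delete=False, active=None,
                   comment=None, password_chg=None, domain=True):
    """Build the NET USER command as one string.

    password: "*" makes NET USER prompt for (and mask) the password, a literal
    string puts it on the command line, and None omits it (as for /DELETE).
    add/delete select the /ADD and /DELETE forms; active, comment and
    password_chg map to the options of Table 4.2; domain adds /DOMAIN so the
    change is made on the Primary Domain Controller.
    """
    problems = validate_username(name)
    if problems:
        raise ValueError("invalid username %r: %s" % (name, "; ".join(problems)))
    if add and delete:
        raise ValueError("/ADD and /DELETE cannot be combined")

    args = ["NET", "USER", name]
    if password is not None:
        if password != "*" and not 1 <= len(password) <= MAX_PASSWORD_LEN:
            raise ValueError("password must be 1 to %d characters" % MAX_PASSWORD_LEN)
        args.append(password)
    if add:
        args.append("/ADD")
    if delete:
        args.append("/DELETE")
    if active is not None:
        args.append("/ACTIVE:" + ("YES" if active else "NO"))
    if comment is not None:
        if len(comment) > MAX_COMMENT_LEN:
            raise ValueError("comment longer than %d characters" % MAX_COMMENT_LEN)
        args.append('/COMMENT:"%s"' % comment)
    if password_chg is not None:
        args.append("/PASSWORDCHG:" + ("YES" if password_chg else "NO"))
    if domain:
        args.append("/DOMAIN")
    return " ".join(args)


if __name__ == "__main__":
    # Constructed sample: the account "iriset" used in the steps above.
    print(build_net_user("iriset", add=True, comment="IRISET trainee",
                         password_chg=False))
    print(build_net_user("iriset", password=None, delete=True))
    print(validate_username("bad|name"))
```

The functions only build the command string; running it is left to the administrator, so the same checks can be reused in a batch file that creates many accounts from a list.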
User Must Change Password at Next Logon (default: ON)
    Selecting this option forces users to change the password when they log on for the first
    time. Selecting this option is a good idea so that the administrator does not continue to
    know the user's password (because they are forced to change it).
User Cannot Change Password (default: OFF)
    Selecting this option prevents users from changing the password. Selecting it is not a
    good idea, especially when the users have access to confidential and critical data.
Password Never Expires (default: OFF)
    Selecting this option bypasses the Maximum Password Age account policy. Again,
    selecting it is not a good idea because the password does not change and becomes easier
    to guess with time.
Account Disabled (default: OFF)
    Selecting this option creates an inactive account. You can use this feature when you are
    creating accounts for future use, or when you think that the account is being used by an
    intruder.

Table 4.3. New User options.

4.3. Creating Groups

You can create groups and then add users to them. Groups simplify administration because
they allow you to assign rights at the group level. A group is a name, similar to the username of a
user account, that can be used to refer to one or more users. Using groups provides a convenient
way to give and control access to users who perform similar tasks.

Two types of groups exist in the NT environment: local groups and global groups. The terms local
group and global group do not refer to the contents of the group, but to the scope of the group's
accessibility. Local groups are local to the security system where they were created; domain
local groups have rights and permissions on a single domain.

A local group is available only on the domain controllers within the domain where you create
the group, whereas a global group is available within its own domain and in trusting domains.
Microsoft likes to call local groups import groups and global groups export groups. A few
things that should be kept in mind are itemized below.

- Local groups on domain controllers have rights only on the domain on which they were created.

- Local groups on Windows NT Workstation and member servers (non-domain controllers)
have rights only on the computer on which they were created.

- Local groups cannot contain other local groups; they can contain only user accounts or
global groups from the same domain or another domain.

4.3.1. Using Local Groups

Local groups define permissions to resources only within the domain where the local group
exists. Hence, the term local defines the scope of the resource permissions granted to users
within the group.

Windows NT automatically creates several default local and global groups during installation.
A few of them are listed in Table 4.5.
4.3.2. Using Global Groups

A global group, available on Windows NT Server domains, contains only individual user
accounts (no groups) from the domain where it was created. After you create a global group, you
can assign it permissions and rights, either in its own domain or in any trusting domain.

Using a global group is a good way to export a group of users as a single unit to another
domain. In a trusting domain, for example, you can grant identical permissions on a particular file
to a global group; these permissions then pertain to all individual members of that group. Global
groups defined in a domain can be exported to Windows NT workstations because Windows NT
workstations support local groups; they can, therefore, make use of a global group defined in
either the workstation's own domain or another domain.

In fact, this is how NT sets up control so that the Administrator can control all NT servers and
workstations in a domain. By placing the Domain Admins group into each machine's local
Administrators group, the domain administrators can own that machine.

By using trust relationships, users within a global group can access resources outside their
locally defined domain.

A local group and a global group can share the same name. They are still different.

Table 4.4 shows the default global groups created by Windows NT.

Domain Admins
    Members can fully administer the home domain, the workstations of the domain, and any
    other trusted domains that added this group to their local Administrators group. These
    members are added automatically to the local Administrators group.
Domain Guests
    Members can access the Guest account, and can potentially access resources across
    domains. Members are added automatically to the local Guests group.
Domain Users
    Members have normal access to the domain and any NT workstation in the domain. The
    group contains all domain users, and its members are added automatically to the local
    Users group.

Table 4.4. Domain global groups on Windows NT Server.
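The scoping rules of sections 4.3 to 4.3.2, as an added Python example (not code from the note): a global group may contain only user accounts from its own domain, a local group may contain users or global groups but never another local group, and a global group from another domain may be used only where that domain is trusted, as set up in Chapter 3. The domains A and B, the users and the one-way trust (B trusts A) are constructed for the illustration, and the class and function names are my own. The last function flattens a local group to the set of users who actually hold its rights, which is what an audit of an NT file server usually needs to know.

```python
"""Model of Windows NT group scoping rules (added example, not from the note).

Domains, users and the trust table are constructed for the illustration.
trusts is a set of (trusting_domain, trusted_domain) pairs: ("B", "A") means
"B trusts A", so A's users and global groups may be given rights in B.
"""


class User:
    def __init__(self, name, domain):
        self.name, self.domain = name, domain


class GlobalGroup:
    """Export group: holds only user accounts from the domain that created it."""

    def __init__(self, name, domain):
        self.name, self.domain, self.members = name, domain, []

    def add(self, member):
        if not isinstance(member, User):
            raise ValueError("a global group may contain only user accounts")
        if member.domain != self.domain:
            raise ValueError("user %s is not from domain %s" % (member.name, self.domain))
        self.members.append(member)


def can_grant(global_group, resource_domain, trusts):
    """A global group can be granted rights in its own domain or in a trusting domain."""
    return (global_group.domain == resource_domain
            or (resource_domain, global_group.domain) in trusts)


class LocalGroup:
    """Import group: holds users or global groups (never local groups);
    members from another domain are accepted only if that domain is trusted."""

    def __init__(self, name, domain, trusts):
        self.name, self.domain, self.trusts, self.members = name, domain, trusts, []

    def add(self, member):
        if isinstance(member, LocalGroup):
            raise ValueError("a local group cannot contain another local group")
        if isinstance(member, GlobalGroup):
            if not can_grant(member, self.domain, self.trusts):
                raise ValueError("%s does not trust %s" % (self.domain, member.domain))
        elif isinstance(member, User):
            foreign = member.domain != self.domain
            if foreign and (self.domain, member.domain) not in self.trusts:
                raise ValueError("%s does not trust %s" % (self.domain, member.domain))
        else:
            raise ValueError("unsupported member type")
        self.members.append(member)


def effective_users(local_group):
    """Flatten a local group to the (domain, user) pairs that hold its rights."""
    users = set()
    for member in local_group.members:
        if isinstance(member, User):
            users.add((member.domain, member.name))
        else:
            users.update((u.domain, u.name) for u in member.members)
    return users


if __name__ == "__main__":
    trusts = {("B", "A")}                      # constructed: B trusts A
    alice, bob = User("alice", "A"), User("bob", "A")
    domain_users_a = GlobalGroup("Domain Users", "A")
    domain_users_a.add(alice)
    domain_users_a.add(bob)
    users_b = LocalGroup("Users", "B", trusts)
    users_b.add(domain_users_a)                # export A's users into B
    print(sorted(effective_users(users_b)))
```

Because the trust table is one-way, the same global group from B cannot be placed into a local group in A; the model raises in that case, which is the check a script should make before granting cross-domain rights.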

4.3.3. Special Groups

Besides the local and global groups, Windows NT has a few special groups with no
members. The name special does not refer to the privilege level of users but rather to the way
computer resources are accessed. These groups have no members because they apply to any
account using the computer in a specified way. You do not see these groups listed in the User
Manager for Domains window; however, they might appear when you are assigning permissions to
directories, files, shared directories, or printers.

Table 4.6 shows some of the special groups of Windows NT Server.

Administrators
    Members can fully administer the local computer and any domain resources. The group is
    the most powerful. Within the Administrators group is a built-in account that you cannot
    delete. Because you cannot disable the Administrator account, you might want to create a
    backup Administrator account for emergencies.
Account Operators
    Members can use User Manager for Domains to manage domain user and group accounts. An
    Account Operator cannot change or delete the Domain Admins, Account Operators, Backup
    Operators, Print Operators, or Server Operators groups. Also, an Account Operator cannot
    change or delete administrator user accounts or administer security policies.
Backup Operators
    Members can perform backups and restores, and can bypass the security restrictions on
    directories and files to back them up.
Guests
    Members can access the server from the network but cannot log on locally. The built-in
    Guest account is automatically a member of this group.
Print Operators
    Members can administer the domain printers. They can create, manage, and delete printer
    shares.
Power Users
    Members can do everything that members of the Users group can do. In addition, these
    members can create user accounts, modify the user accounts they created, put any user
    accounts on the computer into the Power Users, Users, and Guests built-in groups, share and
    stop sharing files, directories and printers located at the computer, and set the computer's
    internal clock.
Replicator
    Members can manage replication services. They are granted appropriate privileges to
    replicate files in the domain. Use this group only to support the Directory Replication
    Service.
Server Operators
    Members can manage the servers in the domain. Tasks include logging on locally,
    restarting the server, and shutting down the server.
Users
    Members can access the server from the network but cannot log on locally. They are normal
    users of the domain and have limited access to the domain and their computers. They can
    make some configuration changes to their environment but have limited functionality. They
    cannot create new shared directories, for example, or start and stop services.

Table 4.5. Predefined local groups.

Interactive Users
    Users who log on to the local computer. Interactive users access resources on the machine
    at which they are sitting.
Network Users
    Users who log on to a network or remote computer using their account or an enabled Guest
    account.
Everyone
    All users who access a computer, whether locally or remotely. This group includes both
    interactive and network users.

Table 4.6. Special groups on Windows NT Server.

Chapter 5. Directory Shares

Objectives

This chapter explains how to share a folder to make it available to all network users.
We will also discuss the various permissions that can be set on files and folders.

5.1. FAT and NTFS

FAT[1] was the file system used in DOS and the Win 95/98 OS[2]. As it is supported by
DOS-based systems, it should be used if backward compatibility is required. If you want to boot
from a boot floppy and read the hard disk, FAT should be used. If there is no such requirement,
NTFS[3] should be used.

The main features that NTFS offers include:

- Directories that are automatically sorted.

- Support for upper- and lowercase letters in names.

- Permissions that can be set on directories and files.

- Faster access to large (over 0.5MB) sequential files.

- Faster access to all random-access files.

- File and directory names up to 254 characters.

- Long names are automatically converted to the 8+3 naming convention when accessed by a
DOS-based workstation.

NTFS uses disk space more sparingly than FAT does. Under FAT the minimum size that a
file actually uses on a disk is 2048 bytes, and as disk partitions get larger, that minimum size
also gets larger. On a 1700MB disk, this minimum size would be a whopping 32768 bytes.
Under NTFS the same hard disk (and any hard disk, in fact) supports files so that no file
actually takes more than 512 bytes of space.[4]

[1] File Allocation Table.
[2] Operating System.
[3] NT File System.
[4] Hard disk space is allocated to files in chunks of a fixed number of bytes. For the FAT file system this fixed-size chunk becomes
larger as the hard disk size increases. So on a 1700MB hard disk, even if a file contains only 1 byte, the disk space
allocated to it will be 32768 bytes. This means that to save any information of less than 32768 bytes, FAT will allocate
32768 bytes and no less. This wastes a lot of space and hence the disk space utilization is very poor. NTFS, on the other
hand, uses 512-byte chunks for any size of hard disk. This file system thus offers better disk space utilization.
5.2. Creating Directory Shares

Most servers on a network function as repositories for files and directories that must be
accessible to the network users. Files and directories on a server running NT Server must first
be shared before network users can access them. Merely setting up a server will not do, as the
server will just announce itself by saying, "Hi, I am a server, but I am not sharing anything."

To share a directory, you must log on as a member of the Administrators or Server Operators
group. Creating a share is easiest if you are physically logged on to the server. This is the
recommended method.

NT can only share directories, not files; it is not possible to pick just one file and ask NT to
share it. A whole directory must be shared[1].
5.3. Sharing Folders Using Windows NT Explorer

To share a folder using Windows NT Explorer, do the following.

1. Log on to your system using an Administrative account.

2. Go to Start, Programs, Windows NT Explorer.

3. Select the folder you want to share and then right-click on the folder to see the drop-down
menu.

4. Select the Sharing option. NT Server shows you the Properties window with sharing options.
The window's default is Not Shared.

5. Click the Shared As button and fill in the details as needed to set up the share. For example,
type the share name you want users to see, and type a description of the files in the
share. Set the maximum number of users as needed.

6. Click the Permissions button. You then see the permissions dialog box. Add and remove
access as needed by using the Add and Remove buttons. These allow you to select users
and the type of access you want them to have. Double-click on the groups you want, and select
the type of access. Click OK. Return to this screen as many times as needed to add any number
of groups and access levels. Click OK on the Access Through Share Permissions window
when you are finished.

7. Click OK to complete the sharing task.

5.4. Hidden Share

NT allows you to set up shares and hide them so that casual browsers cannot find them.
You do this by adding a $ character to the end of the share name. These shares are then not
displayed. The purpose of this facility is to allow administrators to hide certain shares to minimise
the clutter when users browse the server[2].

How does sharing interact with file and directory permissions? Sharing never allows more than
file and directory permissions do. Sharing can only reduce the level of access provided by file and
directory permissions. Share restrictions apply even to members of the Administrators group. If you
restrict share access to a directory to read-only, you will not be able to add or remove any files, even if
you are an administrator.

[1] Of course, one can always put a file in a folder and share the folder, in effect sharing a single file.
[2] Hiding should not be mistaken for a security feature. One can access a hidden share if one knows its name.
It only reduces the clutter in the browser; the NET program will show the share directly.
5.5. File and Directory Permissions

One of the main strengths of NTFS is that it provides access-level restrictions down to the file
level. It means that access can be restricted for an individual file. Before we delve into the various
types of permissions, let us see what file ownership is.

Every file in NT is owned by some account[1]. NT assigns ownership of a file to the account
that creates the file. By default, ownership is granted to the creator of the file, and it cannot be
given away. It can be taken, however, and there is a distinction between the two.

File ownership is important because the creator of the file is provided with the ability to
do anything to the file, even delete it. The creator has full control. In NT, full control means the
ability to read, modify, and delete the file, as well as to change the access so as to grant someone
else full control rights.

Let us summarise. If you create a new file, you own it and gain full control access to the file.
If you copy a file, you become the owner of the copy, with the same rights. As the file owner you
can remove everyone's ability, even the administrators', to access the file.

Ensuring that files are appropriately owned and managed is one of the keys to effective
security with NT Server 4.
5.6. Taking Ownership of Files

To take ownership of a file, do the following.

1. Log on to your system using an Administrator account.

2. Choose Start, Programs, Windows NT Explorer. Open the directory the file resides in.

3. Select the file you want to reassign by left-clicking once on the file name.

4. Right-click on the file to see the drop-down menu.

5. Select Properties.

6. Select the Security tab to see three options:

- Permissions.

- Auditing.

- Ownership.

7. Select Permissions. Grant the user account that needs ownership full control over the file
by using the Add button. Click OK when finished.

8. Log off. Log on again with the user account that needs to take over the ownership.

9. Open Explorer and find the file. Select it, then right-click and select Properties. Select
Security. Note that this tab is shown only when you are accessing a file on an NTFS partition.

10. Select the Ownership option near the bottom of the screen.

11. You see a small dialog box offering the next option, Take Ownership. Click the Take Ownership
button. Click OK to finish the task.

12. Log off. The user account now owns the file.

Being an owner does not automatically grant you permission to use the file. Of course,
being the owner, you can give permissions to yourself; it just does not happen automatically.
You can also set up permissions that deny you access to the file[2].

[1] The user
5.7. Permissions

What are the various permissions that you can set for a file in NTFS? Table 5.1 gives the
details of the various permissions and their meaning when applied to a file or a directory.

Change Permission
    To a directory: Allows changes to the directory's permissions.
    To a file: Allows changes to the file's permissions.
Delete
    To a directory: Allows deletion of the directory.
    To a file: Allows deletion of the file.
Execute
    To a directory: Allows display of attributes, permissions and owner; allows changing to
    subdirectories.
    To a file: Allows running of program files and display of attributes, permissions, and
    owner. (Note that it does not include Read permission.)
Read
    To a directory: Allows display of filenames within the directory and their attributes,
    and of the permissions and owner of the directory.
    To a file: Allows display of the file's data, permissions, attributes, and owner.
Take Ownership
    To a directory: Allows changes to the directory's ownership.
    To a file: Allows changes to the file's ownership.
Write
    To a directory: Read permission, plus allows creation of subdirectories and files within
    the directory, and changes to attributes.
    To a file: Read permission, plus allows changes to file data and attributes.

Table 5.1. File and directory permission types.

[2] I use it only when a file is very important and I think I may accidentally delete it. I deny permission to myself.
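The rule stated in section 5.4, that a share can only reduce what the file and directory permissions of Table 5.1 grant, as an added Python example (not code from the note): effective access over the network is the intersection of what the share permission allows and what the NTFS permissions allow, while a local logon sees the NTFS permissions alone. The mapping of the share access levels (No Access, Read, Change, Full Control) onto the individual permissions of Table 5.1, and the rule that a No Access entry overrides every other entry, are standard NT 4 behaviour that the note does not spell out; the users, groups and access control lists below are constructed for the illustration and the function names are my own.

```python
"""Effective access = share permission AND NTFS permission (added example).

Permission letters are shorthand for the individual permissions of Table 5.1:
R Read, W Write, X Execute, D Delete, P Change Permission, O Take Ownership.
The share-level sets and the No Access override are standard NT 4 behaviour
assumed here; the access control lists below are constructed samples.
"""

NO_ACCESS = "NO ACCESS"

# Share access levels expressed as the individual permissions they permit.
SHARE_LEVELS = {
    "No Access": NO_ACCESS,
    "Read": set("RX"),
    "Change": set("RXWD"),
    "Full Control": set("RXWDPO"),
}


def granted(principals, acl):
    """Union of the permissions an ACL grants to any of the principals.

    acl maps a user or group name to a set of letters or to NO_ACCESS.
    One matching No Access entry wins over every grant.
    """
    result = set()
    for principal in principals:
        entry = acl.get(principal)
        if entry == NO_ACCESS:
            return set()
        if entry:
            result |= entry
    return result


def effective_access(principals, ntfs_acl, share_acl=None):
    """Permissions a user holding the given principals ends up with.

    principals: the user's own name plus the groups the user belongs to.
    share_acl: maps principals to share access level names; None means the
    user is logged on locally, where only the NTFS permissions apply.
    """
    ntfs = granted(principals, ntfs_acl)
    if share_acl is None:
        return ntfs
    share_perms = {p: SHARE_LEVELS[level] for p, level in share_acl.items()}
    return ntfs & granted(principals, share_perms)


# Constructed sample: a directory shared read-only, even to administrators.
NTFS_ACL = {"Administrators": set("RXWDPO"), "Users": set("RX")}
SHARE_ACL = {"Administrators": "Read", "Users": "Read"}


if __name__ == "__main__":
    admin = ["admin", "Administrators", "Everyone"]
    print("over the network:", sorted(effective_access(admin, NTFS_ACL, SHARE_ACL)))
    print("logged on locally:", sorted(effective_access(admin, NTFS_ACL)))
```

The sample reproduces the situation described above: an administrator connecting through the read-only share cannot delete or write, although the same account logged on at the console has full control. The No Access branch models the owner who denies everyone, including administrators, as section 5.5 allows.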

5.8. Assigning File Permissions

Here we will see how file permissions may be assigned.

1. Log on to your system using an Administrative account.

2. Go to Start, Programs, Windows NT Explorer. Open the directory containing the files.

3. Select the file or files you want to reassign by left-clicking once on the file name. If you hold
the Shift key while dragging the cursor over the list of files, you can select a group of files.

4. Right-click on the file(s) to see the drop-down menu.

5. Select Properties.

6. Select the Security tab.

7. Select Permissions. If some groups are already showing (the Everyone group is probably
showing), select those groups and click the Remove button. This action removes all unneeded
users from the list. Be careful not to leave the list blank, or no one will have access. Click
the Add button to add new groups or user accounts for which you want to provide access
from the list provided, and double-click to select them. Set the desired access at the bottom
of the screen, and when you are ready click OK.

8. Click OK on the File Permissions window to complete the task.

The permissions can be set using the command-line program CACLS as well.

Chapter 6. TCP/IP on WinNT

Objectives

This chapter will show you the TCP/IP configuration of a Windows NT Server. We will also
discuss a few services, viz. DNS, DHCP etc.

6.1. What is TCP/IP?

TCP/IP stands for Transmission Control Protocol/Internet Protocol. You can think of it
as a collection of tools used originally by the US Department of Defence (DoD) to facilitate
communication among the many kinds of computer the DoD had in use.

A protocol is a set of rules and formalities used by various computers to pass messages to
each other. One set of protocols may not be sufficient, and you often find various protocols in use,
layered on top of each other. TCP/IP actually consists of two protocols: the Transmission Control
Protocol and the Internet Protocol.

The original goal of TCP/IP consisted of providing solid failure recovery, a
capability to handle high error rates, and machine and vendor independence. It was, after all,
designed primarily by the military as a defence network.

For more information about TCP/IP networks, see the IRISET note C4AE.
6.2. Installing TCP/IP on Windows NT Server

Here we will see how to install TCP/IP on NT Server.

1. Log in to your server as an Administrator. Next, open the Control Panel and double-click the
Network icon. The Network dialog box appears as shown in Figure 6.1.

Figure 6.1. The Network Dialog Box.

2. Click the Protocols tab. Any protocol that you have already installed will be shown in
the list.

3. Click the Add button to add a new protocol. NT builds a list of all the protocols it supports
and presents it to you. The dialog presented is shown in Figure 6.2.

Figure 6.2. All the available network protocols.

4. Select the TCP/IP protocol from the list, and click the OK button. NT asks whether there
is a DHCP server on your network and whether you want to use that server to obtain your
address. For the time being say No.

5. You might be asked to provide the location of your installation files. Place the NT install
CD-ROM in the drive, and enter its path. Click OK when you are ready. NT copies a number of
files to the local NT system directory. If RAS[1] is installed, the installation asks you whether
you want RAS configured to use TCP/IP. Choose an appropriate answer to continue. This
will mostly be Yes.

6. When the installation finishes, you will see the TCP/IP protocol displayed in the Protocols tab
of your Network dialog box. You can see it in Figure 6.3.

Figure 6.3. TCP/IP appears in the protocol list.

7. Click the Close button. NT goes through various binding processes before displaying the
Microsoft TCP/IP dialog box (Figure 6.4).

Figure 6.4. The TCP/IP configuration dialog box.

TCP/IP offers various setup options. The first option enables you to specify that IP
addresses will come from the DHCP server. The next option enables you to predefine a
static IP address, subnet mask and default gateway.

8. Enter the necessary IP address for your network. Click OK when you are finished. NT
completes the process and tells you to reboot the server, after which the TCP/IP services
are available.

[1] Remote Access Server.

6.3. TCP/IP Diagnostic and Connectivity Utilities

NT provides several utilities that are common to UNIX systems. These are all automatically
installed when you install TCP/IP. Given below is a brief description of a few of them.

6.3.1. IPCONFIG

The ipconfig command provides you with a system's TCP/IP configuration data.
Figure 6.5 shows this command in action. Following is the syntax for this command.

Figure 6.5. Using the ipconfig command.

ipconfig [/all]

/all: This switch causes the command to return additional IP information for all network
adapters running TCP/IP. This includes the hostname, all the DNS servers, the node type, the
state of IP routing on your system etc. You also get the physical address of every adapter using
TCP/IP, the IP address of the adapter and its subnet mask, as well as the default gateway.

6.3.2. NETSTAT

The netstat command displays the statistics for all TCP, UDP and IP connections. The
syntax consists of

netstat [switches]

Here switches can be any of the following options:

-a
    Displays all current connections and listening ports.
-e
    Displays all Ethernet statistics. Can be combined with the -s switch.
-n
    Displays addresses and port numbers numerically.
-p protocol
    Displays the connections for the protocol specified. The protocol can be TCP, UDP,
    or IP when used with the -s switch.
-s
    Displays all protocol statistics.
interval
    Redisplays the selected statistics using the number of seconds indicated by the
    interval parameter as the intervening pause. Ctrl+C stops the display.

6.3.3. PING

The ping command sends small packets to a host to verify whether the host is active. It is a
very common troubleshooting command. The syntax consists of

ping [switches] host

In this case, the most common values for the switches are listed below.

-n number
    Specifies the number of packets to be sent.
-l size
    Specifies the length of the packet. The default is 64 bytes and the maximum is
    8192 bytes.
-t
    Pings the host until interrupted.

6.4. DNS

DNS[1] is a service that takes a website address like www.iriset.ac.in and translates it
into the actual IP address. DNS is really only a list of IP addresses and an associated name for each
address. You might think of it as a table with two columns, in the form IP address - name. For
example, you might see an entry such as this:

210.212.217.130 - www.iriset.ac.in

[1] Domain Name Service.

So who controls all these names and addresses? The central authority for DNS is the InterNIC
Registration Services. This organisation ensures that your name is unique and that a current IP
address is associated with it.
6.4.1. Configuring NT for Existing DNS Servers
What the NT server will do when it has to translate an address like www.iriset.ac.in
into IP address? It will take help from another machine that is running the Domain Name Server.
So, whenever NT has to get the IP address corresponding to the name www.iriset.ac.in, a
process called resolving the name, it will query the Domain Name Server. The Domain Name
Server will then return the IP address of the name.
Let us see how to set up NT to use an existing Domain Name Server.
1. Log on to the server using an Administrator account. Open the NT Control Panel and double-click the Network icon. Click the Protocols tab, and then double-click the TCP/IP protocol.

2. Next, click the DNS tab. This tab displays the configuration options shown in Figure 6.6.

Figure 6.6. The DNS configuration option dialog box.

3. Enter the DNS domain name in the box titled Domain. By default, your computer's NT registered name is shown in the Host Name box.

4. Click the Add button to add a DNS server that already exists on your network. You can specify three servers and change the order in which they are tried by using the up and down arrows. If the first server fails to resolve a name, NT tries the next server and then the third.

5. Finally, assign default domain suffixes in the box called Domain Suffix Search Order by using its Add button. NT allows six additional domain suffixes. Again, use the up and down arrows to tell NT in what order they are to be searched.

6. Click OK to finish the setup. Your NT machine is now set to use the DNS servers specified.
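Taken together, the server list and the Domain Suffix Search Order decide how a lookup proceeds. The Python script below is an added example, not code from this course or from Windows NT: it simulates the ordered server list (a server that does not answer, or does not know the name, is followed by the next) and the suffix search order against constructed name tables, and it builds the A-record query a resolver puts on the wire in the RFC 1035 format. Only 210.212.217.130 and www.iriset.ac.in come from the text above; every other address and table entry is made-up sample data, and the exact candidate order is a simplification of NT's behaviour.

```python
"""Simulated NT name resolution driven by the DNS tab settings, plus the
wire-format A query. Server tables and addresses are constructed samples."""
import struct


def encode_qname(name):
    """Wire-format name: length-prefixed labels ending with a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:          # RFC 1035 label limit
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_a_query(name, txid=0x1234):
    """12-byte header (RD set, QDCOUNT=1) + one question: QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)


def candidates(name, domain, suffixes):
    """Names tried for one lookup. Assumption (a simplification of NT): a bare
    host name gets the DNS Domain, then each search suffix, appended in the
    dialog's order before the bare name itself; a dotted name is tried as given
    first, then with the same suffixes."""
    name = name.rstrip(".")
    suffixed = [f"{name}.{s}" for s in [domain, *suffixes] if s]
    order = [name] + suffixed if "." in name else suffixed + [name]
    seen, out = set(), []
    for fqdn in order:
        if fqdn not in seen:
            seen.add(fqdn)
            out.append(fqdn)
    return out


def resolve(name, servers, domain, suffixes):
    """servers: ordered (address, table) pairs, table being a name->IP dict or
    None for a server that never answers. Returns (ip, fqdn, server) or None.
    As in the NT dialog, a server that fails to resolve is followed by the next."""
    fqdns = candidates(name, domain, suffixes)
    for server_ip, table in servers:
        if table is None:                  # timed out: fall through to the next one
            continue
        for fqdn in fqdns:
            if fqdn in table:
                return table[fqdn], fqdn, server_ip
    return None


# Constructed sample: first listed server is down, the second is the campus
# server, the third knows only a parent-domain host.
SAMPLE_SERVERS = [
    ("210.212.217.2", None),
    ("210.212.217.130", {"www.iriset.ac.in": "210.212.217.130",
                         "mail.iriset.ac.in": "210.212.217.131"}),
    ("210.212.217.3", {"proxy.ac.in": "10.0.0.1"}),
]

if __name__ == "__main__":
    print(resolve("www", SAMPLE_SERVERS, "iriset.ac.in", ["ac.in"]))
    print(build_a_query("www.iriset.ac.in").hex())
```

The `resolve` result shows which server finally answered and which suffix made the name match, which is exactly what you check when a client resolves a short name to an unexpected host.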

6.5. DHCP
Every computer running TCP/IP needs specific information to identify itself. DHCP (Dynamic Host Configuration Protocol) was designed to configure computers dynamically with IP addresses and related TCP/IP information. The server handles the task of assigning unique IP addresses dynamically.

DHCP is a boon for administrators. It takes away the concern of keeping a record of all the IP addresses to avoid an IP clash (two machines being assigned the same IP address). The DHCP server takes care of this and assigns unique addresses to the computers. It also configures the full TCP/IP settings for the system. Whenever some change in the configuration has to be made, it can be done on the server and the clients will update themselves automatically.

6.5.1. How DHCP Works
DHCP was designed as an extension to the Bootstrap Protocol (BOOTP), originally used to boot and configure diskless workstations across the network.

BOOTP's capability to hand out IP addresses from a central location is terrific, but it's not dynamic. The network administrator must know beforehand the MAC addresses of the Ethernet cards on the network. This isn't impossible information to obtain, but it's not fun. Furthermore, there is no provision for handing out temporary IP addresses, such as an IP address for a laptop used by a consultant.

DHCP improves upon BOOTP because you give it a range of IP addresses that it's allowed to hand out, and it just gives them out first-come, first-served to whatever computers request them. If, on the other hand, you want to maintain full BOOTP-like behaviour, you can; it's possible with DHCP to pre-assign addresses to particular MAC addresses, as with BOOTP.

The BOOTP protocol was originally defined in RFC 952. The latest BOOTP RFC is RFC 1542, which includes support for DHCP. The major advantage of using the same message format as BOOTP is that an existing router can act as an RFC 1542 (BOOTP) relay agent to relay the DHCP messages between subnets. Therefore, with a router acting as an RFC 1542 relay agent between two subnets, it is possible to have a single DHCP server providing IP addresses and configuration information for systems on both subnets.

6.5.2. Leasing an IP Address
A DHCP client gets an IP address from a DHCP server in four steps.

1. Initializing State: A DHCPDISCOVER broadcasts a request to all DHCP servers, requesting an IP address.

2. Selecting State: The servers respond with a DHCPOFFER of an IP address and lease time.

3. Requesting State: The client chooses the offer that sounds most appealing and broadcasts back a DHCPREQUEST to confirm the IP address.

4. Bound State: The server handing out the IP address finishes the procedure by returning a DHCPACK, an acknowledgement of the request.

6.5.3. Renewing IP Address Leases
DHCP clients lease their IP addresses from a DHCP server. When that lease expires, they can no longer use that IP address. Therefore, DHCP clients must renew their leases on IP addresses, preferably before the lease has expired or is about to expire. During the process of renewing its lease, a DHCP client passes through the stages listed below:


1. Renewing State: By default, a DHCP client first tries to renew its lease when 50% of its lease time has expired. To renew its lease, a DHCP client sends a directed DHCPREQUEST message to the DHCP server from which it obtained the lease. When permitted, the DHCP server automatically renews the lease by responding with a DHCPACK message. This DHCPACK message contains the new lease as well as any configuration parameters, so that the DHCP client can update its settings in case the administrator updated any settings on the DHCP server. After the DHCP client has renewed its lease, it returns to the bound state.

2. Rebinding State: If a DHCP client attempts to renew its lease on an IP address and for some reason can't contact a DHCP server, the DHCP client displays a message saying do.
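Because DHCP keeps the BOOTP message layout, the DHCPDISCOVER of the initializing state and the DHCPOFFER that answers it can be built and decoded in a few dozen lines. The Python below is an added example, not code from this course or from NT's DHCP server: it encodes the fixed BOOTP header followed by the magic cookie and the DHCP options (message type 53, server identifier 54, lease time 51, and renewal time 58 set to 50% of the lease, matching the renewing state described above), then decodes a packet back into the fields an administrator checks. The client MAC, transaction id and all addresses are constructed sample values; the giaddr field in the offer stands in for the RFC 1542 relay agent mentioned in 6.5.1.

```python
"""Encode and decode DHCP messages, which keep the BOOTP packet layout and
append options after a four-byte magic cookie. Sample values are constructed."""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_PAD, OPT_MASK, OPT_ROUTER, OPT_DNS = 0, 1, 3, 6
OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PARAM_REQ, OPT_T1, OPT_END = 51, 53, 54, 55, 58, 255
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK = 1, 2, 3, 5
MSG_NAMES = {DHCPDISCOVER: "DISCOVER", DHCPOFFER: "OFFER", DHCPREQUEST: "REQUEST", DHCPACK: "ACK"}


def build(op, xid, chaddr, options, yiaddr="0.0.0.0", giaddr="0.0.0.0", broadcast=False):
    """236-byte BOOTP header, magic cookie, option TLVs, END marker."""
    flags = 0x8000 if broadcast else 0
    header = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, flags)      # htype=Ethernet, hlen=6
    header += IPv4Address("0.0.0.0").packed + IPv4Address(yiaddr).packed  # ciaddr, yiaddr
    header += IPv4Address("0.0.0.0").packed + IPv4Address(giaddr).packed  # siaddr, giaddr
    header += chaddr.ljust(16, b"\x00") + bytes(64) + bytes(128)          # chaddr, sname, file
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


def parse(packet):
    """Header fields a server or relay agent looks at, plus the option TLVs."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", packet[:12])
    fields = {
        "op": op, "xid": xid, "flags": flags,
        "yiaddr": str(IPv4Address(packet[16:20])),
        "giaddr": str(IPv4Address(packet[24:28])),
        "chaddr": packet[28:28 + hlen].hex(":"),
    }
    options, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == OPT_PAD:              # single-byte padding, no length field
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    fields["options"] = options
    return fields


def lease_summary(packet):
    """The parts of a server reply an administrator checks."""
    fields = parse(packet)
    opts = fields["options"]

    def u32(code):
        return struct.unpack("!I", opts[code])[0] if code in opts else None

    return {
        "type": MSG_NAMES.get(opts[OPT_MSG_TYPE][0], "other"),
        "yiaddr": fields["yiaddr"],
        "server": str(IPv4Address(opts[OPT_SERVER_ID])) if OPT_SERVER_ID in opts else None,
        "lease": u32(OPT_LEASE),
        "t1": u32(OPT_T1),
    }


def example_exchange():
    """DISCOVER as the client broadcasts it, and the OFFER a server on another
    subnet returns through an RFC 1542 relay (relay address carried in giaddr)."""
    mac = bytes.fromhex("00a0c9123456")            # constructed client MAC
    xid = 0x3903F326                               # constructed transaction id
    discover = build(BOOTREQUEST, xid, mac,
                     [(OPT_MSG_TYPE, bytes([DHCPDISCOVER])),
                      (OPT_PARAM_REQ, bytes([OPT_MASK, OPT_ROUTER, OPT_DNS]))],
                     broadcast=True)
    lease = 8 * 3600
    offer = build(BOOTREPLY, xid, mac,
                  [(OPT_MSG_TYPE, bytes([DHCPOFFER])),
                   (OPT_SERVER_ID, IPv4Address("210.212.217.130").packed),
                   (OPT_LEASE, struct.pack("!I", lease)),
                   (OPT_T1, struct.pack("!I", lease // 2)),   # renew at 50% of the lease
                   (OPT_MASK, IPv4Address("255.255.255.0").packed),
                   (OPT_ROUTER, IPv4Address("210.212.217.1").packed)],
                  yiaddr="210.212.217.150", giaddr="210.212.217.1")
    return discover, offer


if __name__ == "__main__":
    discover, offer = example_exchange()
    print(parse(discover))
    print(lease_summary(offer))
```

Feeding a captured packet to `parse` is also a quick way to verify that a reply really came from the server identifier you expect (option 54), which matters when more than one DHCP server answers on a segment.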

6.5.4. Installing DHCP Server
You can install the DHCP server during the install process, or you can add it manually by adding the service. Let us see how we do it.

1. Log in as an Administrator. Double-click the Network icon in the Control Panel. When the Network dialog box appears, click the Services tab, and then click Add to display the Select Network Service dialog box. (See Figure 6.7.)

Figure 6.7. The Select Network Service dialog box.

2. From the Network Service list, highlight Microsoft DHCP Server, and then click OK.

3. Windows NT Setup displays a message asking for the full path to the Windows NT Server distribution files. Provide the appropriate location and click the Continue button. All necessary files are copied to your hard disk.

4. Complete all the required procedures for manually configuring TCP/IP as described in Section 6.2.

6.5.5. Understanding DHCP Scopes
For DHCP to give out IP addresses, it must know the range of IP addresses it can give out. How does it find out the addresses? You tell it with a scope. A scope is simply a range of IP addresses, or pool of addresses, to draw on. You create a scope for each subnet on the network to define parameters for that subnet.

When the DHCP server is installed, the DHCP Manager icon is added to the Network Administrative Tools group under Programs in the Start menu. You use DHCP Manager for the following:

- Create one or more scopes to begin providing DHCP services.
- Define properties for the scope, including the lease duration and IP address ranges for distribution to potential DHCP clients in the scope.
- Define default values for options (like default gateway, DNS server etc.) to be assigned together with an IP address.
- Add any custom option.

Let us see how we create DHCP scopes.

1. In the DHCP Servers list in the DHCP Manager window, select the server where you want to create a scope.

2. Choose Scope|Create. The Create Scope dialog box is displayed as shown in Figure 6.8.

Figure 6.8. The Create Scope dialog box.

3. To define the available range of IP addresses for this scope, type the beginning and the ending IP addresses for the range in the Start Address and End Address boxes. The IP address range includes the Start and End values. You must supply this information in order for the system to activate this scope.

4. In the Subnet Mask box, DHCP Manager proposes a subnet mask based on the Start and End IP addresses. Accept the proposed value unless you know that a different value is required.

5. To define excluded addresses within the IP address pool range, use the Exclusion Range controls as detailed here:

   - Type the first IP address that is part of the excluded range in the Start Address box, and type the last address in the End Address box. Click the Add button. Continue to define any other excluded ranges in the same way.
   - To exclude a single IP address, type the address in the Start Address box. Leave the End Address box empty and then click the Add button.
   - To remove an IP address or range from the excluded range, select it in the Excluded Addresses box, and then click the Remove button.

6. To specify the lease duration for IP addresses in this scope, select Limited To. Type values defining the number of days, hours, and minutes for the length of the address lease. If you do not want IP address leases in this scope to expire, select the Unlimited option (this is not recommended).

7. In the Name box, type a scope name. Although this is optional, it's probably a good idea to name each scope for later reference. Use any name that describes the subnet. The name can include any combination of letters, numbers, and hyphens. Blank spaces and underscore characters are also allowed.

8. Optionally, in the Comment box, type a string to describe this scope, and then click OK.

9. When you finish creating the scope, a message reminds you that the scope has not been activated and lets you choose Yes to activate the scope immediately. Do not activate a new scope, however, until you have defined the DHCP options for this scope.

6.5.6. Configuring DHCP Options
Besides the IP addressing information, you must configure other DHCP configuration options pertaining to DHCP clients for each scope. Let us see how we do it.

1. In the DHCP Servers list in the DHCP Manager window, select the scope that you want to configure.

2. From the DHCP Options menu, choose the Global or Scope command, depending on whether you want to define options for all scopes on the currently selected server or only for the scope currently selected in the DHCP Manager window. The DHCP Options: Scope dialog box appears.

3. In the Unused Options list in the DHCP Options: Scope dialog box, select the name of the DHCP option you want to apply. Click the Add button to move the name to the Active Options list. This list shows predefined options and any custom options you added.

4. To define the value for an active option, select its name in the Active Options box and click the Values button. Then click the Edit button and edit the information in the Current Value box, depending on the data type of the option, as described here:

   - For an IP address, type the assigned address for the selected option.
   - For a number, type an appropriate decimal or hexadecimal value for the option.
   - For a string, type an appropriate ASCII string containing letters and numbers for the option.
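To see how the fields entered in the Create Scope dialog (6.5.5) and the Global and Scope options (6.5.6) act together with the lease states of 6.5.2 and 6.5.3, here is an added Python simulation of a scope. It is example code, not this course's or Microsoft's: it models an inclusive start/end range, a proposed subnet mask, exclusion ranges (a single address when End Address is left empty), a lease duration with renewal at 50%, the not-yet-activated state, BOOTP-style reservations for particular MAC addresses, and the merging of Global and Scope options. The classful rule used for the proposed mask and the precedence of Scope over Global options are assumptions; all addresses and MACs are constructed samples.

```python
"""Simulated DHCP scope with the settings NT's DHCP Manager asks for.
Everything here is constructed sample behaviour, not the NT implementation."""
from ipaddress import IPv4Address


def proposed_mask(address):
    """Classful default mask for the proposal DHCP Manager makes from the
    start/end addresses (assumption: decided by the first octet)."""
    first = int(address.split(".")[0])
    return "255.0.0.0" if first < 128 else "255.255.0.0" if first < 192 else "255.255.255.0"


class Scope:
    def __init__(self, name, start, end, lease_seconds=None, options=None):
        self.name, self.active = name, False           # new scopes start inactive
        self.start, self.end = IPv4Address(start), IPv4Address(end)
        self.mask = proposed_mask(start)
        self.lease_seconds = lease_seconds             # None = Unlimited (not recommended)
        self.excluded, self.reserved = set(), {}       # reserved: mac -> IPv4Address
        self.leases = {}                               # IPv4Address -> (mac, expires)
        self.options = dict(options or {})             # Scope-level DHCP options

    def exclude(self, first, last=None):
        """Exclusion range; a single address when End Address is left empty."""
        lo, hi = IPv4Address(first), IPv4Address(last or first)
        self.excluded.update(IPv4Address(i) for i in range(int(lo), int(hi) + 1))

    def reserve(self, mac, address):
        """Pre-assign an address to a MAC, the BOOTP-like behaviour DHCP keeps."""
        self.reserved[mac] = IPv4Address(address)

    def _expired(self, ip, now):
        _mac, expires = self.leases[ip]
        return expires is not None and expires <= now

    def offer(self, mac, now):
        """DHCPOFFER candidate: reservation, then current lease, then the lowest
        free address in the inclusive range that is neither excluded nor reserved."""
        if not self.active:
            return None
        if mac in self.reserved:
            return self.reserved[mac]
        for ip, (holder, _) in self.leases.items():
            if holder == mac and not self._expired(ip, now):
                return ip
        for i in range(int(self.start), int(self.end) + 1):
            ip = IPv4Address(i)
            if ip in self.excluded or ip in self.reserved.values():
                continue
            if ip not in self.leases or self._expired(ip, now):
                return ip
        return None                                    # pool exhausted

    def ack(self, mac, ip, now):
        """DHCPACK: record the lease; renewal timer is 50% of the lease duration."""
        expires = None if self.lease_seconds is None else now + self.lease_seconds
        self.leases[ip] = (mac, expires)
        renew_at = None if expires is None else now + self.lease_seconds // 2
        return {"address": str(ip), "expires": expires, "renew_at": renew_at}

    def renew(self, mac, ip, now):
        """Directed DHCPREQUEST from the lease holder: extend, or refuse (None)."""
        if ip in self.leases and self.leases[ip][0] == mac and not self._expired(ip, now):
            return self.ack(mac, ip, now)
        return None


class DhcpServer:
    def __init__(self, global_options=None):
        self.global_options = dict(global_options or {})
        self.scopes = []

    def effective_options(self, scope):
        """Options handed out with an address from this scope; Scope values
        override Global ones (assumption about DHCP Manager precedence)."""
        return {**self.global_options, **scope.options}


if __name__ == "__main__":
    server = DhcpServer({"router": "210.212.217.1", "dns": ["210.212.217.130"]})
    lab = Scope("Lab subnet", "210.212.217.100", "210.212.217.200", lease_seconds=7200)
    lab.exclude("210.212.217.100", "210.212.217.110")
    lab.active = True
    ip = lab.offer("00:a0:c9:bb:bb:bb", now=0)
    print(lab.ack("00:a0:c9:bb:bb:bb", ip, now=0), server.effective_options(lab))
```

Walking a scenario through this model makes two of the page's warnings concrete: an inactive scope answers nobody, and an address only returns to the pool once its lease has expired, which is why Unlimited leases slowly exhaust a subnet.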


Index
Abstraction, 2
Multi-Threaded, 2
Multitasking, 2
Operating System, 1
Single Tasking, 2
symmetric processor system, 2
Task, 2
Thread, 2
