C4 CD: Networking With Windows 98 and Window NT: Rakesh Ranjan
Contents
Chapter 1. Introduction ..... 1
1.1. History ..... 1
1.2. Architecture Independence ..... 1
1.3. Multiple Processor Support ..... 1
1.4. Multi-Threaded Multitasking ..... 2
1.5. Massive Memory Space ..... 2
1.6. Internet and TCP/IP Compatibility ..... 2
1.7. Event and Account Logging ..... 3
1.8. Remote Access Service ..... 3
1.9. Domains ..... 3
1.10. Fault Tolerance and RAID Support ..... 3
1.11. Graphical User Interface ..... 4
Chapter 2. NT Server Installation ..... 5
2.1. Planning the NT Installation ..... 5
2.2. Primary Domain Controller ..... 6
2.3. Starting NT Install Program ..... 6
2.4. Creating NT Boot Disk ..... 9
Chapter 3. NT Domains ..... 10
3.1. Understanding Domain Model ..... 10
3.2. Trust Relationship ..... 11
3.3. Creating Trust Relationship ..... 11
3.3.1. Setting up a Domain to Trust Another ..... 11
3.3.2. Completing the Trust Relationship ..... 12
3.4. Removing a Trust Relationship ..... 13
Chapter 4. Managing User Accounts ..... 14
4.1. User Accounts ..... 14
4.1.1. Administrator Account ..... 14
4.1.2. Guest Account ..... 15
4.2. Creating User Accounts ..... 15
4.3. Creating Groups ..... 17
4.3.1. Using Local Groups ..... 18
4.3.2. Using Global Groups ..... 19
4.3.3. Special Groups ..... 19
Chapter 5. Directory Shares ..... 21
5.1. FAT and NTFS ..... 21
5.2. Creating Directory Share ..... 22
5.3. Sharing of folders using Windows NT Explorer ..... 22
5.4. ..... 22
5.5. File and Directory permissions ..... 23
5.6. Taking Ownership of Files ..... 23
5.7. ..... 24
5.8. ..... 25
Chapter 6. TCP/IP on WinNT ..... 26
6.1. What is TCP/IP? ..... 26
6.2. Installing TCP/IP on Windows NT Server ..... 26
6.3. TCP/IP Diagnostic and Connectivity Utilities ..... 28
6.3.1. IPCONFIG ..... 28
6.3.2. NETSTAT ..... 29
6.3.3. PING ..... 29
6.4. DNS ..... 29
6.4.1. Configuring NT for Existing DNS Servers ..... 30
6.5. DHCP ..... 30
6.5.1. How DHCP Works ..... 31
6.5.2. Leasing an IP address ..... 31
6.5.3. Renewing IP Address Leases ..... 31
6.5.4. Installing DHCP Server ..... 32
6.5.5. Understanding DHCP Scopes ..... 32
6.5.6. Configuring DHCP Options ..... 34
Index ..... 36
List of Figures
Figure 3.1 ..... 12
Figure 4.1 ..... 16
Figure 4.2 ..... 16
Figure 6.1 ..... 26
Figure 6.2 ..... 27
Figure 6.3 ..... 27
Figure 6.4 ..... 28
Figure 6.5 ..... 28
Figure 6.6 ..... 30
Figure 6.7 ..... 32
Figure 6.8 ..... 33
List of Tables
Table 4.1 ..... 17
Table 4.2 ..... 17
Table 4.3 ..... 18
Table 4.4 ..... 19
Table 4.5 ..... 20
Table 4.6 ..... 20
Table 5.1 ..... 24
Chapter 1. Introduction
Objectives
This chapter introduces Windows NT to you. You will learn about the various features of
Windows NT.
Windows NT Server is the network OS adopted in Railnet. It has its strengths and its
weaknesses. Here, let us see a few of the strengths of NT Server.
1.1. History
Early on, Bill Gates knew that networking was the key to capturing the computer business.
Microsoft introduced MS-NET on April 15, 1985 along with DOS 3.10. This was simple DOS-based
software that allowed simple resource sharing of files and printers. From 1985 to 1988
Microsoft worked on the next generation of networking software; Lan Manager was made during
this time.
In 1988, work earnestly started on Windows NT. In August 1993, Windows NT 3.1 was
released. No, there were no previous versions: Microsoft, the marketing strategist, did the version
numbering so that it looked like the next release of Lan Manager, although the two have little in
common. Windows NT 3.5 was released in September 1994 and Windows NT 4.0 in 1996.
1.2. Architecture Independence
Operating system designers, when designing an OS, tend to target it for a particular
microprocessor. This ties the OS to the underlying hardware in terms of word size, page
size, word representation etc. When NT was written, Microsoft first made it for the MIPS R5000.
It was then ported to the x86 platform. This forced the parts of NT that are machine dependent
to be segregated into a relatively small piece of NT (when compared with the overall size of NT).
This small piece is made of the HAL (Hardware Abstraction Layer), the kernel, and the network
and device drivers.
Thus, a large part of NT is architecture independent. This makes it portable across a large
number of platforms.
1.3. Multiple Processor Support
NT has support for a maximum of 32 processors. This means that if a computer employs
32 processors, NT can use all of them to enhance its performance. But the version that is normally
shipped has support for two or four processors. In case support for more processors
is sought, an appropriate HAL is required. NT can then use all these processors and speed up
the overall computer system running NT.
Among multiprocessing systems, a computer is said to be a symmetric or an asymmetric
multiprocessor. An asymmetric multiprocessor system has more than one processor, but each
one of them has a different, specially defined job. A symmetric multiprocessor system, on
the other hand, has processors that can take over for one another without skipping a beat. Each
processor has complete access to all hardware, bus and memory actions etc. NT servers must
have a symmetric multiprocessor system in order to use multiprocessor capabilities.
NT can split its tasks among the various processors and thus increase the throughput of
the system.
1.4. Multi-Threaded Multitasking
Multitasking means that a single computer can run several different programs simultaneously.
These programs use different data spaces in memory, hence they do not interfere with each
other. A program is normally single tasking within itself: the program is a single unit
and does the whole work as a single process.
A program may be multi-threaded. This means that there are different smaller programs
that cooperate to produce the desired result. This is advantageous if there is more than
one processor: each of these small programs, called a thread, can execute on a different
processor. NT is multi-threaded, so it supports multi-threaded applications.
It does not mean that a multi-threaded application runs only on a computer with multiple
processors. In fact, NT gives you an abstraction. If there are multiple processors, they are
used. Otherwise, NT schedules the threads on the single processor. The software developer
need not be bothered about the underlying architecture of the computer. NT guarantees that the
multi-threaded application will run.
The difference between a task and a thread is that the different threads of a program use
the same data space. It means that if one thread changes a data item, the change is seen by all the
other threads as well. Tasks invariably use different data spaces. This means that each of the
tasks has a private copy of each data item, and the changes done by one are not seen
by the other.
1.5. Massive Memory Space
The NT architecture supports RAM of up to 4GB. This means that NT applications do
not need to worry about memory. The amount of memory is only limited by the amount of
actual physical memory in the computer.
1.6. Internet and TCP/IP Compatibility
Nowadays, most networks speak the language of the Internet, a protocol called TCP/IP. NT
supports most of the protocols of the Internet. So it is possible to build our own enterprise intranet
based on Windows NT.
Hot Fixes are a feature on any NT server whose disk has been formatted under the NTFS
file system. NTFS constantly monitors the disk area that it is using, and if it finds that an area
has become damaged, it takes the bad area out of service and automatically moves the data on
that area to another, safer area.
RAID (Redundant Array of Independent Disks) is a six-level method for combining several
disk drives into what appears to the system to be a single disk drive. RAID improves upon
the single-disk-drive answer in that it offers better speed and data redundancy.
Level 0, or disk striping, improves only the speed. It creates what appears to be one
disk out of several separate physical disk drives. Areas that appear to be a cylinder or a
track on the logical disk drive are actually spread across two or more physical disk drives.
The benefit is realized when accessing data: when reading a block of data, the read
operation can actually become several simultaneous separate disk reads on several
physical disks.
Level 1 is a straightforward disk mirroring system. You get two disk drives and tell NT
to make one a mirror image of the other. It's fast and fault tolerant.
Level 5 is very much like level 0, in that data is striped across several separate physical
drives. It differs, however, in that it adds redundant information called parity that allows
damaged data to be reconstructed.
The different levels of RAID do not get better as they rise in number; they are just different
options. NT Server has software RAID support. This means that we need not invest in costly
RAID boxes.
This survey is important in case NT refuses to recognize a hardware device. Then, to set up
the device, this information comes in handy. The list may be as exhaustive as possible. There
is no harm in learning as much as possible about the hardware.
NT Server can be installed as a primary domain controller, a backup domain controller or as
an ordinary file/application server. This planning is necessary because once configured during
install, it cannot be changed without a reinstall.
NT Server should be installed as a primary domain controller only if you are creating a
new domain.
If an NT server is installed as a backup domain controller, a PDC must already be set up, and
the machine you are installing NT on must be on the same network as the PDC. NT will refuse to
be installed as a backup domain controller if it cannot see the primary domain controller on the
same network.
The name of the NT server must be decided now. A name should be chosen that looks
appropriate. Avoid using names like pc1, pc2 etc. One must also know/decide the following
before starting an install if a TCP/IP network is to be installed.
IP address
Subnet mask
Default gateway(s)
DNS Server(s)
Domain Name
Pop the "Setup boot disk" into the A: drive and reboot the machine. NT then runs NTDETECT.COM,
which figures out what kind of hardware you have on your system. You see a message that says,
"Windows NT Setup/Setup is inspecting your computer's hardware configuration."
Next you see the following blue screen with white letters:
Windows NT Setup
And on the bottom of the screen:
Setup is loading files (Windows NT Executive)
NT next loads the HAL, after which you are prompted to insert Setup disk #2 and press Enter. You see some messages on the bottom of the screen about what is loading, including
Fonts
PCMCIA support
Video drivers
Keyboard driver
The next screen that comes up is a welcome screen with the following choices.
To quit, press F3
Press Enter, insert Setup disk #3, and press Enter again. Setup goes into device detection.
Setup auto-detects any SCSI adapters in your system. If an adapter wasn't recognized, you
can tell NT to use a device support disk.
Next NT asks you whether you want to upgrade or do a fresh install. If NT
was already loaded on the hard disk you get an upgrade option. If it is a newly formatted
hard disk, the upgrade option is not given.
NT Setup then tells you what it thinks you have in terms of:
Basic PC type
Video system
Keyboard
Mouse
The list is usually correct. At times a powerful video card may be detected as a less powerful
VGA card. Nothing to worry about: it can be reconfigured to its maximum capacity after the basic
NT install.
Next, NT Setup shows you the partitions on your system and asks which one you want
to install NT on. Select the partition on which you want to install NT and press Enter. You next
choose how you want to format the partition, if you want to format it at all. Your choices are
It is recommended that on an NT Server you use an NTFS partition on the data drives unless
you have very good reasons not to do so.
The main features that NTFS offers include:
Long names are automatically converted to the 8+3 format when accessed by a
DOS workstation.
NTFS uses disk space more sparingly than FAT does. Under FAT, the minimum size
that a file actually uses on a disk is 2048 bytes, and as disk partitions get larger, that
minimum size also gets larger: on a 1700MB disk, this minimum size would be 32768
bytes! Under NTFS, that same hard disk supports files so that no file actually takes
more than 512 bytes of space.
Now choose an install directory. Normally \WINNT is chosen. This is the default shown
as well.
Now NT asks you to personalize your software by entering your name and the company
name. Enter them and click Continue.
Now you have to make the licensing choice. There are two options:
Per Seat: Per-seat licensing means that you need a license for every workstation
that will ever log onto the domain. Per-seat licensing has a few advantages. If you count
the number of people that log onto the domain, you have the number of licenses that
you need.
Per Server: Per-server licensing means that you need a license for every simultaneous
NT server connection. It means that if a user logs onto the server, he uses one license.
In this way everyone logging in or using a service uses one license. If this licensing is
chosen, then the number of client licenses obtained must be entered. This must be at
least one or else the File and Print services will refuse to start.
NT now prompts you to create an emergency repair disk. Please make it. This isn't a
bootable disk. It is just a disk that contains the data necessary to reconstruct a configuration
if your NT system is no longer able to boot.
NT then goes into actually setting up the system, copying data from the CD to the hard disk
drive, configuring the work space etc.
Format a floppy under either NT Explorer or from a command line under NT. Do not use a
DOS-formatted floppy, or this won't work. A DOS-formatted floppy looks for the DOS boot
files IO.SYS and MSDOS.SYS; an NT-formatted floppy looks for the NT boot file NTLDR.
(From Explorer, just right-click on the drive and choose Format.)
You are going to copy a bunch of files from the root directory of your server to the floppy
in the A: drive. The files are hidden, however, so you have to tell Explorer to show you
hidden files. To do that, click View, then By File Type, and then check the "Show All Files"
radio button.
Looking in your server's root directory, copy the following files from the server's root to the
floppy disk:
NTLDR
NTDETECT.COM
BOOT.INI
NTBOOTDD.SYS (if your server boots from a SCSI hard disk; if not, this file won't
be there.)
When you are finished, you have a floppy that essentially "jump starts" your system.
Chapter 3. NT Domains
Objectives
This chapter explains NT Domains. We see the various schemes of NT domain implementation.
We also examine the NT trust model as well as the way trust relationships are established
and removed.
2.
A Master domain.
3.
4.
The Single domain model is the simplest. If there are only a few servers and a few users, this
model is what one should go for. It contains just one domain and all the resources are managed
through it.
In the master domain model, there are many domains. One domain is set up as the master domain
for controlling all the user accounts, and there are any number of resource domains. The resource
domains contain only servers and NT Workstation machine accounts, no users. These resource
domains can contain print servers, file servers and application servers. Trust relationships
between the master and all the resource domains are set up, completing the arrangement. No trust
relationship is needed between the resource domains.
If there are a large number of users, a single master domain may not be appropriate. Hence,
Microsoft created the multiple master domain model. Many master domains are created here.
Then all these master domains trust each other. All the resource domains now should trust each
of the master domains.
As the size of the network grows, so does the complexity. Maintenance of these trust
relationships is time consuming, and trying to figure out all the permutations can be frustrating.
The good news is that this disappears with Windows 2000 Server, and multiple machine management
is greatly enhanced.
3.2. Trust Relationship
What is a trust relationship? In NT, security is a major component of the system, and one
domain cannot talk to another domain, in any fashion, unless the two domains are told that
doing so is okay. This relationship extends to the workstation level. If Rakesh tries to use an NT
workstation in domain B where he does not have an account, he gets nowhere. The manner in
which a domain is told to acknowledge another domain is called the trust relationship.
Trust relationships can be one-way or two-way. Domain A might trust domain B in a one-way
relationship. Users in domain B, therefore, can access resources in domain A using the accounts
and passwords originally set up for them in their home domain (in this example, B). Users in
domain A cannot use the resources of domain B, however, because the relationship goes in only
one direction.
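The domain models of Section 3.1 and the one-way trust rule of Section 3.2, as an added Python model that is not part of the manual. It assumes one fact the manual does not state explicitly, that NT 4 trusts are not transitive, and all domain names in it are constructed.

```python
from itertools import permutations

# A one-way trust is stored as (trusting_domain, trusted_domain): the trusting
# domain accepts accounts from the trusted domain.
Trust = tuple[str, str]


def can_use_resources(user_domain: str, resource_domain: str, trusts: set[Trust]) -> bool:
    """Section 3.2: an account may use resources in its home domain, or in a domain
    that directly trusts its home domain. Assumed here (not stated in the manual):
    NT 4 trusts are not transitive, so an indirect chain never grants access."""
    if user_domain == resource_domain:
        return True
    return (resource_domain, user_domain) in trusts


def master_domain_model(master: str, resource_domains: list[str]) -> set[Trust]:
    """Section 3.1, master domain model: every resource domain trusts the master,
    and no trusts between resource domains are needed."""
    return {(resource, master) for resource in resource_domains}


def multiple_master_model(masters: list[str], resource_domains: list[str]) -> set[Trust]:
    """Section 3.1, multiple master domain model: all masters trust each other
    (both directions) and every resource domain trusts every master."""
    trusts = {(a, b) for a, b in permutations(masters, 2)}
    trusts |= {(resource, master) for resource in resource_domains for master in masters}
    return trusts


def trust_count(n_masters: int, n_resource_domains: int) -> int:
    """Closed form for the number of one-way trusts multiple_master_model creates;
    this is the growing maintenance burden the manual describes."""
    return n_masters * (n_masters - 1) + n_resource_domains * n_masters


def unexpected_trusts(configured: set[Trust], intended: set[Trust]) -> set[Trust]:
    """Administrator's check: trusts present on the domains but absent from the
    intended model. Each one widens who can reach the trusting domain's resources."""
    return configured - intended


if __name__ == "__main__":
    # Constructed domain names, not from the manual.
    model = multiple_master_model(["HQ", "REGION"], ["PRINT", "FILES"])
    print(sorted(model))
    print(can_use_resources("HQ", "PRINT", model), can_use_resources("PRINT", "FILES", model))
```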
3.3. Creating Trust Relationship
NT is very security conscious. Hence, before a trust can be established, both domains must
allow the trust to occur. The domain that is to be trusted, say A, must approve the possibility;
then the domain that wants to trust it, say B, must perform an action to validate the trust of the
other domain.
3.3.1. Setting up a Domain to Trust Another
Let us say that we have two domains, viz. A and B. To establish a trust relationship so that B
trusts A, follow these steps:
1.
2. Open the User Manager for Domain by choosing Start | Programs | Administrative Tools
(Common) | User Manager for Domain.
3. Choose Policies | Trust Relationships. Figure 3.1 shows the dialog box that appears. This
dialog shows all the domains that are currently trusted or permitted to be trusted. The two
main windows are called Trusted Domains and Trusting Domains.
4.
5. In the box that appears, type the name of the domain in which you want to allow trust to occur.
In our example you will type B here.
6. You can use a password by entering one in the place that is provided. Using a password
really isn't necessary as long as you continue the trust process and finish it. The password
applies to the time between allowing a trust with B and the time at which B sets up and
7. Click OK when you are ready to continue. You will see B appear in the Trusting Domains
window.
8. Click the Close button in the upper-right corner of the dialog box to complete the task.
By setting the trusting portion of the relationship, we are halfway to establishing a one-way
trust relationship.
3.3.2. Completing the Trust Relationship
Here we actually allow domain B to start trusting A. A is already ready to allow B to trust
it, as we saw in Section 3.3.1. For this purpose follow these steps.
1. Log on to domain B using an account with Administrative privileges. Obtain the special trust
password that the domain A administrator used when the trust relationship was started (if
one was used).
2. Open the User Manager for Domain by choosing Start | Programs | Administrative Tools
(Common) | User Manager for Domain.
3. Choose Policies | Trust Relationships. You see the two main windows called Trusted
Domains and Trusting Domains.
4.
5. In the Add Trusted Domain dialog box, type the name of the domain that you want to trust,
in this example A. Then enter the password supplied by the domain A administrator. If no
password was used, leave the password field blank.
6. Click OK when you are ready to continue. After some activity by the machine, domain
A will appear in the Trusted Domains window. B now trusts A.
7. Click the Close button in the upper-right corner to complete the task.
2. Open the User Manager for Domain by choosing Start | Programs | Administrative Tools
(Common) | User Manager for Domain.
3. Choose Policies | Trust Relationships. You see the two main windows called Trusted
Domains and Trusting Domains.
4. Select domain A from the Trusted Domains window, and then click Remove. Click Yes
when a confirmation is asked.
5. Click the Close button on the upper-right corner of the dialog box to complete the task.
6.
7. Open the User Manager for Domain by choosing Start | Programs | Administrative Tools
(Common) | User Manager for Domain.
8. Choose Policies | Trust Relationships. You see the two main windows called Trusted
Domains and Trusting Domains.
9. Select domain A from the Trusting Domains window, and then click Remove. Click Yes
when a confirmation is asked.
10. Click the Close button on the upper-right corner of the dialog box to complete the task.
Administrator
Guest
Assign operators.
Not be deleted.
The Administrator account is omnipotent. You need to control its use tightly.
4.1.2. Guest Account
This is also created when you install Windows NT. A Guest is anyone that the domain
doesn't recognize. By default the guest account remains disabled and must be left so.
4.2. Creating User Accounts
We will explore two methods of creating a user account. The first is by using the "User
Manager for Domain", and the other is to use the NET command. The User Manager for Domain
can be used to perform the following tasks:
Let us see how to create a user account. For this follow these steps:
1.
2.
3. Choose User | New User. The New User dialog box appears as shown in Figure 4.2.
4. Type the new user account name, say iriset, in the Username box. Press Tab to move to the
next field.
5. Type the user's full name in the Full Name box. Press Tab to move to the next field.
6. Enter a comment in the User Description box. Press Tab to move to the next field.
7. Enter a password from 1 to 14 characters in length for the user. Press Tab to move to the
next field. Windows NT Server displays the password that you entered as asterisks to protect its
confidentiality as you enter it.
8.
9.
The various options of this command are shown in Table 4.1. The command has many options,
but the most used ones have been listed in Table 4.2.
Parameter   Description
Username    Specifies the name of the account that you want to create, change or delete.
Password    Specifies the password for the username. Alternatively, you can use *; the system
            prompts you for the password and masks the characters that you enter.
/DOMAIN     Specifies that the action applies to the Primary Domain Controller.
Options     Specifies one or more options as shown in Table 4.2. You must separate your
            options with at least one space.
Table 4.1. The NET USER Parameters.
Option                        Description
/ACTIVE:{YES | NO}            Enables or disables the account. The default is to enable
                              the account.
/COMMENT:"User description"   Provides a descriptive comment about the user (maximum
                              length 48 characters).
/PASSWORDCHG:{YES | NO}       Specifies whether the user can change the password.
Table 4.2. The most used NET USER Options.
4.3. Creating Groups
You can create groups and then add users to them. Groups simplify administration because
they allow you to assign rights at the group level. A group is a name, similar to the username of a
user account, that can be used to refer to one or more users. Using groups provides a convenient
way to give and control access to users who perform similar tasks.
Option                                     Default  Description
User Must Change Password at Next Logon    ON       Selecting this option forces users to change the
                                                    password when they log on the first time. Selecting
                                                    this option is a good idea so that the administrator
                                                    doesn't continue to know the user's password
                                                    (because they are forced to change it).
User Cannot Change Password                OFF      Selecting this option prevents users from changing
                                                    the password. Selecting it is not a good idea,
                                                    especially when the users have access to confidential
                                                    and critical data.
Password Never Expires                     OFF      Selecting this option bypasses the Maximum Password
                                                    Age account policy. Again, selecting it is not a
                                                    good idea because the password does not change and
                                                    becomes easier to guess with time.
Account Disabled                           OFF      Selecting this option creates an inactive account.
                                                    You can use this feature when you are creating
                                                    accounts for future use, or when you think that the
                                                    account is being used by some intruder.
Table 4.3. User account options in the New User dialog box.
Two types of groups exist in the NT environment: local groups and global groups. The terms local
group and global group do not refer to the contents of the group, but to the scope of the group's
accessibility. Local groups are local to the security system where they were created. Domain
local groups have rights and permissions on a single domain.
A local group is available only on the domain controllers within the domain where you create
the group, whereas a global group is available within its own domain and trusting domains.
Microsoft likes to call local groups import groups and global groups export groups. A few
things that should be kept in mind are itemized below.
Local groups on domain controllers have rights only on the domain on which they were created.
Local groups on Windows NT Workstation and member servers (non Domain Controllers)
have rights only on the computer on which they were created.
Local groups cannot contain other local groups; they can contain only user accounts or
global groups from the same domain or other domains.
Name            Description
Domain Admins   Members can fully administer the home domain, the workstations of the
                domain, and any other trusted domains that added this group to the local
                Administrators group. These members are added automatically to the local
                Administrators group.
Domain Guests   Members can access the guest account, and can potentially access resources
                across domains. Members are added automatically to the Guests group.
Domain Users    Members have normal access to the domain and any NT workstation in the
                domain. The group contains all domain users, and its members are added
                automatically to the local Users group.
Table 4.4. Domain Global groups on Windows NT Server
Name
Administrators
Account Operators
Backup Operators
Guests
Print Operators
Power Users
Replicator
Server operators
Users
Name               Description
Interactive Users  Users who log on to the local computer. Interactive users access resources
                   on the machine at which they are sitting.
Network Users      Users who log on to a network or remote computer using their account or
                   an enabled Guest account.
Everyone           All users who access a computer, whether locally or remotely. This group
                   includes both interactive and network users.
Table 4.6. Domain Global groups on Windows NT Server
Long names are automatically converted to the 8+3 naming convention when accessed by a
DOS-based workstation.
NTFS uses disk space more sparingly than FAT does. Under FAT the minimum size that a
file actually uses on a disk is 2048 bytes, and as disk partitions get larger, that minimum size
also gets larger. On a 1700MB disk, this minimum size would be a whopping 32768 bytes.
Under NTFS the same hard disk - and any hard disk in fact - supports files so that no file
actually takes more than 512 bytes of space (see footnote).
Footnote: NTFS stands for NT File System.
Footnote: The hard disk space is allocated to files in chunks of a fixed number of bytes. For the FAT
file system this fixed-size chunk becomes larger as the hard disk size increases. So for a 1700MB hard
disk, even if the file contains only 1 byte, the disk space allocated to it will be 32768 bytes. This
means that to save any information of less than 32768 bytes, FAT will allocate 32768 bytes and no
less. This wastes a lot of space and hence the disk space utilization is very poor. NTFS, on the other
hand, uses 512-byte chunks for any size of hard disk. This file system thus offers better disk space
utilization.
5.2. Creating Directory Share
Most servers on a network function as repositories for files and directories that must be
accessible to the network users. Files and directories on a server running NT Server must first
be shared before network users can access them. Merely setting up a server will not do, as the
server will just announce itself by saying, "Hi, I am a server, but I am not sharing anything."
To share a directory, you must log on as a member of the Administrators or Server Operators
group. Creating a share is easiest if you are physically logged on to the server. This is the
recommended method.
NT can only share directories, not files; it is not possible to pick just one file and ask NT to
share it. A whole directory must be shared (see footnote).
5.3. Sharing of folders using Windows NT Explorer
To share a folder using Windows NT Explorer, the following may be done.
1.
2.
3. Select the folder you want to share and then right-click on the folder to see the drop-down
menu.
4. Select the Sharing option. NT Server shows you the Properties window with sharing options.
The window's default is Not Shared.
5. Click the Shared As button and fill in the details as needed to set up a share. For example,
type the new share name you want users to see, and type a description of the files in the
share. Set up the maximum number of users as needed.
6. Click the Permissions button. You then see the permissions dialog box. Add and remove
access as needed by using the Add and Remove buttons. These allow you to select users
and the type of access you want them to have. Double-click on the groups you want, and select
the type of access. Click OK. Return to this screen a few times as needed to add any number
of groups and access levels. Click OK on the Access Through Share Permissions window
when you are finished.
7.
¹ Of course, one can always put a file in a folder of its own and share that folder, in effect sharing a single file.
² Hiding a share (giving it a name that ends in $) is not a security feature. Anyone who knows the share name can still connect to it;
hiding only keeps the share out of the browse list, to reduce clutter. The NET SHARE command on the server still lists it.
file and directory permissions do. Share permissions can only reduce the level of access granted by file and
directory permissions, never raise it: a user's effective access over the network is the more restrictive of the two.
Share restrictions apply even to members of the Administrators group. If you
restrict a share to Read, you will not be able to add or remove any files through that share, even if
you are an administrator.
5.5. File and Directory permissions
One of the main strengths of NTFS is that it provides access restrictions down to the file
level: access can be restricted for an individual file. Before we delve into the various types of
permissions, let us see what file ownership is.
Every file in NT is owned by some account. NT assigns ownership of a file to the account
that creates the file. Ownership is granted to the creator of the file by default, and it cannot be
given away. It can be taken, however, and the distinction between the two matters: a user who
wants a file to belong to someone else cannot hand it over; the other account has to take it.
File ownership is important because the creator of a file is, by default, able to
do anything to the file, even delete it. The creator has full control. In NT, full control means the
ability to read, modify and delete the file, as well as change the access to grant someone else
full control.
Let us summarise. If you create a new file, you own it and gain full control access to the file.
If you copy a file, you become the owner of the copy, with the same rights. As the file's owner, you
can remove everyone's ability, even the administrators', to access the file (although an administrator
can always take ownership back; see Section 5.6).
Ensuring that files are appropriately owned and managed is one of the keys to effective
security with NT Server 4.
5.6. Taking Ownership of Files
To take ownership of a file, proceed as follows.
1.
2. Choose Start, Programs, Windows NT Explorer. Open the directory the file resides in.
3. Select the file you want to reassign by left-clicking once on the file name.
4. Click with the right mouse button to see the drop-down menu.
5. Select Properties.
6. Select the Security tab. It offers three buttons: Permissions, Auditing and Ownership.
7. Select Permissions. Grant the user account that needs ownership full control over the file
by using the Add button. Click OK when finished. The user
8. Log off. Log on again with the user account that is to take over the ownership.
9. Open Explorer and find the file. Select it, right-click and select Properties. Select the
Security tab. Note that this tab is shown only when you are accessing a file on an NTFS partition.
10. Select the Ownership option near the bottom of the screen.
11. You see a small dialog box offering the next option, Take Ownership. Click the Take Ownership
button. Click OK to finish the task.
12. Log off. The user account now owns the file.
Step 7 is needed because taking ownership requires the Take Ownership (O) permission on the file.
Members of the Administrators group can take ownership of any file regardless of its permissions,
which is why locking administrators out of a file is never final.
Being the owner does not automatically grant you permission to use the file. Of course,
being the owner, you can give permissions to yourself; it simply does not happen automatically.
You can also set up permissions that deny you access to the file.¹
5.7. Permissions
What are the various permissions that you can set for a file in NTFS? Table 5.1 lists the
individual permissions, the letter NT uses for each, and their meaning when applied to a file or a directory.

Table 5.1. Individual permissions
Individual Permission   Letter   Meaning for a file / for a directory
Change Permission       P        Change the permissions on the file / on the directory
Delete                  D        Delete the file / delete the directory
Execute                 X        Run the file if it is a program / change into the directory and its subdirectories
Read                    R        Read the file's contents and attributes / list the directory's contents
Take Ownership          O        Take ownership of the file / of the directory
Write                   W        Change the file's contents and attributes / create files and subdirectories in it

¹ I use it only when a file is very important and I think I may accidentally delete it. I deny permission to myself.
2. Go to Start, Programs, Windows NT Explorer. Open the directory containing the files.
3. Select the file or files you want to change by left-clicking once on the file name. If you hold
the Shift key while dragging the cursor over the list of files, you can select a group of files.
4. Using the right mouse button, click on the file(s) to see the drop-down menu.
5. Select Properties.
6. Select the Security tab.
7. Select Permissions. If some groups are already showing (the Everyone group probably is),
select those groups and click the Remove button. This removes all unneeded users from the list.
Be careful not to leave the list blank, or no one will have access. Click
the Add button to add the groups or user accounts for which you want to provide access,
select them from the list provided by double-clicking, set the desired access at the bottom
of the screen, and when you are ready click OK.
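Sections 5.4 to 5.8 describe three rules that interact: share permissions only cut down what NTFS grants (even for administrators), a No Access entry overrides every other entry, and ownership can be taken but not given, with the owner able to edit the permissions even when the permissions give the owner nothing. The following is an added example, not code from the text or from Windows: it models those rules with plain Python sets, using made-up account names, groups and a made-up ACL, and walks through an owner locking administrators out of a file and an administrator taking the file back.

```python
"""Effective access to an NTFS file reached through a share, and what ownership does and does
not grant. Added example for Sections 5.4-5.8: it models the rules the text states with plain
sets, not the Windows API. Account names, groups and the sample ACL are made up."""

R, W, X, D, P, O = "R", "W", "X", "D", "P", "O"   # the individual permissions of Table 5.1
FULL = {R, W, X, D, P, O}
NO_ACCESS = "No Access"                            # one No Access entry overrides everything else
# Share permission levels, expressed as the individual permissions they let through
SHARE_LEVELS = {"No Access": set(), "Read": {R, X}, "Change": {R, X, W, D}, "Full Control": FULL}


def ntfs_effective(acl, principals):
    """acl: list of (principal, rights) where rights is a set of letters or NO_ACCESS.
    principals: the user's account name plus every group the account belongs to."""
    granted = set()
    for who, rights in acl:
        if who in principals:
            if rights == NO_ACCESS:
                return set()
            granted |= rights                      # permissions accumulate across groups
    return granted


def effective_rights(acl, principals, share_level=None):
    """Local access is the NTFS result; through a share it is cut down to the share level.
    The intersection applies to Administrators as well (Section 5.4)."""
    rights = ntfs_effective(acl, principals)
    if share_level is not None:
        rights &= SHARE_LEVELS[share_level]
    return rights


def take_ownership(file, user, principals, is_admin=False):
    """Ownership is taken, never given (Section 5.5): it needs the O permission, or
    membership of Administrators, whose take-ownership user right bypasses the ACL."""
    if is_admin or O in ntfs_effective(file["acl"], principals):
        file["owner"] = user
        return True
    return False


def set_entry(file, user, principals, who, rights):
    """Replace (or, with rights=None, remove) the entry for `who`. Editing the ACL needs the
    P permission or ownership: the owner can always change permissions even though ownership
    by itself grants no read or write access (Section 5.6)."""
    if file["owner"] != user and P not in ntfs_effective(file["acl"], principals):
        return False
    file["acl"] = [(w, r) for w, r in file["acl"] if w != who]
    if rights is not None:
        file["acl"].append((who, rights))
    return True


def demo():
    """alice locks Administrators out of her file; an administrator gets back in anyway."""
    doc = {"owner": "alice",
           "acl": [("alice", FULL), ("Everyone", {R, X}), ("Administrators", NO_ACCESS)]}
    alice = {"alice", "Users", "Everyone"}
    admin = {"admin", "Administrators", "Users", "Everyone"}
    out = {}
    out["alice_local"] = effective_rights(doc["acl"], alice)                   # full control
    out["alice_via_read_share"] = effective_rights(doc["acl"], alice, "Read")  # only R and X
    out["admin_before"] = effective_rights(doc["acl"], admin)                  # nothing at all
    out["admin_took_ownership"] = take_ownership(doc, "admin", admin, is_admin=True)
    set_entry(doc, "admin", admin, "admin", {R})                # allowed: admin is the owner now
    out["admin_still_locked"] = effective_rights(doc["acl"], admin)            # No Access still wins
    set_entry(doc, "admin", admin, "Administrators", None)      # drop the No Access entry
    out["admin_after"] = effective_rights(doc["acl"], admin)                   # R and X via Everyone, plus R
    out["owner_now"] = doc["owner"]
    return out
```

The walk-through makes two points a practitioner should keep in mind. Removing administrators' access, as Section 5.5 allows, is not a lockout: a member of Administrators can take ownership regardless of the permissions and then, as owner, rewrite them. And adding a permission entry for a user does nothing while a No Access entry for one of that user's groups remains; the No Access entry has to be removed first.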
8.
1. Log on to the server as an Administrator. Next, open the Control Panel and double-click the
Network icon. The Network dialog box appears as shown in Figure 6.1.
2. Click the Protocols tab. Any protocol that you have already installed will be shown in
the list.
3. Click the Add button to add a new protocol. NT builds a list of all the protocols it supports
and presents it to you. The dialog is shown in Figure 6.2.
4. Select the TCP/IP protocol from the list and click the OK button. NT asks whether there
is a DHCP server on your network and whether you want to use that server to obtain your
address. For the time being, say No.
5. You might be asked for the location of your installation files. Place the NT installation
CD-ROM in the drive and enter its path. Click OK when you are ready. NT copies a number of
files to the local NT system directory. If RAS (Remote Access Service) is installed, the installation asks whether
you want RAS configured to use TCP/IP. Choose the appropriate answer to continue; this
will usually be Yes.
6. When the installation finishes, you will see the TCP/IP protocol displayed in the Protocols tab
of your Network dialog box (Figure 6.3).
7. Click the Close button. NT goes through various binding processes before displaying the
Microsoft TCP/IP Properties dialog box (Figure 6.4).
TCP/IP offers various setup options. The first option lets you specify that the IP
address will come from a DHCP server. The next option lets you define a
static IP address, subnet mask and default gateway.
8. Enter the IP address, subnet mask and default gateway for your network. Click OK when you are finished. NT
completes the process and asks you to reboot the server, after which the TCP/IP services
are available.
ipconfig [/all]
/all: This switch makes the command return additional IP information for all network
adapters running TCP/IP. This includes the host name, all the DNS servers, the node type, the
state of IP routing on your system and so on. You also get the physical address of every adapter using
TCP/IP, the IP address of the adapter and its subnet mask, as well as the default gateway.
6.3.2. NETSTAT
The netstat command displays statistics for all TCP, UDP and IP connections. The
syntax is
netstat [switches]
With -a, netstat lists every connection and every listening port, so it is a quick way to see which
services a server is exposing; -n shows addresses and ports numerically instead of resolving names.
6.3.3. PING
The ping command sends small packets to a host to verify whether the host is active. It is a
very common troubleshooting command. The syntax is
ping [switches] host
The most common switches are listed below.
-n number   Number of echo requests to send (the default is four).
-l size     Size in bytes of the data sent in each echo request.
-t          Keep pinging the host until interrupted with Ctrl+C.
6.4. DNS
DNS (the Domain Name System) is a service that takes a name such as www.iriset.ac.in and translates it
into the actual IP address. At its simplest, DNS is a list of IP addresses with a name associated with each
address. You might think of it as a table with two columns, IP address and name. For
example, you might see an entry such as this:
210.212.217.130 - www.iriset.ac.in
So who controls all these names and addresses? At the time of writing, the central authority for domain registration was the InterNIC
Registration Services. This organisation ensures that your domain name is unique and that it is associated with the name
servers that hold its current IP addresses.
6.4.1. Configuring NT for Existing DNS Servers
What does the NT server do when it has to translate a name such as www.iriset.ac.in
into an IP address? It asks another machine that runs a Domain Name Server.
So whenever NT has to find the IP address corresponding to the name www.iriset.ac.in, a
process called resolving the name, it queries the Domain Name Server, which returns the IP
address for the name.
Let us see how to set up NT to use an existing Domain Name Server.
1. Log on to the server using an Administrator account. Open the NT Control Panel and double-click the Network icon. Click the Protocols tab, and then double-click the TCP/IP protocol.
2. Next, click the DNS tab. This tab displays the configuration options shown in Figure 6.6.
3. Enter the DNS domain name in the box titled Domain. By default, your computer's NT
registered name is shown in the Host Name box.
4. Click the Add button to add a DNS server that already exists on your network. You can specify
up to three servers and change the order in which they are tried by using the up and down arrows.
If the first server does not respond, NT tries the next server and then the third. A server that
answers that the name does not exist is taken at its word; the remaining servers are not asked.
5. Finally, you assign default domain suffixes in the box called Domain Suffix Search Order by
using the Add button. NT allows up to six additional domain suffixes. Again, use the up and
down arrows to tell NT in what order they are to be appended to unqualified names. Be careful
which suffixes you list and in what order: a short name such as intranet is tried under each suffix
in turn, so whoever controls an earlier suffix decides where that name resolves.
6. Click OK to finish the setup. Your NT machine is now set to use the DNS servers specified.
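As an added illustration of the order in which the settings on the DNS tab are used (this is not part of the original text, and it is a simplified model of the resolver rather than the Windows implementation), the following Python code builds the candidate names for a query from the Domain and the Domain Suffix Search Order, tries the configured servers in order, and records why each attempt moved on. The zone contents, the intranet host and the example.org suffix are constructed sample data; the rule that a name containing a dot is tried only as typed is an assumption of the model.

```python
"""Name resolution with the settings of the DNS tab: the Domain, the server list (tried in
order) and the Domain Suffix Search Order. Added example for Section 6.4.1 and a simplified
model of the resolver, not the Windows implementation. The zone data is constructed."""


class DnsServer:
    """A server as the resolver sees it: it answers, says the name does not exist
    (NXDOMAIN, modelled as None), or never responds (TimeoutError)."""

    def __init__(self, records, reachable=True):
        self.records, self.reachable = records, reachable

    def query(self, fqdn):
        if not self.reachable:
            raise TimeoutError(fqdn)
        return self.records.get(fqdn)


def candidate_names(name, domain, suffixes):
    """Assumed rule: a name containing a dot is tried only as typed; an unqualified host
    name gets the primary Domain appended first, then each suffix in search order."""
    name = name.rstrip(".")
    if "." in name:
        return [name]
    return [f"{name}.{d}" for d in [domain, *suffixes] if d]


def resolve(name, servers, domain, suffixes):
    """Returns (ip, fqdn, log). The next server is tried only when the previous one does not
    answer; a negative answer is final for that candidate name and the resolver moves on to
    the next suffix, so the suffix order decides where a short name ends up."""
    log = []
    for fqdn in candidate_names(name, domain, suffixes):
        for i, server in enumerate(servers):
            try:
                answer = server.query(fqdn)
            except TimeoutError:
                log.append((fqdn, i, "timeout"))
                continue                          # fall through to the next listed server
            log.append((fqdn, i, answer or "NXDOMAIN"))
            if answer:
                return answer, fqdn, log
            break                                 # authoritative "no such name": stop asking
    return None, None, log


def demo():
    zone = {"www.iriset.ac.in": "210.212.217.130", "intranet.example.org": "10.9.8.7"}
    servers = [DnsServer({}, reachable=False), DnsServer(zone)]   # first listed server is down
    fqdn_lookup = resolve("www.iriset.ac.in", servers, "iriset.ac.in", ["example.org"])
    short_lookup = resolve("intranet", servers, "iriset.ac.in", ["example.org"])
    return fqdn_lookup, short_lookup
```

In the second lookup the log shows the short name being tried first under the primary domain, where the server answers that it does not exist, and only then under the suffix example.org, where it resolves. If someone else had registered intranet under a suffix listed earlier, the client would have reached their host instead, which is why the suffix list deserves the same care as the server list.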
6.5. DHCP
Every computer running TCP/IP needs specific information to identify itself. DHCP (the Dynamic Host
Configuration Protocol) was designed to configure computers dynamically with IP addresses and related
TCP/IP information.
2. Selecting State: The servers respond with a DHCPOFFER carrying an IP address and a lease time.
3. Requesting State: The client chooses one of the offers (normally the first one it receives) and
broadcasts a DHCPREQUEST to confirm the IP address.
4. Bound State: The server that handed out the IP address finishes the procedure by returning
a DHCPACK, an acknowledgement of the request.
The BOOTP protocol was originally defined in RFC 951. The latest BOOTP RFC is RFC 1542, which includes support
for DHCP. The major advantage of DHCP using the same message format as BOOTP is that an existing router can act as an
RFC 1542 (BOOTP) relay agent to relay the DHCP messages between subnets. Therefore, with a router acting as an
RFC 1542 relay agent between two subnets, it is possible to have a single DHCP server providing IP addresses and
configuration information for systems on both subnets.
5. Renewing State: By default, a DHCP client first tries to renew its lease when 50% of
its lease time has expired. To renew, the client sends a directed (unicast) DHCPREQUEST to the DHCP
server from which it obtained the lease.
If permitted, the DHCP server renews the lease by responding
with a DHCPACK message. This DHCPACK contains the new lease as well
as any configuration parameters, so that the DHCP client can update its settings in case
the administrator has changed settings on the DHCP server. After the client has
renewed its lease, it returns to the bound state.
6. Rebinding State: If a DHCP client attempts to renew its lease on an IP address and for some
reason cannot contact a DHCP server, the DHCP client displays a message saying
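The states listed above are easier to follow with both sides' messages in front of you. The following Python code is an added example, not code from the text: it encodes DHCPDISCOVER, DHCPOFFER, DHCPREQUEST and DHCPACK in the RFC 2131 message format, runs a client through the selecting, requesting, bound and renewing states against a toy server, and shows the server refusing with a DHCPNAK when a client tries to renew an address that was leased to a different hardware address. The server's address pool, the MAC addresses and the transaction IDs are made up, and the broadcast flag is set on every message for simplicity.

```python
"""DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK and renewal at 50% of the lease, with both
sides' messages in the RFC 2131 format. Added example, not code from the text: toy server with
one pool; MAC addresses, IP addresses and xids are made up; broadcast flag always set."""
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"                          # options cookie that follows the header
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6   # option 53 message types
HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file
packed = lambda ip: ipaddress.ip_address(ip).packed  # dotted string -> 4 network-order bytes


def build(op, xid, mac, ciaddr, yiaddr, siaddr, options):
    """op 1 = request (client to server), 2 = reply. Only a bound client fills in ciaddr."""
    header = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0x8000, packed(ciaddr), packed(yiaddr),
                         packed(siaddr), b"\0" * 4, mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + MAGIC + body + b"\xff"


def parse(msg):
    f = struct.unpack(HDR, msg[:236])
    if msg[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(msg) and msg[i] != 0xFF:           # 0xFF ends the option list
        if msg[i] == 0:                              # pad byte
            i += 1
            continue
        code, length = msg[i], msg[i + 1]
        opts[code] = msg[i + 2:i + 2 + length]
        i += 2 + length
    return {"xid": f[4], "ciaddr": str(ipaddress.ip_address(f[7])),
            "yiaddr": str(ipaddress.ip_address(f[8])), "chaddr": f[11][:6], "options": opts}


class Server:
    def __init__(self, ip, pool, lease):
        self.ip, self.free, self.lease, self.leases = ip, list(pool), lease, {}

    def _reply(self, m, kind, yiaddr):
        opts = [(53, bytes([kind])), (54, packed(self.ip))]        # 54 = server identifier
        if kind != NAK:
            opts.append((51, struct.pack("!I", self.lease)))       # 51 = lease time in seconds
        return build(2, m["xid"], m["chaddr"], "0.0.0.0", yiaddr, self.ip, opts)

    def handle(self, raw):
        m = parse(raw)
        kind = m["options"][53][0]
        if kind == DISCOVER:
            return self._reply(m, OFFER, self.free[0]) if self.free else None   # silent if empty
        if kind == REQUEST:
            # a first request names the address in option 50; a renewal carries it in ciaddr
            want = str(ipaddress.ip_address(m["options"][50])) if 50 in m["options"] else m["ciaddr"]
            if want in self.free or self.leases.get(want) == m["chaddr"]:
                if want in self.free:
                    self.free.remove(want)
                self.leases[want] = m["chaddr"]
                return self._reply(m, ACK, want)
            return self._reply(m, NAK, "0.0.0.0")    # leased to another hardware address
        return None


class Client:
    def __init__(self, mac):
        self.mac, self.state, self.ip, self.t1 = mac, "INIT", None, None

    def _bind(self, raw):
        m = parse(raw) if raw else None
        if m is None or m["options"][53][0] != ACK:
            self.state, self.ip = "INIT", None       # NAK or silence: start again from INIT
            return None
        self.ip = m["yiaddr"]
        self.t1 = struct.unpack("!I", m["options"][51])[0] // 2   # T1: renew at 50% of lease
        self.state = "BOUND"
        return self.ip

    def obtain(self, server, xid=0x1234):
        self.state = "SELECTING"
        raw = server.handle(build(1, xid, self.mac, "0.0.0.0", "0.0.0.0", "0.0.0.0",
                                  [(53, bytes([DISCOVER]))]))
        if raw is None:
            self.state = "INIT"
            return None
        offer = parse(raw)
        self.state = "REQUESTING"
        return self._bind(server.handle(build(1, xid, self.mac, "0.0.0.0", "0.0.0.0", "0.0.0.0",
                                              [(53, bytes([REQUEST])), (50, packed(offer["yiaddr"])),
                                               (54, offer["options"][54])])))

    def renew(self, server, xid=0x1235):
        self.state = "RENEWING"                      # directed DHCPREQUEST with ciaddr set
        return self._bind(server.handle(build(1, xid, self.mac, self.ip, "0.0.0.0", "0.0.0.0",
                                              [(53, bytes([REQUEST]))])))


def demo():
    srv = Server("192.168.1.1", ["192.168.1.10", "192.168.1.11"], lease=3600)
    pc1, pc2 = Client(b"\x00\x11\x22\x33\x44\x55"), Client(b"\x00\x11\x22\x33\x44\x66")
    first, second = pc1.obtain(srv), pc2.obtain(srv)
    renewed = pc1.renew(srv)
    pc2.ip = first                                   # pc2 asks to renew pc1's address: NAK
    stolen = pc2.renew(srv)
    return first, second, renewed, pc1.t1, pc1.state, stolen, pc2.state
```

The server keys each lease on the client hardware address, which is the only check a plain DHCP server has: a renewal for an address leased to someone else gets a DHCPNAK and the client drops back to the initializing state. The check is worth nothing against a client that forges its hardware address, so DHCP by itself is not an access control.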
1. Log on as an Administrator. Double-click the Network icon in the Control Panel. When the
Network dialog box appears, click the Services tab, and then click Add to display the Select
Network Service dialog box (see Figure 6.7).
2. From the Network Service list, highlight Microsoft DHCP Server, and then click OK.
3. Windows NT Setup displays a message asking for the full path to the Windows NT Server
distribution files. Provide the appropriate location and click the Continue button. All necessary
files are copied to your hard disk.
4. Complete all the required procedures for manually configuring TCP/IP as described in
Section 6.2. A DHCP server must have a static address of its own; it cannot be a DHCP client.
addresses, or pool of addresses, to draw on. You create a scope for each subnet on the network
to define the parameters for that subnet.
When the DHCP server is installed, the DHCP Manager icon is added to the Administrative Tools group under Programs in the Start menu. You use DHCP Manager to:
- define the properties of a scope, including the lease duration and the IP address ranges available for
distribution to DHCP clients in the scope;
- define default values for options (such as the default gateway and DNS servers) to be assigned
together with an IP address.
To create a scope:
1. In the DHCP Servers list in the DHCP Manager window, select the server where you want
to create a scope.
2. Choose Scope|Create. The Create Scope dialog box is displayed, as shown in Figure 6.8.
3. To define the range of IP addresses available in this scope, type the beginning and the ending
IP addresses of the range in the Start Address and End Address boxes. The IP address
range includes the Start and End values. You must supply this information for the
system to activate the scope.
4. In the Subnet Mask box, DHCP Manager proposes a subnet mask based on the
Start and End addresses. Accept the proposed value unless you know that a
different value is required.
5. To define excluded addresses within the IP address range (addresses already assigned statically to
routers, servers or printers), use the Exclusion Range controls as follows:
- Type the first IP address of the excluded range in the Start Address box and
the last in the End Address box. Click the Add button. Continue to define
any other excluded ranges in the same way.
- To exclude a single IP address, type it in the Start Address box, leave the
End Address box empty and click the Add button.
- To remove an IP address or range from the exclusions, select it in the Excluded
Addresses box and click the Remove button.
6. To specify the lease duration for IP addresses in this scope, select Limited To and type values
for the number of days, hours and minutes of the address lease. If you
do not want IP address leases in this scope to expire, select the Unlimited option (this is
not recommended, because the addresses of machines that leave the network are never reclaimed).
7. In the Name box, type a scope name. Although this is optional, it is a good idea to
name each scope for later reference. Use any name that describes the subnet. The name can
include any combination of letters, numbers and hyphens; blank spaces and underscore
characters are also allowed.
8. Optionally, in the Comment box, type a string describing this scope, and then click OK.
9. When you finish creating the scope, a message reminds you that the scope has not been
activated and lets you choose Yes to activate it immediately. Do not activate
a new scope, however, until you have defined the DHCP options for it.
To define the options:
1. In the DHCP Servers list in the DHCP Manager window, select the scope that you want
to configure.
2. From the DHCP Options menu, choose the Global or Scope command, depending on
whether you want to define options for all scopes on the currently selected server or only for the
scope currently selected in the DHCP Manager window. The DHCP Options: Scope dialog
box appears.
3. In the Unused Options list of the DHCP Options: Scope dialog box, select the name of the
DHCP option you want to apply. Click the Add button to move the name to the Active Options
list. This list shows predefined options and any custom options you have added.
4. To define the value of an active option, select its name in the Active Options box and click
the Values button. Then click the Edit button and edit the information in the Current Value
box according to the data type of the option:
- For an IP address, type the address assigned to the selected option.
- For a number, type an appropriate decimal or hexadecimal value for the option.
- For a string, type an appropriate ASCII string of letters and numbers for
the option.
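As an added example (not the text's or Microsoft's code) of what the scope and option definitions above amount to, the following Python class models a scope the way DHCP Manager defines it: a start and end address that must lie in one subnet, exclusion ranges (a single address when the end is left empty), a limited or Unlimited lease, option values checked against their data type, and the rule that a scope should not be activated before its options are defined. The addresses, option values and client identifiers are made up, and the requirement that the router option (3) be set before activation is this example's own choice of a minimum.

```python
"""A DHCP scope as DHCP Manager defines it (Section 6.5): address range inside one subnet,
exclusions, lease duration, typed options, activation. Added example; all values are made up."""
import ipaddress
from datetime import datetime, timedelta

# DHCP option codes used here and the data type DHCP Manager edits them as
OPTION_TYPES = {3: "ip", 6: "ip", 15: "string", 51: "number"}   # router, DNS servers, domain, lease


class Scope:
    def __init__(self, start, end, mask, lease=timedelta(days=3), name=""):
        self.start, self.end = ipaddress.ip_address(start), ipaddress.ip_address(end)
        self.network = ipaddress.ip_network(f"{start}/{mask}", strict=False)
        if self.start > self.end or self.end not in self.network:
            raise ValueError("start and end must lie in the same subnet, start <= end")
        self.lease, self.name = lease, name       # lease=None models Unlimited (not recommended)
        self.excluded = set()                     # static hosts: router, servers, printers
        self.leases = {}                          # ip -> (client_id, expiry or None)
        self.options = {}
        self.active = False

    def exclude(self, first, last=None):
        """Exclusion range; an empty End Address (last=None) excludes the single address."""
        first = ipaddress.ip_address(first)
        last = first if last is None else ipaddress.ip_address(last)
        for n in range(int(first), int(last) + 1):
            self.excluded.add(ipaddress.ip_address(n))

    def set_option(self, code, value):
        """Values are checked by the option's data type, as the Values/Edit dialog does."""
        kind = OPTION_TYPES[code]
        if kind == "ip":
            value = [str(ipaddress.ip_address(v)) for v in value]   # list of addresses
        elif kind == "number":
            value = int(value)
        elif not isinstance(value, str) or not value.isascii():
            raise ValueError("string options must be ASCII")
        self.options[code] = value

    def activate(self):
        """Do not activate before the options clients depend on are defined."""
        if 3 not in self.options:
            raise RuntimeError("define the router (option 3) before activating the scope")
        self.active = True

    def offer(self, client_id, now):
        """Re-offer a client's current lease; otherwise the first address in the range that is
        not excluded and is free or expired. None when the scope is inactive or exhausted."""
        if not self.active:
            return None
        for ip, (cid, expiry) in self.leases.items():
            if cid == client_id and (expiry is None or expiry > now):
                return ip
        for n in range(int(self.start), int(self.end) + 1):
            ip = ipaddress.ip_address(n)
            if ip in self.excluded:
                continue
            held = self.leases.get(ip)
            if held is None or (held[1] is not None and held[1] <= now):
                self.leases[ip] = (client_id, None if self.lease is None else now + self.lease)
                return ip
        return None


def demo():
    now = datetime(2024, 1, 1)
    scope = Scope("10.0.0.10", "10.0.0.20", "255.255.255.0", lease=timedelta(days=3), name="Subnet A")
    scope.exclude("10.0.0.10")                     # the router keeps its static address
    scope.exclude("10.0.0.12", "10.0.0.15")        # servers with fixed addresses
    scope.set_option(3, ["10.0.0.10"])
    scope.set_option(6, ["10.0.0.12", "10.0.0.13"])
    scope.set_option(15, "example.org")
    scope.activate()
    a = scope.offer("pc-a", now)
    b = scope.offer("pc-b", now)
    a_again = scope.offer("pc-a", now + timedelta(days=1))    # same lease re-offered
    c = scope.offer("pc-c", now + timedelta(days=4))          # pc-a's lease has expired by then
    return [str(x) for x in (a, b, a_again, c)]
```

The last offer in the walk-through is the reason the text warns against Unlimited leases: with a finite lease, the address pc-a stopped renewing is handed to pc-c once it expires; with lease=None the same address would stay tied to pc-a for good, and a scope of machines that come and go would run dry.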
Index
Abstraction, 2
Multi-Threaded, 2
Multitasking, 2
Operating System, 1
Single Tasking, 2
symmetric processor system, 2
Task, 2
Thread, 2