Microsoft Windows NT Server 4.0 in the Enterprise Exam 70-068 Study Outline
Content created and copyright © 1998-1999, by David L. Woodall, all Rights Reserved
Trust Relationships
Domain that Contains the Users is the TRUSTED Domain
Domain that Contains the Resource(s) is the TRUSTING Domain
To Establish a Trust BOTH Domains must configure the Trust in User Manager for Domains
The Four NT Domain Models
Single Domain Model
All Account and Resource Management is Centralized
NO Trusts to manage
Must Contain LESS THAN 40,000 User, Group, and Computer Accounts
Single Master Domain Model
User Account Management is Centralized
Resource Management can be Decentralized if Desired
Only One-way Trusts are needed
Must Contain LESS THAN 40,000 User, Group, and Computer Accounts
More Administrative Overhead than the Single Domain Model
Multiple Master Domain Model
Account Management is Retained in Multiple Account Domains
Resource Management can be Decentralized if Desired
Scalable to ANY SIZE
More Administrative Overhead to Manage the two-way Trusts
Complete Trust Model
Each Domain has Full Control over its Accounts and Resources
Requires Some, but Little, Central Planning
Well Suited for Companies with Localized Operations joined together by a WAN
Requires n(n-1) Trusts, where n = number of Domains
Logon Validation and SAM Synchronization Traffic
Be aware of how they affect WAN traffic
Also applies to DHCP, WINS, and DNS
BDCs Offload Authentication Traffic and Provide Fault Tolerance to the PDC
A BDC CANNOT be installed into a Domain if the PDC is Unavailable
Automatic Domain Synchronization
By Default PDCs Send a Pulse every 5 Minutes
When the BDC Receives the Pulse, it Responds and Requests the Changes from the Change Log. This is a PARTIAL Synchronization
Pulse and Pulse Concurrency (the number of BDCs to which a Pulse will be sent) can be controlled through the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetLogon\Parameters Key. The Default for the Pulse is 300 seconds (Range=60-3,600). The Default for Pulse Concurrency is 20 (Range=1-500)
The Replication Governor
Controls how often the BDC responds to the Pulses from the PDC
Is controlled through the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetLogon\Parameters Key. The Default is 100% (Range=1-100). This value also controls the size of the replication buffer, which has a default value (at 100%) of 128k. At 50% the buffer size would be 64k.
Manual Domain Synchronization
Can be Forced through Server Manager at Either the PDC or a BDC
DHCP
Once installed, is configured through DHCP Manager
Can have Basic or Advanced Configuration. For a Basic Configuration:
AppleTalk Configuration
AppleTalk is AUTOMATICALLY INSTALLED with Services for Macintosh
Configured by Specifying:
DLC - No Configuration
Computer Browser
The BROWSER SERVICE is used to display the available Domains and computers and their associated resources that are available to the Local Computer
Browser Roles
Browser Selection (Election Hierarchy)
NT Server Domain Controller (PDC wins over BDC)
NT Member Server
NT Workstation
Windows 95
Windows for Workgroups
NT4.0
NT3.51
NT3.5
NT3.1
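The election hierarchy above decides which machine becomes Master Browser: operating system/role first, NT version second. The following is an added example, not part of the study outline, that ranks a constructed set of machines by that hierarchy; the tie-breaker by name is an assumption of the example, since the outline gives none.

```python
from dataclasses import dataclass

# Election hierarchy from the outline: role/OS first, then NT version. Higher rank wins.
ROLE_RANK = {
    "PDC": 6, "BDC": 5, "NT Member Server": 4,
    "NT Workstation": 3, "Windows 95": 2, "Windows for Workgroups": 1,
}
VERSION_RANK = {"4.0": 4, "3.51": 3, "3.5": 2, "3.1": 1}


@dataclass(frozen=True)
class Machine:
    name: str
    role: str             # a ROLE_RANK key
    nt_version: str = ""  # "" for Windows 95 / Windows for Workgroups


def election_key(m: Machine) -> tuple:
    """Higher tuple wins: (role rank, NT version rank)."""
    if m.role not in ROLE_RANK:
        raise ValueError(f"{m.name}: unknown role {m.role!r}")
    is_nt = m.role.startswith(("PDC", "BDC", "NT"))
    if is_nt and m.nt_version not in VERSION_RANK:
        raise ValueError(f"{m.name}: NT system needs a version in {sorted(VERSION_RANK)}")
    return (ROLE_RANK[m.role], VERSION_RANK.get(m.nt_version, 0))


def election_order(machines):
    """Candidate names from winner to last. Ties on role and version are broken
    by name (assumption of this example; the outline specifies no tie-breaker)."""
    def sort_key(m):
        role_rank, ver_rank = election_key(m)
        return (-role_rank, -ver_rank, m.name)
    return [m.name for m in sorted(machines, key=sort_key)]


def elect_master_browser(machines):
    if not machines:
        raise ValueError("no candidates")
    return election_order(machines)[0]


# Constructed sample segment (not from the page): a 3.51 PDC still beats a 4.0 BDC.
SAMPLE = [
    Machine("WS-ACCT1", "NT Workstation", "4.0"),
    Machine("PDC-NY", "PDC", "3.51"),
    Machine("BDC-NY", "BDC", "4.0"),
    Machine("FILESRV", "NT Member Server", "4.0"),
    Machine("WIN95-PC", "Windows 95"),
    Machine("WFW-PC", "Windows for Workgroups"),
]

if __name__ == "__main__":
    print(election_order(SAMPLE))
```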
NT Printer Permissions
No Access
Manage Documents
Full Control - allows Manage Documents plus all properties of a printer, including ownership
Printing in a TCP/IP Environment
The Print Server that defines the TCP/IP Printer becomes an LPD (Line Printer Daemon) Print Server. To print to printers that have been configured as LPD Print Servers, use the LPR command. To obtain the status of an LPD Server queue, use the LPQ command.
Configuring Printers to use the DLC Protocol
NT Server Configuration for Client Support
To add an NT Workstation:
To add a Windows95 Client
To add a Macintosh Client
You only need to add Services for Macintosh on the NT Server to which the Client will attach if you configure Services for Macintosh to allow Guest Logons or Clear Text Passwords. If you need encrypted passwords, the Macintosh Clients require the UAM (User Authentication Module) to be installed.
If you will support a Macintosh Network that uses LocalTalk as its connection media, you must:
Managing NT Groups
Local Groups
When created (at ANY NT MACHINE) it resides in the Local computer's Local SAM database
Can Contain:
Global Groups
Can reside only on NT Domain Controllers
Can only contain USERS FROM WITHIN THE LOCAL DOMAIN
Default NT Groups - Global Default Groups
Group | Default Membership | Description
Domain Administrators | Administrator | Used to logically group all members who will administer the Domain
Domain Users | Any User Created in the Domain, Except the Guest Account | Used to logically group all Users within a Domain
Domain Guests | Guest | Used to logically group all of the Domain Guest accounts
Local Default Groups
Group | Default Membership | Description
Administrators | Administrator and the Domain Admins Global Group | This group has the rights to manage accounts, resources, and the NT OS
Account Operators | None Assigned | This group can only manage NT accounts
Backup Operators | None Assigned | Can back up and restore the NT Domain Servers
Print Operators | None Assigned | Can share and stop sharing printers, and manage EXISTING printers
Replicator | None Assigned | Special group used only if you use Directory Replication
Server Operators | None Assigned | Can manage NT Server resources such as sharing, lock or override a lock on a Server, manage (even format) the hard disks, back up and restore the Server
Guests | Guest and the Domain Guests Global Group | Guests have no default rights. You must assign them rights to the resources to which they need access
"Hidden" Default Groups
Groups which do not appear in User Manager for Domains, but which are used in the NT Security Model.
They appear in other parts of the NT OS, such as when NTFS permissions are set.
Group | Description
Everyone | ALL USERS who can access a computer
Network | Users who connect and use the resources of a computer over the network
Interactive | User who is logged on locally at the computer which contains the resources he or she is accessing
Domain Users are from the Local Domain Only! Everyone also includes Users from Trusted Domains.
Domain Admins is automatically added to the Administrators Local Group on each machine, so DOMAIN ADMIN IS MORE POWERFUL THAN LOCAL ADMIN!
Audit Options
Once auditing is enabled, you can select to manage these events:
File Auditing
File auditing is enabled and configured through NT EXPLORER, Right Click, Properties, Security Tab
The Options you can Audit are:
MultiProtocol Routing
In order to support routing, NT Server uses a Service called MultiProtocol Router (MPR). It is actually a set of three different network Services that you can install. They are:
Routers are commonly used to:
RIP for IP
Uses Dynamic Route Tables to route between IP subnets
Static route tables are sometimes used because they do not generate network traffic. Static route tables require an NT Server with at least 2 NICs, each configured with an IP address from the subnet to which it will connect. Once the NICs have been installed you need to ensure that IP Forwarding is enabled. You can verify this through Control Panel>Network>Protocols>TCP/IP>Properties>Routing
The Route command can then be used to manually configure your router tables
With RIP for IP, Dynamic Routing is enabled. Anytime routing information changes, the RIP router will note the change and propagate the changes to other routers on the network. The drawback is increased network traffic.
DHCP Relay Agent
Used to broadcast DHCP messages between a DHCP Server and a router.
Install through Control Panel>Services>Add>DHCP Relay Agent
Once installed it must be activated by specifying the DHCP Server's IP address in Control Panel>Network>Protocols>TCP/IP Protocol DHCP Relay Tab.
Rip for NWLink
In a static IPX environment, IPXROUTE command is used
When installing RIP for NWLink, you actually use the services of RIP and SAP (Service Advertising Protocol). SAP is used by NetWare to broadcast Services.
If you have Microsoft Clients using NWLink to connect to the NT Server, you must also enable Broadcast Propagation (broadcast of type 20 packets). Failure to do so will prevent NetBIOS functions (such as browsing) running over NWLink from working properly.
IIS
Comprised mainly of:
Upon installation, the Program Group Microsoft Internet Server (Common) is created. Within the group is INTERNET SERVICE MANAGER. HTTP and FTP are configured here.
WWW Service
Installed automatically upon IIS installation. Used to provide a graphical interface for viewing documents on the Internet. Uses HTTP as a Client-Server process. To configure, click on the WWW service. Through WWW service you can configure:
FTP Service
Through the FTP Service Properties you can configure the messages shown to Users when:
They Access the FTP Server
They Exit the FTP Server
They access the FTP Server, but the Max Connections has already been exceeded
Virtual Directories and Virtual Servers
Virtual Directory
A directory that appears to exist on the IIS Server, but in fact resides on a remote computer
To create a Virtual Directory, point to a UNC name through the WWW or FTP Directories Service Property Tab
Virtual Servers
A single computer that has IIS installed, but appears to remote users as multiple Internet Servers
To create a Virtual Server:
LAN Protocols and RAS
Each network protocol can be configured to allow access to the Entire Network or This Computer Only. Entire Network allows RAS Clients to access any network resource to which the User Account has permissions. This Computer Only allows access to resources on the RAS Server only.
NetBEUI
Other than Entire Network or This Computer Only, NetBEUI requires no configuration.
IPX
TCP/IP
TCP/IP is the only protocol that supports the Windows Sockets API. If your Users require access to applications that use the Windows Sockets API, you must configure TCP/IP for your RAS Server
The REMOTE ACCESS ADMIN Utility can be used to manage the RAS communication ports; Start, Stop, and Pause the RAS Service; or Assign RAS permissions. To assign RAS permissions, select Users>Permissions
Installing RAS Client Software
To install on an NT Client, follow the same procedure as RAS for NT Server. Once completed, choose My Computer, then Dial-Up Networking. Here you must specify:
Once DUN is installed you use the Dial-Up Networking Dialog Box (accessed by clicking the "More" button) where you can further configure the RAS Client software. The two most important configuration tabs are:
1. Server Tab
Allows you to configure the connection for the Server to which you will connect. The options are:
2. Security Tab
The Security Tab specifies the authentication and encryption method you want to use. The options are:
Baseline Measurement and System Optimization
When collecting data, you should first try to create a measurement for an environment with no-load, or as little load as possible. New Baselines should be established after major hardware and software configuration changes.
A Bottleneck is a system resource that is inefficient compared to the rest of the system as a whole.
You can also use your baselines to perform Trend Analysis. If you create Baselines on a regular basis, you can use the data to spot trends in system usage.
Network Monitor
By default Network Monitor IS NOT INSTALLED. Install it through Control Panel>Network>Services, then add the Network Monitor Tools and Agent. Once Network Monitor is installed you can use it to:
Bar Graphs - provide Real-Time information on network activity. They provide information on:
To create a filter, choose Display>Filter
NT Blue Screen Errors
Generated when NT encounters a fatal system error (basically a crash)
Information Generated through Blue Screens
Area of Screen | Information Generated
Top | Error Code and Parameters
Middle | All Modules and Drivers that have Loaded and Initialized Successfully
Bottom | All Modules and Drivers that are Waiting to be Loaded
To create a DUMP FILE you must have a paging file on the boot partition that is at least 1MB larger than the amount of RAM installed on the NT Server
Kernel Debugger
Advanced Troubleshooting can be accomplished through the Kernel Debugger. Used when you are dealing with MS Tech Support to help ID and resolve problems that are occurring on your NT Server. The most common way to connect to Microsoft is through RAS
Kernel Debugger Requires: