Each Domain has Full Control over its Accounts and Resources

Requires Some, but Little, Central Planning

Well Suited for Companies with Localized Operations joined together by a WAN

Requires n(n-1) Trusts, where n=number of Domains

Be aware of how they affect WAN traffic

Also applies to DHCP, WINS, and DNS

A BDC CANNOT be installed into a Domain if the PDC is Unavailable

By Default PDCs Send a Pulse every 5 Minutes

When the BDC Receives the Pulse, it Responds and Requests the Changes from the Change Log. This is a PARTIAL Synchronization

Pulse and Pulse Concurrency (the number of BDCs to which a Pulse will be sent) can be controlled through the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetLogon\Parameters Key. The Default for the Pulse is 300 seconds (Range=60-3,600). The Default for Pulse Concurrency is 20 (Range=1-500)

Controls how often the BDC responds to the Pulses from the PDC

Is controlled through

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetLogon\Parameters Key. The Default is 100% (Range=1-100). This value also manipulates the size of the buffer, which has a default value (at 100%) of 128k. At 50% the buffer size would be 64k.

Can be Forced through Server Manager at Either the PDC or a BDC

Once installed, is configured through DHCP Manager

Can have Basic or Advanced Configuration. For a Basic Configuration:

1. Create a Scope (a range of IP addresses that can be leased by the DHCP Clients)
2. Edit the properties of the Scope to reflect your configuration

AppleTalk is AUTOMATICALLY INSTALLED with Services for Macintosh

Configured by Specifying:

1. Default Adapter
2. Default Zone
3. Routing Information

The BROWSER SERVICE is used to display the available Domains and computers and their associated resources that are available to the Local Computer

Full Control - allows manage documents plus all properties of a printer including ownership

The Print Server that defines the TCP/IP Printer becomes an LPD (Line Printer Daemon) Print Server. To print to printers that have been configured as LPD Print Servers, use the LPR command. To obtain the status of an LPD Server queue, use the LPQ command.

You only need to add the Services for Macintosh on the NT Server to which the Client will attach, if you configure Services for Macintosh to allow Guest Logons or Clear Text Passwords. If you need encrypted passwords, the Macintosh Clients will require the UAM (User Authentication Module) be installed.

1. Upgrade the Macintosh Clients to EtherTalk (or some other common media with the PC network)
2. Install a third-part router that connects Ethernet with LocalTalk
3. Install a LocalTalk NIC into your NT Server to function as a router

When created (at ANY NT MACHINE) it resides in the Local computer's Local SAM database

Can Contain:

1. Users from the Local SAM database
2. Users from within the Domain
3. Users from Trusted Domains
4. Global Groups from within the Domain
5. Global Groups from Trusted Domains

Groups which do not appear in User Manager for Domains, but which are used in the NT Security Model.

They appear in other parts of the NT OS, such as when NTFS permissions are set.

Once auditing is enabled, you can select to manage these events:

1. Logon and Logoff
2. File and Object Access - must be enabled to audit NTFS or printer events
3. Use of User Rights - any User Right except those associated with Logon and Logoff
4. User and Group Management - Tracks changes to Users and Groups
5. Security Policy Changes
6. Restart, Shutdown, and System - Clearing the Security Log is tracked through System
7. Process Tracking - Process-related events such as program activation, indirect object access, etc…

File auditing is enabled and configured through NT EXPLORER, Right Click, Properties, Security Tab

The Options you can Audit are:

1. Read
2. Write
3. Execute
4. Delete
5. Change Permissions
6. Take Ownership

In order to support routing, NT Server uses a Service called MultiProtocol Router (MPR). It is actually a set of three different network Services that you can install. They are:

1. RIP (Routing Information Protocol) for IP - also referred to as the Internet Router
2. DHCP Relay Agent - also referred to as BOOTP/DHCP Relay Agent
3. RIP for NWLINK IPX/SPX Compatible Protocol - also referred to as IPX Router

Routers are commonly used to:

Uses Dynamic Route Tables to route between IP subnets

Static route tables are sometimes used because they do not generate network traffic. Static route tables require an NT Server with at least 2 NICs, each configured with an IP address from the subnet to which it will connect. Once the NICs have been installed you need to ensure that IP Forwarding is enabled. You can verify this through Control Panel>Network>Protocols>TCP/IP>Properties>Routing

The Route command can then be used to manually configure your router tables

With RIP for IP, Dynamic Routing is enabled. Anytime routing information changes, the RIP router will note the change and propagate the changes to other routers on the network. The drawback is increased network traffic.

Used to broadcast DHCP messages between a DHCP Server and a router.

Install through Control Panel>Services>Add>DHCP Relay Agent

In a static IPX environment, IPXROUTE command is used

When installing RIP for NWLink, you actually use the services of RIP and SAP (Service Addressing Protocol). SAP is used by Netware to broadcast Services.

If you have Microsoft Clients using NWLink to connect to the NT Server, you must also enable Broadcast Propagation (broadcast of type 20 packets). Failure to do so will prevent NetBIOS functions (such as browsing) running on NWLink will not function properly.

Comprised mainly of:

1. HTTP
2. FTP

Upon installation, The Program Group, Microsoft Internet Server (Common) is created. Within the group is INTERNET SERVICE MANAGER. HTTP and FTP are configured here.

Installed automatically upon IIS installation. Used to provide a graphical interface for viewing documents on the Internet. Uses HTTP as a Client-Server process. To configure, click on the WWW service. Through WWW service you can configure:

1. Service - Tabs for such elements as Port (default is port 80), Connection Timeout (Default is 900 seconds without activity), Max Connections (Default is 100,000), Anonymous Login (Default is to use account IUSR_computername, Password Authentication (Default is ALLOW ANONYMOUS and Windows NT Challenge/Response)
2. Directories - Directories Tab specifies the path of the directories to be used by WWW, paths for virtual directories, the IP address for virtual servers, and Error (which will list any system errors reported). You can also Enable Default Document to specify a default document to be displayed if the remote client does not request a specific document in the directory. Directory Browsing Allowed - This option will allow the remote client to obtain a listing of directories and files that are hosted by the WWW Service.
3. Logging - Logging is used to determine how much use you have through the WWW Service (i.e., how long each client is attached), what files are being accessed, and help identify any security violations. Here you can Enable Logging, select Log Format - either Standard format or the NCSA format (National Center for Supercomputing Applications), Automatically Open New Log - Specifies how often a new log should be generated, Default is Daily but can be set to Weekly, Monthly, or whenever the file reaches a specified size. Log File Directory -Default is \WINNT\System32\LogFiles, unless otherwise specified, or Log to SQL/ODBC Database - which specifies that the log be saved in a database as opposed to the file logging (this option requires the path, username and password required to access the database application).
4. Advanced - Here you can define which computers are granted or denied access based on the computer's IP address and subnet mask. You can also specify bandwidth allowed by the ISP and specify the maximum number of kilobits per second that will be allowed.

Through the FTP Services Properties you can configure:

1. Service - Similar to WWW Service with the exception of a Default Port of 21, Max Connections of 10,000, and NO MS-CHAP (encrypted passwords
2. Messages - Allows you to specify the message users see when

   They Access the FTP Server

   They Exit the FTP Server

   They access the FTP Server, but the Max Connections has already been exceeded

3. Directories - Similar to WWW Directories but allows you to specify whether the will be UNIX or MS-DOS based. FTP DOES NOT SUPPORT VIRTUAL SERVERS
4. Logging - Similar to WWW Logging Properties
5. Advanced - Similar to WWW Advanced Properties

A directory that appears to exist on the IIS Server, but in fact resides on a remote computer

To create a Virtual Server, point to a UNC name through the WWW or FTP Directories Service Property Tab

A single computer that has IIS installed, but appears to remote users as multiple Internet Servers

To create a Virtual Server:

1. You must have an IP address for the Primary Server and an IP address that will be used for each Virtual Server
2. You must use Control Panel>Network to assign the multiple IP address to your LAN adapter
3. Through the Internet Service Manager, assign each Virtual Server its own IP address through the Directories Tab of the WWW Service. FTP DOES NOT SUPPORT THIS.

Each network protocol can be configured to allow access to the Entire Network or This Computer Only. Entire Network allows RAS Clients to access any network resource to which the User Account has permissions. This Computer Only allows access to resources on the RAS Server only.

Other than Entire Network or This Computer Only, NetBEUI requires no configuration.

TCP/IP is the only protocol that supports the Windows Sockets API. If your Users require access to applications that use the Windows Sockets API, you must configure TCP/IP for your RAS Server

To install on an NT Client, follow the same procedure as RAS for NT Server. Once completed, choose My Computer, then Dial-Up Networking. Here you must specify:

1. A phone book entry (where you will call your RAS Server)
2. The communication device you will use
3. The telephony dialing properties (where you are calling from)

Once DUN is installed you use the Dial-Up Networking Dialog Box (accessed by clicking the "More" button) where you can further configure the RAS Client software. The two most important configuration tabs are:

Allows you to configure the connection for the Server to which you will connect. The options are:

1. Dial-Up Server Type - Allows you to specify the type of connection you are using

1. PPP connection to attach to Windows NT, Win95 Plus, or the Internet
2. SLIP connection to the Internet
3. A connection to a Windows NT3.1 or Windows for Workgroups computer

1. Network Protocols - Allows you to specify the dial in protocol(s) you will use. TCP/IP and IPX/SPX are selected by default. You must have a protocol in common with the RAS server you are calling.
2. Enable Software Compression - Offers software compression that is used in addition to modem hardware compression. Selected by Default
3. Enable PPP LCP Extensions - Specifies that you want to enable enhancement features for PPP. This can cause problems if you connect to a Server running outdated PPP software. Selected by Default

The Security Tab specifies the authentication and encryption method you want to use. The options are:

1. Accept any Authentication Including Clear Text - Specifies that the Client can specify any authentication that is requested by the Server, including no authentication (which could happen if you are connecting to a non-Microsoft Server)
2. Accept Only Encrypted Authentication - Specifies that you can authenticate with any encryption method except PAP. This is more secure than the previous option
3. Accept Only Microsoft Encrypted Authentication - Specifies that you want to use the MS-Chap encryption method to authenticate. This assumes that you will connect to a Microsoft Server. This is THE MOST SECURE AUTHENTICATION METHOD AND ALLOWS YOU THE OPTION OF ENCRYPTING ANY DATA THAT IS SENT. This also allows use of data encryption and current usernames and passwords. Selected by Default

When collecting data, you should first try to create a measurement for an environment with no-load, or as little load as possible. New Baselines should be established after major hardware and software configuration changes.

By default Network Monitor IS NOT INSTALLED. Install it through Control Panel>Network>Services, then add the Network Monitor Tools and Agent. Once Network Monitor is installed you can use it too:

1. Collect Data - To collect Data, access the Network Monitor through Administrative Tools (Common)>Network Monitor. To initiate a data capture, Capture>Start, then Capture>Stop
2. Present Data - The Main screen presents data through 4 summary panes:

1. %Network Utilization
2. Frames per Second
3. Bytes per Second
4. Broadcasts per Second
5. Multicasts per Second

1. Data Filtering - can be configured on:

1. Specific Protocol
2. Specific MAC (media access control) address
3. Protocol Property

Generated when NT encounters a fatal system error (basically a crash)

To create a DUMP FILE you must have a paging file on the boot partition that is at least 1MB larger than the amount of RAM installed on the NT Server

Advanced Troubleshooting can be accomplished through the Kernel Debugger. Used when you are dealing with MS Tech Support to help ID and resolve problems that are occurring on your NT Server. The most common way to connect to Microsoft is through RAS

Content created and copyright Ó 1998-1999, by David L. Woodall, all Rights Reserved