Windows NT Minimum Hardware Requirements
Workstation - 486DX/33, 12MB RAM (16MB recommended on x86 and required on RISC), 110MB free disk space.
Server - 486DX/33, 16MB RAM, 125MB free disk space.

Server Benefits
Supports BackOffice products. Tuned for file and print and for applications. Supports 256 inbound RAS connections. Fault tolerance. IIS.
User Mode
Applications and the subsystems run in user mode: low priority, no direct hardware access, and an assigned address space.

Kernel Mode
The NT Executive runs in kernel mode to protect it from user applications. It has full memory and hardware access. The Windows Executive consists of the Executive Services, the MicroKernel and the HAL.
Executive Services - Consists of the managers and the device drivers. The managers handle I/O, objects, security, processes, IPC, virtual memory and graphics management. Device drivers control access to hardware.
MicroKernel - Thread scheduling and interrupt handling.
HAL - Separates NT from the different hardware interfaces to make NT more portable.

Memory and Virtual Memory
NT can access up to 4GB of RAM. NT maps memory in 4KB blocks called pages. The Virtual Memory Manager intercepts requests sent to memory and checks for enough free pages in RAM. If there are not enough pages, pages that have not been accessed in a while are moved to the hard drive for storage, in a file called pagefile.sys. The recommended size of the paging file is RAM + 12MB, i.e. in a system with 128MB RAM the page file should be 140MB.

Domains vs. Workgroups
Domains require an NT Server to be a domain controller and to house the account database for all users and computers in the domain. Domains give you the advantage of centralized management of resources and security: one logon provides access to all resources in the domain. Workgroups require no domain controller and are good for small numbers of computers (10 or less).

Logon Process
Windows NT requires a mandatory logon to use the system. The Local Security Authority (LSA) passes the username and password information to the domain controller. The domain controller's Security Accounts Manager (SAM) verifies the username and password against its database, and if approved the result is passed back to the LSA. The LSA then creates an access token with the granted access rights.
This token is used to access all resources during this logon, which saves the user from being constantly re-authenticated.

Computer Accounts
All computers accessing a domain must have a computer account in that domain. The account can be created through the Server Manager tool, or a system being built can join the domain during the install if proper administrative rights are supplied.

Installing NT
Before installing Windows NT, check that all of your system's hardware is on the Hardware Compatibility List (HCL). Windows NT uses a System Partition and a Boot Partition. These can be on the same partition or on different partitions. The Boot Partition contains the system files. The System Partition is the one you boot from. (Makes sense, huh? You park in a driveway and drive on a parkway.)

File Systems
FAT (File Allocation Table) - Supported by Windows 95, NT, MS-DOS and OS/2. It is necessary to use FAT on the system partition in order to dual boot (run two OSs). NT does not support FAT32. FAT partitions can be converted to NTFS by running Convert.exe.
NTFS (NT File System) - Only supported by Windows NT. NTFS is more secure and allows you to apply security down to the file level. Any other OS running on the same physical system will not be able to access the NTFS drives; any OS coming in remotely will be able to access NTFS. During an install you can choose either NTFS or FAT. The Setup program formats the partition as FAT regardless and later converts it to NTFS if that is what you chose. FAT has a maximum partition size of 4GB, so you will only be able to create a 4GB partition during the install. You can get around this by putting the drive as a second drive in another system running NT and formatting a partition larger than 4GB there.

Server Roles
There are three types of server in a domain environment.
Primary Domain Controller (PDC) - Maintains the master copy of the directory database. Authenticates users. This is the first server in a domain.
It is required and there can only be one in a domain.
Backup Domain Controller (BDC) - Contains a copy of the account database. Authenticates users. Acts as a backup in case the PDC fails and helps to load balance authentication. In the event of a PDC failure, the BDC can be promoted to a PDC.
Member Server - Used for applications and for file and print servers. Can be a member of a workgroup or a domain. It can never be promoted to a BDC or PDC without a total rebuild.

Security Identifiers (SIDs)
All computers in a domain are issued a SID. This is NT's method of ensuring that you belong in the domain; a computer without a SID from that domain will be denied access. The PDC and BDCs all share the same SID. For this reason you cannot move a PDC or a BDC to another domain without a total reinstall. A member server or workstation, however, can be moved to a new domain and will be issued a new SID from the new domain. To change the name of a domain, first change the name on the PDC. This will issue a new domain SID. Then change the domain on all of the domain members.

Licensing
Windows NT has two licensing modes: Per Server or Per Seat. You will need to choose one during the install of the Server.
Per Server - One Client Access License (CAL) is needed for each concurrent connection to a server, i.e. if you want ten clients to connect to Server A at the same time, you will need 10 client licenses for Server A. If you want the same ten people to be connected to Server B at the same time, you will need ten more client licenses.
Per Seat - One CAL is required for each client. The client then has the option to access all of the servers in the organization.
It is possible to do a one-time conversion from Per Server to Per Seat licensing.
Installation
Windows NT comes with a CD and 3 floppy disks. There are four setup options: Typical, Portable, Compact and Custom. After booting with the 3 floppy disks, the setup application that runs is winnt.exe or winnt32.exe. Winnt.exe is used from 16-bit operating systems such as DOS or Windows 95. Winnt32.exe is used from 32-bit operating systems such as NT, to upgrade or reinstall.
Some switches to be aware of are:
/ox - Causes winnt.exe not to install but only to create the three boot disks.
/b - Installs without the use of the three boot disks. Good for network installs or bootable CD-ROMs.
/u - Unattended install.
/udf - Unattended install with a Uniqueness Database File.
There are several other switches that you can see by running winnt.exe /?, but these are the most common.

Unattended Installs
By running winnt or winnt32 with the /u or /udf switch you can perform an unattended install. You create an unattended.txt file with answers to the questions that are asked during setup. You can create answer files for different locations so you can choose different answers. These answer files can be further customized with Uniqueness Database Files (UDFs), which contain user and computer names. These are strictly text files that can be modified with any text editor. You can use Sysdiff.exe to automate the install of applications. My recommendation is to bag the whole unattended install and purchase Ghost cloning software from www.ghostsoft.com.

Windows NT Registry
The easiest and safest method of making registry changes is through the Control Panel. The registry can also be edited directly using Regedit and Regedt32. Both of these tools make changes that take immediate effect on the registry. The Registry is divided into 5 subtrees:
HKEY_LOCAL_MACHINE - Configuration data for the local computer, used by applications, drivers and the OS. Part of this data tells the OS which drivers to load at boot.
HKEY_USERS - Two subkeys: .DEFAULT, which contains the default system profile, and the SID of the user currently logged on.
HKEY_CURRENT_USER - Stores information about the user currently logged on and stores a copy in the Profiles folder.
HKEY_CLASSES_ROOT - Contains software configuration data. Provides compatibility with the Win3.1 database.
HKEY_CURRENT_CONFIG - Contains data about the active hardware profile.
Policies
A system policy is a set of registry settings that overwrite the local machine and current user registry keys. Upon logging on to the domain, the system checks the NetLogon share for a policy file. This file is called ntconfig.pol for NT clients or config.pol for 95 clients.
1) If user changes are specified for that user, these changes merge into the current user portion of the registry.
2) If there is no policy for that user but there is for groups that user belongs to, these are merged into the registry in order of priority. Then the default user policy is merged in.
3) If there are no user or group policies for that user, the default system policy is merged into the current user portion of the registry.
4) If a system policy is defined for the computer, it is merged into the local computer portion of the registry. If not, the default computer policy is merged in.

Partitions
Primary Partitions - A partition that can be used by the system to start up the computer. You may have up to four primary partitions, or three if you have an extended partition. Primary partitions cannot be broken down further. Multiple primary partitions allow you to isolate OSs. To dual boot NT with DOS or 9.x, the primary partition must be FAT. The Windows NT partition must be a primary partition.
Extended Partitions - Used to get around the four-partition limit. You are only allowed one extended partition, so use all remaining space after your primaries. Extended partitions are then broken up into logical drives for use.
Volume Sets - 2 to 32 areas of free space on one or more physical drives combined to make one large logical drive. This can be used to combine space from SCSI, IDE and ESDI disks all into one logical drive. Data is written to the first disk until it is full, then to the second disk and so on. Volume sets do not provide any fault tolerance: if a volume set spans 10 physical disks and you lose one, you lose all data in the volume set. Boot and system partitions cannot reside on a volume set.
An NTFS volume set can be extended to add additional space without losing any data. A FAT volume set has to be converted to NTFS to be extended without losing data.
Stripe Sets - Stripe sets also combine unformatted areas of space into one large drive. Stripe sets need at least two physical drives and can have as many as 32. Stripe sets can also combine space from SCSI, IDE and ESDI disks all into one logical drive. With stripe sets, NT breaks the data up into 64K blocks and writes a block to one drive, then the next, and so on. Concurrent I/O operations can take place, allowing stripe sets to be faster than volume sets. Stripe sets do not provide any fault tolerance: if a stripe set spans 10 physical disks and you lose one, you lose all data in the stripe set. Boot and system partitions cannot reside on a stripe set. Stripe and volume sets are created from within Disk Administrator.

Partition Numbering
Primary partitions are numbered first, then logical drives. If another primary partition is created, it is given the next number after the last primary and the logical drives in the extended partition are renumbered. Windows NT uses a file called boot.ini to find the boot partition when starting up. If the boot partition was on an extended partition that was renumbered because a primary partition was added, boot.ini must be manually changed to reflect this.

Fault Tolerance
Software RAID - Windows NT Server supports a form of fault tolerance called Redundant Array of Inexpensive Disks (RAID). NT Server supports 2 levels of fault tolerance; NT Workstation does not support fault tolerance.
RAID 1 Disk Mirroring - Uses the NT fault tolerant driver (ftdisk.sys) to write to two physical disks at the same time. The boot and system partitions can reside on a mirror set. You will lose write performance, as you are writing to two disks consecutively, but you will gain read performance, as you read from both disks simultaneously. If one drive in a mirror fails, the system will keep functioning.
If you mirror two 4GB drives you will have 4GB of storage space, which can get expensive hardware-wise. To recover from a disk failure, go to Disk Administrator and choose Break Mirror from the Fault Tolerance menu. Replace the disk, or choose space from another disk, and choose Recreate Mirror.
Disk Duplexing - Also falls under the RAID 1 category. This is the same as mirroring except that each disk has its own disk controller.
RAID 5 Stripe Sets with Parity - You need 3 to 32 disks to make up a stripe set with parity. As with stripe sets, the data is written to the disks in 64K blocks. Data is written to each disk in sequence: one block is written to the first disk, the next block to the second disk, and so on. For every write, some calculations are performed to give us our parity information. This parity information allows NT to recreate data in the event of a disk failure. The parity information is written across all disks in the array, which gives the ability to recreate data in the event of a disk loss. Example: you have a 10-physical-disk RAID 5 array and one of the disks dies. You can replace the failed disk, go to Disk Administrator and choose regenerate stripe set from the Fault Tolerance menu, and NT will do the calculation from the parity information on the other 9 disks and recreate your data. The boot and system partitions may not reside on a stripe set. You will lose some write performance, as the parity calculations have to be done for each write. In a 5-disk RAID 5 array you will be able to have 4 disks' worth of data and one disk's worth of parity information. The parity information takes up 1/5 of each disk rather than all being on one disk. In an 8-disk RAID 5 array you will have 7 disks' worth of data (see the pattern). You can recover from the loss of one disk, but if you lose 2 or more disks you cannot recover (hope you had a good backup). Remember: one can be done, two and you're screwed.
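The stripe set with parity described above, as an added simulation that is not from the original page: a 3 to 32 disk array with rotating parity, regeneration after one lost disk, and the two-lost-disks case. The page does not name the parity calculation; this uses XOR, which is what RAID 5 parity is, with a constructed 4-byte block standing in for NT's 64K block.

```python
from functools import reduce
from operator import xor

BLOCK = 4  # constructed stand-in for NT's 64K stripe block; keeps the arrays small

# Constructed sample payload; it is padded to the array's capacity on write.
SAMPLE = b"Windows NT stripe set with parity demo"


def xor_blocks(blocks):
    """XOR equal-length byte strings together; this is the parity calculation."""
    return bytes(reduce(xor, col) for col in zip(*blocks))


class StripeSetWithParity:
    """An in-memory RAID 5 array: n disks, each holding one block per stripe."""

    def __init__(self, n_disks, n_stripes):
        if not 3 <= n_disks <= 32:
            raise ValueError("a stripe set with parity needs 3 to 32 disks")
        self.n = n_disks
        self.stripes = n_stripes
        # disks[d][s] is disk d's block in stripe s; a failed disk holds None.
        self.disks = [[bytes(BLOCK)] * n_stripes for _ in range(n_disks)]

    def parity_disk(self, stripe):
        """Parity rotates across the disks, so it takes 1/n of each disk."""
        return stripe % self.n

    def capacity_blocks(self):
        """n disks hold n-1 disks' worth of data."""
        return (self.n - 1) * self.stripes

    def write(self, data):
        """Write data one block per disk in sequence, then each stripe's parity."""
        size = self.capacity_blocks() * BLOCK
        if len(data) > size:
            raise ValueError("data exceeds the array's capacity")
        padded = data.ljust(size, b"\0")
        chunks = iter(padded[i:i + BLOCK] for i in range(0, size, BLOCK))
        for s in range(self.stripes):
            pd = self.parity_disk(s)
            for d in range(self.n):
                if d != pd:
                    self.disks[d][s] = next(chunks)
            self.disks[pd][s] = xor_blocks(
                [self.disks[d][s] for d in range(self.n) if d != pd])

    def read(self):
        """Read the data blocks back in write order, skipping parity blocks."""
        out = []
        for s in range(self.stripes):
            pd = self.parity_disk(s)
            for d in range(self.n):
                if d == pd:
                    continue
                if self.disks[d][s] is None:
                    raise IOError(f"disk {d} failed and has not been regenerated")
                out.append(self.disks[d][s])
        return b"".join(out)

    def fail_disk(self, d):
        """Simulate losing a whole physical disk."""
        self.disks[d] = [None] * self.stripes

    def regenerate(self):
        """Disk Administrator's regenerate: rebuild a single lost disk from the rest."""
        failed = [d for d in range(self.n) if self.disks[d][0] is None]
        if not failed:
            return
        if len(failed) > 1:
            raise IOError("two or more disks lost: parity cannot recreate the data")
        f = failed[0]
        # In every stripe the XOR of all n blocks is zero, so the missing block
        # (data or parity alike) is the XOR of the other n-1 blocks.
        self.disks[f] = [xor_blocks([self.disks[d][s] for d in range(self.n) if d != f])
                         for s in range(self.stripes)]

    def parity_blocks_per_disk(self):
        """How many of each disk's blocks hold parity (stripes / n when it divides)."""
        return [sum(1 for s in range(self.stripes) if self.parity_disk(s) == d)
                for d in range(self.n)]


def demo(n_disks=5, n_stripes=5):
    """Lose one disk and regenerate, then lose two more; report what happened."""
    arr = StripeSetWithParity(n_disks, n_stripes)
    arr.write(SAMPLE)
    arr.fail_disk(2)
    arr.regenerate()
    one_lost_recovered = arr.read() == SAMPLE.ljust(arr.capacity_blocks() * BLOCK, b"\0")
    arr.fail_disk(0)
    arr.fail_disk(3)
    try:
        arr.regenerate()
        two_lost_recoverable = True
    except IOError:
        two_lost_recoverable = False
    return arr.capacity_blocks(), one_lost_recovered, two_lost_recoverable


if __name__ == "__main__":
    print(demo())  # (20, True, False) for the 5-disk, 5-stripe default
```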
Hardware RAID - This is independent of the operating system. Vendors offer hardware with array controllers that handle writing the data to the disks. This method is quicker because the OS does not need to get involved, but it is also more expensive.

Networking
Dynamic Host Configuration Protocol (DHCP) automatically assigns TCP/IP addresses and configuration information to client computers. The client requests an IP address from the DHCP server at startup. The DHCP server chooses an IP address from a pool and offers it to the client, along with the subnet mask, default gateway and many other optional items. If the client accepts the offer, the IP address is leased for a specified period of time. A DHCP server must have a static IP address. A scope is set up, which is a range of valid IP addresses that a DHCP server can assign. If you have multiple DHCP servers, they must each have a unique scope to avoid assigning duplicate IP addresses. You can have multiple scopes on a DHCP server. For redundancy, you should share part of your scope with another DHCP server. Example: you have the subnet 222.222.222.x. You can give a scope of 222.222.222.1 to 222.222.222.188 to your primary DHCP server and a scope of 222.222.222.189 to 222.222.222.254 to a secondary server. This allows clients to obtain a lease if the primary DHCP server is down but avoids the leasing of duplicate IP addresses. Microsoft's recommendation is to have 75% of the addresses in the primary and 25% in the secondary. DHCP can also hand out many other pieces of information, including routers, DNS servers and WINS servers. These can be configured on a global level, scope level or client level.
Windows Internet Name Service (WINS)
WINS is responsible for resolving NetBIOS names to IP addresses. When a WINS client boots up it announces itself to the WINS server. The WINS server stores the name and IP address of the client in its database to hand out on future requests. This enables you to connect to a server named Appsserver by name instead of having to remember Appsserver's IP address. The WINS database is dynamic.

Domain Name System (DNS)
DNS is responsible for resolving Fully Qualified Domain Names (FQDNs) to IP addresses. DNS is static and all entries must be manually added. DNS enables you to connect to www.CERTguide.com instead of having to remember 24.128.102.7. DNS allows connection to the Internet using Internet naming standards.

Computer Browser Service
Windows NT uses a browse list to store all of the NetBIOS names of computers on the network. The PDC of a domain is the domain master browser and collects the information for the browse list. This information is handed to the master browser; there is one master browser in each subnet. The master browser distributes the browse list to the backup browsers, which distribute the list to the clients when requested. To ensure that there is only one master browser per subnet, an election is held when one cannot be located. An election packet is passed around and examined by each system to see if it is the most qualified. Qualifications include OS (NT Server, then NT Workstation, then Win9x, then Win3.x), OS version (NT4, then NT3.51) and browser configuration (Browser, Potential Browser, Non Browser). Browser configuration is set in the registry under:
\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\MaintainServerList
Values are:
Yes - Attempt to become a browser. Default for domain controllers.
No - Never participate in an election.
Auto - Participate in the election to see if most qualified. Default for member servers and workstations.

Remote Access Service (RAS)
RAS allows remote connection to the network by use of a phone line.
Serial Line Internet Protocol (SLIP) - Uses TCP/IP connections over serial lines. SLIP requires a static IP address and cannot use DHCP or WINS. No support for IPX/SPX or NetBEUI. Passwords are transmitted as clear text.
Point to Point Protocol (PPP) - An enhancement to SLIP. Supports TCP/IP, IPX/SPX and NetBEUI. Can automatically assign IP addresses.
Multilink - Combines multiple physical lines to increase bandwidth. Both the client and the RAS server need to have the multilink protocol enabled.
Point to Point Tunneling Protocol (PPTP) - Can transfer IP, IPX or NetBEUI PPP packets over a TCP/IP network. This protocol allows the use of the Internet as a virtual private network.
Callback Security - Requires the RAS server to call the client back, either at a specified number or at a number the client puts in.
RAS supports NetBEUI, TCP/IP and IPX/SPX. TCP/IP addresses can be assigned either using DHCP or from a static pool.

NetWare Connectivity
NWLink - Microsoft's rendition of IPX/SPX. Allows Microsoft clients to access NetWare resources and NetWare clients to access NT resources. NWLink alone allows you to connect to applications running on a NetWare server.
Client Services for NetWare (CSNW) - Allows NT clients to make direct connections to NetWare file and print servers.
Gateway Services for NetWare (GSNW) - Used for occasional access to a NetWare server by a Microsoft client. The NT server connects to the NetWare file server and shares a directory. Microsoft clients can then access the share on the server running GSNW. This avoids having to install CSNW on all of the clients.
1) Set up a user account on the NetWare server with the same name and password as the NT server running GSNW.

Boot Process
Files required to boot Windows NT:
Ntldr - Loads the operating system. NT changes the boot sector so that Ntldr loads at startup.
Boot.ini - Builds the operating system selection menu.
Bootsect.dos - Called by Ntldr if you choose to load an alternate OS (DOS, Win95, IBM OS/2 v1).
NTdetect.com - Inventories hardware and passes the list to Ntldr.
Ntbootdd.sys (SCSI with BIOS disabled only) - Accesses SCSI devices during boot.
Ntoskrnl.exe - The NT kernel, located in systemroot\system32.
System - Contains system configuration settings; controls which drivers and services are loaded.
Device Drivers - Support for various devices, such as ftdisk and scsidisk.
Hal.dll - The Hardware Abstraction Layer protects the kernel and the NT Executive from platform-specific hardware differences.

Common Boot Errors
"Boot: Couldn't find Ntldr" - Ntldr is missing.
"NTdetect failed" - NTdetect.com is missing.
"The following file is missing or corrupt: Ntoskrnl.exe" - Ntoskrnl.exe is missing or boot.ini is pointing to the wrong drive.
The Emergency Repair Disk will remedy all of these problems.

Advanced RISC Computing (ARC) Paths
Windows NT creates a file called boot.ini when it is installed. This file is located on the system partition and points NTLDR to the location of the operating system files. Example: multi(0)disk(0)rdisk(1)partition(2)
multi/scsi - Identifies the disk controller. scsi indicates that the SCSI BIOS is not enabled. Everything else uses multi, including SCSI with the BIOS enabled. (x) is the ordinal number of the hardware adapter: if there are two SCSI controllers, the first will be (0) and the second will be (1).
disk(x) - SCSI bus number. Always set to 0 for multi. Only used with scsi.
rdisk(x) - Ordinal number of the disk. Only used with multi.
partition(x) - Ordinal number of the partition.
All of the above are numbered starting with (0) except partition, which starts numbering with (1).

Creating a Boot Disk
1) Make sure you format a floppy on an NT system.
2) Edit the boot.ini to reflect the proper ARC path if necessary.
3) Copy the following files to the floppy: Ntldr, NTdetect.com, Boot.ini, and Ntbootdd.sys (for SCSI systems with the BIOS disabled).

Last Known Good Configuration
Every time a user successfully logs on to a computer, the HKEY_LOCAL_MACHINE registry is copied to the Last Known Good configuration. If you install a video driver or a SCSI driver, etc., and NT crashes, shut it off and back on and press the space bar at boot to get to the Last Known Good configuration. Once you log on again the configuration will be overwritten.

Emergency Repair Disk (ERD)
You should create an ERD when installing NT and update it any time you make changes to the OS. You must be an administrator or power user to create an ERD, and the user creating the ERD must have permissions to the systemroot\Repair folder. Run rdisk.exe to create the ERD. You must run rdisk /s to include the SAM and security information.

Repair Process
1) Boot from the three setup floppies; the ERD is not bootable.
2) Select repair a damaged installation instead of installing.
3) You will be prompted for the repair disk. You will have four choices to repair:
Inspect Registry files - Replaces registry files with the files from the disk. Any system changes since the disk was updated will be lost.

Diagnostic Tools
Event Viewer - View event log messages sent by the OS and applications.

User Accounts
There are two built-in accounts: Guest and Administrator.
Guest - The Guest account is for individuals to whom you want to give occasional access to the local computer. It is disabled by default.
Administrator - The Administrator account is used to manage the overall computer and domain configuration.
In addition to these built-in accounts, you can create accounts with the appropriate permissions that they need. Domain user accounts are created with User Manager for Domains. The account is created in the master directory on the Primary Domain Controller (PDC). A copy of this directory is stored on all Backup Domain Controllers (BDCs). These changes may take a few minutes to get to all of the BDCs, preventing logon to the new account until then. After making changes, you may choose to manually sync the database by using Server Manager or by typing net accounts /sync at the command prompt. Local user accounts can be created on a member server or workstation and allow local access to that computer. Domain user accounts can be created from workstations or 9.x boxes if you have the administrative tools installed. All usernames must be unique and may contain up to 20 characters. You may restrict a user's logon hours and the systems they are able to log on to. You may also assign a user a home directory and grant dialin permissions. Each username is assigned a unique security identifier (SID). This is what stores the user's rights and permissions in the directory. If you delete a user account and recreate one with the same name, it will have a different SID and will not hold the same rights and permissions. If you rename an account, however, it will keep the same SID and will have identical permissions. If Jack leaves the office and Jill starts, rename Jack's account if you want Jill to have the same access.
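The ARC path syntax and the boot.ini file explained under the boot process above, as an added example that is not from the original page: a parser that applies the stated numbering rules (disk() is always 0 with multi, partition() starts at 1) and reads a boot.ini to check that the default entry matches a menu line. The sample boot.ini, its labels and options are constructed; the ARC path in it is the page's own example.

```python
import re

# An ARC path is controller(x)disk(x)rdisk(x)partition(x), optionally followed by \directory.
ARC_RE = re.compile(
    r"^(?P<ctrl>multi|scsi)\((?P<adapter>\d+)\)"
    r"disk\((?P<disk>\d+)\)"
    r"rdisk\((?P<rdisk>\d+)\)"
    r"partition\((?P<partition>\d+)\)"
    r"(?P<path>\\.*)?$",
    re.IGNORECASE,
)

# Constructed sample boot.ini (labels and options are made up for the example).
SAMPLE_BOOT_INI = r"""
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(1)partition(2)\WINNT
[operating systems]
multi(0)disk(0)rdisk(1)partition(2)\WINNT="Windows NT Server Version 4.00"
multi(0)disk(0)rdisk(1)partition(2)\WINNT="Windows NT Server Version 4.00 [VGA mode]" /basevideo /sos
C:\="MS-DOS"
"""


def parse_arc_path(arc):
    """Split an ARC path into its fields and apply the page's numbering rules."""
    m = ARC_RE.match(arc.strip())
    if not m:
        raise ValueError(f"not an ARC path: {arc!r}")
    fields = {k: int(m.group(k)) for k in ("adapter", "disk", "rdisk", "partition")}
    fields["controller"] = m.group("ctrl").lower()
    fields["path"] = m.group("path") or ""
    if fields["partition"] < 1:
        raise ValueError("partition() numbering starts at 1, not 0")
    if fields["controller"] == "multi" and fields["disk"] != 0:
        raise ValueError("disk() is always 0 when the controller is multi")
    return fields


def is_valid_arc_path(arc):
    try:
        parse_arc_path(arc)
        return True
    except ValueError:
        return False


def describe(arc):
    """Plain-English reading of an ARC path, using the field meanings given above."""
    f = parse_arc_path(arc)
    if f["controller"] == "multi":
        where = f"adapter {f['adapter']} (BIOS enabled), disk ordinal {f['rdisk']}"
    else:
        where = (f"SCSI adapter {f['adapter']} (BIOS disabled, needs Ntbootdd.sys), "
                 f"bus {f['disk']}")
    return f"{where}, partition {f['partition']}, directory {f['path'] or '(none)'}"


def parse_boot_ini(text):
    """Return (default path, menu entries) for a boot.ini.

    Each entry is {"path", "label", "options", "arc"}; "arc" is None for an
    alternate OS line such as C:\\, which Ntldr hands to Bootsect.dos instead.
    A malformed ARC entry raises, as does a default with no matching menu line.
    """
    section, default, entries = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if section == "boot loader" and key.lower() == "default":
            default = value
        elif section == "operating systems":
            # The label is the quoted string; anything after the closing quote is options.
            if value.startswith('"') and value.count('"') >= 2:
                label, _, options = value[1:].partition('"')
            else:
                label, options = value, ""
            is_arc = key.lower().startswith(("multi(", "scsi("))
            entries.append({
                "path": key,
                "label": label,
                "options": options.strip(),
                "arc": parse_arc_path(key) if is_arc else None,
            })
    if default is not None and not any(e["path"] == default for e in entries):
        raise ValueError(f"default {default!r} has no matching [operating systems] line")
    return default, entries


if __name__ == "__main__":
    print(describe("multi(0)disk(0)rdisk(1)partition(2)"))
    for entry in parse_boot_ini(SAMPLE_BOOT_INI)[1]:
        print(entry["path"], "->", entry["label"], entry["options"])
```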
Roaming Profiles
Roaming profiles are stored on a server so a user can see his or her desktop wherever they log on.
Personal Profiles - Assign a profile to each user that they can update. The updated copy remains on the server so their settings follow them.
Mandatory Profiles - Can be assigned to many users so an administrator only has to update one profile. Users will not be able to update a mandatory profile and will be forced to use the same desktop settings each time they log on.

Groups
Users can be assigned to a group. A group is a collection of users that you can assign rights and permissions to. Any member added to the group automatically inherits the rights and permissions of the group. Only users with administrative rights can create groups. Groups are created from within User Manager for Domains. NT uses two types of groups: Global and Local.
Local - Local groups are given rights to a task or permissions to resources. Local groups can include global groups or individual user accounts from any domain that has the appropriate trust set up. Local groups on a domain controller can be given rights or permissions to any domain controller within the domain.
Global - Global groups are used to organize user accounts. A global group can only include users from its own domain and cannot include other groups. Global groups are created on the PDC in the domain where the account resides. Global groups are added to local groups to give permissions or rights to the users.
AGLP - This is how Microsoft recommends assigning permissions. They recommend against assigning permissions to individual user accounts and suggest instead that you put your Accounts into Global groups, then put your global groups into Local groups, and assign the local groups Permissions to resources.
Built-in Groups
Windows NT comes with some global, local and system groups built in. If the built-in group resides on a member server or workstation, it decides what the group members can do on the local system. If the built-in group resides on a domain controller, it decides what its members can do on the domain.
Built-in local groups on all computers running Windows NT:
Users - Can perform tasks that they have been given rights to and access resources that they have been given permissions to.
Administrators - Can perform all administrative tasks.
Guests - Can perform tasks that they have been given rights to and access resources that they have been given permissions to. No permanent changes can be made to the local environment.
Backup Operators - Use NT Backup to back up and restore all computers running Windows NT.
Replicator - To be used by the Directory Replicator service.
Built-in local groups on domain controllers only:
Account Operators - Create, delete and modify users and groups. Cannot modify Administrators or Server Operators.
Server Operators - Share disk resources and back up and restore the server.
Printer Operators - Set up and manage network printers. Print Operators cannot create print queues on a server as they do not have access to modify the local registry on the server.
Built-in global groups on domain controllers only (these groups have no rights by default, only the rights and permissions that are assigned to them):
Domain Users - The Administrator is a member of this group by default. All accounts created on the domain are automatically added to this group.
Domain Admins - Local administrative group. Domain Admins have administrative rights on all domain controllers.
Domain Guests - Contains the Guest account by default. For security reasons, the Guest account should always be disabled.
Built-in system groups (membership in these groups is automatic and cannot be modified):
Everyone - All local and remote users.
Any rights or permissions can be assigned to this group. Unlike the Domain Users group, the Everyone group contains user accounts other than the ones created by an administrator. For this reason, Domain Users should be used instead of the Everyone group when assigning rights or permissions.
Creator Owner - This group includes the owner of a resource. This only comes into use on NTFS volumes.
Network - Any user who is connected to your computer across the network is a member of this group.
Interactive - Any user who logs on locally to a computer is a member of this group.

Creating User Accounts
To create many similar accounts, you should create a template to copy for each new user. If you name the template starting with an underscore (_) or other non-alphabetic character, it will appear at the top of the list. Copying the template copies all account properties except the username and full name, the password, the disabled account setting and any rights and permissions given to the account being copied.

Account Policy
Account Policy determines how passwords are handled, including password age, length and how many passwords are remembered before one can be reused. It also allows you to set an account lockout policy for attempts to log on to an account with an invalid password: you can set the number of attempts allowed before the account is locked. This helps protect against someone trying to hack into your network using password cracking tools. Multiple user accounts can be selected at one time if you need to make a change that affects many users.

Domain Controllers
A domain controller must always be available to authenticate logons. All domains have one PDC. It is recommended to have at least one BDC to provide a backup if the PDC should become unavailable. Having one or more BDCs also helps the PDC with authentication and prevents the PDC from being overloaded. The PDC contains the master copy of the directory database.
This database is replicated to all BDCs in the domain every five minutes. In the event that the PDC is unavailable, the BDCs will still be able to authenticate logons; however, you will be unable to do any account administration. A BDC may be promoted to a PDC using Server Administrator. It is recommended that you promote a BDC to act as the primary domain controller if the PDC is going to be unavailable for a long period of time. When you promote a BDC to become the PDC, the original PDC is automatically demoted to a BDC. Before the actual switch takes place, a current copy of the accounts database is replicated from the PDC to the BDC that will be promoted. When you bring your original PDC back online, you can promote it back to PDC and the acting PDC will be demoted back to a BDC again.
In the event that a PDC goes offline unexpectedly, you can promote a BDC to act as PDC in its absence. When the original PDC is brought back online, it will see that there is already a PDC in the domain and so will not start its NetLogon service. To resolve this, go into Server Manager from the original PDC and you will see an option to demote it to Backup Domain Controller (this is the only instance in which this option is available). After demoting the original PDC to a BDC, go ahead and promote it back to a PDC. This causes the original PDC to synchronize with the acting PDC; then the acting PDC is demoted back to a BDC and the original PDC is promoted back to PDC again. The synchronization ensures that no changes made to the database during the original PDC's absence are lost.
You can manually synchronize a domain by selecting the PDC in Server Manager and choosing Synchronize Entire Domain from the Computer menu. You also have the option of selecting a particular BDC and choosing to synchronize it with the PDC.

Sharing Data
The main reason we have networks is for the sharing of data and printers. Let's take a look at data sharing.
When a folder is shared, permissions are given to users that need to access the folder. The two types of permissions are share level and NTFS permissions.

Share Level Permissions:

By default, the Everyone group is given Full Control when a folder is shared. Share level permissions are only in effect when a folder is accessed over the network. If a user logs on locally, share level permissions have no effect; only NTFS permissions are in effect.

Full Control - Allows the user to change permissions, take ownership of NTFS files, and perform all tasks permitted by Change.
Change - Create folders and add files, manipulate data in files, change file attributes, delete folders and files, and perform all tasks permitted by Read.
Read - Display names of folders and files, display data and attributes of files, run program files, and change to subfolders.
No Access - After connecting to the folder, a permission denied error will occur.

Share level permissions can be applied at the user level or the group level. When a user attempts to access a shared folder, all of the permissions for that user are combined. If a user is in one group with Full Control, one group with Change, and the user himself has Read, the combined permission is the least restrictive one, Full Control. Any time the No Access permission comes into play, whether as a user or group permission, it overrides all other permissions. A user can be in one group with Full Control, one group with No Access, and the user himself can have Change; the effective permission will be No Access, as this overrides all of the other permissions. Always assign the most restrictive permissions you can to a user. You don't want them to be able to do anything more than they need to. The easiest and most efficient way to assign permissions is to do it on a group basis.
If everyone in your accounting department needs certain permissions to several folders, assign the permissions to a group called Accounting. Then, when a new employee joins the accounting team, all you have to do is place this employee's user account in the Accounting group and all of their permissions will be there.

Windows NT shares some folders by default for administrative purposes. Each drive letter is shared at the root as C$, D$, E$, etc. The dollar sign signifies that the share is hidden from the browse list; these default administrative shares are only accessible by users with administrative rights. There is also a share called ADMIN$ which is used by the system for remote administration.

NTFS Permissions:

When a volume is formatted with the NTFS file system, NTFS permissions can be used to secure resources. NTFS permissions allow you to assign permissions at the file level, while share permissions are limited to the folder level. The individual NTFS permissions are as follows:

Read (R) - Display folder or file names, attributes, owners and permissions.
Write (W) - Add files or folders, display folder or file ownership and permissions, create files in a folder or edit data in existing files.
Execute (X) - Display folder or file attributes, display owner and permissions, run executable files.
Delete (D) - Delete a folder or file.
Change Permissions (P) - Change a folder or file's permissions.
Take Ownership (O) - Take ownership of a folder or file.

Applying NTFS Permissions:

Users can be assigned permissions directly or can be put into groups that have permissions assigned. All individual permissions and group permissions are combined to find the user's effective permissions. No Access overrides all other permissions. File permissions take precedence over folder permissions: if you have No Access to a folder but Full Control on a file in that folder, you can still access the file using the full UNC path to that file.

Combining Share and NTFS Permissions:
When figuring permissions, look at share and NTFS separately. Take the least restrictive share permission and the least restrictive NTFS permission. Now take the most restrictive of the two, and that is your effective permission.

Example:
Joe is in the Accounting group and also in the IT group.
Accounting group has Full Control on the share 'RedSox'.
IT group has Read access on the share 'RedSox'.
Joe's cumulative permissions on the share 'RedSox' would be Full Control.
Accounting group has Read NTFS permissions on the directory 'RedSox'.
IT group has Change NTFS permissions on the directory 'RedSox'.
Joe's cumulative NTFS permissions on the directory 'RedSox' are Change.
Now we take the most restrictive of the two results, which is Change. That is the access Joe has when accessing 'RedSox' over the network.

Keep in mind that if Joe is logged on locally to the machine holding the 'RedSox' directory, only NTFS permissions are used and share permissions are disregarded. Share permissions are only used when coming across the network share.

Also keep in mind that if Joe has No Access anywhere, he automatically gets No Access regardless of what other permissions he has elsewhere, with the exception of No Access to a folder but access to a file within the folder, which can be accessed through a UNC path.
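The combination rules above, worked through in code as an added example (not from the original notes). It assumes a mapping of the standard Read / Change / Full Control names onto the individual R W X D P O rights listed in the notes, and models No Access as overriding everything:

```python
# Added example, not from the original notes: a small model of how the notes
# say NT combines share-level and NTFS permissions. The rights letters
# (R W X D P O) are the ones listed above; expanding the standard names
# Read / Change / Full Control into those letters is an assumption made here.

NO_ACCESS = "No Access"

# Standard permission names expanded to individual rights (assumed mapping).
STANDARD = {
    "Read": frozenset("RX"),
    "Change": frozenset("RWXD"),
    "Full Control": frozenset("RWXDPO"),
}

def combine(grants):
    """Combine every grant a user holds on one object (directly or via groups):
    the union of rights (least restrictive) wins, but one No Access grant
    overrides everything. None signals No Access."""
    rights = set()
    for perm in grants:
        if perm == NO_ACCESS:
            return None
        rights |= STANDARD[perm]
    return frozenset(rights)

def effective(share_grants, ntfs_grants, over_network=True):
    """Share and NTFS are combined separately, then the most restrictive of the
    two (their intersection) applies. Logged on locally, only NTFS counts."""
    ntfs = combine(ntfs_grants)
    if ntfs is None or not over_network:
        return ntfs
    share = combine(share_grants)
    return None if share is None else share & ntfs

def name(rights):
    """Translate a rights set back to the notes' permission name."""
    if rights is None:
        return NO_ACCESS
    for label, letters in STANDARD.items():
        if rights == letters:
            return label
    return "".join(sorted(rights)) or NO_ACCESS

if __name__ == "__main__":
    # Joe's case from the notes: Accounting and IT group grants on 'RedSox'.
    share, ntfs = ["Full Control", "Read"], ["Read", "Change"]
    print("over network:", name(effective(share, ntfs)))              # Change
    print("logged on locally:", name(effective(share, ntfs, False)))  # Change
    print("plus a No Access group:", name(effective(share + [NO_ACCESS], ntfs)))  # No Access
```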
By default the Everyone group is given Full Control. This should be removed, or else anyone who is able to log on locally to a system will have Full Control.

Permissions and Moving/Copying Files on NTFS Volumes:

When copying folders or files, either from one partition to another or on the same partition, the permissions are inherited from the target folder. When moving files to another partition, the permissions are inherited from the target folder. When moving files or folders on the same partition, the permissions remain intact. This is the only time permissions are retained and not inherited. One easy way to remember this is: MRS - Move Retains Same (partition). Whenever files are moved or copied to a FAT partition, all permissions are lost, as FAT does not support NTFS permissions.

Network Printing:

First let's define the terms, as they are a little confusing. A printer is the software interface between the application and the print device. A print device is the actual physical piece of hardware that does the printing. A print device can either be attached directly to the print server or can have a NIC and be plugged into the network. By default, the Everyone group is assigned Print permission when a printer is shared. After a printer is shared, NT and 95 clients can simply point to the printer and the drivers will automatically be copied to their system. If a printer driver is updated on the print server, a Windows NT client will automatically update itself the next time a connection is made to the printer. 95 clients will not automatically update but will have to be updated manually. A print pool is one printer (software) connected to several print devices through multiple ports. When a print job is sent, the print server sends it to the next available port. You can set print priorities by creating multiple printers (software) pointing to the same print device. You can set the priority from 1 to 99, with 99 being the highest priority. You can give your favorite executive a 99 priority so their jobs will print ahead of all others. You can also create a printer (software) and give it a time schedule to print. This is good if you have some really big jobs that you want to print off hours.