by Joe Lengyel and Larry Millett
Successful deployment of Microsoft BackOffice requires an active and capable network administrator. On an active network with many users, the necessary administrative tasks can require a lot of time. It is nearly impossible for one person to administer the entire BackOffice family. Successful management of each BackOffice component, including Windows NT Server itself, requires a significant level of expertise and knowledge.
After reading this chapter, you will understand how to perform the duties of a network administrator using the tools provided with Windows NT Server.
The network administrator configures and manages the components of a Windows NT server that enable it to attach to a network and communicate with other devices. The administrator's duties include the following:
Network administrators also usually bear responsibility for establishing an appropriate backup strategy. The actual backups are generally performed by backup operators: less experienced people who are trusted to perform this vital administrative task. Network administrators can also formulate and enforce security policies, although larger organizations usually assign this function to a different person or group.
Network administrators may have duties managing additional software components or services that run on the server. A network administrator is often a Systems Management Server (SMS) administrator as well because SMS can play a pivotal role in automating network administration tasks. A network administrator also could administer other BackOffice components, but this is less common. See Chapter 44, "The Role of the SMS Administrator," for more information.
Furthermore, network administrators typically plan and configure servers, and must be thoroughly familiar with the day-to-day operation and use of Windows NT Server.
Windows NT Server includes a rich set of network-administration and server-management tools. These tools exploit the Windows graphical user interface to make administrative chores simpler to understand and easier to perform. Although some administrative tasks can be performed with command-line utilities, the graphical tools offer equivalent capabilities and are easier to use.
Administrators regularly use seven primary tools, complemented by a handful of tools for occasional use, as follows:
During installation, Windows NT Server automatically adds a folder called Administrative Tools to Programs on the Start menu, which contains the tools discussed in this chapter. Figure 7.1 depicts a sample Administrative Tools group window. This sample includes the standard Administrative Tools icons loaded during a typical installation, plus several additional ones that have been manually placed there for the convenience of the administrator. You can also install these tools on a Windows NT Workstation client from the Windows NT Server media. Some tools can be run from other versions of Windows as well.
FIG. 7.1
The shortcut to the program group Administrative Tools opens a window containing icons for some of the Windows NT Server administrative tools.
Although all versions of Windows can run some of the tools, only the Windows NT versions (Server and Workstation) include all of the capabilities outlined in this chapter. For example, there are versions of Server Manager and User Manager for Domains that can be run on 16-bit Windows platforms. Quite a number of the administrative tools for the BackOffice family of products are available for Windows 95 (e.g., SQL Server), and the current initiative to create an integrated management tool called the Microsoft Management Console (MMC) will target both Windows 95 and Windows NT 4.0 (and later) platforms. With the current versions of some BackOffice products and some Windows NT Server administration tools, you must use a Windows NT Workstation or Windows NT Server system.
Everyone who uses BackOffice needs a user account in one or more Windows NT domains. These accounts are created and managed with a tool called User Manager for Domains (see Figure 7.2).
With User Manager for Domains, you can create user accounts, assign users to groups, and establish security policies.
In addition to user account management, User Manager for Domains supports the following tasks:
Versions of User Manager for Domains are available for all versions of Windows. It can also be run effectively from a remote location over a dial-up phone connection.
You can probably improve response time when running User Manager for Domains remotely by choosing Options, Low Speed Connection. This reduces the frequency with which User Manager for Domains polls the network for new information and therefore improves its responsiveness over a slow link, such as a dial-up phone connection.
NOTE: Windows NT Workstation includes a tool called User Manager (without the "for Domains" designation). This tool enables the creation of local user accounts and groups for use only on the Windows NT computer that is running User Manager. A user who has logged in with such an account will not usually be able to access resources on other computers in a domain. User Manager for Domains is a much more powerful version of User Manager. It creates accounts that can be used on many computers in the same domain or in domains with trust relationships.
You can use the Windows NT Explorer (or the Windows Explorer on Windows 95) to do some of the same things Server Manager does. In particular, Explorer makes it very easy to share directories on a computer's disk drive with other users on a network. The strength of Server Manager is the breadth of different tasks that can be completed with one tool. So although Server Manager isn't the easiest tool to use for sharing directories (e.g., it won't browse directory trees), it can do that job and many others.
Figure 7.3 shows the Server Manager main window. Use Server Manager for the following machine-oriented tasks:
Views can be manipulated in Server Manager to display servers only, workstations only, or both servers and workstations.
The Event Viewer is generally the first tool to use when investigating a problem with a server. Use it to browse the three main logs kept by a Windows NT Server, as follows:
See "Setting Up Auditing," [Ch. 5]
Explorer is familiar to almost anyone who has run any 32-bit version of Windows. It has features especially useful to the administrator because you can use it to create directories on your computer (or on any computer for which you have administrator privileges) and then share these directories with other users or groups on the network.
Print Manager is most often used to manage print queues. However, you can also use Print Manager to share a printer with other network users. Printers can be attached either to a computer or directly to the network cable if they are capable of such an attachment. For example, some of the popular Hewlett-Packard (HP) LaserJet printers are capable of being attached directly to a network with the addition of HP's JetDirect interface card.
Performance Monitor is a powerful tool that can be used for a variety of tasks. First and foremost, it enables you to monitor the activity on a computer so that you can see exactly what resources (disk, memory, processor, or network connections) are being used. You can graph the activity as it occurs (as depicted in Figure 7.4), write the data to a log file for later analysis, or set alerts that will act as alarms if utilization exceeds a particular threshold for a given resource.
The Performance Monitor has the capability of simultaneously plotting multiple variables.
Because of its many capabilities, Performance Monitor can play an important role in troubleshooting performance problems or determining what to add to a particular server to improve its performance. The Windows NT Resource Kit devotes an entire volume to this important tool.
Backup is a utility for making tape backups of your important information. It works with tape devices listed in the Hardware Compatibility List (HCL). You can find the latest HCL on the Microsoft Network, CompuServe, or at www.microsoft.com on the World Wide Web. A copy of the HCL is also included with the Windows NT Server documentation.
Backup enables you to back up not only your data files, but also the registry, which is a hierarchical database of all configuration information for your Windows NT Server. The registry includes the user account database that contains all of your users and groups. In addition, should the need arise, you can use the Backup application to restore information from your tapes to your disk drive. In the event of a total disk failure, you can rebuild your computer with a new disk drive and an appropriate set of tapes.
It is important to use the Backup utility properly to protect yourself against disaster. The process of making backups and tips on creating an appropriate backup regimen are outlined in the section "Developing a Backup Strategy" later in this chapter.
User account management is the most visible activity of a network administrator. All access to Windows NT Server network resources depends on user accounts. Naturally, User Manager for Domains is the tool for most account management tasks. User account management encompasses the following four major tasks (which are covered in detail in the following sections):
A user account security policy can control password length, force users to change their passwords at regular intervals, keep a history of passwords to prevent reuse, and set account lockout options. To define a security policy with User Manager for Domains, perform the following steps:
See "Creating a Security Policy," [Ch. 3]
To create a user account with User Manager for Domains, follow these steps:
NOTE: You cannot see the password or the confirming password as they are entered; you see asterisks instead. This is a security precaution to prevent someone from looking over your shoulder as you type. Because you can't see what you are typing, you must enter the exact same text twice to prevent an accidental keystroke from going unnoticed. Passwords are case sensitive; that is, capitalization matters.
Microsoft recommends disabling unused accounts, not deleting them. A disabled account can be easily reactivated, but a deleted account is gone for good. A new account can be created with the same permissions, but that can be a substantial chore on a large network with many shared resources. Perform the following steps to disable a user account:
Group accounts enable efficient management of security. Although each user may need access to a unique combination of resources, you can identify common needs. For example, accounting personnel might need access to applications, data, and printers on a particular server, whereas marketing personnel need access to different resources.
In this example, you could create one group called Accounting and another called Marketing. You can assign appropriate permissions to the group accounts and then add users to the groups. By assigning a user to the accounting group, you effectively assign that user all permissions held by the group account. If the marketing group should install a new application, you can assign new resource permissions to the marketing group rather than individually to all marketing users.
To create a group with User Manager for Domains, perform the following steps:
TIP: A local group can contain users and groups from the local domain, users from trusted domains, and global groups from trusted domains. A global group can only contain users from the local domain. Use local groups to manage permissions on domain resources. Use global groups to define a set of users who need access to similar resources in other domains.
See "Domains," [Ch. 8]
The user rights policy controls which users can perform certain actions, such as shutting down servers or changing the system time on a computer. Exercise caution when changing Advanced User Rights. They rarely need to be changed. The process is outlined next for those rare occasions when it is necessary. To change user rights, follow these steps:
All applications running under Windows NT, including server applications (for example, SNA Server), run in a particular account context that controls the rights and permissions of the application. Ordinary applications, such as Microsoft Word, can be executed on both Windows NT Workstation and Windows NT Server. If the current user of the computer logs off, all standard applications will be shut down. A special type of application, known as a service, is designed to keep running regardless of who is or is not logged on. Most server-based applications, and all applications in the BackOffice family, are implemented as services.
These services, like standard applications, run in a particular security context. This context may be that of the current user, a special system account, or an account created specifically for this purpose called a service account. Service accounts enable the administrator to explicitly control the security privileges that are assigned to a service.
In a multi-server environment, for example, it is common for one SNA Server to communicate with other SNA Servers. It is a good idea to create a service account (in a master domain if you are using a master domain model) that has permissions on multiple servers in the domain. Most of the services in the BackOffice family default to a Local System account that only has privileges on the single computer running the service. You should strongly consider using service accounts for BackOffice family services, especially if you are using multiple domains.
To create a service account with User Manager for Domains, perform the following steps:
Other aspects of service management are discussed in the "Understanding Services" section later in this chapter.
For a few networks, it can make sense to have a single Guest account that provides unlimited access to all resources. In most cases, however, accounts exist to limit network access. A well-defined security policy includes the following four elements:
Permissions define the ways in which accounts can use resources. Logging records access to resources by accounts.
Directories can be shared with Server Manager or with Explorer. In this section, the techniques for sharing a local directory through Server Manager and using Explorer to create a server-based shared directory on another computer are presented. To share a directory with Server Manager, complete the following steps:
TIP: Hidden administrative share names are automatically created for the root directory of each disk drive when you install Windows NT Server. For example, the root directory of C: has a share name of C$. The dollar sign at the end of the name prevents it from showing up in lists when other users are browsing for shared resources. These automatic share names are given permissions for administrators only.
To share a printer using Print Manager, perform the following steps:
Resource permissions can be assigned to a user account or to a group account. Usually, the best way to assign permissions to a user is to add the user to a group, as discussed earlier in the "Managing Group Accounts" section. To use Explorer for setting access permissions, follow these steps:
For logical drives formatted with NTFS, Windows NT Server enables you to define file and directory permissions that apply to local users. These permissions apply only to NTFS drives: all local users have full access to FAT and HPFS formatted local drives. This is due to the Windows NT discretionary access control built around the NTFS file system. Each file has security information as an attribute. The FAT file system inherited from MS-DOS has no place to store security attributes in its design.
To use Explorer for changing file and directory access permissions, perform the following steps:
NOTE: The permissions shown in Figure 7.16 will affect access rights when a user logs on directly at the keyboard of the computer in question. They will also have an impact on the rights when users connect to that computer over the network. The rights a particular user receives will be the most restrictive combination of rights from the Access Through Share permissions and local Directory permissions. For example, if a user is given Full Control on the Access Through Share permissions, but is given Read access on Directory permissions, the user will have only Read access.
FIG. 7.17
The Directory Permission dialog box displays the access controls applied directly to the files or directories currently selected on an NTFS partition.
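As an added example (not code from the chapter), the following Python models the rule just stated: over the network a user receives the most restrictive combination of the Access Through Share permission and the NTFS Directory permission, while at the keyboard only the NTFS permission applies. The permission names are the standard Windows NT ones; the user and group names in the sample ACLs are constructed, and only the directory half of each NTFS standard permission is modelled.

```python
"""Effective access to a shared NTFS directory on Windows NT 4.

Added example, not the chapter's own code. Over the network, access is the
most restrictive combination of the Access Through Share permission and the
NTFS Directory permission; a local logon is governed by the NTFS permission
alone. Only the directory half of each standard NTFS permission is modelled."""
from typing import Dict, FrozenSet, Iterable, List

# Individual permissions as Explorer's Special Access dialog abbreviates them:
# Read, Write, eXecute, Delete, change Permissions, take Ownership.
R, W, X, D, P, O = "R", "W", "X", "D", "P", "O"
ALL: FrozenSet[str] = frozenset({R, W, X, D, P, O})
NO_ACCESS = "No Access"

# Standard Access Through Share permissions -> individual permissions granted.
SHARE_PERMS: Dict[str, FrozenSet[str]] = {
    "Read": frozenset({R, X}),
    "Change": frozenset({R, W, X, D}),
    "Full Control": ALL,
}
# Standard NTFS Directory permissions (directory part only).
NTFS_PERMS: Dict[str, FrozenSet[str]] = {
    "List": frozenset({R, X}),
    "Read": frozenset({R, X}),
    "Add": frozenset({W, X}),
    "Add & Read": frozenset({R, W, X}),
    "Change": frozenset({R, W, X, D}),
    "Full Control": ALL,
}


def granted(acl: Dict[str, str], principals: Iterable[str],
            table: Dict[str, FrozenSet[str]]) -> FrozenSet[str]:
    """Combine the ACL entries that apply to a user or any of its groups.

    Permissions accumulate across matching entries, except that a No Access
    entry for any matching principal overrides everything else."""
    result = set()
    for principal in principals:
        entry = acl.get(principal)
        if entry is None:
            continue
        if entry == NO_ACCESS:
            return frozenset()
        result |= table[entry]
    return frozenset(result)


def effective_access(user: str, groups: List[str], share_acl: Dict[str, str],
                     ntfs_acl: Dict[str, str], over_network: bool = True) -> FrozenSet[str]:
    """Individual permissions the user ends up with on the directory.
    Groups such as Everyone must be listed in `groups` like any other group."""
    principals = [user, *groups]
    ntfs = granted(ntfs_acl, principals, NTFS_PERMS)
    if not over_network:
        return ntfs          # logged on at the keyboard: the share ACL is not involved
    share = granted(share_acl, principals, SHARE_PERMS)
    return share & ntfs      # most restrictive combination of the two


def describe(perms: FrozenSet[str]) -> str:
    """Name the result with the standard NTFS permission it equals, else spell it out."""
    if not perms:
        return NO_ACCESS
    for name in ("Full Control", "Change", "Add & Read", "Add", "Read"):
        if NTFS_PERMS[name] == perms:
            return name
    return "Special Access (" + "".join(p for p in "RWXDPO" if p in perms) + ")"


if __name__ == "__main__":
    # The chapter's example: Full Control on the share, Read on the directory.
    share = {"Everyone": "Full Control"}
    ntfs = {"Accounting": "Read", "Administrators": "Full Control"}
    print(describe(effective_access("jdoe", ["Accounting", "Everyone"], share, ntfs)))  # Read
    print(describe(effective_access("jdoe", ["Accounting"], share, ntfs, False)))       # Read
    print(describe(effective_access("admin", ["Administrators", "Everyone"], share, ntfs)))  # Full Control
```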
A complete security policy includes logging of account activities. Windows NT Server provides flexible support for auditing the use of domains, files and directories, and printers. The Windows NT Server Event Log service records specified activities in the security log where they can be browsed with Event Viewer.
You can also establish trust relationships with User Manager for Domains. Trust is a one-way relationship: the trusting domain depends on the trusted domain to authenticate users. To implement a two-way trust, create a pair of relationships. You need to be a domain administrator for both domains or work with a domain administrator from another domain to create a trust relationship. You can physically go to the domain controllers involved or perform all actions remotely.
To perform the operation remotely, you must either log on with an account that is a domain administrator for both domains, or use the Connect As feature of File Manager in Windows NT. Log on with a domain administrator account from the first domain, and then from the File Manager menubar, choose Disk, Connect Network Drive to display the Connect Network Drive dialog box. Then in the Shared Directories drop-down list box, select a shared resource (for example, C$) on the primary domain controller of the second domain. In the Connect As box, enter a domain administrator account from the second domain in the form <domain>\<user>. You are prompted to enter the password for this second account. This establishes an administrative account context in the second domain so that you can create the trust relationship.
To create a one-way trust relationship between two domains, complete the following steps:
See "Setting Up Auditing," [Ch. 5]
See "Understanding BackOffice Structures for Organizing Servers," [Ch. 4]
See "Domains," [Ch. 8]
A service is an application running on the server that has the following characteristics:
All the main programs in the BackOffice family are implemented as one or more services. They also include client components and administrative utilities that are implemented as traditional applications. To control services with Server Manager, complete the following steps:
NOTE: Pausing a service enables everyone who is using the service to continue, but no new users are allowed to connect to, or use, the service. Stopping a service disconnects anyone actively using the service and shuts it down.
TIP: Services on a particular computer can also be configured through the Services icon in the Control Panel for that computer.
The performance of an enterprise server has a direct impact on the performance of everybody connected to that server. It's important to take a proactive approach, identifying small issues and potential problems early. Three basic activities are involved in monitoring server performance, as follows:
Windows NT Server enables you to monitor any significant system and application event. The monitoring is configurable. For events that do not necessitate immediate attention, Windows NT Server adds event information to an Event log file and lets you view this audit trail at a later time.
Windows NT records selected user activities and system events in log files. The System log records events generated by the Windows NT system components. The failure of a system component to load during startup, such as the Server service, is recorded in the System log. The Security log records system security events. This helps track modifications to system security and points out any attempted breaches to security. Attempts to log on to the system may be recorded in the Security log, depending on the audit settings in User Manager. The Application log records events generated by applications. For example, a database application might record a data access error. The Event logs list the following three kinds of messages:
The Event Viewer enables you to view and monitor these log files. The Event Viewer is a service that, by default, starts automatically with the system. The Event Viewer startup status can be found in the Services administrator in the Control Panel. It is recommended that you enable the Event log to start and run on its own. It can be a valuable information source when troubleshooting. To use the Event Viewer, follow these steps:
TIP: There are two ways to determine which log file you are viewing: the title bar and the Log menu. The title bar explicitly specifies the log file type, whereas the Log menu places a check mark next to the log file type you are viewing.
FIG. 7.23
The Event Viewer is showing system type activity written to the System log.
- Date: Indicates the date the event occurred. The icon immediately to the left of the date indicates the status of the event when it occurred.
- Time: Indicates the time on the local server that the event occurred.
- Source: Indicates the software that logged the event.
- Category: Shows the classification of the event as it was defined by the source software.
- Event: Indicates a specific number identifying the event.
- User: Indicates a user associated with the event.
- Computer: Indicates the name of the computer where the event occurred.
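These same columns are what an Event Viewer text export (Log, Save As) carries, so a saved log can be reviewed outside the tool. The following Python is an added example, not part of the chapter: it parses a constructed export (the comma-delimited layout Date, Time, Source, Type, Category, Event, User, Computer, Description is an assumption) and flags two conditions this chapter discusses, a burst of Failure Audit logon events for one account and a service that failed to start.

```python
"""Triage an Event Viewer text export (Log, Save As, text file) for two of the
conditions the chapter discusses: repeated failed logons in the Security log
and a service that failed to start in the System log.

Added example, not part of the chapter. Assumed export layout (comma-delimited,
one event per line): Date,Time,Source,Type,Category,Event,User,Computer,Description.
The event lines below are constructed sample data."""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

FIELDS = ["date", "time", "source", "type", "category",
          "event", "user", "computer", "description"]

# Constructed sample: a Security log export followed by a System log export.
SAMPLE_EXPORT = """\
1/15/97,8:02:10 AM,Security,Failure Audit,Logon/Logoff,529,SYSTEM,ACCT-PDC,Logon Failure: Unknown user name or bad password User Name: jdoe Domain: ACCOUNTING
1/15/97,8:02:14 AM,Security,Failure Audit,Logon/Logoff,529,SYSTEM,ACCT-PDC,Logon Failure: Unknown user name or bad password User Name: jdoe Domain: ACCOUNTING
1/15/97,8:02:19 AM,Security,Failure Audit,Logon/Logoff,529,SYSTEM,ACCT-PDC,Logon Failure: Unknown user name or bad password User Name: jdoe Domain: ACCOUNTING
1/15/97,8:02:25 AM,Security,Success Audit,Logon/Logoff,528,jdoe,ACCT-PDC,Successful Logon User Name: jdoe Domain: ACCOUNTING
1/15/97,9:40:01 AM,Security,Failure Audit,Logon/Logoff,529,SYSTEM,ACCT-PDC,Logon Failure: Unknown user name or bad password User Name: msmith Domain: ACCOUNTING
1/15/97,7:55:03 AM,Service Control Manager,Error,None,7000,N/A,ACCT-PDC,"The Server service failed to start due to the following error: The system cannot find the file specified."
1/15/97,7:55:30 AM,Srv,Information,None,2013,N/A,ACCT-PDC,The C: disk is at or near capacity.
"""

ACCOUNT_RE = re.compile(r"User Name:\s*(\S+)")


def parse_export(text: str) -> List[Dict]:
    """Parse the export into one dict per event, adding a datetime under 'when'."""
    events = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        row["when"] = datetime.strptime(f"{row['date']} {row['time']}",
                                        "%m/%d/%y %I:%M:%S %p")
        events.append(row)
    return events


def account_of(event: Dict) -> str:
    """Logon audits are logged under SYSTEM; the account that was tried is in
    the description, so prefer that and fall back to the User column."""
    match = ACCOUNT_RE.search(event["description"])
    return match.group(1) if match else event["user"]


def repeated_logon_failures(events: List[Dict], threshold: int = 3,
                            window: timedelta = timedelta(minutes=5)) -> Dict[Tuple[str, str], int]:
    """Accounts with at least `threshold` Failure Audit logon events on one
    computer inside any span of `window`; the value is the largest such burst."""
    times = defaultdict(list)
    for e in events:
        if e["type"] == "Failure Audit" and e["category"] == "Logon/Logoff":
            times[(e["computer"], account_of(e))].append(e["when"])
    flagged: Dict[Tuple[str, str], int] = {}
    for key, stamps in times.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over sorted times
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[key] = max(flagged.get(key, 0), end - start + 1)
    return flagged


def service_start_failures(events: List[Dict]) -> List[Tuple[datetime, str]]:
    """Error entries written by the Service Control Manager (a service that
    did not start), oldest first."""
    hits = [(e["when"], e["description"]) for e in events
            if e["type"] == "Error" and e["source"] == "Service Control Manager"]
    return sorted(hits)


if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    for (computer, account), count in repeated_logon_failures(parsed).items():
        print(f"{computer}: {count} failed logons for {account} within 5 minutes")
    for when, text in service_start_failures(parsed):
        print(f"{when:%m/%d/%y %H:%M:%S} service start failure: {text}")
```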
Troubleshooting: A message tells me that a service won't start. Use the Control Panel Services icon and try to manually start the service. Sometimes you get additional information about why the service won't start, which can aid problem resolution.
Managing Event Logs
The Event Viewer is somewhat configurable. Controlling the size of a log file is useful if you have limited system resources. The log wrapper instructs Windows NT on a course of action should an event log be filled. To adjust the settings for a log file, perform the following tasks:
Clearing and Saving Log Files
The Event logs available in the Event Viewer can be archived for future use. You may find this useful for future troubleshooting or verification. The log can be saved as a text file or in a file format native to the Event Viewer. The latter format enables you to view the file directly with the Event Viewer.
Archiving the log saves the entire log. There are two methods of saving an event log: You can choose Log, Save As in the Event Viewer, or you can save the log automatically when prompted after choosing Log, Clear All Events to clear an event log as detailed in the next procedure.
To clear the log file, perform the following tasks:
Viewing Remote Log Files
Windows NT Server enables you to look at the event log for a user's computer. As an administrator, you will find this useful sometimes. It can assist you in troubleshooting an error situation on that computer. To view a remote log file using the Event Viewer, perform the following tasks:
The Alerter service is used to send alert messages to specified users and to users connected to the server. Alert messages warn about many types of problems including security and access issues, printer issues, and user sessions. Administrative alerts are generated by the system as a response to server and resource use. Alert messages are sent as Windows NT messages from the server to a user's computer.
You can determine which computers are notified when alerts occur at the server. For alerts to be sent, the Alerter and Messenger services must be running on the server. For alerts to be received, a Messenger service must be running on the destination computer. If the destination computer is not on, the message eventually will time out. The destination computer must be running Windows for Workgroups, Windows NT, Windows 95, OS/2, or an MS-DOS Messenger driver.
Enabling Administrative Alerts
To enable the Alerter service, perform the following steps:
Assigning Administrative Alert Recipients
Use Server Manager to specify the administrators, users, and computers that should receive administrative alerts. To manage the list of administrative alert recipients, perform the following steps:
Sometimes it is important and useful to send a message to a user base. This is especially true following an alert or error message. If the users are sent an alert saying that print services are going down, then it is important to send another message to them when print services are back online. Another important occasion to send a message is when important network resources are going to be down for a period of time. To send a message to a user, perform the following steps:
NOTE: Users will only see messages sent in this fashion if they are running WinPopUp or another utility designed to receive NetBIOS messages.
About the worst thing that can happen to a network administrator is loss of data without adequate backups available. Data stored on your Windows NT Server is critical to your business. It is obvious, then, that a sound backup strategy must be rigorously implemented.
This section outlines the tasks that must be carried out by the network administrator to perform backups of the data residing on Windows NT Server. It includes a discussion of backup strategies and methods, Windows NT Backup sets, and a step-by-step description of the procedures required to back up and restore data. When you are finished with this section, you will be able to back up and restore data on Windows NT Server in a manner best suited for your network.
Windows NT Server includes a backup tool found in the Administrative Tools program group. The program enables you to easily back up and restore important files on NTFS, HPFS, or FAT file systems. You can supply detailed selection criteria for the backup and have the backup verified. The Backup utility enables you to select disks and directories or files to be backed up, including shared directories on other computers.
More complete backup utilities with much richer sets of features are available from various third parties. The Arcada Backup Exec product, for example, enables you to initiate backups from a remote workstation, monitor the progress of the backup in detail, and easily create and manage automated backup schedules. Any large network site should strongly consider purchasing a tool that provides more capabilities than the standard Backup utility combined with the Schedule service. That combination is described here.
The Backup program is designed for use with a tape drive. It is certainly possible to make backups using a fixed disk or floppies, but you may be unable to back up all the system files. We highly recommend that you employ a tape drive. These mass-storage devices make centralized administration of backups more reliable and easier. When storing large amounts of data, it is really the right backup medium choice.
NOTE: If you don't have a tape drive, the files REGBACK and REGREST (available with the Windows NT Resource Kit) will enable you to back up and restore the system registry with floppy disks. See the Windows NT Resource Kit for more information on employing this method.
Windows NT Server supports high-capacity SCSI tapes for 4mm, 8mm, and 0.25-inch drives, as well as economical mini-cartridge drives. The Backup utility enables you to place multiple backups on a single tape set. You can also span multiple tapes for a single backup. Determine storage needs and objectives prior to purchasing a tape drive. Be sure that the brand and model you intend to purchase is supported and listed on the Hardware Compatibility List.
NOTE: Even though you can have numerous tape drives connected to your system, only one can be selected at a time.
See "Verifying Hardware Compatibility," [Ch. 5]
A backup set is a collection of files or directories selected for backup. These files or directories can be appended to or replace an existing backup set. A family set, or tape set, is the group of tapes that make up one backup set. The Backup tool automatically creates a tape catalog for each backup set. A tape catalog (stored on the last tape in the tape set) contains information about the backup set.
File-based backup methods can be broadly categorized as complete or incremental. A complete backup copies all files from the source. An incremental backup copies only those files that have changed since the last backup. (An archive bit indicates whether each file has changed since last backed up.) Windows NT Backup supports both types of backups, also providing the option to leave the archive bit unchanged. The archive bit is an indication that a file has been archived. Windows NT Server uses the following terms to define backup methods: