Windows NT Advanced Server has a lot of feature functionality that now allows us, the MIS shops of the world, to take these mission critical apps and actually apply them to these really tough problems.

One of the really great things about Windows NT is that with a single network logon, I can access resources anywhere in the network where I've been given permission.

Well, Windows NT Advanced Server's openness has made it really easy to integrate it into the diverse network we have here at Microsoft, which includes Windows, Macintosh, and DOS clients, as well as AS/400 systems, VAX systems, and several flavors of Unix.

Hello, I'm Wesley Rice. You've been listening to three of the people responsible for the upgrading of the Microsoft World Wide Network to Windows NT Advanced Server. They will offer the benefit of their experience so that when you plan your company's network, the flow of information and the methods of protecting that information will meet your company's business needs. In addition, Microsoft's director of global networking, Dave Lineweber, will give us his perspective on client server computing, and specifically the role of Windows NT Advanced Server in implementing Microsoft internal business applications. Then we will describe what client server computing means under Windows NT Advanced Server, both to the administrators and to the users of local area and wide area networks. Keith Logan, lead program manager for Windows NT Administration, will review the functional characteristics and features that customers require for this powerful client server operating system. Dan Perry, a Microsoft product support training specialist, will provide an illustrated overview of Windows NT Advanced Server concepts and four suggested models for organizing your network. 
In addition to discussing the applications of these concepts and models, Debbie Alsop, a corporate network engineer, and Alan Juergen, Microsoft's corporate computer operations manager, will demonstrate several administrative tasks by using the Windows NT Advanced Server graphical user interface. In the final segment, we will respond to some of the most frequently asked questions about Windows NT Advanced Server. After you watch the video, we recommend that you review your Windows NT Advanced Server concepts and planning guide, which provides more detailed planning information, as well as examples and scenarios to illustrate the concepts. If you are upgrading your network from LAN Manager to Windows NT Advanced Server, see your upgrade planning guide for LAN Manager. You may want to reset your VCR counter to zero now so that you can easily make note of the places in the video you want to return to. In the last few years, the network industry has been moving steadily toward microcomputer and multiprocessor client server platforms. Windows NT Advanced Server is a natural extension in this trend. Here's Dave Lineweber with his perspective.

So for me, Windows NT Advanced Server really represents a new generation of client server computing that will allow us to take on more mission-critical applications, to take those things that have been running on mainframes and to put them down into an area that's really much closer to the reach of the end user. It's interesting to me that that's exactly what client server architecture is really designed to do. That it really strikes a balance between this distributed and centralized data. That's really its greatest strength. The ability for you to develop a system that allows an MIS shop from a central location to really manage the data, but still keep the data out there close to the people who are actually turning that data into information. 
So that's the challenge of the MIS professional today, is to take all of those islands of information and to be able to join them together in cohesive enterprise-wide networks that allows the information to flow very, very freely between individual users within the company and also to flow up to the senior managers who are trying to make those day-to-day decisions.

Windows NT Advanced Server's client server architecture can make use of data and resources more effectively and less expensively throughout the entire company. Windows NT Advanced Server is the server version of Microsoft's Windows NT operating system, integrating mission-critical applications and personal productivity tools. But what exactly do we mean when we say client server operating system? And how does that functionality increase the efficiency and lower the cost of your company's network? Many people do not realize that what is offered by client server architecture can differ significantly from brand to brand of network software. Generally, client server architecture splits application processing between a front-end client component, which runs on the PC workstation, and a back-end server component, which runs on the PC server, minicomputer, or mainframe. On the front-end, the client part of the application typically consists of an easy-to-use graphical user interface capable of presenting and manipulating data. On the back-end, the server application is responsible for storing, retrieving, and protecting data. When it receives a request, the server processes the request and provides the requested service to the client. But what makes Windows NT Advanced Server the most powerful client server platform is the ability to run mission-critical business applications on high-performance PC servers. The presentation services and application-specific processing that an individual user needs are handled by the PC workstation. 
Windows NT Advanced Servers handle the work that is most processor-intensive and that must be shared among users. The greatest benefit to the users is improved performance. Much of an application's processing is offloaded to the high-performance server hardware. Essentially, this gives the user at the PC workstation a boost in computing power and it preserves your company's existing investment in PC hardware. The centralized processing services reduce network traffic, provide improved security, and centralized administration helps to ensure the integrity of the data. In addition, the user-friendly graphical interface of the system reduces training costs. Now, let's turn to Windows NT Program Manager Keith Logan, who will review the functionality that makes it possible for Windows NT Advanced Server to run powerful business applications with the high reliability offered by advanced fault tolerance. Keith will also show that Windows NT Advanced Server is open, which makes it easier to integrate into mixed networks.

When we asked our customers for their requirements several years ago for our new operating system, Windows NT, they told us they wanted a powerful operating system on which they could deploy a client-server solution. In general, their feedback fell into the following categories – power, reliability, and openness. They told us they wanted a high-end operating system with 32-bit processing and preemptive multitasking. In addition, they didn't want any bottlenecks in the system, so we made Windows NT scalable so it can run on single processor machines and also scale up to symmetric multiprocessor or RISC architectures. In addition, there are no built-in capacity limits in Windows NT. Files can be as large as 17 billion gigabytes, effectively removing all storage limits. As well, Windows NT can address up to 4 gigabytes of RAM. 
Customers also told us they wanted it to be easy to share information from these systems so they could exploit client-server computing. Networking and workgroup computing capabilities are built into Windows NT and Advanced Server, and the graphical administration tools in Advanced Server make it easy to centrally administer these systems. One of the most important pieces of feedback we got was that administrators wanted a user to only have to log on once to access any resources in the network. This single network log-on means that a user only has to remember a single user account and password, where an administrator, since there's only one account to deal with, only has one account per user to manage. Finally, people told us they wanted us to retain this simple Windows user interface so that their new business-critical applications could integrate well with personal productivity applications and not lose the existing investment they have in training. Windows NT Advanced Server's power makes it a system you want to grow. Its symmetric multiprocessing support, its portability to other architectures, as well as its large capacity in centralized administration, ensures it'll support your business needs as your company grows. In terms of reliability, customers asked for a number of features. Perhaps the most important feature in Windows NT Advanced Server is application protection. Application protection ensures that your server will be highly available. One application can't crash the system or another application. Windows NT's preemptive multitasking ensures that one application can't delay another. And memory protection ensures that one application can't corrupt another's address space. Customers also asked us for centralized security to guard against malicious users or user error. A user can only access data to which they're authorized. Windows NT's security is designed to the government's C2 security requirements. 
Its flexible central management tools make it possible for an MIS administrator to control the network if he chooses so, or to allow users complete control of their desktop. Finally, Windows NT Advanced Server includes a number of fault tolerance features to further improve its reliability. The NTFS file system offers quick recovery in the event of a power failure without the need to run CheckDisk. Also, Windows NT Advanced Server includes some data protection features such as disk mirroring, disk duplexing, striping with parity or RAID 5, integrated support for uninterruptible power supplies, and a backup program. These features make Windows NT Advanced Server the most reliable platform for client server computing. It protects your business critical information with quick recovery and fault tolerant features that make sure your data is highly available. As well, tightly integrated security protects against malicious tampering or user error. Customers also ask that we provide them with an open system. Windows NT Advanced Server is open in that you can choose what type of hardware you wish to run it on. It runs on Intel 386, 486, and Pentium systems, as well as RISC-based systems such as the MIPS R4000 series or the DEC Alpha chips, as well as symmetric processor systems from each of these architectures. Openness also extends to applications. Our customers told us they wanted to integrate their business critical applications with personal productivity applications. So Windows NT and Windows NT Advanced Server support MS-DOS applications, 16-bit Windows applications written for Windows 3.1, 32-bit Windows applications, as well as OS/2 character-based and POSIX compliant applications. Given this flexibility, the user can choose the right application for the job. Customers also told us that Windows NT should be open with respect to networks and protocols. So we built Windows NT Advanced Server to work with your existing network. 
Windows NT Advanced Server is interoperable with LAN Manager, Novell NetWare, DEC PathWorks, Banyan Vines, Unix, and SNA networks. And in addition, both Advanced Server and Windows NT include TCP/IP for internetworking and OSF DCE-compatible RPC for distributed applications. In addition, Windows NT Advanced Server supports clients including Microsoft Windows, Windows for Workgroups, Windows NT, MS-DOS, and OS/2. Using Windows NT Advanced Server's services for Macintosh, Macintosh clients can connect as well. And remote clients can access the network over phone, X.25, and ISDN lines using Windows NT Advanced Server's remote access feature. Windows NT Advanced Server's openness gives you the choice of hardware, software, and networking that's most appropriate to your business, and the flexibility to change that as your business infrastructure changes. In sum, Windows NT Advanced Server is the most powerful, reliable, and open client-server platform for the enterprise today. Microsoft also offers other enterprise services such as SQL Server, SNA Server, and Microsoft Mail that take advantage of Advanced Server's capabilities to provide advanced database, SNA connectivity, and messaging services.

Planning is integral to the success of any network, making sure that the structure of your local area and wide area networks supports your business needs. Sound planning, in part, relies on the designer's understanding of the basic concepts of the network software. Dan Perry of Microsoft Product Support Services will introduce us to the security model for Windows NT Workstations. He will expand this security model to include server security with concepts such as user accounts, local groups, and global groups. He will describe Windows NT Advanced Server domains as well as the single network logon. 
Windows NT provides a number of security mechanisms to assure that only the appropriate users are allowed to log on, access resources such as files and printers, and perform server administration tasks. To implement this security, each Windows NT station maintains a database of user accounts. Each person who will be allowed access to this station must have an account in this database. The user account, created by the network administrator, includes a unique username and a password. Please note that when typed into the actual system, passwords are always displayed, stored, and transmitted in an encrypted form. In order to use a Windows NT station, a user must first log on. The logon information the user must provide includes the username and password. The password provided is compared to the password stored for this user in the user account database. If the passwords match, the user is allowed access. Similarly, when the user attempts to connect to another server on the network, the user's logon information is sent to the remote server and is compared to the information stored in the server's user account database. If the passwords match, the connection completes successfully. Administrators can specify additional restrictions that will be enforced when the user attempts to log on or connect to a remote server. These include during what time of day or from which workstations the user is allowed access. To ensure that only the appropriate users are allowed to access a server's shared resources, such as disk files, printers, and client-server application communication pipes, the user account can be assigned specific access permissions on specific resources. For example, a certain user might be assigned permission to read from, write to, or delete specific sales history files. Another user may be assigned permission only to read from the same files. 
In addition to resource access permissions, the user account can be assigned user rights to perform specific server administration activities, such as managing user accounts, backing up and restoring files, and shutting down the server. Users who have similar jobs or resource needs can be assigned to groups. Although you can grant resource access permissions and user rights to an individual user, groups generally make granting access permissions and rights more convenient when multiple users need access to the same server resources or will perform the same server administration tasks. To make network administration easier, Windows NT contains a few special built-in groups, such as the administrators group and the backup operators group. These built-in groups are pre-assigned a specific set of user rights. For example, all users assigned as members of the backup operators group automatically gain the right to log on locally, back up and restore files and directories, and shut down the system. Within your organization, you may want users to be able to access several servers. Now, this would normally require that the network administrator create a separate account for each user on each of the servers. This turns out to be a lot of administrative work, especially when user accounts need to be added, modified, and removed on a regular basis. As the number of servers increases, the task of administering them increases proportionally. To ease the administrative load, Windows NT Advanced Server implements centralized administration through the establishment of domains. A domain is a group of servers and workstations, typically comprising the computer resources of a small company, or perhaps of a single distinct department or division within a large corporation, such as sales or finance. You can organize your network into one or several domains, depending on the internal structure of your company and the needs of its computer users to share resources and data. 
When you install each Windows NT Advanced Server, you will be asked to specify a domain name. All of the servers that have been assigned the same domain name belong to the same domain. All of the Windows NT Advanced Servers in a domain form a single administrative unit, sharing security and user account information. One server, which you designate as the Domain Controller, maintains a master database of user accounts, with associated group memberships and user rights. Any additions, deletions, or alterations that you make to the user accounts and associated rights are replicated automatically to the user account databases on all other Windows NT Advanced Servers within the domain. This means that you have to create and manage only one account for each user. It also means that the group memberships and user rights assigned to the user will be the same on all servers within the domain. When a user logs on, she can specify the name of the domain where her user account resides. Since the account information has been replicated to all Windows NT Advanced Servers within that domain, any one of those servers can validate the logon request. The user can then connect to shared resources on any server within that domain. Please note that although user accounts with associated group memberships and user rights are replicated to all Windows NT Advanced Servers within the domain, resource access permissions are not replicated. LAN Manager servers can also be assigned as members of the domain, and as such, they too will receive updates of the Domain User Accounts Database. However, the server assigned as the Domain Controller must be a Windows NT Advanced Server. Larger organizations may require multiple domains, one for each separate administrative unit. If you create more than one domain, you can establish inter-domain trust relationships between the domains. 
A trust relationship is a link between domains which makes it possible for users who are logged on in one domain, the trusted domain, to access data and resources in the other domain, the trusting domain. Trust relationships are one way. To have two domains trust each other, you simply establish a pair of one-way trust relationships between them. When a trust relationship exists between two domains, such as between the sales and finance domains, a network user logged on in the finance domain can access servers in the sales domain even though the user's account does not exist in the sales domain's user account database. The trust relationship enables pass-through authentication, which works as follows. When a user logged on in the finance domain attempts to connect to a shared resource on a server in the sales domain, the server in the sales domain communicates with the Windows NT Advanced Server in the finance domain to verify the user's account name and password. If the account name and password are found to be correct, verification is returned to the trusting server in sales and the user is granted access. Thus, a single network logon enables the user to access his own workstation, all servers within the user's logon domain, and all servers in any trusting domains. To summarize, domains allow easy central administration of a selected set of users, workstations, and servers. Each domain can be administered by a separate authority. Trust relationships enable a user to access servers in other domains without having to add the user to the other domain's respective user account databases. In addition to pass-through authentication, trust relationships provide other important benefits. When a trust relationship has been established, a server's resource access permissions and user rights can be assigned to selected users and groups defined in any trusted domains as well as to those defined in the server's own domain. 
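The following is an added Python model of the one-way trust and pass-through authentication just described; it is illustration written for this transcript, not Microsoft code, and the domain, server, user and resource names are constructed sample data. It also shows the trust benefit named in the last sentence: a permission on the trusting server's resource granted to a group defined in the trusted domain.

```python
"""Toy model of Windows NT Advanced Server domains, one-way trusts and
pass-through authentication. Added illustration, not Microsoft code.
Passwords are hashed here only so the toy never stores them in the clear;
the real NT credential scheme is not modelled."""
import hashlib
from dataclasses import dataclass, field


def _digest(password):
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Domain:
    name: str
    accounts: dict = field(default_factory=dict)       # user -> password digest
    trusts: set = field(default_factory=set)           # names of domains THIS domain trusts
    global_groups: dict = field(default_factory=dict)  # group -> users of this domain
    local_groups: dict = field(default_factory=dict)   # group -> {(domain, user or global group)}

    def add_user(self, user, password):
        self.accounts[user] = _digest(password)

    def validate(self, user, password):
        """Check a logon against this domain's own user account database."""
        return self.accounts.get(user) == _digest(password)


class Server:
    def __init__(self, name, domain, directory):
        self.name = name
        self.domain = domain        # the Domain this server belongs to
        self.directory = directory  # name -> Domain; stands in for the network
        self.acl = {}               # resource -> {(domain, principal): {perms}}

    def grant(self, resource, domain, principal, *perms):
        self.acl.setdefault(resource, {}).setdefault((domain, principal), set()).update(perms)

    def authenticate(self, account_domain, user, password):
        """Validate locally, or pass the request through to a trusted domain."""
        if account_domain == self.domain.name:
            return self.domain.validate(user, password)
        if account_domain not in self.domain.trusts:
            return False  # no trust in this direction: request is refused, not forwarded
        # pass-through: the trusting server asks the trusted domain to verify the logon
        return self.directory[account_domain].validate(user, password)

    def principals_for(self, account_domain, user):
        """User, the global groups of the user's own domain that contain him,
        and the local groups of this server's domain that contain either."""
        found = {(account_domain, user)}
        for group, members in self.directory[account_domain].global_groups.items():
            if user in members:
                found.add((account_domain, group))
        for group, members in self.domain.local_groups.items():
            if members & found:
                found.add((self.domain.name, group))
        return found

    def access(self, account_domain, user, password, resource, perm):
        if not self.authenticate(account_domain, user, password):
            return False
        acl = self.acl.get(resource, {})
        return any(perm in acl.get(p, ()) for p in self.principals_for(account_domain, user))


def build_sample_network():
    """Constructed sample: SALES trusts FINANCE (one way only)."""
    finance, sales = Domain("FINANCE"), Domain("SALES")
    directory = {"FINANCE": finance, "SALES": sales}
    finance.add_user("joe", "payroll-pw")
    finance.global_groups["PAYROLL"] = {"joe"}
    sales.add_user("sue", "sales-pw")
    sales.trusts.add("FINANCE")
    # a local group in SALES whose member is a global group from the trusted domain
    sales.local_groups["LIAISON"] = {("FINANCE", "PAYROLL")}
    salesinfo = Server("SALESINFO", sales, directory)
    salesinfo.grant("sales_history", "SALES", "LIAISON", "read")
    ledger = Server("LEDGER", finance, directory)
    ledger.grant("ledger", "FINANCE", "joe", "read", "write")
    return salesinfo, ledger


if __name__ == "__main__":
    salesinfo, ledger = build_sample_network()
    print(salesinfo.access("FINANCE", "joe", "payroll-pw", "sales_history", "read"))   # True
    print(salesinfo.access("FINANCE", "joe", "payroll-pw", "sales_history", "write"))  # False
    print(ledger.access("SALES", "sue", "sales-pw", "ledger", "read"))                 # False
```

The third call fails because FINANCE does not trust SALES, so the LEDGER server never forwards the logon even though Sue's password is correct in her own domain.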
When defining a user account in a Windows NT domain, you can designate the account as either local or global. A local user account is so named because the user can be assigned resource access permissions and user rights only on servers within the local domain. In contrast, a global user account can be assigned resource access permissions and user rights not only locally on servers in the local domain, but also globally on all servers in any trusting domains. By default, all domain user accounts are global. Local accounts are typically used when you need to allow domain server access from selected users in untrusted domains. However, you do not want these user accounts to be available for permission and rights assignment on servers in trusting domains. Much like user accounts, groups can be designated as either local or global. Local groups can be assigned resource permissions and user rights only on servers within the local domain, whereas global groups can be assigned permissions and rights not only on servers within the local domain, but also on all servers in any of the trusting domains. To make administration even easier, global groups can be assigned as members of local groups. Then, when resource permissions or user rights are assigned to the local group, these permissions and rights will automatically apply to all local domain users, local domain global groups, trusted domain users, and trusted domain global groups that are designated as members of the local group. To review the concept and usage of trust relationships, let's walk through a typical scenario where a user will access resources on a server located outside of the user's local domain. Joe, a payroll clerk whose account is established in the finance domain, requests connection to the sales history files resource located on the sales info server in the sales domain. Sales info determines that the connection request came from a workstation in the finance domain. 
Since the sales domain trusts the finance domain, sales info communicates with the Windows NT Advanced Server in the finance domain to request verification of Joe's account name and password. The account name and password are found to be correct. Verification is returned to sales info, and Joe is granted access. Using a spreadsheet program, Joe then attempts to open one of the sales history files located on sales info. Since Joe is a member of the finance domain's global payroll group, which is in turn a member of the sales domain's local liaison group, and since the liaison group has been assigned permission to read from the sales history files, Joe is allowed to open the requested file. We anticipate that companies will take advantage of domains and trust relationships by organizing their network systems according to one or more of the following domain models. This is the single domain model. In this model, no trust relationships are established. Any user who wishes to connect to server resources within this domain must have an account established in the domain's user account database. The single domain model facilitates easy central network administration for companies with few users and shared resources. The number of users that can be efficiently supported in a single domain depends on your domain controller hardware configuration. For example, for best performance when using a 486/50 with 32 megabytes of RAM, the number of domain users should be limited to around 10,000. Here we have the master domain model. Network resources are grouped into several logical domains, with one domain designated as the master domain. Accounts for all network users within the organization are established in the master domain's user account database. All other domains trust the master domain. Thus, user accounts can be centrally managed and global groups need be established only once in the master domain. In this model, all users can log on via their account in the master domain. 
They can then connect to any server in any domain. Global groups and user accounts established in the master domain are available for resource access permission and user rights assignment on all servers in all domains. The master domain model is a good choice for organizations that want to group network resources into logical domains, yet maintain the ability to centrally manage user accounts and group memberships. However, as previously indicated, there are performance related limits to the number of user accounts that can be efficiently supported in a single domain. Since the single master domain must contain accounts for all users, this model may not be appropriate for organizations with an extremely large number of network users. This is the multiple master model. As in the previous model, network resources are grouped into several logical domains. However, in this model there are multiple master domains. All other domains trust one or more of the master domains. This model may be the best choice for organizations that have more users than can be efficiently supported in a single domain, as the large number of user accounts can be distributed across the multiple master domains. Indeed, this model can be scaled to accommodate any number of network users, while facilitating central administration of user accounts and group memberships across the master domains. Administration of the multiple master model can be a little more complex than that of the single master model, since global groups need to be defined multiple times, once per master domain. This is called the complete trust model. Again, network resources are grouped into several logical domains. Each domain can potentially trust any or all other domains. Each user's account need only be established in the user's primary logon domain. 
The complete trust model might fit well in organizations that distribute network administration authority, where each department or division assumes full control over its user accounts and network resources. This model, like the previous one, is scalable to accommodate networks with any number of users. A disadvantage of the complete trust model is the large number of trust relationships that may need to be managed. With features such as domains, trust relationships, and global groups, Windows NT Advanced Server provides a rich set of flexible options designed to enable easy administration of systems ranging from small, single domain LANs to very large multi-domain enterprise networks. The key to managing large networks with Windows NT Advanced Server is the single network logon, which allows the appropriate users to access data and resources from anywhere in their enterprise-wide network. And using remote access service over phone, X.25, or ISDN lines, administrators can manage remote sites and branch offices, and users, granted the appropriate permissions, can access data and services on the network from a hotel room or home. Let's turn to our Microsoft network administrators for their perspective on these features.

One of the things about administration that's exciting as I begin to roll this out and look at our opportunities to administer this worldwide is that you can sit down at a Windows NT workstation and manage all the Windows NT servers in the world. It's pretty incredible when you think about it that I can sit down and pull up User Manager for a domain, actually select any domain that the domain I'm in has a trust relationship with. So for example, I'm at my desk and I want to administer the domain in Europe that maintains all the user accounts. 
I can be running a domain version of User Manager on my Windows NT workstation, and you have administrative access to Europe through my account perhaps, and then just log in and I can bring up the user database for Europe and make whatever changes I need right there, and I can actually do that with every single one of them. So even though there's no servers perhaps for the Windows NT Advanced Server domain called Europe, there's no servers locally at my site, so long as I'm on the network or using ISDN RAS, I can connect in from home. Say somebody called me at two in the morning and I was the only one available, it was my time on the beeper to be available to support the network, I can have ISDN RAS at my home, go into my office at home, log in, and perhaps solve a problem in Europe and go back to bed.

Windows NT Advanced Server domains can include workstations running Windows 3.1, Windows NT, Windows for Workgroups, MS-DOS, Macintosh, and OS/2 operating systems. This flexibility makes it easier for you to organize computer users and resources into domains that support your company's business structure. But how best to do this? The amount of time it takes to design and implement a Windows NT Advanced Server-based network will vary from company to company in proportion to the size and other characteristics of your network. Let's return to our administrators for some insight into how this process was accomplished across the 150 sites and 30,000 workstations that make up the Microsoft Worldwide Network.

In an enterprise-wide network such as what we've got here where we've got literally thousands of workstations, thousands of file servers that are not just here in the Redmond site for Microsoft Corporation, but indeed exist in over 150 sites that scatter the world. And it's a real essential part of our operation. It's an essential operation for providing the information across all of the Microsoft employees everywhere in the world. 
So we've put a lot of time and money into building this enterprise-wide network that has extensive WAN communications connecting Redmond to Paris, to London, to all the major cities within the U.S. as well as really the major cities across the world. Now we have this new thing called Windows NT Advanced Server with its domain structure. How is it that we're going to actually go about applying this domain structure to our business? The two issues that we had to balance were the WAN structure, line speeds, hub sites, tail circuits, what the physical topology, what the freeway looks like and how fast it was, and then the business needs of all the individual user communities throughout the entire company. We were talking 16,000 people here so there was a lot of considerations that we had to take a look at. So my suggestion to anyone thinking about doing this is to look at those two factors equally. So what we ended up with was a decision that would carry us through the most indefinite period of time that we could think of. So we ended up doing it on geography because we feel pretty confident that we're not going to be moving sites from city to city and we feel pretty confident that North America will be North America for a long time. So what we did is we broke up the user communities, basically broke up the user accounts based on large geographic areas and put those in what we call first tier domains. And then we put all the remote sites, then we put all the remote sites in site domains called Chicago, New York, Paris, London, Singapore, Sydney, all of the remote sites get a city name as their domain. Because we spent a lot of time thinking what business advantage, what do you win or lose by having just one domain in a city? We decided there really wasn't any trade off for Microsoft to have just one domain. So we're doing one domain per city. 
And if you think about it, what will show up when you go into file manager and you do a browse is you'll see all the cities and hopefully you know where the person's data is that you're trying to get to. So that's fine from a business sense, but how did that look to the network? You don't want to stress the network needlessly, it's expensive. So, and we want to keep everything centralized. So what we did is we put all of the Windows NT advanced servers for each domain in Redmond. And then we put the rest of the servers in that domain, one at each site. So for example, North America is the easiest to talk about. The Windows NT advanced server, the primary server for North America resides in Redmond. There's another Windows NT advanced server for North America, one in Chicago, one in New York, St. Louis, Atlanta, right, duplicated to provide redundancy, if you will. The protocols allow for the users to be able to sit down at a computer in Atlanta, for example, and be able to access a server here to get authenticated, but it'd be a little bit slow, you have to use the network, it's a waste of resources. We decided that what we would do is put another server in Atlanta or in these sites so that when the user sits down, they can go to that server. It's locally contained packets and all of that. But I think one of the important things to remember here is that all Windows NT advanced servers are in fact domain controllers in the fact that they can validate a login. So this, in our particular case, a lot of these servers that you're talking about really aren't new servers. They are servers that were there that we've updated to Windows NT advanced server and have given this additional task to. Right. So we've talked a lot about the remote stuff, but what about locally? And this is the biggest site. Redmond is the biggest site. We have about 8,000 users. It's a huge domain. Well, it's all in one domain called Redmond. 
And our account database for the Windows NT advanced server on that domain is about 8 or 9,000 user accounts, so it's 8 or 9 meg database. And it works for us great. We get good performance. Really shows off the scalability aspects of Windows NT that you can actually have a domain that isn't just a few hundred, but actually a number of thousands. Right. Alan, I think it's about 8 or 9,000. I think it is. It's about 9,000. And it's growing. I mean, we're just beginning and we'll have more groups and each group is an account and on and on. But that's just the big Redmond domain. What about all the little business units that are here that we can't have a site domain called Redmond? It would just be a little bit much. So what we did is we took into consideration the business units. And the easiest thing to do from balancing the business needs of the work groups and the business needs of Alan's team, which is to administer all this, was to take large business units that we felt pretty sure weren't going to change, like Word. It's one great big domain. And Excel, one great big domain. And finance maybe would be two domains broken up into a couple of secure pieces. And then what we want to do is we want to give, to offload some of the stress from Alan's administrative staff, we want to offload that back into the Word domain. So we're actually going to give the people in the Word domain access to administering their own private domain. Because in our case, they're only going to have to administer groups, local groups, and machine accounts. And there will be no user accounts. So we feel pretty safe letting Word decide how they want to maintain the security of all their systems.

The Windows NT advanced server graphical user interface makes the task of managing your network easier and quicker. Alan Juergen will demonstrate how to set up a user account, create a global group, and grant permissions on files to that group.
What I'd like to talk about today is how we go about setting up user accounts and global groups under Windows NT advanced server. Now here at Microsoft, we would get a piece of email from the manager of a new employee with the full name, the location, and the job title. We would use this information to set up the user account. Now I'll double click on administrative tools, double click on user manager for domains, and simply select new user. Now our user happens to be Sarah LaVante. And for a user name, I'll use her first name and the first letter of her last name. So she's set up as Sarah L, full name, Sarah LaVante. And under description, I'll put her job title. She happens to be a network engineer. I'll put in the password and confirm that password. Now at this point, I've entered the required information to set up the account. We have many other things to choose from. I could select groups, add her to a group, which I'll talk about a little more later. And profile, we have the user environment profile, which I can basically tailor the environment for the user. Under the user profile, I can do things such as personal program groups and program items. Under the logon scripts, I can select certain network connections that will be established every time this person logs on. And we have a home directory to which I could set so they could have a personal workspace out on the network somewhere. I could click on hours, and I could restrict this person from logging on to certain hours. But for right now, all I need to do is click on add, and we've set up the account. Now at this time, Sarah has an account to which she could get authenticated from her workstation, but she really has no permissions to do anything. And to give her permissions, I'm going to create what's called a global group. I'll select user, click on new global group, and set up a global group called engineers. 
I'll put in a description of network engineers, and I'll select the users that I want to be members of this group. Now I could click on the add button or drag them over. Now when I click on OK, there's a global group created called engineers, and it has those two people in it. Now with that global group, I can use that to put down permissions on files. I'll connect up to a server, and there happens to be a share here called drivers. I'll click on that. OK, now I'm connected to this server and to the driver share. What I'm going to do is click on security and permissions, click on add, and there is the global group engineers. I'll highlight it, click on add, and click OK. Now that global group engineers has permission to access that data. Security exists throughout Windows NT advanced server. User accounts, groups, and domains all utilize security features meant to ensure that only the appropriate people have access to data. The user first encounters Windows NT security when she logs on. Network engineer Debbie Alsop. One of the really great things about Windows NT is that with a single network log on, I can access resources anywhere in the network where I've been given permission. To log on, I hit control alt delete. Control alt delete captures the attention of the system in such a way that if anyone's written a program that mimics Windows NT, it can't capture my password. In the welcome dialog box, I enter my username, then I need to choose the domain where my username is kept. In this case, my username is maintained in the Redmond domain. Enter my password. I'm now logged in, can access resources anywhere in the network where I have permission. After you've organized the structure of Windows NT advanced server domains, the next consideration is the physical location of the Windows NT advanced servers. The location of the primary domain controller is particularly important because it contains the master copy of the user account database. 
Changes to that database and only the changes are replicated to the backup domain controllers every five minutes. Let's hear how our administrators decided to place their Windows NT advanced servers to best take advantage of the Microsoft wide area network.

One of the things that we struggled with in trying to decide how to set up our master user domains, the first tier domains that have all the accounts, was where to put the primary domain controller for Europe or for some of these remote sites. I remember a lot of our discussion is if we put it in Europe and it replicates every five minutes, are we going to want it to go across the link between here and Europe 18 or 20 times or 30 times, however many sites and DCs we have over there, are we going to risk putting it over there and not having it in our secure environment here? The decision was made to put it there and it seems to be proving out that this way there's one replication that comes back or two maybe replications that come back to Redmond. It just replicates the changes, so that's going to keep that very small. Even if it does stack up, if your links go down, it's never going to get that large where you can't replicate it. So as important as primary domain controllers are, they still don't have to reside physically with the group that is ultimately responsible for them. But by having the backup domain controller here, if something did happen in Redding where the primary is and the hot standby that's right there also failed for some reason, we can easily promote one here in Redmond and we're covered. So you always have that option. So long as you have enough domain controllers and you think about that logically about where you want them, you can always promote any one of those domain controllers in that domain to the primary, the one that does the initial administration.
The flexibility and scalability of Windows NT advanced server domains allow organizations to tailor their networks so that the various kinds of information are available to people with varying responsibilities wherever those people are physically located. Debbie Alsop will demonstrate the single network logon by setting up a trust relationship. She will also demonstrate the procedure for promoting a Windows NT advanced server to domain controller. We're going to establish a trust relationship between the second tier domain where my workstation is and the first tier domain where my user account is. Now I can do this from this workstation because I have administrative privileges in both domains. A trust relationship has two sides. The first side that needs to be set up is the side that's permitted to trust this domain, which in this case is Redmond. If I want to go into the user manager for Redmond, go to policies and select trust relationships. And I'm going to add my second tier domain to the permitted to trust this domain. Type in Bill O, which is the name of my second tier domain. Type in a password, which I'll use to set up both sides of the trust. I'm going to close that connection, go to my second tier domain, Bill O, and do the same basic steps, go into policies, trust relationships. Only this time I'm setting up the opposite side in the trusted domains, and I'm going to add Redmond as a trusted domain. I'm going to type in the same password that I set up on the other side. When the two domains have completed setting up the trust relationship, you'll get a dialog box that will tell you that it's done. In this case, the dialog box says trust relationship with Redmond successfully established. Now we have a trust relationship between the second tier domain where my workstation is and the first tier domain where my user account is. Now whenever I need to log into this system, I can log in using my Redmond account and be validated into the network. 
Sometimes hardware fails, and when that hardware is an integral part of the Windows NT advanced server domain and the systems are all counting on the hardware to be up, you need a fast recovery method. The Windows NT advanced server folks have designed in a method of recovering very quickly. When server manager comes up, you have several options. I want to view all the devices that are in the Redmond domain. And since Redmond is just a domain that contains user accounts and doesn't contain workstations, there aren't very many devices in this domain. But let me change to a domain that does have a lot of systems. This domain has literally hundreds of systems. It's a very large Windows NT domain. We have different ways of being able to view this. Currently we're seeing all systems in the domain, but in my case I just want to look for the Windows NT advanced servers in this domain. And there's quite a few. Now you'll notice there's a little icon associated with the computer name. If you go down this list of icons, you'll notice one that's unique. And it also has a type description as controller. This is the primary domain controller in the Windows NT advanced server domain. I want to take and promote a different computer to being a primary domain controller at this point, because I need to take the current domain controller down and rebuild it. Hypothetically, this is something that you might want to do if you wanted to add more memory or add more hard disk or just do regular maintenance. So in this case I'm going to go to another server, and I'm going to go into the computer option and choose promote to domain controller. And I'm going to promote the spork to primary. It may take a few minutes, but this is all that's required is to say yes at this point. 
And then the servers will take care of all the business necessary, and in a few minutes the icons will change and you'll notice that the other one's been promoted, at which time then you could take the original primary domain controller off the network.

Under Windows NT advanced server, setting up a network printer and printing to it are easier than ever. Let's go to one of Microsoft's centralized computer rooms where Alan Juergen will demonstrate how to do this.

What I'd like to do is walk you through setting up a print server under Windows NT advanced server. Let me explain the environment here a little bit. We've got some PC servers set up in a rack with a concentrator that will allow me to switch from Windows NT advanced server to my Windows for Workgroups. Now in setting up this printer, I'm going to log in as the administrator on this server, and I'm going to double click on the print manager. I'll go over here under printer and click on create printer. We'll put in a printer name, in this case it will be a printer for this building, building 11. You've got to then select the driver, to which there are hundreds of drivers to choose from, for the appropriate printer. In this case, we'll go with an HP LaserJet series, HP LaserJet IIISi. A description of the printer, and we will click on sharing this printer on the network. It automatically puts in the share name, which will be MS-11, and we can put in a location here, which is a very nice feature. We can put in the location of the printer, in this case a room in this building. Click on OK, and the printer is set up. Now the printer is set up, it's ready to use, and it's also shared out. I can switch over to my Windows for Workgroups. Select the print manager, look under printer, and connect to a network printer. I can view all the printers, existing printers, and the new one we've set up. Double-click on it, and I'm ready to print.
Administrators require easy access to system information to help troubleshoot and identify potential bottlenecks. The Event Viewer enables administrators to view system, application, and security events within Windows NT Advanced Server. But it's not just having that information, it's also how you present that information and how you manipulate it. The Event Viewer is a very easy-to-use application. You can view the events, you can set it up in certain ways, you can view based on priorities. The system events, security, which as Debbie said, the unsuccessful, successful logins, printing, as much detail as you want to get. And the application events, which would be from, say, an email or a database application or something storing in there. And then you can view the ones that are important to you and pertain to your server, your domain. Over the course of this video, you've become familiar with many of the concepts and features you will apply to the design, implementation, and management of Windows NT Advanced Server in your network. You may still have questions about this system. Here are some of the more commonly asked questions we've received from our customers. I'm about to install Windows NT, but first I need to know what the difference is between a workgroup and a domain. A Windows NT-based workgroup is simply a grouping of computers running Windows NT without a Windows NT Advanced Server. Each workstation running Windows NT is responsible for maintaining its own user account database. A domain is a group of Windows NT Advanced Servers and client workstations that share a common user account database. I'm curious about user profiles and the user profile editor. Exactly what are user profiles and how would I be able to use them in my work? A user profile is the most flexible method administrators have of managing user environments on a Windows NT workstation. 
A profile provides a snapshot of a specific user's desktop environment, including program manager groups and program items, network and printer connections, and other characteristics. There are two kinds of user profiles, personal and mandatory. The personal profile can be changed by the user, whereas the mandatory cannot be changed by the user.

Sounds like user profiles could be very useful. I have noticed, though, in the new user dialog box, this profile button that brings up the user environment variable dialog box. In that, I notice logon scripts and home directories. Exactly what is a logon script? How would I use that? And what's the home directory? How would that be useful to me?

A logon script is a file that runs automatically when a user logs on at a workstation. There are a few reasons why you may want to use logon scripts. You may want to manage only part of the user's environment, such as network connections, or you may already have LAN Manager 2.0 or higher and want to continue to use logon scripts you have created. Home directories can benefit both users and administrators. A home directory is a personal data storage space for an individual user. For workstations with low disk storage space, an administrator may want to assign each user a home directory on a server. In addition, administrators can consolidate storage space and centrally manage file security.

I've just started User Manager for Domains, and I noticed that it has something called a guest account, but it's grayed out. What do I use a guest account for?

By default, every Windows NT advanced server domain and every Windows NT workstation initially has a guest account defined. But for security reasons, it resides in a disabled state until an administrator activates it. There are two kinds of guest logons, local guest logons and network guest logons.
With a local guest logon, the user can work on the local computer subject to the rights and permissions the administrator has granted the guest account. The computer may allow a network guest logon for users not contained in its user account database. The guest user then has all rights, permissions and group memberships on the computer that are granted to the guest account.

I've opened the policies menu under User Manager for Domains because I want to set up trust relationships between domains. But a question just occurred to me. Under Windows NT advanced server, if the finance domain trusts the sales domain, does the sales domain automatically trust the finance domain?

No. As an added security precaution, trust relationships are designed to be one-way and must be set up individually. For two domains to trust each other, a pair of one-way trust relationships must be established.

I want to use one of my LAN Manager 2.1 servers with my Windows NT advanced server domain. Before I set it up, I need to know what level of functionality I can expect.

A LAN Manager 2.0 or higher server can keep a copy of the domain's user account database and perform all of its usual functions. However, it can only operate as a backup domain controller and cannot validate logon requests for Windows NT machines.

We have a number of Macintosh computers on our network. Can we include them in a Windows NT advanced server domain?

Yes. Windows NT advanced server integrates all the tools you will need to include Macintosh users as members of those domains. Because there is no difference between administering Macintosh users and PC users in Windows NT advanced server domains, you will not have to learn additional procedures. You also will not need to add software to the Macintosh desktop to connect to a Windows NT advanced server.

I understand that Windows NT advanced server includes TCP/IP. Why did Microsoft include it, and in what situations can we use it?
Windows NT advanced server includes several network protocols, including NetBEUI, IPX, and TCP/IP. However, TCP/IP is Microsoft's strategic protocol for wide area networking. It can serve as the only protocol connecting PC desktops and Windows NT advanced servers. TCP/IP also provides a reliable foundation for Unix connectivity applications such as FTP and Telnet. Windows NT includes many common utilities that have been designed to access and transfer data in mixed environments. And the inclusion of the Windows Sockets interface offers compatibility with many foreign host connectivity products and is ideal for developing client server applications.

We hope this introduction to concepts and planning information has answered some of your questions about how to implement Windows NT advanced server. At Microsoft, we believe in information at your fingertips. Windows NT advanced server represents our proud commitment to achieving that goal. Thank you for listening.
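The trust-relationship rules described in the transcript (each domain keeps its own account database, a trust is one-way and is set up from both sides with a shared password, and a trusting domain validates logons for accounts held in a domain it trusts) as a small model, added here as an example and not code from the video or from Microsoft. The domain names Redmond, BillO, Finance and Sales come from the transcript; the user names and trust passwords are constructed, and the non-transitivity rule (no chaining through a third domain) is a property of NT domain trusts that the transcript itself does not state.

```python
"""Constructed model of Windows NT Advanced Server one-way domain trusts."""
from dataclasses import dataclass, field


@dataclass
class Domain:
    name: str
    accounts: set = field(default_factory=set)    # this domain's user account database
    trusted: dict = field(default_factory=dict)   # "trusted domains" side: domain -> password
    permitted: dict = field(default_factory=dict) # "permitted to trust this domain" side


class Network:
    def __init__(self):
        self.domains = {}

    def add_domain(self, name, accounts=()):
        self.domains[name] = Domain(name, set(accounts))

    def permit_to_trust(self, trusted, trusting, password):
        """Step 1 from the demo: in the trusted domain (Redmond), add the
        trusting domain (BillO) to 'permitted to trust this domain'."""
        self.domains[trusted].permitted[trusting] = password

    def add_trusted_domain(self, trusting, trusted, password):
        """Step 2: in the trusting domain, add the trusted domain. The trust is
        only established if the other side was set up with the same password."""
        if self.domains[trusted].permitted.get(trusting) != password:
            return False
        self.domains[trusting].trusted[trusted] = password
        return True

    def trusts(self, trusting, trusted):
        # One-way: Finance trusting Sales says nothing about Sales trusting Finance.
        return trusted in self.domains[trusting].trusted

    def validate_logon(self, workstation_domain, account_domain, user):
        """A workstation in workstation_domain accepts a logon against an account
        in account_domain only if the account exists there and the workstation's
        domain is the account domain or directly trusts it (no transitive chain)."""
        if user not in self.domains[account_domain].accounts:
            return False
        if workstation_domain == account_domain:
            return True
        return self.trusts(workstation_domain, account_domain)


def build_example_network():
    """Mirror the transcript: first-tier Redmond holds accounts, second-tier
    BillO holds workstations and trusts Redmond; Finance trusts Sales."""
    net = Network()
    net.add_domain("Redmond", {"sarahl"})  # constructed user name
    net.add_domain("BillO")                # no user accounts of its own
    net.add_domain("Finance", {"fin-user"})
    net.add_domain("Sales", {"sales-user"})
    net.permit_to_trust("Redmond", "BillO", "trust-pw-1")   # constructed password
    net.add_trusted_domain("BillO", "Redmond", "trust-pw-1")
    net.permit_to_trust("Sales", "Finance", "trust-pw-2")
    net.add_trusted_domain("Finance", "Sales", "trust-pw-2")
    return net


if __name__ == "__main__":
    net = build_example_network()
    print("BillO workstation, Redmond account:", net.validate_logon("BillO", "Redmond", "sarahl"))
    print("Finance trusts Sales:", net.trusts("Finance", "Sales"))
    print("Sales trusts Finance:", net.trusts("Sales", "Finance"))
```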