In a lot of ways, Windows Server 2003, Standard Edition (which I’ll call “Server 2003” or “2003” in this chapter) should be named “NT 2.1.” Anyone coming into the Microsoft networking story without any previous experience with some version of NT, Windows 2000, or Server 2003 probably feels just as lost as someone who gets dragged into a movie theater to see The Empire Strikes Back while knowing nothing of the original Star Wars. They end up asking things like, “Who is the tall guy with the black shiny mask and the bad attitude; and speaking of attitude, what is with that woman whose hairdo looks like she strapped a couple of Danishes on her head?”
In this chapter, I’ll give you a bit of history on Server 2003 and then take a very high-altitude look at why we’re using Microsoft’s networking software in the first place. This is not intended to prepare you for a test on networking essentials, nor is it a complete book on NTs past and present. (When I say “NT,” remember that Windows Server 2003, Standard Edition is really just NT Server 5.2.) What I’m trying to accomplish in this chapter is to answer the questions:
• Why should I care about all of this networking stuff, anyway?
• Why does Microsoft’s networking software approach networking the way that it does? Here, I’m referring to the fact that much of why Server 2003 works the way that it does is simply because NT always did it that way—so knowing more about NT’s history makes 2003 make more sense.
What’s the Point of Networks and Networking?
In a way, this chapter is penance for my youthful misdeeds.
When I was in the seventh grade, I had a math teacher named Mr. Schtazle. Seventh-grade math was a kind of potpourri of mathematical topics—I recall one chapter that took pains to drill into our heads the difference between precision and accuracy—and I’d plague the poor man at the beginning of every chapter by asking him, “How will we use this?”—a slightly more-polite version of “why do we care?” Well, nowadays I find that when I’m teaching a room full of people about Windows 2000, I’ve got to be careful to answer that question, “Why do you care?” even if it isn’t asked. Because if I don’t answer that, then many people in the room will leave the class with a pretty good notion of how to accomplish a bunch of tasks but not a really good feel for why they’d do the tasks in the first place. And you know what? Answering the “Why do I care?” question can be pretty rough sometimes. So, Mr. Schtazle, if you’re out there…my apologies.
Copyright ©2003 SYBEX, Inc., Alameda, CA www.sybex.com
CHAPTER 2 THE BASICS: NETWORKING SOFTWARE, SERVERS, AND SECURITY
Let’s consider the two questions that I asked a paragraph or two back:
• Why network in the first place, and
• If we agree that networking is a good thing, why do we do it this way?
The answer to the first question will turn out to be pretty straightforward: Networking solves a set of problems for us. The answer to the question, “Why do we do it this way?” is a bit longer.
First and foremost, you’re doing this to try to solve some problem that networking can help you with. Your company might want, for example, a great Web site, or to be able to send and receive e-mail, or a simple file and print server for a small office. These are the goals; a network is the means or tool to reach them. In short:
The ultimate goal of any networking project is to provide some kind of service.
Everything else is just a necessary evil—but there are a lot of those necessary evils!
Second, there are many kinds of services that networks can provide, and every kind of service needs different software to make it work. For example, suppose you wanted to set up a Web site on the Internet. Network services, including Web sites, need two main pieces: a server piece and a client piece. To put up that great Web site, you’ll create the site itself with HTML and drop that HTML onto a Web server. One way to get a Web server is by taking one of your computers and putting a piece of software on that computer to make it function as a Web server. But that’s only half the story—in order for your customers to enjoy that Web server’s content, they will need a piece of client software called a Web browser. That’s our first networking piece:
Every network service needs server software and client software.
Third, you need to ensure that there’s a way for your information to get from your server to your clients, a physical system that the service can travel over. If the clients and servers are in the same building, then you only need a local area network (LAN), and setting that up only requires pulling wires through the building. If, however, you want to offer your service to the world, as in the case of a Web server, then you’ll need some kind of WAN (wide area network) connection to the Internet. In other cases, you’ll need a WAN connection, but not to the Internet: many organizations with more than one location connect those locations via private communications links with names like leased line, T1, or frame relay. That’s our next networking piece:
Networks need connection hardware (switches, hubs, routers, modems) and links (phone lines, network cables, frame relay, DSL, cable modem, ISDN, etc.) or the clients can’t connect to the servers.
Fourth, to provide a service over a network, your server and your clients must agree on how to transmit information over that network. That agreement is called a network protocol, and the one that you’ll most probably use in the Windows 2003 world is called the Transmission Control Protocol/Internet Protocol (TCP/IP). You may have heard of it before, as it’s the network protocol that the Internet uses, but you needn’t be on the Internet to use it. In short:
Clients and servers must speak the same network protocols.
Fifth, once you’ve got the channels open, and before information starts flowing in both directions, you’ll almost certainly need to worry about security. When you use the tool that is networking, you want to be sure it doesn’t increase your risk, and in fact you can shape the tool so it reduces hazards. Briefly:
Networks need security.
Sixth and finally, once you’ve set up that terrific network service, you need a way for people to find that great service. You do that with a “naming” system. Windows 2003 has two of them—one that appeared years ago before the first version of NT, and a newer (to NT, anyway) method that the Internet’s been using for years. The last network piece, then, is that:
Networks must provide a way for users to find their services.
Let’s examine these pieces in order, take a closer look at why they work the way that they do, and
get some insight into how Windows 2003 in particular handles them.
Network Client and Server Software
The reason that we network computers in the first place is so that computers acting as clients can benefit from the services of computers acting as servers. For example, suppose you want to visit my Web site, www.minasi.com. Two of the ingredients that you’ll need to make that possible are software:
• You’ll need a computer running a program that knows how to request Web information and then how to receive it—in other words, a client application.
• I’ll need a computer running a program that knows how to listen for requests for Web information and then how to deliver that information—in other words, a server application.
As sometimes occurs too often in the computer business, you’ve got choices about both the client and the server.
The Client Piece: A Web Browser
I’ve said that first you’ll need a computer, of course, one that’s running a Web browser program like
Netscape Navigator or Internet Explorer. But let me rephrase that in basic network client-server
terms.
There is technically no such thing as “the World Wide Web.” Instead, there is an agreement
about how to transfer text, pictures, and the like, and that agreement is called the HyperText
Transfer Protocol—which is normally shortened to HTTP. The phrase World Wide Web just
refers collectively to all of the HTTP servers on the Internet. When you think you’re surfing a
Web page, what really happens is this:
1. Your client computer asks the Web server (oops, I meant the HTTP server) something like, “Do you have any documents?”
2. The Web server responds by saying, “Here’s my default document,” a simple text file that is the so-called home page for that Web server. The Web server sends that file to your client using the HTTP protocol.
3. Once your client receives the text file, it notices that the page is full of references to other files. For example, if the home page that you requested has pictures on it, your Web browser (HTTP client) didn’t originally know to ask for them, so the Web server (HTTP server) didn’t send them. Your client notices the lack of the images and requests that the server send them, which it does—again using the HTTP protocol.
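The three-step exchange just described, as an added example (this is not code from the book): a toy HTTP server hands out a constructed home page, and a small client fetches it, finds the <img> references inside it, and requests each one with a follow-up GET, exactly the way a browser does. The server, the page contents, and the file names are all constructed for the demonstration, and everything runs on the local machine.

```python
"""Client and server halves of a Web service, both in one script.
Added example, not from the book; the site below is constructed."""
import threading
from html.parser import HTMLParser
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# The "Web site": a default document that refers to two other files.
SITE = {
    "/": b'<html><body><h1>Home</h1><img src="/logo.gif"><img src="/photo.jpg"></body></html>',
    "/logo.gif": b"GIF89a-constructed-image-bytes",
    "/photo.jpg": b"\xff\xd8-constructed-image-bytes",
}


class Handler(BaseHTTPRequestHandler):
    """The server piece: listens for HTTP requests and answers from SITE."""

    def do_GET(self):
        body = SITE.get(self.path)
        if body is None:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


class RefCollector(HTMLParser):
    """Step 3: notice which other files the page refers to (img src here)."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value:
                    self.refs.append(value)


def fetch(conn, path):
    """One HTTP request/response pair; returns (status, body)."""
    conn.request("GET", path)
    resp = conn.getresponse()
    return resp.status, resp.read()


def browse(host, port):
    """The client piece: ask for the default document, then for what it references.
    Returns {path: status} for every request made."""
    conn = HTTPConnection(host, port, timeout=5)
    try:
        status, home = fetch(conn, "/")            # steps 1 and 2
        fetched = {"/": status}
        parser = RefCollector()
        parser.feed(home.decode())
        for ref in parser.refs:                    # step 3: follow-up requests
            status, _ = fetch(conn, ref)
            fetched[ref] = status
        return fetched
    finally:
        conn.close()


def run_demo():
    """Start the server on a free local port, browse it, shut it down."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return browse("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

Note that the client has no idea which files exist on the server; it learns that only by reading the first response, which is why the server cannot "push" the pictures and why each picture costs its own request.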
Here, “HTTP client” just means a program that knows how to speak a language that transfers
a particular kind of data—Web data. Your computer is deaf to the Web unless it knows how to
request and receive data via HTTP.
Notice what client means here. It doesn’t refer to you, or even to your computer. Instead, it just means a program that your computer runs.
The Server Piece: A Web Server
Next, let’s consider what’s sitting on my side of the conversation.
I’ll need a computer running a special piece of software that is designed to listen for your computer (or anyone else’s, for that matter) requesting to see my Web pages via the HTTP protocol, and that can respond to those requests by transferring those pages to the requesting client software. You might call such a piece of software an “HTTP server” program, although almost no one calls it by that name. You’d more commonly call it “Web server” software. There is a variety of Web server software that I might run on my Windows Server 2003 computer, but I’m most likely to run the one that comes free with Server 2003, a program called Internet Information Services (IIS) 6. Alternatively, I might find, download (probably using HTTP!), and install a popular piece of free Web server software called Apache.
Once again, notice carefully what “server” means here. It does not really refer to the particular
computer hardware that I’ve got stashed in my network room connected to the Internet. Instead,
“server” means “the program running on Mark’s computer that listens for HTTP requests and knows
how to fulfill them.”
Now that I’ve gone through all of that, consider again the question that I asked at the beginning of
the chapter—why are you bothering with a network? The answer is probably “because you want
to offer a Web site, either internally or on the public Internet, and you think that IIS is the best
(highest-performance, cheapest, or some combination of the two) Web server software around”—
which means that you must use Server 2003, as it’s the only operating system that supports IIS 6.
(Or you could use an earlier version of Server and an earlier version of IIS, but why not go with the
latest and greatest?)
Other Types of Servers
I’ll tend to use the Web client-server example for this discussion. But I don’t want to lose sight
of the fact that there are quite a few client-server systems, besides Web servers, that are in common
use and that you may want to use 2003 to create. Returning to the theme of this chapter, then—
“Why do I care or why do I need this stuff?”—networks offer several valuable services, and you
may want to set up a computer to act as a server and offer some of those services. Here are a few
besides the Web server example.
File Servers
File servers act as central places to store data files. Why put them on a server
rather than just keep them on your local computer? Well, in some cases someone else created
the file, and placing a file on a central server is a simple way to make the files available to others.
The other good thing about storing files in a central location is that they’re more easily backed
up that way. 2003 comes with file server software built in.
Print Servers
Print servers let you share printers. Not everyone wants to put a printer on their
desk, and besides, if you share the printers, you can afford more expensive (and presumably better)
models. 2003 comes with print server software built in.
E-Mail Servers
Mail servers are essential if you’re going to do e-mail. Some computer (or computers) must act as the post office, collecting e-mail from the local users and sending it to other mail servers across the Internet and acting as a receiving point for other mail servers to send mail destined for your organization. You can outsource this function by letting your ISP act as your mail server, but running your own mail server gives you more flexibility. (However, it does require a persistent connection to the Internet.) 2003’s new features include a basic e-mail server. Yes, it’s “basic” because Microsoft really wants to sell you Exchange as your mail server. But it’s not a bad server for many people’s needs.
Group Scheduling Servers
The centralized nature of servers means that they’re a great place to keep track of scarce resources like meeting rooms or your time. 2003 does not come with a scheduling server, as Microsoft wants to sell you Exchange to do that sort of thing. But there are alternatives to Exchange; there are some terrific Web-based scheduling tools that work great on 2003—for one example, take a look at www.mattkruse.com/scripts/calendar/ or other tools, like Lotus Notes.
E-Commerce Online Stores
If you’ve got something great to sell, then the Web’s one place
to do it. There are thousands of online stores on the Web, and a good number of them run on
2003. While 2003 includes a Web server, it doesn’t include the other software that you’d need to
create a complete online store. But there are a lot of consulting and programming firms that would
be happy to help you create an online store atop 2003!
Networks Need Connection Hardware and Links
If I want to offer a server service and ensure that you can enjoy that service, then we’ll both need to be
physically attached to the same network—the same series of cables, satellite links, or whatever—or
your computer’s requests will never get to my computer in the first place. That probably means that
we’re both on that huge network-of-networks called the Internet, but we could just be working for the
same company in a single wired building, or a multilocation firm connected by a private intranet.
Now, notice that if I’m going to run a Web server, I’ll need to be connected to our common
network (Internet or otherwise) persistently: I couldn’t decide to run a Web server out of my
house and just dial in to the Internet now and then. Of course, if I’m only serving some private
network that we share, then an Internet connection is unnecessary, as we already have connection
to a common network.
People who worry about the physical connection part of networking concern themselves with
getting cables run through walls, calling the phone company to arrange for persistently connected
data links of various kinds—links with names like DSL, cable modem, frame relay, leased lines, T1
or T3 lines—and then work with a family of hardware that helps get the bits going off in the right
direction—devices with names like switches, hubs, and routers.
Does 2003 help you with this part of the job? In some parts, it can. Switches and hubs are very
basic, simple devices, and 2003 has nothing to do with them—although clearly 2003 depends on
their presence in order to network! Routers are, however, more complex devices. You probably know
that the market leader in the router world is a firm named Cisco Systems, but you may not know that
a router is really just a small, single-purpose computer. If you wanted to, you could use a computer
running Server 2003 to replace a Cisco router. Additionally, if you wanted to allow people outside
your network to dial in to your network, you could use a Windows Server 2003 to make that
possible. (It’s not the best answer, as you’ll see in Chapter 6, but it is possible.)
Clients and Servers Must Speak the Same Protocols
But simply being connected to the same wire isn’t enough—we need a common communications language.
If I were to pick up a phone and dial some number in Beijing, I’d have a physical connection with whatever poor soul picked up the phone on the other end—but that would be the extent of our interaction. In the same way, computer networks need to agree on things like, “What’s the biggest block of data that I can ever send you?” and, “How shall I acknowledge that I actually got that block of data?” or, “Should I bother acknowledging receipt of data at all?” and hundreds of other questions.
The answers to all of those questions are contained in the “network language” or, in network techie terms, the network transport protocol. It probably won’t surprise you that more than one network transport protocol exists, and over the years NT has generally supported three of them:
• NetBEUI (Network Basic Input/Output System Extended User Interface), an old Microsoft/IBM/Sytek protocol designed to support small networks
• IPX/SPX (Internet Packet Exchange/Sequenced Packet Exchange), the protocol that Novell NetWare predominantly used for years
• TCP/IP (Transmission Control Protocol/Internet Protocol), the protocol of the Internet and intranets
Although you have three choices, it’s a good bet that your Microsoft software-based network uses TCP/IP. Why TCP/IP? Well, there have been some really great protocols over the years, but as the Internet uses TCP/IP and as the Internet is so popular, TCP/IP has sort of trumped the other protocols. In fact, it’s impossible to do a fair number of things that 2003 and its predecessors Windows 2000 and, to a lesser extent, Windows NT 4 are capable of without TCP/IP. So I’m going to assume for our discussion and indeed for most of this book that your network will use TCP/IP.
Oh, and one more thing—once you’ve decided that TCP/IP is your network protocol of choice, then you’ll need to install several more servers to support TCP/IP’s infrastructure. And here again, when I say “more servers,” I’m not suggesting that you have to buy more PCs, although you might. What I mean is that you’ll have to install software on some computer or group of computers to perform three basic pieces of plumbing or infrastructure jobs:
• A Domain Naming System (DNS) server keeps track of the names of the computers in your network (an important task, believe it or not).
• A Dynamic Host Configuration Protocol (DHCP) server configures the specifics of TCP/IP on each computer in your network, both great and small.
• A Windows Internet Name Server (WINS) does something like what DNS does—keeps track of names—but isn’t really necessary on a “pure” Windows 2003 network—its main job is to support older Microsoft operating systems like Windows 9x, Me, and NT 3.x and 4.
You’ll learn more about the specifics of DNS, DHCP, and WINS in Chapter 7. I should point out that if you’re a one-person shop, then you might not need all of that, as your ISP might be handling it for you—but I’m assuming throughout this book that you are probably a network administrator/manager for a network of at least a few computers, and possibly for a tremendous number of computers.
Keeping the Bad Guys Away: Security
Once you’ve gotten the first four things done, then your job’s finished, in a sense—people can now
read and write files on that file server, view pages on that Web server, print to that shared printer, set
up meetings with you over your scheduling server, and so on. I mean, hey, networking’s all about
sharing, so just open the doors and let ’em in!
As you’ve probably realized, there’s a missing piece here: security. While there’s a lot to security, it basically boils down to two things: authentication and permissions.
• First, you want to be able to identify who’s entering your network. That’s authentication.
• Second, once you know for sure who you’re talking to—once you’ve authenticated—then you must be able to look up somewhere what that person is allowed to do, his permissions. For example, a network logon could figuratively go something like, “Okay, now I know you’re Jack…but I’ve been told to deny Jack access to everything.” Merely being authenticated doesn’t mean that you get access!
Authentication
The first part of security is called authentication, and you usually accomplish it through usernames and passwords, although as time goes on you’ll eventually use the more science-fiction means of authentication: One day, the computer may recognize you by your fingerprint, face, voice, retina blood vessel pattern, or some other item that’s distinctly you. The geek term for those authentication approaches is biometric.
For now, however, it’s user accounts and passwords that identify users. I realize that nearly everyone
who’s reading this book has undergone an authentication at some point—you’ve logged in to a
network some time. It all sounds simple, doesn’t it? And yet user accounts and passwords present
special problems.
Storing Authentication Information
First, you’ll need some kind of program that lets administrators create user accounts and store them in a file. In their simplest form, user accounts consist of a database of usernames and passwords. That’s no big deal—it’s a very simply structured database, and there are tons of database programs out there—but don’t forget that you need to encrypt that information. Otherwise, there’s the possibility that someone could come along and steal the database file, take it home, and perhaps crack it for your users’ passwords.
Just such a thing happened to NT 4. NT stored user information in a file named SAM. If you leave me in the same room as your server, then I can copy that SAM onto a floppy and take it off-site to analyze it. Wasn’t it encrypted? Well, yes, but sometimes encryption isn’t enough—a group of hackers figured out how to crack SAM’s encryption. With just a bit of work, anyone could extract passwords from an NT SAM. (Which is a good reason to keep your servers behind lock and key, so that it’s harder for someone to steal your account files.) Windows 2000- and 2003-based domains (a term I’ll define soon) use a more sophisticated encryption scheme on their user account/password file (which is named NTDS.DIT, not SAM), but unfortunately even that file can be cracked with some determination. Again, let me stress that this is only a danger if you let someone physically sit down at the servers that do logons, a set of servers called domain controllers, so don’t worry that 2003 isn’t secure. Any security person can tell you that you should never give the bad guys physical access to your important servers—lock ’em up!
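The lesson of the SAM and NTDS.DIT stories is that a stolen copy of the account file must not give up the passwords inside it. As an added example (not the book’s code, and not how Windows itself stores account data), here is the approach generally recommended today for a small account database: rather than encrypting passwords, keep for each account a random salt and a slow one-way "verifier", so that someone who walks off with the file can only test guesses one at a time, and identical passwords don’t even look alike. The usernames, passwords, and file layout are constructed for the demonstration.

```python
"""Storing an account database so a stolen copy does not yield passwords.
Added example, not from the book; accounts and passwords are constructed."""
import hashlib
import hmac
import json
import os
from typing import Optional

# Work factor: every guess against a stolen file must repeat this many rounds.
# Raise it as hardware gets faster.
ITERATIONS = 200_000


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """One account entry: per-account random salt plus a PBKDF2-HMAC-SHA256 verifier.
    Nothing in the record can be turned back into the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"alg": "pbkdf2-sha256", "iterations": ITERATIONS,
            "salt": salt.hex(), "verifier": digest.hex()}


def verify(record: dict, password: str) -> bool:
    """Recompute the verifier from the offered password; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["verifier"]))


def build_database(accounts: dict) -> str:
    """The text that would actually be written to disk."""
    return json.dumps({user: make_record(pw) for user, pw in accounts.items()}, indent=1)


def logon(db_text: str, user: str, password: str) -> bool:
    """The authentication check a logon server would perform."""
    record = json.loads(db_text).get(user)
    if record is None:
        make_record(password)   # spend the same time so timing doesn't reveal valid names
        return False
    return verify(record, password)


def demo() -> dict:
    """Exercise the store with two constructed accounts that share a password."""
    db_text = build_database({"mark": "swordfish", "jack": "swordfish"})
    db = json.loads(db_text)
    return {
        "plaintext_in_file": "swordfish" in db_text,       # the file never contains it
        "right_password": logon(db_text, "mark", "swordfish"),
        "wrong_case": logon(db_text, "mark", "Swordfish"),
        "unknown_user": logon(db_text, "sam", "swordfish"),
        # Different salts: the file doesn't even reveal that mark and jack share a password.
        "same_pw_same_verifier": db["mark"]["verifier"] == db["jack"]["verifier"],
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:22} {result}")
```

Physical control of the file still matters, as the chapter says: a slow verifier raises the cost of each guess, but a weak password is found eventually by anyone holding the file, so the two defenses belong together.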
The tool that lets administrators create, modify, or delete user accounts is called Active Directory Users and Computers. Active Directory refers to Windows 2000 and 2003’s system for storing usernames and passwords. It’s called a directory because directory is the current network lingo for “database of user accounts.” Personally, I think it’s kind of confusing—in my mind, directory conjures up visions of drive letters, like C:\DOS—but it’s the current argot, so it’s worth knowing. And, in case you’re wondering, the “Active” part is just Microsoft marketing; don’t look for any deep meaning there. (It’s not like Novell makes a product called Comatose Directory or Lethargic Directory.)
Authenticating without Compromising Security
So you’ve got a server somewhere that contains the list of usernames and passwords. Those are only
good if someone can use her username and password to be authenticated and get access to things
on the network. So you need some way for a user sitting at her workstation computer to be recognized
by that server. You’re already familiar with this recognition process: we call it logging on.
Suppose I’m sitting at my Windows XP workstation and I want to get to some files on a file server named files-r-us.bigfirm.biz. Before files-r-us will give me access, I’ve got to submit myself for authentication—I’ve got to log on. One of the many programs that comes with every version of NT since version 3.1 is called winlogon.exe, and it’s the program that pops up when you first turn your workstation on, asking you to punch in your username, password, and domain. (Again, I’ll explain what a domain is in a minute.)
So imagine that I’m trying to access some data on files-r-us. Files-r-us responds by asking my workstation, “What’s his name and password?” Now I’ve got a problem.
You see, what I’d like to do is to just say over the network line, “This is Mark and his password is ‘swordfish.’” Then files-r-us can just look in its directory file of usernames and passwords and see if it has a user named Mark with a password of “swordfish.” If so, then it lets me in. If not, it doesn’t. Simple, eh?
Well, there’s one flaw here—the part where my workstation passes “swordfish” over the network.
A class of programs called “sniffers” can record and display any data that passes over a network wire.
So passing passwords around on an unencrypted Ethernet cable isn’t a great idea. That means
you’ve got another challenge: how to prove to a server across the network from you that you’ve got
Mark’s password without actually showing that password to the server.
Over time, networks have come up with different answers, but Active Directories, whether based on Windows 2000 or 2003, use an old authentication method called Kerberos, which some folks at MIT first invented in the mid ’80s. It replaces an older method employed by NT 3.x and 4 called NTLM, which was short for NT LAN Manager, a reference to one of NT’s predecessors. What follows is an extremely simplified version of how Kerberos works. (It’s actually a wildly simplified description, but it’ll help you understand the more complete explanation that you’ll see in the next section.)
Let’s return to files-r-us. I try to access its data, so files-r-us needs to first log me in. It does that by saying, “I’ll tell you how to access my data,” and sends me some instructions on how to get to its data. But the data is encrypted—with my password! In other words, anyone could claim to be me, and files-r-us would happily send these vital instructions-for-connection. But only I can decrypt those instructions, so only I can benefit from them. So files-r-us ensured that only someone with my password could gain access, without sending my password over the wire.
Centralizing and Sharing User Account Information: Domains
But my simple example about trying to access one file server is, well, a bit too simple. Most companies will end up with more than one server, and in fact it’s not unusual to end up with dozens or hundreds of servers. And that leads to the following problem. Recall that I said a page or so back that if you’re going to employ user accounts, then you’ll need a file to store them in. But what if you have more than one server? What if in addition to the server named files-r-us.bigfirm.biz, I’ve also got a mail server named postoffice.bigfirm.biz and a Web server named www.bigfirm.biz? I might want to log in to any one of those three, so they all have to be able to accomplish logons. But now let’s examine what that actually means in terms of keeping track of user accounts. Should each server contain a complete copy of NTDS.DIT, the file containing the names and passwords for users?
That might work, but it’d be a pain, for several reasons. First, NTDS.DIT can get pretty big, and I’d end up burning up a lot of disk space copying it to every server in my enterprise. Second, if servers are connected by low-speed WAN links, the process of copying the changes to NTDS.DIT to all of the servers on my network (a process called directory replication) would take up a lot of time and network bandwidth. Third, do I really want to have to create a network “storm” of file copying amongst the servers every time someone just changes his password? And finally, what about the issue of securing the NTDS.DIT file in the first place? If I copy NTDS.DIT to every single server in the enterprise, there are bound to be a few that are out in the open, not physically secured. It’d be easy for an intruder to copy the NTDS.DIT from a poorly secured computer and spirit it off-site, to crack it at leisure.
The better idea that we’ve used in networks for years is to put the user directory, the NTDS.DIT, not
on every single server, but instead on a relatively small subset of the servers. Those NTDS.DIT-holding
servers then serve in the role of logon server, doing the job of authenticating for the other servers. In
Microsoft parlance, a logon server is more commonly called a domain controller. So, to return to the
example of accessing data on files-r-us, imagine that files-r-us is not a domain controller and doesn’t
contain a copy of NTDS.DIT, and that another computer, vault.bigfirm.biz, is a domain controller
and contains a copy of NTDS.DIT. In this newer arrangement, I don’t directly log into files-r-us but
instead enlist the aid of vault.bigfirm.biz in order to authenticate with files-r-us.
In a purely Active Directory network (which can only include Windows 2000, XP, and 2003 systems),
vault.bigfirm.biz would help me log in to files-r-us with Kerberos. In order to understand how
Kerberos works, you first need to understand that under Kerberos, not only do the users have passwords,
the server programs do also. Thus, the file server program running on files-r-us has its own
password. So both the user and the server each have passwords—remember that.
When I tell my workstation to try to get some data from files-r-us, my workstation sees that
it’ll need to get me logged in to files-r-us. It does that by asking the domain controller, vault, to
give me something called a “ticket” to the file server service on files-r-us. The domain controller
responds by handing my workstation an encrypted piece of data, which is the Kerberos ticket.
The ticket can be decrypted with my password, making its contents a mystery to anyone but me
(or my workstation, which obviously knows my password). My workstation decrypts the ticket,
which contains two things. First, it contains a message saying “your special one-time-only password
for accessing the file server at files-r-us is ‘opensesame.’” Second, it contains another encrypted
message—but this one’s not encrypted with my password, so I can’t decrypt it! But my workstation knows
to send it to the file server, which decrypts it successfully, as the file server has its own password.
Once the file server receives and decrypts the part of the Kerberos ticket that I sent it, the file server
sees that that ticket piece says something like, “The special one-time-only password for communicating
with Mark is ‘opensesame.’ And by the way, you should have gotten this message from Mark
sometime between 10:45 A.M. and 10:50 A.M. from his IP address, which should be 117.39.82.3.”
Once the file server gets its half of the Kerberos ticket, it knows a few things:
• The user claiming to be Mark who wants access to the file server is indeed Mark.
• Any messages from that now-authenticated person named Mark should have originated from IP address 117.39.82.3.
• If Mark and the file server really want to maintain a secure connection, they could even encrypt their communications using this shared—but secret—password, opensesame.
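Here is the exchange just described, worked through as an added example of my own (it is not code from the book and not a real Kerberos implementation): a domain controller that knows both Mark's key and the file server's key issues a two-part ticket, the workstation opens its half, forwards the opaque half, and files-r-us checks the user, the time window and the source address before trusting the one-time key. The cipher, the names "mark" and "files-r-us", and the passwords are constructed stand-ins.

```python
import hashlib
import hmac
import json
import os

WINDOW_SECONDS = 5 * 60  # the "10:45 to 10:50" validity window from the text

# Stand-in cipher, constructed for this example (NOT a real Kerberos encryption
# type): SHA-256 keystream plus an HMAC tag, so a wrong key fails loudly.
def key_from_password(password):
    return hashlib.sha256(password.encode()).digest()

def _keystream(key, nonce, length):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(length // 32 + 1))[:length]

def encrypt(key, plaintext):
    nonce = os.urandom(16)
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + body, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ s for c, s in zip(body, _keystream(key, nonce, len(body))))

class DomainController:
    """vault.bigfirm.biz: knows the key of every user AND every service."""
    def __init__(self, keys):
        self.keys = keys

    def issue_ticket(self, user, service, client_ip, now):
        session_key = os.urandom(16).hex()  # the one-time "opensesame"
        # Half for the file server, sealed with the SERVICE's key: the
        # workstation can carry it but never read it.
        server_half = encrypt(self.keys[service], json.dumps({
            "user": user, "session_key": session_key, "client_ip": client_ip,
            "not_before": now, "not_after": now + WINDOW_SECONDS}).encode())
        # Outer ticket, sealed with the USER's key.
        return encrypt(self.keys[user], json.dumps({
            "service": service, "session_key": session_key,
            "server_half": server_half.hex()}).encode())

class Workstation:
    def __init__(self, user, password, ip):
        self.user, self.key, self.ip = user, key_from_password(password), ip

    def open_ticket(self, ticket):
        """Return (session key, opaque half to forward to the file server)."""
        data = json.loads(decrypt(self.key, ticket))
        return data["session_key"], bytes.fromhex(data["server_half"])

class FileServer:
    """files-r-us: the server program has its own password, hence its own key."""
    def __init__(self, password):
        self.key = key_from_password(password)

    def accept(self, server_half, claimed_user, source_ip, now):
        """Return (accepted, reason-or-session-key)."""
        try:
            info = json.loads(decrypt(self.key, server_half))
        except ValueError:
            return False, "ticket was not sealed for this service"
        if info["user"] != claimed_user:
            return False, "ticket names a different user"
        if info["client_ip"] != source_ip:
            return False, "request came from an address other than the ticket's"
        if not info["not_before"] <= now <= info["not_after"]:
            return False, "ticket is outside its validity window"
        return True, info["session_key"]

def build_domain():
    # Constructed sample domain: one DC, Mark's workstation, one file server.
    vault = DomainController({"mark": key_from_password("marks-password"),
                              "files-r-us": key_from_password("service-password")})
    return vault, Workstation("mark", "marks-password", "117.39.82.3"), FileServer("service-password")

def run_logon(issued_at, presented_at, source_ip="117.39.82.3"):
    """Walk the exchange vault -> workstation -> files-r-us.
    Returns (accepted, reason or session key, both sides share the same secret)."""
    vault, ws, files = build_domain()
    ticket = vault.issue_ticket("mark", "files-r-us", ws.ip, issued_at)
    session_key, server_half = ws.open_ticket(ticket)
    ok, result = files.accept(server_half, "mark", source_ip, presented_at)
    return ok, result, ok and result == session_key

def workstation_can_read_server_half():
    """The half meant for files-r-us must be opaque to Mark's own key."""
    vault, ws, _ = build_domain()
    _, server_half = ws.open_ticket(vault.issue_ticket("mark", "files-r-us", ws.ip, 0))
    try:
        decrypt(ws.key, server_half)
        return True
    except ValueError:
        return False
```

A ticket presented after its five-minute window, or from a different address than the one the domain controller wrote into it, is refused even though it was genuinely issued.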
Security Roles and Definitions: Domains, Domain Controllers, and Member Servers
Armed with this information, I can define a few Microsoft networking terms.
Domain You just saw an example where one machine (vault) let me log in to another machine
(files-r-us). I haven’t mentioned this yet, but before I could get anywhere I needed to log in to the
computer at my desk, my workstation—and when I first tried to log in to my workstation, it was
once again vault.bigfirm.biz that authenticated me. Clearly, then, my workstation and files-r-us
“trust” vault.bigfirm.biz in some fashion.
The collection of machines that share the same list of user accounts, the same NTDS.DIT, is a
domain. Or, to put it a bit more specifically: several computers hold a copy of NTDS.DIT and are
willing to act as “logon servers” (domain controllers) with that NTDS.DIT. The collection of
machines that are willing to accept logons from those domain controllers (in Microsoft terms, who
“trust” those domain controllers) and the domain controllers themselves are collectively called
a domain. So my workstation, vault, and files-r-us are all part of the same domain.
Domain Controller A server, such as vault.bigfirm.biz, that contains a copy of the user
account/password data, and that therefore can let users log in to servers, is a domain controller. Domain
controllers exist to centralize the user account/password information so that you needn’t put
the NTDS.DIT on every server.
Member Server A machine that is running NT 3.x, 4.0, 2000, or Server 2003 but not acting
as a domain controller will not contain a copy of NTDS.DIT and therefore can’t authenticate domain
members. Such a machine is called a member server.
Permissions and Access Control Lists (ACLs)
Once a server has determined that I am indeed me, does that mean that I’ll get access to the server’s
information? Not necessarily. Authentication just identifies me. The next step in security is access
control, also known as (depending on what network operating system you are using) rights, permissions,
or privileges.
Ever since its earliest versions, NT (which includes Windows Server 2003) has had a very
flexible system of file and directory permissions. As you’ll see later in this book, you can exert
very fine-grained control, such as specifying that Mary can read or write to a given file, that Bill can
only read it, and that June cannot access the file at all. Don’t get the idea, however, that permissions
refer only to files. There are permissions to do things like create, modify, and destroy user accounts,
and even permissions to create domains in the first place. The flexibility of these permissions is one
of Microsoft networking’s great strengths.
Just about everything in the Microsoft networking world has security on it. Want to read a
file? You need the permissions to read it. Want to shut down the program that provides the Web
server? You need the permissions to shut it down. Want to create a new user account on your network?
You need the permissions to create a new user.
These permissions are stored as a list. In the case of the file, the operating system sets aside a little
space for every file that it creates, and keeps the permissions in that space. A set of permissions for
a file, then, might look like
• A user named June can do anything that she wants to the file.
• Another user, Joe, can only read it.
• Any user in a group named Cube-dwellers can read or modify the file, but not delete it.
• The operating system can do anything that it wants to the file.
In Microsoft networking-speak, that list is called an access control list or, inevitably, ACL. Each
of the four entries is called an access control entry or ACE. You will learn in this book that lots of
things have ACLs, and adjusting those ACLs is how you configure security in your network.
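The four-entry ACL above, written out as ACEs and evaluated the way an access check walks a list, as an added example of my own rather than the book's or Windows' code. It goes one step beyond the text by including a deny entry, which NT evaluates ahead of allow entries; the rights bits, the group membership of "Pat", and the ACL itself are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List

# Rights as a bit mask, the way an NT access control entry carries them.
READ, WRITE, DELETE, CHANGE_PERMS = 1, 2, 4, 8
FULL_CONTROL = READ | WRITE | DELETE | CHANGE_PERMS

@dataclass(frozen=True)
class ACE:
    trustee: str        # a user name or a group name
    mask: int           # rights this entry grants (or denies)
    allow: bool = True  # deny entries exist too; they are listed and checked first

@dataclass(frozen=True)
class Principal:
    name: str
    groups: FrozenSet[str] = frozenset()

def applies_to(ace: ACE, who: Principal) -> bool:
    return ace.trustee == who.name or ace.trustee in who.groups

def access_check(acl: List[ACE], who: Principal, wanted: int) -> bool:
    """Walk the ACL in order, accumulating granted rights: a deny entry that
    covers any wanted right wins immediately; allow entries add up until every
    wanted right is covered. No matching entry at all means no access."""
    granted = 0
    for ace in acl:
        if not applies_to(ace, who):
            continue
        if not ace.allow and (ace.mask & wanted):
            return False
        if ace.allow:
            granted |= ace.mask
            if (granted & wanted) == wanted:
                return True
    return (granted & wanted) == wanted

def rights_names(mask: int) -> List[str]:
    names = {READ: "read", WRITE: "write", DELETE: "delete", CHANGE_PERMS: "change permissions"}
    return [n for bit, n in names.items() if mask & bit]

def effective_rights(acl: List[ACE], who: Principal) -> int:
    """Every right the principal would pass an access check for, as a mask."""
    return sum(bit for bit in (READ, WRITE, DELETE, CHANGE_PERMS) if access_check(acl, who, bit))

# The ACL from the text (constructed sample): June, Joe, Cube-dwellers, and the OS.
FILE_ACL = [
    ACE("June", FULL_CONTROL),
    ACE("Joe", READ),
    ACE("Cube-dwellers", READ | WRITE),  # read or modify, but not delete
    ACE("SYSTEM", FULL_CONTROL),
]

# Same file with an explicit deny placed first: a Cube-dweller may no longer write.
LOCKED_ACL = [ACE("Cube-dwellers", WRITE, allow=False)] + FILE_ACL
```

Running `effective_rights(FILE_ACL, Principal("Pat", frozenset({"Cube-dwellers"})))` gives read and write but not delete, which is exactly what the third entry was meant to say.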
Access to Earlier Security Systems
The last challenge that Windows 2000 and 2003’s security designers faced was the so-called “legacy”
support—ensuring that they could interact with the security systems built into Windows for
Workgroups, Windows 9x, NT 3.x, and 4. I’ve described in very broad strokes how Kerberos works,
but Windows and NT didn’t use anything like that and in fact couldn’t do Kerberos logons; Kerberos
first appeared in the Microsoft networking world in February 2000, with the introduction of
Windows 2000. Microsoft knew that you wouldn’t be very happy if they required you to throw away
all of your old Windows 9x and NT systems before you could implement Active Directory, so
Windows 2000, XP, and Server 2003 know a variety of logon methods—NTLM 1.2 for Windows 9x
and NTLM 2.0 for NT 3.x and 4—in addition to Kerberos.
It’s hard to overstate the importance of security. For example, in the past, one of Novell’s main
advantages over NT was in the way that it stored user accounts and handled logins—Novell’s security
was faster and more flexible. Sure, one could argue that Novell moved data around file servers more
quickly, but not so much more quickly that anyone would really modify a buying decision. Basically,
people were buying Novell for Novell’s security system, something called NetWare Directory Services
(NDS). NDS was essentially a big-time user database, something with a more enterprise feel to it than
NT’s older SAM-based system. In short, security is important.
Names: Finding Servers and Resources
When PC-based networking first appeared, we didn’t do much Web work—the earliest common
LAN functions were file and print services. So from the very beginning (all of 15 years ago) of
PC-based networking, we’ve done file and print services; they’re the most basic network services. But
now suppose that you’ve got a network with more than one server on it, and you want to find out
which server has a printer available for sharing, or you can’t remember which server holds that share
called hrdocuments; how do you search for network functions?
That’s one of the oldest problems in networking, and not just in Microsoft networking.
Microsoft’s most current answer to the “how can I find resource X on the network?” question is
to store that information in the Active Directory database. But they’re not there by any means yet and,
even if you have an all-Windows 2003 and XP network (which is unlikely), you’ll find that by
default the Active Directory isn’t all that much help in finding file and printer shares. I’m sure
that’s going to change as new versions of NT appear, but for now, we Microsoft operating systems
users are pretty much stuck with an old technology known colloquially as the Network Neighborhood
or, in Windows 2000 and later, My Network Places. Here’s where it came from and how
it works.
How would you set up a system that provided a centralized directory of services on a network,
a kind of “yellow pages” that lets a user quickly find a file share or shared printer? Microsoft networking
uses a name server system called the computer browser or browse services—it has nothing at all
to do with the Web, it’s had that name since before the Web existed—where you, the network
administrator, don’t have to do anything; the name servers set themselves up automatically. Sounds
good? Well, it is for small networks, but it gets troublesome for larger ones—which is why
Microsoft is trying to phase it out.
The servers in a Microsoft network that contain information about network services are called
browse masters or master browsers. What’s different about the concept of Microsoft browse servers is
that no one computer is fixed as the browse master. Instead, when your computer logs in to your network,
it finds a browse master by broadcasting a request for one, saying, “Are there any browse masters out
there?” The first browse master to hear the workstation (there can be multiple browse masters,
as you’ll see) responds to the workstation by saying, “Just direct all your name service requests
to me.”
When a server starts up, it does the same thing. It broadcasts, “Are there any browse masters out
there?” and when it finds one, it says to it, “I am a server with the following shares. Please add me
to your list of servers.” The list of servers that a browse master maintains is called the browse list,
not surprisingly.
Tip This is the really irritating thing about the browse list: it’s broadcast-based. That means that if your network isn’t
100 percent broadcast-friendly, then you’ll sometimes end up with an incomplete list of servers on your network. So if
you have a network built in more than one segment (and who doesn’t?), or you use some kinds of Ethernet switches rather
than hubs, then you may experience missing servers in the browse list. That’s part of why Microsoft is trying to phase out
the browse list. But for now, understand that the browse list is a largely lame and unreliable technology. You’ll see later
on, in Chapter 7, that you can install a service called the Windows Internet Name Service (WINS) to reduce the chance
that the browser breaks, but trust me—you’ll eventually come to a point where you’ve done everything that you can do,
but the browser still doesn’t work. When that happens, don’t feel bad—we’ve all been there. I’ll suggest some ways to make
it work better and reduce your dependence on the browser a bit later in this section.
By now, you may be wondering, “How come I’ve never seen one of these browse lists?” You
have. If you ever worked with earlier versions of NT or with Windows for Workgroups, then
you saw Figure 2.1 when you opened the File Manager and clicked Disk/Connect Network Drive.
FIGURE 2.1: Sample browse list from Windows for Workgroups or Windows NT version 3.x
From Windows 9x or Windows NT 4, you can see a browse list by opening the Network Neighborhood
folder, as in Figure 2.2.
FIGURE 2.2: Sample browse list from Windows NT 4 or Windows 9x
From DOS or indeed any command line, you can see a browse list by typing net view or net view
\\machinename. You see a screen like the one in Figure 2.3.
FIGURE 2.3: Sample browse list from a command line
Note What’s with that \\ thing? Microsoft’s network software has, since 1985, used a way of writing the names
of servers and of shares on servers called a Universal Naming Convention or UNC. It looks like \\servername\
sharename. So, for example, if I had a server named bigserver that contained a file share called mydata, I’d refer to
that share as \\bigserver\mydata—that would be the UNC for that share. You’ll learn more about this in Chapter 11,
on file shares, but I wanted to explain the mystifying \\ briefly here. And by the way, you pronounce “\\” as “whack-whack”
in the Microsoft world. Now, to my way of thinking, that’d mean that a regular forward slash— / —would
be pronounced “backwhack” in Microsoftese, but I’ve never gotten confirmation on that.
Each figure shows you the list of servers available: Aldebaran, Artemis, and Astro, just to list a
few. Other servers—Daffy and MWM66—appear only in some of the browse lists because a few
minutes passed between taking the screen shots, and a few “test” servers went up or down in those
few minutes. In all three cases, the workstations that these screens were taken from got their
browse lists from a local browse master.
You can drill down further into these browse lists, as well. In Windows 9x/Me, Windows NT 4,
2000, XP, or Server 2003 (in 2000, XP, or Server 2003, open My Network Places), you can
double-click any one of those servers and see the list of shares that the servers offer; that too, is
information from the browse list. In Windows for Workgroups or Windows NT 3.x, you’d just
click a server once, and the list of its shares would appear in the bottom pane of the dialog box. From
DOS or any other command line, you’d get the list of servers by typing net view, as you’ve already
seen, and then you get the list of shares for any given server by typing net view \\servername, where
servername is the name of the server whose shares you want to see.
When Browse Lists Get Too Large: Workgroups to the Rescue
As I’ve described them so far, browse lists seem pretty convenient. But in the little test network
that I used for the previous screen shots, you saw only a few servers. Hell, everything works fine on
small networks.
Now let’s talk about your network. Sit down at a corporate network of any size and you see dozens,
hundreds, or thousands of servers. Scrolling down through a 500-server browse list would be a bit
time-consuming—to say nothing of how much work the browse master would have to do to keep
it up-to-date! The problem to solve is, then, managing the size of the browse list. There are two
ways to do that:
• Reduce the number of servers in your enterprise.
• Divide the enterprise-wide browse list into several smaller browse lists called workgroups.
Disable Peer-to-Peer Sharing on Workstations
The first answer is actually a bit off the main topic, but let me digress for a moment and talk about it
before returning to the main item: workgroups. When I say, “Reduce the number of servers,” I’m
talking about an unfortunate side effect of running Windows for Workgroups, Windows 9x/ME,
Windows NT, 2000, or XP workstations—they all have the capability to become peer-to-peer
servers. The browse masters don’t distinguish between industrial-strength servers running NT Server
and low-octane peer-to-peer servers, so you could end up with a browse list that’s supposed to only
list your servers, but actually lists all of your servers and workstations. In general, I think peer-to-peer
networking is a bad idea. If a piece of data is important enough to be used by two employees, then
it’s a company asset that should be backed up regularly and so should go on a managed file server, not
a desktop machine that’s probably backed up once a decade. My recommendation is this: Disable
the peer-to-peer sharing option on your Windows for Workgroups, Windows 9x/ME, Windows
NT, 2000, and XP workstations. How you do this depends on the operating system of the workstations
in question. In NT 3.x and 4, open the Control Panel and then the Services applet; locate the
service called Server and stop it, as well as disabling it for future reboots. In Windows 9x, go to
Control Panel/Network/File and Print Sharing and make sure both options, to share files and
printers, are unchecked. In Windows for Workgroups, make sure the sharing control in Network
Setup is set not to enable file or printer sharing. In Windows 2000 and later, right-click My Computer
and choose Manage, then find the Services folder and stop the Server service. (You’ll see more
about doing this later in the book.)
Not only will your network have less traffic—workstations will no longer have delusions of serverdom,
so they won’t be chattering at the browse master all of the time—but not loading the server part
of the workstation’s operating system saves RAM on the workstation.
Divide the Browse List into Workgroups
The other approach to keeping a browse list to a manageable size is to subdivide it in some way.
That’s a reasonable thing to suggest if you realize that, no matter how large an organization seems
to be, it’s usually composed of lots of smaller groups, such as Manufacturing, Sales, Marketing,
Accounting, Finance, Personnel, Senior Management, and so on. Each of those groups can be called
workgroups, and you can pretty much chop up your enterprise into workgroups in any way you like
(but a rule of thumb says that a workgroup should be a group of people for whom 95 percent of the
data generated by that group stays within that group).
From a more network-technical point of view, the minimum definition of a workgroup is just
a group of workstations that share a browse list. (That’s my definition, not Microsoft’s.) The idea is that
when someone in Accounting opens up her browse list, you want her to see just the Accounting
servers, not the Manufacturing servers, as she has no use for the Manufacturing servers. (Besides,
there’s a good chance that she doesn’t have permission to access the Manufacturing servers anyway—
but I’ll get to workgroups and security in a little bit.) How do you join a workgroup? See the sidebar
“How Do I Join a Workgroup?”
Note Workgroup names are like Windows 9x and NT 3.x/4.x machine names and can be up to 15 characters long.
So, to review what you’ve seen so far:
• Network browse lists allow a user at a workstation to see all of the servers on the network, and from there to see all of the shares on a given server.
How Do I Join a Workgroup?
Generally, all you need to do is to tell the networking software on your workstations and servers that
they’re members of a given workgroup. There isn’t any “security” in being part of a workgroup—you
pretty much just declare yourself a member and you are a member. (As a matter of fact, if you misspell the
name of the workgroup, you end up accidentally founding a whole new workgroup all by yourself, which
I’m sure was not your intention!)
Specifically, you designate which workgroup you’re a member of in one of the following ways:
From a DOS or Windows for Workgroups workstation In the [network] section of the SYSTEM.INI
file you’ll find a WORKGROUP= parameter. (You’ll have a SYSTEM.INI even if you’re just running DOS,
because the network client software creates one.) You can also set the workgroup from the MS-DOS Network
Client Setup program, or in the Windows for Workgroups’ Network applet of the Control Panel.
From Windows 9x Open the Control Panel and double-click the Network icon. In the property sheet
that you see, click the Identification tab. You see the place to fill in the workgroup name.
On Windows NT 3.x Open the Control Panel and double-click the Network applet. You’ll see a button
labeled Domain or Workgroup. (NT has a kind of confusing way of blurring workgroups and domains,
which I’ll make clearer later in this chapter.) Click that button, and you can change the workgroup you’re
a member of. Again, NT complicates choosing a workgroup somewhat, so read the rest of this chapter if
you want to change an NT workgroup.
On Windows NT 4 Open the Control Panel and double-click the Network applet. Like Windows 9x,
Windows NT 4 has a property sheet with an Identification tab. Click Change to change the workgroup.
Again, with NT you may see no references to workgroups at all; instead you see references to
domains. Read on to understand the differences.
On Windows 2000 If you’re a member of a domain, then do not join a workgroup—I’ll explain that
in a minute. Otherwise, right-click My Computer and choose Properties. Click the Network Identification
tab and then the button labeled Properties. Fill in a new workgroup in the field named Workgroup;
then close the dialog box and reboot.
On Windows XP and Server 2003 Right-click My Computer and choose Properties. (You may have
to click the Start button to find My Computer.) Click the tab labeled Computer Name, then the button
labeled Change. In the resulting dialog box, you’ll see the choice to become a “Member of:” either a
domain or a workgroup. Click the radio button next to Workgroup and fill in the workgroup name,
then close the dialog box and reboot.
• Browse lists can get fairly long, so you can partition your entire network into workgroups, which are just groups of people that share a browse list.
• When you request a browse list, you don’t get the entire list of servers in your enterprise network, you only get the list of servers within your workgroup.
• Each workgroup has one or more servers that act as gatherers of browse information. They’re called browse masters or master browsers, and they’re picked automatically.
• Machines that are only workstations and don’t act as servers even in a peer-to-peer capacity do not appear on browse lists.
As the question of what machines go on a browse list and what machines don’t is important to the
length of a browse list, let me list the kinds of machines that can act as servers in a Microsoft
enterprise network:
• Windows 3.x (with the Workgroup Add-On for MS-DOS clients)
• DOS (with Workgroup Add-On for MS-DOS clients)
• Windows for Workgroups
• Windows 9x/Me
• NT Workstation
• NT Server
• Windows 2000 Professional
• Windows Server 2003
How Do I View a Browse List?
Microsoft has built different browse programs into its various network client software.
From a DOS or NT/2000/XP/2003 Command Line Type net view. That shows you the list of
servers. You can view the shares on a given server by typing net view \\servername. To see the browse
list for a workgroup other than your own, type net view /workgroup:workgroupname.
From NT, 2000, XP or Server 2003, don’t use /workgroup: in the command; instead, use /domain:.
From Windows for Workgroups or Windows NT 3.x Open the File Manager, click Drive, and then
click Connect Network Drive. You’ll see a window with two panes. The browse list for your workgroup
and a list of the other workgroups on the network appears as the list of possible servers in the top pane and,
when you click a server, that server’s shares appear in the bottom pane. To see the browse list for a
workgroup other than your own, double-click the name of the workgroup in the top pane.
From Windows 9x or Windows NT 4 Open the Network Neighborhood folder. You’ll see the servers
in your workgroup represented as PC icons in a folder. Double-click one of the servers, and a folder
will open up showing you the shares. To see the browse list for a workgroup other than your own,
double-click the Entire Network icon and you’ll see a list of workgroups. On Windows NT 4, click
Entire Network and then Microsoft Network, and you’ll get a list of the other workgroups.
As it’s an unusual product, let me just explain that the Workgroup Add-On for MS-DOS is a
separate Microsoft product that lets you use a DOS machine as a peer-to-peer server. (Also, it’s pretty
old, so I have no idea where you’d get a copy these days.) Again, I recommend that you disable file
and print sharing on all of these machines except, of course, for the machines dedicated to the task
of being servers, all of which are probably running NT Server.
And once you’re in a workgroup, you’ll no doubt want to see your browse list; the sidebar “How
Do I View a Browse List?” tells you the specifics.
Now, if you tried that on a working network, then you might have gotten one of NT and family’s
less helpful responses, like “System error 1230 has occurred.” That gives me the chance to offer another
important bit of advice for anyone using a modern Microsoft operating system: how to convert a
numeric error code into a bit of explanatory English text—see the sidebar for more information.
Before leaving the topic of the browser, let me offer one more piece of advice: try to avoid it,
as it’s unreliable. If your users need access to particular file shares, then you can deliver access to those
shares in a few ways. First, you can map file shares, which means that you can create imaginary drive
letters on your user’s workstations. In other words, if the user often uses \\server1\compdata, then
you could set up her workstation so that she’d see a new drive V: which isn’t a local hard disk—
although it looks like a local hard disk—but is instead a network drive. Or you could simply create a
shortcut to the UNC on her desktop. You’ll learn how to do both of those things in Chapter 11.
How Do I View a Browse List? (continued)
From Windows 2000 If your system is in a workgroup, open My Network Places and then the icon
labeled Computers Near Me. If your system is part of a domain, then that icon isn’t available. Instead,
open My Network Places and the icon labeled Entire Network, then the icon named Microsoft Windows
Network. You’ll see one or more icons representing the workgroups on your network—open the
one representing your workgroup and you’ll see your workgroup’s browse list.
From Windows XP or Server 2003 Open My Network Places. It might be on your desktop, or it
might be on the Start menu, or you might have to right-click the Desktop and choose Properties, then
click the Desktop tab, followed by the Customize Desktop button, then check the box next to My
Network Places and click OK twice. My Network Places will be on your desktop. Once you have My Network
Places open, then you’ll either see a Network Task on the left of the folder labeled View
Workgroup Computers or you might have an icon labeled Entire Network, in which case you should
double-click that, then double-click Microsoft Windows Network. You’ll then see an icon of three PCs
representing your workgroup—click that and you’ll get your workgroup’s browse list.
How to Convert a Numeric Error Code to English Text
Just type net helpmsg number, where number is the error code. For example, you’ll probably stumble
across error 5 now and then: “access is denied.” It means that you didn’t have the right to do something
that you tried to do. Another common one is error 53, “the network path was not found.” It means that you
tried to access some server that the system can’t find or, as is usually the case for me, you misspelled the
server’s name.
Summary: The Necessary Evils
I hope in this section that I’ve provided a bit of an answer to the question, “Why do we have to worry
about all of this stuff just to get a mail server up and running?”
• First, you need a piece of server software that can accomplish whatever it is that you’re trying to do—Web server, mail server, or whatever.
• Next, you need to be compatible with and connected to a physical network that connects to your clients—either the public Internet or a private network of some kind.
• Then your server must move its data around in the same way that your clients’ machines do, using the same network language or protocol, probably TCP/IP. TCP/IP itself will require some server functions as well, to maintain it.
• It wouldn’t be necessary in a perfect world, but in our imperfect world your network needs to protect its data with a security system, and in today’s world that unfortunately means an elaborate security system.
• Finally, you’ll need some way of finding what you put in that network, once you’ve got it working. Active Directory will become that way in the future, but for now it’s a kludgy thing called the Computer Browser that you see in My Network Places.
So presumably you now see why your network needs so many moving parts. Why buy them from
Microsoft?
So Why Use NT/2000/Server 2003?
I hope that by now I’ve convinced you that networking seems like a good thing. But you could build
your network atop any number of operating systems, including Unix, Linux, Novell NetWare,
IBM’s OS/400 or MVS, or Compaq’s VMS, just to name a few. Why NT or its most recent incarnation,
Windows Server 2003?
Well, understand when I answer that question that (1) I’m not from Microsoft, (2) I’m not
here to sell NT/2000/2003 to you, I’m just here to tell you how to make it work, and (3) the reality
of the matter is that every one of the OSes that I just named is a good product that has not only
its adherents and detractors, but also many solid positive features. After decades of
business computer use, the market has filtered out both the truly terrible products and some perfectly
good but inadequately marketed products, leaving only products that are at least competent (and
always well-marketed). So if you want to read that Server 2003 is not only your best choice, but also
that you’re a total fool to try to use anything else, then I’m afraid you’ve come to the wrong place. Yes,
I like NT, including its latest incarnation (Server 2003), but it’s not the only answer.
But it is a very good answer. Here’s why.
It’s the Market Leader
Most stats that I see say that the Microsoft family of operating systems has the largest market share—
43 percent of servers according to the last set of numbers that I saw. Being part of the biggest market
share means that it’s easier to find consultants, support, and third-party tools. Oh, and it also means
that there’s plenty of demand for your services once you become an expert!
Its Familiar GUI Makes It Easier to Get Started
The fact that Windows Server 2003 uses a GUI that is basically the same as Wintendo—oops,
I meant Windows 9x/Me—means that hundreds of millions of people already know how to navigate
the 2003 Desktop. Yes, some things have been moved around, but in general once you know
Windows, you know how to get around on 2003.
In contrast, I have recently done a lot of work with Linux and, while it’s a quite powerful operating
system, the user interface is not for novices; even its multitude of GUIs are still clumsy, although that’ll
probably change with time. (That’s not to say that you shouldn’t use Linux—just that I think the
Microsoft OSes have an easier-to-use GUI.) With 2003, you can often figure out how to solve a
problem by noodling around in the GUI—it lends itself more to exploration than would an operating
system that relies mainly upon command-line commands to control it.
Many Tools Come “in the Box”
When NT 3.1 first came out, it was pretty amazing that it came with a dial-in module and a host
of other goodies that you had to buy separately in order to run its competition at the time, Novell
NetWare. NT had a free TCP/IP stack when many other OSes were charging big bucks for it, a
free Web server, and so on. Since then, other server operating systems have continued to include
more and more things with the basic operating system—for example, the variety of tools that comes
with Linux is nothing short of stunning—but Microsoft has kept the heat on the competition by
including a variety of new tools with every release. At this point, the basic version of Server 2003
includes (in addition to its basic functionality of a file and print server) a Web server, an FTP server,
a sophisticated Internet router, automated workstation rollout tools (Remote Installation Services),
centralized software distribution tools (Group Policies), a two-level disk storage system (Remote
Storage Manager), encryption (Encrypted File System), an e-mail server, a SQL-based database server
and lots of other tools.
Not all of the tools are stellar; for example, the disk quota system, which allows you to keep any
given user from stealing all of the disk space on the shared file servers, is pretty lame. But because
Server 2003 provides at least a basic quota functionality, the many shops that are trying to minimize
the number of vendors they deal with can get an awful lot of their networking needs met in just
one package: Server 2003.
When you view Microsoft products, bear in mind that you usually won’t encounter really cutting-edge
tools; in my judgment, that’s not Microsoft’s market niche. Instead, they seem to focus on
incrementally improving existing products, as well as adding new tools by imitating competitors. Not
being the first on the block can sometimes be a pretty good thing, as you get to watch the competition’s
mistakes. Very little in Windows Server 2003 is truly never-seen-before-in-the-world new.
Instead, it’s a distillation of a lot of other people’s good ideas. Yes, some may see that as stealing
other people’s good ideas, and there’s some merit to that view. And Microsoft has what some might
call an unfair advantage in that they’ve got enough money to keep trying and trying and trying; for
example, their first two networking products, MS-NET and LAN Manager, were pretty weak
compared to the competition’s, but they had the money and tenacity to keep slugging away at it, finally
releasing the far-better NT product. Another example of this strategy occurred in 2001, with
Microsoft’s release of the Pocket PC 2002 operating system. They’re trying to crush the PalmOS
guys in the palmtop market, and they’ve made two weak attempts with Windows CE 1.0 and 2.0, but
they’re learning. I don’t know if Pocket PC will beat PalmOS—as a long-time Palm user, I tend to
think not—but they’ll definitely steal more of PalmOS’s market share with Pocket PC than they ever
did with Windows CE.
And while Microsoft’s detractors like to paint Microsoft as nothing but a bunch of rip-off artists,
it’s actually hard to find who originated these ideas. Some say that Microsoft stole Novell’s and Apple’s
best ideas; well, Novell certainly didn’t invent networking, and their IPX/SPX protocol is a blatant
“theft” of a Xerox protocol. Apple didn’t invent the GUI that Microsoft supposedly stole—Xerox
did. (Hmmm, maybe there’s a pattern here.) Nor is Active Directory a rip-off of an original Novell
product, NetWare Directory Services—NDS is based on a directory standard called X.500, and terms
that many people think Novell invented, like “organizational unit,” are X.500 terms. In any case,
it is something of a comfort for people to be able to buy a single product that is a decent fit for just
about all of their networking needs, instead of looking for the best of breed in each area. Why?
Anyone who’s ever tried to troubleshoot a multivendor network problem knows why: Both vendors
just point the finger at the other vendor and say, “That’s him—he’s the guy causing your problem.”
(They’re hoping you’ll get tired and go away. Most of us do, sadly.)
In contrast, the same people are developing all of 2003’s pieces; so you have to believe that at some
point someone would have noticed if they didn’t fit together. Or that if someone didn’t notice it before
they shipped, they’ll get around to fixing it afterward.
In sum, why use 2003? It’s fairly reliable, it does most of what you want a network operating
system to do, it’s reasonably priced, and enough other people use it that you’re probably not going
to go terribly wrong.
A Brief History of NT
Let’s finish this chapter with a look at how NT has grown and changed since its early days.
Even in the early 1980s, Bill Gates knew that networking was a key to owning the computer
business. So, on April 15, 1985, Microsoft released its first networking product, a tool called
MS-NET, and its companion operating system, DOS 3.10. Most people knew about the new DOS
and were puzzled at its apparent lack of new features. What it contained, however, were architectural
changes to DOS that made it a bit friendlier to the idea of networks.
Now, Microsoft wasn’t big enough at that time to create much hoopla about a new network operating
system, so they let others sell it—no matter how high or low you looked, you couldn’t buy a product
called MS-NET. Instead, it sold mainly as an IBM product under the name of the IBM PC Network
Support Program; IBM viewed it as little more than some software to go along with their PC Network
LAN boards and, later, their Token Ring cards. The server software was DOS-based, offered
minimal security, and, to be honest, performed terribly. (Believe me, I know; I used to install them for
people.) But the software had two main effects on the market.
First, the fact that IBM sold a LAN product legitimized the whole industry. IBM made it possible
for others to make a living selling network products. And that led to the second effect: the growth of
Novell. Once IBM legitimized the idea of a LAN, most companies responded by going out and
getting the LAN operating system that offered the best bang for the buck. That was an easy decision:
NetWare. In the early days of networking, Novell established itself as the performance leader. You
could effectively serve about twice as many workstations with Novell NetWare as you could with any
of the MS-NET products. So Novell prospered.
CHAPTER 2 THE BASICS: NETWORKING SOFTWARE, SERVERS, AND SECURITY
As time went on, however, Microsoft got better at building network products. 3Com, wanting to
offer a product that was compatible with the IBM PC Network software, licensed MS-NET and
resold it as their 3+ software. 3Com knew quite a bit about networking, however, and recognized the
limitations of MS-NET. So 3Com reworked MS-NET to improve its performance, a fact that didn’t
escape Microsoft’s attention.
From 1985 to 1988, Microsoft worked on their second generation of networking software. The
software was based on their OS/2 version 1 operating system. (Remember, Microsoft was the main
driving force behind OS/2 from 1985 through early 1990. Steve Ballmer, Microsoft’s number two
guy, promised publicly in 1988 that Microsoft would “go the distance with OS/2.” Hey, the world
changes and you’ve got to change with it, right?) Seeing the good work that 3Com did with
MS-NET, Microsoft worked as a partner with 3Com to build the next generation of LAN software.
Called Microsoft LAN Manager, this network server software was built atop the more powerful
OS/2 operating system. As with the earlier MS-NET, Microsoft’s intention was never to directly
market LAN Manager. Instead, they envisioned IBM, 3Com, Compaq, and others selling it.
IBM did indeed sell LAN Manager (they still do in the guise of OS/2 LAN Server). 3Com sold
LAN Manager for years as 3+Open but found little profit in it and got out of the software business.
In late 1990, Compaq announced that they would not sell LAN Manager because it was too complex
a product for their dealers to explain, sell, and support. Microsoft decided then that if LAN Manager
was to be sold, they’d have to do the selling, so on the very same day as the Compaq withdrawal, they
announced that they would begin selling LAN Manager directly.
Note Interesting side note: Ten years after Compaq decided that their sales force couldn’t sell network software,
they reversed direction and said that they’d sell a special version of Windows 2000 called Datacenter Server. It’s
special because you cannot buy it from Microsoft—you must buy it preinstalled on specially certified vendor hardware.
In other words, the hardware vendors (Compaq’s not the only one selling Datacenter) now believe that they can sell
complex network operating systems. I wish them the best of luck, but stay tuned to see the outcome of this particular
marketing maneuver!
LAN Manager in its first incarnation still wasn’t half the product that Novell NetWare was, but
it was getting there. LAN Manager 2 greatly closed the gap, and in fact, on some benchmarks LAN
Manager outpaced Novell NetWare. Additionally, LAN Manager included administrative and security
features that brought it even closer to Novell NetWare in the minds of many network managers.
Slowly, LAN Manager gained about a 20 percent share of the network market.
When Microsoft designed LAN Manager, however, they designed it for the 286 chip (more
accurately, I should say again that LAN Manager was built atop OS/2 1.x, and OS/2 1.x was built
for the 286 chip). LAN Manager’s 286 foundation hampered its performance and sales. In contrast,
Novell designed their premier products (NetWare 3 and 4) to use the full capabilities of the 386 and
later processors. Microsoft’s breakup with IBM delayed the release of a 386-based product and, in a
sense, Microsoft never released the 386-based product.
Instead of continuing to climb the ladder of Intel processor capabilities, Microsoft decided to
build a processor-independent operating system that would sit in roughly the same market position
as Unix. It could then be implemented for the 386 and later chips, and it also could run well on other
processors, such as the PowerPC, Alpha, and MIPS chips. Microsoft called this new operating system
NT, for new technology. Not only would NT serve as a workstation operating system, it would also
arrive in a network server version to be called LAN Manager NT. No products ever shipped with that
name, but the wallpaper that NT Server displays when no one is logged in is called LANMANNT.BMP to
this day.
In August 1993, Microsoft released LAN Manager NT with the name NT Advanced Server. In
a shameless marketing move, they labeled it version 3.1 in order to match the version numbers of the
Windows desktop products. This first version of NT Advanced Server performed quite well.
However, it was memory-hungry, lacked Novell connectivity, and had only the most basic TCP/IP
connectivity.
September 1994 brought a new version and a new name: Microsoft Windows NT Server version 3.5.
Version 3.5 was mainly a “polish” of 3.1; it was less memory-hungry, it included Novell and
TCP/IP connectivity right in the box, and it included Windows for Workgroups versions of the
administrative tools so network administrators could work from a Workgroup machine rather than
an NT machine. Where many vendors would spend 13 months adding silly bells and whistles, NT 3.5
showed that the Microsoft folks had spent most of their time fine-tuning the operating system,
trimming its memory requirements, and speeding it up.
In May 1995 came NT version 3.51, which mainly brought support for PCMCIA cards
(a real boon for us traveling instructor types), file compression, and a raft of bug fixes.
NT version 4, 1996’s edition of NT, got a newer Windows 95–like face and a bunch of new
features, but no really radical networking changes. Under the hood, NT 4 wasn’t much different from
NT 3.51.
From mid-1996 to early 2000, no new versions of NT appeared, an “upgrade drought” such as
we’d not seen in quite some time from Microsoft. Then, in February 2000, Windows 2000 (“NT 5.0”)
shipped. 2000 included a whole lot of new stuff, but perhaps the most significant was a new way of
storing and organizing user accounts and related information: Active Directory domains. Closely
following AD in importance was the then-new notion of group policies, something that you’ll see has
become quite important to anyone wanting to run a network based on XP and Server 2003.
The next version of NT shipped in pieces for the first time since 1993. First came NT Workstation 5.1
or, as it’s better known, XP Professional, along with its lesser sibling, XP Home. Microsoft intended to
follow up with the server version of NT 5.1, but events conspired to compel them to wait a bit longer
and produce NT Server 5.2 instead—that is, Windows Server 2003. As you read in the last chapter,
it’s a “1.1” version of Windows 2000, a welcome improvement to 2000’s fit and finish.
That’s not the end of the story for NT. Sometime in 2004 or 2005, we will see a re-unified
NT (5.3? 6.0? Time will tell) code-named Longhorn. That in turn will pave the way for yet another
version of NT, code-named Blackcomb, but let’s wait for another edition or two of this book to cover
that product.
Well, I hope this chapter wasn’t boring for those already expert in NT—I did warn you!—and
helped bring the newbies up to speed. No matter what version of NT you’re running, however, you’ll
need to configure it. And there are, as there always have been, two main ways to do it. The preferred
way is through the GUI, with windowed programs that offer help and a bit of error-checking, or through
the GUI’s somewhat more complex relatives, the command-line tools. The less-preferred, but often
necessary, way is to directly tweak some setting in its lair … a place called the Registry. The next two
chapters introduce these two configuration approaches.