Windows NT Server Configuration

 

Please note: If you are setting up an NT system for personal use, or for occasional sharing, please refer to the Windows NT Workstation setup page instead. Windows NT Server is optimized for enhanced network operation at the cost of desktop performance. Unless you truly need the domain authentication and/or resource sharing capabilities of Server, your needs will be better served by Workstation.

It is assumed that the reader is interested in Windows NT 4.0 Server and does not already have an operating workgroup or domain.

Contents:

• Setup requirements
• Network protocol choices
• Authentication models
• File system choices
• Setup
• Security
• Clients
• Sharing files
• Setting up network printers
• Services for Macintosh

Setup Requirements:

 Hardware Requirements:

• 486DX/33 or better processor, Pentium recommended
• 16 MB of RAM, at least 32 strongly recommended
• 140 MB of free space. (Plus 60 for latest service pack)
• At least one network interface card.
• 3.5" disk drive A:
• CD-ROM drive or Network installation share.

If at all possible, choose hardware listed on Microsoft's hardware compatibility list (HCL), Downloadable from Microsoft Hardware Labs. If you do use hardware that is not on this list, chances are still good that installation is possible, but you may need to download drivers from the hardware vendor. Also, Microsoft will only support approved hardware in the event of a driver problem.

Networking Requirements:

Obtain a unique machine name for your Windows NT Server. Machine names are registered in the NetDB database. At the same time, you will register a unique TCP/IP address for your machine.
Obtain a unique name for your domain or workgroup. These are registered at Domain Registration Page. If you are setting up a domain, set the domain name as an alias for the PDC in NetDB. This will simplify name resolution and prevent overlapping of domain names.

Protocol Choices:

There are three protocols widely used by Windows NT. They are TCP/IP, IPX/SPX compatible transport, and NETBEUI.

TCP/IP is the only generally routable protocol at Stanford. You must use TCP/IP to traverse subnets! When registering for a machine name, you should receive an IP address. If you do not want any access to resources outside your subnet, you may elect to use a different protocol.

IPX/SPX compatible transport is used mainly for communication between Novell servers and Windows NT Servers or clients.

NETBEUI is a proprietary protocol of Microsoft Lan Manager. It can be used for communication between members of the "Windows" family of products only. It does have the advantage of being the fastest protocol for small workgroup networking.

Authentication Models:

Windows NT can operate in one of two different authentication modes, Workgroup or Domain.

Workgroup is mainly for very small account databases and/or machine groups. Every machine in a workgroup handles it's own authentication and it's own controls over access to local resources. Because of this, every machine must have a local account for every user that will use the machine. This model is very quick to set up and everyone can maintain their own machine. The drawbacks are that whenever a change needs to be made to an account, it must be performed on every machine that account uses and that whenever a machine is added, all accounts that need to use that machine must be created again on that machine.

Domain is for larger groups. In a domain, a special server, called the Primary Domain Controller or PDC, holds the authentication database and verifies permissions when resources are accessed. This model is easier to manage since a change has to be made just once to a domain to have effect everywhere. Authentication can be maintained in case of a problem with the PDC by implementing one or more Backup Domain Controllers or BDCs. BDCs can also be arranged geographically to minimize the number of network hops an authentication request must make. This can improve network performance in larger implementations. Install a special version of Server (selectable during setup) to allow your Windows NT Server to perform the Domain Controller role.

File System Choices:

Windows NT supports two file systems, FAT and NTFS.

FAT, or File Allocation Table,  is the same file system as has been supported by all MS operating systems. It has been improved in NT and in Windows 95 to support long file names. It is NOT compatible with FAT-32, this feature will probably be added to Windows NT 5.0. Files and folders on FAT partitions cannot have permissions applied to them.

NTFS, or New Technology File System, is a more robust, transaction-based file system. Since it is transaction based, it can recover from some media and software errors. This also means that some disk area is lost for the transaction log. Files can be larger on NTFS partitions and cluster sizes can be kept smaller. Windows NT only supports compression on NTFS partitions. NTFS is required for Services for Macintosh. Files and Folders on NTFS partitions can be protected by permission lists. NTFS partitions are inaccessible to any other operating system.

Setup:

You do not have to format or create any partitions on a new machine before starting. You will need your three setup disks, your CD-ROM, a blank disk for a Emergency Repair Disk, and hardware support disks for any hardware not supported by Microsoft.

• Boot from the Setup Boot Disk. Unlike other MS operating systems, the disk does not have an executable "Setup.exe"
• Insert Disk Two when prompted
• At the welcome screen, press enter to start installing NT
• Verify information about your machine
• Press Enter to start detecting Mass Storage Devices (if any)
• Insert Disk Three when prompted.
• Press Enter to accept the list, or "S" if you have additional drivers.
• Select a partition or free space to install NT
• Choose to format the partition with the file system you have chosen (Or convert or leave intact for an existing system)
• Select a name for your NT root directory
• Remove all disks and Reboot
• Enter your name and company name (Or department name and company name)
• Select a licensing mode (Use Per-Server if unsure)
• Enter your selected computer name
• Select server type (If this will be the first server in a domain, you must select primary domain controller now.)
• Enter a password for the Administrator built-in account.
• Select whether or not to make an Emergency repair disk. (You should do this again after you have your server configured)
• Choose optional components, if desired or just click next.
• Choose your network participation ("Wired to the Network" in most cases)
• Chose whether or not to install Internet Information Server (Web, FTP, and Gopher servers. This can be a security risk)
• Let Windows NT find your network card.
• Install the protocols you have selected for your network.
• If you know you want to add on more network services, then do so now. Otherwise, just accept the default list.
• Inspect and accept the list of network components.
• When prompted, do not "Use DCHP to configure TCP/IP settings", enter settings for your computer.
• Join your domain or workgroup (In case of PDC, set name of Domain. Also, for other domain computers you will need to supply an administrator's username and password if you have not added the machine name to the domain using server manager from another server )
• Set your current time and time zone.
• Set and test video display configuration.
• Configuration settings will be saved and you will be prompted for a floppy disk to create the Emergency Repair disk if you selected to create one.
• Reboot and log on with the built-in account "Administrator"

Security:

When you set up your server, it will contain built-in accounts for initial access to the system. Use the Administrator account to create other users for your domain. Grant the users permissions by adding them into groups. There are built-in groups for various administrative tasks on the domain. By default, you must have some administrative rights to log on locally to a Domain Controller, but for safety, do not use an account with administrator rights for day-to-day use.  To assign custom permissions or resource permissions, create groups and add the appropriate users.

Note about groups in Domains: You will notice that there are two kinds of groups you can create, Global and Local. Global groups can be assigned permissions anywhere in the domain. Global groups can only contain users. Local groups can only be assigned permissions on the local machine. Since Domain Controllers share account information, Local groups are identical on all Domain Controllers. Local groups can contain Global groups and users.
For maximum flexibility, users should be added to Global groups in the domain by category, then these Global groups should be added to Local groups on the same server as is sharing a resource. Resource permissions should then be granted to these Local groups. Assigning local resource access directly to domain Global groups also works, however.

One place you might want to make changes is in the User Manager --> Policies --> Account Policies. This allows setting password strengths and lockouts.

Other security measures are available. For a more complete discussion, go to Microsoft Windows NT Server - Security Services, Microsoft Security Advisor Web site, or Securing Windows NT Server.

Clients:

Supported clients for Windows NT Server are MS-DOS, OS/2, Windows 3.x, Windows 95, Windows NT Workstation, and other Windows NT Servers.

Clients for MS-DOS, OS/2, and 16-bit Windows are available from the Windows NT Server CD. Setup disks can be created with the Network Client Administrator from your Windows NT Server.
Windows 95 and Windows NT come with the necessary client software for connecting to Windows NT Server.

"Samba" and other client software for Unix is available depending on the flavor of Unix software you are using (Note: After applying service pack 3 to Windows NT 4.0, fall-back to clear text passwords is not supported by default. Some versions of Samba can only authenticate with clear text. This setting can be turned back on in the Windows NT Registry.)

When configuring clients, make sure that "Use DNS for Windows resolution" is selected in the TCP/IP properties.

If you intend to access your server from another subnet for authentication, you will need to set up LMHOSTS files for each client or configure a WINS server. A sample LMHOSTS file can be found in %systemroot%\system32\drivers\etc\lmhosts.sam
If you do not need to authenticate across subnets, then you can access the resources on a server on another subnet simply by specifying the UNC path to the resource e.g. "\\Server\Resource". This succeeds via a DNS lookup, so DNS name must match the computer name and "Use DNS for Windows resolution" must be enabled.

File Sharing:

To create a file share,

• Select a folder you wish to share. (Creating the folder if it does not already exist).
• Right-click and select "Sharing", which will take you to the folder properties "Sharing" tab.
• Select the radio button for "Shared As".
• Select a share name and an optional comment.
• Click on "Permissions" to change permissions from default of Everyone: Full Control.

Share permissions only control who can access the share. File and folder access permissions, if any, are also in effect when the user attempts access to a resource. To set file and folder permissions, use the security tab from the file's or folder's properties' "Security" tab. User's access will be the most restrictive of the two sets of permissions.

Clients can then connect to the share by browsing their Network Neighborhood or by mapping a drive to the UNC path of the file share.

Setting up Network Printers

If the printer is connected to a Jetdirect card, configure either:

1. Microsoft TCP/IP Printing to access the TCP/IP LPR port.
2. AppleTalk Protocol to access the AppleTalk port. (Newer models)
3. DLC Protocol to access the HP network port.

  If you connect to an AppleTalk printing device do NOT capture the port. 
This is not necessary and will prevent anyone else from finding the device in the AppleTalk network.

• In My Computer --> Printers or START --> Settings --> Printers,
• Select Add new printer.
• Select "My Computer".
• Select the port that your printer is connected to or add a network port.
• Select the appropriate printer driver for your printer.
• Supply a name for the printer.
• Select "Shared" and a share name. Also select any optional drivers for other operating systems that you would like to install (You will need to supply the drivers).

Clients can connect to the printer by browsing the network or selecting "Add Printer" and "Network Server" and entering the UNC path of your shared printer

Services for Macintosh

If you wish to share files and printers for use by a Macintosh network, you will need to install Services for Macintosh from the Network Properties' "Services" tab. This will also install the Appletalk protocol on your machine if you have not already. You will be prompted to select an AppleTalk zone.

After installing SFM. Any folder on an NTFS partition can be shared as a Macintosh volume. A subdirectory of a volume cannot be shared as a volume. The same folder can be shared as a regular share and as a volume, with different names, if desired. Shared printers are automatically shared on the Macintosh network.

Return to WWW-NT home page
Last modified 3/5/98 by Ross Wilper
©1998 Trustees of the Leland Stanford Junior University