Monday, June 9, 2008

The Basics: Networking Software, Servers, and Security

In a lot of

ways, Windows Server 2003, Standard Edition (which I’ll call “Server 2003” or “2003”

in this chapter) should be named “NT 2.1.” Anyone coming into the Microsoft networking story

without any previous experience with some version of NT, Windows 2000, or Server 2003

probably feels just as lost as someone who gets dragged into a movie theater to see

The Empire Strikes

Back

while knowing nothing of the original

Star Wars

. They end up asking things like, “Who

is

the

tall guy with the black shiny mask and the bad attitude; and speaking of attitude, what is

with

that

woman whose hairdo looks like she strapped a couple of Danishes on her head?”

In this chapter, I’ll give you a bit of history on Server 2003 and then take a very high-altitude

look at why we’re using Microsoft’s networking software in the first place. This is

not

intended

to prepare you for a test on networking essentials, nor is it a complete book on NTs past and

present. (When I say “NT,” remember that Windows Server 2003, Standard Edition is really just

NT Server 5.2.) What I’m trying to accomplish in this chapter is to answer the questions:

Ÿ

Why should I care about all of this networking stuff, anyway?

Ÿ

Why does Microsoft’s networking software approach networking the way that it does? Here,

I’m referring to the fact that much of why Server 2003 works the way that it does is simply

because NT always did it that way—

so knowing more about NT’s history makes 2003 make

more sense.

What’s the Point of Networks and Networking?

In a way, this chapter is penance for my youthful misdeeds.

When I was in the seventh grade, I had a math teacher named Mr. Schtazle. Seventh-grade math

was a kind of potpourri of mathematical topics—I recall one chapter that took pains to drill into our

heads the difference between precision and accuracy—and I’d plague the poor man at the beginning

of every chapter by asking him, “How will we use this?”—a slightly more-polite version of “why do

Copyright ©2003 SYBEX, Inc., Alameda , CA www.sybex.com

22 C

HAPTER

2

THE BASICS: NETWORKING SOFTWARE, SERVERS, AND SECURITY

we care?” Well, nowadays I find that when I’m teaching a room full of people about Windows 2000,

I’ve

got to be careful to answer that question, “Why do you care?” even if it isn’t asked. Because if I

don’t answer that, then many people in the room will leave the class with a pretty good notion of

how

to accomplish a bunch of tasks but not a really good feel for

why

they’d do the tasks in the first

place. And you know what? Answering the “Why do I care?” question can be pretty rough some times.

So, Mr. Schtazle, if you’re out there…my apologies.

Let’s consider the two questions that I asked a paragraph or two back:

Ÿ

Why network in the first place, and

Ÿ

If we agree that networking is a good thing, why do we do it this way?

The answer to the first question will turn out to be pretty straightforward: Networking solves a

set of problems for us. The answer to the question, “Why do we do it this way?” is a bit longer.

First and foremost, you’re doing this to try to solve some problem that networking can help you

with. Your company might want, for example, a great Web site, or to be able to send and receive

e-mail, or a simple file and print server for a small office. These are the goals; a network is the means

or tool to reach them. In short:

The ultimate goal of any networking project is to provide some kind of service

.

Everything else is just a necessary evil—but there are a

lot

of those necessary evils!

Second, there are many kinds of services that networks can provide, and every kind of service needs

different software to make it work. For example, suppose you wanted to set up a Web site on the

Internet. Network services, including Web sites, need two main pieces: a

server

piece and a

client

piece.

To put up that great Web site, you’ll create the site itself with HTML and drop that HTML onto a

Web server. One way to get a Web server is by taking one of your computers and putting a piece

of software on that computer to make it function as a Web server. But that’s only half the story—in

order for your customers to enjoy that Web server’s content, they will need a piece of client software

called a

Web browser

. That’s our first networking piece:

Every network service needs server software and client

software

.

Third, you need to ensure that there’s a way for your information to get from your server to your

clients, a physical system that the service can travel over. If the clients and servers are in the same

building, then you only need a local area network (LAN), and setting that up only requires pulling

wires through the building. If, however, you want to offer your service to the world, as in the case

of a Web server, then you’ll need some kind of WAN (wide area network) connection to the Internet.

In other cases, you’ll need a WAN connection, but not to the Internet: many organizations with more

than one location connect those locations via private communications links with names like

leased

line

,

T1

, or

frame relay

. That’s our next networking piece:

Networks need connection hardware (switches, hubs,

routers, modems) and links (phone lines, network cables, frame relay, DSL, cable modem, ISDN, etc.) or the clients can’t

connect to the servers

.

Fourth, to provide a service over a network, your server and your clients must agree on how to

transmit information over that network. That agreement is called a

network protocol

, and the one that

you’ll most probably use in the Windows 2003 world is called the Transmission Control Protocol/

Internet Protocol (TCP/IP). You may have heard of it before, as it’s the network protocol that

the Internet uses, but you needn’t be on the Internet to use it. In short:

Clients and servers must speak the

same network protocols

.

Fifth, once you’ve got the channels open, and before information starts flowing in both directions,

you’ll almost certainly need to worry about security. When you use the tool that is networking, you

Copyright ©2003 SYBEX, Inc., Alameda , CA www.sybex.com

WHAT’S THE POINT OF NETWORKS AND NETWORKING?

23

want to be sure it doesn’t increase your risk, and in fact you can shape the tool so it reduces hazards.

Briefly:

Networks need security

.

Sixth and finally, once you’ve set up that terrific network service, you need a way for people to

find

that great service. You do that with a “naming” system. Windows 2003 has two of them—one that

appeared years ago before the first version of NT, and a newer (to NT, anyway) method that the

Internet’s been using for years. The last network piece, then is that:

Networks must provide a way for users

to find their services

.

Let’s examine these pieces in order, take a closer look at why they work the way that they do, and

get some insight into how Windows 2003 in particular handles them.

Network Client and Server Software

The reason that we network computers in the first place is so that computers acting as clients can benefit

from the services of computers acting as servers. For example, suppose you want to visit my Web site,

www.minasi.com

.

Two of the ingredients that you’ll need to make that possible are software:

Ÿ

You’ll need a computer running a program that knows how to request Web information and

then how to receive it—in other words, a

client application

.

Ÿ

I’ll need a computer running a program that knows how to listen for requests for Web

information and then how to deliver that information—in other words, a

server application

.

As sometimes occurs

too

often in the computer business, you’ve got choices about both the client

and the server.

The Client Piece: A Web Browser

I’ve said that first you’ll need a computer, of course, one that’s running a Web browser program like

Netscape Navigator or Internet Explorer. But let me rephrase that in basic network client-server

terms.

There is technically no such thing as “the World Wide Web.” Instead, there is an agreement

about how to transfer text, pictures, and the like, and that agreement is called the HyperText

Transfer Protocol—which is normally shortened to HTTP. The phrase World Wide Web just

refers collectively to all of the HTTP servers on the Internet. When you think you’re surfing a

Web page, what really happens is this:

1.

Your client computer asks the Web server (oops, I meant

the HTTP server

) something like, “Do

you have any documents?”

2.

The Web server responds by saying, “Here’s my default document,” a simple text file that

is the so-called home page for that Web server. The Web server sends that file to your client

using the HTTP protocol.

3.

Once your client receives the text file, it notices that the page is full of references to

other

files.

For example, if the home page that you requested has pictures on it, your Web browser

(HTTP client) didn’t originally know to ask for them, so the Web server (HTTP server)

didn’t send them. Your client notices the lack of the images and requests that the server send

them, which it does—again using the HTTP protocol.

Copyright ©2003 SYBEX, Inc., Alameda , CA www.sybex.com

24 C

HAPTER

2

THE BASICS: NETWORKING SOFTWARE, SERVERS, AND SECURITY

Here, “HTTP client” just means a program that knows how to speak a language that transfers

a particular kind of data—Web data. Your computer is deaf to the Web unless it knows how to

request and receive data via HTTP.

Notice what

client

means here. It doesn’t refer to you, or even to your computer. Instead, it just

means a program that your computer runs.

The Server Piece: A Web Server

Next, let’s consider what’s sitting on my side of the conversation.

I’ll need a computer running a special piece of software that is designed to listen for your computer

(or anyone else’s, for that matter) requesting to see my Web pages via the HTTP protocol, and that

can respond to those requests by transferring those pages to the requesting client software. You

might

call such a piece of software an “HTTP server” program, although almost no one calls it by that

name. You’d more

commonly

call it “Web server” software. There is a variety of Web server software

that I might run on my Windows Server 2003 computer, but I’m most likely to run the one that

comes free with Server 2003, a program called Internet Information Services (IIS) 6. Alternatively,

I might find, download (probably using HTTP!), and install a popular piece of free Web server

software called Apache.

Once again, notice carefully what “server” means here. It does not really refer to the particular

computer hardware that I’ve got stashed in my network room connected to the Internet. Instead,

“server” means “the program running on Mark’s computer that listens for HTTP requests and knows

how to fulfill them.”

Now that I’ve gone through all of that, consider again the question that I asked at the beginning of

the chapter—why are you bothering with a network? The answer is probably “because you want

to offer a Web site, either internally or on the public Internet, and you that think that IIS is the best

(highest-performance, cheapest, or some combination of the two) Web server software around”—

which means that you must use Server 2003, as it’s the only operating system that supports IIS 6.

(Or you could use an earlier version of Server and an earlier version of IIS, but why not go with the

latest and greatest?)

Other Types of Servers

I’ll tend to use the Web client-server example for this discussion. But I don’t want to lose sight

of the fact that there are quite a few client-server systems, besides Web servers, that are in common

use and that you may want to use 2003 to create. Returning to the theme of this chapter, then—

“Why do I care or why do I need this stuff?”—networks offer several valuable services, and you

may want to set up a computer to act as a server and offer some of those services. Here are a few

besides the Web server example.

File Servers

File servers act as central places to store data files. Why put them on a server

rather than just keep them on your local computer? Well, in some cases someone else created

the file, and placing a file on a central server is a simple way to make the files available to others.

The other good thing about storing files in a central location is that they’re more easily backed

up that way. 2003 comes with file server software built in.

Print Servers

Print servers let you share printers. Not everyone wants to put a printer on their

desk, and besides, if you share the printers, you can afford more expensive (and presumably better)

models. 2003 comes with print server software built in.

Copyright ©2003 SYBEX, Inc., Alameda , CA www.sybex.com

WHAT’S THE POINT OF NETWORKS AND NETWORKING?

25

E-Mail Servers

Mail servers are essential if you’re going to do e-mail. Some computer (or

computers) must act as the post office, collecting e-mail from the local users and sending it to

other mail servers across the Internet and acting as a receiving point for other mail servers to

send mail destined for your organization. You

can

outsource this function by letting your ISP

act as your mail server, but running your own mail server gives you more flexibility. (However,

it

does

require a persistent connection to the Internet.) 2003’s new features include a basic e-mail

server. Yes, it’s “basic” because Microsoft

really

wants to sell you Exchange as your mail server.

But it’s not a bad server for many people’s needs.

Group Scheduling Servers

The centralized nature of servers means that they’re a great place

to keep track of scarce resources like meeting rooms or your time. 2003 does not come with a

scheduling server, as Microsoft wants to sell you Exchange to do that sort of thing. But there are

alternatives to Exchange; there are some terrific Web-based scheduling tools that work great on

2003—for one example, take a look at

www.mattkruse.com/scripts/calendar/

or other tools,

like Lotus Notes.

E-Commerce Online Stores

If you’ve got something great to sell, then the Web’s one place

to do it. There are thousands of online stores on the Web, and a good number of them run on

2003. While 2003 includes a Web server, it doesn’t include the other software that you’d need to

create a complete online store. But there are a lot of consulting and programming firms that would

be happy to help you create an online store atop 2003!

Networks Need Connection Hardware and Links

If I want to offer a server service and ensure that you can enjoy that service, then we’ll both need to be

physically attached to the same network—the same series of cables, satellite links, or whatever—or

your computer’s requests will never get to my computer in the first place. That probably means that

we’re both on that huge network-of-networks called the Internet, but we could just be working for the

same company in a single wired building, or a multilocation firm connected by a private intranet.

Now, notice that if I’m going to run a Web server, I’ll need to be connected to our common

network (Internet or otherwise) persistently: I couldn’t decide to run a Web server out of my

house and just dial in to the Internet now and then. Of course, if I’m only serving some private

network that we share, then an Internet connection is unnecessary, as we already have connection

to a common network.

People who worry about the physical connection part of networking concern themselves with

getting cables run through walls, calling the phone company to arrange for persistently connected

data links of various kinds—links with names like DSL, cable modem, frame relay, leased lines, T1

or T3 lines—and then work with a family of hardware that helps get the bits going off in the right

direction—devices with names like switches, hubs, and routers.

Does 2003 help you with this part of the job? In some parts, it can. Switches and hubs are very

basic, simple devices, and 2003 has nothing to do with them—although clearly 2003 depends on

their presence in order to network! Routers are, however, more complex devices. You probably know

that the market leader in the router world is a firm named Cisco Systems, but you may not know that

a router is really just a small, single-purpose computer. If you wanted to, you could use a computer

running Server 2003 to replace a Cisco router. Additionally, if you wanted to allow people outside

your network to dial in to your network, you could use a Windows Server 2003 to make that

possible. (It’s not the best answer, as you’ll see in Chapter 6, but it

is

possible.)

Copyright ©2003 SYBEX, Inc., Alameda , CA www.sybex.com

26 C

HAPTER

2

THE BASICS: NETWORKING SOFTWARE, SERVERS, AND SECURITY

Clients and Servers Must Speak the Same Protocols

But simply being connected to the same wire isn’t enough—we need a common communications language.

If I were to pick up a phone and dial some number in Beijing , I’d have a physical connection

with whatever poor soul picked the phone on the other end—but that would be the extent of our

interaction. In the same way, computer networks need to agree on things like, “What’s the biggest

block of data that I can ever send you?” and, “How shall I acknowledge that I actually

got

that block

of data?” or, “Should I bother acknowledging receipt of data at all?” and hundreds of other questions.

The answers to all of those questions are contained in the “network language” or, in network

techie terms, the

network transport protocol

. It probably won’t surprise you that more than one network

transport protocol exists, and over the years NT has generally supported three of them:

Ÿ

NetBEUI (Network Basic Input/Output System Extended User Interface), an old Microsoft/

IBM/Sytek protocol designed to support small networks

Ÿ

IPX/SPX (Internet Packet Exchange/Sequenced Packet Exchange), the protocol that Novell

NetWare predominantly used for years

Ÿ

TCP/IP (Transmission Control Protocol/Internet Protocol), the protocol of the Internet

and intranets

Although you have three choices, it’s a good bet that your Microsoft software-based network uses

TCP/IP. Why TCP/IP? Well, there have been some really great protocols over the years, but as the

Internet uses TCP/IP and as the Internet is so popular, TCP/IP has sort of trumped the other

protocols. In fact, it’s impossible to do a fair number of things that 2003 and its predecessors

Windows 2000 and, to a lesser extent, Windows NT 4 are capable of

without

TCP/IP. So I’m

going to assume for our discussion and indeed for most of this book that your network will use

TCP/IP.

Oh, and one more thing—once you’ve decided that TCP/IP is your network protocol of choice,

then you’ll need to install several

more

servers to support TCP/IP’s infrastructure. And here again,

when I say “more servers,” I’m not suggesting that you have to buy more PCs, although you might.

What I mean is that you’ll have to install software on some computer or group of computers to

perform three basic pieces of plumbing or infrastructure jobs:

Ÿ

A Domain Naming System (DNS) server keeps track of the names of the computers in your

network (an important task, believe it or not).

Ÿ

A Dynamic Host Configuration Protocol (DHCP) server configures the specifics of TCP/IP

on each computer in your network, both great and small.

Ÿ

A Windows Internet Name Server (WINS) does something like what DNS does—keeps

track of names—but isn’t really necessary on a “pure” Windows 2003 network—its main job

is to support older Microsoft operating systems like Windows 9

x

, Me, and NT 3.

x

and 4.

You’ll learn more about the specifics of DNS, DHCP, and WINS in Chapter 7. I should point

out that if you’re a one-person shop, then you might not need all of that, as your ISP might

be handling it for you—but I’m assuming throughout this book that you are probably a network

administrator/manager for a network of at

least

a few computers, and possibly for a tremendous

number of computers.

Copyright ©2003 SYBEX, Inc., Alameda , CA www.sybex.com

WHAT’S THE POINT OF NETWORKS AND NETWORKING?

27

Keeping the Bad Guys Away: Security

Once you’ve gotten the first four things done, then your job’s finished, in a sense—people can now

read and write files on that file server, view pages on that Web server, print to that shared printer, set

up meetings with you over your scheduling server, and so on. I mean, hey, networking’s all about

sharing, so just open the doors and let ’em in!

As you’ve probably realized, there’s a missing piece here: security. While there’s a lot to security,

it basically boils down to two things:

authentication

and

permissions

.

Ÿ

First, you want to be able to identify who’s entering your network. That’s authentication.

Ÿ

Second, once you know for sure who you’re talking to—once you’ve authenticated—then you

must be able to look up somewhere what that person is allowed to do, his

permissions

. For

example, a network logon could figuratively go something like, “Okay, now I know you’re

Jack…but I’ve been told to deny Jack access to everything.” Merely being authenticated

doesn’t mean that you get access!

Authentication

The first part of security is called

authentication

, and you usually accomplish it through usernames

and passwords, although as time goes on you’ll eventually use the more science-fiction means of

authentication: One day, the computer may recognize you by your fingerprint, face, voice, retina

blood vessel pattern, or some other item that’s distinctly you. The geek term for those authentication

approaches is

biometric

.

For now, however, it’s user accounts and passwords that identify users. I realize that nearly everyone

who’s reading this book has undergone an authentication at some point—you’ve logged in to a

network some time. It all sounds simple, doesn’t it? And yet user accounts and passwords present

special problems.

Storing Authentication Information

First, you’ll need some kind of program that lets administrators create user accounts and store them

in a file. In their simplest form, user accounts consist of a database of usernames and passwords.

That’s no big deal—it’s a very simply structured database, and there are tons of database programs

out there—but don’t forget that you need to

encrypt

that information. Otherwise, there’s the possibility

that someone could come along and steal the database file, take it home, and perhaps crack it

for your user’s passwords.

Just such a thing happened to NT 4. NT stored user information in a file named SAM. If you leave

me in the same room as your server, then I can copy that SAM onto a floppy and take it off-site to

analyze it. Wasn’t it encrypted? Well, yes, but sometimes encryption isn’t enough—a group of hackers

figured out how to crack SAM’s encryption. With just a bit of work, anyone could extract passwords

from an NT SAM. (Which is a good reason to keep your servers behind lock and key, so that it’s

harder for someone to steal your account files.) Windows 2000- and 2003-based domains (a term

I’ll define soon) use a more sophisticated encryption scheme on its user account/password file

(which is named

NTDS.DIT

, not SAM), but unfortunately even that file can be cracked with some

determination. Again, let me stress that this is only a danger if you let someone physically sit down

at the servers that do logons, a set of servers called domain controllers, so don’t worry that 2003 isn’t

secure. Any security person can tell you that you should

never

give the bad guys physical access to

your important servers—lock ’em up!

Copyright ©2003 SYBEX, Inc., Alameda , CA www.sybex.com

28 C

HAPTER

2

THE BASICS: NETWORKING SOFTWARE, SERVERS, AND SECURITY

The tool that lets administrators create, modify, or delete user accounts is called Active Directory

Users and Computers.

Active Directory

refers to Windows 2000 and 2003’s system for storing usernames

and passwords. It’s called a directory because

directory

is the current network lingo for “database

of user accounts.” Personally, I think it’s kind of confusing—in my mind, directory conjures up

visions of drive letters, like C:\DOS—but it’s the current argot, so it’s worth knowing. And, in case

you’re wondering, the “Active” part is just Microsoft marketing; don’t look for any deep meaning

there. (It’s not like Novell makes a product called Comatose Directory or Lethargic Directory.)

Authenticating without Compromising Security

So you’ve got a server somewhere that contains the list of usernames and passwords. Those are only

good if someone can use her username and password to be authenticated and get access to things

on the network. So you need some way for a user sitting at her workstation computer to be recognized

by that server. You’re already familiar with this recognition process: we call it logging on.

Suppose I’m sitting at my Windows XP workstation and I want to get to some files on a file server

named files-r-us.bigfirm.biz. Before files-r-us will give me access, I’ve got to submit myself for

authentication—I’ve got to log on. One of the many programs that comes with every version of NT

since version 3.1 is called

winlogon.exe

, and it’s the program that pops up when you first turn

your workstation on, asking you to punch in your username, password, and domain. (Again, I’ll

explain what a domain is in a minute.)

So imagine that I’m trying to access some data on files-r-us. Files-r-us responds by asking my

workstation, “What’s his name and password?”

Now

I’ve got a problem.

You see, what I’d

like

to do is to just say over the network line, “This is Mark and his password

is ‘swordfish.’” Then files-r-us can just look in its directory file of usernames and passwords and

see if it has a user named Mark with a password of “swordfish.” If so, then it lets me in. If not, it

doesn’t. Simple, eh?

Well, there’s one flaw here—the part where my workstation passes “swordfish” over the network.

A class of programs called “sniffers” can record and display any data that passes over a network wire.

So passing passwords around on an unencrypted Ethernet cable isn’t a great idea. That means

you’ve got another challenge: how to prove to a server across the network from you that you’ve got

Mark’s password without actually showing that password to the server.

Over time, networks have come up with different answers, but Active Directories, whether based

on Windows 2000 or 2003, use an old authentication method called Kerberos which some folks at

MIT first invented in the mid ’80s. It replaces an older method employed by NT 3.

x

and 4 called

NTLM, which was short for NT LAN Manager, a reference to one of NT’s predecessors. What

follows is an extremely simplified version of how Kerberos works. (It’s actually a wildly simplified

description, but it’ll help you understand the more complete explanation that you’ll see in the next

section.)

Let’s return to files-r-us. I try to access its data, so files-r-us needs to first log me in. It does that

by saying, “I’ll tell you how to access my data,” and sends me some instructions on how to get to its

data. But the data is

encrypted—

with my password! In other words,

anyone

could claim to be me, and

files-r-us would happily send these vital instructions-for-connection. But only I can decrypt those

instructions, so only I can benefit from them. So files-r-us ensured that only someone with my

password could gain access, without sending my password over the wire.

Copyright ©2003 SYBEX, Inc., Alameda , CA www.sybex.com

WHAT’S THE POINT OF NETWORKS AND NETWORKING?

29

Centralizing and Sharing User Account Information: Domains

But my simple example about trying to access one file server is, well, a bit

too

simple. Most companies

will end up with more than one server, and in fact it’s not unusual to end up with dozens

or hundreds of servers. And that leads to the following problem. Recall that I said a page or so

back that if you’re going to employ user accounts, then you’ll need a file to store them in. But what

if you have more than one server? What if in addition to the server named files-r-us.bigfirm.biz, I’ve

also got a mail server named postoffice.bigfirm.biz and a Web server named www.bigfirm.biz?

I might want to log in to any one of those three, so they

all

have to be able to accomplish logons. But

now let’s examine what that actually means in terms of keeping track of user accounts. Should

each server contain a complete copy of

NTDS.DIT

, the file containing the names and passwords

for users?

That might work, but it’d be a pain, for several reasons. First,

NTDS.DIT

can get pretty big, and I’d end

up burning up a lot of disk space copying it to every server in my enterprise. Second, if servers are

connected by low-speed WAN links, the process of copying the changes to

NTDS.DIT

to all of the

servers on my network (a process called

directory replication) would take up a lot of time and network bandwidth.

Third, do I really want to have to create a network “storm” of file copying amongst the servers

every time someone just changes his password? And finally, what about the issue of securing the

NTDS.DIT file in the first place? If I copy NTDS.DIT to every single server in the enterprise, there are bound

to be a few that are out in the open, not physically secured. It’d be easy for an intruder to copy the

NTDS.DIT from a poorly secured computer and spirit it off-site, to crack it at leisure.

The better idea that we’ve used in networks for years is to put the user directory, the NTDS.DIT, not

on every single server, but instead on a relatively small subset of the servers. Those NTDS.DIT-holding

servers then serve in the role of logon server, doing the job of authenticating for the other servers. In

Microsoft parlance, a logon server is more commonly called a domain controller. So, to return to the

example of accessing data on files-r-us, imagine that files-r-us is not a domain controller and doesn’t

contain a copy of NTDS.DIT, and that another computer, vault.bigfirm.biz, is a domain controller

and contains a copy of NTDS.DIT. In this newer arrangement, I don’t directly log into files-r-us but

instead enlist the aid of vault.bigfirm.biz in order to authenticate with files-r-us.

In a purely Active Directory network (which can only include Windows 2000, XP, and 2003 systems),

vault.bigfirm.biz would help me log in to files-r-us with Kerberos. In order to understand how

Kerberos works, you first need to understand that under Kerberos, not only do the users have passwords,

the server programs do also. Thus, the file server program running on files-r-us has its own

password. So both the user and the server each have passwords—remember that.

When I tell my workstation to try to get some data from files-r-us, my workstation sees that

it’ll need to get me logged in to files-r-us. It does that by asking the domain controller, vault, to

give me something called a “ticket” to the file server service on files-r-us. The domain controller

responds by handing my workstation an encrypted piece of data, which is the Kerberos ticket.

The ticket can be decrypted with my password, making its contents a mystery to anyone but me

(or my workstation, which obviously knows my password). My workstation decrypts the ticket,

which contains two things. First, it contains a message saying “your special one-time-only password

for accessing the file server at files-r-us is ‘opensesame.’” Second, it contains another encrypted

message—but this one’s not encrypted with my password, so I can’t decrypt it! But my workstation knows

to send it to the file server, which decrypts it successfully, as the file server has its own passwords.

Once the file server receives and decrypts the part of the Kerberos ticket that I sent it, the file server

Copyright ©2003 SYBEX, Inc., Alameda , CA www.sybex.com

30 CHAPTER 2 THE BASICS: NETWORKING SOFTWARE, SERVERS, AND SECURITY

sees that that ticket piece says something like, “The special one-time-only password for communicating

with Mark is ‘opensesame.’ And by the way, you should have gotten this message from Mark

sometime between 10:45 A.M. and 10:50 A.M. from his IP address, which should be 117.39.82.3.”

Once the file server gets its half of the Kerberos ticket, it knows a few things:

Ÿ The user claiming to be Mark who wants access to the file server is indeed Mark.

Ÿ Any messages from that now-authenticated person named Mark should have originated from

IP address 117.39.82.3.

Ÿ If Mark and the file server really want to maintain a secure connection, they could even encrypt

their communications using this shared—but secret—password, opensesame.

Security Roles and Definitions: Domains, Domain Controllers, and Member Servers

Armed with this information, I can define a few Microsoft networking terms.

Domain You just saw an example where one machine (vault) let me log in to another machine

(files-r-us). I haven’t mentioned this yet, but before I could get anywhere I needed to log in to the

computer at my desk, my workstation—and when I first tried to log in to my workstation, it was

once again vault.bigfirm.biz that authenticated me. Clearly, then, my workstation and files-r-us

“trust” vault.bigfirm.biz in some fashion.

The collection of machines that share the same list of user accounts, the same NTDS.DIT, is a

domain. Or, to put it a bit more specifically: several computers hold a copy of NTDS.DIT and are

willing to act as “logon servers” (domain controllers) with that NTDS.DIT. The collection of

machines that are willing to accept logons from those domain controllers (in Microsoft terms, who

“trust” those domain controllers) and the domain controllers themselves are collectively called

a domain. So my workstation, vault, and files-r-us are all part of the same domain.

Domain Controller A server, such as vault.bigfirm.biz, that contains a copy of the user

account/password data, and that therefore can let users log in to servers, is a domain controller. Domain

controllers exist to centralize the user account/password information so that you needn’t put

the NTDS.DIT on every server.

Member Server A machine that is running NT 3.x, 4.0, 2000, or Server 2003 but not acting

as a domain controller will not contain a copy of NTDS.DIT and therefore can’t authenticate domain

members. Such a machine is called a member server.

Permissions and Access Control Lists (ACLs)

Once a server has determined that I am indeed me, does that mean that I’ll get access to the server’s

information? Not necessarily. Authentication just identifies me. The next step in security is access

control, also known as (depending on what network operating system you are using) rights, permissions,

or privileges.

Ever since its earliest versions, NT (which includes Windows Server 2003) has had a very

flexible system of file and directory permissions. As you’ll see later in this book, you can exert

very fine-grained control, such as specifying that Mary can read or write to a given file, that Bill can

only read it, and that June cannot access the file at all. Don’t get the idea, however, that permissions

Copyright ©2003 SYBEX, Inc., Alameda , CA www.sybex.com

WHAT’S THE POINT OF NETWORKS AND NETWORKING? 31

refer only to files. There are permissions to do things like create, modify, and destroy user accounts,

and even permissions to create domains in the first place. The flexibility of these permissions is one

of Microsoft networking’s great strengths.

Just about everything in the Microsoft networking world has security on it. Want to read a

file? You need the permissions to read it. Want to shut down the program that provides the Web

server? You need the permissions to shut it down. Want to create a new user account on your network?

You need the permissions to create a new user.

These permissions are stored as a list. In the case of the file, the operating system sets aside a little

space for every file that it creates, and keeps the permissions in that space. A set of permissions for

a file, then, might look like

Ÿ A user named June can do anything that she wants to the file.

Ÿ Another user, Joe, can only read it.

Ÿ Any user in a group named Cube-dwellers can read or modify the file, but not delete it.

Ÿ The operating system can do anything that it wants to the file.

In Microsoft networking-speak, that list is called an access control list or, inevitably, ACL. Each

of the four entries are called access control entries or ACEs. You will learn in this book that lots of

things have ACLs, and adjusting those ACLs is how you configure security in your network.

Access to Earlier Security Systems

The last challenge that Windows 2000 and 2003’s security designers faced was the so-called “legacy”

support—ensuring that they could interact with the security systems built into Windows for

Workgroups, Windows 9x, NT 3.x, and 4. I’ve described in very broad strokes how Kerberos works,

but Windows and NT didn’t use anything like that and in fact couldn’t do Kerberos logons; Kerberos

first appeared in the Microsoft networking world in February 2000, with the introduction of

Windows 2000. Microsoft knew that you wouldn’t be very happy if they required you to throw away

all of your old Windows 9x and NT systems before you could implement Active Directory, so

Windows 2000, XP, and Server 2003 know a variety of logon methods—NTLM 1.2 for Windows 9x

and NTLM 2.0 for NT 3.x and 4—in addition to Kerberos.

It’s hard to overstate the importance of security. For example, in the past, one of Novell’s main

advantages over NT was in the way that it stored user accounts and handled logins—Novell’s security

was faster and more flexible. Sure, one could argue that Novell moved data around file servers more

quickly, but not so much more quickly that anyone would really modify a buying decision. Basically,

people were buying Novell for Novell’s security system, something called NetWare Directory Services

(NDS). NDS was essentially a big-time user database, something with a more enterprise feel to it than

NT’s older SAM-based system. In short, security is important.

Names: Finding Servers and Resources

When PC-based networking first appeared, we didn’t do much Web work—the earliest common

LAN functions were file and print services. So from the very beginning (all of 15 years ago) of

PC-based networking, we’ve done file and print services; they’re the most basic network services. But

now suppose that you’ve got a network with more than one server on it, and you want to find out

Copyright ©2003 SYBEX, Inc., Alameda , CA www.sybex.com

32 CHAPTER 2 THE BASICS: NETWORKING SOFTWARE, SERVERS, AND SECURITY

which server has a printer available for sharing, or you can’t remember which server holds that share

called hrdocuments; how do you search for network functions?

That’s one of the oldest problems in networking, and not just in Microsoft networking.

Microsoft’s most current answer to the “how can I find resource X on the network?” question is

to store that information in the Active Directory database. But they’re not there by any means yet and,

even if you have an all-Windows 2003 and XP network (which is unlikely), you’ll find that by

default the Active Directory isn’t all that much help in finding file and printer shares. I’m sure

that’s going to change as new versions of NT appear, but for now, we Microsoft operating systems

users are pretty much stuck with an old technology known colloquially as the Network Neighborhood

or, in Windows 2000 and later, My Network Places. Here’s where it came from and how

it works.

How would you set up a system that provided a centralized directory of services on a network,

a kind of “yellow pages” that lets a user quickly find a file share or shared printer? Microsoft networking

uses a name server system called the computer browser or browse services—it has nothing at all

to do with the Web, it’s had that name since before the Web existed—where you, the network

administrator, don’t have to do anything; the name servers set themselves up automatically. Sounds

good? Well, it is for small networks, but it gets troublesome for larger ones—which is why

Microsoft is trying to phase it out.

The servers in a Microsoft network that contain information about network services are called

browse masters or master browsers. What’s different about the concept of Microsoft browse servers is

that no one computer is fixed as the browse master. Instead, when your computer logs in to your network,

it finds a browse master by broadcasting a request for one, saying, “Are there any browse masters out

there?” The first browse master to hear the workstation (there can be multiple browse masters,

as you’ll see) responds to the workstation by saying, “Just direct all your name service requests

to me.”

When a server starts up, it does the same thing. It broadcasts, “Are there any browse masters out

there?” and when it finds one, it says to it, “I am a server with the following shares. Please add me

to your list of servers.” The list of servers that a browse master maintains is called the browse list,

not surprisingly.

Tip This is the really irritating thing about the browse list: it’s broadcast-based. That means that if your network isn’t

100 percent broadcast-friendly, then you’ll sometimes end up with an incomplete list of servers on your network. So if

you have a network built in more than one segment (and who doesn’t?), or you use some kinds of Ethernet switches rather

than hubs, then you may experience missing servers in the browse list. That’s part of why Microsoft is trying to phase out

the browse list. But for now, understand that the browse list is a largely lame and unreliable technology. You’ll see later

on, in Chapter 7, that you can install a service called the Windows Internet Name Service (WINS) to reduce the chance

that the browser breaks, but trust me—you’ll eventually come to a point where you’ve done everything that you can do,

but the browser still doesn’t work. When that happens, don’t feel bad—we’ve all been there. I’ll suggest some ways to make

it work better and reduce your dependence on the browser a bit later in this section.

By now, you may be wondering, “How come I’ve never seen one of these browse lists?” You

have. If you ever worked with earlier versions of NT or with Windows for Workgroups, then

you saw Figure 2.1 when you opened the File Manager and clicked Disk/Connect Network Drive.

Copyright ©2003 SYBEX, Inc., Alameda , CA www.sybex.com

WHAT’S THE POINT OF NETWORKS AND NETWORKING? 33

FIGURE 2.1

Sample browse list

from Windows for

Workgroups or

Windows NT

version 3.x

From Windows 9x or Windows NT 4, you can see a browse list by opening the Network Neighborhood

folder, as in Figure 2.2.

FIGURE 2.2

Sample browse list

from Windows NT 4

or Windows 9x

From DOS or indeed any command line, you can see a browse list by typing net view or net view

\\ machinename. You see a screen like the one in Figure 2.3.

Copyright ©2003 SYBEX, Inc., Alameda , CA www.sybex.com

34 CHAPTER 2 THE BASICS: NETWORKING SOFTWARE, SERVERS, AND SECURITY

FIGURE 2.3

Sample browse list

from a command line

Note What’s with that \\ thing? Microsoft’s network software has, since 1985, used a way of writing the names

of servers and of shares on servers called a Universal Naming Convention or UNC. It looks like \\servername\

sharename. So, for example, if I had a server named bigserver that contained a file share called mydata, I’d refer to

that share as \\bigserver\mydata—that would be the UNC for that share. You’ll learn more about this in Chapter 11,

on file shares, but I wanted to explain the mystifying \\ briefly here. And by the way, you pronounce “\\” as “whackwhack”

in the Microsoft world. Now, to my way of thinking, that’d mean that a regular forward slash— / —would

be pronounced “backwhack” in Microsoftese, but I’ve never gotten confirmation on that.

Each figure shows you the list of servers available: Aldebaran, Artemis, and Astro, just to list a

few. Other servers—Daffy and MWM66—appear only in some of the browse lists because a few

minutes passed between taking the screen shots, and a few “test” servers went up or down in those

few minutes. In all three cases, the workstations that these screens were taken from got their

browse lists from a local browse master.

You can drill down further into these browse lists, as well. In Windows 9x/Me, Windows NT 4,

2000, XP, or Server 2003 (in 2000, XP, or Server 2003, open My Network Places), you can

double-click any one of those servers and see the list of shares that the servers offer; that too, is

information from the browse list. In Windows for Workgroups or Windows NT 3.x, you’d just

click a server once, and the list of its shares would appear in the bottom pane of the dialog box. From

DOS or any other command line, you’d get the list of servers by typing net view, as you’ve already

seen, and then you get the list of shares for any given server by typing net view \\ servername, where

servername is the name of the server whose shares you want to see.

When Browse Lists Get Too Large: Workgroups to the Rescue

As I’ve described them so far, browse lists seem pretty convenient. But in the little test network

that I used for the previous screen shots, you saw only a few servers. Hell, everything works fine on

small networks.

Now let’s talk about your network. Sit down at a corporate network of any size and you see dozens,

hundreds, or thousands of servers. Scrolling down through a 500-server browse list would be a bit

Copyright ©2003 SYBEX, Inc., Alameda , CA www.sybex.com

WHAT’S THE POINT OF NETWORKS AND NETWORKING? 35

time-consuming—to say nothing of how much work the browse master would have to do to keep

it up-to-date! The problem to solve is, then, managing the size of the browse list. There are two

ways to do that:

Ÿ Reduce the number of servers in your enterprise.

Ÿ Divide the enterprise-wide browse list into several smaller browse lists called workgroups.

Disable Peer-to-Peer Sharing on Workstations

The first answer is actually a bit off the main topic, but let me digress for a moment and talk about it

before returning to the main item: workgroups. When I say, “Reduce the number of servers,” I’m

talking about an unfortunate side effect of running Windows for Workgroups, Windows 9x/ME,

Windows NT, 2000, or XP workstations—they all have the capability to become peer-to-peer

servers. The browse masters don’t distinguish between industrial-strength servers running NT Server

and low-octane peer-to-peer servers, so you could end up with a browse list that’s supposed to only

list your servers, but actually lists all of your servers and workstations. In general, I think peer-to-peer

networking is a bad idea. If a piece of data is important enough to be used by two employees, then

it’s a company asset that should be backed up regularly and so should go on a managed file server, not

a desktop machine that’s probably backed up once a decade. My recommendation is this: Disable

the peer-to-peer sharing option on your Windows for Workgroups, Windows 9x/ME, Windows

NT, 2000, and XP workstations. How you do this depends on the operating system of the workstations

in question. In NT 3.x and 4, open the Control Panel and then the Services applet; locate the

service called Server and stop it, as well as disabling it for future reboots. In Windows 9x, go to

Control Panel/Network/File and Print Sharing and make sure both options, to share files and

printers, are unchecked. In Windows for Workgroups, make sure the sharing control in Network

Setup is set not to enable file or printer sharing. In Windows 2000 and later, right-click My Computer

and choose Manage, then find the Services folder and stop the Server service. (You’ll see more

about doing this later in the book.)

Not only will your network have less traffic—workstations will no longer have delusions of serverdom,

so they won’t be chattering at the browse master all of the time—but not loading the server part

of the workstation’s operating system saves RAM on the workstation.

Divide the Browse List into Workgroups

The other approach to keeping a browse list to a manageable size is to subdivide it in some way.

That’s a reasonable thing to suggest if you realize that, no matter how large an organization seems

to be, it’s usually composed of lots of smaller groups, such as Manufacturing, Sales, Marketing,

Accounting, Finance, Personnel, Senior Management, and so on. Each of those groups can be called

workgroups, and you can pretty much chop up your enterprise into workgroups in any way you like

(but a rule of thumb says that a workgroup should be a group of people for whom 95 percent of the

data generated by that group stays within that group).

From a more network-technical point of view, the minimum definition of a workgroup is just

a group of workstations that share a browse list. (That’s my definition, not Microsoft’s.) The idea is that

when someone in Accounting opens up her browse list, you want her to see just the Accounting

servers, not the Manufacturing servers, as she has no use for the Manufacturing servers. (Besides,

Copyright ©2003 SYBEX, Inc., Alameda , CA www.sybex.com

36 CHAPTER 2 THE BASICS: NETWORKING SOFTWARE, SERVERS, AND SECURITY

there’s a good chance that she doesn’t have permission to access the Manufacturing servers anyway—

but I’ll get to workgroups and security in a little bit.) How do you join a workgroup? See the sidebar

“How Do I Join a Workgroup?”

Note Workgroup names are like Windows 9x and NT 3.x/4.x machine names and can be up to 15 characters long.

So, to review what you’ve seen so far:

Ÿ Network browse lists allow a user at a workstation to see all of the servers on the network, and

from there to see all of the shares on a given server.

How Do I Join a Workgroup?

Generally, all you need to do is to tell the networking software on your workstations and servers that

they’re members of a given workgroup. There isn’t any “security” in being part of a workgroup—you

pretty much just declare yourself a member and you are a member. (As a matter of fact, if you misspell the

name of the workgroup, you end up accidentally founding a whole new workgroup all by yourself, which

I’m sure was not your intention!)

Specifically, you designate which workgroup you’re a member of in one of the following ways:

From a DOS or Windows for Workgroups workstation In the [network] section of the SYSTEM.INI

file you’ll find a WORKGROUP=parameter. (You’ll have a SYSTEM.INI even if you’re just running DOS,

because the network client software creates one.) You can also set the workgroup from the MS-DOS Network

Client Setup program, or in the Windows for Workgroups’ Network applet of the Control Panel.

From Windows 9x Open the Control Panel and double-click the Network icon. In the property sheet

that you see, click the Identification tab. You see the place to fill in the workgroup name.

On Windows NT 3.x Open the Control Panel and double-click the Network applet. You’ll see a button

labeled Domain or Workgroup. (NT has a kind of confusing way of blurring workgroups and domains,

which I’ll make clearer later in this chapter.) Click that button, and you can change the workgroup you’re

a member of. Again, NT complicates choosing a workgroup somewhat, so read the rest of this chapter if

you want to change an NT workgroup.

On Windows NT 4 Open the Control Panel and double-click the Network applet. Like Windows 9x,

Windows NT 4 has a property sheet with an Identification tab. Click Change to change the workgroup.

Again, with NT you may see no references to workgroups at all; instead you see references to

domains. Read on to understand the differences.

On Windows 2000 If you’re a member of a domain, then do not join a workgroup—I’ll explain that

in a minute. Otherwise, right-click My Computer and choose Properties. Click the Network Identification

tab and then the button labeled Properties. Fill in a new workgroup in the field named Workgroup;

then close the dialog box and reboot.

On Windows XP and Server 2003 Right-click My Computer and choose Properties. (You may have

to click the Start button to find My Computer.) Click the tab labeled Computer Name, then the button

labeled Change. In the resulting dialog box, you’ll see the choice to become a “Member of:” either a

domain or a workgroup. Click the radio button next to Workgroup and fill in the workgroup name,

then close the dialog box and reboot.

Copyright ©2003 SYBEX, Inc., Alameda , CA www.sybex.com

WHAT’S THE POINT OF NETWORKS AND NETWORKING? 37

Ÿ Browse lists can get fairly long, so you can partition your entire network into workgroups, which

are just groups of people that share a browse list.

Ÿ When you request a browse list, you don’t get the entire list of servers in your enterprise

network, you only get the list of servers within your workgroup.

Ÿ Each workgroup has one or more servers that act as gatherers of browse information. They’re

called browse masters or master browsers, and they’re picked automatically.

Ÿ Machines that are only workstations and don’t act as servers even in a peer-to-peer capacity

do not appear on browse lists.

As the question of what machines go on a browse list and what machines don’t is important to the

length of a browse list, let me list the kinds of machines that can act as servers in a Microsoft

enterprise network:

Ÿ Windows 3.x (with the Workgroup Add-On for MS-DOS clients)

Ÿ DOS (with Workgroup Add-On for MS-DOS clients)

Ÿ Windows for Workgroups

Ÿ Windows 9x/Me

Ÿ NT Workstation

Ÿ NT Server

Ÿ Windows 2000 Professional

Ÿ Windows Server 2003

How Do I View a Browse List?

Microsoft has built different browse programs into its various network client software.

From a DOS or NT/2000/XP/2003 Command Line Type net view. That shows you the list of

servers. You can view the shares on a given server by typing net view \\servername. To see the browse

list for a workgroup other than your own, type net view /workgroup:workgroupname.

From NT, 2000, XP or Server 2003, don’t use /workgroup: in the command; instead, use /domain:.

From Windows for Workgroups or Windows NT 3.x Open the File Manager, click Drive, and then

click Connect Network Drive. You’ll see a window with two panes. The browse list for your workgroup

and a list of the other workgroups on the network appears as the list of possible servers in the top pane and,

when you click a server, that server’s shares appear in the bottom pane. To see the browse list for a

workgroup other than your own, double-click the name of the workgroup in the top pane.

From Windows 9x or Windows NT 4 Open the Network Neighborhood folder. You’ll see the servers

in your workgroup represented as PC icons in a folder. Double-click one of the servers, and a folder

will open up showing you the shares. To see the browse list for a workgroup other than your own,

double-click the Entire Network icon and you’ll see a list of workgroups. On Windows NT 4, click

Entire Network and then Microsoft Network, and you’ll get a list of the other workgroups.

Continued on next page

Copyright ©2003 SYBEX, Inc., Alameda , CA www.sybex.com

38 CHAPTER 2 THE BASICS: NETWORKING SOFTWARE, SERVERS, AND SECURITY

As it’s an unusual product, let me just explain that the Workgroup Add-On for MS-DOS is a

separate Microsoft product that lets you use a DOS machine as a peer-to-peer server. (Also, it’s pretty

old, so I have no idea where you’d get a copy these days.) Again, I recommend that you disable file

and print sharing on all of these machines except, of course, for the machines dedicated to the task

of being servers, all of which are probably running NT Server.

And once you’re in a workgroup, you’ll no doubt want to see your browse list; the sidebar “How

Do I View a Browse List?” tells you the specifics.

Now, if you tried that on a working network, then you might have gotten one of NT and family’s

less helpful responses, like “System error 1230 has occurred.” That gives me the chance to offer another

important bit of advice for anyone using a modern Microsoft operating system: how to convert a

numeric error code into a bit of explanatory English text—see the sidebar for more information.

Before leaving the topic of the browser, let me offer one more piece of advice: try to avoid it,

as it’s unreliable. If your users need access to particular file shares, then you can deliver access to those

shares in a few ways. First, you can map file shares, which means that you can create imaginary drive

letters on your user’s workstations. In other words, if the user often uses \\server1\compdata, then

you could set up her workstation so that she’d see a new drive V: which isn’t a local hard disk—

although it looks like a local hard disk—but is instead a network drive. Or you could simply create a

shortcut to the UNC on her desktop. You’ll learn how to do both of those things in Chapter 11.

How Do I View a Browse List? (continued)

From Windows 2000 If your system is in a workgroup, open My Network Places and then the icon

labeled Computers Near Me. If your system is part of a domain, then that icon isn’t available. Instead,

open My Network Places and the icon labeled Entire Network, then the icon named Microsoft Windows

Network. You’ll see one or more icons representing the workgroups on your network—open the

one representing your workgroup and you’ll see your workgroup’s browse list.

From Windows XP or Server 2003 Open My Network Places. It might be on your desktop, or it

might be on the Start menu, or you might have to right-click the Desktop and choose Properties, then

click the Desktop tab, followed by the Customize Desktop button, then check the box next to My

Network Places and click OK twice. My Network Places will be on your desktop. Once you have My Network

Places open, then you’ll either see a Network Task on the left of the folder labeled View

Workgroup Computers or you might have an icon labeled Entire Network, in which case you should

double-click that, then double-click Microsoft Windows Network. You’ll then see an icon of three PCs

representing your workgroup—click that and you’ll get your workgroup’s browse list.

How to Convert a Numeric Error Code to English Text

Just type net helpmsg number, where number is the error code. For example, you’ll probably stumble

across error 5 now and then: “access is denied.” It means that you didn’t have the right to do something

that you tried to do. Another common one is error 53, “the network path was not found.” It means that you

tried to access some server that the system can’t find or, as is usually the case for me, you misspelled the

server’s name.

Copyright ©2003 SYBEX, Inc., Alameda , CA www.sybex.com

SO WHY USE NT/2000/SERVER 2003? 39

Summary: The Necessary Evils

I hope in this section that I’ve provided a bit of an answer to the question, “Why do we have to worry

about all of this stuff just to get a mail server up and running?”

Ÿ First, you need a piece of server software that can accomplish whatever it is that you’re trying

to do—Web server, mail server, or whatever.

Ÿ Next, you need to be compatible with and connected to a physical network that connects to

your clients—either the public Internet or a private network of some kind.

Ÿ Then your server must move its data around in the same way that your clients’ machines do,

using the same network language or protocol, probably TCP/IP. TCP/IP itself will require

some server functions as well, to maintain it.

Ÿ It wouldn’t be necessary in a perfect world, but in our imperfect world your network needs to

protect its data with a security system, and in today’s world that unfortunately means an

elaborate security system.

Ÿ Finally, you’ll need some way of finding what you put in that network, once you’ve got it working.

Active Directory will become that way in the future, but for now it’s a kludgy thing called

the Computer Browser that you see in My Network Places.

So presumably you now see why your network needs so many moving parts. Why buy them from

Microsoft?

So Why Use NT/2000/Server 2003?

I hope that by now I’ve convinced you that networking seems like a good thing. But you could build

your network atop any number of operating systems, including Unix, Linux, Novell NetWare,

IBM’s OS/400 or MVS, or Compaq’s VMS, just to name a few. Why NT or its most recent incarnation,

Windows Server 2003?

Well, understand when I answer that question that (1) I’m not from Microsoft, (2) I’m not

here to sell NT/2000/2003 to you, I’m just here to tell you how to make it work, and (3) the reality

of the matter is that every one of the OSes that I just named are good products that have not only

their adherents and detractors, but that also have many solid positive features. After decades of

business computer use, the market has filtered out both the truly terrible products and some perfectly

good but inadequately marketed products, leaving only products that are at least competent (and

always well-marketed). So if you want to read that Server 2003 is not only your best choice, but also

that you’re a total fool to try to use anything else, then I’m afraid you’ve come to the wrong place. Yes,

I like NT, including its latest incarnation (Server 2003), but it’s not the only answer.

But it is a very good answer. Here’s why.

It’s the Market Leader

Most stats that I see say that the Microsoft family of operating systems has the largest market share—

43 percent of servers according to the last set of numbers that I saw. Being part of the biggest market

share means that it’s easier to find consultants, support, and third-party tools. Oh, and it also means

that there’s plenty of demand for your services once you become an expert!

Copyright ©2003 SYBEX, Inc., Alameda , CA www.sybex.com

40 CHAPTER 2 THE BASICS: NETWORKING SOFTWARE, SERVERS, AND SECURITY

Its Familiar GUI Makes It Easier to Get Started

The fact that Windows Server 2003 uses a GUI that is basically the same as Wintendo—oops,

I meant Windows 9x/Me—means that hundreds of millions of people already know how to navigate

the 2003 Desktop. Yes, some things have been moved around, but in general once you know

Windows, you know how to get around on 2003.

In contrast, I have recently done a lot of work with Linux and, while it’s a quite powerful operating

system, the user interface is not for novices; even its multitude of GUIs are still clumsy, although that’ll

probably change with time. (That’s not to say that you shouldn’t use Linux—just that I think the

Microsoft OSes have an easier-to-use GUI.) With 2003, you can often figure out how to solve a

problem by noodling around in the GUI—it lends itself more to exploration than would an operating

system that relies mainly upon command-line commands to control it.

Many Tools Come “in the Box”

When NT 3.1 first came out, it was pretty amazing that it came with a dial-in module and a host

of other goodies that you had to buy separately in order to run its competition at the time, Novell

NetWare. NT had a free TCP/IP stack when many other OSes were charging big bucks for it, a

free Web server, and so on. Since then, other server operating systems have continued to include

more and more things with the basic operating system—for example, the variety of tools that comes

with Linux is nothing short of stunning—but Microsoft has kept the heat on the competition by

including a variety of new tools with every release. At this point, the basic version of Server 2003

includes (in addition to its basic functionality of a file and print server) a Web server, an FTP server,

a sophisticated Internet router, automated workstation rollout tools (Remote Installation Services),

centralized software distribution tools (Group Policies), a two-level disk storage system (Remote

Storage Manager), encryption (Encrypted File System), an e-mail server, a SQL-based database server

and lots of other tools.

Not all of the tools are stellar; for example, the disk quota system, which allows you to keep any

given user from stealing all of the disk space on the shared file servers, is pretty lame. But because

Server 2003 provides at least a basic quota functionality, the many shops that are trying to minimize

the number of vendors they deal with can get an awful lot of their networking needs met in just

one package: Server 2003.

When you view Microsoft products, bear in mind that you usually won’t encounter really cuttingedge

tools; in my judgment, that’s not Microsoft’s market niche. Instead, they seem to focus on

incrementally improving existing products, as well as adding new tools by imitating competitors. Not

being the first on the block can sometimes be a pretty good thing, as you get to watch the competition’s

mistakes. Very little in Windows Server 2003 is truly never-seen-before-in-the-world new.

Instead, it’s a distillation of a lot of other people’s good ideas. Yes, some may see that as stealing

other people’s good ideas, and there’s some merit to that view. And Microsoft has what some might

call an unfair advantage in that they’ve got enough money to keep trying and trying and trying; for

example, their first two networking products, MS-NET and LAN Manager, were pretty weak

compared to the competition’s, but they had the money and tenacity to keep slugging away it, finally

releasing the far-better NT product. Another example of this strategy occurred in 2001, with

Microsoft’s release of the Pocket PC 2002 operating system. They’re trying to crush the PalmOS

guys in the palmtop market, and they’ve made two weak attempts with Windows CE 1.0 and 2.0, but

Copyright ©2003 SYBEX, Inc., Alameda , CA www.sybex.com

A BRIEF HISTORY OF NT 41

they’re learning. I don’t know if Pocket PC will beat PalmOS—as a long-time Palm user, I tend to

think not—but they’ll definitely steal more of PalmOS’s market share with Pocket PC than they ever

did with Windows CE.

And while Microsoft’s detractors like to paint Microsoft as nothing but a bunch of rip-off artists,

it’s actually hard to find who originated these ideas. Some say that Microsoft stole Novell and Apple’s

best ideas; well, Novell certainly didn’t invent networking, and their IPX/SPX protocol is blatant

“theft” of a Xerox protocol. Apple didn’t invent the GUI that Microsoft supposedly stole—Xerox

did. (Hmmm, maybe there’s a pattern here.) Nor is Active Directory a rip-off of an original Novell

product, Netware Directory Services—NDS is based on a directory standard called X.500 and terms

that many people think that Novell invented, like “organizational unit,” are X.500 terms. In any case,

it is something of a comfort for people to be able to buy a single product that is a decent fit for just

about all of their networking needs, instead of looking for the best of breed in each area. Why?

Anyone who’s ever tried to troubleshoot a multivendor network problem knows why: Both vendors

just point the finger at the other vendor and say, “That’s him—he’s the guy causing your problem.”

(They’re hoping you’ll get tired and go away. Most of us do, sadly.)

In contrast, the same people are developing all of 2003’s pieces; so you have to believe that at some

point someone would have noticed if they didn’t fit together. Or that if someone didn’t notice it before

they shipped, they’ll get around to fixing it afterward.

In sum, why use 2003? It’s fairly reliable, it does most of what you want a network operating

system to do, it’s reasonably priced, and enough other people use it that you’re probably not going

to go terribly wrong.

A Brief History of NT

Let’s finish this chapter with a look at how NT has grown and changed since its early days.

Even in the early 1980s, Bill Gates knew that networking was a key to owning the computer

business. So, on April 15, 1985, Microsoft released its first networking product, a tool called

MS-NET, and its companion operating system, DOS 3.10. Most people knew about the new DOS

and were puzzled at its apparent lack of new features. What it contained, however, were architectural

changes to DOS that made it a bit friendlier to the idea of networks.

Now, Microsoft wasn’t big enough at that time to create much hoopla about a new network operating

system, so they let others sell it—no matter how high or low you looked, you couldn’t buy a product

called MS-NET. Instead, it sold mainly as an IBM product under the name of the IBM PC Network

Support Program; IBM viewed it as little more than some software to go along with their PC Network

LAN boards and, later, their Token Ring cards. The server software was DOS-based, offered

minimal security, and, to be honest, performed terribly. (Believe me, I know; I used to install them for

people.) But the software had two main effects on the market.

First, the fact that IBM sold a LAN product legitimized the whole industry. IBM made it possible

for others to make a living selling network products. And that led to the second effect: the growth of

Novell. Once IBM legitimized the idea of a LAN, most companies responded by going out and

getting the LAN operating system that offered the best bang for the buck. That was an easy decision:

NetWare. In the early days of networking, Novell established itself as the performance leader. You

could effectively serve about twice as many workstations with Novell NetWare as you could with any

of the MS-NET products. So Novell prospered.

Copyright ©2003 SYBEX, Inc., Alameda , CA www.sybex.com

42 CHAPTER 2 THE BASICS: NETWORKING SOFTWARE, SERVERS, AND SECURITY

As time went on, however, Microsoft got better at building network products. 3Com, wanting to

offer a product that was compatible with the IBM PC Network software, licensed MS-NET and

resold it as their 3+ software. 3Com knew quite a bit about networking, however, and recognized the

limitations of MS-NET. So 3Com reworked MS-NET to improve its performance, a fact that didn’t

escape Microsoft’s attention.

From 1985 to 1988, Microsoft worked on their second generation of networking software. The

software was based on their OS/2 version 1 operating system. (Remember, Microsoft was the main

driving force behind OS/2 from 1985 through early 1990. Steve Ballmer, Microsoft’s number two

guy, promised publicly in 1988 that Microsoft would “go the distance with OS/2.” Hey, the world

changes and you’ve got to change with it, right?) Seeing the good work that 3Com did with

MS-NET, Microsoft worked as a partner with 3Com to build the next generation of LAN software.

Called Microsoft LAN Manager, this network server software was built atop the more powerful

OS/2 operating system. As with the earlier MS-NET, Microsoft’s intention was never to directly

market LAN Manager. Instead, they envisioned IBM, 3Com, Compaq, and others selling it.

IBM did indeed sell LAN Manager (they still do in the guise of OS/2 LAN Server). 3Com sold

LAN Manager for years as 3+Open but found little profit in it and got out of the software business.

In late 1990, Compaq announced that they would not sell LAN Manager because it was too complex

a product for their dealers to explain, sell, and support. Microsoft decided then that if LAN Manager

was to be sold, they’d have to do the selling, so on the very same day as the Compaq withdrawal, they

announced that they would begin selling LAN Manager directly.

Note Interesting side note: Ten years after Compaq decided that their sales force couldn’t sell network software,

they reversed direction and said that they’d sell a special version of Windows 2000 called Datacenter Server. It’s

special because you cannot buy it from Microsoft—you must buy it preinstalled on specially certified vendor hardware.

In other words, the hardware vendors (Compaq’s not the only one selling Datacenter) now believe that they can sell

complex network operating systems. I wish them the best of luck, but stay tuned to see the outcome of this particular

marketing maneuver!

LAN Manager in its first incarnation still wasn’t half the product that Novell NetWare was, but

it was getting there. LAN Manager 2 greatly closed the gap, and in fact, on some benchmarks LAN

Manager outpaced Novell NetWare. Additionally, LAN Manager included administrative and security

features that brought it even closer to Novell NetWare in the minds of many network managers.

Slowly, LAN Manager gained about a 20 percent share of the network market.

When Microsoft designed LAN Manager, however, they designed it for the 286 chip (more

accurately, I should say again that LAN Manager was built atop OS/2 1.x, and OS/2 1.x was built

for the 286 chip). LAN Manager’s 286 foundation hampered its performance and sales. In contrast,

Novell designed their premier products (NetWare 3 and 4) to use the full capabilities of the 386 and

later processors. Microsoft’s breakup with IBM delayed the release of a 386-based product and, in a

sense, Microsoft never released the 386-based product.

Instead of continuing to climb the ladder of Intel processor capabilities, Microsoft decided to

build a processor-independent operating system that would sit in roughly the same market position

as Unix. It could then be implemented for the 386 and later chips, and it also could run well on other

processors, such as the PowerPC, Alpha, and MIPS chips. Microsoft called this new operating system

NT, for new technology. Not only would NT serve as a workstation operating system, it would also

Copyright ©2003 SYBEX, Inc., Alameda , CA www.sybex.com

A BRIEF HISTORY OF NT 43

arrive in a network server version to be called LAN Manager NT. No products ever shipped with that

name, but the wallpaper that NT Server displays when no one is logged in is called LANMANNT.BMP to

this day.

In August 1993, Microsoft released LAN Manager NT with the name NT Advanced Server. In

a shameless marketing move, they labeled it version 3.1 in order to match the version numbers of the

Windows desktop products. This first version of NT Advanced Server performed quite well.

However, it was memory-hungry, lacked Novell connectivity, and had only the most basic TCP/IP

connectivity.

September 1994 brought a new version and a new name: Microsoft Windows NT Server version 3.5.

Version 3.5 was mainly a “polish” of 3.1; it was less memory-hungry, it included Novell and

TCP/IP connectivity right in the box, and it included Windows for Workgroups versions of the

administrative tools so network administrators could work from a Workgroup machine rather than

an NT machine. Where many vendors would spend 13 months adding silly bells and whistles, NT 3.5

showed that the Microsoft folks had spent most of their time fine-tuning the operating system,

trimming its memory requirements, and speeding it up.

In October 1995 came NT version 3.51, which mainly brought support for PCMCIA cards

(a real boon for us traveling instructor types), file compression, and a raft of bug fixes.

NT version 4, 1996’s edition of NT, got a newer Windows 95–like face and a bunch of new

features, but no really radical networking changes. Under the hood, NT 4 wasn’t much different from

NT 3.51.

From mid 1996 to early 2000, no new versions of NT appeared, an “upgrade drought” such as

we’d not seen in quite some time from Microsoft. Then, in February 2000, Windows 2000 (“NT 5.0”)

shipped. 2000 included a whole lot of new stuff, but perhaps the most significant was a new way of

storing and organizing user accounts and related information: Active Directory domains. Closely

following AD in importance was the then-new notion of group policies, something that you’ll see has

become quite important to anyone wanting to run a network based on XP and Server 2003.

The next version of NT shipped in pieces for the first time since 1993. First NT Workstation 5.1

or, as it’s better known, XP Professional and its lesser sibling, XP Home. Microsoft intended to

follow up with the server version of NT 5.1, but events conspired to compel them to wait a bit longer,

and produce NT Server 5.2—that is, Windows Server 2003. As you read in the last chapter,

it’s a “1.1” version of Windows 2000, a welcome improvement to 2000’s fit and finish.

That’s not the end of the story for NT. Sometime in 2004 or 2005, we will see a re-unified

NT (5.3? 6.0? Time will tell) code-named Longhorn. That in turn will pave the way for yet another

version of NT, code-named Blackcomb, but let’s wait for another edition or two of this book to cover

that product.

Well, I hope this chapter wasn’t boring for those already expert in NT—I did warn you!—and

helped bring the newbies up to speed. No matter what version of NT you’re running, however, you’ll

need to configure it. And there are, as there always have been, two main ways to do it. The preferred

way is through the GUI with windowed programs that offer help and a bit of error-checking, or its

somewhat more complex relatives, the command-line tools. The less-preferred, but often necessary,

way is to directly tweak some setting in its lair … a place called the Registry. The next two chapters

introduce these two configuration approaches.

0 Responses to “The Basics: Networking Software, Servers, and Security”