Our book entitled "Windows NT Administration: Single Systems to Heterogeneous Networks" contains an appendix that invites readers to send in administration questions. This is a free service. The questions help us to select new material for future editions of the book. This file contains many of the more general questions that we have received recently. If you are administering an NT machine or network, then you may find some of the answers useful. If you have questions of your own, feel free to send them to us.

The email address for our information server is "info@iftech.com". This server distributes free supplements, updates, corrections, etc. Send questions to "questions@iftech.com". These are Internet email addresses. If you address a message to "INTERNET:info@iftech.com" in CompuServe's email program, it will reach the Internet correctly.

--------------------------------------------

Frequently Asked Questions (Administration)
Updated 5/11/94

A supplement to "Windows NT Administration: Single Systems to Heterogeneous Networks" by Marshall Brain and Shay Woodard, ISBN 0-13-176694-5. To order a copy call 1-800-947-7700.

Copyright (C) 1994 by Interface Technologies, Inc. All Rights Reserved. Provided by the Interface Technologies information service. Send mail to info@iftech.com for more information.

=====================================================================

1) Why are all script files (logon scripts, at scripts, etc.) located in the directory c:\winnt\system32\repl\import\scripts?

The NT Advanced Server supports a replication service that causes the advanced server to automatically copy files into this particular directory. When you have the Advanced Server running on a network, you place your script files in its export directory and they end up in this import directory on the target machines. Forcing you to put these scripts in this directory prepares you for the day when the replication service starts working on your network.

The book describes how to set up the replicator on your advanced server.

=====================================================================

2) When I disconnect a machine from the network and try to run it stand-alone, it will not boot. Why?

If the machine has an Ethernet network adapter with a thin-coax (10BASE2) connector installed, try attaching a terminating resistor to the BNC connector on the card so that the adapter sees a properly terminated segment even though no cable is attached.

=====================================================================

3) I've given EVERYONE permission to access a certain directory or printer, but certain users get "permission denied" messages. Why?

EVERYONE does not mean "anyone, without authenticating". A user who has no account on the machine holding the resource can only become a member of EVERYONE there by being logged in under that machine's Guest account. For example, say Mary tries to connect to a disk that has EVERYONE permissions, but the machine holding the disk does not have an account for Mary. What NT will try to do is log Mary's connection in under the Guest account. If either machine does not have a Guest account, or if the Guest account on either machine is disabled, or if the Guest accounts on the two machines have different passwords, the authentication will fail and Mary won't be able to connect. Before you enable Guest to fix this, remember that doing so opens every EVERYONE-accessible resource to any machine that can reach the server; creating an account for Mary is the more controlled fix.

=====================================================================

4) I have a machine that has no network card installed, but I want to configure it for use with RAS. How do I do that?

When you first install NT, it will get to the network portion of the install and it will try to detect the network card. Let it do that automatically, and it will come to the realization that there is no network card and give you a "remote" option. At that point select the remote option and you should be OK. Just set up the modem with the RAS server and then set up the client to dial, and you are ready to go.

When we first did our NT installation on a Gateway Nomad, we had a normal mouse hooked to COM1.
When the installation program got to the "remote network" part, it looked out and saw the mouse on COM1, realized there was no COM2, and then aborted the net installation halfway through. This left the system in an awkward state network-wise when NT booted, and RAS would NOT work. I diddled with this for about 2 hours. When I looked in the event log, I got an error on the NetBEUI portion, so in the network applet of the Control Panel I removed the NetBEUI portion and reinstalled it. Then I got an error in the NetBIOS portion, so I removed and reinstalled it. Then I got an error in the workstation portion. I removed and reinstalled it. But then a funny thing happened: when I rebooted and came back and clicked the network applet in the Control Panel, NT automatically brought up Windows NT Setup and proceeded to completely reinstall the network portion. This time, since I had no mouse connected, everything went OK and RAS worked fine. I do not know what triggered the reinstallation, but I suspect that if you were to remove NetBEUI, NetBIOS, and Workstation, that would do it. (BTW, during reinstallation I got messages about stuff being already loaded and to "use Update to reconfigure". I never had to update anything, so I'd say those messages are meaningless.) Looking back, it probably would have taken less time to reinstall NT from scratch using the PS/2 mouse.

=====================================================================

5) I try to run Microsoft Works (16-bit version) under NT, but when I try to print to a network printer I get an "invalid port" message because the port is NET:. Is there a work-around? Printing works fine from Microsoft Word, but not from Works.

You might try looking for a later version of the product, or simply switch over to Word, or print from a local printer.

=====================================================================

6) A user of mine typed "telnet" and it said "contact your system administrator", so he contacted me. What do I do now?

Look at chapter 14 of the book, which discusses the installation of the TCP/IP module. That module is required for the telnet command to work. Once you install and configure the TCP/IP module, telnet will work. Keep in mind that telnet sends the user name and password across the network in clear text (the same point question 31 makes about FTP), so only use it on a network you trust.

=====================================================================

7) How can I send a message to one user, or all users, on the network?

First, you have to make sure that the "messenger" service is automatically starting on all workstations on the net. See Chapter 7. Then you can say:

    net send name "message"

where "name" is the name of a machine or a user, and "message" (in quotes as shown) is your message. To broadcast a message say:

    net send /BROADCAST "message"

For more information, type:

    net help send

at the command line.

=====================================================================

8) The following is a big question, its followups, and the answers:

>We have an HP 7000 running UNIX and 5 PCs. The PCs are running INGRES
>Windows4GL on Windows 3.1 and are accessing the INGRES server running
>on the HP. The PCs use LANWorkPlace for DOS (a Netware product for
>providing TCP/IP). We are now expanding the network to include 20 PCs and
>a file server. We have options of either going to Novell or Microsoft.
>Netware being around for a long time is quite stable, whereas with
>NT comes uncertainty. Still, NT looks better in the long run and is
>certainly better than having 3 different environments (Netware,
>Windows, and UNIX).
>
>If we go with NT, should we install NT or Windows for Workgroups
>on the PCs? Should we install Windows NT or NTAS on the file server?
>Would you be able to share with me some of the reasoning behind
>going with NT? What has been your experience integrating UNIX,
>WFWG and NT? What types of problems have you faced? It will
>surely help me a lot in implementing the network at our project.

In our office we have a network very similar to the small one you describe.
It consists of a UNIX box, 3 NT machines, a WFWG machine, and a portable running WFWG that hooks in via RAS. We use the NT machines to work on. We all came from a UNIX environment, and we prefer NT because: 1) it is secure, 2) it handles TCP/IP inherently, without having to use an add-on package, 3) it is a real system--preemptive multi-tasking, multiple threads--so you can do more. We have the WFWG machine on the net for 3 reasons: 1) we have a CD-ROM drive that NT does not yet recognize, so the WFWG machine handles it and shares it on the net, 2) we have a fax modem and winfax, and winfax does not run under NT, and 3) we use stacker on the hard disk to double the space, and archive older material to that drive--NT does not support stacker functionality. The portable runs WFWG because it does not have enough memory to run NT, and because we use stacker on its 120 meg hard disk to turn it into a useful-size drive.

Our experience with NT is that it is stable and complete. I, for example, do all of my work in NT every day without incident. One of our NT machines runs NTAS and acts as our domain controller. That is extremely nice because it centralizes the account list and lets anyone log in anywhere on the net. This is not possible with WFWG. Overall, an NT/WFWG network works EXTREMELY well, and everything interoperates without problems on a daily basis. The UNIX machine integrates as well, and we can, for example, telnet to it to read mail, ftp, etc.

In your letter you ask whether to run WFWG or NT on the PCs. There are 2 reasons to run NT: 1) security (that's important to us), and 2) flexibility. With WFWG, each person "has their own machine" and it is not very easy to move around. With NT machines and NTAS on one machine acting as the domain controller for the network, it does not really matter which machine you log into--your account can move around to different machines.

The only problems with making every machine an NT machine are 1) NT really needs to have at least a 25MHz 486 with 16 meg RAM, and 2) some hdwr and sw, like winfax and our CD-ROM drive, do not work under NT. We solved that problem by putting all non-compatible stuff on our one WFWG machine. WFWG is good for low-end machines, and it will integrate into an NT network very nicely.

Followup questions:

> What happens to the office productivity apps like word, XL etc? Do they
> reside on one of the m/c running let us say NT like a traditional network
> copy of the app. or all these apps reside on each of the machines locally?

You can do either. For example, I have a copy of normal Word 2.0 on my machine's hard disk. However, I run a copy of Works over the net. Word 6.0 comes with specific instructions for running over the net. In my case, Word prints over the net to a laser printer on the WFWG machine, and that works fine. We do not have any applications here that do not run under NT, with the exception of that winfax code.

> Have you found any 3rd party NFS software for the NT?

There is something called SOSSNT. It is available on CompuServe, and I believe it's also on Microsoft's FTP site. We have used it without problems.

> Is the NT tape Backup good enough to backup any disk on the network and
> then restore it back?

Yes, it can see all drives on the net. We back up to a WangDAT DAT drive and can do the whole net (about 1.2 Gig) in roughly 2 hours. Conner also sells a more advanced program called Backup Exec.

> How do you find the performance on the network?

Quite good. For example, all of our home directories are on the NTAS machine, and even when compiling it's got good performance.

> What kind of Ethernet adapters are you using (Have started sounding
> INQUISITIVE here ??; but I do want to know so as not to go wrong on the
> config I am planning).
> Are they 16/32 bit EISA /ISA

We are using Intel Ether Express 16 cards in all machines, because they were originally Windows for Workgroups machines and that's the card that ships with WFWG when you get the hw/sw bundle. No problems. Regular 16-bit ISA cards.

> Please tell me the graphic cards/accelerators you find good enough to
> work with and haven't found any driver availability problems with NT?

We have all Gateway machines. Three have VESA bus cards from ATI, and NT ships with those drivers. (There is, BTW, a hdwr compatibility list available in the winnt forum.) The WFWG machine has some weird card with its own drivers. The UNIX machine has an old VGA card. The portable, when it was running NT, supported only 640x480 graphics and that worked fine. The VESA cards are very fast.

> I also come from the UNIX background and here I am trying to replace NT
> by UNIX ( in future may be when the DB server we are running on UNIX is
> available for NT too). I would also love some feedback on running NT on
> RISC. Do you have any thoughts on which OS will perform better (just
> raw performance) on same H/w running the same apps.?

I have never had a chance to compare, for example, SCO UNIX vs. NT running on the same hardware, or OSF/1 vs. NT on an Alpha box. The last issue of Byte ran a comparison of two Alphas, one with UNIX and one with NT, but I don't have that issue here. You might want to check it out.

> Your tips are quite important to me and I do look forward to them

Hope that helps. Good Luck! MB.

=====================================================================

9) When I work from home I use RAS, and I would like for it to connect automatically whenever I log in. How can I do that?

There is a command called "rasdial" that you can use. Type "rasdial /?" for more information on parameters. Add it to your login script. Do not put your password into the script, where anyone who can read the script can read it: rasdial prompts for the password if you give "*" in place of the password argument.

=====================================================================

10) I am using WfWG ver. 3.11, and want to use RAS to connect to my NT machine with a modem (or null-modem cable). However, the maximum speed seems to be 9600 bps. Is there a way to speed things up?

If you try to connect WfWG to NT via RAS with a null-modem cable and it does not work, then you probably have the speeds for the NT server and RAS clients out of sync. Once they match, it should connect provided all the cabling is correct. You set the speed in NT in the Network applet of the Control Panel. In WfWG, you set the speed by clicking the "Edit" button for the null-modem entry, then clicking the "Modem" button and changing the "Initial Speed". If the Initial Speed seems to be limited to 9600 bps, exit WfWG and edit the file named serial.ini. Change both the MAXCARRIERBPS and MAXCONNECTBPS entries to 38400.

=====================================================================

11) How much memory does an NT machine really need to be "comfortable"?

It depends on what kind of machine it is and what the machine is doing, but we can give you some feedback from personal experience in our office. In our office we have 486-based PCs running NT. We do a lot of compiling with Visual C++. We also do a lot of word processing with Microsoft Word ver 2.0 and 6.0. To do that, you need at least 16 meg. However, 24 meg is where NT is "comfortable". For example, to insert a drawing in a Microsoft Word document with 16 meg takes 30 seconds, but with 24 meg it takes 7. There is not a tremendous improvement if you add any more. 24 meg is therefore, in our experience, a good low-end number to shoot for. 32 meg is a good round number to shoot for. Also note that if you have to decide between spending money on memory or a faster CPU, memory will have a much bigger effect if you are currently at or below 16 meg of RAM.

=====================================================================

12) I have a user who has been running Microsoft Word without difficulty for the past month.
Today when the user starts Word 2.0 it dies with a "divide by zero" error. When he runs Word 6.0 it gives an application error. What is wrong?

Try shutting down and rebooting the machine. Something has become corrupted in the 16-bit subsystem.

=====================================================================

13) I have created a new group called "Students" and then created new accounts that are members of that group only. I gave the Students group only the right to Log On Locally. However, students are still allowed to shut down the machine. Since I haven't given them the right to shut down, why are they able to do it?

If you look at the "Shut down the system" right in the User Rights dialog of the Policies menu of the User Manager, you will see that the group Everyone holds that right by default. Every account is a member of Everyone, whatever other groups you put it in, so your students inherit the right from there. Remove Everyone from that right and grant it only to the groups that should have it, such as Administrators. It is worth making the same check on the other rights Everyone holds: a right granted to Everyone is granted to every account you create later.

=====================================================================

14) How can you find out who are the members of a particular group in the User Manager?

Select the group in the lower half of the User Manager window and choose Properties from the User menu (or double-click the group). The group properties dialog lists the members.

=====================================================================

15) How can I administer the account list of another machine on my network? For example, I have a peer-to-peer network and I want to administrate all of the account lists from my machine without having to walk around to each one.

In the Resource Kit you will find the User Manager for Domains (or if you have the Advanced Server it contains the same tool). In the User menu there is a Select Domain option. If you type "\\machinename" into the domain area you will be able to edit the local account list on the machine named "\\machinename", provided your account has administrator rights on that machine. You can run the User Manager for Domains on any NT machine.

=====================================================================

16) When I select certain physical disk counters in the performance monitor they remain at zero at all times. Why?

Open an NT command prompt and type "diskperf -Y", and then shut down and reboot the machine. This will turn on the disk counters but degrade disk performance by 2%-3%. Run "diskperf -N" and reboot again when you no longer need them.

=====================================================================

17) No security events are appearing in the security portion of the event log. How do I fix this?

Three things must happen for security events to be recorded: 1) The Event Log service must be running; check the Services applet of the Control Panel. 2) An audit policy must be enabled with the Audit option of the Policies menu in the User Manager; this is where you choose which categories of success and failure events (logon and logoff, use of user rights, and so on) are recorded. 3) For file, registry and printer events you must additionally select the objects and the users to audit, using the Auditing option in the Security menus of the File Manager, Registry Editor or Print Manager. Step 3 produces nothing unless the "File and Object Access" category is enabled in step 2.

=====================================================================

18) When I use the "net send" command to send messages to another user, the user never receives the message. What is causing this problem?

Usually this problem is solved by starting the Messenger and Alerter services in the Services applet of the Control Panel on the receiving machine and setting them to start automatically.

=====================================================================

19) The "at" command does not work properly. What causes this problem?

Usually this problem is solved by starting the Schedule service in the Services applet of the Control Panel and setting it to start automatically. Be aware that the Schedule service runs the commands you submit under its own account (LocalSystem by default), not yours, so protect the directory that holds your at scripts (see question 1) with NTFS permissions: anyone who can edit a script that at will run can have their changes executed with system privileges.

=====================================================================

20) I need to add 20 accounts to the system. Is there an easy way to do this?

Set up an account template and then copy that template to create each new account. The new accounts will receive all of the attributes of the template (group memberships, home directory, logon script, logon hours), and then you can modify the user-specific information such as user ID, user name/description, and password. A template is simply a normal account that nobody logs in with. Give it a generic ID such as "sales" or "accting", set its attributes, and disable it so that the generic ID cannot be used to log on. Then use the Copy option in the User menu to copy it.
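Questions 13 and 17 above are both checks of the local security policy, and both are worth scripting so that every machine is checked the same way. The PowerShell below is an added example for this supplement, not code from the book or from Microsoft. It assumes Windows 2000 or later (secedit did not exist on NT 3.x, where these settings live in the User Manager dialogs), an elevated prompt, and the standard layout of the exported INF file, where rights are listed under [Privilege Rights] with SIDs written as *S-1-..., and audit categories under [Event Audit]. The INF it writes for the fix is only applied when you pass -Apply.

```powershell
# Added example (not from the book or its FAQ): review two local security policy
# settings with secedit. Assumes Windows 2000 or later and an elevated prompt.
# The FAQ's NT 3.x equivalents are the User Rights and Audit dialogs in User Manager.

$EveryoneSid = '*S-1-1-0'        # Everyone, as secedit writes SIDs in the INF
$AdminsSid   = '*S-1-5-32-544'   # BUILTIN\Administrators

function Export-LocalPolicy {
    param([string]$Path = (Join-Path $env:TEMP 'secpol-export.inf'))
    # secedit writes the whole local policy as a UTF-16 INF file
    & secedit /export /cfg $Path /quiet | Out-Null
    if (-not (Test-Path $Path)) { throw 'secedit /export did not produce a file' }
    return $Path
}

function Read-Inf {
    param([string]$Path)
    # turn "[Section]" / "Name = Value" lines into a hashtable of hashtables
    $inf = @{}; $section = ''
    foreach ($line in Get-Content -Path $Path) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $inf[$section] = @{}; continue }
        if ($section -and $line -match '^([^=]+?)\s*=\s*(.*)$') { $inf[$section][$Matches[1]] = $Matches[2] }
    }
    return $inf
}

function Get-ShutdownRightHolders {
    param([hashtable]$Inf)
    $raw = $Inf['Privilege Rights']['SeShutdownPrivilege']
    if (-not $raw) { return @() }
    return @($raw -split ',' | ForEach-Object { $_.Trim() })
}

function Remove-EveryoneFromShutdown {
    param([string[]]$Holders, [switch]$Apply)
    # Question 13: drop Everyone and make sure Administrators keep the right.
    $keep = @($Holders | Where-Object { $_ -ne $EveryoneSid })
    if ($keep -notcontains $AdminsSid) { $keep += $AdminsSid }
    $lines = @(
        '[Unicode]', 'Unicode=yes',
        '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
        '[Privilege Rights]', "SeShutdownPrivilege = $($keep -join ',')"
    )
    $path = Join-Path $env:TEMP 'shutdown-right.inf'
    $lines | Set-Content -Path $path -Encoding Unicode
    if ($Apply) {
        & secedit /configure /db (Join-Path $env:TEMP 'shutdown-right.sdb') /cfg $path /areas USER_RIGHTS /quiet
    } else {
        Write-Output "Would apply: $($lines[-1])  (re-run with -Apply to change the policy)"
    }
}

$policy  = Read-Inf (Export-LocalPolicy)
$holders = Get-ShutdownRightHolders $policy
if ($holders -contains $EveryoneSid) {
    Write-Warning 'Everyone holds "Shut down the system" (question 13)'
    Remove-EveryoneFromShutdown -Holders $holders
} else {
    Write-Output "Shut down the system is held by: $($holders -join ', ')"
}

# Question 17: an audit category set to 0 sends nothing to the security log.
# secedit values: 0 = off, 1 = success, 2 = failure, 3 = success and failure.
foreach ($name in 'AuditLogonEvents', 'AuditAccountManage', 'AuditPolicyChange', 'AuditPrivilegeUse', 'AuditObjectAccess') {
    if ([int]$policy['Event Audit'][$name] -eq 0) { Write-Warning "$name is off" }
}
```

On Windows Vista and later the per-subcategory policy shown by "auditpol /get /category:*" can override the legacy categories read here, so check both before concluding that auditing is on. The removal step deliberately adds Administrators back if they were missing, because a policy in which nobody can shut the machine down is the other common mistake.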
=====================================================================

21) I need to add 200 accounts to the system. Is there an easy way to do this?

If you need to add 200 accounts, the use of the graphical User Manager can be cumbersome. In this case you will probably want to create a program or script that uses the "net user" command to create new accounts (and "net localgroup" or "net group" to put them into groups). Type "net help user" for the syntax.

=====================================================================

22) I have a shared directory (or FTP server) on my machine, and so many people are connecting to it that the machine is totally bogged down. Is there a way to control the load on my machine?

In both the FTP server and the File Manager's Share As dialog, you can specify the maximum number of connections allowed. Use this feature to keep connections to a reasonable level.

=====================================================================

23) How do I change the PATH and other environment variables for all of my users?

Use the Registry Editor (regedt32.exe) to change the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment key. Add your new variables and/or change existing variables here. This is the system-wide environment: you need administrator rights to write the key, and users pick up the new values at their next logon. Per-user variables live under HKEY_CURRENT_USER\Environment and are merged with the system values when the user logs in.

=====================================================================

24) I get a message about a full event log file when I log in. How do I clear out the event log? How do I archive the events?

The Event Viewer's Log menu has a Clear All Events option that clears events from whichever of the three logs you are viewing. Before clearing, it will ask you if you want to save the events. Save the events and then preserve that file on disk or tape. Be sure to save each log to a separate archive file, and name the file so you can later restore it to the proper log. The Log Settings option in the same menu lets you enlarge the log and choose what happens when it fills; for the security log, prefer a large log that you archive on a schedule over one that overwrites old events.

=====================================================================

25) I've forgotten the administrative password. What can I do?

If you have an emergency repair disk for the machine, you can reload the SAM database. This will return the machine to the account situation you had just after creation. This configuration will have two or three accounts (Administrator, Guest, and possibly a user account). These accounts will have the passwords you gave them during installation, and you will lose all other accounts. If you cannot remember the admin password on the emergency repair disk (or if you do not have an emergency repair disk), then you will have to reinstall NT using the install disks. Because the repair disk holds a copy of the account database, anyone who holds the disk holds the accounts and password hashes that were on the machine when it was made; keep it locked up.

=====================================================================

26) Should I use the FAT or the NT File System?

You should not use the FAT file system unless you have to. The NT File System is secure and much more robust; FAT has no permissions at all, so everything on a FAT partition is readable and writable by every user of the machine. The only reason for using a FAT file system is that you need to have both DOS and NT on the same machine in a dual boot configuration. If you have a FAT partition that you want to convert to NTFS, see the CONVERT command in the NT Command Prompt (for example "convert d: /fs:ntfs"). The conversion is one way; there is no command to convert back.

=====================================================================

27) I want to be able to log in on different machines and have my account information come to that machine. How do I make my account follow me around?

First you need an NT Advanced Server acting as a domain controller on your network. This will centralize your account list. Second you need to use the NTAS Profile Editor to create a personal profile for yourself and store it in a central place. The profile will hold all of your personal information like colors, fonts, etc. Because it is stored centrally by the profile editor, it can move around. See the book "Windows NT Administration: Single Systems to Heterogeneous Networks" for more information on profiles. You will probably want to locate your home directory and email information centrally as well.

=====================================================================

28) How do I find out what all the keys in the registry mean?

Look in the regentry.hlp file in the Resource Kit.
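Question 21 above suggests scripting account creation with the net user command, and question 20 describes the template approach. The script below is an added example for this supplement, not code from the book. It reads a CSV with the columns SamAccountName, FullName and Group (that layout is an assumption), gives each new account a random initial password, skips names that already exist, and puts the account into its group straight away. The /fullname, /add and /logonpasswordchg switches and the net localgroup command are documented parts of net; /logonpasswordchg only exists on Windows Vista and later, so on NT 3.x set "User Must Change Password at Next Logon" on the template in User Manager instead and drop that switch.

```powershell
# Added example, not from the book: bulk local-account creation with net user.
# Assumed CSV layout: SamAccountName,FullName,Group (one account per row).
$csvPath = 'C:\admin\newusers.csv'    # assumed location of the account list

function New-RandomPassword {
    param([int]$Length = 14)
    # Draw characters from the cryptographic RNG; ambiguous glyphs (l, I, O, 0, 1)
    # are left out, and bytes that would bias the modulo are rejected.
    $alphabet = 'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%^&*'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)
    $buf   = New-Object byte[] 1
    $chars = New-Object System.Collections.Generic.List[char]
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
    }
    return -join $chars
}

function Test-LocalAccountExists {
    param([string]$Name)
    # "net user <name>" exits non-zero when the account does not exist
    & net user $Name 2>$null | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Add-AccountsFromCsv {
    param([string]$Path)
    $created = @()
    foreach ($row in Import-Csv -Path $Path) {
        $name = $row.SamAccountName
        if (Test-LocalAccountExists $name) { Write-Warning "$name already exists, skipping"; continue }
        $password = New-RandomPassword
        # The password appears on the command line, where other local users can read it
        # from the process list; on current Windows prefer New-LocalUser with a SecureString.
        & net user $name $password /add /fullname:"$($row.FullName)" /logonpasswordchg:yes | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "net user failed for $name"; continue }
        # Group membership is what carries the permissions (see question 13), so add
        # the account to its group now rather than leaving it in Users only.
        & net localgroup $row.Group $name /add | Out-Null
        $created += [pscustomobject]@{ User = $name; Group = $row.Group; InitialPassword = $password }
    }
    return $created
}

# Deliver the initial passwords through a channel you trust, then discard this output.
Add-AccountsFromCsv -Path $csvPath | Format-Table -AutoSize
```

On a domain controller the same loop works with "net user ... /add /domain" and "net group" in place of net localgroup. The existence check matters more than it looks: without it a typo in the CSV that repeats a name would reset nothing (net user refuses to re-add) but would silently skip the group step for the real account.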
=====================================================================

29) How do I display a legal notice whenever anyone logs in?

In the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key add two values of type REG_SZ named "LegalNoticeCaption" and "LegalNoticeText" to act as the dialog title and body respectively. The notice is displayed before the logon dialog; it informs the user and does not by itself restrict anything.

=====================================================================

30) I am trying to use mail in NT, and for some reason it has "jammed". I get error messages when I try to send mail, or it says it cannot find the post office. How can I fix it?

If you have WfW machines on your net, it is probable that one of them has hung. If you quit Mail and Schedule+ on all machines and then restart them, that will solve the problem. Rebooting the post office machine will not solve the problem.

=====================================================================

31) The following question is rather long, but brings a different perspective to some of the security issues. (Some people get quite temperamental in their email - sheesh!)

> HI!
>
> I just read your article "Appendix G: Security Issues on NT Workstations and
> Networks" and must take some exception to the last two paragraphs.
>
> "If you need a relatively secure email system, you'd be better off hooking a
> UNIX machine into your network and letting it handle email and FTP locally and
> on the Internet."
>
> Whoa! Are you saying that Unix is more secure than NT? The thrust of your
> article was file permissions. There are several ways for users to exploit
> holes in Unix "security" model that allow you to get the contents of any file
> on the system. Including the UNENCRYPTED e-mail files. You seem to be saying
> in your article that getting an encrypted file is not as secure as restricting
> access to an unencrypted file. I prefer to have my sensitive data encrypted.
>
> "As mentioned in Section 14.1, FTP clients pass unencrypted passwords on the
> network. People can potentially snoop on the network to discover your passwords.
> Anonymous FTP accounts also create a security hole because anyone can log in
> and copy files. You may want to eliminate all anonymous access to close this
> hole."
>
> WRONG WRONG WRONG. Geez, what a rookie statement. The way to secure FTP on NT
> is to allow NOTHING BUT ANONYMOUS connections. You tell the FTP service to log
> anonymous users in under a user account. You then secure your filesystem (NTFS
> of course) so that the anonymous user can only read from locations on the
> system that you want them to read. I'm especially paranoid in that I do not
> allow files to be transferred TO my NT machine. If someone wants to send me
> files they can email them to me.
>
> Taking these two issues (email and FTP) together brings up an interesting
> dilemma for you. On the one hand you are telling your clients to use Unix for
> securing their e-mail because only you and root can read the files. Then in the
> FTP section you tell people that anyone can snoop on the network to get your
> password. Well, correct me if I'm wrong, but couldn't that same person snoop
> the network and see all unencrypted email coming from the Unix host too? Haven't
> you just lowered the security of the email?

Here is where we are coming from on email. Assume that you have a UNIX network and an NT network and they are secure. That is, you have properly set up the passwords and no one has leaked the root password, etc. On the UNIX network you cannot do anything with anyone's email. On the NT network, ANY user can 1) completely destroy the entire post office, or 2) copy the entire post office to a tape and walk away with it to examine at his/her leisure. It is encoded, but given sufficient time and resources you can break the encoding and examine anything you like. Therefore, UNIX provides the secure system. I do, however, agree with you on UNIX's propensity for free-text transmission of email.
Here is where we are coming from on FTP. Again assume that you have a UNIX network and an NT network and they are secure. That is, you have properly set up the passwords and no one has leaked the root password, etc. In this case no one can log in or access the FTP servers unless they have an account. That is secure, because only trusted and authenticated people are allowed to access the files they have permission on. If you allow anonymous FTP then anyone in the world can log in and copy files from the anonymous-accessible directories. That is insecure. Of course, if you are TRYING to distribute information in the anonymous-accessible directories then you are happy about that lack of security, but it is still insecure because you have no control over who has access to the information.

=====================================================================

32) I normally use Windows NT at the office, but I have a Windows for Workgroups portable that I use on the road. I want to RAS in and access the post office that is on an NT machine so I can check my email. When I dial via RAS, I log in using my normal NT logon ID and password. I get in fine. However, I cannot connect to the post office: it says "access denied" when I double-click on the machine holding the post office. What is happening, and how do I get around the problem?

There is a problem (feature?) in the authentication process when you log in to an NT network from a WfWG machine. Because you logged in as a specific user (rather than "guest"), it does not understand that you are a member of the group "everyone". Therefore, it will not let you connect to the NT machine by browsing for it. However, if you type the path directly (e.g. "\\NTAS\wgpo"), it will ask you for the password and then let you connect. After that initial connection, subsequent connections will be transparent.
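Questions 23 and 29 above both come down to writing registry values by hand in regedt32, which is error-prone when it has to be done on many machines. The PowerShell below is an added example for this supplement, not code from the book; it scripts both edits. The key paths are the ones the FAQ gives (they are unchanged on current Windows), the directory C:\Tools and the banner text are placeholders, and it needs an elevated prompt. It also shows the one trap in scripting the PATH change: PowerShell's Get-ItemProperty returns REG_EXPAND_SZ values already expanded, so reading Path that way and writing it back would replace %SystemRoot% with a fixed drive letter.

```powershell
# Added example, not part of the original FAQ: script the registry edits from
# questions 23 (system environment) and 29 (legal notice). Run elevated.

$envKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Add-SystemPathEntry {
    param([string]$Directory)
    # Path is REG_EXPAND_SZ. Get-ItemProperty would return the *expanded* string
    # (%SystemRoot% replaced), and writing that back would freeze the expansion,
    # so read the raw value through the .NET registry API instead.
    $key = Get-Item -Path $envKey
    $raw = $key.GetValue('Path', '', [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    $parts = @($raw -split ';' | Where-Object { $_ -ne '' })
    if ($parts -contains $Directory) { return $raw }       # already present, nothing to do
    $new = ($parts + $Directory) -join ';'
    Set-ItemProperty -Path $envKey -Name Path -Value $new -Type ExpandString
    return $new
}

function Set-LegalNotice {
    param([string]$Caption, [string]$Text)
    # Both values are REG_SZ, as question 29 says. The banner appears before the
    # logon prompt; it is a notice only and grants or denies nothing by itself.
    Set-ItemProperty -Path $winlogonKey -Name LegalNoticeCaption -Value $Caption -Type String
    Set-ItemProperty -Path $winlogonKey -Name LegalNoticeText    -Value $Text    -Type String
}

function Get-LegalNotice {
    # read back what was written, for a quick check on each machine
    $p = Get-ItemProperty -Path $winlogonKey
    return [pscustomobject]@{ Caption = $p.LegalNoticeCaption; Text = $p.LegalNoticeText }
}

Add-SystemPathEntry -Directory 'C:\Tools'          # placeholder directory
Set-LegalNotice -Caption 'Authorized use only' `
                -Text 'This system is for authorized users. Activity may be monitored and recorded.'
Get-LegalNotice

# Neither change reaches sessions that are already running: the system
# environment is read at logon and the banner at the next logon prompt.
```

Adding a directory to the system PATH is itself a security decision: every program on the machine will search it, so it must be writable only by Administrators, or anyone who can drop an executable there can get it run by other users.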