Windows NT Workstation Versus Windows NT Server
Why Two Products?
When Microsoft introduced Windows NT in 1993, they offered two products: Windows NT 3.1 and Windows NT Advanced Server 3.1. The problem was that the exact roles of these two products had not been clearly defined in Microsofts marketing strategy. This led to confusion about which product should be used in what environments.
With the introduction of 3.5 in late 1994, Microsoft changed the product names, their feature sets, and gave a clear indication of what roles each product was designed for. Windows NT became Windows NT Workstation, and Windows NT Advanced Server became Windows NT Server.
Windows NT Workstation was designed as a robust, 32-bit multithreaded, multitasking operating system that was capable of running high-end engineering or mission-critical client/server applications.
Windows NT Server became the cornerstone of Microsofts enterprise-class network operating system. Windows NT Server was designed to provide file, print, and application services to diverse clients.
Features Common to both Windows NT Server and Windows NT Workstation
Windows NT Workstation and Windows NT Server are both built using the same core technologies, resulting in products with more similarities than differences. Some of the features common to both Windows NT products are
- High-performance client/server platform
- Network foundation
- GUI management tools
- NetWare integration
- Robust TCP/IP services
- Remote access service
- Integrated C2-level security
- Built-in backup
- Advanced file systems
High-performance Client/Server Platform
The Windows NT platform was designed to provide a powerful operating system platform capable of scaling from the simplest file and print services network, to the largest enterprise network providing file and print services to thousands of users, as well as advanced messaging and application services.
To achieve this, Windows NT was designed with a microkernel capable of preemptively dispatching threads to up to 32 processors. This provides scalability, both for servers and for high-demand workstations. Furthermore, by providing preemptive multitasking, NT can prevent any single process from monopolizing the processor.
Windows NT is a true 32-bit operating system, with no internal 16-bit code, unlike Windows 95, which still has a considerable amount of 16-bit code under the hood for compatibility with older versions of Windows. As a result, Windows NT is capable of taking full advantage of the powerful features of todays most advanced microprocessors, including Intels new Pentium Pro processor.
In order to properly fit the role of a mission-critical operating system, Windows NT provides memory protection for all user-level processes. The NT kernel runs in its own 32-bit, virtualized address space. Additionally, every 32-bit program runs in its own address space. With 16-bit Windows programs, you have the option of running each process in its own memory space, or in a memory space shared by other Windows programs. In any case, programs cannot write to another programs address space, preventing an errant program from stepping on other programs or on the operating system itself.
On the hardware side, NT supports 4GB of RAM per system and 2GB of virtual memory per application. Additionally, it can address up to 402 million TB of data storage per system. With the capability to take advantage of this kind of hardware, NT is fully capable of meeting the needs of enterprise-level client/server needs.
Additionally, Windows NT, unlike Windows 3.x and Windows 95, is capable of running on many different processor architectures, although Windows 3.x and its descendants are supported only on the Intel x86 platform. Windows NT will also take full advantage of powerful RISC processors such as the DEC Alpha AXP, MIPS R4400, and IBM/Motorola PowerPC processors. This means that no matter how much processing power you need, Windows NT will be able to accommodate you. Although the newest and fastest Pentium and Pentium Pro processors are still around 200 MHz, the latest Alpha and MIPS RISC chips scream at well over 300 MHz!
The core networking components are virtually identical between NT Server and NT Workstation. As mentioned in chapter 1, networking was built into the Windows NT from the beginning; it is one of the fundamental elements of the NT architecture.
For many people coming from an MS-DOS/Windows networking background, file and print services are traditionally based on either a client/server model or a peer-to-peer model. Windows NT is more like a hybrid of the two. Essentially, an NT Server is optimized to act as a server, but you can also use it as a workstation. Likewise, NT Workstation is optimized as a desktop workstation, but it can also be used as a server. This differs greatly from the Novell model, wherein you have dedicated servers and dedicated clients that are built on completely different architectural models.
Windows NT uses the NDIS 3.0 standard to support numerous different transport protocols. Support is built into the product for TCP/IP, NetBEUI, IPX/SPX, DLC, and AppleTalk. Windows NT can provide traditional Microsoft file and print services over TCP/IP, IPX/SPX, and NetBEUI. DLC is supported for printing to network-connected printers and IBM mainframe connectivity. AppleTalk is supported on NT Server for providing Macintosh file and print services and on NT Workstation for administering NT Servers running File and Print Services for Macintosh.
Both NT Server and NT Workstation provide standard TCP/IP utilities, including Telnet and FTP clients. Additionally, an FTP Server service can be installed to provide TCP/IP-based file transfer between NT and UNIX hosts or any other system with an FTP client.
GUI Management Tools
Windows NT includes a full set of powerful GUI tools for administering most parts of the operating system. These tools include
- User Manager: This utility allows you to create and manage user accounts and groups, as well as user rights, and system-wide password and auditing policies. On an NT domain controller, it is also used for setting up inter-domain trust relationships, which allow user accounts in other domains to be granted access to local resources. This application actually comes in two flavors: User Manager and User Manager for Domains. User Manager is installed on NT Workstations and stand-alone NT Servers, and is used for administering the local user account database. User Manager for Domains has all the features of User Manager and includes features related to domain management. Another advantage of the User Manager for Domains is that it permits you to remotely manage the user account databases on other NT systems. It is installed by default on all NT Servers installed as domain controllers. Additionally, it can be installed on NT Workstations, and NT Servers that are not configured as domain controllers. A version is also available for Windows 3.1x and Windows 95. The User Manager and User Manager for Domains is discussed in greater depth in Chapter 16, User Administration.
An NT domain is a group of workstations and servers that can be administered together. A common user account database resides on the NT domain controllers, which provide user authentication services for other members of the domain. This enables a user to have a single account for logging onto all computers in the domain. Furthermore trust relationships can be set up between domains that enable you to grant access to a local resource to user accounts from a trusted domain. More information on NT domains can be found in Chapter 4, Installing Windows NT Server, and Chapter 15, Administering the Server.
- Server Manager: The Server Manager is a GUI utility used for checking and controlling many server-related functions of an NT system. It can be used to check the status, start, pause, or stop services. It can also be used to obtain a list of currently logged-on users, including what files they have open. You can also use the Server Manager to send broadcast messages to logged-on users. The Server Manager is the utility that is used to create domain system accounts for NT Workstations, stand-alone servers and domain controllers. Although Server Manager is installed by default only on NT Servers configured as domain controllers, it can also be used to administer NT Workstations and NT Servers not setup as domain controllers. Additionally, it can be installed on NT Workstations, and a version is also available for Windows 3.1x and Windows 95. The Server Manager is discussed further in Chapter 15.
- Disk Manager: Disk Manager is used to create and format disk partitions, as well as set up advanced disk partitioning, including volume sets, striped sets, and mirrored sets. This utility is installed on all Windows NT systems and can be used only to configure local drive systems. The Disk Administrator is discussed in greater depth in Chapter 6, File System Management, and striped and mirrored disk sets are discussed in Chapter 23, Fault-Tolerant Systems.
- Performance Monitor: This is a very powerful application in Windows NT. Although NT is very good at dynamic performance tuning, it is not able to do everything on its own. Performance Monitor enables you to graphically view hundreds of performance counters to ensure that your system is operating at its peak. You can use Performance Monitor to view the performance counters in real time, log counters for later reference, or even send administrative alerts or run external programs when certain thresholds are met. Performance Monitor is installed on all Windows NT systems. A great feature of the performance monitoring system in NT is that the performance counters are fully extensible, meaning that applications can be written to make their own performance counters available to the Performance Monitor applications. So, depending on the way your system is configured, you might have more performance counters than a baseline system. For instance, if you install the TCP/IP protocol stack and the SNMP service, you will get additional counters for TCP-, IP-, and ICMP-related information. Performance Monitor can be used to monitor the events on both the local and remote system simultaneously. Using the Performance Monitor to optimize system performance is discussed in Chapter 19, Performance Tuning and Optimization.
- Event Viewer: The Event Viewer enables you to view the system log, application log and security log. These logs keep you informed of the status of various system events, and, if you are auditing security-related events, the Event Viewer can be used to keep track of these as well. The Event Viewer is also used to set the maximum size for each event log and configure how the system should respond if the log fills up. The Event Viewer is installed on all Windows NT systems and can be used to view events on the local or on remote systems. A version of the Event Viewer for remotely viewing the event logs of an NT system is available for both Windows 3.1x and Windows 95 systems. Using the Event Viewer is discussed in Chapter 15.
- RAS Admin: This administrative utility is installed as a component of the Remote Access Service (RAS), which enables users to use a modem, or other supported communications device, to connect to the network as a standard network node. The RAS Admin enables you to designate which users are allowed to dial into the RAS server. RAS Admin can also be used to configure the dial-back capability of the RAS server on a user-by-user basis. The RAS Admin utility can be used to configure the local RAS server, or a remote RAS server. You can find more information about RAS in Chapter 20.
- DHCP Manager: Use the DHCP Manager program to administer the DHCP Server service, which enables DHCP-enabled network clients to dynamically obtain TCP/IP configuration information at startup. This program can be used to create and configure DHCP scopes, as well as administer leases. The DHCP Manager is installed with the DHCP Server service, and can be used to administer local and remote DHCP servers. DHCP is discussed at greater length in Chapter 12.
- WINS Manager: The WINS Manager is used for managing the WINS Server service, which provides NetBIOS name registration and resolution services on a TCP/IP network. The WINS Manager can be used to graphically manage push and pull replication partners, as well as the mapping of static address and other WINS-related features. The WINS Manager is installed along with the WINS Server service. It can be used to manage either local or remote WINS databases. WINS is discussed at greater length in Chapter 12, WINS, DHCP and DNS.
Microsoft has gone to great lengths to ensure that Windows NT integrates well with other desktop operating systems and network operating systems. Making both NT Workstation and NT Server fit seamlessly into a NetWare environment was a high priority. NetWare integration is primarily provided by the following two components:
- NWLink: NWLink is a high-performance, NT-native IPX/SPX-compatible protocol that Microsoft designed for Windows NT. This stack is fully compatible with the IPX/SPX specifications, including SPX II.
- Client Services for NetWare: Microsoft provides a Novell NCP requester with NT Server and NT Workstation. This service, called Client Services for NetWare (CSN), allows an NT system with NWLink installed to access file and print resources from Novell 3.1x and Novell 4.x servers. You can even run many of the Novell DOS-based administration tools over CSN.
Robust TCP/IP Services
Microsoft recognizes that TCP/IP is unarguably the most important network protocol in use today. The world is continuing to advance toward a world-wide computer network infrastructure, and the primary protocol for that network is TCP/IP.
Traditionally, Microsoft services were built on NetBEUI, which, although small and fast, is more suited to small networks due to its high level of network broadcasts and its inability to be routed. To make their software more universal, Microsoft has virtualized their entire networking platform so that you can mix and match protocols, requesters and services. This means that you can use the traditional Microsoft networking services over NetBEUI, IPX/SPX or TCP/IP and the result is the same to the user. It is now possible to build your entire Microsoft-based network using TCP/IPor IPX/SPX. Having a single networking protocol can make network management easier. Additionally, it can improve client performance by not requiring each workstation to load multiple network protocols for communicating with different services.
Recognizing the importance of TCP/IP, Microsoft expended great effort to ensure that the TCP/IP implementation in Windows NT was robust and as fast as possible. The results are a highly optimized, 32-bit stack, the core of which is similar in its Windows for Workgroups 3.11, Windows 95, and Windows NT implementations. In addition to focusing on the speed of the stack, Microsoft has tried to provide TCP/IP-based services to make the stack more functional. The following are some of the features of the TCP/IP stack in Windows NT:
- NetBIOS interface: The Windows NT TCP/IP stack supports NetBIOS for establishing session-level logical names on the network, as defined in Request for Comment (RFC) 1001 and 1002. Additionally, this interface provides support for network dynamic data exchange (Network DDE), which allows the sharing of information embedded within documents.
- Dynamic Host Configuration Protocol (DHCP) client: Windows NT can use a DHCP server to dynamically acquire TCP/IP configuration information such as IP address, DNS addresses, netmask, and gateway addresses. This makes it easier to configure TCP/IP on client workstations and enables you to make enterprise-wide TCP/IP configuration changes without having to modify each workstation by hand. Configuring NT Server as a DHCP client is discussed in Chapter 11.
- Windows Internet Name Service (WINS) client: WINS provides dynamic naming services for Windows network clients. This eliminates the need for static name resolution provided by LMHOSTS files. It also provides a dynamic name service for machines running DHCP. Configuring NT Server as a WINS client is discussed in Chapter 11.
- Common TCP/IP connectivity utilities: Windows NT includes Telnet, FTP, TFTP, rsh, rexec, RCP, and finger clients to allow you to take advantage of standard TCP/IP-based services. These utilities are discussed in Chapter 11.
- TCP/IP diagnostic utilities: The Windows NT TCP/IP stack includes arp, hostname, ipconfig, nbtstat, netstat, ping, route, and tracert for performing diagnostics and troubleshooting of your system and network. These utilities are discussed in Chapter 11.
- TCP/IP printing support: If you choose to install the optional support for TCP/IP printing, you will be able to print to queues on UNIX machines or network printers that accept Berkley-style LPR requests as defined by Request for Comment (RFC) 1179. Additionally Windows NTs TCP/IP Print Server service can accept LPR print jobs. NT includes the lpr and lpq utilities for sending remote print jobs from the command line and for querying the status of a print queue on a remote TCP/IP print device. TCP/IP printing support is examined more closely in Chapter 13.
- SNMP Support: The SNMP agent allows your Windows NT system to be remotely monitored and administered though SNMP management software such as HPs OpenView, IBMs SystemView, or Suns SunNet Manager.
- Performance monitoring: When you install the TCP/IP protocol and the SNMP service on a Windows NT system, additional TCP/IP-related objects will become available in the Performance Monitor application. This allows you to track numerous different TCP/IP performance counters and statistics for your systema tremendous aid in locating bottlenecks and identifying potential problems before they occur. You can find out more about performance monitoring in Chapter 19.
Remote Access Service
The Remote Access Service (RAS) in Windows NT is a very robust tool for creating WAN connections to support todays advanced client/server computing environments. RAS enables remote users to gain dialin access to the network using the NetBEUI, IPX, or TCP/IP protocols. RAS uses the point-to-point protocol (PPP) to support network connections over standard modems, ISDN, and X.25 WAN links.
RAS is fully integrated with the NT security database so that users can use their standard NT user account and password for authentication. If a greater degree of security is necessary, RAS can take advantage of third-party security hosts.
RAS is compatible with UNIX systems via PPP, NetWare, Shiva LanRovers, Windows, Windows for Workgroups, Windows NT Server, Windows NT Workstation, and LAN Manager.
One of the exciting new technologies supported in Windows NT 4 is called Point-to-Point Tunneling Protocol (PPTP), which is supported through the RAS service. PPTP enables you to create virtual private networks (VPNs) across any type of network link. One of the VPN is security. You can tell NT to encrypt data using RSA Data Security Incorporateds RC4 encryption algorithm. This provides data security and enables you to use the Internet as a secure "private" network. A second advantage of the VPN concept is that you can easily and securely use any Internet Service Provider (ISP) to dial into, while still maintaining data security.
For more information on RAS and PPTP, see Chapter 20.
Integrated C2-Level Security
When Microsoft designed Windows NT, they concentrated on making it secure. Because NT was intended for use in enterprise environments, it was vital that NT be able to prevent unauthorized access to business-critical information. Microsoft deemed that designing the system to meet and exceed the U.S. National Security Agencys criteria for C2-level secure systems would result in a product that would satisfy the needs of the commercial sector as well. Additionally, by going through the lengthy C2 certification procedure, Microsoft would have a certifiable security metric that could be used to demonstrate the security of their system.
As part of the security system, Windows NT requires that the actions of all users, both local and remote, be verified against a built-in security database. So access to any part of the system would only be granted after a user provides a valid user account and password.
Furthermore, NT provides mechanisms to protect its built-in security database. One such mechanism is that, by default, NT does not allow passwords to be sent in clear text over the network. Additionally, no user or process can directly modify the systems security database. All interactions with this database are done through well-defined messages that are passed between the various software components. Additionally, you can create a password policy that requires users to have passwords of a certain length, or even create a policy that disables accounts after a designated number of failed logon attempts.
To protect the data stored on the system, NTFS, Windows NTs preferred file system, uses access control lists (ACLs) to provide file and directory protection on a user-by-user basis. Each object also has a owner, who is the ultimate authority when it comes to granting or denying access an object.
For more information on taking advantage of NT Security, see Chapter 25.
Security is important for protecting your data from accidental or intentional mishandling; however, regular backups are important for protecting your data from other kinds of problems. Recognizing this, Microsoft includes a full-featured, graphical tape backup utility with Windows NT. This utility, called NT Backup, was made for Microsoft by Arcada Software and is very similar to Arcadas commercial software package, Backup Exec.
Arcada was recently acquired by Seagate and rolled into a division of Seagate called the Seagate Storage Group.
NT Backup can take advantage of any tape device supported by Windows NT. It can perform typical backup operations, including normal, copy, incremental, differential, and daily. With NT Backup you can have a backup set span multiple tapes, or include multiple backup sets on one tape.
Additionally, NT Backup supports NTs integrated security model through the use of user rights, and by allowing you to back up and restore files and directories with or without the access control lists (ACLs). NT Backup can also be used to backup NTs Registry and has full support of long filenames.
If you want to schedule regular backups, you can build batch jobs and use NTs built-in system scheduler to run the jobs as necessary.
The NT Backup utility is discussed in Chapter 23.
Advanced File Systems
Windows NT supports two major files systems:
- NT File System (NTFS)
- File Allocation Table (FAT)
These three file systems are discussed in greater depth in Chapter 6.
One of the big surprises in Windows NT 4 was the discontinuation of support for the High-Performance File System (HPFS), originally developed for OS/2, and supported on NT 3.1, 3.5, and 3.51.
To build a truly robust operating system, you must make sure that all components of the system are up to the task. So when designing Windows NT, Microsofts engineers chose to develop a new file system that fit in line with NTs goals: performance, stability, scalability, and reliability. The result was NTFS.
NTFS is an advanced file system that uses journalinga concept similar to logging to provide recoverability. In face, the transaction-processing concepts used in NTFS combined with its relational database model, make NTFS look more like a high-performance database than a traditional file system. To provide improved speed, NTFS was built on a "lazy-write" model, rather than the "careful-write" model that is used by the traditional FAT file system.
NTFS is the only file system in Windows NT that supports file-level security permissions. This is done through an access control list (ACL), which contains the details of exactly what users are granted permissions to a resource and what level of permissions they have been granted.
In addition, NTFS supports many other advanced features including:
- Long filename support
- Support for software-level sector sparing for fault tolerance
- Support for international filenames through the use of Unicode
- File-level compression through the use of an attribute bit
- Support for multiple data forks in a file, which is necessary for supporting Macintosh files
Windows NT supports FAT primarily to provide backward compatibility. However, the FAT implementation in NT differs somewhat from the implementation in DOS. One difference is that Windows NT allows for long filenamesup to 255 characters.
Both Windows NT and Windows 95 support FAT in the same way.
There are many disadvantages of using FAT under NT. For example, FAT does not give you the recoverability provided by NTFS. Additionally, FAT does not support ACLs, so you cannot assign security permissions to individual files or directories.
There are times in NT where you must use the FAT file system. For instance FAT is the only file system support on floppy drives. Also, because of their design, the boot partition on RISC computers running NT must be FAT.
There are some things in FATs favor though. Because of overhead involved in keeping the journal log under NTFS, there are situations in which FAT might be faster for writing information.
Additional Features in Windows NT Server
The features discussed above are shared by both the NT Workstation and the NT Server products. There are many features available in the NT Server product that are not available in the Workstation product. Some of the most important features are
- Increased server capacity for servicing more simultaneous connections
- Fault-tolerant disk driver for supporting disk mirroring and disk striping with parity (RAID 1 and RAID 5)
- Enhanced TCP/IP server services, such as DHCP, WINS, and DNS
- Internet Information Server 2.0
- Additional NetWare integration tools
- Unified domain-based security model
- Network client administrator
- Directory replication
- Services for Macintosh
- Remoteboot (RPL) for clients
- Client-licensing manager
- BackOffice suite integration
- Network Monitor Tool
Increased Server Capacity
Whereas NT Workstation is limited to 10 incoming network connections, Windows NT Server has no such limitation. In fact, there is no software-defined limit to the number of clients that can simultaneously connect to an NT Server. The limit of 10 network connections in NT Workstation is not simply a whimsically chosen number. After careful benchmarking and analysis, Microsoft determined that NT Workstation and NT Server performed similarly up to about 10 simultaneous incoming network connections. After that, NT Server was much more capable of handing the load. This has to do with differences in the internal optimization of the two products, including the pageability of the server code and the difference in the number of system worker threads.
Fault-Tolerant Disk Driver
Because NT Server is designed to meet the needs of high-end, mission-critical systems, Microsoft has included a fault-tolerant disk driver, called FTDISK.SYS, with NT Server. This driver uses redundant array of inexpensive disks (RAID) levels 1 and 5 to handle fault-tolerant disk configurations such as disk mirroring, disk duplexing, and disk striping with parity.
- Disk Mirroring: Disk mirroring is a process in which a partition is exactly duplicated on two separate physical disks. This process is commonly known as RAID 1. By having an exact duplicate on a second disk, if the primary disk fails, the fault-tolerant driver will automatically use data from the backup drive, thereby virtually eliminating unscheduled down time caused by drive failure. Disk mirroring can be used with any file system typeFAT, HPFS, and NTFS. Mirrored partitions do not need to be created on drives with the exact same geometry; so if a drive fails, you do not need to worry about replacing it with the exact same model. An obvious advantage to disk mirroring is 100% data redundancy. Additionally, if the hard drive controller is able to issue multiple simultaneous disk requests, disk mirroring can provide a speed improvement when reading data. One of the disadvantages of mirroring is that it requires twice the amount of drive space compared to the actual storage. When building large drive arrays, this can be quite costly.
- Disk Duplexing: Disk duplexing works the same way as disk mirroring, except that duplexing uses a separate disk controller for each drive. In the definition of the different RAID levels, there is no categorical difference between disk mirroring and disk duplexing, so they both fall under the categoryRAID 1. Disk duplexing can protect against not only drive failures, but also against controller failures, which although uncommon, do occur. Additionally, disk duplexing can provide increased performance because one controller can handle a read request while the other controller is busy servicing a separate request.
- Disk Striping with Parity: The disk striping with parity that Microsoft includes with NT Server is classified as RAID level 5. With this feature you can spread the contents of one logical volume across from 3 to 32 physical drives. NT spreads information and a parity byte across all drives in the array. If there is a failure on any one drive, NT can reconstruct the data on the defective drive from the data and parity information stored on the remaining drives. With disk striping with parity, the drives can be on the same or on multiple controllers. It is important to realize that this method protects only against a single point of failure. If there is a failure in more than one of the physical drives, the data cannot be recovered. Additionally, depending on the speed of the hardware and the number of devices involved in the stripe set, writing to a RAID 5 volume can take longer because of the overhead involved in NT calculating the parity bits.
Both Windows NT Server and NT Workstation can take advantage of hardware-based RAID solutions, which can provide increased performance, compared to NT Servers software solution.
You can find more information about RAID 1 and 5 in Chapter 23.
Enhanced TCP/IP Server Services
There are two major TCP/IP-related enhancements provided by Windows NT Server. These are
- DHCP Server service: The Dynamic Host Configuration Protocol (DHCP) is a client/server-based system that allows dynamic assignment of IP addresses and configuration information from a centralized server. This method of assigning IP information offers many advantages over the traditional static method. First, it allows you to move a computer to any location on the network and it will automatically configure itself with the appropriate settings for its new subnet. This can greatly cut down on the administrative headaches associated with incorrectly configured computers. Second, it allows you to quickly and easily make global changes for either a specific subnet, or for an entire network. For instance, if the address of a DNS server changes, you can make a single change to the DHCP server and all DHCP clients will be made aware of the new server when they renew their IP lease. In a traditional, static environment, you would most likely have to go to each computer on the network and make the change.
- WINS Server service: The Windows Internet Naming Service (WINS) provides dynamic NetBIOS name registration and resolution on a TCP/IP network. It is often configured to work hand in hand with the DHCP service. Without WINS, DHCP would not be as effective. This is because WINS can provide dynamic name services for computers that are assigned a dynamic IP address by a DHCP server. In the traditional TCP/IP realm, IP addresses were assigned to a particular machine, so the static naming system used by DNS servers was sufficient. However, with dynamic IP addresses, a more flexible solution was neededhence WINS. Additional benefits include no longer needing LMHOSTS files for NetBIOS name resolution, reduction of IP broadcast traffic in Microsoft internetworks, and inter-subnet browsing.
- DNS Server service: The Domain Name System (DNS) is a standard TCP/IP service that provides static name resolution on a TCP/IP network. The DNS server service included in NT Server 4 provides integration of the DNS service with the WINS service providing the best of both worlds, called dynamic DNS. Dynamic DNS permits a standard DNS client to resolve IP address for computers that get their IP addresses dynamically from a DHCP server.
These TCP/IP server services are discussed in Chapter 12.
Internet Information Server 2.0
One major difference between Windows NT Server and NT Workstation is very fast Internet server that is at the foundation of Microsofts Internet strategy. It supports the hypertext transport protocol (HTTP), which is the fundamental transport protocol of the World Wide Web, as well as support for FTP and gopher services.
Microsoft includes a service in NT Workstation, called Peer Web Services, which appears to be virtually identical to the IIS. However, the greatest limitation to Peer Web Services is that it only accepts 10 incoming connections, limiting its use for anything but the smallest application.
Through the use of the Internet Server API (ISAPI) programming interface, the IIS service can be extended to provide other services, such as a full-text search engine, such as the forthcoming product Microsoft product code-named Tripoli.
You can find more information on IIS, and using NT as an Internet server in Chapter 28, Windows NT as an Internet Server.
Increased RAS Server Capability
Although the RAS client in NT Workstation and NT Server are virtually identical, the RAS server service provided in Windows NT Server has two major features that set it apart from its NT Workstation sibling:
- Up to 256 simultaneous RAS connections: The RAS server service in NT Workstation allows only a single incoming call, whereas NT Server can handle up to 256 simultaneous RAS connections. This enables NT Server to be provide enterprise-level communications services. With the introduction of the Point-to-Point Tunneling Protocol (PPTP) in NT, this allows you to create up to 256 Virtual Private Networks (VPNs).
- Support for third-party security products: Windows NT Server has an extensible API set that allows it to be integrated with third-party security products, such as Security Dynamics ACE server, which requires users to provide an additional level of authentication by entering a code from an electronic credit card-like device they carry with them.
You can find more in-depth coverage of the Remote Access Service in Chapter 20.
Additional NetWare Integration Tools
Microsoft has realized that the most effective way to challenge Novell in the networking world is to make their products integrate as easily as possible with Novell networks. NT Server adds two main utilities that help narrow the once insurmountable chasm between the two products. The following two Novell-related services are provided in NT Server:
Microsoft sells an add-on product for NT Server, called File & Print Services for NetWare, which makes an NT Server look exactly like a Novell 3.x server.
These NetWare-related tools are discussed in greater detail in Chapter 22.
Unified Domain-Based Security Model
One of the foremost features included in NT Server, but not in NT Workstation is the capability for NT Server to act as a domain controller. Without a Windows NT Server on your network to act as the primary domain controller, you would lose all of the functionality provided by a domain structure. Some of these additional features are
- Server-based user profile storage: When logging on to a Windows NT or Windows 95 system that is a member of an NT domain, you can store your user profile on the NT Server. The benefit of this is that when you logon to other workstations in the domain, you will get the same desktop and set of preferences. These are called personal profiles.
Additionally, you can chose to use mandatory profiles, which cannot be changed by the user and can be used to limit the users activities. Any changes made to the desktop or other settings by the user during an interactive logon session are not saved when the user logs off.
- Netlogon service for processing logon scripts: If you set up a domain, users who log onto Windows 3.x, Windows 95, and Windows NT systems can be made to use a logon script. These scripts are stored on the domain controllers and can be used to perform such actions as connect drive and printer assignments, or even to run programs such as running a virus scanning program.
- Trust relationships: In a NT Server-based network, the domain is the logical administrative unit for user accounts and server permissions. One of the great features of the NT domain structure is that it allows you to set up trust relationships between domains. These trust relationships enable you to grant access to your resources to users with accounts in trusted domains. This enables users to access resources in different domains without needing a separate account for each domain.
- Single network logon: Under NTs domain structure, you create a single account for a user, and this account can be used to logon or access resources anywhere within the domain. Additionally, if you set up trust relationships, this account could potentially be used to access resources throughout an entire enterprise. This is beneficial over many other systems that require you to create a separate account on each server.
Network Client Administrator
The Network Client Administrator is a tool that many people just dont seem to know what to do with. It was introduced in version 3.5 to make a system administrators job easier when installing client-end software. This utility generates a boot disk that when booted in a client system can be used to automatically install Microsoft client software over the network from the server. The Network Client Administrator can be used to install the following client software which Microsoft has included on the NT Server CD:
- Windows for Workgroups 3.11
- Windows 95
- 32-bit TCP/IP for Windows for Workgroups 3.11
- NT administration tools for Windows 3.1 or Windows 95
- Network Client for MS-DOS 3.0
- RAS for MS-DOS 1.1a
- LAN Manager for MS-DOS 2.2c
- LAN Manager for MS OS/2 2.2c
The Network Client Administrator is discussed in-depth in Chapter 21.
The Directory Replication service in Windows NT allows you to maintain identical copies of files and directories on multiple computers. When you make changes to any of these files or directories, the change is replicated to other computers configured to import replication changes.
Both Windows NT Servers and NT Workstations can be configured to import directories. However, only Windows NT Servers can act as a directory replication export servers.
The Directory Replication service is useful for replicating logon scripts among all the Windows NT logon servers in a domain.
Services for Macintosh
Out of the box, Windows NT Server is able to act as a file and print server for Macintosh clients as well as print to AppleTalk-based printers. This makes it easier than ever to support both Macintosh and Windows networking clients from a single server product. There are five major services that are provided by NTs Services for Macintosh (SFM):
- File Services for Macintosh clients: With SFM installed, you can make any NTFS partition available to users with Macintosh computers. Protection is provided for these resources using NTs integrated user database, so no special accounts need to be created for Macintosh users. Additionally, Microsoft provides a User Authentication Module (UAM) that uses encrypted passwords to enable the Macintosh client to negotiate a secure logon with an NT Server.
One of the problems commonly encountered with integrating PC and Macintosh systems is the 8.3 limit on filenames imposed by DOS. Because SFM files are hosted on an NTFS partition, which is capable of handling files with 255-character names, NT is easily able to accommodate the Macintoshs 32-character filenames.
In fact, in many ways NT provides far more robust Macintosh services than any current Macintosh product. To test the scalability of NT Servers SFM services, Microsoft has performed limits testing with more than 1,000 simultaneous Macintosh connections. This is good evidence of the robustness of NT as a Macintosh file server solution.
- AppleTalk routing: NT Server has native support for AppleTalk routing. This means that NT Server is able to forward data between AppleTalk subnets and can fully participate in an AppleTalk internetwork. Additionally, NT Server is capable of acting as an AppleTalk seed router for creating new AppleTalk zones.
- Print services for Macintosh clients: With SFM, all print devices created on your NT Server are automatically made available to Macintosh users. This feature, along with the ability to print PostScript code to non-Postscript printers and its capability to print to printers on an AppleTalk network, make NT Server a robust printing platform for Macintosh computers.
- Printing PostScript to non-PostScript printers: SFM includes a Macintosh print processor service that uses Microsofts TrueImage raster image processor (RIP) for converting PostScript language code into bitmapped images that can be sent to non-Postscript printers. Because PostScript is the most common page description language for printing on Macintosh computers, the RIP enables you to print from Macs to non-PostScript devices connected to your NT Server. You can also use this service to print PostScript code from any system, including PC and UNIX machines, to non-PostScript printers attached to your NT Server.
- Printing to AppleTalk-based printers: An additional feature provided by SFM is the capability for an NT Server to send print jobs to printers using the AppleTalk protocol. This can be done if the printer is connected to the same Ethernet network as the server, or if the NT Server has a LocalTalk card installed and is connected to the same LocalTalk network as the printer. In either case, the NT Server can either simply print to the AppleTalk printer or capture the printer to prevent other computers from printing directly to it. You might want to do this to force people to use the NT Server as a print server, or for job auditing purposes.
In-depth coverage of the Services for Macintosh is provided in Chapter 10.
Remoteboot (RPL) for Clients
The Remoteboot service enables you to boot an MS-DOS, Windows 3.1, or Windows 95 workstation over the network from a shared software installation located on your NT Server. The clients network card must have a remote program load (RPL) chip. Remoteboot can give you increased workstation security, software, and operating system version control and decreased workstation costs.
The Remoteboot service is covered in Chapter 15.
Microsoft offers two methods of client licensing for BackOffice products: per server or per seat. To help system administrators enforce their licensing policy, Microsoft has begun including the Client-Licensing Manager applet with NT Server. This program is the forerunner of a more sophisticated license monitoring software expected later this year.
The Client-Licensing Manager allows you to designate the number of licenses you own for various BackOffice applications and enforces the licensing policy by denying services to users if all available license have been exhausted. You can use this application to manage licenses for all BackOffice products on your network from a single location.
The Client-License Manager also keeps track of license usage statistics, enabling you to view the highest number of current connections. This is extremely valuable for capacity planning.
The Client-License Manager also supports local, domain, or enterprise-based license metering. You can set up central servers that will act as repositories for all licensing information. You can choose how frequently Windows NT replicates information to the master license server.
An additional use for the Client-License Manager is for generating historical reports of when new licenses were purchased and for which products.
Network Monitor Tool
Windows NT 4.0 now includes the Microsoft Network Monitor Tool, which enables you to directly view traffic network traffic as it passes across the network wire. This tool was previously only available as part of Microsofts Systems Management Server (SMS) package, but is now included with NT Server 4. The Network Monitor Tool is a very important troubleshooting device, because it permits you to actually disassemble the packets that are passed across the network and isolate where problems are occurring. For example, if you are having trouble getting a DHCP client to locate a DHCP server on the network, you could watch to see where the communications are getting held up, and quickly resolve the problem. Without being able to look at the raw network data, problems like this are often based on a tremendous amount of guesswork and can be very time consuming.
Optimization of NT Server and NT Workstation
Windows NT Server and Workstation have more differences than just their feature sets. The actual code that controls the internals of each system is optimized so NT Workstation performs best as a desktop operating system for client/server and mission critical applications, whereas NT Server provides a robust, fault-tolerant operating system capable of being the foundation of an enterprise-level network by providing application, file, and print system.
The following differences have been made to the two products to make each best fit its intended market:
- Write-throttling cache in NT Server
- Pageability of the server code
- Preloading of the Virtual DOS Machine (VDM) in NT Workstation
- Difference in the number of system threads
- Adjustable optimization for file/print services or application services in NT Server
Write-Throttling Cache in NT Server
To better meet their particular roles, Windows NT Server and NT Workstation handle the flushing of dirty cache data differently. This mechanism, known as write throttling, essentially results in NT Server holding dirty information in cache longer than NT Workstation. This allows NT Server to better perform its role as a server. NT Workstation, on the other hand, flushes its cache more frequently, resulting in a smaller memory overhead for the cache.
Pageability of Server Code
SRV.SYS is the driver in Windows NT that is responsible for processing high-level file system requests and then passing them to the appropriate low-level device driver. In Windows NT Workstation, SRV.SYS is highly pageable, which translates to a lower memory footprint, but might result in additional paging. In NT Server, this driver is less pageable, meaning a larger dedicated memory footprint. This is part of the reason that NT Server needs more memory than NT Workstation. By not allowing parts of the SRV.SYS code to be paged out, NT Server is better able to respond quickly to requests.
Preloading of Virtual DOS Machine in NT Workstation
When you interactively log onto a Windows NT Workstation, the system preloads the Windows NT Virtual DOS Machine (NTVDM). Preloading the NTVDM allows NT Workstation to load 16-bit applications faster but results in a slightly longer logon time. Also, preloading the NTVDM consumes more memory if you will not be running 16-bit code. Because NT Server is not intended to be a regular logon workstation, there is no need to preload the NTVDM. If an interactively logged-on user on an NT Server starts a 16-bit application, NT Server will load the NTVDM and then dispose of it when the application is exited.
Differences in the Number of System Threads
NT Server creates more worker threads than NT Workstation. These worker threads provide access to key system resources and ensure that access to these resources is handled in an equitable manner. By using more threads, the core services of Windows NT Server are more responsive to incoming user requests and are better able to distribute the system load across processors in an SMP system. Using a smaller number of system threads in NT Workstation results in a smaller system overhead, leaving more resources for user-based applications.
Adjustable Optimization for File/Print Services or Application Services
Windows NT Server allows you to choose whether you want to optimize your server for file and print services, or as an application server. This provides you the option of targeting what services you want to receive the highest priority. Because NT Workstation is not designed to be a high-performance server, it does not allow for this optimization.