CECA Quick Guide to
Microsoft NT Servers
12/97
Introduction
This document is a brief description of the workings of NT Server. It cannot possibly cover all of the details of NT and assumes some knowledge of computers, networks, and operating systems.
Microsoft NT - "One User - One Login". NT groups users into Domains (more than 10 users) or Workgroups (fewer than 10 users); in almost all NT cases Domains will be used. Domains (logical groups of users) are controlled via Domain Controllers.
Domain Controllers - These NT servers are divided into two types, primary domain controllers (PDC) and backup domain controllers (BDC). There is only one PDC per Domain, while there can be many BDCs. The PDC holds the main user/machine database (SAM - Server Access Manager) while the BDCs hold a copy. The size of the SAM grows at 1 kilobyte per user and 0.5 kilobytes per PC. The SAM must consist of less than 40000 users. Any changes to user rights have to be made to the main database, which means that if the PDC is down, no changes can be made. In large domains (many users and/or distant locations), users validate against a local BDC to minimize the load on the PDC. Any changes to the database are echoed to the BDCs. There should be one BDC per 2000 users. If a Domain is going to span network subnets, then a BDC needs to be on each such segment. The PDC can only send changes of the SAM to 10 BDCs at a time.
Domain Controller Hardware requirements - In general the BDCs should be more "powerful" in both memory and CPU than the PDC. The amount of RAM should be 3 times the size of the SAM database (at the largest, 40 Meg to 128 Meg of RAM) and the processor should be "as fast as possible." Multiple processors are only beneficial to programs that use them (of course the NT OS does.)
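The sizing rules in the two paragraphs above (SAM growth per user and PC, the 40000-user limit, RAM at three times the SAM, one BDC per 2000 users and per remote subnet, at most 10 BDCs per replication pass) can be turned into a small planning calculator. This is an added example, not part of the original guide; the constants reproduce the figures from the text, while the function names, the sample domain figures, and the decision to take the larger of the two BDC rules rather than their sum are my own.

```python
"""Domain-controller sizing built from the rules of thumb in this guide.

Added example, not part of the original guide. The constants reproduce the
figures in the text; the function names and sample inputs are constructed.
"""
import math

KB_PER_USER = 1.0        # SAM grows 1 KB per user
KB_PER_PC = 0.5          # ... and 0.5 KB per PC
MAX_SAM_USERS = 40000    # SAM must hold fewer than 40000 users
RAM_TIMES_SAM = 3        # RAM should be 3x the SAM size
USERS_PER_BDC = 2000     # one BDC per 2000 users
MAX_SYNC_TARGETS = 10    # PDC pushes SAM changes to at most 10 BDCs at a time


def sam_size_kb(users, pcs):
    """Size of the SAM in kilobytes; refuses domains over the 40000-user limit."""
    if users > MAX_SAM_USERS:
        raise ValueError(f"{users} users exceeds the {MAX_SAM_USERS}-user SAM limit")
    return users * KB_PER_USER + pcs * KB_PER_PC


def domain_controller_ram_mb(sam_kb):
    """Recommended RAM for a domain controller: three times the SAM, rounded up to whole MB."""
    return math.ceil(sam_kb * RAM_TIMES_SAM / 1024)


def bdc_count(users, remote_subnets):
    """BDCs needed: one per 2000 users, and never fewer than the number of
    subnets that do not contain the PDC, since each of those needs its own BDC.
    Taking the maximum of the two rules (not their sum) is my reading of the text."""
    return max(math.ceil(users / USERS_PER_BDC), remote_subnets)


def sam_sync_rounds(bdcs):
    """Rounds the PDC needs to push one SAM change to every BDC."""
    return math.ceil(bdcs / MAX_SYNC_TARGETS)


def size_domain(users, pcs, remote_subnets):
    """Summarise the sizing decisions for one domain as a dict."""
    sam_kb = sam_size_kb(users, pcs)
    bdcs = bdc_count(users, remote_subnets)
    return {
        "sam_kb": sam_kb,
        "dc_ram_mb": domain_controller_ram_mb(sam_kb),
        "bdcs": bdcs,
        "sam_sync_rounds": sam_sync_rounds(bdcs),
    }


if __name__ == "__main__":
    # Constructed sample: 25000 users and 20000 PCs spread over 2 subnets without the PDC.
    for key, value in size_domain(25000, 20000, 2).items():
        print(f"{key:>16}: {value}")
```

For the constructed 25000-user domain the calculator reports a 35000 KB SAM, 103 MB of RAM per controller, 13 BDCs, and two replication passes for every SAM change; the last figure is the one that argues for keeping rights changes batched rather than trickling them in when a domain is that large.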
Domain relations - Domains can have relationships called Trusts. Domains are trusted, trusting, or both. When one domain (A) is trusting of another domain (B), its accounts/rights can be administered by the second domain (A can be administered by B). This makes the second domain (B) the trusted domain. A general rule of thumb is the fewer the trusts, the better. Trusts are not transitive: if domain A trusts domain B and domain B trusts domain C, then domain A does not automatically trust domain C. Turning a domain controller off does not delete the trust with another domain controller, and the trust is re-established when the controller is turned back on.
Login Process - Every domain, user, and PC is identified by a unique SID. When a user attempts to log in, their user ID and password are passed to a domain controller (usually a BDC) for verification. When a user is verified, he is handed a token. The token is generated at the time of verification and defines the user's rights in that domain. If the user tries to log in to a different domain, they must be verified by a domain controller in that domain. This kind of login process is called Pass Through Authentication. At its largest size (40 Meg/40000 users) user logins may take from 5-10 minutes.
User Accounts - Of course user names must be unique. When assigning rights, Microsoft wants you to follow the AGLP rule: Accounts ==> Global Groups ==> Local Groups ==> Permissions. The user Guest is automatically disabled when NT is installed and Microsoft suggests that the group Domain Users.
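The two properties that matter for access decisions, that trusts are one-way and non-transitive (Domain relations above) and that rights flow Account to Global Group to Local Group to Permission (the AGLP rule), can be checked in a small model. This is an added example and not code from the guide; the domain names A, B and C, the group names, the accounts alice and carol, and the share path are constructed.

```python
"""Model of one-way, non-transitive domain trusts and AGLP rights resolution.

Added example, not part of the original guide. The domains, groups, accounts
and share path are constructed. The model follows the text: a trusting domain
accepts accounts from the domain it trusts, global groups hold only their own
domain's accounts, and local groups collect global groups and carry permissions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Account:
    domain: str
    name: str


@dataclass
class Domain:
    name: str
    trusted: set = field(default_factory=set)          # domains this one trusts (one-way)
    global_groups: dict = field(default_factory=dict)  # group -> {Account}, own domain only
    local_groups: dict = field(default_factory=dict)   # group -> {(source domain, global group)}
    permissions: dict = field(default_factory=dict)    # resource -> {local group: {rights}}

    def trust(self, other):
        """self trusts other: other's accounts may be granted rights here, not the reverse."""
        self.trusted.add(other.name)

    def accepts_accounts_from(self, domain_name):
        # Only a direct trust counts: A trusting B and B trusting C does not let A accept C.
        return domain_name == self.name or domain_name in self.trusted

    def add_to_global_group(self, group, account):
        if account.domain != self.name:
            raise ValueError(f"global group {group} in {self.name} cannot hold {account.domain} accounts")
        self.global_groups.setdefault(group, set()).add(account)

    def add_global_to_local(self, local_group, source, global_group):
        if not self.accepts_accounts_from(source.name):
            raise PermissionError(f"{self.name} does not trust {source.name}")
        self.local_groups.setdefault(local_group, set()).add((source.name, global_group))

    def grant(self, resource, local_group, rights):
        self.permissions.setdefault(resource, {}).setdefault(local_group, set()).update(rights)

    def effective_rights(self, resource, account, domains):
        """Walk AGLP: Account -> Global group -> Local group -> Permission.
        The trust is re-checked on every lookup so that a trust removed after
        the group membership was set up stops granting access."""
        rights = set()
        for local_group, members in self.local_groups.items():
            for source_name, global_group in members:
                if not self.accepts_accounts_from(source_name):
                    continue
                if account in domains[source_name].global_groups.get(global_group, ()):
                    rights |= self.permissions.get(resource, {}).get(local_group, set())
        return rights


def demo():
    """A trusts B and B trusts C. Returns (alice's rights in A, whether C's group
    could be placed in A's local group, alice's rights after A drops the trust)."""
    a, b, c = Domain("A"), Domain("B"), Domain("C")
    domains = {d.name: d for d in (a, b, c)}
    a.trust(b)
    b.trust(c)
    alice, carol = Account("B", "alice"), Account("C", "carol")
    b.add_to_global_group("Engineers", alice)
    c.add_to_global_group("Engineers", carol)
    share = r"\\PDC-A\Projects"                       # constructed share path
    a.add_global_to_local("Project Readers", b, "Engineers")
    a.grant(share, "Project Readers", {"read"})
    before = a.effective_rights(share, alice, domains)
    try:
        a.add_global_to_local("Project Readers", c, "Engineers")  # A does not trust C
        c_accepted = True
    except PermissionError:
        c_accepted = False
    a.trusted.discard("B")                            # an administrator removes the trust
    after = a.effective_rights(share, alice, domains)
    return before, c_accepted, after


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `({'read'}, False, set())`: alice from the trusted domain B reads the share through the global-to-local chain, C's engineers cannot be added because the B-to-C trust does not extend to A, and alice's access disappears as soon as A stops trusting B even though the group memberships are still in place.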
Browsers - Each domain (or sub-domain via a BDC) has to maintain a list of shares (shared folders on a server, workstation, or Windows 95 PC). The PDC of a domain is the domain master browser, while local groups of PCs hold elections to determine which is the most powerful computer: each computer broadcasts its qualifications, and the winner becomes the master browser and maintains a list of shares. The backup browsers catalogue the shares around them and send this information to the master browser. Any changes to the browse list are then propagated from the master browser to the other backup browsers. The master browser also sends this info to the PDC. When a user opens Network Neighborhood, they get a copy of the share list from the nearest backup browser. It may take up to twenty minutes for a PC to be removed from or added to the full share list.
WINS - WINS servers provide NetBIOS name to IP/MAC address resolution. Once a PC has an IP (DHCP or static) it registers its NetBIOS name (computer name) using a broadcast (confined to the current subnet unless broadcasts are forwarded across subnets), and all WINS servers that see this broadcast place the IP/NetBIOS name/MAC address in their tables. Whenever a PC wants to connect to a specific computer name it can obtain the address from DNS (if available) or from the WINS server. If the PC is told the IP of the WINS/DNS server, it will ask the WINS directly (and/or the DNS at the same time) to get the IP of the desired computer name. If no specific WINS server is known, the PC resorts to a broadcast to reach a WINS.
NT Optimization
Memory - NT wants lots of memory; the more the better. You can't have too much memory.
Virtual Memory - On NT Server the page file (virtual memory file) should be twice the size of physical RAM, while on NT Workstation it should be the physical RAM size + 12 Meg.
Controllers - Microsoft recommends RAID 5 if possible using PCI controllers. This will improve speed and reliability. IDE controllers should not be used unless nothing else is available.
Caching - Disk Caching should be used unless there is not enough physical RAM to support it.
Protocols - Reducing the number of protocols in use can greatly increase NT performance. The fewer protocols the better. NT defaults to TCP/IP and does not require any other in a Windows-only environment (assuming other Windows stations can access IP.)
Network Adapters - 32-bit adapters should be used, and if multiple protocols are in use, multiple adapters should also be used (one protocol per adapter).
Network Services - For large networks, Domain Controllers should not be used for DHCP or WINS, while in smaller domains these services can be combined.
Applications - Domain Controllers should not be used for applications such as SNA or SQL. In small domains the BDCs can act as file and print servers, but in larger domains separate "application" servers should be created.
Time Sync - Each NT server should be synchronized to the same time to optimize database information changes.
Login Speed - Put BDCs near users, limit the number of services provided by BDCs and limit the number of protocols.
Shared Folders - If a PC shares its drive, it not only constitutes a security problem but also increases network traffic. Shares should be reduced as a general rule of thumb, as the server should be used for transferring data between users.
WINS servers - The number of WINS servers should be minimized, as traffic between WINS servers can be (relatively) large as the size of the WINS table grows. As a PC defaults to WINS broadcasts to register itself and resolve names, a large number of PCs can create a lot of network traffic. If WINS is going to be used, the WINS IP address should be known to all PCs on the network. If DHCP is used, this information can be sent to the PC along with its other relevant IP information. WINS servers can be combined with DHCP servers, but should not be the same machines as the BDCs.
NT Disaster Prevention
FAT Partition - Every NT server should have a C: drive of at least 300 Meg formatted FAT. If a FAT partition does not exist (only NTFS), then crash recovery involves more work and a greater chance of a total re-install of NT.
Backup - NT servers should be backed up regularly. When using the built-in backup application, the "save registry" option should be enabled.
UPS - Use a smart UPS to shut down the server gracefully. When NT starts it builds a hardware list and polls the hardware COM ports. This will trigger a "power out" signal to the UPS and make it think that the power is now off. To prevent this, the following switch should be placed in Boot.ini:
/noserialmice=COMx (where x is the com port that the UPS uses.)
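The switch has to be appended to the operating-system entries in Boot.ini, and it is easy to forget it on one of several servers or to add it twice. The following script applies it idempotently to every entry in the [operating systems] section. This is an added example rather than anything from the guide; the SAMPLE_BOOT_INI it works on is a constructed file whose ARC paths and description strings are typical NT 4 values, not copied from a real server.

```python
"""Append /noserialmice=COMx to every [operating systems] entry in Boot.ini.

Added example, not from the guide. SAMPLE_BOOT_INI is a constructed Boot.ini.
"""

SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINNT="Windows NT Server Version 4.00"
multi(0)disk(0)rdisk(0)partition(1)\\WINNT="Windows NT Server Version 4.00 [VGA mode]" /basevideo /sos
"""


def add_noserialmice(boot_ini, com_port):
    """Return the Boot.ini text with /noserialmice=COMx appended to each OS entry.
    Entries that already carry a /noserialmice switch are left alone, so running
    this twice (or on an already-patched file) changes nothing."""
    if not com_port.upper().startswith("COM") or not com_port[3:].isdigit():
        raise ValueError(f"expected a port such as COM1, got {com_port!r}")
    switch = f"/noserialmice={com_port.upper()}"
    out, in_os_section = [], False
    for line in boot_ini.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_os_section = stripped.lower() == "[operating systems]"
        elif in_os_section and "=" in stripped and "/noserialmice" not in stripped.lower():
            line = f"{line.rstrip()} {switch}"
        out.append(line)
    return "\n".join(out) + "\n"


def os_entries(boot_ini):
    """List the [operating systems] lines, for checking the result."""
    entries, in_os_section = [], False
    for line in boot_ini.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_os_section = stripped.lower() == "[operating systems]"
        elif in_os_section and stripped:
            entries.append(stripped)
    return entries


if __name__ == "__main__":
    print(add_noserialmice(SAMPLE_BOOT_INI, "COM2"))
```

Boot.ini on the C: drive is a hidden, read-only system file, so clear those attributes (attrib -r -s -h c:\boot.ini) before writing the patched text back and restore them afterwards; the [boot loader] section is left untouched because the switch only belongs on the entries NT actually boots.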
Event Log - The Event Log needs to be parsed routinely to see if any hardware problems may be occurring.
WinNT Diagnostics - AKA winmsd.exe. Should be run regularly as a checkup to see if any problems may be occurring.
Emergency Repair Disk - AKA ERD. The ERD should be updated regularly using the command
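One way to do that parsing routinely, as an added example that is not part of the guide: save the System log from Event Viewer as text and run a script over it that keeps only errors and warnings from hardware-related sources and flags the ones that repeat. The SAMPLE_LOG lines are constructed, and their comma-separated layout (date, time, source, type, category, event ID, user, computer, description) is one I chose for the example; check the column order of your own export before reusing the parser. The list of sources treated as hardware-related is also my choice.

```python
"""Triage of an exported NT System log for hardware trouble.

Added example, not part of the guide. SAMPLE_LOG is constructed, as is the
column layout it uses and the set of hardware-related sources.
"""
import csv
from collections import Counter
from io import StringIO

FIELDS = ["date", "time", "source", "type", "category", "event_id", "user", "computer", "description"]
HARDWARE_SOURCES = {"disk", "atapi", "scsi", "ntfs", "serial", "ups"}   # my choice of sources

SAMPLE_LOG = r"""12/01/97,08:02:11,Disk,Error,None,7,N/A,PDC01,The device \Device\Harddisk1\Partition1 has a bad block.
12/01/97,08:02:40,Disk,Error,None,7,N/A,PDC01,The device \Device\Harddisk1\Partition1 has a bad block.
12/01/97,08:15:03,Srv,Warning,None,2013,N/A,PDC01,The C: disk is at or near capacity.
12/01/97,09:00:00,Service Control Manager,Information,None,7036,N/A,PDC01,The Spooler service entered the running state.
12/01/97,09:45:19,atapi,Error,None,11,N/A,PDC01,The driver detected a controller error.
12/02/97,07:58:54,Disk,Error,None,7,N/A,PDC01,The device \Device\Harddisk1\Partition1 has a bad block.
12/02/97,10:12:30,UPS,Warning,None,2,N/A,PDC01,Communications with the UPS have been lost.
"""


def parse_events(text):
    """Parse exported lines into dicts; short or malformed lines are skipped, not fatal."""
    events = []
    for row in csv.reader(StringIO(text)):
        if len(row) < len(FIELDS):
            continue
        event = dict(zip(FIELDS, row))
        # The description is the last field and may itself contain commas.
        event["description"] = ",".join(row[len(FIELDS) - 1:])
        events.append(event)
    return events


def hardware_problems(events):
    """Errors and warnings whose source is a hardware-related driver or service."""
    return [e for e in events
            if e["type"] in ("Error", "Warning") and e["source"].lower() in HARDWARE_SOURCES]


def repeat_offenders(problems, threshold=2):
    """(source, event ID) pairs seen at least `threshold` times. A disk error
    that keeps coming back is the pattern worth acting on before the drive fails."""
    counts = Counter((e["source"], e["event_id"]) for e in problems)
    return {key: n for key, n in counts.items() if n >= threshold}


def triage(text, threshold=2):
    """Summarise one exported log: how many hardware events, and which ones repeat."""
    problems = hardware_problems(parse_events(text))
    return {"hardware_events": len(problems), "repeating": repeat_offenders(problems, threshold)}


if __name__ == "__main__":
    for (source, event_id), n in triage(SAMPLE_LOG)["repeating"].items():
        print(f"{source} event {event_id} repeated {n} times")
```

On the constructed sample the disk-capacity warning from Srv and the service-start message are filtered out, five hardware events remain, and the bad-block error from Disk is reported as repeating three times across two days, which is the kind of finding that justifies scheduling a drive swap while the RAID set is still healthy.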
rdisk /s
Emergency Kit per Server - Each Server should have beside it:
-DOS formatted boot disk - containing fdisk, format, edit, deltree, sys, etc.
-Server Boot Disks (3) - used to install and repair NT. Can be created with winnt /ox
-ERD - recently updated.
-Disks Formatted using NT (2) - One should contain the Server Manager and Domain Manager.
-NT CD-ROM
-Driver Disk - containing any NT drivers for special hardware.
Useful Command Lines
ipconfig /all - shows IP network adapter configuration
route print - shows active TCP/IP routes
ipxroute config - shows IPX network adapter config
ipxroute servers - shows current IPX servers
ipxroute table - shows IPX routes
ping xxx.xxx.xxx.xxx - IP ping to determine if xxx.xxx.xxx.xxx is alive.
drivers - Shows installed drivers with date and version. Only included with resource kit.
\\computername\X$ - this will mount drive X on computername via its administrative share. You have to have rights to X.
Suggested Changes
Create Emergency Kits for Each Server - including ERD and boot floppies.
Double the Virtual Memory Page File Size on each NT Server (it should be twice the physical RAM size.)
Make Sure AutoReboot is in effect on each Server.