Network Operating Systems - PowerPoint PPT Presentation

Slides: 51
Provided by: cent220

Transcript and Presenter's Notes

Title: Network Operating Systems


1
Network Operating Systems
Microsoft Windows Networks
2

Microsoft Networks
  • Can be peer-to-peer or client-server or
    server-based
  • Each machine is identified by unique computer
    names
  • Resources are specified with their UNC names -
    \\computername\sharename\directory\file
  • These resources are referred to as shares.
  • The access a user is granted to a share is
    referred to as a permission.

[Figure: machines Mkt1, Mkt2, Mkt3 and server Mkt1_SRV; share //Mkt3/Files]
3
How Windows communicates
  • Windows machines rely on names for
    communication

Machines on Windows networks offer their services
based on share names
Connections are established between machines
based on computer names
4
NetBIOS Name Service
  • All resources on Windows networks must have
    unique names. This naming is controlled by a
    protocol called NetBIOS
  • Names on NetBIOS networks must first be claimed
  • This claiming process can be done either by
    broadcasts, or by querying a WINS server (running
    on a NT server).

5
NetBIOS vs. NetBEUI
NetBIOS today is the upper layer (5,6,7)
protocol used to establish the communications
between applications running on two different
machines. NetBEUI is a lower layer (3,4)
protocol. If you choose not to use NetBEUI,
you can also run NetBIOS over NWLink (IPX/SPX) or
TCP/IP.
NetBIOS was originally developed by IBM. At that
time its functionality could roughly be mapped
to the 7 layers of the OSI model.
6
NetBEUI
  • NetBEUI is the traditional protocol supported
    with Windows networks
  • It is small, fast and easy to use
  • However it is a raw frame protocol (no network
    layer address)
  • NetBEUI is not routable

7
Browsing the Network
  • Shares on Windows networks are made accessible
    to clients through browsing
  • Browse lists are maintained by a process called
    the Master Browser
  • A Master Browser is elected each time the
    Windows Network starts. (priority NT servers,
    Win95 machines, then WFW machines)
  • View browse list using Network Neighborhood
  • or type the command
  • net view \\server-name /workgroup:workgroup-name

8
Microsoft's Workgroup Model
Microsoft peer-to-peer networks are defined by
what is called the Workgroup model
  • a logical grouping of computers and users
  • any machine can be a client or a server
  • each computer maintains its own user database
  • all configuration is done locally on each PC
  • suitable for small networks

9
Microsoft's Domain Model
  • Microsoft client-server networks are defined by
    what is called the Domain model
  • A Domain is
  • a logical grouping of computers and users
  • client-server type model
  • best for larger organizations
  • requires an NT Server
  • NT Directory Services
  • a centralized user database is maintained at an
    NT server called a Domain Controller
  • single user login gives access to all networked
    resources

10
Domain Controllers
PDC - Primary Domain Controller (NT not 2000)
  • maintains the master copy of the user database
  • tracks changes made to domain accounts
  • authenticates users
  • one PDC must exist in each domain

11
Replication
BDC - Backup Domain Controller (NT not 2000)
  • can be installed to provide redundancy
  • authenticates users to reduce load on PDC
  • Synchronized to the PDC- the PDC automatically
    replicates a copy of the user database to the BDC
  • can be promoted to PDC if existing PDC fails

12
NT Administrative Tools
  • User Manager for Domains
  • Server Manager
  • My Computer/Explorer
  • Network Control Panel
  • Event Viewer
  • Disk Administrator
  • Windows NT Diagnostics
  • Performance Monitor
  • RDISK

13
User Manager for Domains
  • Add/configure user accounts
  • Add/configure groups
  • specify home directories, logon hours, logon
    workstations etc. for user accounts
  • administer rights

Start -> Programs -> Administrative Tools -> User
Manager
14
Server Manager
  • view statistics about the computers in a domain
  • add new computers to a domain
  • send messages to other computers
  • view, create, change permissions on shares
  • promote a BDC to PDC
  • synchronize the PDC to the BDC

Start -> Programs -> Administrative Tools -> Server
Manager
15
Network Control Panel
  • Add/Configure Network Components (i.e. Adapter,
    Protocols and services)

Start -> Settings -> Control Panel -> Network
16
My Computer/Explorer
  • Use My Computer or Explorer to create shares
  • Special Hidden Shares
  • \\server-name\sharename$
  • does not show up on the browse list
  • attached to with a NET USE command
  • NET USE S: \\NTSERV01\C$

17
Event Viewer
  • View File, System or Security error messages

18
Windows NT Diagnostics
  • View various diagnostics about the NT computer
  • such as memory, resource settings, version
    information

19
Performance Monitor
  • Tracks performance statistics
  • such as memory usage, server traffic, disk
    performance, processor utilization

20
Disk Administrator
  • View/Configure drives and partitions

21
NTFS vs. FAT
  • NT supports the following file systems
  • FAT (File Allocation Table)
  • widely used
  • complete access for various operating systems
  • maximum partition size is 4 GB (2GB in W9X)
  • NTFS4 (Windows NT File System)
  • allows file level and local security
  • enhanced performance and reliability
  • file compression is possible
  • maximum partition size is 2 Terabytes

22
Emergency Repair Disk
  • You can create or update an Emergency Repair
    Disk by running RDISK (in W2000 this would be
    accomplished by running the Backup Wizard).
  • It is used to verify/repair a corrupted NT/2000
    system
  • Use RDISK /S (or Backup Wizard) to back up user
    and security info to the disk
  • You should recreate this disk every time you make
    changes to NT/2000
  • The information contained on the Emergency Repair
    Disk is stored on your hard drive in
    C:\WINNT\REPAIR.
  • It is not a bootable disk - use setup disks and
    select Repair option

23
Creating an NT Boot Disk
  • NTLDR - NT OS Loader
  • NTDETECT.COM - Identifies/loads hardware
  • BOOT.INI - configures disks and partitions
  • Ntbootdd.sys - for SCSI without BIOS
  • Other device drivers necessary for operation of
    the system
  • some files are accessed from the hard disk

24
BOOT.INI
  • BOOT.INI is a hidden, read-only ASCII text file
  • Builds the Boot Loader Menu which defines
  • timeout
  • operating systems installed
  • partition locations referred to as ARC paths

25
Network Operating Systems
  • Windows NT
  • Managing Users and Resources

26
Windows NT Domains
  • Access to an NT domain is based on both a user
    account and a computer account
  • Is based on SAM (Security Accounts Database)
  • Security database on NT that contains all user
    accounts, group accounts, and computer accounts
    within a domain. It also holds passwords, policy
    settings, records of permissions, etc.
  • this is what is replicated between PDC and BDC.
  • SID - the security ID, a unique identifier for
    each user, group or computer account.

27
Multiple Domains and Trusts
  • Multiple domains may be created within an
    organization to help organize or categorize
    divisions or users.
  • Trusts are then established to grant inter-domain
    access when multiple domains exist
  • Trusting Domains - grant access
  • Trusted Domains - receive access
  • One-Way, Two-Way, or Universal Trusts

[Figure: Trusted Domain and Trusting Domain]
28
User Account Configuration
  • User Manager for Domains
  • make sure you use the right User Manager
  • Accounts created for NT domains are global
    accounts

29
Computer Account Administration
  • All NT workstation computers must be added to the
    domain before the computer can be used to access
    the domain.
  • Computer accounts can be created from Server
    Manager or from the NT workstation.

30
Groups
  • Groups allow you to simultaneously grant rights
    and permissions to multiple users.
  • Try to use groups as much as possible when
    assigning rights and permissions to ease
    administration.

Several built-in groups exist - i.e. Domain
Admins, Domain Users, Backup Operators.
Two types of groups exist - local and global groups.
31
How to use NT Groups
  • Using NT groups effectively eases NT
    administration in multiple domains
  • Global Groups - contain only users from one
    domain
  • Local Groups - contain user accounts and global
    groups from one or many domains
  • A-G-L-P
  • create Accounts in one domain
  • create a Global group in that domain and place
    users in it
  • create a Local group in the other domain
  • grant the local group Permissions to resources
    from the other domain
  • make the global group a member of the local
    group

32
3 Ways of Securing Network Resources
  • A user's access to a share (i.e. read, write, delete)
    is referred to as share permissions.
  • File/directory level security is available if you
    use the NTFS file system and NTFS Permissions.
  • A right is the authorization to perform a system
    related task (i.e. backup, change time, shutdown)

33
Setting Share Permissions
  • Right click the folder and select the Sharing tab
  • No Access - overrides all other permissions
  • Read (RX) - Read Execute
  • Change (RWXD) - Read, Write, Execute and Delete
  • Full Control ( RWXDPO) - Read, Write, Execute,
    Delete, Change Permissions, Own
  • Share level permissions are enforced by the
    network OS, therefore
  • are only in effect when accessing the share over
    the network

34
Setting NTFS Permissions
  • Right click the folder or file and select the
    Security tab
  • For Folders/Files
  • No Access - None/None
  • List - (RX)/Not Specified
  • Read - (RX)/(RX)
  • Add - (WX)/Not Specified
  • Add Read - (RWX)/(RW)
  • Change - (RWXD)/(RWXD)
  • Full Control - (All)/(All)
  • NTFS permissions are enforced by the NTFS file
    system
  • are in effect when logged in locally
  • they can be set on files as well as folders

35
Evaluating Access to Resources
  • Permissions flow down the folder hierarchy
  • Permissions and rights are additive
  • except
  • No Access overrides all permissions and rights
  • when combining share and NTFS permissions the
    most restrictive always wins
  • NTFS file permissions override folder permissions
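
The evaluation rules on this slide, worked through as an added Python example (not part of the original presentation). It assumes the permission letters from the "Setting Share Permissions" slide for both share and NTFS levels, models "most restrictive wins" as a set intersection, and uses constructed users, groups and ACLs.

```python
# Added illustration of the slide's evaluation rules; not from the deck.
# Level names and letters follow the "Setting Share Permissions" slide.
# Users, groups and ACL entries below are constructed sample data.

NO_ACCESS = "No Access"
LEVELS = {
    NO_ACCESS: frozenset(),
    "Read": frozenset("RX"),
    "Change": frozenset("RWXD"),
    "Full Control": frozenset("RWXDPO"),
}

def combine(acl, principals):
    """Additive rule: union of every grant that applies to the user or one of
    their groups, except that a single No Access entry overrides everything."""
    granted = set()
    for principal, level in acl:
        if principal not in principals:
            continue
        if level == NO_ACCESS:
            return frozenset()
        granted |= LEVELS[level]
    return frozenset(granted)

def effective_access(user, groups, ntfs_acl, share_acl=None):
    """share_acl=None models a local logon, where share permissions do not
    apply. Over the network the most restrictive of share and NTFS wins,
    modelled here (an assumption) as the intersection of the two sets."""
    principals = {user, *groups}
    ntfs = combine(ntfs_acl, principals)
    if share_acl is None:
        return ntfs
    return ntfs & combine(share_acl, principals)

def letters(perms):
    """Render a permission set in the slide's letter order."""
    return "".join(c for c in "RWXDPO" if c in perms)

# Constructed sample ACLs
SHARE_ACL = [("Everyone", "Full Control")]
NTFS_ACL = [("Everyone", "Read"), ("Marketing", "Change"), ("Temps", NO_ACCESS)]

if __name__ == "__main__":
    for user, groups in [("alice", ["Everyone", "Marketing"]),
                         ("bob", ["Everyone"]),
                         ("carol", ["Everyone", "Marketing", "Temps"])]:
        result = effective_access(user, groups, NTFS_ACL, SHARE_ACL)
        print(user, letters(result) or "none")
```

With a share left at Full Control for Everyone, the NTFS ACL alone decides the result, which is why tightening only the share permission has no effect on a user logged in locally.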

36
An Example of setting permissions
  • Guidelines for setting up user Home directories
  • Use NTFS
  • a folder named USER is automatically created when
    installing NT. On this folder grant the
    following
  • Share level Full Control to the Everyone group
  • NTFS directory permissions of Read and Execute to
    Everyone
  • NTFS file permissions of None to Everyone
  • NTFS Full Control for both for Administrators
  • Create home directories for each individual user
    under the USERS folder and grant each user NTFS
    Full Control to their own directory.

37
Setting User Rights
  • A right is the authorization to perform a system
    related task (i.e. backup, change time, shutdown)
  • From User Manager
  • for Domains, select
  • Policies, User Rights

38
Configuring the User Environment
The User Environment Profile of a user's account
can be used to configure the following
  • Logon scripts
  • Simple text files that can be .bat, .cmd, or .exe
  • should be stored in
  • C:\WINNT\SYSTEM32\REPL\IMPORT\SCRIPTS
  • Home Directory
  • The location of the user's home folder
  • Default for Save as and Open in MS Apps
  • User Profile Path
  • the location of the user's profile in UNC format
    \\servername\sharename

In User Manager for Domains > Select a User >
Click the Profile button
39
User Profiles
  • stores user specific configuration and desktop
    settings
  • automatically created when a user logs in
  • locally stored on \winnt_root\profiles,
    %systemroot%\profiles or c:\winnt\profiles
  • Two default folders exist - All Users and Default
    Users
  • can be placed on a network share to be configured
    as roaming profiles or mandatory roaming profiles

40
User Profiles
  • Includes these sub-folders
  • Application Data - Win95 or NT application
    specific data
  • Desktop - shortcuts and other desktop settings
  • Favorites - favorite URLs etc.
  • NetHood - Hidden, contents of Network
    Neighborhood
  • Personal - Personal programs
  • PrintHood - Hidden, contents of printer window
  • Recent - recently opened files
  • SendTo - contents of the SendTo menu
  • Start Menu - contents of the Start Menu
  • Templates - hidden, Win95 and NT template files
  • Also includes
  • Ntuser.dat and Ntuser.dat.log - registry settings

41
User Profiles
  • Roaming User Profiles - by placing the profile
    sub-directory on a network share, the user
    profile can be downloaded to any machine the user
    logs in to.
  • Mandatory Roaming User Profiles - by changing
    Ntuser.dat to Ntuser.man, the profile cannot be
    modified by the user.

42
System Policies
  • A set of registry settings that defines system
    configurations and user restrictions
  • can be based on machine, user or group
  • policies are created using poledit
  • the policy is stored as Ntconfig.pol
  • Ntconfig.pol should be stored in
    C:\WINNT\SYSTEM32\REPL\IMPORT\SCRIPTS
  • Three settings
  • Enabled (checked)
  • Disabled (un-checked)
  • Neutral (grayed)

43
NETLOGON Share
  • The NETLOGON Share provides directory replication
    to synchronize login scripts, policies and other
    user files from PDC to BDC.
  • Important for authentication in multiple domain
    controller environments.
  • C:\WINNT\SYSTEM32\REPL\EXPORT

44
Windows 2000 Products
  • 2000 Professional
  • Desktop Replacement for NT (not W9x)
  • Up to 2 processors
  • 2000 Server
  • Up to 4 processors
  • Up to 4GB RAM
  • Server Web functionality

45
Windows 2000 Products (cont)
  • 2000 Advanced Server
  • Up to 8 processors
  • Up to 8GB RAM
  • Clustering functionality (improved fault
    tolerance)
  • 2000 Data Center Server
  • Up to 32 processors
  • Up to 64GB RAM
  • Large database and data warehouse applications

46
Windows 2000 Capabilities
  • Sharing resources
  • Managing resources
  • Security
  • Scalability and compatibility
  • Reliability
  • Distributability
  • Fault tolerance
  • Internet Integration and E-commerce

47
Windows 2000 New Features
  • Active Directory Services (ADS) - similar to NDS
  • Advanced PnP capabilities
  • Defrag tool now included
  • Support for FAT16, FAT32, and NTFS5 (for NT 4.0,
    SP 4 includes compatibility between NTFS4 and
    NTFS5)
  • Distributed Network Architecture (DNA) - no more
    PDC and BDC, just Domain Controllers

48
Windows 2000 New Features (cont)
  • Kerberos Security - use of encryption key
  • Microsoft Management Console (MMC) - all
    management functions managed from one place
  • IntelliMirror Roaming Profiles - same desktop
    settings regardless of location.
  • Power Management - similar to W9x
  • Supports more languages

49
Windows 2000 Server Security
  • Account or Interactive Login Security
  • Object Security
  • Services Security

50
Windows 2000 ADS Guidelines
  • Simplicity
  • Least number of domains possible
  • One domain on small networks
  • Use OUs to reflect organizational structure -
    keep to a minimum
  • Established naming conventions