
Some of the main topics in this chapter are
Many of your activities as an administrator in an NT infrastructure will involve maintaining, monitoring, and troubleshooting your servers. Fortunately, Microsoft provides several tools to help you keep your environment running smoothly.
Server Manager makes it possible to maintain servers throughout your enterprise. Event Viewer enables you to review messages that processes running on your server have logged. Windows NT Diagnostics and System Properties provide a tremendous amount of information about your servers that you'll need for more effective troubleshooting. Several Web-based tools, Windows 95 tools, and new wizards provided with NT 4.0 facilitate simpler server administration.
Server Manager is a very powerful tool for managing your NT servers throughout the enterprise. It enables you to maintain any server, either locally or remotely, for which you have the appropriate permissions. You can create disk shares and add computers to the domain. You can view connected users and resources in use and disconnect users if necessary. You can even send messages to connected users. You can also use this tool to configure replication between servers, set up alerts, and start and stop services.
You start Server Manager on NT either by double-clicking its icon in the Administrative Tools group or by running SRVMGR.EXE from a command line. You can see in Figure 18.1 how Server Manager shows all the computers in the domain used to authenticate your account. Table 18.1 lists the information presented in the main view for each machine in the domain.
Server Manager displays all machines in a domain.
| Column | Description |
| Icon | The icon displayed to the left of every machine symbolizes what the machine's function is. There are four icons. The first three represent an active PDC, BDC, or workstation. Finally, there's a grayed-out icon if the machine is not currently available on the network. |
| Name | This is the name assigned to the machine. |
| Type | This column shows what the machine's type is. It shows whether it's a PDC, BDC, member server, or workstation. It also displays the version number of the operating system installed (unfortunately, it doesn't display service pack levels). Even if a machine is off or doesn't support administration via Server Manager, it can still be displayed. |
| Description | This is the machine's description. Your enterprise will be easier to administer if you assign a description to every machine in your enterprise. If the machine is off or can't be remotely administered, nothing will be shown in this field. |
NOTE: During troubleshooting, don't use the icon to make the determination of whether a machine is available on the network. Sometimes a machine shows as active in Server Manager even when it's not available and vice versa.
To change the domain for which computers are displayed, choose File, Select Domain, and provide a domain name. In an environment with many domains, you can save time by typing the domain without waiting for all domains in the enterprise to be enumerated. Another way to save time is to type a specific computer name in this dialog box. This causes the main menu to only list that specific computer, instead of a list of computers in a domain. Be sure to precede the computer's name with \\ (for example, \\SERVER01).
NOTE: You can use the command NET VIEW /DOMAIN:domainname from NT or NET VIEW /WORKGROUP:domainname from 95 to see a list of the computers in a domain.
Server Manager not only shows Windows NT Servers but also Windows NT Workstations and WFW and 95 workstations with file and print sharing enabled. To filter 3.x and 95 workstations from this list, choose View from the main menu and check Show Domain Members Only. To show only workstations or servers, choose View and select Servers or Workstations respectively instead of All.
Choose Options and check Low Speed Connection if you're administering a domain across a low-speed link. This prevents the list of computers in a domain from being fully enumerated when you use Server Manager. Press F5 or choose View, Refresh to manually update the screen.
NT Servers and Workstations require a computer account in a domain for security to work correctly. To understand this, it helps to relate to how user accounts are used for authentication. A person can only gain access to resources in a domain by having a username and password that gives them rights to such resources. In the same way, a computer can only be used to gain access to resources in a domain if the computer has a valid account in the domain.
NOTE: Actually, user accounts and computer accounts are very similar. When you create a computer account in a domain, a hidden user account with special attributes is created with the name computername$. The password is set as the computername, as well. After the computer is added, and periodically thereafter, the password is changed to a random password that only the computer knows to ensure the account stays secure.
You can also think of a computer account as a one-way trust relationship between the computer and the domain. The need for a computer account provides an extra layer of security by not only limiting who can access resources but also what machines they can use to access these resources.
NOTE: The need for NT machines to have a computer account in a domain is why you can't manually type in a domain name from the NT logon prompt. It wouldn't do any good, because even if you could fill in the domain name yourself, any attempts to log on as a user in a domain other than the one your computer was a member of, or that was trusted by the domain your computer was a member of, would fail.
There are two ways for a computer to join a domain. NT provides the capability during installation to specify an administrative account and password for the domain to which you want to add the machine. Sometimes, however, this won't be convenient. If you let users install their own machines, for example, you won't want to give an administrative logon to them, and you probably won't want to physically be at the machine to type in the administrative account and password for the user. In this case, use Server Manager to create the computer account before the NT machine is set up. To create a computer account:
This dialog box enables you to add a computer to a domain.
3. Fill in the computer name.
TIP: Server Manager forces the computer name to uppercase. You can use the command prompt to add a name that has lowercase letters in it. The command to add a computer account is NET COMPUTER \\computername /ADD.
NOTE: As mentioned in a previous note, a hidden user account is created when a computer account is added to the domain. This can cause conflicts if a user account with the same name already exists. If you get an error you should check User Manager to see if a user account exists with the name computername$.
5. You can repeat steps 2-4 as many times as necessary until you've added all the computer accounts you need. Once you're done, click Close.
Server Manager displays new computer accounts, as shown in Figure 18.3.
New computer accounts are grayed out until the computer joins the domain.
CAUTION: Be careful when creating computer accounts ahead of time. When you create the account ahead of time, anyone can install a new NT machine by using that account!
To remove a computer, highlight the machine and choose Computer, Remove from Domain or press Delete.
TIP: At the command prompt, you can use NET COMPUTER \\computername /DEL.
Be careful when deleting computer accounts. If you accidentally delete a computer account in Server Manager, just creating a new computer account with the same name won't recreate the link between the computer and the domain. You need to move the workstation to a different domain or workgroup temporarily, create a new computer account for the machine in the original domain, and then move the computer back to the original domain.
You can't just move a computer from one domain to another and then back again, either. Before moving a computer back into a domain it used to be a member of, you must delete the old computer account and make a new one.
A disk share is required for users on the network to access files on an NT server, hence the name. Think of a share as a shortcut to the associated directory. Disk shares make accessing file resources easier, while also making access more secure, by assigning a name and permissions to a directory on a server. It's easier because the name \\SEAST_PDC\DOWNLOADS is much easier to remember than \\SEAST_PDC\C$\FILES\INTERNET\DOWNLOADS. It's more secure because you can assign permissions to the share itself, preventing users from committing actions they shouldn't on the files in the referenced directory and its subdirectories. Highlight a server and then choose Computer, Shared Directories to see the shares on the selected computer.
TIP: To display all shares from the command prompt, type NET SHARE. To display information about a specific share, type NET SHARE sharename. When displaying a specific share, the users currently connected to the share will also be displayed.
Adding a Share. To create a share from Server Manager, choose New Share from the previous dialog box. Then fill in the share's name, path, and a comment specifying what files the share points to (see example in Figure 18.4).
Fill in the appropriate information in the New Share dialog box to create a share.
NOTE: If the share's name is longer than eight characters, MS-DOS workstations won't be able to connect to it.
You can end your share's name with a $ if you want the share to be hidden when browsing. This is useful for administrative shares you don't want regular users to know about and for home directories. If you don't hide home directories on a server, browsing the shares on that server, and finding the share you need in that list of shares, will become inordinately difficult as you add more users.
TIP: Creating home directory shares makes it possible for each user to map to the root of their home directory, instead of mapping to a common HOME share, and then changing to their specific home directory. For example, instead of user JDOE mapping drive H: to \\SEAST_PDC\HOME and then changing to the H:\JDOE directory, he can map drive H: directly to \\SEAST_PDC\JDOE$ and access files from the root of H:. If you come from a Novell environment, you'll notice that this enables you to accomplish what Netware accomplishes with its MAP ROOT command.
You can also assign permissions to the share. Choose Permissions from the New Share dialog box. A standard permissions dialog box then appears, as in Figure 18.5. Use this dialog box to modify who has rights to do what with the directories and files referenced by the share.
You can add permissions to the share.
NOTE: Share rights are different from NTFS permissions. If you use both types of security, the user will be able to do only what the more restrictive of the two allows. For example, say the directory C:\TESTDIR is shared as TEST. If C:\TESTDIR gives Everyone Full Control, but the share TEST only gives Everyone Read access, Everyone will only have Read access. On the other hand, if the share TEST had Everyone assigned Change access, but no permissions on the directory were assigned to Everyone, you would be able to connect to the share but not access any files under C:\TESTDIR.
TIP: When using NTFS security, you can leave Everyone with Full Control on the share, which is the default. As mentioned in the preceding note, this will not compromise security as long as you use the NTFS security permissions correctly. If you do choose to use both share and NTFS permissions, you'll have to do double work each time security changes.
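The following Python model is an added example, not part of the original chapter. It works through the NOTE's two TESTDIR cases and the TIP's NTFS-only setup, and goes slightly beyond the text by also modelling how rights accumulate across a user's groups and how a No Access entry overrides them. The rights letters, function names, and the user and group names are assumptions made for this sketch.

```python
# Added illustration: how share permissions and NTFS permissions combine
# for access over the network. Not an NT API; all names are assumptions.

# R=read, X=execute, W=write, D=delete, P=change permissions, O=take ownership
LEVELS = {
    "Read": frozenset("RX"),
    "Change": frozenset("RXWD"),
    "Full Control": frozenset("RXWDPO"),
}
NO_ACCESS = "No Access"


def granted(acl, principals):
    """Rights one permission list grants to a user.

    acl maps a user or group name to a level name; principals is the set of
    names the user holds (own account plus group memberships). Rights from
    all matching entries accumulate, except that a matching No Access entry
    overrides everything else in that list.
    """
    rights = set()
    for name, level in acl.items():
        if name not in principals:
            continue
        if level == NO_ACCESS:
            return frozenset()
        rights |= LEVELS[level]
    return frozenset(rights)


def effective(share_acl, ntfs_acl, principals):
    """Network access is limited to what BOTH the share and NTFS allow."""
    return granted(share_acl, principals) & granted(ntfs_acl, principals)


def level_name(rights):
    """Name the highest standard level fully contained in a set of rights."""
    for name in ("Full Control", "Change", "Read"):
        if LEVELS[name] <= rights:
            return name
    return "none"


def chapter_cases():
    """Evaluate the chapter's scenarios; accounts and groups are constructed."""
    jdoe = {"JDOE", "Everyone"}
    asmith = {"ASMITH", "Everyone", "Accounting"}
    temp = {"TEMP01", "Everyone", "Accounting", "Temps"}
    ntfs_by_group = {"Accounting": "Change", "Temps": NO_ACCESS}
    wide_open_share = {"Everyone": "Full Control"}  # the default share setting
    return {
        # NOTE, first case: share TEST is Read, directory is Full Control
        "share Read / NTFS Full Control": level_name(
            effective({"Everyone": "Read"}, {"Everyone": "Full Control"}, jdoe)),
        # NOTE, second case: share is Change, directory has no entry for Everyone
        "share Change / no NTFS entry": level_name(
            effective({"Everyone": "Change"}, {}, jdoe)),
        # TIP: leave the share open and let NTFS do the restricting
        "share Full Control / NTFS Change via group": level_name(
            effective(wide_open_share, ntfs_by_group, asmith)),
        "share Full Control / not in NTFS list": level_name(
            effective(wide_open_share, ntfs_by_group, jdoe)),
        # Generalization: No Access on one group overrides Change on another
        "share Full Control / NTFS No Access via group": level_name(
            effective(wide_open_share, ntfs_by_group, temp)),
    }


if __name__ == "__main__":
    for case, result in chapter_cases().items():
        print(f"{case:48} -> {result}")
```
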
To add a share from the command prompt, use the following syntax:
NET SHARE sharename=drive:path [/USERS:number | /UNLIMITED] [/REMARK:"text"]
Deleting a Share. Deleting a share is simple with Server Manager. Simply highlight the share in the Shared Directories dialog box, and click Stop Sharing. Be careful, though. When you click Stop Sharing, you won't get to confirm your choice; the share is removed immediately.
To delete a share from the command prompt, use the following syntax:
NET SHARE sharename /DELETE or NET SHARE drive:path /DELETE
Specifying the sharename immediately deletes that share. Because you can have multiple shares for the same path, if you specify the drive:path when deleting shares, all shares pointing to that path will be removed immediately.
Modifying a Share. Server Manager enables you to change any property of a share except for the name of the share itself. To change the other properties, highlight the existing share, choose Properties, and make the changes you need.
When you change the path for a share, Server Manager actually deletes the old share completely before creating a new share with the original share's properties.
CAUTION: Server Manager doesn't check the new path before deleting the old share, so by the time you are notified the new path is invalid the old share is gone. Therefore, if you make a mistake, don't hit Cancel at the Share Properties dialog box. Instead, change the path back to what it was originally so that the share is recreated as it was before you started this whole process.
NOTE: If you delete a directory that's shared without removing the share itself, you'll have an orphaned share. NT will notify you of these shares when you restart the server by logging an event such as the one in Figure 18.6. When viewed under Server Manager, an orphaned share's icon is dimmed, as in Figure 18.7.
Orphaned shares are logged when the Server service starts.
Orphaned shares are dimmed when viewed.
Server Manager enables you to control services on NT servers and workstations. The only real difference between using Server Manager and Control Panel to manage services is that Server Manager enables you to control services on remote computers.
NT Services are those processes that run in the background of your NT server regardless of whether anyone is logged on or not. To see what services are running on your server and what their properties are, you can either go to Control Panel, Services or go to Server Manager, highlight the server you wish to view, and choose Computer, Services. Figure 18.8 is an example of the services on a server:
NT Services can be controlled from the Services dialog box.
On this screen, you have the following information about each service:
| Item | Description |
| Service | Shows the service's name. |
| Status | If the service is started or paused, this will reflect that; if it's not running, this field will be blank. |
| Startup | Shows how the service is set to start when the server boots. |
| Startup Parameters | Some services enable you to pass them parameters to modify the way they start; this is where you specify these parameters for a service. |
You can Start, Stop, and Pause services from this screen. Not all services respond to a request to pause them. Services that deal with network requests can usually be paused. When paused, these services won't disconnect users who are already attached but will prevent further users from connecting. For example, you can pause the Server service when you want to let users who are already logged in stay connected, without allowing any new users to log on to the server.
NOTE: You can also control services from the command prompt. To do so, use the syntax NET START, NET STOP, or NET PAUSE, followed by the service name (if the service name has spaces in it, surround the name with quotes). If you need to control services remotely from the command line, the NT Resource Kit has a utility to do so.
You can modify a service's properties from this screen by highlighting a service and choosing Startup. Figure 18.9 appears.
Startup Type determines how the service starts when the server boots. If you set the service to Automatic, it starts each time the server starts. If you set it to Manual, it won't start at bootup, but you will be able to start it from the Services screen. If you set the service to Disabled, it won't be possible to start the service until it is changed to Manual or Automatic.
You can configure a service.
NOTE: Even if the service is initially set to Disabled, you can change it to Manual or Automatic and then start it from the Services screen without having to reboot.
You might notice that some services that are set to Manual still start at bootup. This is because of service dependencies. Some services require other services be started before they themselves can load. If so, the service that is loading tries to start the service it depends upon. If the latter service is set to Manual or Automatic, it starts, and then the calling service continues to load. If the latter service is set to Disabled, or can't start for some reason, however, the calling service will fail to load as well.
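The start-up rule just described can be worked through with a small Python model. This is an added example, not part of the original chapter; the service names and dependency map are constructed, and `boot` and `manual_but_started` are hypothetical helpers.

```python
# Added illustration: which services end up running after boot, given each
# service's Startup Type and its dependencies. Not an NT API.

AUTOMATIC, MANUAL, DISABLED = "Automatic", "Manual", "Disabled"

# Constructed sample: name -> (startup type, services it depends on)
SERVICES = {
    "Report Service": (AUTOMATIC, ["Data Helper"]),
    "Data Helper": (MANUAL, []),
    "Sync Agent": (AUTOMATIC, ["Legacy Transport"]),
    "Legacy Transport": (DISABLED, []),
    "Diagnostics": (MANUAL, []),
}


def boot(services):
    """Simulate boot. Returns (started, failed).

    started lists services in the order they came up; failed maps each
    service that was asked to start but could not to the reason.
    """
    started = []
    failed = {}

    def start(name, chain):
        if name in started:
            return True
        if name in failed:
            return False
        if name not in services:
            failed[name] = "not installed"
            return False
        if name in chain:
            failed[name] = "circular dependency"
            return False
        startup, depends_on = services[name]
        if startup == DISABLED:
            # A disabled service cannot be started, even by a dependent.
            failed[name] = "disabled"
            return False
        for dep in depends_on:
            # The loading service tries to start what it depends on first.
            if not start(dep, chain | {name}):
                failed[name] = f"dependency {dep} did not start"
                return False
        started.append(name)
        return True

    # Only Automatic services are started by the boot process itself;
    # Manual ones come up only if something that depends on them asks.
    for name, (startup, _) in services.items():
        if startup == AUTOMATIC:
            start(name, frozenset())
    return started, failed


def manual_but_started(services, started):
    """Manual services that are running after boot anyway."""
    return [name for name in started if services[name][0] == MANUAL]


if __name__ == "__main__":
    up, down = boot(SERVICES)
    print("Started, in order:", up)
    print("Manual but running:", manual_but_started(SERVICES, up))
    for name, reason in down.items():
        print(f"Failed: {name} ({reason})")
```

When reviewing which services run on a server, the result shows that a Startup Type of Manual does not keep a service off; only Disabled does, and disabling a service also stops everything that depends on it.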
Services must run with a security context. You can set the service to log on in the context of the System Account, or log on in the context of a specific user. When run under the System Account, services can access most resources on the local system, but cannot access resources on remote servers. When using the System Account, you can specify whether or not to Allow Service to Interact with Desktop. If you check this box, you will see dialog boxes and other feedback from the service. With this box unchecked, you'll never visually see any part of the service when it runs. To set up a service to run under the System Account, select System Account, and check the Allow Service to Interact with Desktop, if necessary.
When you run a service under the context of a specific user, the service can access whatever the user's security enables them to access. To set up a service to run under a user account, select This Account:, input the user name, and then the password twice to verify that you put the right password in.
If a service uses a user account instead of the system account, you can run into problems if the password for that user account changes. If the service is accessing resources that require a check of the user account password each time that resource is accessed, the access will be denied. The service might stop running and generate an event, or worse, hang without notification. If the service doesn't fail as it runs, you might not see a problem until the service is restarted, at which point you'll get errors such as the following in the event log:
If you try to start a service manually and the logon account is set up incorrectly, NT will notify you with an error message. When you get such an error message, check the user account's password. Also check to make sure the account isn't disabled or locked out. Any time you need to change the password for the user account under whose security context a service runs, you must change the password on every service that uses that account. This is why it's best to set up accounts specifically for the services you have installed. For example, if you use SQL Server, you should set up an account called _SQLService (the underscore is so that user accounts for services show up at the top of User Manager). You should very seldom need to change the password for this account. On the other hand, if you set up the service to use an account that someone also uses to log on to the network, your services will fail the first time that person needs to change her password.
Server Manager provides you with the capability to see the users connected to a server. It also enables you to see what resources are in use and by whom. This information is critical when you have file-locking problems or when you need to perform maintenance on a server but don't want to interrupt a user, causing a data loss.
You can pull up a server's Properties dialog box, as shown in Figure 18.10, by either double-clicking the server or highlighting the server and choosing Computer, Properties.
You can display a server's properties.
The information provided in Table 18.2 is displayed in the Server Properties dialog box:
| Item | Description |
| Sessions | Shows how many users are connected to the server |
| Open Files | Shows how many files are marked open at the server |
| File Locks | Shows how many file locks there are on the server |
| Open Named Pipes | Shows how many IPC channels are open to the server |
| Description | Shows the comment for the server you're viewing |
There is much information available to you from the Server Properties dialog box. The following explains each option involving user connections and resource usage.
Users. Choose this option when you want to view the users connected to a computer (see Figure 18.11). You can see how many files the user (Connected User or Computer) has open (Opens), how long the user has been connected (Time), how long it's been since they last accessed anything on the computer (Idle), and whether they're connected with guest privileges (Guest). When you click a specific user, the bottom list box displays what resources (Resource) the user is connected to, the number of open connections the user has to the resource, and how long the user has had the resource open.
You can view who's logged on from Server Manager.
NOTE: A user in this context can actually be a user account or a computer account. If the computer has a resource open, the Connected Users column will be blank.
You can disconnect a user from the resource by clicking Disconnect. To disconnect all users from all resources, click Disconnect All.
CAUTION: Be very careful when disconnecting users from open resources. If they have unsaved data on that open resource and you disconnect them, the data can be lost. Also realize that disconnecting a user doesn't prevent the user from reconnecting later.
Shares. This option shows you what shares are in use on the selected computer (see Figure 18.12). You can see how many connections (Uses) have been made to the specified share (Sharename), what the share's physical path is, and how many users are connected (Connected Users). After you select a share, you can see the names of each user that's connected (Connected Users), how long they've been connected (Time), and whether or not the user has any files open on the resource.
You can close all connections to a share by choosing Disconnect. To disconnect users from all shares, choose Disconnect All.
You can display resources that have been shared on the computer.
In Use. Use this option when you want to see the specific resources that are open. You can see open named pipes, files, and other resources (Path). The user that opened the resource is shown (Opened By), what access the resource was opened for, such as read or write (For), and how many locks have been placed on the resource (Locks). You can also see the total resources opened (Opened Resources) and the total number of file locks (File Locks) (see Figure 18.13).
Open Resources on the computer.
TIP: If you're going to shut down the server, use this option to see what kind of trouble it will cause. If no users have any files open, you can feel confident in shutting the server down. If files are open for Read access, you'll need to be a little more wary because sometimes files are read before they're written to (remember, this isn't showing what rights the user has been assigned to the file; it's only an indication of what the user is doing with the file at that time.) Finally, if a file's open for Write access, you'll probably want to contact the user first to ensure he won't lose data in that file when the server shuts down.
As with the other options, you can close one resource (Close Resource) or all resources at the same time (Close All Resources). Choose Refresh to poll the server again for open resources.
NT's Directory Replication service enables you to maintain an identical copy of files on more than one computer. This lets you load-balance access to these files so that all of your users don't have to hit the same server. The biggest single use of this service is to replicate logon scripts from the PDC to all the BDCs in a domain. System policies are also often replicated. However, any file can be replicated. You can, for instance, have copies of updated virus signature files distributed throughout your enterprise.
CAUTION: Be careful what kinds of files you replicate with this service. You shouldn't replicate files that can be changed in more than one location because any copies of the source file will get overwritten when it changes. You also should consider whether or not to replicate a file that changes often. The frequent replication of such an oft-changing file could offset the benefit of load-balancing that replication gives you.
TIP: Directory replication can also function as a very simple backup mechanism with files for which a daily tape backup isn't frequent enough.
Understanding the Directory Replication Process. Directory replication works by setting up one or more export servers and one or more import servers. The export server must be NT Server, but the import servers can be NT Server or Workstation. The source files are located on the export server and are periodically copied to the import servers.
CAUTION: If you set up more than one export server in a replication scheme, be sure to replicate directories with different names. If you don't, they'll take turns overwriting each other on the import server as changes are made to the files.
Export and import servers can be in the same or different domains. However, the domain in which the import servers are located must trust the domain in which the export server is located. The main reason is that security rights are replicated along with other attributes. Because security is assigned on the export server, the import server must be able to recognize the security rights. Without a trust relationship, however, the import server in one domain can't recognize the accounts in the other domain.
At this point, it will be useful to have a directory structure from which to draw examples. Figure 18.14 shows just such an example. The following list shows some important points about this diagram.
This is an example of export and import server directory structures.
Why have a server import from itself? If you don't, and you have an export server that imports from another server, you won't have all the replicated directories in one place on the export server. In the preceding example, if you didn't have Export Server 1 importing from itself, then the user would have to look in the export directory for Scripts, VirusUpd, and Announcements, while the user would have to look in the import directory for CorpBrochures.
Configuring the Service Account. The Directory Replicator service runs under the context of a user account that you create for this purpose. The user account should only be used as a service account and must meet the following criteria:
The service account can have any name except for Replicator, because this is a built-in local group.
TIP: If you start your service account names with an _ (underscore), they will be grouped together at the top of User Manager, making them easier to work with.
Starting Directory Replicator. Each import and export server must have the Directory Replicator service running. To set up this service to run on each server:
2. Double-click the Directory Replicator service. Figure 18.15 gives an example of how the service should be set up. It's important that the service be set to start up automatically and to use the service account you created previously.
Configure Directory Replicator service's startup properties.
The Directory Replicator service account is assigned some permissions automatically.
Setting Up the Export Server. To set up a server to export directories, bring up the Directory Replication dialog box, as shown in Figure 18.17 by running Server Manager, double-clicking the server you're configuring, and choosing Replication from the Server Properties dialog.
Follow these steps to enable directory exporting on the server:
Leave From Path as it is, unless you want to change the export path from the default, which is windir\SYSTEM32\REPL\EXPORT.
This is the Directory Replication dialog box.
NOTE: An export server can only export one directory tree. This tree will be shared as REPL$. If you change the From Path, the directory replication service will stop, the REPL$ share will be moved to the new path, and the service will start again.
NOTE: If you're replicating to computers on different subnets from the export server, replication can be unreliable if you use the domain name. Instead, use the computer name of each import server.
NOTE: When entering a domain or server name, no validation on the name is done. The name is accepted as is. This can be helpful if you're getting ready to set up several computers that will be import servers. You can specify their names on the export server ahead of time. Also, you can't distinguish between a server name and a domain name in the To List on the Directory Replication dialog box. Be sure you've keyed in the computer name correctly.
After you've selected all the computers you'll export to, you're done configuring the export server.
Managing the Export Server. Click the Manage button under Export Directories on the Directory Replication dialog box to bring up the Manage Exported Directories dialog box (see Figure 18.18).
This is the Manage Exported Directories dialog box.
This dialog box shows the subdirectories under the export path that are being replicated and provides information relevant to each of these subdirectories. Table 18.3 explains the details contained in this dialog box.
| Item | Description |
| Locks | Locks can be added to a subdirectory to prevent it from being exported. This option shows how many locks have been placed on the subdirectory. The only time you'd probably have more than one lock on a subdirectory is if several people needed the directory to be locked. The directory wouldn't replicate until each person removed his lock. |
| Stabilize | If the directory has been set to Wait Until Stabilized, it won't begin to replicate changed files unless the file hasn't changed for two minutes. This option helps prevent a file from being corrupted due to a change being made in the middle of the replication process. |
| Subtree | This indicates whether you've selected Entire Subtree. If this option is selected (it is by default) all subdirectories under the selected one are exported. If this option is turned off, only the files in the subdirectory are replicated. |
| Locked Since | If the directory is locked, this indicates when the lock was added. |
To place locks on a subdirectory, highlight the subdirectory and click the Add Lock button. To remove a lock, click the Remove Lock button.
All subdirectories of the export path are replicated by default. If you want to remove a subdirectory from being replicated, highlight it and click Remove. If you want to add a subdirectory of the export path to be replicated manually, choose Add.
NOTE: These two options, Add and Remove, actually serve no useful purpose. Subdirectories are added to this list automatically when exporting takes place, even if they are not yet showing up in the list or have been removed from the list with the Remove command. The only reason I can think of that they would be there is to reset all the properties shown in Table 18.3 on a subdirectory in the case of corruption.
Setting up the Import Server. Setting up the import server is largely the same as setting up the export server. Bring up the Directory Replication dialog box and follow these steps:
2. Change the To Path only if you don't want to use the default, which is windir\SYSTEM32\REPL\IMPORT.
NOTE: Many people set up a small system partition on their NT servers and then have a large data partition. If this is the case in your organization, you might want to change the default export and import directories on your servers that participate in directory replication to prevent the system partition from running out of space. This shouldn't be a problem, though, if you're only replicating things such as logon scripts.
Managing the Import Server. Click the Manage button under Import Directories on the Directory Replication dialog box to bring up the Manage Imported Directories dialog box, as shown in Figure 18.19.
This is the Manage Imported Directories dialog box.
This dialog box shows the subdirectories under the import path that are being replicated and provides information relevant to each of these subdirectories.
NOTE: Check the event logs on the import servers if you're getting any status other than OK. Also, you can try to stop and restart the Directory Replication service and see if that fixes the problem.
If you need to prevent imports from taking place on a certain subdirectory, choose Add Lock. Imports will stop until you choose Remove Lock.
All subdirectories under the export servers' export paths are imported by default. If you want to remove a subdirectory from being imported, highlight it and click Remove. If you want to add a subdirectory to be imported manually, choose Add.
Setting the Logon Script Path. Although the logon script path doesn't directly have anything to do with the directory replication process, it is placed on the Directory Replication dialog box because directory replication is most often used to replicate logon scripts from a domain's PDC to the BDCs. Therefore, the logon scripts are usually under a subdirectory of the import path. By default, this is windir\SYSTEM32\REPL\IMPORT\SCRIPTS.
If you set up an export server to replicate logon scripts, and you don't have that server import to itself, you must change this path to point to the SCRIPTS directory under the export path.
The Logon Script Path is shared as NETLOGON. If you change the Logon Script Path, you'll need to remove the NETLOGON share from the old path and create it again on the new Logon Script Path. It should have the same permissions as the original share.
NT sends alerts when certain conditions occur on the server, such as security failures, power outages with UPS's, or low disk space. To configure where these alerts are sent, do the following:
2. Double-click the server for which you want to configure alerts.
3. Choose Alerts.
4. To configure a user or computer to receive alerts, type that user's or computer's name in the New Computer or Username: text box, and click Add.
5. To remove a user or computer from those that receive alerts, highlight the name in the Send Administrative Alerts To: box, and click Remove.
NOTE: You must have the Alerter service running for a computer to send alerts, and you must have the Messenger service running on the computer that will receive alerts.
You need a way to see when system and application processes that run on your server create events during the course of their operation. Most times, they have no user interface and run in the background. NT provides the event log to give these processes a centralized location to log these events. Event Viewer is the window that enables you to see what's going on. It gives you one location to which you can go to see what's taking place with the server itself and with the applications running on the server. It's also the place you can go to monitor actions that involve security. Figure 18.20 shows Event Viewer's startup screen.
Event Viewer's startup screen shows the events for a particular log in chronological order.
There are three log files in which processes can log events, as shown in Table 18.4.
| Type | Description |
| System | The system log is used to record events that take place at the system level of the server. Such things as hardware failures or server startup problems are recorded here. |
| Security | This log is used to record activities involving security on the server. This log records activity that you've set up under auditing from User Manager. Some examples are failed logons or drive access. |
| Application | This log is used to record activities generated by applications running on the server, such as database programs or Web servers. |
To view the details of a logged event, double-click the event, highlight it and press Enter, or choose View, Detail. Figure 18.21 shows the Details dialog box.
Viewing the event details gives you a significant amount of data to use when debugging problems on your server.
The information in Table 18.5 is shown when you view the details of an event log entry.
| Item | Description |
| Date | The date the event was logged. |
| Time | The time the event was logged. |
| User | The name of the user's logon account that was associated with the event that took place. |
| Computer | The computer on which the event occurred. |
| Event ID | Each event has a numeric ID associated with it that is unique to the source that generated the event. |
| Source | The process that generated the event. |
| Type | Five types of events, as listed in Table 18.6. |
| Category | The source can categorize events however it chooses. For example, SQL Server has many event categories, such as Server, ODS, and Kernel. |
| Description | This is a text description that provides any additional information relevant to the event that was generated. You should always view this text when troubleshooting a problem. |
| Data | This is raw data that usually will not be useful to you but could be of great importance to the vendor who wrote the process. Many times, the vendor's tech support department will want to know the data contained in this field. |
When viewing the details of an event, you can use the Previous and Next buttons to navigate through the event log. Table 18.6 lists the five types of events.
NOTE: Microsoft has a product called TechNet, available on CD, that contains a comprehensive knowledge base to help troubleshoot problems you have with their products. When searching this information for help with a specific event, searching on the Event ID usually yields the most hits.
| Type | Description |
| Information | These are informational messages; they're normally nothing you should worry about. |
| Warning | Warning messages might not affect the operation of the server in general but are cause for concern. Often these messages indicate that potential problems exist and should be proactively taken care of. |
| Error | These messages are the most serious. Most errors deserve immediate attention. |
| Success Audit | When auditing a server's security, success audits indicate that a person was allowed to perform the action they were attempting. |
| Failure Audit | Failure audits indicate that a user tried to perform an action for which they had insufficient security rights. |
NOTE: Realize that with the preceding event types, it's up to the source's vendor to determine what type is assigned to each event. There is no guarantee that all informational messages can be ignored or that all warning messages merit attention. For example, I have seen backup programs that log a successful backup as a warning! Until you're familiar with your server, you should view all events.
To configure a log's settings, choose Log, Log Settings. Each log file can be configured differently. By default, each log file can hold 512k of data. In an active system, this space can be used up relatively quickly. To keep the log from filling up, you can take one or both of two approaches. You can increase the size of the log file under Maximum Log Size, enabling it to hold more events, or you can set one of the options listed in Table 18.7 under Event Log Wrapping:
| Option | Description |
| Overwrite Events as Needed | This option enables older events to be overwritten with newer ones if the file becomes full. |
| Overwrite Events Older than X Days | (default) This option is a combination of the other two--it enables the event log to overwrite events only if they're over X days old. If your oldest event is less than X days old and the log file fills up, you'll see an error message, and no further events will be recorded in that log. |
| Do Not Overwrite Events (Clear Log Manually) | This option means NT will never automatically overwrite any events in the log file. If it becomes full, the operator will have to clear it. |
NOTE: Overwrite Events Older than X Days is the best option from a security standpoint. If you used Overwrite Events as Needed, a hacker could breach security and make sure any audit was removed by generating events over and over until any trace of illegal activity was overwritten.
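The trade-off among the three Event Log Wrapping options in Table 18.7, shown as an added example that is not part of the original chapter: a toy Python model of a bounded log that records one Failure Audit and then fills up. The capacity is counted in records rather than bytes, X is assumed to be 7 days, and all events and timestamps are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy names follow Table 18.7.
AS_NEEDED = "Overwrite Events as Needed"
OLDER_THAN = "Overwrite Events Older than X Days"
NEVER = "Do Not Overwrite Events (Clear Log Manually)"


@dataclass
class BoundedLog:
    """Toy model of one event log. Capacity is counted in records, not
    bytes, which is an assumption made to keep the model small."""
    policy: str
    capacity: int
    retention_days: int = 7                        # assumed value of X
    records: list = field(default_factory=list)    # oldest record first
    dropped: int = 0                               # events refused because the log was full

    def write(self, when, event_type, text):
        if len(self.records) >= self.capacity and not self._make_room(when):
            self.dropped += 1
            return False
        self.records.append((when, event_type, text))
        return True

    def _make_room(self, now):
        """Free one slot if the policy allows the oldest record to go."""
        oldest_time = self.records[0][0]
        if self.policy == AS_NEEDED:
            self.records.pop(0)
            return True
        too_old = now - oldest_time > timedelta(days=self.retention_days)
        if self.policy == OLDER_THAN and too_old:
            self.records.pop(0)
            return True
        return False

    def contains(self, text):
        return any(record[2] == text for record in self.records)


AUDIT = "logon failure: Administrator"             # constructed event text
START = datetime(1997, 1, 6, 2, 0, 0)              # constructed timestamp


def flood_scenario(policy, capacity=100, filler=500):
    """One Failure Audit, then `filler` low-value events within minutes."""
    log = BoundedLog(policy, capacity)
    log.write(START, "Failure Audit", AUDIT)
    for i in range(filler):
        log.write(START + timedelta(seconds=i + 1), "Information", f"noise {i}")
    return {"audit_retained": log.contains(AUDIT),
            "stored": len(log.records),
            "dropped": log.dropped}


def aged_scenario(policy, capacity=100):
    """Same audit record, but the log only fills up eight days later."""
    log = BoundedLog(policy, capacity)
    log.write(START, "Failure Audit", AUDIT)
    later = START + timedelta(days=8)
    for i in range(capacity):
        log.write(later + timedelta(seconds=i), "Information", f"routine {i}")
    return {"audit_retained": log.contains(AUDIT), "dropped": log.dropped}


if __name__ == "__main__":
    for policy in (AS_NEEDED, OLDER_THAN, NEVER):
        print(policy, flood_scenario(policy), aged_scenario(policy))
```

Under the second and third options the audit record survives the burst, but every later event is refused, so a full log is itself a condition to watch for. The X-day option protects a record for only X days, which is why periodic archiving still matters.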
To clear an archive log, choose Log, Clear All Events. You'll be asked if you want to save the event log before you clear it. If you say Yes, you'll be able to archive the file. Before the log file is finally cleared, you'll be asked to confirm. When you clear a log file, the information is deleted permanently.
TIP: You might want to clear and archive your log files periodically. Log files can be cumbersome if they're too big, and viewing large event logs over WAN links can be slow.
Archiving a log enables you to save the information contained in a log to a file on disk. You can archive your log files to one of three formats:
To archive a log, display the log you want to archive and then choose Log, Save As. Choose the type of archive file you want to save it to, and provide a name. Then click Save.
NOTE: Include the name of the log in the filename, so you can remember which log file it is. For example, you might want to save it as SEAST_PDC-System.
To view an archived log file that was saved as an Event Log File, choose Log, Open. After you select the file name, you'll need to specify which type of log file you're opening. If you choose the wrong log file type, the information displayed in the Details view will be incorrect.
If you want to view only a subset of information contained in a log file, you can choose View, Filter. This brings up the dialog box shown in Figure 18.22. You can choose to filter by any of the event properties in Table 18.5 except the description. Use the View From and View Through options to narrow the events displayed to a certain time range. When choosing a Category, only categories for the Source you selected will be available. You can't specify a Category without specifying a Source first.
Filtering an event log makes viewing the information more manageable.
TIP: You'll often want to filter out informational events so that you can more easily focus on the warning and error messages.
To turn off filtering, choose View, All Events.
You can only sort events by date. To do so, choose View, Newest First (the default) or View, Oldest First.
Searching for events can provide similar functionality as filtering events. When you search an event log file, however, you can see where the target events are located in relation to other events that have occurred. This can help you correlate one event with another. For example, if you searched the application log file for Exchange errors, you might notice that an Exchange service shut down each time SQL started.
Choose View, Find or press F3 to specify what you want to search by. Specifying your search criteria is very similar to specifying your filtering criteria. The dialog box is shown in Figure 18.23. The most important difference is that you can search the description field, whereas you can't set up a filter based on it.
You can specify your find criteria.
After you've set up your search criteria, you can search for the next matching event by pressing F3. These criteria will remain active until you clear them by clicking Clear in the above dialog box or until you switch to another log file.
You can view many properties relating to your server by looking at the System Properties dialog box. Right-click My Computer and choose Properties, or run Control Panel and choose System. There are six tabs on the System Properties dialog box. Each one displays information relating to certain aspects of the system.
This tab displays the version of NT you're running, who the software is registered to, and what type of computer the software is running on. It also shows the amount of physical RAM you have.
The Performance tab enables you to view and set how much of a performance boost the application running in the foreground will get. On a server, the processes running in the background, such as SQL Server or Exchange, and the processes running in the foreground, such as a word processor, get equal processor time. If you have a server that runs a foreground process that needs to be able to use the processor more, however, you can move the slider bar toward Maximum.
CAUTION: Be careful with this option. You can affect performance on your background processes greatly if you change this setting.
You can also display and change the size of the paging file and registry on your server from this tab. To do so, click the Change button. The dialog box in Figure 18.24 appears.
Use this dialog box to change virtual memory settings and adjust the maximum size of the Registry.
TIP: Keep an eye on your current registry size. If it begins to approach the maximum you've set for the registry file, you should increase the maximum to accommodate it. Increasing the maximum registry size doesn't mean that disk space and RAM are immediately allocated. It only enables the disk space and RAM to be allocated in the future, if needed.
This tab enables you to view the environment variables that have been set on the server. There are two types of environment variables: system variables, which are available regardless of who's logged on, and User Variables, which are only set and available for the specific user under which they're specified.
You can also set new environment variables, change existing environment variables' values, and delete environment variables from this tab by using the Set and Delete buttons. When creating a new environment variable, you must click the System Variables or User Variables list box before creating the new variable. This tells the system which type of environment variable you're creating.
NOTE: You can't change the name of a variable. You must delete the variable and then create a new variable, using whatever you want it to be called.
NOTE: You must be an administrator to create new system variables.
This tab serves two purposes. The first is to specify which operating system you want to boot to by default and how long you'll be given a choice of OS's when the system first boots.
TIP: You might not want to wait 30 seconds before a server boots. Change this time to something like 5 seconds so that if the server reboots after a crash while users are on the system, they can get back on more quickly. Twenty-five seconds might not seem like that long, but if you have a help desk, I'd bet they'd tell you otherwise!
The Startup/Shutdown tab is also used to set up Recovery options for your server. When your server blue-screens (a STOP error), these options are important in determining what happens next. The following explains each option.
TIP: The dump file is as large as the memory you have. This means that it can take a lot of disk space, and it can take a while to write to disk. If you don't have a lot of disk space to spare or you need your server to reboot as soon as possible after a crash, don't select this option.
If you choose Automatically reboot, the server reboots after performing any of the actions you've selected.
This tab enables you to set up hardware profiles used to specify which drivers load when booting up. For example, if you want to have a spare NIC in your server, you could have a default profile that loads the first NIC's drivers and another profile that you could select to load drivers for the second NIC in case the first one fails. Profiles are created here, but you specify the hardware devices that are loaded when the profile is selected in the Services or Devices option under Control Panel.
Windows NT will try to determine automatically which profile to use by analyzing your system to see which profile matches the hardware in your system. If it can't make this determination automatically, you can have it either wait indefinitely until someone makes a selection, or it can wait up to the number of seconds you specify. If a selection hasn't been made at that point, it will use the profile at the top of the Available Hardware Profiles: list.
User profiles are discussed elsewhere in this book. This tab is used to view the profiles stored on the system, delete a stored profile, change the type of the profile from local to roaming, and copy the profile to a new user. When copying the profile to a new user, you should specify that this user is allowed to access the profile.
Windows NT Diagnostics provides information about how your server is configured. To run it, choose Start... Administrative Tools... Windows NT Diagnostics. This tool can be used to view the local server or a remote server. There are many tabs of information on this dialog box, described as follows.
This tab shows what version of NT you're running, including Service Pack revision (see Figure 18.25). It also displays to whom the software is registered.
This is the Version tab.
The tab shown in Figure 18.26 shows the type of computer you're running NT on, the HAL that's being used, the BIOS version and date, and the number and type of processors in the computer.
The tab in Figure 18.27 shows information about your display adapter. The BIOS data and version, model and driver versions are all included.
This is the System tab.
This is the Display tab.
The tab in Figure 18.28 enables you to view all the drives and current network connections on your computer and their statistics. You can sort the drives by type or by letter. To view the properties for a drive, click the drive, and click the Properties button.
This tab displays information on how your server is using the memory in the system (see Figure 18.29). You can view how much of your physical memory is in use, how much of your paging file is being used, how big the file cache is, and other statistics.
The Services tab, shown in Figure 18.30, displays all the services and devices installed on your system, and whether or not they're running. To choose between displaying services or devices, click the Services or Devices buttons. You can see detailed properties by highlighting the service and clicking the Properties button. You can also view this information from Control Panel, Services or Control Panel, Devices.
This is the Drives tab.
This is the Memory tab.
This is the Services tab.
The Resources tab displays how the devices in your system are using IRQs, I/O ports, DMA channels, and memory (see Figure 18.31). You can choose to view a certain resource's usage by choosing the corresponding button at the bottom of the screen. Double-clicking a device gives more details about the resource in use.
This is the Resources tab.
If you want to view all the resources a device has in use, click the Devices button at the bottom of the tab, and then double-click the device name, as shown in Figure 18.32.
Double-click a device to see all the resources it's using.
The Environment tab shows you all the environment variables set on your computer (see Figure 18.33). You can choose to view either the system variables or the variables set for the user that's currently logged on by choosing the corresponding button at the bottom of the screen.
This is the Environment tab.
The Network tab, shown in Figure 18.34, shows you information concerning your network hardware and software. Table 18.8 provides more information on each category.
This is the Network tab.
| Button | Description |
| General | Shows basic information about who's logged on and their access privileges |
| Transports | Shows the NIC's installed on your system |
| Settings | Gives detailed information about your server's network configuration |
| Statistics | Shows dynamic information about your server's network performance |
You can save the information in one or all of the tabs to a report. This report can be an overall summary or can include all the data from the tabs. You can send this report to a text file, to the clipboard to be pasted into another application, or directly to the printer. Figure 18.35 shows the Create Report dialog box.
TIP: It's a good idea to save a report on each of your servers periodically as an archive. This way, if you experience problems with a server, one troubleshooting method can be to compare the server's present configuration with how it was configured in the past, to see if anything has changed.
Create a report from Windows NT Diagnostics.
Microsoft has created a set of tools called Nexus for Windows 95. The programs included are a version of Server Manager, User Manager, and Event Viewer for Windows 95. These tools also enable you to change permissions, enable auditing, and take ownership of NT directories and files on NT volumes and on NT printer queues. Finally, you can administer servers with FPNW installed. To install these tools:
2. Go to Control Panel, and choose Add/Remove Programs.
3. Choose the Windows Setup tab.
4. Select Have Disk. Specify the path to the client files.
5. Select the tools shown in Figure 18.36 and click Install. The tools will be installed to C:\SRVTOOLS.
6. Edit your AUTOEXEC.BAT file and add C:\SRVTOOLS to the path. If you don't do this, you won't be able to modify directory and file permissions on the NT volume, or printer permissions. You will still be able to use User Manager, Server Manager, and Event Viewer.
7. Restart your computer.
Select the tools and click Install.
Once done, you can access Server Manager, User Manager, and Event Viewer from a group under Programs named Windows NT Server Tools. These tools look exactly like their NT counterparts.
You can access permission pages as shown in Figure 18.37 by using Explorer to browse to the file or printer resource you want to modify.
Modify permissions from Windows 95.
These tools work and look like their NT counterparts, with some exceptions:
You must verify your password when modifying users under Windows 95.
NT 4.0 comes with Administrative Wizards (see Figure 18.39) to help less experienced administrators perform their duties on the server. For more advanced administrators, using these wizards will often take more time than performing the task from the main application involved.
The Administrative Wizards available in Windows NT 4.0.
Table 18.9 provides a description of each of the available wizards.
| Wizard | Description |
| Add User Accounts | This wizard takes you step-by-step through the process of creating a user. |
| Group Management | This wizard walks you through either creating a new group, or modifying properties of an existing group. |
| Managing File and Folder Access | This wizard takes you through the process of modifying NTFS security on files and folders and creating shares. |
| Add Printer | This loads the same wizard you access when you choose Start... Settings... Printers... Add Printers. You can set up a local or networked printer from here. |
| Add/Remove Programs | This loads the same dialog box you get to from Control Panel... Add/Remove Programs. You can install or remove applications or modify your NT installation through this dialog box. |
| Install New Modem | This loads the same dialog box you get to from Control Panel... Modems. You can add new modems or modify existing ones through this dialog box. |
| Network Client Administrator | This loads the same dialog box you get from Start... Administrative Tools... Network Client Administrator. |
| License Compliance | This wizard displays the installed products on your servers that do not have enough licenses. It bases this on what you've set up in License Manager, which is discussed in Chapter 7, "Installing NT Server 4.0." |
If you want to make the Administrative Wizards your central focus of administration, you should check the Show this Getting Started screen next time you log on box.
Microsoft has made a product called Web Administration for Windows NT Server 4.0 available from their Website at http://www.microsoft.com/ntserver/webadmin/webadmindl.htm. This tool allows you to perform administration of your servers using any standard HTTP-based browser. Follow these instructions to install this administrative tool. (Note that you must have IIS 2.0 or later on the server to which you're installing the Web tools.)
2. Run the file. It will extract the files to the %inetsrv_root%\scripts\NTAdmin and %inetsrv_root%\wwwroot\NTAdmin directories and add the required entries to the registry.
3. Configure IIS for either Basic or CHAP password authentication.
TIP: If you'll be using Microsoft's Internet Explorer, use CHAP password authentication. It is more secure than Basic, because the password never has to traverse the network.
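What an observer on the network sees under each kind of authentication, shown as an added example that is not part of the original chapter. The challenge-response half is a generic HMAC-SHA256 scheme used as a stand-in, not the algorithm IIS or Internet Explorer actually use; the account name, password, and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

# Constructed account data. The server keeps a password-derived key
# (an assumption of this sketch), never the clear-text password.
PASSWORD = "Winter97!"
STORED_KEY = hashlib.sha256(PASSWORD.encode()).digest()


def basic_exchange(user, password):
    """Messages visible on the wire with Basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return [("client", f"Authorization: Basic {token}")]


def recover_from_basic(transcript):
    """Base64 is an encoding, not encryption: decoding yields the credentials."""
    token = transcript[0][1].split("Basic ", 1)[1]
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def server_challenge():
    """A fresh random value for every logon attempt."""
    return os.urandom(16)


def client_response(password, challenge):
    """Prove knowledge of the password without sending it."""
    key = hashlib.sha256(password.encode()).digest()
    return hmac.new(key, challenge, hashlib.sha256).digest()


def server_verify(challenge, response):
    expected = hmac.new(STORED_KEY, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def challenge_response_exchange(user, password):
    """Run one logon and return (accepted, messages visible on the wire)."""
    challenge = server_challenge()
    response = client_response(password, challenge)
    transcript = [("server", challenge.hex()),
                  ("client", f"{user}:{response.hex()}")]
    return server_verify(challenge, response), transcript


def replay_succeeds(transcript):
    """Check whether a captured response is accepted for a new challenge."""
    captured = bytes.fromhex(transcript[1][1].split(":", 1)[1])
    return server_verify(server_challenge(), captured)


if __name__ == "__main__":
    print(recover_from_basic(basic_exchange("admin", PASSWORD)))
    accepted, wire = challenge_response_exchange("admin", PASSWORD)
    print(accepted, wire, replay_succeeds(wire))
```

A captured challenge and response pair can still be used to test password guesses offline, so challenge-response reduces exposure on the wire but does not make up for a weak password.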
After you install Web Administration, you can access the Web Administration tool by pointing your browser to http://servername/NTAdmin/NTAdmin.htm. You'll see the screen displayed in Figure 18.40. Each of the available options is described as follows.
You can administer most aspects of your server from the Web Administration tool.
You can see at a glance how your server is performing.
| Option | Description |
| Server Configuration | Enables you to display the same information contained under Windows NT Diagnostics |
| Performance Statistics | Enables you to view the values in performance monitor counters. You can only view the numeric values; there are no charts available from here. Also, there is no way to have the information update automatically; you can only get a snapshot at the time you choose to view the information. When you choose an object to view, it is nice that all counters under that object are displayed on the same page. |
| Server Statistics | This page shows you various statistics about your server. |
© Copyright, Macmillan Computer Publishing. All rights reserved.