Q: What's the Microsoft Browser Service? How do I set up a peer-to-peer network with Windows 95 workstations and a Windows NT Server running SQL Server so the Win95 machines can see the server and each other? The protocol is TCP/IP, and I'm considering adding a router with systems on the other side of the router attached to the SQL server.
The Microsoft Browser Service maintains a list of available network resources. The types of browsers are master browsers, backup browsers, and nonbrowsers. A master browser is a computer that collects and maintains a list of available network resources; only one master browser exists on the network. The master browser assigns backup browsers, which are computers available to take over the browser service in case something happens to the master browser. Nonbrowsers are computers that never participate in the browser service. By altering the NT Registry, you can determine which computers participate in the browser service. Start the Registry Editor (regedt32.exe in the \system32 directory), and go to the key hkey_local_machine\system\currentcontrolset\services\browser\parameters.
Range: yes, no, or auto
When the range value is Auto, the default setting, the computer for this Registry entry contacts the master browser, which decides whether this computer can be a backup browser.
If the range value is No, this computer will never participate in the browser service. If the range value is Yes, this computer becomes a backup browser and attempts to contact the master browser for a current browse list. If the backup browser can't find the master browser, it forces an election among the other backup browsers to select the master browser and is a candidate to become the master browser. Every time a computer that can become a browser comes on line, the master browser shares its resources with the backup browsers, making the systems go off line and come back on. When the machines come back on, the system updates the browser priority to include the new machine.
Before Win95, the browser service set a priority for determining which computers became browsers: NT Server was first, NT Workstation was second, and Windows for Workgroups (WFW) was third. Now, NT and Win95 argue over who will be first in the browser priority. So don't configure a Win95 machine as the master browser because NT will always want to be the master browser. Go to Control Panel on the Win95 computer, double-click File and Print Sharing for Microsoft Networks, and go to the Advanced properties dialog, as in Screen 1. Highlight Browse Master and disable it. Regardless of the types of machines in your network, a Primary Domain Controller (PDC) always has first rights to be the master browser.
In most cases, browser conflicts don't occur. However, when conflicts happen, you have to set the following parameter to No in the Network Section of system.ini on the WFW computers:
If this value is Auto, the default setting, the WFW computer is a browser.
If you want Win95 machines on the other side of a router to see the NT server when you're using Explorer or Network Neighborhood, set up one Win95 computer as a backup browser. This computer's lmhosts file needs to include a #dom entry pointing to the master browser (usually the same as the PDC) and to a backup browser (see the Registry setting above) on the other side of the router. You can substitute an NT workstation for a Win95 machine as a backup browser for the other Win95 machines. For name resolution, routers create barriers on remote networks, and the only way to overcome these barriers is to use Windows Internet Name Service (WINS) or, in the absence of WINS, lmhosts.
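As an added illustration (not part of the original column), the following sketch shows a constructed lmhosts file of the kind described above and a small checker that lists its #DOM mappings. The addresses, computer names, and domain name are placeholders, and the checker warns on #DOM entries without #PRE because such names are not preloaded into the name cache.

```python
import ipaddress
import re

# Constructed LMHOSTS for the remote-subnet backup browser. Addresses,
# computer names and the domain name are placeholders, not from the article.
SAMPLE_LMHOSTS = """\
# master browser (usually the PDC) on the far side of the router
192.0.2.10   NTPDC01     #PRE #DOM:EXAMPLEDOM
# backup browser on the far side of the router
192.0.2.11   NTBACKUP02  #DOM:EXAMPLEDOM
192.0.2.300  SQLSERVER   #PRE
"""

def parse_lmhosts(text):
    """Return (entries, problems) for the name-mapping lines of an LMHOSTS file."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank, comment or directive line
            continue
        fields = line.split(None, 2)
        if len(fields) < 2:
            problems.append((lineno, "expected: <ip> <name> [keywords]"))
            continue
        ip, name = fields[0], fields[1]
        tail = fields[2] if len(fields) > 2 else ""
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            problems.append((lineno, f"bad IPv4 address {ip}"))
            continue
        if len(name) > 15:                     # NetBIOS names hold 15 characters
            problems.append((lineno, f"{name} is longer than 15 characters"))
        dom = re.search(r"#DOM:(\S+)", tail)
        pre = re.search(r"#PRE\b", tail) is not None
        if dom and not pre:
            problems.append((lineno, f"{name} has #DOM without #PRE, so the name is not preloaded"))
        entries.append({"ip": ip, "name": name, "preload": pre,
                        "domain": dom.group(1) if dom else None})
    return entries, problems

if __name__ == "__main__":
    entries, problems = parse_lmhosts(SAMPLE_LMHOSTS)
    for e in entries:
        print(e)
    for lineno, msg in problems:
        print(f"line {lineno}: {msg}")
```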
Q: How can I make new installation floppies?
If you use Explorer in NT 4.0, go to a command prompt, change to the CD drive, and insert the NT installation CD. Change to the I386 directory of the CD-ROM, and run winnt32 /ox if the OS is NT or winnt /ox if the OS is DOS. Screen 2 shows the various installation switches and their meanings. Note the addition of numerous options in NT 4.0.
Q: Do you know of any problems with using Service Pack 4 (SP4) for NT in a Novell NetWare environment?
Don't place SP4 on a NetWare volume and then run update. Doing so replaces certain NetWare command line utilities with the Microsoft equivalents. This replacement can be fatal.
Q: I recently upgraded to NT 4.0. When I log on locally, everything works fine. When I log on to a domain, the interface appears and the system crashes. Inevitably, the SCSI driver (DAC960) is the culprit. I've changed NICs but the problem persists. What's going on?
You have a conflict between the new DAC960 driver and the network redirector or server service. To fix this problem, open the computer and remove the NIC. Boot NT, and rename the DAC960 driver. Copy the July 1995 driver to the \system32\driver directory. Shut down the system, replace the NIC, and reboot.
Q: How secure is NT?
NT is only as secure as you make it. Whenever someone connects to you with TCP/IP, packets travel in both directions. Anybody who wants can view these packets by running nbtstat -s and net session at the command prompt.
Screen 3 shows these commands running for a small LAN. Except for clyde, I know the users, the computers, and the IP addresses involved. I also know that for any NT system, a user called administrator has access to administrative shares and that I can't change the administrator account or shares. Assuming the administrator account has a blank password (a common procedure), I can try connecting to the system by typing NET USE * \\188.8.131.52\C$ /USER:Administrator * at the command prompt.
This command tells the computer to connect the administrative share for C (C$) as the next available drive letter (first asterisk) for the USER Administrator, and the user will enter a password (second asterisk). If you know the password or if no password exists, you can gain access to the system. I've used this method to successfully connect to several machines.
If you use sensible passwords, protection is available but not perfect. The Kane Security Analyst (Intrusion Detection, 212-360-6104 or 800-408-6104) provides a dictionary of 20,000 easily guessed passwords. You can also attempt to violate NT's security by logging on as the USER Guest with the password Guest.
Despite these shortcomings, NT is reasonably secure on its own. However, any opening can be easy to exploit. For an in-depth look at NT security issues and ways to protect your network against unwanted visitors, see next month's issue of Windows NT Magazine.
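From the administrator's side, the same net session listing can be reviewed for connections that should not be there. The following is an added example, not part of the original column: it parses a constructed listing laid out in net session's columns and flags computers missing from an assumed inventory, sessions using the built-in Administrator or Guest accounts, and sessions with no user name. All names other than clyde are placeholders.

```python
# Constructed sample in the fixed-width layout that `net session` prints;
# every computer and user name except "clyde" is a placeholder.
FMT = "{:<23}{:<21}{:<18}{:>5} {}"
HEADINGS = ("Computer", "User name", "Client Type", "Opens", "Idle time")
SAMPLE = "\n".join([
    FMT.format(*HEADINGS),
    "",
    "-" * 79,
    FMT.format(r"\\LAPTOP", "BOB", "Windows NT 1381", 2, "00:01:13"),
    FMT.format(r"\\CLYDE", "ADMINISTRATOR", "Windows NT 1381", 1, "00:00:07"),
    FMT.format(r"\\WIN95A", "", "Windows 4.0", 0, "00:10:02"),
    "The command completed successfully.",
])

KNOWN_COMPUTERS = {"LAPTOP", "WIN95A"}   # assumption: the admin's own inventory
BUILT_IN = {"ADMINISTRATOR", "GUEST"}

def parse_sessions(text):
    """Slice each session row at the column offsets taken from the header."""
    lines = text.splitlines()
    header = next(l for l in lines if l.startswith("Computer"))
    cols = [header.index(h) for h in HEADINGS] + [None]
    sessions = []
    for line in lines:
        if not line.startswith("\\\\"):      # session rows start with \\NAME
            continue
        computer, user, client, opens, idle = (
            line[a:b].strip() for a, b in zip(cols, cols[1:]))
        sessions.append({"computer": computer, "user": user,
                         "client": client, "opens": opens, "idle": idle})
    return sessions

def review(sessions, known):
    """Return (computer, reason) pairs that deserve a closer look."""
    findings = []
    for s in sessions:
        if s["computer"].lstrip("\\").upper() not in known:
            findings.append((s["computer"], "computer not in inventory"))
        if s["user"].upper() in BUILT_IN:
            findings.append((s["computer"], f"session as built-in account {s['user']}"))
        if not s["user"]:
            findings.append((s["computer"], "session with no user name"))
    return findings

if __name__ == "__main__":
    for computer, reason in review(parse_sessions(SAMPLE), KNOWN_COMPUTERS):
        print(f"{computer}: {reason}")
```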
Q: What about the new DOS reader (NTFSDOS) that lets you access the NT File System (NTFS) on the same physical drive? How can I keep prying eyes from viewing sensitive files?
The first and best defense is limiting physical access. Unfortunately, limiting access is not always possible. Darrell Prichard of Microsoft recently told me about several other options. The DOS reader can't handle compressed files, so you can simply compress your files and exclude access to the DOS reader. Another line of defense is Symantec's Norton NT Tools, which has a file manager that can encrypt files. Figure 4 shows the Norton Encrypt/Decrypt window. For more on NTFSDOS, see Mark Russinovich and Bryce Cogswell, "NTFSDOS Poses Little Security Risk," and the reply by Joel Sloss, "That Depends on Your Definition of Secure," on page 100.
Q: I use a laptop to move files back and forth from my home to the office. I have a domain set up at home and another set up at the office. How can I set up trusted domains at the office so I don't have to keep configuring the laptop as a workgroup member?
If the notebook USER has an account on the office domain, you don't have to do anything. For example, I have a notebook (called laptop) that's part of a domain called Bobsplace2. When I take my notebook to the office, I connect it to the office domain (Bobsplace) but boot to the laptop's computer name and not Bobsplace2. This approach means I boot onto Bobsplace2 but with local security. Bobsplace now recognizes Bobsplace2, and I can connect to the resources I have access to.
Q: I recently added my system to a domain. Some settings were inconvenient to set up. For example, I lost the designated home pages I view with Netscape, so I have to boot locally to access the Internet. How can I fix this problem?
You're in luck. Netscape keeps information about its connections in the Registry. Log on to the computer locally. Start the Registry Editor, go to the key hkey_current_user\software\netscape\netscape navigator, and save that key. Screen 5 shows the Registry entry and Save Key dialog for Netscape Navigator. Use the default settings for all files. As you can see in Screen 5, I saved the key as Netscape1. Log off NT, and log on to the domain. Go to the key you just saved. Save the old key under a different name, such as Netscape2. Click restore to get the file you want, which in this case is Netscape1. Click OK when you see the prompt to overwrite the existing key. Netscape on the domain will now work as before and will update as needed.
Q: What's the difference between the EIDE and SCSI? Everyone says EIDE is faster, but SCSI is the controller of choice for high-end systems. What about Advanced Technology Attachment Packet Interface (ATAPI) compliance?
IDE (Intelligent, or Integrated, Drive Electronics) is the outgrowth of work started in the mid-1980s. Several vendors (notably Compaq) pushed for a standard to lower the cost of systems by eliminating controller cards. The emergence of IDE as a choice of drives has had a staggering effect on the computer industry.
The difference in price between SCSI and IDE was substantial. By 1994 and 1995, the number of less-expensive IDE drives sold led some to predict that SCSI was dead--even Apple started to offer IDE drives.
In 1994, Western Digital suggested an enhanced drive, EIDE, which lets you connect four EIDE devices compared to IDE's two devices. EIDE's Logical Block Addressing (LBA) also allows drives larger than 520MB. In fact, Seagate now offers an EIDE drive with more than 4GB of storage. And EIDE offers faster transfer rates. The real success of EIDE probably stems from Intel's decision to offer EIDE chipsets on its Pentium motherboards--the rest is history.
Part of the EIDE specification is the ATAPI solution, which allows non-hard drive storage devices such as CD-ROMs and tape drives. ATAPI has a SCSI command set that travels over 40-pin IDE cables. The basic function of ATAPI is to pass SCSI command packets via Programmed Input/Output (PIO). EIDE's secondary channel handles slower devices. Despite these similarities, ATAPI is missing several SCSI commands: command queuing, multiple Logical Units (LUs), and disconnect and reconnect.
As EIDE evolves, the IDE cable will no longer suffice. Cables will need to be better insulated and include termination. In many respects, EIDE seems to be evolving into SCSI.
In its simplest form, SCSI is a peer-to-peer bus system that lets any device communicate with any other device. In NT, SCSI's main advantage over EIDE is its command set.
For example, SCSI supports command queuing and disconnect and reconnect--you can establish a set of commands in a queue, and the device can go off line to perform a task and return to the queue without any negotiation with the Command Initiator. This approach is analogous to me giving you something to do, and when you finish that task, you find other tasks already set up for you to do without having to ask me. This queuing lets me ask someone else to perform a series of tasks simultaneously. In this sense, SCSI is optimized to do many things at the same time.
SCSI can also communicate in synchronous mode so data transfers can occur without a request-and-acknowledgment sequence. SCSI works best in a heavily used environment.
Like EIDE, SCSI is still evolving. UltraSCSI (sometimes called Fast20) can enhance SCSI's multitasking. An UltraSCSI device gives a sustained rate of 5MB per second (MBps) to 7MBps on slow devices and 10MBps to 14MBps on fast devices. SCSI traveling over fiber optic can achieve transfer rates in the 20MBps to 40MBps range. UltraSCSI will start appearing at the end of the year.
Q: I understand that NT 4.0 uses the unimodem protocol to recognize modems. I have an old modem that is not unimodem-compliant. How can I get NT to use modem.inf instead of unimodem?
To enable the modem.inf file instead of unimodem in Remote Access Service (RAS), start the Registry Editor (regedt32.exe) and go to the key hkey_local_machine\software\microsoft\ras\protocols. From the Edit menu, choose Add Value. Enter the following values:
Value Name: EnableUnimodem
Data Type: REG_DWORD
Exit the Registry Editor, and restart NT. Run the Network applet in Control Panel, and choose the Services tab. Select Remote Access Service from the list of installed services, and choose the Properties button. Remove any ports defined in the RAS Setup dialog. Choose the Add button, and re-add the ports. RAS will now use the modem.inf file to retrieve initialization information for the devices you add.
Q: I recently added 32MB more RAM to my system. NT sees it and runs well, but now I get random blue screens with either Kmode exceptions or IRQL problems. What's wrong?
Your new memory SIMMs are probably marginal. Move the new memory to the first two SIMM slots and see if you still get blue screens in the absence of the old memory.
If the system stays stable, mix the SIMMs and see whether you still have crashes. If you can't reproduce the error by following all these steps, you might have bad SIMM sockets.
Q: I'm sick and tired of the way NT 3.51 and 4.0 handle CD-ROM jukeboxes. How can I fix the mapping of CDs and the use of the jukebox? I see no need for $2000 in software for a standalone system.
You can't seamlessly integrate jukeboxes in NT without additional software. I recently discovered that Optical Technology Group (OTG) (301-897-1400 or fax at 301-897-3753) is giving away its JukeMeister product. JukeMeister's two components are an NT server running as a service for jukebox management and client software for mounting and dismounting CDs.