Under the hood, Windows NT 4.0 is almost the same as its predecessors. I say "almost" because Microsoft has taken the opportunity to make a few significant changes that will forever alter the way some programs run under NT and how you interact with the operating system.

NT 4.0 has a lot of good to offer--a new user interface (UI) taken from its sibling Windows 95, a built-in Domain Name System (DNS) server, the Internet Information Server (IIS) Web server and Web page creation tools, a new Telephony Application Program Interface (TAPI), a network monitor, new automated setup tools, and the hundreds of little ruffles and flourishes that distinguish it from its 3.x predecessors. Mac users will be happy to see that NT 4.0 Server includes some new file and print services (to learn about these services, see the sidebar, "Windows NT 4.0 Services for Macintosh," page 123). But 4.0 also has its share of problems, such as the uncertainty about changes in system stability that result from moving the UI to kernel mode, the client license question, and the elusive documentation.

NT 4.0's changes are more evident in Workstation than Server. This fact doesn't mean Microsoft is finished with NT Server by any means. Improvements to the next major NT release, NT 5.0, will spotlight Server, so stay tuned.

The User Interface
The most obvious change to NT 4.0 is its UI. At a glance, I have a hard time telling whether a machine is running Windows 95 or NT 4.0. Screen 1 shows the new and improved UI. The Win95 interface is a vast improvement over the Windows 3.x interface and a pleasure to work with. But improvement comes at a cost: Low-speed 486 workstations that run well under NT 3.x can be sluggish under NT 4.0. Server performance, however, seems unaffected. My company's 33MHz 486DX file server runs painfully slow when accessing the NT 4.0 UI. However, the same machine zaps files out onto the network under NT 4.0 as fast as or faster than it did under NT 3.51.

True to its secure nature, NT 4.0 improves the usability of its user profiles. These profiles let users have their own desktop, persistent network connections, and personal directories. If you install Microsoft Office, NT stores your application settings and documents in user profiles.

Unfortunately, I've found a few gotchas with NT 4.0's new profiles. Throughout my NT 4.0 beta process, I performed a lot of reinstalls. Because I write notes to myself, to-do lists, and the like, I put these notes on my desktop. Under NT 4.0, this is not a good habit. Every time you reinstall NT 4.0 as a fresh install, you delete any user profiles, including any desktops and data on them. Worse, NT 4.0 treats personal directories to the same immolation. Applications such as Word put documents in the user's personal directory by default, so users can lose months of work. The moral of the story: Don't keep your Word documents in your personal directory, and don't leave necessary items on the desktop--use shortcuts instead.

NT creates a new user profile when you create a new user account. Separate user profiles are useful, but their administration can be cumbersome. Like many network administrators, I have two user accounts: my mere mortal account and my Administrator account. I have no way of installing a program such as Office and telling it, "While you're at it, remember these settings for user Mark2."

In the same way, if you dual-boot Win95 and NT, you may have to install all your programs twice, which can take a lot of time. If you're installing everything twice, load Win95 and all your 32-bit Windows applications on the system first. Then load NT and search for the program files--winword.exe, excel.exe, ppt.exe, etc. Click Taskbar's Advanced Configuration to create shortcuts from these programs to your Start Programs menu. This is the only approach I know that works, but it's clumsy. You end up wasting time re-creating your groups every time you install NT or log on as a new user in NT.

The UI Shifts to Kernel Mode
One area where NT never impressed anyone was its realtime animation support. For example, you can play the Microsoft Hearts game against the computer or other players on an NT 3.51 network, but it crawls. The animation that shows cards appearing on the baize is glacially slow. The Win95 Plus Pack's Pinball game also runs under NT 3.51, but is unplayably slow. NT 4.0, in contrast, runs both applications quickly, seemingly as fast as Win95.

To accomplish realtime animation, Microsoft modified NT's architecture. All versions of NT Server and Workstation consist of modules, and each module has a privilege level of user mode or kernel mode. NT allocates an area of memory that user-mode modules can't work outside of. This limitation is important because programmers often make the mistake of letting their programs attempt to write data outside the program's allotted memory space. NT prevents this practice so that the ill-mannered program can't overwrite data or program areas of another program and make the victim program crash or behave strangely. So, the worst that a user-mode module can do is overwrite its own data areas--a user-mode program can crash only itself.

In contrast, kernel-mode modules are trusted with the entire computer--they can access any hardware and any memory. A mistake in a kernel-mode program can cause the program to damage dozens of other programs.

So why build anything to run in kernel mode when such programs can be so dangerous? First, these programs are necessary--something (a program, driver, or other software) has to manipulate the computer's hardware. Second, kernel-mode programs don't go through as much OS red tape as user-mode programs. Parts of the OS that are kernel-mode programs run quicker than parts that are user-mode programs. But when the kernel-mode parts fail, they can crash the system.
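The user-mode containment described above, as an added example that is not from the article and is not NT code: a POSIX system stands in to show the same memory-protection idea, and the names `victim_data`, `arena` and `run_ill_mannered_child` are hypothetical. The child trashes its own data, then writes to memory it has no right to, and the kernel stops that one process while the parent's data stays untouched. A kernel-mode driver gets no such containment.

```c
/* Added illustration, not code from the article. POSIX stands in for NT:
 * the user-mode memory protection being shown is the same idea. */
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Data belonging to the parent, playing the "victim program". */
static char victim_data[16] = "intact";

/* Scratch area; one page inside it is made off-limits in the child to stand
 * in for memory outside the program's allotted space (hypothetical setup). */
static char arena[2 * 65536];

/* Run an ill-mannered child. Returns the signal that killed it, 0 if it
 * exited normally, -1 if the demonstration could not be set up. */
int run_ill_mannered_child(void)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || (size_t)page * 2 > sizeof arena)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child: its own address space, with a private copy of victim_data. */
        uintptr_t mask = (uintptr_t)page - 1;
        char *forbidden = (char *)(((uintptr_t)arena + mask) & ~mask);
        if (mprotect(forbidden, (size_t)page, PROT_NONE) != 0)
            _exit(2);
        /* The worst it can do inside its own space: trash its own data. */
        memset(victim_data, 'X', sizeof victim_data - 1);
        /* Write to forbidden memory: the kernel stops the process here. */
        *(volatile char *)forbidden = 'X';
        _exit(0); /* not reached */
    }

    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

/* Returns 1 if the parent's data survived the child's misbehaviour. */
int victim_is_intact(void)
{
    return strcmp(victim_data, "intact") == 0;
}

int main(void)
{
    int sig = run_ill_mannered_child();
    printf("child killed by signal %d; parent data intact: %s\n",
           sig, victim_is_intact() ? "yes" : "no");
    return 0;
}
```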

With NT 4.0, Microsoft moved the user interface from user mode to kernel mode. The first result is immediately obvious: Applications with a lot of animation, such as Pinball or Hearts, run much faster than they did on NT 3.51. Most Win95 games should run smoothly under NT 4.0. This newfound ability is clearly part of Microsoft's strategy--for the first time, NT has a joystick driver that loads by default when you install NT.

But what you gain in speed, you give up in reliability. NT 4.0's UI definition now includes third-party video and print drivers as trusted parts of the OS. And that scares me. In fact, video drivers aren't written to be stable; they're written to be fast and to crank out a lot of WinMarks or Winstones or whatever the graphic benchmark du jour is. Similarly, many good printer manufacturers, such as Hewlett-Packard, update their print drivers several times a year. A standard part of my Windows 3.x troubleshooting routine was to get the latest HP drivers when things started crashing. An update was often the solution. Imagine the frustration of having a major file or database server go down during a busy day just because your printer doesn't like some TrueType font!

Microsoft says that as long as you buy video boards and printers that Microsoft has tested--those on the Hardware Compatibility List (HCL)--you'll have no trouble. Perhaps Microsoft is right. But I've already noticed that my NT 4.0 workstations are less stable than those running 3.51. I've even crashed an NT machine with an old MS-DOS game.

My advice on living with a kernel-mode UI is simple: Run the 640 x 480 16-color VGA driver on your servers. This driver is well understood, well written, and well tested. Also, put your shared printers on a relatively small number of dedicated print servers. If they crash, they rob only your network printing function, not your file and application services.

The License Issue
One major drawback of upgrading to NT Server 4.0 is the cost: You must rebuy all your client licenses. The true cost of switching from NT 3.x to NT 4.x is that you must buy an upgrade for each client license, at a list price of $25 apiece. In a firm with 10,000 employees, that's a quarter of a million dollars in upgrades--yikes! You didn't have to repurchase your licenses when you went from NT 3.5 to 3.51 because it was a minor upgrade, says Microsoft. To make matters worse, NT 5.0 is quickly approaching, which means you may have to fork over all the cash again in a year or so.

I asked a Microsoft representative whether large companies will want to upgrade their workstations now and save money by waiting for NT 5.0 before upgrading their servers--he sidestepped. He explained that anyone with more than 50 employees needs to be on Microsoft's Select plan, which lets the company pay a kind of flat subscription fee. This fee entitles the company to distribute any Microsoft product, including client licenses. This approach leads me to believe that Microsoft's pricing strategy is aimed at fairly small businesses. Before upgrading, check whether your firm is part of the Select program. If not, do the math. Signing up for this plan or waiting for NT 5.0 may pay you well.

NT 4.0 Simplifies Intranetting
NT 4.0's TCP/IP tools underscore Microsoft's focus on Internet tools. You can't throw out your UNIX machines and run your entire Internet on NT just yet, but 4.0 brings you a step closer.

NT 4.0 ships with a built-in DNS server, which replaces the need for a third-party solution. (For more information on DNS and Windows Internet Name Service--WINS--in NT 4.0, see Spyros Sakellariadis, "Configuring and Administering DNS," August 1996.) As with other standard DNS servers, NT accepts traditional BIND files. I recommend that you use these BIND files to run the server. The setup wizards are somewhat quirky. (If you don't have O'Reilly's DNS and BIND by Paul Albitz and Cricket Liu, get it--Web address www.ora.com/catalog/dns. It's good and describes in excruciating detail how to set up a standard DNS server and how to create BIND files.)

After you set up DNS to use the BIND files, you can hand-enter the names and IP addresses of every PC on your network. To add these names and addresses, you use the new DNS manager. Screen 2 shows this administrative tool. NT 4.0 improves on the traditional BIND system by letting you query a WINS server.

Suppose you have a computer named ruby in a domain jewels.com. If I try to PING ruby.jewels.com, my computer uses DNS to get the IP address for ruby.jewels.com. Eventually, the DNS request filters its way to the DNS server at jewels.com. If the network administrator hasn't added ruby's IP address to the system DNS, the DNS server asks the WINS server at jewels.com, "Do you know a computer named ruby?" If so, the DNS server responds to the initial request with ruby's IP address. Very neat, and very dynamic.

Be prepared to work with your Internet Service Provider (ISP) if you install the dynamic WINS connection: The WINS directive confused my ISP's UNIX-based DNS servers, forcing me to remove WINS from my DNS server. If I remove the WINS directive, the UNIX DNS and NT DNS machines communicate just fine. So WINS and DNS linkage is a great feature, but I'm sad to say it doesn't work if your ISP doesn't use NT machines.

NT ships with NSLOOKUP, a useful tool for troubleshooting DNS problems. Getting help for this tool is a bit arcane, however: You must access a command prompt, type NSLOOKUP, and then type a question mark on a line by itself. Perhaps one day we'll see an implementation of NSLOOKUP's older sibling, DIG, on NT. (DIG, a common UNIX utility for debugging DNS servers, is much more powerful than NSLOOKUP.)

Microsoft's NT-based Web server, IIS, and newly acquired Web development tool, FrontPage, ship with NT 4.0 Server. Both tools let you set up and publish your Web pages without third-party tools. FrontPage automates several basic Web page functions such as saving form results to a file, building a discussion group on a Web site, adding time and date stamps, and offering search engines. FrontPage could benefit from templates. I get tired of having to tell it to make every Heading 1 paragraph dark green. But all in all, FrontPage is a wonder and a real addition to NT.

NT 4.0 lets you implement IP routing without two separate network cards in your system, which simplifies routing between a RAS connection and a LAN connection. NT 4.0 includes the algorithm for Routing Information Protocol (RIP) routing and support for bootp forwarding, but doesn't support the common intranet routing protocol, Open Shortest Path First (OSPF), or External Gateway/Border Protocol (EGP/EBP) routing.

Although making a system into a LAN-to-WAN Internet gateway is easier with NT 4.0 than with 3.51 (for more on gateways in NT 4.0, see my column, "Unlock Your Gateway to the Internet," June 1996), it's still a chore. A Microsoftie in the routing group tells me that this process won't be simplified until NT 5.0.

LAN-to-LAN routing with RAS is possible in NT 4.0. You can have a network uptown and a network downtown talk via NT machines and modems, ISDN, or frame relay rather than routers. But this routing still takes some work. On the down side, NT's TCP/IP still doesn't dynamically reroute reliably. For example, if you give your system two default gateways and shut down the first, NT won't figure out how to use the second to access the Internet.

When you're ready to access the Internet, NT 4.0's multilink Point-to-Point Protocol (PPP) lets you connect faster than before. Previously, you could connect to the Internet with only one ISDN channel at 56 Kilobits per second (Kbps) or 64 Kbps. Now you can attach two ISDN adapters, enable the multilink PPP to dial your ISP, and let NT combine two data streams into one, giving you 112 Kbps or 128 Kbps. You can use several modems, direct serial connections, and ISDN connections--anything RAS and Dial-Up Networking (DUN) support. However, this configuration works only if your ISP supports multilink PPP. (Most don't yet, but many will soon.)

NT 4.0 brings virtual private networking to the Internet with the Point-to-Point Tunneling Protocol (PPTP). With PPTP, you can connect to your corporate server over the Internet from a remote location. To begin, under DUN, you install two modems: the physical modem attached to your system and a bogus modem called the PPTP service.

To attach to your network over the Internet, you make two dial-up connections. The first is the usual PPP-based dial-up connection to the Internet. Then you run the second dial-up connection and tell it to place a call, not with your modem but with your PPTP service. When Dial-Up Networking prompts you to enter the dial-up phone number, you (and this is the undocumented part) fill in the IP address of your corporate RAS server (that server must also be running PPTP). The second dial-up connection is a domain logon, where your message runs past any firewalls straight to the RAS server, which then authenticates you. From that point on, you're connected to your corporate network as if you were on site or had dialed directly into your office's RAS server.

Telephony Application Program Interface
NT 4.0 also includes the Telephony Application Program Interface (TAPI), a nice feature that unified communications programming under Win95 and will no doubt benefit NT as well. With old operating systems, each communication program had to load its own modem-specific drivers. So if you ran four different communications programs on your computer, you ended up telling four different programs what kind of modem you had. Under NT 4.0, you can buy communications applications that are TAPI enabled, which means they can interrogate your system for modem information rather than interrogating you.

Network Monitor
In all the years I've worked with PC networks, one of the most desirable, sought-after, and expensive tools for network troubleshooting has been the network sniffer. Put simply, a sniffer lets you see everything going through your network cable. A full-blown network sniffer records every piece of data that goes back and forth on the network--a troubleshooter's dream and a security officer's nightmare. At one point, one network sniffer product was going for $18,000.

Microsoft's sniffer application, the Network Monitor, ships as part of the Server Management System (SMS), but SMS is expensive and a Network Monitor should have been part of NT Server from the start. With NT Server 4.0, Microsoft takes a step in the right direction by including a slightly dumbed-down version of Network Monitor.

Screen 3 shows the Network Monitor included in NT Server 4.0. To access the Network Monitor, open the Control Panel and click the Network service. Highlight the Services tab, and click Network Monitor Tools and Agent to create the service. Note that Network Monitor does not install with NT Server by default, so you may have to add the Network Monitor Tools and Agent. If you don't see the service listed, click Add and add it from the NT installation CD.

Microsoft probably dumbed down the NT version of Network Monitor to keep the full-blown version viable as a standalone product. (The full-blown version of Network Monitor that ships with SMS tracks and records all data going on the network.) The version of Network Monitor that ships with NT Server records only network frames originating with or destined for the particular server on which it is running. So, if you want to use Network Monitor to examine traffic from your server to machine X and from machine X to your server, you'll love the Network Monitor version that ships with NT Server. If, however, you want to use Network Monitor to examine traffic moving between machine X and machine Y, you can't do that with the version that ships with NT 4.0 Server, assuming that your server is neither machine X nor Y. Still, it's a neat tool.

Simplifying Setup
The NT 4.0 Setup program acts like a typical Microsoft Wizard, but it doesn't let you use Back to undo decisions at many important steps, and that's annoying. For example, if you designate a server as a Backup Domain Controller (BDC) early in the Setup process and later find out the machine can't contact the Primary Domain Controller (PDC) to verify your authorization to install a new BDC, you're stuck: You can't backtrack to install a simple server. You have to turn the computer off and start over.

No matter how good or bad the Wizard is, however, the only perfect Wizard would be one that asks you every question relevant to the installation and says, "Go get some lunch, and I'll get this set up." I hate babysitting an NT installation, and Microsoft includes a tool, Setup Manager, with NT 4.0 to make it easier.

Setup Manager asks you questions about how to set up your computer, and then generates a setup script. You feed the setup script to WINNT32 or WINNT. These two setup helper programs come with NT and use the information the scripts supply. The result is an almost unattended installation.

WINNT32 can do the entire installation unattended, except for the End User License Agreement. I'm not sure what good an unattended installation is if you have to attend to the F8 key to acknowledge that you have read and agree to the End User License Agreement. Microsoft probably has an undocumented parameter on WINNT32 to get past this, like the /iw parameter for Windows 95 unattended installations. Microsoft appears to have added FrontPage too late for it to be part of the unattended installation. You can't install FrontPage automatically when the rest of NT installs.

NT 4.0 simplifies installing applications to several machines, thanks to two utilities: sysdiff and rollback. Sysdiff lets you take snapshots of a system's configuration at any moment, and rollback lets you return the configuration to that point. The idea is this: Suppose you're about to put a new drawing program called Esketch on 500 NT workstations. You don't want to run the Esketch setup program 500 times, so you run sysdiff before you install Esketch on the first computer. Then you run sysdiff after you install Esketch. Sysdiff then reports exactly what changed and gives you a script to help you quickly roll out Esketch to other machines.

At least sysdiff and rollback are supposed to work that way. They've been around for the past few months, but I've yet to see any documentation on them (nor will any documentation appear in the NT box, according to a Microsoft representative). Instead, look for help on the Web at some point.

My biggest quibble with NT 4.0 is that the documentation for the new features--PPTP, FrontPage, sysdiff and rollback, and the DNS server--is virtually nonexistent. The few clues in the Help files are the only documentation available, at least in the beta versions. Microsoft reported recently that, "94 percent of all bugs reported in the NT 4.0 beta test program were found internally." No wonder. No one else could even get the new subsystems running. As of this writing, Microsoft has hinted that more information will be available in the Resource Kit, which will appear in November (according to one Microsoft source) or in the first quarter of 1997 (according to another).

NT 4.0's new UI, Web support, and setup tools add up to a much improved OS. Just make sure you select the best licensing option for your needs and stick with video boards and printers from Microsoft's HCL. On the whole, NT 4.0 is worth buying, but much of what NT Server fans are waiting for won't appear until NT 5.0. (For a summary of the good and the bad, see the sidebar above.)