Manage users easily with groups

Send us your tips and questions. You can also visit Bob Chronister's online Tricks & Traps at http://www.winntmag.com/forums/index.html.

Unexpected Results from ATM Switches
Many of the answers to the questions in this column focus on troubleshooting what goes wrong or how to prevent or correct situations before they turn into problems. I seldom mention situations in which something good happens unexpectedly and leaves you pleasantly surprised. Let me give you a recent example of a situation in which something went right.

I use two asynchronous transfer mode (ATM) switches (a Whitetree 2500 and a Whitetree 3000) on my network. I've set up the 2500 as an all-ATM switch and the 3000 as an ATM or Ethernet switch. I recently added an AXIS 560 print server, which connects to the 3000 switch, and noticed that the print server exhibited network activity--even after I removed the print server from the network. As a result, I couldn't print to my HP 5MP or Epson 800 printers, which connect to the AXIS print server. After I tried everything I could think of, I called AXIS. The support technician helped me determine that I had scrambled the print server's firmware, and AXIS sent me a replacement unit. After I placed the new print server on the network, I tried to ping it. To my surprise, I was able to ping the print server. Keep in mind that I only use TCP/IP on my network, my network uses 199-series IP addresses, and my print server uses 192-series IP addresses.

I was able to use Netscape Navigator to examine the print server's configuration, as Screen 1, page 212, shows. (AXIS acknowledges that you can't use Internet Explorer--IE--to look at your print server's configuration because of security incompatibilities.) Even more interesting, when I entered the correct address for the original print server on my network, as Screen 2, page 212, shows, I was able to successfully update the TCP/IP parameters on the new AXIS print server.

I was amazed that I was able to ping across the IP addresses. I should not have been able to address the 192-series addresses from the 199-series addresses. This connection had to occur somewhere in the ATM switches.

The Whitetree switches use a combined ATM and Ethernet framework design. The Ethernet design uses store-and-forward switching rather than cut-through switching. In store-and-forward switching, the switch waits to send Ethernet frames until the source port receives the media access control (MAC) header addressing information. In cut-through switching, as soon as the source port starts processing the MAC header addressing information, the switch starts forwarding Ethernet frames to the destination port. Cut-through designs are faster with lower latency, but they won't work if a large speed difference exists between the source and destination (the case with my network). Unlike traditional Ethernet switches, the 3000 switch can use ATM networking to stream cells and reduce end-to-end latency. This added ATM switching ability is unique and is probably germane to how my network functions.

The point remains that my switches somehow established a connection across two IP address ranges (ATM can establish virtual paths between ports). I've replicated this scenario many times, and I'm mystified by the sequence of events.

Being able to access both sets of IP addresses makes working with my network easier. I can add devices such as print servers and directly configure them, even though the IP rules say this type of configuration is impossible. (If you have similar impossible stories to relate, please forward them to me so that I can share them with readers.)

NewSID
Last month I told you about ERD Commander, Mark Russinovich and Bryce Cogswell's simple utility that gives you boot-disk functionality for Windows NT. This month, I want to tell you about NewSID, another utility from this dynamic duo. NewSID lets you easily change security IDs (SIDs) in NT. Screen 3, page 214, shows the basic user interface. You can use NewSID to apply a random SID, synchronize SIDs, or change the computer name.

This application is outstanding for rolling out several computers because it eliminates the problem of creating identical SIDs when you clone systems after the GUI portion of the NT Setup--a situation in which Microsoft offers little support. Be aware that if you clone SIDs on multiple machines and you seek the company's help to resolve a problem, Microsoft will probably ask you to reinstall NT on the system in question. NewSID helps you get around this situation: You simply clone systems, run NewSID on each system, create a unique SID for every machine on the network, and avoid the whole cloned-SID dilemma.

In addition to generating a random SID for your computer, the utility provides a synchronizing feature that lets you obtain a SID from another computer. For the first time, you can move a Backup Domain Controller (BDC) from one domain to another (a useful move on small, constantly changing networks, such as a university IS department). Choose Synchronize SID when you start NewSID, and enter the target computer's name, as Screen 4, page 214, shows. You must have permission to change the security settings of the target computer's Registry keys, which typically means you must log on as a domain administrator to use this feature.

NewSID is available as a free utility from the Systems Internals Web site (http://www.sysinternals.com/newsid.htm). I keep a copy in my NT repair toolkit at all times.

In your December 1997 column, you explained how to replace a hard disk while preserving the Windows NT installation. You said to install NT and restore the installation from a tape backup, and possibly reinstall the software as an upgrade. When I attempted such a procedure, I kept getting STOP errors. The machine had a 2GB SCSI hard disk that I partitioned into two drives (C and D). I had installed NT with Service Pack 3 (SP3) on the C drive. If the original hard disk has NT with SP3, don't you have to load SP3 on the new hard disk before you can restore from tape?

Microsoft Support Online article Q166828 (http://support.microsoft.com/support/kb/articles/q166/8/28.asp) offers insight into the problems associated with STOP errors. Microsoft made serious changes to the post-SP1 versions of NT. I've previously discussed repair issues and described what information you must change on the NT installation disks to successfully repair post-SP2 systems. Since December 1997, I've revised my recommendations regarding how to replace a hard disk while preserving the NT installation. Now, I recommend the following steps:

  1. Have an up-to-date backup of all files on the damaged drive. If the drive is different from your NT boot drive, you need to restore the boot.ini file on the boot drive. The tape backup must be on a restorable tape.
  2. Install a new version of NT to a different directory (e.g., Ntfix), and install the tape drive driver.
  3. Restore the original drive contents from tape, and restore boot.ini if necessary.
  4. Reboot the system, and run your original version of NT.
  5. Delete the new NT installation.

I hope my original suggestions didn't cause any problems. I am currently evaluating this issue more fully.

Can you explain what Packet Over SONET (POS) is and how it compares to Gigabit Ethernet and asynchronous transfer mode (ATM)? Which protocol is ideal for a large corporate backbone?

Similar to the idea of Gigabit Ethernet replacing ATM, POS is the next proposed ATM killer. However, POS is in NT's distant, rather than immediate, future.

Synchronous Optical Network (SONET) is an emerging fiber-optic technology capable of transferring data at more than 1 gigabit per second (Gbps). SONET-based networks, such as ATM, deliver realtime voice, data, and video over a network. SONET uses an 810-byte frame that transmits every 125 milliseconds (ms). Each packet has only 28 bytes of overhead, which makes SONET transfers very efficient. Unlike ATM, SONET has standards for more than 622 megabits per second (Mbps), including OC-192 (10Gbps).

POS is a hardware solution that lets users plug their provider's SONET backbone into a router that supports SONET technology (for information about these types of routers, see Cisco's Web site at http://www.cisco.com). Whereas ATM is well suited for handling multimedia traffic, POS is a better network protocol for transferring data. For most corporations, multimedia is the wave of the future. If voice and video capacity is significant to your company, you will want to stick with using ATM on your network. If you're using a local network in which fast data throughput is essential, you might consider using a good Gigabit Ethernet switching solution. However, I prefer ATM switches and cards for my networks.

Can you summarize the command-line parameters that will let me install Microsoft Message Queue Server (MSMQ) 1.0 in an unattended fashion?

MSMQ is an important new Windows NT feature that provides loosely-coupled and reliable network communications services based on a messaging queue model. Using MSMQ, IS managers can easily integrate applications, implement push-style event delivery between applications, and build reliable applications that work over unreliable, but cost-effective, networks. (For information about MSMQ, see Ken Spencer, "NT 4.0 Option Pack," January 1998, and Microsoft's Web site at http://www.microsoft.com/msmq and the release notes for MSMQ Server.)

The MSMQ command-line parameters are /q or /qt, /b#, /r, and /u. The /q parameter specifies quiet mode, and the /qt parameter specifies totally quiet mode. You must specify /q or /qt to have MSMQ Setup run in unattended mode. I recommend that you use the /qt parameter.

The /b# parameter corresponds to the option buttons' order in the MSMQ Setup Installation Type dialog box. The number of available options (/b1, /b2, or /b3) depends on which type of dependent client, independent client, or server you are installing and, in the case of independent clients, the platform on which you are installing the software. If you don't specify a /b parameter, MSMQ assigns /b1 by default. When you're using unattended setup to install MSMQ dependent client software, /b1 is the only available setup button. When you're using unattended setup to install MSMQ independent client software, the /b# parameter refers to the Independent Client and Development Environment options.

When you use an unattended setup to install an MSMQ routing server or comparable system, you use the /b# parameter to specify Server, Installation Server, or Custom. Use /b1 (Server) to install the MSMQ server software and administration tools. Use /b2 (Installation Server) to install the MSMQ server software, administration tools, the MSMQ software development kit (SDK), and an MSMQ installation folder for computers running Windows 95, NT Workstation, or NT Server (Intel-compatible computers only). Use /b3 (Custom) to install the MSMQ server software, administration tools, MSMQ SDK, and an MSMQ installation folder for Win95 computers and all supported NT platforms.

The /r parameter runs an unattended reinstall, and the /u parameter runs an unattended uninstall to automatically remove your MSMQ data files. You can place all these parameters in batch files that point to the appropriate directories or shares on your network, and place the batch files or command lines in cmdlines.txt. You can specify that the command run as a run-once command, as I discussed in my April column. Example commands lines include

setup /qt /r

to run a reinstall,

setup /qt /u

to run an uninstall, and

setup /qt /b1

to run a simple install.

Unattended installations install to the C drive. How can I install to a different drive and place my temporary files on that drive?

You must create special folders in the i386\$oem$ directory to copy files to a drive other than the C drive during an unattended installation. For example, if you want to copy files to the D drive, you need to create a subdirectory in the $oem$ directory with the syntax i386\$oem$\D. Creating this subdirectory tells NT Setup to temporarily copy files to C and then move them to D later in the setup process.

If you boot to a network installation, NT copies the files in the i386\$oem$\drive-letter directory to the C:\$\drive-letter directory during the text-mode portion of setup. You can change the location of the $ directory by using the /T: parameter in the unattended reference. For example, /T:D tells winnt.exe to place the $WIN_NT$.~LS and $ on drive D. Furthermore, this switch places the operating system (OS) on drive D and copies all files during the GUI stage of the NT Setup. If sufficient space is not available on the target drive, NT Setup fails to copy any files and aborts the installation.

My company's Primary Domain Controller (PDC) is in New York City, and our Backup Domain Controller (BDC) is in Chicago. When users log on in Chicago, which domain controller authenticates their usernames and passwords? Can I force the BDC in Chicago to authenticate all Chicago user logons?

I'd be surprised if the PDC in New York City were handling the Chicago logons. Windows NT's logon process consists of several stages. On a computer running NT Workstation or a member server running NT Server, the Net Logon service processes logon requests for the local computer. For a domain controller, the Net Logon service processes logon requests for the domain.

Net Logon initiates the following processes: discovery, secure channel setup, and passthrough authentication. When you boot an NT workstation on a domain, the Net Logon service tries to find a domain controller running NT Server in the domain. After the service finds the domain controller, the service uses that machine for subsequent user authentication. In your case, the BDC is performing the initial authentication for the Chicago users. In theory, the BDC passes all information to corresponding domain controllers on all trusted domains.