Administering NT Domains from Win95

When NT isn't available, Windows NT Server Tools for Windows 95 gets the job done

Why would you want to administer a Windows NT domain from Windows 95?Obviously, NT is the best choice for administering an NT domain. However, NT maynot be available on every client machine from which you access administrativefunctions. For example, you may not have NT on your home PC or on your laptop.

If you're running Win95 on the desktop, Microsoft's Windows NT Server Toolsfor Windows 95 lets you perform many NT administrative functions. However,you'll find a few things you can't do--and a few things you can do, butshouldn't.

Installing the Tools
To install these tools, find Windows NT Server Tools for Windows 95 (acomplete implementation of the 32-bit NT Administrative Tools you're used to) onthe NT 4.0 CD in the directory clientssrvtoolswin95. If you don't have a copyof 4.0 handy, you can download the tools from Microsoft's Web site atwww.microsoft.com/windows/download/nexus.exe and expand the files to a directoryon your system. Double-click Add/Remove Programs from the Control Panelto install the tools. Click the Windows Setup tab, and choose Have Diskat the bottom of the screen. Specify the directory containing the filesrvtools.inf, and you'll see an entry for Windows NT Server Tools, asshown in Screen 1. Check the box next to the entry, and click Install tofinish the install routine.

The setup routine places the Server Tools programs in the srvtools directoryon your system's boot drive. You then need to manually place a reference to thisdirectory in the PATH= statement of your autoexec.bat file; you must addthis entry to make the tools fully functional. Why Microsoft didn't program theinstallation routine to automatically add this entry remains a mystery, but Iknow from experience that if you forget this parameter, you can't edit securityon NT files and print queues.

You're now ready to reboot to activate the tools on your PC. When you clickyour Start menu and go to Programs, you will see an entry for Windows NT ServerTools and the familiar User Manager, Server Manager, and Event Viewer programs.These programs function exactly as their NT-based counterparts do: You can add,delete, and modify users; manage servers; start and stop service processes, asshown in Screen 2; view event logs; and so on.

In addition, you can modify the NT security permissions for files and printqueues, thanks to extensions installed in Windows Explorer during the setupprocess. To modify permissions for a file, folder, or print queue, simplyright-click the item and choose Properties. Click the tab for Security to accessoptions for setting permissions, auditing, and taking ownership of the selecteditem, as shown in Screen 3.

While using NT Server Tools for Windows 95, you may have to log in or enteryour password for verification as you move from server to server. This isstrictly a requirement of NT Tools for Win95; it doesn't signify a problemwithin your domain's security model.

Run SMS Tools from Win95?
The idea may sound preposterous, but you can run part of the NT SystemsManagement Server (SMS) tools from Win95. (Spyros Sakellariadis explains SMS ina three-part series, "SMS: Inventory Your Desktop Systems;" May, June,and July 1996.) The SMS Network Monitor program is separate from the rest of SMSand doesn't require NT (if you look in the right places in Microsoft'sdocumentation and training manuals, you find that Microsoft designed the NetworkMonitor application to run on NT or Windows for Workgroups stations). If youalready have SMS and don't want to buy a portable network monitoring station,putting the Network Monitor program on a laptop is a good solution. (Forinformation about an alternative NT/95 network monitor, see "First Looks:NetXRay," August 1996.)

First you need to set up the Microsoft Network Monitoring agent on yourWin95 workstation. This is the same agent that provides network performancecounters to the System Monitor applet. Go into Control Panel again, and chooseNetwork. From the dialog, press Add to add a Service (if you don't see an optionto add a service, see whether it is disabled through a setting in the systempolicy editor). Select Have Disk, and then select the adminettoolsnetmon directory from your Win95 CD. You will see a selection for the MicrosoftNetwork Monitor Agent, as shown in Screen 4. Install it, and reboot.(Running the Network Monitor Agent puts your NIC in promiscuous mode,which will add a degree of overhead to your system: Your NIC will look at everyframe that comes across the network, instead of only those destined for theworkstation.)

You can now install the Network Monitor program. On your SMS or BackOfficeCD, find the setup.exe program for just the Network Monitor program. On theMicrosoft Select CDs, this program is in directory mextdisk1. Run the setupprogram, and choose a directory in which to install the programs. The installroutine will prompt you to set two passwords in the program: one password justfor displaying information and the other for capturing packets.

Once you complete the setup routine, the program will try to install theNetwork Monitor agent service. The setup routine recognizes that you've alreadyinstalled the agent and returns with the message, Network Monitorsuccessfully installed.

Now click the Start menu, and go to Programs. You'll see a new group forNetwork Analysis Tools, including the Network Monitor program. Launch theprogram, and log in with the password you set to capture packets. Click StartCapture, and watch your Win95 station go to work!

Remote Control with Caveats
Obviously, NT Server Tools for Win95 is well suited for management of yourenterprise via a remote-access connection such as Remote Access Service (RAS),Shiva, or 3Com AccessBuilder. Other client/server-based tools, such as Compaq'sInsight Manager and Cheyenne's ARCserve Administrator, can also help youadminister your domain over remote, dial-up connections.

However, you can't or shouldn't try a few administration tasks within Win95or with a dial-up RAS connection. First, you can't use Network Monitor if you'redialed up over a RAS connection or a similar type of bridge. With bridgedconnections, you see only traffic to or from your workstation--you have noaccess to the rest of your NT network.

Network Monitor does have an option to get packet data from a remotemachine that's running the monitoring agent. However, I don't recommend thisoption because of the obvious bandwidth difference--your CPU will act as if itwere trying to pull a watermelon through a garden hose.

Second, don't edit trust relationships in Win95 while you're either in-bandor dialed up via RAS. While in-band, you can create trust relationships betweendomains, but you can't verify them. Make sure you enter your passwords correctlyand build the trust relationship in the order Microsoft recommends.

Third, you can't promote Backup Domain Controllers (BDCs) to Primary DomainControllers (PDCs) while dialed up over RAS. (Ed Tittel and Mary Madden discussthe importance of PDCs and BDCs in "PDCs, BDCs, and Availability,"August 1996.) This is not a limitation of Win95 but of RAS-based administration.Because the promotion process must stop and restart the Netlogon service and RASdepends on Netlogon, the system will not let you complete the operation.

One last caveat: Before you set up any system for remote administration,consider the security consequences. (For a discussion of security concerns withremote administration, see the upcoming article by Tom Sheldon, "NTSecurity Tips," Windows NT Magazine, December 1996.)

You Have an Alternative
If NT is available, use it as your management platform. But when NT isn'treadily available, you can turn to Windows NT Server Tools for Windows 95 tohelp manage your NT domain. (For more information on administering NT domains,see Mark Minasi, "Domains and Workgroups," April, and Ed Tittel andMary Madden, "Domains, Trust Relationships, and Groups," June 1996.)