Q: What are theadvantages of the Windows NT 4.0 interface over its predecessors?

By now, many of us arefamiliar with NT 4.0's interface, which you see in Screen 1. What's mostimpressive about this interface is its ability to change appearance. You don'thave to reboot to change several display characteristics, which is a blessingelsewhere in the OS. For example, you can add tape drivers without rebooting.These slight changes do wonders to make NT a mainstream network OS.

Q: I've heard about NT4.0's new administrative tools and wizards. What do they let you do?

The administrative toolsyou see in Screen 2 and the setup wizards in Screen 3 ease setup and maintenanceof both NT Server and Workstation. Microsoft markedly improved the installationroutine by adding a procedure that restarts the installation process following acrashed installation.

Q: I've run NT 3.51 for along time, and it's proven stable. Why should I upgrade to NT 4.0? Doesn'tmoving the graphic heaps to ring 0 make NT 4.0 more subject to crashing?

Every reason I can think ofsuggests that moving to NT 4.0 is not only a good idea but essential. Allsoftware revisions will target NT 4.0--in part, because NT shares DLLs withWindows 95.

Microsoft increased the graphic speed in NT 4.0 by moving the graphic heapto ring 0. Although this restructuring allows faster video processing, it alsomakes every NT 3.51 video and print driver obsolete in NT 4.0. (Print driversare in the GUI, which means they're also in ring 0. Because ring 0 code cancrash the system, a bad print driver can now crash the system.) In fact, if youhave an NT 3.51 workstation attached to an NT 4.0 server, you can't print fromthe NT 3.51 workstation to the NT 4.0 server without adding the NT 3.51 printdriver locally. This configuration can be a serious issue in large networks.

NT 4.0 will have new video drivers to accommodate moving the graphic heaps,but many new features (easier setup and control with wizards, addition ofTelephony API--TAPI--network browsing, hardware profiles, etc.) make ita preferable OS. All these improvements are substantial.

In all my testing with NT 4.0, I haven't encountered a graphic-inducedcrash. Moving the heap to the kernel makes sense. Upgrade!

Q: Will NT 4.0 finallyhave joystick drivers?

Yes, NT 4.0 installsjoystick drivers by default, which means Microsoft is serious about addingcomponents to NT 4.0 that aren't in NT 3.51. In a similar move, Microsoftincluded the Wang imaging applet, which Screen 4 shows. This applet lets youdate-stamp bitmaps, a handy feature for faxing. Although not in the NT 4.0release, fax capabilities will probably appear in an early NT 4.0 Service Pack.

Q:My system recentlycrashed, and I don't have the boot floppies to access the NT installation CD. Ican't access the hard drive because it uses NT File System (NTFS). How can I getto the hard drive to fix it?

All is not lost. You needto create a DOS boot floppy, which requires you to load realtime drivers. DOS6.22 will do just fine. Place a blank, formatted 1.44MB 3.5" floppy(remember, NT 4.0 allows only 3.5" floppies) into a drive on a systembooted into DOS. Assuming A is the 3.5" drive, type sys A: at the Cprompt, and press Enter. This command creates a bootable floppy.

Change to the A drive, and type MD SCSI to create a SCSI directory on thefloppy in the A drive. Copy the following files from the DOS directory to theroot directory on the A drive.

fdisk.exe

format.com

himem.sys

emm386.exe

smartdrv.exe

mouse.com (this file can be in a different directory and is optional)

mscdex.exe

Change to the directory that contains the SCSI drivers.

The following list of sample drivers is for the Adaptec 2940 (PCI), theAdaptec 2742 (EISA), and the Adaptec 1542 (ISA). Copy the drivers to the a:scsidirectory.

aspi4dos.sys

aspi7dos.sys

aspi8dos.sys

aspicd.sys

aspidisk.sys

These drivers let you access a SCSI drive on any of the three controllerslisted above.

Create the following config.sys and autoexec.bat files in the A drive rootdirectory. (Note: I kept all possibilities open when defining these files incase you find other drivers you want to add.)

CONFIG.SYS

DEVICE=A:HIMEM.SYS

DEVICE=A:EMM386.EXE NOEMS

BUFFERS=40

FILES=70

DOS=UMB

LASTDRIVE=T

FCBS=4,0

SHELL=A:COMMAND.COM /E:4096 /p

DOS=HIGH

STACKS=9,256

[menu]

Menuitem=PCI

Menuitem=ISA

Menuitem=EISA

Menucolor=12,1

Menudefault=PCI. 10

[PCI]

STACKS=9,256

DEVICE=A:SCSIaspi8dos.sys /d

device=c:scsiaspidisk.sys /d

DEVICEhigh=a:SCSIASPICD.SYS /D:ASPICD0

[EISA]

device=A::scsiaspiedos.sys /D

DEVICE=c:scsiaspidisk.sys /D

DEVICEhigh=a:SCSIASPICD.SYS /D:ASPICD0

[ISA]

DEVICE=A:scsiaspi4dos.sys /d

DEVICEHIGH =A:SCSIASPIDISK.SYS /D

DEVICEHIGH =A:SCSIASPICD.SYS /D:ASPICD0

[COMMON]

AUTOEXEC.BAT

ECHO OFF

prompt $p$g

path=A:;A:SCSI;

IF "%CONFIG%"

"PCI"GOTO PCI

IF"%CONFIG%"

"ISA"GOTOISA

IF "%CONFIG%" == "EISA"GOTO EISA

:PCI

LH A:DOSmouse.COM

LH A:SCSIMSCDEX.EXE /D:ASPICD0 /M:12 /L:S

LH A:smartdrv.exe 2048 2048

GOTO EXIT

:ISA

LH A:DOSmouse.COM

LH A:SCSIMSCDEX.EXE /D:ASPICD0 /M:12 /L:S

LH A:smartdrv.exe 2048 2048

GOTO EXIT

:EISA

LH A:DOSmouse.COM

LHA:SCSIMSCDEX.EXE /D:ASPICD0 /M:12 /L:S

LH A:smartdrv.exe 2048 2048

GOTO EXIT

:EXIT

When you boot the floppy, you get a choice of menus. Pick the menu for theappropriate controller card. Change to your CD-ROM drive, insert the NTinstallation CD, go to the I386 directory, and run winnt /b. This procedureeliminates all floppy drives from consideration and lets you repair the harddrive or perform a new installation. Remember, you don't need an emergencyrepair diskette if the install program can locate the NT directory.

On a RISC-based machine, you can run the programs from the CD-ROM. If youhave the proper BIOS and CD, you can also install directly from the NTinstallation CD. You can also try NTFSDOS, a scary little utility that lets youaccess an NTFS volume when you boot from a floppy. For more on NTFSDOS, see MarkRussinovich and Bryce Cogswell, "NTFSDOS Poses Little Security Risk,"and Joel Sloss, "That Depends on Your Definition of Secure,"September.

Q: I recently installedAMI's latest firmware revision for my Titan II motherboard on a system with anAMI Titan II motherboard with two Pentium 150s, 128MB of 60-nanosecond parityRAM, 3940U with a scanner and five CD-ROMS, 3940UW with four 2MB Atlas Wide SCSIdrives, Matrox Millennium adapter with 4MB RAM, and Windows NT 4.0 beta 2. Now Iget the message, "No ROMBASIC, system halted," and my system won'tboot. What happened? Is this an NT beta issue?

This problem is not an NTbeta issue but is at the board level. In fact, the error message tells you whatthe problem is: The system can't see any OS. If you watch the controller's POST,you notice that the system sees the 3940U before the 3940UW. I called AMI, andthe company verified this assumption.

With the old motherboard firmware, the system read the PCI cards from theEISA bus to the edge of the motherboard. Although this approach to card scanningseems logical, the PCI slots are numbered from the edge of the motherboard. Withthe latest firmware, the system reads the PCI bus from the edge of themotherboard to the EISA bus, so the boot position of the drives has changed. Tosolve this problem, simply swap the controller card positions.

Consider yourself lucky--the old Adaptec cards had problems with IRQsharing. With a 2940W with a 3940U, the system always saw the 3940U first,regardless of the card position on the bus.

Q: I'm trying tostandardize on a network card. I can't soft-reset my system when I use 3Com'sFast Ethernet card--NT starts to load and then hangs. What's going on? If I lookat Event Viewer after I successfully boot, I've noticed that NT stops the bootprocess on the initiation of the 3Com card. Event Log sometimes states that abus-mastering slot isn't available for the card. Are the problems related?

I commend you for isolatingthe problem. In fact, Event Log is telling you exactly what's wrong--the 3Comcard isn't resetting properly. To solve this problem, disable the card'sbus-mastering feature.

Screen 5 shows this Registry entry for a 3Com EISA network card. After youreboot, you can verify that bus mastering is off. Run Event Viewer, and look atthe first instance of El59x. Click the event to display a message that states,BusMaster support has been turned 'OFF' for slot xx (where xxrepresents the appropriate slot number for the card).

The purpose of the bus-mastering network card is to relieve the CPU ofnetwork work. You've bought a card to function one way, and now you have todecide whether to disable this feature. Should you accept such a compromise? I'daccept the cold reboot option.

Q: How can I make aNetBEUI boot diskette to install Windows for Workgroups (WFW) from an NT 4.0server? I notice that Microsoft doesn't offer WFW on the NT 4.0 CD. Can you showme basic setup and anything I need to be aware of in this setup?

Microsoft wants you toinstall Win95 rather than WFW and no longer supports WFW in new softwarereleases. Many other vendors, including Adobe with its latest revision of AdobeType Manager, support this upgrade-or-be-left-behind philosophy. Still, you caneasily create a boot disk for installing WFW.

Start by creating a shared directory called clients on a server harddrive. Copy the client directory from the NT 4.0 Server CD to the directory youjust created. Remove the NT 4.0 Server CD, and insert the NT 3.51 CD. Copy theWFW directory in clients to the client directory on the server hard drive.Make a DOS boot floppy and place it in the 3.5" drive (we might as wellgive up on 5.25" drives). Go to the Administrator folder on the server, andchoose Network Client Administrator. Select Make Network InstallationStartup Disk. Be sure the wizard points to the client directory. Screen 6shows the dialog for making a WFW installation diskette with the following files(using an NE2000 as a network card).

CONFIG.SYS

files=30

device=a:etifshlp.sys

lastdrive=z

DEVICE=A:NETHIMEM.SYS

DEVICE=A:NETEMM386.EXE NOEMS

DOS=HIGH,UMB

AUTOEXEC.BAT

path=a:et

a:etet start

net use z: \"servername"Clients

echo Running Setup...

z:wfwetsetupsetup.exe /#

Files in the et subdirectory

emm386.exe

himem.sys

ifshlp.sys

ne2000.dos

net.exe

net.msg

protman.dos

protman.exe

protocol.ini

setup.ini

shares.pwl

system.ini

wcsetup.inf

wfwgsys.cfg

Make sure the following lines are correct in protocol.ini:

[ms$ne2clone]

drivername=MS2000$

; INTERRUPT=3

; IOBASE=0x300

; SlotNumber=1

If the interrupt is not 3, change the lines above to specify the proper IRQ.Do the same for both IOBASE and SlotNumber, and remove the semicolon from thebeginning of each line.

Note the following in system.ini:

[network]

filesharing=no

printsharing=no

autologon=yes

computername=WFWG

lanroot=A:NET

username="username"

workgroup="workgroupname"

reconnect=no

directhost=no

dospophotkey=N

lmlogon=0

logondomain="domainname"

preferredredir=full

autostart=full

maxconnections=8

For username, I typically use a logon with Administrator privileges. If youdon't want to set such a high security level, make sure the user can at leastaccess the client share. The workgroupname and the domainname have to be thesame if the logon is to a domain.

In this setup, the network boots, and WFW installs immediately. I prefer tochange to the client directory and install the appropriate version by copyingall the setup files locally and running setup. You can easily modify theautoexec.bat to accomplish all this automatically.

Q: I know you considersecurity a major risk with accessing the Internet. Can you provide somespecifics? This issue has me concerned.

Security across theInternet clearly has me concerned. Suppose you send information over the Netthat you mean to keep secret. Guess what? Anyone can use sophisticated searchengines such as Digital's AltaVista to find your message, even with newsgroups.This breach of security means that most Internet messages are public.

Once you connect to the Internet, you also expose yourself to viruses suchas the Concept virus. Connecting a virus scanner to your email service isbecoming a way of life. For a review of virus scanners, see Jonathan Chau, "VirusScanners for NT," page 53.

Another area of concern is how you send information over the Internet.TCP/IP is a broadcast protocol. Hackers can listen in, analyze the packets ofinformation traveling across a LAN, and use this information to access yoursystem. They often use this method to access UNIX-based systems.

You can also encounter various setup errors. Without proper security,hackers can easily break into any system. How many users have a proper passwordor any password at all? Such users argue that security is unnecessary becausethey control their environment. In fact, these users are at extreme risk. Withthe Internet, you can't be too careful.

So how do you implement security over the Internet? First, rigorouslyimplement security and passwords. Second, share only what you need to share andsecure the bulk of the network from outside intrusion.

Consider routers. They filter packets and can prevent the passage ofspecific packets, but the filtering is application independent. Many users argueabout the efficacy of packet filtering because of setup and testing issues. Forexample, you can add a proxy server to convert all IP datagrams to HypertextTransfer Protocol (HTTP) before sending data. For a review of Microsoft's proxyserver, see Mark J. Edwards, "Microsoft's Internet Access Server,"September 1996, and "Configuring Microsoft's Internet Access Server,"on page 153.

You can add encryption to the server, (for information on digitalencryption, see Lawrence Hughes, "Secure Enterprise Email," May 1996; "DigitalEnvelopes and Signatures," September; and "Exchanging Email: Signed,Sealed, Delivered," page 103). Or as a better solution, you can have afirewall, which lets you control access to your systems. The best areapplication firewalls such as Raptor Systems's Eagle NT. Firewalls load theapplication stack and execute the program. They can determine potential securitybreaches and shut down the server. For more on network and Internet securityissues, see John Enck, "Confronting Your Network Security Nightmares,"on page 81.

Q: Can you explain RAIDand what it's for? I know NT Server and NT Workstation use RAID in differentways.

RAID was originallyRedundant Arrays of Inexpensive Disks. Today, it usually refers to RedundantArrays of Independent Disks. NT uses four levels of RAID. The simplest level isa bunch of drives, or a volume in NT language. This unnumberedRAID level treats several drives as one drive and provides no redundancy orspeed advantages. The second level of RAID, RAID 0 or striped drives, is similarto the unnumbered RAID level, but the system writes data in stripes across thedrives: The striped data allows simultaneous I/Os to all drives. RAID 0increases I/O speed. As you increase the number of drives, you also increase theprobability of a drive failure. Both NT Workstation and Server support RAID 0.

RAID 1 (mirroring and duplexing) and RAID 5 (striping with parity) fallroughly into the realm of fault tolerance. Mirroring is when both drives sharethe same controller, and duplexing is when each drive is on a separatecontroller. RAID 1 is probably the best RAID level for fault tolerance andspeed, but it's very expensive. All data writes to at least two drives--so, forexample, RAID duplicates data written to drive A to drive B. With RAID 5, youcompromise speed, safety, and price. Striping is at the block level with errorcorrection distributed across all drives. For a five-drive set, one drive canhave parity information, leaving four drives for data.

With the possible exception of RAID 0, where you don't care about dataintegrity, I don't think RAID applications in NT are a good idea. You have toset up RAID 1 and 5 at the hardware level. Hardware RAID is based onSCSI systems that are BIOS independent, which lets you repair the RAID withouttaking the system down. In fact, some high-end RAID enclosures (chassis) let youconfigure the system on the fly and repair the RAID system without shutting downNT.

So what are the implications of RAID for fault tolerance? Many users assumethat tape backup is an example of fault tolerance--it's not. For example, I justfinished a low-level format of a 4GB hard drive. After the formatting, Irestored the files on the drive that I had backed up. The backup took 30minutes, the low-level format took 45 minutes, and the partitioning andformatting took 20 minutes. The tape restore took only 15 minutes. This wholeprocess took about two hours. In true fault-tolerance situations, downtime iszero. The NT fault-tolerance tools don't satisfy the zero downtime criterion.

By the way, the most likely part of a system to fail is the power supply.For more information on fault tolerance, see Mark Smith, "Closing In onClusters," August 1996, and Joel Sloss, "Digital Clusters for WindowsNT," August.

Q: I successfullyinstalled a new copy of NT on my G drive, and I want NT to restore my previousfiles on drives E and F, which were partitions on a hard drive. However, Ireplaced that drive with a new one, and NT is now on drive E and not G. How canI fix this problem?

This problem is easy tosolve and prevent. After you configure your drives, be sure to commit thechanges in Disk Administrator. If you do, NT will stay on drive G. Because youdidn't run Disk Administrator to commit the changes with the new setup, you needto boot to a DOS disk and run fdisk.exe. Create the partitions and driveletters, and reboot. Drives E and F will be present, even if NT can't recognizethe format. Format the drives with Disk Administrator and commit the changes.Now run your backup application, and restore the data from the tapes.

Although much of NT 4.0 is the same as NT 3.51, new problems andworkarounds have emerged. In future Tricks and Traps, we'll look at specific NT4.0 issues and how to resolve them. Check out Dr. Bob's technical forum on ourWeb site, www.winntmag.com.