April 1996 Enterprise Windows

NT Backup

Internet Routing

Choosing a Database

Product Pipeline

Enterprise Administrator

by John D. Ruley

I'm going to do something that's unheard of in a column-I'd like to ask you to go to the Product Pipeline in this section. Please do come back to my column after you've looked.

Different, isn't it? What you're seeing is a reflection of how things change in this business. Just a year or two ago, the idea of a page full of new 32-bit Windows products focused on the enterprise would have been ridiculous. Now, a page is barely enough to hold them. That's the nature of things in the enterprise world these days.

Also in this special section, you'll find 10 more pages covering enterprise databases, NT backup and Internet routing. I know from your letters that these are three of the top concerns network administrators, system managers and high-end workstation users have today. I hope you'll find the articles as interesting and useful as I have!

P.S.: If you're looking for my regular Windows NT column this month, you'll find it on our World Wide Web site. Point your browser at http://www.winmag.com/ew. As I said last month, if you don't have Web access yet, now's the time to get it!

Compiled by John D. Ruley

MindWire NT
Internet applications server that combines Web-server functionality with a client/server applications platform. Currently Intel-only; a Digital Alpha version is in the works.
From $2,495, 10-user license
Durand Communications Network
805-961-8700, fax 805-961-8701

NEC RISCstation 2250 and RISCserver 2250
High-performance graphics workstation and communications/database server powered by single or dual Mips VR4400 CPUs.
RISCstation 2250, $5,415-$12,347;
RISCserver 2250, $11,111-$23,436 (all street)
NEC Technologies
800-NEC-INFO, 708-860-9500

NEC Enterprise Server Management (ESM)
Enhanced SNMP-based network management for NEC's Mips VR4x00-based RISCserver products. Included with RISCserver 2250; available as a free upgrade for earlier models.
NEC Technologies
800-NEC-INFO, 708-860-9500

Microsoft BackOffice 1.5
Microsoft's integrated suite for NT Server 3.51; includes SQL Server 6.0, SNA Server 2.11, Systems Management Server 1.1 and MS Mail 3.5-all of which now run natively on NT Server. Supports NT on all platforms.
$2,199 per server, plus $269 per client (street); upgrade pricing available
Microsoft Corp.
800-426-9400, 206-882-8080

Saros Document Server for BackOffice
Saros' document management product integrates with BackOffice on Intel and Digital Alpha systems. A demo CD is available.
$895 per server, plus $495 per client (includes Microsoft SQL Server)
Saros Corp.
800-82-SAROS, 206-646-1066

Stratus RADIO
Windows NT Server version of Stratus' unique fault-tolerant clustered server hardware, previously available only as a UNIX platform.
$63,000-$110,000
Stratus Computer
800-258-0990,508-460-2000

Shablamm
Nitro Personal Workstation
High-performance NT or Windows 95-based workstation featuring a single or dual Pentium 150MHz CPU and exclusive True Cache XBI memory architecture. The company claims up to twice the performance of conventional memory.
$5,799, single CPU; $7,899, dual CPU (requires NT Workstation)
ShaBLAMM Computer
800-SHABLAMM, 408-730-9696

Microsoft Internet Information Server
Microsoft's Web server, formerly known by its beta code name Gibraltar, which will be included in the next release of NT Server. Now available for NT Server 3.51. Supports all NT Server platforms.
Free (downloadable from Microsoft's Internet site at http: //www.microsoft.com/infoserv/
Microsoft Corp.
800-426-9400, 206-882-8080

FireWall/Plus
Windows NT (Intel or Digital Alpha) version of an easy-to-use packet filter gateway (configurable as an Internet firewall), previously available only for DOS.Around
$13,000Network-1
Software and Technology
800-NETWRK1, 212-293-3068

Kane Security Analyst
Windows NT (all platforms) version of enterprisewide network-intrusion-detection and security-verification tool previously available only for Novell NetWare.
$495 per server (includes license for 10 workstations)
Intrusion Detection
800-408-6104, 212-348-8900

NiwRAS Kit
Enhancement to Windows NT Remote Access Service (RAS) that supports switched 56Kb, T1, BRI and leased lines at data rates well above those of ISDN.
$995 per node (includes hardware)
Niwot Networks
303-444-7765, fax 303-444-7767

Inforeports for Windows NT
Database report generator with DTP capabilities. Supports DB2, Informix, CA-Ingres, Oracle, Rdb/VMS and Sybase databases directly; others via Platinum InfoHub, MDI and ODBC. A companion server-based production reporting product is also available.
$695 (direct)
Platinum Technology
800-442-6861, 708-620-5000

Batch Job Server 1.25 for Windows NT
An NT-based batch job management-service tool for use in situations ranging from data warehousing to report distribution. Jobs can be submitted from local and remote NT, UNIX or IBM mainframe systems.
From $75 per server (single user)
Camellia Software Corp.
360-264-5307

by: Richard Furnival

The first step in a scheduled backup is to create a batch file containing the necessary commands to perform the operation. In this example, the NTBACKUP.EXE application is used, but any backup software that supports command-line operation can be used. Using a text editor of your choice, create a file called BACKUP1.BAT.
@echo off
%systemroot%\system32\ntbackup backup
c: \ /v /d /b "Server C: " /t normal
%systemroot%\system32\ntbackup backup
d: \ /v /a /d "Server D: " /t normal

To perform a backup regularly (regardless of the console status on the backup server), use the built-in scheduler service. By default, the scheduler uses the built-in NT system account-but that only allows you to back up files local to the NT Server. To circumvent this, reconfigure the scheduler service to log on using an account with domain-wide privileges.

To do so, start Control Panel and select the Services icon. Select the Schedule Service and ensure that it is stopped. Next, open the User Manager and create a new account called Scheduler, and assign it a password of your choice. Place this account into the Domain Backup Operators group. Make sure this account is not restricted from accessing any other machines on your network. Now return to Control Panel/Services and select the Schedule Service again. This time choose Startup and select the Automatic radio button. Under "Log on as," choose This Account. Select the newly created Scheduler account, and enter the password you chose in step two above. Start the Schedule Service, and exit Control Panel.

Now we can use the AT.EXE character-mode command or WinAT.EXE GUI-based utility (from the NT Resource Kit) to assign the BACKUP1.BAT job to the scheduler. Assign this operation to any time you wish, preferably during times of low network use. Also, be sure to add or check the "Interactive" switch to the AT or WinAT command, as you may need to control the backup program from the console during the backup operation. Now, whenever the computer is running the schedule service, BACKUP1.BAT will run at the appointed time.

at \\server1 23: 00 /interactive /every: monday, wednesday, friday c: \bat\backup1.bat

At times, you may wish to back up your server from a remote client workstation. This is easily accomplished, provided you have the proper server access privileges established. By default, Windows NT Server establishes administrative shares that are hidden from most users, called drive$, (where drive is the drive letter as in C$) and ADMIN$ among others. Any domain administrator or backup operator running Windows NT Server or Workstation, Windows 95 or Windows for Workgroups may access these administrative shares.

Once you are logged on to the client with the appropriate privilege level, connect to any server drives you wish to back up. You may use any backup program you want, but be aware that DOS, 16-bit Windows and Windows 95 backup programs do not allow you to back up the all-important NT Registry. Instead, you'll need to use the REGBACK.EXE program from the NT Resource Kit. (The accompanying chart shows which programs can perform this critical operation.)

The following example (BACKUP2.BAT) demonstrates the use of a Windows 95 machine to perform the backup operation. The Windows 95 BACKUP.EXE program requires the use of a previously prepared .SET file that contains the specific backup options for each batch job.

net use j: \\server1\c$
net use k: \\server1\d$
"c: \program files\accessories\backup.exe" "server1 full backup.set"
net use j: /del /yes
net use k: /del /yes

Many networks have clients that perform important functions critical to enterprise network operations. All these systems should be regularly backed up, but it is unwise for administrators or backup operators to leave this to the local user of these resources.

In the previous examples, most of the components necessary for this operation have been discussed. The primary requirement is that the client is configured to share the critical directories for administrative access remotely.

To do this, create a share on each client called C$, just like the default NT administrative share. Provide full access to domain administrators and the newly created Scheduler account.

Of course, all Windows NT Server or Workstation clients will have administrative shares established and implement user-level security by default. You can remotely back up these clients by using these same procedures. The sample batch file (BACKUP3.BAT) demonstrates the commands necessary to access and back up any portion of the local workstation as required. This batch file would be run from a Windows NT machine using the NTBACKUP.EXE application.

@echo off
net use J: \\ADMN_2\C$ /YES
%systemroot%\system32\ntbackup backup j: \ /v /a /d "ADMN_2 C: " /t normal
net use J: /DEL /YES
net use J: \\ENGR_5\C$ /YES
%systemroot%\system32\ntbackup backup j: \ /v /a /d "ENGR_5 C: " /t normal
net use J: /DEL /YES

The fourth scenario in our fictitious enterprise deals with running a server-hosted backup when you lack access to that server's keyboard. There is a set of utilities in the NT Resource Kit called Remote Commands Service (RCMD) that will aid in this task. RCMD comprises both client and server components. The client is a character-based command-line program, RCMD.EXE. The server component, RCMDSVC.EXE, is installed and run as a service, just like the Scheduler. Follow the instruction in the Resource Kit to install RCMD on your server and Windows NT client.

Once RCMD is installed, type rcmd \\<server_name> <command> to execute a program or batch file on the remote server. In our first example, a server batch file called BACKUP1.BAT was used to automatically perform a backup operation. Now let's assume that this command is stored on a server called SERVER3 that is located in a remote office, and is not currently a scheduled activity. Simply type rcmd \\server3 backup2.bat in a console window on your NT client, and the backup will commence. RCMD will terminate when the batch file has completed.

Of course, if equipment never failed, or if files were never erased accidentally, all this talk of backups would be a moot point. Now that we have established our backup procedures, how do we restore any lost files or crashed systems? Using most backup programs' restore option is relatively straightforward; refer to that program's documentation for specific instructions. The bigger challenge is what to do when an enterprise server collapses under the weight of a catastrophic failure. When your network users are wandering around looking lost and the CEO turns to you for solutions, you'd better have a plan ready to use.

If the system is mission-critical, I suggest that you have-at a minimum-spare critical components such as hard drives, power supply, network cards and the like. The best hardware backup is a complete system with the server software already installed. This system can be used as a backup domain controller that can be quickly promoted to primary status if necessary.

If the system has been lost completely, follow this restoration procedure: First, install NT Server in the mode that was operating prior to the crash (PDC, BDC, Workgroup Server). If you have promoted a BDC to primary status, restore the original server as a BDC. The restored server may be promoted later, as necessary. Once the system has been isolated from the LAN and is restarted, use the backup software to restore nonstandard server files such as user log-in scripts and the latest copy of the original Registry. When using NTBACKUP.EXE, be sure to select the Restore Local Registry check box to restore the Registry files from the backup. Restore all other lost files, and shut down the system. Reconnect the server to the LAN and restart the system. At this point, you should be back in business as the network hero.

On a large NT network, you're likely to find the built-in backup inadequate. It lacks support for NT-standard UNC names, only allowing you to back up devices which have been assigned drive letters. It's also not multithreaded-so backup won't see much benefit from additional CPUs in a multiprocessor server, and it does not support compression. Fortunately, alternatives are now available, as you'll see from the table.

Editor's note: A longer version of this article is available on our World Wide Web site: Point your browser toward http://www.winmag.com/ew.

by: Karen Kenworthy

The figure on the following page shows how a typical LAN can be connected to the Internet. As you can see, the secret to interconnecting networks is the machine called the gateway or router. This machine has at least two network connections-one to your local network and one to the network of a company already on the Internet (your ISP). The ISP link is created by NT's Remote Access Service (RAS) dialer, via either an analog or ISDN modem, or a high-speed X.25 connection.

The gateway machine acts as a helpful mail clerk. It monitors network traffic arriving from the ISP and forwards packets intended for machines on the LAN to its LAN connection. Packets arriving from the LAN, intended for machines elsewhere on the Internet, are sent to the ISP via the gateway's RAS connection. As a result, any LAN client can communicate with the world via the gateway, without its own direct Internet connection.

To accomplish this, all you need is a network with at least one machine running NT Server 3.5 (or higher) and a modem. Then follow these five steps:

1. Open an account with a suitable ISP.
2. Obtain a block of IP addresses large enough to give each machine on your network its own address.
3. Register a "second-level" Domain Name.
4. Install TCP/IP protocol drivers on each of your network's machines.
5. Configure NT Server's RAS dialer and enable static routing.

Although the Internet is a collection of networks, the data traffic it carries flows between individual machines. Without the ability to address each computer uniquely, the Internet would not be possible.

Each of your LAN's client machines must be assigned an IP address, and your gateway must be allotted at least two (one for each of its network connections). IP addresses are distributed in blocks of consecutive numbers. Each block's size is always a power of two ( 2, 4, 8, 16 and so forth). When figuring how many addresses you need, count your network connections, add a few for future growth, then round up to the next power of two.

Where you should obtain your block of addresses depends on how many you need. If you need a large block, it's best to go straight to the source-InterNIC, the clearinghouse for Internet information related to U.S.-based Internet sites. It maintains both Web (http://internic.net) and ftp (ftp://ftp.internic.net) sites, containing applications, instructions and other information you need to request blocks of addresses.

Blocks assigned by InterNIC come in three sizes: 8-bit (256 addresses), 16-bit (65,536 addresses) and the 24-bit economy size (16,777,216 addresses). If you have more modest needs, you can usually obtain a small block of addresses from your ISP.

IP addresses are 32-bit binary numbers, though they are normally written as four groups of decimal numbers separated by periods. Each group of digits reflects, in decimal, the value of one of the address' 4 bytes. For example, an IP address consisting of 16 binary 1s, followed by 16 binary 0s (in hex, FF00) would be written as 255.255.0.0.

In addition, you'll need to know your subnet mask. This 32-bit number allows your computer to separate each IP address into its two parts. The high-order bits of the subnet mask are all binary 1s, indicating the location of the address' unchanging high-order bits unique to your network. The rest of the mask contains only binary 0s, indicating those low-order bits that uniquely identify each machine.

Although IP addresses are a perfectly natural way for computers to distinguish one machine from another, we humans have trouble remembering 32-bit numbers. We're much better at remembering and using alphabetic names. That's why the Internet includes many machines, called Domain Name Servers (DNS), which can convert easy-to-remember machine names (called Domain Names-not to be confused with NT's Domains) into numeric IP addresses.

Internet Domain Names consist of two or more parts, called levels. Each level is separated from the next by a period (called a dot for this purpose). The right-most, or first, level indicates the location or type of organization operating the machine. Within the United States, commercial businesses are assigned the .com first-level domain, educational institutions are assigned to .edu domain, and charitable and other organizations are given the .org first-level domain. Outside the United States, the domain name's first level is usually the two-letter ISO abbreviation for the country where the machine is located.

The second level of domain names is selected by the machine's operator. In most cases, the name chosen indicates the operator's name. For example, the second-level domain name chosen by WINDOWS Magazine is "winmag." Since WINDOWS Magazine is a commercial business, its full domain name (first and second levels) is winmag.com.

To ensure all second-level domain names are unique, each one must be registered with InterNIC. For an initial $100 fee, the name you choose will be registered for 2 years. After that, you'll be subject to an annual, $50 renewal fee.

Note: If you prefer, you can ask your ISP to help with domain name registration, but be careful. Make sure your name is specified on the application as the technical contact. Otherwise, as far as the InterNIC is concerned, your ISP will own your name and have all rights to it. While each machine that can communicate over the Internet must have an IP address, only those machines you wish to make available to others need domain names. Machines without domain names can still be accessed by those who know the machine's IP address, but not assigning a domain name makes outside access less likely.

The TCP/IP protocol is the lingua franca of the Internet. As a result, local clients that will have Internet access must have the TCP/IP protocol installed and bound to its network interface card.

Fortunately, both Windows NT and Windows 95 include 32-bit TCP/IP drivers as part of their standard CD-ROM distribution. For those clients running WFWG 3.11, you can obtain 32-bit TCP/IP drivers from Microsoft at its ftp site (ftp://ftp.microsoft.com). The name of the self-extracting archive file that contains the drivers is /peropsys/windows/public/tcpip/wfwt32.exe. Or if you prefer, you can download the archive file from WINDOWS Magazine's software library section of the WINMAG forums on AOL and CompuServe.

After you've installed and bound the TCP/IP drivers, it's time to configure them. Naturally, you'll want to enter the IP address of the machine's connection to the local network, your network's subnet mask and the machine's Internet domain name (or that of the gateway machine, if the client has no domain name). Also, be sure to enable Domain Name Service and specify the IP address of your ISP's Domain Name Server.

When configuring a network client, enter the IP address of the gateway's Network Interface Card (NIC) connecting it to the local network, not the IP address of the gateway's connection to your ISP. When configuring the gateway machine's TCP/IP driver, leave the Gateway IP number field blank.

All other TCP/IP driver settings (WINS, Advanced Settings and so forth) should be left at their default values, unless the features they control are being used on your network.

Now, all you need to do is configure NT and its RAS Dialer. Start by changing two of the entries in the Registry: DisableOtherSrcPackets and IpEnableRouter.

The value of DisableOtherSrcPackets determines what happens to packets arriving from the ISP via the RAS connection. If the value is 1 (the default), OtherSrc packets (those whose source address is anything other than the IP address of the RAS connection) are disabled or discarded. Obviously, this dramatically limits the connection's usefulness, so change the value to 0 (don't disable OtherSrc packets).

The IpEnableRouter value determines what happens to packets originating on your LAN, but destined for machines elsewhere on the Internet. The default value of 0 instructs NT to discard those packets. That's why you must change this value to 1, causing NT to route outbound packets through the RAS connection.

Both entries are in the HKEY_LOCAL_MACHINE subtree. The location of DisableOtherSrcPackets is \System\CurrentControlSet\Services\RasArp\Parameters\DisableOtherSrcPackets. You'll find lpEnableRouter at \System\CurrentControlSet\Services\Tcpip\Parameters\ lpEnableRouter.

Once you've updated the Registry, configure the RAS dialer to use either the PPP or SLIP protocol (whichever your ISP recommends). First, run Remote Access and click the Edit button. If the Advanced >>> button is now displayed, click it to obtain access to the advanced RAS settings.

Finally, click the Network button, then select either the PPP or SLIP protocol. If selecting PPP, be sure to place a check mark next to the TCP/IP box. All other check boxes should be left in their default condition unless your ISP requires a nondefault setting.

Now you're ready to use the dialer to contact your ISP. Be sure to have your ISP account name and password handy, along with any other information your ISP requires during a log-in. Once you've completed the log-in procedure, press the Done button on the dialer's interactive log-in window and you're on the Net.

So, your network is now a citizen of the world, a full-fledged Internet member. And since the TCP/IP protocol supports remote printing and file sharing, all the files and printers on your client machines are now public property (to anyone who knows or can guess your machine names and passwords).

If sharing your local printers and files with the rest of the world is not something you relish, you'll probably want to take steps to prevent it. For machines running Windows 95's built-in TCP/IP driver, just run the Network applet in Control Panel, select TCP/IP binding from the network component's list, then click the Properties button. You'll then see a dialog box similar to the one shown above. Click once on the Bindings tab, uncheck the "File and printer sharing for Microsoft Networks" and you're done. You've locked the door to outside access. For NT clients, you can disable TCP/IP bindings for the Server and Workstation services with the Bindings button on the Control Panel/Network applet.