Best NT Practices

Good habits for NT administrators

In 1996, "Getting Started with NT" began life as "New to NT." Every month since then, I have offered advice about a variety of topics important to Windows NT systems administrators. This month, I summarize my top NT administrative practices for installation, configuration, networking, and troubleshooting. (For more detailed information about these subjects, see "Related Articles in Windows NT Magazine," page 174.) Next month and in subsequent months, I will shift the focus of this column to Windows 2000 (Win2K).

Develop Good NT Installation Habits
The most important recommendation I can make regarding installation is to spend the necessary time to get familiar with the unattended installation process. Then, you can script your installs to save time.

If you use software such as GHOST, you might find that you have problems with different network and video cards. These problems can arise if you have a collection of assorted computers or even nonstandard computers from one vendor. You will definitely experience a problem with SIDs if you simply copy a completed NT installation. A better choice is to use an image of an NT installation at the second reboot, just before NT starts collecting information about your computer. Then, you can complete the installation, make all the appropriate choices, and get a unique SID. At the very least, if you GHOST images of a full OS, use a SID changer software package. Don't leave duplicate SIDs in your system, because they will cause problems when you upgrade to Win2K.

Make a CD-ROM with images of as many network card driver disks as you can. Most of the network cards listed on the original NT 4.0 installation CD-ROM are 3 years old. NT either does not autodetect the newer ones or detects them as invalid cards. Copy the CD-ROM to your hard disk before you begin the NT installation on your GHOST reference computer. Regardless of which card is installed on the target computers, you will already have the drivers on the hard disk. You can always clean up this directory later.

Make an Emergency Repair Disk (ERD) during or immediately after the installation. Some companies write the administrator password on this ERD and have a responsible person lock the disk in a safe. If your administrator were to change all the administrator-level passwords and leave the company, could you get back into your NT installation? If you had the original ERD, perhaps you could. You would have to restore the original SAM, thereby losing your current accounts database. But after you were connected, you could restore the SAM from a recent backup.

Simplify Software Installation
Use Microsoft Systems Management Server (SMS) Installer or a third-party software installer to simplify remote software installation for your users. Life will be much easier at the Help desk if all users have the same software version with the same options installed.

Keep Up After Installation
Be sure to update the ERD for each of your critical servers. At the least, run the Rdisk utility occasionally and update what is in the repair directory on the hard disk, even if you do not build an ERD every time. I recovered a system by restoring the repair directory from tape to another computer—to a separate location, of course—then copying the files onto a disk, which became my ERD.

Use NTFS on all your computers. Back in the early days of NT, many systems administrators made a small FAT partition for the boot files and stored NT files and data on NTFS partitions for security and recoverability. Being able to recover from boot problems with the old familiar DOS-based tools provided a certain comfort level. Now that administrators are more conversant with NT, leaving an unsecured partition on a hard disk does not make sense. This guideline is even more valid now that disk sizes are hitting the 20GB range and FAT is running out of steam.

Build an NT boot disk for your critical computers. If you are consistent about which drive and directory you use for NT, one NT boot disk will suffice for all your computers. For any server on which you have mirrored your NT files, you must have a boot disk that will boot to the mirror disk.

Install a second copy of NT on critical servers. Sean Daily recommends this technique in "Recovering from NT Startup Failures, Part 1," September 1999, and I have found the technique useful on several occasions. All you need is a basic, no-frills installation of NT Workstation or NT Server, preferably on a separate hard disk. If the main installation is damaged, you can boot to the backup copy and perform recovery from there.

Streamline Networking Processes
Reduce the number of protocols running on your network. Some administrators have never removed the old protocols from networks that have evolved from NetBEUI through Nwlink (IPX/SPX) to TCP/IP. Every extra protocol means more system overhead. For processes such as browsing, this overhead is especially heavy. In browsing, every computer with resources to share announces its presence on the network every 12 minutes on every protocol it has loaded. You do not need NetBEUI to run Microsoft products, as many people think. You do need NetBIOS, but that API works over TCP/IP.

Use DHCP to assign your network IP addresses. Screen 1 shows the setup for a DHCP server. Unless you have a very small network, keeping track of IP addresses can become a chore. DHCP automates the process and reduces the potential for error. You can install WINS and DNS on the same NT server to prepare for the transition to Win2K and dynamic DNS (DDNS). You can also use the DHCP service to configure your clients with the WINS and DNS server addresses.

Save Your Feet
You can administer NT remotely from a central location, often an NT workstation. Load the administration tools from the NT Server CD-ROM (\winnt cd\clients\srvtools) to administer the server-based services such as DHCP, WINS, and Domain user accounts. Most Microsoft BackOffice software, including SQL Server and SMS, has an interface that lets you administer it from a location other than the server on which the software resides.

Troubleshoot from a Distance
You can do more than just administer servers remotely. You can also remotely run most of the diagnostic tools, such as NT Event Viewer, Performance Monitor, and Windows NT Diagnostics. If you get into the habit of fixing problems remotely, you will find that you can take care of more users than you can with local administration. Screen 2 shows Performance Monitor keeping tabs on both a local computer and a remote computer during a data transfer.

Establish a Baseline
Run Performance Monitor periodically on your crucial systems to establish a baseline for the counters during normal operations. Then, if problems occur, you can easily spot anomalous behavior. You can also use this data to identify trends and anticipate upgrading a server if demand increases.

Check Your Logs
Everyone knows to look in the event logs whenever a problem comes up. An even better plan is to check the logs regularly in case they are reporting a problem that has not become apparent to users. Also, remember to check the security log. It might warn you of break-in attempts before an intruder manages to connect and do some real damage.

Use System Policies
Use the NT system policies to establish centralized administration of users' computers. You can eliminate or reduce the severity of many Help desk problems by restricting users' ability to reconfigure their systems. Consider using system policies to display a warning message as users log on. The notice needs to state that the computer is the property of the company, for use by only authorized employees for approved purposes. Although such a notice will not deter an intruder, it will establish that the intruder is not welcome. This point can make a difference in a court case. Screen 3 illustrates how you set up a Logon banner on the Default Computer Properties' Policies tab, but this step is just the starting point.

Pick the Right Registry Editor
Making changes to the Registry is potentially dangerous, and Microsoft warns you not to do it—or to do it at your own risk. Of course, most of the fixes and workarounds Microsoft gives you involve Registry changes.

You can take a few precautions to avoid accidental changes. First, use regedt32 to turn on the read-only option for the Registry. Then, if you make any accidental changes, the Registry will discard them. Second, if you must make changes, make sure that you back up the Registry during your routine NT backups. Also, before you make any changes, use the regedt32 backup option to back up the key or the hive to a file.

For searching the Registry, regedit offers much better search capabilities than regedt32 does. However, regedit lacks the read-only safeguard. Screen 4 shows local and remote computer Registries in regedit.

Apply Permissions Wisely
Microsoft's recommended policy is to first place users into global groups, then assign permissions to local groups, and finally place the appropriate global groups (containing users) into the desired local groups (with the resources the users need to access). Although this process looks like a lot of work, it pays off in the long run because permissions are easier to control. Typically, do not give permissions directly to a user. Someone might need to take over for that user from time to time, leading to password sharing and other security holes.

Back It Up
We all know that we need to do backups, but do not fall prey to the excuse I'll get around to it one of these days—because you never do. As a first step, schedule the NT Backup utility using the At command or Winat to back up your crucial data and OS directories. If you decide that you can live without backups, at least make sure that you have a backup copy of your résumé, because you might be looking for it soon. And by the way, RAID is not a substitute for backups. RAID might provide fault tolerance, but remember that tolerance has its limits; if you lose two disks in a RAID array, you will have to restore from backup tape or a disk file.

Take Advantage of the Newsgroups
Microsoft makes servers available to host newsgroups that focus on Microsoft products. You can access several newsgroups that deal with NT concerns, including everything from general topics such as domains to very specific topics such as Dfs. The Microsoft server is You need not subscribe to the Microsoft servers or to the newsgroups on other servers. The point is that you can learn a lot from these newsgroups, whether you just read or actively post questions and answers. Microsoft does not officially take part in these groups, although some Microsoft employees might answer questions. Many people are willing to share their knowledge and experience. Before you start posting questions, check out the messages already posted—other people have the same problems you do. And you might find a reference to an FAQ list, with some of the answers you are seeking. At least you will find that you are not alone.

Subscribe to NT Resources
You already subscribe to, or at least read, Windows NT Magazine. If you are a new subscriber and want to check out previous issues of the magazine, you will find them at Also, every 6 months, Windows NT Magazine publishes an updated Article Archive CD-ROM that contains all the magazine's articles since September 1995 (the premiere issue), including the illustrations. You can find out how to order the latest Article Archive CD-ROM at the magazine's Web site.

Other essential subscriptions include Microsoft TechNet and, if you are a developer or programmer, the Microsoft Developer Network (MSDN). The TechNet CD-ROMs include the Knowledge Base, a searchable database of problems and solutions for all Microsoft products. Recently, Microsoft included 120 evaluation copies of software such as SQL Server 7.0 and SMS 2.0. The company has also distributed some of its online seminars as CD-ROMs. With the TechNet CD-ROM on your computer, you have access to the same information that the Microsoft frontline support staff has. A subscription to TechNet will pay for itself the second time it gives you an answer you would otherwise call Microsoft for. Microsoft offers the MSDN subscription at several levels. Briefly, MSDN includes software development kits (SDKs), Device Driver Kits (DDKs), and a lot of information about BackOffice products and other Microsoft business products.

Educate Yourself
I might be biased because I am a Microsoft Certified Trainer (MCT), but I think that to keep your network running smoothly, you must invest in education. You do not always have to seek instructor-led training; you can choose among many alternatives, such as self-paced training kits, online training, and computer-based training. The important point for you or your employees is that your job description must require training each year. Although I believe that on-the-job experience is crucial, training helps make that experience even more valuable and cuts a lot of time out of the learning process.

Be Flexible
Each NT administrator develops a list of dos and don'ts by experience. You probably have a few best practices of your own. Be prepared to reevaluate them before you move to Win2K. Otherwise, your best practices can turn into bad habits or an unwillingness to change with the times.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.