Windows NT 4.0 Manageability

[ Copies of some of my older work for a SAGE-AU column ]

A short column this month as I’m pretty pressed for time and working against a tight deadline, which I’ve definitely abused this time (sorry Donna!). This month, I’ll be dealing with the remote management blues. You’ll need a copy of the NT Server Resource Kit, 3rd Edition, and the NT Workstation Resource Kit, and if you’d like to get the full screen stuff happening, I suggest buying one of VNC, Control It! (nee pcAnywhere), or Timbuktu.

Step Zero

The biggest mistake I see with many naïve Windows NT installations is that the administrator installs every service and its dog on the off chance that it’ll be needed later. Don’t do this – you can always install it later. As with all production systems, install and run only those services that you actually require. By installing less, there’s more RAM for the real application or service to use, NT loads faster, and there are probably fewer bugs or holes to exploit.

After any installation of Windows NT, it’s important to sort out any warnings or errors in the Event Log. These warnings are harbingers of doom for your social life if you let them lie.

Another nice little trick for an easy performance boost is to set the page file to twice physical RAM for both the minimum and maximum settings just after installation. This stops Windows NT resizing the page file on the fly, which under stress can cause a completely unresponsive server. By setting the page file just after installation, you get a fairly contiguous page file, which can help performance.

Event Manager

The first stop when diagnosing any problem with Windows NT is the Event Manager. If you only get one piece of information from this article, the key to successful problem resolution is Event Manager.

If the server has blue screened, take good note of the exception and which driver or application killed itself, and reboot. Then hit the event monitor to see if there was something in the lead up to the blue screen that might have triggered the BSOD. Since BSODs are rare (I’ve seen fewer than five in the last twelve months), most times the only entrails of the problem will be in the Event Manager. Check all three logs, and see if you can replicate the problem. At least you have some event codes to plug into TechNet to see what turns up.

Always set the log policy that suits your organization. If you’re not interested in the log contents, bump all three logs to 4096 KB, and overwrite as necessary. Leaving the logs with the default settings is asking for sudden unexplained application failure, as NT will simply stop the logs from being used. Always check critical servers every morning, and other servers once per week. If this means you only have time to check logs, it’s time for a log management helper, like NetIQ or similar.


Don’t ignore the command line processor. The command shell has hidden talents, such as command history, scrollable windows and expanded batch functionality, including conditional operations (&&), command grouping and serialization. Try using the function keys in the command shell. F1 is a character by character version of ye olde F3. F2 allows you to copy part of the command history to a specific character (sort of like yank line with a search in vi). F3 displays the last command. F4 allows you to delete from the insertion point to a specific character in the command history. F7 allows you to browse previous commands. F8 does the last command with the insert point at the beginning of the line. F9 allows the selection of a specific command from the history buffer (equivalent to !5 in tcsh, which repeats command 5). You can make the command processor much easier to cut and paste from by turning on quick insert mode. I like to use 43 or 50 lines, and a smaller font with blue background and white text, but that’s just me.

The command line is useful under Windows NT remote troubleshooting because all the good stuff can be done using command line tools, particularly with net.exe. In W2K, the command line becomes even more useful. Microsoft have committed to be able to do everything (and I mean everything) by the command line. So far I count more than 400 executables in the Windows 2000 system directory. That’s more than double the total amount of Windows NT 4.0, even though all the graphical administration utilities are now Microsoft Management Console (MMC) snap-ins (which have a .msc extension). I think this bodes well.

For bonus points, besides posix.exe, what is the only other POSIX subsystem application that is delivered with Windows NT? Sorry, no prizes for this one.

Net.exe – Nifty Tool of the Week

Windows NT and Windows 9x both ship with a program called net.exe. Net allows you to do the vast majority of your remote administration. The first thing you need to know about is a little known depth called mailslots. Mailslots are an old OS/2 LanMan RPC holdover, one of six different IPC methods that are available to Windows NT. Mailslots allow you to impersonate a user by connecting first to the IPC$ share.

To invoke a new impersonated mailslot from the command line type the following:

Net use \\server\ipc$ * /user:domain\account

Remember to substitute the username, domain name and server to make it work for you. The asterisk allows you not to enter the password in the clear on the command line – important if you keep a command history or there are busy bodies wafting around your shoulders, say at work or a conference.

NT 4.0 and later allows you to use DNS names and IP addresses as well as hosts that WINS can find for you. For example, if you have no WINS replication or resolution to a PC (say your PC at home), you can connect to it like this:

Net use \\\ipc$ * /user:domain\account

Where, obviously, you’d substitute with the necessary IP address, and substitute the domain and account details. You could also connect to it via a DNS name, like \\\ipc$. There are bugs in 4.0 prior to SP4 regarding the use of hexadecimal or octal representations for the IP address. Upgrade to SP4 to avoid this.

Why connect via a mailslot? Well, when you have a valid and active mailslot running, you can browse the machine, administrate it using the normal NT utilities, and use net commands against it, like net user or net statistics.

This is the hidden su-like interface to Windows NT. The cool thing is that you can use any account, and you still get through as long as physical communication is possible (i.e. you can ping the remote machine and ports 137-139 are not blocked in the middle). Make sure you do a

Net use \\server\ipc$ /del

when you’re finished.
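
The connect, query and disconnect sequence described above, written as a batch file that uses the && chaining and command grouping mentioned earlier. This is an added example, not part of the original column; the script name and the SERVER and DOMAIN\ACCOUNT arguments are placeholders.

```batch
@echo off
rem Added example, not part of the original column.
rem Usage: ipcsess.cmd SERVER DOMAIN\ACCOUNT
rem (script name and both arguments are placeholders)
setlocal
if "%1"=="" goto usage
if "%2"=="" goto usage
set TARGET=\\%1

rem The asterisk makes net.exe prompt for the password, so it never
rem appears on the command line or in the F7 history buffer.
net use %TARGET%\ipc$ * /user:%2
if errorlevel 1 goto failed

rem Conditional chaining and grouping: the time check and the message
rem run only if the share listing succeeded.
net view %TARGET% && (
    net time %TARGET%
    echo Queries against %TARGET% completed.
)

rem Tear the session down whether or not the queries worked, so the
rem connection is not left open for whoever uses this console next.
net use %TARGET%\ipc$ /del

rem List what is still connected; the target should no longer appear.
net use
goto end

:failed
echo Could not open a session to %TARGET%\ipc$ as %2.
echo Check the account, and that ports 137-139 are reachable.
goto end

:usage
echo Usage: %0 SERVER DOMAIN\ACCOUNT

:end
endlocal
```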

Tip of the week: net stop/net start can avoid some reboots if you know what you’re doing. Many applications will ask for a reboot when all that’s really required is for the service(s) to be stopped and started. Practice before you trust this advice, but it can avoid downtime, so it’s worth a try. Sometimes logging out is all that’s required as well. If availability is important to you, do try this. Otherwise, just reboot. It’s the NT way.

Windows NT Diagnostics

Run winmsd.exe from the start menu or start it from the Administrator Tools, and you get a handy little tool that can connect remotely. WINMSD can tell you what sort of processors you have and how much RAM, what sort of disks, etc, in one handy little utility. I’ve used this with some success when I needed to tell the difference between a PII/400 and a Xeon/400 at a site some 265 km from where I was sitting just this week. It works.

Resource Kits – Don’t Leave Home Without Them™

If you support NT for a living or just dabble with NT because you’re the only “computer” person working in your company or department, the resource kits are essential parts of the administrator’s toolkit. Right now, the NT Server 4.0 Resource Kit can be had for less than $300, but it’ll have a very short life span, so it’s not good value.

The workstation and server resource kit CDs are available via TechNet (aka DogNet). TechNet costs about $800 per year, and is well worth the price. You have to order through Microsoft directly, rather than ordering through a dealer. The resource kit utilities are partially available via Microsoft’s ftp site. You can buy books of the resource kits for about $400, but they typically don’t have the latest versions of the CDs, and the paper text will be out of date within six months.

The resource kits contain many useful utilities, not the least being a telnet daemon, and the more useful “rconsole” (rconnect.exe). Both utilities give you access to a command prompt running on a remote NT server. Rconsole gives you full command shell functionality, and allows for most console programs to run (with the exception of things that change video modes, like Ghost 5.0 or games). Now that you know how to connect using mailslots above, you can do this inside a rconnect window as well. Layer upon layer upon layer…

I treat Resource Kits like dictionaries – they are deep, and you don’t have to know every nook and cranny, but if you spend a little bit of time every week getting to know new tools, it’ll pay off in the end, or when you have a tight deadline.

Tip of the week: Check out the password filter in the resource kit. It does a great job of allowing you to define what sort of passwords your users can use. The downside? It needs to be on all workstations.


NT has some nice functionality for managing remote sites, but sometimes the functionality is hidden somewhat. For example, if you wish to add a printer on a remote server, this used to be a doddle in NT 3.x, but it’s sort of hidden in NT 4.0. The trick? Browse the server and dive into the Printers folder. The Add New Printer wizard is now available. You can’t easily create LPR or JetDirect ports, but if the ports already exist, then you can set up and manage printers remotely again.

To tone down some of the more unnecessary NetBIOS broadcasts, you can turn off the Computer Browser service on NT Workstations and member servers. This stops these machines participating in Browser elections. If you have WAN sites with asynchronous or single channel ISDN connections, you might want to have a look at WINS replication intervals (every 30 minutes might be too often), the replication governor (look it up in TechNet), and possibly revisiting your WAN infrastructure to minimize WAN traffic by placing an NT Server at the other end.

NT Services for Unix have been released as an actual product. This has a number of the MKS shell tools and an NFS server and client. It’s not the complete MKS tool kit, but it’s better than nothing. Internet Explorer 5.0 and Office 2000 are due on March 18th. One is free, the other will cost more :-)


Windows NT may not be the most manageable or serviceable operating system without some additional third party helpers, but judicious use of the available tools coupled with a methodical approach can help look after most technical support issues. As with most operating systems, proper production management techniques will boost reliability and availability.

Published by vanderaj

Just another security geek
