2.1
What is Windows NT and
How is it Used at Fermilab?
Windows NT 4.0 is one of the family of Windows operating systems from
Microsoft. Its user interface is similar to that for Windows 95/98, and works
in much the same way as other Windows systems you may already be familiar with.
Windows NT 4.0 comes in two flavors: Windows NT Workstation (which is probably
what you have on your desktop machine) and Windows NT Server (which is usually
installed on "server" machines). NT was designed primarily for use in
multi-server networks and domains, which we discuss in the next section.
Why
choose Windows NT over Windows 95 or 98? NT is more expensive and requires more
hardware than 95/98, but offers superior performance and security. For the home
PC user, 95 or 98 is probably the right choice for at least three reasons:
lower cost, better compatibility with older hardware and applications, and the
fact that most home PC users won't need or use many of the extra features NT
provides. But at the office, where you are most likely connected to a network,
and you often need to run several applications at a time, NT is the better
choice. NT implements multi-tasking in a more sophisticated way.
The file system designed for it, NTFS, is more
secure and extensible than the updated FAT system
supported by 95/98 (for which a driver also comes with NT, and is used for
certain tasks; e.g., accessing a floppy drive). The compatibility that NT gives
up with respect to 95/98 allows it to provide a level of security appropriate
to a professional networked environment, which neither 95 nor 98 can do.
We determined that the best way to
provide as many people at the lab with as many PC computing resources as
possible was to implement an extensive NT network
(technically called a domain ). If you're
interested, you can find in many NT texts information about its design goals
and features -- reliability, performance, portability, scalability, security,
and so on. We simply want to encourage the Fermilab PC users to take advantage
of all the resources we've made available via our NT domain. Before listing the
benefits that you get by having an account on this domain (in section
2.4:
Resources and Services Available on the FNAL NT Domain ), first you should
understand what the domain is. Read on!
2.1.1 Client/Server Networks
At Fermilab, in order to access
common resources (e.g., printers, the internet, and many software packages),
and to send and receive email, you need to have your PC connected to a network,
rather than running stand-alone. For PCs running Windows NT, several
client/server networks are set up, generally by department, in which one or
more server machines (running Windows NT Server
4.0) run programs that provide services to many connected
client machines like yours. These programs are
called servers (there are mail servers, print
servers, file servers, and so on), and they wait for and respond to requests
from clients.
Server-based networks are scalable,
meaning that more server machines can be added and the resources can be
reorganized as the number of client machines grows.
The NT
software on your local machine is equipped to recognize local resources (those
directly attached to the machine in your office) as distinct from network
resources (those that must be delivered or accessed via the network), and
directs your requests accordingly. In terms of using resources and working with
files, you generally don't need to know if an application or document is local
or remote as long as you can find it on one of the drives available to you
via My Computer or
Network Neighborhood or
Windows NT Explorer . In practice however, you'll want to know what's
on your local drive(s) and what's not, so that you know what you are
responsible for managing.
2.1.2 NT Domains
Multiple client/server networks can be administered centrally by setting up an
NT domain that encompasses them. An NT domain is
really nothing more than a logical grouping of accounts (two types of accounts:
user and workstation, explained below), with at least one but usually many
server(s). The domain enforces a single point of administrative control,
security, and authorization for multiple resources and users.
NT security requires that all clients be
identified and authorized on the domain to access its resources.
There are two levels of authorization: the
workstation and the userid. This allows an authorized user to log in from
different workstations (each of which has a workstation account in the domain),
and it allows different users (each with a user account) to log in from a
particular authorized workstation.
You
as a domain user potentially have access to resources on any server in the
domain, not just the servers in your network. The individual resources
maintained on the servers in the domain have permissions set (usually by each
server administrator), therefore you will probably find that only some
resources are available to you. You simply log into the domain (which is the
usual way you log onto your PC if it's configured properly); you do not have to
log into a specific server to access a resource installed on it.
Getting a little more technical, an NT domain consists of at least one server
machine, the Primary Domain Controller (PDC), running the Windows NT Server
operating system. The PDC stores the master copy of the domain's user and group
database (called the Security Accounts Manager, SAM), and serves as the single
security point. To protect against problems if the PDC goes down, and also to
alleviate its load, additional servers called
Backup Domain Controllers (BDCs) can be added. The
PDC periodically downloads its SAM to the BDCs, and they can process the logins
to the domain.
NT domains, their communication
links, and their associated policies can be grouped for the purpose of managing
user and workstation accounts and domain resources. Domains are grouped
according to a domain model . At Fermilab we have
implemented what is known as a single NT domain
model.
2.2
The NT Domain (called FNAL) at
Fermilab
The
name of the NT domain at Fermilab is FNAL (in upper case).
Anyone authorized to use Fermilab's computers is
eligible for an account on the FNAL NT domain.
The single NT domain model
implemented at Fermilab was chosen for several reasons:
- It adheres to the HEPNT (High
Energy Physics NT) Committee recommendations.
- It paves the way towards
achieving a single userid and password for each user for all Fermilab computer
systems.
- It is the easiest model to
maintain.
- It implements many key features
(listed below) better than do other models.
A few of the key features the FNAL
NT domain incorporates are:
- A user can access the entire
domain (according to his or her permissions) via a single userid and password.
- A simple organized structure
makes it easy for users to find, use and control project data.
- The domain uses a secure file
system and provides reliable backup facilities to protect valuable data.
- The structure facilitates
consistent system management.
- The system can grow.
- The domain design can handle new
versions of the NT Operating System as they become available.
There are several other
NT domains and workgroups at Fermilab, run by individual groups, and not under
the management of the Computing Division. Depending on which group you belong
to, you may be eligible for an account on one or more of the other NT domains
on site. Check with your group leader or local PC administrator.
2.3
User Profiles in the FNAL NT Domain
Under
Windows NT, a user profile is a collection of
user-specific settings that define the user's working environment. These
settings include such items as the wallpaper, screen resolution, and
application settings (e.g., the last few files you were editing in a particular
application or a list of Web sites). Profiles vary in size depending upon the
complexity of the applications that take advantage of the profile area, and how
much data a user saves in the profile area. The profile areas for users range
from about 500K to over 25MB, with a typical size of about 5MB.
The
profile can be stored locally for use on a particular machine, in which case it
is called a local profile. Storing NT user profiles on
local machines in a networked environment is only practical if the users are
relatively static. Since Fermilab users often work at different locations
within the lab and travel, the PCS group generally configures NT accounts to
use what are called roaming profiles. A roaming profile
is stored on the server, and is available to you as you "roam" to
other NT machines, maintaining your same settings everywhere.
2.3.1 Roaming Profiles
The
system downloads your roaming profile to your client machine when you log onto
the NT domain, and copies it back to the server when you log off. At login, the
system checks to see if your local user profile is on the machine, and if so,
whether it is more recent than your server-based profile. If a local profile is
not there or if it is older, the system downloads your roaming profile from the
server onto that machine. If your local one is there and is more recent than
your roaming profile (this happens if you shutdown the machine without logging
off), the system informs you and asks you which profile you want to use.
Usually you'll want to choose the more recent local profile. To reduce network
traffic, the system also checks to see if the profile has changed before
storing it back on the server.
An updated roaming profile does
not get copied back to the server if you shut down the client machine without
logging off.
There are several advantages to using a roaming
profile. Most importantly, all the customization you have done with your
desktop is available to you wherever you log in. This customized information is
stored on a server that gets backed up regularly, so if your machine crashes,
you don't need to rebuild your environment. The PCS group can also perform
certain product upgrades and installs, add new shortcuts and add links to
updated programs without visiting users' desktops; they just need to make
changes to the stored profiles on the servers.
There are a few things to be aware of regarding
roaming profiles:
- Windows 95/98 systems do not
support roaming profiles.
- On a slow link, such as a
dial-up line or an ISDN connected computer, it can take a long time to load a
roaming profile. If you log in regularly via a slow link, you may want to have
a second NT domain account created for you with the roaming profile feature
disabled. Accounts for this purpose are usually set up as your username
followed by _home , e.g.,
joe_home . Contact
pcs-group@fnal.gov
if you wish to have a home account created.
- When using roaming profiles, it
is important to store wallpaper, sounds, and any other user-specific data to
your 'U' disk (see section
9.1: Storing your
Files ). If files are referenced locally and the data is stored on the
local machines, those files will not be found when you roam to another
computer.
- A roaming profile may get
confused if it gets downloaded to a system with an incompatible configuration.
For example, if the roaming profile is set up to download particular software,
and the software already exists on the machine, things may not work correctly.
By the same token, if it expects to find software that is absent, errors can
occur.
- Always remember to logoff your
machine in order to save your profile back to the server.
2.3.2 Local Profiles
As
mentioned in the previous section, local profiles are better when you connect
via slow link, since it can take a long time to load a roaming profile. If you
log in this way often, you might want a second NT domain account with only a
local profile (i.e. with the roaming profile feature disabled). The PCS group
typically creates these accounts as username_home .
The
disadvantage to relying on a local profile is that it is available only on the
specific machine where it resides. It cannot be made available to you when you
log in from a different machine. If you use only a
local profile, you should take care to back it up regularly because this
information will be lost if the machine has to be rebuilt.
Backup of data on local machines is the
responsibility of the user.