Chapter 4 - Planning For a Mixed Environment
By using both Windows NT Workstation and Windows 95 in your organization's computing environment, you can meet all the needs of your users and the organization as a whole, while providing for efficient network management. These two operating systems enable organizations to take advantage of a new generation of 32-bit applications and technologies, and realize the advantages of a more reliable and manageable operating system. Use the tools and information in this chapter to help manage your migration to a mixed environment of Windows NT Workstation and Windows 95.
This chapter includes information on the following:
Determining Where to Deploy Windows 95 and Windows NT Workstation
The most important decision an organization needs to make is where to deploy Windows NT Workstation and Windows 95 in its computing environment. The primary criteria for this decision are hardware requirements, device driver support, and software compatibility.
When choosing where to deploy Windows 95 and Windows NT Workstation, you must make sure that destination computers meet the hardware requirements for the operating system they will be using. Also, make sure that the operating system provides support for all of the hardware devices (such as video cards, network adapters, etc.) being used on the destination computer. In many cases, your existing hardware inventory will determine where each operating system is deployed.
Windows 95 is designed to have less demanding hardware requirements, and will work very well with existing hardware. You can run Windows 95 on a computer with the following minimum hardware configuration:
Windows NT Workstation 4.0 has higher hardware requirements for Intel-based platforms:
Windows NT Workstation also supports symmetric multiprocessing (SMP) configurations and RISC-based platforms such as MIPS, Alpha, and the PowerPC.
Windows 95 provides a broader set of device driver support. Check the Windows NT Hardware Compatibility List (HCL) to ensure that Windows NT drivers exist for all of your devices.
Windows NT Workstation provides a standard, comprehensive set of protected environment subsystems that include the following:
These environment subsystems support most applications available today.
Windows NT Workstation supports most legacy applications, except where the methods used by those applications for accessing system resources would compromise security or reliability. This includes applications that require direct access to system hardware, a virtual device driver (VXD), or a Terminate and Stay Resident program (TSR).
Windows 95 was designed to provide the broadest range of software compatibility, and is often the best choice for older legacy applications. You should test your applications on both Windows 95 and Windows NT Workstation.
Installation Considerations for Windows NT Workstation and Windows 95
After you determine where to deploy both operating systems, review the installation options for Windows NT Workstation and Windows 95. When determining the ideal client configurations for computers in a network that will use both operating systems, be aware of the following installation issues:
For detailed information on how to roll out Windows NT Workstation, see Chapter 1, "Deployment Strategy and Details," and Chapter 2, "Customizing Setup," in this deployment guide. For detailed information on how to roll out Windows 95, see Chapters 1 through 6 in the Windows 95 Resource Kit.
The term server-based setup refers to running the operating system from the server, rather than locally, on the client computer's hard disk. When server-based setup is used, the client computer starts with only the files needed to connect to the network and access the operating system files on the server.
Windows NT Workstation does not support server-based setup, due to reliability and security implementations of the operating system. However, Windows 95 can be installed on a server to run as a shared copy on client computers. The benefits of a shared installation include the following:
There are also some disadvantages to running operating systems from the server:
Upgrading from Windows 95 to Windows NT Workstation
Differences in the system registries and hardware device support preclude a software upgrade path from Windows 95 to Windows NT Workstation 4.0. Microsoft plans to provide a Windows 95–to–Windows NT Workstation upgrade path in the release following Windows NT Workstation 4.0.
To install Windows NT Workstation on a computer that is currently running Windows 95, you must perform a fresh installation, rather than upgrading Windows 95 with system settings intact. Applications will also need to be re-installed.
Customers planning to upgrade Windows 95 must use the following manual upgrade path:
You can upgrade to Windows NT Workstation version 4.0 from any of the following operating systems, keeping applications and system settings as you do so:
Dual Booting Between Windows NT Workstation and Windows 95
It is not recommended to set up a computer to dual-boot (giving the user a choice between Windows NT Workstation and Windows 95 when the computer is started). To avoid problems with hardware settings and application installation, choose one operating system for each computer.
If you require a dual-boot configuration, install applications while running Windows NT Workstation and again while running Windows 95, to ensure that the applications are included in the Registries of both operating systems.
Networking Windows NT Workstation and Windows 95
When determining ideal client configurations for a mixed environment of Windows NT Workstation and Windows 95, consider what types of networks these systems will need to support. Both Windows NT Workstation and Windows 95 provide network and protocol support for the following:
The networking implementation for Windows 95 is slightly different than that for Windows NT Workstation. In order to support all Microsoft networking products that use the Server Message Block (SMB) protocol, install the Client for Microsoft Networks redirector (Vredir.vxd). This allows Windows 95 computers to connect to computers running any of the following networking software:
Refer to Chapter 1, "Decide on the Preferred Client Configuration" for more information on network protocol support and configuration.
In Windows NT Workstation, a user can always connect to any network resource he or she has permission to access. If the current logon session is for a different account, the user can fill in his or her domain name and username in the Connect As text box in the Connect Network Drive dialog box.
In Windows 95, this "connect as" feature is not available. To connect to a network resource from Windows 95, the user must log on with an account that has access to that resource.
In either operating system, the net view command can also be used to map a network drive. For syntax and usage, use the net help command.
In Windows NT Workstation, persistent network connections are enabled by default. To disable persistent connections, clear the "Reconnect at Logon" checkbox in the Connect Network Drive dialog box.
In Windows 95, Quick Logon is enabled by default. This network logon option restores the mapping of drive letters to network resources, without actually establishing a session for each persistent network connection. If you want to establish sessions for persistent connections during logon, you can enable Logon and Restore Network Connections. For information on how to do so, see Chapter 8, "Windows 95 on Microsoft Networks," of the Windows 95 Resource Kit.
For persistent connections from Windows 95, select the "Reconnect at logon" checkbox.
Windows NT operating systems allow users to set security permissions on directories, individual files, printers, and other resources. Windows 95 does not support security on individual files.
Before a user can share a resource on a computer running Windows 95, the computer must be configured for share-level or user-level security. Also, File and Printer Sharing services must be installed, using the Network option in Control Panel. The Printers dialog box is used to set access rights to printers in a similar manner.
For computers to share resources such as printers, volumes, CD-ROM drives, and directories, all the computers must be running a common protocol.
Security and Data Protection
Windows NT Workstation was designed to provide the highest levels of system security. Administrators should be aware of the differences in security implementations between Windows NT Workstation and Windows 95 when setting up both peer-to-peer networks and client-server networks.
One of the elements at the core of the Windows NT architecture is integrated security. In its simplest form, Windows NT Workstation includes a secure logon sequence (using the CTRL+ALT+DEL key sequence). This sequence prevents rogue applications from trapping the username and password sequence. In addition, the account lockout feature lets you specify the maximum number of logon attempts. If the correct password is not supplied within this number of attempts, the account cannot be used until an administrator unlocks the account, or a specified period of time has passed. This deters attempts to break into an account by guessing a password.
Windows NT Workstation ensures data and system protection through its ability to define the level of discretionary access control that users can have to the system. The Windows NT security model (see footnote 2) allows users to apply security to networking, and to all system objects. Administrators can "lock-down" Windows NT Workstation systems to ensure that end users do not damage key system files or change system configurations. The native Windows NT file system (NTFS) provides this security down to the file level.
Windows NT Workstation also supports multi-user capabilities while retaining a high level of security. Several users can share a single computer system while still maintaining total access control over their personal files. Further, multi-user capabilities allow multiple users to have unique desktops, program groups, and other capabilities.
Windows 95 was not designed to meet such high levels of security and data protection. When specifying a Windows 95 client configuration, administrators need to ensure that user-level security is provided by either Windows NT Server or NetWare, in order to provide pass-through authentication for users accessing resources on remote computers.
Several tools are available to help you manage networks using Windows NT Workstation and Windows 95 together. These include the following:
For detailed information on system policies, user profiles, and logon scripts, see Chapter 3, "Managing User Work Environments," in Windows NT 4.0 Concepts and Planning. In addition to providing extensive information on the implementation of these features in Windows NT Workstation and Windows NT Server, this chapter includes information on using Windows 95 user profiles on Windows NT Server networks.
Like Windows 95, Windows NT Workstation 4.0 now includes system policies, and the System Policy Editor. These are powerful tools for managing a mixed environment network.
System policies allow you to override local registry values for user or computer settings. When a user logs on, system policy settings overwrite the current settings in the user's registry. This allows administrators to control individual desktop and registry settings.
In Windows 95, however, the following apply:
System Policy Editor
To centrally manage both Windows NT Workstation and Windows 95 computers, use the System Policy Editor. This tool lets you manage groups of computers by configuring the registry settings of those computers. The alternative is to edit the registry on each computer, using Regedit.exe (for Windows 95) or Regedt32.exe (for Windows NT Workstation). System Policy Editor is easier to use, since it does not require an understanding of the registry structure and syntax.
When you use the System Policy Editor on a computer running Windows NT Workstation or Windows NT Server, a Ntconfig.pol file is created. This file is read and interpreted by the Windows NT Workstation client software, overriding any conflicting information in that computer's registry. When you use the System Policy Editor on a computer running Windows 95, a Config.pol file is created. This file is similar to the Ntconfig.pol file, but has a different file format and reflects differences in the registries of the two operating systems. Place these files on the logon share.
To apply system policies to a network that uses both Windows 95 and Windows NT Workstation, run the System Policy Editor once from each platform, to produce the two different files.
The System Policy Editor cannot be used to set binary values. Hardware component information is often stored as binary data. If you look at a Windows NT registry using RegEdt32.exe, you will see binary value entries marked with data type REG_BINARY. If you look at a Windows 95 registry using RegEdit.exe, you will see binary value entries marked with an icon showing 0s and 1s, rather than the letters ab. These values cannot be set using System Policy Editor. Use the Registry Editor, or make changes on a per-computer basis via the user interface.
You can use the System Policy Editor to edit the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER portions of the registry. If you need to access a different part of the registry, such as HKEY_DYN_DATA, use the Registry Editor.
The alternative to using the System Policy Editor is using the Registry Editor. Both Windows 95 and Windows NT Workstation allow administrators to view and edit the registry on individual remote systems.
You can edit the registry on each computer by using RegEdit.exe (for Windows 95) or RegEdt32.exe (for Windows NT Workstation). For information on the registry and the Registry Editor, see Part 5, "Windows NT Registry."
User profiles are useful for configuring or managing custom desktops on a Microsoft network (that is, one that uses Microsoft products for networking functionality). A user who logs on from different computers at different times can see the same desktop at every logon. Any changes the user makes to the profile appear the next time the user logs on.
In Windows NT Workstation, a user's computing environment is determined primarily by the user profile. Windows NT security requires a user profile for each account that has access to the system. User profiles are created by default when a Windows NT user logs on for the first time. You can also create and modify user profiles on a computer running Windows NT Server. To do so, select System from the Control Panel, and select the User Profile tab.
In Windows 95, user profiles are not created by default; they must be enabled by an administrator. For information on setting up User Profiles for Windows 95 computers on a Windows NT Network, see Chapter 15, "User Profiles and System Policies," in the Windows 95 Resource Kit. Also, to take advantage of user profiles from a computer running Windows 95, you must specify Client for Microsoft Networks as the Primary Network Logon client.
Profiles for computers running Windows NT Workstation or Windows NT Server are stored in the "Profile Path" directory on a Windows NT server. The "Profile Path" directory can be found in the user's account in User Manager for Domains. Windows 95 does not use this directory. Windows 95 profiles are stored in the home directory.
If a user works at a computer running Windows NT Workstation part of the time and at a computer running Windows 95 other times, that user can have two different profiles, one for each operating system. Changes to the settings for one operating system will not affect the settings for the other operating system. (Also, the profiles used by Windows NT Workstation 3.51 and Windows NT Workstation 4.0 differ, reflecting the differences in the interfaces. Users who move between versions of Windows NT Workstation will have different profiles for the two versions of the operating system.)
Because these operating systems use different profiles, some elements of the user environment are easier to control in a mixed environment by creating logon scripts.
Using Logon Scripts
Logon scripts are batch files or executable files that run automatically when a user logs on. They can be used when logging on to a computer running any of the following operating systems:
Logon scripts can configure users' working environments by making network connections and starting applications. You might want to use logon scripts to manage part of the user environment (such as network connections) without managing or dictating the entire environment. Or, you can use logon scripts to create common network connections for multiple users. If you are using LAN Manager 2.x logon scripts, you can continue using them after upgrading to Windows NT Workstation or Windows 95.
Note: It is important that logon scripts are in place for every user if you are planning to use system management software such as Microsoft's Systems Management Server. Logon scripts are modified by the management software in order to take inventory of all the computers on the network.
You can assign a different logon script for each user, or create logon scripts for use by multiple users. To assign a user a logon script, designate the path name of the logon script file in the user's account information on the domain controller. Then, whenever that user logs on, the logon script is downloaded and run.
A logon script is always downloaded from the server that validates a user's logon request. To ensure that logon scripts always work for users, logon scripts for all user accounts in a domain should be maintained on every primary domain controller (PDC) and backup domain controller (BDC) in the domain.
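A single logon script can serve both operating systems by branching on the client platform. The script below is an added example, not part of the original chapter; the server name LOGONSRV1 and the share names PUBLIC and NTTOOLS are hypothetical placeholders.

```batch
@echo off
rem Added example: one logon script for Windows NT Workstation and Windows 95 clients.
rem LOGONSRV1, PUBLIC and NTTOOLS are hypothetical names; substitute your own.
rem No passwords appear here: each NET USE connects with the credentials of the
rem user who has just logged on, and the script file itself is readable by users.

rem Windows NT sets the OS variable to Windows_NT; Windows 95 leaves it undefined.
if "%OS%"=="Windows_NT" goto nt

rem ---- Windows 95 clients ----
rem Only plain IF/GOTO syntax is used so the script also runs under COMMAND.COM.
net use P: \\LOGONSRV1\PUBLIC
goto done

:nt
rem ---- Windows NT Workstation clients ----
rem /persistent:no stops the mapping being saved for reconnection at the next logon,
rem so the script, not the saved connection list, decides what is mapped.
net use P: \\LOGONSRV1\PUBLIC /persistent:no
if errorlevel 1 echo Logon script: could not connect P: to \\LOGONSRV1\PUBLIC
net use S: \\LOGONSRV1\NTTOOLS /persistent:no
if errorlevel 1 echo Logon script: could not connect S: to \\LOGONSRV1\NTTOOLS

:done
```

Because the Windows 95 branch supplies no alternate credentials, the user must be logged on with an account that already has access to the share, as described under networking above.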
Systems Management Server
The best overall method of remote administration is a systems management program such as Microsoft's Systems Management Server (SMS). With SMS you can manage Windows NT Workstation and Windows 95 clients in much the same manner. Each computer on the network must be configured as an SMS client in order to enable remote administration. Logon scripts must be in place on each computer to be automatically included in the SMS database—otherwise you will have to configure each workstation manually. Windows NT diagnostics and Server Manager functionality are included in SMS for remote administration of Windows NT Workstations and Servers. For more information, see your Systems Management Server documentation.
The alternatives for remote administration are to manage Windows 95 clients from computers running Windows 95, and manage Windows NT Workstation clients from a computer running Windows NT Server. For Windows 95 clients, see Chapter 16, "Remote Administration," in the Windows 95 Resource Kit.
Server Manager, included with Windows NT Server, is automatically configured for all computers on the network running Windows NT Workstation. Server Manager cannot view or modify computer properties, shared directories, or services on a Windows 95 client. However, it can list the Windows 95 clients on the network. For information on using the Server Manager application, see Windows NT Server Concepts and Planning.
Remote Control Agent and Help Desk Options for SMS must be configured on each Windows 95 Client to allow remote administration.
Performance Monitor, included with Windows NT Workstation and Windows NT Server, is a graphical tool for measuring the performance of Windows NT computers on the network.
Windows 95 includes a similar tool, System Monitor. These tools are used by administrators to identify bottlenecks or potential problems.
You can use Performance Monitor to monitor the activity on any computer on the network that is running either Windows NT Workstation or Windows NT Server. However, Performance Monitor cannot view the activity on a computer running Windows 95. Likewise, System Monitor can be used to monitor the activity on any computer on the network that is running Windows 95, but it will not view the activity on a computer running Windows NT Workstation or Windows NT Server. A network administrator should have access to a computer running Windows 95, in order to use System Monitor, as well as the computer running Windows NT Workstation or Windows NT Server, in order to use Performance Monitor.
In networks in which the servers run Windows NT Server, user account information can be stored in one of two places: either in a private local user accounts database, or in a domain user accounts database that is shared by all the Windows NT Server computers in the domain.
This section addresses some of the issues involved in logging on to a Microsoft network from computers running Windows NT Workstation and from computers running Windows 95.
Windows NT Workstation
To prepare for account logons from a Windows NT Workstation, use User Manager on the computer running Windows NT Workstation to set up local access to the Windows NT Workstation operating system. Then use the User Manager for Domains on the domain controller to set up access to the specific domain.
When a user logs on to a workgroup computer, that user's logon information is compared with the local user accounts database. When a user logs on to a computer that participates in a domain, that user can choose whether to log on locally, or log on to the domain. (If the domain trusts another domain, the user can alternately choose to log on to the trusted domain.)
If a user's local password doesn't match the password for the domain account, and that user tries to browse the domain or connect to a resource in the domain, access is denied. While tools such as Windows NT Explorer prompt for a valid password, the command-line interface and some applications simply deny access. It is always a better idea to have one set of credentials that apply everywhere in a trusted enterprise.
For a complete discussion of logon scenarios on a Windows NT Network, see Chapter 2, "Network Security and Domain Planning," in the Windows NT Server Networking Guide.
If you want Windows 95 to validate user logons by checking the domain database, logon validation must be enabled on each computer running Windows 95.
To enable logon validation
For more information, see Chapter 8, "Windows 95 on Microsoft Networks" in the Windows 95 Resource Kit.
By default, password caching and unified user logon are enabled in Windows 95. These features work as follows:
When the user supplies a password in order to connect to a resource, that password is saved in a password list file. The next time the user accesses that resource, the password is supplied from the password list. The user only needs to remember one password, the one to log on to the user account.
Password caching and unified user logon are useful when the user needs to log on to multiple networks (for example Windows NT and Novell NetWare networks). To use unified logon, a user account must be available on the network and must contain user account information for the user.
1 OS/2 support is compatible with OS/2 version 1.3 for 16-bit applications. As a separate product available at a nominal cost, Microsoft also offers an additional 16-bit OS/2 Presentation Manager subsystem for Intel-based systems.
2 Windows NT was designed to meet C-2 level security specifications, as defined by the United States National Security Agency.