[ Go to January 1997 Table of Contents ]|
The NT Domain Dilemma
Ease the burden of adds, moves and changes in a large Windows NT network by mastering a few API calls.
The phone rang at close to 6 p.m. on a Friday-minutes before the start of my weekend. I was tempted to ignore the call, but I answered it anyway.
"I wonder if you can help us with a little problem," said the caller, who represented a large international company in the Midwest. "We're getting ready to move our servers to Windows NT, and we need someone to help us design the domains for our 40,000 users. A Microsoft consultant told us we should use a single master domain, but we're not sure that will work for us."
We talked for awhile. I explained that my core area is programming, although I do know a little about networks. I thought about the domain issue a bit over the weekend, and realized that this particular company's loose matrix structure just didn't fit the single master domain network administration model.
In that model, one master domain has all the user accounts-all users log into this master domain account. The master domain account then has rights to use resources in local domains. In other words, all of the local domains trust the master domain, but the master domain trusts no one.
I also realized that 40,000 users would probably overload the primary domain controller even if the company had numerous backup domain controllers. Microsoft's NT guidelines suggest 26,000 users as a practical limit for a domain security database. The guidelines also state that the performance of the domain controllers-the computers that authenticate users when they log into the domain-will degrade if you push much beyond that limit.
The alternative for a large company is to use multiple master domains distributed geographically, and as many resource domains as needed. Each master domain could trust the other master domains, and the resource domains could trust all of the master domains. This approach has a major catch: It's an administrative nightmare to move large groups of users among the domains as the organization evolves.
It struck me that Windows NT lacks robust tools to manage users in a dynamic scenario with multiple master domains. It also dawned on me that dynamic scenarios are the rule, not the exception, in today's businesses. Large companies are constantly acquiring other businesses, selling subsidiaries or reorganizing themselves. That means domain additions, moves and changes.
For administrators within large ever-changing companies, Windows NT Server provides a limited tool called User Manager for Domains, and three commands: net user, net group and cacls. User Manager lets you graphically manage only one user in one domain at a time. Similarly, net user lets you manage one user at a time from the command line, net group lets an administrator add and delete groups on a server or domain (and also add and delete users in a group), and cacls lets you set file permissions from the command line. You can write batch files to use the command-line utilities to manage multiple users, but it's a chore.
APIs are the answer
As I told the caller, my core expertise is programming, so I decided to tackle his domain question from an API standpoint. The general Windows NT design philosophy is that commands and utilities provide an interface to system APIs built into Windows NT. For instance, underneath the net commands there is a Net API. It's not properly a Win32 API set, since the Net functions were ported from LAN Manager, Microsoft's pre-NT network operating system.
The Net functions offer everything you need to manage users in domain security databases. For example, NetUserAdd lets you add a user to a specific server or domain and set his password and privilege level. As you can guess, NetUserDel lets you delete a user. NetUserEnum provides information about all user accounts on a server, although passwords are not returned to maintain security. NetUserGetGroups retrieves the list of groups to which a single user belongs, while NetUserGetInfo retrieves individual account information (but not passwords). Finally, NetUserSetGroups and NetUserSetInfo specify groups and account information.
For managing groups, NetGroupAdd creates a global group in a security database, and NetLocalGroupAdd creates a local group. NetGroupAddUser gives an existing account membership in an existing global group, so I wouldn't be at all surprised if NetUserSetGroups calls NetGroupAddUser multiple times. NetGroupEnum retrieves information about each group account on a server, and finally NetGroupGetUsers retrieves a list of users for a global group.
Let's examine a real-world scenario. Suppose a marketing group is moving from a branch office to the corporate headquarters. The users within the marketing department might have to be moved from one master domain to another, lose their permission to use shared disks and printers in the branch office, and gain permission to use similar resources at headquarters. In addition, all the marketing files would need to be moved from the branch office servers to headquarters servers.
We can accomplish all this programmatically, except for packing up everyone's desks. We'd do something that looks very much like the code in the Web version of this article (http://www.winmag.com/people/mheller/movemark.txt)
I don't suggest that you build a custom program every time you encounter this sort of problem. I'd build a slightly more general command-line utility, something with syntax on the order of movegroup
Maybe I'd write more about compilers and tools. Tools have certainly been a hot topic this year. Microsoft has added SQL stored procedure editing and debugging to Visual C++ to produce Visual C++ Enterprise Edition (VCEE); Borland has added object-oriented analysis and design tools to Borland C++ to bring forth Borland C++ Development Suite with Design Tools (BCDSDT); and Watcom has combined its C++ compiler with SQL tools, data viewing controls and a drag-and-drop rapid programming environment to create Optima++. Meanwhile, Symantec has built its Java programming environment, Cafe, into more of a RAD tool, Visual Cafe. Microsoft, never to be dismissed in the development tools market, has married Java with COM and the Visual C++ IDE to bear Visual J++ (see review in this issue)
Users send me mail to ask which compilers and tools they should buy. VCEE is positioned for corporate programmers who constantly write C++ programs with stored SQL procedures or triggers in SQL Server and Oracle databases. BCDSDT is aimed at C++ programmers trying to do OOA/D and integrating the visual analysis design with class creation (although it also has database tools). Optima++ targets corporate programmers who want to use C++ and SQL databases and want their development environment to be as easy and visual as possible.
BCDSDT is currently in a class by itself in fusing OOA/D with a C++ IDE, while VCEE and Optima++ are competing for the hearts and minds of database application developers. To make things more confusing, Blue Sky's Visual SQL 4.2 (see Reviews, November 1996) adds some significant database application-generation capabilities to Visual C++ that complement those added in VCEE.
These products are all excellent for their intended audiences-I can't find fault with any of them. Rather than suggest one product for everyone, I recommend that you match your needs and work style with the capabilities of the various packages.
One caveat: If you're just getting your feet wet with C++ , don't consider VCEE or BCDSDT. These products are complex, and will fill your computer's hard disk (VCEE and BCDSDT consume about 120MB and 200MB, respectively). Optima++, on the other hand, addresses the needs of novices. If Optima++ is still too much for your needs, you should probably pick the under-$100 "standard" edition of the Microsoft C++ or Borland C++ compiler.
I've spent almost as much time trying to learn Java as I have writing C++ programs.
I have an entire shelf of Java books. Several of them blur in my mind, possibly because their approach to the material is similar, or because their exposition is weak. On the other hand, there are some standouts that I can recommend.
First and foremost, you'll need authoritative references for the Java language and API. I suggest several from Addison-Wesley's The Java Series, which bear Sun Microsystems copyrights. These are The Java Programming Language (1996) by Ken Arnold and James Gosling, and both volumes of The Java Application Programming Interface (1996) by James Gosling, Frank Yellin and the Java Team. If you have Visual J++, you'll get both of the API reference volumes on CD-ROM. On that same CD-ROM, you'll receive The Java Language Specification (1997), by James Gosling, Bill Joy and Guy Steele. The specification is certainly worth having in book form if you're serious about Java. To round out the Addison-Wesley series, Mary Campione and Kathy Walrath's The Java Tutorial (1996) is excellent. It's the final book form of the Java tutorial that's been online at http://java.sun.com/doc/tutorial.html since 1995. The tutorial is a good starting point if you're new to the language.
Addison-Wesley has published several other Java books not in the same must-have class as The Java Series. O'Reilly has brought out books under The JAVA Series, not to be confused with the similarly named Addison-Wesley series. Sunsoft Press has a JAVA SERIES, published by Prentice-Hall, which also bears Sun Microsystems copyrights. In the JAVA SERIES, I especially like Gary Cornell and Cay Horstmann's Core Java (1996), which brings a refreshing attitude to the goal of teaching Java to experienced programmers, and David Geary and Alan McClellan's Graphic Java (1996), a 600-page tome on AWT (for Awkward Window Toolkit, Abstract Window Toolkit or Advanced Widget Toolkit, depending on whom you ask) that provides some nice original widgets and display classes.
Is there room in the world for yet another Java book? Authors and publishers think so: I get a new one almost every week. I'm afraid the flood won't end any time soon, since JDBC, the Java Beans initiative and several new Java API areas are on the horizon.
Senior Contributing Editor Martin Heller writes about and does Windows programming from Andover, Mass. Contact Martin at his Web page at http://www.winmag.com/people/mheller, via e-mail at firstname.lastname@example.org.
Copyright © 1997 CMP Media Inc.