Manage users easily with groups

Send us your tips and questions. You can also visit Bob Chronister's online Tricks & Traps at http://www.winntmag.com/forums/index.html.

Unexpected Results from ATM Switches
Many of the answers to the questions in this column focus on troubleshooting what goes wrong or how to prevent or correct situations before they turn into problems. I seldom mention situations in which something good happens unexpectedly and leaves you pleasantly surprised. Let me give you a recent example of a situation in which something went right.

I use two asynchronous transfer mode (ATM) switches (a Whitetree 2500 and a Whitetree 3000) on my network. I've set up the 2500 as an all-ATM switch and the 3000 as an ATM or Ethernet switch. I recently added an AXIS 560 print server, which connects to the 3000 switch, and noticed that the print server exhibited network activity--even after I removed the print server from the network. As a result, I couldn't print to my HP 5MP or Epson 800 printers, which connect to the AXIS print server. After I tried everything I could think of, I called AXIS. The support technician helped me determine that I had scrambled the print server's firmware, and AXIS sent me a replacement unit. After I placed the new print server on the network, I tried to ping it. To my surprise, I was able to ping the print server. Keep in mind that I only use TCP/IP on my network, my network uses 199-series IP addresses, and my print server uses 192-series IP addresses.

I was able to use Netscape Navigator to examine the print server's configuration, as Screen 1, page 212, shows. (AXIS acknowledges that you can't use Internet Explorer--IE--to look at your print server's configuration because of security incompatibilities.) Even more interesting, when I entered the correct address for the original print server on my network, as Screen 2, page 212, shows, I was able to successfully update the TCP/IP parameters on the new AXIS print server.

I was amazed that I was able to ping across the IP addresses. I should not have been able to address the 192-series addresses from the 199-series addresses. This connection had to occur somewhere in the ATM switches.

The Whitetree switches use a combined ATM and Ethernet framework design. The Ethernet side uses store-and-forward switching rather than cut-through switching. In store-and-forward switching, the switch receives the entire Ethernet frame on the source port and checks its frame check sequence (FCS) before it forwards the frame, so corrupt frames are dropped at the cost of a full frame's worth of latency. In cut-through switching, the switch starts forwarding the frame to the destination port as soon as it has read the destination media access control (MAC) address in the frame header. Cut-through designs are faster with lower latency, but they forward corrupt frames and won't work if a large speed difference exists between the source and destination ports (the case with my network). Unlike traditional Ethernet switches, the 3000 switch can also use ATM networking to stream cells and reduce end-to-end latency. This added ATM switching ability is unusual and is probably germane to how my network functions.

The point remains that my switches somehow established a connection across two IP address ranges (ATM can establish virtual paths between ports). I've replicated this scenario many times, and I'm mystified by the sequence of events.

Being able to access both sets of IP addresses makes working with my network easier. I can add devices such as print servers and directly configure them, even though the IP rules say this type of configuration is impossible. (If you have similar impossible stories to relate, please forward them to me so that I can share them with readers.)

NewSID
Last month I told you about ERD Commander, Mark Russinovich and Bryce Cogswell's simple utility that gives you boot-disk functionality for Windows NT. This month, I want to tell you about NewSID, another utility from this dynamic duo. NewSID lets you easily change a computer's security ID (SID) in NT. Screen 3, page 214, shows the basic user interface. You can use NewSID to apply a random SID, synchronize SIDs with another machine, or change the computer name.

This application is outstanding for rolling out several computers because it eliminates the problem of identical SIDs that cloning a system after the GUI portion of NT Setup creates: every clone carries the image's machine SID, and because each local account's SID is the machine SID plus a relative ID (RID), the built-in Administrator and every other local account end up with the same SID on every cloned machine. Microsoft offers little support for this situation. Be aware that if you clone SIDs on multiple machines and then seek the company's help to resolve a problem, Microsoft will probably ask you to reinstall NT on the system in question. NewSID helps you get around this situation: You simply clone the systems, run NewSID on each one to give it a unique SID, and avoid the whole cloned-SID dilemma.
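The following Python is an added illustration of why cloned machine SIDs matter; it is not code from NewSID or from the column. It decodes and encodes the binary SID layout, builds account SIDs from a machine SID and a RID, and counts how many distinct Administrator SIDs a set of clones ends up with before and after each is given its own machine SID. The image SID value is constructed, and random_machine_sid is an assumed stand-in for NewSID's random-SID option (the utility's exact generator is not described on the page).

```python
import secrets
import struct

# Binary layout of a Windows security identifier (SID):
#   byte 0     revision (1)
#   byte 1     number of sub-authorities, N
#   bytes 2-7  48-bit identifier authority, big-endian
#   8 onward   N 32-bit sub-authorities, little-endian
# An account's SID is its machine SID (S-1-5-21-x-y-z) with one more
# sub-authority, the relative identifier (RID), appended.


def parse_sid(raw: bytes) -> str:
    """Decode a binary SID into the familiar S-1-5-... string."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match SID length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def encode_sid(sid: str) -> bytes:
    """Inverse of parse_sid: "S-1-5-32-544" -> 16 bytes."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string")
    revision, authority, *subs = (int(p) for p in parts[1:])
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def account_sid(machine_sid: str, rid: int) -> str:
    """Local accounts are machine SID + RID (RID 500 is Administrator)."""
    return f"{machine_sid}-{rid}"


def random_machine_sid() -> str:
    """A fresh S-1-5-21 machine SID with three random 32-bit
    sub-authorities. Assumed stand-in for NewSID's random SID; the
    utility's real generator is not described on the page."""
    return "S-1-5-21-" + "-".join(str(secrets.randbits(32)) for _ in range(3))


# Constructed machine SID for the cloned image; the value is made up.
IMAGE_MACHINE_SID = "S-1-5-21-1000000000-2000000000-3000000000"

# BUILTIN\Administrators, S-1-5-32-544, in its binary form.
BUILTIN_ADMINISTRATORS = bytes.fromhex("01020000000000052000000020020000")


def distinct_admin_sids(clone_count: int, reassign: bool) -> int:
    """Number of distinct Administrator SIDs across clone_count clones:
    1 while they all keep the image SID, clone_count once each machine
    has been given its own machine SID."""
    sids = set()
    for _ in range(clone_count):
        machine = random_machine_sid() if reassign else IMAGE_MACHINE_SID
        sids.add(account_sid(machine, 500))
    return len(sids)


if __name__ == "__main__":
    print(parse_sid(BUILTIN_ADMINISTRATORS))        # S-1-5-32-544
    print(distinct_admin_sids(3, reassign=False))   # 1
    print(distinct_admin_sids(3, reassign=True))    # 3
```

The count is the whole point: with reassign=False three clones share one Administrator SID, which is exactly the situation Microsoft declines to support; after a per-machine SID change the three accounts are distinguishable again.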


Reader Comments

In Tricks & Traps (August), the section about which servers authenticate user passwords prompted several letters from readers. The following letter contains an excellent suggestion for maintaining proper secure channels across WANs.

“My company has an international domain with about 30 Backup Domain Controllers (BDCs) throughout the world. Quite often, we find that servers on different sites from the users authenticate user passwords. Here’s what we think happens when the secure channel is set up from the Resource Domain BDC to the Master Account Domain BDC.

“The Resource Domain BDC contacts the Windows Internet Naming Service (WINS) server and gets a list of 10 Master Account Domain BDCs (I think the WINS server is clever enough to return the closest one if it’s on the same subnet, plus another nine). The Resource Domain BDC then sends a request to all 10 servers to set up a secure channel. After the Resource Domain BDC has sent all 10 requests, it starts listening for responses and configures a secure channel with the first server that responds.

“The problem occurs because the Resource Domain BDC doesn’t start listening until it has finished all 10 requests; if the local server responds too quickly, the Resource Domain BDC misses the response and configures the secure channel to another BDC (in our case, a BDC in another country). This secure channel isn’t automatically reset unless the connection is lost. If your local BDC is offline for a couple of minutes, all the secure channels reestablish with alternative BDCs and stay that way as long as they can contact the alternative BDC.

“I find that the easiest tool to use to solve this problem is Microsoft Windows NT Server 4.0 Resource Kit’s Domain Monitor. You can use Domain Monitor to disconnect an incorrect secure channel. However, the process is hit-and-miss because you just initiate the same process I described before. Usually after a couple of disconnects, you can establish a secure channel with the correct server. We have seen quite a few performance problems develop because of this issue, so we’ve added the task of ensuring the correct secure channels to our daily checklist.”

--Bob Chronister

Bob Chronister
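As an added illustration (not part of the column or of any reader's letter), here is a small Python model of the timing problem the letter hypothesizes: requests go out to every BDC first, listening starts only afterwards, and the first reply heard wins. It is not NT's Netlogon code; the BDC names, their latencies and the per-request send cost are constructed, and the listen_first variant exists only to show how the order of operations decides which BDC wins.

```python
"""Model of the secure-channel selection race described in the letter.

Constructed example, not Netlogon's implementation: BDC names, latencies
and the per-request send cost are invented to make the failure visible.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Bdc:
    name: str
    latency_ms: float  # assumed time for this BDC's reply to come back


def choose_bdc(bdcs: List[Bdc], send_cost_ms: float,
               listen_first: bool) -> Tuple[Optional[str], List[str]]:
    """Simulate one secure-channel setup.

    The client sends one request per BDC, in list order, each taking
    send_cost_ms. With listen_first=False it starts listening only after
    the last request is sent (the behaviour the letter describes), so any
    reply that arrives before that instant is lost. The earliest reply
    that is actually heard wins.

    Returns (winning BDC name or None, names whose replies were missed).
    """
    listen_start = 0.0 if listen_first else send_cost_ms * len(bdcs)
    heard = []
    missed = []
    for i, bdc in enumerate(bdcs):
        sent_at = send_cost_ms * (i + 1)        # request i leaves the wire
        reply_at = sent_at + bdc.latency_ms     # and its reply comes back
        if reply_at < listen_start:
            missed.append(bdc.name)
        else:
            heard.append((reply_at, bdc.name))
    if not heard:
        return None, missed
    return min(heard)[1], missed


def local_bdc_can_win(local_latency_ms: float, send_cost_ms: float,
                      bdc_count: int) -> bool:
    """True if the local BDC's reply lands after listening starts.

    The local BDC is listed first (the letter assumes WINS returns the
    closest one first), so its reply arrives at send_cost + latency,
    while listening begins at send_cost * bdc_count.
    """
    return send_cost_ms + local_latency_ms >= send_cost_ms * bdc_count


# Constructed sample: one fast local BDC plus nine remote ones, matching
# the letter's list of 10 Master Account Domain BDCs.
SAMPLE_BDCS = [Bdc("BDC-LOCAL", 1.0)] + [
    Bdc(f"BDC-REMOTE{i}", 40.0 + 5.0 * i) for i in range(9)
]
SEND_COST_MS = 2.0


def demo() -> dict:
    """Run both orderings over the sample and return the winners."""
    broken, missed = choose_bdc(SAMPLE_BDCS, SEND_COST_MS, listen_first=False)
    fixed, _ = choose_bdc(SAMPLE_BDCS, SEND_COST_MS, listen_first=True)
    return {"broken_winner": broken, "missed": missed, "fixed_winner": fixed}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the sample numbers the local BDC's reply arrives at 3 ms but listening starts at 20 ms, so a remote BDC wins; the local one only stands a chance when its latency is at least the time it takes to send the remaining requests. Because a Domain Monitor disconnect simply reruns the same selection, the model also shows why the letter calls the fix hit-and-miss: only jitter in those timings decides whether the local BDC is heard the next time.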

Hi,

We have approximately 25 sites in Europe and have a BDC in most of them. We are finding that workstations from different locations are, at random, going across the WAN for authentication to other BDCs. Is there any way that I can force the machines to stay on their local LAN for authentication on their local BDC? Thanks for your help.

kalek

We are having the same problem. The client machines in one office go over the WAN to a remote BDC before using the local PDC or BDC. I would also like to know how to force which BDC does the authentication.

Thomas