
Security implications of using TCP/IP over NetBeui, and software deployment using GPOs -vs- SMS

PeeluckyDuckee

All server machines are running Windows NT 4.0 Server. All client machines are running either Windows 4.0 NT Workstation or Windows 95. There are WINS and DHCP Servers in the environment, no DNS servers. All client machines are DHCP clients, assigned both a primary and secondary WINS server. Clients have IP addresses, but also use NETBEUI and WINS server to resolve names.

The environment of 14,000 or so clients belongs to one big domain. My question is whether it is appropriate to use NETBEUI/WINS instead of TCP-IP/DNS to service clients??

Also, the environment is currently using SMS to deploy software. They will be moving to a Windows 2000 environment with Windows 2000 Server and XP machines. What is the difference between using GPOs to deploy software versus SMS? What are some of the benefits of SMS that are not available in W2K? Remote Control of client workstations?

As far as I've seen, SMS in NT has proven to be flaky at best. Would it be worth the time and effort to continue using SMS in the newer environment?


Thx.
Plucky
 


<< All server machines are running Windows NT 4.0 Server. All client machines are running either Windows 4.0 NT Workstation or Windows 95. There are WINS and DHCP Servers in the environment, no DNS servers. All client machines are DHCP clients, assigned both a primary and secondary WINS server. Clients have IP addresses, but also use NETBEUI and WINS server to resolve names.

The environment of 14,000 or so clients belongs to one big domain. My question is whether it is appropriate to use NETBEUI/WINS instead of TCP-IP/DNS to service clients??

Also, the environment is currently using SMS to deploy software. They will be moving to a Windows 2000 environment with Windows 2000 Server and XP machines. What is the difference between using GPOs to deploy software versus SMS? What are some of the benefits of SMS that are not available in W2K? Remote Control of client workstations?
>>

Here's how this breaks down for you:

* NetBEUI is not routable, not recommended by MS for any environment of any significant size (like, say >25)
* WINS can be used with TCP/IP
* GPOs need AD for deployment
* AD needs DNS for deployment
* W2K uses a Dynamic DNS server, so behaves much like WINS, maintenance-wise

Last, but not least:
* I have no experience with SMS, so cannot compare to GPO.

and in conclusion, might I add...
GREAT GOOGLY MOOGLY!!!!! 14,000 CLIENTS USING NETBEUI RATES AN ULTRA SHOCK-BLOCK!!!!!!

:Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q :Q:Q

(last two huddling for comfort)
 
As far as SMS (System Management Server) is concerned, it has pretty much been superseded by the services offered by Active Directory, and the functionality is mostly built into Win2k. The "Computer Management" console allows administrators to remotely perform all sorts of useful actions over the network if the machines are on the same Active Directory Domain.

BTW, you wouldn't happen to work for the VA Hospital System would you? As of two years ago, it had the 3rd largest NT installation in the world...
 


<< BTW, you wouldn't happen to work for the VA Hospital System would you? >>

Ummm...not in Canada, he wouldn't...
 
kylef - no I do not work for specified company.

Yes, so many client machines running NetBIOS is shocking, eh. There seem to be 9-10 WINS servers to handle user requests. Perhaps the WINS servers are set to query the DNS servers if they cannot resolve, or cannot resolve in a timely manner? If that's the case, the client workstations don't directly need to know or get assigned DNS servers? Do you understand what I'm trying to say?... Perhaps my account isn't showing me everything on the network I want to see.....

Miraculously though, ping times among many servers are fairly low and fast. There must be something out of the picture I don't know about. Hmmmm....

SMS seems to be flaky at best on NT 4.0, and caused a lot of trouble. For help desk purposes, remote administration is required. Unless terminal services application mode is deployed or some other remote software (a la PCAnywhere), SMS will continue to be used, I'm assuming. This company paid a lot of $$$ for SMS and really wants to hold onto it. A batch of 100 or so client workstations had to be reimaged at the beginning of SMS' deployment, for whatever reason related to SMS, and it is continuing to cause grief to this day. I'm not familiar with SMS at all, never touched it. Just heard horror stories about it.

BTW, Windows 95 is the worst OS I've dealt with to date. Very flaky, definitely not meant to be a network operating system. Can't even begin to troubleshoot the machine w/o it dying on you constantly 🙁

 
Silly question, but how on earth do you connect 14000 clients without subnetting? Using NetBIOS broadcasts for name resolution is a little silly on that scale anyway. Use TCP/IP and WINS for name resolution, unless you upgrade everything to 2K, in which case, jump to DNS. Get rid of NetBEUI (or NetBIOS over TCP/IP, whichever you're running). Microsoft says: "thou shalt not use netbios in environments of over 250 users" - I'm surprised you haven't hit serious issues with that many clients.

Using GPOs to install software is quick and easy - I would recommend it if all your applications can be put into MSI packages.
 


<< Silly question, but how on earth do you connect 14000 clients without subnetting? Using NetBIOS broadcasts for name resolution is a little silly on that scale anyway. Use TCP/IP and WINS for name resolution . . . Get rid of NetBEUI (or NetBIOS over TCP/IP, whichever you're running). Microsoft says: "thou shalt not use netbios in environments of over 250 users" - I'm surprised you haven't hit serious issues with that many clients. . . . >>



The business is apparently using WINS and 9 or 10 WINS servers, so shouldn't they use NetBIOS? (Maybe Peelucky meant NetBIOS instead of NetBEUI?) There are many things not so obvious about how routing/networks/subnetting is performed on this sample network (additionally, the speed seems to be good from the user's perspective).

Network browsing would be interesting, but since NetBEUI doesn't route, this would obviously make smaller local groups. But the more interesting part is the larger size and if they actually use NetBEUI in addition to NetBIOS and WINS. If so, why the use of multiple protocols? Win3.x can use TCP/IP 32bit extensions, why use NetBEUI?
 
My bad, I really meant to say NetBIOS. The client workstations get access to the internet through a proxy server, perhaps that is a sign of something more on the server side than just WINS servers?

I recall seeing a checkbox, something to the effect of "Netbios over TCP/IP", also on 95 client machines. Network browsing is fairly fast (subjectively), but at what rate I would not know, since NT and 95 machines do not provide you with any built-in means of knowing when the NICs are functioning. It's almost a guessing game. Scripted installs can get messy too if a user is logged onto her machine, then software gets pulled down from the network. Before the software finishes installing on the user's computer, the user shuts down or logs off.

I do know that VLANs are used in the network too. How many though I'm not sure.
 
GPOs just push out apps, whereas SMS will tell you what apps are installed, do hardware inventory, and allow remote control. SMS 2.0 and Active Directory with GPOs go hand in hand. They complement each other very well, so Microsoft says. As far as remote control for workstations goes, you have NetMeeting's remote desktop control component. Terminal Services for remote control is only available on Win2k servers and XP workstations (I think).

Alternatives to SMS are Intel LANDesk and Altiris Express.

Also, when it comes to migrating to Active Directory, you'll most likely need to keep about half of the WINS servers around. Windows 2000 falls back on WINS for resolving NetBIOS names (machine names). Personally I would take half of the WINS servers, upgrade them to be Active Directory domain controllers, and install the dynamic DNS service, since Active Directory requires DNS.
 