Network Monitor's online Help is comprehensive, but it doesn't teach you about the contents of packets on the network. Instead it refers you to several excellent books on the topic. To see the list, click Help Contents. Double-click Reference and double-click Reference Guide to Books on Networking.
MANAGING THE BOOT PROCESS
It seems as though all roads lead to the NT boot process. If you can't get the operating system booted, it's not much fun for anyone. In this section, I provide you with some important background to help you to understand, diagnose, and gain control over the process of getting NT up and running.
Understanding ARC Path Names
If you were paying attention during the text-mode phase of NT installation or if you've ventured into the BOOT.INI file, you've probably noticed some extremely arcane notations that refer to the disk drives on your computer. These device path names are called ARC path names (or sometimes just arcnames). Recall that ARC stands for Advanced RISC Computing, a standard designed to allow NT to run on a wide variety of RISC-based computers. Well, for better or worse, ARC path names are used on the Intel CPU platform as well, so understanding how they work is essential to management of the NT boot process.
Multis vs. SCSIs
ARC path names generally appear in one of the following forms:
multi(a)disk(b)rdisk(c)partition(d)\...
scsi(a)disk(b)rdisk(c)partition(d)\...
where the letters within parentheses are replaced by decimal numbers. The multi element refers to IDE, EIDE, and ESDI disk controllers. So multi(0) refers to the first such disk controller installed in the computer, and multi(1) points to a secondary disk controller. Drives on the same controller (up to a maximum of two per controller) are identified by either rdisk(0) or rdisk(1). In ARC path names that start with multi, the second element of the name is always disk(0).
For example, if you have two IDE controllers installed, and each has two drives attached, the ARC path names for the four drives are:
multi(0)disk(0)rdisk(0)    1st drive on 1st controller
multi(0)disk(0)rdisk(1)    2nd drive on 1st controller
multi(1)disk(0)rdisk(0)    1st drive on 2nd controller
multi(1)disk(0)rdisk(1)    2nd drive on 2nd controller
The scsi element refers, as you might have guessed, to SCSI host adapters. The element scsi(0) refers to the first SCSI adapter in the computer, scsi(1) to the second, and so on. Multiple SCSI hard disks on the same adapter are identified using the disk element with the SCSI ID number of the drive. For example, scsi(0)disk(6) refers to the drive with SCSI ID 6 on the first SCSI adapter. In ARC path names that start with scsi, the rdisk element is typically rdisk(0). If you have more than one SCSI logical unit number, or LUN, per SCSI ID, rdisk refers to the LUN. Most configurations these days have just one LUN per SCSI ID, so the rdisk number is typically zero.
Partition Numbers
So far, I've been showing you incomplete ARC paths. (Shame on me.) Let's turn our attention to the partition element of the ARC path name, to complete the picture.
Cross-Reference: Before proceeding, you may want to review the section called "Primary versus Extended Partitions" in Chapter 9.
The partition element identifies the specific partition or logical drive on the physical hard disk. Partitions are numbered starting from one, according to the following rules:
Primary partitions are numbered first, in order of their appearance on the physical drive.
Logical drives within extended partitions are numbered next, in order of appearance of the extended partitions and in order of appearance of the logical drives within the extended partition.
DOS extended partitions, unused partitions, and EISA configuration partitions aren't recognized by NT and aren't assigned a partition number.
Caution: The element partition(0) has a special meaning. It's reserved to refer to the entire physical disk, ignoring all partition boundaries and logical drives. Don't use it in your ARC path names, or you'll run into trouble.
Now that you've identified the partition or logical drive on a specific hard disk on a particular adapter, you can venture into more familiar territory. The remainder of the ARC path name uses normal disk directory (or folder) notation. For example, if NT is installed on the second IDE disk attached to a single IDE controller and the drive has one primary partition, the ARC path name of the SystemRoot directory is expressed as:
multi(0)disk(0)rdisk(1)partition(1)\WINNT
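The numbering rules above have a practical consequence: creating a new primary partition renumbers every logical drive on that disk, so an ARC path that pointed at a logical drive goes stale. The following is an added example, not code from the book; the function names, the layout tuples and the drive labels are all constructed for illustration.

```python
# Added example: partition(d) numbering per the rules in this section.
# Layouts are constructed sample data, listed in on-disk order.

def arc_partition_numbers(layout):
    """Map each volume label to its ARC partition number.

    layout is a list of (kind, payload) tuples in order of appearance:
      ("primary", "C")          numbered in the first pass
      ("extended", ["D", "E"])  container gets no number; its logical
                                drives are numbered in the second pass
      ("unused", None), ("eisa", None)  never numbered
    """
    numbers = {}
    next_number = 1  # partition(0) means the whole disk, so start at 1
    for kind, payload in layout:
        if kind == "primary":
            numbers[payload] = next_number
            next_number += 1
    for kind, payload in layout:
        if kind == "extended":
            for label in payload:
                numbers[label] = next_number
                next_number += 1
    return numbers

def system_root(prefix, layout, label, directory="WINNT"):
    """Build the full ARC path of a SystemRoot directory on a volume."""
    number = arc_partition_numbers(layout)[label]
    return f"{prefix}partition({number})\\{directory}"

# The same disk before and after free space is turned into a primary partition.
BEFORE = [("eisa", None), ("primary", "C"),
          ("extended", ["D", "E"]), ("unused", None)]
AFTER = [("eisa", None), ("primary", "C"),
         ("extended", ["D", "E"]), ("primary", "F")]

if __name__ == "__main__":
    disk = "multi(0)disk(0)rdisk(0)"
    print(system_root(disk, BEFORE, "D"))  # NT installed on logical drive D
    print(system_root(disk, AFTER, "D"))   # same volume, new partition number
```

After the new primary partition is created, the path recorded for drive D no longer matches the volume NT was installed on.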
Multiple Paths to the Same Drive
In some cases, you'll see multi used to refer to a SCSI adapter. The scsi element is used only when you have a bootable drive on a SCSI adapter with its BIOS disabled, a dual channel SCSI adapter, or multiple SCSI adapters. The real difference between multi and scsi is that multi relies on the BIOS to access the disks, whereas scsi relies on an NT device driver, NTBOOTDD.SYS, loaded during the boot sequence.
So, it's possible to refer to the same SCSI drive in two different ways, if the SCSI adapter's BIOS is enabled and the NT device driver is present. To refer to the second physical drive, with a SCSI ID of 6, you could use either of the following ARC path names:
multi(0)disk(0)rdisk(1)
scsi(0)disk(6)rdisk(0)
Dealing with Dual Channels
Many modern SCSI adapters have more than one channel on a single adapter, allowing attachment of up to 14 SCSI devices. Manufacturers have implemented these dual-channel adapters in different ways. In most cases, the following approach works.
Dual SCSI channels are typically labeled A and B or 0 and 1 by the manufacturer. Assign 0 to the first channel and 1 to the second. Calculate the disk element of the ARC path name by multiplying the channel number by 32, then add the drive's SCSI ID. For example, a drive with SCSI ID 4 on channel 0 would be:
scsi(0)disk(4)rdisk(0)
But a drive with SCSI ID 5 on channel 1 would be:
scsi(0)disk(37)rdisk(0)
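To check an ARC path name by hand you have to apply every rule from the preceding sections at once, so here is an added example (not code from the book) that decodes a path into its parts. The function and field names are hypothetical, and the channel split assumes the multiply-by-32 convention described above, which the text says holds in most cases.

```python
import re

# Added example: decode an ARC path name using the rules in this chapter.
ARC_RE = re.compile(
    r"^(multi|scsi)\((\d+)\)disk\((\d+)\)rdisk\((\d+)\)"
    r"(?:partition\((\d+)\))?(\\.*)?$", re.IGNORECASE)

def scsi_disk_element(channel, scsi_id):
    """disk(b) value for a dual-channel adapter: channel * 32 + SCSI ID."""
    return channel * 32 + scsi_id

def decode_arc(path):
    """Return a dict describing the drive an ARC path name refers to."""
    m = ARC_RE.match(path.strip())
    if not m:
        raise ValueError(f"not an ARC path name: {path!r}")
    kind = m.group(1).lower()
    adapter, disk, rdisk = (int(m.group(i)) for i in (2, 3, 4))
    partition = int(m.group(5)) if m.group(5) is not None else None
    info = {"kind": kind, "adapter": adapter, "partition": partition,
            "directory": m.group(6) or "", "warnings": []}
    if kind == "multi":
        # multi: disks are reached through the BIOS; rdisk picks the drive.
        info["access"] = "BIOS"
        info["drive"] = rdisk
        if disk != 0:
            info["warnings"].append("multi paths always use disk(0)")
    else:
        # scsi: disks are reached through NTBOOTDD.SYS; disk carries the
        # SCSI ID (plus 32 per channel) and rdisk carries the LUN.
        info["access"] = "NTBOOTDD.SYS"
        info["channel"], info["scsi_id"] = divmod(disk, 32)
        info["lun"] = rdisk
    if partition == 0:
        info["warnings"].append("partition(0) is the whole physical disk")
    return info

if __name__ == "__main__":
    for sample in (r"multi(0)disk(0)rdisk(1)partition(1)\WINNT",
                   "scsi(0)disk(37)rdisk(0)",
                   r"scsi(0)disk(6)rdisk(0)partition(0)\WINNT"):
        print(sample, "->", decode_arc(sample))
```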
Understanding the NT Boot Sequence
Understanding the NT boot sequence on both Intel and RISC platforms can help you to pinpoint problems if NT ever refuses to start. In the following sections, I present an overview of the steps that NT goes through to get itself up and running.
Starting NT on Intel Platforms
When you install Windows NT Server on an Intel-based computer, the Setup program alters the system partition's boot sector to look for and run a program called NTLDR, which lives in the root of the system partition. (NT Setup saves the old DOS boot sector, which looks for IO.SYS and MSDOS.SYS, in a file called BOOTSECT.DOS.) Setup also creates a file called BOOT.INI in the root of the system partition or modifies it if it already exists. If DOS is found on the computer, a DOS boot choice is inserted in the BOOT.INI menu of operating system choices. Likewise, if Setup finds OS/2, the alternate operating system boot choice is OS/2. With this in mind, you can understand the following steps of the Intel boot sequence:
1. When you restart the Intel computer, the system BIOS reads the MBR (master boot record) from the first sector of the system partition. The boot sector code then loads and starts NTLDR (which is short for NT Loader).
2. NTLDR starts running and immediately switches the Intel CPU from DOS real mode to 32-bit mode.
Tip: You can tell when NTLDR starts running: the screen clears and an OS Loader message is displayed in the upper left corner of the display.
3. NTLDR reads and interprets the BOOT.INI file, which contains a list of bootable operating systems. Based on information in BOOT.INI, NTLDR presents a menu of operating system choices.
4. You either select an operating system from the menu or let the default operating system boot after the timer counts down to zero.
Note: If the default operating system starts immediately without presenting a boot menu, the time-out in the BOOT.INI file has been set to zero. I cover the contents of BOOT.INI in detail later in this chapter.
5. If step 4 resulted in selecting a version of NT, go to step 6. Otherwise, BOOTSECT.DOS (the old DOS boot sector) is loaded and run. Whatever operating system was the default before installing NT is then booted, and the boot sequence is complete. (In other words, the computer doesn't proceed to step 6 if you selected a non-NT operating system in step 4.)
6. NTLDR starts NTDETECT.COM (the hardware recognizer), which collects hardware configuration information, passes it back to NTLDR, and terminates.
At this point, the Intel-specific portion of the boot process is complete. The boot sequence continues with step 1 in the section entitled "Continuing the Boot Process" later in this chapter.
Starting NT on RISC Platforms
On RISC-based NT platforms, the boot selection menu is built into the ARC firmware. In addition, NTDETECT.COM isn't needed because all of the information that it gathers is already stored in the ARC firmware. Here's how the RISC boot process starts:
When you restart the RISC computer, the self-test gathers hardware configuration information and places it in the ARC firmware for later use.
The ARC firmware determines where its boot drive is. It reads the MBR (master boot record) from the first sector of the system partition to determine if it's formatted with the FAT file system.
If the system partition's file system isn't FAT, the computer won't be able to boot NT.
The ARC firmware looks for and loads OSLOADER.EXE. OSLOADER.EXE picks up relevant hardware configuration information from the ARC firmware.
The ARC firmware then displays a menu of boot choices, the format of which varies between RISC manufacturers.
You select an operating system from the firmware menu.
At this point, the RISC-specific portion of the boot process is complete. The boot sequence continues with step 1 in the next section.
Continuing the Boot Process
After the platform-specific portions of the boot process are complete, as described in the previous two sections, the boot sequence continues with the following steps. I'll use the generic term loader to refer to both NTLDR on Intel and OSLOADER.EXE on RISC.
At this stage, NTOSKRNL.EXE (the NT kernel) and HAL.DLL (the hardware abstraction layer) are loaded into memory. The loader then pulls the registry subtree HKEY_LOCAL_MACHINE\SYSTEM into memory from the SYSTEM registry database file.
Based on information in the registry, the loader brings low-level device drivers into memory. It then passes control to NTOSKRNL.EXE.
You can tell when the kernel begins executing because it immediately turns the display blue and changes it to 50-line text mode. The drivers loaded at this point are those with a Startup Type of Boot, as described in the "Devices Application" section of Chapter 8.
The kernel initializes the drivers loaded in step 2 and uses them to load any additional drivers. The additional drivers loaded at this stage are those marked with a Startup Type of System, as described in Chapter 8.
The HKEY_LOCAL_MACHINE\HARDWARE registry subtree, described in Chapter 11, is populated with configuration data gathered by the loader. At this point, the kernel also initializes the registry control sets.
The kernel starts a process called Session Manager (SMSS.EXE), which manages the next phase of the boot sequence. It typically starts AUTOCHK.EXE (a special version of CHKDSK designed to run before the operating system is completely booted) to make sure that the disk data structures are healthy.
If you scheduled a file system conversion from FAT to NTFS to run at the next restart, Session Manager performs the conversion at this step.
If all is well on the disks, Session Manager creates the NT paging files, according to information in the registry. It then starts the Win32 Subsystem (CSRSS.EXE).
The Win32 subsystem immediately runs Winlogon, which in turn starts the service controller (SERVICES.EXE), the local security authority (LSASS.EXE), and the print spooler (SPOOLSS.EXE).
Note: If you use the Task Manager Processes tab to peek at the running processes, you can see the order in which things were started. The kernel shows up as System. It's followed by SMSS.EXE, CSRSS.EXE, WINLOGON.EXE, SERVICES.EXE, LSASS.EXE, and SPOOLSS.EXE. (SERVICES.EXE used to be called SCREG.EXE in the Windows NT 3.x products.)
Drivers and services marked with a Startup Type of Automatic are loaded at this stage. See the sections called "Devices Application" and "Services Application" in Chapter 8 for details on driver and service startup types.
The remaining high-level components of Windows NT Server are loaded, and the computer displays the Begin Logon dialog box.