Updated: March 13, 1996
Keith Cotton is a subject matter expert for Microsoft Education Services within the Business Systems Division. Keith is a Microsoft Certified System Engineer and has his Novell CNE certification.
The Microsoft Networking Family
Windows NT Features
Architecture Overview
User and Group Accounts
Group Accounts
Managing Security Policies
File Systems
Windows NT Resource Security Model
Windows NT Network Architecture
Introduction to the Browser Service
Printing from Windows NT
Remote Access Service (RAS)
Both the Microsoft® Windows NT Server network operating system and the Windows NT Workstation operating system provide a 32-bit operating system for users who require a fast, multitasking environment. Corporate systems managers use Windows NT Workstation to establish a general purpose computing environment, which at the same time can reliably host a line of business applications. Developers and engineers, as well as financial and technical users, can take advantage of these operating systems for business needs such as mechanical and electronic design automation, architectural planning, engineering and construction, manufacturing and process control, custom software development, accounting, financial analysis, investment trader workstations, and real-time systems. In addition, any user who needs the power of a multiprocessing system can use the Microsoft Windows NT operating system to run multiple applications at the same time.
Windows NT Server 3.5 is a powerful network server operating system designed for organizations that must implement mission-critical business applications. Windows NT Server 3.5 provides the networking foundation for a new generation of server applications and tools, as well as file and print services. Its client-server platform is designed to integrate current and future technologies and provide a competitive advantage through better information access.
Windows NT Server 3.5 is the operating system for implementation of the Microsoft BackOffice strategy. BackOffice includes the following:
The Microsoft Windows NT Workstation 3.5 operating system includes all the capabilities of the Windows® for Workgroups operating system with integrated networking elevated to a more powerful, multitasking level. Windows NT Workstation can be used alone as a powerful desktop operating system, networked in a peer-to-peer workgroup environment, or used as a workstation in a Windows NT Server 3.5 domain environment.
Windows NT Workstation 3.5 can be used as a client in the Microsoft BackOffice strategy, accessing resources from all the BackOffice products.
Windows for Workgroups is a peer-to-peer network client based on the Microsoft Windows® operating system and designed for resource sharing among small numbers of people with similar tasks.
The Microsoft Windows operating system version 3.x is intended primarily for the single user in a desktop environment based on the Microsoft MS-DOS® operating system.
Windows and Windows for Workgroups are both ideal products for group or small business environments.
Features and Services | Windows NT Workstation 3.5 | Windows NT Server 3.5
Concurrent Client Connections | 10 inbound connection limit; unlimited outbound | Unlimited
Symmetric Multiprocessing | 2 processors (out of the box) | 4 processors (out of the box)
Remote Access Service | One session only | Up to 256 sessions
Directory Replication | Import only | Import and export
Logon Validation | No | Yes
Services for Macintosh® | No | Yes
Disk Fault Tolerance | No | Yes
Windows NT Workstation combines the power of a 32-bit multitasking workstation with the ease of use, compatibility, and productivity of a personal computer. It provides unlimited outbound peer-to-peer connections and up to 10 simultaneous inbound connections. Remote Access Service (RAS) supports one inbound session for a user who is dialing in using a modem. Windows NT Workstation supports up to two processors in a symmetric multiprocessing environment. These features are a few of the reasons why Windows NT Workstation 3.5 is a powerful multitasking client desktop operating system.
Windows NT Server provides the network operating system foundation for enterprise networking. It is optimized to be an excellent file, print, and applications server that scales from small workgroups to an enterprise network. Windows NT Server supports up to four processors in a symmetric multiprocessing environment. Original Equipment Manufacturers' implementations of Windows NT Server support up to 32 multiprocessors. (See the hardware compatibility list for a list of OEMs.) In addition, Windows NT Server provides all services necessary for sharing business applications and host connectivity, including Macintosh support, unlimited network connections, and 256 inbound RAS sessions. Tools are integrated for building secure, reliable databases, accessing mainframe and minicomputer data, building a messaging infrastructure, and managing all the Windows NT server and client computers on the network.
By looking at the purpose of a workgroup and a domain, you will know when to implement Windows NT into a workgroup or a domain environment on your network.
A workgroup is a logical collection of computers grouped together for a common purpose, such as sharing departmental hard disk or printer resources. Members of the workgroup can see and access resources shared by other computers within the group. Each computer in the workgroup has to manage its own user accounts database and security policy. Each workgroup is identified by a unique name.
A domain in a Windows NT environment is a logical collection of computers sharing a common user accounts database and security policy. A domain also provides logon validation to ensure that domain user accounts and security policies are enforced within the domain. Each domain has a unique name.
Windows NT Workstation is designed to participate in either a workgroup or a domain. As part of a workgroup, Windows NT Workstation interacts within a common group of computers on a peer-to-peer level. In this environment, resources and user accounts are managed at each computer. A workgroup works well for small groups in which a small number of users needs access to resources on other computers.
Both Windows NT Server and Windows NT Workstation are designed to participate in a domain. Like a workgroup, a domain is a logical grouping of computers and users. Unlike a workgroup, where each computer has its own user account database, a domain is managed by servers and has one user accounts database that is shared by all the servers. The Windows NT Server network operating system is designed to administer domain account privileges, security, and network resources centrally; for example, a large company may have 1,000 computers in a network. A group of users on this network needs exclusive rights to share files and applications. A Windows NT Server domain provides them with a secured environment in which they can share the files and applications, and log on from any Windows NT Workstation that is part of that domain.
The Windows NT operating system uses an object model to provide user access to local and network resources, and to run applications of various types. An object can be thought of as any resource within the Windows NT system, such as files, directories, and printers. The object model used by Windows NT is that of a modular operating system, composed of a group of relatively independent components. Each component performs a specific task within the context of the operating system as a whole. This is accomplished through subsystems and executive services that form the foundation on which applications can run.
One of the features of Windows NT is its ability to execute applications written for multiple operating systems. This is accomplished through the environment subsystems in Windows NT. The environment subsystems can run applications written for several operating systems by emulating those operating systems.
Underneath the user applications lies the Windows NT operating system. The Windows NT operating system provides the support for user applications. It comprises many components, the majority of which are called the Executive and its Managers. The Executive Services can be compared to a company president who oversees an entire organization. In Windows NT the Executive Services coordinate the activities of the operating system, such as providing access to hard disk resources, printers, memory, and the network. The Managers can be compared to vice presidents who oversee specific areas of the company. In Windows NT the Manager services are the actual code that manages the specific functions overseen by the Executive.
The memory architecture for Windows NT is a demand-paged, virtual memory system. It is based on a flat, linear address space accessed by 32-bit addresses.
Windows NT uses a 32-bit flat memory model, which means that applications can access up to 2 GB of RAM directly, rather than 64K segments, allowing programmers to create larger applications.
The Virtual Memory Manager maps virtual addresses for the application into physical pages in the computer's memory. In doing so, it hides the organization of physical memory from the application. This ensures that when applications call for memory locations they are mapped to non-conflicting memory addresses.
Demand paging refers to a method by which data is moved in pages from physical memory to a temporary paging file on disk. As the data is needed by an application, it is paged back into physical memory. The algorithm for paging is optimized to perform per-process paging as opposed to systemwide paging.
This linear addressing scheme helps make Windows NT portable because it is compatible with the memory addressing of processors such as the MIPS® R4000 and DEC Alpha AXP.
A user account defines a user to Windows NT. This includes the name and password required for the user to log on, the groups in which the user account has membership, and any user rights for using the assigned computer. When a user logs onto a workstation and attempts to perform a particular action on that computer, Windows NT checks information in the user's account to determine whether the user is authorized to perform that action.
An individual may have more than one account, each account providing and allowing different capabilities within the Windows NT Workstation security system. For example, an administrator can have both an administrative account that provides the access rights necessary to manage the system, and a user account for routine use.
The Windows NT installation program creates three default user accounts with associated privileges when Windows NT Workstation is first installed: Administrator, Guest, and an "Initial User" account. Each default account has specific privileges on the system.
The Administrator account is used by the person who manages the computer's overall configuration. Through this account, an Administrator can perform such tasks as: managing security policies; creating, modifying, or deleting user and group accounts; modifying operating system software; creating and connecting to shared directories (including administrative shares); installing and connecting to printers; partitioning and formatting a fixed disk; and more.
The Guest account is provided as a convenience, so that occasional or one-time users can log on and be granted limited abilities on the local computer. This allows users without a valid user account on the computer to log on as Guest, and access appropriate resources for the Guest account while using the system.
An "Initial User" account is created during installation of Windows NT Workstation. This account, which is assigned a name during installation, is a member of the Administrators group and therefore has all administrator rights and privileges.
Additional user accounts can be added to allow other users to log on locally or access local resources from over the network. This is done either by creating new user accounts, or by making copies of existing user accounts. Creating user accounts involves adding user information, adding the user to groups, and establishing the user environment profile.
Before creating new user accounts, it is a good idea to establish a standard naming convention. A standard naming convention speeds up the lookup process in User Manager when maintaining and troubleshooting the system, or if duplicate names occur.
When creating multiple user accounts with similar account properties, it is recommended that a template be created for each type of user. For example, create a template with all the appropriate options and group memberships established for users in the accounting department. Then, when an account is needed for a new user in the accounting department, you can simply copy the template.
User accounts can be copied, but not all of the items in the User Properties dialog box are copied to the new user account. The items copied directly from an existing user account to a new user account are as follows:
After copying an existing user account to create a new user, the following items are cleared:
Any rights and permissions that have been granted to a user account are not copied. The only way that user rights are copied is if the user rights have been assigned to a group, since group memberships are copied.
It is possible to rename any user account, including the default accounts. When a user account is renamed, it retains all of its other properties. The only thing that changes is the account name.
Although you can delete user accounts at any time, it is recommended that you do so only if a user will never again need to log on or access that Windows NT Workstation. Deleting user accounts also removes security identifiers. Security identifiers (SIDs) are unique numbers that identify users who are logged on to the Windows NT security system. A security ID can identify an individual user or a group of users.
If a user account is deleted and a new account is created with the same name, it will have a different SID, and as such will be unable to access anything the previous account was able to access without reassigning the appropriate permissions and privileges. The new account must have the appropriate access permissions, user rights, and group memberships established for it to behave in the same way as the deleted account.
The user environment profile provides a location for storage of personal files and provides consistent network resources every time a user logs on. This provides a user with their own unique environment on desktops shared by multiple users.
The User Environment Profile dialog box allows you to configure the user's logon script name and location of the user's home directory.
When a user logs on to Windows NT, the user's profile can be configured so that a logon script runs automatically to configure the working environment for the user.
A logon script is normally a batch file (.BAT or .CMD extension) that issues MS-DOS or OS/2® operating system commands, or calls executable files, though an executable file can also be used for the logon script. When using executable files, remember to use the correct version of the executable if the user may be logging on at computers with different CPU types (e.g., x86, MIPS, Alpha). The %PROCESSOR% environment variable can be used to select the right executable in a logon script.
Other environment variables that can be used in logon scripts include %HOMEDRIVE%, %HOMEPATH%, %HOMESHARE%, %OS%, %USERDOMAIN%, and %USERNAME%.
A home directory provides the user with a consistent location to store all personal program and data files. In general, administrators should configure home directories so they are not accessible to anyone but the individual user. Home directories are normally stored locally on Windows NT workstations, but can be located on a server.
A group is defined as an account containing other accounts (members). Groups are basically "aliases" for a set of users, and can be assigned permissions and user rights just like a user account. As a result, the permissions and rights granted to the group are applied to its members automatically. This makes groups a convenient way to grant common capabilities to a collection of user accounts.
The limit to the number of groups to which a user can be a member is 1,000.
A group is an account that contains user accounts. The accounts contained within a group are members of that group. Groups are used to give users permissions to perform system tasks, such as backing up and restoring files or changing the system time, and to grant access to resources, such as files, directories, and printers.
Group accounts are useful because they simplify administration by organizing user accounts into a single administrative unit. Group accounts provide a convenient method of controlling access for several users who will be using Windows NT to perform similar tasks. By placing multiple users in a group, you can assign the same abilities and/or restrictions to all of the users at the same time by assigning the rights and/or permissions to the group. Without groups, user rights and access permissions would have to be assigned to the individual users accounts. User accounts can still be modified individually, even if they are members of one or more groups.
Windows NT Workstation allows the creation of local groups. Windows NT Server allows the creation of both local and global groups.
This type of group can include any user accounts created in the local accounts database. Additionally, if the Windows NT Workstation has joined a Windows NT Server domain, a local group can also contain any global accounts from the Windows NT Server domain.
Local groups created on a Windows NT Workstation are only available on that workstation. They cannot be accessed on other Windows NT-based computers.
Global groups contain accounts outside of the local computer. They are assigned user rights and permissions to resources on the local computer where the global group resides, or from any Windows NT Workstation that has joined the domain. Global groups provide a way to create groups of users from the domain.
If your Windows NT Workstation is a member of a domain, then it is possible to grant permissions to any global groups that have been created in the domain.
There are several default group accounts built into the Windows NT Workstation operating system. The built-in groups are Guests, Users, Power Users, Administrators, Replicator, and Backup Operators. By default, all user accounts created on a Windows NT Workstation are made members of a group called Users.
There is also a special group account named "Everyone". The Everyone group includes every user account created on the local computer and, as such, does not appear in the listing of group accounts and does not permit the adding of users. It can be used to assign user rights and access permissions to resources, and grants every user (including Guest) the privileges assigned to the Everyone group.
The Guest group offers limited access to resources on the system. The Guest user account is automatically added as a member of the Guests group account.
Since anyone on a network can connect to a computer's shared resources through the Guests group, permissions must be assigned on shared resources to control how users can access those resources.
To grant a specific user the same access to the computer as someone who logs on as a Guest, add that user account to the Guests group.
The Users group account provides the user with the necessary rights to operate the computer as an end user, such as running applications and managing files. By default, every user account created is added to the Users group.
The Power Users group account gives members the ability to perform certain system administrative functions, without giving the user complete control over the computer.
A user logged on as a member of the Administrators group account has complete control over the entire Windows NT computer.
This group account is used when configuring the directory replicator service. The directory replicator service is used to automatically copy files, such as user logon scripts, between Windows NT-based computers.
The Backup Operators group account allows the user to back up and restore files on the computer.
Any user can back up and restore files for which they have the appropriate file and directory permissions without being a member of the Backup Operators group. The Backup Operators group overrides any permissions on files and directories that would normally prohibit a user from accessing those files, and allows users who are members of the group to back up any and all files on a drive, regardless of the file and directory permissions. Permissions to all files are only granted while the user is using Windows NT Backup to back up or restore files and directories.
Deleting a local group account removes only that local group. It does not delete any user accounts that were members of the deleted local group account. Groups that have been created with User Manager can be deleted, while the built-in groups provided with Windows NT Workstation, such as Administrators and Guests, cannot be deleted.
Security policies provide an administrator with an additional level of computer and network control. However, an administrator needs to carefully consider what security policies need to be configured in an environment, and realize what effect the configured policy will have on the security of the local computer.
Windows NT provides the following security policies:
Security policy | Description
Account | Controls the way passwords are assigned and maintained by users. It also controls the account lockout feature of Windows NT.
User Rights | Controls the explicit rights that can be assigned to the group and user accounts of the workstation.
Audit | Controls the types of events that will be recorded in the audit logs.
The Account Policy sets the minimum and maximum ages, minimum length, and uniqueness of passwords, and configures the account lockout feature. Changes to this policy affect each user at the next logon. The Account Policy is accessed from the Policies menu of User Manager.
The User Rights Policy manages the rights granted to group and user accounts. User Rights authorize a user to perform certain actions on the computer. User Rights apply to the computer as a whole and are different from permissions, which apply to specific resources, such as files and printers.
In general, you will not need to change the User Rights policy for the default groups, because the User Rights of these groups should support the needs of typical users within each group.
There are two levels of User Rights that can be assigned: User Rights and Advanced User Rights. The most commonly modified rights are User Rights.
In choosing a file system, it is important to note that you can format multiple partitions with different file systems on the same Windows NT workstation, depending on the operating system and security needs of the computer.
File System | Supporting Operating Systems
FAT | MS-DOS, Windows NT, and OS/2
HPFS | OS/2 and Windows NT
NTFS | Windows NT
The FAT file system is widely used and supported by a variety of operating systems, such as MS-DOS, Windows NT, and OS/2. If you plan to dual boot your Windows NT Workstation computer with the MS-DOS operating system, the system partition must be formatted with the FAT file system.
The MS-DOS FAT file and directory naming convention can consist of three parts: a filename of up to eight characters, a period (.) separator, and a three-character extension.
The following table describes some basic characteristics of the File Allocation Table on Windows NT 3.5.
Filename/Directory length | 255
File Size | 4 GB (2^32 bytes)
Partition Size | 4 GB (2^32 bytes)
Attributes | Read-only, Archive, System, and Hidden
Directories | *Linked List
Accessible Through | MS-DOS, OS/2, and Windows NT
* Linked List = To enable MS-DOS to locate a file, the file's directory entry contains its beginning FAT entry number. This FAT entry, in turn, contains the entry number of the next cluster if the file is larger than one cluster, or a marker that designates this is the last cluster. A file whose size implies that it occupies 10 clusters will have 10 FAT entries and 9 FAT links. This method of storing the information of files forms the linked list.
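The cluster chain described above, walked in code. This is an added illustration, not code from the article: the FAT is a constructed Python list standing in for the on-disk table, with made-up marker values, and the walker also rejects the corruption cases (out-of-range, free or looping entries) that a naive reader would follow forever.

```python
"""Follow a FAT cluster chain: the directory entry holds the first cluster number and
each FAT entry holds the next cluster or an end-of-chain marker.
Constructed toy layout, not a real FAT12/16 image; marker values are made up here."""

END_OF_CHAIN = -1   # constructed marker for "this is the last cluster"
FREE = 0            # constructed marker for "cluster not allocated"


def follow_chain(fat, first_cluster):
    """Return the ordered list of clusters making up the file that starts at first_cluster.

    Raises ValueError for chains a defensive parser must refuse: an entry pointing
    outside the table, into a free cluster, or back onto a cluster already visited
    (a cycle in a damaged FAT would otherwise make the reader loop without end)."""
    chain = []
    seen = set()
    cluster = first_cluster
    while True:
        if cluster in seen:
            raise ValueError("FAT chain loops back to cluster %d" % cluster)
        if not 0 <= cluster < len(fat):
            raise ValueError("cluster %d lies outside the FAT" % cluster)
        if fat[cluster] == FREE:
            raise ValueError("cluster %d is marked free but appears in a chain" % cluster)
        seen.add(cluster)
        chain.append(cluster)
        nxt = fat[cluster]
        if nxt == END_OF_CHAIN:
            return chain
        cluster = nxt


def chain_stats(fat, first_cluster):
    """A file occupying N clusters has N FAT entries and N-1 links, as the article states."""
    chain = follow_chain(fat, first_cluster)
    return {"entries": len(chain), "links": len(chain) - 1}


def is_corrupt(fat, first_cluster):
    """True when the chain starting at first_cluster cannot be walked safely."""
    try:
        follow_chain(fat, first_cluster)
    except ValueError:
        return True
    return False


def build_fat(size, chains):
    """Lay the given cluster sequences into an empty table of `size` entries."""
    fat = [FREE] * size
    for clusters in chains:
        for cur, nxt in zip(clusters, clusters[1:]):
            fat[cur] = nxt
        fat[clusters[-1]] = END_OF_CHAIN
    return fat


# Constructed sample: a 10-cluster file scattered across the table, plus a 2-cluster file.
TEN_CLUSTER_FILE = [2, 3, 4, 9, 10, 11, 5, 6, 7, 8]
SAMPLE_FAT = build_fat(16, [TEN_CLUSTER_FILE, [12, 13]])

# Constructed corruption: the last cluster of a file points back to its first cluster.
LOOPED_FAT = build_fat(16, [[12, 13]])
LOOPED_FAT[13] = 12

if __name__ == "__main__":
    print(chain_stats(SAMPLE_FAT, 2))   # {'entries': 10, 'links': 9}
    print(is_corrupt(LOOPED_FAT, 12))   # True
```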
The following considerations are important in implementing a FAT file system:
HPFS is the same file system supported by OS/2. Windows NT provides no enhancements to the HPFS file system. It is typically used to ease the migration from OS/2 to Windows NT.
The following rules must be observed when naming files on HPFS partitions:
? " / \ < > * | :
The following considerations are important in implementing an HPFS file system:
The following table describes some basic characteristics of the High Performance File System:
Filename/Directory length | 254
File Size | 4 GB (2^32 bytes)
Partition Size | 2 TB theoretical (2^41 bytes); 7.8 GB actual (due to disk geometry)
Attributes | *R, A, S, H and *Extended
Directories | *B-tree
Accessible Through | OS/2 and Windows NT
* R, A, S, H = Read-only, archive, system, hidden attributes
* Extended = Allows additional attributes, which are represented as text strings and can be used arbitrarily by applications. These extended attributes could be icons for the file, the names of the associated application, and so on.
* B-tree = The method in which HPFS searches for files. In a B-tree directory environment, the directory entries are stored alphabetically in the tree, and binary searches are used to search for the target file in the directory list.
NTFS is the preferred file system under Windows NT for a number of reasons, primarily security. However, there may be cases where it is necessary to use another file system on the same computer as Windows NT Workstation. If the computer will be running another operating system, at least one partition must be formatted with a file system supported by that operating system. Only Windows NT supports NTFS.
Here are some of the design goals of NTFS:
NTFS is the most POSIX.1 compliant of the supported file systems because it supports the following POSIX.1 requirements:
The following rules must be observed when naming NTFS files:
? " / \ < > * | :
The following considerations are important in implementing an NTFS file system:
The following table describes some basic characteristics of the NTFS File System.
Filename/Directory length | 255
File Size | 16 EB (2^64 bytes)
Partition Size | 16 EB (2^64 bytes)
Attributes | *Further extended
Directories | B-tree
Accessible Through | Windows NT
*Further extended = for example, maintaining the creation and last-modified date and time for files and directories
If you have existing hard disk partitions that are FAT or HPFS, and wish to benefit from the enhanced features of NTFS, it is possible to convert the existing partition(s) to NTFS. Converting a partition from FAT or HPFS to NTFS preserves all data on the partition, unlike formatting the partition, which destroys all data. Windows NT includes an executable that converts FAT or HPFS partitions to NTFS. To convert a FAT or HPFS partition to an NTFS volume, use the CONVERT.EXE utility provided with Windows NT. Note that the conversion is a one-way process; there is no way to convert an NTFS volume to FAT or HPFS.
Here's a summary of the advantages and disadvantages of each of the file systems.
File System | Advantages | Disadvantages
FAT | Low system overhead. Best for drives and/or partitions under about 200 MB. | Using FAT with drives or partitions over 200 MB may decrease performance. Cannot set permissions on files or directories.
HPFS | Best for drives in the 200-400 MB range. Attempts to avoid fragmentation by searching for a band that can hold the entire file. | Not efficient for a volume under 200 MB, because of overhead involved. Does not support Hot Fixing. Cannot set file or directory permissions on Windows NT HPFS partitions.
NTFS | Best for use on volumes of about 400 MB or more. Recoverability (transaction logging) designed into NTFS is such that a user should never have to run any sort of disk repair utility on an NTFS partition. It is possible to set permissions on files and directories. | Not recommended for use on volumes smaller than 400 MB, because of impact on performance. Disk space overhead ranges from 1 to 5 MB depending on size of the partition.
Windows NT supports multiple file systems. As a result you need to consider the differences in naming structures when transferring files from one file system to another.
For every long filename (LFN) created on a Windows NT 3.5 FAT partition, there is an auto-generated short filename. This short filename complies with the 8.3 naming convention for backwards compatibility and provides an "alias" for the long filename.
On FAT partitions, a LFN will take one directory entry for every 13 characters plus another directory entry for its alias. For example, if a filename is 12 characters long, it will have one directory entry for the LFN and another for the alias. A 36-character LFN will take three directory entries for the LFN, plus another for its alias, for a total of four directory entries. A directory entry is the listing in File Manager or a DIR command that displays all files and directories. Directory entries are used to store the LFN.
Each LFN entry has the following attributes:
No other MS-DOS filename entry will have all four of these attributes. A file may have RSH but would not also have a Volume attribute. Conversely, a Volume will not have RSH attributes. Having this special attribute combination should protect these entries from most disk utilities.
Under Windows NT 3.5, long filenames are converted to 8.3 names to create an alias for supporting MS-DOS-based clients. This conversion takes the first 6 characters of the long name and uses a ~number suffix to keep the name unique. For example, My Term Paper A.doc becomes MYTERM~1.DOC, and successive iterations would look like MYTERM~2.DOC, MYTERM~3.DOC, MYTERM~4.DOC.
After the fourth file with the same first 6 characters, the naming convention changes. The fifth attempt will use the first two characters of the long name, but the next four will be generated by a hashing algorithm. For example, after the fourth attempt, My Term Paper E.doc becomes MY0F58~5.DOC. Notice the last two characters are "~5". Only when the hashing of the middle 4 characters fails to produce a unique name will the ~5 be incremented to a ~6 and so on. This method is used on both NTFS and FAT partitions to create aliases for long filenames.
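The alias scheme just described, together with the directory-entry count from the LFN section above, as an added example that is not Microsoft's code. The article does not give the hash used from the fifth collision onward, so the four hash characters here come from a constructed 16-bit checksum rendered as hex; everything else follows the rules stated in the text.

```python
"""8.3 alias generation as the article describes it, plus the FAT directory-entry cost of
a long filename. Added illustration; the hash is a constructed stand-in, not the real one."""
import math

# Characters the article lists as illegal in FAT/NTFS names. Spaces are dropped as well.
ILLEGAL = set('?"/\\<>*|:')


def _clean(text):
    """Upper-case and strip characters that cannot appear in an 8.3 name."""
    return "".join(c for c in text.upper()
                   if c not in ILLEGAL and not c.isspace() and c != ".")


def _split(long_name):
    """Return (cleaned base, cleaned extension truncated to 3 characters)."""
    base, dot, ext = long_name.rpartition(".")
    if not dot:
        base, ext = long_name, ""
    return _clean(base), _clean(ext)[:3]


def _hash4(text):
    """Constructed stand-in for the real hash: a 16-bit rolling checksum as 4 hex digits."""
    h = 0
    for ch in text:
        h = ((h << 3) ^ (h >> 13) ^ ord(ch)) & 0xFFFF
    return "%04X" % h


def short_name(long_name, existing):
    """Return an 8.3 alias for long_name that is not already in `existing`.

    Attempts 1-4: first six characters of the cleaned base plus ~n.
    Attempt 5 onward: first two characters, four hash characters and ~n, where n only
    increments when the hashed form itself collides with an existing alias."""
    base, ext = _split(long_name)
    suffix = ("." + ext) if ext else ""
    for n in range(1, 5):
        candidate = "%s~%d%s" % (base[:6], n, suffix)
        if candidate not in existing:
            return candidate
    digest = _hash4(base)
    n = 5
    while True:
        candidate = "%s%s~%d%s" % (base[:2], digest, n, suffix)
        if candidate not in existing:
            return candidate
        n += 1


def assign_aliases(long_names):
    """Allocate aliases for a directory's long names in creation order."""
    existing = set()
    result = {}
    for name in long_names:
        alias = short_name(name, existing)
        existing.add(alias)
        result[name] = alias
    return result


def is_8_3(name):
    """True when name fits the MS-DOS 8.3 convention with no illegal characters."""
    base, _, ext = name.partition(".")
    return (1 <= len(base) <= 8 and len(ext) <= 3 and "." not in ext
            and not (ILLEGAL & set(name)))


def fat_directory_entries(long_name):
    """FAT directory entries consumed by an LFN: one per 13 characters, plus one for the alias."""
    return math.ceil(len(long_name) / 13) + 1


if __name__ == "__main__":
    # Constructed sample: the five term papers from the article, created in order.
    papers = ["My Term Paper %s.doc" % letter for letter in "ABCDE"]
    for name, alias in assign_aliases(papers).items():
        print("%-20s -> %-12s (%d directory entries)"
              % (name, alias, fat_directory_entries(name)))
```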
If you are using HPFS, it is important to note that HPFS does not automatically generate short filenames. As a result, MS-DOS- and Windows 3.x-based applications will not be able to access files with long names on an HPFS partition, and dir /x will display a blank column where the 8.3 character-length filename is normally listed.
By creating 8.3 character-length filenames for files, NTFS and FAT allow Windows 3.x- and MS-DOS-based applications to recognize and load these files even though they have long filenames.
By default, COPY and XCOPY attempt to copy a file using its long filename. Therefore, when copying a file with a long filename from either HPFS or NTFS to FAT, the following error will occur if FAT long filenames are turned off:
The filename, directory name, or volume label syntax is incorrect.
When using COPY or XCOPY to copy from an NTFS partition to a FAT partition, consider using the /n switch. This switch will have COPY or XCOPY use the short 8.3 NTFS generated filename when copying the file from an NTFS partition. When trying to copy a file from an HPFS partition, the file will have to be renamed when copying to a FAT partition that has long filenames turned off, since HPFS does not generate short filenames.
NTFS supports case-sensitive names, a requirement of POSIX. However, MS-DOS, Win16, OS/2, and the Win32® application programming interface do not currently support case-sensitive naming. Therefore, applications running in any of these environments may be confused by files whose names differ only in case.
Disk Administrator is a graphical tool for managing hard disk drives. This tool encompasses and extends the functionality of character-based disk management tools, such as MS-DOS Fdisk and the character-based fault tolerance utilities of the Microsoft LAN Manager local area network software, into one graphical interface. Primarily, it is used to set up, configure, and organize the system's hard disk(s) to function more efficiently.
Disk Administrator displays the system's disk resources through a status bar and legend. This legend can be customized by colors and patterns to display disk regions and types of disk usage.
Disk Administrator provides a simple way to manage disks by providing administrators the capability to create, format, and delete partitions within a graphical application.
As you recall, partitioning the hard disk on a new computer is performed during initial setup when you install Windows NT. After Windows NT is installed, use Disk Administrator to make changes to the computer's hard disks or to partition a new hard disk.
Keep in mind that a disk must be partitioned before it can be formatted with a file system. A disk partition is a portion of a physical disk that functions as if it were a physically separate unit. For example, one hard disk could be partitioned to function as if it were two disks.
Windows NT protects its resources, including files, printers, and applications, by controlling access to them. For a resource to be protected or secured, the resource must be accessible to authorized users and inaccessible to unauthorized users. There are two basic approaches to resource security. One method associates an access code with each resource. Any user who knows the code receives access. Another method associates users with resources. Any user that is granted permission to the resource receives access. In Windows NT, users are associated with a resource.
All Windows NT resources are represented as objects that can be accessed only by authorized Windows NT services and users. An object in Windows NT is defined as a set of data used by the system, and the set of actions that manipulate that data. For example, a file object consists of data stored in a file and a set of functions that allow you to read, write, or delete data in that file. This definition can be applied to any object used by the system, including memory, printers, or processes.
Everything in Windows NT is represented to the operating system as an object. The following are examples of Windows NT objects:
All functions used to access an object (for example, open a file) are directly associated with a specific object. In addition, the users and groups that are permitted to use the function are also associated with the object. Only users with the appropriate rights are allowed to use functions on an object. As a result, a process cannot use an object that belongs to another process unless that object's protection permits it. This characteristic of objects provides built-in security. Access to each object is controlled through an Access Control List (ACL).
The ACL contains the user (and group) accounts that have access and permissions to the object. When a user wants to access an object, the system checks the user's security identifier and group memberships with the ACL to determine whether or not this user is allowed to complete the request.
Every user of the system needs to have a user account which can be added to resource access control lists. This includes applications and services which need to access resources as well as people. When an administrator grants access to a resource, the user account is added to the ACL for that resource along with any specific permissions. For example User-1 has read permissions to a file, while User-2 has read, write, and delete permissions to the same file.
These ACL entries are called Access Control Entries (ACEs). Each entry identifies a user or group and the permissions that have been granted or denied for the object. An ACE is added to the ACL for each user or group that is granted or denied access to an object.
Entries that deny access are listed first in the ACL, and entries that permit access are listed next. The only time this order is changed is if a company has written its own application that edits the ACL of a resource. In this case, it can place the ACE anywhere in the ACL it wishes.
Access to resources begins with the user logging on. Windows NT requires that users log on before they can access any resources. When a user successfully logs on, he or she receives an access token that remains with the user process until logging off. Each time the user attempts to access a resource, the access token is compared to the resource ACL to determine whether access is granted or denied.
Windows NT requires each user to provide a unique username and password to log on to a computer. This mandatory logon process cannot be disabled.
When a user logs on to Windows NT, the security subsystem creates an access token for the user. The access token includes information such as the user's name and the groups to which the user belongs. Access to the system is allowed after the user has received this access token. While the user is logged on, the user is identified to the system by this access token.
When a user's process attempts to access any object, Windows NT checks the user ID and list of groups in the user process's access token against the object's Access Control List (ACL). This check determines if the user is granted the requested access to the object. The access token is permanently attached to each of the user's processes and serves as the process's "identity card" whenever it attempts to use system resources. Access tokens are objects and have attributes and services just like any other system object.
Even though user and group identifications are represented here as names, the computer actually stores this information as a security identifier (SID) and group security identifiers (group SIDs). A SID is a unique identifier used to represent a user, group, or some type of security authority. SIDs are used within access tokens and ACLs instead of usernames or group names. A SID is represented as a unique number, such as:
S-1-5-21-76965814-1898335404-322544488-1001
The result of identifying users by SIDs is that the same user account name may be created multiple times on the same computer, but each instance of the account name will have a unique SID. For example, you have a user account for User-1. If you delete this account and create a new account for User-1 using the same name, the new account will not have access to the same resources as the old account. This is a result of the SID being different, even when the account name is the same.
Windows NT compares the information in the access token to the information in the ACL to determine whether or not access should be granted. When a user attempts to access a resource on the system, the security subsystem compares the user's access token to the ACL to validate or deny the requested permission to the resource. It goes through the following steps:
1. Starting at the top of the ACL, it checks each Access Control Entry (ACE) to see if it explicitly denies the user (or any of the groups that appear in the user's access token) the type of access that is being requested.
2. It checks to see if the type of access requested has been explicitly granted to the user or any of the groups in the user's access token.
3. It repeats step 1 and 2 for each entry in the ACL until either it has encountered a deny, or until it has accumulated all the necessary permissions to grant the requested access.
4. If neither a deny nor a grant appears in the ACL for each of the requested permissions, the user will be denied access.
When Windows NT grants access to an object, what it really does is give the user's process a handle to the object. A handle is an identifier used internally by the system to identify and access a resource. The system also creates a list of allowed permissions called the list of granted access rights. This information is then stored in the user's process.
In this way, an ACL is only checked when the object is initially opened. Subsequent actions performed on an opened object are checked against the list of granted access rights that have been stored in the user's process table for that handle.
A significant difference between the Microsoft Windows NT operating system and other operating systems is that networking capabilities are built into Windows NT. With MS-DOS, Windows 3.x, and OS/2, networking was added on top of the operating system. By providing both client and server capabilities within Windows NT, your computer is able to participate with other network computers to share files, printers, and applications. A Windows NT-based computer can participate as either a client or server in a distributed application environment, as well as in a peer-to-peer networking environment.
Windows NT provides the ability to interoperate in many different network environments simultaneously from a single Windows NT computer.
The following networking environments are supported by Windows NT:
To support this diverse network interoperability, Windows NT provides modular network components. This means a network component, such as a network protocol, can be replaced with a newer version without affecting the other networking components. In addition, new components can be integrated with the default networking components to provide increased interoperability with other network operating systems.
Windows NT networking components can be organized into three categories: file system drivers, transport protocols, and network adapter card drivers. Each plays a distinctive role.
These components communicate with each other through interface layers known as boundary layers. Boundary layers translate data into a format the receiving component understands. The boundary layers include programming interfaces, the Transport Driver Interface (TDI), and NDIS 3.0.
The Windows NT networking components and the boundary layers can be compared to the seven-layer OSI model.
File system drivers access system resources, such as an I/O call to an NTFS partition or a network file. They operate at the Application and Presentation layer of the OSI model, receiving input from user mode applications. FAT, HPFS, and NTFS each have their own file system driver for local file partitions. In addition, there are several file system drivers for use in a network environment.
Transport protocols define the rules governing communications between two computers. They operate at the Data Link layer and typically cover responsibilities up to the Session layer in the OSI model. Each transport protocol has advantages and disadvantages in its implementation, although it is possible to install and run several protocols at once.
Network adapter card drivers coordinate communication between network adapter card and the computer's hardware and software. For every network adapter card, there is a network adapter card driver. These drivers must be NDIS 3.0 compliant to operate with Windows NT. Network adapter card drivers operate at the Media Access Control sublayer while the card itself represents the Physical layer of the OSI model.
A boundary is the unified interface between the layers in the Windows NT network architecture model. Creating boundaries as a breakpoint in the network layers helps open the system to outside development. It makes it easier for vendors to develop network drivers and services, since the functionality that must be implemented between the layers is well defined. Vendors only need to program between the boundary layers instead of writing to the entire OSI model. Boundary layers eliminate the need for rewriting software written for adjacent layers by allowing software to be mixed and matched.
Programming interfaces provide a means of communicating over the network. There are several programming interfaces available. Windows NT supports NetBIOS, Windows Sockets, Remote Procedure Calls, and Network Dynamic Data Exchange (NetDDE).
The TDI boundary layer provides a common interface for a file system driver, such as a redirector or server, to communicate with the various network transports. This allows redirectors and servers to remain independent from transports.
The NDIS 3.0 boundary layer provides the interface to the NDIS wrapper and network adapter card drivers. All transport protocols call the NDIS interface to access network adapter cards.
NDIS (Network Driver Interface Specification) is a standard that allows for multiple network adapters and multiple protocols to coexist in a single computer. NDIS permits the high-level protocol components to be independent of the network interface card by providing a standard interface.
The network adapter card driver is at the very bottom of the Windows NT network architecture. Since Windows NT supports NDIS 3.0, it requires network adapter card drivers written to the NDIS 3.0 specification. NDIS 3.0 allows an unlimited number of network adapter cards in a computer and an unlimited number of protocols that can be bound to a single adapter card.
Boundary layer components are examples of the modular Windows NT network components.
At the center of the Windows NT networking environment are the components that provide the user with the ability to create and access resources across the network.
Windows NT networking components, from the bottom layer going up, include:
Above the NDIS wrapper are the transport protocols. Windows NT ships with four transport protocols: NWLink, TCP/IP, NetBEUI, and DLC.
NetBEUI stands for NetBIOS Extended User Interface and was first introduced by IBM in 1985. NetBEUI was developed for small departmental LANs of 20 to 200 computers. It was assumed that these LANs would be connected by gateways to other LAN segments and mainframes. NetBEUI's primary disadvantage is that it cannot be routed, so it must be connected using bridges and not routers. As such, it is primarily used in a local area network consisting of mainly Microsoft clients and servers, including LAN Manager.
NWLink is an IPX/SPX-compatible protocol for Windows NT. It can be used to establish connections between Windows NT-based computers and MS-DOS-, OS/2-, Windows-, or other Windows NT-based computers through a variety of communication mechanisms. It is often used in environments that consist of both Microsoft and Novell networks, in which the Microsoft clients need access to resources on NetWare file servers.
NWLink is simply a protocol. By itself, it does not allow a Windows NT computer to access files or printers on a NetWare server, or to act as a file or print server to a NetWare client. To access files or printers on a NetWare server, you must use a redirector, such as Microsoft Client Service for NetWare (CSNW) or Novell NetWare Client for Windows NT.
TCP/IP stands for Transmission Control Protocol/Internet Protocol and is an industry-standard suite of protocols designed for wide-area networking. It was developed in 1969, resulting from a Defense Advanced Research Projects Agency (DARPA) research project on network interconnection. TCP/IP is commonly used in wide area networks that consist of a variety of network hosts.
DARPA developed TCP/IP to connect its research networks together. This combination of networks continued to grow and now includes many government agencies, universities, and corporations. This global wide area network is referred to as the Internet.
In Windows NT, TCP/IP allows users to connect to the Internet as well as any machine running TCP/IP and providing TCP/IP services.
DLC stands for Data Link Control. Unlike the other protocols in Windows NT (NetBEUI, NWLink IPX/SPX, TCP/IP), the DLC protocol is not designed to be a primary protocol for use between personal computers, as it does not provide a NetBIOS interface. DLC only provides applications with direct access to the data link layer, and thus is not used by the Windows NT redirector. Since the redirector cannot use DLC, this protocol is not used for normal session communication between Windows NT-based computers.
DLC only needs to be installed on computers performing the above tasks and not on the other computers on the network. An example would be a print server sending data to a network HP® printer. Client computers sending print jobs to the network printer do not need to be using the DLC protocol, only the print server communicating directly with the printer needs the DLC protocol installed.
In distributed computing, the computing task is divided into two sections, a client component and a server component. The goal is to move the actual application processing from the client computer to a server system with the power to run large applications. Windows NT-based computers can perform the role of either the client or the server for distributed application support.
The client component of a client-server application is typically the user interface for the application. It runs on the client computer and utilizes a smaller amount of computing power than the server application, but typically requires a lot of network bandwidth to communicate with the server component.
The server component of a client-server application typically requires larger amounts of data storage, computing power, or specialized hardware. It includes operations such as database lookups and updates, or mainframe data access.
There must be a network connection between the client and server portions of distributed applications that allows data to flow in both directions. There are a number of different ways to establish this connection. Windows NT provides several different Interprocess Communication (IPC) mechanisms. Included are:
Named pipes provide connection-oriented messaging services that allow applications to exchange data over the network. Windows NT provides a special application programming interface (API) which increases security when using named pipes. One feature added to named pipes is impersonation. When using impersonation, the server can change its security identifier to that of the client at the other end of the connection. For example, suppose a database server system uses named pipes to receive read and write requests from clients. When a request comes in, the database server program can impersonate the client before attempting to perform the request. Thus, if the client does not have the authority to perform the function, the request is denied, even though the server program itself might have the permissions needed to complete the task.
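The access-check steps from the resource security section above (deny entries first, grants accumulating until every requested right is covered, an implicit deny when the ACL runs out), the granted access rights that travel with an opened handle, the effect of deleting and recreating an account with the same name, and the named-pipe impersonation described here all rest on the same token-versus-ACL comparison, so one added example serves them all. It is not code from the original article or from Windows NT: the SIDs (apart from the one shown earlier on the page), account names, permission bits and the ACL are constructed for illustration, and the PipeServer class stands in for what ImpersonateNamedPipeClient and RevertToSelf do in a real server.

```python
# Added example, not code from the original article or from Windows NT: a
# compact model of the access-check steps in the resource security section
# (deny ACEs first, grants accumulate, anything unmatched is denied), of the
# granted access rights carried by an open handle, and of named-pipe
# impersonation. All SIDs, names and permission bits are constructed here
# and do not match NT's real access masks.
from dataclasses import dataclass

READ, WRITE, DELETE = 0x1, 0x2, 0x4      # assumed permission bits


@dataclass(frozen=True)
class ACE:
    sid: str            # user or group SID the entry applies to
    mask: int           # permissions granted (or denied) by the entry
    deny: bool = False


@dataclass(frozen=True)
class Token:
    """Access token: who the process is, held as SIDs rather than names."""
    name: str
    user_sid: str
    group_sids: frozenset = frozenset()

    def sids(self):
        return {self.user_sid} | set(self.group_sids)


@dataclass
class SecuredObject:
    name: str
    acl: list           # ACEs in ACL order; deny entries come first


@dataclass
class Handle:
    obj: SecuredObject
    granted: int        # the list of granted access rights for this handle


class AccessDenied(Exception):
    pass


def access_check(token, obj, desired):
    """Steps 1-4 of the text: walk the ACL top to bottom; a deny covering
    any requested right ends the check; grants accumulate until every
    requested right is covered; running out of entries means denied."""
    granted = 0
    for ace in obj.acl:
        if ace.sid not in token.sids():
            continue
        if ace.deny:
            if ace.mask & desired:
                return False
        else:
            granted |= ace.mask & desired
            if granted == desired:
                return True
    return False


def open_object(token, obj, desired):
    """The ACL is consulted only at open time; the handle then carries the
    granted rights that later operations are checked against."""
    if not access_check(token, obj, desired):
        raise AccessDenied(f'{token.name} -> {obj.name}')
    return Handle(obj, desired)


def operate(handle, right):
    """A later operation on an open handle never re-reads the ACL."""
    return bool(handle.granted & right)


class PipeServer:
    """Named-pipe style server with its own token; while impersonating, the
    client's token is the effective one, until the server reverts to self."""
    def __init__(self, token):
        self.process_token = token
        self.thread_token = None

    def effective_token(self):
        return self.thread_token or self.process_token

    def handle_request(self, client, obj, desired, impersonate=True):
        """Open obj on the client's behalf; True if the open succeeds."""
        self.thread_token = client if impersonate else None
        try:
            open_object(self.effective_token(), obj, desired)
            return True
        except AccessDenied:
            return False
        finally:
            self.thread_token = None     # RevertToSelf


# Constructed sample principals; DOMAIN is the SID prefix shown earlier.
DOMAIN = 'S-1-5-21-76965814-1898335404-322544488'
USERS_GROUP = 'S-1-5-32-545'             # well-known Builtin Users SID
user1 = Token('User-1', DOMAIN + '-1001', frozenset({USERS_GROUP}))
user2 = Token('User-2', DOMAIN + '-1002', frozenset({USERS_GROUP}))
db_server = Token('DbService', DOMAIN + '-1003')
# Same name as user1 but a fresh SID and no group memberships yet.
user1_recreated = Token('User-1', DOMAIN + '-1004')

# Users may read and write; User-1 is explicitly denied write and delete
# (so ends up read-only); User-2 additionally may delete; the server has all.
report = SecuredObject('report.doc', [
    ACE(user1.user_sid, WRITE | DELETE, deny=True),   # deny entries first
    ACE(USERS_GROUP, READ | WRITE),
    ACE(user2.user_sid, DELETE),
    ACE(db_server.user_sid, READ | WRITE | DELETE),
])
```

Two things worth noticing when running it: a handle opened for READ refuses a later WRITE even for User-2, whose ACL entry would allow it, because the check at operation time is against the handle's granted rights; and the server's own token can write report.doc, yet handle_request on User-1's behalf fails, which is exactly the protection impersonation buys.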
Mailslots are used to provide connectionless messaging services on a local area network. Windows NT implements second-class mailslots, which are used most commonly for the following:
The following programming interfaces provide communication between user mode applications and file system drivers.
NetBIOS is a standard programming interface in the personal computer environment for developing client-server applications. NetBIOS has been used as an IPC mechanism since the introduction of the interface in the early 1980s. From a programming perspective, higher level interfaces such as named pipes and RPC are superior in their flexibility and portability.
A NetBIOS client-server application can communicate over various protocols: NetBEUI protocol (NBF), NWLink NetBIOS (NWNBLink), and NetBIOS over TCP/IP (NetBT).
The NetBIOS Interface provides the NetBIOS mapping layer between NetBIOS applications and the TDI compliant protocols.
The Windows Sockets API provides a standard Windows interface to many transports with different addressing schemes, such as TCP/IP and IPX. The Windows Sockets API was developed to accomplish two things. One was to migrate the sockets interface, developed at the University of California, Berkeley in the early 1980s, into the Windows and Windows NT environments. The other was to help standardize an API for all platforms. Windows NT provides Windows Sockets support on both NWLink and TCP/IP transport protocols.
The RPC mechanism can use other IPC mechanisms to establish communications between the computers on which the client and the server portions of the application exist. If the client and server are on the same computer, the Local Procedure Call (LPC) mechanism can be used to transfer information between processes and subsystems. This makes RPC the most flexible and portable IPC choice.
The components of the remote procedure call mechanism are:
NetDDE provides information sharing capabilities by opening two one-way pipes between applications. NetDDE is an extension of Dynamic Data Exchange (DDE) that can be used between two computers across the network.
By default, the NetDDE services are not started automatically. They can be started using the Services option in Control Panel.
The ability to use and share file and print resources is accomplished primarily by two Windows NT components: Workstation (RDR) and Server (SVR). Both the Workstation and Server execute as 32-bit services. These services are implemented as File System Drivers (FSD). There is an FSD for each of the file systems (FAT, HPFS, NTFS, CDFS) as well as the Workstation and Server services.
The Workstation service of a Windows NT computer allows that computer to access resources on the network, including the ability to log on to a domain, connect to shared directories and printers, and use client-server applications over the network.
All user mode requests go through the Workstation service. This service consists of two components:
The Workstation service is dependent on the following components:
The redirector is a component through which one computer gains access to another computer. The Windows NT redirector allows connection to Windows NT, Windows for Workgroups, LAN Manager, LAN Server, and other Microsoft Networks servers. The redirector communicates to the protocols via the TDI interface.
When a process on a Windows NT computer tries to open a file that resides on a remote computer, the following steps occur:
The Windows NT Server service allows a Windows NT computer to create and secure shared resources, such as directories and printers, and to function as a server in a client-server application. Like the redirector, the Server service is implemented as a file system driver and directly interacts with various other file system drivers to satisfy I/O requests such as reading or writing to a file.
The Server service processes the connections requested by client redirectors, and provides them with access to the resources they request. Like the Workstation service, the Server service is composed of two parts:
Server service: A service that runs in the SERVICES.EXE process. Unlike the Workstation service, it is not dependent on the MUP service, since the Server is not a UNC provider. It does not attempt to connect to other computers, but other computers connect to it.
SRV.SYS: A file system driver that handles the interaction with the lower layers and interacts directly with various file system devices to satisfy command requests, such as file read and write.
It is possible to have more than one redirector installed on the system for use with other network operating systems such as NetWare. Applications reside above the redirector and server services in user mode. Like all other layers in the Windows NT networking architecture, there is a single unified interface to access network resources, independent of the redirector(s) installed on the system. This is done through two components: MUP and the Multi-Provider Router (MPR).
The MUP provides a communication link between applications that make UNC calls and the redirectors installed on the system. The MUP is a component that finds out which redirector should receive a UNC call from an application.
The MPR provides a communication link between applications that make Win32 Network API calls and the redirectors installed on the system.
When applications make I/O calls containing UNC names, these requests are passed to MUP. MUP selects the appropriate UNC provider (redirector) to handle the I/O request.
The UNC is a naming convention for describing network servers and share points on those servers. UNC names start with two backslashes followed by the server name. All other fields in the name are separated by a single backslash. A typical UNC name would appear as:
\\server\share\subdirectory\filename
Not all of the components of the UNC name need to be present with each command; only the share component is required. For example, dir \\server\share can be used to obtain a directory listing of the root of the specified share.
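A parser for the UNC form just described, as an added example that is not code from the original article or from the Windows NT MUP. It enforces the two rules the text gives, that a UNC name starts with two backslashes and that only the server and share components are required, and rejects names with empty components; the error messages and the is_unc helper are my own.

```python
# Added example, not code from the original article or from Windows NT's
# MUP: a parser for the UNC form \\server\share\subdirectory\filename.
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class UncName:
    server: str
    share: str
    path: Tuple[str, ...] = ()      # components below the share, if any

    def __str__(self):
        return '\\\\' + '\\'.join((self.server, self.share) + self.path)


def parse_unc(name):
    """Split a UNC name into server, share and path; raise ValueError when
    the name is not of the form \\server\share[\component...]."""
    if not name.startswith('\\\\'):
        raise ValueError('a UNC name starts with two backslashes')
    parts = name[2:].split('\\')
    if len(parts) > 2 and parts[-1] == '':
        parts.pop()                   # tolerate one trailing backslash
    if len(parts) < 2:
        raise ValueError('a UNC name needs both a server and a share')
    if any(p == '' for p in parts):
        raise ValueError('empty component (doubled backslash) in UNC name')
    server, share, *rest = parts
    return UncName(server, share, tuple(rest))


def is_unc(name):
    """True when name parses as a UNC name, False otherwise."""
    try:
        parse_unc(name)
        return True
    except ValueError:
        return False
```

parse_unc accepts the share-only form used by dir \\server\share, returns an empty path for it, and refuses a bare \\server, a drive-letter path, or a name containing a doubled backslash after the prefix.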
One of the major design goals for networking in the Windows NT environment was to provide a uniform platform upon which vendors could build networking services. MUP is a vital part in allowing multiple redirectors to coexist in the computer at the same time. MUP frees applications from maintaining UNC provider listings themselves. This allows a client computer to have multiple redirectors loaded, and to use File Manager to browse and access network resources without having to provide a unique syntax for each network redirector.
The MPR provides a communication layer between applications that make Win32 Network API calls and the redirectors installed on the system.
Not all programs use UNC names in their I/O requests. Some applications use WNet APIs (which are the Win32 network APIs). The Multi-Provider Router (MPR) was created to support these applications.
MPR is very much like MUP. This layer receives WNet commands, determines the appropriate redirector, and passes the command to that redirector. Since different network vendors will use different interfaces for communicating with their redirector, there is a series of provider DLLs between the MPR and the redirectors. The provider DLLs expose a standard interface so that MPR can communicate with the provider, and they know how to take the request from MPR and communicate it to their corresponding redirector.
The provider DLLs are supplied by the network vendor that wrote the redirector and should be installed automatically when the redirector is installed.
To efficiently share resources across a network, users should be able to find out what resources are available. Windows NT provides the Computer Browser service to display a list of currently available resources.
The Microsoft Windows NT Computer Browser service provides a centralized location for a list of available network resources. This list is distributed to specially assigned computers that, along with their other normal services, perform browsing services. "Browser" computers eliminate the need for all computers to maintain a list of all shared resources on the network. The Browser service lowers the amount of network traffic needed to build and maintain a list of all shared resources on the network by assigning the browser role to specific computers. This also frees the CPU time each computer would have had to use creating a network resource list.
The responsibility of providing a list of network resources to clients is distributed among multiple computers on a network. The Browsing roles of these computers are known to the Browser service as Potential Browser, Master Browser, Backup Browser, and Browser Clients (Non-Browsers). Both Windows NT 3.5 Workstations and Windows NT 3.5 Server computers can perform any of these roles. These computers collect and maintain a list of available network resources. These roles are defined below:
The Master Browser is the computer that maintains the master copy of the network resource list, and is responsible for collecting the information used to create the list. It is also responsible for distributing the browse list to the Backup browsers.
An administrator can configure a specific computer to be the Preferred Master Browser. When this computer is started, it will designate itself as the Master Browser for the domain or workgroup. If there is already a Master Browser, and other computers are up and running in the workgroup before this one was turned on, the Preferred Master Browser forces an "election." The election process ensures that there will only be one Master Browser per workgroup or domain and results in the Preferred Master Browser assuming the role of the Master Browser. A Preferred Master Browser will not win an election over a Primary Domain Controller as a PDC always functions as the Master Browser of the domain. More about the election process is covered later in this chapter.
A Backup Browser is a computer that receives a copy of the network resource list from the Master Browser. It then distributes the list to the Browser clients upon request.
A Potential Browser is a computer that is capable of maintaining a network resource (browse) list, but will not do so unless instructed to by a Master Browser.
A non-browser is a computer that has been configured so that it will not maintain a network resource (browse) list. Client computers are commonly non-browsers.
The Windows NT Computer Browser service operates in the following manner:
1. After startup, all computers that are running the Server service announce their presence to the Master Browser in their workgroup or domain. This happens regardless of whether they have shared resources to advertise.
2. The first time a client computer attempts to locate available network resources, it contacts the Master Browser for the domain or workgroup for a list of Backup Browsers.
3. The client then requests the network resource list from a Backup Browser.
4. The Backup Browser responds to the requesting client with a list of domains and workgroups and the list of servers local to the client's domain or workgroup.
5. The user at the client either selects a local server or a domain or workgroup to view available servers.
6. Finally the user selects the appropriate server and searches for the desired resource on which to establish a session to use that resource, and contacts the appropriate server.
For example, a Windows NT Workstation computer that belongs to a domain is turned on (Step 1). A domain user logs on to the domain and starts File Manager. The user chooses the Connect Network Drive button on the toolbar and sees "Working..." in the Shared Directories box (Steps 2, 3, and 4). The user sees a list of workgroups and domains and selects the domain to expand the list of computers (Step 5). Then the user selects one of the computers and expands a list of available shared directories on that computer (Step 6).
Browser criteria are the means by which the hierarchical order of the different types of computer systems in a workgroup or domain is determined. Each Browser computer has certain criteria, depending on the type of system it is. The criteria include:
The criteria ranking is used during an election. An election is used as a "voting" process in determining which computer should be the Master Browser in the event the current Master Browser is determined unavailable.
The election process ensures that only one Master Browser exists per workgroup or domain. An election is initiated by a computer when any of the following occurs:
Any of these computers can initiate an election by broadcasting a special packet called an election packet. This election packet contains that requesting computer's criteria value. All Browsers will receive the election packet. When a Browser receives an election packet, the Browser examines the packet and compares the requesting computer's criteria value with its own election criteria. If the receiving Browser has better election criteria than the issuer of the election packet, the Browser will issue its own election packet and enter what is referred to as an "election in progress" state. This process will continue until a Master Browser is elected, based on having the highest ranking criteria value.
To determine whether or not a Windows NT computer will become a Browser, when it initializes, the Browser service looks in the Registry for the following parameter:
\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\MaintainServerList
For optimization purposes, it is possible to configure a computer to become a Browser, or to prevent a computer from becoming a Browser.
The MaintainServerList parameter can have the following values:
No: This computer will NEVER participate as a Browser server.
Yes: This computer will become a Browser server. Upon startup, this computer will attempt to contact the Master Browser to get a current browse list. If the Master Browser cannot be found, the computer will force one to be elected. This computer will either be elected as the Master Browser or become a Backup Browser. Yes is the default value for Windows NT Server domain controller computers.
Auto: This computer may or may not become a Browser server, depending on the number of currently active Browsers, and is referred to as a Potential Browser. This computer will be notified by the Master Browser as to whether or not it should become a Backup Browser. Auto is the default value for Windows NT Workstation and Windows NT Server (non-domain controller) computers.
A Windows NT Workstation or Windows NT Server can be configured as a Preferred Master Browser. When the Browser service is started on a computer configured as a Preferred Master Browser, the Browser service will force a Browser election to occur. Preferred Master Browsers are given an advantage in elections, such that if all other things are equal, a Preferred Master Browser will always win an election and become the Master Browser.
To configure a computer as a Preferred Master Browser, set the following Registry parameter value to True or Yes:
\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\IsDomainMaster
Unless the computer has already been configured as the Preferred Master Browser, this value will be False or No. This is true even if the computer is currently the Master Browser.
As the Master Browser and Backup Browsers are established, each has its own role to play in the operation of the browsing environment. The Browsers need to communicate with each other and provide service to client computers.
When a computer that is running the Server service comes online, it must inform the Master Browser that it is available. It does this by announcing itself on the network.
Each computer announces itself to the Master Browser periodically by broadcasting on the network. Initially each computer announces itself every minute. As the computer stays running, the announcement time will be extended to once every 12 minutes. If the Master Browser has not heard from the computer for three announcement periods, the Master Browser will remove the computer from the browse list.
In addition to announcing themselves, Backup Browsers call the Master Browser every 15 minutes to obtain an updated network resource (browse) list, as well as a list of workgroups and domains. The Backup Browser caches these lists and will return the browse list to any clients who send out a browse request to the Backup Browser. If the Backup Browser cannot find the Master Browser, it forces an election.
In addition, Master Browsers periodically announce themselves to the Backup Browsers with a broadcast. When Backup Browsers receive this announcement, they refresh their Master Browser name with the new information.
Master Browsers are responsible for overseeing the entire browsing system and are responsible for receiving announcements from Windows NT 3.1, Windows NT Advanced Server 3.1, Windows for Workgroups, Windows NT Workstation 3.5, Windows NT Server 3.5, and LAN Manager systems.
Master Browsers also return lists of Backup Browsers to Windows NT 3.1, Windows NT Advanced Server 3.1, Windows NT Workstation 3.5, Windows NT Server 3.5, and Windows for Workgroups clients for their local subnet. As was discussed earlier in this section, when a system starts and its MaintainServerList parameter is Auto, the Master Browser is responsible for telling the system whether or not to become a Backup Browser.
If the Master Browser has just won an election and its browse list is empty, it can force all systems to register with it. The Master Browser does this by broadcasting a "RequestAnnouncement" packet. All systems that receive this packet must answer at a random time within 30 seconds. This 30-second range for responses prevents the Master Browser from becoming overloaded and losing replies, and also prevents the network from being flooded with responses.
If a Master Browser receives an announcement from another computer that claims to be the Master Browser, the Master Browser will demote itself from Master Browser and force an election. This ensures that there is never more than one Master Browser in each workgroup or domain.
The number of Browsers in a workgroup is determined by the number of computers in the workgroup.
Number of Systems   Number of Backup Browsers   Number of Master Browsers
1                   0                           1
2-31                1                           1
32-63               2                           1
In cases where a computer has its MaintainServerList parameter set to Auto, the Master Browser will determine the number of Backup Browsers based on the table. After this, for each additional 32 computers added to the workgroup, there will be another Backup Browser added to the workgroup.
In a domain there will be three Backup Browsers at most. This is regardless of the number of computers in the domain. If you have a large domain, you may want to either break it up, or increase the system performance for the Backup Browsers in the domain.
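The election, the MaintainServerList roles and the Backup Browser table above, worked through as an added simulation (not Microsoft's Browser service code). It assumes election criteria reduced to an integer rank plus the Preferred Master flag, and that the Master fills Backup slots from the "Auto" pool in list order:

```python
"""Simulation of the Browser election and Backup Browser assignment described
above. Added example, not Microsoft's Browser service code. Assumptions: the
election criteria are reduced to an integer rank plus the Preferred Master
flag, and the Master fills Backup slots from the "Auto" pool in list order."""
from dataclasses import dataclass


@dataclass
class Browser:
    name: str
    rank: int                           # stand-in for the election criteria value
    preferred_master: bool = False      # IsDomainMaster set to Yes
    maintain_server_list: str = "Auto"  # Registry value: No, Yes or Auto
    role: str = "Potential"

    def criteria(self):
        # Higher tuple wins; Preferred Master only decides ties between equal ranks.
        return (self.rank, self.preferred_master)


def run_election(computers, initiator):
    """Round-based model of the election broadcast: every Browser whose criteria
    beat the best packet seen so far answers with its own packet ("election in
    progress"); the election ends in a round where nobody can outbid the best.
    Returns (winner, number_of_election_packets_sent)."""
    participants = [c for c in computers if c.maintain_server_list != "No"]
    best, packets = initiator, 1
    while True:
        challengers = [c for c in participants if c.criteria() > best.criteria()]
        if not challengers:
            return best, packets
        packets += len(challengers)
        best = max(challengers, key=lambda c: c.criteria())


def backup_browser_count(n_systems, domain=False):
    """Backup Browsers for n_systems computers: none for a single computer, one
    for 2-31, one more per further 32 systems, and never more than 3 in a domain."""
    count = 0 if n_systems <= 1 else 1 + n_systems // 32
    return min(count, 3) if domain else count


def assign_roles(computers, initiator, domain=False):
    """Elect the Master, then hand out Backup roles: MaintainServerList=Yes
    computers always become Backups; Auto (Potential) computers are promoted only
    until the table is satisfied. Assumption: Yes computers count toward that number."""
    master, _ = run_election(computers, initiator)
    for c in computers:
        c.role = "Non-Browser" if c.maintain_server_list == "No" else "Potential"
    master.role = "Master"
    backups = [c for c in computers if c is not master and c.maintain_server_list == "Yes"]
    for c in computers:
        if len(backups) >= backup_browser_count(len(computers), domain):
            break
        if c is not master and c.maintain_server_list == "Auto":
            backups.append(c)
    for c in backups:
        c.role = "Backup"
    return {c.name: c.role for c in computers}


def example_workgroup():
    """Constructed 40-computer workgroup: two servers set to Yes, one workstation
    flagged as Preferred Master, 35 ordinary workstations and two set to No."""
    computers = [Browser("SRV-A", rank=3, maintain_server_list="Yes"),
                 Browser("SRV-B", rank=3, preferred_master=True, maintain_server_list="Yes"),
                 Browser("WS-PREF", rank=2, preferred_master=True)]
    computers += [Browser(f"WS-{i:02d}", rank=2) for i in range(35)]
    computers += [Browser(f"KIOSK-{i}", rank=2, maintain_server_list="No") for i in range(2)]
    return assign_roles(computers, initiator=computers[3])  # WS-00 starts the election
```

In the constructed workgroup SRV-B wins on the Preferred Master tie-break against SRV-A, SRV-A becomes a Backup because it is set to Yes, and only one Potential (Auto) computer is promoted, since 40 systems call for two Backup Browsers.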
The Master Browser maintains a list of network resources and makes this list available to Backup Browsers on the network. A client computer goes to a Backup Browser to get the current list. A client computer needs to see the browse list whenever a "net view" command is run at the Command Prompt, or when the File Manager Connect Network Drive dialog box is displayed.
If this is the first time that the client has tried to access the browse list, it needs to find out which computers are the Backup Browsers for its workgroup or domain. The client does this by issuing a "QueryBrowserServers" broadcast. The QueryBrowserServers request is received and processed by the Master Browser for the client computer's workgroup or domain. The Master Browser returns a list of Backup Browsers that are active within the workgroup or domain being queried.
If a computer fails or simply goes off-line, it will be removed from the browse list in a predetermined time frame. If the computer played a role in the browse environment, further action takes place depending on what role it played.
If a Non-Browser computer fails to announce itself to the Master Browser, it will eventually be removed from the list. For example, if the computer is powered off without being shut down or if the Server service fails, it will not announce itself. In this case, it is removed from the network resource list. After three missed announcement periods (between 1 and 12 minutes each) the Master Browser removes the computer from the browse list. Therefore, it may take up to 51 minutes before all of the Browsers know of a system failure: up to 36 minutes for the Master Browser to detect the failure, and 15 minutes for all of the Backup Browsers to retrieve the updated list from the Master Browser.
If a Backup Browser fails, it will be removed from the Master Browser browse list in the same amount of time as a Non-Browser. This is because they announce themselves in the same manner. If a client attempts to retrieve a browse list from the missing Backup Browser, the client will select another Backup Browser from its list of three Backup Browsers. If all of the client's known Backup Browsers fail, the client will attempt to get a new list of Backup Browsers from the Master Browser. If the client is unable to contact the Master Browser, the client will force an election.
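The announcement ageing and the 36/51-minute figures above, worked through as an added model (not Microsoft code). It assumes the announcement interval grows 1, 2, 4, 8 and then 12 minutes; the page only states the 1-minute start and the 12-minute maximum:

```python
"""Model of how long a failed computer stays in the browse list, built from the
announcement and refresh intervals described above. Added example, not Microsoft
code. Assumption: the announcement interval grows 1, 2, 4, 8 and then 12
minutes; the page only states the 1-minute start and the 12-minute maximum."""

ANNOUNCE_SCHEDULE = [1, 2, 4, 8, 12]  # minutes until a host's next announcement (assumed)
MISSED_PERIODS = 3                    # Master drops a host after three silent periods
BACKUP_REFRESH = 15                   # Backup Browsers re-fetch the list every 15 minutes


def announcements_before(death_time):
    """(minute, period) of every announcement a host sends before it fails silently
    at death_time (> 0); 'period' is the interval the Master expects the next one in."""
    sent, t, step = [], 0, 0
    while t < death_time:
        period = ANNOUNCE_SCHEDULE[min(step, len(ANNOUNCE_SCHEDULE) - 1)]
        sent.append((t, period))
        t += period
        step += 1
    return sent


def master_removal_time(death_time):
    """Minute at which the Master Browser removes the host: three announcement
    periods after the last announcement it heard."""
    last_seen, period = announcements_before(death_time)[-1]
    return last_seen + MISSED_PERIODS * period


def stale_window(death_time):
    """Return (master_lag, worst_total_lag): minutes after the failure until the
    Master drops the host, and until the slowest Backup Browser has refreshed."""
    master_lag = master_removal_time(death_time) - death_time
    return master_lag, master_lag + BACKUP_REFRESH
```

A host that dies just after its sixth announcement (minute 27) is dropped by the Master at minute 63, 36 minutes later, and may stay in a Backup Browser's copy for up to 51 minutes; a host that dies during its first minute is gone after 3.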
When a Master Browser fails, a Backup Browser will detect the failure within 15 minutes. When this happens, a Backup Browser will force an election to select a new Master Browser.
When the computer is shut down normally it will make an announcement that will cause the Master Browser to remove it from the list. If a Backup Browser is shutting down, it will send an announcement to the Master Browser that does NOT specify the Browser service in the list of running services. If a Master Browser is shutting down, it will send a "ForceElection" broadcast so that a new Master Browser can be chosen.
Not only do Master Browsers need to communicate within a workgroup or domain, but they need to communicate between workgroups and domains. This allows users to be able to retrieve lists of other workgroups and domains. Windows NT adds a new level of functionality to the "net view" and File Manager connect requests that allows clients to retrieve a list of available workgroups and domains from the Master Browser.
Upon becoming a Master Browser, each Master Browser will broadcast a "DomainAnnouncement" to each domain every minute for the first five minutes of its life as Master Browser. After the first five minutes, the Master Browser will make "DomainAnnouncement" broadcasts once every 15 minutes. If a workgroup or domain has not announced itself for a period equaling three times the announcement period, the workgroup or domain will be removed from the list of workgroups and domains. Therefore, it is possible that a workgroup or domain will appear in the browse list for up to 45 minutes after the workgroup or domain has ceased operations.
It is the responsibility of the Master Browser in each workgroup or domain to receive "DomainAnnouncement" packets from other workgroups and domains. The Master Browser uses these announcements to build a list of available workgroups and domains. This list is also given to the Backup Browsers every 15 minutes so that they can return a list of network resources available in their workgroup or domain as well as being able to return a list of other workgroups and domains.
The "DomainAnnouncement" packet contains the name of the domain, the name of the Master Browser for that domain, and whether the Master Browser is running Windows NT Workstation or Windows NT Server. In addition, if the Master Browser is running Windows NT Server, the "DomainAnnouncement" will also specify if the system is the domain's PDC.
Windows NT uses its own printing terminology to describe the printing process.
Under Microsoft Windows NT, a printing device refers to the actual hardware device that produces printed output. A printer refers to the software interface between the application and printing device. Each printer appears as a separate window that is managed using the Windows NT Print Manager application.
Multiple printers can be routed to one printing device. For example, if you have a printing device capable of using both PostScript® and HP PCL modes, you might want to use Print Manager to create a printer for each mode. Each printer would use a different printer driver. Printers can be assigned priorities, or be configured to print during certain hours. For example, longer or lower priority jobs could be sent to a printer that prints only at night.
In Windows NT, print jobs are sent to a printer, where they are then spooled before being sent to the printing device. In many network environments, the term print queue is used instead of printer. For example: Windows NT users submit print jobs to a printer, but OS/2 and NetWare users submit print jobs to a print queue.
A physical port is a hardware connection, such as LPT1: or COM2:, between the local computer and a printing device.
A logical port is a network connection to a remote print server or printing device, referred to as \\server\printer. Windows NT allows you to create a printer to use a logical or a physical port as the print destination.
Local printing devices are attached directly to a Windows NT Workstation or Windows NT Server computer. Remote printing devices are accessed across the network. Network-interface printing devices are printing devices with built-in network cards, and are connected directly to the network.
In a printer pool, multiple printing devices are associated with a single printer. The devices within a printer pool must be identical or must all emulate the same type of printing device. In other words, they must all be able to use the same printer driver. Windows NT imposes no limits on the number of printing devices in a printer pool.
Printer pools enable administrators to add printing devices without modifying user environments. Since printer pools are created by adding new devices to existing printers, user configurations will not need to be changed.
Print Manager is the Windows NT administrative tool that allows administrators to perform all network printer administration tasks including creating, securing, connecting to, and configuring printers. Print Manager also allows users to interact with local and remote printers.
Print Manager is used to:
Print Manager can be started from the Print Manager icon in the Main group or from the Control Panel Printers icon.
The Create Printer dialog box is used to install and configure printer drivers on Windows NT-based computers. This works for either a local printing device (a printing device that is physically attached to the computer) or a network printer. If the print server is Windows NT based, then it may be easier to use the Connect to Printer command to avoid installing a local print driver.
The second way to access a printer is to connect to a printer.
To connect to a shared network printer on another Windows NT-based computer, use the Connect to Printer command. If you are printing to a printer on a Windows NT print server, the client computer does not need to have the appropriate printer driver installed locally. Instead, the printer driver is copied across the network from the print server to the client computer. This allows the application that is printing to query the printer driver for the current printer settings, such as font information. This provides two main benefits:
The Connect to Printer command is not intended for use in connecting to a shared printer on a Windows for Workgroups-based computer or other network print server. If the command is used for that purpose, a message will appear informing the user that the computer being connected to does not have a printer driver, and the user is then given the opportunity to create a printer.
The Windows NT printer drivers are platform specific. RISC-based computers cannot use Intel printer drivers, and vice versa. In addition, the printer drivers are different for each of the supported RISC platforms. Therefore, to perform a "connect to" from one platform to any other platform requires the drivers for each client platform to be installed.
To avoid installing a printer driver on every Intel-based computer that will be printing to a RISC-based Windows NT print server, the Intel version of the printer device driver should be installed on the print server. Likewise, if the print server is Intel-based and the client computers are RISC-based, you should install the RISC-based drivers on the print server. That way, when any platform client connects to a print server, the appropriate printer driver will be downloaded to the client for use.
Print Manager allows you to administer network print servers remotely. You can change the properties of existing printers, as well as install new printers or remove printers. To administer printers you must have Administrator or Full Control permission on the printer at the print server.
A printer pool is a grouping of multiple printing devices connected to a single printer. A printer pool allows users to print to a single printer and let the print spooler determine which printing device is available. When a printer is created, you should select the port in the Print To list that has the most efficient printing device attached to it. This will be the first printing device considered by the spooler.
To add more printing devices to the pool, choose the Details button in the Create Printer dialog box and select the additional ports you want. The selected ports can be of a mixed variety, such as serial, parallel, and so on. Routing is based on the order in which the ports are chosen, so add the fastest ports first. All printing devices in a printer pool must be able to use the same printer driver. This list box can also be used to remove a persistent network connection to a print server.
All printing devices in the printer pool share the same printer name and act as a single device. Pausing the printer will pause the entire printer pool, and changing any properties will affect all printing devices in the printer pool.
RAS connects users over phone lines through the Remote Access Service to a remote network. Once a user has made a connection, the phone lines become transparent and the user can access all network resources as if they were sitting at a computer in an office that was directly attached to the network. RAS makes a modem act like a network card, projecting your remote computer onto a LAN.
Windows NT RAS clients can connect to LAN Manager, Windows for Workgroups, Windows NT 3.1, and Windows NT Server 3.5 RAS servers. In addition, RAS clients can also connect to non-Microsoft dial-in servers, such as UNIX-based dial-in servers (via the SLIP and PPP standards).
Windows NT RAS servers can be connected to by LAN Manager, Windows for Workgroups, Windows NT Workstation, and Windows NT Server 3.5 RAS clients. In addition non-Microsoft clients can also connect to Microsoft servers, such as UNIX-based dial-in clients (via the PPP standard).
Any network application that uses any of the following interfaces will work over RAS:
Windows NT RAS supports up to 256 simultaneous inbound connections in the Windows NT Server network operating system, and one inbound connection in Windows NT Workstation. A multiport serial device, such as a Digiboard® adapter, can provide multiple serial ports on one RAS server. The drivers for Digiboard adapters ship with Windows NT Workstation and Windows NT Server 3.5.
When accessing NetBIOS resources, the limit to the number of simultaneous connections is 250. This is a limitation of the number of NetBIOS names that can be registered by a single system. When using Windows Sockets over TCP/IP or IPX, there are no software limitations to the number of simultaneous connections that can be made to the RAS Server. The maximum number of simultaneous connections that has been tested by Microsoft is 256.
RAS software compression is now supported in Windows NT 3.5. This software compression is based on the Microsoft DRVSPACE compression algorithm (from the MS-DOS operating system 6.22) with an average 2:1 compression ratio. Using software compression can improve connection speeds as much as eight times faster than a connection without compression.
The RAS server is multithreaded and can take advantage of multiprocessors. This allows threads of the Remote Access Service to run on multiple processors in a computer at the same time, improving RAS performance.
RAS supports the following methods for establishing a connection between the RAS client and the RAS server.
Windows NT RAS uses standard modem connections over Public Switched Telephone Networks (PSTN).
An X.25 network transmits data with a packet-switching protocol. This protocol relies on an elaborate worldwide network of packet-forwarding nodes that participate in delivering an X.25 packet to the correct address.
All remote workstations will be able to use an X.25 network by dialing an X.25 Packet Assembler/Disassembler (PAD). Windows NT Server 3.5 Remote Access Services have direct access via X.25 adapters, and Windows NT Workstation computers have direct X.25 connectivity in addition to asynchronous access to X.25 PADs.
ISDN offers much faster communication than a standard telephone line, operating at speeds of 64 to 128 kilobits per second.
Windows NT Remote Access Service implements a number of security measures to ensure that the remote user is a valid remote access user on the network. In some ways, going through RAS is more secure than sitting right at your network.
The RAS server uses the same user account database as the Windows NT 3.5 Server. This provides for easier administration, since users will log on with the same user account that they use at the office. This ensures that users will have the same privileges and permissions they normally have.
In order to connect, a user must have a valid Windows NT user account as well as the RAS dialin permission. Users must be authenticated by RAS before they are even allowed to attempt to log on to Windows NT.
All authentication and logon information is encrypted when transmitted over the phone line.
With auditing enabled, RAS will generate audit information on all remote connections, including activities such as authentication, logons, and so on.
It is possible to add another level of security to a RAS configuration by connecting an intermediary security host between the RAS Client(s) and the RAS Server(s). When an intermediary security host is used, the user will have to type a password or code to get past the security device before a connection will be established with the RAS Server.
The RAS server can be configured to provide call backs as a means for increasing security. This allows another level of security by having the RAS server call the remote user to verify connection to the local network.
© 1995 Microsoft Corporation.
©1996 Microsoft Corporation