
CHAPTER 7

WINDOWS NT (2000)

Concepts Reinforced
OSI Model
Client/Server Technology Model
LAN Software
Protocols and Standards
Network Architecture
Network Operating Systems Functionality
Network Operating Systems Architectures

Concepts Introduced
Hardware Abstraction Layer
NT Communication Protocols
NT Architecture
NT Functionality
NT Servers
NT Clients
NT Interoperability
NetWare/NT Interoperability

After mastering the material in this chapter you should:

1. Understand the major architectural and functional features of Windows NT
2. Understand the key differences between Windows NT 4.0 and Windows 2000 Professional
3. Understand the communication protocols underlying the Windows NT network operating system
4. Understand the options and limitations for interoperability between Windows NT and other platforms such as UNIX, NetWare, and Macintosh
5. Understand the remote access options associated with Windows NT
304 Chapter Seven Windows NT (2000)

INTRODUCTION

Like NetWare, Windows NT is a fully integrated network operating system incorporating both standard operating system and network operating system functionality into a single integrated product. Unlike NetWare, Windows NT was designed from the outset to be both portable and scalable. Portability is evidenced by Windows NT's ability to execute on multiple different CPUs such as Intel x86 and DEC Alpha. Scalability is provided through symmetrical multiprocessing support. Portability and scalability are only two of the important architectural characteristics exhibited by Windows NT that will be explored in this chapter. Windows NT distinguishes itself from NetWare by its ability to successfully support high-powered applications such as database engines, in addition to admirably performing print and file services.

The overall purpose of this chapter is to introduce the reader to the important architectural and functional characteristics of Windows NT. While direct comparisons between NetWare and Windows NT will be made throughout the chapter, the outline of the chapter is similar to that of the chapter on NetWare (Chapter 6) in order to ease comparison.

The current version of Windows NT is NT 4.0. Microsoft is readying Windows 2000 (a.k.a. Windows NT 5.0) for release sometime in early 2000. This chapter will focus on the basic characteristics of Windows NT as implemented in NT 4.0 and announced for Windows 2000.

Having carefully reviewed the chapters on NetWare and Windows NT as part of an overall top-down, business-oriented networking analysis, the reader should feel comfortable making recommendations as to whether either of these two powerful and popular network operating systems will meet their identified networking needs.

WINDOWS NT 4.0

Windows NT was developed by Microsoft as a "New Technology" (NT) platform to address the shortcomings of the Windows 3.x and LAN Manager product lines. The key new technologies introduced in Windows NT were preemptive multitasking and virtual machines. NT quickly gained acceptance in small to mid-size environments where its ease-of-use features outweighed its network object management architectural limitations.

The initial release of Windows NT was 3.1 (to correspond to Windows 3.1) rather than the traditional 1.0. After releasing versions 3.5 and 3.51, Microsoft released NT 4.0 in mid-1996. NT 4.0 combines the user interface initially released with Windows 95 with the stability of the Windows NT architecture.

Overall Architecture

Windows NT 4.0 is an integrated network operating system designed to support single server environments through enterprise-wide deployments. Windows NT 4.0 is available in three versions:

• Windows NT Workstation
• Windows NT Server
• Windows NT Server Enterprise Edition

Windows NT Workstation is architecturally identical to NT Server. The differences between the two platforms are in the services provided and in the performance tuning. Since NT Workstation is designed to serve as a user workstation, some NT Server network services are not included. Examples of NT Server services that are not available in NT Workstation include Web, FTP, and DNS services. Similarly, in NT Workstation, processor priority is focused on foreground applications at the expense of background services.

Windows NT Workstation is just one of the possible client platforms that can interact with Windows NT Server. In addition, several computers running Windows NT Workstation can be linked to each other in a peer-to-peer network architecture. A Windows NT Workstation computer supports only ten incoming connections.

Windows NT Server Enterprise Edition expands NT Server's scalability. SMP extensibility is increased to support up to 32 processors on systems with special hardware. Clustering and load balancing support allow multiple NT servers to be tightly integrated. Using Windows NT Load Balancing Services (WLBS), up to 32 NT servers can be clustered into a single network address, greatly increasing processing capacity. From the perspective of a network client, this cluster of servers appears to be a single server.

Windows NT Server Terminal Server Edition includes special extensions that support ultra-thin clients. Ultra-thin clients, also known as network computers (NC), act as a graphical terminal to applications that are actually running on the server. Compared to traditional client/server applications, a network computer solution requires significantly more server resources because the server runs the applications for each client. A complete description of network computers is provided in Chapter 10. Figure 7-1 lists the key characteristics of the NT 4.0 platform.
Figure 7-1 Windows NT 4.0 Server Technology Analysis Grid

Columns: (a) Windows NT 4.0 Server; (b) Windows NT 4.0 Server Enterprise Edition; (c) Windows NT 4.0 Server Terminal Server Edition. Where a single entry is given, it applies to all three.

Hardware and Platform
  Supported Processors: Intel x86 (386 or better); Digital Alpha; PowerPC (while originally supported, support was dropped with Service Pack 3)
  Required Memory: (a) 32 MB; (b) 64 MB; (c) 128 MB
  Symmetrical Multi-Processing: (a) 4 processors; (b) 16 processors (up to 32 processors possible with special hardware); (c) 16 processors (up to 32 processors possible with special hardware)

Operating System
  Program Structure: 32 bit
  Memory Architecture: Virtual Machines
  Preemptive Multi-tasking: Yes
  Clustering: (a) No; (b) Yes; (c) Yes
  Load Balancing: (a) No; (b) Yes; (c) Yes
  File System: (a) FAT, NTFS; (b) FAT, NTFS; (c) NTFS
  User Interface: GUI
  Network Drivers: NDIS
  Application Program Interface(s): Win32
  CD-ROM Support: Yes

Management and Administration
  Network Object Management System: Domain Name Services
  Administrative Location: Administration can be performed either from the server, from clients using utility applications, or via HTTP (WWW)

Network Services
  Thin Client (Network Computer) Support: (a) No; (b) No; (c) Yes
  Network Protocols Supported: IPX/SPX; NetBEUI; TCP/IP; AppleTalk (Macintosh support only); DLC (printing only)
  Multiprotocol Routing: Yes (capabilities can be expanded via add-on product)
  Native Services: File and print; FTP; Web
  Common Third-party Services: Electronic mail; Database; Firewall; etc.
  Clients Supported: DOS; Windows 3.x; Windows 9x; Windows NT; UNIX; OS/2; Macintosh

Operating System Architecture and Characteristics

In addition to scalability and portability, stability is a very important functional characteristic of Windows NT. Compared to Windows 3.x and Windows 9x, Windows NT is relatively crash proof. This system stability can be largely attributed to rigid enforcement of structured access to hardware resources. Application programs and APIs are prohibited from interacting directly with hardware resources in Windows NT. Instead, applications and APIs must access hardware resources by requesting services through system services collectively referred to as the NT Executive.

As illustrated in Figure 7-2, communication between the various NT Executive sub-systems and the I/O manager is controlled by the NT Kernel, sometimes referred to as the microkernel. Communication with hardware resources is allowed to occur by either of the following methods:

• Through the system services layer, through the NT kernel, through the hardware abstraction layer, to the hardware resources
• Through the system services layer, through the I/O manager and its sub-systems, through the hardware abstraction layer, to the hardware resources

This stable architecture with structured communication between sub-systems affords NT another architectural characteristic known as modularity of design, which allows entire sub-systems to be easily added or replaced. For example, replacement of the current Windows NT security sub-system with a Kerberos-enabled authentication system would be a relatively straightforward modification.

Figure 7-2 Windows NT Architecture (diagram of the Windows NT kernel architecture: applications and the DOS and other protected subsystems (servers) run in user mode above the NT executive; the subsystems communicate by message passing, enter the executive through a system trap, and the executive alone performs hardware manipulation)

Hardware Abstraction Layer  As illustrated in Figure 7-2, most of the hardware-specific portions of Windows NT are isolated in a sub-section known as the hardware abstraction layer, or HAL. The hardware abstraction layer in Windows NT provides similar functions to the BIOS in DOS. The HAL can be thought of as a hardware API. It takes standard calls from the kernel and converts them into specific instructions for the underlying hardware. From the perspective of the kernel, every HAL looks identical. To execute Windows NT on any given CPU chip, the following major steps are required:

• Develop a hardware-specific version of the hardware abstraction layer
• Supply a compatible Microsoft C compiler, since Windows NT is written in C
• License the Windows NT source code from Microsoft
• Recompile the Windows NT source code with the C compiler that executes on this new CPU

Routines or system calls embedded within the HAL can be called from either the NT kernel or from device drivers included in the NT I/O manager.

NT Executive  The NT executive is comprised of the NT kernel plus a variety of sub-systems known collectively as system services. Among these system services are the following:

• I/O Manager
• Local Procedure Call Manager
• Object Manager
• Process Manager
• Virtual Memory Manager
• Security Reference Monitor

NT Kernel  The NT kernel runs over the hardware abstraction layer and controls the overall traffic flow of messages throughout the operating system. The NT kernel is more specifically concerned with handling interrupts and exceptions for communication between sub-systems and between hardware resources and the operating system. As part of the management of all inter-sub-system communication, the kernel is responsible for constantly checking with the NT executive's security sub-system to ensure that requests for services have been properly authorized. More specifically, the NT kernel is responsible for:

• Thread scheduling in NT's multithreaded environment
• Multiple processor synchronization when NT runs on an SMP-capable computer
• Interrupt and exception handling
• System crash recovery
• Security checking and enforcement

Interrupt handling occupies the majority of the NT kernel's time, since an interrupt to the NT kernel is generated for every NT executive sub-system interaction. The NT kernel runs in privileged mode and is never paged out of memory.

I/O Manager  The I/O Manager is in charge of managing all input and output for the Windows NT operating system. As illustrated in Figure 7-2, the I/O manager is particularly concerned with managing the communication between:

• Device drivers
• Network drivers
• Cache Manager
• File System Drivers

Device drivers, otherwise known as hardware device drivers, are specifically written to support a particular hardware device such as a printer, keyboard, or mouse. Windows NT provides a standardized environment within the I/O manager in which these device drivers can execute. Thanks to this standardized environment, device drivers will, once recompiled, operate on any platform on which Windows NT is supported. Device drivers are written in C, like Windows NT, and can be easily swapped or added.

Network drivers will be discussed in more detail in the Communication Protocols section of this chapter. Many of the network drivers supported by Windows NT have been previously mentioned. For example:

• NetBIOS, the Redirector, and the SMB server interface to applications and file systems.
• Communication protocols such as TCP/IP, NetBEUI, and IPX/SPX provide transport services.
• NDIS provides the ability for a network interface card to support multiple protocols, as well as the ability for a network operating system to communicate with more than one NIC in a single computer.

The cache manager works closely with the file systems supported by NT to optimize file services offered to applications. By effectively managing cache memory, the cache manager can minimize the number of physical reads and writes to disk, thereby optimizing the performance of application programs. Cache management becomes especially critical when NT is operating in an SMP environment due to the increased processing speed.

Windows NT supports multiple different file systems, including FAT (DOS) and NTFS. In order for NT to communicate with these multiple different file systems, an intermediate layer of software interacts with both NT and the particular file system that is required. These specially written intermediate layers of software are known as file system drivers. When file system services are required by applications, the file system is accessed by the I/O manager via the proper file system driver.

The modular design of the I/O manager allows these categories of drivers to be changed and allows simultaneous support of multiple file systems and drivers. Often, requests for I/O services come from application programs indirectly via the Win32 subsystem. The I/O manager oversees the interaction among the various categories of drivers to ensure that application programs are delivered requested services in a timely fashion. Communication among these various drivers is standardized by the I/O manager through the use of I/O request packets.

Local Procedure Call Facility  Windows NT adheres to a client/server model internally. Application programs that request services of the NT operating system via sub-system services are considered clients, whereas the NT operating sub-systems that service those requests are considered servers. The internal communication within Windows NT between internal client requests and server responses is controlled by the Local Procedure Call Facility, a message-passing system. The exact nature of the message passing between application programs and NT system services will be explored further in the Application Services section of this chapter.

Object Manager  Objects in the context of Windows NT are anything that the NT operating system or any of its sub-systems can manipulate, access, or use in any way. Files, directories, and application program threads are all examples of objects. Object categories differ in the types of operations that can be performed on them and in the authorization level required to perform the given operation. The object manager is responsible for overall management of all NT objects, including enforcement of naming conventions and authorization. In a very real sense, the object manager is responsible for object security.

Process Manager  A process can be thought of as the execution environment of an application program. The process includes the executable code of the application as well as the required memory space in which to execute the program. The process manager is ultimately responsible for the creation, maintenance, and termination of processes within Windows NT and communicates with the object manager and virtual memory manager in order to provide the required resources and protection for processes.

Virtual Memory Manager  To allow application programs to easily access large amounts of memory space beyond the limits of the physically installed memory, Windows NT uses portions of the disk drive as virtual memory. Every process is able to access up to 4 GB (gigabytes) of virtual address space, provided adequate disk space is available. In a process known as demand paging, the Virtual Memory Manager transparently moves program code and data between assigned physical RAM and the disk-based paging file, unbeknownst to the unsuspecting process. Much like the object manager and the process manager, the virtual memory manager also ensures that processes are protected from each other by preventing processes from writing into each other's memory space.

Security Reference Monitor  Yet another source of security for processes and the objects they manipulate is the security reference monitor. The security reference monitor is primarily concerned with performing authentication and authorization for processes that wish to access objects and for users that wish to access the system via the logon process. The security reference monitor also generates audit messages to ensure proper records are kept that accurately record a wide variety of system activities.
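As an added illustration of the authorization step just described (example code written for this edition, not part of the original chapter and not Windows source), the following Python models the check the security reference monitor performs against an object's discretionary access control list. The rights bits, SIDs and group names are made-up values; the rules it implements are the real ones: ACEs are evaluated in the order they are stored, a matching access-denied ACE that covers any still-ungranted right fails the request, allowed rights accumulate until everything requested is granted, and an object with no DACL at all grants everyone everything.

```python
"""Toy model of a Security Reference Monitor DACL access check.

Added example: not Windows source.  Rights bits, SIDs and groups are
made-up values; the evaluation rule is the real one.
"""
from dataclasses import dataclass

# Toy access-right bits (stand-ins for the Win32 FILE_READ_DATA etc. masks)
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8
ALL = READ | WRITE | EXECUTE | DELETE


@dataclass(frozen=True)
class Ace:
    kind: str    # "allow" or "deny"
    sid: str     # user or group the ACE applies to
    mask: int    # rights covered by this ACE


@dataclass(frozen=True)
class Token:
    user_sid: str
    group_sids: frozenset


def access_check(token, dacl, desired):
    """Return (granted, reason) for the `desired` rights against `dacl`.

    `dacl` is the list of ACEs in the order stored on the object, or None.
    An object with no DACL at all (a NULL DACL) grants everyone everything,
    the classic misconfiguration; an empty list grants nothing.
    ACEs are evaluated in order: a deny ACE that covers any still-ungranted
    right fails the check; allow ACEs accumulate rights until all requested
    rights are granted.
    """
    if desired == 0:
        return False, "nothing requested"
    if dacl is None:
        return True, "NULL DACL: no protection"
    principals = {token.user_sid} | token.group_sids
    remaining = desired
    for ace in dacl:
        if ace.sid not in principals:
            continue                            # ACE is for someone else
        if ace.kind == "deny" and ace.mask & remaining:
            return False, f"denied by ACE for {ace.sid}"
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True, "all rights granted"
    return False, "no ACE grants the remaining rights"


# Canonical order: explicit denies first, then allows.
CANONICAL_DACL = [
    Ace("deny", "Guests", WRITE | DELETE),
    Ace("allow", "Users", READ | WRITE | EXECUTE),
    Ace("allow", "Administrators", ALL),
]
# Same ACEs with the deny moved last: it can no longer protect a right that
# an earlier allow has already granted.
NONCANONICAL_DACL = [CANONICAL_DACL[1], CANONICAL_DACL[2], CANONICAL_DACL[0]]

# Constructed sample tokens
ALICE = Token("S-1-5-21-1000", frozenset({"Users"}))
GUEST = Token("S-1-5-21-2000", frozenset({"Users", "Guests"}))

if __name__ == "__main__":
    for who, tok in (("alice", ALICE), ("guest", GUEST)):
        print(who, "WRITE canonical:", access_check(tok, CANONICAL_DACL, WRITE))
        print(who, "WRITE non-canonical:", access_check(tok, NONCANONICAL_DACL, WRITE))
```

The two DACLs hold exactly the same ACEs; only their order differs, and the non-canonical order lets a member of Guests write to the object because the allow ACE for Users is reached first. This is why ACL editors re-sort entries into canonical order, and why the effect of an access check cannot be reasoned about from the set of ACEs alone.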

Multiprocessing, Multitasking, Multithreading  Thanks to its limited functional focus on the management of overall traffic flow through the operating system, the NT kernel can be executed on any CPU in an SMP (Symmetrical Multi-Processing) computer. This arrangement allows any processor in an NT multiprocessor arrangement to offer full multithreaded operating system functionality. Windows NT 4.0 is able to run on as many as 16 processors simultaneously (32 with special hardware, as listed in Figure 7-1).

Windows NT is a preemptive multitasking operating system, implying that applications are preempted, or replaced with other application programs, once their allotted amount of CPU cycles has been consumed. In this scenario, the Windows NT operating system never relinquishes full control of the CPU or memory resources to the application programs. Windows NT retains the ability to interrupt any application program.

Memory Architecture  Windows NT offers protected memory application execution via the use of Ring 0 and Ring 3 assignments. Windows NT applications are normally executed in user mode (Ring 3), where they are limited to their own protected memory area. This prevents applications from writing into each other's memory space and thereby causing general protection faults and system crashes. In order to access the I/O manager portion of the NT executive, applications must request a transition into kernel mode (Ring 0) through a system service call; the application code itself never executes in Ring 0. Architecturally, user mode and kernel mode processes and sub-systems are illustrated in Figure 7-2.

MULTITHREADED KERNELS AND SMP SCALABILITY (Sharper Focus)

SMP scalability refers to the percentage of increased performance achieved for each additional CPU. For example, 100% SMP scalability implies that adding a second CPU will double the original performance or computing power of a computer and that adding a third CPU will triple the original performance of a computer. In reality, due to the operating system overhead caused by having to coordinate the efforts of multiple CPUs, 100% scalability is impossible to achieve.

Not all network operating systems achieve the same level of SMP scalability. Network operating systems vary in their level of SMP scalability depending on whether or not the network operating system's kernel is multithreaded. Although OS/2 and Windows NT are both considered multithreaded operating systems capable of SMP, only Windows NT's kernel is multithreaded. In other words, although multiple threads can execute simultaneously across multiple CPUs in user mode in OS/2, when a thread requires I/O services and is required to enter kernel mode, only a single thread can be in kernel mode at any single point in time. In contrast, in Windows NT, multiple threads executing on multiple CPUs can be in kernel mode simultaneously. Figure 7-3 illustrates the effects of single-threaded and multithreaded kernels within multithreaded operating systems.
Figure 7-3 Single Threaded vs. Multithreaded Kernel (diagram. Single threaded kernel: multiple, simultaneous threads of execution in Ring 3, but only a single kernel-mode thread of execution, with the remaining threads blocked from kernel mode. Multi-threaded kernel: multiple, simultaneous threads of execution in Ring 3 and multiple, simultaneous threads of execution in kernel mode.)

File Systems  As previously mentioned, NT supports the following file systems:

• FAT (File Allocation Table): compatible with DOS (the only file system supported on diskettes)
• NTFS (NT File System): Windows NT
• CDFS (CD File System)

Windows NT can also support simultaneous access to NetWare files stored on NetWare servers thanks to a layer of software that acts as a sort of redirector for file system requests, known as the Multiple Provider Router (MPR). The MPR is an open interface that accepts requests to any supported file system from application programs adhering to the Win32 API. It is the MPR's responsibility to examine each request for file system services and route the request to the server housing the requested file system.

FAT  The FAT file system provides support for the legacy DOS file system. Using FAT, filenames are limited to eight characters plus a three-character extension, whereas filenames in Windows NT can be up to 255 characters in length. To resolve this difference in available length, a FAT-compatible eight-plus-three conventional name is automatically created for files with long filenames. For example, although this chapter was created as "Chapter [Link]" on an NT computer with NTFS, when it is edited on a laptop running Windows 98 with FAT, the file is loaded as "CHAPTE~[Link]". Both FAT and NTFS partitions can be created on the same disk, and files can be easily copied between the two file systems by NT. NT's FAT file system allows filenames of up to 255 characters on floppy diskettes.

NT FAT VERSUS FAT32 (Practical Advice and Information)

It is important to differentiate between the traditional 16-bit FAT file system (FAT16), as implemented in DOS, Windows NT, and the original release of Windows 95, and FAT32, the revised FAT file system introduced in Windows 95 OEM Service Release 2 (OSR2, or Windows 95B) and Windows 98. Windows NT 4.0 can only access disk partitions formatted with FAT16. FAT32 partitions created with Windows 95 or 98 are not accessible by Windows NT 4.0.

NTFS

NTFS took the positive attributes of the FAT file system and added features required to support very large files and disk drives, as well as features to increase security, reliability, and recoverability. Figure 7-4 summarizes the key features of NTFS.

Figure 7-4 NTFS Features

Access Control: Access control permissions can be assigned to individual files as well as to directories.

Master File Table: Contains records for each file and directory. NTFS records concerning the organization of NTFS and the Master File Table (MFT) are redundant in case the primary record becomes corrupted. Small files (less than 1500 bytes) are stored entirely within the MFT for faster access.

NTFS File Attributes: File attributes are contained within a file. The list of file attributes can be customized for particular environments (Mac, UNIX) and can be added to in order to extend NTFS functionality.

Filenames: NTFS allows filenames up to 255 characters but also generates 8-plus-3 names for FAT/DOS compatibility.

POSIX Compliance: POSIX compliance allows UNIX applications to access files stored in NTFS on Windows NT. To do this, NTFS needs to support some unique POSIX file attributes such as: case-sensitive filenames; hard links that allow a given file to be accessed by more than one filename; additional time stamp attributes to show when a given file was last accessed or modified.

Macintosh Support: Windows NT Services for Macintosh allows files to be accessed by both Macintosh users and normal Windows NT clients. To the Mac users, the NT server looks like an AppleShare server. NTFS supports unique Mac file attributes such as resource and data forks as well as the Finder utility. Macintosh access control permissions are also supported.

Hot Fixing: If NTFS finds a bad sector on a SCSI disk, it will automatically move the affected files and mark that segment as bad without the need for any user intervention.

File System Recovery Process: NTFS uses the cache manager to buffer disk writes, known as lazy-write, and also runs a transaction log on all disk writes to allow NTFS to recover from system crashes.

NTFS FILE SYSTEM RECOVERABILITY (In Sharper Focus)

NTFS treats its file system activity in a manner similar to distributed database transactions: if transactions are not successfully completed for any reason, a mechanism is in place to either re-post or roll back those transactions to maintain database integrity.

The same scenario applies to NTFS. File system activity is looked upon as a series of transactions that is documented by the log file service of NTFS. In the unlikely event of a Windows NT system crash, two types of file system transactions would require scrutiny:

• Transactions that were being held in disk cache for lazy-write posting and were therefore not physically written to disk when the system crashed.
• Transactions that were in the midst of posting when the system crashed.

The log file service records two types of information. Redo information allows transactions that were still sitting in disk cache to be re-posted. Periodically, NTFS writes a checkpoint noting which transactions had already been physically written to disk. In the event of a system crash, these checkpoints make the recovery process more expedient. Undo information allows transaction entries that were in the midst of posting to be rolled back, or undone.

The NTFS file system is self-recovering. No file clean-up utility needs to be run by the users. Upon initialization, NTFS checks to see if it went down dirty. If the file system is determined to be dirty, it performs an analysis pass with the help of the log file service to determine where it left off when the system crashed. NTFS then re-posts file system transactions based on the log file service's redo and checkpoint information and removes partial or corrupted transactions based on the log file service's undo information. This entire process of file system recovery takes only a matter of seconds. In contrast, a file recovery on a 1.2 GB NWFS partition under NetWare 4 takes approximately 35 minutes.
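To make the redo/undo mechanism concrete, here is an added example (not NTFS code; LogRecord and Volume are names invented for this illustration) of a write-ahead log with a lazy-write cache, checkpoints, and the analysis, redo and undo passes described above. The constructed scenario in crash_scenario() loses the cache at the moment one transaction has committed but is still only in cache and another is half-written; recovery must re-post the first and roll back the second, including a change the second made on top of the first.

```python
"""Toy write-ahead log with lazy-write cache, checkpoints and redo/undo
recovery, in the style of the NTFS log file service.

Added example: a teaching model, not NTFS's record format.  The names
LogRecord and Volume are invented for this illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class LogRecord:
    lsn: int                       # log sequence number, monotonic
    txn: int                       # transaction id (0 for checkpoints)
    kind: str                      # "update", "commit" or "checkpoint"
    cluster: Optional[int] = None
    redo: Optional[bytes] = None   # new contents
    undo: Optional[bytes] = None   # previous contents; None = did not exist
    active: tuple = ()             # checkpoint only: transactions still open


class Volume:
    def __init__(self):
        self.disk = {}       # cluster -> bytes actually on the platter
        self.cache = {}      # cluster -> bytes waiting for lazy write
        self.log = []        # written through, never lazy
        self.open_txns = set()
        self._lsn = 0

    def _append(self, **fields):
        self._lsn += 1
        self.log.append(LogRecord(lsn=self._lsn, **fields))

    def begin(self, txn):
        self.open_txns.add(txn)

    def write(self, txn, cluster, data):
        """Log the change first, then stage it in the lazy-write cache."""
        old = self.cache.get(cluster, self.disk.get(cluster))
        self._append(txn=txn, kind="update", cluster=cluster, redo=data, undo=old)
        self.cache[cluster] = data

    def commit(self, txn):
        self._append(txn=txn, kind="commit")
        self.open_txns.discard(txn)

    def checkpoint(self):
        """Flush the cache and record which transactions are still open."""
        self.disk.update(self.cache)
        self.cache.clear()
        self._append(txn=0, kind="checkpoint", active=tuple(sorted(self.open_txns)))

    def crash(self):
        """Power loss: the cache is gone, the log and the disk survive."""
        self.cache.clear()
        self.open_txns.clear()

    def recover(self):
        """Analysis, redo and undo passes; returns what was redone/undone."""
        # Analysis: start at the last checkpoint with its set of open txns
        start, active = 0, set()
        for i, rec in enumerate(self.log):
            if rec.kind == "checkpoint":
                start, active = i, set(rec.active)
        committed = set()
        for rec in self.log[start:]:
            if rec.kind == "update":
                active.add(rec.txn)
            elif rec.kind == "commit":
                active.discard(rec.txn)
                committed.add(rec.txn)
        # Redo: re-post every committed update logged after the checkpoint
        for rec in self.log[start:]:
            if rec.kind == "update" and rec.txn in committed:
                self.disk[rec.cluster] = rec.redo
        # Undo: roll back in-flight transactions, newest change first.  A txn
        # open at the checkpoint may have changes before `start`, so this
        # pass walks the whole log.
        for rec in reversed(self.log):
            if rec.kind == "update" and rec.txn in active:
                if rec.undo is None:
                    self.disk.pop(rec.cluster, None)
                else:
                    self.disk[rec.cluster] = rec.undo
        return {"redone": sorted(committed), "undone": sorted(active)}


def crash_scenario():
    """Constructed scenario: one committed txn still in cache, one in flight."""
    v = Volume()
    v.begin(1)
    v.write(1, 10, b"A")
    v.commit(1)
    v.checkpoint()                 # cluster 10 = A reaches the disk here
    v.begin(2)
    v.write(2, 10, b"B")
    v.write(2, 11, b"C")
    v.commit(2)                    # committed, but only in cache
    v.begin(3)
    v.write(3, 12, b"D")
    v.write(3, 10, b"E")           # never commits
    v.crash()
    return v.disk, v.recover()


if __name__ == "__main__":
    print(crash_scenario())
```

The undo record for transaction 3's write to cluster 10 holds B, not A, because it was taken from the cache after transaction 2 wrote there; that is what lets the undo pass land on the committed value rather than the pre-checkpoint one.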

":r:
i iiti.. ..,..., N{,{STER FIIE TABTE DESIGN INSURES FASTACCESS I\D RELL{BILITY
..,,,,',1']]:::ll']]::,,:,,lll :]l',,1,:' The design of the Master File Table attempts to accomplish two key, often
contradictory, objectives :
',:tll':EháiPer
Focus

Fast performance and lookups, especially on small files and directo-


ries
Reliable performance thanks to numerous redundant features

Interestingly, the Master File Table is able to accomplish both of these


objectives quite well. First, the definition of the records within the MFT
allows small files and directories to actually be included on the MFT
record, thereby precluding the need for any further searches or disk
accesses. For larger directory files, NTFS uses a hierarchical B-tree struc-
ture to ensure fast performance and directory lookups on larger directories
as well.
Reliability is ensured through the relationship of the following redun-
dant features as illustrated in Figure 7-5:

Redundant MFT Master Records-MFT Mirror Record


Redundant MFT Files and Data segments-MFT Mirror File
Redundant boot sectors

.r*1ffiilil1ri

,-¡¡4$f¡d!l
NTFS 317

xr
d-
d
k-
trS
of Location of Master Also holds location
File Table and of Master File Table
Master File Table and l4aster File
t0 Mitror File data
segments
Table l\¡iror File
data segments.
tTr recorded here.

ÉS
he
bg
Dr- Describes key
lvlaster F¡'e
his Table
characterislics
rr-
k€s

numbers, the l¡rst 16 are


reserued for MFT management.

Eigure 7-5 Built-in Reliability in the Master File Table Design

Fault Tolerance  Windows NT offers the following fault-tolerant features, most of which have been described in detail in previous chapters:

• Disk Mirroring, in which all data written to one disk are also written to a second redundant disk. In the event that the primary disk fails, the redundant disk takes over immediately.
• Disk Duplexing, which improves upon disk mirroring by ensuring that the two mirrored disks are also supported by separate disk controllers, thereby eliminating another potential point of failure.
• Disk Striping with Parity, otherwise known as RAID 5, allows data to be reconstructed from among the redundant array of disks in the event of a disk failure. Software-based RAID offers a less expensive alternative to hardware RAID sub-systems available from a variety of vendors.
• UPS support is especially important because of the function of the cache manager within Windows NT. In order to optimize system performance, physical writes to disk are not always performed immediately upon the execution of a "save" command. This information is often stored in cache memory until a convenient time to access the disk. If the system should shut down unexpectedly, all information stored in cache memory is lost. By having the ability to support uninterruptible power supplies, NT can execute an orderly system shutdown when necessary, thereby saving all cached information.

Management and Administration

Windows NT 4.0 uses a domain naming system approach to network object
management. While this approach provides greater scalability than
independent servers, it is not as scalable as a complete directory
service solution.

Administration of NT systems is made easier by the graphical nature of
the system. NT systems can be administered from the server itself, from
clients on the network using optional tools, or via the web using the
webadmin package in conjunction with the optional NT web server.

Domains and Workgroups Unlike NetWare 4 and 5, Windows NT does not have
a single, universal database in which all user and network resource
information is stored and maintained. Instead, Windows NT networks are
organized around the concept of domains. A domain is a collection of
Windows NT servers that share a single security sub-system that controls
access to all resources in the domain.

Information concerning the resources in a domain and the users allowed
access to those resources is housed in a Windows NT server designated as
the primary domain controller. All domains must have one, and only one,
primary domain controller. Other NT servers in the domain can be
designated as backup domain controllers for increased reliability, or
they can simply be designated as resource servers to offer a variety of
services to authorized users.

Windows NT computers, especially Windows NT Workstation clients, can
alternatively belong to workgroups, rather than domains. The key
difference between workgroups and domains is that in a workgroup there
is no domain controller, and therefore each workgroup computer must
maintain its own security sub-system. In a workgroup, users log into a
particular computer, whereas in a domain, users log into the domain.
This difference is not unlike the difference between logging into
particular servers in NetWare 3 and logging into the universal NDS
database in NetWare 4 and above. Figure 7-6 illustrates some key
features of domains and workgroups.

Trust Relationships In order for users to access network resources
located in remote domains without the need to duplicate the local user
account and security information into the remote domain, a mechanism
for domains to coordinate authentication must be established. The
mechanism used to coordinate authentication between domains is known as
a trust relationship. In a trust relationship (or trust for short), the
trusting domain trusts the trusted
[Figure 7-6 (image not reproduced). Recovered annotations:
Domain (Primary Domain Controller): "All security and access control
list information is maintained on the Primary Domain Controller. Copies
are stored on Backup Domain Controllers for reliability. Backup Domain
Controllers promoted in case of Primary Domain Controller failure. Any
Primary or Backup Domain Controller can log you in."
Workgroup (Windows for Workgroups, Windows NT Workstation): "Files and
directories can be shared among the workgroup, but ... maintaining their
own user ..."]

Figure 7-6 Domains and Workgroups

domain to properly authenticate its users. If a domain trusts another
domain, it will allow users from the trusted domain to be included in
access control lists for its resources.

Take the example of domain B trusting domain A. When a user from domain
A wishes to access a resource in domain B, domain B will ask for the
user's authentication credentials. The user will respond with their
credentials for domain A. Domain B will then send this credential set to
domain A and ask if they are correct. If they are correct, the resource
server in domain B will grant the appropriate access level as determined
by the access control list for the resource. This process is known as
passthrough authentication.

Interdomain trust relationships are defined separately for each
direction, meaning domain A granting trust to domain B and its users is
a separate issue from domain B granting similar trust to domain A.
Interdomain trust relationships are strictly point-to-point. In other
words, just because domains A and B have a two-way trust relationship
and domain B also has a two-way trust relationship with domain C, this
does not mean that users of domain A have access to domain C.

Interdomain trust accounts that allow NT server domain controllers to
perform passthrough authentication to other domains are, in fact, only
one of three types of trust accounts supported by Windows NT. The other
two are:

• Workstation trust accounts allow the workstation to connect to a
  domain by providing passthrough authentication for a Windows NT
  server in the domain. In essence, the workstation is able to
  authenticate itself, or remote users who have logged directly into
  the workstation and now wish to access domain-based resources.
• Server trust accounts allow NT servers to download copies of the
  master domain database from a domain controller. This trust
  relationship enables backup domain controllers.

Figure 7-7 illustrates a variety of trust relationships supported by
Windows NT.

DOMAIN ARCHITECTURES

The number and structure of domains and interdomain trust relationships
vary significantly from one organization to another. Decisions as to the
proper domain architecture for a given organization will hinge largely on
the number and location of users, and the number and location of system
administrators. Following are descriptions of five major models for
possible domain architectures as well as some key positive and negative
attributes of each:

• Single Domain Architecture - As the name implies, all users and
  network resources are organized into a single domain of up to 10,000
  users. This is a flat architecture with no interdomain trust
  relationships involved. All security management is performed from a
  single location.
• Multiple Non-Trusting Domains Architecture - If multiple divisions or
  departments within a given organization do not need access to each
  other's data or network resources, then multiple independently
  managed domains can be established without defining any trust
  relationships between the domains.
• Master Domain Architecture - This is a hierarchical architecture in
  which a single master domain is established into which all users are
  defined. Sub-domains all offer interdomain trust accounts to the
  single master domain, but the master domain does not allow trusted
  access from the sub-domains. The advantage of this architecture is
  that access to departmental data can be controlled by trust
  relationships, and all management is performed from a single
  centralized location. Because all user information is managed by the
  single master domain, this architecture is limited to 10,000 total
  users.
• Multiple Master Domains Architecture - This two-tiered architecture
  supports multiple master domains, with up to 10,000 users each. All
  sub-domains offer interdomain trust accounts to all master domains.
  This architecture is appropriate for very large organizations and
  involves increased maintenance of the multiple master domains and
  the interdomain trust relationships.
• Multiple Trust Architecture - In this idealistic, flat architecture,
  all domains offer interdomain trust accounts to all other domains.
  The difficulty with this architecture is that all domains are
  independently administered and trust relationships must be
  established for every possible domain-domain combination. This
  architecture can grow quite large, since 10,000 users per domain are
  permitted. However, the totally decentralized management of the
  domains may not be appropriate for all organizations.

[Figure 7-7 (image not reproduced). Recovered annotations:
Workstation Trust Accounts: NT Server; NT Workstation. NT Workstation
"A" wishes to access Workstation "B"; Workstation "B" passes login
information to the domain ... for authentication.
Server Trust Accounts: Primary Domain Controller; Backup Domain
Controller; authentication; copy of Domain Security Database. The Backup
Domain Controller is able to receive a copy of the Domain Security
Database due to the Server Trust Account.
Interdomain Trust Accounts: Inter-Domain Trust Account; authentication
request; pass-through authentication; NT Server; LOCAL DOMAIN; NT
Workstation. Local workstation requests access to Foreign Domain Server;
Foreign Server requests authentication from Local Domain Controller;
Local Domain Controller performs pass-through authentication.]

Figure 7-7 Trust Relationships in Windows NT

Figure 7-8 illustrates these various alternative domain architectures.
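The trust rules of the preceding sections (one-way, point-to-point trusts
that are never transitive; pass-through authentication; trusted-domain
users appearing in a trusting domain's ACLs) and the five domain
architectures just listed are modelled in the following Python example.
It is an added example, not code from the textbook or from Windows NT:
the Domain class, the trust() helper and the build() function are
constructed for illustration, as are all domain names, user names and
passwords.

```python
"""Trust relationships and pass-through authentication in NT domains.

Added example (not the textbook's or Microsoft's code). It encodes the
rules the text states: a trust is one-way and point-to-point, so it is
never transitive; a trusting domain may list trusted-domain users in its
ACLs; and a resource server forwards a foreign user's credentials to the
account domain instead of checking them itself. build() wires the five
domain architectures the chapter lists. The Domain/trust/build names and
all domain, user and password values are constructed for illustration.
"""
from itertools import permutations

MAX_USERS_PER_DOMAIN = 10_000      # per-domain limit quoted in the chapter


class Domain:
    def __init__(self, name):
        self.name = name
        self.accounts = {}          # user -> password (sample data only)
        self.trusted = set()        # domains whose users this domain accepts
        self.acls = {}              # resource -> {"DOMAIN\\user", ...}

    def add_user(self, user, password):
        if len(self.accounts) >= MAX_USERS_PER_DOMAIN:
            raise ValueError(f"{self.name}: 10,000-user limit reached")
        self.accounts[user] = password

    def verify(self, user, password):
        """Run by the account (trusted) domain's controller."""
        return self.accounts.get(user) == password

    def grant(self, resource, domain, user):
        """Only local users and users of trusted domains may appear in ACLs."""
        if domain is not self and domain not in self.trusted:
            raise PermissionError(f"{self.name} does not trust {domain.name}")
        self.acls.setdefault(resource, set()).add(f"{domain.name}\\{user}")

    def access(self, resource, domain, user, password):
        """Pass-through authentication followed by an ACL lookup."""
        if domain is not self and domain not in self.trusted:
            return False                    # no trust: nothing to pass through
        if not domain.verify(user, password):
            return False                    # account domain rejected credentials
        return f"{domain.name}\\{user}" in self.acls.get(resource, set())


def trust(trusting, trusted):
    """One-way trust: `trusting` accepts authentication results from `trusted`."""
    trusting.trusted.add(trusted)


def build(architecture, names):
    """Return {name: Domain} wired as one of the five architectures.
    For 'master', names[0] is the master; for 'multiple-master', names[:2]."""
    d = {n: Domain(n) for n in names}
    if architecture == "single":
        assert len(names) == 1
    elif architecture == "non-trusting":
        pass                                       # no trusts at all
    elif architecture == "master":
        for sub in names[1:]:                      # subs trust the master only
            trust(d[sub], d[names[0]])
    elif architecture == "multiple-master":
        for sub in names[2:]:                      # every sub trusts every master
            for master in names[:2]:
                trust(d[sub], d[master])
    elif architecture == "complete":
        for a, b in permutations(names, 2):        # every ordered pair: n*(n-1)
            trust(d[a], d[b])
    else:
        raise ValueError(f"unknown architecture {architecture!r}")
    return d


def trust_count(domains):
    """Number of one-way trust relationships an administrator must maintain."""
    return sum(len(x.trusted) for x in domains.values())


def demo():
    """A<->B and B<->C are two-way trusts, yet A's users cannot reach C."""
    a, b, c = Domain("A"), Domain("B"), Domain("C")
    for x, y in [(a, b), (b, a), (b, c), (c, b)]:
        trust(x, y)
    a.add_user("alice", "s3cret")          # constructed sample account
    b.grant("reports", a, "alice")         # B trusts A, so A\alice may be listed
    try:
        c.grant("payroll", a, "alice")     # C does not trust A: refused
        c_grant_ok = True
    except PermissionError:
        c_grant_ok = False
    return {
        "b_good_pw": b.access("reports", a, "alice", "s3cret"),
        "b_bad_pw": b.access("reports", a, "alice", "wrong"),
        "c_grant_ok": c_grant_ok,
        "c_access": c.access("payroll", a, "alice", "s3cret"),
    }


if __name__ == "__main__":
    print(demo())
    for arch, names in [("master", ["M", "S1", "S2", "S3"]),
                        ("complete", ["A", "B", "C", "D"])]:
        print(arch, trust_count(build(arch, names)))
```

Running trust_count() over the architectures makes the administrative
trade-off concrete: a master domain with three sub-domains needs three
one-way trusts, while the complete-trust model with four domains needs
twelve, and the count grows as n(n-1) with the number of domains.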

[Figure 7-8 (image not reproduced). Recovered annotations:
Single Domain Architecture: up to 10,000 users; centralized management;
no trust relationships.
Multiple Non-Trusting Domains Architecture: 10,000 users per domain;
each domain independently managed; no trust relationships.
Multiple Trust Architecture: 10,000 users per domain; decentralized
management; total domain-to-domain trust.
Master Domain Architecture: sub-to-master domain trust; inter-sub domain
trust as desired; centralized management; 10,000 user limit.
Multiple Master Domains Architecture: 10,000 users per master domain;
... management responsibilities; appropriate for large organizations.]

Figure 7-8 Alternative Domain Architectures

Security Security is an integral part of the Windows NT operating system.
As a result, security in Windows NT offers not only the user
authentication and authorization services typically associated with
network operating system security, but also an assurance that the
programs and processes launched by those authorized users will only
access system resources to which they have appropriate permissions. In
Windows NT, no interprocess communication takes place without the
knowledge and approval of the Windows NT security system.

The overall security system is organized around the concept of objects.
In Windows NT, examples of objects are files, directories, print queues,
and other networked resources. All objects are assigned permission
levels that are associated with individual users or user groups through
access control lists. Examples of permission levels are:

• read
• delete
• write
• change permission level
• execute
• take ownership
• no access
• print

By monitoring permission levels, the NT security system can monitor and
control who accesses which objects as well as how those objects are
accessed. In addition to monitoring and control, NT security can also
audit and report on these same object accesses by users according to
permission level. The components of the Windows NT security model are
illustrated in Figure 7-9.

COMPONENTS OF THE WINDOWS NT SECURITY MODEL

A logical start for introducing the interacting components of the
Windows NT security model is the logon process. This is actually a
client presentation layer function, identified as a separate component
in order to allow login processes for a variety of different computer
platforms to interact with the Windows NT security model in a
standardized manner.

The platform-specific login process interacts with the local security
authority that actually provides the user authentication services.
Specifically, the local security authority generates a security access
token for authorized users which contains security IDs (SIDs) for this
user and all of the user groups to which this user belongs. This
security access token accompanies every process or program launched by
this user and is used as a means to
[Figure 7-9 (image not reproduced). Recovered labels: Win32 Subsystem;
USER MODE; KERNEL MODE; Security Reference Monitor Sub-System.]

Figure 7-9 Windows NT Security Model

reference whether or not this user and their spawned processes have
sufficient permissions to perform requested services or access requested
resources. The local security authority also controls the security
model's audit policy and generates audit messages that are stored in the
audit log.

All of the user and user group ID and permission level information is
stored in and maintained by the security account manager, which
interacts with the local security authority to verify user IDs and
permission levels. The user accounts database is physically stored on
the primary domain controller except in cases where an individual
workstation may have a need to verify specific user IDs for remote
access to that workstation. The links between components of the NT
security model involved in the logon process are designed as secure
communication channels in order to ensure that traffic which is
supposedly received from a given workstation or computer is actually
from that computer. This authentication is accomplished in Windows NT
by a process similar to the Challenge Handshake Authentication Protocol
(CHAP), which is employed in NetWare 4.1 for a similar purpose.
Passwords are encrypted before being transmitted during the logon
process.

The only kernel mode portion of the NT security model is the security
reference monitor (SRM), which serves as the security engine or back-end
application for all of the previously mentioned security client
applications. It is the security reference monitor that has the ultimate
responsibility for ensuring that users have the proper authority to
access requested network resources. The SRM is able to meet this
responsibility by comparing the requested object's security description
as documented in access control lists (ACLs) with the requesting user's
security information as documented on their security access token.
Besides access validation, the SRM is also responsible for audit
checking and generating audit messages.
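The chain just described (logon process, local security authority
issuing an access token of SIDs, security reference monitor comparing
that token with the object's ACL and emitting audit messages) is
modelled in the following Python example. It is an added example, not
Windows NT code or a Microsoft API: the class names, the "deny entries
win" evaluation order, the S-1-5-21-EXAMPLE-... SID strings, and the
users, groups and share names are constructed for illustration; the "no
access" permission level from the list above is represented as a deny
entry carrying no permissions.

```python
"""Access check in the style of the NT security reference monitor (SRM).

Added example, not from the textbook. It models the components the
section names: a local security authority that authenticates a user and
mints an access token carrying the user's SID and group SIDs, objects
whose ACLs map SIDs to permission levels, and an SRM that grants a
request only when every requested permission is covered by one of the
token's SIDs and no matching entry denies it. SIDs, users, groups and
object names are constructed sample data; the SID format only mimics
NT's S-1-... style.
"""
from dataclasses import dataclass, field

PERMISSIONS = {"read", "write", "execute", "delete",
               "change permission level", "take ownership", "print"}


@dataclass(frozen=True)
class AccessToken:
    user_sid: str
    group_sids: frozenset

    @property
    def sids(self):
        return {self.user_sid} | self.group_sids


@dataclass
class ACE:
    sid: str
    permissions: frozenset       # empty frozenset with deny=True means "no access"
    deny: bool = False


@dataclass
class SecuredObject:
    name: str
    acl: list = field(default_factory=list)


class LocalSecurityAuthority:
    """Authenticates users and issues tokens; `accounts` stands in for the
    security account manager's database: user -> (password, sid, group sids)."""

    def __init__(self, accounts):
        self.accounts = accounts
        self.audit_log = []

    def logon(self, user, password):
        record = self.accounts.get(user)
        if record is None or record[0] != password:
            self.audit_log.append(f"AUDIT logon failure user={user}")
            return None
        _, sid, groups = record
        self.audit_log.append(f"AUDIT logon success user={user} sid={sid}")
        return AccessToken(sid, frozenset(groups))


class SecurityReferenceMonitor:
    def __init__(self, lsa):
        self.lsa = lsa

    def access_check(self, token, obj, requested):
        """A matching deny entry that covers any requested permission (or
        denies everything) wins; otherwise the union of matching allow
        entries must cover every requested permission."""
        requested = set(requested)
        if not requested <= PERMISSIONS:
            raise ValueError(f"unknown permission in {requested}")
        matching = [ace for ace in obj.acl if ace.sid in token.sids]
        for ace in matching:
            if ace.deny and (not ace.permissions or ace.permissions & requested):
                self._audit(token, obj, requested, False)
                return False
        allowed = set().union(*(ace.permissions for ace in matching if not ace.deny))
        granted = requested <= allowed
        self._audit(token, obj, requested, granted)
        return granted

    def _audit(self, token, obj, requested, granted):
        self.lsa.audit_log.append(
            f"AUDIT object={obj.name} sid={token.user_sid} "
            f"requested={sorted(requested)} result={'GRANT' if granted else 'DENY'}")


def demo():
    """Constructed scenario: alice and bob are both in the Staff group, but
    bob is explicitly marked 'no access' on the payroll share."""
    lsa = LocalSecurityAuthority({
        "alice": ("pw-alice", "S-1-5-21-EXAMPLE-1001", {"S-1-5-21-EXAMPLE-513"}),
        "bob":   ("pw-bob",   "S-1-5-21-EXAMPLE-1002", {"S-1-5-21-EXAMPLE-513"}),
    })
    srm = SecurityReferenceMonitor(lsa)
    payroll = SecuredObject("\\\\SRV\\payroll", acl=[
        ACE("S-1-5-21-EXAMPLE-513", frozenset({"read", "execute"})),   # Staff
        ACE("S-1-5-21-EXAMPLE-1002", frozenset(), deny=True),          # bob: no access
    ])
    alice = lsa.logon("alice", "pw-alice")
    bob = lsa.logon("bob", "pw-bob")
    return {
        "alice_read": srm.access_check(alice, payroll, {"read"}),
        "alice_write": srm.access_check(alice, payroll, {"read", "write"}),
        "bob_read": srm.access_check(bob, payroll, {"read"}),
        "bad_logon": lsa.logon("alice", "nope") is None,
        "audit_entries": len(lsa.audit_log),
    }


if __name__ == "__main__":
    print(demo())
```

Every decision, including the failed logon, leaves a line in the audit
log, which is the behaviour the section attributes to the local security
authority's audit policy and the SRM's audit checking.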

Communication Protocols

As illustrated in Figure 7-10, Windows NT offers not just a choice of
multiple communication protocols, but the ability to run multiple
communication protocols simultaneously. Windows NT supports the
following communication protocols:

• TCP/IP
• NWLink (IPX/SPX)
• NetBEUI (NBF)

[Figure 7-10 (image not reproduced). Recovered labels, top to bottom:
SESSION: Transport Driver Interface. TRANSPORT (protocol options): NBF
(NetBEUI), DLC, NWLINK (IPX/SPX), TCP/IP, AppleTalk. NETWORK: (IP).
DATALINK: NDIS Compliant Driver. PHYSICAL: Network Interface Card to
Windows Network.]

Figure 7-10 NT Communication Protocol Architecture

• DLC
• AppleTalk

Collectively, this protocol selection not only provides connectivity
between NT clients and servers, but also provides compatibility with
other network operating systems.

This section focuses on the implementation of these protocols in the
Windows NT environment. Refer to Chapter 4 for more detailed information
on each of these protocols.

NWLink (IPX/SPX) IPX/SPX is the traditional communication protocol stack
for NetWare. IPX/SPX is supported in the Windows NT environment through
a protocol stack known as NWLink that allows IPX/SPX to serve as the
native communication protocol for all communication between NT clients
and NT servers. As a result of having IPX/SPX serve as NT's native
transport protocol, interoperability with NetWare clients and servers is
easily enabled through NetWare interoperability products available from
Microsoft such as:

• Gateway Service for NetWare
• File and Print Services for NetWare

Each of these NetWare interoperability products will be described in
more detail in the Windows NT Interoperability section of this chapter.

NetBEUI (NBF) NetBEUI Frame (NBF) is the Windows NT version of the
NetBEUI protocol stack, included for backward compatibility purposes
with such NetBEUI-based network operating systems as Microsoft LAN
Manager and OS/2 LAN Server. As the expansion of NetBEUI (NetBIOS
Extended User Interface) implies, NetBEUI is merely an extended version
of the original NetBIOS API. NBF can also be chosen as the native
transport protocol for Windows NT, thereby supplying transport services
for all communication between NT clients and NT servers.

AppleTalk AppleTalk is included as a communication protocol in order to
support NT's Services for Macintosh (SFM). These independently
controlled services, which include File Server for Macintosh and Print
Server for Macintosh, allow an NT server to act as an AppleShare server
for Macintosh clients. Files can be easily retrieved and maintained from
the NT server by the Mac clients. To the Mac clients, the connection is
totally transparent. No additional software needs to be added to the Mac
clients. At the same time, the files stored in the AppleShare section of
the NT server are also accessible to NT clients with proper permission
levels. Thus, Services for Macintosh plus the AppleTalk communication
protocol provide a transparent interoperability environment for NT and
Mac clients.

DLC DLC, or Data Link Control, is a Windows NT communication protocol
that has traditionally been reserved for communication with IBM
mainframe computers. Recently, this same communication protocol has been
used to communicate between Windows NT servers and printers that are
attached directly to the network by network interface cards, such as the
Hewlett-Packard LaserJet 4si equipped with a JetDirect card. In order to
successfully complete such a communication, the mainframe or
network-attached printer must also support the DLC protocol.

Figure 7-11 is a functional illustration of the use of the IPX/SPX, NBF,
AppleTalk, and DLC communication protocols.

[Figure 7-11 (image not reproduced). Recovered labels:
IPX/SPX: Windows NT Client; NetWare Server; Windows NT Server.
AppleTalk: Windows NT Client; Windows NT Server (AppleTalk & TCP/IP or
NBF or IPX/SPX); Macintosh Client.
NBF: Windows NT Client; LAN Manager Server; Windows NT Server.
DLC: Windows NT Client; HP LaserJet with JetDirect card; Windows NT
Server (DLC & TCP/IP or NBF or IPX/SPX); IBM mainframe.]

Figure 7-11 Use of IPX/SPX, AppleTalk, and DLC in Windows NT

TCP/IP and Related Protocols Although the intricacies of TCP/IP and the
related protocols of the Internet Suite were covered in Chapter 4, a
brief description of supported protocols and services will be given
here. In addition, significant issues related to Windows NT's
implementation of TCP/IP-related protocols such as the Dynamic Host
Configuration Protocol (DHCP) and the related Windows Internet Naming
Service (WINS) will also be discussed. Figure 7-12 summarizes some of
the TCP/IP protocols and services supported by Windows NT.

Protocol/Service Category    Details/Explanation

Communication Protocols      • TCP - Transmission Control Protocol: transport
                               layer protocol that ensures reliability of IP
                               transmission
                             • IP - Internet Protocol: network layer
                               communication protocol which provides end to
                               end addressing and communication
                             • UDP - User Datagram Protocol: transport layer
                               alternative protocol to TCP for transmission
                               of short datagram messages that don't require
                               the reliability checking overhead of TCP

Special Delivery Protocols   • ARP - Address Resolution Protocol
                             • ICMP - Internet Control Message Protocol

Remote Access Protocols      • PPP - Point-to-Point Protocol
                             • SLIP - Serial Line Internet Protocol
                             • Both PPP and SLIP can be used for remote access
                               of TCP/IP-based computers

APIs                         • Windows Sockets 1.1 and 2.0

Utilities                    • FTP - File Transfer Protocol
                             • TFTP - Trivial FTP: simpler version of FTP
                             • Telnet - remote terminal login protocol
                             • LPR - line printer protocol: used to print a
                               file to a host print server
                             • RCP - remote copy protocol
                             • REXEC - remote execution protocol: allows
                               commands to be executed on remote hosts
                             Note: some utilities may only be available from
                             an add-on product, the Windows NT Resource Kit.

Diagnostics                  • LPQ - used to obtain the status of a print queue
                             • PING - used to verify connections to a
                               particular host
                             • Tracert - used to trace the route of a packet
                               from source to destination
                             • Netstat - displays protocol statistics and
                               network connections
                             • Nbtstat - displays protocol statistics and
                               network connections using NetBIOS over TCP/IP

Services                     • WINS - Windows Internet Name Service
                             • DHCP - Dynamic Host Configuration Protocol

Management Protocols         • SNMP - Simple Network Management Protocol. NT
                               actually supplies an SNMP agent which is able
                               to forward network statistics in SNMP format to
                               enterprise network management systems such as
                               HP OpenView, Sun SunNet Manager, and IBM
                               SystemView.

Figure 7-12 TCP/IP Protocols and Services in Windows NT

TCP/IP can be used as the native communication protocol between all NT
clients and servers. However, this is not the real advantage to using
TCP/IP as a communication protocol. The real benefits of TCP/IP are
apparent only when one looks outside the local NT clients and servers.
TCP/IP is the communication protocol of the Internet, as well as most
other public and private inter-networks. As a result, communication
outside of the local NT network becomes much easier when TCP/IP is
chosen as the communication protocol. In addition, TCP/IP has become
the de facto common communication protocol across almost every computing
platform imaginable. Although many computers use communication protocols
other than TCP/IP, most computers are also able to speak to each other
using TCP/IP.

DHCP AND WINS

TCP/IP, like any network operating system communication protocol,
depends on an organized addressing scheme in order to know where to find
intended recipients of interprocess communication. Traditionally, IP
addresses were associated with the network interface cards within
computers and were therefore more or less permanently associated with a
physical machine. Two forces contributed primarily to the need for an
alternative to the permanent, physically oriented IP addressing scheme:

• An overall lack of possible IP addresses due to the explosive growth
  of the Internet, which depends on IP addressing. As a result, a
  solution was sought that could assign IP addresses dynamically as
  needed from a pool of available IP addresses, rather than having IP
  addresses permanently assigned to computers that were not being used.
• The explosive growth of remote and mobile computing. Some way had to
  be found to give remote and mobile users IP addresses as needed
  without having to permanently assign unique IP addresses to
  everyone's office computer as well as their laptop or notebook
  computer.

The solution was the Dynamic Host Configuration Protocol, or DHCP. DHCP
allows NT servers using TCP/IP to dynamically assign TCP/IP addresses to
NT workstations, Windows for Workgroups clients, Windows 9x clients, or
DOS clients running the TCP/IP-32 protocol stack. The DHCP server is
included as part of the TCP/IP protocol stack for NT server and
references a DHCP database for lists of available IP addresses. IP
addresses issued by DHCP are leased, rather than being permanently
assigned, and the length of time that IP addresses can be kept by DHCP
clients is known as the lease duration. Dial-in users are typically
assigned an IP address only for the duration of their call. If
necessary, specific IP addresses can be reserved for specific clients.
DHCP must be enabled on Windows clients supporting the TCP/IP protocol
stack in
order to be able to request IP addresses from the DHCP server. For more
information on BOOTP and DHCP, please refer to Chapter 4.

Because users and their workstations are easier to remember and access
by name rather than address, NT keeps track of user names and associated
IP addresses with a service known as WINS (Windows Internet Name
Service). WINS is a Microsoft proprietary client/server name resolution
system. Each client is configured with the address of at least one WINS
server. At boot time the client registers its name and IP address with
the WINS server. In this manner the WINS server builds a comprehensive
database of names and IP addresses of the machines on the network
regardless of the manner in which they received their IP address.

When a WINS-enabled client wants to connect to another station, it
sends a name query to the WINS server, which responds with the current
IP address of the destination computer. The client is then able to
connect directly to the destination via IP.

The Internet uses a different naming service known as DNS or Domain
Name System. While DNS normally only works with machines whose IP
addresses never change (static addresses), use of the Microsoft DNS
server for NT allows DNS to query the WINS database to present accurate
DNS information on dynamically assigned hosts. As a result, users
assigned DHCP addresses who are logged into the WINS database will still
be accessible from the Internet via the DNS database. The DHCP server,
WINS server, and DNS server can all be physically located on different
server computers. Figure 7-13 illustrates the interaction of DHCP, WINS,
and DNS clients and servers.

Network Services Windows NT network services provide the transport
mechanism by which other services such as printing, security, file
systems, and application support are delivered. These multipurpose
network services are the result of a structured, modular architecture of
interacting components as illustrated in Figure 7-14.

Following is a layer-by-layer description of the Windows NT Network
Services Architecture:

• The network interface card at the base of the Windows NT Network
  Services Architecture provides the physical connectivity from every
  Windows NT client and server to the Windows NT network.
• The first layer of software in the architecture is the NDIS (Network
  Datalink Interface Specification) driver software that supports both
  multiple transport protocols per network interface card and multiple
  network interface cards per computer.
• Support for a variety of different transport protocols allows Windows
  NT to interoperate successfully with most popular client and server
  networking platforms. These protocols will be explained in more
  detail in the Communication Protocols section of this chapter.

[Figure 7-13 (image not reproduced). Recovered labels: DHCP - load
leveling of available addresses across multiple servers; WINS - load
leveling of IDs across multiple servers with bi-directional replication;
WINDOWS SERVER; Windows Client; Windows Client using DHCP; client
requests for dynamic IP address; server response with dynamic IP
address.]

Figure 7-13 DHCP, WINS, and DNS

• The transport driver interface (TDI) is actually a protocol
  specification that provides a layer of transparency between session
  layer redirectors and transport layer protocols. It fulfills a role
  similar to the NDIS specification's role between the network and
  data-link layer protocols. This allows session layer redirector
  software to be written independently of the particular transport
  layer software with which the redirector software will need to
  communicate.

Figure 7-14 Windows NT Network Services Architecture

• Just as Windows NT is able to support multiple transport protocols
  simultaneously, it is also able to support a variety of redirectors
  simultaneously. It is the redirector's job to determine whether
  requests for files and services can be handled on the local computer
  or if they must be forwarded to a particular remote computer via the
  appropriate transport protocol. Redirectors in Windows NT are also
  able to request additional services from any of the system services
  available in the NT executive. The various options for redirectors
  will be described further in the Applications Services section of
  this chapter.
• Finally, Windows NT applications must have some way to pass their
  requests for files and services to the redirector layer. The Win32
  API, described in previous chapters, is the standard interface
  specification by which NT applications pass requests for services to
  the NT network operating system.

Application Services Application services within Windows NT are
primarily concerned with providing support for distributed or
client/server applications. More specifically, Windows NT is responsible
for providing communication services between the client and server
portions of distributed applications. Communication between client and
server portions of distributed applications falls into two major
categories:

• Synchronous I/O or interprocess communication refers to the
  situation where a client application spawns a thread for information
  or processing and waits for the results of that thread before
  continuing with the execution of the client application. Synchronous
  I/O is sometimes also referred to as connection-oriented
  communication.
• Asynchronous I/O refers to the situation where a client application
  spawns a thread for information or processing and proceeds with the
  execution of the client application without waiting for the results
  of the spawned thread. Depending on how the client application is
  written, the server portion may notify the client application when
  the requested information has been delivered, or the client program
  may be required to check back for any newly delivered information on
  a regular basis. Asynchronous I/O is sometimes also referred to as
  connectionless communication.

As illustrated in earlier chapters on client/server software
architectures, distributed applications interact with network operating
systems via APIs or application program interfaces. In the case of
Windows NT, this API is the Win32 API.

INTERPROCESS COMMUNICATION

The next requirement in establishing a distributed application between a
client and server is to offer some type of mechanism for interprocess
communication. Some way needs to be offered for the application to spawn
threads and establish links from clients to servers in order to receive
requested files and services. Windows NT offers at least six different
options for interprocess communication establishment, as illustrated in
Figure 7-...

The Windows Sockets interprocess communication mechanism, more commonly
known as WinSock, is the most flexible of all of the interprocess
communication mechanisms currently supported by Windows NT. The term
sockets in the name of this interprocess communication mechanism is a
reflection of this protocol's derivation from Berkeley ...

Earlier versions of the WinSock protocol were able to allow programs
written to support this protocol to operate transparently over a variety
of different vendors' TCP/IP protocol stacks. WinSock2 added to this
functionality by allowing WinSock-compliant applications to operate
transparently over IPX/SPX, AppleTalk, DECnet, and OSI transport
protocols as well. The importance of this multiprotocol support from an
application developer's standpoint is that only one version of an
application needs to be developed and maintained rather than several
network protocol specific versions.

A WinSock-compliant application uses the WinSock interprocess
communication mechanism by loading the WinSock DLL file. A DLL, or
dynamic link library, file is loaded into memory as needed at run time
by Windows NT rather than having to be compiled into, and permanently
added to, the application programs themselves. As illustrated in Figure
7-15, the WinSock DLL includes two distinct interfaces:

• The WinSock API is used by applications developers for including
  appropriate commands within their WinSock compliant applications.
• The WinSock SPI (Service Provider Interface) translates the API calls
  to enable WinSock compliant applications to access multiple different
  network transport protocols through the transport driver interface.

Figure 7-15 WinSock 2 Provides Network Transport Independence. (The figure stacks a WinSock 2 compliant application over the WinSock API, the WinSock SPI, and the Transport Driver Interface, beneath which sit the NBF (NetBEUI), OSI, DLC, NWLink (IPX/SPX), TCP/IP, DECnet, and AppleTalk transports.)



NetBIOS can also be used by applications to establish client-to-server or interprocess communication. NetBIOS is an API that allows NetBIOS-compliant applications to communicate with the NetBIOS [Link] which, in turn, establishes communication via the NetBEUI Frame (NBF) transport protocol. The NetBIOS API is implemented by the NetBIOS DLL. NetBIOS establishes sessions between client and server computers which are then able to exchange messages that adhere to the SMB (Server Message Block) format.
Two other interprocess communication mechanisms included in Windows NT, primarily for backward compatibility with applications written for other network operating systems, are as follows:

• Named Pipes is included as an interprocess communication mechanism used by the OS/2 operating system.
• Mailslot is an interprocess communication mechanism used by the OS/2 LAN Manager network operating system.

The Open Software Foundation (OSF) has developed an entire architecture for the development of distributed applications known as the Distributed Computing Environment (DCE). DCE will be explored in detail in Chapter 9. The interprocess communication service defined within DCE is known as RPC or Remote Procedure Call. Windows NT, along with many other operating systems, supports RPC. Remote Procedure Call is more like a "super" interprocess communication mechanism in that it has the ability to use other interprocess mechanisms such as named pipes, NetBIOS, or WinSock, should that be what a particular application requires. Client and server programs that wish to use the RPC service simply issue program calls for that service via specialized calls to the RPC mechanism known as stubs. While the stub calls are compiled within the program, the interprocess communication is executed with the help of the RPC runtime module. All computing platforms that support the RPC interprocess communication mechanism must have a compatible RPC runtime module. In this way, the RPC runtime module becomes the common interprocess communication mechanism across all of the various computing platforms attempting to communicate with each other.
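The sequence the text describes, a server waiting for a connection, a client establishing a link, and the two exchanging a request and a reply, is shown below as an added example that is not code from the original text. It is written against the BSD socket API that WinSock derives from; Python's socket module runs over WinSock on Windows and over BSD sockets elsewhere, so the same calls work on either. The length-prefixed framing, the "FILE <name>" request, and the allow-list of files are assumptions chosen for illustration. The server binds to the loopback address only, so it is not reachable from the network, and it refuses frames larger than a fixed limit rather than allocating whatever length a client claims.

```python
"""Client/server interprocess communication over sockets (added example)."""
import socket
import struct
import threading

MAX_FRAME = 64 * 1024  # refuse oversized frames rather than allocate blindly

# Constructed sample "files" the server is willing to hand out (an allow-list,
# so a request such as "FILE ../../etc/passwd" cannot reach the filesystem).
FILES = {"readme.txt": b"Windows NT interprocess communication demo\n"}


def send_frame(sock, payload):
    """Length-prefixed framing: 4-byte big-endian length, then the payload."""
    sock.sendall(struct.pack("!I", len(payload)) + payload)


def recv_exact(sock, n):
    """Read exactly n bytes; TCP is a byte stream, so recv() may return less."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection early")
        buf.extend(chunk)
    return bytes(buf)


def recv_frame(sock):
    (length,) = struct.unpack("!I", recv_exact(sock, 4))
    if length > MAX_FRAME:
        raise ValueError("frame too large: %d bytes" % length)
    return recv_exact(sock, length)


def handle_request(request):
    """Service dispatcher: 'FILE <name>' returns a listed file, else an error."""
    parts = request.decode("ascii", "replace").split(" ", 1)
    if parts[0] == "FILE" and len(parts) == 2 and parts[1] in FILES:
        return b"OK " + FILES[parts[1]]
    return b"ERR unknown request"


def serve_one(listener):
    """Accept a single client, answer one request, then close the connection."""
    conn, _addr = listener.accept()
    with conn:
        try:
            send_frame(conn, handle_request(recv_frame(conn)))
        except (ValueError, ConnectionError) as exc:
            try:
                send_frame(conn, b"ERR " + str(exc).encode("ascii", "replace"))
            except OSError:
                pass


def start_server():
    """Bind to loopback on an ephemeral port and serve one client in a thread."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # loopback only: not reachable from the network
    listener.listen(1)
    port = listener.getsockname()[1]
    worker = threading.Thread(target=serve_one, args=(listener,), daemon=True)
    worker.start()
    return port, listener, worker


def request(port, text):
    """Client side: connect, send one framed request, return the framed reply."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as sock:
        send_frame(sock, text.encode("ascii"))
        return recv_frame(sock)


def roundtrip(text):
    """Start a server, make one request against it, and return the reply."""
    port, listener, worker = start_server()
    try:
        return request(port, text)
    finally:
        worker.join(5)
        listener.close()


if __name__ == "__main__":
    print(roundtrip("FILE readme.txt"))
    print(roundtrip("FILE ../../../etc/passwd"))
```

Framing is the part most often got wrong in hand-written IPC: without the length prefix a reader cannot tell where one message ends, and without the size check a malicious peer can make the server allocate an arbitrarily large buffer.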

Application Services

In addition to offering basic file and print services, Windows NT is well suited to use as an application server. Many different applications have been ported to the Windows NT platform, including multiprotocol routers; Internet services such as web servers, proxies, and firewalls; and database servers. It is in the installation of these applications that Windows NT truly distinguishes itself. This section will focus on the major services included in the Windows NT 4.0 distribution.

File and Print Services  File and print services represent an entry into the server NOS market. Windows NT provides basic file services to clients. Standard file service capabilities such as security and concurrent access are provided. File services are accessed by clients through redirectors using the SMB protocol as discussed in the preceding section.
Recalling that printer sharing is a key NOS application, it should come as no surprise that Windows NT does an especially good job of offering managed print services to client workstations. In keeping with the overall modular design of Windows NT, printer services are organized around the Windows NT printing model as illustrated in Figure 7-16.
The importance of the modular design of the Windows NT Printing Model should be clearly evident from Figure 7-16. At many layers of the model, a variety of options are available, depending on the particular environment of the user. For example, choices can be made for:

• print providers for interoperability with Macintosh, NetWare, or UNIX-based printers
• printing monitor programs compatible with a variety of management platforms
• a wide variety of types and brands of printers

If not for the modular design of the Windows NT Printing Model, monolithic printing spoolers would have to be developed for every possible unique combination of spooler, monitor, and printer, a mammoth undertaking. The basic building blocks of the Windows NT Printing Model are:

• Clients are any application program able to produce a request for print services and pass that request to the spooler. The clients may be local or network attached.
• The router receives all requests for print services and determines whether this print request can be fulfilled locally or if it must be shipped out to another print provider more qualified to deal with this print request.
• Print providers, whether local or remote, examine the spooled print request and determine which print processor should be used to process the print job. In addition, the print provider also determines which print monitor is in charge of dealing with printer port output.
• Finally, the appropriate print monitor actually forwards the print job to the proper print device, whether local or network attached.

Internet Services  NT Server 4.0 comes bundled with Internet Information Server (IIS), a full-feature Internet server. IIS provides web, FTP, and Gopher server capabilities natively and is written in a modular format to allow other Internet services (such as a proxy server) to be added. Key features of IIS include its tight integration with the Windows NT security model: access to web pages can be set in the same manner as access to files. Other key IIS features include support for Active Server Pages (ASP), integrated Java support, and a built-in message queue manager.

Figure 7-16 Windows NT Printing Model (clients, router, print providers for Windows NT and UNIX, print processors, print monitors, and numerous brands of supported printing devices)

Database and BackOffice Services  To facilitate Windows NT Server's use as an application server, Microsoft has released the BackOffice family of products. BackOffice is a collection of server products that support the development of enterprise applications on the Windows NT platform. BackOffice services include:

• Exchange Server: e-mail services
• Proxy Server: an extensible firewall and web cache server
• Site Server: a web site environment for development and deployment of web applications via IIS
• Systems Management Server: a collection of centralized management tools for computer inventory, software distribution, and diagnostic services
• SNA Server: an integration platform for Microsoft networks and legacy SNA systems
• SQL Server: a relational database management system (RDBMS) for development of client/server applications

WINDOWS 2000 (NT 5.0)


The next generation of the Windows NT family is Windows 2000. Known in development as Windows NT 5.0, Windows 2000 expands upon many of the capabilities of Windows NT 4.0. Improvements in SMP capability, clustering, load balancing, and the replacement of the domain naming system with a true directory service allow Windows 2000 to scale to larger enterprises. This section will focus on the changes in Windows 2000 compared with Windows NT 4.0.

Overall Architecture

Windows 2000 will be available in four different versions: Professional, Server, Advanced Server, and Datacenter Server. Similar to Windows NT 4.0 Workstation, Windows 2000 Professional is designed to serve as a robust network client operating system. Windows 2000 Server is the introductory server platform. Delivering file, print, web, and communication server functions, Windows 2000 Server is designed for small to medium-size enterprises.
Windows 2000 Advanced Server is designed to scale to larger enterprises. The replacement in the product line for Windows NT 4.0 Enterprise Edition, Windows 2000 Advanced Server adds clustering and load balancing, and doubles SMP support as compared to the Windows 2000 Server platform.
Windows 2000 Datacenter Server is designed for large enterprise deployments. With support for increased numbers of processors and memory along with clustering and load balancing, Windows 2000 Datacenter Server is optimized for large data warehouses, transaction processing, and scientific calculations. The key features of each server version of Windows 2000 are listed in Figure 7-17.

Network Operating System Characteristic | Windows 2000 Server | Windows 2000 Advanced Server | Windows 2000 Datacenter Server
--- | --- | --- | ---
Hardware/Platform | | |
Supported Processors | Intel x86 (386 or better), Digital Alpha | Intel x86 (386 or better), Digital Alpha | Intel x86 (386 or better), Digital Alpha
Min Memory | 64 MB | 128 MB | 128 MB
Min Disk | 1 GB | 1 GB | 1 GB
Symmetrical Multiprocessing | 2 processors | 4 processors | 16 processors
Operating System | | |
Program Structure | 32 bit | 32 bit | 32 bit
Memory Architecture | Virtual machines | Virtual machines | Virtual machines
Preemptive Multitasking | Yes | Yes | Yes
Clustering | No | Yes | Yes
Load Balancing | No | Yes | Yes
File System | FAT, FAT32, NTFS | FAT, FAT32, NTFS | FAT, FAT32, NTFS
User Interface | GUI | GUI | GUI
Network Drivers | NDIS | NDIS | NDIS
Application Program Interface(s) | Win32 | Win32 | Win32
CD-ROM Support | Yes | Yes | Yes
Management and Administration | | |
Network Object Management | Domain Name System services; Directory Services (Active Directory) | Domain Name System services; Directory Services (Active Directory) | Domain Name System services; Directory Services (Active Directory)
Administrative Location | From the server, from clients using utility applications, or via HTTP (WWW) | From the server, from clients using utility applications, or via HTTP (WWW) | From the server, from clients using utility applications, or via HTTP (WWW)
Network Services | | |
Network Protocols Supported | IPX/SPX, NetBEUI, TCP/IP, AppleTalk (Macintosh support only), DLC (printing only) | IPX/SPX, NetBEUI, TCP/IP, AppleTalk (Macintosh support only), DLC (printing only) | IPX/SPX, NetBEUI, TCP/IP, AppleTalk (Macintosh support only), DLC (printing only)
Multiprotocol Routing | Yes (capabilities can be expanded via add-on product) | Yes (capabilities can be expanded via add-on product) | Yes (capabilities can be expanded via add-on product)
Native Services | File and print, FTP, Web | File and print, FTP, Web | File and print, FTP, Web
Common Third-party Services | Electronic mail, database, firewall, etc. | Electronic mail, database, firewall, etc. | Electronic mail, database, firewall, etc.
Clients Supported | DOS, Windows 3.x, Windows 9x, Windows NT, UNIX, OS/2, Macintosh | DOS, Windows 3.x, Windows 9x, Windows NT, UNIX, OS/2, Macintosh | DOS, Windows 3.x, Windows 9x, Windows NT, UNIX, OS/2, Macintosh

Figure 7-17 Windows 2000 Server Technology Analysis Grid

Operating System Architecture and Characteristics

The operating system architecture improvements in Windows 2000 are designed to extend Windows NT 4.0's architectural stability and enhance scalability. While maintaining the virtual machine memory architecture used in Windows NT 4.0, Windows 2000 increases addressable memory. Windows 2000 provides support for up to 4 GB of RAM on Intel Pentium II Xeon processors and up to 32 GB of RAM on 64-bit processor systems such as the Digital/Compaq Alpha family and future Intel processors. By increasing the amount of physical memory supported, more data can be cached in memory, providing greatly increased data processing performance.

Multi-processing  One of the main differences between the various versions of Windows 2000 lies in SMP support. The base Windows 2000 Server product is limited to two-way (two-processor) SMP, whereas the mid-range Windows 2000 Advanced Server offers four-way SMP. For large enterprise applications, Windows 2000 Datacenter Server supports up to 16-way SMP. Regardless of the number of processors supported, Windows 2000 is tuned for better efficiency and provides enhanced support for newer hardware configurations.
In addition to SMP improvements, better processor utilization is made possible through support for the Intel I2O architecture. In an I2O-compliant system a separate processor, complete with its own memory, handles all I/O processing, allowing the main processor(s) to focus on application services. Input/output performance is further enhanced through the use of "scatter/gather" I/O that increases access speed to data held in noncontiguous memory locations.

Clustering  Although a single SMP server can deliver extremely high levels of performance, critical enterprise-level applications running on a single SMP server present a single point of failure. If client/server computing is to succeed, servers must provide both high availability and be fail-safe. To provide such fail-safe high availability, two servers can be clustered. As illustrated in Figure 7-18, a server cluster appears to be a single server from the perspective of a network client. When a client requests data from the cluster, the request is sent to the primary server for fulfillment. In the event that the primary server fails, the backup server will automatically pick up the active cluster connections. Ideally, this process happens so quickly that users don't realize that a failure occurred. Windows 2000 provides support for such fail-over clustering through the Microsoft Clustering Services (MSCS).
A second use for clusters is to increase scalability. If a single SMP server cannot provide adequate processing capability for a large enterprise application, multiple servers can be clustered together to collectively meet these processing requirements. As shown in Figure 7-19, when a client makes a request to the cluster, a cluster controller reroutes the request to one of the servers that make up the cluster. When a change is made on one server in the cluster, the change is automatically propagated through the cluster to ensure data integrity.

Figure 7-18 Fail-Over Clustering (before failure and after failure)

Figure 7-19 Scalability Clustering



Closely related to clustering is the concept of load balancing, which is the process of ensuring that the members of a cluster receive similar levels of use. Ideally the workload of the cluster should be balanced across the individual members of the cluster. In this environment the cluster's constituent servers not only provide increased scalability, but also provide fail-over support. Although MSCS does not currently support such clustering, Microsoft has stated intentions to include such capability in future releases of MSCS for the Windows 2000 Server family.

Storage Services  Windows 2000 presents multiple improvements in storage services. The NTFS file system has been enhanced in several ways:

• Dynamic Partition Allocation: Additional space can be allocated to an NTFS partition dynamically without the need to re-boot the system.
• Distributed Link Tracking: If the name or path to a link or shortcut is changed, the system can automatically search for the intended destination.
• Disk Quotas: Maximum disk usage and policies can be set on a per-user basis.
• Encryption: Data encryption can be set on a per-file or per-directory basis to secure sensitive data. The public key encryption system runs as an integrated service in a manner completely transparent to the user.

Windows 2000 introduces Remote Storage Services (RSS), a Hierarchical Storage Management (HSM) application. RSS provides an inexpensive method to increase storage capacity by constantly monitoring file usage and the level of free disk space on an NTFS partition. As shown in Figure 7-20, RSS automatically moves data that have not been accessed recently to remote media when the level of free space on a disk falls below a set level. By moving infrequently used data to slower, less expensive media such as optical disk or magnetic tape, RSS frees local disk space for newer, more commonly accessed files. The RSS service keeps a pointer on the local disk that points to the file on the remote media. When a user has to access the remote file, it is automatically copied back to local disk. From the perspective of the user, the entire process is seamless, although access to data that have been archived is slower due to the latency of the remote media.
The capabilities of RSS are expanded upon by the Removable Storage Manager (RSM) service. RSM provides a standard interface to multiple tape autoloaders and robotic tape and optical disk changers. Through the use of such hardware and the RSM service, the amount of data RSS can archive is increased beyond the capacity of a single tape or disk.

Figure 7-20 Remote Storage Services (a Windows 2000 Server migrating files to an optical drive)

The Distributed File System (DFS) is a network storage service that allows resources on multiple servers to be combined into a virtual directory tree. From the perspective of a network user, it appears that all of the resources are in a single directory. DFS simplifies the process of finding data on the network. Users are no longer required to remember server and share names; they need only remember the location of the data within the DFS directory.

Management and Administration

As mentioned in Chapter 6, Total Cost of Ownership (TCO) is one of the key concerns of network administrators. Windows 2000 provides several management and administrative features that allow it to reduce the cost of implementing and maintaining a Windows-based network system. Enhancements to the Windows NT Server 4.0 web-based administration capabilities, a new directory service, and new client and user synchronization tools combine to strengthen the management capabilities of Windows 2000.

Active Directory  The biggest change in Windows 2000 is undoubtedly the release of Microsoft's directory service. Dubbed the Active Directory, the change from the previous domain system to a directory service resolves many scalability issues that were prevalent in Windows NT 4.0. Similar in functionality to NDS in NetWare environments, the Active Directory (AD) is a distributed database containing information about network resources.
Active Directory is designed to be a single solution for all of an organization's directory needs. As shown in Figure 7-21, the Active Directory not only provides authentication services for the network, but also integrates directly into e-mail and other applications. This unified directory approach presents a single administration point for the network, thus eliminating the overhead associated with maintaining duplicate directory structures.

Figure 7-21 Active Directory, a Unified Directory Service

While the Active Directory is similar in functionality to NDS, it is quite different in structure. Where NDS is designed from a top-down perspective where a single tree is divided into multiple branches (organizational units), Active Directory works from a bottom-up perspective where multiple organizational units are combined into trees and trees are combined into forests.
As shown in Figure 7-22, the smallest physical section of the Active Directory is a domain. Similar to a Windows NT 4.0 domain, an Active Directory domain consists of a group of closely related network objects. To increase granularity, Active Directory domains can be broken into multiple sections, or organizational units (OU), each of which can be further broken down into additional OUs, creating a multilevel structure.
With the ability to contain up to 10 million objects, a single domain may provide enough capacity for many smaller, single location organizations. If an organization requires more than 10 million objects, or if the organization has multiple locations, multiple domains can be arranged into a tree. An Active Directory tree consists of multiple domains arranged in a hierarchical manner.
For very large enterprises, multiple trees can be combined into an Active Directory forest. A forest is a collection of trees. This bottom-up, build-it-as-you-go approach to directory structure allows an organization to start with a simple directory design and grow it as the company expands. As will be discussed in a subsequent section, it also is a great help in migrating from Windows NT Server 4.0 or NetWare to Windows 2000.

Figure 7-22 Active Directory Structure (organizational units within domains, and domains arranged into a domain tree)

Complete data about a domain are kept on each of the domain's controllers. Unlike Windows NT 4.0, which used primary and backup domain controllers, the Active Directory uses multiple domain controllers (DC) that act as peers. To ensure high availability, each DC can perform all domain controller duties. Domain changes automatically propagate across domain controllers using multi-master replication.
In addition to a complete copy of all information pertaining to the domain, each domain controller contains meta-data (high-level data) about the other domains in the directory hierarchy. In this manner, client requests for data from other domains can be routed to the domain controller for the destination resource.
The Active Directory uses a DNS namespace. As illustrated in Figure 7-23, each Active Directory domain is analogous to a DNS domain (i.e., [Link]). Each server and workstation within an AD organizational unit must be in the same DNS domain. A tree is similarly analogous to a DNS sub-domain (i.e., [Link] and [Link]). Forests can combine trees from different second-level DNS domains (i.e., [Link] and [Link]).
One of the main problems with the NT 4.0 domain system was that administration was limited to the domain level. Active Directory has resolved this issue by allowing administrative control to be assigned on a per-OU basis to further the administrative granularity within a domain. To make security configuration easier to manage, permissions can also be set to flow down AD trees and domains.

Figure 7-23 Active Directory to DNS Namespace Mapping

Although Active Directory is not an X.500 style directory, it does support the Lightweight Directory Access Protocol (LDAP). An IETF standard derived from the OSI X.500 directory access protocol, LDAP allows any compliant application to gain access to the data stored in the directory database provided proper authentication credentials are presented. More detailed information on LDAP can be found in Chapter 5.

In Sharper Focus
LDAP CLIENTS

Both Netscape Communicator and Microsoft Internet Explorer contain address book utilities that are LDAP compliant. By opening the address book and pointing it at the IP address of a NetWare server running LDAP services, directory information can be accessed. Depending on need, the server can be configured either to allow anonymous access to the directory or to require an SSL connection to authenticate the user before allowing access.

Applied Problem Solving
MIGRATION TO ACTIVE DIRECTORY

The Active Directory solves many scalability and manageability problems associated with Windows NT 4.0. However, a clean migration path is required to convert the many NT 4.0 domain installations to Active Directory.
Windows 2000 takes a two-phase approach to migrating older Windows domain-based networks to Active Directory. The existing NT 4.0 Primary Domain Controller is migrated to Windows 2000. Once the Primary Domain Controller migration is completed, all Backup Domain Controllers can be migrated. To maintain operation during the migration process, Windows 2000 Server emulates an NT Server 4.0 domain controller. Once the domain is migrated, existing network clients will see the Windows 2000 Active Directory domain as a Windows NT 4.0 domain. Newer client network operating systems will include the ability to view the domain as an Active Directory domain and expand the client capabilities.
In addition to migrating from this older Microsoft directory solution, a means of migrating Novell solutions to Active Directory adds to the viability of Windows 2000 as a NetWare alternative for larger organizations. Windows 2000 also includes a NetWare migration utility that can migrate both bindery-based NetWare 3 and NDS-based NetWare 4 and 5 servers to Active Directory.

Client and User Tools  One of the key concerns for distributed computing users is providing a consistent desktop and network view for users regardless of which node they log into. This problem is exacerbated by the rapid adoption of notebook computers. These portable machines are constantly moved around the network and often are not even connected to the network. To provide as consistent an environment as possible, Windows 2000 introduces three new technologies: the application installation service, IntelliMirror, and client-side caching.
The Application Installation Service is designed to provide a consistent set of applications to be available to a user. Applications are assigned to users or groups of users. Whenever a user logs into a network station, the application installation service will ensure that the required applications are installed on the station. If not, the service will install the applications as part of the login sequence. In addition to providing a more consistent environment to users, the application installation service promises to greatly reduce the time and expense associated with the distribution and maintenance of network applications.
To further enhance the capability of Windows to provide a consistent desktop and operating environment to mobile users, IntelliMirror services can be deployed. IntelliMirror can be thought of as a next-generation roaming profile that ensures a user's desktop, data, and applications are available wherever they log into the network. To ensure that a user's environment is always available, IntelliMirror caches user data on each workstation and automatically synchronizes updates to a central server.
Although these technologies can greatly increase the consistency of a user's operating environment, another issue with notebook computers is access to data when the notebook is not connected to the network. The Microsoft Briefcase service, introduced in Windows 95, provided a means of synchronizing manually selected files between a notebook and the network. Windows 2000 expands on the capability of Briefcase with the introduction of client-side caching. Client-side caching transparently synchronizes data between the notebook and the network. Whenever the user logs into the network, the system will analyze the cached data and automatically synchronize with the network copy of the data, ensuring that an updated copy of the user's data is always available regardless of whether the user is connected to the network.
While these features address many of the administrative concerns of client systems, Microsoft provides the Systems Management Server products for larger systems that require tighter administrative control.

Security  In the Internet age, one of the most dynamic network operating system areas is security. NT Server 4.0 provides excellent security in stand-alone mode, but network security has been problematic, with new vulnerabilities exposed and patched on a consistent basis. As mentioned in a previous section, NT 4.0 uses a modular security system. Windows 2000 utilizes this modular system to enhance network security by integrating standardized authentication and encryption technologies.
In addition to the standard Microsoft password authentication and access control list authorization system, Windows 2000 integrates support for Kerberos Version 5 directly into the operating system. A standardized authentication system, Kerberos support allows Windows 2000 to directly integrate with other client/server and mainframe-based security systems while enhancing the security model of a Windows-only network. Please refer to Chapter 16 for additional information on Kerberos.
In addition to Kerberos support, the Windows 2000 authentication model provides a public key certificate server and integrates smart card support directly into the security infrastructure. By providing a public key certificate server, Windows 2000 allows an organization to implement public key encryption technologies without the hassle and expense of relying on external commercial certificate servers. Smart card support integrates into the certificate services to allow the use of smart cards to enhance the standard software-only solutions for client authentication, logon, secure storage, and system administration.
In addition to these enhancements to the Windows security infrastructure, support for NTFS file encryption and the IP Security Protocol (covered in other parts of this section) further enhances the security of Windows-based networks.

Communication Protocols

Although communication protocol support was one of the strengths of Windows NT 4.0, keeping up to date with evolving protocols is required to remain a viable network operating system choice. The continued expansion of the Internet into mainstream corporate computing has made TCP/IP the de facto network protocol. Windows 2000 enhances the NT TCP/IP implementation to add support for the IP Security protocol, network address translation, IP telephony, and dynamic DNS.

Support for the IP Security Protocol (IPSec) is added in Windows 2000. Designed to improve security over Internet connections, the IP Security Protocol is an IETF protocol for authenticating and encrypting IP traffic. Windows 2000 integrates IPSec usage into the Windows security policies, making its usage completely transparent to the end user. By implementing IPSec, communication to trusted hosts on the Internet and on Virtual Private Network (VPN) links across the Internet can be protected.
Windows 2000 introduces the Network Address Translator (NAT). As mentioned in Chapter 4, the number of IPv4 addresses available is rapidly dwindling. As a means to increase security and eliminate the need to assign officially registered IP addresses to all internal clients, many organizations are assigning special IP address ranges that have been reserved as private addresses. These addresses will never be assigned to an actual Internet host. As shown in Figure 7-24, the NAT service is a special firewall/proxy service used to allow internal hosts with such private addresses to access external Internet hosts. Additional, detailed information on Network Address Translation can be found in Chapter 12.
While alternative services running on both NT and other operating sr-.-
tems also provide this functionality, the Windows 2000 NIAT service has tht
advantage of seamlessly integrating with the Windows DHCP and DNS sr s'
tem. Internal hosts are automatically assigned appropriate configuratic:
information to access the Internet through the firewall. Integration with tb=
Windows security model also allows Internet access to be assigned as part c:
the overall Windows security policy, thus streamlining Internet securi:-"
management.
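To make the private-address mechanism concrete, the following is an added example (not code from the textbook or from the Windows 2000 NAT service) of the translation table such a service keeps. It checks that the inside address is in one of the RFC 1918 private ranges the text refers to, maps each outbound flow to a port on a single public address, and translates replies back; an inbound packet with no matching entry is dropped, which is the "firewall" side of the service the text mentions. The addresses 203.0.113.5 and 198.51.100.7 are constructed sample values, and the port-allocation scheme is an assumption of the example.

```python
"""Port-overloading NAT table (added example; a model, not the Windows 2000 NAT service)."""
import ipaddress

# RFC 1918 private ranges: never assigned to a host on the public Internet
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr falls inside one of the reserved private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


class NatTable:
    """Many private hosts share one public address; flows are told apart by port."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port          # assumed sequential allocation
        self._out = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self._in = {}    # (public_port, remote_ip, remote_port) -> (priv_ip, priv_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of an internal packet; returns the translated 4-tuple."""
        if not is_private(src_ip):
            raise ValueError(f"{src_ip} is not a private address; refusing to translate")
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self._out:                # first packet of a flow creates the mapping
            port = self.next_port
            self.next_port += 1
            self._out[key] = port
            self._in[(port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self._out[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Packet arriving at public_ip:dst_port. None means no mapping exists: drop it."""
        mapping = self._in.get((dst_port, src_ip, src_port))
        if mapping is None:
            return None
        priv_ip, priv_port = mapping
        return (src_ip, src_port, priv_ip, priv_port)


def demo():
    """Two internal hosts reach the same web server; one unsolicited packet is dropped."""
    nat = NatTable("203.0.113.5")                       # constructed public address
    a = nat.outbound("192.168.1.10", 1025, "198.51.100.7", 80)
    b = nat.outbound("192.168.1.11", 1025, "198.51.100.7", 80)
    reply = nat.inbound("198.51.100.7", 80, a[1])        # reply to the first flow
    unsolicited = nat.inbound("198.51.100.9", 4444, 40002)
    return a, b, reply, unsolicited


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The point a defender should take from the table is the asymmetry: an internal host can open a mapping, but nothing outside can create one, so every inbound packet must match a flow the inside already started.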
Another major communication protocol improvement is the implementation of Dynamic DNS. Dynamic DNS (DDNS) is an IETF standardized extension to DNS that allows a client to register its IP address with the DNS server. When a client acquires an IP address in a dynamic means from either a LAN-based DHCP server or from a dial-in remote access server, the client registers the IP address and the computer's domain name with the DDNS server.

Figure 7-24 Network Address Translator (intranet side: private IP addresses, e.g. 192.168.x.x; Internet side: assigned IP addresses)



By adopting DDNS, the proprietary Windows Internet Naming System (WINS) is no longer required, allowing a single standards-based naming system for use not only by Windows networking and the Active Directory but by all other TCP/IP-based application layer protocols.
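What a client actually sends when it registers its address and name is a DNS UPDATE message (RFC 2136). The following added example, written for this page and not taken from the textbook or from Windows, builds and parses such a message using only Python's standard library: one zone entry, no prerequisites, and two update records (delete any existing A record for the name, then add the new one). The zone, hostname, address and transaction ID are constructed sample values. The message deliberately carries no TSIG signature, which is why a server should accept such updates only from authenticated clients (Windows 2000 DNS offers secure dynamic update for Active Directory-integrated zones); without that, anyone who can reach the server could rewrite a host's name-to-address mapping.

```python
"""RFC 2136 DNS UPDATE builder and parser (added example; not from the textbook or Windows)."""
import ipaddress
import struct

OPCODE_UPDATE = 5          # header opcode for UPDATE
TYPE_A, TYPE_SOA = 1, 6
CLASS_IN, CLASS_ANY = 1, 255


def encode_name(name: str) -> bytes:
    """Dotted name -> length-prefixed labels, terminated by a zero byte (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not used in this example")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def build_update(zone: str, hostname: str, ip: str, ttl: int = 1200, txid: int = 0x1234) -> bytes:
    """UPDATE: zone section (SOA of the zone), no prerequisites, delete old A RRset, add new A."""
    # header: ID, flags (QR=0, opcode=5), ZOCOUNT=1, PRCOUNT=0, UPCOUNT=2, ADCOUNT=0
    header = struct.pack("!HHHHHH", txid, OPCODE_UPDATE << 11, 1, 0, 2, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    # "delete RRset": class ANY, TTL 0, empty RDATA
    delete_rr = encode_name(hostname) + struct.pack("!HHIH", TYPE_A, CLASS_ANY, 0, 0)
    rdata = ipaddress.IPv4Address(ip).packed
    add_rr = encode_name(hostname) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + zone_section + delete_rr + add_rr


def parse_update(msg: bytes) -> dict:
    """Decode header, zone and update records; prerequisite records are skipped."""
    txid, flags, _zocount, prcount, upcount, _adcount = struct.unpack_from("!HHHHHH", msg, 0)
    offset = 12
    zone, offset = decode_name(msg, offset)
    offset += 4                                   # zone TYPE and CLASS
    for _ in range(prcount):                      # same RR layout; RDLENGTH sits 8 bytes in
        _name, offset = decode_name(msg, offset)
        rdlen = struct.unpack_from("!H", msg, offset + 8)[0]
        offset += 10 + rdlen
    updates = []
    for _ in range(upcount):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, offset)
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        addr = str(ipaddress.IPv4Address(rdata)) if rtype == TYPE_A and rdlen == 4 else None
        updates.append((name, rtype, rclass, ttl, addr))
    return {"txid": txid, "opcode": (flags >> 11) & 0xF, "zone": zone, "updates": updates}


if __name__ == "__main__":
    msg = build_update("example.com.", "ws01.example.com.", "192.168.1.10")  # constructed
    print(msg.hex())
    print(parse_update(msg))
```

A real client would send these bytes to the DDNS server on port 53; the parser here shows what the server sees and why, absent authentication, the sender's identity is nothing more than a claim in the packet.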
Application Layer Services
The strength of NT has traditionally been its ability to act as an application server. Support for virtual machines and a strong service model have allowed NT to become a key application server for many organizations. The key application services included in Windows 2000 are file and print services, transaction and message queuing services, and Internet and streaming multimedia services.

While Windows 2000 introduces few changes to the Windows print system, a couple of items are noteworthy. The addition of the Active Directory makes it easier for users to locate printers by navigating AD trees. Out of the box driver support has been expanded to include more than 2,500 different printers. The introduction of the Internet Printing Protocol enhances Windows 2000's ability to work with Internet technologies.

The Internet Printing Protocol (IPP) offers features that tightly integrate the Internet with the Windows 2000 printing model. Using IPP, Windows 2000 users can print directly to a URL over the Internet, thus easing the process of locating and submitting jobs to the print system. IPP also includes the ability to publish printer status and job information in an HTML format, allowing any web browser to be used to manage the print system.

Windows 2000 includes integrated transaction services that provide client/server application developers a standardized means of ensuring that all transactions are successfully completed. Windows 2000 transaction services include the ability to process transactions across a wide range of data sources including SQL databases, CICS/VMS applications, or message queues. More information on these technologies can be found in Chapter 9.

Internet Information Server (IIS) has been enhanced with the release of Windows 2000. Support for new Internet technologies such as dynamic HTML (DHTML), XML, and DAV has been added to IIS. A new management console enables all Internet services to be integrated and managed not only at the server, but also via the web itself. The integrated streaming media services allow the delivery of high-quality audio, illustrated audio, and video to clients across TCP/IP networks.

NT WAN/REMOTE ACCESS

As telecommuting and an increasingly mobile workforce have become more commonplace, network operating system architectures have had to adjust to these business-level requirements. Although LAN remote access solutions will be explored in depth in Chapter 14, Windows remote access is briefly discussed here.
Windows provides the Remote Access Service (RAS) that allows remote clients to connect to the network via a wide range of technologies including:

• Dial-up phone service, sometimes referred to as POTS (Plain Old Telephone Service)
• ISDN (Integrated Services Digital Network)
• X.25 (as shown in Figure 7-26)
The RAS server software is responsible for authentication of remote users and overseeing the communication sessions established with remote clients. In simple terms, it is the job of the RAS server to make sure that the remote client is provided all required services as if it were a local client. The actual servicing of the remote client's requests is performed by the NT network operating system. The RAS server is responsible for ensuring that the remote client's requests reach the NT server and that server responses reach the remote client. The RAS server is able to support up to 256 simultaneous connections and also supports data compression in order to optimize the throughput of information between the local server and the remote client. Figure 7-25 illustrates the interaction of the components of a RAS architecture. More details concerning the hardware, media, and network services required to enable remote access to LANs in general will be covered in Chapter 14.

Figure 7-25 Windows NT Remote Access Service Architecture (a Windows 9x client with integral modem running Remote Access Software, and a Windows for Workgroups client with integral ISDN adapter running Remote Access Software, the latter over the ISDN Digital Network Service, connect to a Windows NT/2000 Server running Remote Access Software, which connects out to other network-attached resources, including NetWare servers)

In keeping with the overall objective of RAS to allow the remote client all of the functionality of local clients, RAS allows remote clients to run NBF, TCP/IP, or IPX/SPX communication protocols in any combination. As illustrated in Chapter 4, the only layer that must change for the trip across the WAN is the data-link layer. In this case, the wide area data-link layer protocols that encapsulate the upper layer protocols are PPP (Point-to-Point Protocol) and SLIP (Serial Line Internet Protocol).

Because RAS supports TCP/IP, NBF (NetBEUI), and IPX/SPX, NetWare applications, NT applications, and NetBIOS applications can all be accessed and executed by the remote client. NetWare servers available to local clients are equally available to remote clients. Any additional gateway services offered by the local NT server such as Internet gateways or SNA gateways to IBM mainframes are equally accessible by remote clients. Figure 7-26 illustrates the communication protocol architecture of RAS clients and servers.
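The statement that only the data-link layer changes on the WAN leg can be shown with the PPP framing itself. The example below is added for this page (it is not the textbook's or Microsoft's code): it wraps an IP, IPX or NBF packet in an HDLC-like PPP frame as defined in RFC 1661/1662, using the protocol-field values 0x0021 (IP), 0x002B (IPX) and 0x003F (NetBIOS Frames), computes the 16-bit FCS, byte-stuffs the control characters, and on receipt verifies the FCS before handing the unchanged upper-layer packet back. The short payloads are constructed samples, not real packets.

```python
"""PPP (RFC 1661/1662) framing of IP, IPX and NBF packets (added example, not from the textbook)."""

FLAG, ESC, XOR = 0x7E, 0x7D, 0x20          # HDLC-like framing bytes
ADDRESS, CONTROL = 0xFF, 0x03               # all-stations address, unnumbered information
PROTOCOLS = {"ip": 0x0021, "ipx": 0x002B, "nbf": 0x003F}   # PPP protocol field values
GOOD_FCS = 0xF0B8                           # CRC residue left by a frame with a correct FCS


def _crc16(data: bytes) -> int:
    """Bitwise CRC-16 (reflected polynomial 0x8408, init 0xFFFF) used for the PPP FCS-16."""
    fcs = 0xFFFF
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs


def fcs16(data: bytes) -> int:
    """FCS value as transmitted: CRC with the final ones' complement applied."""
    return _crc16(data) ^ 0xFFFF


def ppp_encapsulate(proto: str, payload: bytes) -> bytes:
    """Address + control + protocol + payload + FCS, stuffed and delimited by flag bytes."""
    body = bytes([ADDRESS, CONTROL]) + PROTOCOLS[proto].to_bytes(2, "big") + payload
    fcs = fcs16(body)
    body += bytes([fcs & 0xFF, fcs >> 8])   # FCS is sent least-significant byte first
    frame = bytearray([FLAG])
    for byte in body:                        # default ACCM: escape flag, escape and < 0x20
        if byte in (FLAG, ESC) or byte < 0x20:
            frame += bytes([ESC, byte ^ XOR])
        else:
            frame.append(byte)
    frame.append(FLAG)
    return bytes(frame)


def ppp_decapsulate(frame: bytes):
    """Undo stuffing, check the FCS, and return (protocol name, upper-layer packet)."""
    if len(frame) < 8 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("missing flag bytes")
    body = bytearray()
    i = 1
    while i < len(frame) - 1:
        byte = frame[i]
        if byte == ESC:
            i += 1
            byte = frame[i] ^ XOR
        body.append(byte)
        i += 1
    if _crc16(bytes(body)) != GOOD_FCS:      # CRC over data plus FCS must give the residue
        raise ValueError("FCS check failed")
    if body[0] != ADDRESS or body[1] != CONTROL:
        raise ValueError("unexpected address/control field")
    number = int.from_bytes(body[2:4], "big")
    names = {value: name for name, value in PROTOCOLS.items()}
    if number not in names:
        raise ValueError(f"unknown PPP protocol 0x{number:04x}")
    return names[number], bytes(body[4:-2])


if __name__ == "__main__":
    for name, packet in (("ip", b"\x45\x00\x00\x1c"), ("ipx", b"\xff\xff\x00\x1e"), ("nbf", b"\x7e\x7d")):
        frame = ppp_encapsulate(name, packet)          # constructed sample payloads
        print(name, frame.hex(), ppp_decapsulate(frame))
```

The payload comes back byte-for-byte, whatever network-layer protocol it belongs to, which is what lets RAS carry NBF, TCP/IP and IPX/SPX "in any combination" over one link; the FCS check is the receiver's only defence against a corrupted frame, so a frame that fails it is discarded rather than passed up.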
WINDOWS SERVER INTEROPERABILITY

Because of increased demands to be able to share information more quickly and easily within a company, as well as the increased number of corporate mergers and acquisitions, interoperability between different types of network operating systems has become an increasingly important functional characteristic. Windows natively provides tools designed to promote interoperability with NetWare and UNIX systems.

Figure 7-26 NT Client/Server Communication Protocols (NT/2000 RAS client: the NT RAS API over a NetBIOS gateway, an IP router and an IPX router; Sockets and NetBIOS interfaces over SPX, TCP and NetBEUI; IPX and IP over PPP; direct NetBIOS communication for call management, dialing, hang-up and call status. NT/2000 RAS server: NT RAS with NetBIOS, IP and IPX over PPP and NDIS, and a network interface card to the local network. WAN services: POTS, ISDN, X.25)

Windows/NetWare Interoperability

Windows interoperability with NetWare is provided through Gateway Services for NetWare and File and Print Services for NetWare, optional components of Windows NT Server. Gateway Service for NetWare provides Windows clients access to NetWare resources, while File and Print Services for NetWare provides NetWare clients access to Windows resources.

As illustrated in Figure 7-27, Gateway Services for NetWare attaches to the NetWare server as a standard NetWare client. Once connected, the Windows server presents the NetWare resources as locally attached Windows resources. The clients request access to the resources via standard Windows shares using the SMB protocol. Upon receiving the request, Gateway Services for NetWare restructures the request for transmission to the NetWare server using the NCP protocol. The response from the NetWare server is similarly translated from NCP to SMB for transmission to the Windows client. As can be seen, this process is very inefficient. If the Windows and NetWare servers are both on the same network segment, each request results in double the network traffic: once for the SMB request and once for the corresponding NCP request. In addition to network traffic inefficiency, Gateway Services for NetWare also uses significant amounts of the Windows server's processor to translate information between SMB and NCP. Despite these issues, Gateway Services for NetWare works well and provides a solution for the occasional traffic or an excellent migration path from NetWare to Windows.

Figure 7-27 Gateway Services for NetWare (Windows clients reach the NetWare volume SYS:PUBLIC through the Windows server)

SETTING GATEWAY SERVICES FOR NETWARE RIGHTS AND PERMISSIONS

Practical Advice and Information

The Gateway Services for NetWare service authenticates to the NetWare server using preset authentication credentials. Every request forwarded from the Windows server will appear to the NetWare server to be coming from this user. Therefore, the rights given to this account provide an upper limit to the rights Windows clients have to the NetWare resources. When the NetWare resources are re-shared by Gateway Services for NetWare, more restrictive permissions can be assigned to individual Windows users. The best solution is to give the Windows server all rights to the NetWare resource and set permissions for individual Windows users on the Gateway for NetWare server.
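The "upper limit" rule above can be checked mechanically. The following added example (a model written for this page, not Microsoft's implementation) represents the gateway account's NetWare trustee rights and the NT share permissions granted to individual Windows users, computes each user's effective rights as the intersection of the two, and reports any share permission the gateway account cannot honour. The mapping from NT share permissions (No Access, Read, Change, Full Control) to NetWare trustee rights, and the user names, are assumptions of the example.

```python
"""Effective rights through a NetWare gateway account (added example; a model, not Microsoft's code)."""

# NetWare trustee rights: Read, Write, Create, Erase, Modify, File scan, Access control, Supervisor
NETWARE_RIGHTS = frozenset("RWCEMFAS")

# Assumed mapping: the NetWare rights each NT share permission needs in order to be honoured
SHARE_PERMISSION_RIGHTS = {
    "No Access": frozenset(),
    "Read": frozenset("RF"),
    "Change": frozenset("RWCEMF"),
    "Full Control": NETWARE_RIGHTS,
}


def effective_rights(gateway_rights, share_permission):
    """What a Windows user really gets: the share grant, capped by the gateway account."""
    return frozenset(gateway_rights) & SHARE_PERMISSION_RIGHTS[share_permission]


def audit_gateway_share(gateway_rights, share_acl):
    """Per user: effective rights, plus share grants the gateway account cannot honour.

    gateway_rights: NetWare rights held by the account GSNW logs in with
    share_acl: {windows_user: share_permission} set on the re-shared resource
    """
    gateway = frozenset(gateway_rights)
    if not gateway <= NETWARE_RIGHTS:
        raise ValueError(f"unknown NetWare right(s): {sorted(gateway - NETWARE_RIGHTS)}")
    report = {}
    for user, permission in share_acl.items():
        wanted = SHARE_PERMISSION_RIGHTS[permission]
        report[user] = {
            "effective": "".join(sorted(wanted & gateway)),
            "unhonoured": "".join(sorted(wanted - gateway)),
        }
    return report


def demo():
    """Same share ACL, first behind a read-only gateway account, then behind a full-rights one."""
    share_acl = {"alice": "Change", "bob": "Read", "guest": "No Access"}   # constructed
    capped = audit_gateway_share("RF", share_acl)            # gateway account is read-only
    recommended = audit_gateway_share(NETWARE_RIGHTS, share_acl)   # advice from the text
    return capped, recommended


if __name__ == "__main__":
    capped, recommended = demo()
    print("read-only gateway account:", capped)
    print("full-rights gateway account:", recommended)
```

With the read-only gateway account, alice's Change permission silently collapses to Read; with the gateway account holding all rights, each share permission means what the administrator set, and the per-user restriction lives in one place on the Windows server, which is the configuration the advice box recommends.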

NetWare clients can gain access to Windows resources through File and Print Services for NetWare. File and Print Services for NetWare allow a Windows server to appear as a NetWare 3 server. NetWare clients authenticate and attach to the Windows server just as they would a NetWare server.

By examining the array of products available from Microsoft, it should become clear that although interoperability with NetWare is certainly achievable, their primary purpose is to form a suite of products that make the transition from NetWare to NT as painless as possible.

Windows/UNIX Interoperability

With the emergence of Windows NT as an application server, interoperability with UNIX has become a key issue. There are two basic approaches to UNIX/NT interoperability: making NT speak UNIX upper-layer protocols (NFS) and making UNIX speak NT upper-layer protocols (SMB). The remainder of this section will focus on NFS implementations on NT. Technologies that allow UNIX to integrate into a native Windows environment will be covered in Chapter 8.

The Network File System (NFS) is UNIX's native network file system. Interoperability with UNIX is dependent on making Windows speak the NFS protocol. There are many different NT NFS solutions available. In addition to Microsoft's UNIX services for NT, many third-party software vendors have developed versions of the NFS file system that run on the Windows platform, thereby offering file system interoperability as well as client and server interoperability. These products should be reviewed carefully since they can differ in:

• Support for the Network Information System (NIS)
• Level of compatibility with standard NFS functionality
• Performance on reads, writes, copies, and deletes can vary significantly
• Number of simultaneous clients supported
• Support for multithreaded architecture
• Pricing policy

In addition to allowing Windows clients to connect to UNIX resources, another key Windows/UNIX interoperability issue is support for the UNIX X-Windows system. X-Windows is the system used by UNIX systems to present a graphical user interface to UNIX applications. There are several products on the market that allow Windows clients to integrate into X-Windows. Detailed information on UNIX networking, NFS, and X-Windows is provided in Chapter 8.

SUMMARY

Windows NT is a powerful network operating system gaining significant market share thanks to its ability to serve as a powerful applications server as well as offering file and print services. The reliability, scalability, and portability that characterize Windows NT are directly attributable to its architecture, including a CPU-specific hardware abstraction layer and strict enforcement of program access to hardware resources through the NT kernel.

One of NT's big advantages over market leader NetWare is its ability to support SMP with its multithreaded kernel.

Windows NT is designed for interoperability or extensibility on a number of levels. For example, NT supports numerous file systems including FAT, NTFS, and AppleShare. In addition, it is also able to communicate with native NetWare file systems as well. In terms of communications protocols, NT is able to support TCP/IP, IPX/SPX, or NBF (NetBEUI Frame) as its native communication protocol providing all transport services between NT clients and servers. In addition, NT also supports DLC and AppleTalk communications protocols for interoperability with IBM mainframes, networked printers, and Macintosh computers.

Unlike NetWare 4, which organizes an entire enterprise network's objects into a single NDS database, an NT enterprise network is divided into numerous independent domains. User accounts and access lists for each domain are administered by designated computers known as primary domain controllers. Users are able to access network attached resources on numerous domains thanks to specialized trust relationships established between domain controllers.

An upcoming release of Windows NT, now called Windows 2000, will expand on the shortcomings of Windows NT 4.0 by implementing a comprehensive directory services solution. Improvements in SMP capability, clustering, and load balancing are designed to allow Windows 2000 to scale to larger enterprises.

In recognition of the increased emphasis on remote and mobile computing, Windows NT includes remote access services that provide both outstanding security as well as sophisticated interoperability thanks to support of multiple communications protocols. In short, NT RAS offers full functionality to remote clients equivalent to that available to locally attached Windows clients.

Market surveys are consistently showing increased interest in Windows NT as an enterprise network operating system well suited to high-end applications or database server roles.

KEY TERMS

access control lists, ACL, Active Directory, AD, AppleTalk, Application Installation, Backoffice, cache manager, CD File System, CDFS, Client-side caching, Data-Link Control, DCE, DDNS, demand paging, Device drivers, DFS, DHCP, Distributed Computing Environment, Distributed File System, DLC, DLL, DNS, Domain Name System, Domains, Dynamic DNS, Dynamic Host Configuration Protocol, Dynamic Link Library, FAT, File Allocation Table, File and Print Services for NetWare, file system drivers, forest, Gateway Services for NetWare, HAL, hardware abstraction layer, Hierarchical Storage Management, HSM, I/O Manager, I/O request packets, IIS, IntelliMirror, Interdomain trust accounts, Internet Information Server, Internet Printing Protocol, IPP, Kerberos, kernel mode, lease duration, Local Procedure Call Facility, local security authority, log file service, Logon process, Mailslot, Master File Table, MFT, Microsoft Clustering Services, modularity of design, MPR, MSCS, NAT, NBF, NetBEUI Frame, Network Address Translator, Network File System, NFS, NT Executive, NT File System, NT Kernel, NTFS, NWLink, object manager, passthrough authentication, Point-to-Point Protocol, portability, POTS, PPP, primary domain controller, privileged mode, process manager, public key certificate server, RAS, Remote Access Service, Remote Procedure Call, Remote Storage Services, Removable Storage Manager, RPC, RSM, RSS, scalability, security access token, security account manager, security ID, security reference monitor, Serial Link Internet Protocol, Server trust accounts, Services for Macintosh, SFM, SID, Single Domain Architecture, SLIP, SMP, SRM, Stubs, TDI, transport driver interface, tree, trust, trust relationship, user accounts database, user mode, Virtual Memory Manager, Windows Internet Naming Service, Windows Sockets, WINS, WinSock, WinSock2, workgroup, Workstation trust accounts, X-Windows

REVIEW QUESTIONS

1. What is meant by the NT characteristic of portability? Give examples.
2. What is meant by the NT characteristic of scalability? Give examples.
3. Differentiate between the various versions of NT 4.0.
4. Differentiate between the following: NT Executive, NT Kernel, and Hardware Abstraction Layer.
5. How does the NT kernel ensure system reliability?
6. How do the various sub-systems of the kernel interact and what controls this interaction?
7. Differentiate between user and kernel mode on NT.
8. Explain the implication of SMP scalability.
9. How is it possible for NT to support multiple file systems simultaneously?
10. Differentiate between FAT and NTFS.
11. Describe both the importance and functionality of NTFS file system recoverability.
12. Describe the function of each module or layer of the NT printing model.
13. Differentiate between domains and workgroups in NT 4.0.
14. Why are trust relationships important to NT 4.0 domain-based user accounts?
15. What is passthrough authentication?
16. Differentiate between the various NT 4.0 domain architectures in terms of domain management, number of users supported, functionality offered, and target organization.
17. Describe each layer of the NT network services architecture. How does each layer contribute to NT's ability to support multiple transport protocols?
18. What is the role of interprocess communication in general and what advantage, if any, does WinSock 2 offer over alternative IPC protocols?
19. Explain the relationship between the various components of the NT security model.
20. What functionality is offered by Services for Macintosh?
21. What architectural elements are required in NT in order to implement Services for Macintosh without requiring any hardware or software changes to the Mac clients?
22. What is Backoffice? What functionality is included in Backoffice?
23. Differentiate between the various editions of Windows 2000.
24. Explain the difference between fail-over clustering and scalability clustering. Which is native to Windows 2000?
25. What is the primary benefit of Windows 2000 clustering?
26. Explain how Remote Storage Services allows for better utilization of hard disk space.
27. What is the Active Directory?
28. Explain the difference between domains, trees, and forests in terms of the Active Directory.
29. How are the Active Directory and DNS related?
30. How would an NT 4.0 domain consisting of six NT Servers be migrated to Windows 2000 and the Active Directory?
31. What improvements in security were introduced in Windows 2000?
32. What is different about DDNS compared to normal DNS? Why is this difference significant?
33. Explain what NAT is and how it is most often used.
34. What are the key features of the Internet Printing Protocol?
35. What is NFS and what alternatives are available for support of NFS by NT?
36. What are the business layer issues behind the demand for tightly integrated remote access services?
37. Describe NT RAS in terms of supported communication protocols, WAN services, functionality, and architecture.

ACTIVITIES

1. Interview several organizations that have implemented NT. Determine the domain architecture employed in each case. Describe the organization structure and relate the organization size and structure to the chosen domain architecture. In your opinion, was the domain architecture implemented the best alternative? Why or why not?
2. Interview several organizations that have implemented NT. Document the chosen communications protocol in each case. Draw network diagrams indicating the communications protocols that must be supported at clients and servers. Determine why each communication protocol was chosen in each case. Were there alternatives that could have been implemented in any cases?
3. Interview several organizations that have implemented NT. Determine the functional use of NT. Is it being used as an application server? database server? file server? print server? more than one? What other network operating systems are being employed for which function?
4. Investigate DLC as implemented on network attached printers such as the HP 4Si. What functionality does DLC offer? What is required on both the printer and NT in order to implement it? Are alternatives to DLC available?
5. Interview several organizations that have implemented NT. Focus especially on those organizations that have implemented DHCP. What was their motivation? What has been their experience with DHCP to date? What unique requirements come into play when DHCP must be supported across networks using internetworking devices such as routers?
6. Interview several organizations that support both NT and NetWare LANs. Which interoperability products are employed and what functionality is delivered by each product? Is each product employed more for interoperability or transition? Be sure to note whether NetWare LANs are 3.x or 4.x.
7. Investigate several organizations that have implemented NT RAS. Draw detailed diagrams of their architecture including any additional hardware or software required. Be sure to also include business motivation and delivered functionality. Were alternatives to NT RAS considered?
8. Interview several organizations that are considering, or have recently upgraded to Windows 2000. What were the business reasons for the upgrade?
9. Interview several organizations that are considering or have recently upgraded to Windows 2000. What were the business reasons for the upgrade?
10. Interview several organizations that are considering or have recently upgraded to Windows 2000. What is/was their migration plan?
11. Interview several organizations that installed Windows 2000. How did they implement the Active Directory? How is their directory structure designed?
12. Interview several organizations that have upgraded to Windows 2000. Did they find any unexpected problems in the upgrade process?
13. Research products designed to integrate Windows and UNIX. Prepare a technology analysis grid describing the key features of these products.
14. Gather information concerning comparative market share of NetWare and NT from professional periodicals. Present your findings in graphical format. Explain your results. What trends are developing? Is NetWare or NT being adopted more in some market segments than in others? As a network manager, what would be your strategic plan for a network operating system given the results of your research?

CASE STUDY

Georgia Public Broadcasting Gets with the ATM Program

Georgia Public Broadcasting (GPB) believes the arrival of IP convergence is no longer a question, but rather, simply a matter of time.

This conclusion has driven the public radio and television station to build a high-speed ATM network designed to handle data, voice and video.

As a public broadcasting company, GPB isn't used to having a lot of money for its projects. But when the company moved into new facilities a couple of years ago, GPB gave its IT department $500,000 to build a corporate network that would last well into the next century.

The station began by wiring the building with multimode fiber-optic cable at a cost of $250,000. While the fiber network chewed up half the project budget, the organization figured fiber cable would provide a solid infrastructure for at least 15 years.

The fiber infrastructure is the foundation for the new ATM network that GPB started rolling out about a year ago. The organization previously ran an FDDI and Ethernet network.

The station chose ATM because it deemed the technology best suited to handling multiple protocols and highspeed multimedia applications. While GPB is in the midst of migrating to an all-IP network based on NetWare 5.0, the need for multiprotocol support is key because certain IPX and other applications are likely to be around for a while.

The network is anchored by 16 Madge Networks Collage 750 ATM switches, which support a batch of servers and 180 workstations. The ATM network lets GPB deliver 155M bit/sec to the desktop, plenty of bandwidth even for emerging multimedia applications, says Bill Burson, the organization's assistant director of IT.

GPB is awaiting tools from Madge that will let the company monitor the ATM network's performance via Hewlett Packard OpenView, says Burson, who is part of a three member team responsible for GPB's entire network.

GPB chose Madge because the vendor offered its products at one-third of the list price. Also, at the time of the transaction, Madge was the only major player supporting Novell's IPX protocol, Burson says. The one catch with the Madge deal was that GPB had to agree to be a showroom for the vendor.

"It hasn't been a problem at all," Burson says. "Madge representatives were in here half a dozen times when we first moved in, and that's about it."

While ATM to the desktop is rare, Burson's group decided ATM was the only technology that would let GPB send voice and video on the network over which all of its data is running. ATM has proven standards, such as Multi-Protocol over ATM, that let users support mixed protocol environments. While technologies such as Gigabit Ethernet are fast, they've yet to be tested like ATM, Burson says.

Today the network is supporting typical applications, such as Microsoft Office, and Oracle database applications used to store GPB member information.

But the station plans to begin running video over its network by year-end. GPB is considering hooking up a Real Networks RealVideo server to its ATM network. Video applications on tap include online video editing and the exchange of videos with other educational organizations.

"We should be streaming video internally instead of handling VHS tapes," Burson says. "But until recently, video servers were cost-prohibitive and the quality wasn't good enough."

Burson is awaiting available bit rate software from Madge that will let GPB guarantee bandwidth to desktop users, an important consideration for time-sensitive applications such as video.

Next year, GPB expects to add voice to its ATM network traffic mix. The organization plans to attach its Mitel SX2000 PBX, which comes equipped with an ATM interface, to the ATM net. The station figures it will connect its voice system to its membership database server, Burson says. This plan will enable callers to be identified by their phone numbers and will let GPB put members' latest information in the hands of call center agents more quickly.

It remains to be seen how ATM handles voice and video. But to date, ATM has proven to be more stable and far less complicated to deal with than people might think, Burson says.

Source: Denise Pappalardo, "Georgia Public Broadcasting Gets with the ATM Program," Network World, vol. 16, no. 14 (April 5, 1999), p. 14. Copyright (April 5, 1999), Network World.

BUSINESS CASE STUDY QUESTIONS

Activities

1. Complete a top-down model for this case by gleaning facts from the case and placing them in the proper layer of the top-down model. After completing the top-down model, analyze and detail those instances where requirements were clearly passed down from upper layers to lower layers of the model and where solutions to those requirements were passed up from lower layers to upper layers of the model.
2. Detail any questions about the case that may occur to you for which answers are not clearly stated in the article.

Business

1. What was the key business driver for Georgia Public Broadcasting?
2. What are Georgia Public Broadcasting's plans for telephony integration?

Application

1. What applications are currently running over the network?
2. What applications are expected to be running over the network when completed?

Data

1. What types of data are going to be supported over the network?

Network

1. Why did Georgia Public Broadcasting select ATM?
2. Georgia Public Broadcasting has an all ATM network. Is this typical?

Technology

1. What was the key reason for selecting Madge as a technology vendor?
2. What types of clients are used in the network?
3. What protocols are supported on the network?
