Windows NT Server 4.0 Notes


Module 1: The Windows NT 4.0 Environment

Differences between Windows 95 and Windows NT workstation

 

| Technical area | Windows 95 | Windows NT Workstation |
|---|---|---|
| Minimum hardware | 486 with 8-16 MB RAM | Pentium with 12-32 MB RAM; 12 MB on a RISC-based computer |
| Hard disk space | 40 MB | 110 MB |
| Software compatibility | Very high | High: does not allow apps to access hardware directly. |
| Hardware & device compatibility | Very high | High: supports most devices |
| Installation and deployment | Comprehensive detection code and can configure most | Less comprehensive detection code, and static driver support |
| APM & Plug and Play | Built-in (also for laptops) | Not built-in (some by OEM) |
| Performance | Preemptive multitasking for 32-bit apps. | Preemptive multitasking for all apps. |
| Reliability/stability | High, improved over WFW | Very high: all apps run in protected memory space. |
| Security | Support for server-based logon validation | Complete protection down to file-level (when using NTFS) |

 

Features of NT Server:
  • Supports 4 microprocessors in a Symmetric Multiprocessing Environment (SMP). Some implementations by OEM support up to 32 microprocessors.
  • 256 inbound RAS connections.
  • Supports RAID.
  • Integration of IIS (Internet Information Server) means Web install and management is simply part of the OS.
    • With IIS version 2.0: administering web sites remotely from any computer with an Internet browser installed, and providing a fast, secure platform for HTTP, FTP and Gopher services.
  • Administrative Wizards to help perform tasks.
  • File & printer sharing for Macintosh.
  • DNS-, DHCP- and WINS-server.
  • Windows NT Directory Services (NTDS) --> Manages secure distributed directory database and provides services for end users and network administrators.
Note:
Hardware requirements for NTS are:
  • 486DX/33, 
  • 16MB RAM, 
  • and 125MB disk space.

 

Comparing NTS & NTWS

Common features:

  • Multi-platform.
  • Multitasking and multi-threading operations.
  • Security:
    • Mandatory logon.
    • Discretionary access control.
    • Memory protection.
    • Auditing.
  • Support for following OS:
    • MS-DOS
    • Win16
    • Win32
    • OS/2
    • POSIX (UNIX)
  • Supports 4 GB of RAM, 16 Exabytes of HD-space.
  • File systems supported are: FAT, NTFS, and CDFS.

 Differences:

  • Windows NT Server is tuned for server-based applications such as SNA Server, SQL Server, SMS and MS Exchange Server. Windows NT Workstation is designed as a multitasking desktop operating system.
  • Windows NT workstation has a limit of ten incoming concurrent sessions while Server’s is limited by licenses.
Windows NT Architecture Overview
  • Windows NT uses User mode and Kernel mode to maintain operating efficiency and integrity.
User mode
  • is applicable to Applications and subsystems.
  • It has the following limitations:
    • No direct access to hardware.
    • Limited to an assigned address space.
    • May need to use hard disk space as virtual RAM.
    • Processes at a lower priority level than Kernel mode.
Kernel mode
  • Windows NT Executive runs here to protect executive services.
  • Apps cannot directly access the memory of any kernel mode service.
  • Only Kernel mode components can access resources (i.e. hardware) directly.
  • Windows NT works underneath user Apps and environment subsystems to provide support for the applications. These operating components are in the Windows NT executive.

There are three types of Kernel mode components in the Windows NT Executive:

  • Executive services:
    • Managers --> these are the various modules that manage I/O, objects, security, processes, Interprocess Communications (IPC), virtual memory and window/graphic management.
    • Device drivers --> these are modules that control hardware access.
  • Microkernel: Provides most basic OS system services, such as thread scheduling and interrupt handling.
  • Hardware Abstraction Layer (HAL): Code that isolates most hardware interface differences from Windows NT, making it more portable.
The Windows NT Memory Model
  • The memory architecture of Windows NT is a demand-paged virtual memory system based on a flat, linear 32-bit address space, which allows each process in Windows NT to have access to up to 4 GB of memory.
Virtual Memory Architecture
  • Windows NT gives each application a private memory range called the "Virtual Memory Space" and maps that virtual memory to physical memory.

  • Windows NT maps the memory addresses in 4 KB blocks called Pages. Each virtual memory space has room for 4 GB of addresses. This space is made up of 1 MB of 4 KB pages.


     

    Each of the pages in the application's virtual memory space can have one of the following three characteristics:

    1. Most are empty (or unused by the application).
    2. Pages used are redirected to physical RAM by a pointer (invisible to the application).
    3. Some pages that have not been used recently contain another pointer to a 4 KB section of the paging file on the hard disk.
Virtual Memory Process

Using the Virtual Memory Process, some of the application's code is kept in RAM while some of it is on the physical disk. The process of managing this is called "Demand Paging", and follows these 4 steps:

    1. Application attempts to store data in memory.
    2. Virtual Memory Manager intercepts the request, determines the number of pages to use, and then maps unused physical memory to any empty address space in the application's Virtual Memory Space as needed.
    3. If there is not enough physical memory available, the Virtual Memory Manager uses demand paging to find 4 KB pages of RAM that haven't been used recently, and copies the data to the paging file (pagefile.sys). Newly freed RAM is remapped to fulfill the application's request. (i.e. it gets rid of the old stuff not being used and swaps it to the pagefile for the stuff the application wants.)
    4. When the data in the pagefile is needed, pages are copied back into RAM. The new RAM location is mapped back to the same virtual address required by the application. (i.e. just the reverse of #3)
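
The four demand-paging steps above, modeled as a small simulation. This is an added example, not code from the original notes or from Windows NT; the least-recently-used eviction policy, the class and function names, and the dict standing in for pagefile.sys are assumptions.

```python
from collections import OrderedDict

PAGE_SIZE = 4 * 1024                           # 4 KB pages, as in the notes
PAGES_PER_SPACE = (4 * 1024**3) // PAGE_SIZE   # 4 GB space -> 1,048,576 page slots

class VirtualMemoryManager:
    """Toy model of one process's virtual memory space.
    Assumption: least-recently-used eviction; a dict stands in for pagefile.sys."""
    def __init__(self, ram_frames):
        self.ram_frames = ram_frames      # physical 4 KB frames available
        self.resident = OrderedDict()     # virtual page -> bytes in RAM, oldest first
        self.pagefile = {}                # virtual page -> bytes paged out to disk
        self.page_outs = self.page_ins = 0

    def _map(self, vaddr):
        vpage, offset = divmod(vaddr, PAGE_SIZE)
        if not 0 <= vpage < PAGES_PER_SPACE:
            raise ValueError("address outside the 4 GB virtual memory space")
        if vpage in self.resident:
            self.resident.move_to_end(vpage)          # mark as recently used
            return self.resident[vpage], offset
        if len(self.resident) >= self.ram_frames:
            # Step 3: no free RAM, copy the least recently used page to the paging file.
            victim, data = self.resident.popitem(last=False)
            self.pagefile[victim] = data
            self.page_outs += 1
        if vpage in self.pagefile:
            # Step 4: copy the page back into RAM at the same virtual address.
            self.resident[vpage] = self.pagefile.pop(vpage)
            self.page_ins += 1
        else:
            # Step 2: first touch of an empty page, map it to a zeroed frame.
            self.resident[vpage] = bytearray(PAGE_SIZE)
        return self.resident[vpage], offset

    def write(self, vaddr, value):        # Step 1: the application stores a byte
        page, offset = self._map(vaddr)
        page[offset] = value

    def read(self, vaddr):
        page, offset = self._map(vaddr)
        return page[offset]

def demo():
    vmm = VirtualMemoryManager(ram_frames=2)   # constructed: only 2 frames of RAM
    for i, vaddr in enumerate((0x0000_0010, 0x0040_0000, 0x7FFF_F000)):
        vmm.write(vaddr, 0xA0 + i)             # the third write forces a page-out
    first = vmm.read(0x0000_0010)              # faults the first page back in
    return first, vmm.page_outs, vmm.page_ins, sorted(vmm.pagefile)
```

The application reads back the byte it wrote even though its page was moved to the paging file and back in between. The page left in `pagefile` at the end is a copy of application data sitting on disk rather than in RAM.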
Virtual Memory Advantages

This way of memory addressing makes Windows NT portable, because it is compatible with the addressing of other microprocessors like:

  • MIPS R4000.
  • IBM RS6000.
  • DEC Alpha AXP.
Workgroups and Domains

 Computers in a Domain:

| Advantages | Disadvantages |
|---|---|
| Centralized account and security administration. | Requires at least one Windows NT Server domain controller. |
| Single user logon provides network-wide resource access. | Requires additional planning prior to deployment. |

 In a domain Windows NT computers perform the following tasks:

  • User validation, using the directory database.
  • Allow resource access to users defined in the directory database.
  • Function as part of an administered group.

The Workgroup model (uses 1 browserlist):

| Advantages | Disadvantages |
|---|---|
| Does not require a Windows NT domain controller. | No centralized account management. |
| Simple design and implementation. | Inefficient for networks that have many computers. |
| Easy when using only a few computers at close range. | Limited centralized administrative control. |
  • The logon procedure on Windows NT is mandatory and cannot be disabled. It provides users with individual configurations, including desktop and network connections, that are saved when a user logs off.

Logging on Locally

There are five steps to a successful logon process:

  1. WinLogon requests a user name and password. The user name and password are sent to the Local Security Authority (LSA) in the security subsystem.
  2. The LSA queries the Security Accounts Manager (SAM) to see if the user name and password are authorized.
  3. The SAM checks the user name and password against information in the directory database.
  4. If access is approved, the LSA creates an access token with the granted access rights and passes it back to the WinLogon process.
  5. The logon process calls for a new process for the user, usually Explorer.exe, to which the user's token is attached.

Logging on to a Domain (see pic at end of module)

There are ten steps to a successful domain logon process:

  1. WinLogon requests a user name and password. These are sent to the Local Security Authority (LSA) in the security subsystem.
  2. The security subsystem passes the request to the client's Net Logon service.
  3. The client's Net Logon service sends the request to the Net Logon service on the first available domain controller.
  4. The domain controller's Net Logon service passes the request to the domain controller's Security Accounts Manager (SAM).
  5. The SAM queries the domain directory database for username and password approval.
  6. The domain controller's SAM passes the result of the logon attempt to the domain controller's Net Logon service.
  7. The domain controller's Net Logon service passes the result to the client's Net Logon service.
  8. The Net Logon service passes the result to the client's Local Security Authority.
  9. If access is approved, the client's LSA creates an access token with the granted access rights and passes it back to the client's WinLogon process.
  10. WinLogon calls the Win32 subsystem to create a new process for the user, passing the access token to the subsystem. Win32 attaches the token to the new process.
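
The five-step local logon and the ten-step domain logon, modeled side by side. This is an added example, not code from the original notes or from Windows NT; the class names, the sample accounts and the PBKDF2 password verifier are constructed stand-ins, and the real SAM storage format is not modeled.

```python
import hashlib, hmac, os
from dataclasses import dataclass

def _verifier(password, salt):
    # Stand-in password verifier (PBKDF2); not the real SAM storage format.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

class SAM:
    """Security Accounts Manager in front of one directory database (constructed)."""
    def __init__(self, name, accounts, available=True):
        self.name, self.available, self.db = name, available, {}
        for user, (password, groups) in accounts.items():
            salt = os.urandom(16)
            self.db[user.lower()] = (salt, _verifier(password, salt), tuple(groups))

    def validate(self, user, password):
        # Unknown users fall through to an empty entry that can never match.
        salt, stored, groups = self.db.get(user.lower(), (b"", b"", ()))
        ok = hmac.compare_digest(stored, _verifier(password, salt))
        return groups if ok else None      # only the result leaves the SAM

@dataclass(frozen=True)
class AccessToken:
    user: str
    groups: tuple
    validated_by: str                      # directory database that approved the logon

class Computer:
    def __init__(self, local_sam, domain_controllers=()):
        self.local_sam, self.dcs, self.processes = local_sam, list(domain_controllers), []

    def _lsa_logon(self, user, password, domain):
        if domain:   # domain steps 2-8: Net Logon -> first available DC -> its SAM
            sam = next((dc for dc in self.dcs if dc.available), None)
        else:        # local steps 2-3: the LSA queries the local SAM
            sam = self.local_sam
        groups = sam.validate(user, password) if sam else None
        if groups is None:
            return None
        # Local step 4 / domain step 9: the client's own LSA builds the token.
        return AccessToken(user.lower(), groups, sam.name)

    def winlogon(self, user, password, domain=False):
        token = self._lsa_logon(user, password, domain)
        if token is None:
            return None                    # denied: no token, no user process
        process = {"image": "Explorer.exe", "token": token}
        self.processes.append(process)     # the token is attached to the new process
        return process
```

In both paths the process receives only the access token, never the password, and a domain account that is absent from the local directory database cannot be used for a local logon.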
Creating a Computer Account
  • Before computers can logon to a domain, they must have an account in the domain.
  • If you can't create an account and are on a computer running NTWS or a member server, you will have to use the Network program in Control Panel. If the account does not exist yet in the domain's database, select the "create computer account in the domain" option.
  • Remember: To do this, an account name that has "Add computer to the domain" rights is required.

 

Logging on to a Domain
 


Last Updated: Wednesday, March 10, 1999 Grant Wilson, Tisdale, SK. Canada