Module 1: The Windows NT 4.0 Environment
Differences between Windows 95 and Windows NT workstation

| Technical area | Windows 95 | Windows NT workstation |
|---|---|---|
| Minimum hardware | 486 with 8-16 MB RAM | Pentium with 12-32 MB RAM; 12 MB on a RISC-based computer |
| Hard disk space | 40 MB | 110 MB |
| Software compatibility | Very high | High: does not allow apps. to access hardware directly. |
| Hardware & device compatibility | Very high | High: supports most devices |
| Installation and deployment | Comprehensive detection code and can configure most | Less comprehensive detection code, and static driver support |
| APM & Plug and Play | Built-in (also for laptops) | Non built-in (some by OEM) |
| Performance | Preemptive multitasking for 32-bit Apps. | Preemptive multitasking for all Apps. |
| Reliability/stability | High, improved over WFW | Very high: all Apps run in protected memory space. |
| Security | Support for server-based logon validation | Complete protection down to file-level (when using NTFS) |

- Supports 4 microprocessors in a Symmetric Multiprocessing
Environment (SMP). Some implementations by OEM support up to 32 microprocessors.
- 256 inbound RAS connections.
- Supports RAID.
- Integration of IIS (Internet Information Server) means Web
install and management is simply part of the OS.
- With IIS version 2.0: administering web sites remotely
from any computer with an internet browser installed, and providing a fast, secure platform
for HTTP, FTP and Gopher services.
- Administrative Wizards to help perform tasks.
- File & printer sharing for MAC.
- DNS-, DHCP- and WINS-server.
- Windows NT Directory Services (NTDS) --> Manages secure
distributed directory database and provides services for end users and network
administrators.
Note: Hardware requirements for NTS are:
- 486DX/33,
- 16 MB RAM,
- and 125 MB disk space.
Common features:
- Multi-platform.
- Multitasking and multi-threading operations.
- Security:
  - Mandatory logon.
  - Discretionary access control.
  - Memory protection.
  - Auditing.
- Support for following OS:
  - MS-DOS
  - Win16
  - Win32
  - OS/2
  - POSIX (UNIX)
- Supports 4 GB of RAM, 16 Exabytes of HD-space.
- File systems supported are: FAT, NTFS, and CDFS.
Differences:
- Windows NT Server is tuned for server-based applications such as SNA Server, SQL Server,
SMS and MS Exchange Server. Windows NT Workstation is designed as a multitasking desktop
operating system.
- Windows NT Workstation has a limit of ten incoming concurrent sessions, while
Windows NT Server is limited by licenses.
Windows NT Architecture Overview
- Windows NT uses User mode and Kernel mode to maintain
operating efficiency and offer integrity.
- User mode is applicable to applications and subsystems.
- It has the following limitations:
  - No direct access to hardware.
  - Limited to an assigned address space.
  - May need to use hard disk space as virtual RAM.
  - Processes run at a lower priority level than Kernel mode.
- Kernel mode is where the Windows NT Executive runs, to protect executive
services.
- Apps cannot directly access the memory of any Kernel mode
service.
- Only Kernel mode components can access resources (i.e.
hardware) directly.
- Windows NT works underneath user apps and environment
subsystems to provide support for the applications. These operating components are in the
Windows NT Executive.
There are three types of Kernel mode
components in the Windows NT Executive:
- Executive services:
  - Managers --> are the various modules
  that manage I/O, objects, security, processes, Inter Process Communications (IPC),
  virtual memory and window/graphic management.
  - Device drivers --> these are modules that
  control hardware access.
- Microkernel: Provides most basic OS system
services, such as thread scheduling and interrupt handling.
- Hardware Abstraction Layer (HAL): Code that
isolates most hardware interface differences from Windows NT, making it more portable.
The Windows NT Memory Model
- The memory architecture of Windows NT is a demand-paged
virtual memory system, based on a flat linear 32-bit address space, which allows each
process in Windows NT to have access to up to 4 GB of memory.
Virtual Memory Architecture
- Windows NT gives each application a private memory range
called "Virtual Memory Space" and maps that virtual memory to physical
memory.
- Windows NT maps the memory addresses in 4 KB blocks called Pages.
Each virtual memory space has room for 4 GB of addresses. This space is made up of 1 MB of
4 KB pages.
Each of the pages in the application's virtual memory space
can have one of the following three characteristics:
- Most are empty (or unused by the application).
- Pages used are redirected to physical RAM by a pointer
(invisible to the application).
- Some pages that have not been used recently contain another
pointer to a 4 KB section of the paging file on the hard disk.
Using the Virtual Memory Process, some of the application's
code is kept in RAM while some of it is on the physical disk. The process of managing
this is called "Demand Paging", and follows these 4 steps:
1. Application attempts to store data in memory.
2. Virtual Memory Manager intercepts the request, determines
the number of pages to use, and then maps unused physical memory to any empty address
space in the application's Virtual Memory Space as needed.
3. If there is not enough physical memory available, the
Virtual Memory Manager uses demand paging to find 4 KB pages of RAM that haven't been used
recently, and copies the data to the paging file (pagefile.sys). Newly freed RAM is
remapped to fulfill the application's request (i.e. it gets rid of the old stuff not being
used and swaps it to the pagefile for the stuff the application wants).
4. When the data in the pagefile is needed, pages are copied
back into RAM. The new RAM location is mapped back to the same virtual address required by
the application (i.e. just the reverse of #3).
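The four demand paging steps above as a small simulation, added here as an illustration and not taken from the original notes. The class and method names are hypothetical, and evicting the least recently used page is a simplifying assumption standing in for "hasn't been used recently"; the demo also shows that data an application stored in memory ends up in the paging file on disk.

```python
from collections import OrderedDict
PAGE_SIZE = 4096  # 4 KB pages, as in the text

class VirtualMemoryManager:
    """Toy model of one process's virtual memory space, not NT's real structures."""
    def __init__(self, ram_frames):
        self.ram_frames = ram_frames   # number of physical 4 KB frames
        self.ram = OrderedDict()       # page -> data, least recently used first
        self.pagefile = {}             # page -> data, stands in for pagefile.sys
        self.page_outs = self.page_ins = 0

    def state(self, vaddr):
        page = vaddr // PAGE_SIZE
        if page in self.ram:
            return "ram"
        return "pagefile" if page in self.pagefile else "empty"

    def _make_resident(self, page):
        if page in self.ram:
            self.ram.move_to_end(page)             # mark as recently used
            return
        while len(self.ram) >= self.ram_frames:    # step 3: RAM is full
            victim, data = self.ram.popitem(last=False)
            self.pagefile[victim] = data           # contents now sit on disk
            self.page_outs += 1
        if page in self.pagefile:                  # step 4: copy back into RAM
            self.ram[page] = self.pagefile.pop(page)
            self.page_ins += 1
        else:                                      # step 2: map an empty page
            self.ram[page] = b""

    def write(self, vaddr, data):                  # step 1: application stores data
        self._make_resident(vaddr // PAGE_SIZE)
        self.ram[vaddr // PAGE_SIZE] = data

    def read(self, vaddr):
        if self.state(vaddr) == "empty":
            raise MemoryError("read from an unmapped page")
        self._make_resident(vaddr // PAGE_SIZE)
        return self.ram[vaddr // PAGE_SIZE]

def demo():
    vmm = VirtualMemoryManager(ram_frames=2)       # constructed: only 2 frames of RAM
    vmm.write(0x0000, b"logon secret")             # page 0
    vmm.write(0x1000, b"B")                        # page 1
    vmm.write(0x2000, b"C")                        # page 2, forces page 0 out
    on_disk = dict(vmm.pagefile)                   # snapshot of the paging file
    data = vmm.read(0x0000)                        # page 0 comes back, page 1 goes out
    return on_disk, data, vmm.state(0x1000), vmm.page_outs, vmm.page_ins
```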
Virtual Memory Advantages
This way of memory addressing makes Windows NT portable,
because it is compatible with the addressing of other microprocessors like:
- MIPS R4000.
- IBM RS6000.
- DEC Alpha AXP.
Computers in a Domain:

| Advantages | Disadvantages |
|---|---|
| Centralized account and security administration. | Requires at least one Windows NT Server domain controller. |
| Single user logon provides network-wide resource access. | Requires additional planning prior to deployment. |

In a domain, Windows NT computers perform the
following tasks:
- User validation, using the directory database.
- Allow resource access to users defined in the directory
database.
- Function as part of an administered group.
The Workgroup model (uses 1 browser list):

| Advantages | Disadvantages |
|---|---|
| Does not require a Windows NT domain controller. | No centralized account management. |
| Simple design and implementation. | Inefficient for networks that have many computers. |
| Easy when using only a few computers in close range. | Limited centralized administrative control. |

- The logon procedure on Windows NT is mandatory and cannot
be disabled. It provides users with individual configurations, including desktop and
network connections, that are saved when a user logs off.

There are five steps to a successful logon process:
1. WinLogon requests a user name and password. The user name and password are sent to the
Local Security Authority (LSA) in the security subsystem.
2. The LSA queries the Security Accounts Manager (SAM) to see if the user name and password
are authorized.
3. The SAM checks the user name and password against information in the directory database.
4. If access is approved, the LSA creates an access token with the granted access rights
and passes it back to the WinLogon process.
5. The logon process calls for a new process for the user, usually Explorer.exe, to which
the user's token is attached.
Logging on to a Domain (see pic at end of module)
There are ten steps to a successful domain logon process:
1. WinLogon requests a user name and password. These are sent to the Local Security
Authority (LSA) in the security subsystem.
2. The security subsystem passes the request to the client's Net Logon service.
3. The client's Net Logon service sends the request to the Net Logon service on the first
available domain controller.
4. The domain controller's Net Logon service passes the request to the domain controller's
Security Accounts Manager (SAM).
5. The SAM queries the domain directory database for user name and password approval.
6. The domain controller's SAM passes the result of the logon attempt to the domain
controller's Net Logon service.
7. The domain controller's Net Logon service passes the result to the client's Net Logon
service.
8. The Net Logon service passes the result to the client's Local Security Authority.
9. If access is approved, the client's LSA creates an access token with the granted access
rights and passes it back to the client's WinLogon process.
10. WinLogon calls the Win32 subsystem to create a new process for the user, passing the
access token to the subsystem. Win32 attaches the token to the new process.
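The local and domain logon sequences above, modelled side by side as an added example that is not part of the original notes. It follows the notes' simplified description (user name and password relayed to a SAM); the class names, accounts, rights strings and the SHA-256 digest are assumptions made for the illustration, not NT's real interfaces or hash format. It shows that the only difference between the two paths is which directory database validates the credentials, and that no access token exists unless validation succeeds.

```python
import hashlib
import hmac

def digest(password):
    # Stand-in for a stored password hash; NT's real hash format is not modelled.
    return hashlib.sha256(password.encode()).digest()

class SAM:
    """Directory database: user -> (password digest, granted rights)."""
    def __init__(self, accounts):
        self.accounts = accounts

    def validate(self, user, password):
        entry = self.accounts.get(user)
        if entry and hmac.compare_digest(entry[0], digest(password)):
            return entry[1]
        return None

class LSA:
    """Client-side Local Security Authority with a local SAM and a domain controller SAM."""
    def __init__(self, local_sam, dc_sam):
        self.local_sam, self.dc_sam = local_sam, dc_sam

    def logon(self, user, password, domain, trace):
        trace.append("WinLogon -> LSA")
        if domain:   # domain steps 2-8: Net Logon relays to the DC and back
            trace.append("LSA -> client Net Logon -> DC Net Logon -> DC SAM")
            rights = self.dc_sam.validate(user, password)
        else:        # local steps 2-3
            trace.append("LSA -> local SAM")
            rights = self.local_sam.validate(user, password)
        if rights is None:
            trace.append("denied: no access token created")
            return None
        trace.append("LSA -> WinLogon: access token")
        return {"user": user, "rights": rights}

def winlogon(lsa, user, password, domain=False):
    trace = []
    token = lsa.logon(user, password, domain, trace)
    # Final step: the user's shell is created with the token attached.
    process = {"image": "Explorer.exe", "token": token} if token else None
    return process, trace

# Constructed accounts and rights names for the example.
LOCAL_SAM = SAM({"alice": (digest("local-pw"), ["local user"])})
DC_SAM = SAM({"bob": (digest("domain-pw"), ["domain user"])})
CLIENT = LSA(LOCAL_SAM, DC_SAM)
```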
Creating a Computer Account
- Before computers can log on to a domain, they must have an
account in the domain.
- If you can't create an account and are on a computer
running NTWS or a member server, you will have to use the Network program in the Control
Panel. If the account does not exist yet in the domain's database, select the "create
computer account in the domain" option.
Remember: To do this, an account name that has
"Add computer to the domain" rights is required.