Microsoft Windows NT Virtual Lecture

Key Features of NT

Windows NT Protocols

* indicates the default protocols for installation

Common Uses of NT

SIDs and SAMs

Security Identifiers

A Security Identifier, or SID, is a unique number that is generated by the computer to associate with every user account, group, and machine account known to the computer. Some special concerns and points of interest:

Security Account Manager

The Security Account Manager, or SAM, tracks all information that relates to the policies and account restrictions created on the computer. The file is located in the %systemroot%\system32\config directory. Conceptually, the SAM database is similar in scope and function to the Netware bindery.
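As an added example, not part of the lecture: a small Python routine that decodes a binary SID into its familiar text form and splits off the relative identifier (RID) that distinguishes one account from the others issued by the same machine or domain. The machine identifier and account RID in the sample are constructed values; the RID-to-name table lists built-in accounts and groups whose RIDs are fixed on every NT system, which is why an account keeps its identity even when it is renamed.

```python
import struct

# Constructed sample: issuing machine/domain identifier S-1-5-21-1000-2000-3000,
# followed by one account whose relative identifier (RID) is 1001.
SAMPLE_SID = bytes([1, 5, 0, 0, 0, 0, 0, 5]) + struct.pack("<5I", 21, 1000, 2000, 3000, 1001)

# RIDs that are fixed on every NT system; renaming the account does not change them.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest",
                   512: "Domain Admins", 513: "Domain Users"}

def sid_to_string(blob: bytes) -> str:
    """Decode a binary SID into the S-R-I-S-S... text form.
    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then `count` 32-bit little-endian
    sub-authorities, the last of which is the RID."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or count > 15 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", blob, 8)
    return "S-{}-{}".format(revision, authority) + "".join(f"-{s}" for s in subs)

def string_to_sid(text: str) -> bytes:
    """Inverse of sid_to_string; rejects anything not shaped like S-R-I-S..."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

def split_sid(text: str):
    """Return (identifier of the issuing machine or domain, RID).  Two accounts
    are the same principal only if both parts match: 'bob' on two workgroup
    machines gets two different SIDs because each SAM issues its own identifier."""
    head, _, rid = text.rpartition("-")
    return head, int(rid)

def describe(text: str) -> str:
    """Name a SID by its RID where the RID is well known."""
    domain, rid = split_sid(text)
    return f"{WELL_KNOWN_RIDS.get(rid, 'RID ' + str(rid))} of {domain}"
```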

Microsoft's Network Domain Model

NT computers can be logically grouped in one of the following two ways:

The Workgroup Model

A workgroup is a peer-to-peer collection of computing devices, in which every device can act as both a client and a server. Each machine in the workgroup maintains its own database of accounts and security policies. Windows for Workgroups, Windows 95, and AppleTalk are all peer-to-peer networks.

Most local area networks created with Microsoft products follow the workgroup model. Generally, people believe that they are getting the advantages of the domain model but have not actually created a working domain. Workgroups are very easy to create, but they suit only the smallest local area networks (2-20 nodes).

Advantages                        Disadvantages
simple design to implement        no central management
easy to share resources           duplicate accounts
distributed resources             everybody must be an administrator
convenient for a limited number   inefficient for large networks

The Domain Model

The Microsoft domain model has several key advantages over the workgroup model. Central to this model is the concept that all devices on the network share a single database of network accounts and can be administered as a group. Each NT workstation and server still retains a local database so that a user can log on to the machine without logging on to the network.

It is necessary to have a central place to store this database and to control changes to it. Therefore, every domain must have a Primary Domain Controller, or PDC. The PDC must be the first machine created in the domain, and the name given to the domain must be unique. Also, an important design consideration: Microsoft gives a practical limit of 15,000 accounts per domain. Depending on which model your domain's design is based upon, I would suggest a much lower number.

Advantages                        Disadvantages
centralized administration        administration becomes more complex
centralized access control        sharing resources becomes more complex
control of user's environment     additional administrative overhead
grouping of resources             browsing may become a problem

Domain Trust Relationships

Definitions in a Trust

Trusts - A trust relationship is a link between two domains that allows one domain to recognize the users of another domain and to permit those users access to local resources. Trusts are limited to NT domains. (hint: to make the trust effective immediately, always permit first)

One-Way Trust - All trusts in NT domains are One-Way trusts. Only one domain trusts the other to authenticate users, and therefore only users from the trusted domain can have access in both domains. A One-Way trust (as the name implies) is typically used when all user accounts reside in one domain and resources (printers, file and print servers, etc.) reside in another domain.

Two-Way Trust - A Two-Way trust is established by creating two One-Way trusts, so that both domains trust one another. Users from both domains can have access in both domains.

Trusting - A trusting domain accepts the authentication (or rejection) of user accounts from the domain controllers of another domain. This is accomplished through Pass-Through Authentication (see below) and is transparent to the user. Typically, resources are located in the trusting domains.

Trusted - This is the domain whose users will have access to both domains. A trusted domain can validate its users even though they are physically logging on from within another domain. Under almost every scenario, user accounts will reside in the trusted domain.

Pass-Through Authentication

Pass-Through Authentication is the process by which an NT Workstation or NT Server validates a user attempting to log on. The process is quite simple. If the user is logging on from an NT Workstation, the user chooses where his account resides from a list provided by the local machine. This list includes the local machine, the domain to which the machine belongs, and any domains which the machine's domain trusts; the list is available because an NT Workstation can be a functioning member of a domain. If the user is logging on from another client which does not conform to the NT domain security standards, then the user must specify where his account resides by typing it in manually.

The process of manually typing in a domain name is a source of many problems for administrators of NT domains, and is a very practical reason to consider using NT Workstations as the clients in NT domains.

Microsoft's Single Domain Model

The Single Domain Model consists of a single domain. It is the simplest to understand and the easiest to implement and administer. All accounts reside on one PDC, and access to resources is granted to individuals and groups within that domain.

The performance of a Single Domain can become a serious problem as the number of accounts increases. NT Workstations, NT Servers, BDCs, and the PDC all create accounts within the domain, in addition to the accounts that an administrator creates for individual users and groups.

Microsoft's Master Domain Model

The Master Domain Model adds several levels of complexity over the Single Domain Model; most important are the use of trusts, the distribution of accounts, and the distribution of resources. Trusts establish the linkage and hierarchy of the relationships between the domains.

Another important concept is the addition of two new terms: master domain and resource domain. A master domain is the domain which contains all of the user accounts, and in the Master Domain Model there is only one master domain. The master domain is the trusted domain. A resource domain is the domain that contains departmental or geographic servers, file and print servers, and other resources; it is the trusting domain. Under the Master Domain Model, there can be as many resource domains as necessary. This can help to reduce inter-LAN (or WAN) traffic. However, it should be noted that domains are logical groupings of machines, and there does not have to be any relationship between domains and physical location.

Microsoft recommends against using the Master Domain Model for more than 15,000 users. However, due to performance considerations I would recommend a smaller number of about 7500 users.

Multiple Master Domain Model

The use of the Multiple Master Domain Model is generally limited to very large installations of NT. The Multiple Master Domain Model (as the name implies) is very similar to the Master Domain Model except for the existence of multiple master domains. It is generally created to overcome the account-number limitation discussed in the Master Domain Model section.

This model is considerably more difficult to administer and can cause a great deal of difficulty when planning group memberships and access rights. As we will discuss later, every global group of each master domain must be added to the other master domains, and all of the global groups must also be added to the proper local groups of the resource domains in order to preserve network-level administration and access control.

Microsoft's Complete Trust Domain Model

The Complete Trust Domain Model (more commonly called the 'Complete Mess') is a design in which all domains within a network trust all of the other domains. This allows accounts and resources to be allocated anywhere in the network. However, the task of administering a complete trust network is very difficult. As noted above, several potential pitfalls exist. The most notable is the lack of a central authority to plan and develop the network. NT is based on the principle of central design and control. It is under these circumstances that NT works best, and I would not recommend the complete trust model to anyone.
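As an added example, not part of the lecture: a Python model of the one-way trusts described under Pass-Through Authentication, used to build the Master, Multiple Master and Complete Trust models above. It shows which domains an NT Workstation would list in its logon box, that access flows only from the trusted domain into the trusting one, and how many one-way trusts each model needs (one master with three resource domains takes 3; five domains in complete trust take 20). Domain and machine names are constructed.

```python
from itertools import permutations

class TrustMap:
    """Directed one-way trusts between NT domains.  The pair (trusting, trusted)
    means the trusting domain accepts account validation from the trusted
    domain's controllers, i.e. pass-through authentication."""
    def __init__(self):
        self.trusts = set()   # pairs (trusting, trusted)

    def one_way(self, trusting, trusted):
        # Only users of the trusted domain gain access in the trusting domain.
        self.trusts.add((trusting, trusted))

    def two_way(self, a, b):
        # A two-way trust is nothing more than two one-way trusts.
        self.one_way(a, b)
        self.one_way(b, a)

    def logon_choices(self, machine, machine_domain):
        """Domains an NT Workstation offers in its logon box: the local machine,
        the machine's own domain, and every domain that domain trusts.  NT
        trusts are not transitive, so the list stops there."""
        trusted = sorted(t for s, t in self.trusts if s == machine_domain)
        return [machine, machine_domain] + trusted

    def can_access(self, account_domain, resource_domain):
        """True only if the resource domain trusts the account's domain (or is it)."""
        return (account_domain == resource_domain
                or (resource_domain, account_domain) in self.trusts)

def master_domain_model(master, resources):
    m = TrustMap()
    for r in resources:                      # every resource domain trusts the master
        m.one_way(r, master)
    return m

def multiple_master_model(masters, resources):
    m = TrustMap()
    for a, b in permutations(masters, 2):    # masters trust one another both ways
        m.one_way(a, b)
    for r in resources:                      # resource domains trust every master
        for master in masters:
            m.one_way(r, master)
    return m

def complete_trust_model(domains):
    m = TrustMap()
    for a, b in permutations(domains, 2):    # everyone trusts everyone: n*(n-1) trusts
        m.one_way(a, b)
    return m
```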

NT Server Functions

User and Groups Accounts

NT Files Systems

Installation Considerations for NT

NT Installation Methods