Improve company productivity with a Business Account.Sign Up


How to access parallel port in windows program using VC++ 5.0

Posted on 1998-09-01
Medium Priority
Last Modified: 2013-12-03
I'm trying to access the parallel port in a windows application. What I need to do with the parallel port is to read the port status and data, send data to the port. The reason is that i need to use the parallel port to interface with some external hardwares.


Question by:f22

Expert Comment

ID: 1414106
I don't know is this will help.

Last Updated: September 1997
This guide provides overview information about Windows NT Server 5.0 – beta-1, An early release of the next generation of Windows NT Server which will offer major enhancements in manageability, security, applications facilities, distributed services, and networking.
For the latest information on Microsoft Windows NT Server 5.0, visit
Microsoft Windows NT Server 5.0
Windows NT Server is a multi-purpose server operating system, built on a reliable, secure and open architecture. It is now the fastest growing server operating system because of the excellent value it provides to end users, system and network administrators and software. Windows NT Server satisfies the business needs of organizations of all sizes because it works with your existing investments in IT; everything you need to build solutions is built in to the product; and it is the easiest server operating system to install, implement, manage and use.
Building on the strengths of the world’s leading server operating system, version 5.0 of Windows NT Server will:
Dramatically reduce the cost of ownership of managing enterprise computing resources
Windows NT Server 5.0 Active Directory benefits end-users, developers, and administrators alike by providing a platform that unifies the access and management of network and operating system resources, resulting in significantly lower total cost of ownership.
Deliver the ultimate platform for developing and deploying distributed applications
Windows NT Server 5.0 is the platform that enables the next generation of distributed Internet applications. Built-in services, such as Active Directory, Internet Information Server, Microsoft Message Queue Server and Microsoft Transaction Server, provide developers with the infrastructure to rapidly develop richer, more scalable and reliable enterprise applications.
Enhance scalability and availability to address the needs of the largest, most mission-critical enterprise environments
Building upon the strengths of Windows NT Server 4.0, Enterprise Edition version 5.0 will offer substantial improvements in scalability via further SMP optimizations, Intelligent I/O, and the ability to address larger amounts of memory on 64-bit processors and will provide higher availability for mission critical data and applications with automatic recovery from failures.
Provide higher levels of security to meet the demands of the Internet-based Enterprise
Windows NT Server 5.0 Distributed Security Services will simplify enterprise administration, offer fine-grain access control and delegation of administration, as well as integrate Internet security technology based on public-key cryptography for higher levels of data integrity and privacy across public networks.
Prior to installing Windows NT Server 5.0 Beta-1, you should consult the “read1st.txt” and the “relnotes.htm” files in the root directory of the Windows NT Server 5.0 Beta-1CD-ROM for information essential to successfully installing the product..
The following pages describe many of the new features in Windows NT Server version 5.0. For supplemental information, including walk-throughs of new Windows NT features, see:
Windows NT Server 5.0 Feature Overview
Windows NT Server Beta 1 Release - Feature Overview
New Feature      Description


Active Directory      Active Directory is the new directory service in Windows NT Server 5.0 which stores information about all objects on the computer network and makes this information easy for administrators, developers and users to find and use. Active Directory provides a single, consistent, open set of interfaces for performing common administrative tasks, such as adding new users, managing printers, and locating resources throughout the distributed computing environment and also makes it easy for developers to “directory enable” their applications. Administrators and developers deal with a single set of directory service interfaces—regardless of the installed directory service(s).Active Directory is a standards-based enterprise directory featuring:·   Flexible hierarchical structure·   Efficient multi-master replication·   Granular security delegation·   High-level programming interfaces accessible by any language (Active Directory Services Interfaces – ADSI)·   Extensible to store new objects & properties·   Standards-based interoperability via LDAP v3 support·   Scalable to millions of objects per store·   Integrated Dynamic DNS server·   Com/DCOM, Java class store·   Users can search for resources from the “In the Directory” option on the Start/Find menu, or browse for resources in the Directory icon located in the Network Neighborhood.

Microsoft Directory Service Migration Tool      The Microsoft Directory Service Migration Tool provides an architecture to discover NetWare resources, model them offline, and migrate them to Active Directory. This release includes:·  Discovery of all NetWare user and group properties for both binderies and NDS·   Rudimentary File Migration·   Export to Active Directory
Storage Management       Disk Management has been improved in Windows NT Server 5.0 by allowing administrators to perform online tasks without shutting down the system or interrupting users (e.g. to create, extend, or mirror a volume) and by allowing administrators to back up data to a variety of magnetic and optical storage devices as well as tape. Management tasks such as mounting and dismounting media or drive functions are now done by a utility called the Windows NT Media Services (NTMS), which now presents a common interface to robotic changers and media libraries, enables multiple applications to share local libraries and tape or disk drives, and control removable media within a single-server system. Other enhancements include an enhanced version of the NTFS file system which offers many performance enhancements and support for file encryption and per-user disk quotas to monitor and limit disk space use.
New Backup Utility      The Windows NT 5.0 Backup Utility helps protect data from accidental loss due to hardware or storage media failure. Unlike previous versions of Windows NT Backup, which required users to back up data to tape drives only, this version allows users to back up data to a wide variety of storage media, such as tape drives, external hard disk drives, Zip disks, recordable CD-ROMs, and logical drives.
Distributed File System (Dfs) Support      The Microsoft Distributed File System (Dfs) implements a single namespace for disparate file system resources at a site. A Dfs is organized as a hierarchical structure of logical volumes, independent of the resource's physical location. To users, a Dfs volume provides unified and transparent access to network resources. In addition to all the functionality found in Dfs v4.1 (currently shipping for Windows NT Server version 4.0), this release includes:·   Fault-tolerant Dfs roots·  DNS naming·   Integration with Active Directory·   Nested junctionsMicrosoft Distributed File System (Dfs) for Windows NT Server is a network server component that makes it easier for users to find and manage data on the network. Dfs makes it easy to create a single directory tree that includes multiple file servers and file shares in a group, division, or enterprise. In addition, Dfs gives the user a single directory that can span a vast number of file servers and file shares, making it easy to "browse" the network to find the data and files needed. Browsing the Dfs directory is easy because Dfs subdirectories can be assigned logical, descriptive names no matter what the name of the actual file server/file share is.
Microsoft Management Console      The Microsoft Management Console (MMC) provides system administrators with a common console for viewing network functions and using administrative tools. MMC displays consoles that host programs called snap-ins, which provide the functionality needed to administer the network. In addition to providing integration and commonality of administrative tools, MMC also enables total console customization, so administrators can create management consoles that include only the exact administrative tools they need. Customization helps make administration more task-based, as the tools relate more closely to the tasks that need to be performed.
Group Policy Editor      The user interface for application deployment, policy options for computers and users, and scripts exists in a Microsoft Management Console (MMC) snap-in called the Group Policy Editor (GPE). The GPE snap-in is responsible for managing the settings for Group Policy as it is applied to a given site, domain, or organizational unit. The GPE also acts as an anchor point for third-party applications to build snap-in extensions or use .ADM files for managing application-specific policy. For this Beta release, only the Application assignment and Logon scripts will be functional.
Application Installation Service      The application installation service allows an administrator to specify a set of applications that will always be available to a user or group of users. If a required application is not available when needed, it is automatically installed in the system. The new Windows NT Server 5.0 transaction-based application installer plays a key role in the Zero Administration Windows initiative by providing several key features including:·   Standard package format & installation service which handles installing, repairing, removing, and dependency tracking of components.·   Resiliency so products can be repaired, transactions can be rolled back and redundant install points can be used to help maintain applications over time.·   Just in time (JIT) installations where applications can be designed to install components on-demand, as they are needed. ·   Support for lockdown allowing installation of advertised applications to be successfully completed even though the logged in users do not have enough rights to do it themselves.
Instrumentation      Web-Based Enterprise Management (WBEM) unifies access to instrumented components in the system, providing common access methods and schema.
Task Scheduler      Task Scheduler provides a friendly user interface for scheduling applications. This interface is the same on both Windows 95 and Windows NT, with the exception of added security features in Windows NT. The user interface is fully integrated into the operating system and is accessible from My Computer on the desktop. This new service replaces the System Agent that was included in the Windows Plus! Pack on Windows 95 and the AT service on Windows NT. It also offers a COM programming interface for developers.
Computer Management      The Computer Management snap-in is an administrator's computer configuration tool. It is designed to work with a single computer, and all of its features can be used from a remote computer, allowing an administrator to troubleshoot and configure a computer from any other computer on the same network.In other words, the Computer Management snap-in is a remote Administrative Tools folder or remote toolbox. It not only provides access to the base Windows NT Server tools (viewing events, creating shares, managing devices, and so on), but also dynamically discovers what server services and applications there are to administrate. There are three nodes in the namespace that are provided by the snap-in: System Tools, Storage, and Server Applications and Services. The features are provided by extension snap-ins. ·   System Tools. Contains the tools on every Windows NT computer: workstation, server, domain controller, and client. These tools include: Event Viewer, Service Management, Device Management and Diagnostic snap-ins.·   Storage. Manages all the snap-ins relating to disks. For Beta 1 there are no extensions of this node. Examples of future extensions are: Disk Administrator and Off-line Storage Management.·   Server Applications and Services. Used by snap-ins that optionally are installed on the system or are only on Windows NT Server. This node is dynamically populated depending on the computer the snap-in is focused on. For Beta 1 there are no extensions of this node. Examples of future extensions are: Networking Services such as DNS, DHCP, WINS, and BackOffice applications such as SQL.
File Service Management      This tool allows you to create shares and manage the sessions and connections on local or remote computers. It replaces functionality previously found in the System Control Panel application. In addition to its remote capabilities, it also allows the user to create shares for any of the installable file services offered from Microsoft: File and Print Services for Macintosh and File and Print Services for NetWare.
System Service Management      This tool allows you to stop, start, pause, and resume services on local and remote computers. It replaces the Service Control Panel application in previous versions of Windows NT. In addition to its remote capabilities, it also allows the user to interact with recovery enhancements to the Service Control Manager (SCM). This feature allows the user to have the SCM service manage the problem when a service fails. It can automatically restart the service, run a script or .exe file, or even reboot the server.
Device Manager      The Device Manager is a Microsoft Management Console snap-in that allows you to configure devices and resources on your computer.
Hardware Wizard with Device Manager      The new Hardware Wizard consolidates the most commonly used hardware-related tools and functions into a single wizard, making device management easier and faster. Adding new hardware, changing device properties, unplugging or ejecting devices, and resolving hardware conflicts are just a few of the operations that can be performed with the Hardware Wizard.
Win32® Driver Model (WDM)      The Win32 Driver Model (WDM) is an all new, unified driver model for Windows NT Server 5.0 and Windows 98. WDM will enable new devices to have a single driver for both operating systems. Windows NT Server 5.0 will continue to support existing Windows NT drivers.
Plug and Play      Windows NT Server 5.0 now supports Plug and Play, making it easy to install and troubleshoot new hardware. Plug and Play support in Windows NT Server 5.0 includes a new Hardware Wizard, the Device Manager, and improved support for laptops.
Windows NT Backup      User interface enhancements including backup and restore wizards, along with a Windows Explorer-like look and feel, will enable data protection for even novice users. In addition to our focus on ease of use, Windows NT Backup will provide other operating system integration such as scheduling support, Windows NT Media Services (NTMS) and library support, and logical media (any media supporting a writeable file system such as Windows NT File System (NTFS), File Allocation Table (FAT), or FAT32) support.
Disk quotas      Windows NT Server and Windows NT Workstation support disk quotas for volumes formatted for NTFS version 5.0 (NTFS volumes). You can use disk quotas to monitor and limit disk space use.
Disk Defragmentation Utility      Windows NT Server and Windows NT Workstation support the ability to defragment disk volumes which are formatted as FAT, FAT32, and NTFS.
Windows Scripting Host (WSH)      Windows NT Server 5.0 supports direct script execution from the user interface or the command. This support is provided via the Windows Scripting Host (WSH) and allows administrators and/or users to save time by automating many user interface actions, such as creating a shortcut, connecting to a network server, disconnecting from a network server, etc. The WSH is extremely flexible with built-in support for Visual Basic® scripts, Java scripts, and a language independent architecture which will allow other software companies to build ActiveX™ scripting engines for languages such as Perl, TCL, REXX, and Python. The Windows Scripting Host is a language-independent scripting host for 32-bit Windows platforms that includes Visual Basic Scripting Edition (VBScript) and JScript scripting engines. Windows Scripting Host runs from either the Windows-based host (Wscript.exe) or the command shell-based host (Cscript.exe), making it possible to execute scripts directly on the Windows desktop or command console without embedding those scripts in an HTML document.
DCOM      Distributed COM (DCOM) extends the Component Object Model (COM) to support communication among objects on different computers—on a LAN, a WAN, or even the Internet so that applications can be distributed at locations that make the most sense. DCOM makes it easy to write a distributed application that scales from the smallest single computer environment to the biggest pool of server machines and uses network bandwidth carefully, while providing great response times for end-users. DCOM also takes advantage of existing custom and off-the-shelf components and provides a smooth migration path to sophisticated load-balancing and fault-tolerance features.
Microsoft Transaction Server      Microsoft Transaction Server (MTS) is component-based middleware for quickly building scalable, manageable distributed transaction applications. MTS provides simple building blocks that can reliably and efficiently execute complex transactions across widespread distributed networks.
Microsoft Message Queue Server      Microsoft Message Queue Server (MSMQ) is store-and-forward middleware that provides assured delivery of messages between applications running on multiple machines across a network. MSMQ is an ideal environment for building large-scale distributed applications that encompass mobile systems or communicate across occasionally unreliable networks. Its store-and-forward queues are supported with intelligent routing, automatic prioritization, easy manageability, and high-performance message rates.
Internet Information Server      Internet Information Server (IIS) is tightly integrated with Windows NT Server providing transactional WEB services and complete FTP, and Gopher services. A Beta release of Microsoft Internet Information Server (IIS) version 4.0 is included with this Beta release of Windows NT Server version 5.0. IIS is a standard feature of Windows NT Server 5.0. Windows NT Workstation has a beta version of Personal Web Server version 4.0 that can be installed manually.
Index Server      Microsoft Index Server brings the power of Web searching to corporate intranets and Internet sites by automatically building an index of your Web server that can be easily searched from any Web browser with sample query forms. In Windows NT Server 5.0, Index Server also indexes the file systems, making finding files faster by searching on textual content. You can search based on file content by clicking Start, pointing to Find, and clicking Files or Folders.
64-bit VLM      Support for accessing up to 32 gigabytes of memory on Digital Alpha-based systems. Using the 64-bit addressing of processors such as Alpha allows applications that perform transactions processing or decision support on large data sets keep more data in memory for greatly improved performance compared to 32-bit memory addressing which provides access to up to 4 gigabytes of memory.
Job Object      Job object is a new kernel object which can be named and secured. It is used to collect group of related processes, enabling management and tracking of the process group.
Scatter/Gather I/O      Enables higher I/O throughput when application data is located in Discontiguous memory locations (which is typical), and data needs to be written to a contiguous file location.
Microsoft Cluster Server      Microsoft Cluster Server (MSCS) allows two servers to be connected into a "cluster" for higher availability and easier manageability of server resources. MSCS monitors the health of standard applications and servers, and can automatically recover mission-critical data and applications from many common types of failure, usually in under a minute. MSCS can also be used to move workload around within the cluster to manually balance processing loads, or to unload servers for planned maintenance without taking important data and applications offline.
I20, Fibre Channel support      The I2O architecture uses a dedicated processor with its own memory to off-load I/O processing from the main CPU(s). This results in greater throughput and lower CPU utilization. I2O, or Intelligent Input/Output architecture, features for Windows NT 5.0 include base support, specialized board support, network adapters, and redundant array of inexpensive disks (RAID) cards.Fibre Channel is a technology for 1-gigabit-per-second data transfer that maps common transport protocols such as SCSI and IP, merging networking and high-speed I/O in a single connectivity technology.
NTFS enhancements      Windows NT 5.0 adds enhancements to the NTFS file system. The new version of NTFS offers many performance enhancements and a host of new features, including per-user disk quotas, file encryption, distributed link tracking, and the ability to add disk space to an NTFS volume without rebooting.
Kerberos, public key and DPA support      Distributed security is the integration of Windows NT security and the Active Directory, providing:·   Scaleable policy and account management for domains.·   The ability to selectively delegate security administration.The combination of transitive domain trusts and strong authentication results in a single network logon for users. Accounts can have multiple security credentials. The new primary authentication protocol is Kerberos 5. Public key authentication through SSL/TLS connections is also supported for domain accounts, as is Compuserve's DPA authentication method.
Security Configuration Editor      Security Configuration Editor provides a one-stop security configuration and analysis tool for Windows NT. It allows configuration of various security-sensitive registry settings, access controls on files and registry keys, and security configuration of system services. A preliminary user interface is available in Beta 1 to preview the Security Configuration Editor.
Kerberos Authentication      Full support for Kerberos Release 5 security protocol provides fast, single log-in to Windows NT Server 5.0-based enterprise resources, as well as other environments that support this protocol.
Public Key Certificate Server      X.509-based public key certificate server and integration with Active Directory allows the use of public key certificates for authentication.
Smart Card Infrastructure      Smart cards are a key component of the public-key infrastructure that Microsoft is integrating into the Windows platform because smart cards enhance software-only solutions such as client authentication, single sign-on, secure storage, and system administration. Smart cards provide tamper-resistant storage for protecting private keys, account numbers, passwords, and other forms of personal information. Smart cards also serve to isolate security-critical computations involving authentication, digital signatures, and key exchange from other parts of the system that do not have a “need to know.” In addition, smart cards provide a level of portability for securely moving private information between systems at work, home, or on the road. Microsoft’s approach is simple and consists of:·   A standard model for interfacing smart card readers and cards with PCs·   Device-independent APIs for enabling smart card-aware applications·   Familiar tools for software development
Encrypting File System      Windows NT Files System (NTFS) Encryption provides protection for sensitive data. Can be enabled on a per-file or per-directory basis.
Dynamic DNS      Microsoft Domain Name Server for Windows NT Server 5.0 provides a dynamic DNS name server that is compliant with open and approved Internet standards for DNS. ·   With dynamic DNS, updates in distributed DNS record data are made and propagated automatically to all affected DNS name servers throughout your network. ·   Dynamic DNS reduces network administration costs by reducing the need for you to manually edit and replicate the DNS database each time a change occurs in a DNS client's configuration. Microsoft DNS Server also integrates the capability to pass dynamic updates through DNS with other network services such as Active Directory Services, Dynamic Host Configuration Protocol (DHCP), and Windows Internet Naming Service (WINS) to provide a robust solution for registering and locating named resources throughout your network. Microsoft Domain Name Server provides the capability to pass dynamic updates through DNS with other network services such as Active Directory Services, Dynamic Host Configuration Protocol (DHCP), and Windows Internet Naming Service (WINS) to provide a robust solution for registering and locating named resources throughout your network. Dynamic DNS reduces network administration costs by reducing the need to manually edit and replicate the DNS database each time a change occurs in a DNS client’s configuration.
Quality of Service      Admission control services enable the effective use and management of resources by preventing applications from consuming more traffic than the subnet can handle. Applications that implement Quality of Service (QoS) standards can reserve bandwidth and establish priority for transmission of data.
Multi-protocol routing      Windows NT Server 5.0 includes Routing and Remote Access Service (RAS) Admin, a tool that enables routing over IP and IPX networks on LANs or WANs.
IP Security      IPSEC support for policy-based network security management.
ATM      Support for Asynchronous Transfer Mode networking.
Communicate using IP Telephony      Microsoft Telephony API (TAPI) provides both PSTN telephony and telephony over IP networks. IP Telephony enables voice, data, and video transmission over LANs, WANs, and the Internet.Telephony service providers, included with Windows NT 5.0, provide the translation between hardware and software to enable multimedia- computers to act as telephony devices. Supported service providers include:·   Microsoft H.323 TAPI Service Provider·   Microsoft IP Conferencing Service Provider
Active Directory
Today’s Microsoft® Windows NT® Server network operating system offers the Windows NT Directory Services, a robust directory that delivers what customers need most—a single network logon and a single point of administration and replication. While these functions are critical to businesses, it is becoming increasingly clear that Windows NT Server enterprise customers need and want more from their directory services. They demand features such as a hierarchical view of the directory, extensibility, scalability, distributed security, and multimaster replication. To meet these needs, Microsoft is developing Active Directory which is included in Windows NT Server 5.0.
Active Directory is a directory service that is completely integrated with Windows NT Server and offers the hierarchical view, extensibility, scalability, and distributed security required by all business customers. For the first time, network administrators, developers, and users gain access to a directory service that:
·      is seamlessly integrated with both Internet and Intranet environments.
·      provides simple, intuitive naming for the objects it contains.
·      scales from a small business to the largest enterprise.
·      works with familiar tools, such as Web browsers.
·      provides simple, powerful, open application programming interfaces.
Beyond the Traditional Directory
Traditionally, directory services have been tools for organizing, managing, and locating “interesting” objects in a computing system. “Interesting” objects are things users (and applications) need to do their jobs: such as printers, documents, e-mail addresses, databases, users, distributed components, and other resources.
In their simplest form, directory services are like the white pages of a telephone book Using specific input (a person’s name, for example), a user can receive specific output (a person’s address and telephone number). Directory services also provide the functionality of the yellow pages Using general input (e.g., “where are the printers?”), a user can receive a listing of printer resources that can be browsed.
But directory services must do more as networked environments become larger and more complex, even before connecting to the global environment of the Internet. The Active Directory was created to meet the challenge of unifying and bringing order to diverse server hierarchies, or name spaces.
The Active Directory is a critical part of the distributed system. It allows administrators and users to use the directory service as a source of information, as well as an administrative service.
A Unified Directory
The Active Directory integrates the Internet concept of a name space with the operating system’s directory services, thus allowing enterprises to unify and manage the multiple name spaces that now exist in the heterogeneous software and hardware environments of corporate networks. It uses the lightweight directory access protocol (LDAP) as its core protocol and can work across operating system boundaries, integrating multiple name spaces. It can subsume and manage application-specific directories, as well as other NOS-based directories, to provide a general-purpose directory that can reduce the administrative burden and costs associated with maintaining multiple name spaces.
The Active Directory is not an X.500 directory. Instead, it uses LDAP as the access protocol and supports the X.500 information model without requiring systems to host the entire X.500 overhead. The result is the high level of interoperability required for administering real-world, heterogeneous networks.
A Single Point of Administration
The Active Directory allows a single point of administration for all published resources, which can include files, peripheral devices, host connections, databases, Web access, users, other arbitrary objects, services, and so forth. It uses the Internet Directory Name Space (DNS) as its locator service, organizes objects in domains into a hierarchy of organizational units (OUs), and allows multiple domains to be connected into a tree structure. Administration is further simplified because there is no notion of a primary domain controller (PDC) or backup domain controller (BDC). The Active Directory uses domain controllers (DCs) only, and all DCs are peers. An administrator can make changes to any DC, and the updates will be replicated on all other DCs.
The Microsoft Exchange 4.0 directory structure and storage engine provide the foundation for the Active Directory. The Microsoft Exchange storage engine provides multiple indexes for fast retrieval and an efficient mechanism for storing “sparse” objects. That is, objects that support many different properties but do not always have values for all of them. From this foundation, Microsoft has developed general-purpose directory services that scale from a small installation with a few hundred to a few thousand objects, to a very large installation with millions of objects.
The Active Directory supports multiple stores and can hold more than 10 million objects per store, thus offering unparalleled scalability while maintaining a simple hierarchical structure and ease of administration. When combined with the Microsoft Distributed File System (scheduled for release with Windows NT Server 5.0), the Active Directory will bring networks even closer to the goal of a single global name space.
Operating System Integration
The Active Directory is seamlessly integrated with Windows NT Server, which is the only operating system that offers traditional file and print, applications, communications, and Internet/intranet support built into the base product. Windows NT Server is the best file and print server for all of a business’s information and resource sharing needs, outperforming all other operating systems available today. It is also the best applications server available, offering the best scalability/price ratio in the industry. Additionally, Windows NT Server is an excellent communications platform, offering such features as Remote Access Services, TAPI, and PPTP.
The Directory as a Service Provider
In addition to handling the traditional administrative tasks of the directory services, the Active Directory will satisfy a wide variety of naming, query, administrative, registration, and resolution needs. The following diagram summarizes its overall function in the system.
Figure 1   The directory is a service provider used to locate all network services and information.
The architecture of the Active Directory allows it to scale from the smallest of businesses to enterprises supporting international corporations and entire government departments and services.
The Active Directory uses a tightly integrated set of APIs and protocols to extend its services across multiple name spaces, and to gather and present directory and resource information that resides on different operating systems and at distant locations. For example, Microsoft today provides a rich set of interoperability components for Novell NetWare 3.x/4.x customers. As protocols evolve, Microsoft will work with the industry to standardize communications with other environments as well. To make the migration to Active Directory services as painless as possible, Microsoft will also ensure that earlier releases of Windows NT Server interoperate with later releases.
Summary of Active Directory Features and Benefits
The Active Directory includes the following features and benefits:
Microsoft Windows NT 5.0 evolves the current Windows NT directory into a fully extensible, scalable directory service that can meet the needs of corporate Intranets, as well as commercial Internet providers.
The key features of the directory service are:
·      Hierarchical and scalable namespace
·      Speedy, convenient updates through multimaster replication.
·      Online backup and restore
·      Directory object extensibility via an extensible schema.
·      Support for open standards to facilitate cross-platform directory services, including support for the Domain Name System (DNS) and support for standard protocols, such as LDAP and HTTP.
·      Partitioning of directory for scalability
·      Open and extensible directory synchronization interfaces
·      Lightweight Directory Access Protocol (LDAP) as the core protocol for interoperability
·      Support for standard name formats to ensure ease of migration and ease of use.
·      A rich set of APIs, which are easy to use for both the scripter and C/C++ programmer.
·      Simple, intuitive administration through a simple hierarchical domain structure and the use of drag-and-drop administration.
·      Fast lookup and Internet publishing via the global catalog.
·      Support for services that have a short life span such as chat services, IP telephony, as well as other conferencing services.
·      Backward compatibility with previous versions of the Windows NT operating system.
·      Interoperability with NetWare environments.
Hierarchical and Scalable Namespace
Windows NT 4.0 is capable of storing up to 40 megabytes (MB) of objects per domain, which allows up to 40,000 users per domain in the registry-based Security Account Manager (SAM). Because Windows NT 4.0 uses a flat list organization for the namespace, administering a very large domain can be difficult. Administrative tools, such as the User Manager for domains, cannot start and display all objects quickly. Moreover, data represented in a flat list makes it hard to find a particular object.
To allow simpler, more flexible administration, the Windows NT 5.0 directory uses a structured database, based on Microsoft Exchange directory storage as its data store. Using the Extensible Storage Engine (ESE) allows the directory to scale up to 10-million objects in a single data store, overcoming the limitations of the registry-based SAM database in Windows NT 4.0. The Directory Service Agent (DSA) runs on top of the flat database and implements a hierarchical namespace. With this hierarchical namespace, the Active Directory takes the existing domain model forward to a new “tree of trees” model. By splitting the namespace into a hierarchy, you no longer need to view tens of thousands of users in a flat list.
Within a Windows NT 5.0 domain, you can create organizational units (OUs), which are containers that hold objects in the Active Directory. OUs contain objects such as users, groups, printers, and so forth, which can be organized into a logical structure that maps to the way you work and organize your business. Additionally, you can delegate administration based on permissions assigned to the organizational unit.
The Active Directory provides a rich model for access control permissions, which, in many ways, resembles managing permissions for files and directories. You can delegate managing the objects in any organizational unit by assigning ACLs (access control lists). ACLs allow you to delegate management to just those objects and properties you want. For example, you could give the help desk staff permission to reset passwords, but could prevent the same help desk staff from adding or deleting accounts.
By giving an administrator the right to create or modify objects in only one container, the administrator is confined to only that portion of the tree. This granular management of permissions allows you to provide fine-grained control of administrative responsibilities and boundaries. Using organizational units in the directory hierarchy reduces the number of domains needed to obtain a management hierarchy.
In addition to the trees of organizational units within a domain, you can form a tree of domains. These domains are linked into a hierarchical tree using Kerberos transitive trust. Transitive trust simplifies managing domains by requiring just a single “connection” to the tree. Windows NT-based user accounts are valid anywhere in the tree and provide the single user login that is so important for managing network applications that require authentication and authorization in a distributed environment.
Figure 2   The Active Directory “Tree of Trees”
Multi-master Replication
Windows NT 4.0 implements a single master replication model. The primary domain controller (PDC) is the only domain controller that has a read and write copy of the domain database. All other domain controllers are backup domain controllers (BDCs). The PDC replicates all changes in the domain database to the BDCs.
With Windows NT 4.0, the PDC must always be accessible for changes to be made to user accounts, groups, and so forth. If the PDC server is down or if there are network disconnects, the directory is unavailable for changes.
Windows NT 5.0 and the Active Directory implements a multi-master replication model. With multi-master replication, changes can be made on any domain controller in the domain. The domain controller then replicates the changes to its replication partners. This results in 100 percent availability of the directory for changes, even if single domain controllers are unavailable.
Online Backup and Restore
To achieve a very high availability of domain controllers, the Active Directory allows the backup of domain controllers while they are online.
Dynamically Extensible Schema
A directory’s schema defines the objects and properties that can be created in the directory. In the Active Directory, the schema consists of three tables, one for each of the following:
·      Objects
·      Attributes or properties
·      Syntax objects
For example, in the definition of a user, the Active Directory schema defines a user object, which contains links to the properties that can be set for users—such as a first name property, a last name property, and a password property.
The Active Directory allows you to extend the schema and to create new properties and objects. Developers can use this extensibility feature to create their own data structures in the directory for applications, thereby using the directory as a data store. For example, a human resource application already finds a huge amount of information about an employee in the directory. This information includes the employee’s first and last name, phone number, office number, and home address. Using the Active Directory, the application can extend the schema to add necessary attributes such as the employee’s salary.
Furthermore, the extended security model of the Active Directory allows you to define security very granularly. In the human resource application example, human resource employees have access to user objects that are important for their jobs. And while administrators are able to create and delete users, they do not have access to the salary property.
LDAP as the Core Protocol for Interoperability
To ensure that Windows NT 5.0 supports directory synchronization and interoperability across multiple operating systems and directories, the client access protocol for the Active Directory is the Lightweight Directory Access Protocol (LDAP). Microsoft Corporation is implementing this standard protocol for directory access and is also one of the driving companies behind the standardization process for LDAP within the Internet Engineering Task Force (IETF). Many proposals, such as those for directory replication, have been authored or co-authored by Microsoft. This demonstrates the Microsoft commitment to standards-based protocols and interoperability with other directory vendors.
In the Active Directory, LDAP version 2 and version 3 are implemented for client access. Since the standardization process for replication has not been finalized yet, the Active Directory implements a proprietary replication protocol in the first version. As soon as the standard is available, later versions may use LDAP for directory replication.
Advantages of Migrating to Windows NT 5.0
Many companies today have a large investment in Windows NT. Therefore, the primary goal for any migration is to protect the customer’s existing investment by allowing it to migrate seamlessly and gradually from Windows NT 4.0 to the Active Directory.
Support for Mixed Environments
Windows NT supports a mixed environment of Windows NT 5.0 Active Directory domain controllers and Windows NT 4.0 domain controllers. Customers can migrate at their own pace, based on business needs. Down-level clients will think they are accessing Windows NT 4.0 domain controllers. Windows NT Workstation and Windows® 95 clients that do not have the Active Directory access software will be able to log on to Active Directory domain controllers by using Windows NT LAN Manager (NTLM) challenge/response authentication.
This 100-percent backward compatibility allows businesses to migrate their domain controllers first and then migrate their clients, or to migrate a mix of servers and clients. There is never a point in the migration process that requires a mass migration to the new operating system version on either servers or clients. It is also never necessary to take a complete domain offline to migrate domain controllers or clients. Individual domain controllers are unavailable only during their OS (operating system) update. This guarantees that companies can migrate to the Active Directory without interrupting their business.
Simplification of Domain Models
The Active Directory design allows simple migration of both centralized and decentralized Windows NT 4.0 domain models. The typical master or multiple master domain model can be easily migrated to an Active Directory tree or forest.
The combination of the Active Directory and the improved security model allows customers to reduce the number of domains in the enterprise. The primary reason organizations choose a master domain model is to allow local staff to administer local resource domains without granting these users administrative rights to user accounts in the master domain. This is useful for both the central information technology (IT) departments and local users. Central IT staff do not have to travel to remote locations or perform administrative operations over slow WAN links, and local users receive support more quickly from local support staff. Moreover, local support personnel tend to have a better understanding of the daily processes of their local users.
The origin of many multiple master domain enrollments can be found in the limitations of Windows NT 3.1 domain controllers. In the first release, Windows NT could not hold more than 10,000 objects in the database, which was insufficient for larger companies. Therefore, customers had to create additional account or master domains and establish trusts between these master domains. In the Active Directory, the scalability will be sufficient to store all objects in one domain.
The former structure can be reestablished within a domain using an organizational unit hierarchy. Customers can use the migration to the Active Directory as a means reducing the number of domains and can thus simplify their network administration and simplify their network structure.
Control of Replication Traffic
The Active Directory’s improved replication engine allows you to differentiate between replication that happens using a local network connection and replication that happens over a slow WAN connection. It allows you to create sites, which are a collection of IP subnets with good connectivity. Within the same site, replication starts after a configurable deferral time. Between sites, replication is scheduled and can use WAN network bandwidth only at selected times.
In general, replication traffic in the Active Directory is reduced when compared with the same number of objects in Windows NT 4.0. Although the Active Directory defines more objects and more properties per object, the granularity of replication is finer, because replication in the Active Directory happens on a single property level. If you change only one property on an object, only this property will be replicated to the replication partners, not the object as a whole.
Active Directory: Support for Open Standards
The overriding goal of the Active Directory is to provide a unified view of the network that will greatly reduce the number of directories and name spaces with which network administrators (and users) must contend. The Active Directory is specifically designed to subsume and manage other directories, regardless of their location or their underlying operating system(s). To accomplish this, the Active Directory provides extensive support for existing standards and protocols, including standard name formats, and provides application programming interfaces (APIs) that facilitate communication with these other directories.
The Active Directory uses the Domain Name System (DNS) as its name system, and can exchange information with any application or directory that uses Lightweight Directory Access Protocol (LDAP) or Hypertext Transfer Protocol (HTTP),
Support for DNS
The Active Directory combines the best of DNS as a locator service with the best of X.500, while avoiding the failings of both and advancing Internet standards.
DNS is the most widely used directory service in the world. DNS is the locator service used on the Internet and in most private intranets. A locator service is used to translate a name—for example, MyMachine.Myco.Com—into a TCP/IP address. DNS is designed to scale to very large systems (it supports the entire Internet), while remaining “lightweight” enough for use in a system with just a few computers.
Creating Internet-Ready Names
The Active Directory also uses DNS as its locator service. In the Active Directory, Windows NT Domain Names are DNS names. Users will find the same simple naming used on the Internet in the Active Directory. Myco.Com can be both a DNS domain (that is, an area of addressing) and a Windows NT Domain. JamesSmith@Myco.Com is both an Internet e-mail address and a user name in the Myco.Com domain. Windows NT domains can be located on the internet and Intranet the same way any resource is located on the Internet—by means of DNS. This is shown in Figure 2.
Figure 3   DNS is the Windows NT Locator Service.
Creating an Easier to Manage DNS Environment
DNS has historically been somewhat difficult to manage because it required the manual maintenance of text files containing the friendly name-to-address mapping for every computer in an organization. In Windows NT Server version 4.0, Microsoft introduced a DNS Server with built-in Windows® Internet Naming Service integration. The DNS Server in Windows NT includes a graphical administration tool designed to make editing DNS files less cumbersome.
In a Windows NT Server-based network, client computers are automatically assigned TCP/IP addresses at startup using the Dynamic Host Configuration Protocol (DHCP). The clients then register their names and addresses in the Windows Internet Naming Service. This is shown in Figure 4.
Figure 4   DNS and WINS are integrated to provide dynamic DNS updates.
Microsoft’s solution for dynamically updating DNS tables—integrating DNS and the Windows Internet Naming Service—is a short-term solution. Currently, the Internet standards for DNS are being updated to support Dynamic DNS. Dynamic DNS eliminates the need for WINS because it allows clients with dynamically assigned addresses to register directly with the DNS server and update the DNS table on the fly. Servers running the Active Directory will use Dynamic DNS to publish themselves in DNS. By deploying Windows NT 4.0, DNS, and WINS today, systems administrators create the foundation for the Active Directory and Dynamic DNS.
Figure 4   Active Directory supports LDAP and HTTP protocols.
Support for LDAP and HTTP
The Active Directory further embraces Internet standards by directly supporting the Lightweight Directory Access Protocol (LDAP) and the Hypertext Transfer Protocol (HTTP).
LDAP is an Internet standard (RFC1777) for accessing directory services, and was developed as a simpler alternative to the X.500 DAP protocol. Microsoft is an active participant in the advancement of LDAP standards, and provides support for both LDAP version 2 and version 3 (currently in draft form) in the Active Directory.
HTTP is the standard protocol for displaying pages on the World Wide Web. Every object in the Active Directory can be displayed as an HTML page in a Web browser. Directory support extensions to the Microsoft Internet Information Server (IIS) translate HTTP requests for directory objects into HTML pages for viewing in any HTML client. Thus, users receive the benefit of the familiar Web browsing model when querying and viewing objects in the Active Directory.
Support for Standard Name Formats
Both users and applications are affected by the name format used in directory services. If a user or application needs to find or use something, that user or application must know the name or some property of the object in order to locate it. There are several common forms for names in directories, defined by both formal and de facto standards, and the Active Directory supports many of these formats. This extended support for diverse name formats allows users and applications to use the format that they are most familiar with when accessing the Active Directory. Some of these formats are explained next.
RFC822 Names
RFC822 names are in the form somename@somedomain and are familiar to most users as Internet e-mail addresses; e.g., JamesSmith@myco.Com. The Active Directory provides a “friendly name” in RFC822 form for all objects. For example, a user can use a friendly name as an e-mail address, suitable for display on a business card, and as the name used to log on.
The Active Directory supports access from Web browsers via the HTTP protocol and Microsoft Internet Information Server. HTTP uniform resource locators (URLs) are familiar to most users who have Web browsers, and are in the form HTTP://somedomain/path-to-page.
The Active Directory supports access to its contents via HTTP URLs in which somedomain refers to a server running Active Directory services and path-to-page is the path through the Active Directory hierarchy to the object of interest, for example:
LDAP URLs and X.500 Names
The Active Directory supports access via the LDAP protocol from any LDAP-enabled client. LDAP names are less intuitive than Internet names, but the complexity of LDAP naming is usually hidden within an application. LDAP names use the X.500 naming convention called attributed naming. An LDAP URL names the server holding Active Directory services and the attributed name of the object, for example:
UNC Names
The Active Directory supports the Universal Naming Convention (UNC) used in Windows NT Server-based networks to refer to shared volumes, printers, and files. A user can refer to a shared file published in the Active Directory by a UNC name, for example:
Active Directory: Application Programming Interfaces
The Active Directory provides powerful, flexible, and easy-to-use application programming interfaces (APIs). The availability of a rich set of APIs for the directory service encourages the development of applications and tools that make use of the directory’s services. The Active Directory includes three major API sets:
·      ADSI, the Active Directory Service Interfaces, a set of component object model (COM) interfaces for manipulating and querying multiple directory services.
·      MAPI, the Windows® Open Services Architecture Messaging API.
·      LDAP C API (RFC1823), an informational RFC that is the de facto standard in C programming for LDAP applications.
Each of these APIs is described next.
Active Directory Service Interfaces (ADSI)
To make it easier to write directory-enabled applications that access the Active Directory and other LDAP-enabled directories, Microsoft developed Active Directory Service Interfaces (ADSI). ADSI is a set of extensible, easy-to-use programming interfaces that can be used to write applications to access and manage the following:
·      Active Directory
·      any LDAP-based directory
·      other Directory Services in a customer’s network, including NDS
ADSI is part of the Open Directory Services Interface (ODSI), the Windows® Open Services Architecture (WOSA) architecture for manipulating and querying multiple directory services. ADSI objects are available for Windows NT 4.x, Novell NetWare 3.x, and 4.x, and the Active Directory, as well as any other directory service that supports the LDAP protocol.
Active Directory Service Interfaces abstract the capabilities of directory services from different network providers to present a single set of directory service interfaces for managing network resources. This greatly simplifies the development of distributed applications, as well as the administration of distributed systems. Developers and administrators use this single set of directory service interfaces to enumerate and manage the resources in a directory service, no matter which network environment contains the resource. Thus, ADSI makes it easier to perform common administrative tasks, such as adding new users, managing printers, and locating resources throughout the distributed computing environment, and ADSI makes it easy for developers to “directory enable” their applications.
ADSI is designed to meet the needs of traditional C and C++ programmers, system administrators, and sophisticated users. With ADSI, development of directory enabled applications is fast and easy. ADSI presents the directory as a set of COM objects, which provide behavior in addition to data.
Because ADSI objects are available for many popular directory services, ADSI is an ideal tool for building applications that will work with multiple directories. In addition, a service provider writer may choose to supply rich query by supporting OLE DB interfaces. Thus, tools that take advantage of the OLE DB interfaces can use Active Directory service providers.
ADSI objects are designed to meet the needs of three main audiences:
·      Developers. Typically, this audience will use ADSI with a compiled language such as C++, although Microsoft Visual Basic can be used for prototyping the application. For example, a developer could write an application to manage multiple directories, network printing, back up databases, and so on.
·      System administrators. Typically, this audience will access ADSI through a scripting language, such as Microsoft Visual Basic, although C/C++ can also be used to enhance performance. For example, with Active Directory an administrator could write a script to add 100 new users to the system and establish them as members of selected security groups.
·      Users. Like the system administrators, this audience will access ADSI through a scripting language. For example, a user might write a script to locate all print jobs in a group of print queues and display the status of each.
Windows Messaging API (MAPI)
The Active Directory provides support for MAPI so that legacy MAPI applications will continue to work with the Active Directory. Because of this, developers of new applications are encouraged to use ADSI to build their directory-enabled applications.
The LDAP API provides a “lowest common denominator” solution for developers who need their applications to work on many different client types. Similarly, existing LDAP applications will run against Active Directory services with little or no modification beyond extending the application to support object types unique to the Active Directory. Developers of LDAP applications are encouraged to migrate to ADSI, which supports any LDAP-enabled directory services.
Active Directory: Enabling Massive Scalability
Microsoft recognizes that not all businesses are the same size, and that there isn’t much value in a directory in which the small business suffers at the low end and the large business suffers at the high end. This is why the Active Directory performs very well on just a single computer, and also scales to a large enterprise environment.
Windows NT 4.0 scales quite well up to at least 100,000 users (using multiple domains), but the Active Directory can scale up to millions of users (10 million total objects) in a single domain, and even larger numbers in a domain tree. The administrative granularity of the Active Directory allows small domains to be created that are easy to administer and that allow organizations, and the networks that support them, to grow very large. Large enterprises are not be administered any differently than smaller businesses—they just have more administrators.
The Active Directory scales by creating one copy of the directory store for each domain. This copy of the directory store holds the objects that apply to that domain only. If multiple domains are related, they can be built into a tree. Within this tree, each domain has its own copy of the directory store, with its own objects, and the ability to find all the other copies in the tree of the directory store.
Rather than creating a single copy of the directory that gets larger and larger, the Active Directory creates a tree made up of small pieces of the directory, each containing information that allows it to find all the other pieces. The Active Directory breaks the directory into pieces so that the part of the directory someone uses most often is closest to them. Other users in other locations may want to use that same part of the directory, and they would also have a copy close to them. All replicas of that part of the directory are kept synchronized. If a record in any copy is modified, the change is propagated to the other copy. This allows the Active Directory to scale up to many millions of users in a tree.
Using Domain Trees
The key to the scalability of Active Directory is the domain tree. Unlike directory services that consist of a single tree structure and require a complex “top down” partitioning process, the Active Directory provides a simple and intuitive “bottom up” method for building a large tree. In the Active Directory, a single domain is a complete partition of the directory. Domains are subdivided into organizational units (OUs) for administrative purposes. This can be seen in Figure 5.
Figure 5   Active Directory uses domain trees and organizational units (OUs) to provide bottom up tree structures.
A single domain can start very small and grow to contain over 10 million objects. When a more complex organizational structure is required or a very large number of objects must be stored, multiple Windows NT domains can be easily joined together to form a tree.
Using the Container Hierarchy to Model the Organization
The ability of the container hierarchy in the Active Directory to nest organizational units within domains (as well as within other OUs) provides a hierarchical name space that administrators can use to reflect their organization and to delegate administrative control. A container contains a list of contents; for example, major company divisions. In this example, it is possible to select a division below a previous division and open it, and so on.
Moving to a container hierarchy with a finer-grained administrative model, such as the model used here, solves many problems. While large domains can still be used, finding things will be easy. Everything that exists in the domain tree will show up in the global catalog, a service that allows users to easily find an object, regardless of where it is in the tree.
Gaining Finer-Grained Administration
The robust domain trees provided by the Active Directory offer far greater administrative flexibility than the single-tree organizational structures of other directory services. Although single-tree domains can be built with the Active Directory, a better administrative option is to build a tree of domains, each with its own security boundary. A hierarchy of domains allows for finer granularity of administration without compromising security. Permissions can flow down the tree, with users being granted permissions (as well as granting permissions to others) on an organizational unit basis. This domain-tree structure easily accommodates organizational change with pruning, grafting, and merging.
Each domain in a domain tree has a copy of the directory service holding all objects for that domain and metadata about the domain tree, such as the schema, list of all domains in the tree, location of global catalog servers, and so forth. Since a single directory service store does not have to hold all objects for all domains, very large trees can be built without compromising performance.
Increasing Security
The Active Directory provides the fine-grained administration structure that allows for decentralized administration without compromising security. Because each domain is a security boundary, multiple security boundaries are possible. With this design administrators in domain A are not automatically administrators in domain B. The container hierarchy is important because, today, the scope of administration is the domain, and the administrator of a domain has authority over every object and service within that domain. The Active Directory grants privileges to users based on the specific functions they must perform within a given scope. Administrative scope can include an entire domain, a subtree of OUs within a domain, or a single OU.
With the Active Directory, very large structures of users can be created in which each user can potentially access all of the information stored in the directory, but the security boundaries remain clear. Security boundaries can also be much smaller than domains. For example, when a user account is created, it is associated with a particular domain, but it can also be put into an organizational unit. Permission to create users in an organizational unit can be delegated, allowing someone to create users or other directory objects in one place only, with rights within that OU only. In addition, OU hierarchies can be created. The Active Directory introduces many very specific permissions, all of which can be delegated and restricted in scope.
Extending the Directory Services via an Extensible Schema
To provide administrators with the power to create their own directory object types, the Active Directory is extensible through a schema mechanism. If a user has an important piece of information that the user wants to publish in the directory, he or she can create a whole new object type and publish it. For example, a wholesale distributor may want to create a warehouse object to put in its directory, with information that is specific to that business. New object classes can be defined and instances added.
The directory services themselves define a wide variety of classes. For example, the Active Directory provides standard objects for Domain, OU, User, Group, Machine, Volume, and PrintQueue, as well as a rich set of “connection point” objects used by Winsock, RPC, and DCOM services to publish their binding information.
The Global Catalog
All objects stored in the Active Directory have entries in the global catalog (GC), a service that contains directory information from all of the source domains in the tree. Designed for high performance, the GC allows users to easily find an object—regardless of where it is in the tree—while searching by selected attributes. These attributes are contained in an abbreviated catalog. This technique, known as partial replication, allows many common queries to be resolved from the GC without requiring a lookup in the source domain.
The global view may contain any type of object, for example, Users, Services, or Machines. A typical use of the global view would be to provide a global address book for purposes of mail or any mail-enabled application.
Figure 6 shows the structure of the global catalog.
Figure 6   The global catalog structure provides access to full and partial replication.
Multimaster Replication
The manner in which a directory service stores information directly determines the performance and scalability of that directory service. Directory services must handle a very large number of queries compared to the number of updates. Typically the ratio is 99 percent query and 1 percent update. For this reason, replicated storage is important. By creating multiple replicas of the directory and keeping them consistent, the number of queries that can be handled with no performance degradation is increased. This reproduction and synchronization of directory information is known as multimaster replication.
Updating the Directory in a Multimaster Environment
The Active Directory offers true multimaster replication. Some directory services use a master-slave approach to do updates: all of the updates must be made to the master copy of the directory, and these are then replicated to the slave copies. This is adequate for a directory with a small number of copies and an environment where all of the changes can be applied centrally, but this approach does not scale beyond small-sized organizations, nor does it address the needs of decentralized organizations. Because the Active Directory offers multimaster replication, individual changes made in one copy of the directory are automatically replicated to all other appropriate copies of the directory, whether connected via point-to-point or store-and-forward links.
Some directory services use time stamps to track updates. In a master-slave directory where all updates are made centrally, this is adequate, but in a multimaster replicating directory, time stamps are problematic. Unless time is perfectly synchronized among all copies of the directory, there is a chance for data loss or directory corruption. The Active Directory does not depend upon time stamps for detecting updates. Instead, it uses Update Sequence Numbers (USNs). Updates can be tracked because any time a user writes something into an object in the directory, it gets USN, which is held per computer and incremented any time a change is made to that object. If a user on one computer updates a user record, the current value for the update sequence number on that computer is incremented and then written into the object, along with the change and a unique signature of the first computer that wrote that change. The object also carries a USN for each property. When a property is updated, the new USN is advanced.
Changes are monitored, and the replication partners of one computer ask for all of its changes greater than the last USN received. The source computer will then search through the directory and find each object whose update sequence numbers are greater than the one presented by the partner machine.
Property changes are reconciled individually; when a change is replicated, only properties with a higher USN are updated. In the case of a collision (where two different computers have updated one property), the change with the later time stamp wins. The time stamp is used simply as an arbitrary “tie breaker,” so time synchronization is not important. Per-property reconciliation keeps the chance of collisions to a minimum.
Support for Volatile Objects and Properties
The architecture of the Active Directory supports the addition of objects and properties that are volatile, that is, frequently changing or short-lived. This type of information is not usually stored in traditional directories because the information loses its accuracy before directory replication can propagate it. The Active Directory provides a mechanism to transparently link alternate information stores into the directories. Volatile objects and properties are stored in separate storage with different replication characteristics while preserving a common user view of all objects, both static and volatile.
Active Directory: Administration Tools
Drag-and-Drop Administration
The Active Directory provides intuitive and powerful administration tools. Objects can be hierarchically organized so that they can model large organizations. And the graphical user interface delivers one of the most requested administrative tools—a drag-and-drop control console. This console has a graphical user interface that provides an object-view of administration. For example, to do pruning and grafting, the administrator would grab the top of the merge-from tree, and then drag it to the target domain. A dialog box asks the administrator to confirm the action. Of course, the administrator must have rights in the merge-from tree to merge it with another tree, and in the merge-to domain to bring new trees into it..
Note   Drag-and-drop directory administration is not implemented in Windows NT Server beta-1.
Scripting and COM Automation
Anything that can be done through a UI should be able to be done programmatically or from a script. To allow an administrator to write command procedures, the Active Directory provides full support for COM automation and scripting. This makes it possible to add, change, move, copy, and perform other administrative functions by scripted manipulation using Active Directory, and a scripting language such as Visual Basic, Java™, or others.
Active Directory: Backward Compatibility
A critical need for customers who have installed Windows NT Server versions 3.5x or 4.0 is backward compatibility. The Active Directory was designed from the start with backward compatibility built-in. The Active Directory provides complete emulation of the Windows NT 3.5x and 4.0 directory services; administrative tools and applications written to the Win32® API will continue to work unmodified in Active Directory environments. A next generation Windows NT Domain Controller installed in a Windows NT 3.5x or 4.0 Domain looks and acts exactly like a Windows NT 4.0 Domain Controller. This means that an investment in existing Windows NT network infrastructure and applications is protected. Customers can deploy Windows NT Server 4.0 today with complete confidence that their investment will support a smooth migration to the Active Directory.
Easy Migration from Windows NT 3.5x and 4.0
To provide smooth and trouble-free migration, the Active Directory is designed to operate in a mixed environment. A mixed domain, with both next generation and “down-level” Windows NT 3.5x and 4.0 domain controllers, works and acts just like a Windows NT 4.0 domain.
The migration process from down-level servers to the Active Directory can take place one domain controller at a time. Once a primary domain controller in the Windows NT 4.x domain has been upgraded, the domain can be joined to a Tree. The next section describes one example of how this migration process could work.
Migrating from Windows NT 4.0 to the Active Directory
This example uses a simple Windows NT 4.x domain with three domain controllers: one Primary Domain Controller (PDC) and two Backup Domain Controllers (BDCs). Figure 7 shows the initial configuration.
Figure 7   A simple Windows NT 4.x domain with a single Primary Domain Controller (PDC) and two Backup Domain Controllers (BDCs).
To begin the migration, you first upgrade the Primary Domain Controller (PDC) to Windows NT 5.0 and Active Directory.
The new DC/PDC populates the Active Directory from the Windows NT 4.0 domain directory during the upgrade (see Figure 8).
Figure 8   Mixed Domain
When you install Windows NT 5.0 at the PDC, you make the Active Directory the master copy of the domain directory. At this time, you can use Windows NT 5.0 graphical tools to perform system administration and account maintenance for the domain. The Windows NT 3.5x and 4.0 BDCs and the client systems in the domain are unaware of this change and continue to operate normally.
Your final migration step is to upgrade each BDC to Windows NT 5.0. As each BDC is converted, it becomes a peer of the PDC. Windows NT 4.0 replication is replaced by multimaster Windows NT 5.0 replication (see Figure 9).
Figure 9   Pure Domain—the former BDCs are now peers of the original Windows NT 5.0 DC.
When all BDCs have been upgraded, the mixed domain becomes a pure Active Directory/Windows NT 5.0 domain. Down-level client systems will continue to see the domain as a Windows NT 3.5x or 4.0 domain. Next-generation clients will see the domain as a next generation domain and will be able to make full use of the Active Directory capabilities.
Easy Migration from the Microsoft Exchange Directory
Many organizations today are deploying Microsoft Exchange to provide their messaging and groupware infrastructure. These organizations will have a significant investment in the Microsoft Exchange directory when the Active Directory is released. Future releases of Microsoft Exchange will use the Active Directory, eliminating the need for a separate Microsoft Exchange directory. This release of Microsoft Exchange will provide a directory migration tool to transparently migrate the contents of the Microsoft Exchange directory to the Active Directory.
This approach helps protect customer investment in Microsoft Exchange data and organizational structure and provides a smooth migration path from the Microsoft Exchange directory to the Active Directory.
NetWare Migration
Many customers with mixed network environments have asked for tools which ease the transition from Novell NetWare to Microsoft Windows NT. In earlier versions of Windows NT, this was accomplished with utilities such as NW Convert (nwconv.exe) which non-destructively migrated bindery based users, groups, files, and ACLs to Windows NT domain controllers.
With the introduction of Windows NT 5.0 and Active Directory, Microsoft has replaced NW Convert with a next-generation Directory Service Migration tool. This new utility non-destructively migrates both binderies and NDS, and permits administrators to model the account information before committing it to Active Directory.
Windows NT 5.0 Distributed Security Services
There are many areas in which security will change in Windows NT Server 5.0 to support the Internet-based Enterprise. Some of the changes reflect advances in supporting large organizations through the use of the hierarchical Windows NT Active Directory. Other changes take advantage of the flexibility of the Windows NT security architecture to integrate authentication using Internet public-key certificates.
Windows NT Distributed Security has many new features to simplify domain administration, improve performance, and integrate Internet security technology based on public-key cryptography. The highlights of the Windows NT 5.0 Distributed Security Services include:
·      Integration with Windows NT 5.0 Active Directory to provide scalable, flexible account management for large domains with fine-grain access control and delegation of administration.
·      Kerberos Version 5 authentication protocol, a mature Internet security standard, which is implemented as the default protocol for network authentication; it provides a foundation for authentication interoperability.
·      Strong authentication using public-key certificates, secure channels based on Secure Sockets Layer 3.0, and CryptoAPI to deliver industry-standard protocols for data integrity and privacy across public networks.
Private Key Security
Along with the Active Directory, the next release of Windows NT Server will implement a distributed security model. This distributed security model is based on the MIT Kerberos authentication protocol. Kerberos authentication is used for distributed security within a tree, and accommodates both public and private key security using the same Access Control List (ACL) support model of the underlying Windows NT operating system. The Active Directory is the store for the security system, including user accounts, groups, and domains. It replaces the registry account database and is a trusted component within the Local Security Authority (LSA).
A single sign-on to the Windows NT domain tree allows user access to resources anywhere in the corporate network. Easy-to-use administrator tools for security policy and account management reduce the cost of deploying the Windows NT operating system. Windows NT also provides a foundation for integrated security for the Microsoft BackOffice® family of products, including Microsoft Exchange, Microsoft SQL Server™, Microsoft SNA Server, and Microsoft Systems Management Server.
The MIT Kerberos V5 authentication protocol is supported with extensions for public key-based authentication in addition to password-based (secret key) authentication.
Public Key Security
The Active Directory also supports the use of X.509 v3 Public Key Certificates for granting access to resources for subjects (for example, users) that do not have Kerberos credentials. This type of user is most often someone from outside an organization who needs access to resources within the organization. For example, an aerospace firm may hire subcontractors who need access to specifications, plans, and so forth. The Active Directory allows X.509 v3 certificates issued by a trusted authority to be mapped onto Windows NT security groups. Thus, a non-Windows NT user with a certificate can be granted access to resources in the same way as a user with Kerberos credentials.
The list below introduces additional new Windows NT security features:
·      The Windows NT Active Directory provides the store for all domain security policy and account information. The Active Directory, which provides replication and availability of account information to multiple Domain Controllers, is available for remote administration.
·      The Windows NT Active Directory supports a hierarchical name space for user, group, and machine account information. Accounts can be grouped by Organizational Units, rather than the flat domain account name space provided by earlier versions of Windows NT.
·      Administrator rights to create and manage user or group accounts can be delegated to the level of Organizational Units. Access rights can be granted to individual properties on user objects to allow, for example, a specific individual or group to have the right to reset passwords, but not to modify other account information.
·      Windows NT Active Directory replication allows account updates to be made at any Domain Controller and not just the Primary Domain Controller (PDC). Multiple master replicas of the Active Directory at other Domain Controllers, which used to be known as Backup Domain Controllers (BDCs), are updated and synchronized automatically.
·      The Windows NT domain model changes using the Windows NT Active Directory to support a multilevel hierarchy tree of domains. Management of trust relationships between domains is simplified through tree-wide transitive trust throughout the domain tree.
·      Windows NT security includes new authentication based on Internet standard security protocols, including Kerberos Version 5 and Transport Layer Security (TLS) for distributed security protocols, in addition to supporting Windows NT LAN Manager authentication protocols for compatibility.
·      The implementation of secure channel security protocols (SSL 3.0/TLS) supports strong client authentication by mapping user credentials in the form of public-key certificates to existing Windows NT accounts. Common administration tools are used to manage account information and access control, whether using shared secret authentication or public-key security.
·      Windows NT supports the optional use of smart cards for interactive logon in addition to passwords. Smart cards support cryptography and secure storage for private keys and certificates, enabling strong authentication from the desktop to the Windows NT domain.
·      Windows NT provides the Microsoft Certificate Server for organizations to issue X.509 Version 3 certificates to their employees or business partners. Introduction of CryptoAPI certificate management APIs and modules to handle public-key certificates, including standard format certificates issued by either a commercial Certificate Authority (CA), third-party CA, or the Microsoft Certificate Server included in Windows NT. System administrators define which CAs are trusted in their environment and, therefore, which certificates are accepted for client authentication and access to resources.
·      External users who do not have Windows NT accounts can be authenticated using public-key certificates and mapped to an existing Windows NT account. Access rights defined for the Windows NT account determine the resources the external users can use on the system. Client authentication using public-key certificates allows Windows NT to authenticate external users based on certificates issued by trusted Certificate Authorities.
·      Windows NT users have easy-to-use tools and common interface dialogs for managing the private key/public-key pairs and the certificates they use to access Internet-based resources. Storage of personal security credentials, which uses secure disk-based storage, is easily transported with Microsoft’s proposed industry-standard protocol, Personal Information Exchange. The operating system also has integrated support for smart card devices.
·      Encryption technology is engineered into the operating system in many ways to take advantage of the use of digital signatures for providing authenticated data streams. In addition to signed ActiveX™ controls and Java Classes for Internet Explorer 3.0, Windows NT will use digital signatures for image integrity of a variety of program components. In-house developers can also create signed software for distribution and virus protection.
In addition to these changes, we expect third parties to host dynamic password authentication services on Windows NT Server and to integrate dynamic passwords with Windows NT domain authentication. The APIs and documentation to support these third-party products are available in the Win32® SDK for Windows NT 4.0.
The Windows NT 5.0 Distributed Security Services provides flexible solutions for building secure, scaleable distributed applications. Security administration and management will have richer features for delegation and fine-grain account control. The Windows NT Active Directory supports domains with a much higher number of accounts in a structured naming environment of organizational units. Interdomain trust management is simpler, providing greater flexibility to use domains in ways that reflect the needs of the Enterprise.
Windows NT security APIs for network authentication, data privacy, digital signatures, and encryption support secure application development for the Enterprise and the Internet. The SSPI and CryptoAPI interfaces, as well as higher-level COM and DCOM interface abstractions, make all the integrated security features of Windows NT available for applications to use. The robust security architecture of Windows NT is used consistently across all system components and will be extended to support strong authentication and public-key security. These features are unmatched by any other distributed application platform available today.
Windows NT Distributed Security integrates mature Internet standards for authentication while at the same time introducing new public-key security technology based on industry direction and available standards. Many of the Internet public-key security standards are still forming. Microsoft is involved in the development of these standards but recognizes they are likely to change over time. The Windows NT security architecture is specifically designed to incorporate new security technology in the form of protocols, cryptographic service providers, or third-party authentication technology. Customers deploying Windows NT have choices about what security technology to use, how to integrate security into their application environment with minimum impact, and when to migrate to new technology as it becomes available.
Security ConfigurATion Editor
The Microsoft® Security Configuration Editor is a Microsoft Management Console (MMC) tool designed to reduce costs associated with security configuration and analysis of the Windows NT® operating systems.
The Microsoft Management Console is a Windows®-based, multiple-document interface (MDI) application that makes extensive use of Internet technologies. MMC is a core part of Microsoft's management strategy and is designed to provide a single host for all management tools, facilitate task delegation, and lower total cost of ownership for enterprise users of Windows and Windows NT. MMC itself does not supply any management behavior, but instead provides a common environment for snap-ins, which define the actual management behavior. Snap-ins are administrative components integrated into a common host—the MMC interface.
Security Configuration Editor is a snap-in component for MMC that is designed to provide a central repository for security-related administrative tasks. With Security Configuration Editor, you will be able to use a common tool to configure and analyze security on one or more Windows NT-based machines in your network.
Why Security Configuration Editor is Necessary
The current version of the Windows NT network operating system has excellent security features built in. A single sign-on to the Windows NT domain allows user access to resources anywhere in the corporate network. The system provides tools for security policy and account management, and the Windows NT Domain model is flexible and can support a wide range of network configurations. Window NT 5.0 extends these features to provide support for Internet-aware enterprise networks and the new distributed services included in the operating system.
From the administrator’s point of view, Windows NT provides a number of graphical tools that can be used individually to configure various aspects of system security. However, these tools are not centralized—an administrator may need to open three or four applications to configure security for one computer. Using these applications is therefore considered costly and cumbersome by many security-conscious customers. In addition, security configuration can be complex—and with the distributed security features added in Windows NT 5.0, this complexity has increased.
While Windows NT 4.0 does provide adequate (if somewhat inconvenient) configuration tools, it lacks powerful tools for security analysis. The only tool provided that can be used to monitor security is Event Viewer, and it was not designed for performing corporate-level audit analysis. There are third-party tools for such analysis; however, those tools either lack enterprise-level features or are not comprehensive.
Security Configuration Editor, which is intended to answer the need for a central security configuration tool, will provide the framework for enterprise-level analysis functionality. Most importantly, it will reduce security-related administration costs by defining a single point where the entire system’s security can be viewed, analyzed, and adjusted as necessary. The goal is to provide a comprehensive, flexible, extensible, and simple tool for configuring and analyzing system security.
Security Configuration Editor Design Goals
The primary goal of Security Configuration Editor is to provide a single point of administration for Windows NT system security. To meet that goal, the tool must allow the administrator to:
·      Configure security on one or more Windows NT-based machines.
·      Perform security analysis on one or more Windows NT-based machines.
·      Complete these tasks from a single administrative window.
The process of configuring security in a Windows NT-based network can be complex and detailed in terms of the system components involved and the level of change that may be required. Therefore, Security Configuration Editor is designed to allow you to perform configuration at a macro level. In other words, the editor allows you to define a number of configuration settings and have them enacted in the background. With this tool, configuration tasks can be grouped and automated; they no longer require numerous, iterative key presses and repeat visits to a number of different applications to configure a group of machines.
Note that Security Configuration Editor is not designed to replace system tools that address different aspects of system security—such as User Manager, Server Manager, Access Control List (ACL) Editor, and so forth. Rather, its goal is to complement them by defining an engine that can interpret a standard configuration template and perform the required operations automatically in the background. Administrators can continue to use existing tools to change individual security settings whenever necessary.
To address the security analysis gap in Windows NT security administration, Security Configuration Editor will provide analysis at a micro level. The Editor is designed to provide information about all system aspects related to security. Security administrators can view the information and perform security risk management for their entire information technology (IT) infrastructure. In future versions, they will be able to create reports and perform specialized queries.
Security Configuration Editor Features
Security Configuration Editor is designed to be comprehensive, flexible, extendible, and simple.
Unlike other operating system features, security is a characteristic of the system as a whole. Almost every component of the system is responsible for some aspect of system security. Therefore, questions such as “Is my computer secure?” or “Is my network secure?” are extremely difficult to answer. Typically, a system administrator must examine many different system components and use many tools in an attempt to answer these questions. Microsoft’s goal is to have Security Configuration Editor be the resource for answering security-related questions, whether they are general (such as those listed above) or very specific. To provide comprehensive security administration and information, Security Configuration Editor allows you to configure and analyze all of the following:
·      System Security Policy – You can use the tool to set access policy, including how and when users can log on to the system, password policy, overall system object security, audit settings, domain policy, and so forth.
·      User Accounts – You can assign group memberships, privileges, user rights, and so forth.
·      System Services – You can configure the different services installed on a system, including network transport services such as TCP/IP, NetBIOS, CIFS File Sharing, Printing, and so forth.
·      System Registry – You can use the Editor to set the security values in the system registry.
·      System Store – You can use the Editor to set the security for local system file volumes and directory trees.
·      Directory Security – You can use the Editor to manage the security on objects residing in the Windows NT 5.0 Active Directory.
Security Configuration Editor allows you to define Security Configuration Templates that include settings for security attributes in each of the areas outlined above. Using these templates, you can configure the system. Additionally, you can perform a security analysis on the system by using these templates as recommended configurations.
The templates are text-based .inf files. Configuration information is specified in different sections, and the information is parsed by the Editor’s configuration engine. The architecture is sufficiently flexible to support new sections if you need to specify new areas of security configuration and analysis as the system evolves.
Security Configuration Editor will include a set of predefined templates. You can choose to use these templates as shipped, or you can use them as starting points for building your own customized templates. The Editor’s template-editing functionality provides this flexibility.
The Security Configuration Editor is architected to be extendible. You can add extensions as new areas of security configuration, or as new attributes within an existing area. Since the configuration information is stored in a standard .inf file format, it can be easily extended without affecting backward compatibility.
Additionally, system services is a currently defined area that has been architected to be extendible within itself. It permits any service writer to implement a Security Editor Attachment that can configure security settings for a particular system service, as well as perform any analysis that may be required. Different Windows NT systems can be configured to run different sets of services. Also, Microsoft expects that independent software vendors (ISVs) who develop services will want to add their service’s security configuration and analysis to this overall security framework.
The tool initially supports security configuration and analysis for several native Windows NT services, including CIFS Server and Spooler.
Because Security Configuration Editor is designed to reduce costs associated with administering a network, it is vital that the tool be easy to learn and use. The Editor contains no complicated options—only a simple uniform graphical user interface (GUI) for defining configuration templates and viewing security analysis data. The interface uses the standardized context menus and views supported by Microsoft Management Console. There are no superfluous graphics or statistics, only a simple tabular view of the information with visual cues to flag security problems. In addition, the Editor contains a command-line utility to allow administrators to run configuration and analysis as part of a script. Administrators can use the graphical interface or the command line to apply a configuration template and perform analysis, enabling them to easily fit the tool into an existing administration model. And they can use the graphical interface to define templates and browse through analysis data.
Encrypting File System
A standard safety measure on a personal computer system is to attempt to boot from a floppy disk before trying to boot from the hard disk. This guards users against hard drive failures and corrupted boot partitions. Unfortunately, it also adds the convenience of booting different operating systems. This can mean someone with physical access to a system can bypass the built-in security features of the Microsoft® Windows NT® file system access control by using a tool to read Windows NT file system (NTFS) on-disk structures. Many hardware configurations provide features like a boot password to restrict this kind of access. Such features are not in widespread use, and in a typical environment, where multiple users are sharing a workstation they don’t work very well. Even if these features were universal, the protection provided by a password is not very strong.
Typical scenarios where unauthorized data access becomes an issue include:
A stolen laptop—It only takes a moment for someone to pick up an unattended laptop. What if the thief is not interested in reselling your computer, but is interested in the sensitive information stored on its hard drive?
Unrestricted access—Office desktop systems are left unattended and anyone can come in and quickly steal information from an unattended computer.
The root of these security concerns is sensitive information, which typically exists as unprotected files on your hard drive. You can restrict access to sensitive information stored on an NTFS partition if Windows NT is the only operating system that can be run and if the hard drive cannot be physically removed. If someone really wants to get at the information, it is not difficult if they can gain physical access to the computer or hard drive. Availability of tools that allow access to NTFS files from MS-DOS® and UNIX operating systems makes bypassing NTFS security even easier.
Data encryption is the only solution to this problem. There are a number of products on the market that provide application-level file encryption using password-derived keys. However, there are some limitations with most of these approaches:
Manual encryption and decryption on each use. Encryption services are not transparent to the user in most products. The user has to decrypt the file before every use and re-encrypt it when finished. If the user forgets to encrypt a file, the file is unprotected. And, because the user must go to the trouble of specifying that a file be encrypted (and decrypted) on each use, it discourages the use of encryption.
Leaks from temporary and paging files. Many applications create temporary files while a user edits a document (Microsoft Word for one). These temporary files are left unencrypted on the disk, even though the original document is encrypted, making data theft easy. And, application level encryption runs in Windows NT user mode. This means that the user’s encryption key may be stored in a paging file. It is fairly easy to gain access to all documents encrypted using a single key by simply mining a paging file.
Weak security. Keys are derived from passwords or pass-phrases. Dictionary attacks can easily breach this kind of security if easy to remember passwords are used.
No data recovery. Many products do not provide data recovery services. This is another discouragement to users, especially ones who do not want to remember another password. In the cases where password-based data recovery is provided, it creates another weak point of access. All a data thief needs is the password to the recovery mechanism to gain access to encrypted files.
EFS addresses all the problems mentioned above and more. The following four sections go into detail on the encryption technology, where encryption takes place in the system, user interaction, and data recovery.
EFS Encryption Technology
EFS is based on public-key encryption, taking advantage of the CryptoAPI architecture in Windows NT. Each file is encrypted using a randomly generated key, which is independent of a user’s public/private key pair; thereby stifling many forms of cryptoanalysis-based attack.
File encryption can use any symmetric encryption algorithm. The first release of EFS will expose DES as the encryption algorithm. Future releases will allow alternate encryption schemes.
EFS also supports encryption and decryption on files stored on remote file servers.
Note   In this case EFS only addresses encrypting data on disk. It does not encrypt data that is transferred over the network. Windows NT provides network protocols such as SSL/PCT to encrypt data access over the network.
Where EFS Lives
EFS is tightly integrated with NTFS. When temporary files are created, the attributes from the original file are copied to temporary files as long as all files are on NTFS volume. If you encrypt a file, EFS encrypts its temporary copies also. EFS resides in the Windows NT kernel and uses the non-paged pool to store file encryption keys, ensuring that they never make it to the paging file.
User Interaction
The default configuration of EFS allows users to start encrypting files with no administrative effort. EFS automatically generates a public-key pair for file encryption for a user, if one does not exist.
File encryption and decryption is supported on a per file or entire directory basis. Directory encryption is transparently enforced. All files (and subdirectories) created in a directory marked for encryption are automatically encrypted. Each file has a unique encryption key, making it safe for rename operations. If you rename a file from an encrypted directory to an unencrypted directory on the same volume, the file remains encrypted. Encryption and decryption services are available from Windows NT Explorer. Additionally, command line tools and administrative interfaces are provided for advanced users and recovery agents so they can take full advantage of this capability.
A file need not be decrypted before use—encryption and decryption is done transparently when bytes travel to and from the disk. EFS will automatically detect an encrypted file and locate a user’s key from the system’s key store. Since the mechanism of key storage is based on CryptoAPI, users will have the flexibility of storing keys on secure devices, such as smart cards.
The initial release of EFS will not support file sharing. However, the EFS architecture is designed to allow file sharing between any number of people by the simple use of their public keys. Users can then independently decrypt files using their own private keys. Users can be easily added (if they have a configured public key pair) or removed from a group of permitted sharers.
Data Recovery
EFS provides built-in data recovery support. The Windows NT 5.0 security infrastructure enforces the configuration of data recovery keys. You can use file encryption only if the system is configured with one or more recovery keys. EFS allows recovery agents to configure public keys that are used to enable file recovery. Only the file’s randomly generated encryption key is available using the recovery key, not a user’s private key. This ensures that no other private information is revealed to the recovery agent accidentally.
Data recovery is intended for most business environments where the organization expects to be able to recover data encrypted by an employee after an employee leaves or when encryption keys are lost. The recovery policy can be defined at the domain controller of a Windows NT domain. This policy is enforced on all machines in that domain. The recovery policy is under the control of domain administrators who can delegate this to designated data security administrator accounts using Windows NT Directory Service delegation features. This provides better control and flexibility on who is authorized to recover encrypted data. EFS also supports multiple recovery agents, by allowing for multiple recovery key configurations to provide organizations with redundancy and flexibility in implementing their recovery procedures.
EFS can also be used in a home environment. EFS will automatically generate recovery keys and save them as machine keys when there is no Windows NT domain. Home users can also use the command line tool to recover data using the administrator’s account. This reduces the administrative overhead for a home user.
Smart Cards
The need for security and enhanced privacy is growing as electronic forms of identification replace face-to-face and paper-based ones. The emergence of the global Internet, and the expansion of the corporate network to include access from outside the firewall, have accelerated the demand for solutions based on public-key technology. A few examples of the kinds of services that public key technologies enable are: secure channel communications over a public network, digital signatures to ensure image integrity, and authentication of a Web browser to a Web server. In the next release of the Microsoft® Windows NT® operating system, public-key technology will be integrated with the core security infrastructure and the new Active Directory. This integration will enable a broad range of choices for IT organizations that administer an expanding Enterprise.
Why Smart Cards?
Smart cards are a key component of the public-key infrastructure that Microsoft is integrating into the Windows® operating system platform because smart cards enhance software-only solutions such as client authentication, single sign-on, secure storage, and system administration. Smart cards provide tamper-resistant storage for protecting private keys, account numbers, passwords, and other forms of personal information. Smart cards also serve to isolate security-critical computations involving authentication, digital signatures, and key exchange from other parts of the system that do not have a “need to know.” In addition, smart cards provide a level of portability for securely moving private information between systems at work, home, or on the road.
Development Obstacles
The smart card industry has been plagued by incompatibility among applications, cards and readers, and a poor developer tool chain based on proprietary APIs and protocols. The lack of a standard model for interfacing smart card readers to PCs, device-independent APIs for application development, and resource sharing across multiple applications has limited smart card solution deployment. The lack of a standard model creates high development and maintenance costs and overall system administration complexity.
In order to promote interoperability among smart cards and readers, the International Standards Organization (ISO) developed the ISO 7816 standards for integrated circuit cards with contacts. These specifications focused on interoperability at the physical, electrical and data-link protocol levels. In 1996, Europay, MasterCard, and VISA (EMV) defined an industry-specific smart card specification that adopted the ISO 7816 standards and defined some additional data types and encoding rules for use by the financial services industry. The European telecommunications industry also embraced the ISO 7816 standards for their Global System for Mobile communications (GSM) smart card specification to enable identification and authentication of mobile phone users.
While all of these specifications (ISO 7816, EMV, and GSM) were a step in the right direction, each was either too low-level or application-specific to gain broad inter-industry support. Application interoperability issues such as device-independent APIs, developer tools, and resource sharing were not addressed by any of these specifications.
PC/SC Workgroup
The PC/SC (Personal Computer/Smart Card) Workgroup was formed in May 1996 in partnership with major PC and smart card companies: Groupe Bull, Hewlett-Packard, Microsoft, Schlumberger and Siemens Nixdorf. The main focus of the workgroup has been to develop specifications that solve the previously mentioned interoperability problems. In December 1996, the workgroup published its specifications on for public review and comment.
The PC/SC specifications are based on the ISO 7816 standards and are compatible with both the EMV and GSM industry-specific specifications. By virtue of the companies involved in the PC/SC Workgroup, there is broad industry support for the specifications and a strong desire to move them onto an independent standards tract in the near future.
Since its founding and initial publication of the specifications, additional members have joined the PC/SC Workgroup. New members include Gemplus, IBM, Sun Microsystems, Toshiba, and Verifone.
Microsoft's Approach
Microsoft’s approach is simple and consists of the following:
·      A standard model for interfacing smart card readers and cards with PCs.
·      Device-independent APIs for enabling smart card aware applications.
·      Familiar tools for software development.
·      Integration with Windows and Windows NT platforms.
Having a standard model for how readers and cards interface with the PC enforces interoperability among cards and readers from different manufacturers. Device-independent APIs serve to insulate application developers from differences between card and reader implementations and future designs. This preserves software development costs by application becoming obsolescence due to hardware changes. Developers will be able to use the standard Win32® platform software development kit (SDK) and device driver kit (DDK) to develop PC-compatible smart card products. In addition, smart card-aware applications and service providers can be developed using high-level language tools such Visual C++®, Visual J++™ and Visual Basic® development systems.
Smart card support has been incorporated into the NetPC, Windows NT 5.0, and PC98 design specifications. Microsoft has released its implementation of the PC/SC specifications on Windows NT 4.0 and Windows 95 that is publicly available for download from Inquiries about Microsoft’s support for smart cards should be directed to
Smart cards offer application developers a secure mechanism for enhancing solutions aimed at the growing Internet and intranet markets. These markets encompass a variety of applications including games, financial services, remote access, and network administration—to name just a few. By enhancing software-only solutions, smart cards enable a new breed of applications positioned to take advantage of future opportunities in the emerging digital economy.
Client Authentication
Client authentication involves identification and validation of a client to a server over a secure protocol such as Secure Sockets Layer (SSL) 3.0. Authentication can be achieved using either passwords or public-key certificates mapped to user accounts or groups that have previously established access control privileges. In the case of public-key certificates, a smart card can be used to enhance the authentication process as a secure store for the private key and/or as a cryptographic engine in association with an SCCP. The following diagram shows how the smart card architecture integrates with the Microsoft Internet Explorer 3.0 and Internet Information Server 3.0 client authentication solution.
Single Sign-On
Single sign-on means the ability to log a user onto multiple servers (that is, services) based on the user entering a single set of inputs such as a user name, domain, and password. These inputs can be presented directly to the logon server using Windows NT LAN Manager or Kerberos protocols or they can be accessed from a secure store containing a public-key certificate that is presented to the server and is completely hidden from the user. In the case of Windows NT LAN Manager or Kerberos based single sign-on, access to services is determined by the privileges previously granted to an account. For public-key based single sign-on, domain access is determined by a user’s previously registered public-key certificate that maps to an established user account or group and his/her private-key used to respond to a challenge from the logon server.
By developing a Graphical Identification aNd Authentication (GINA) DLL that is smart card aware, a smart card containing public-key certificates takes on the functionality of a credential cache that can be used to log a user on to multiple domains. Because a smart card is inherently secure, the credential cache is also secure and is present only when the user is present. Given the limited storage capacity of a smart card, it is more likely that the smart card would contain one certificate that maps to a user account administered through a directory service. The user object describing the account would then contain the additional credentials associated with the account thereby obviating the need for the smart card to store all credentials associated with a given user.
Key Management
One of the most vulnerable aspects of public-key based certification is protection of the private key material. Software-only key management solutions such as a CSP based on Crypto API are enhanced through the use of smart cards to store the private key. Because they are physically portable, smart cards also provide a secure mechanism for moving keys between systems. A smart card that supports cryptographic operations can be used to hide the private key from other parts of the system. This serves to minimize the risk of attack from malicious programs.
Future Directions
Because smart card support will be standard on the next generation of Windows platforms, a new breed of enhanced applications and services can be envisioned to work in tandem with Zero Administration Initiative for Windows, Internet Explorer, Crypto API, and the Microsoft Wallet. For example, with Zero Administration Initiative for Windows features such as system lockdown and user roaming can be enhanced through the use of smart cards by helping to enforce policies and simplifying system administration tasks. Because public-key security can be mapped onto the Windows NT security model, smart cards can be used to help lower the costs of administering PC networks by integrating with future ZAW system administration tools. Users would use smart cards to gain access to the corporate network and their machines. Credentials contained on the cards would map to user profiles with requisite permissions covering application installation, machine configuration, and so on.
The Distributed File System
The Microsoft Distributed File System (Dfs) implements a single namespace for disparate file system resources at an enterprise. A Dfs is organized as a logical tree structure, independent of the physical resource. The Dfs tree topology is automatically published to the Active Directory, resulting in fault tolerance for the Dfs root.
The volumes that you add to a Dfs root are the leaves or branch nodes which represent shared network directories. You can distribute shared resources using a single tree or multiple Dfs trees. Using standard Windows NT security, such as group access rights, you can limit access to Dfs volumes. A Dfs tree is a single DNS namespace: the DNS names for the Dfs volumes resolve to the host server(s) for a Dfs root. The Active Directory mediates volume references between multiple hosting servers for a Dfs tree.
To users, a Dfs tree provides unified and transparent access to appropriate network resources. For example, assuming adequate access rights, the Dfs tree in the previous illustration might appear to a user as:
Any existing subdirectories in a referenced resource are published to the Dfs with the parent directory, as with the C++ and Java subdirectories in the preceding illustration,.
The Dfs client module is built into the SMB (Server Message Block) protocol which is automatically installed with Windows NT 5.0 Server and Workstation.
How Dfs Works
The Dfs tree structure, or topology, is published to the Active Directory, which serves as the central arbiter of the topologies for all Dfs trees. Additionally, the Active Directory replicates the Dfs topologies for all Dfs trees to each Dfs root server. This distributes the load on participating servers, and implements fault tolerance for the Dfs root. The distribution of the Dfs topology information optimizes user access to a Dfs volume . In the event that a participating server fails, the Dfs topology is restored and synchronized with the Active Directory when the server is returned online.
In all other respects, directory services operate identically for a Dfs as for the standard Windows NT file system. For example, after creating a Dfs root, you can publish it to the Active Directory as a volume object. You can then use any directory service browsing tool to access the volume.
Publishing to a Dfs Tree
You can expand a Dfs tree by adding logical volumes to the Dfs root or to any Dfs branch node in the tree. The new Dfs volume that is added may reference a single directory having no children, a parent directory, a Windows NT volume, or an entire Dfs tree (resulting in a subtree). Assuming adequate access rights, you can also access any local child directories that exist in or are added to a referenced resource.
To add a Dfs volume as a branch node which may have child Dfs volumes rather than as a leaf, the referenced volume or directory must be on a Windows NT 5.0 server that is currently running the Dfs service. This is necessary to support Dfs references to child volumes.
Aside from creating the necessary Administrator privileges , the Dfs service does not implement any additional security measures . The standard access rights and permissions assigned to the Dfs root or volume to which the new volume is added determine which individuals may add a Dfs volume.
Access rights are not related to the Dfs tree structure. For example, assuming users have the appropriate access rights to the referenced resource access a child Dfs volume even though they have no access to the parent volume. In this case, however, they would not have access to any files in the child Dfs volume.
Note   This feature is not available in the beta 1 release of Windows NT Server 5.0.
Dfs roots or volumes can refer to a replicated set of shares. By assigning alternate, replicated resources to a Dfs root or volume, you can ensure that users have uninterrupted access to necessary files. When a user requests a Dfs connection using a DNS name, the Dfs service passes all replicas to the Dfs client. The Dfs client then selects the nearest replica, based on the site topology information obtained from the Active Directory. In this way, if a replica is unavailable, the client does not need to query the Dfs server for another. If the user requests a Dfs connection using a UNC name, the Active Directory does not mediate the connection, and the request is passed directly to the specified server.
Assigning a replica to a Dfs root updates the Dfs topology at the Active Server with the alternate tree reference. When a user specifies a DNS name to request a connection to the Dfs root, the Dfs service passes all replicas for the Dfs root to the client. The Dfs client then selects the nearest replica, based on the site topology information obtained from the Active Directory. You can use replicas for Dfs roots to distribute large modules of shared information across larger contexts, such as between domains, sites, or enterprises.
To support synchronization of replicas, the referenced resource for a replica must be located on a Windows NT 5.0 NTFS partition. Replicas can be assigned only to a Dfs root or branch node (Windows NT 5.0 Dfs resource).
Referenced resources on the following platforms are supported as leaf volumes only. Any local child directories that may exist in these referenced resources are also accessible (assuming adequate access rights).
The Uses of a Dfs
Dfs is particularly useful if your site is fits the majority of the following characteristics:
·      The user base for shared resources is distributed across a site or sites.
·      Most users require access to multiple shared resources.
·      Network load balancing could be improved by redistributing shared resources.
·      Users require uninterrupted access to shared resources.
Access to Resources
The Dfs tree is an abstract representation for presenting access paths and naming conventions more appropriately for your users. Because the network and file system architectures are transparent to users, they do not influence the directory hierarchy or the conventions for user access. This enables you to centralize and optimize access to resources based on a single, hierarchical namespace. Users can browse through a Dfs tree without knowing or caring where the referenced resources are physically located.
Furthermore, you can change the referenced resources for Dfs volumes, without affecting the Dfs tree or user access. Scheduled file server maintenance, software upgrades and other tasks that normally require taking the referenced server offline can be accomplished without disrupting user access. A particularly useful aspect of a Dfs in this respect, is as the filing system for Microsoft Internet Information Server. By selecting the root for the web site as a Dfs root, you can move resources within the Dfs tree without affecting any HTML links.
Fault Tolerance
A Dfs 5.0 root is fault-tolerant by design. This is fault tolerance at the abstract, logical representation level. Each Dfs tree topology is stored in the Active Directory and replicated to every participating Dfs root server. Changes to a Dfs tree are automatically synchronized with the Active Directory. This ensures that you can always restore a Dfs tree topology if the Dfs root is offline for any reason. You can also implement fault tolerance at the file and content level by assigning alternate resources to a Dfs volume. Any branch node on the Dfs tree can be serviced by a set of replicated resources. If a client connection to one alternate resource fails for any reason, the Dfs client attempts a connection to another. The Dfs client cycles through the available alternates until an available one is found.
Network Load Balancing
If you intend to have multiple Dfs trees, your initial criteria for load balancing is the location of Dfs roots. These can be located anywhere on the site. A Dfs volume can represent any shared volume or directory at the site, so you can distribute shared resources for optimal network performance without being constrained by the location of the associated user base. Since you can easily change the resource assigned to a Dfs volume, load balancing can be a dynamic process. You can move or add resources as needed without affecting the Dfs tree or disrupting user access.
If you intend to assign replicas to Dfs roots or volumes, you do need to include replication traffic in your load-balancing calculations. Client connections are optimized for DNS-based connection requests: a Dfs client will automatically select the nearest replica based on the site topology information. However, the members of a replica set must still be synchronized.
Policy-based Management
Policy-based management in Windows NT Server version 5.0 is also a critical part of the Zero Administration Initiative for Windows initiative and is designed to drive down the cost of administering standard Windows-based systems. It aims to increase client operating system manageability by synchronizing the state of a networked personal computer and user access/security profiles with required states, defined at a client’s associated server. Policy-based management will automate such tasks as operating system updates, application installation, user profiles, desktop system lock down, and so on. Policy-based management will complement the function of value-add management products, such as Microsoft Systems Management Server, to return desktop control to the central administrators through the Zero Administration Initiative for Windows initiative.
Lower Costs and Improve Manageability
The "Zero Administration" Initiative for Windows (ZAW) is a key component of Microsoft‘s Windows Client Strategy. It refers to a set of core technologies that will give IT professionals new levels of control and manageability over their Windows-based environments by automating such tasks as operating system updates and application installation, and providing tools for central administration and desktop system lock down. Users will be able to easily roam between different PCs without requiring their applications and files to be reinstalled each time. The "Zero Administration" Initiative for Windows will also enable application software developers to more easily develop and deploy a wide range of applications. All of these benefits will be realized without sacrificing compatibility with existing Windows-based software.
The Benefits
You’ll be able to let users roam between PCs without requiring their applications and files to be transferred between machines. Users can run their applications and access their data from anywhere. HelpDesk and support calls will be dramatically reduced because the user experience is simple. Users won’t have to deal with system and application updates. And, because the desktop configuration can be locked down from a central point, users can’t inadvertently delete system files or change system settings.
In particular, ZAW will offer the following:
·      Centralized administration and control of desktop computers, with the ability to lockdown desktop configurations.
·      Automatic operating system updates and application installations from a central location.
·      Stateless desktop computing, with persistent central data storage.
·      Side-by-side machine replacement in case of desktop hardware failure.
·      Client-side ability to cache data, thus improving performance, reducing network traffic, and enabling work to continue if the network fails.
These features will reduce the cost and complexity of managing a network of desktop computers. Applications are centrally stored and can be updated at any time without end-user input. The operating system is always up to date on the desktop, thanks to the automatic checking that occurs when the machine boots. Desktop PCs will become truly replaceable because all files and data are centrally stored. Yet, with client-side caching, users will get the performance and functionality of local access to data.
Application Setup and Management
Installing and keeping applications up-to-date across a large organization is a key problem area today. Administrators must worry that a new application might have side effects, rendering other applications unusable. Often, the end user must be informed that a new application is needed and they must run an installation on their personal system. In the Windows NT 5.0 environment, an administrator will be able to assign applications to a user or group of users. The icons for these applications appear on the uses’ desktop or in the program files folder, and when the user needs the application it is there. Alternatively, administrators can publish applications for use on the network, making these applications available to anyone who can or needs to install them.
Application Assignment
Assigned applications are those that an administrator wants a user or machine to have. When a user logs on, the desktop and Start Menu are populated with shortcuts to the applications. The assigned applications appear to be fully installed on the computer, but are not. The first time an application is activated, it is installed automatically and silently. Subsequent invocations bypass the setup process and start the application immediately.
Assigned applications are completely managed by the administrator. An administrator can assign an application to a group and then upgrade the application, ensuring all users who have installed the prior version will be upgraded the next time they activate the application. In addition, the administrator can remove an application, causing all users who have been assigned the application to have their copy of the application uninstalled.
Application Publication
Published applications are those that the administrator makes available for on-demand use. Unlike assigned applications, published applications do not appear to be installed on the computer. There are no Start Menu or desktop references to a published application, nor are its icons on the desktop.
A published application stores its attributes in the Class Store. By publishing optional applications in the Class Store, an administrator can make a large number of applications available to an entire enterprise.
Published applications can be activated on-demand in a number of ways. Users can use the new Add/Remove Programs Wizard to browse and select desired applications. Published applications are automatically installed when you attempt to open a file whose file type is unknown to the local system. In this case, the Class Store is queried. If the Class Store knows the file type, it returns a path to the application’s setup program. The application is then installed silently and started immediately thereafter.
The Windows NT Server 5.0 Beta 1 CD contains several sample applications which you can use to evaluate application assignment and publication. These sample applications, along with detailed setup instructions, can be found on the Beta 1 CD at %cdroot%\preview\x86\colorful.
Microsoft Management Console
Microsoft® Management Console (MMC) is an ISV-extensible, common console framework for management applications. MMC will be released as part of the next major release of the Microsoft Windows NT® operating system. When released, MMC will run on both the Windows NT (4.0 and later versions) and Windows® operating systems (current and future versions).
MMC itself does not supply any management behavior, but instead provides a common environment for Snap-Ins, which will be written by both Microsoft and independent software vendors (ISVs). Snap-Ins define the actual management behavior. Snap-Ins are administrative components integrated into a common host (MMC). The MMC environment provides for seamless integration between Snap-Ins—even those provided by different vendors. (For further details on Snap-Ins see the section on “How MMC Works.”)
A system administrator can create tools from various Snap-Ins, and then save these tools for later use or for sharing with other administrators. This approach allows the administrator to efficiently create custom tools with different levels of complexity for task delegation, task coordination, and workflow management. For example, an administrator can combine simple tasks into one tool, and then give that tool to a subordinate or trainee. The same administrator can also design different tools for daily, weekly, and monthly administrative tasks.
Microsoft Management Console (MMC) for Windows NT Server is a network server component that provides a common framework for all network administration programs.
·      MMC displays a console that hosts programs, called snap-ins, to administer parts of your network.
·      The different snap-ins in a console are organized in a tree structure and provide all the tools and information an administrator may need to complete a task.
·      Separate windows in the console can display different views of the console required to complete a task.
·      Administrators can perform all elements of complicated administrative tasks in a single console instead of switching between different applications, properties dialog boxes, and locations on the network.
·      Administrators can incorporate Web pages into a console, from which they can get information or the latest files required to maintain the network.
Why is Microsoft Developing MMC?
MMC is the result of Microsoft's internal effort to create better tools to administer Windows. The MMC development team defined a common host for many of its own tools. The MMC project’s initial goal was to support simplified administration through integration, delegation, task orientation, and overall interface simplification—all key customer problems. As Microsoft addressed that goal, it increased the project's charter to include all Microsoft administration tools, and to offer this generalized framework for management to its many ISVs as well.
MMC is a core part of Microsoft's future management strategy. Most Microsoft development groups will use MMC for future management applications in all versions of Windows and in all of the BackOffice® family of applications. The initial release of MMC has the following goals:
·      To provide a single host for all management tools: MMC does not replace existing enterprise console and management applications; it allows them to be packaged as Snap-Ins so that they can be accessed from a single interface.
·      To facilitate task delegation: Using MMC, a system administrator can group subsets of administrative tasks into tools, and forward those tools to other administrators or to subordinates for task completion.
·      To lower total cost of ownership for the desktop: Task delegation, logical grouping of tools and processes, and management through a single interface allows systems administrators to better organize their tools and tasks and simplify remote administration.
What is MMC?
The Microsoft Management Console is a Windows-based multiple-document interface (MDI) application that makes extensive use of Internet technologies. Both Microsoft and ISVs extend the console by writing MMC Snap-Ins, which are responsible for actually performing management tasks.
MMC does not replace existing enterprise management applications, such as HP OpenView or IBM Tivoli Management Environment. Instead, it extends these tools by allowing them to interact with or be packaged as Snap-Ins so that they can be accessed from the MMC interface. For example, an enterprise management application could detect an event and send an alarm to a Snap-In. A system administrator would then see the event in an MMC session and would take appropriate action.
Figure 1   MMC provides a common interface for management tools, including enterprise management applications.
MMC programming interfaces permit the Snap-Ins to integrate with the console. These interfaces provide user interface extensions only—how each Snap-In performs its tasks is entirely up to the Snap-In. MMC interfaces allow Snap-Ins to share a common hosting environment and provide cross-application integration. The console itself offers no management behavior.
Figure 2   Programming interfaces allow Snap-Ins to integrate with the console. MMC is not concerned with interfaces and behavior beyond the MMC programming interfaces.
Both Microsoft and ISVs can develop management tools to run in MMC and both Microsoft and ISVs can write applications to be managed by MMC administrative tools. Once the prerelease phase is complete, MMC will be part of the Windows Software Developers Kit (SDK) and available for general use1.
Do Non-MMC Tools Work with MMC?
Non-MMC tools can be integrated with MMC via Snap-Ins, or they can be run separately. A systems administrator can have non-MMC management programs running on the computer at the same time as one or more instances of MMC, and use the operating system to switch between them.
Additionally, an administrator can create shortcuts in the console to the non-MMC tools. These shortcuts will be saved when the MMC tool (or document) file is saved. Within MMC, administrators can create shortcuts to any executable program (.EXE), script, or URL.
Windows NT Server 5.0 MMC-based Administrative Tools Overview
Task      Tool

Manage Active Directory       
Manage Active Directory objects.      Directory Management in the Administrative Tools program group.
Join a domain to the domain tree       Domain Controller Promotion Wizard (Dcpromo.exe).
Manage domain trust relationships      Domain Tree Management in the Administrative Tools program group. Right-click a domain, click Properties, and click the Trusts tab.
Manage site topology and replication of the directory      Sites Topology in the Administrative Tools program group.
View and modify the directory schema      Schema Management snap-in. (1)
Manage users and groups      
Manage user accounts and groups      Directory Management in the Administrative Tools program group.
Delegate administrative control to other users      Directory Management in the Administrative Tools program group. Set inheritable permissions on the containers where the control is to be delegated.
Assign logon scripts      Group Policy Editor snap-in. ( 1)
Manage security      
Manage and monitor overall system security      Security Configuration Editor snap-in. (2)
Configure permissions, auditing, and ownership for shares      File Service Management in the Administrative Tools program group.
Configure permissions, auditing, and ownership for users, groups and other directory objects      Directory Management in the Administrative Tools program group. Right-click the object, click Properties, and click the Security tab.
Configure domain security policy      Directory Management in the Administrative Tools program group. Right-click a domain, click Properties, then click Edit under domain security policy.
Configure computer security policy for all computers in a domain      Directory Management in the Administrative Tools program group. Right-click a domain name, click Properties, then click Choose Policy or Edit under Computer security policy.
Configure computer security policy for an individual computer      Directory Management in the Administrative Tools program group. Right-click a computer name, click Properties, then click Change under Computer security policy.
Map public key certificates to user and group accounts      Directory Management in the Administrative Tools program group. Right-click a user, then click Name Mappings.
Manage servers and resources      
Manage the computers in a domain      Directory Management in the Administrative Tools program group. Click the Computers folder under the domain name.
Manage a server's shared volumes, folders, and files      File Service Management in the Administrative Tools program group.
Publish shares as volumes in Active Directory      Directory Management in the Administrative Tools program group. Right-click a container, point at New, and then click Volume.
Manage disk storage and protecting data      Disk Management in the Administrative Tools program group.
Monitor and limit disk-space use by individual users.      The Disk Quotas application. In Windows NT Explorer or My Computer, right-click the NTFS volume for which you want to use quotas, click Properties, and then click Quota.
Manager server connections and open files      Computer Management in the Administrative Tools program group.
Install and manage hardware and software      
Add hardware to the computer      Hardware Wizard in Control Panel.
Configure devices      Device Management in the Administrative Tools program group.
Add and configure network cards      Hardware Wizard in Control Panel.
Add and configure most network services      Add/Remove Programs in Control Panel. Click the Windows NT Setup tab, click Networking Options, and click Details.
Add and configure Gateway Service for NetWare      Network option in Control panel, Clients tab.
Configure IP Security      IP Security Management snap-in. (1)
Configure Admission Control Services      Network option in Control Panel, Services tab.
Monitor performance counters.      System Monitor in the Administrative Tools program group. To add counters, right-click the System Monitor control graph, and click Add Counters.3
Run Visual Basic Scripting Edition (VBScript, .vbs) and JScript (.js)scripts.      Windows Scripting Host. Type the following at the command prompt: wscript [host parameters] [script name] [script parameters]
Manage services      System Service Management in the Administrative Tools program group.
Notes      1.  To run a snap-in, start Microsoft Management Console (MMC) by clicking Start, clicking Run, and then typing mmc. Then, on the Console menu, click Add/Remove Snap-in, and select the snap-in you want to run.2.  To run Security Configuration Editor, you must first register it with MMC by clicking Start, clicking Run, and then typing regsvr32 wsecedit.dll. Then you can run the snap-in by following the steps in footnote 1 of this table.3.  For more information on System Monitor, see the Smonctrl.hlp file, which is installed in the \%Winnt%\Help directory (where %Winnt% is your Windows NT folder).
Group Policy Editor
Windows NT v. 4.0 included System Policy Editor, a tool administrators could use to configure and modify user profiles and computer settings stored in the Windows NT Registry database. Using System Policy Editor, you could create a system policy to control user work environment and actions, and enforce system configuration settings for all computers running Windows NT Workstation and Windows NT Server.
In Windows NT v. 4.0 a policy is a set of Registry settings that system administrators can specify to define the computer resources available to an individual or to a group of users. Policies define the various components of the desktop environment, including the applications available to users, the applications that appear on user’s desktops, the options displayed in the Start menu, granting or denying permissions for users to modify their desktops, and so on.
In Windows NT v. 5.0, System Policy Editor is replaced by Group Policy Editor, a tool that is based on its predecessor and provides enhanced capabilities for configuring user and computer settings for groups of computers and users. A group s defined as a Site, Domain or Organizational Unit (SDOU). The Group Policy Editor is a Microsoft Management Console Snap-In that includes built in features for setting policy, and can be extended by third parties to host other policy settings. To use the Group Policy Editor, you must have a domain controller running Windows NT Server installed.
The Group Policy Editor generates a group policy, a defined group of settings that are applied to computers or users as they are initialized. You can use Group Policy Editor to configure the following:
·      Registry settings that are written to the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER trees to specify the behavior of system services, customize desktop appearance, and configure application settings.
·      Scripts to be run by the computer at startup and shutdown.
·      Scripts to be run when the user logs on or off of the computer.
·      Files defined by administrators to be placed on the user's computer (for example, a custom Microsoft Word document on the user's desktop).
·      Application assignment and publishing (see following section).
Application Assignment
Microsoft installer technology is the new transaction-based application installer responsible for managing application installations over time. Microsoft installer technology also plays a key role in the Zero Administration Windows (ZAW) initiative by providing several key features including:
·      Standard package format and installation service. Built directly into Windows, Microsoft installer technology handles installing, repairing, removing, and dependency tracking of components (components are defined as collections of files, registry entries, shortcuts, and so on that must all be managed together).
·      Resiliency. Products can be repaired, transactions can be rolled back and redundant install points can be used to help maintain applications over time.
·      Just in time (JIT) installations. Applications can be designed to use the Microsoft installer technology management API to install components on-demand, as they are needed. Functions for locating and forcing the installation of components are included in the Microsoft installer technology management API.
·      Policy-based Management. Microsoft installer technology supports application advertisement, a feature that, in conjunction with other Zero Administration Windows (ZAW) features can make a computer appear to have an application installed on it without actually performing the installation. The installation is performed at first use.
·      Support for lockdown. Microsoft installer technology runs as a service on Windows NT Server, allowing installation of advertised applications to be successfully completed even though the logged-on users have not been granted the privileges to do it themselves.
·      Management and package API. Microsoft installer technology provides a set of functions that allow applications to take advantage of the Microsoft installer technology management framework. Functions for reconfiguring, repairing, locating, and forcing the install of applications and application components are examples of Microsoft installer technology's management API. In addition, a set of package creation and population functions are provided for use by setup ISVs so that tools can be developed for creating standard Microsoft installer technology packages.
To assign an application to a user, you use the Group Policy Editor. When the user logs on, the desktop and Start menu are populated with the assigned application's icons, link files, and so on. The assigned application appears to be fully installed on the computer, but it is not. The first time it is activated, the application installs automatically. Subsequent invocations of the application bypass the setup process and start the application immediately.
Unlike assigned applications, published applications do not appear to be installed on the computer. The Start menu and desktop contain no references to a published application, nor are its icons on the desktop. A published application stores its attributes in the Class Store.
Published applications can be activated on demand in one of the following ways:
·      Users can use the new Add/Remove Programs wizard to browse and select the desired published applications. Using this wizard makes a Published program appear as an assigned application. The wizard creates the Start menu or necessary desktop references, and when the user selects the program for the first time, it installs and starts running.
·      Published applications automatically install when a user attempts to open a file whose file type is unknown to the local system. In this case, the Class Store is queried. If the Class Store knows about the file type, it returns a path to the application’s setup program. The application then installs and starts.
Windows Scripting Host
The Windows Scripting Host is a language-independent scripting host for 32-bit Windows platforms that includes both Visual Basic® Scripting Edition (VBScript) and JScript scripting engines.
Windows NT Server 5.0 Beta 1 supports direct script execution from the user interface or the command line (a script is simply a series of commands that can be automatically executed). This support is provided via the Windows Scripting Host (WSH) and allows administrators and/or users to automate many user interface actions, such as creating a shortcut, connecting to a network server, disconnecting from a network server, etc. The WSH is extremely flexible with built-in support for Visual Basic scripts, Java scripts, and a language independent architecture which will allow other software companies to build ActiveX scripting engines for languages such as Perl, TCL, REXX, and Python.
WSH can be run from either the Windows-based host (WSCRIPT.EXE), or the command shell-based host (CSCRIPT.EXE). When you double click on a .VBS or .JS file in the user interface, the Windows-based host is used. To execute a script in command line mode, you must explicitly start the command shell-based host using the syntax “CSCRIPT XXX.VBS”.
Windows Scripting Options
Microsoft currently provides the following hosts for running the VBScript, and JScript scripting languages across the Windows platform.
·      Microsoft Internet Explorer
      Internet Explorer enables scripts to be run on client machines from within HTML pages.
·      Internet Information Server (IIS)
      Internet Information Server now supports Active Server Pages, which enables scripts to be run on Web servers; in other words, it enables server-side scripting over the Internet or an intranet.
·      Windows Scripting Host
      Windows Scripting Host enables scripts to be run directly on the Windows desktop by clicking on a script file, or from the command console, without the need to embed those scripts in an HTML document. Windows Scripting Host provides a low-memory scripting host that is ideal for both interactive and non-interactive scripting needs such as logon scripting, administrative scripting, and so on.
Windows Scripting Host Architecture
The Windows Scripting Host serves as a controller of ActiveX Scripting engines, just as Microsoft Internet Explorer does. Because the scripting host is not a full Internet browser, it has a smaller memory footprint than Microsoft Internet Explorer; therefore, Windows Scripting Host is appropriate for performing a variety of scripting tasks, from complicated scripts to simple, quick tasks.
The scripting host reads and passes the specified script file contents to the registered script engine via the IActiveScriptParse::ParseScriptText method provided by the script engine.
The scripting engine relies on the extension of the file instead of using the SCRIPT tag (used in HTML). This way, the script writer doesn’t have to be familiar with the exact ProgID of various script engines. The scripting host maintains a mapping of the script extensions to ProgIDs and uses the Windows association model to launch the appropriate engine.
Task Scheduler
Every new system or application offers some kind of scheduling service, something that automatically invokes scripts or programs at specified times. The most common, and in many ways the least useful, is the StartUp program group, present in all of the Windows operating systems. The problem with the StartUp group and all the other schedulers is that they are all designed for different needs and are rarely built to integrate with all the components in a system, or work seamlessly in more than one system. The Windows 95 Plus! Pack provided the System Agent which included a user interface as well as a set of application programming interfaces (APIs). Windows NT came with the AT command, not an especially user-friendly tool that required a fair amount of familiarity with the arcane world of the command prompt. Many applications provide a place for users to configure some scheduling mechanism for performing recurring, necessary maintenance tasks. None of these schedulers work well together, and few provide any programmable interfaces.
A Common, Flexible, and Extensible Interface
Task Scheduler provides a friendly user interface that is the same one on both Windows 95 and Windows NT, with the exception of added security features in Windows NT. The interface is fully integrated into the operating system, and is accessible from the My Computer icon on your desktop. Users can drag-and-drop programs right into Task Scheduler to quickly add a new task or use the provided “Create Scheduled Task” wizard.
You can schedule any script, program, or document to be invoked at any time or any interval, every day to once a year, and on events like system boot, user logon, or system idle. A task is saved as a file with a .job extension, which enhances the ability to move from computer to computer. Administrators can create scheduled maintenance task files and place them where needed. You can access the Task Folder remotely from the Network Neighborhood as well as send tasks in e-mail.
On Windows NT, scheduled tasks are created and executed based on standard Windows NT security permissions. Tasks are persisted as files and are configurable by Windows NT File System (NTFS) access control lists (ACLs) to set who can view, delete, modify, or use them. The items that make up the task, the scripts, programs, and documents, are also still controlled by whatever ACLs are present. Under Windows NT, this provides a high degree of control over how files are accessed.
Note   When you move a .job file on a Windows NT system, a user’s credentials will not transfer with the file. They must be reentered after moving the file. This is because the credentials are not stored with the task, but by the security system of Windows NT.
Since Windows NT is a multiuser environment, when tasks are created, a user name and password are required that will set the current security context in which the task will execute. This allows multiple tasks to run on a single computer in the security context that was supplied. Multiple users can each have their own individual scheduled tasks.
File System Enhancements
Windows NT Server 5.0 includes several enhancements to the Windows NT File System (NTFS)
Using the New Version of NTFS
The new version of NTFS offers many new features. This section describes how you can take advantage of the new NTFS features by formatting or converting a volume to NTFS version 5.
Creating NTFS version 5 Volumes
You can convert FAT and FAT32 volumes to NTFS version 4 by running the tool Convert.exe. You can upgrade NTFS version 4 volumes to NTFS version 5 by running the tool Chkntfs.exe. Both of these tools can be run from any command prompt window, or from the Run command on the Start menu. The data on your volumes remains intact during conversion or upgrade.
Older versions of Windows NT cannot access NTFS version 5. Continue using NTFS version 4 if you have removable volumes that need to be accessed by older versions of Windows NT, or if you dual-boot your computer to an older version of Windows NT.
Convert.exe uses the following syntax:
convert drive: /fs:NTFS
Parameter Description
drive: Specifies drive letter to convert
/fs: Specifies file system format to convert to
Chkntfs.exe uses the following syntax:
chkntfs /E drive:
Parameter Description
/E Enables automatic NTFS volume upgrade
drive: Specifies a drive letter
Chkntfs.exe enables NTFS upgrade. The actual upgrade process runs the next time you reboot the computer. To upgrade more than one disk volume, run Chkntfs on each volume, and then restart the computer.
NTFS upgrade will be automated and simplified in the Windows NT 5.0 Beta 2 release.
New NTFS Features
·      Improved volume management
·      Grow NTFS volumes without rebooting
·      Force dismount even with open files
·      File encryption
·      Secure data against theft
·      New encryption API
·      Per-user, per-volume disk quotas, based on file ownership
·      Monitor and constrain disk usage. Beta 2: remote administration
·      Native property sets
·      Change log
·      Junction points
·      Object IDs
·      Sparse files
·      Find files by owner
·      Bulk ACL checking
Native Property Sets
NTFS 5 now supports native property sets on any file or directory. You can use the native property set support to attach property sets to files in the same way you can create property sets in OLE compound files today. Index Server indexes properties automatically, allowing for searches based on properties such as document author. Potential applications of property sets include: Flat file annotation; Metadata caching, e.g., thumbnail images, and Content management.
Volume Change Log
NTFS 5 also has a volume-wide change log that tracks all changes to files and directories over long periods of time, across system reboots. Changes are tracked per-file. You can use the change log to analyze I/O and reliably track a wide variety of changes to file system data. For instance, file creation, renaming, and deletion; data and property writes; changes to security, compression, and encryption. Other potential applications include: I/O analysis; application state recovery.
Junction Points Preview
Windows NT 5.0 Beta 1 offers a preview of a new feature called "NTFS junction points". NTFS junction points are similar in nature to the junction points in DFS (the Distributed File System); both are tools for grafting storage namespaces together.
NTFS junction points are transparent to applications unless the application explicitly wants to be aware of them. This means you can use junction points to reroute applications or users accessing a local NTFS directory to any other directory.
Local file system volumes "mounted" on top of NTFS junction points can be accessed through the junction points even if they do not have drive letters assigned to them. This means you can link many volumes into the local namespace  . . .  you are no longer limited to 26 drive letters. Plug n Play and new volume management capabilities ensure that the junction point remains robust during detection of new storage devices.
Distributed Link Tracking
NTFS 5 implements a Volume-wide indexed ID for each file. The benefits include "Distributed Link Tracking," which helps preserve shortcuts when you move files.
Windows NT 5.0 provides a distributed link tracking service enabling client applications to track link sources that have been moved. A link source is an object referenced by a link client. For example, in a Word document that contains an OLE link to an Excel worksheet, the Word document is the link client and the Excel worksheet is the link source. Another example is a Shell Shortcut; the Shortcut is the link client, and the referent file is the link source.
The distributed link tracking service allows link clients to locate a link source file that has undergone any one of the following changes:
·      the name of the link source file has changed
·      the link source file has been moved within the same volume
·      the link source file has been moved between two volumes on the same computer
·      the link source file has been moved between two computers in the same domain
·      a volume has been physically moved from one NT5 computer to another NT5 computer in the same domain,
·      an NT5 computer has been renamed within a domain,
·      the network share name under which link source is shared has changed,
·      any combination of the above scenarios
The distributed link tracking service is subject to the following constraints:
·      Only link source files on NTFS V5 volumes are tracked by the new tracking service. If a link source is moved to another file system, such as FAT or NTFS V4, attempts will still be made to track the link source (using the same mechanism that existed in NT4), but this tracking is less likely to be successful. If the file is moved back to an NTFS V5 volume it will be tracked using the tracking service again, but only for link clients that were created after the link source file was moved.
·      The distributed link tracking service do not currently offer any support for computers that are not in a domain. Such support will be added in a subsequent beta release of NT 5.0.
·      While the link tracking service is running on a computer, NTFS V5 volumes on that computer cannot be locked. As a result, it is not possible to perform some volume operations, such as formatting or running the chkdsk utility (with the /f option). Some of these utilities offer the option of performing their services on the next reboot, but format does not. To format a volume, or to allow a volume utility to operate without waiting for a reboot, stop the tracking service using the System Services management console, or with the following command from a command prompt
      net stop "Tracking Service"
      On completion of the volume utility, restart the tracking service with the management console, or with the command
      net start "Tracking Service"
This inability to lock NTFS V5 volumes will be removed in a subsequent beta release of NT 5.
Disk Quotas
Windows NT Workstation and Server version 5.0 support disk quotas for volumes formatted with NTFS version 5.0. You can use disk quotas to monitor and limit disk space use. Events are automatically logged when users exceed warning thresholds and quota limits.
Quotas are tracked on a per-user, per-volume basis, and users are charged only for the files they own. For example, you can limit each user on drive C to 5 MB of disk space. Quota settings are independent across volumes; that is, the quota on drive C does not affect quotas on drive D.
The Windows NT 5.0 final release will include disk quota support for the following:
·      Policies for wide-scale remote management of disk quotas
·      Improved support for finding all files owned by a given user
For security reasons, when a member of the local computer's Administrators group creates a new file, the file is owned by the Administrators group. For example, if a user is a member of the Administrators group and he creates a file, the file will be owned by Administrators, rather than by the individual user. Therefore, to track disk quotas on an individual basis, users must log on under separate user accounts that are not members of the Administrators group.
Quota information can be saved along with other volume information during a backup. Restoring a backup copy of a file will always override quota limits, provided the user performing the restore operation has backup privileges.
Content Indexing
Index Server now provides indexing for files stored in any Windows NT Server 5.0 file system as well as on a single Internet Information Server Web site.
Sparse File Support
Sparse file support allows an application to create huge files without actually committing disk space for every byte. For example, you may need a file that's 42GB in size, but you'll only actually write data to the first 64KB and last 64KB. Using sparse files, NTFS will only allocate physical disk space to the portions of the file that you write to. In this case, the sparse file would only use 128KB of space on disk, but in all other respects, the file would act as if it were 42GB. Some interesting applications include sparse arrays and circular queues. 2
Find Files by Owner, bulk ACL checking
NTFS 5 introduces the capability to perform a Volume-wide scan for files by owner (using the owner’s security ID or SID). This allows operations such as:
·      Finding all files that user X owns
·      Cleaning up a user’s files (e.g., quotas)
A related feature is Bulk ACL Checking which allows test for accessibility against multiple files at once by specifying an arbitrary access mask. This allows operations such as:
·      What can user X do with these N files?
·      Check multiple ACLs simultaneously for file access
Storage Management
Windows NT Server 5.0 offers several new storage management features with the goals of making storage management easier, less costly and delivering increased capability to administrators.
Online volume management
Veritas is providing this new component which is implemented as a remote-able MMC-based admin tool that offers:
·      Disk Management The Disk Management MMC snap-in is a graphical tool for managing disk storage. It replaces the Disk Administrator and offers new features, including:
·      Online disk management. You can perform online administrative tasks without shutting down the system or interrupting users. For example, you can create, extend, or mirror a volume without rebooting the system. You can also add disks without rebooting.
·      Disks are self describing. Metadata describing disk configuration is kept on each disk and replicated. Self-identification of VM-managed disks ensures that disk controller and other disk reconfigurations or cluster disk ownership transfers are error-free
·      Simplified tasks and intuitive user interface. The Disk Management snap-in is easy to use. It provides shortcut menus to show you which tasks you can perform on the selected object. Wizards guide you through creating partitions and volumes and initializing or upgrading disks.
Media Services (NTMS)
Highground is providing this component which for the first time provides a single driver for all applications to access storage media such as tapes, robotic changers, etc. Applications can share tape/optical libraries and NTMS abstracts access to devices for ISVs.
Windows NT backup
Seagate Software is providing the Windows NT Backup update with the following new features:
·      Windows NT 5.0 Backup is now media-centric instead of tape-centric. You can back up data to a variety of magnetic and optical storage devices as well as tape.
·      Management tasks such as mounting and dismounting media or drive functions are now done by a utility called Windows NT Media Services (NTMS).
·      NTMS presents a common interface to robotic changers and media libraries.
·      NTMS enables multiple applications to share local libraries and tape or disk drives, and control removable media within a single-server system.
·      The NTMS snap-in gives administrators the ability to add NTMS objects, view and modify properties of NTMS objects, inject and eject media, perform inventories, mount and dismount media, and check status information.
·      NTMS objects can be physical objects (such as libraries, drives and media) or groups of media (called media pools).
·      Other enhancements to Windows NT Backup include a new user interface with backup and restore wizards, property sheets, and Network Neighborhood access.
Previous versions of Windows NT Backup featured a tape drive centric design. The user selected a tape drive to use for tape operations. Windows NT Backup then performed any requested operation on the tape in the tape drive. With the introduction of Media Services, Windows NT Backup is in the process of changing to a media centric design. The user selects which tape is to be used and Media Services handles picking the best tape drive to use. Because this support is not fully implemented yet, this release will work in either mode. Windows NT Backup will detect when Media Services is running and display media pools. If Media Services is not running, then tape drives will be displayed.
Remote Storage Management (HSM)
Windows NT Server 5.0 will include support for Hierarchical Storage Management (HSM) via components from Eastman Software. HSM offers an option for customers who want to reduce online storage management costs. HSM delivers “infinite” storage view where files automatically migrate to most cost-effective location, from online disk, to a tape library for example. The file system maintains a reference to the file so that the user’s experience is that the file still resides on the online volume, and when accessed, the HSM system retrieves it from second tier storage automatically and transparently.
Windows NT Server 5.0 will include the following HSM features:
·      Seamless file migration and recall
·      Two tiers, supporting either optical, and tape as second tier
·      Great driver support for secondary storage devices using NTMS
·      NTMS and MMC integrated
·      Shell integration, and Windows NT 5.0 file system integration such as replication, quotas, content indexing
·      Migration/truncation/recall/ validation
·      Read without recall
·      Managing volumes to specified levels/settings
·      Recall notification
·      Integration with Windows NT job scheduler
·      Explorer property pages integration
·      Disk administration integration
·      Basic database recovery and backup
·      Media copies
Defragmentation utility
Windows NT 5.0 Beta1 offers a preview of a new feature called "Defrag." The disk defragmentation utility reorganizes clusters on a disk volume so that files, directories, and free space are physically more contiguous. Depending on the extent of fragmentation, overall system performance can be improved significantly, as it relates to disk I/O, after the disk defragmentation utility is executed.
The defragmentation utility will work with disk volumes which are formatted for FAT, FAT32, or NTFS file systems. For this release, the defragmentation utility is a command line function. The next release of the defragmentation utility will integrate with the Microsoft Management Console as a "snap-in." The utility functions in two independent phases - analysis and defragmentation. When running the analysis version of the utility, no changes are made to the disk volume.
Only one instance of the disk defragmentation utility can be executed at a time. For example, two disk volumes cannot be defragmented simultaneously. Instructions for configuring and running the defragmentation utility can be found in \Preview\Defrag\Readme.txt on the Windows NT 5.0 Beta 1 compact disc.
Networking Enhancements
Networking enhancements in Windows NT Server 5.0 include:
·      Simplified networking configuration
·      TCP/IP Performance Enhancements
·      Dynamic DNS
·      IP Security
·      Quality of Service (QoS) Admission Control Services
·      Multi-protocol Routing and Remote Access (RRAS)
·      Asynchronous Transfer Mode (ATM) networking support
·      IP Telephony
Simplified Networking - Automatic IP Network Addressing Feature
The Windows NT 5.0 TCP/IP stack supports a new mechanism for automatic address assignment of IP addresses for simple LAN-based network configurations. This addressing mechanism is an extension of dynamic IP address assignment for LAN adapters, enabling configuration of IP addresses without using static IP address assignment or installing a DHCP server (Dynamic Host Configuration Protocol).
If a network LAN adapter is configured for TCP/IP and the TCP/IP properties page is configured for "Obtain an IP address automatically," then Windows NT 5.0 TCP/IP will attempt to find and use a DHCP service on the attached network to obtain a dynamically assigned IP address. If a DHCP service is not found, then the Windows NT 5.0 computer uses Automatic Addressing by assigning the adapter an IP address out of the Ipv4 network 10 IP address space ("net10 address"). This allows two computers to be plugged into a LAN hub and boot up without any IP address configuration and to be able to use TCP/IP networking for internetworking. Each computer using Autonet addressing will get an IP address and test to determine that the IP address is unique and not already in use on the LAN.
If the Windows NT 5.0 system initially does not detect a DHCP service and configures an Automatic IP address and then subsequently discovers a DHCP service on the network, the Windows NT 5.0 system will use an IP address offered by the DHCP service and switch from net10 addressing to IP addresses assigned by a DHCP server
TCP/IP Performance Enhancements
Support for TCP Large Windows (TCPLW)
Windows NT 5.0 TCP/IP supports TCP large windows as documented in RFC 1323. TCP large windows can be used for networks that have large bandwidth delay products such as high-speed, transcontinental connections or satellite links.
Large window support is enabled if an application requests a Winsock socket to use buffer sizes greater than 64K. Programs will not show performance improvements unless you increase their Winsock buffer size.
Support for Selective Acknowledgments (SACK)
Windows NT 5.0 TCP supports Selective Acknowledgments as documented in RFC 2018. Selective Acknowledgments allow TCP to recover from IP packet loss without resending packets that were already received by the receiver. Selective Acknowledgments is most useful when employed with TCP large windows.
Support for Fast Retransmission and Fast Recovery
Windows NT 5.0 TCP/IP supports Fast Retransmission and Fast Recovery of TCP connections that are encountering IP packet loss in the network. These mechanisms allow a TCP sender to quickly infer a single packet loss by reception of duplicate acknowledgments for a previously sent and acknowledged TCP/IP packet. This mechanism is useful when the network is intermittently congested. The reception of 3 (default value) successive duplicate acknowledgments (DUP ACKS) indicates to the TCP sender that it can resend the last unacknowledged TCP/IP packet (fast retransmit) and not go into TCP slow start due to a single packet loss (fast recovery).
Dynamic DNS
Microsoft Domain Name Server for Windows NT Server 5.0 provides a dynamic DNS name server that is compliant with open and approved Internet standards for DNS.
·      With dynamic DNS, updates in distributed DNS records data are made and propagated automatically to all affected DNS name servers throughout your network.
·      Dynamic DNS reduces network administration costs by reducing the need for you to manually edit and replicate the DNS database each time a change occurs in a DNS client's configuration.
·      Microsoft DNS Server also integrates the capability to pass dynamic updates through DNS with other network services such as Active Directory Services, Dynamic Host Configuration Protocol (DHCP), and Windows Internet Naming Service (WINS) to provide a robust solution for registering and locating named resources throughout your network.
IP Security Management
Microsoft IP Security Management governs end-to-end secure communication.
·      Sensitive data sent across a network is protected from unauthorized access.
·      Once an administrator has implemented IP security for an enterprise, communications are secured transparently.
·      No user training or interaction is required.
·      IP security protects communication between hosts using any protocol in the Transmission Control Protocol/Internet Protocol (TCP/IP) suite.
·      IP Security Management eliminates the need for separate packages for each protocol.
Admission control services - QoS
Admission control services enable the effective use and management of subnetwork resources by preventing applications from consuming more traffic than the subnet can handle. Applications that implement Quality of Service (QoS) standards can reserve bandwidth and establish priority for transmission of data.
QoS is a set of service requirements that the network must meet while transmitting a flow of data. QoS-based services and protocols provide a guaranteed, end-to-end, express delivery system for Internet Protocol (IP) traffic.
The first phase of Microsoft Windows NT QoS strategy provides the Admission Control Service (ACS). The ACS enables QoS-aware applications to reserve bandwidth and establish priority for transmission of critical data without over-committing network resources.
Multi-protocol routing
Windows NT Server 5.0 includes Routing and Remote Access Service (RAS) Admin, a tool that enables routing over IP and IPX networks on LANs or WANs.
The Windows® operating system is emerging as the communications platform of choice, due to the extensive network communications support included across the entire operating system family. Microsoft is making several enhancements to this built-in communications support with Windows NT Server 5.0, including quality of service support, ATM support, and unified Internet and traditional telephony support. Many of these enhancements are outside the scope of this paper and are covered by other materials. Here is a brief list of some of the communications enhancements planned for Windows NT 5.0 that relate to RRAS.
Windows ATM Services
Windows NT 5.0 provides new and improved support for hardware and software that uses Asynchronous Transfer Mode (ATM).
·      New user- and kernel-mode APIs enable applications and drivers to create and manage ATM virtual circuits (VCs). These APIs can be used to determine quality of service (QoS) and stream multiple information types (data, voice, video, and so on) through each VC.
·      An ATM LAN Emulation client module to enable your existing network applications and protocols that use Ethernet or Token Ring to run well over an ATM network.
·      New driver development and testing programs to assure reliable support for a variety of available ATM network adapters.
·      An ATM Call Manager that conforms to the ATM Forum UNI specification for signaling over ATM.
·      Support for direct TCP/IP over ATM. Client and Server modules are provided that the Microsoft TCP/IP stack to operate directly and more efficiently over ATM media.
·      Integrated ATM support for Winsock 2. The Winsock 2 ATM service provider extends NDIS 5 native ATM access up to user-mode WinSock 2 applications that want direct access to ATM.
·      Integrated ATM support for allowing user-mode Win32 TAPI applications to create and manage virtual circuits over ATM.
·      Integrated ATM support for DirectStreaming. The NDIS 5 DirectStreaming Raw Channel Access (RCA) filter brings ATM virtual circuits into the Win32 DirectStreaming environment.
·      Support for PPP dial-up over ATM. With Dial-Up Networking, you can create and use a PPP dial-up connection over any installed ATM adapter that supports and uses a NDIS 5 miniport driver.
·      Wakeup on directed traffic
Routing and Remote Access (RRAS) Enhancements
RRAS capabilities are enhanced by the addition of Extensible Authentication Protocol, Bandwidth Allocation Protocol, and RRAS User Profiles in the Windows NT Server 5.0 time frame, along with other core communications enhancements in the operating system.
·      Extensible Authentication Protocol (EAP),which allows third-party authentication modules, such as secure ID cards, to plug into the Microsoft Windows NT RRAS PPP implementation.
Extensible Authentication Protocol
The Extensible Authentication Protocol allows new authentication methods to be used with RAS, something that is especially important for the deployment of token card security mechanisms. EAP is the interface that allows third-party authentication modules to plug into the Microsoft Windows NT RAS PPP implementation. Microsoft is adding support for EAP to RRAS in the Windows NT 5.0 time frame.
EAP was proposed to the IETF as a PPP authentication protocol to allow for the authenticator to request more information about the peer before determining the specific authentication mechanism. This is accomplished by postponing this decision from the Link Control Protocol (LCP) phase to the Authentication phase.
·      Bandwidth Allocation Protocol, which dynamically adds or drops multi-link connections according to administrator-set load parameters.
Bandwidth Allocation Protocol
Routing and Remote Access Service will introduce the Bandwidth Allocation Protocol (BAP) in the Windows NT 5.0 timeframe. BAP brings additional efficiencies to Multi-link PPP by dynamically adding or dropping additional links to accommodate traffic flow.
BAP is especially valuable to operations that have carrier charges based on bandwidth utilization. The network manager uses a simple graphical user interface to set the parameters at which multi-link lines are dropped or added. For example, a manager could set the system so that an extra line was dropped if link utilization dropped below 50 percent for more than 10 seconds. Likewise, the system can be set to add a line if bandwidth utilization goes above 50 percent (or whatever value the network manager chooses) for more than perhaps 20 seconds. Because ISDN lines can be added nearly instantaneously BAP provides a very efficient mechanism for controlling connection costs while dynamically providing optimum bandwidth.
RRAS User Profiles
RRAS User Profiles Support, which simplifies remote access management by allowing network managers to create group profiles (such as a Marketing Profile, or Maintenance Profile) to set remote access dial-up rights and use parameters. Routing and Remote Access Service will work with the Windows NT Server 5.0 Active Directory to store remote access attributes and profiles for each user. Network managers will be able to assign users to either predefined or customized profiles with system use parameters. Administration will be simplified with user object profiles edited from the Microsoft Management Console (MMC) of Windows NT Server 5.0. In addition to general profile categorizations, such as by workgroup, the system stores information specific to each user, with a pointer to the profile.
Communicate using IP Telephony
Microsoft Telephony API (TAPI) provides both PSTN telephony and telephony over IP networks. IP Telephony enables voice, data, and video transmission over LANs, WANs, and the Internet.
Telephony service providers, included with Windows NT 5.0, provide the translation between hardware and software to enable multimedia- computers to act as telephony devices.
Supported service providers include:
Microsoft H.323 TAPI Service Provider
Microsoft IP Conferencing Service Provider
See the following section for more information on IP Telephony and TAPI 3.0
Telephony API 3.0
What is TAPI 3.0?
As telephony and call control become more common in the desktop computer, a general telephony interface is needed to enable applications to access all the telephony options available on any machine. Additionally, it is imperative that the media or data on a call is available to applications in a standard manner.
TAPI 3.0 is an architecture that provides simple and generic methods for making connections between two or more machines, and accessing any media streams involved in that connection. It abstracts call-control functionality to allow different, and seemingly incompatible, communication protocols to expose a common interface to applications.
IP Telephony is a demand poised for explosive growth, as organizations begin an historic shift from expensive and inflexible circuit-switched public telephone networks to intelligent, flexible and inexpensive IP networks. Microsoft, in anticipation of this trend, has created a robust computer telephony infrastructure, TAPI. Now in its third major version, TAPI is suitable for quick and easy development of IP Telephony applications.
Convergence of IP and PSTN Telephony
IP Telephony
IP Telephony is an emerging set of technologies that enables voice, data, and video collaboration over existing IP-based LANs, WANs, and the Internet.
Specifically, IP Telephony uses open IETF and ITU standards to move multimedia traffic over any network that uses IP (the Internet Protocol)—offering users both flexibility in physical media (for example, POTS lines, ADSL, ISDN, leased lines, coaxial cable, satellite, and twisted pair) and flexibility of physical location. As a result, the same ubiquitous networks that carry Web, e-mail and data traffic can be used to connect to individuals, businesses, schools and governments worldwide.
TAPI 3.0 is an evolutionary API that supports convergence of both traditional PSTN telephony and telephony over IP networks.
What are the Benefits of IP Telephony?
IP Telephony allows organizations and individuals to lower the costs of existing services, such as voice and broadcast video, while at the same time broadening their means of communication to include modern video conferencing, application sharing, and whiteboarding tools.
In the past, organizations have deployed separate networks to handle traditional voice, data, and video traffic. Each with different transport requirements, these networks were expensive to install, maintain, and reconfigure. Furthermore, since these networks were physically distinct, integration was difficult if not impossible, limiting their potential usefulness.
IP Telephony blends voice, video and data by specifying a common transport, IP, for each, effectively collapsing three networks into one. The result is increased manageability, lower support costs, a new breed of collaboration tools, and increased productivity.
Possible applications for IP Telephony include telecommuting, real-time document collaboration, distance learning, employee training, video conferencing, video mail, and video on demand.
Performance & Scalability
64-bit Very Large Memory (VLM)
Windows NT Server 5.0 Enterprise Edition will include access to Very Large Memory (VLM) on systems which use the 64-bit Digital Alpha CPU. The purpose of this VLM support is to enable applications which manage large data sets, such as databases, to access more memory which can result in significant performance gains.
Support for VLM is provided to developers via VLM (Very Large Memory) APIs. These APIs are extensions to the existing APIs that deal with virtual memory. For example, VirtualAllocVlm and VirtualFreeVlm act like their 32-bit equivalents, but use 64-bit addresses and size parameters.
Current Intel CPUs such as the Pentium Pro and Pentium II do not offer 64-bit memory addressing, and thus cannot support VLM in Windows NT Server 5.0. However it is possible to use an additional gigabyte of memory for the application address space via a feature called 4 Gigabyte Memory Tuning. By default, the 4GB address space of Windows NT is divided into two regions: the lower 2GB for each process and the upper 2GB for the system. In the Enterprise Edition of Windows NT, it's possible to expand the per-process area to the first 3GB and shrink the system area to the upper 1GB.
Job Object
Job object is a new kernel object which can be named and secured. It is used to collect group of related processes, enabling management and tracking of the process group. Windows NT enforces job quotas and security context.
This enables the monitoring and control of :
·      Per-process CPU time
·      Per-job CPU time
·      Minimum and Maximum working set (memory usage)
·      Active Process Count
·      CPU Affinity (which CPU(s) in a multi-processor system can run the process(es)
·      Priority Class
Scatter/Gather I/O
Scatter/Gather support enables higher I/O throughput when application data is located in Discontiguous memory locations (which is typical), and data needs to be written to a contiguous file location. Scatter/Gather is also VLM-enabled on Alpha in Windows NT 5.0.
WriteFileGather takes pointers to one or more pages in memory, "gathers" them together, and writes them out to the file as one chunk. ReadFileScatter reads in one or more pages from the file system, and "scatters" them to buffers set up beforehand. The advantage of the scatter/gather technique is that the program doesn't need to work with intermediate buffers that contain the data as a single logical chunk.3
Spin Count
The Windows NT 5.0 kernel offers several improvements for developers with regard to thread execution. A problem that Windows NT 5.0 addresses via new APIs is that of a particular process specific memory block or resource that's constantly being acquired and released. For example, a linked list that you constantly add and delete items from. Usually these resources are guarded by a critical section. However, if a thread blocks on a critical section, under the hood it's calling WaitForSingleObject, which is relatively expensive.
If you know that the critical section for a resource is usually acquired and released in fairly short order, you can optimize the critical section so that threads won't spend as much time in an expensive WaitForSingleObject call. The dwReserved field of a critical section is now used for a spin count. If the spin count is set, a thread that would normally block while waiting for a critical section will instead enter a loop where it continually checks if the critical section can be acquired. If the loop executes "spin count" number of times, the thread gives up and reverts back to the old behavior by calling WaitForSingleObject. The goal is that the blocking processor should acquire the critical section faster by this method than by using WaitForSingleObject.
The spin count value can be set via two new APIs, InitializeCriticalSectionAndSpinCount and SetCriticalSectionSpinCount. On a uniprocessor machine, using spin counts doesn't buy you anything. However, the spin count APIs can be called on uniprocessor systems with no ill effects.4
New Device Support
Windows NT Server 5.0 supports several new hardware standards that are designed to improve performance. They include:
Fibre Channel
The Fibre Channel Standard (FCS) [1] defines a high-speed data transfer interface that can be used to connect together servers and storage devices. The standard addresses the need for very fast transfers of large volumes of information and could relieve system manufacturers from the burden of supporting the variety of channels and networks currently in place, as it provides one standard for networking, storage and data transfer.
Fibre Channel (FC) ports can be connected as point-to-point links, in a loop or to a switch. The ports in a point-to-point connection are called N_Ports; if they can work in a loop they are called NL_Ports. An FC switch, or a network of switches, is called a fabric. The ports of a fabric are called F_Ports. Both optical and electrical media are supported, working from 133 Megabits/sec up to 1062 Megabits/sec, while distances up to 10 km are possible.
IEEE 1394 is a standard for high speed peripheral interconnect. The most compelling attributes of IEEE 1394 are simple connectivity combined with bandwidth for multimedia. The benefits include a single connection for A/V data and control. Several classes of IEEE 1394 devices will take advantage of these attributes in 1997.
One class of devices Microsoft expects to see on IEEE 1394 are external adapters, which simply plug into a PC's IEEE 1394 port to provide data conversion necessary to connect the PC with conventional interfaces. Examples include conversion of IEEE 1394 digital format to interface with the installed base of audio or video devices.
Other examples of device classes that can take advantage of IEEE 1394 benefits include Parallel Port, Networking, and so on. Although some of these devices represent market migration tools, external adapters provide flexible expansion interfaces and eliminate the need to open the PC case. These Plug and Play devices should be relatively inexpensive and can consume IEEE 1394 cable power, eliminating the need for a separate power supply.
Another area of interest is IEEE 1394 connectivity for use in mobile/docking stations. With the smaller IEEE 1394 and USB connector footprints, port consolidation simplifies the laptop while allowing additional interfaces to migrate to the docking station. Even primary PC storage will be affected by IEEE 1394 expansion interfaces.
Windows NT Server 5.0 will provide support for I2O hardware. The I2O architecture is an industry initiative that promotes the interoperability, performance and ease-of-use of I/O subsystems. Over 100 companies are part of the I2O Special Interest Group (SIG). The goal of this architecture is to provide an open, standards-based approach that complements current drivers and supports the development of a new generation of portable, Intelligent I/O products.
The significant benefits of Intelligent I/O include:
·      Offloads certain I/O operations resulting in more power for complex calculations resulting in reduced CPU utilization
·      Standardization of drivers
·      Makes adoption of new technologies such as RAID and Fibre Channel easier
·      Developers can write device drivers that are portable across operating systems.
·      Offers the flexibility to change transports
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED IN THIS DOCUMENT.

1      Until then, as with most developer-oriented alpha and beta products, the programmatic interfaces are subject to change.
2      Matt Pietrek, Microsoft Systems Journal, November 1997
3      Matt Pietrek, Microsoft Systems Journal, November 1997
4      ibid



Author Comment

ID: 1414107
I got the files told by "waty". But the runing result is "bad handle value". How to solve this problem. Anyway, this example did give some helpful infomation

Accepted Solution

warmcat earned 300 total points
ID: 1414108
What the hell was theh95's answer all about?  Did I miss f22 asking about ZAW and NT 5.0?

f22, zoom on down to

If you need to work under NT as well as '95 or '98, download

If you have questions, ask 'em here or mail me at




Featured Post

Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

For a while now I'v been searching for a circular progress control, much like the one you get when first starting your Silverlight application. I found a couple that were written in WPF and there were a few written in Silverlight, but all appeared o…
Whether you've completed a degree in computer sciences or you're a self-taught programmer, writing your first lines of code in the real world is always a challenge. Here are some of the most common pitfalls for new programmers.
This is Part 3 in a 3-part series on Experts Exchange to discuss error handling in VBA code written for Excel. Part 1 of this series discussed basic error handling code using VBA.…
Watch the video to learn how one can deal with PST file corruption issue with an outstanding Kernel for Outlook PST Repair Tool easily. Using this tool, non-technical users can swiftly perform the repair process to restore their essential data witho…

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question