
Last Updated May 18, 1996.   

Fundamentals of Windows NT

Presented by: Keith Cotton 
Keith Cotton is a subject matter expert for Microsoft Education Services 
within the Business Systems Division. Keith is a Microsoft Certified 
System Engineer and has his Novell CNE certification. 
The Microsoft Networking Family 
Windows NT Features 
Architecture Overview 
User and Group Accounts 
Group Accounts 
Managing Security Policies 
File Systems 
Windows NT Resource Security Model 
Windows NT Network Architecture 
Introduction to the Browser Service 
Printing from Windows NT 
Remote Access Service (RAS) 
------------------------------------------------------------------------

The Microsoft Networking Family


Both the Microsoft Windows NT Server network operating system and the 
Windows NT Workstation operating system provide a 32-bit operating 
system for users who require a fast, multitasking environment. Corporate 
systems managers use Windows NT Workstation to establish a general 
purpose computing environment, which at the same time can reliably host 
a line of business applications. Developers and engineers, as well as 
financial and technical users, can take advantage of these operating 
systems for business needs such as mechanical and electronic design 
automation, architectural planning, engineering and construction, 
manufacturing and process control, custom software development, 
accounting, financial analysis, investment trader workstations, and 
real-time systems. In addition, any user who needs the power of a 
multiprocessing system can use the Microsoft Windows NT operating 
system to run multiple applications at the same time. 

Windows NT Server 3.5


Windows NT Server 3.5 is a powerful network server operating system 
designed for organizations that must implement mission-critical business 
applications. Windows NT Server 3.5 provides the networking foundation 
for a new generation of server applications and tools, as well as file 
and print services. Its client-server platform is designed to integrate 
current and future technologies and provide a competitive advantage 
through better information access. 
Windows NT Server 3.5 is the operating system for implementation of the 
Microsoft BackOffice strategy. BackOffice includes the following: 
  *	Microsoft Windows NT Server 3.5 
  *	Microsoft SQL Server client-server database management system 4.21a 
  *	Microsoft Systems Management Server centralized management for 
	distributed systems 
  *	Microsoft SNA Server connectivity for IBM enterprise networks 2.1 
  *	Microsoft Exchange Server client-server messaging and groupware 

Windows NT Workstation 3.5


The Microsoft Windows NT Workstation 3.5 operating system includes all 
the capabilities of the Windows for Workgroups operating system with 
integrated networking elevated to a more powerful, multitasking level. 
Windows NT Workstation can be used alone as a powerful desktop operating 
system, networked in a peer-to-peer workgroup environment, or used as a 
workstation in a Windows NT Server 3.5 domain environment. 
Windows NT Workstation 3.5 can be used as a client in the Microsoft 
BackOffice strategy, accessing resources from all the BackOffice 
products. 

Clients


Windows for Workgroups is a peer-to-peer network client based on the 
Microsoft Windows operating system and designed for resource sharing 
among small numbers of people with similar tasks. 
The Microsoft Windows operating system version 3.x is intended primarily 
for the single user in a desktop environment based on the Microsoft 
MS-DOS operating system. 
Windows and Windows for Workgroups are both ideal products for group 
or small business environments. 
------------------------------------------------------------------------

Windows NT Features


Feature or service              Windows NT Workstation 3.5                        Windows NT Server 3.5
Concurrent client connections   10 inbound connection limit; unlimited outbound   Unlimited
Symmetric multiprocessing       2 processors (out of the box)                     4 processors (out of the box)
Remote Access Service           One session only                                  Up to 256 sessions
Directory replication           Import only                                       Import and export
Logon validation                No                                                Yes
Services for Macintosh          No                                                Yes
Disk fault tolerance            No                                                Yes


Windows NT Workstation


Windows NT Workstation combines the power of a 32-bit multitasking 
workstation with the ease of use, compatibility, and productivity of a 
personal computer. It provides unlimited outbound peer-to-peer 
connections and up to 10 simultaneous inbound connections. Remote Access 
Service (RAS) supports one inbound session for a user who is dialing in 
using a modem. Windows NT Workstation supports up to two processors in a 
symmetric multiprocessing environment. These features are a few of the 
reasons why Windows NT Workstation 3.5 is a powerful multitasking client 
desktop operating system. 

Windows NT Server


Windows NT Server provides the network operating system foundation for 
enterprise networking. It is optimized to be an excellent file, print, 
and applications server that scales from small workgroups to an 
enterprise network. Windows NT Server supports up to four processors in 
a symmetric multiprocessing environment. Original Equipment 
Manufacturers' implementations of Windows NT Server support up to 32 
multiprocessors. (See the hardware compatibility list for a list of 
OEMs.) In addition, Windows NT Server provides all services necessary 
for sharing business applications and host connectivity, including 
Macintosh support, unlimited network connections, and 256 inbound RAS 
sessions. Tools are integrated for building secure, reliable databases, 
accessing mainframe and minicomputer data, building a messaging 
infrastructure, and managing all the Windows NT server and client 
computers on the network. 

Workgroups and Domains


By looking at the purpose of a workgroup and a domain, you will know 
when to implement Windows NT into a workgroup or a domain environment on 
your network. 

Workgroup


A workgroup is a logical collection of computers grouped together for a 
common purpose, such as sharing departmental hard disk or printer 
resources. Members of the workgroup can see and access resources shared 
by other computers within the group. Each computer in the workgroup has 
to manage its own user accounts database and security policy. Each 
workgroup is identified by a unique name. 

Domain


A domain in a Windows NT environment is a logical collection of 
computers sharing a common user accounts database and security policy. A 
domain also provides logon validation to ensure that domain user 
accounts and security policies are enforced within the domain. Each 
domain has a unique name. 
Windows NT Workstation is designed to participate in either a workgroup 
or a domain. As part of a workgroup, Windows NT Workstation interacts 
within a common group of computers on a peer-to-peer level. In this 
environment, resources and user accounts are managed at each computer. A 
workgroup works well for small groups in which a small number of users 
needs access to resources on other computers. 
Both Windows NT Server and Windows NT Workstation are designed to 
participate in a domain. Like a workgroup, a domain is a logical 
grouping of computers and users. Unlike a workgroup, where each computer 
has its own user account database, a domain is managed by servers and 
has one user accounts database that is shared by all the servers. The 
Windows NT Server network operating system is designed to administer 
domain account privileges, security, and network resources centrally; 
for example, a large company may have 1,000 computers in a network. A 
group of users on this network needs exclusive rights to share files and 
applications. A Windows NT Server domain provides them with a secured 
environment in which they can share the files and applications, and log 
on from any Windows NT Workstation that is part of that domain. 
------------------------------------------------------------------------

Architecture Overview


The Windows NT operating system uses an object model to provide user 
access to local and network resources, and to run applications of 
various types. An object can be thought of as any resource within the 
Windows NT system, such as files, directories, and printers. The object 
model used by Windows NT is that of a modular operating system, composed 
of a group of relatively independent components. Each component performs 
a specific task within the context of the operating system as a whole. 
This is accomplished through subsystems and executive services that form 
the foundation on which applications can run. 

Environment Subsystems


One of the features of Windows NT is its ability to execute applications 
written for multiple operating systems. This is accomplished through the 
environment subsystems in Windows NT. The environment subsystems can run 
applications written for several operating systems by emulating those 
operating systems. 

Executive Services


Underneath the user applications lies the Windows NT operating system. 
The Windows NT operating system provides the support for user 
applications. It comprises many components, the majority of which are 
called the Executive and its Managers. The Executive Services can be 
compared to a company president who oversees an entire organization. In 
Windows NT the Executive Services coordinate the activities of the 
operating system, such as providing access to hard disk resources, 
printers, memory, and the network. The Managers can be compared to vice 
presidents who oversee specific areas of the company. In Windows NT the 
Manager services are the actual code that manages the specific functions 
overseen by the Executive. 

The Memory Model of Windows NT


The memory architecture for Windows NT is a demand-paged, virtual memory 
system. It is based on a flat, linear address space accessed by 32-bit 
addresses. 
Windows NT uses a 32-bit flat memory model, which means that 
applications can access up to 2 GB of RAM directly, rather than 64K 
segments, allowing programmers to create larger applications. 
The Virtual Memory Manager maps virtual addresses for the application 
into physical pages in the computer's memory (1). In doing so, it hides 
the organization of physical memory from the application. This ensures 
that when applications call for memory locations they are mapped to 
non-conflicting memory addresses. 
Demand paging refers to a method by which data is moved in pages from (2) 
physical memory to a temporary paging file on-disk (3). As the data is 
needed by an application, it is paged back into physical memory. The 
algorithm for paging is optimized to perform per-process paging as 
opposed to systemwide paging. 
This linear addressing scheme helps make Windows NT portable because it 
is compatible with the memory addressing of processors such as the MIPS 
R4000 and DEC Alpha AXP. 
------------------------------------------------------------------------

User and Group Accounts


A user account defines a user to Windows NT. This includes the name and 
password required for the user to log on, the groups in which the user 
account has membership, and any user rights for using the assigned 
computer. When a user logs onto a workstation and attempts to perform a 
particular action on that computer, Windows NT checks information in the 
user's account to determine whether the user is authorized to perform 
that action. 

Multiple User Accounts Provide Different Levels of Security 


An individual may have more than one account, each account providing and 
allowing different capabilities within the Windows NT Workstation 
security system. For example, an administrator can have both an 
administrative account that provides the access rights necessary to 
manage the system, and a user account for routine use. 

Default User Accounts


The Windows NT installation program creates three default user accounts 
with associated privileges when Windows NT Workstation is first 
installed: Administrator, Guest, and an "Initial User" account. Each 
default account has specific privileges on the system. 

Administrator Account


The Administrator account is used by the person who manages the 
computer's overall configuration. Through this account, an Administrator 
can perform such tasks as: managing security policies; creating, 
modifying, or deleting user and group accounts; modifying operating 
system software; creating and connecting to shared directories 
(including administrative shares); installing and connecting to 
printers; partitioning and formatting a fixed disk; and more. 

Guest Account


The Guest account is provided as a convenience, so that occasional or 
one-time users can log on and be granted limited abilities on the local 
computer. This allows users without a valid user account on the computer 
to log on as Guest, and access appropriate resources for the Guest 
account while using the system. 

Initial User Account


An "Initial User" account is created during installation of Windows NT 
Workstation. This account, which is assigned a name during installation, 
is a member of the Administrators group and therefore has all 
administrator rights and privileges. 

Creating User Accounts


Additional user accounts can be added to allow other users to log on 
locally or access local resources from over the network. This is done 
either by creating new user accounts, or by making copies of existing 
user accounts. Creating user accounts involves adding user information, 
adding the user to groups, and establishing the user environment 
profile. 
Before creating new user accounts, it is a good idea to establish a 
standard naming convention. A standard naming convention speeds up the 
lookup process in User Manager when maintaining and troubleshooting the 
system, or if duplicate names occur. 

Copying User Accounts


When creating multiple user accounts with similar account properties, it 
is recommended that a template be created for each type of user. For 
example, create a template with all the appropriate options and group 
memberships established for users in the accounting department. Then, 
when an account is needed for a new user in the accounting department, 
you can simply copy the template. 

New User Items Copied


User accounts can be copied, but not all of the items in the User 
Properties dialog box are copied to the new user account. The items 
copied directly from an existing user account to a new user account are 
as follows: 
  *	The description. 
  *	Group account memberships. 
  *	Profile settings, such as home directory. 
  *	"User cannot change password" is copied from source account. 
  *	"Password never expires" is copied from source account. 

New User Items Settings after Copying


After copying an existing user account to create a new user, the 
following items are cleared: 
  *	The Username and Full Name 
  *	"User must change password at next logon" 
  *	"Account disabled" 

Any rights and permissions that have been granted to a user account are 
not copied. The only way user rights carry over to the copy is when 
those rights have been assigned to a group, since group memberships are 
copied. 

Renaming User Accounts


It is possible to rename any user account, including the default 
accounts. When a user account is renamed, it retains all of its other 
properties. The only thing that changes is the account name. 

Deleting and Disabling User Accounts


Although you can delete user accounts at any time, it is recommended 
that you do so only if a user will never again need to log on or access 
that Windows NT Workstation. Deleting user accounts also removes 
security identifiers. Security identifiers (SIDs) are unique numbers 
that identify users who are logged on to the Windows NT security system. 
A security ID can identify an individual user or a group of users. 

Deleting User Accounts


If a user account is deleted and a new account is created with the same 
name, it will have a different SID, and as such will be unable to access 
anything the previous account was able to access without reassigning the 
appropriate permissions and privileges. The new account must have the 
appropriate access permissions, user rights, and group memberships 
established for it to behave in the same way as the deleted account. 

Setting the User Environment Profile


The user environment profile provides a location for storage of personal 
files and provides consistent network resources every time a user logs 
on. This provides a user with their own unique environment on desktops 
shared by multiple users. 
The User Environment Profile dialog box allows you to configure the 
user's logon script name and location of the user's home directory. 

Logon Script Name


When a user logs on to Windows NT, the user's profile can be configured 
so that a logon script runs automatically to configure the working 
environment for the user. 
A logon script is normally a batch file (.BAT or .CMD extension) that 
issues MS-DOS or OS/2 operating system commands, or calls executable 
files, though an executable file can also be used for the logon script. 
When using executable files, remember to use the correct version of the 
executable if the user may be logging on at computers with different CPU 
types (e.g., x86, MIPS, Alpha). The %PROCESSOR% environment variable can 
be used to select the right executable in a logon script. 
Other environment variables that can be used in logon scripts include 
%HOMEDRIVE%, %HOMEPATH%, %HOMESHARE%, %OS%, %USERDOMAIN%, and 
%USERNAME%. 

Home Directory


A home directory provides the user with a consistent location to store 
all personal program and data files. In general, administrators should 
configure home directories so they are not accessible to anyone but the 
individual user. Home directories are normally stored locally on Windows 
NT workstations, but can be located on a server. 
  *	A home directory is used as the default directory when the command 
	prompt is started. In addition, the home directory is also the default 
	directory for saving a file in applications that do not supply a default 
	working directory. 

Assigning Group Membership


A group is defined as an account containing other accounts (members). 
Groups are basically "aliases" for a set of users, and can be assigned 
permissions and user rights just like a user account. As a result, the 
permissions and rights granted to the group are applied to its members 
automatically. This makes groups a convenient way to grant common 
capabilities to a collection of user accounts. 
The limit to the number of groups to which a user can be a member is 
1,000. 
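The sections above describe three behaviours of the accounts database: permissions granted to a group apply to its members automatically, renaming an account keeps its SID, and deleting an account and recreating it under the same name produces a new SID that no longer matches existing permissions. The following model, an added example rather than code from the original page, walks through all three; the SID format, the accounts-database API and the "payroll" resource are constructed for illustration and do not reflect the real Windows NT implementation.

```python
"""Model of how Windows NT resolves access through user SIDs, group
membership and the Everyone group.  Constructed illustration; the SID
authority, the database API and the resource ACL are all invented."""
import itertools

EVERYONE_SID = "S-1-1-0"        # well-known SID of the Everyone group
_rid = itertools.count(1000)    # constructed: relative IDs are never reused


def new_sid() -> str:
    """Mint a fresh SID under a constructed machine authority."""
    return f"S-1-5-21-EXAMPLE-{next(_rid)}"


class AccountsDatabase:
    """Local accounts database: users and local groups keyed by name."""

    def __init__(self) -> None:
        self.users: dict[str, str] = {}                      # name -> SID
        self.groups: dict[str, tuple[str, set[str]]] = {}    # name -> (SID, member SIDs)

    def create_user(self, name: str) -> str:
        if name in self.users:
            raise ValueError(f"user {name!r} already exists")
        self.users[name] = new_sid()
        return self.users[name]

    def delete_user(self, name: str) -> None:
        """Deleting removes the SID from the database and from every group;
        ACLs on resources keep the now-orphaned SID and are not updated."""
        sid = self.users.pop(name)
        for _, members in self.groups.values():
            members.discard(sid)

    def rename_user(self, old: str, new: str) -> None:
        """Renaming keeps the SID, so existing permissions still apply."""
        self.users[new] = self.users.pop(old)

    def create_group(self, name: str) -> str:
        self.groups[name] = (new_sid(), set())
        return self.groups[name][0]

    def add_member(self, group: str, user: str) -> None:
        self.groups[group][1].add(self.users[user])

    def token(self, user: str) -> frozenset[str]:
        """SIDs a logged-on user presents: its own SID, every group that
        contains it, and Everyone (which has no member list of its own)."""
        sid = self.users[user]
        groups = {gsid for gsid, members in self.groups.values() if sid in members}
        return frozenset({sid, EVERYONE_SID, *groups})


def access_check(acl: dict[str, set[str]], token: frozenset[str], wanted: set[str]) -> bool:
    """Grant only if every requested permission is allowed to some SID in the token."""
    granted: set[str] = set()
    for sid in token:
        granted |= acl.get(sid, set())
    return wanted <= granted


def demo() -> dict[str, bool]:
    """Run the three scenarios; every value is True when the model behaves as described."""
    db = AccountsDatabase()
    db.create_user("alice")
    db.create_user("guest")
    accounting = db.create_group("Accounting")
    db.add_member("Accounting", "alice")

    # Constructed ACL: Accounting may read and write, Everyone may read.
    # Nothing is granted to alice directly; she inherits via the group.
    payroll_acl = {accounting: {"read", "write"}, EVERYONE_SID: {"read"}}

    results = {
        "alice_writes_via_group": access_check(payroll_acl, db.token("alice"), {"write"}),
        "guest_reads_via_everyone": access_check(payroll_acl, db.token("guest"), {"read"}),
        "guest_cannot_write": not access_check(payroll_acl, db.token("guest"), {"write"}),
    }

    db.rename_user("alice", "alice.smith")
    results["renamed_keeps_access"] = access_check(payroll_acl, db.token("alice.smith"), {"write"})

    # Delete and recreate with the same name: new SID and no group
    # membership, so only the read granted to Everyone survives.
    db.delete_user("alice.smith")
    db.create_user("alice.smith")
    results["recreated_loses_write"] = not access_check(payroll_acl, db.token("alice.smith"), {"write"})
    results["recreated_still_reads_as_everyone"] = access_check(payroll_acl, db.token("alice.smith"), {"read"})
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```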
------------------------------------------------------------------------

Group Accounts


A group is an account that contains user accounts. The accounts 
contained within a group are members of that group. Groups are used to 
give users permissions to perform system tasks, such as backing up and 
restoring files or changing the system time, and to grant access to 
resources, such as files, directories, and printers. 
Group accounts are useful because they simplify administration by 
organizing user accounts into a single administrative unit. Group 
accounts provide a convenient method of controlling access for several 
users who will be using Windows NT to perform similar tasks. By placing 
multiple users in a group, you can assign the same abilities and/or 
restrictions to all of the users at the same time by assigning the 
rights and/or permissions to the group. Without groups, user rights and 
access permissions would have to be assigned to the individual users 
accounts. User accounts can still be modified individually, even if they 
are members of one or more groups. 
Windows NT Workstation allows the creation of local groups. Windows NT 
Server allows the creation of both local and global groups. 

Local Groups


This type of group can include any user accounts created in the local 
accounts database. Additionally, if the Windows NT Workstation has 
joined a Windows NT Server domain, a local group can also contain any 
global accounts from the Windows NT Server domain. 
Local groups created on a Windows NT Workstation are only available on 
that workstation. They cannot be accessed on other Windows NT-based 
computers. 

Global Groups


Global groups contain accounts outside of the local computer. They are 
assigned user rights and permissions to resources on the local computer 
where the global group resides, or from any Windows NT Workstation that 
has joined the domain. Global groups provide a way to create groups of 
users from the domain. 
If your Windows NT Workstation is a member of a domain, then it is 
possible to grant permissions to any global groups that have been 
created in the domain. 

Default Group Accounts


There are several default group accounts built into the Windows NT 
Workstation operating system. The built-in groups are Guests, Users, 
Power Users, Administrators, Replicator, and Backup Operators. By 
default, all user accounts created on a Windows NT Workstation are made 
members of a group called Users. 
There is also a special group account named "Everyone". The Everyone 
group includes every user account created on the local computer and, as 
such, does not appear in the listing of group accounts and does not 
permit the adding of users. It can be used to assign user rights and 
access permissions to resources, and grants every user (including 
Guest) the privileges assigned to the Everyone group. 

Guests


The Guest group offers limited access to resources on the system. The 
Guest user account is automatically added as a member of the Guests 
group account. 
Since anyone on a network can connect to a computer's shared resources 
through the Guests group, permissions must be assigned on shared 
resources to control how users can access those resources. 
To grant a specific user the same access to the computer as someone who 
logs on as a Guest, add that user account to the Guests group. 

Users


The Users group account provides the user with the necessary rights to 
operate the computer as an end user, such as running applications and 
managing files. By default, every user account created is added to the 
Users group. 

Power Users


The Power Users group account gives members the ability to perform 
certain system administrative functions, without giving the user 
complete control over the computer. 

Administrators


A user logged on as a member of the Administrators group account has 
complete control over the entire Windows NT computer. 

Replicator


This group account is used when configuring the directory replicator 
service. The directory replicator service is used to automatically copy 
files, such as user logon scripts, between Windows NT-based computers. 

Backup Operators


The Backup Operators group account allows the user to back up and restore 
files on the computer. 
Any user can back up and restore files for which they have the 
appropriate file and directory permissions without being a member of the 
Backup Operators group. The Backup Operators group overrides any 
permissions on files and directories that would normally prohibit a user 
from accessing those files, and allows users who are members of the 
group to back up any and all files on a drive, regardless of the file and 
directory permissions. Permissions to all files are only granted while 
the user is using Windows NT Backup to back up or restore files and 
directories. 

Deleting Local Group Accounts


Deleting a local group account removes only that local group. It does 
not delete any user accounts that were members of the deleted local 
group account. Groups that have been created with User Manager can be 
deleted, while the built-in groups provided with Windows NT Workstation, 
such as Administrators and Guests, cannot be deleted. 
------------------------------------------------------------------------

Managing Security Policies


Security policies provide an administrator an additional level of 
computer and network control. However, an administrator needs to 
carefully consider which security policies need to be configured in an 
environment, and realize what effect the configured policy will have on 
the security of the local computer. 
Windows NT provides the following security policies: 

Security policy    Description
Account            Controls the way passwords are assigned and maintained by users. It also controls the account lockout feature of Windows NT.
User Rights        Controls the explicit rights that can be assigned to the group and user accounts of the workstation.
Audit              Controls the types of events that will be recorded in the audit logs.


The Account Policy


The Account Policy sets the minimum and maximum ages, minimum length, 
and uniqueness of passwords, and configures the account lockout feature. 
Changes to this policy affect each user at the next logon. The Account 
Policy is accessed from the Policies menu of User Manager. 

The User Rights Policy


The User Rights Policy manages the rights granted to group and user 
accounts. User Rights authorize a user to perform certain actions on the 
computer. User Rights apply to the computer as a whole and are different 
from permissions, which apply to specific resources, such as files and 
printers. 
In general, you will not need to change the User Rights policy for the 
default groups, because the User Rights of these groups should support 
the needs of typical users within each group. 
There are two levels of User Rights that can be assigned: User Rights 
and Advanced User Rights. The most commonly modified rights are User 
Rights. 
------------------------------------------------------------------------

File Systems


In choosing a file system, it is important to note that you can format 
multiple partitions with different file systems on the same Windows NT 
workstation, depending on the operating system and security needs of the 
computer. 

File System   Supporting Operating Systems                     
FAT           MS-DOS, Windows NT, and OS/2                     
HPFS          OS/2 and Windows NT                              
NTFS          Windows NT                                       


The File Allocation Table (FAT) File System


The FAT file system is widely used and supported by a variety of 
operating systems, such as MS-DOS, Windows NT, and OS/2. If you plan to 
dual boot your Windows NT Workstation computer with the MS-DOS operating 
system, the system partition must be formatted with the FAT file system. 

FAT Naming Conventions


The MS-DOS FAT file and directory naming convention can consist of three 
parts: a filename of up to eight characters, a period (.) separator, and 
a three-character extension. 
The following table describes some basic characteristics of the File 
Allocation Table on Windows NT 3.5. 

Filename/Directory length  255
File Size                  4 GB (2^32 bytes)
Partition Size             4 GB (2^32 bytes)
Attributes                 Read-only, Archive, System, and Hidden
Directories                *Linked List
Accessible Through         MS-DOS, OS/2, and Windows NT


* Linked List = To enable MS-DOS to locate a file, the file's directory 
entry contains its beginning FAT entry number. This FAT entry, in turn, 
contains the entry number of the next cluster if the file is larger than 
one cluster, or a marker that designates this is the last cluster. A 
file whose size implies that it occupies 10 clusters will have 10 FAT 
entries and 9 FAT links. This method of storing the information of files 
forms the linked list. 

FAT File System Considerations


The following considerations are important in implementing a FAT file 
system: 
  *	You cannot undelete a file on any of the supported file systems because 
	undelete utilities access the hardware directly, which is not allowed 
	under the Windows NT operating system. However, if the deleted file is 
	on a FAT partition and the system is restarted under the MS-DOS 
	operating system, it may be possible to undelete the file if it has not 
	been written over. 
  *	FAT has minimal file-system overhead (less than 1 MB). 
  *	FAT is the most efficient file system for partitions less than 200 MB. 
	Performance declines with large numbers of files, because FAT uses a 
	linked list for the directory structure. If the amount of data in a file 
	grows, the file becomes fragmented on the hard disk, and the process of 
	retrieving the file from disk becomes slower. 
  *	FAT is the required file system for the boot partition on ARC-compliant 
	computers (RISC processor-based computers supported by Windows NT). 
  *	A FAT partition cannot be protected by the file or directory security 
	features of Windows NT. 
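A walk over the FAT linked list that the footnote above describes, covering the 10-entries/9-links count, the fragmentation noted in the considerations list, and why a deleted file's chain cannot be recovered once its FAT entries are reused. This is an added example, not code from the original page; the FAT is a constructed 16-entry in-memory table using FAT16 end-of-chain and bad-cluster values, and the file layout is invented.

```python
"""Follow FAT cluster chains from a directory entry's starting cluster.
Constructed illustration: the FAT below is an invented 16-entry table
with 16-bit entries (FAT16 conventions), not a real on-disk volume."""

FREE = 0x0000             # cluster not allocated
BAD_CLUSTER = 0xFFF7      # cluster marked bad by the format or CHKDSK
END_OF_CHAIN = 0xFFF8     # any value >= 0xFFF8 marks the last cluster
FIRST_DATA_CLUSTER = 2    # entries 0 and 1 are reserved


def follow_chain(fat: list[int], start: int) -> list[int]:
    """Return a file's clusters in order, starting from the cluster number
    held in its directory entry.  Refuses unallocated or bad clusters and
    chains that loop back on themselves (cross-linked files)."""
    chain: list[int] = []
    cluster = start
    while True:
        if cluster < FIRST_DATA_CLUSTER or cluster >= len(fat):
            raise ValueError(f"cluster {cluster} out of range")
        if cluster in chain:
            raise ValueError(f"chain loops back to cluster {cluster}")
        entry = fat[cluster]
        if entry == FREE:
            raise ValueError(f"cluster {cluster} is not allocated")
        if entry == BAD_CLUSTER:
            raise ValueError(f"cluster {cluster} is marked bad")
        chain.append(cluster)
        if entry >= END_OF_CHAIN:
            return chain
        cluster = entry


def chain_stats(fat: list[int], start: int) -> tuple[int, int, int]:
    """(FAT entries, FAT links, fragments) for one file: a 10-cluster file
    has 10 entries and 9 links; every non-adjacent step starts a fragment."""
    chain = follow_chain(fat, start)
    fragments = 1 + sum(1 for a, b in zip(chain, chain[1:]) if b != a + 1)
    return len(chain), len(chain) - 1, fragments


def clusters_needed(file_size: int, cluster_size: int) -> int:
    """Clusters a file of this size occupies (a zero-byte file owns none)."""
    if file_size == 0:
        return 0
    return -(-file_size // cluster_size)   # ceiling division


def delete_file(fat: list[int], start: int) -> None:
    """Model of MS-DOS DEL: the FAT entries are freed, the data clusters are
    left untouched.  Undelete only works while nothing has reused them."""
    for cluster in follow_chain(fat, start):
        fat[cluster] = FREE


def build_sample_fat() -> list[int]:
    """Constructed FAT: file A occupies clusters 2-5 and 9-14 (fragmented),
    file B occupies clusters 6-8, cluster 15 is free."""
    fat = [FREE] * 16
    fat[0], fat[1] = 0xFFF8, 0xFFFF          # reserved entries
    for c in (2, 3, 4):
        fat[c] = c + 1
    fat[5] = 9                               # jump: file A is fragmented
    for c in (9, 10, 11, 12, 13):
        fat[c] = c + 1
    fat[14] = 0xFFFF                         # end of file A
    fat[6], fat[7], fat[8] = 7, 8, 0xFFFF    # file B, contiguous
    return fat


if __name__ == "__main__":
    fat = build_sample_fat()
    print("file A (entries, links, fragments):", chain_stats(fat, 2))
    print("file B (entries, links, fragments):", chain_stats(fat, 6))
```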

The High-Performance File System (HPFS)


HPFS is the same file system supported by OS/2. Windows NT provides no 
enhancements to the HPFS file system. It is typically used to ease the 
migration from OS/2 to Windows NT. 

HPFS Naming Conventions


The following rules must be observed when naming files on HPFS 
partitions: 
  *	HPFS supports long filenames up to 254 characters, with multiple 
	extensions. 
  *	The names preserve case, but are not case-sensitive. 
  *	Names can contain any characters (including spaces) except the 
	following: 

? " / \ < > * | : 

HPFS File System Considerations


The following considerations are important in implementing a HPFS file 
system: 
  *	HPFS files with long filenames are not visible to 16-bit Windows-based and 
	MS-DOS-based applications running under Windows NT, because short 
	filenames are not created automatically. 
  *	HPFS partitions are typically used to ease the migration from OS/2 to 
	Windows NT. 
  *	HPFS does not scale well to large drives. With drives larger than 400 
	MB, you might see some performance degradation. 
  *	HPFS has approximately 2 MB of overhead in system files. 
  *	An HPFS partition cannot be protected by the file or directory security 
	features of Windows NT. 

The following table describes some basic characteristics of the High 
Performance File System: 

Filename/Directory length  254
File Size                  4 GB (2^32 bytes)
Partition Size             2 TB theoretical (2^41 bytes); 7.8 GB actual (due to disk geometry)
Attributes                 *R, A, S, H and *Extended
Directories                *B-tree
Accessible Through         OS/2 and Windows NT


* R, A, S, H = Read-only, archive, system, hidden attributes 
* Extended = Allows additional attributes, which are represented as text 
strings and can be used arbitrarily by applications. These extended 
attributes could be icons for the file, the name of the associated 
application, and so on. 
* B-tree = The method in which HPFS searches for files. In a B-tree 
directory environment, the directory entries are stored alphabetically 
in the tree, and binary searches are used to search for the target file 
in the directory list. 

NT File System (NTFS)


NTFS is the preferred file system under Windows NT for a number of 
reasons, primarily security. However, there may be cases where it is 
necessary to use another file system on the same computer as Windows NT 
Workstation. If the computer will be running another operating system, 
at least one partition must be formatted with a file system supported by 
that operating system. Only Windows NT supports NTFS. 
  *	Another advantage of NTFS is that it has considerably larger partition 
	capacities than the other file systems. Under NTFS, a file can be up to 
	16 exabytes in size. 
  *	The minimum NTFS partition size is 5 MB. 

Design Goals of NTFS 


Here are some of the design goals of NTFS: 
  *	Provide improved reliability (desirable for high-end computers and file 
	servers). 
	  o	NTFS is a recoverable file system because it keeps track of transactions 
		against the file system. When CHKDSK is run on FAT or HPFS, the 
		consistency of pointers within the directory, allocation, and file 
		tables is checked. NTFS automatically logs all directory and file 
		updates. That information can be used to redo or undo operations that 
		failed because of a system failure, power loss, and so on. 
	  o	In addition, NTFS supports hot fixing. Hot fixing is a troubleshooting 
		technique: if an error occurs because of a bad sector on the hard disk, 
		the file system moves the information to a different sector and marks 
		the original sector as bad. This is done transparently to any 
		application performing disk I/O; the application never knows that there 
		was a problem with the hard drive. 
  *	Support the Windows NT security model, so that permissions and auditing 
	can be configured on files and directories. 
  *	Remove the file and partition size limitations of FAT and HPFS file 
	systems. NTFS supports much larger file and partition sizes than the 
	previous file systems. 
  *	Support POSIX requirements. 

NTFS is the most POSIX.1 compliant of the supported file systems because 
it supports the following POSIX.1 requirements: 
  *	Case-sensitive naming: under POSIX, README.TXT, Readme.txt, and 
	readme.txt are all different files. 
  *	Additional time stamp: the additional time stamp supplies the time at 
	which the file was last accessed. 
  *	Hard links: a hard link is when two different filenames, which can be 
	located in different directories, point to the same data. 

NTFS Naming Conventions


The following rules must be observed when naming NTFS files: 
  *	File and directory names can be up to 255 characters long, including 
	extensions. 
  *	Names preserve case, but are not case-sensitive. NTFS makes no 
	distinction between filenames based on case. 
  *	Names can contain any characters (including spaces) except the 
	following: 

? " / \ < > * | : 

NTFS File System Considerations


The following considerations are important in implementing an NTFS file 
system: 
  *	Recoverability is designed into NTFS so that users will not have to run 
	a disk repair utility on an NTFS partition. 
  *	NTFS provides security on files and directories, but no file encryption. 
  *	There is no way in which a deleted file can be undeleted on an NTFS 
	partition. 
  *	NTFS utilizes more system file overhead than FAT or HPFS. 
  *	The recommended minimum partition size for an NTFS partition is 50 MB 
	because of the overhead involved in using NTFS. 
  *	It is not possible to format a floppy disk with NTFS because of the 
	amount of overhead involved in NTFS. 
  *	Fragmentation is greatly reduced on NTFS partitions. NTFS always 
	attempts to locate a contiguous block of hard disk space large enough to 
	hold the entire file being stored. Once on the drive, if a file grows in 
	size, it could potentially become fragmented depending on the drive's 
	disk space usage. To un-fragment the file, copy the file to another 
	drive and copy it back to the original drive again. When it is copied 
	back to the original drive, NTFS will attempt to place it in a 
	contiguous block on the drive. 

The following table describes some basic characteristics of the NTFS 
File System. 

Filename/Directory length     255                                
File Size                     16 EB (2^64 bytes)                 
Partition Size                16 EB (2^64 bytes)                 
Attributes                    *Further extended                  
Directories                   B-tree                             
Accessible Through            Windows NT                         


* Further extended = additional attributes, such as the creation date and 
time as well as the last-modified date and time, maintained for files and 
directories 

Converting to NTFS


If you have existing hard disk partitions that are FAT or HPFS, and wish 
to benefit from the enhanced features of NTFS, it is possible to convert 
the existing partition(s) to NTFS. Converting a partition from FAT, or 
HPFS, to NTFS preserves all data on the partition, unlike formatting the 
partition, which destroys all data. Windows NT includes an executable 
that converts FAT or HPFS partitions to NTFS. To convert a FAT or HPFS 
partition to an NTFS volume use the CONVERT.EXE utility provided with 
Windows NT. Note that the conversion is a one-way process; there is no 
way to convert an NTFS volume to FAT or HPFS. 

File System Advantages and Disadvantages


Here's a summary of the advantages and disadvantages of each of the file 
systems. 

File System    Advantages                  Disadvantages                  
FAT            Low system overhead.        Using FAT with drives or       
               Best for drives and/or      partitions over 200 MB may     
               partitions under about 200  decrease performance.          
               MB.                         Cannot set permissions on      
                                           files or directories.          
HPFS           Best for drives in the      Not efficient for a volume of  
               200-400 MB range.           under 200 MB, because of       
               Attempts to avoid           overhead involved.             
               fragmentation by searching  Does not support Hot Fixing.   
               for a band that can hold    Cannot set file or directory   
               the entire file.            permissions on Windows NT      
                                           HPFS partitions.               
NTFS           Best for use on volumes of  Not recommended for use on     
               about 400 MB or more.       volumes smaller than 400 MB,   
               Recoverability              because of impact on           
               (transaction logging)       performance. Disk space        
               designed into NTFS is such  overhead ranges from 1 to 5    
               that a user should never    MB depending on size of the    
               have to run any sort of     partition.                     
               disk repair utility on an                                  
               NTFS partition.                                            
               It is possible to set                                      
               permissions on files and                                   
               directories.                                               


Long Filenames on FAT Partitions


Windows NT supports multiple file systems. As a result you need to 
consider the differences in naming structures when transferring files 
from one file system to another. 
For every long filename (LFN) created on a Windows NT 3.5 FAT 
partition, there is an auto-generated short filename. This short 
filename complies with the 8.3 naming convention for backwards 
compatibility and provides an "alias" for the long filenames. 
On FAT partitions, a LFN will take one directory entry for every 13 
characters plus another directory entry for its alias. For example, if a 
filename is 12 characters long, it will have one directory entry for the 
LFN and another for the alias. A 36-character LFN will take three 
directory entries for the LFN, plus another for its alias, for a total 
of four directory entries. A directory entry is the listing in File 
Manager or a DIR command that displays all files and directories. 
Directory entries are used to store the LFN. 
Each LFN entry has the following attributes: 
  *	Volume-a special attribute that designates the entry as a hard disk 
	partition, as opposed to a file or directory. 
  *	Read-Only-allows only read privileges. You cannot write to the file. 
  *	System-Identifies the file as a system file, not a normal user 
	accessible file. 
  *	Hidden-Prevents the file from appearing in the directory. 

No other MS-DOS filename entry will have all four of these attributes. A 
file may have RSH but would not also have a Volume attribute. 
Conversely, a Volume will not have RSH attributes. Having this special 
attribute combination should protect these entries from most disk 
utilities. 

8.3 Namespace Under Windows NT 3.5 NTFS and FAT


Under Windows NT 3.5, long filenames are converted to 8.3 names to 
create an alias for supporting MS-DOS-based clients. This conversion 
takes the first 6 characters of the long name and uses a ~number suffix 
to keep the name unique. For example, in the graphic below, My Term 
Paper A.doc becomes MYTERM~1.DOC and successive iterations would look 
like MYTERM~2.DOC, MYTERM~3.DOC, MYTERM~4.DOC. 
After the fourth file with the same first 6 characters, the naming 
convention changes. The fifth attempt will use the first two characters 
of the long name, but the next four will be generated by a hashing 
algorithm. For example, after the fourth attempt, My Term Paper E.doc 
becomes MY0F58~5.DOC. Notice the last two characters are "~5". Only when 
the hashing of the middle 4 characters fails to produce a unique name 
will the ~5 be incremented to a ~6 and so on. This method is used on 
both NTFS and FAT partitions to create aliases for long filenames. 
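As an added example that is not part of the original document, the Python below reproduces the two bookkeeping rules described above: the number of FAT directory entries a long filename consumes (one per 13 characters plus one for the alias) and the 8.3 alias scheme (first six characters with ~1 to ~4, then two characters plus a four-character hash with ~5 and up). The text does not say which hashing algorithm Windows NT uses, so four hex digits derived from CRC-32 stand in for it here; that part, and all function names, are this example's own assumptions.

```python
import zlib

# Characters that may not appear in an 8.3 name; they (and spaces) are dropped
# when the alias is built.
_ILLEGAL_83 = set('?"/\\<>*|: ')


def fat_lfn_directory_entries(long_name: str) -> int:
    """Directory entries consumed by a long filename on a Windows NT 3.5 FAT
    partition: one LFN entry per 13 characters (rounded up) plus one entry
    for the 8.3 alias."""
    lfn_entries = -(-len(long_name) // 13)      # ceiling division
    return lfn_entries + 1


def _clean(part: str) -> str:
    """Upper-case a name component and strip characters an 8.3 name cannot hold."""
    return ''.join(ch for ch in part.upper() if ch not in _ILLEGAL_83)


def _hash4(long_name: str) -> str:
    # ASSUMPTION: the text does not say which hash NT uses, so four hex digits
    # derived from the CRC-32 of the long name stand in for it here.
    return format(zlib.crc32(long_name.encode('utf-8')) & 0xFFFF, '04X')


def make_alias(long_name: str, existing: set) -> str:
    """Return an 8.3 alias for long_name that does not collide with `existing`
    (upper-case aliases already present in the directory), following the
    scheme described for Windows NT 3.5: the first six characters of the base
    name with ~1..~4, then two characters plus a four-character hash with ~5
    and, only on a further collision, ~6 and so on."""
    base, dot, ext = long_name.rpartition('.')
    if not dot:                                  # no extension at all
        base, ext = long_name, ''
    base = _clean(base).replace('.', '')         # extra dots never reach the alias
    ext = _clean(ext)[:3]
    ext_part = '.' + ext if ext else ''
    for n in range(1, 5):
        candidate = f"{base[:6]}~{n}{ext_part}"
        if candidate not in existing:
            return candidate
    n = 5
    while True:
        candidate = f"{base[:2]}{_hash4(long_name)}~{n}{ext_part}"
        if candidate not in existing:
            return candidate
        n += 1


def populate(long_names) -> dict:
    """Assign aliases to a sequence of long names as if they were created in
    order in one directory; returns {long_name: alias}."""
    taken, result = set(), {}
    for name in long_names:
        alias = make_alias(name, taken)
        taken.add(alias)
        result[name] = alias
    return result


if __name__ == "__main__":
    # Constructed sample: five term papers whose first six characters collide.
    names = [f"My Term Paper {c}.doc" for c in "ABCDE"]
    for long_name, alias in populate(names).items():
        print(f"{long_name!r:24} -> {alias:12} "
              f"({fat_lfn_directory_entries(long_name)} FAT directory entries)")
```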

Long and Short Filename Creation Considerations


If you are using HPFS, it is important to note that HPFS does not 
automatically generate short filenames. As a result, MS-DOS- and Windows 
3.x-based applications will not be able to access files with long names 
on an HPFS partition, and DIR /X will display a blank column where the 8.3 
character-length filename is normally listed. 
By creating 8.3 character-length filenames for files, NTFS and FAT allow 
Windows 3.x- and MS-DOS-based applications to recognize and load these 
files even though they have long filenames. 

Using COPY and XCOPY with Long Filenames


By default, COPY and XCOPY attempt to copy a file using its long 
filename. Therefore, when copying a file with a long filename from 
either HPFS or NTFS to FAT, the following error will occur if FAT long 
filenames are turned off: 
The filename, directory name, or volume label syntax is incorrect. 
When using COPY or XCOPY to copy from an NTFS partition to a FAT 
partition, consider using the /n switch. This switch will have COPY or 
XCOPY use the short 8.3 NTFS generated filename when copying the file 
from an NTFS partition. When trying to copy a file from an HPFS 
partition, the file will have to be renamed when copying to a FAT 
partition that has long filenames turned off, since HPFS does not 
generate short filenames. 

Case Sensitive Filenames


NTFS supports case sensitive names, a requirement of POSIX. However, 
MS-DOS, Win16, OS/2, and the Win32 application programming interface 
do not currently support case sensitive naming. Therefore, any 
applications running in any of these environments may be confused by 
files with case sensitive names. 

Using Disk Administrator


Disk Administrator is a graphical tool for managing hard disk drives. 
This tool encompasses and extends the functionality of character-based 
disk management tools, such as MS-DOS Fdisk and the Microsoft LAN 
Manager local area network software Fault Tolerance character 
applications, into one graphical interface. Primarily, it is used to set 
up, configure, and organize the system's hard disk(s) to function more 
efficiently. 
Disk Administrator displays the system's disk resources through a status 
bar and legend. This legend can be customized by colors and patterns to 
display disk regions and types of disk usage. 

Creating and Formatting Partitions


Disk Administrator provides a simple way to manage disks by providing 
administrators the capability to create, format, and delete partitions 
within a graphical application. 
As you recall, partitioning the hard disk on a new computer is performed 
during initial setup when you install Windows NT. After Windows NT is 
installed, use Disk Administrator to make changes to the computer's hard 
disks or to partition a new hard disk. 
Keep in mind that a disk must be partitioned before it can be formatted 
with a file system. Disk partitions are a portion of a physical disk 
that functions as if it was a physically separate unit. For example, one 
hard disk could be partitioned to function as if it were two disks. 
------------------------------------------------------------------------

Windows NT Resource Security Model


Windows NT protects its resources, including files, printers, and 
applications, by controlling access to them. For a resource to be 
protected or secured, the resource must be accessible to authorized 
users and inaccessible to unauthorized users. There are two basic 
approaches to resource security. One method associates an access code 
with each resource. Any user who knows the code receives access. Another 
method associates users with resources. Any user that is granted 
permission to the resource receives access. In Windows NT, users are 
associated with a resource. 

Windows NT Objects


All Windows NT resources are represented as objects that can be accessed 
only by authorized Windows NT services and users. An object in Windows 
NT is defined as a set of data used by the system, and the set of 
actions that manipulate that data. For example, a file object consists 
of data stored in a file and a set of functions that allow you to read, 
write, or delete data in that file. This definition can be applied to 
any object used by the system, including memory, printers, or processes. 

Everything in Windows NT is represented to the operating system as an 
object. The following are examples of Windows NT objects: 
  *	Directories 
  *	Symbolic links 
  *	Printers 
  *	Processes 
  *	Network shares 
  *	Ports 
  *	Devices 
  *	Windows 
  *	Files 
  *	Threads 

Access Control Lists


All functions used to access an object (for example, open a file) are 
directly associated with a specific object. In addition, the users and 
groups that are permitted to use the function are also associated with 
the object. Only users with the appropriate rights are allowed to use 
functions on an object. As a result, functions from one process cannot 
access objects that belong to another process. This characteristic of 
objects provides built-in security. Access to each object is controlled 
through an Access Control List (ACL). 
The ACL contains the user (and group) accounts that have access and 
permissions to the object. When a user wants to access an object, the 
system checks the user's security identifier and group memberships with 
the ACL to determine whether or not this user is allowed to complete the 
request. 

Access Control Entries 


Every user of the system needs to have a user account which can be added 
to resource access control lists. This includes applications and 
services which need to access resources as well as people. When an 
administrator grants access to a resource, the user account is added to 
the ACL for that resource along with any specific permissions. For 
example User-1 has read permissions to a file, while User-2 has read, 
write, and delete permissions to the same file. 
These ACL entries are called Access Control Entries (ACEs). Each entry 
identifies a user or group and the permissions that have been granted or 
denied for the object. An ACE is added to the ACL for each user or group 
that is granted or denied access to an object. 
Entries that deny access are listed first in the ACL, and entries that 
permit access will be listed next. The only time this order is changed 
is if a company has written their own application that edits the ACL of 
a resource. In this case, they can place the ACE anywhere in the ACL 
they wish. 

Securing Access to Resources


Access to resources begins with the user logging on. Windows NT requires 
that users log on before they can access any resources. When a user 
successfully logs on, he or she receives an access token that remains 
with the user process until logging off. Each time the user attempts to 
access a resource, the access token is compared to the resource ACL to 
determine whether access is granted or denied. 

Mandatory Logon


Windows NT requires each user to provide a unique username and password 
to log on to a computer. This mandatory logon process cannot be 
disabled. 
When a user logs on to Windows NT, the security subsystem creates an 
access token for the user. The access token includes information such as 
the user's name and the groups to which the user belongs. Access to the 
system is allowed after the user has received this access token. For as 
long as a user is logged on to a system, they are identified to the 
system by this access token. 

Access Tokens


When a user's process attempts to access any object, Windows NT checks 
the user ID and list of groups in the user process's access token 
against the object's Access Control List (ACL). This check determines if 
the user is granted the requested access to the object. The access token 
is permanently attached to each of the user's processes and serves as 
the process's "identity card" whenever it attempts to use system 
resources. Access tokens are objects and have attributes and services 
just like any other system object. 

Security IDs


Even though user and group identifications are represented here as 
names, the computer actually stores this information as a security 
identifier (SID) and group security identifiers (group SIDs). A SID is a 
unique identifier used to represent a user, group, or some type of 
security authority. SIDs are used within access tokens and ACLs instead 
of usernames or group names. A SID is represented as a unique number, 
such as: 
S-1-5-21-76965814-1898335404-322544488-1001 
The result of identifying users by SIDs is that the same user account 
name may have been created multiple times on the same computer, but each 
instance of the account name will have a unique SID. For example, you 
have a user account for User-1. If you delete this account and create a 
new account for User-1 using the same name, the new account will not 
have access to the same resources as the old account. This is a result 
of the SID being different, even when the account name is the same. 

Checking Permissions


Windows NT compares the information in the access token to the 
information in the ACL to determine whether or not access should be 
granted. When a user attempts to access a resource on the system, the 
security subsystem compares the user's access token to the ACL to 
validate or deny the requested permission to the resource. It goes 
through the following steps: 
1. Starting at the top of the ACL, it checks each Access Control Entry 
(ACE) to see if it explicitly denies the user (or any of the groups that 
appear in the user's access token) the type of access that is being 
requested. 
2. It checks to see if the type of access requested has been explicitly 
granted to the user or any of the groups in the user's access token. 
3. It repeats step 1 and 2 for each entry in the ACL until either it has 
encountered a deny, or until it has accumulated all the necessary 
permissions to grant the requested access. 
4. If neither a deny nor a grant appears in the ACL for each of the 
requested permissions, the user will be denied access. 

Optimizing Permission Checking


When Windows NT grants access to an object, what it really does is give 
the user's process a pointer (handle) to the object. A handle is an 
identifier used internally by the system to identify and access a 
resource. The system also creates a list of allowed permissions called 
the list of granted access rights. This information is then stored in 
the user's process. 
In this way, an ACL is only checked when the object is initially opened. 
Subsequent actions performed on an opened object are checked against the 
list of granted access rights that have been stored in the user's 
process table for that handle. 
------------------------------------------------------------------------

Windows NT Network Architecture


A significant difference between the Microsoft Windows NT operating 
system and other operating systems is that networking capabilities are 
built into Windows NT. With MS-DOS, Windows 3.x, and OS/2, networking 
was added on top of the operating system. By providing both client and 
server capabilities within Windows NT, your computer is able to 
participate with other network computers to share files, printers, and 
applications. A Windows NT-based computer can participate as either a 
client or server in a distributed application environment, as well as in 
a peer-to-peer networking environment. 
Windows NT provides the ability to interoperate in many different 
network environments simultaneously from a single Windows NT computer. 
The following networking environments are supported by Windows NT: 
  *	Microsoft networks, including Windows NT Server 3.5, Windows NT 3.1, 
	Windows for Workgroups, LAN Manager, and other networks based on the 
	Microsoft Networks local area network operating system. 
  *	Novell NetWare 
  *	Transmission Control Protocol/Internet Protocol (TCP/IP) hosts 
	(including UNIX environments) 
  *	Apple Macintosh AppleTalk 
  *	Remote Access clients 

Components and Interfaces


To support this diverse network interoperability, Windows NT provides 
modular network components. This means a network component, such as a 
network protocol, can be replaced with a newer version without affecting 
the networking components. In addition, new components can be integrated 
with the default networking components to provide increased 
interoperability with other networking operating systems. 
Windows NT networking components can be organized into three categories: 
file system drivers, transport protocols, and network adapter card 
drivers. Each plays a distinctive role. 
These components communicate with each other through interface layers 
known as boundary layers. Boundary layers translate data into a format 
the receiving component understands. The boundary layers include 
programming interfaces, the Transport Driver Interface (TDI), and NDIS 
3.0. 

Network Components and OSI


The Windows NT networking components and the boundary layers can be 
compared to the seven-layer OSI model. 
File system drivers access system resources, such as an I/O call to an 
NTFS partition or a network file. They operate at the Application and 
Presentation layer of the OSI model, receiving input from user mode 
applications. FAT, HPFS, and NTFS each have their own file system driver 
for local file partitions. In addition, there are several file system 
drivers for use in a network environment. 
Transport protocols define the rules governing communications between 
two computers. They operate at the Data Link layer and typically cover 
responsibilities up to the Session layer in the OSI model. Each 
transport protocol has advantages and disadvantages in its 
implementation, although it is possible to install and run several 
protocols at once. 
Network adapter card drivers coordinate communication between the network 
adapter card and the computer's hardware and software. For every network 
adapter card, there is a network adapter card driver. These drivers must 
be NDIS 3.0 compliant to operate with Windows NT. Network adapter card 
drivers operate at the Media Access Control sublayer while the card 
itself represents the Physical layer of the OSI model. 

Boundary Layers


A boundary is the unified interface between the layers in the Windows NT 
network architecture model. Creating boundaries as a breakpoint in the 
network layers helps open the system to outside development. It makes it 
easier for vendors to develop network drivers and services, since the 
functionality that must be implemented between the layers is well 
defined. Vendors only need to program between the boundary layers 
instead of writing to the entire OSI model. Boundary layers eliminate 
the need for rewriting software written for adjacent layers by allowing 
software to be mixed and matched. 

Programming Interfaces


Programming interfaces provide a means of communicating over the 
network. There are several programming interfaces available. Windows NT 
supports NetBIOS, Windows Sockets, Remote Procedure Calls, and Network 
Dynamic Data Exchange (NetDDE). 

Transport Driver Interface (TDI)


The TDI boundary layer provides a common interface for a file system 
driver, such as a redirector or server, to communicate with the various 
network transports. This allows redirectors and servers to remain 
independent from transports. 

NDIS 3.0 (Network Driver Interface Specification)


The NDIS 3.0 boundary layer provides the interface to the NDIS wrapper 
and network adapter card drivers. All transport protocols call the NDIS 
interface to access network adapter cards. 
NDIS (Network Driver Interface Specification) is a standard that allows 
for multiple network adapters and multiple protocols to coexist in a 
single computer. NDIS permits the high-level protocol components to be 
independent of the network interface card by providing a standard 
interface. 
The network adapter card driver is at the very bottom of the Windows NT 
network architecture. Since Windows NT supports NDIS 3.0, it requires 
network adapter card drivers written to the NDIS 3.0 specification. NDIS 
3.0 allows an unlimited number of network adapter cards in a computer 
and an unlimited number of protocols that can be bound to a single 
adapter card. 
Boundary layer components are examples of the modular Windows NT network 
components. 

Components Built into Windows NT


At the center of the Windows NT networking environment are the 
components that provide the user with the ability to create and access 
resources across the network. 
Windows NT networking components, from the bottom layer going up, 
include: 
  *	Transport protocols (DLC, NetBEUI, NWLink IPX/SPX, and TCP/IP). 
  *	File System Drivers. 
	  o	Named pipes (NPFS) and mailslots (MSFS) provide inter-process 
		communication (IPC) over a network. 
	  o	The Server (SRV) and Workstation (RDR) services provide file and print 
		sharing. The Server allows resources to be made available on a network 
		and the Workstation provides the ability to access network resources. 
  *	Programming Interfaces (NetBIOS, Windows Sockets, RPC, NetDDE). 
  *	The Multiple UNC Provider (MUP) and Multi-Provider Router (MPR). The UNC 
	and the MUP make it possible to write applications that use a single API 
	to communicate on the network using any network vendor's redirector. 
	These are helper components which determine which file system driver to 
	use when a network request is made. 

Windows NT Network Protocols


Above the NDIS wrapper are the transport protocols. Windows NT ships 
with four transport protocols: NWLink, TCP/IP, NetBEUI, and DLC. 

NetBEUI


NetBEUI stands for NetBIOS Extended User Interface and was first 
introduced by IBM in 1985. NetBEUI was developed for small departmental 
LANs of 20 to 200 computers. It was assumed that these LANs would be 
connected by gateways to other LAN segments and mainframes. NetBEUI's 
primary disadvantage is that it cannot be routed, so it must be 
connected using bridges and not routers. As such, it is primarily used 
in a local area network consisting of mainly Microsoft clients and 
servers, including LAN Manager. 

NWLink IPX/SPX


NWLink is an IPX/SPX-compatible protocol for Windows NT. It can be used 
to establish connections between Windows NT-based computers and MS-DOS-, 
OS/2-, Windows-, or other Windows NT-based computers through a variety 
of communication mechanisms. It is often used in environments that 
consist of both Microsoft and Novell networks, in which the Microsoft 
clients need access to resources on NetWare file servers. 
NWLink is simply a protocol. By itself, it does not allow a Windows NT 
computer to access files or printers on a NetWare server, or to act as a 
file or print server to a NetWare client. To access files or printers on 
a NetWare server, you must use a redirector, such as Microsoft Client 
Service for NetWare (CSNW) or Novell NetWare Client for Windows NT. 

TCP/IP


TCP/IP stands for Transmission Control Protocol/Internet Protocol and is 
an industry-standard suite of protocols designed for wide-area 
networking. It was developed in 1969, resulting from a Defense Advanced 
Research Projects Agency (DARPA) research project on network 
interconnection. TCP/IP is commonly used in wide area networks that 
consist of a variety of network hosts. 
DARPA developed TCP/IP to connect its research networks together. This 
combination of networks continued to grow and now includes many 
government agencies, universities, and corporations. This global wide 
area network is referred to as the Internet. 
In Windows NT, TCP/IP allows users to connect to the Internet as well as 
any machine running TCP/IP and providing TCP/IP services. 

DLC


DLC stands for Data Link Control. Unlike the other protocols in Windows 
NT (NetBEUI, NWLink IPX/SPX, TCP/IP), the DLC protocol is not designed 
to be a primary protocol for use between personal computers, as it does 
not provide a NetBIOS interface. DLC only provides applications with 
direct access to the data link layer, and thus is not used by the 
Windows NT redirector. Since the redirector cannot use DLC, this 
protocol is not used for normal session communication between Windows 
NT-based computers. 
DLC only needs to be installed on computers performing the above tasks 
and not on the other computers on the network. An example would be a 
print server sending data to a network HP printer. Client computers 
sending print jobs to the network printer do not need to be using the 
DLC protocol, only the print server communicating directly with the 
printer needs the DLC protocol installed. 

IPC Mechanisms for Distributed Processing


In distributed computing, the computing task is divided into two 
sections, a client component and a server component. The goal is to move 
the actual application processing from the client computer to a server 
system with the power to run large applications. Windows NT-based 
computers can perform the role of either the client or the server for 
distributed application support. 

IPC Client


The client component of a client-server application is typically the 
user interface for the application. It runs on the client computer and 
uses less computing power than the server component, but it depends on 
the network to carry its requests to, and the results back from, the 
server component. 

IPC Server


The server component of a client-server application typically requires 
larger amounts of data storage, computing power, or specialized 
hardware. It includes operations such as database lookups and updates, 
or mainframe data access. 

Interprocess Communication (IPC) Mechanisms


There must be a network connection between the client and server 
portions of distributed applications that allows data to flow in both 
directions. There are a number of different ways to establish this 
connection. Windows NT provides several different Interprocess 
Communication (IPC) mechanisms. Included are: 
  *	Named Pipe File System (NPFS) 
  *	Mailslot File System (MSFS) 
  *	NetBIOS 
  *	Windows Sockets 
  *	Remote Procedure Calls (RPC) 
  *	Network Dynamic Data Exchange (Net DDE) 

Named Pipes


Named pipes provide connection-oriented messaging services that allow 
applications to exchange data over the network. Windows NT provides a 
special application programming interface (API) which increases security 
when using named pipes. One feature added to named pipes is 
impersonation. When using impersonation, the server thread takes on the 
security context (access token) of the client at the other end of the 
connection. For example, suppose a database server system uses named 
pipes to receive read and write requests from clients. When a request 
comes in, the database server program can impersonate the client before 
attempting to perform the request. Thus, if the client does not have the 
authority to perform the function, the request is denied, even though 
the server program itself might have the permissions to complete the 
task. Two caveats apply: the client decides, when it opens the pipe, how 
far the server is allowed to impersonate it, and the server must revert 
to its own security context once the request is finished so that one 
client's identity is not carried over into work done for another. 

Mailslots


Mailslots provide connectionless messaging services on a local area 
network. Windows NT implements second-class mailslots: unreliable 
datagrams, usually broadcast, that carry no authentication of the 
sender. They are used most commonly for the following: 
  *	Registration of computer, workgroup or domain, and user names on the 
	network 
  *	The Computer Browser service 
  *	Sending broadcast messages to computers or users 

Programming Interfaces


The following programming interfaces provide communication between user 
mode applications and file system drivers. 

NetBIOS


NetBIOS is a standard programming interface in the personal computer 
environment for developing client-server applications. NetBIOS has been 
used as an IPC mechanism since the introduction of the interface in the 
early 1980s. From a programming perspective, higher level interfaces 
such as named pipes and RPC are superior in their flexibility and 
portability. 
A NetBIOS client-server application can communicate over various 
protocols: NetBEUI protocol (NBF), NWLink NetBIOS (NWNBLink), and 
NetBIOS over TCP/IP (NetBT). 
The NetBIOS interface provides the mapping layer between NetBIOS 
applications and the TDI-compliant protocols. 

Windows Sockets


The Windows Sockets API provides a standard Windows interface to many 
transports with different addressing schemes, such as TCP/IP and IPX. 
The Windows Sockets API was developed to accomplish two things. One was 
to migrate the sockets interface, developed at the University of 
California, Berkeley in the early 1980s, into the Windows and Windows NT 
environments. The other was to help standardize an API for all 
platforms. Windows NT provides Windows Sockets support on both NWLink 
and TCP/IP transport protocols. 

Remote Procedure Calls (RPC)


The RPC mechanism can use other IPC mechanisms to establish 
communications between the computers on which the client and the server 
portions of the application reside. If the client and server are on the 
same computer, the Local Procedure Call (LPC) mechanism can be used to 
transfer information between processes and subsystems. This makes RPC 
the most flexible and portable IPC choice. 
The components of the remote procedure call mechanism are: 
  *	Remote procedure stub-Packages the remote procedure call to be sent 
	to the server by means of the RPC runtime. 
  *	RPC runtime-Responsible for communications between the local and 
	remote computer, including the passing of parameters. 
  *	Application stub-Accepts RPC requests from the RPC runtime, unwraps 
	the package, and makes the appropriate call to the remote procedure. 
  *	Remote procedure-The actual procedure that is called over the network. 

The remote procedure call facility provided in Windows NT is compatible 
with the Open Software Foundation's (OSF) Distributed Computing 
Environment (DCE) RPC specification. Windows NT computers can use RPC to 
interoperate with any other systems that support this standard. 

Network Dynamic Data Exchange (Net DDE)


NetDDE provides information sharing capabilities by opening two one-way 
pipes between applications. NetDDE is an extension of Dynamic Data 
Exchange (DDE) that can be used between two computers across the 
network. 
By default, the NetDDE services are not started automatically. They can 
be started using the Services option in Control Panel. 

File and Print Sharing Components


The ability to use and share file and print resources is accomplished 
primarily by two Windows NT components: the Workstation service 
(redirector, RDR) and the Server service (SRV). Each runs as a 32-bit 
service and has a kernel-mode File System Driver (FSD) behind it, 
RDR.SYS and SRV.SYS respectively. There is an FSD for each of the local 
file systems (FAT, HPFS, NTFS, CDFS) as well as for the Workstation and 
Server services. 

The Workstation Service


The Workstation service of a Windows NT computer allows that computer to 
access resources on the network, including the ability to log on to a 
domain, connect to shared directories and printers, and use 
client-server applications over the network. 
All user-mode network requests go through the Workstation service. This 
service consists of two components: 
  *	The user-mode interface (such as File Manager connections or net use 
	commands). 
  *	The redirector (RDR.SYS)-The redirector provides file system and print 
	service translation to access remote drives and printers. 

Workstation Service Dependencies


The Workstation service is dependent on the following components: 
  *	A protocol that exposes the TDI interface at its top level must be 
	started for the Workstation service to load. 
  *	Multiple Universal Naming Convention Provider (MUP) 

The Workstation Service (Redirector) as a File System Driver 


The redirector is a component through which one computer gains access to 
another computer. The Windows NT redirector allows connection to Windows 
NT, Windows for Workgroups, LAN Manager, LAN Server, and other Microsoft 
Networks servers. The redirector communicates to the protocols via the 
TDI interface. 

Accessing a Remote File


When a process on a Windows NT computer tries to open a file that 
resides on a remote computer, the following steps occur: 
  *	The process calls the I/O Manager to request that the file be opened. 
  *	The I/O Manager recognizes that the request is for a file on a remote 
	computer, so it passes it to the redirector file system driver. 
  *	The redirector passes the request to lower-level network drivers that 
	transmit it to the remote Server for processing. 

The Server Service


The Windows NT Server service allows a Windows NT computer to create and 
secure shared resources, such as directories and printers, and to 
function as a server in a client-server application. Like the 
redirector, the Server service is implemented as a file system driver 
and directly interacts with various other file system drivers to satisfy 
I/O requests such as reading or writing to a file. 
The Server service processes the connections requested by client 
redirectors, and provides them with access to the resources they 
request. Like the Workstation service, the Server service is composed of 
two parts: 
  *	Server service-A service that runs in the SERVICES.EXE process. 
	Unlike the Workstation service, it is not dependent on the MUP, since 
	the Server is not a UNC provider. It does not attempt to connect to 
	other computers; other computers connect to it. 
  *	SRV.SYS-A file system driver that handles the interaction with the 
	lower layers and interacts directly with the various file system 
	drivers to satisfy requests such as file read and write. 

Multiple Universal Naming Convention Provider (MUP)


It is possible to have more than one redirector installed on the system 
for use with other network operating systems such as NetWare. 
Applications reside above the redirector and server services in user 
mode. Like all other layers in the Windows NT networking architecture, 
there is a single unified interface to access network resources, 
independent of the redirector(s) installed on the system. This is done 
through two components: MUP and the Multi-Provider Router (MPR). 
The MUP provides a communication link between applications that make UNC 
calls and the redirectors installed on the system. The MUP is a 
component that finds out which redirector should receive a UNC call from 
an application. 
The MPR provides a communication link between applications that make 
Win32 Network API calls and the redirectors installed on the system. 
When applications make I/O calls containing UNC names, these requests 
are passed to MUP. MUP selects the appropriate UNC provider (redirector) 
to handle the I/O request. 

Universal Naming Convention (UNC) Names


The UNC is a naming convention for describing network servers and share 
points on those servers. UNC names start with two backslashes followed 
by the server name. All other fields in the name are separated by a 
single backslash. A typical UNC name would appear as: 

\\server\share\subdirectory\filename 


Not all of the components of the UNC name need to be present with each 
command; only the server and share components are required. For example, 
dir \\server\share can be used to obtain a directory listing of the root 
of the specified share. 
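The following parser is an added example, not code from the original 
page. It applies the naming rules stated above: two leading backslashes, 
then the server name, then the share name (both required), then zero or 
more path components separated by a single backslash, with the root of 
the share selected when no path follows. The 15-character limit on the 
server name (the NetBIOS computer-name length) and the set of characters 
rejected in a name are assumptions added for illustration, not rules 
taken from this page. 

```python
"""UNC name parser following the rules given above (added example).

Assumptions not taken from the page: the 15-character NetBIOS limit on the
server name and the set of characters rejected in server and share names."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption: characters that cannot appear in a computer name or share name.
FORBIDDEN = set('\\/:*?"<>|')
NETBIOS_NAME_MAX = 15  # assumption: NetBIOS computer names are at most 15 characters


@dataclass(frozen=True)
class UncName:
    server: str
    share: str
    path: Tuple[str, ...]  # empty when the name refers to the root of the share

    def __str__(self) -> str:
        return "\\\\" + "\\".join((self.server, self.share) + self.path)


def _check_name(kind: str, value: str, max_len: Optional[int]) -> None:
    if not value:
        raise ValueError(f"{kind} name is required")
    if max_len is not None and len(value) > max_len:
        raise ValueError(f"{kind} name longer than {max_len} characters")
    bad = FORBIDDEN & set(value)
    if bad:
        raise ValueError(f"{kind} name contains forbidden characters: {sorted(bad)}")


def parse_unc(name: str) -> UncName:
    """Split \\\\server\\share\\sub\\file into its parts, or raise ValueError."""
    if not name.startswith("\\\\"):
        raise ValueError("a UNC name must start with two backslashes")
    parts = name[2:].split("\\")
    if len(parts) < 2:
        raise ValueError("share name is required")
    server, share, *rest = parts
    _check_name("server", server, NETBIOS_NAME_MAX)
    _check_name("share", share, None)
    if rest and rest[-1] == "":      # allow a single trailing backslash: \\server\share\
        rest.pop()
    if any(component == "" for component in rest):
        raise ValueError("empty path component (doubled backslash)")
    return UncName(server, share, tuple(rest))


def is_valid_unc(name: str) -> bool:
    """Convenience wrapper: True if parse_unc() accepts the name."""
    try:
        parse_unc(name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample names, valid and invalid.
    for sample in (r"\\server\share\subdirectory\filename", r"\\server\share",
                   r"\\server\share\\", r"\server\share", r"\\\share", r"\\server"):
        try:
            u = parse_unc(sample)
            print(f"{sample!r:45} -> server={u.server} share={u.share} path={u.path}")
        except ValueError as exc:
            print(f"{sample!r:45} -> rejected: {exc}")
```

Any code that builds UNC names from user input should reject what this 
parser rejects before handing the name to the redirector, rather than 
relying on the remote server to sort out malformed names. 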

Why MUP?


One of the major design goals for networking in the Windows NT 
environment was to provide a uniform platform upon which vendors could 
build networking services. MUP is a vital part in allowing multiple 
redirectors to coexist in the computer at the same time. MUP frees 
applications from maintaining UNC provider listings themselves. This 
allows a client computer to have multiple redirectors loaded, and to use 
File Manager to browse and access network resources without having to 
provide a unique syntax to each network redirector. 

The Multi-Provider Router (MPR)


The MPR provides a communication layer between applications that make 
Win32 Network API calls and the redirectors installed on the system. 
Not all programs use UNC names in their I/O requests. Some applications 
use WNet APIs (which are the Win32 network APIs). The Multi-Provider 
Router (MPR) was created to support these applications. 
MPR is very much like MUP. This layer receives WNet commands, determines 
the appropriate redirector, and passes the command to that redirector. 
Since different network vendors will use different interfaces for 
communicating with their redirector, there is a series of provider DLLs 
between the MPR and the redirectors. The provider DLLs expose a standard 
interface so that MPR can communicate with the provider, and they know 
how to take the request from MPR and communicate it to their 
corresponding redirector. 
The provider DLLs are supplied by the network vendor that wrote the 
redirector and should be installed automatically when the redirector is 
installed. 
------------------------------------------------------------------------

Introduction to the Browser Service


To efficiently share resources across a network, users should be able to 
find out what resources are available. Windows NT provides the Computer 
Browser service to display a list of currently available resources. 
The Microsoft Windows NT Computer Browser service provides a centralized 
location for a list of available network resources. This list is 
distributed to specially assigned computers that, along with their other 
normal services, perform browsing services. "Browser" computers 
eliminate the need for all computers to maintain a list of all shared 
resources on the network. The Browser service lowers the amount of 
network traffic needed to build and maintain a list of all shared 
resources on the network by assigning the browser role to specific 
computers. This also frees the CPU time each computer would have had to 
use creating a network resource list. 

Browser Server Roles


The responsibility of providing a list of network resources to clients 
is distributed among multiple computers on a network. The Browsing roles 
of these computers are known to the Browser service as Potential 
Browser, Master Browser, Backup Browser, and Browser Clients 
(Non-Browsers). Both Windows NT 3.5 Workstations and Windows NT 3.5 
Server computers can perform any of these roles. These computers collect 
and maintain a list of available network resources. These roles are 
defined below: 

Master Browser


The Master Browser is the computer that maintains the master copy of the 
network resource list, and is responsible for collecting the information 
used to create the list. It is also responsible for distributing the 
browse list to the Backup browsers. 

Preferred Master Browser


An administrator can configure a specific computer to be the Preferred 
Master Browser. When this computer is started, it will designate itself 
as the Master Browser for the domain or workgroup. If there is already a 
Master Browser, and other computers are up and running in the workgroup 
before this one was turned on, the Preferred Master Browser forces an 
"election." The election process ensures that there will only be one 
Master Browser per workgroup or domain and results in the Preferred 
Master Browser assuming the role of the Master Browser. A Preferred 
Master Browser will not win an election over a Primary Domain Controller 
as a PDC always functions as the Master Browser of the domain. More 
about the election process is covered later in this chapter. 

Backup Browsers


A Backup Browser is a computer that receives a copy of the network 
resource list from the Master Browser. It then distributes the list to 
the Browser clients upon request. 

Potential Browser


A Potential Browser is a computer that is capable of maintaining a 
network resource (browse) list, but will not do so unless instructed to 
by a Master Browser. 

Non-Browser


A Non-Browser is a computer that has been configured so that it will not 
maintain a network resource (browse) list. Client computers are commonly 
Non-Browsers. 

The Browse Process


The Windows NT Computer Browser service operates in the following 
manner: 
1. After startup, all computers that are running the Server service 
announce their presence to the Master Browser in their workgroup or 
domain. This happens regardless of whether they have shared resources to 
advertise. 
2. The first time a client computer attempts to locate available network 
resources, it contacts the Master Browser for the domain or workgroup 
for a list of Backup Browsers. 
3. The client then requests the network resource list from a Backup 
Browser. 
4. The Backup Browser responds to the requesting client with a list of 
domains and workgroups and the list of servers local to the client's 
domain or workgroup. 
5. The user at the client either selects a local server or a domain or 
workgroup to view available servers. 
6. Finally, the user selects the appropriate server and the desired 
resource on it; the client then contacts that server to establish a 
session and use the resource. 
For example, a Windows NT Workstation computer that belongs to a domain 
is turned on (Step 1). A domain user logs on to the domain and starts 
File Manager. The user chooses the Connect Network Drive button on the 
toolbar and sees "Working..." in the Shared Directories box (Steps 2, 3, 
and 4). The user sees a list of workgroups and domains and selects the 
domain to expand the list of computers (Step 5). Then the user selects 
one of the computers and expands a list of available shared directories 
on that computer (Step 6). 

Browser Criteria


Browser criteria are the means by which the hierarchical order of the 
different types of computer systems in a workgroup or domain is 
determined. Each Browser computer has certain criteria, depending on the 
type of system it is. The criteria include: 
  *	The operating system 
  *	The operating system version 
  *	Its current role in the browsing environment 

The criteria ranking is used during an election. An election is used as 
a "voting" process in determining which computer should be the Master 
Browser in the event the current Master Browser is determined 
unavailable. 

The Browser Election Process


The election process ensures that only one Master Browser exists per 
workgroup or domain. An election is initiated by a computer when any of 
the following occurs: 
  *	A client computer cannot locate a Master Browser. 
  *	A Backup Browser attempts to update its network resource list and cannot 
	locate the Master Browser. 
  *	A computer that has been designated as a Preferred Master Browser comes 
	online. 

Any of these computers can initiate an election by broadcasting a 
special packet called an election packet. This election packet contains 
that requesting computer's criteria value. All Browsers will receive the 
election packet. When a Browser receives an election packet, the Browser 
examines the packet and compares the requesting computer's criteria 
value with its own election criteria. If the receiving Browser has 
better election criteria than the issuer of the election packet, the 
Browser will issue its own election packet and enter what is referred to 
as an "election in progress" state. This process will continue until a 
Master Browser is elected, based on having the highest ranking criteria 
value. 
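The simulation below is an added example and not code from the original 
page; it does not reproduce the on-the-wire election datagram. It applies 
the rules this section and the Preferred Master Browser section state: a 
PDC always wins, a Preferred Master Browser wins when everything else is 
equal, the remaining criteria are operating system, version and current 
browsing role, a browser that receives an election packet with worse 
criteria than its own answers with its own packet, and a Master Browser 
that hears another computer claim the role demotes itself and forces an 
election. The relative weight of operating system, version and role, and 
the tie-break on computer name, are assumptions made so the run is 
deterministic. 

```python
"""Simulation of the Master Browser election described above (added example).

Assumptions not taken from the page: the ordering of OS, version and role
within the criteria, and the tie-break on computer name."""
from dataclasses import dataclass
from typing import List, Tuple

OS_RANK = {"Windows for Workgroups": 1, "Windows NT Workstation": 2, "Windows NT Server": 3}
ROLE_RANK = {"non-browser": 0, "potential": 1, "backup": 2, "master": 3}


@dataclass
class Browser:
    name: str
    os: str
    version: float
    role: str = "potential"
    is_pdc: bool = False
    preferred_master: bool = False   # IsDomainMaster = Yes in the Registry

    def criteria(self) -> Tuple:
        """Election criteria, most significant field first (ordering assumed)."""
        return (int(self.is_pdc), OS_RANK[self.os], self.version,
                int(self.preferred_master), ROLE_RANK[self.role])

    def beats(self, other: "Browser") -> bool:
        # Assumption: identical criteria are ordered by name so the run is deterministic.
        return (self.criteria(), self.name) > (other.criteria(), other.name)


def run_election(browsers: List[Browser], initiator: Browser) -> Tuple[Browser, List[str]]:
    """Run an election started by `initiator`; returns (new master, transcript)."""
    transcript = [f"{initiator.name} broadcasts election packet {initiator.criteria()}"]
    leader = initiator
    while True:
        # Every browser compares the packet on the wire with its own criteria.
        # Those that are better broadcast their own packet ("election in progress").
        challengers = [b for b in browsers if b is not leader and b.beats(leader)]
        if not challengers:
            break
        for b in challengers:
            transcript.append(f"{b.name} has better criteria; broadcasts {b.criteria()}")
        leader = max(challengers, key=lambda b: (b.criteria(), b.name))
    # Only one Master Browser per workgroup or domain: any other master demotes itself.
    for b in browsers:
        if b.role == "master" and b is not leader:
            b.role = "backup"
            transcript.append(f"{b.name} demotes itself from Master Browser")
    leader.role = "master"
    transcript.append(f"{leader.name} is the Master Browser")
    return leader, transcript


def on_master_announcement(browsers: List[Browser], master: Browser,
                           claimant: Browser) -> Tuple[Browser, List[str]]:
    """A Master Browser that hears another computer claim the role demotes
    itself and forces an election, as the text describes."""
    if claimant is master:
        return master, []
    master.role = "backup"
    return run_election(browsers, master)


if __name__ == "__main__":
    # Constructed domain: a PDC that is already master, a preferred master
    # coming online, a backup browser, and a Windows for Workgroups machine.
    domain = [
        Browser("PDC1", "Windows NT Server", 3.5, role="master", is_pdc=True),
        Browser("SRV2", "Windows NT Server", 3.5, preferred_master=True),
        Browser("WKS3", "Windows NT Workstation", 3.5, role="backup"),
        Browser("WFW4", "Windows for Workgroups", 3.11),
    ]
    winner, log = run_election(domain, domain[1])
    print("\n".join(log))
```

Because the election packets are unauthenticated broadcasts, any host on 
the segment that can send a packet with sufficiently high criteria will 
win this procedure; the model makes that visible by letting you set the 
fields of any Browser freely. 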

Configuring a Browser 


To determine whether or not a Windows NT computer will become a Browser, 
when it initializes, the Browser service looks in the Registry for the 
following parameter: 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\MaintainServerList 
For optimization purposes, it is possible to configure a computer to 
become a Browser, or to prevent a computer from becoming a Browser. 
The MaintainServerList parameter can have the following values: 

Value         Meaning                                          
No            This computer will NEVER participate as a        
              Browser server.                                  
Yes           This computer will become a Browser server.      
              Upon startup, this computer will attempt to      
              contact the Master Browser to get a current      
              browse list. If the Master Browser cannot be     
              found, the computer will force one to be         
              elected. This computer will either be elected    
              as the Master Browser or become a Backup         
              Browser.                                         
              Yes is the default value for Windows NT Server   
              domain controller computers.                     
Auto          This computer may or may not become a Browser    
              server, depending on the number of currently     
              active Browsers, and is referred to as a         
              Potential Browser. This computer will be         
              notified by the Master Browser as to whether or  
              not it should become a Backup Browser.           
              Auto is the default value for Windows NT         
              Workstation and Windows NT Server (non-domain    
              controller) computers.                           


Configuring a Preferred Master Browser


A Windows NT Workstation or Windows NT Server can be configured as a 
Preferred Master Browser. When the Browser service is started on a 
computer configured as a Preferred Master Browser, the Browser service 
will force a Browser election to occur. Preferred Master Browsers are 
given an advantage in elections, such that if all other things are 
equal, a Preferred Master Browser will always win an election and become 
the Master Browser. 
To configure a computer as a Preferred Master Browser, set the following 
Registry parameter value to True or Yes: 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\IsDomainMaster 
Unless the computer has already been configured as the Preferred Master 
Browser, this value will be False or No. This is true even if the 
computer is currently the Master Browser. 

Browser Operations


As the Master Browser and Backup Browsers are established, each has its 
own role to play in the operation of the browsing environment. The 
Browsers need to communicate with each other and provide service to 
client computers. 

Browser Announcements


When a computer that is running the Server service comes online, it must 
inform the Master Browser that it is available. It does this by 
announcing itself on the network. 

All Servers


Each computer announces itself to the Master Browser periodically by 
broadcasting on the network. Initially each computer announces itself 
every minute. As the computer stays running, the announcement time will 
be extended to once every 12 minutes. If the Master Browser has not 
heard from the computer for three announcement periods, the Master 
Browser will remove the computer from the browse list. 

Backup Browsers


In addition to announcing themselves, Backup Browsers call the Master 
Browser every 15 minutes to obtain an updated network resource (browse) 
list, as well as a list of workgroups and domains. The Backup Browser 
caches these lists and will return the browse list to any clients who 
send out a browse request to the Backup Browser. If the Backup Browser 
cannot find the Master Browser, it forces an election. 

Master Browsers


In addition, Master Browsers periodically announce themselves to the 
Backup Browsers with a broadcast. When Backup Browsers receive this 
announcement, they refresh their Master Browser name with the new 
information. 

Master Browser


Master Browsers are responsible for overseeing the entire browsing 
system and are responsible for receiving announcements from Windows NT 
3.1, Windows NT Advanced Server 3.1, Windows for Workgroups, Windows NT 
Workstation 3.5, Windows NT Server 3.5, and LAN Manager systems. 
Master Browsers also return lists of Backup Browsers to Windows NT 3.1, 
Windows NT Advanced Server 3.1, Windows NT Workstation 3.5, Windows NT 
Server 3.5, and Windows for Workgroups clients for their local subnet. 
As was discussed earlier in this section, when a system starts and its 
MaintainServerList parameter is Auto, the Master Browser is responsible 
for telling the system whether or not to become a Backup Browser. 
If the Master Browser has just won an election and its browse list is 
empty, it can force all systems to register with it. The Master Browser 
does this by broadcasting a "RequestAnnouncement" packet. Each system 
that receives this packet must answer, after a random delay of up to 30 
seconds. Spreading the responses over 30 seconds prevents the Master 
Browser from being overloaded and losing replies, and also prevents the 
network from being flooded with responses. 
If a Master Browser receives an announcement from another computer that 
claims to be the Master Browser, the Master Browser will demote itself 
from Master Browser and force an election. This ensures that there is 
never more than one Master Browser in each workgroup or domain. 

Determining the Number of Browsers


Workgroup


The number of Browsers in a workgroup is determined by the number of 
computers in the workgroup. 

Number of       Number of       Number of Master    
Systems         Backup          Browsers            
                Browsers                            
1               0               1                   
2-31            1               1                   
32-63           2               1                   


In cases where a computer has its MaintainServerList parameter set to 
Auto, the Master Browser will determine the number of Backup Browsers 
based on the table. After this, for each additional 32 computers added 
to the workgroup, there will be another Backup Browser added to the 
workgroup. 

Domain


In a domain there will be three Backup Browsers at most. This is 
regardless of the number of computers in the domain. If you have a large 
domain, you may want to either break it up, or increase the system 
performance for the Backup Browsers in the domain. 

How Client Computers Access the Browse List


The Master Browser maintains a list of network resources and makes this 
list available to Backup Browsers on the network. A client computer goes 
to a Backup Browser to get the current list. A client computer needs to 
see the browse list whenever a "net view" command is run at the Command 
Prompt, or when the File Manager Connect Network Drive dialog box is 
displayed. 
If this is the first time that the client has tried to access the browse 
list, it needs to find out which computers are the Backup Browsers for 
its workgroup or domain. The client does this by issuing a 
"QueryBrowserServers" broadcast. The QueryBrowserServers request is 
received and processed by the Master Browser for the client computer's 
workgroup or domain. The Master Browser returns a list of Backup 
Browsers that are active within the workgroup or domain being queried. 

Browsing Failures


If a computer fails or simply goes off-line, it will be removed from the 
browse list in a predetermined time frame. If the computer played a role 
in the browse environment, further action takes place depending on what 
role it played. 

Non-Browser Computers


If a Non-Browser computer fails to announce itself to the Master 
Browser, it will eventually be removed from the list. For example, if 
the computer is powered off without being shut down, or if its Server 
service fails, it stops announcing itself. After three missed 
announcement periods (each between 1 and 12 minutes long) the Master 
Browser removes the computer from the browse list. It may therefore take 
up to 51 minutes before all of the Browsers know of a system's failure: 
up to 36 minutes (three 12-minute periods) for the Master Browser to 
detect the failure, plus up to 15 minutes for all of the Backup Browsers 
to retrieve the updated list from the Master Browser. 

Backup Browsers


If a Backup Browser fails, it will be removed from the Master Browser 
browse list in the same amount of time as a Non-Browser. This is because 
they announce themselves in the same manner. If a client attempts to 
retrieve a browse list from the missing Backup Browser, the client will 
select another Backup Browser from its list of three Backup Browsers. If 
all of the clients' known Backup Browsers fail, the client will attempt 
to get a new list of Backup Browsers from the Master Browser. If the 
client is unable to contact the Master Browser, the client will force an 
election. 

Master Browser


When a Master Browser fails, a Backup Browser will detect the failure 
within 15 minutes. When this happens, a Backup Browser will force an 
election to select a new Master Browser. 

Server Shut Down


When the computer is shut down normally it will make an announcement 
that will cause the Master Browser to remove it from the list. If a 
Backup Browser is shutting down, it will send an announcement to the 
Master Browser that does NOT specify the Browser service in the list of 
running services. If a Master Browser is shutting down, it will send a 
"ForceElection" broadcast so that a new Master Browser can be chosen. 

Browsing Across Multiple Workgroups and/or Domains


Not only do Master Browsers need to communicate within a workgroup or 
domain, but they need to communicate between workgroups and domains. 
This allows users to be able to retrieve lists of other workgroups and 
domains. Windows NT adds a new level of functionality to the "net view" 
and File Manager connect requests that allows clients to retrieve a list 
of available workgroups and domains from the Master Browser. 
Upon becoming a Master Browser, each Master Browser will broadcast a 
"DomainAnnouncement" to each domain every minute for the first five 
minutes of its life as Master Browser. After the first five minutes, the 
Master Browser will make "DomainAnnouncement" broadcasts once every 15 
minutes. If a workgroup or domain has not announced itself for a period 
equaling three times the announcement period, the workgroup or domain 
will be removed from the list of workgroups and domains. Therefore, it 
is possible that a workgroup or domain will appear in the browse list 
for up to 45 minutes after the workgroup or domain has ceased 
operations. 
It is the responsibility of the Master Browser in each workgroup or 
domain to receive "DomainAnnouncement" packets from other workgroups and 
domains. The Master Browser uses these announcements to build a list of 
available workgroups and domains. This list is also given to the Backup 
Browsers every 15 minutes so that they can return a list of network 
resources available in their workgroup or domain as well as being able 
to return a list of other workgroups and domains. 
The "DomainAnnouncement" packet contains the name of the domain, the 
name of the Master Browser for that domain, and whether the Master 
Browser is running Windows NT Workstation or Windows NT Server. In 
addition, if the Master Browser is running Windows NT Server, the 
"DomainAnnouncement" will also specify if the system is the domain's 
PDC. 
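The following is an added example, not code from the original page. It 
models with one class the two aging tables described in this chapter: the 
Master Browser's list of servers, fed by host announcements that start 
every minute and back off to once every 12 minutes (Browser Announcements 
and Browsing Failures above), and its list of workgroups and domains, fed 
by DomainAnnouncement packets sent every minute for the first five 
minutes and then every 15 minutes. In both tables an entry is dropped 
after three announcement periods of silence, and an orderly shutdown 
announcement removes it at once. Times are in minutes. The page gives 
only the end points of the host back-off; the doubling schedule in 
between, and the assumption that each announcement carries the sender's 
current period so the Master Browser knows how long to wait, are not 
taken from the page. 

```python
"""Aging of browse-list entries as described in this chapter (added example).

Assumptions not taken from the page: the doubling of the host announcement
period between 1 and 12 minutes, and that each announcement carries the
period the sender will use next."""
from dataclasses import dataclass
from typing import Dict, List, Sequence

HOST_SCHEDULE = (1, 2, 4, 8, 12)          # assumed back-off between the page's 1 and 12 minutes
DOMAIN_SCHEDULE = (1, 1, 1, 1, 1, 15)     # every minute for five minutes, then every 15
MISSED_PERIODS = 3                        # silence tolerated before an entry is removed
BACKUP_REFRESH = 15                       # Backup Browsers fetch the list every 15 minutes


def period_after(schedule: Sequence[int], count: int) -> int:
    """Announcement period in force after `count` announcements (saturates at the last value)."""
    return schedule[min(count, len(schedule) - 1)]


@dataclass
class Entry:
    name: str
    last_seen: float
    period: int        # period the announcer said it will use next
    count: int = 0     # announcements received so far


class BrowseList:
    """One aging table: servers with HOST_SCHEDULE, domains with DOMAIN_SCHEDULE."""

    def __init__(self, schedule: Sequence[int]) -> None:
        self.schedule = schedule
        self.entries: Dict[str, Entry] = {}

    def announce(self, name: str, now: float) -> Entry:
        """Record a HostAnnouncement or DomainAnnouncement received at time `now`."""
        e = self.entries.get(name)
        if e is None:
            e = self.entries[name] = Entry(name, now, period_after(self.schedule, 0))
        else:
            e.count += 1
            e.last_seen = now
            e.period = period_after(self.schedule, e.count)
        return e

    def withdraw(self, name: str) -> bool:
        """Orderly shutdown: the announcer asks to be removed immediately."""
        return self.entries.pop(name, None) is not None

    def expire(self, now: float) -> List[str]:
        """Remove and return every entry silent for three of its own periods."""
        dead = [n for n, e in self.entries.items()
                if now - e.last_seen >= MISSED_PERIODS * e.period]
        for n in dead:
            del self.entries[n]
        return dead


def max_detection_minutes(period: int = HOST_SCHEDULE[-1]) -> int:
    """Worst case before every Backup Browser stops listing a crashed server:
    three silent periods at the Master Browser plus one backup refresh."""
    return MISSED_PERIODS * period + BACKUP_REFRESH


if __name__ == "__main__":
    servers = BrowseList(HOST_SCHEDULE)
    for t in (0, 1, 3, 7, 15, 27):          # constructed announcement times for one server
        servers.announce("SRV1", t)
    print("SRV1 now announces every", servers.entries["SRV1"].period, "minutes")
    print("expired at t=62:", servers.expire(62), " at t=63:", servers.expire(63))
    print("worst case until all browsers drop a dead server:", max_detection_minutes(), "minutes")
```

The same object fed with DOMAIN_SCHEDULE reproduces the 45-minute figure 
given above for a workgroup or domain that has stopped announcing. 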
------------------------------------------------------------------------

Printing from Windows NT


Windows NT Printing Terminology


Windows NT uses its own printing terminology to describe the printing 
process. 

Printing Device versus Printer


Under Microsoft Windows NT, a printing device refers to the actual 
hardware device that produces printed output. A printer refers to the 
software interface between the application and printing device. Each 
printer appears as a separate window that is managed using the Windows 
NT Print Manager application. 
Multiple printers can be routed to one printing device. For example, if 
you have a printing device capable of using both PostScript and HP PCL 
modes, you might want to use Print Manager to create a printer for each 
mode. Each printer would use a different printer driver. Printers can be 
assigned priorities, or be configured to print during certain hours. For 
example, longer or lower priority jobs could be sent to a printer that 
prints only at night. 

Printer Versus Print Queue


In Windows NT, print jobs are sent to a printer, where they are then 
spooled before being sent to the printing device. In many network 
environments, the term print queue is used instead of printer. For 
example: Windows NT users submit print jobs to a printer, but OS/2 and 
NetWare users submit print jobs to a print queue. 

Physical Versus Logical Printer Port


A physical port is a hardware connection, such as LPT1: or COM2:, 
between the local computer and a printing device. 
A logical port is a network connection to a remote print server or 
printing device, referred to by a UNC name of the form \\server\printer. 
Windows NT allows a printer to use either a logical or a physical port 
as its print destination. 

Local and Remote Printers and Printing Devices


Local printing devices are attached directly to a Windows NT Workstation 
or Windows NT Server computer. Remote printing devices are accessed 
across the network. Network-interface printing devices are printing 
devices with built-in network cards, and are connected directly to the 
network. 

Printer Pools


In a printer pool, multiple printing devices are associated with a 
single printer. The devices within a printer pool must be identical or 
must all emulate the same type of printing device. In other words, they 
must all be able to use the same printer driver. Windows NT imposes no 
limits on the number of printing devices in a printer pool. 
Printer pools enable administrators to add printing devices without 
modifying user environments. Since printer pools are created by adding 
new devices to existing printers, user configurations will not need to 
be changed. 

Using Print Manager


Print Manager is the Windows NT administrative tool that allows 
administrators to perform all network printer administration tasks 
including creating, securing, connecting to, and configuring printers. 
Print Manager also allows users to interact with local and remote 
printers. 
Print Manager is used to: 
  *	Create printers (install printer drivers). 
  *	Control printer characteristics, such as fonts and paper size. 
  *	Set permissions for printer access. 
  *	Set up auditing of printer use. 
  *	Administer printers from a remote location. 
  *	Redirect printer output. 
  *	Connect to remote printers. 
  *	Check local and remote printer status. 

Print Manager can be started from the Print Manager icon in the Main 
group or from the Control Panel Printers icon. 

Creating a Printer


The Create Printer dialog box is used to install and configure printer 
drivers on Windows NT-based computers. This works for either a local 
printing device (a printing device that is physically attached to the 
computer) or a network printer. If the print server is Windows NT based, 
then it may be easier to use the Connect to Printer command to avoid 
installing a local print driver. 

Connecting to a Printer


The second way to access a printer is to connect to a printer. 
To connect to a shared network printer on another Windows NT-based 
computer, use the Connect to Printer command. If you are printing to a 
printer on a Windows NT print server, the client computer does not need 
to have the appropriate printer driver installed locally. Instead, the 
printer driver is copied across the network from the print server to the 
client computer, which allows the printing application to query the 
driver for the current printer settings, such as font information. This 
provides two main benefits: 
  *	The administrator only needs to update the driver on the print server. 
	Clients automatically get the new driver when they connect to the 
	printer. 
  *	The client computer does not need to have the appropriate driver 
	installed in order to use the printing device. This can be very useful 
	with portable computers, or computers that may use several different 
	printing devices. 
Because the downloaded driver is code that runs on the client, connect 
only to print servers whose administrators you trust to supply drivers. 

The Connect to Printer command is not intended for connecting to a 
shared printer on a Windows for Workgroups-based computer or other 
network print server. If the command is used for that purpose, a message 
informs the user that the computer being connected to does not have a 
printer driver and then offers the opportunity to create a printer. 

Installing Intel-Based Print Drivers on RISC-Based Platforms 


Windows NT printer drivers are platform specific: RISC-based computers 
cannot use Intel printer drivers, and vice versa, and the drivers are 
different for each of the supported RISC platforms. Therefore, for a 
client on one platform to "connect to" a print server on another 
platform, the print server must have the driver for each client platform 
installed. 
To avoid installing a printer driver on every Intel-based computer that 
will be printing to a RISC-based Windows NT print server, the Intel 
version of the printer device driver should be installed on the print 
server. Likewise, if the print server is Intel-based and the client 
computers are RISC-based, you should install the RISC-based drivers on 
the print server. That way, when any platform client connects to a print 
server, the appropriate printer driver will be downloaded to the client 
for use. 

Administering Remote Printers


Print Manager allows you to administer network print servers remotely. 
You can change the properties of existing printers, as well as install 
new printers or remove printers. To administer a printer remotely you 
must be an Administrator on the print server or have Full Control 
permission on that printer. 

Implementing Printer Pools


A printer pool is a grouping of multiple printing devices connected to a 
single printer. A printer pool allows users to print to a single printer 
and let the print spooler determine which printing device is available. 
When a printer is created, you should select the port in the Print To 
list that has the most efficient printing device attached to it. This 
will be the first printing device considered by the spooler. 
To add more printing devices to the pool, choose the Details button in 
the Create Printer dialog box and select the additional ports you want. 
The selected ports can be of mixed types (serial, parallel, and so on). 
Routing is based on the order in which the ports are chosen, so add the 
fastest ports first. All printing devices in a printer pool must be able 
to use the same printer driver. This list box can also be used to remove 
a persistent network connection to a print server. 
All printing devices in the printer pool share the same printer name and 
act as a single device. Pausing the printer will pause the entire 
printer pool, and changing any properties will affect all printing 
devices in the printer pool. 
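The routing rules described above (several printers with different priorities and printing hours feeding one device, and one printer feeding a pool of devices in the order their ports were chosen) can be modelled in a few lines. The following is an added example, not code from the original TechNet page or from Windows NT itself; the printer names, ports, priorities, hours and jobs are constructed, and the model reproduces only the ordering rules the text states.

```python
# Added example, not from the original TechNet page: a model of how the
# Windows NT spooler routes jobs from printers (the logical queues) to
# printing devices (the ports). Printer names, ports, priorities, hours,
# and jobs are constructed for illustration.
from dataclasses import dataclass


@dataclass
class Printer:
    name: str
    ports: list               # printing devices, in the order chosen in Print Manager
    priority: int = 1         # 1..99; a higher value is serviced first
    hours: tuple = (0, 24)    # (start, end) hour; wraps midnight if start > end

    def prints_at(self, hour: int) -> bool:
        start, end = self.hours
        if start <= end:
            return start <= hour < end
        return hour >= start or hour < end


def dispatch(printers, jobs, hour, busy_ports=frozenset()):
    """Assign each queued (job_id, printer_name) pair to a free port.

    Printers are served in descending priority, so when several printers
    share one device the highest-priority printer's jobs reach it first.
    Within a printer pool the first free port in configured order is used,
    which is why the fastest device should be listed first. Returns the
    assignments made and the jobs that must wait, with the reason.
    """
    by_name = {p.name: p for p in printers}
    in_use = set(busy_ports)
    assigned, waiting = {}, []
    # sorted() is stable, so jobs of equal priority keep submission order.
    order = sorted(jobs, key=lambda j: -by_name[j[1]].priority)
    for job_id, printer_name in order:
        printer = by_name[printer_name]
        if not printer.prints_at(hour):
            waiting.append((job_id, "outside printing hours"))
            continue
        free = next((port for port in printer.ports if port not in in_use), None)
        if free is None:
            waiting.append((job_id, "no free printing device"))
            continue
        in_use.add(free)
        assigned[job_id] = free
    return assigned, waiting


# Constructed configuration: two printers share LPT1: (one only at night),
# and a pool printer drives two identical devices on LPT2: and COM2:.
PRINTERS = [
    Printer("Daytime", ["LPT1:"], priority=99),
    Printer("Overnight", ["LPT1:"], priority=1, hours=(22, 6)),
    Printer("Pool", ["LPT2:", "COM2:"]),
]
JOBS = [("j1", "Overnight"), ("j2", "Daytime"),
        ("j3", "Pool"), ("j4", "Pool"), ("j5", "Pool")]

if __name__ == "__main__":
    for hour in (14, 23):
        print(hour, dispatch(PRINTERS, JOBS, hour))
```

At 14:00 the Overnight job waits because its printer is outside its hours, while at 23:00 it waits because the higher-priority Daytime printer takes LPT1: first; the third pool job waits in both cases because only two devices are in the pool.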
------------------------------------------------------------------------

Remote Access Service (RAS)


RAS connects remote users to a network over phone lines (and the other 
WAN links described below). Once a user has made a connection, the phone 
line becomes transparent and the user can access network resources, 
subject to the usual permissions, as if sitting at a computer in the 
office that is directly attached to the network. RAS makes a modem act 
like a network card, projecting the remote computer onto the LAN. 

Supported Dial-in Servers


Windows NT RAS clients can connect to LAN Manager, Windows for 
Workgroups, Windows NT 3.1, and Windows NT Server 3.5 RAS servers. In 
addition, RAS clients can connect to non-Microsoft dial-in servers, 
such as UNIX-based dial-in servers (via the SLIP and PPP standards). 

Supported Dial-in Clients


Windows NT RAS servers accept connections from LAN Manager, Windows for 
Workgroups, Windows NT Workstation, and Windows NT Server 3.5 RAS 
clients. In addition, non-Microsoft clients, such as UNIX-based dial-in 
clients, can connect to Microsoft servers via the PPP standard. 

Supported Network Interfaces


Any network application that uses any of the following interfaces will 
work over RAS: 
  *	Windows Sockets: the Windows networking API used by programs that 
	create IPX or TCP/IP sockets applications; it provides a bi-directional 
	channel for data between networked computers. 
  *	Network basic input/output system (NetBIOS): a software basic 
	input/output system used to connect to network resources. 
  *	Mailslots: a message delivery system used for announcing and locating 
	network services and resources. 
  *	Named pipes: the interprocess communication mechanism that allows one 
	process to communicate with another local or remote process. 
  *	Remote Procedure Calls (RPCs): a message-passing facility that allows a 
	distributed application to call services available on various computers 
	in a network. Used during remote administration of computers. 
  *	Windows NT network (Win32) and LAN Manager APIs: application programming 
	interfaces available for applications to call functions of the Windows 
	NT or LAN Manager operating systems. 

Windows NT RAS Connection Limitations


Windows NT RAS supports up to 256 simultaneous inbound connections on 
Windows NT Server, and one inbound connection on Windows NT Workstation. 
A multiport serial device, such as a Digiboard adapter, can provide 
multiple serial ports on one RAS server; drivers for Digiboard adapters 
ship with Windows NT Workstation and Windows NT Server 3.5. 
When remote users access NetBIOS resources, the limit on simultaneous 
connections is 250, because that is the number of NetBIOS names a single 
system can register. When using Windows Sockets over TCP/IP or IPX, 
there is no software limit on the number of simultaneous connections to 
the RAS server; the maximum Microsoft has tested is 256. 

RAS Software Compression


RAS software compression is supported in Windows NT 3.5. It is based on 
the Microsoft DRVSPACE compression algorithm (from MS-DOS 6.22) and 
achieves an average 2:1 compression ratio. On highly compressible data, 
effective throughput can be as much as eight times that of an 
uncompressed connection; the line speed of the modem itself is 
unchanged, and data that is already compressed (such as archives) gains 
little. 

Scalability


The RAS server is multithreaded and can take advantage of 
multiprocessors. This allows threads of the Remote Access Service to run 
on multiple processors in a computer at the same time, improving RAS 
performance. 

WAN Support


RAS supports the following methods for establishing a connection between 
the RAS client and the RAS server. 
  *	Standard phone lines (Public Switched Telephone Networks) 

Windows NT RAS uses standard modem connections over Public Switched 
Telephone Networks (PSTN). 
  *	X.25 

An X.25 network transmits data with a packet-switching protocol. This 
protocol relies on an elaborate worldwide network of packet-forwarding 
nodes that participate in delivering an X.25 packet to the correct 
address. 
All remote workstations will be able to use an X.25 network by dialing 
an X.25 Packet Assembler/Disassembler (PAD). Windows NT Server 3.5 
Remote Access Services have direct access via X.25 adapters, and Windows 
NT Workstation computers have direct X.25 connectivity in addition to 
asynchronous access to X.25 PADs. 
  *	Integrated Services Digital Network (ISDN) 

ISDN offers much faster communication than a standard telephone line, 
at speeds of 64 to 128 kilobits per second (one or two 64 kbps B 
channels). 

RAS Security


Windows NT Remote Access Service implements a number of security 
measures to ensure that the remote user is a valid remote access user on 
the network. Because these checks (dial-in permission, and optionally 
call back and an intermediary security host) are applied on top of the 
normal Windows NT logon, a remote user is in some ways subject to more 
scrutiny than a user at a workstation attached directly to the network. 

Integrated Domain Security


The RAS server uses the same user account database as Windows NT Server 
3.5. This simplifies administration, since users log on with the same 
user account that they use at the office, and ensures that they have the 
same privileges and permissions they normally have. 
In order to connect, a user must have a valid Windows NT user account as 
well as the RAS dial-in permission, which is granted per user in the 
Remote Access Admin tool and is not granted by default. Users must be 
authenticated by RAS before they are even allowed to attempt to log on 
to Windows NT. 

Encrypted Authentication and Log on


All authentication and logon information is encrypted when transmitted 
over the phone line, provided the RAS server is configured to require 
encrypted authentication. If the server is set to allow any 
authentication, including clear text, a client that negotiates PAP sends 
its password unencrypted, so check this setting on every RAS server. 

Auditing


With auditing enabled, RAS generates audit information on all remote 
connections, including authentication attempts, log ons, and so on; the 
records appear in the system log in Event Viewer. 

Intermediary Security Hosts


It is possible to add another level of security to a RAS configuration 
by placing an intermediary security host, such as a hardware token or 
password device, between the RAS client(s) and the RAS server(s). When 
an intermediary security host is used, the user must type a password or 
code to get past the security device before a connection will be 
established with the RAS server. 

Call Back Security


The RAS server can be configured to call the remote user back as a means 
of increasing security. Call back is set per user: when the number is 
preset by the administrator, the session can only be completed at that 
telephone number, which ties the account to a known location; when the 
number is set by the caller, call back records the number the user asked 
for and shifts toll charges to the server, but does not by itself 
restrict where the user connects from. 
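The sequence of checks in the RAS Security section (authentication protocol accepted by the server, RAS authentication against the domain account database, dial-in permission, and call back) is modelled below. This is an added example and not code from the original TechNet page or from Windows NT; the account records, the server's encryption setting and the dial-in requests are constructed, and the MS-CHAP challenge/response exchange is reduced to a password comparison for the sake of the model. The point it shows is that only a preset call back number binds a session to a known location, and that an account without dial-in permission is refused even with the right password.

```python
# Added example, not from the original TechNet page: a model of the checks a
# Windows NT RAS server applies before a dial-in user reaches the network.
# Account records, the server's authentication setting, and the dial-in
# requests are constructed; nothing here talks to a real RAS server.
from dataclasses import dataclass
from typing import Optional

# Server "Encryption settings" -> PPP authentication protocols it accepts.
PROTOCOLS_BY_POLICY = {
    "allow_any_including_clear_text": {"PAP", "SPAP", "CHAP", "MS-CHAP"},
    "require_encrypted": {"SPAP", "CHAP", "MS-CHAP"},
    "require_ms_encrypted": {"MS-CHAP"},
}


@dataclass
class Account:
    name: str
    password: str
    enabled: bool = True
    dialin: bool = False            # Remote Access permission; off until granted
    callback: str = "none"          # "none", "set_by_caller" or "preset"
    preset_number: Optional[str] = None


@dataclass
class DialIn:
    user: str
    password: str
    auth_protocol: str              # protocol the client negotiated
    caller_number: Optional[str] = None  # number the caller asks to be called at


def admit(req: DialIn, accounts: dict, policy: str) -> dict:
    """Return the admission decision, callback target and audit trail."""
    audit = []
    # 1. Protocol negotiation: a server that requires encrypted authentication
    #    refuses PAP before any password is exchanged.
    if req.auth_protocol not in PROTOCOLS_BY_POLICY[policy]:
        audit.append(f"{req.user}: {req.auth_protocol} refused under {policy}")
        return {"admitted": False, "reason": "auth protocol", "audit": audit}
    # 2. RAS authentication against the domain account database. A real
    #    MS-CHAP exchange compares a challenge response, not the password.
    acct = accounts.get(req.user)
    if acct is None or not acct.enabled or acct.password != req.password:
        audit.append(f"{req.user}: authentication failed")
        return {"admitted": False, "reason": "authentication", "audit": audit}
    # 3. Dial-in permission is separate from having a valid account.
    if not acct.dialin:
        audit.append(f"{req.user}: no dial-in permission")
        return {"admitted": False, "reason": "dial-in permission", "audit": audit}
    # 4. Call back. Only a preset number ties the session to a known location;
    #    a caller-chosen number is merely recorded.
    callback_to = None
    if acct.callback == "preset":
        callback_to = acct.preset_number
    elif acct.callback == "set_by_caller":
        callback_to = req.caller_number
    audit.append(f"{req.user}: admitted, callback={callback_to}")
    return {
        "admitted": True,
        "reason": None,
        "callback_to": callback_to,
        "callback_binds_location": acct.callback == "preset",
        "audit": audit,
    }


# Constructed sample accounts and a server that requires encrypted authentication.
SAMPLE_ACCOUNTS = {
    "alice": Account("alice", "a-secret", dialin=True, callback="preset",
                     preset_number="555-0100"),
    "bob": Account("bob", "b-secret"),                       # valid, no dial-in
    "carol": Account("carol", "c-secret", dialin=True, callback="set_by_caller"),
}
SERVER_POLICY = "require_encrypted"

if __name__ == "__main__":
    for req in (DialIn("alice", "a-secret", "MS-CHAP", caller_number="555-0199"),
                DialIn("bob", "b-secret", "MS-CHAP"),
                DialIn("carol", "c-secret", "PAP")):
        print(admit(req, SAMPLE_ACCOUNTS, SERVER_POLICY))
```

Note that alice is called back at the administrator's preset number even though she asked for a different one, and that carol's PAP attempt is refused by the "require encrypted authentication" policy before her password is ever compared; switching the policy to allow clear text admits the same request.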
© 1995 Microsoft Corporation. 
THESE MATERIALS ARE PROVIDED "AS-IS," FOR INFORMATIONAL PURPOSES ONLY.
NEITHER MICROSOFT NOR ITS SUPPLIERS MAKES ANY WARRANTY, EXPRESS OR 
IMPLIED WITH RESPECT TO THE CONTENT OF THESE MATERIALS OR THE ACCURACY 
OF ANY INFORMATION CONTAINED HEREIN, INCLUDING, WITHOUT LIMITATION, THE 
IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR 
PURPOSE. BECAUSE SOME STATES/JURISDICTIONS DO NOT ALLOW EXCLUSIONS OF 
IMPLIED WARRANTIES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. 
NEITHER MICROSOFT NOR ITS SUPPLIERS SHALL HAVE ANY LIABILITY FOR ANY 
DAMAGES WHATSOEVER INCLUDING CONSEQUENTIAL INCIDENTAL, DIRECT, INDIRECT, 
SPECIAL, AND LOSS PROFITS. BECAUSE SOME STATES/JURISDICTIONS DO NOT 
ALLOW THE EXCLUSION OF CONSEQUENTIAL OR INCIDENTAL DAMAGES THE ABOVE 
LIMITATION MAY NOT APPLY TO YOU. IN ANY EVENT, MICROSOFT'S AND ITS 
SUPPLIERS' ENTIRE LIABILITY IN ANY MANNER ARISING OUT OF THESE 
MATERIALS, WHETHER BY TORT, CONTRACT, OR OTHERWISE SHALL NOT EXCEED THE 
SUGGESTED RETAIL PRICE OF THESE MATERIALS. 
------------------------------------------------------------------------
© 1996 Microsoft Corporation