Posted by Roger Abell [MVP] on March 30, 2006, 10:32 am
> Hi Roger,
> Thank you for your response.
>
> I have a few questions. These are:
>
>> However, when a server version has been made a DC then
>> the SAM is changed for only special uses.............
>
> Can you please explain what you meant when you said "SAM is changed for
> only
> special uses......"?
>
>> Now, a modern description of SAMR is that it is used for remote
>> account management actions.
>
When you DCpromo a server, making it a DC, the SAM is wiped (mostly)
clean and then becomes the account store for the DS restore mode boot,
where one can log into a DC without the Active Directory started up.
>
> Right. From this what I have perceived is that Domain SAM and Active
> Directory continue to exist side by side and part of the operations
> that Domain SAM used to perform in Win NT 4 has now been given to Active
> Directory (i.e. maintaining domain accounts. Along with this many new
> features have also been added to AD in new server OSs). Domain SAM is
> not the keeper of domain accounts anymore. But for Win NT 4 based
> clients and earlier full SAM functionality (SAMR interfaces) is still
> available even with the new server OS. In other words it's there for
> backward compatibility.
>
Not quite. All domain principals are stored in AD post-NT4 domain.
Local SAM on a DC has the restricted role mentioned above.
Since there were millions of machines in place, all expecting to use
SAMR for account mgmt actions, with the intro of AD it was a choice of
a change in one place (DCs) so these calls would work against a post-NT4
domain, or of changing all in-place machines to know of something new.
> In one of my previous postings I asked what the ways/scenarios are
> that, when executed, would generate SAMR calls. So far (like
> you told me) I have been able to generate SAMR calls in the following
> two ways:
>
> 1- Joining client machine with a domain controller and
> 2- Changing a domain user password from a client (ctrl + alt + del and
> then change password).
>
> Are there any other ways that I can use to generate SAMR calls?
>
Probably, but I am not expert enough to list them out.
I also notice that you have earlier mentioned a link to one of
the better docs that tries to discuss SAMR in human terms.
> Thanks again. You have been a great help.
>
> sarshah.
>
> Roger Abell [MVP] wrote:
>> Hi again sarshah
>>
>> I think you are being too literal.
>> Older docs will indicate that SAMR is used when there is need to
>> manage objects stored in the SAM.
>> You are not quite correct that SAM exists only in Windows NT 4 and
>> earlier, as it still exists in all versions right on through Windows
>> Server 2003 R2. However, when a server version has been made a DC then
>> the SAM is changed for only special uses and domain accounts are
>> stored with the Active Directory.
>> Now, a modern description of SAMR is that it is used for remote
>> account management actions.
>>
>> > Hi,
>> > This is a repost of the message that I earlier posted on different
>> > forums but unfortunately there was no response. Maybe I made it look
>> > too complicated.
>> >
>> > To put it simply, the question was related to domain Security Account
>> > Manager (SAM). In Windows 2000/2003/XP, domain SAM does not exist (not
>> > used) anymore. It is replaced by Active Directory. But, for the
>> > aforementioned OS, local SAM still exists.
>> >
>> > Everything was fine until I set up a Windows 2000 domain controller
>> > and made a Windows 2000 client join it. I used a network packet
>> > capture utility to capture the packets that were exchanged during the
>> > process of joining the domain controller. The packet capture for this
>> > activity showed a number of SAMR calls. Now if the domain SAM does not
>> > exist for Windows 2000 (and above) then why are there SAMR calls made
>> > when joining a domain? I observed the same behavior for another
>> > scenario where accessing a user account on the domain controller was
>> > involved. Why are SAMR interface calls being used? What is the role of
>> > SAMR calls here? Can someone shed some light on this?
>> >
>> > Thanks for your help. The original post is as follows:
>> >
>> > =======================================
>> > I have a slight confusion regarding SAM and Active Directory. From the
>> > research that I have conducted so far, among other things, I have found
>> > out that the SAM DB was used up till Windows NT 4 and after that it was
>> > replaced with Active Directory (Windows 2000/Windows 2003). A local SAM
>> > DB is still maintained on these systems. SAMR are the interfaces used to
>> > access the SAM DB and LDAP is used to access contents of Active Directory
>> > (not sure about LDAP). I also know that in order to maintain backward
>> > compatibility, SAMR interfaces are still being supported. This implies
>> > that if, for example, in a domain a Windows NT 4 based client is joined
>> > to a server which is running W2k or W2k3 then SAMR interfaces are used.
>> > Everything seemed fine until the point when I took some captures on
>> > the wire (using a network protocol analyzer). What I did was I set up a
>> > Windows 2000 domain controller. Then I made a Windows 2000 based client
>> > join that domain. While analyzing the network capture, I found out
>> > that several SAMR interface calls are being made. This is quite
>> > confusing considering the fact that for W2k and above Active Directory
>> > is being used and perhaps LDAP calls were supposed to be made instead of
>> > SAMR calls. So the questions that I have are:
>> >
>> > - Is SAMR a legacy interface/protocol and only being kept for backward
>> > compatibility?
>> >
>> > - Active Directory is a successor to SAM DB. Is LDAP a successor to
>> > SAMR?
>> >
>> > - Why are there SAMR calls even when Windows NT 4 is not being used at
>> > all in the scenario mentioned above? Or in other words, if in Windows
>> > 2000 and above Active Directory is being used then why are SAMR calls
>> > being used?
>> >
>> > =======================================
>> >
>> > sarshah.
>> >
>
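To put the thread's point into defender terms, here is an added example (not part of the original thread) that groups SAMR operations per client from constructed capture-summary lines and labels each client's session as one of the two expected activities the thread mentions (join-style account update, password change) or as bulk enumeration. The record format and the operation sets are assumptions for the example; the operation names are real MS-SAMR method names.

```python
from collections import defaultdict

# Constructed sample records (assumed format, not from the original thread):
# timestamp client server named_pipe operation
SAMPLE_LOG = """\
1143700001 10.0.0.21 10.0.0.5 samr SamrConnect5
1143700002 10.0.0.21 10.0.0.5 samr SamrLookupDomainInSamServer
1143700003 10.0.0.21 10.0.0.5 samr SamrOpenDomain
1143700004 10.0.0.21 10.0.0.5 samr SamrLookupNamesInDomain
1143700005 10.0.0.21 10.0.0.5 samr SamrOpenUser
1143700006 10.0.0.21 10.0.0.5 samr SamrSetInformationUser2
1143700010 10.0.0.22 10.0.0.5 samr SamrConnect5
1143700011 10.0.0.22 10.0.0.5 samr SamrUnicodeChangePasswordUser2
1143700020 10.0.0.23 10.0.0.5 samr SamrConnect5
1143700021 10.0.0.23 10.0.0.5 samr SamrOpenDomain
1143700022 10.0.0.23 10.0.0.5 samr SamrEnumerateUsersInDomain
1143700030 10.0.0.24 10.0.0.5 lsarpc LsarOpenPolicy2
"""

# Assumed groupings of MS-SAMR methods for labelling a client's session.
PASSWORD_CHANGE_OPS = {"SamrChangePasswordUser", "SamrOemChangePasswordUser2",
                       "SamrUnicodeChangePasswordUser2"}
ACCOUNT_UPDATE_OPS = {"SamrLookupNamesInDomain", "SamrOpenUser",
                      "SamrSetInformationUser2", "SamrCreateUser2InDomain"}
ENUMERATION_OPS = {"SamrEnumerateUsersInDomain", "SamrEnumerateGroupsInDomain",
                   "SamrEnumerateAliasesInDomain", "SamrQueryDisplayInformation"}

def parse(log_text):
    """Yield (client, server, pipe, operation); malformed lines are skipped."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 5:
            _ts, client, server, pipe, op = fields
            yield client, server, pipe, op

def samr_ops_by_client(log_text):
    """Collect the SAMR operations each client issued, ignoring other pipes."""
    ops = defaultdict(list)
    for client, _server, pipe, op in parse(log_text):
        if pipe.lower() == "samr":
            ops[client].append(op)
    return ops

def classify(log_text):
    """Label each SAMR client: enumeration, password-change, account-update or other."""
    labels = {}
    for client, ops in samr_ops_by_client(log_text).items():
        seen = set(ops)
        if seen & ENUMERATION_OPS:
            labels[client] = "enumeration"
        elif seen & PASSWORD_CHANGE_OPS:
            labels[client] = "password-change"
        elif seen & ACCOUNT_UPDATE_OPS:
            labels[client] = "account-update"
        else:
            labels[client] = "other"
    return labels
```

Run `classify(SAMPLE_LOG)` to see that the join-style and password-change sessions are labelled as the expected activities while the client that enumerates users is singled out for review.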