
SAMR Interface Calls and Active Directory

Thread: SAMR Interface Calls and Active Directory, started by sarshah20 on 03-29-2006
Posted by Roger Abell [MVP] on April 5, 2006, 8:49 am

> Thank you roger. Your replies have been very helpful.
>
> sarshah.
>

You are welcome, sarshah. Thanks for the acknowledgement.



Posted by Roger Abell [MVP] on March 29, 2006, 8:51 am
> Why are there SAMR calls even when Windows NT 4 is not being used at
> all in the scenario as mentioned above? Or in other words, if in Windows
> 2000 and above Active Directory is being used, then why are SAMR calls
> being used?

Think of it this way.
You are getting ready to release Windows 2000 and its new Active Directory.
You know all existing machines would use SAMR to attempt to do certain
actions. You know that for some, likely long, time you will have both Windows
NT 4 based domains and Windows 2000 based Active Directory domains in
use. Hence you know that for some time there will be machines attempting to
join either type of domain, or being used to manage accounts of either.
What do you do? a) keep SAMR for all cases, b) introduce something new
and force use of only the new for the post-NT4?



Posted by Joe Richards [MVP] on April 6, 2006, 6:57 pm
SAM (Security Accounts Manager) is not the storage medium, it is the management
code for handling security principals in Windows. It is fully active in Active
Directory, many (all?) LDAP calls that have to do with SAM objects route through
the SAM code.

The difference between a Windows 2000 (or better) member machine and a Windows
2000 (or better) domain controller is simply that the SAM stores its info in
different places. On a member the info is stored in a secured portion of the
registry, on DCs it is stored in an ESE database which allows it to scale and
perform more efficiently.

joe


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm



sarshah20@yahoo.com wrote:
> Hi,
> This is a repost of the message that I earlier posted on different
> forums but unfortunately there was no response. Maybe I made it look
> too complicated.
>
> To put it simply, the question was related to the domain Security Account
> Manager (SAM). In Windows 2000/2003/XP, the domain SAM does not exist (is not
> used) anymore. It is replaced by Active Directory. But, for the
> aforementioned OS, the local SAM still exists.
>
> Everything was fine until I set up a Windows 2000 domain controller
> and made a Windows 2000 client join it. I used a network packet
> capture utility to capture the packets that were exchanged during the
> process of joining the domain controller. The packet capture for this
> activity showed a number of SAMR calls. Now, if the domain SAM does not
> exist for Windows 2000 (and above), then why are there SAMR calls made
> when joining a domain? I observed the same behavior for another
> scenario where accessing a user account on the domain controller was
> involved. Why are SAMR interface calls being used? What is the role of
> SAMR calls here? Can someone shed some light on this?
>
> Thanks for your help. The original post is as follows:
>
> =======================================
> I have a slight confusion regarding SAM and Active Directory. From the
> research that I have conducted so far, among other things, I have found
> out that the SAM DB was used up till Windows NT 4 and after that it was
> replaced with Active Directory (Windows 2000/Windows 2003). A local SAM
> DB is still maintained on these systems. SAMR is the interface used to
> access the SAM DB and LDAP is used to access the contents of Active Directory
> (not sure about LDAP). I also know that in order to maintain backward
> compatibility, SAMR interfaces are still being supported. This implies
> that if, for example, in a domain, a Windows NT 4 based client is joined
> to a server which is running W2k or W2k3, then SAMR interfaces are used.
> Everything seemed fine until the point when I took some captures on
> the wire (using a network protocol analyzer). What I did was I set up a
> Windows 2000 domain controller. Then I made a Windows 2000 based client
> join that domain. While analyzing the network capture, I found out
> that several SAMR interface calls are being made. This is quite
> confusing considering the fact that for W2k and above Active Directory
> is being used and perhaps LDAP calls were supposed to be made instead of
> SAMR calls. So the questions that I have are:
>
> - Is SAMR a legacy interface/protocol and only being kept for backward
> compatibility?
>
> - Active Directory is a successor to the SAM DB. Is LDAP a successor to
> SAMR?
>
> - Why are there SAMR calls even when Windows NT 4 is not being used at
> all in the scenario as mentioned above? Or in other words, if in Windows
> 2000 and above Active Directory is being used, then why are SAMR calls
> being used?
>
> =======================================
>
> sarshah.
>

Posted by sarshah20 on April 10, 2006, 9:16 am
Joe,
Can you please further elaborate on what you mean by storage medium?
If you mean a database (or actual data store on the disk) then in many
microsoft articles, SAM has been referred to as SAM DB. Please explain.

Additionally, can you think of any further scenarios which would
generate SAMR calls on Windows 2000 and above machines?

Thanks,
sarshah.



Posted by Joe Richards [MVP] on April 10, 2006, 9:30 pm
There is SAM and there is the SAM DB. The SAM I spelled out before, the SAM DB
is the underlying store. With AD it is an ESE DB, with members it is the
registry.



--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm



