ADS Active Directory Service (Farsi User Guide)
Resource: Windows 2000 Server Resource kit Distributed Systems Guide


Windows 2000 SAM Storage

In Win NT4, user account information is stored in the SAM and the Registry.

In Windows 2000 this information is stored in ADS instead of the Registry. However, information that is local to a system and has nothing to do with the domain is still kept in the SAM in Windows 2000, that is, when your server is not a DC.

Stand-alone servers and member servers are examples of this case.


Win 2000 has two types of accounts, workstation accounts and domain accounts, which are examined below.

Workstation Account

This type holds the user and group information that is local to the system; it is found on member servers and stand-alone servers.

The scope of this type of account does not extend beyond the physical boundary of that server.

A domain account, by contrast, has a much wider scope: it exists and is available on every computer that is a member of the domain.

For example, the workstation Administrator has its power and capabilities only within that server or client, whereas the domain Admin has power and capabilities on all systems in the domain.

On a DC, the information for users, groups, and computer accounts is stored in Active Directory, and the SAM file on the system is deleted, or rather replaced by a small, limited registry key. The reason for this replacement, and for keeping a limited set of information locally on the system, is its use in Directory Service Restore Mode. When you boot the system in this mode, the system obtains the information needed for logon from that registry key; in this mode you do not connect to the domain.

So in this mode the SAM registry is used instead of Active Directory.

The SAM in Windows 2000 also supports the following:

  • Multimaster account replication among peer domain controllers
  • Creation and deletion of user properties
  • Read, write, and query third-party properties as defined by supplemental security packages in the LSA.

DCs running Win 2000 support Win NT, that is, WinNT clients are authenticated by these DCs.

Interestingly, BDCs are supported as well, that is, replication traffic can be established between a DC and an NT4 backup domain controller.

You can configure a Windows 2000-based DC so that it acts like a PDC.

This is called a single-master operation role.

For more information, see Managing Flexible Single-Master Operations.

Mixed-Mode Storage Considerations

In this mode, a limited amount of information is stored in the SAM database so that the DC can work with BDCs. It is in this mode that BDCs can work with domain accounts.

A Windows NT 4.0–based backup domain controller is able to store approximately 40,000 security principal accounts (users, groups, and computers). The SAM database size does not decrease when you delete objects, but the database becomes fragmented and contains "empty" space. This empty space is reclaimed as new objects are added, which can result in less available storage than the number of accounts might indicate. For example, changing group membership leaves an unoccupied storage space for the membership that was removed.

Running Regback against the SAM database can remove the spaces, but only if the physical RAM of the computer is at least twice as large as the current SAM (because of the way Regback works). For information about techniques for compressing the SAM database, see the Knowledge Base link on the Web Resources page. Search the Knowledge Base using the keywords "database" and "shrink."


SAM Structure

The Windows NT 4.0 and Windows 2000 SAM both contain collections of domain security accounts. A "domain" in the SAM sense can refer either to all of the accounts on a single computer or all of the accounts in a Windows domain. The Builtin container contains default local group accounts (such as Administrators and Users) that are installed whenever a new workstation, server, or domain controller is set up. It provides some basic account types, such as Administrator and Guest, that give the operator sufficient capability to add further accounts to the computer or domain. The Builtin container account SIDs are the same on every Windows 2000 or earlier system. These fixed SIDs allow the predefined groups to be placed in access control lists without regard to the domain of the system. For this reason, the objects in the Builtin container cannot be changed.

In Windows 2000, domains continue to contain the same objects as in Windows NT 4.0, as well as several additional properties on certain objects.
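The constant Builtin SIDs described above can be recognised directly in raw ACL data. The following is an added example, not code from the Resource Kit: it decodes the binary SID layout and shows that the Builtin Administrators SID is byte-identical on two hosts while account SIDs are not. The host ACLs and domain identifiers are constructed sample values, and `make_sid` and `shared_trustees` are hypothetical helper names.

```python
import struct

# Well-known Builtin aliases (RIDs under S-1-5-32); identical on every system.
BUILTIN_RIDS = {544: "Administrators", 545: "Users", 546: "Guests",
                551: "Backup Operators"}

def sid_to_string(raw: bytes) -> str:
    """Decode a binary SID: revision, count, 48-bit authority, sub-authorities."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")      # stored big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])      # stored little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def builtin_name(sid: str):
    """Return the Builtin group name for S-1-5-32-<rid>, or None otherwise."""
    parts = sid.split("-")
    if len(parts) == 5 and parts[:4] == ["S", "1", "5", "32"]:
        return BUILTIN_RIDS.get(int(parts[4]), "other Builtin alias")
    return None

def shared_trustees(acl_a, acl_b):
    """SIDs present in both ACLs, i.e. trustees that mean the same on both hosts."""
    a = {sid_to_string(s) for s in acl_a}
    b = {sid_to_string(s) for s in acl_b}
    return sorted(a & b)

def make_sid(authority, *subs):
    """Build a binary SID for the constructed samples below."""
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

# Constructed sample ACL trustees from two hosts; domain identifiers are made up.
ADMINS = bytes.fromhex("01020000000000052000000020020000")   # S-1-5-32-544
ACL_HOST_A = [ADMINS, make_sid(5, 21, 1111, 2222, 3333, 500)]
ACL_HOST_B = [ADMINS, make_sid(5, 21, 4444, 5555, 6666, 500)]

if __name__ == "__main__":
    for raw in ACL_HOST_A + ACL_HOST_B:
        sid = sid_to_string(raw)
        print(sid, "->", builtin_name(sid) or "account-domain SID")
    print("shared:", shared_trustees(ACL_HOST_A, ACL_HOST_B))
```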

SAM Accounts on a Windows 2000 Server That Becomes a Domain Controller

When you install Active Directory on a computer that is running Windows 2000 Server to create a domain controller, you can either create a new domain or configure the domain controller to contain a copy of an existing domain. In both cases, the existing registry key that contains the SAM database is deleted and is replaced by a new, smaller SAM database. The security principals in this database are used only when the server is started in Directory Services Restore Mode.

The disposition of the security principals in the SAM database on the server is different in each case, as follows:

  • If you create an additional domain controller in an existing domain, the security accounts in the existing SAM database on the server are deleted. The accounts from the existing domain are replicated to Active Directory on the new domain controller.
  • If you create a new domain, the security accounts in the existing SAM database are preserved as follows:
    • User accounts become user objects in Active Directory.
    • Local groups in the account domain become group objects in Active Directory. The group type indicates a local group.
    • Built-in local groups become group objects in Active Directory. The group type indicates a built-in local group. These groups retain their constant SIDs and are stored in the Builtin container.

Migration of Windows NT 4.0 SAM Accounts to Active Directory Objects

When an NT4 system is upgraded to Windows 2000, all SAM accounts are converted into Active Directory objects and moved to ADS.

All users become objects of class User in ADS.

All computer users, that is, machine accounts, become objects of class Computer.

For more information about classes and how they relate to one another, see Directory Schema.

  • Global group accounts are stored as group objects in Active Directory.
  • Local group accounts from the SAM account domain are stored as group objects in Active Directory.
  • Built-in local group accounts from the SAM Builtin domain (for example, the Administrators group) are stored as domain local group objects in Active Directory in the Builtin container. Groups from the SAM Builtin domain have constant SIDs.
  • Backup domain controller computer accounts are represented identically to workstation computer accounts, except that a different flag is set to distinguish them.
  • LSA account objects grant privileges on the workstation computer to a particular account. They are maintained in the registry and synchronized between the domain controllers by being replicated to the workstation policy. By default, each domain controller in the domain has the same workstation policy. Therefore, a change to an LSA account object updates the corresponding workstation policy for the PDC emulator. The workstation policy change replicates to every other Windows 2000 domain controller in the domain.

The following table summarizes the changes made to the SAM during an upgrade.

| Windows NT 4.0 SAM | Windows 2000 Active Directory |
|---|---|
| Normal user account | User object. |
| Computer user account | Computer object, where the user account control flag indicates a workstation trust account. |
| Domain controller account | Computer object, where the user account control flag indicates a server trust account. |
| Global group in an account domain | Group object, where the group type indicates a global group. |
| Local group in an account domain | Group object, where the group type indicates a local group. |
| Local group in the Builtin domain | Group object, where the group type indicates a local group as well as Builtin group (for example, Administrators, Backup Operators, and so forth). |
| Domain trust account | Trusted domain object. (Assumes the role of both inbound and outbound halves of the trust relationship; there is also a domain trust account of class user for backward compatibility.) |
| Trusted domain object | Trusted domain object, upgraded |

Table 2.7 Upgrade of Windows NT 4.0 Accounts to Windows 2000 Active Directory Objects
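Table 2.7 can be applied in reverse when auditing a directory export: the object class plus the user account control flag or group type identifies which NT 4.0 SAM account type an object corresponds to. The following is an added example, not code from the Resource Kit; the bit values are the documented userAccountControl and groupType flags, and the sample records and their names are constructed.

```python
# Added illustration: documented userAccountControl / groupType flag bits.
UF_NORMAL_ACCOUNT = 0x0200
UF_INTERDOMAIN_TRUST_ACCOUNT = 0x0800
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000
GROUP_TYPE_BUILTIN_LOCAL_GROUP = 0x1
GROUP_TYPE_ACCOUNT_GROUP = 0x2    # global group
GROUP_TYPE_RESOURCE_GROUP = 0x4   # local group

def nt4_account_type(obj):
    """Return the Table 2.7 'Windows NT 4.0 SAM' entry for one directory object."""
    classes = {c.lower() for c in obj["objectClass"]}
    if "trusteddomain" in classes:
        return "Domain trust account or trusted domain object"
    if "group" in classes:
        # Exports show groupType as a signed 32-bit integer; make it unsigned.
        group_type = int(obj["groupType"]) & 0xFFFFFFFF
        if group_type & GROUP_TYPE_BUILTIN_LOCAL_GROUP:
            return "Local group in the Builtin domain"
        if group_type & GROUP_TYPE_RESOURCE_GROUP:
            return "Local group in an account domain"
        if group_type & GROUP_TYPE_ACCOUNT_GROUP:
            return "Global group in an account domain"
        return "Unmapped group type"
    uac = int(obj["userAccountControl"])
    # Check the trust bits before the plain-user bit: the flag decides the type.
    if uac & UF_SERVER_TRUST_ACCOUNT:
        return "Domain controller account"
    if uac & UF_WORKSTATION_TRUST_ACCOUNT:
        return "Computer user account"
    if uac & UF_INTERDOMAIN_TRUST_ACCOUNT:
        return "Domain trust account"
    if uac & UF_NORMAL_ACCOUNT:
        return "Normal user account"
    return "Unmapped account type"

# Constructed sample records, shaped like a parsed LDIF export (names are made up).
SAMPLE = [
    {"cn": "alice", "objectClass": ["top", "person", "user"], "userAccountControl": "512"},
    {"cn": "WKS01", "objectClass": ["user", "computer"], "userAccountControl": "4096"},
    {"cn": "DC01", "objectClass": ["user", "computer"], "userAccountControl": "532480"},
    {"cn": "OLDDOM$", "objectClass": ["user"], "userAccountControl": "2080"},
    {"cn": "Sales", "objectClass": ["group"], "groupType": "-2147483646"},
    {"cn": "Printers", "objectClass": ["group"], "groupType": "-2147483644"},
    {"cn": "Administrators", "objectClass": ["group"], "groupType": "-2147483643"},
]

def classify_all(records):
    """Map each record's cn to its NT 4.0 SAM account type."""
    return {r["cn"]: nt4_account_type(r) for r in records}
```

In an audit, the objects worth reviewing are those that classify as "Domain controller account" but are not known domain controllers, since the server trust flag, not the object's name, is what marks a computer object as a DC.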
