Re: SAMR Interface Calls and Active Directory


<sarshah20@xxxxxxxxx> wrote in message
news:1143725629.189323.105110@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi Roger,
Thank you for your response.

I have a few questions. These are:

However, when a server verion has been made a DC then
the SAM is changed for only special uses.............

Can you please explain what you meant when you said "SAM is changed for
only
special uses......"?

Now, a modern description of SAMR is that it is used for remote
account management actions.

when you DCpromo a server making it a DC the SAM is wiped (mostly)
clean and then becomes the account store for the DS restore mode boot,
where on can log into a DC without the Active Directory started up.


Right. From this what i have perceived is that Domain SAM and Active
Directory continue to exist side by side and part of the operations
that Domain SAM use to perform in Win NT 4 has now been given to Active
Directory (i.e maintaining domain accounts. Along with this many new
features have also been added to AD in new server OSs). Domain SAM is
not the keeper of domain accounts anymore. But for Win NT 4 based
clients and earlier full SAM functionality (SAMR interfaces) is still
available even with the new server OS. In other words its there for
backward compatibility.


Not quite. All domain principals are stored in AD post NT4 domain.
Local SAM on a DC has a restricted role mentioned above.
Since there were millions of machines in place, all expecting to use
SAMR for account mgmt actions, with intro of AD it was choice of
a change in one place (DCs) so these calls would work against post-NT4
domain, or of changing all in place machines to know of something new.


In one of my previous postings where i asked what are the
ways/scenarios executing which would generate SAMR calls. So far (like
you told me) i have been able to generate SAMR calls by the following
two ways:

1- Joining client machine with a domain controller and
2- Changing a domain user password from a client (ctrl + alt + del and
then change password).

Are there any other ways that i can use to generate SAMR calls?


Probably, but I am not expert to list them out.
I also notice that you have earlier mentioned link to one of
the better docs that tries to discuss SAMR in human terms.

Thanks again. You have been a great help.

sarshah.

Roger Abell [MVP] wrote:
Hi again sarshah

I think you are being too literal.
Older docs will indicate that SAMR is used when there is need to
manage objects stored in the SAM.
You are not quite correct that SAM exists only Windows NT 4 and
earlier, as it still exists in all versions right on through Windows
Server
2003 R2. However, when a server verion has been made a DC then
the SAM is changed for only special uses and domain accounts are
stored with the Active Directory.
Now, a modern description of SAMR is that it is used for remote
account management actions.

<sarshah20@xxxxxxxxx> wrote in message
news:1143638213.474836.91740@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,
This is a repost of the message that i earlier posted on different
forums but unfortunately there was no response. May be i made it look
too complicated.

To put it simply, the question was related to domain Security Account
Manager (SAM). In Windows 2000/2003/XP, domain SAM does not exist (not
used) anymore. It is replaced by Active Directory. But, for the
aforementioned OS, local SAM still exists.

Everything was fine until when i setup a Windows 2000 domain controller
and made a Windows 2000 Client to join it. I used a network packet
capture utility to capture the packets that were exchanged during the
process of joining the domain controller. The packet capture for this
activity showed a number of SAMR calls. Now if the domain SAM does not
exist for Windows 2000 (and above) then why there are SAMR calls made
when joining a domain. I observed the same behavior for another
scenario where accessing user account on the domain controller was
involved. Why SAMR interface calls are being used? What is the role of
SAMR calls here? Can someone shed some light on this?

Thanks for your help. The original post is as follows:

=======================================
I have a slight confusion regarding SAM and Active Directory. From the
research that i have conducted so far, among other things, i have found
out that SAM DB was used up till windows NT 4 and after that it was
replaced with Active Directory (Windows 2000/Windows 2003). A local SAM
DB is still maintained on these systems.SAMR are the interfaces used to
access SAM DB and LDAP is used to access contents of Active Directory
(not sure about LDAP). I also know that in order to maintain backward
compatibility, SAMR interfaces are still being supported. This implies
that if for example, in a domain, Windows NT 4 based client is joined
to a server which is running W2k or W2k3 then SAMR interfaces are used.
Everything seemed fine untill the point when i took some captures on
the wire (using a network protocol analyzer). What i did was i setup a
windows 2000 domain controller. Then i made a windows 2000 based client
to join that domain. While analyzing the network capture, i found out
that several SAMR interface calls are being made. This is quite
confusing considering the fact that for W2k and above ActiveDirectory
is being used and perhaps LDAP calls were suppose to be made instead of
SAMR calls. So the questions that i have are:

- Is SAMR a legacy interface/protocol and only being kept for backward
compatibility?

- Active Directory is a successor to SAM DB. Is LDAP a successor to
SAMR?

- Why there are SAMR calls even when Windows NT 4 is not being used at
all in the scenario as mentioned above? Or in other words if in Windows
2000 and above, Active DIrectory is being used then why SAMR calls are
being used?

=======================================

sarshah.




.

Relevant Pages

  • Re: SAMR Interface Calls and Active Directory
    ... Older docs will indicate that SAMR is used when there is need to ... manage objects stored in the SAM. ... as it still exists in all versions right on through Windows Server ... It is replaced by Active Directory. ...
    (microsoft.public.windows.server.security)
  • Re: SAMR Interface Calls and Active Directory
    ... SAM is not the storage medium, it is the management code for handling security principals in Windows. ... It is fully active in Active Directory, many LDAP calls that have to do with SAM objects route through the SAM code. ... The difference between a Windows 2000 member machine and a Windows 2000 domain controller is simply that the SAM stores its info in different places. ... activity showed a number of SAMR calls. ...
    (microsoft.public.windows.server.security)
  • Re: SAMR Interface Calls and Active Directory
    ... SAM has been referred to as SAM DB. ... generate SAMR calls on windows 2000 and above machines. ... Author of O'Reilly Active Directory Third Edition ...
    (microsoft.public.windows.server.security)
  • RE: Please! Confirm or deny.....
    ... I will also try to get a repair copy of SAM ... > make sure there is no corruption based upon a hard disk problem. ... > This problem may occur if the Active Directory directory service contains ... Windows Server 2003 cannot initialize the Security Accounts Manager ...
    (microsoft.public.windowsxp.general)
  • Re: SAMR Interface Calls and Active Directory
    ... There is SAM and there is the SAM DB. ... Joe Richards Microsoft MVP Windows Server Directory Services ... Author of O'Reilly Active Directory Third Edition ... generate SAMR calls on windows 2000 and above machines. ...
    (microsoft.public.windows.server.security)