Re: SAMR Interface Calls and Active Directory
- From: sarshah20@xxxxxxxxx
- Date: 10 Apr 2006 06:16:29 -0700
Joe,
Can you please further elaborate on what you mean by storage medium?
If you mean a database (or actual data store on the disk) then in many
Microsoft articles, SAM has been referred to as SAM DB. Please explain.
Additionally, can you think of any further scenarios which would
generate SAMR calls on Windows 2000 and above machines?
Thanks,
sarshah.
Joe Richards [MVP] wrote:
SAM (Security Accounts Manager) is not the storage medium, it is the management
code for handling security principals in Windows. It is fully active in Active
Directory, many (all?) LDAP calls that have to do with SAM objects route through
the SAM code.
The difference between a Windows 2000 (or better) member machine and a Windows
2000 (or better) domain controller is simply that the SAM stores its info in
different places. On a member the info is stored in a secured portion of the
registry, on DCs it is stored in an ESE database which allows it to scale and
perform more efficiently.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
sarshah20@xxxxxxxxx wrote:
Hi,
This is a repost of the message that I earlier posted on different
forums but unfortunately there was no response. Maybe I made it look
too complicated.
To put it simply, the question was related to domain Security Account
Manager (SAM). In Windows 2000/2003/XP, domain SAM does not exist (not
used) anymore. It is replaced by Active Directory. But, for the
aforementioned OS, local SAM still exists.
Everything was fine until I set up a Windows 2000 domain controller
and made a Windows 2000 client join it. I used a network packet
capture utility to capture the packets that were exchanged during the
process of joining the domain controller. The packet capture for this
activity showed a number of SAMR calls. Now if the domain SAM does not
exist for Windows 2000 (and above) then why are there SAMR calls made
when joining a domain? I observed the same behavior for another
scenario where accessing a user account on the domain controller was
involved. Why are SAMR interface calls being used? What is the role of
SAMR calls here? Can someone shed some light on this?
Thanks for your help. The original post is as follows:
=======================================
I have a slight confusion regarding SAM and Active Directory. From the
research that I have conducted so far, among other things, I have found
out that SAM DB was used up till Windows NT 4 and after that it was
replaced with Active Directory (Windows 2000/Windows 2003). A local SAM
DB is still maintained on these systems. SAMR are the interfaces used to
access SAM DB and LDAP is used to access contents of Active Directory
(not sure about LDAP). I also know that in order to maintain backward
compatibility, SAMR interfaces are still being supported. This implies
that if, for example, in a domain, a Windows NT 4 based client is joined
to a server which is running W2k or W2k3 then SAMR interfaces are used.
Everything seemed fine until the point when I took some captures on
the wire (using a network protocol analyzer). What I did was I set up a
Windows 2000 domain controller. Then I made a Windows 2000 based client
join that domain. While analyzing the network capture, I found out
that several SAMR interface calls are being made. This is quite
confusing considering the fact that for W2k and above Active Directory
is being used and perhaps LDAP calls were supposed to be made instead of
SAMR calls. So the questions that I have are:
- Is SAMR a legacy interface/protocol and only being kept for backward
compatibility?
- Active Directory is a successor to SAM DB. Is LDAP a successor to
SAMR?
- Why are there SAMR calls even when Windows NT 4 is not being used at
all in the scenario as mentioned above? Or in other words, if in Windows
2000 and above Active Directory is being used, then why are SAMR calls
being used?
=======================================
sarshah.