Document revision date: 30 March 2001

The Advanced Server provides networking that is functionally equivalent to that of the Windows NT Server. The Advanced Server can operate independently or in cooperation with Windows NT Servers. This appendix discusses some differences you will encounter between the Advanced Server and Windows NT Server in day-to-day management of a network that includes both types of servers. These differences include how individuals are assigned as administrators and operators, how security works, and how resource permissions map between the systems.

A.1 Management Tools

The Advanced Server provides the Windows NT server administration tools for managing the network. Using these tools, you can administer the Advanced Server from a Windows 95, Windows 98, or Windows for Workgroups client. You can also administer the Advanced Server from a Windows NT workstation computer that has the Windows NT server administration tools installed, and from a Windows NT Server computer. The tools can also be used to manage Windows NT Server.

Installable versions of the Windows NT server administration tools are shared automatically by the Advanced Server.

A.1.1 Printer Management

Configured to support Windows NT-style printer management, the Advanced Server for OpenVMS provides similar printer management capabilities as provided by Windows NT. The only known exceptions are the following:

• You cannot adjust the scheduling properties (normally accessed from the Windows NT printer's Properties window) of Advanced Server printers.
• Upgraded printers (that is, printers or print shares that were already defined on an Advanced Server when Windows NT printer management was enabled) cannot be managed with all the management functionality available for printers that were added to the server by Windows NT print services. For example, you cannot use Windows NT to add an upgraded server printer to another workstation. You can gain full functionality for upgraded printers by removing them and then using Windows NT print services to add them back to the server again.

Configured to support printers with the ADMINISTER command-line interface, the Advanced Server provides only limited management capabilities from Windows NT, such as managing print jobs.

A.1.2 User Account Information

User accounts in Advanced Server domains maintain the same user account information as Windows NT Server accounts.

A.2 Services

The Advanced Server supports most Windows NT Server services. Table A-1 describes the Windows NT Server services that run on the Advanced Server.

Table A-1 Services Common to Advanced Server and Windows NT Server

Service	Description
Alerter	Notifies selected users and computers of administrative alerts on a computer. Used by the server and other services. Starts by default.
EventLog	Records system, security, and application events in the event logs, and enables remote access to those logs. Starts by default.
NetLogon	Verifies the user name and password of each person who attempts to log on to the network or gain access to the server. Starts by default.
Server	Provides file, print, and named pipe sharing, and support for remote procedure calls. Starts by default.
Time Source	Identifies a server as the domain time source.

A.3 Resource Permissions

Advanced Server file and directory permissions are identical to Windows NT Server file and directory permissions. Both are typically applied in predefined sets, such as Full Control, Read, or Change.

The Advanced Server enhances the file and directory permissions on Windows NT Server by offering the additional option of enforcing OpenVMS security.

A.3.2 Printer Permissions

The Advanced Server and Windows NT Server implement identical printer security. Permissions are assigned to print shares, through which the user accesses print queues. The available printer permissions are Print, None, Manage Documents, and Full on Advanced Servers; these permissions correspond to Print, No Access, Manage Documents, and Full Control on Windows NT Server.

A.4 Disk Resources Shared by Default

With Windows NT Server and Advanced Server, you can share directories and specify which users can access them. To share a directory, assign a share name to it.

Table A-2 shows share names (or disk resources) that typically are set up automatically in Windows NT Server and Advanced Server. The number of shared resources on your server will vary depending on your implementation.

Table A-2 Share Names

Windows NT Server	Advanced Server	Description
ADMIN$	ADMIN$	A special administrative resource for remote administration. All share names that end in a dollar sign ($) are hidden; they do not normally appear when a user displays server resources.
C$	C$	A connection to the root of the file system. On Windows NT Server, this is the local C device. On the Advanced Server, this is PWRK$LMROOT:[LANMAN].
d$	device$	An administrative share. On Windows NT Server, a single letter from D to Z followed by $ identifies the drive letter; on OpenVMS, the name of the disk device or directory followed by $ identifies the disk.
IPC$	IPC$	Supports interprocess communication.
LIB	N/A	Contains header files and link-time libraries needed to create applications. Not supported by Advanced Server.
NETLOGON	NETLOGON	Shares the directory specified by scripts with the share name NETLOGON.
REPL$	N/A	On Windows NT Server, this directory is associated with the Directory Replicator service. It is available when the Directory Replicator service is active on the export server. Not supported by Advanced Server.
USERS	USERS	Contains user home directories.

It is useful to keep track of domains, groups, user accounts, and trust relationships you create as you build and modify your network. The information you record can help you manage your network and solve problems as they arise.

To record the way you build and modify your network, photocopy the worksheet templates provided in this chapter and fill them in as you plan your network; update the worksheets as you modify your network in the future.

The following is a list of worksheet templates provided:

• The Domain Worksheet --- Lists the servers that are members of a domain, their configurations, and roles; records the domain's trust relationships with other domains.
• The Groups Worksheet --- Lists and describes the user groups in a domain, and lists the members of each group.
• The Shares Worksheet --- Lists a server's directory and print shares.

B.1 The Domain Worksheet

B.2 The Groups Worksheet

B.3 The Shares Worksheet

access control: The mechanism for validating the right to use a resource or service, such as a connection, logon, or file access, that is stored on or connected to a server. A user name and password combination is the most common means of access control.

access control entry (ACE): An entry in an access control list (ACL). Each access control entry defines the protection or auditing to be applied to a file or other object for a specific user or group.

access control list (ACL): The part of a security descriptor that restricts and audits access to an object. The owner of an object has discretionary access control of the object and can change the object's ACL to allow or disallow other users access to the object. Access control lists are ordered lists of access control entries (ACEs).

access permissions: See permissions.

access right: A permission that controls the way in which an object may be manipulated by a user or by members of a group. Different object types support different access rights; these are stored in an object's access control list (ACL).

access token (or security token): An object that uniquely identifies a user who has logged on. An access token is attached to all of the user's processes. The token contains the user's security ID (SID), the SIDs of any groups to which the user belongs, the user's privileges, and information describing the ownership and access control list (ACL) to be applied to any objects that the user's processes create. See also access control list, security ID, and user privilege.

account: See user account.

account policy: Defines the way passwords are implemented by all user accounts.

ACE: See access control entry.

ACL: See access control list.

ADMIN$: An administrative resource that enables remote administration of servers. A server's ADMIN$ resource is automatically shared and the share cannot be deleted. See also C$ and IPC$.

ADMINISTER commands: Commands used to manage an Advanced Server locally or remotely. The ADMINISTER commands are the Advanced Server command-line interface and they conform to standard OpenVMS DCL command syntax.

administrative alert: A message from the Advanced Server concerning server and resource use, or problems relating to security and access, user sessions, and printing. See also Alerter service.

administrative resource: A resource used when network users and administrators perform certain tasks on the server, including viewing the resources the server is sharing, administering the server remotely, and running shared applications. Administrative resources include ADMIN$ and IPC$.

administrator: The individual responsible for managing the network. Typically, this person configures the network, maintains the network's shared resources and security, assigns passwords and privileges, and helps users.

Advanced Server: A network operating system compatible with Microsoft Windows NT technology that provides domain, file, and print services.

alert: A message that the server sends under certain conditions. See also administrative alert and error alert.

alert level: A value that users can specify so that the software notifies them when licenses are fully consumed. For more information, see the Compaq Advanced Server for OpenVMS Guide to Managing Advanced Server Licenses.

Alerter service: A server component that notifies selected users and computers of administrative alerts that occur on a computer. It is used by the Server service and other services. See also administrative alert.

alias: See alias file name, cluster alias.

alias file name: An alternate file name that the Advanced Server generates for a file whose name is incompatible with the traditional 8.3 file name format used by MS-DOS and legacy PC applications. For example, if the length of a file's name exceeds the MS-DOS 8.3 file name length, the Advanced Server generates an alternate file name, the alias, which conforms to the MS-DOS 8.3 file name format. Either the full file name or the alias file name may be used by a client to access the file.

application programming interface (API): A set of routines that an application program uses to request and carry out lower-level services performed by the operating system.

archive bit: An attribute of any file: a bit that backup programs use to mark files after backing them up with either the normal or incremental backup types.

audit policy: The policy that defines the types of events that are logged.

audit trail: The event and error messages that are saved in the event log file, as defined by the audit policy.

auditing: The process by which Advanced Server records an entry in the event log file whenever a user accesses a resource in a certain way or logs on to the network.

authentication: Validation of a user's logon information. See also external authentication, pass-through authentication.

backup domain controller (BDC): In a domain, a server that keeps and uses a copy of the security accounts database to validate logon requests and that can take over the function of the primary domain controller if the primary domain controller fails. Contrast with member server, primary domain controller.

batch command file: A file that contains one or more commands to be processed sequentially. When a user types the file name at the command prompt, the commands contained in the file are executed.

BIND: Berkeley Internet Name Domain. The implementation of a DNS server developed and distributed by the University of California at Berkeley. Host name and address lookup service for the Internet; implemented in a client/server model.

boot (or bootstrap): To run or initiate a program that loads the operating system into memory and starts or restarts the computer.

broadcast message: A message sent to client workstations on the network. Users cannot respond to this type of message.

browse: To look through lists of servers and workstations in a domain.

built-in groups: The default groups provided with the Advanced Server. They each have established rights and abilities. These groups cannot be deleted. See also group.

C$: The administrative resource that represents a server's disk drive. The Advanced Server points C$ to PWRK$LMROOT:[LANMAN].

cache memory: High-speed memory that contains copies of data recently used, or likely to be used again, by the processor. Cache memory avoids frequent disk input/output, thus providing faster operation.

check box: In a dialog box, an indicator that a user can select or clear to turn one or more options on or off. Used, for example, in the Configuration Manager to select transports. Contrast with radio button.

client: A personal computer or workstation, connected to the network, that can access resources on a server. Contrast with server.

Client License Requester: A client-based PATHWORKS utility that is responsible for requesting client-based licenses for clients so that they can access resources on the server.

Client License Transponder: A client-based PATHWORKS utility that responds to license authentication requests.

client-based license: A license that is assigned on a per-workstation basis and allows a client to access multiple file servers. Contrast with server-based license.

cluster alias: The OpenVMS Cluster alias acts as a single network node identifier for an OpenVMS Cluster system. The cluster alias makes all the OpenVMS Cluster nodes appear to be one node from the point of view of the rest of the network. Remote applications in DECnet or TCP/IP networks, for example, can use the alias to access services provided by the cluster. Access is ensured if at least one OpenVMS Cluster member is available to process the service request.

The Advanced Server cluster alias is the single identifier that all Advanced Servers in the cluster share (in addition to each server's individual server name). This alias lets remote nodes (including clients) treat the entire cluster as though it were a single server. The Advanced Server cluster alias is transport independent; the OpenVMS Cluster alias is unique to either TCP/IP or DECnet. The Advanced Server cluster alias is shared only by those members that are running the Advanced Server; the OpenVMS Cluster alias is shared by all the members of the cluster.

code page: An ordered set of 256 characters developed to expand beyond the limitations of the ASCII (American Standard Code for Information Interchange) character set. Language-specific code pages were developed because the sum of characters used in languages internationally far exceeds 255. All the language-specific code pages overlay the same set of 8-bit values. For example, a specific 8-bit value in a code page used for the English language can be used for another character used for the Cyrillic language. An application has to be set to interpret the codes in the context of the selected code page.

Each 8-bit index value or code position in a code page is called a code point or code value. Most code pages, including those of the Advanced Server, map values 0 to 128 to the ASCII character set.

computer name: A unique name that identifies a server, personal computer, or workstation to the network.

configuration: The set of hardware, hardware options, software, and software options on a computer or network.

Configuration Manager: An Advanced Server tool for modifying server configuration parameters.

connection: The software link between a workstation and a shared resource on a server. A connection is made by assigning a local device name on the workstation to a shared resource on a server, or by accessing the resource through a network path name with a command or from an application. Contrast with session.

country code: A code in a user account that specifies the language in which the server sends messages to the user.

DECnet-Plus: The Compaq family of peer-to-peer, Ethernet-based network products.

default: The value assigned by a program if a value is not supplied by the user.

default permissions: The permissions assigned to a share if no permissions are specified.

destination directory: The directory to which one or more files are to be moved or copied. Contrast with source directory.

device driver: A program that enables a specific device, such as a printer, to communicate with the operating system.

device name: The name by which a computer identifies a printer, disk, or other device.

dialog box: A window displayed in response to user action that allows users to enter information and presents choices for further action.

directory: Part of a structure for organizing files on a disk. A directory can contain files and other directories (called subdirectories). See also directory tree.

directory access permissions: The type of access that a group or user is granted to a particular directory, such as read-only. See also share permissions and special access permissions.

directory replication: The copying of a master set of directories from a server (called an export server) to specified servers or workstations (called import computers) in the same or other domains. See also domain synchronization.

Directory Replicator service: Replicates directories, and the files in those directories, between computers.

directory share: See shared directory.

directory tree: A conceptual representation of a disk's directory structure. The directories on the disk are organized in a hierarchy. The top-level directory is the root directory. See also path.

disabled user account: A user account that does not permit logons. The account can be restored to enabled status at any time. See also user account.

disk resource: A disk device that can be shared.

distributed computing: An application design and implementation strategy that divides the user interface, processing, and database storage components of an application into units that can execute on multiple networked computer systems.

DNS: Domain Name System. A distributed database system that allows TCP/IP applications to resolve a host name into a correct IP address. The Advanced Server for OpenVMS can be configured as a DNS client to use a DNS server for NetBIOS name resolution in a wide area network. The Advanced Server can use DNS for OpenVMS Cluster load balancing in a WAN environment.

domain: A collection of computers that share a common security database and policy. Each domain has a unique name. A network can have many domains. See also workgroup and logon security.

domain database: See security accounts database.

domain synchronization: The replication of one or more elements of the domain databases (security databases), from the primary domain controller to one or more backup domain controllers in the domain. Domain synchronization is usually performed automatically by the system, but can also be invoked manually by an administrator. See also full synchronization and partial synchronization.

downlevel: A term that refers to earlier network operating systems, such as LAN Manager, that can interoperate with the Advanced Server.

driver: See device driver.

dynamic data exchange (DDE): A form of interprocess communications (IPC) in which two or more programs that support dynamic data exchange can exchange information and commands.

edit box: In a dialog box, a field for entering information. Used, for example, in the Upgrade utility to enter the domain name.

encapsulated PostScript (EPS): A file format optimized for moving PostScript files between applications.

equivalence-name: The node name portion of a file server name.

error alert: A message from the Advanced Server about local area network or system errors. Error alerts are stored in the error log.

Ethernet address: An alphanumeric string, six bytes in length, that identifies a node on the Ethernet. The string is six pairs of hexadecimal digits, separated by hyphens (for example, AA-00-04-00-91-27).

event: Any significant occurrence in the system or in an application that requires users, operators, or administrators to be notified, or an entry to be added to a log.

EventLog service: The Advanced Server service that records events in the system, security, and application event log files.

export path: In directory replication, a path from which subdirectories, and the files in those subdirectories, are automatically copied from an export server. See also directory replication.

export server: In directory replication, a server from which a master set of directories is copied to specified servers or workstations (called import computers) in the same or other domains. See also directory replication.

extended character sets: Character sets that define 16-bit character mappings for values 0 to 255, and so are much more extensive than, for example, the conventional 7-bit ASCII set, which maps characters to values 0 to 127, and is limited to the standard characters of the English and Western European languages. Extended character sets can be used to encode more characters to support a wider variety of languages. The Advanced Server for OpenVMS can be configured to support one of several ISO-8859 character sets. The PATHWORKS for OpenVMS (Advanced Server) only supports ISO-8859-1 (ISO Latin-1). See also Unicode.

Extended File Specifications: On OpenVMS Alpha systems, provides deep directories and extended file names support. Deep directories support allows network clients to use an hierarchical arrangement of directories and files on the OpenVMS disk similar to the client-based disk. Extended file names support uses the On-Disk Structure (ODS-5), extending OpenVMS file name restrictions to support longer file names and adding extended character set characters to the supported character set. See also ODS-5.

external authentication: Allows users to log on to the OpenVMS operating system using their Advanced Server user names and passwords. This feature is useful to OpenVMS system managers who want to provide users with a single username and password combination for both OpenVMS login and Advanced Server network logon. See also pass-through authentication.

FAT: File allocation table. File system structure used by the MS-DOS operating system.

file extension: Any characters that follow a period at the end of a file name. A file extension usually identifies the file's type.

File Index Table (FIT): A file name lookup table (with the .FIT extension) that consists of file translation pairs. FIT files map path names entered on a client workstation to the actual files on the server.

	privacy and legal statement
6553PRO_009.HTML