Page 318 - DCAP403_Operating System
Unit 14: Windows 2000
client-side object that forwards I/O requests to remote files, where they are satisfied by a server.
For performance and security, the redirectors and servers run in kernel mode.
In more detail, access to a remote file occurs as follows:
1. The application calls the I/O manager to request that a file be opened with a file name in the standard UNC format.
2. The I/O manager builds an I/O request packet.
3. The I/O manager recognizes that the access is for a remote file, and calls a driver called a multiple universal-naming-convention provider (MUP).
4. The MUP sends the I/O request packet asynchronously to all registered redirectors.
5. A redirector that can satisfy the request responds to the MUP. To avoid asking all the redirectors the same question in the future, the MUP uses a cache to remember which redirector can handle this file.
6. The redirector sends the network request to the remote system.
7. The remote-system network drivers receive the request and pass it to the server driver.
8. The server driver hands the request to the proper local file-system driver.
9. The proper device driver is called to access the data.
10. The results are returned to the server driver, which sends the data back to the requesting redirector. The redirector then returns the data to the calling application via the I/O manager.
A similar process occurs for applications that use the Win32 network API, rather than the UNC
services, except that a module called a multi-provider router is used, instead of a MUP.
For portability, redirectors and servers use the TDI API for network transport. The requests
themselves are expressed in a higher-level protocol, which by default is the SMB protocol. The
list of redirectors is maintained in the system registry database.
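The following is an added example, not code from the course text: it reads the ordered list of network providers (redirectors) that the MPR and MUP consult from the registry location the text refers to, resolves each entry to the provider DLL and kernel device it registers, flags anything outside an expected baseline, and then exercises one UNC open. The baseline list and the share name \\FILESERVER\public are placeholders assumed for the example; the cmdlets used are standard on a current Windows host run as administrator.

```powershell
# Added example (not part of the course text): audit the registered network
# providers (redirectors) consulted for UNC paths, then exercise one UNC open.
# Assumptions: run as administrator on a modern Windows host; the baseline list
# and the share \\FILESERVER\public below are illustrative placeholders.

$orderKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
$providerOrder = (Get-ItemProperty -Path $orderKey -Name ProviderOrder).ProviderOrder

# Providers expected on this host (assumption; adjust to your own build baseline).
$expected = @('RDPNP', 'LanmanWorkstation', 'webclient')

$providers = foreach ($name in ($providerOrder -split ',')) {
    $name  = $name.Trim()
    $npKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\NetworkProvider"
    $np    = Get-ItemProperty -Path $npKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Provider    = $name
        DisplayName = $np.Name
        ProviderDll = $np.ProviderPath   # user-mode provider DLL loaded by the MPR
        Device      = $np.DeviceName     # kernel redirector device, e.g. \Device\LanmanRedirector
        Status      = if ($expected -contains $name) { 'known' } else { 'UNEXPECTED' }
    }
}
$providers | Format-Table -AutoSize

# Every provider in this list is offered every remote-file request, so an entry
# outside the baseline deserves a look at the DLL and device it points to.
$providers | Where-Object Status -eq 'UNEXPECTED' | ForEach-Object {
    Write-Warning "Unexpected network provider '$($_.Provider)' -> $($_.ProviderDll)"
}

# A UNC open follows the path described above:
# I/O manager -> MUP -> redirector -> network -> server driver -> local file system.
$uncPath = '\\FILESERVER\public\readme.txt'   # placeholder share for this example
try {
    $item = Get-Item -LiteralPath $uncPath -ErrorAction Stop
    "Opened $($item.FullName) via UNC ($($item.Length) bytes)"
    # Show the SMB session the LanmanWorkstation redirector established for it.
    Get-SmbConnection -ServerName 'FILESERVER' -ErrorAction SilentlyContinue |
        Select-Object ServerName, ShareName, Dialect, UserName
} catch {
    Write-Warning "UNC open failed: $($_.Exception.Message)"
}
```

The ProviderOrder value is the registry-maintained redirector list the text mentions; its order decides which provider is asked first for a path, and the per-service NetworkProvider subkey is where each redirector names the DLL and device that will receive the request.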
14.5.4 Domains
Many networked environments have natural groups of users, such as students in a computer
laboratory at school, or employees in one department in a business. Frequently, we want all the
members of the group to be able to access shared resources on their various computers in the
group. To manage the global access rights within such groups, Windows 2000 uses the concept
of a domain. Previously, these domains had no relationship whatsoever to the Domain Name
System that maps Internet host names to IP addresses; now, however, they are closely related.
Specifically, a Windows 2000 domain is a group of Windows 2000 workstations and servers that
shares a common security policy and user database. Since Windows 2000 uses the Kerberos
protocol for trust and authentication, a Windows 2000 domain corresponds directly to a Kerberos
realm (the realm name is the domain's DNS name in upper case). Previous versions of NT used the
idea of a primary domain controller, holding the only writable copy of the user database, and
read-only backup domain controllers; in Windows 2000 every domain controller holds a writable
replica and changes are replicated among them, so no single controller is primary.
In addition, previous versions required the setup of one-way trusts between domains. Windows
2000 uses a hierarchical approach based on DNS, and allows transitive trusts that can flow up
and down the hierarchy. This approach reduces the number of trusts required for n domains from
n(n − 1) (one trust in each direction for every pair) to O(n) (one parent-child trust per
non-root domain). The workstations in the domain trust the domain controller to give correct
information about the access rights of each user (via the user's access token). Users retain
the ability to restrict access to resources on their own workstations through local access-control
lists, no matter what any domain controller may say.
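The trust-count claim above, as an added example that is not part of the course text: a constructed five-domain tree (the domain names are made up for the example) is modelled as a child-to-parent map, the number of one-way mesh trusts is compared with the number of parent-child trusts the tree needs, and a helper walks the transitive path (up to the common ancestor, then down) to confirm every ordered pair of domains is still reachable.

```powershell
# Added example (not part of the course text): compare the links a flat mesh of
# one-way trusts needs with the links a transitive domain tree needs, and check
# that every domain can still reach every other over the tree.
# The five-domain tree below is a constructed sample, not a real deployment.

# Child -> parent map; the tree root has no parent.
$parent = @{
    'lpu.edu'         = $null
    'cs.lpu.edu'      = 'lpu.edu'
    'ee.lpu.edu'      = 'lpu.edu'
    'lab.cs.lpu.edu'  = 'cs.lpu.edu'
    'grad.cs.lpu.edu' = 'cs.lpu.edu'
}
$domains = @($parent.Keys)
$n = $domains.Count

function Get-TrustPath {
    # Transitive path between two domains: up from the source to their common
    # ancestor, then down to the target. Returns $null if no ancestor is shared.
    param([string]$From, [string]$To)
    $up = @(); $d = $From
    while ($null -ne $d) { $up += $d; $d = $parent[$d] }
    $down = @(); $d = $To
    while ($null -ne $d -and $up -notcontains $d) { $down = @($d) + $down; $d = $parent[$d] }
    if ($null -eq $d) { return $null }
    return @($up[0..$up.IndexOf($d)]) + $down
}

$meshTrusts = $n * ($n - 1)                                    # one-way trust each direction per pair
$treeTrusts = ($domains | Where-Object { $parent[$_] }).Count  # one parent-child trust per non-root
"Domains: $n  one-way mesh trusts: $meshTrusts  transitive tree trusts: $treeTrusts"

# Every ordered pair must still be reachable over the tree's transitive trusts.
$unreachable = foreach ($a in $domains) { foreach ($b in $domains) {
    if ($a -ne $b -and -not (Get-TrustPath -From $a -To $b)) { "$a -> $b" }
} }
if ($unreachable) { Write-Warning "Unreachable: $($unreachable -join ', ')" }
else { "All $($n * ($n - 1)) domain pairs reachable through $treeTrusts trusts." }

# Hop list for one cross-branch pair: up to lpu.edu, then down into the other branch.
(Get-TrustPath -From 'lab.cs.lpu.edu' -To 'ee.lpu.edu') -join ' -> '
```

With five domains the script reports 20 one-way mesh trusts against 4 tree trusts while every one of the 20 ordered pairs remains reachable. On a real forest the equivalent check is to list the actual trust objects with Get-ADTrust -Filter * (ActiveDirectory module) and inspect their Direction, IntraForest and ForestTransitive properties, since a non-transitive or one-way trust breaks the path this helper assumes.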
Because a business may have many departments, and a school may have many classes, it is
often necessary to manage multiple domains within a single organization. A domain tree is a
LOVELY PROFESSIONAL UNIVERSITY 311