User Databases In Windows NT and Windows 2000

Murat Yıldırımoğlu

murat@muratyildirimoglu.com


Both Windows NT and Windows 2000 are secure operating systems (OS). The number one requirement for a secure OS is that a user must log on to the system whose resources will be used with a valid username and password.


Every NT machine has a user database, called the SAM (Security Accounts Manager), located in %systemroot%\system32\config. The SAM is a part of the Registry. If a user wants to access the resources on an NT machine, a user account must be created for him or her on that machine. But this requirement makes life difficult. Think of it this way: if you want a thousand users to access a thousand NT machines, you must create 1000 × 1000, that is, 1 million user accounts in total. The NT domain comes to the rescue at this point.


If you create an NT domain, you solve the problem of creating user accounts on every machine. User accounts are created at a central location, and all the computers can use the accounts in this central location when a user must be validated (“authenticated” in computer terminology).
</gre_replace>
<gr_replace lines="19" cat="remove_boilerplate" orig=" ">

 

The central location is the domain controllers. Domain controllers are NT Server machines, and the user databases (SAM) of the domain controllers become the domain database. There are two kinds of domain controllers: primary domain controllers (PDC) and backup domain controllers (BDC). There can be only one PDC in an NT domain. A BDC is not required, but if you want one for “backup” and load-distribution purposes, you can install as many BDCs as you want. The writable copy of the domain database resides on the PDC, and read-only copies of the domain database are replicated to the BDCs periodically. So the SAM databases of the PDC and the BDCs are the same.


Windows 2000 computers also have SAM databases, located in the same place. And Windows 2000 also has a domain structure, but it is radically different from the NT domain structure. There are domain controllers in a Windows 2000 domain, but they are equal (well, some of them are more equal, but that is the subject of another article), so they are called simply “domain controllers” (DC). Every domain controller has a writable copy of the domain database, and changes made to the domain database on one DC are replicated to all the other DCs. The domain database is located in the %systemroot%\NTDS folder by default, and its name is NTDS.DIT. Here is the main difference: the domain database is separate and distinct from the SAM. When the first domain controller is set up, any user accounts that were created before are transferred to the domain database, and only the default user accounts are left in the SAM. (This procedure is not repeated for the subsequent domain controllers.) In two situations we still need the SAM on a DC: in the Recovery Console, and when we want to restore the system state data from a backup. In these situations you must log on to the system using the Administrator account in the SAM. So be careful when you change the name or the password of this account.
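The following script is an added example, not code from the article, that locates the two databases the article describes on a given machine: the local SAM hive under %systemroot%\system32\config and, if the machine is a domain controller, the directory database NTDS.DIT. It assumes a modern Windows Server with PowerShell (the article's Windows 2000 machines predate PowerShell) and reads the `DSA Database file` value under the NTDS service's `Parameters` key, which exists only on a domain controller. The function name `Get-AccountDatabaseLocations` is this example's own.

```powershell
# Added example (not from the article): report where the local SAM hive and,
# on a domain controller, the Active Directory database (NTDS.DIT) live,
# and list who has access to the folder holding NTDS.DIT so the ACL can be reviewed.
# Assumes a modern Windows Server with PowerShell and local administrator rights.

function Get-AccountDatabaseLocations {
    $systemRoot = $env:SystemRoot
    # The SAM hive is part of the Registry; its backing file is in system32\config.
    $samHive = Join-Path $systemRoot 'system32\config\SAM'

    # This key is created by the NTDS service and is present only on a domain
    # controller. "DSA Database file" holds the full path of NTDS.DIT.
    $ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $ditPath = $null
    if (Test-Path $ntdsKey) {
        $params  = Get-ItemProperty -Path $ntdsKey -ErrorAction SilentlyContinue
        $ditPath = $params.'DSA Database file'
    }

    # On a DC, collect the identities that have any access to the NTDS folder,
    # so an administrator can confirm that only SYSTEM and Administrators appear.
    $ntdsFolderAccess = @()
    if ($ditPath -and (Test-Path $ditPath)) {
        $ntdsFolder = Split-Path -Path $ditPath -Parent
        $acl = Get-Acl -Path $ntdsFolder
        $ntdsFolderAccess = $acl.Access |
            ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        IsDomainController = [bool]$ditPath
        SamHive            = $samHive
        SamHivePresent     = Test-Path $samHive       # present on every machine, DC or not
        NtdsDit            = $ditPath                  # $null on a member server / workstation
        NtdsDitPresent     = if ($ditPath) { Test-Path $ditPath } else { $false }
        NtdsFolderAccess   = $ntdsFolderAccess
    }
}

# Usage: run in an elevated PowerShell session.
Get-AccountDatabaseLocations | Format-List
```

On a workstation or member server the output shows the SAM hive only, with `IsDomainController` false; on a DC it shows both, which matches the article's point that the SAM is still present on a DC alongside NTDS.DIT. The SAM hive file is held open by the system, so the script only checks that it exists and does not try to read it. Because the Administrator account in that SAM is the one used for the Recovery Console and for system state restores, keeping track of where it lives and that its password is known is part of the same review.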