HP OpenVMS Systems
HP Advanced Server for OpenVMS
The Advanced Server provides networking that is functionally equivalent
to that of the Windows NT Server. The Advanced Server can operate
independently or in cooperation with Windows NT Servers. This appendix
discusses some differences you will encounter between the Advanced Server
and Windows NT Server in day-to-day management of a network that
includes both types of servers. These differences include how
individuals are assigned as administrators and operators, how security
works, and how resource permissions map between the systems.
A.1 Management Tools
The Advanced Server provides the Windows NT server administration tools for managing the network. Using these tools, you can administer the Advanced Server from a Windows 95, Windows 98, or Windows for Workgroups client. You can also administer the Advanced Server from a Windows NT workstation computer that has the Windows NT server administration tools installed, and from a Windows NT Server computer. The tools can also be used to manage Windows NT Server.
Installable versions of the Windows NT server administration tools are
shared automatically by the Advanced Server.
A.1.1 Printer Management
When configured to support Windows NT-style printer management, the Advanced Server for OpenVMS provides printer management capabilities similar to those provided by Windows NT. The only known exceptions are the following:
Configured to support printers with the ADMINISTER command-line
interface, the Advanced Server provides only limited management
capabilities from Windows NT, such as managing print jobs.
A.1.2 User Account Information
User accounts in Advanced Server domains maintain the same user account
information as Windows NT Server accounts.
The Advanced Server supports most Windows NT Server services. Table A-1 describes the Windows NT Server services that run on the Advanced Server.
|Service||Description|
|Alerter||Notifies selected users and computers of administrative alerts on a computer. Used by the server and other services. Starts by default.|
|EventLog||Records system, security, and application events in the event logs, and enables remote access to those logs. Starts by default.|
|NetLogon||Verifies the user name and password of each person who attempts to log on to the network or gain access to the server. Starts by default.|
|Server||Provides file, print, and named pipe sharing, and support for remote procedure calls. Starts by default.|
|Time Source||Identifies a server as the domain time source.|
A.3 Resource Permissions
This section compares the user-level permission settings available in
Windows NT Server with the security settings that are available in the
Advanced Server, including file, directory, printer, and named pipe
settings. The Advanced Server does not support communication queues.
A.3.1 File and Directory Permissions
Advanced Server file and directory permissions are identical to Windows NT Server file and directory permissions. Both are typically applied in predefined sets, such as Full Control, Read, or Change.
The Advanced Server enhances the file and directory permissions on
Windows NT Server by offering the additional option of enforcing
A.3.2 Printer Permissions
The Advanced Server and Windows NT Server implement identical printer
security. Permissions are assigned to print shares, through which the
user accesses print queues. The available printer permissions are
Print, None, Manage Documents, and Full on Advanced Servers; these
permissions correspond to Print, No Access, Manage Documents, and Full
Control on Windows NT Server.
A.4 Disk Resources Shared by Default
With Windows NT Server and Advanced Server, you can share directories and specify which users can access them. To share a directory, assign a share name to it.
Table A-2 shows share names (or disk resources) that typically are set up automatically in Windows NT Server and Advanced Server. The number of shared resources on your server will vary depending on your implementation.
|Windows NT Server||Advanced Server||Description|
|ADMIN$||ADMIN$||A special administrative resource for remote administration. All share names that end in a dollar sign ($) are hidden; they do not normally appear when a user displays server resources.|
|C$||C$||A connection to the root of the file system. On Windows NT Server, this is the local C device. On the Advanced Server, this is PWRK$LMROOT:[LANMAN].|
|d$||device$||An administrative share. On Windows NT Server, a single letter from D to Z followed by $ identifies the drive letter; on OpenVMS, the name of the disk device or directory followed by $ identifies the disk.|
|IPC$||IPC$||Supports interprocess communication.|
|LIB||N/A||Contains header files and link-time libraries needed to create applications. Not supported by Advanced Server.|
|NETLOGON||NETLOGON||Shares the directory specified by scripts with the share name NETLOGON.|
|REPL$||N/A||On Windows NT Server, this directory is associated with the Directory Replicator service. It is available when the Directory Replicator service is active on the export server. Not supported by Advanced Server.|
|USERS||USERS||Contains user home directories.|
It is useful to keep track of domains, groups, user accounts, and trust relationships you create as you build and modify your network. The information you record can help you manage your network and solve problems as they arise.
To record the way you build and modify your network, photocopy the worksheet templates provided in this chapter and fill them in as you plan your network; update the worksheets as you modify your network in the future.
The following is a list of worksheet templates provided:
B.1 The Domain Worksheet
Use this worksheet to list all the servers in the domain with their
configurations and roles and to record the domain's trust relationships
with other domains.
B.2 The Groups Worksheet
Use this worksheet to track the user groups created in the domain.
B.3 The Shares Worksheet
Use this worksheet to list the shares defined on the local server. Fill
out a separate worksheet for each server.
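The default shares of Table A-2 and the Shares Worksheet of B.3 can be combined into a share audit: classify each share a server reports, then compare the remaining custom shares with what the worksheet records. The following Python code is an added example, not part of the HP documentation; the share list, device names and worksheet entries are constructed sample input, and the category names are this example's own.

```python
import re

NT, AS = "Windows NT Server", "Advanced Server"
# Table A-2: default share name -> server types that set it up automatically.
DEFAULT_SHARES = {
    "ADMIN$": {NT, AS}, "C$": {NT, AS}, "IPC$": {NT, AS},
    "NETLOGON": {NT, AS}, "USERS": {NT, AS},
    "LIB": {NT}, "REPL$": {NT},  # not supported by Advanced Server
}
# On Windows NT Server, a single letter from D to Z followed by $ is a drive share.
NT_DRIVE_SHARE = re.compile(r"[D-Z]\$")


def classify_share(name, server_type, devices=()):
    """Classify one share name against Table A-2 (names compared case-insensitively).

    devices: disk device or directory names on an Advanced Server; supplying
    them is an assumption of this example.
    """
    share = name.upper()
    if share in DEFAULT_SHARES:
        ok = server_type in DEFAULT_SHARES[share]
        return "default" if ok else "unexpected-default"
    if server_type == NT and NT_DRIVE_SHARE.fullmatch(share):
        return "admin-disk"
    if server_type == AS and share.endswith("$"):
        if share[:-1] in {d.upper() for d in devices}:
            return "admin-disk"
    return "custom"


def audit_shares(shares, server_type, devices=(), worksheet=()):
    """Group a server's shares and compare custom ones with the Shares Worksheet."""
    recorded = {w.upper() for w in worksheet}
    report = {k: [] for k in ("default", "admin-disk", "unexpected-default",
                              "recorded", "hidden-unrecorded", "visible-unrecorded")}
    for name in shares:
        kind = classify_share(name, server_type, devices)
        if kind != "custom":
            report[kind].append(name)
        elif name.upper() in recorded:
            report["recorded"].append(name)
        elif name.endswith("$"):  # hidden: not shown when users display resources
            report["hidden-unrecorded"].append(name)
        else:
            report["visible-unrecorded"].append(name)
    # Worksheet entries with no matching share on the server.
    report["worksheet-only"] = sorted(recorded - {s.upper() for s in shares})
    return report


# Constructed sample input (not taken from a real server).
SAMPLE_SHARES = ["ADMIN$", "C$", "IPC$", "NETLOGON", "USERS",
                 "DKA100$", "REPL$", "PAYROLL$", "PROJECTS"]
SAMPLE_DEVICES = ["DKA100"]
SAMPLE_WORKSHEET = ["PROJECTS", "ARCHIVE"]

if __name__ == "__main__":
    result = audit_shares(SAMPLE_SHARES, AS, SAMPLE_DEVICES, SAMPLE_WORKSHEET)
    for category, names in result.items():
        print(f"{category:20} {', '.join(names) or '-'}")
```

Hidden shares that are neither defaults nor on the worksheet are the entries to review first, because they do not normally appear when a user displays server resources.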
access control: The mechanism for validating the right
to use a resource or service, such as a connection, logon, or file
access, that is stored on or connected to a server. A user name and
password combination is the most common means of access control.
access control entry (ACE): An entry in an access
control list (ACL). Each access control entry defines the protection or
auditing to be applied to a file or other object for a specific user or
access control list (ACL): The part of a security
descriptor that restricts and audits access to an object. The owner of
an object has discretionary access control of the object and can change
the object's ACL to allow or disallow other users access to the object.
Access control lists are ordered lists of access control entries (ACEs).
access permissions: See
access right: A permission that controls the way in
which an object may be manipulated by a user or by members of a group.
Different object types support different access rights; these are
stored in an object's access control list (ACL).
access token (or security token): An object that
uniquely identifies a user who has logged on. An access token is
attached to all of the user's processes. The token contains the user's
security ID (SID), the SIDs of any groups to which the user belongs,
the user's privileges, and information describing the ownership and
access control list (ACL) to be applied to any objects that the user's
processes create. See also access control list,
security ID, and user privilege.
account: See user account.
account policy: Defines the way passwords are
implemented by all user accounts.
ACE: See access control
ACL: See access control list.
ADMIN$: An administrative resource that enables remote
administration of servers. A server's ADMIN$ resource is automatically
shared and the share cannot be deleted. See also
C$ and IPC$.
ADMINISTER commands: Commands used to manage an
Advanced Server locally or remotely. The ADMINISTER commands are the
Advanced Server command-line interface and they conform to standard
OpenVMS DCL command syntax.
administrative alert: A message from the Advanced Server
concerning server and resource use, or problems relating to security
and access, user sessions, and printing. See also
administrative resource: A resource used when network
users and administrators perform certain tasks on the server, including
viewing the resources the server is sharing, administering the server
remotely, and running shared applications. Administrative resources
include ADMIN$ and IPC$.
administrator: The individual responsible for managing
the network. Typically, this person configures the network, maintains
the network's shared resources and security, assigns passwords and
privileges, and helps users.
Advanced Server: A network operating system compatible
with Microsoft Windows NT technology that provides domain, file, and
alert: A message that the server sends under certain
conditions. See also administrative alert and
alert level: A value that users can specify so that
the software notifies them when licenses are fully consumed. For more
information, see the HP Advanced Server for OpenVMS Guide to Managing Advanced Server Licenses.
Alerter service: A server component that notifies
selected users and computers of administrative alerts that occur on a
computer. It is used by the Server service and other services. See
also administrative alert.
alias: See alias file name,
alias file name: An alternate file name that the
Advanced Server generates for a file whose name is incompatible with the
traditional 8.3 file name format used by MS-DOS and legacy PC
applications. For example, if the length of a file's name exceeds the
MS-DOS 8.3 file name length, the Advanced Server generates an alternate
file name, the alias, which conforms to the MS-DOS 8.3 file name
format. Either the full file name or the alias file name may be used by
a client to access the file.
application programming interface (API): A set of
routines that an application program uses to request and carry out
lower-level services performed by the operating system.
archive bit: An attribute of any file: a bit that
backup programs use to mark files after backing them up with either the
normal or incremental backup types.
audit policy: The policy that defines the types of
events that are logged.
audit trail: The event and error messages that are
saved in the event log file, as defined by the audit policy.
auditing: The process by which Advanced Server records
an entry in the event log file whenever a user accesses a resource in a
certain way or logs on to the network.
authentication: Validation of a user's logon
information. See also external
authentication, pass-through authentication.
backup domain controller (BDC): In a domain, a server
that keeps and uses a copy of the security accounts database to
validate logon requests and that can take over the function of the
primary domain controller if the primary domain controller fails.
Contrast with member server, primary
batch command file: A file that contains one or more
commands to be processed sequentially. When a user types the file name
at the command prompt, the commands contained in the file are executed.
BIND: Berkeley Internet Name Domain. The
implementation of a DNS server developed and distributed by the
University of California at Berkeley. Host name and address lookup
service for the Internet; implemented in a client/server model.
boot (or bootstrap): To run or initiate a program that
loads the operating system into memory and starts or restarts the
broadcast message: A message sent to client
workstations on the network. Users cannot respond to this type of
browse: To look through lists of servers and
workstations in a domain.
built-in groups: The default groups provided with the
Advanced Server. They each have established rights and abilities. These
groups cannot be deleted. See also group.
C$: The administrative resource that represents a
server's disk drive. The Advanced Server points C$ to
cache memory: High-speed memory that contains copies
of data recently used, or likely to be used again, by the processor.
Cache memory avoids frequent disk input/output, thus providing faster
check box: In a dialog box, an indicator that a user
can select or clear to turn one or more options on or off. Used, for
example, in the Configuration Manager to select transports.
Contrast with radio button.
client: A personal computer or workstation, connected
to the network, that can access resources on a server. Contrast
Client License Requester: A client-based PATHWORKS
utility that is responsible for requesting client-based licenses for
clients so that they can access resources on the server.
Client License Transponder: A client-based
PATHWORKS utility that responds to license authentication requests.
client-based license: A license that is assigned on a
per-workstation basis and allows a client to access multiple file
servers. Contrast with server-based license.
cluster alias: The OpenVMS Cluster alias acts as a single network node identifier for an OpenVMS Cluster system. The cluster alias makes all the OpenVMS Cluster nodes appear to be one node from the point of view of the rest of the network. Remote applications in DECnet or TCP/IP networks, for example, can use the alias to access services provided by the cluster. Access is ensured if at least one OpenVMS Cluster member is available to process the service request.
The Advanced Server cluster alias is the single identifier that all
Advanced Servers in the cluster share (in addition to each server's
individual server name). This alias lets remote nodes (including
clients) treat the entire cluster as though it were a single server.
The Advanced Server cluster alias is transport independent; the OpenVMS
Cluster alias is unique to either TCP/IP or DECnet. The Advanced Server
cluster alias is shared only by those members that are running the
Advanced Server; the OpenVMS Cluster alias is shared by all the members
of the cluster.
code page: An ordered set of 256 characters developed to expand beyond the limitations of the ASCII (American Standard Code for Information Interchange) character set. Language-specific code pages were developed because the sum of characters used in languages internationally far exceeds 255. All the language-specific code pages overlay the same set of 8-bit values. For example, a specific 8-bit value in a code page used for the English language can be used for another character used for the Cyrillic language. An application has to be set to interpret the codes in the context of the selected code page.
Each 8-bit index value or code position in a code page is called a code
point or code value. Most code pages, including those of the
Advanced Server, map values 0 to 128 to the ASCII character set.
computer name: A unique name that identifies a server,
personal computer, or workstation to the network.
configuration: The set of hardware, hardware options,
software, and software options on a computer or network.
Configuration Manager: An Advanced Server tool for
modifying server configuration parameters.
connection: The software link between a workstation
and a shared resource on a server. A connection is made by assigning a
local device name on the workstation to a shared resource on a server,
or by accessing the resource through a network path name with a command
or from an application. Contrast with session.
country code: A code in a user account that specifies
the language in which the server sends messages to the user.
DECnet-Plus: The HP family of peer-to-peer,
Ethernet-based network products.
default: The value assigned by a program if a value is
not supplied by the user.
default permissions: The permissions assigned to a
share if no permissions are specified.
destination directory: The directory to which one or
more files are to be moved or copied. Contrast with
device driver: A program that enables a specific
device, such as a printer, to communicate with the operating system.
device name: The name by which a computer identifies a
printer, disk, or other device.
dialog box: A window displayed in response to user
action that allows users to enter information and presents choices for
directory: Part of a structure for organizing files on
a disk. A directory can contain files and other directories (called
subdirectories). See also directory tree.
directory access permissions: The type of access that
a group or user is granted to a particular directory, such as
read-only. See also share permissions and
special access permissions.
directory replication: The copying of a master set of
directories from a server (called an export server) to specified
servers or workstations (called import computers) in the same or other
domains. See also domain synchronization.
Directory Replicator service: Replicates directories,
and the files in those directories, between computers.
directory share: See shared
directory tree: A conceptual representation of a
disk's directory structure. The directories on the disk are organized
in a hierarchy. The top-level directory is the root directory. See
disabled user account: A user account that does not
permit logons. The account can be restored to enabled status at any
time. See also user account.
disk resource: A disk device that can be shared.
distributed computing: An application design and
implementation strategy that divides the user interface, processing,
and database storage components of an application into units that can
execute on multiple networked computer systems.
DNS: Domain Name System. A distributed database system
that allows TCP/IP applications to resolve a host name into a correct
IP address. The Advanced Server for OpenVMS can be configured as a DNS client to use
a DNS server for NetBIOS name resolution in a wide area network. The
Advanced Server can use DNS for OpenVMS Cluster load balancing in a WAN
domain: A collection of computers that share a common
security database and policy. Each domain has a unique name. A network
can have many domains. See also workgroup and
domain database: See security
domain synchronization: The replication of one or more
elements of the domain databases (security databases), from the primary
domain controller to one or more backup domain controllers in the
domain. Domain synchronization is usually performed automatically by
the system, but can also be invoked manually by an administrator.
See also full synchronization and
downlevel: A term that refers to earlier network
operating systems, such as LAN Manager, that can interoperate with the
driver: See device driver.
dynamic data exchange (DDE): A form of interprocess
communications (IPC) in which two or more programs that support dynamic
data exchange can exchange information and commands.
edit box: In a dialog box, a field for entering
information. Used, for example, in the Upgrade utility to enter the
encapsulated PostScript (EPS): A file format optimized
for moving PostScript files between applications.
equivalence-name: The node name portion of a file
error alert: A message from the Advanced Server about
local area network or system errors. Error alerts are stored in the
Ethernet address: An alphanumeric string, six bytes in
length, that identifies a node on the Ethernet. The string is six pairs
of hexadecimal digits, separated by hyphens (for example,
event: Any significant occurrence in the system or in
an application that requires users, operators, or administrators to be
notified, or an entry to be added to a log.
EventLog service: The Advanced Server service that
records events in the system, security, and application event log files.
export path: In directory replication, a path from
which subdirectories, and the files in those subdirectories, are
automatically copied from an export server. See also
export server: In directory replication, a server from
which a master set of directories is copied to specified servers or
workstations (called import computers) in the same or other domains.
See also directory replication.
extended character sets: Character sets that define
16-bit character mappings for values 0 to 255, and so are much more
extensive than, for example, the conventional 7-bit ASCII set, which
maps characters to values 0 to 127, and is limited to the standard
characters of the English and Western European languages. Extended
character sets can be used to encode more characters to support a wider
variety of languages. The Advanced Server for OpenVMS can be configured to support
one of several ISO-8859 character sets. The PATHWORKS for OpenVMS (Advanced Server) only supports
ISO-8859-1 (ISO Latin-1). See also Unicode.
Extended File Specifications: On OpenVMS Alpha
systems, provides deep directories and extended file names support.
Deep directories support allows network clients to use a hierarchical
arrangement of directories and files on the OpenVMS disk similar to the
client-based disk. Extended file names support uses the On-Disk
Structure (ODS-5), extending OpenVMS file name restrictions to support
longer file names and adding extended character set characters to the
supported character set. See also ODS-5.
external authentication: Allows users to log on to the
OpenVMS operating system using their Advanced Server user names and
passwords. This feature is useful to OpenVMS system managers who want
to provide users with a single username and password combination for
both OpenVMS login and Advanced Server network logon. See also
FAT: File allocation table. File system structure used
by the MS-DOS operating system.
file extension: Any characters that follow a period at
the end of a file name. A file extension usually identifies the file's
File Index Table (FIT): A file name lookup table (with
the .FIT extension) that consists of file translation pairs. FIT files
map path names entered on a client workstation to the actual files on