|
|||
Differences Between NT Server and Workstation Are Minimalby Andrew Schulman09/16/1996
Much of the research discussed in this article was done by NT Internals expert Dr. Mark Russinovich, a Consulting Associate for Open System Resources, Inc. Russinovich is coauthor of numerous NT systems utilities, such as the NT registry monitor, the NT file monitor, and the NTFS file system for DOS. OSR specializes in file system, device driver, and data communications consulting, training, and development for Windows NT and other platforms. Neither Dr. Russinovich nor OSR are responsible for the conclusions drawn in this article. This article has been written to describe and explain the differences between Microsoft's Windows NT Server and NT Workstation products, not for the purpose of encouraging readers to defeat Microsoft's licensing restrictions. The author and O'Reilly & Associates recommend that readers carefully review the terms of Microsoft's NT license agreement and comply in all respects therewith. Microsoft recently introduced version 4.0 of NT Workstation (NTW) and NT Server (NTS), and claims that there are substantial technical differences between the Workstation and Server products. Microsoft uses this claim to justify an $800 price difference between NTW and NTS, as well as legal limits on web server usage in NTW, both of which have enormous impact on existing NTW users. But what if the supposed technical differences at the heart of NTW and NTS are mythical? We have found that NTS and NTW have identical kernels; in fact, NT is a single operating system with two modes. Only two registry settings are needed to switch between these two modes in NT 4.0, and only one setting in NT 3.51. This is extremely significant, and calls into question the related legal limitations and costly upgrades that currently face NTW users.
Introduction IntroductionIn the course of the ongoing controversy over its restriction of only ten web connections in NT Workstation 4.0, Microsoft representatives have asserted that there are substantial technical differences between NT Server and NT Workstation. From this, Microsoft draws these conclusions:
For example, Microsoft spokesman Mark Murray was quoted by Reuters:
And, according to InfoWorld columnist Nicholas Petreley ("When it comes to judging Microsoft products, the devil is in the details," InfoWorld, September 16):
In fact, the recent fight between Microsoft and Netscape, including Netscape's open letter to U.S. Department of Justice's Antitrust Division, was touched off by this very issue: Microsoft asserted that NTW should not (and, by license, apparently cannot) be used to run serious web servers, because that's what NTS (which, conveniently, comes as part of a package with Microsoft's own IIS) is for. Microsoft sent email to Netscape, complaining about a price comparison chart at Netscape's web site. According to Microsoft's letter (July 30):
So Microsoft has a lot invested in the widespread public perception of crucial differences between NTS and NTW. As Microsoft Executive VP Steve Ballmer told PC Week:
At the same time, even Microsoft's own document on Differences Between Windows NT Workstation 4.0 and Windows NT Server 4.0 (Microsoft Windows NT 4.0 Market Bulletin, Summer 1996) admits that the two products share "the same kernel architecture." This raises the question of exactly how NTS and NTW really differ. Microsoft's document goes on to say its NT strategy is "optimizing, pricing, and licensing the products for two specific segments":
So we know that the licensing, pricing, and bundling of NTS and NTW are different. But what does Microsoft mean by optimizing? What sort of technical difference are we talking about here? How specifically does the operating system itself differ between NTS and NTW? For the vast majority of those interested in using NT as a web server, there is no functional difference. NTW, like Win95, will work just fine for the vast majority of web sites:
Netscape estimates that 70% of its server customers using NT are in fact using NT Workstation rather than NT Server. Microsoft is claiming that most of these Netscape customers are in violation of the NTW license agreement! For web publishers to stay within the law, presumably they are supposed to get NTS with IIS. So much for using NT as a web server. More generally, when you strip away differences in pricing, licensing, and extra bundled software like IIS, what are the real technical differences between NTS and NTW? Identical KernelsIt turns out that NTS and NTW not only share "the same kernel architecture" (as Microsoft puts it), but in fact have identical kernels: in NT 4.0, the exact same file, NTOSKRNL.EXE, is used for both the Server and Workstation products. Likewise in NT 3.51. Not only are the NTS and NTW kernels identical, but in both NT 3.51 and 4.0, whenever a binary file (EXE, DLL, device driver, etc.) is provided with Workstation, the identical file is provided with Server. This includes such core files as NTLDR, NTOSKRNL.EXE, HAL.DLL, KERNEL32.DLL, NTDLL.DLL, SRV.SYS, TCPIP.SYS, WINSOCK.DLL, NTLANMAN.DLL, RASAUTH.DLL, NTFS.SYS, and so on. This was determined by looking not only at filenames, date/timestamps, and filesizes, but by doing a full binary comparison. NTS and NTW are merely two options for running the exact same, byte-for-byte identical operating system. The setup/installation files (TXTSETUP.SIF, INF files, etc.) differ from Workstation to Server, and Server comes with about 100 files that are not provided with Workstation. These additional files include DHCP*.*, LICCPA.*, LLS*.*, NCADMIN.*, RPC*.*, SFM*.*, SRVMGR.*, USRMGR.*, and WINS*.*, corresponding to the extras bundled with Server such as DHCP and WINS. To us, having some additional programs bundled with NTS no more gives it a "very different function" from NTW, than the combination of Windows 95 and "Windows Plus!" has a very different function from plain Windows 95. All of Microsoft's technical descriptions suggest that NTS is supposed to be something more than NTW with some bundled add-ins. It is doubtful that customers would feel good about paying approximately $800 for what is essentially an "NT Plus!" add-in package -- especially when Microsoft advertises that add-ins such as IIS come for "free." If the only technical difference between NTS and NTW were precisely these add-ins, then one could hardly call them free. Given that NTS for 10 "clients" (however Microsoft chooses to define that) costs $1080, while NTW costs $260, we figure that Microsoft would actually be charging over $800 for what is effectively "NT Plus!" So, with identical kernels, how does NT distinguish these ostensibly "very different products intended for two very different functions"? According to a course on NT internals at WinDev East '96 given by David Solomon, a single
function in
NTOSKRNL.EXE called Starting with an examination of this function, Mark Russinovich found something quite remarkable: the value that MmIsThisAnNtAsSystem() returns (Workstation vs. Server) comes directly out of the registry. In 3.51, a single registry setting is used to differentiate between NTW and NTS. In 4.0, there are two registry settings, and some code intended to prevent the user from changing them. That's it. By way of comparison, there is significantly less technical difference between NT Server and Workstation than there was between Win 3.1 Enhanced and Standard modes. Those were radically different pieces of software, bundled together for one remarkably low price. In contrast, Windows NT seems to be one piece of software, artifically differentiated into two products with wildly different prices. NT is one product, with two options: server and workstation. The Server option comes with a package of add-ins and with a license for more users. But what of Microsoft's "optimizations"? Microsoft makes great claims for how its tuning differentiates server and workstation machines. It's clear that this tuning is not particularly useful for the vast majority of web publishers (just as Microsoft's NTW license seems irrelevant to those running web servers instead of LAN servers). It's even been reported some of these "optimizations" can actually hurt when a web site is running lots of CGI programs, as opposed to delivering static web pages. Microsoft has optimized NTS for LAN servers. But since NTS and NTW use the same kernel, this optimization is based on nothing more than checking the registry settings. MmIsThisAnNtAsSystem() checks a global variable based on the registry settings, and various parts of the kernel in turn call MMIsThisAnNtAsSystem(), and behave slightly differently depending on this return value. For instance, in Process Manager initialization, the return value affects the foreground process quantum. Likewise, the value of most Memory Manager global variables are doubled if the registry indicates that NTS mode is being used. One important caveat: You can only configure a server as a domain controller at setup time. We currently know of no way to take a machine that isn't already a domain controller and make it one without reinstalling NTS. Actually, this appears to be a limitation (or perhaps a security feature) in NT itself. According to one recently posted Usenet message:
Incidentally, Mark Russinovich has also found that the Peer Web Services (PWS) shipped with NTW is absolutely identical with IIS shipped with NTS. If PWS is installed on an NTS system, it comes up as IIS. If IIS is installed on an NTW system, it comes up as PWB. How does this single piece of software determine which role it's supposed to play? Using his NTWatch program, Russinovich found that when installing INETSRV in workstation mode and then in server mode, INETSTP and INETINFO check the registry settings. Microsoft's Reponse: "700 Differences"?Responding to an earlier edition of this article, Jonathan Roberts, a division marketing manager at Microsoft, was quoted in PC WeekOnline ("Microsoft: 'significant differences' between NTS, NTW", Norvin Leach, September 10):
So Microsoft has now acknowleged that NTS and NTW have identical kernels. This of course contradicts previous Microsoft assertions. But what about those 48 cascading down to 700 changes? While the number 700 (or even 48) sounds impressive, all it seems to signify are the types of configuration switches already noted above, such as changes in the size of memory-management global variables depending on whether server or workstation mode has been chosen. These are the sort of changes that users have traditionally made in files such as CONFIG.SYS or SYSTEM.INI. While it's nice to have the operating system package many numeric settings together in a single name-based setting ("Winnt" vs. "Servernt"), this hardly seems to qualify as "significant differences," any more than it would if Microsoft had perhaps had the chutzpah to ship different versions of MS-DOS, at different price points, based on different FILES=, LASTDRIVE=, and BUFFERS= settings in CONFIG.SYS. The number 700 is a recurrent theme in Microsoft's discussions of this issue. For example, here's Alec Saunders, a Microsoft product manager (quoted in Marcia Jacobs, "How Different Are NT Workstation And NT Server?," CommunicationsWeek, September 11):
It's difficult to tell exactly what Alec Saunders is trying to say here, but at any rate -- aside from the reappearance of the magic number 700 -- it is a different explanation from the one just quoted by Jon Roberts. Saunders seems to be saying that NT goes into either NTW or NTS mode, depending on the type of underlying hardware. But that doesn't make any sense. On the other hand, one reader has made what sounds like a similar claim: that "the Current Hardware profiles are what cause [NTLDR] to load up server." This would seem to imply that, if you have a system with maybe four Pentium Pros, you automagically get NTS rather than NTW. But surely Microsoft isn't claiming that, are they? Yet another Microsoft response comes to us from Mark Hassall, NT Server manager at Microsoft UK (quoted in PC Daily News, September 11):
We're not sure where Hassall got the idea that this article was suggesting that individuals go and change their registry settings. All versions of this article have been absolutely clear that we want Microsoft to change its marketing and licensing of NT, not for individuals to sidestep the Microsoft license agreement. We have deliberately refrained from giving instructions for changing NTW 4.0 into NTS 4.0. At any rate, notice again the numbers 48 and 700 -- except this time, the Microsoft spokesman appears to think that O'Reilly has recommended that customers make 48 changes (!), but that this meanwhile would miss an additional 700 that NT supposedly makes. In short, Microsoft seems clear only about the magic numbers 48 and 700. What the numbers mean, though, seems to be improvised on the spot in whatever way seems most expedient to the Microsoft spokesman on the spot. The most imaginative Microsoft response was quoted in ZD Net AnchorDesk (September 11), with an equally clever comeback:
Having said that these differences between NTS and NTW kernels are basically controlled by simple registry settings -- and Microsoft having now acknowledged this bit of cross-dressing -- let's now look briefly at these $800 registry settings: NT 3.51: ProductType registry settingIn version 3.51, NTS and NTW are distinguished with the following registry setting (see below for NT 4.0): HKEY_LOCAL_MACHINE\System\CurrentControlSet\ControlProductOptions\ProductTy pe This is a string value that is interpreted as follows (NTOSKRNL.EXE itself only cares about the "WinNT" string, but other programs check for the "ServerNT" and "LanmanNT" strings): ValueInterpretation "WinNT"NT Workstation "ServerNT"NT Server "LanmanNT"NT Advanced Server? Click here to examine this setting on a machine running WebSite (and a Win-CGI based registry browser). This setting is described in a new book published by O'Reilly, Inside the Windows 95 Registry, by Ron Petrusha. The book covers the NT registry as well as the Win95 registry (the NT "Product Type" setting is described on p. 525). Microsoft actually describes this registry setting in an article on its web site, Determining the Product Option of a Windows NT Setup. The "product option" wording is curious, given the effort Microsoft makes elsewhere to have NTW and NTS appear to be significantly different systems. Interestingly, Microsoft's document warns: "Do NOT change the ProductType [registry setting] under any circumstances. Changes to the ProductType can result in the failure of the Windows NT operating system." What Mark Russinovich found, however, is that in NT 3.51 this "Product Type" setting can be changed by any end-user, using the Registry Editor supplied by Microsoft (REGEDT32.EXE). The system does nothing to prevent changing the value from "WinNt" to
"ServerNt". After rebooting for the new "ServerNt" setting to take
effect, the system function as NTS. The This technique seems to have been known to others previously. An AltaVista search for "ServerNt" on the web or Usenet turned up several documents describing how to run IIS on top of NTW 3.51, one of which noted that:
Indeed, changing this registry setting turns an NTW 3.51 machine into an NTS 3.51 machine -- albeit without Microsoft's license to use NTS, and without the additional programs bundled with NTS. As noted above, some of these applications are available from third parties. So the real difference is Microsoft's license, which prevents the cheaper NTW product from being used as a serious web server, and which attempts to force web publishers into using the more expensive NTS/IIS "solution." NT 4.0: ProductType and SystemPrefix registry settingsSome Microsoft employees have privately admitted that the differences between NTS and NTW 3.51 were minimal. However, they have gone on to claim that now everything is different in version 4.0. We've already established that in fact NTS 4.0 and NTW 4.0 have exactly the same kernel, and in fact exactly the same of everything but the costly extras bundled in with NTS.
But what of the magical 3.51 "ProductType" registry setting? It's still there, and it still plays the same role in 4.0 that it did in 3.51 in distinguishing between the Server and Workstation modes (see table above). Microsoft has merely added an additional registry setting, and made some effort to prevent the user from changing these settings. The extra setting is: HKEY_LOCAL_MACHINE\System\Setup\SystemPrefixThe SystemPrefix value is a binary value which the kernel treats as two DWORDs, of which the only important piece of information seems to be the bit represented by the mask 0x04000000 in the high-order DWORD. If ProductType is "ServerNT" or "LanmanNT", then this bit must be set. If ProductType is "WinNT" then the bit must be off (any inconsistency results in a blue-screen error at system boot).
The system spawns two worker threads that watch for, and override, changes to the two registry keys. If an attempt is made to change ProductType, the threads changes the settings back (really! you can see this happen if you manually refresh in REGEDT32) and pops up the following warning box:
Eamonn Sullivan of PC Week has confirmed that, when an NTW machine is tweaked via the registry into an NTS machine, web performance "tests on this "altered" Workstation were identical (within the margin of error) to Server." (See PC Week article, "Simple way found to turn NT Workstation into Server.") If an attempt is made to install Microsoft's BackOffice suite on a workstation-mode NT system, the BackOffice setup program will prevent installation of the BackOffice programs and indicate that NT Server must be installed first. If the system type is then changed to server in the registry as described above and another attempt is made to install BackOffice, then the installation of the suite programs is possible. Curiously, if you then change the system back to NTW mode, BackOffice continues to run fine -- so it is only the setup/install program that cares. To give an idea for what non-kernel processes depend upon the ProductType and SystemPrefix settings, Mark Russinovich has written a utility, NTWatch, which intercepts non-kernel accesses to these settings and displays them in a window. For example, the following screen shot shows NTWatch running on an NTW 3.51 system; at line 19, Microsoft's registry editor (RegEdt32) has been used to change the ProductType setting from "Winnt" to "Servernt". The NET ACCOUNTS command (NET1.EXE) was then run; of course, it now reported "Computer Role: SERVER". Unfortunately, NTWatch can't hook the MmIsThisAnNtAsSystem call; its output only shows direct access to the registry settings.Click here to download NTWATCH.ZIP. Instructions for installation and deinstallation are included inside the zip file.
For a more general-purpose NT registry monitor, see NTRegMon.
An attorney for Microsoft, David Heiner, was quoted by the San Francisco Examiner (August 29): This is correct. But does Microsoft have "every right to put conditions" on the use of standards such as TCP/IP, HTTP, and WinSock? Leaving that question aside, it's certainly true that there would be nothing wrong if Microsoft would just come out and say that NTS and NTW are technically identical, but that NTS comes with a license for more LAN clients, an apparent license for more web surfers, and an "NT Plus!" package of add-ins. Microsoft might have trouble selling such an honestly-described version of NTS, but they could at least tell whether the market really thinks the license to host a web server is worth $800. But as long as Microsoft claims that NTS is very different from NTW in anything other than licensing, pricing, and bundling, customers will have difficulty making informed choices. And as long as Microsoft attempts to claim that NTW isn't suitable for running competitors' web servers -- and attempts to use registry settings and license agreements to discourage the use of third-party web servers on NT -- the NTS/NTW price difference can be viewed as little more than a "web tax." As noted earlier, InfoWorld says that "the whole idea of having price points for different numbers of Web hits (clients) is patently absurd." From Microsoft's view, however, perhaps it's not so absurd. It has often been noted that Microsoft wants to be "the toll-collector on the information superhighway." Such tired metaphors aside, it is clear that Bill Gates looks at businesses such as his friend Paul Allen's Ticketmaster, and wants a piece of the per-transaction action. The Microsoft Network (MSN) was a failed attempt to collect this toll/tax. Pricing NT based on the number of web users looks like another such attempt.
NOTE: *The purpose of this article is to point out the minimal differences between NTS and NTW, and to get Microsoft to change its licensing and/or marketing of NT. The purpose is not to have individual users change the registry and therefore bypass their Microsoft license agreement. We want Microsoft, not you, to make this change. At the same time, we've received requests for further information on making this change in NT 4.0 (it is, as shown earlier, trivial in 3.51). Mark Russinovich has written a utility, NTTune, which can make the workstation-to-server registry change in 4.0. We are quite deliberately not making this available, however. We used NTTune to verify our tests, and made NTTune available to some members of the press so they could independently test our claims. That's it. NTTune uses a technique developed by Mark Russinovich and Bryce Cogswell called "system call hooking." This technique is also used in their NT registry monitor, NTRegMon. Russinovich and Cogswell will be describing System Call Hooking in a forthcoming article in Dr. Dobb's Journal. (Back to text) |
|||
|