This chapter describes the way Advanced Server participates in a domain and provides the concepts and procedures you use to manage servers and domains from Advanced Server.
A domain is a set of computers that share a common Security Accounts Management (SAM) database. When you manage a domain and its services, you control its system entities and resources, and you can display information about its resources, such as its computers, connections, user sessions, shares, and services.
The Advanced Server can have one of two roles in a domain: primary domain controller or backup domain controller. Advanced Server cannot be configured to take standalone or member server roles.
The NetLogon service ensures that each backup domain controller's copy of the domain-wide user accounts database is identical to the master copy kept on the primary domain controller. At regular intervals, any changes made to the master copy of the user accounts database on the primary domain controller are replicated to all backup domain controllers, as described in Section 2.1.4, Synchronizing SAM Databases on Domain Controllers. However, the Advanced Server does not replicate user files and directories.
If the primary domain controller fails or is stopped, you cannot make changes to the domain's user accounts database, but logon validation continues as long as one or more backup domain controllers are running the NetLogon service. Because primary and backup domain controllers keep their own copies of the database, and because the primary domain controller and all backup domain controllers can validate logon requests, there is no single point of failure in the domain. However, if the primary domain controller is unavailable for an extended period, you should promote a backup domain controller to assume the primary domain controller role, so that changes can be made to user accounts.
Each domain in a network is identified internally by a security identifier (SID), a unique number associated with the domain. When a primary domain controller is installed and started, a unique SID is assigned. Therefore, if you have an existing domain, and you want to add a new server to the domain as the primary domain controller, you must install the new server as a backup domain controller first, then change the server's role. For information about changing the server's role, see Section 2.1.3, Changing a Server's Role in a Domain.
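The domain SID is the prefix shared by every account SID in the domain, which is why a new server has to inherit it by replication as a backup domain controller rather than mint a fresh one as a newly installed primary. The following Python is an added example, not code from the Advanced Server manual or software. It assumes the Windows NT SID layout (S-1-<authority>-<sub-authorities>, with a domain SID of the form S-1-5-21-a-b-c followed by one relative identifier, or RID, per account), which Advanced Server is assumed to use for Windows NT domain compatibility; the DOMAIN_SID value is constructed, and RID 500 is the NT Administrator account.

```python
"""Windows NT-style SID handling: binary layout, domain prefix and RID.

Added example; not from the Advanced Server documentation. Assumes the
NT SID layout: revision byte, sub-authority count byte, 48-bit big-endian
identifier authority, then 32-bit little-endian sub-authorities.
"""
import struct

# Constructed sample domain SID (not a real domain) and the Administrator
# account in it (RID 500 is NT's well-known Administrator RID).
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
ADMINISTRATOR_SID = DOMAIN_SID + "-500"


def sid_from_bytes(blob: bytes) -> str:
    """Decode a binary SID into its S-1-... text form."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(blob) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "-".join(["S", "1", str(authority)] + [str(s) for s in subs])


def sid_to_bytes(sid: str) -> bytes:
    """Encode a textual SID back into the binary layout."""
    parts = sid.upper().split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("malformed SID %r" % sid)
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if authority >= 1 << 48 or len(subs) > 15 or any(s >= 1 << 32 for s in subs):
        raise ValueError("SID field out of range")
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_domain_rid(sid: str) -> tuple:
    """Split an account SID into (domain SID, RID): the RID is the last sub-authority."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def same_domain(sid_a: str, sid_b: str) -> bool:
    """True if both accounts carry the same domain SID prefix.

    A server installed as a new primary domain controller would mint a
    different prefix, so accounts of the existing domain would not be its.
    """
    return split_domain_rid(sid_a)[0] == split_domain_rid(sid_b)[0]


if __name__ == "__main__":
    print(ADMINISTRATOR_SID, "->", sid_to_bytes(ADMINISTRATOR_SID).hex())
    print("domain, rid:", split_domain_rid(ADMINISTRATOR_SID))
```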
2.1.1 Displaying the Current Domain
When you use the ADMINISTER command line interface, the command prompt provides the name of your domain.
To display the current domain and server:
Execute the ADMINISTER command. For example:
$ ADMINISTER
LANDOFOZ\\TINMAN>
The domain name and server name are in the command prompt. In this example, the domain name is LANDOFOZ and the server name is TINMAN.
Use the SHOW ADMINISTRATION command to display information about the current domain and your logged-on user account. For example:
LANDOFOZ\\TINMAN> SHOW ADMINISTRATION
Administration information:
  The domain being administered is: LANDOFOZ
  The domain controller for the domain is: TINMAN
  The domain controller type is: Advanced Server 3.51 for OpenVMS
  The server being administered is TINMAN
  The server type is: Advanced Server 3.51 for OpenVMS
  The user name is: ADMINISTRATOR
  The user is logged on to domain LANDOFOZ and has been authenticated.
  The user's privilege level on this domain is: ADMIN
  The user's workstation is TINMAN and is in domain LANDOFOZ.
LANDOFOZ\\TINMAN>
You can administer another domain in either of the following ways: switch the administration context with the SET ADMINISTRATION/DOMAIN command, or log on to the other domain with the LOGON command and its /DOMAIN qualifier. For example, to switch to domain RUBYPALACE and display its trusts:
LANDOFOZ\\TINMAN> SET ADMINISTRATION/DOMAIN=RUBYPALACE
%PWRK-S-ADMSET, now administering domain "RUBYPALACE", server "QUEEN"
RUBYPALACE\\QUEEN> SHOW TRUSTS
There are currently no domains trusted by domain RUBYPALACE.
Domains permitted to trust domain RUBYPALACE:
    LANDOFOZ
$ ADMINISTER
LANDOFOZ\\TINMAN> LOGON ADMINISTRATOR/DOMAIN=RUBYPALACE
Password:
The server \\QUEEN successfully logged you on as Administrator.
Your privilege level on domain RUBYPALACE is ADMIN.
The last time you logged on was 08/09/98 07:44 AM.
RUBYPALACE\\QUEEN>
To return to the original domain, log off from the other domain and log on to the original domain again:
RUBYPALACE\\QUEEN> LOGOFF
ADMINISTRATOR was logged off successfully.
LANDOFOZ\\TINMAN> LOGON ADMINISTRATOR
Password:
The server \\TINMAN successfully logged you on as Administrator.
Your privilege level on domain LANDOFOZ is ADMIN.
The last time you logged on was 08/09/98 07:16 AM.
For information about the requirements for administrative functions, refer to the Advanced Server for OpenVMS Commands Reference Manual.
2.1.3 Changing a Server's Role in a Domain
The first server to be configured in a domain is always the primary domain controller. The primary domain controller role is established during initial installation and configuration of the server. After that, you can change the role of the server using the SET COMPUTER/ROLE command.
You change the role of the primary domain controller by promoting a backup domain controller. For example, if the primary domain controller needs to be taken off line for maintenance, you can promote a backup domain controller to be the primary domain controller. When you promote a backup domain controller, the role of the original primary domain controller is automatically changed to backup domain controller.
In this case, when the original primary domain controller comes back on line, it has the role of backup domain controller. You can then promote it to primary domain controller, if necessary.
If the primary domain controller fails unexpectedly, the domain continues to provide logon validation as long as the NetLogon service is running on a backup domain controller. However, changes to the SAM database require a primary domain controller, so if you expect the primary domain controller to be unavailable for more than a short time, promote a backup domain controller. A primary domain controller that comes back on line after an unscheduled interruption still assumes that it holds the primary role. If you promoted a backup domain controller in its absence, the NetLogon service is not started on the returning server, and the following Alert message is generated and recorded in the System event log:
A primary domain controller is running in the domain
In this case, you must explicitly change the server's role to backup domain controller using the SET COMPUTER/ROLE command. It may take a few minutes to complete a server role change in a domain.
While server roles are changing, you cannot make changes to the user accounts database; logon validation remains available during the role change if there is another backup domain controller running the NetLogon service. Refer to Section 2.3.3, Managing Services, for more information about the NetLogon service.
To change the role of a server in a domain, log on to the domain with an account that has ADMIN privilege, display the current roles with the SHOW COMPUTERS command, and then enter SET COMPUTER server-name/ROLE=PRIMARY_DOMAIN_CONTROLLER for the backup domain controller you want to promote. Confirm the prompt, and use SHOW COMPUTERS again to verify that the roles have been exchanged. For example:
$ ADMINISTER
LANDOFOZ\\TINMAN> LOGON ADMINISTRATOR
Password:
The server \\TINMAN successfully logged you on as Administrator.
Your privilege level on domain LANDOFOZ is ADMIN.
The last time you logged on was 8/11/98 2:57 PM.
LANDOFOZ\\TINMAN> SHOW COMPUTERS
Computers in domain "LANDOFOZ":
Computer         Type                   Description
-----------------------------------------------------------------------
[PD] TINMAN      OpenVMS 3.51 Primary   Advanced Server V7.2 for OpenVMS
[BD] WOODMAN     OpenVMS 3.51 Backup    Advanced Server V7.2 for OpenVMS
Total of 2 computers
LANDOFOZ\\TINMAN> SET COMPUTER WOODMAN/ROLE=PRIMARY_DOMAIN_CONTROLLER
Promoting "WOODMAN" to a Primary Domain Controller may take a few minutes.
Do you want to continue with the promotion [YES or NO] (YES) : YES
%PWRK-I-ROLESYNC, synchronizing "WOODMAN" with its primary
%PWRK-I-ROLENLSTOP, stopping the Net Logon service on "WOODMAN"
%PWRK-I-ROLENLSTOP, stopping the Net Logon service on "TINMAN"
%PWRK-I-ROLECHANGE, changing "TINMAN"'s role to Backup Domain Controller
%PWRK-I-ROLECHANGE, changing "WOODMAN"'s role to Primary Domain Controller
%PWRK-I-ROLENLSTART, starting the Net Logon service on "WOODMAN"
%PWRK-I-ROLENLSTART, starting the Net Logon service on "TINMAN"
%PWRK-I-ROLECHANGED, the computers role was successfully changed
LANDOFOZ\\TINMAN> SHOW COMPUTERS
Computers in domain "LANDOFOZ":
Computer         Type                   Description
-----------------------------------------------------------------------
[BD] TINMAN      OpenVMS 3.51 Backup    Advanced Server V7.2 for OpenVMS
[PD] WOODMAN     OpenVMS 3.51 Primary   Advanced Server V7.2 for OpenVMS
Total of 2 computers
LANDOFOZ\\TINMAN>
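A practitioner promoting a controller wants a repeatable check that the role change took effect and that the domain never ends up with two servers reporting the primary role, the condition behind the Alert described above. The following Python is an added example, not part of the Advanced Server documentation or software. It parses the SHOW COMPUTERS listing format shown in this chapter (the BEFORE and AFTER listings embedded in it are constructed from that format) and assumes only that each entry begins with a bracketed role code such as [PD], [BD] or [ws] followed by the computer name.

```python
"""Parse SHOW COMPUTERS listings and verify a domain controller role change.

Added example; not from the Advanced Server documentation or software.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample listings in the SHOW COMPUTERS format used in this
# chapter, as captured before and after promoting WOODMAN.
BEFORE = """\
Computers in domain "LANDOFOZ":
Computer         Type                   Description
-----------------------------------------------------------------------
[PD] TINMAN      OpenVMS 3.51 Primary   Advanced Server V7.2 for OpenVMS
[BD] WOODMAN     OpenVMS 3.51 Backup    Advanced Server V7.2 for OpenVMS
Total of 2 computers
"""

AFTER = """\
Computers in domain "LANDOFOZ":
Computer         Type                   Description
-----------------------------------------------------------------------
[BD] TINMAN      OpenVMS 3.51 Backup    Advanced Server V7.2 for OpenVMS
[PD] WOODMAN     OpenVMS 3.51 Primary   Advanced Server V7.2 for OpenVMS
[ws] GREENGIRL   Windows NT Workstation
Total of 3 computers
"""

# Each computer entry: "[<role>] <name> ..." ; header and total lines do not match.
ENTRY = re.compile(r"^\[(?P<role>[A-Za-z]{2})\]\s+(?P<name>\S+)")


def parse_show_computers(listing: str) -> Dict[str, str]:
    """Map computer name -> role code (PD, BD, ws, ...) from a SHOW COMPUTERS listing."""
    roles = {}
    for line in listing.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            roles[m["name"].upper()] = m["role"]
    return roles


def check_roles(roles: Dict[str, str]) -> List[Tuple[str, str]]:
    """Findings as (code, detail) pairs; an empty list means the roles are healthy."""
    pdcs = sorted(n for n, r in roles.items() if r == "PD")
    bdcs = sorted(n for n, r in roles.items() if r == "BD")
    findings = []
    if not pdcs:
        findings.append(("NO_PDC", "SAM changes are impossible until a BDC is promoted"))
    elif len(pdcs) > 1:
        # A returned PDC alongside the promoted one: demote it with SET COMPUTER/ROLE.
        findings.append(("MULTIPLE_PDC", ", ".join(pdcs)))
    if not bdcs:
        findings.append(("NO_BDC", "logon validation has no fallback if the PDC stops"))
    return findings


def verify_promotion(before: Dict[str, str], after: Dict[str, str], promoted: str) -> bool:
    """True if `promoted` became the only PDC and every former PDC is now a BDC."""
    promoted = promoted.upper()
    if after.get(promoted) != "PD":
        return False
    for name, role in before.items():
        if role == "PD" and name != promoted and after.get(name) != "BD":
            return False
    return check_roles(after) == []


if __name__ == "__main__":
    before, after = parse_show_computers(BEFORE), parse_show_computers(AFTER)
    print("promotion of WOODMAN verified:", verify_promotion(before, after, "WOODMAN"))
    print("findings after promotion:", check_roles(after))
```

Capture the listing into a file with the ADMINISTER command's output, run the parser over the before and after captures, and treat a MULTIPLE_PDC finding as the signal to demote the returned controller.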
For information about changing the server role when Advanced Server is running in an OpenVMS cluster, see Section 2.4, Advanced Server in OpenVMS Clusters.
2.1.4 Synchronizing SAM Databases on Domain Controllers
Normally, domain controllers are automatically synchronized at regular intervals when the backup domain controllers replicate the database from the primary domain controller. In rare cases, you may need to synchronize them manually. For example, you may have just added some new users or groups and you want the backup domain controllers to be able to validate the new user logons now, rather than after the next periodic synchronization. To do this, use the SET COMPUTER/ACCOUNT_SYNCHRONIZE command. You can synchronize all backup domain controllers at once, or synchronize an individual backup domain controller with the primary domain controller.
To synchronize all controllers in a domain:
To synchronize all backup domain controllers with the primary domain controller, enter the SET COMPUTER/ACCOUNT_SYNCHRONIZE command, specifying the primary domain controller.
For example, if the primary domain controller is called TINMAN, the following command synchronizes all backup domain controllers in the domain with TINMAN:
LANDOFOZ\\TINMAN> SET COMPUTER TINMAN/ACCOUNT_SYNCHRONIZE
Resynchronizing "LANDOFOZ" domain may take a few minutes.
Do you want to continue with the synchronization [YES or NO] (YES) : YES
%PWRK-S-ACCSYNCHED, account synchronization was successfully initiated
LANDOFOZ\\TINMAN>
Although the command has completed successfully, the synchronization process takes a few minutes to complete. You can monitor its progress by reviewing the System event log file using the SHOW EVENTS command. If the backup domain controllers are already up-to-date, no event log message is recorded.
To synchronize a specific backup domain controller with the primary domain controller:
Enter the SET COMPUTER/ACCOUNT_SYNCHRONIZE command, specifying the backup domain controller name.
For example, if the backup domain controller is called WOODMAN, the following command synchronizes only the server WOODMAN with the domain's primary domain controller, TINMAN.
LANDOFOZ\\TINMAN> SET COMPUTER WOODMAN/ACCOUNT_SYNCHRONIZE
Resynchronizing "WOODMAN" with its Primary Domain Controller "TINMAN" may take a few minutes.
After the synchronization has completed, you should check the Event Logs on "WOODMAN" and "TINMAN" to determine whether synchronization was successful.
Do you want to continue with the synchronization [YES or NO] (YES) : YES
%PWRK-S-ACCSYNCHED, account synchronization was successful
LANDOFOZ\\TINMAN>
Although the command has completed successfully, the synchronization process takes a few minutes to complete. You can monitor its progress by reviewing the System event log file using the SHOW EVENTS command.
2.1.5 Adding a Computer Account to a Domain
For an Advanced Server or a Windows NT computer to become a domain member, it must be added to the domain's security database. If the computer is a backup domain controller, it receives a copy of the domain's security database.
When a computer is configured to join an existing domain (for example, when you install a Windows NT Server or workstation, or when you run the PWRK$CONFIG.COM command procedure on an Advanced Server), the computer account is added to the domain's security database automatically. This procedure requires that the user name and password of a user account with membership in the Administrators group be supplied.
Alternatively, use the ADD COMPUTER command to add the computer account to the domain's security database in advance. After you add the computer account, the computer joins the domain automatically when it is started, and no password is required when it joins. This creates a window of exposure: until the intended computer joins the domain, any other computer presenting the same name can join the domain under that account. If the intended computer does not join the domain promptly, remove the computer account from the domain's security database using the REMOVE COMPUTER command, as described in Section 2.1.6, Removing a Computer Account from a Domain's Security Database.
To add a computer to a domain, enter the ADD COMPUTER command, specifying the computer name.
For example, the following command adds the computer GREENGIRL as a Windows NT workstation to the domain LANDOFOZ:
LANDOFOZ\\TINMAN> ADD COMPUTER GREENGIRL
%PWRK-S-COMPADD, computer "GREENGIRL" added to domain "LANDOFOZ"
LANDOFOZ\\TINMAN>
The computer is added to the domain's security database. The SHOW COMPUTERS command shows GREENGIRL as a Windows NT workstation. For example:
LANDOFOZ\\TINMAN> SHOW COMPUTERS
Computers in domain "LANDOFOZ":
Computer         Type                   Description
-----------------------------------------------------------------------
[PD] TINMAN      OpenVMS 3.51 Primary   Advanced Server V7.2 for OpenVMS
[ws] GREENGIRL   Windows NT Workstation
2.1.6 Removing a Computer Account from a Domain's Security Database
When you remove a computer account from the domain's security database, the computer can no longer participate in domain security. Removing a computer account is useful, for example, if the computer did not join the domain after its account was added to the domain's security database, so that no other computer can join under that name. You cannot remove a primary domain controller.
To remove a computer from a domain, enter the REMOVE COMPUTER command, specifying the computer name, and confirm the prompt.
For example, the following command removes the computer GREENGIRL from the domain LANDOFOZ:
LANDOFOZ\\TINMAN> REMOVE COMPUTER GREENGIRL
Removing computer "GREENGIRL" from domain "LANDOFOZ" will render it incapable of authenticating domain logons until it is added to another domain.
Do you want to continue with the removal [YES or NO] (YES) : YES
%PWRK-S-COMPREM, computer "GREENGIRL" removed from domain "LANDOFOZ"
LANDOFOZ\\TINMAN>
A trust relationship is a link between two domains, where one domain honors the users of another domain, trusting the other domain to authenticate the logons of its users. When trust relationships are properly established among domains and resource permissions are set properly, a user with an account in one domain is allowed to access resources on another domain. The domain that has the user accounts is the trusted domain; the domain with the required resources is the trusting domain.
The administrators of both domains must supply the same password when establishing the trust relationship. After the trust relationship is established, the password is changed periodically by the domain software.
2.1.7.1 Establishing Trust Relationships
Both domains participating in a trust relationship must take an action to establish the trust. First the domain that will be trusted (that is, the domain where the user accounts are defined) must indicate that it is willing to be trusted, by permitting the other domain to trust it. Then the domain that will be trusting (that is, the domain where the shared resources are defined) can indicate that it is willing to trust the other domain.
For example, assume there are two domains: LANDOFOZ and KANSAS. Domain KANSAS has resources required by users who have user accounts in domain LANDOFOZ. You need to set up a trust relationship so that KANSAS trusts LANDOFOZ.
If the steps to establishing a trust are done in the opposite order (that is, one domain trusts the other before the other has permitted the first domain to trust it), the trust will eventually work. However, this can take up to 15 minutes.
To set up the trust relationship, use the following procedure. First, on a server in LANDOFOZ (the domain to be trusted), permit KANSAS to trust LANDOFOZ with the ADD TRUST command and the /PERMITTED qualifier; you are prompted for the trust password and its verification:
LANDOFOZ\\TINMAN> ADD TRUST KANSAS/PERMITTED
Password:
Password verification:
%PWRK-S-TRUSTADD, trust between domains "LANDOFOZ" and "KANSAS" added
LANDOFOZ\\TINMAN>
Then, on a server in KANSAS (the trusting domain), add LANDOFOZ as a trusted domain with the /TRUSTED qualifier, supplying the same password:
KANSAS\\TOPEKA> ADD TRUST LANDOFOZ/TRUSTED
Password:
Password verification:
%PWRK-S-TRUSTADD, trust between domains "KANSAS" and "LANDOFOZ" added
KANSAS\\TOPEKA>
To display the trust relationships:
Use the SHOW TRUSTS command. In the following example, a trust relationship has been established to enable domain KANSAS to trust domain LANDOFOZ. Execute the SHOW TRUSTS command on domain LANDOFOZ to display its trust:
LANDOFOZ\\TINMAN> SHOW TRUSTS
There are currently no domains trusted by domain LANDOFOZ
Domains permitted to trust domain LANDOFOZ:
    KANSAS
LANDOFOZ\\TINMAN>
To display the trusts of domain KANSAS without leaving the LANDOFOZ administration context, execute the SHOW TRUSTS command with the /DOMAIN qualifier:
LANDOFOZ\\TINMAN> SHOW TRUSTS/DOMAIN=KANSAS
Domains trusted by KANSAS:
    LANDOFOZ
There are currently no domains permitted to trust domain KANSAS
LANDOFOZ\\TINMAN>
To set up a two-way trust relationship:
When a two-way trust relationship has been established, each domain trusts the other, and users in both domains can access resources in the other domain, assuming resource permissions have been set up properly.
To set up a two-way trust relationship between domains LANDOFOZ and KANSAS, establish the trust in one direction (KANSAS trusts LANDOFOZ) and then in the other (LANDOFOZ trusts KANSAS). In each direction, the domain to be trusted permits the trust before the trusting domain adds it, and both commands for that direction must be given the same password.
On a server in LANDOFOZ, permit KANSAS to trust LANDOFOZ:
LANDOFOZ\\TINMAN> ADD TRUST KANSAS/PERMITTED
On a server in KANSAS, add LANDOFOZ as a trusted domain:
KANSAS\\TOPEKA> ADD TRUST LANDOFOZ/TRUSTED
On a server in KANSAS, permit LANDOFOZ to trust KANSAS:
KANSAS\\TOPEKA> ADD TRUST LANDOFOZ/PERMITTED
On a server in LANDOFOZ, add KANSAS as a trusted domain:
LANDOFOZ\\TINMAN> ADD TRUST KANSAS/TRUSTED
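Because a trust is only effective once the trusted domain has permitted it and the trusting domain has added it, an administrator of several domains wants a way to find half-configured trusts and to confirm which pairs are really two-way. The following Python is an added example, not from the Advanced Server manual or software. It parses the SHOW TRUSTS output format shown in this chapter (the listings it embeds are constructed from the LANDOFOZ, KANSAS and RUBYPALACE examples above, and TWO_WAY_VIEWS is a constructed picture of the state after the two-way procedure), pairs up the two sides of each trust, and reports which trusts are complete, which direction is still pending, and which pairs form a two-way trust.

```python
"""Pair up both sides of Advanced Server trust relationships from SHOW TRUSTS output.

Added example; not from the Advanced Server documentation or software.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample listings in the SHOW TRUSTS output format used in this
# chapter: one capture per domain, taken on a server in that domain or via /DOMAIN.
LISTINGS = {
    "LANDOFOZ": r"""
LANDOFOZ\\TINMAN> SHOW TRUSTS
There are currently no domains trusted by domain LANDOFOZ
Domains permitted to trust domain LANDOFOZ:
    KANSAS
LANDOFOZ\\TINMAN>
""",
    "KANSAS": r"""
LANDOFOZ\\TINMAN> SHOW TRUSTS/DOMAIN=KANSAS
Domains trusted by KANSAS:
    LANDOFOZ
There are currently no domains permitted to trust domain KANSAS
LANDOFOZ\\TINMAN>
""",
    "RUBYPALACE": r"""
RUBYPALACE\\QUEEN> SHOW TRUSTS
There are currently no domains trusted by domain RUBYPALACE.
Domains permitted to trust domain RUBYPALACE:
    LANDOFOZ
RUBYPALACE\\QUEEN>
""",
}

# Constructed view of LANDOFOZ and KANSAS after the two-way trust procedure.
TWO_WAY_VIEWS = {
    "LANDOFOZ": {"trusted": {"KANSAS"}, "permitted": {"KANSAS"}},
    "KANSAS": {"trusted": {"LANDOFOZ"}, "permitted": {"LANDOFOZ"}},
}


def parse_show_trusts(listing: str) -> Dict[str, Set[str]]:
    """Return {'trusted': domains this domain trusts, 'permitted': domains allowed to trust it}."""
    view = {"trusted": set(), "permitted": set()}
    section = None
    for raw in listing.splitlines():
        line = raw.strip()
        if not line or ">" in line:          # blank lines, prompts and command echo
            continue
        low = line.lower()
        if low.startswith("there are currently no domains"):
            section = None                    # empty section: nothing to collect
        elif low.startswith("domains trusted by"):
            section = "trusted"
        elif low.startswith("domains permitted to trust"):
            section = "permitted"
        elif section:
            view[section].add(line.rstrip(".").upper())
    return view


def evaluate_trusts(views: Dict[str, Dict[str, Set[str]]]) -> List[Tuple[str, str, str]]:
    """List (trusting, trusted, status) for every trust either side has configured.

    complete        both sides configured, the trust works
    missing_permit  trusting side added the trust, trusted side has not permitted it
    missing_trust   trusted side permitted it, trusting side has not added it
    unverified      the other domain's listing was not captured
    """
    results = []
    for trusting, view in views.items():
        for trusted in view["trusted"]:
            if trusted not in views:
                status = "unverified"
            elif trusting in views[trusted]["permitted"]:
                status = "complete"
            else:
                status = "missing_permit"
            results.append((trusting, trusted, status))
    for trusted, view in views.items():
        for trusting in view["permitted"]:
            if trusting not in views:
                results.append((trusting, trusted, "unverified"))
            elif trusted not in views[trusting]["trusted"]:
                results.append((trusting, trusted, "missing_trust"))
    return sorted(results)


def two_way(results: List[Tuple[str, str, str]]) -> Set[frozenset]:
    """Domain pairs whose trust is complete in both directions."""
    complete = {(a, b) for a, b, s in results if s == "complete"}
    return {frozenset((a, b)) for a, b in complete if (b, a) in complete}


def analyze(listings: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Parse one SHOW TRUSTS capture per domain and evaluate every trust."""
    return evaluate_trusts({d: parse_show_trusts(t) for d, t in listings.items()})


if __name__ == "__main__":
    for trusting, trusted, status in analyze(LISTINGS):
        print("%-12s trusts %-12s %s" % (trusting, trusted, status))
```

In the sample, KANSAS trusting LANDOFOZ is complete, while RUBYPALACE has permitted LANDOFOZ to trust it but LANDOFOZ has not yet added that trust, so the report shows it as missing_trust; the two-way view yields one complete pair.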