Advanced Server for OpenVMS
Server Administrator's Guide




Chapter 2
Managing Domains and Servers

This chapter describes the way Advanced Server participates in a domain and provides the concepts and procedures you use to manage servers and domains from Advanced Server.

2.1 Managing a Domain

A domain is a set of computers that share a common Security Accounts Management (SAM) database. When you manage a domain and its services, you control its system entities and resources, and you can display information about its resources, such as its computers, connections, user sessions, shares, and services.

The Advanced Server can have one of two roles:

  1. Primary domain controller. Holds the master copy of the domain's user accounts (SAM) database. It is the only server in the domain on which the database can be changed.
  2. Backup domain controller. Holds a replicated copy of the database, received from the primary domain controller, and validates logon requests against that copy.

Note

Advanced Server cannot be configured to take standalone or member server roles.

The NetLogon service ensures that each backup domain controller's copy of the domain-wide user accounts database is identical to the master copy kept on the primary domain controller. At regular intervals, any changes made to the master copy of the user accounts database on the primary domain controller are replicated to all backup domain controllers, as described in Section 2.1.4, Synchronizing SAM Databases on Domain Controllers. However, the Advanced Server does not replicate user files and directories.

If the primary domain controller fails or is stopped, you cannot make changes to the domain's user accounts database, but logon validation continues as long as one or more backup domain controllers are running the NetLogon service. Because primary and backup domain controllers keep their own copies of the database, and because the primary domain controller and all backup domain controllers can validate logon requests, there is no single point of failure for logon validation in the domain. The primary domain controller remains the single point at which the database can be changed, so if it is unavailable for an extended period, promote a backup domain controller to assume the primary domain controller role so that changes can be made to user accounts.

Each domain in a network is identified internally by a security identifier (SID), a unique number associated with the domain. When a primary domain controller is installed and started, a unique SID is assigned. Therefore, if you have an existing domain, and you want to add a new server to the domain as the primary domain controller, you must install the new server as a backup domain controller first, then change the server's role. For information about changing the server's role, see Section 2.1.3, Changing a Server's Role in a Domain.

2.1.1 Displaying the Current Domain

When you use the ADMINISTER command line interface, the command prompt provides the name of your domain.

To display the current domain and server:

Execute the ADMINISTER command. For example:


$ ADMINISTER 
LANDOFOZ\\TINMAN> 

The domain name and server name are in the command prompt. In this example, the domain name is LANDOFOZ and the server name is TINMAN.

Use the SHOW ADMINISTRATION command to display information about the current domain and your logged-on user account. For example:


LANDOFOZ\\TINMAN> SHOW ADMINISTRATION 
 
Administration information: 
 
The domain being administered is: LANDOFOZ 
The domain controller for the domain is: TINMAN 
The domain controller type is: Advanced Server 3.51 for OpenVMS 
 
The server being administered is TINMAN 
The server type is: Advanced Server 3.51 for OpenVMS 
 
The user name is: ADMINISTRATOR 
The user is logged on to domain LANDOFOZ and has been authenticated. 
The user's privilege level on this domain is: ADMIN 
The user's workstation is TINMAN and is in domain LANDOFOZ. 
LANDOFOZ\\TINMAN> 

2.1.2 Administering Another Domain

You can administer another domain in either of the following ways:

  1. Use the SET ADMINISTRATION/DOMAIN=domain-name command to change the domain that subsequent ADMINISTER commands act on.
  2. Add the /DOMAIN=domain-name qualifier to an individual command, as in SHOW TRUSTS/DOMAIN=KANSAS in Section 2.1.7.1, Establishing Trust Relationships. Only that one command is directed to the other domain.

For information about the requirements for administrative functions, refer to the Advanced Server for OpenVMS Commands Reference Manual.

2.1.3 Changing a Server's Role in a Domain

The first server to be configured in a domain is always the primary domain controller. The primary domain controller role is established during initial installation and configuration of the server. After that, you can change the role of the server using the SET COMPUTER/ROLE command.

You change the role of the primary domain controller by promoting a backup domain controller. For example, if the primary domain controller needs to be taken off line for maintenance, you can promote a backup domain controller to be the primary domain controller. When you promote a backup domain controller, the role of the original primary domain controller is automatically changed to backup domain controller.

In this case, when the original primary domain controller comes back on line, it has the role of backup domain controller. You can then promote it to primary domain controller, if necessary.

If the primary domain controller fails unexpectedly, the domain continues to provide logon validation as long as the NetLogon service is running on a backup domain controller. However, to make changes to the SAM database, a primary domain controller is required. Therefore, if you think the primary domain controller will be unavailable for more than a short time, you should promote a backup domain controller. When the original primary domain controller comes back on line after an unscheduled interruption, it continues to assume the role of primary domain controller. If the primary domain controller is restarted and you have promoted a backup domain controller in its absence, the NetLogon service is not started on the server, and the following Alert message is generated and recorded in the System event log:


A primary domain controller is running in the domain 

In this case, you must explicitly change the server's role to backup domain controller using the SET COMPUTER/ROLE command. It may take a few minutes to complete a server role change in a domain.

While server roles are changing, you cannot make changes to the user accounts database; logon validation remains available during the role change if there is another backup domain controller running the NetLogon service. Refer to Section 2.3.3, Managing Services, for more information about the NetLogon service.

To change the role of a server in a domain:

  1. Log on as the domain administrator.
  2. Use the SHOW COMPUTERS command to check the server's current role.
  3. Use the SET COMPUTER/ROLE command to change a server's role.
  4. Use the SHOW COMPUTERS command to verify the new server role.

For example:


$ ADMINISTER 
LANDOFOZ\\TINMAN> LOGON ADMINISTRATOR 
Password: 
The server \\TINMAN successfully logged you on as Administrator. 
Your privilege level on domain LANDOFOZ is ADMIN. 
The last time you logged on was 8/11/98 2:57 PM. 
 
LANDOFOZ\\TINMAN> SHOW COMPUTERS 
 
Computers in domain "LANDOFOZ": 
Computer         Type                  Description 
----------------------------------------------------------------------- 
[PD] TINMAN   OpenVMS 3.51 Primary     Advanced Server V7.2 for OpenVMS 
 
[BD] WOODMAN  OpenVMS 3.51 Backup      Advanced Server V7.2 for OpenVMS 
 
  Total of 2 computers 
LANDOFOZ\\TINMAN> SET COMPUTER WOODMAN/ROLE=PRIMARY_DOMAIN_CONTROLLER 
 
Promoting "WOODMAN" to a Primary Domain Controller may take a few minutes. 
 
Do you want to continue with the promotion [YES or NO] (YES) : YES 
%PWRK-I-ROLESYNC, synchronizing "WOODMAN" with its primary 
%PWRK-I-ROLENLSTOP, stopping the Net Logon service on "WOODMAN" 
%PWRK-I-ROLENLSTOP, stopping the Net Logon service on "TINMAN" 
%PWRK-I-ROLECHANGE, changing "TINMAN"'s role to Backup Domain Controller 
%PWRK-I-ROLECHANGE, changing "WOODMAN"'s role to Primary Domain Controller 
%PWRK-I-ROLENLSTART, starting the Net Logon service on "WOODMAN" 
%PWRK-I-ROLENLSTART, starting the Net Logon service on "TINMAN" 
%PWRK-I-ROLECHANGED, the computers role was successfully changed 
 
LANDOFOZ\\TINMAN> SHOW COMPUTERS 
 
Computers in domain "LANDOFOZ": 
 
Computer         Type                  Description 
------------------------------------------------------------------- 
[BD] TINMAN   OpenVMS 3.51 Backup      Advanced Server V7.2 for OpenVMS 
 
[PD] WOODMAN  OpenVMS 3.51 Primary     Advanced Server V7.2 for OpenVMS 
 
  Total of 2 computers 
 
LANDOFOZ\\TINMAN> 

For information about changing the server role when Advanced Server is running in an OpenVMS cluster, see Section 2.4, Advanced Server in OpenVMS Clusters.
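After a role change, the thing to verify is the invariant the procedure above depends on: exactly one primary domain controller in the domain, and the one you intended. The following Python script is an added example, not code from the Advanced Server documentation or product. It parses captured SHOW COMPUTERS output (the two captures embedded in it are constructed from the listings above) and checks both halves of a promotion, the new primary domain controller and the automatic demotion of the old one. The function names are this example's own.

```python
"""Post-change check for ADMINISTER SHOW COMPUTERS output.

Added example; not part of the Advanced Server documentation or product.
It parses the text that SHOW COMPUTERS prints (line format taken from the
listings in this section) and verifies the domain invariant that matters
after SET COMPUTER/ROLE: exactly one primary domain controller, and it is
the server that was meant to be promoted.  The captures at the bottom are
constructed from the examples in this section, not taken from a live system.
"""
import re

# One entry looks like:  [PD] TINMAN   OpenVMS 3.51 Primary   Advanced Server V7.2 ...
ENTRY = re.compile(r"^\[(?P<tag>[A-Za-z]{2})\]\s+(?P<name>\S+)\s*(?P<rest>.*)$")

ROLE_BY_TAG = {
    "PD": "primary domain controller",
    "BD": "backup domain controller",
    "WS": "workstation",  # the listing prints this tag in lower case, [ws]
}

def parse_show_computers(listing: str) -> dict:
    """Return {COMPUTER NAME: role string} for every entry in the listing."""
    roles = {}
    for line in listing.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # headers, separator, "Total of N computers", the prompt
        tag = m.group("tag").upper()
        roles[m.group("name").upper()] = ROLE_BY_TAG.get(tag, "unknown (%s)" % tag)
    return roles

def primary_domain_controller(listing: str) -> str:
    """Name of the single PDC in the listing; raises if there is not exactly one."""
    pdcs = [name for name, role in parse_show_computers(listing).items()
            if role == "primary domain controller"]
    if len(pdcs) != 1:
        raise ValueError("expected exactly one primary domain controller, found %r" % pdcs)
    return pdcs[0]

def role_change_succeeded(listing_before: str, listing_after: str, promoted: str) -> bool:
    """True when `promoted` went from BDC to PDC and the old PDC is now a BDC.

    Promoting a BDC automatically demotes the previous PDC, so both
    transitions are checked, not just the new primary.
    """
    before = parse_show_computers(listing_before)
    after = parse_show_computers(listing_after)
    promoted = promoted.upper()
    old_pdc = primary_domain_controller(listing_before)
    return (
        before.get(promoted) == "backup domain controller"
        and primary_domain_controller(listing_after) == promoted
        and after.get(old_pdc) == "backup domain controller"
    )

# Constructed captures, copied from the SHOW COMPUTERS examples in this section.
BEFORE = r"""
Computers in domain "LANDOFOZ":
Computer         Type                  Description
-----------------------------------------------------------------------
[PD] TINMAN   OpenVMS 3.51 Primary     Advanced Server V7.2 for OpenVMS

[BD] WOODMAN  OpenVMS 3.51 Backup      Advanced Server V7.2 for OpenVMS

  Total of 2 computers
LANDOFOZ\\TINMAN>
"""
AFTER = r"""
Computers in domain "LANDOFOZ":

Computer         Type                  Description
-------------------------------------------------------------------
[BD] TINMAN   OpenVMS 3.51 Backup      Advanced Server V7.2 for OpenVMS

[PD] WOODMAN  OpenVMS 3.51 Primary     Advanced Server V7.2 for OpenVMS

  Total of 2 computers

LANDOFOZ\\TINMAN>
"""

if __name__ == "__main__":
    print("PDC before:", primary_domain_controller(BEFORE))
    print("PDC after: ", primary_domain_controller(AFTER))
    print("promotion of WOODMAN complete:", role_change_succeeded(BEFORE, AFTER, "WOODMAN"))
```

Run it against a real capture by pasting the SHOW COMPUTERS output into the two strings. If primary_domain_controller raises because it finds zero or two [PD] entries, the role change has not finished or did not complete cleanly; check the System event log with SHOW EVENTS before issuing another SET COMPUTER/ROLE.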

2.1.4 Synchronizing SAM Databases on Domain Controllers

Normally, domain controllers are automatically synchronized at regular intervals when the backup domain controllers replicate the database from the primary domain controller. In rare cases, you may need to synchronize them manually. For example, you may have just added some new users or groups and you want the backup domain controllers to be able to validate the new user logons now, rather than after the next periodic synchronization. To do this, use the SET COMPUTER/ACCOUNT_SYNCHRONIZE command. You can synchronize all backup domain controllers at once, or synchronize an individual backup domain controller with the primary domain controller.

To synchronize all controllers in a domain:

To synchronize all backup domain controllers with the primary domain controller, enter the SET COMPUTER /ACCOUNT_SYNCHRONIZE command, specifying the primary domain controller.

For example, if the primary domain controller is called TINMAN, the following command synchronizes all backup domain controllers in the domain with TINMAN:


LANDOFOZ\\TINMAN> SET COMPUTER TINMAN/ACCOUNT_SYNCHRONIZE 
 
Resynchronizing "LANDOFOZ" domain may take a few minutes. 
 
Do you want to continue with the synchronization [YES or NO] (YES) : YES 
%PWRK-S-ACCSYNCHED, account synchronization was successfully initiated 
LANDOFOZ\\TINMAN> 

Although the command has completed successfully, the synchronization process takes a few minutes to complete. You can monitor its progress by reviewing the System event log file using the SHOW EVENTS command. If the backup domain controllers are already up-to-date, no event log message is recorded.

To synchronize a specific backup domain controller with the primary domain controller:

Enter the SET COMPUTER/ACCOUNT_SYNCHRONIZE command, specifying the backup domain controller name.

For example, if the backup domain controller is called WOODMAN, the following command synchronizes only the server WOODMAN with the domain's primary domain controller, TINMAN.


LANDOFOZ\\TINMAN> SET COMPUTER WOODMAN/ACCOUNT_SYNCHRONIZE 
 
Resynchronizing "WOODMAN" with its Primary Domain Controller "TINMAN" 
may take a few minutes. 
After the synchronization has completed, you should check the Event Logs on 
"WOODMAN" and "TINMAN" to determine whether synchronization was 
successful. 
 
Do you want to continue with the synchronization [YES or NO] (YES) : YES 
%PWRK-S-ACCSYNCHED, account synchronization was successful 
 
LANDOFOZ\\TINMAN> 

Although the command has completed successfully, the synchronization process takes a few minutes to complete. You can monitor its progress by reviewing the System event log file using the SHOW EVENTS command.

2.1.5 Adding a Computer Account to a Domain

For an Advanced Server or a Windows NT computer to become a domain member, it must be added to the domain's security database. If the computer is a backup domain controller, it receives a copy of the domain's security database.

When a computer is configured to join an existing domain (for example, when you install a Windows NT Server or workstation, or when you run the PWRK$CONFIG.COM command procedure on an Advanced Server), the computer account is added to the domain's security database automatically. This procedure requires that the user name and password of a user account with membership in the Administrator's group be supplied.

Alternatively, use the ADD COMPUTER command to add the computer account to the domain's security database. After you add the computer account, the computer joins the domain automatically when it is started, and no password is required for the join. This is a security risk: until the intended computer joins, any computer that presents the same name can join the domain under that account. Add the account only when the computer is about to join, and if the intended computer does not join the domain immediately, remove the computer account from the domain's security database using the REMOVE COMPUTER command, as described in Section 2.1.6, Removing a Computer Account from a Domain's Security Database.

To add a computer to a domain:

  1. Identify the name of the domain to which you will add the computer.
  2. Obtain or establish the name of the computer you will add; be sure it is unique in the network and no more than 15 characters long.
  3. Determine whether the computer you are adding is to be a workstation, server, or backup domain controller.
  4. Use the ADD COMPUTER command. Optionally include the /DESCRIPTION qualifier to provide a description of the computer. If you enter a description that contains nonalphanumeric characters, spaces, or lowercase letters, enclose the description string in quotation marks.

For example, the following command adds the computer GREENGIRL as a Windows NT workstation to the domain LANDOFOZ:


LANDOFOZ\\TINMAN> ADD COMPUTER GREENGIRL 
%PWRK-S-COMPADD, computer "GREENGIRL" added to domain "LANDOFOZ" 
LANDOFOZ\\TINMAN> 

The computer is added to the domain's security database. The SHOW COMPUTERS command shows GREENGIRL as a Windows NT workstation. For example:


LANDOFOZ\\TINMAN> SHOW COMPUTERS 
Computers in domain "LANDOFOZ": 
Computer       Type                    Description 
-----------    ------------            -------------------------------- 
[PD] TINMAN    OpenVMS 3.51 Primary    Advanced Server V7.2 for OpenVMS 
 
[ws] GREENGIRL  Windows NT Workstation 

2.1.6 Removing a Computer Account from a Domain's Security Database

When you remove a computer account from the domain's security database, the computer can no longer participate in domain security. It might be useful to remove a computer account from the domain's security database if the computer did not join the domain after its account was added to the domain's security database. You cannot remove a primary domain controller.

To remove a computer from a domain:

  1. Identify the name of the computer you will remove.
  2. Enter the REMOVE COMPUTER command. When you execute this command, you receive a prompt to confirm the requested action.

For example, the following command removes the computer GREENGIRL from the domain LANDOFOZ:


LANDOFOZ\\TINMAN> REMOVE COMPUTER GREENGIRL 
Removing computer "GREENGIRL" from domain "LANDOFOZ" will render it 
incapable of authenticating domain logons until it is added to another 
domain. 
Do you want to continue with the removal [YES or NO] (YES) : YES 
%PWRK-S-COMPREM, computer "GREENGIRL" removed from domain "LANDOFOZ" 
 
LANDOFOZ\\TINMAN> 

2.1.7 Managing Trust Relationships

A trust relationship is a link between two domains, where one domain honors the users of another domain, trusting the other domain to authenticate the logons of its users. When trust relationships are properly established among domains and resource permissions are set properly, a user with an account in one domain is allowed to access resources on another domain. The domain that has the user accounts is the trusted domain; the domain with the required resources is the trusting domain.

The administrators of both domains must supply the same password when establishing the trust relationship; agree on it through a channel other than the domain itself, because it is what authenticates the initial setup of the trust. After the trust relationship is established, the domain software changes the password periodically on its own.

2.1.7.1 Establishing Trust Relationships

Both domains participating in a trust relationship must take an action to establish the trust. First the domain that will be trusted (that is, the domain where the user accounts are defined) must indicate that it is willing to be trusted, by permitting the other domain to trust it. Then the domain that will be trusting (that is, the domain where the shared resources are defined) can indicate that it is willing to trust the other domain.

For example, assume there are two domains: LANDOFOZ and KANSAS. Domain KANSAS has resources required by users who have user accounts in domain LANDOFOZ. You need to set up a trust relationship so that KANSAS trusts LANDOFOZ.

If the steps to establishing a trust are done in the opposite order (that is, one domain trusts the other before the other has permitted the first domain to trust it), the trust will eventually work. However, this can take up to 15 minutes.

To set up the trust relationship, use the following procedure:

  1. When logged in on domain LANDOFOZ, enter the following command:


    LANDOFOZ\\TINMAN> ADD TRUST KANSAS/PERMITTED 
    Password: 
    Password verification: 
    %PWRK-S-TRUSTADD, trust between domains "LANDOFOZ" and "KANSAS" added 
     
    LANDOFOZ\\TINMAN> 
    

    This adds domain KANSAS to the list of domains permitted to trust LANDOFOZ.

  2. Log on to domain KANSAS, and enter the following command. Use the same password in this command that was used in the previous step.


    KANSAS\\TOPEKA> ADD TRUST LANDOFOZ/TRUSTED 
    Password: 
    Password verification: 
    %PWRK-S-TRUSTADD, trust between domains "KANSAS" and "LANDOFOZ" added 
     
    KANSAS\\TOPEKA> 
    

    This command adds domain LANDOFOZ to the list of domains trusted by domain KANSAS.

To display the trust relationships:

Use the SHOW TRUSTS command. In the following example, a trust relationship has been established to enable domain KANSAS to trust domain LANDOFOZ. Execute the SHOW TRUSTS command on domain LANDOFOZ to display its trust:


LANDOFOZ\\TINMAN> SHOW TRUSTS 
There are currently no domains trusted by domain LANDOFOZ 
Domains permitted to trust domain LANDOFOZ: 
    KANSAS 
LANDOFOZ\\TINMAN> 

To display the trust from the KANSAS side without logging on there, execute the SHOW TRUSTS command with the /DOMAIN qualifier. Here it is run from the LANDOFOZ prompt:


LANDOFOZ\\TINMAN> SHOW TRUSTS/DOMAIN=KANSAS 
Domains trusted by KANSAS: 
    LANDOFOZ 
There are currently no domains permitted to trust domain KANSAS 
LANDOFOZ\\TINMAN> 

To set up a two-way trust relationship:

When a two-way trust relationship has been established, each domain trusts the other, and users in both domains can access resources in the other domain, assuming resource permissions have been set up properly.

To set up a two-way trust relationship between domains LANDOFOZ and KANSAS, follow these steps:

  1. When logged in on domain LANDOFOZ, add the domain KANSAS to the list of domains permitted to trust LANDOFOZ, as follows:


    LANDOFOZ\\TINMAN> ADD TRUST KANSAS/PERMITTED 
    

  2. On domain KANSAS, add the domain LANDOFOZ to the list of domains trusted by KANSAS, as follows:


    KANSAS\\TOPEKA> ADD TRUST LANDOFOZ/TRUSTED 
    

  3. On domain KANSAS, add LANDOFOZ to the list of domains that are permitted to trust KANSAS, as follows:


    KANSAS\\TOPEKA> ADD TRUST LANDOFOZ/PERMITTED 
    

  4. On domain LANDOFOZ, add KANSAS to the list of domains that are trusted by LANDOFOZ, as follows:


    LANDOFOZ\\TINMAN> ADD TRUST KANSAS/TRUSTED 
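
The check a practitioner wants after either procedure in this section (the one-way trust and the two-way trust) is whether every trust is complete on both sides: the trusting domain must list the other domain as trusted, and the trusted domain must list the trusting domain as permitted. The following Python script is an added example, not code from the Advanced Server documentation or product. It parses captured SHOW TRUSTS output for each domain (the captures embedded in it are constructed from the listings above) and reports trusts that exist on one side only, which is the state a trust is in until both domains have run their ADD TRUST command. The function names are this example's own.

```python
"""Consistency check for ADMINISTER SHOW TRUSTS output across domains.

Added example; not part of the Advanced Server documentation or product.
A trust is complete only when the trusting domain lists the other domain
under "Domains trusted by" AND the trusted domain lists the trusting domain
under "Domains permitted to trust".  This script parses the SHOW TRUSTS
text for each domain (line formats taken from the examples in this section)
and reports trusts that exist on one side only.  All captures below are
constructed from those examples; function names are this example's own.
"""
import re

TRUSTED_HDR = re.compile(r"^Domains trusted by (?:domain )?\S+?:?$")
PERMITTED_HDR = re.compile(r"^Domains permitted to trust (?:domain )?\S+?:?$")
NO_DOMAINS = re.compile(r"^There are currently no domains")

def parse_show_trusts(output: str) -> dict:
    """Return {"trusted": set, "permitted": set} from one SHOW TRUSTS capture."""
    result = {"trusted": set(), "permitted": set()}
    section = None
    for raw in output.splitlines():
        line = raw.strip()
        # Blank lines, the ADMINISTER prompt (ends in ">") and the explicit
        # "no domains" lines all end the current list.
        if not line or line.endswith(">") or NO_DOMAINS.match(line):
            section = None
        elif TRUSTED_HDR.match(line):
            section = "trusted"
        elif PERMITTED_HDR.match(line):
            section = "permitted"
        elif section is not None:
            result[section].add(line.upper())  # an indented domain name
    return result

def one_sided_trusts(trusts_by_domain: dict) -> list:
    """Return sorted (trusting, trusted, reason) tuples for incomplete trusts.

    trusts_by_domain maps an upper-case domain name to parse_show_trusts() of
    the SHOW TRUSTS output for that domain (run there, or via /DOMAIN=name).
    """
    problems = []
    for dom, t in trusts_by_domain.items():
        for other in t["trusted"]:
            # dom trusts other, so other must have permitted dom to trust it.
            if other not in trusts_by_domain:
                problems.append((dom, other, "no SHOW TRUSTS capture for %s" % other))
            elif dom not in trusts_by_domain[other]["permitted"]:
                problems.append((dom, other, "%s trusts %s, but %s has not permitted it" % (dom, other, other)))
        for other in t["permitted"]:
            # dom permitted other to trust it, so other must actually trust dom.
            if other not in trusts_by_domain:
                problems.append((other, dom, "no SHOW TRUSTS capture for %s" % other))
            elif dom not in trusts_by_domain[other]["trusted"]:
                problems.append((other, dom, "%s permitted %s, but %s does not trust it" % (dom, other, other)))
    return sorted(problems)

# Constructed captures, copied from the SHOW TRUSTS examples in this section
# (one-way trust: KANSAS trusts LANDOFOZ).
LANDOFOZ_ONE_WAY = r"""
There are currently no domains trusted by domain LANDOFOZ
Domains permitted to trust domain LANDOFOZ:
    KANSAS
LANDOFOZ\\TINMAN>
"""
KANSAS_ONE_WAY = r"""
Domains trusted by KANSAS:
    LANDOFOZ
There are currently no domains permitted to trust domain KANSAS
LANDOFOZ\\TINMAN>
"""
# Constructed capture for the failure mode: KANSAS already trusts LANDOFOZ,
# but LANDOFOZ has not yet run ADD TRUST KANSAS/PERMITTED.
LANDOFOZ_NOT_PERMITTED = r"""
There are currently no domains trusted by domain LANDOFOZ
There are currently no domains permitted to trust domain LANDOFOZ
LANDOFOZ\\TINMAN>
"""

if __name__ == "__main__":
    complete = {"LANDOFOZ": parse_show_trusts(LANDOFOZ_ONE_WAY),
                "KANSAS": parse_show_trusts(KANSAS_ONE_WAY)}
    pending = {"LANDOFOZ": parse_show_trusts(LANDOFOZ_NOT_PERMITTED),
               "KANSAS": parse_show_trusts(KANSAS_ONE_WAY)}
    print("one-way trust, both sides done:", one_sided_trusts(complete) or "OK")
    print("one-way trust, permit missing :", one_sided_trusts(pending))
```

For a two-way trust, supply both captures and expect an empty result; each domain must then appear in both the trusted and the permitted list of the other. A one-sided report is not necessarily an error: if the steps were done in the opposite order, the trust can take up to 15 minutes to complete, so re-run the check after that interval before re-entering any ADD TRUST command.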
    

