You can use logon scripts to configure MS-DOS and Windows workstation user environments by making network connections and starting applications.

You can create user profiles to make workstation computers easier to use and to control workstation access to network resources.

For more information about using logon scripts and user profiles, see Chapter 2, Domains and Trusts, in this guide.

1.9 Monitoring and Tracking Network Activity

The Advanced Server provides event logging and the ability to monitor network activity and track computer usage.

You can display servers and see which resources they are sharing. You can display the users currently connected to any network server and see which files are open, log and display security auditing entries, keep sophisticated error logs, and specify that alerts be sent to administrators when certain events occur.

For information on how to monitor and track network activity, see your Server Administrator's Guide.

1.10 Network Browser Services

The Advanced Server can act as a Master Browser in a Windows NT network.

1.11 Server Configuration

The installation process includes a configuration procedure that you use to set up your initial configuration. You can use the following to make adjustments to the configuration:

• The Configuration Manager lets you modify the server's configuration parameters. For example, you can configure the data cache size, the security mode, and the number of clients supported.
  For information on how to modify an Advanced Server using the Configuration Manager, see your Server Administrator's Guide.
• Server configuration parameters specify information that identifies the file and print server, controls the services that are started, and provides customization of the server.
  The Advanced Server for OpenVMS Release Notes runs on OpenVMS V7.2 systems or higher, and uses the OpenVMS Registry to store and retrieve server configuration parameter settings. Refer to the Advanced Server for OpenVMS Server Administrator's Guide for more information about the Advanced Server parameters structure in the OpenVMS Registry.
  The LANMAN.INI file is the PATHWORKS for OpenVMS (Advanced Server) configuration file. The values of the keywords in this file determine the option settings for the PATHWORKS Advanced Server.
  For a list of the LANMAN.INI file parameters, see the PATHWORKS for OpenVMS (Advanced Server) Server Administrator's Guide.

Advanced Server offers license management for both client-based and server-based licenses.

To connect to the Advanced Server, clients must be properly licensed. The Advanced Server licensing subsystem keeps track of the licensing database and validates client licenses when clients attempt their initial connection to the server. The Advanced Server licensing subsystem includes the following basic components, which are automatically installed with the Advanced Server software:

• License Registrar --- Validates that clients accessing the Advanced Server are appropriately licensed. Also manages the assignment of server-based licenses. Runs on all Advanced Server systems.
• License server --- Performs license-related services, such as assigning, verifying, and managing client-based licenses.
• License Manager --- An interface between the system administrator and the Advanced Server license server that provides the ability to manage license groups, set alert levels, set logging levels for licensing events, enable or disable the license server, and revoke assigned licenses.
  For a complete description of the licensing software and how to manage Advanced Server and PATHWORKS licenses, see the Advanced Server for OpenVMS Guide to Managing Advanced Server Licenses.

Using the Advanced Server management interfaces, you can remotely manage other servers in the domain. You can remotely manage the following kinds of servers:

• Windows NT Servers
• Other Advanced Server servers (OpenVMS and DIGITAL UNIX)
• PATHWORKS V5 LAN Manager servers (OpenVMS and DIGITAL UNIX)
• LAN Manager V2.x servers

You can use the ADMINISTER command line interface to manage servers, services, and domains. (The functionality for managing PATHWORKS V5 for OpenVMS (LAN Manager) and LAN Manager V2.2 servers is limited.)

For information on how to manage remote servers, see your Server Administrator's Guide.

1.14 Upgrading from Previous Versions of PATHWORKS

You may install Advanced Server for OpenVMS Release Notes on a system that was previously running PATHWORKS V6 for OpenVMS (Advanced Server). User, share, and security information in the Security Accounts Management (SAM) database are automatically upgraded when you configure the Advanced Server. If you are running a previous version of PATHWORKS, you must upgrade to the next higher version before proceeding. That is, a V5 server must be upgraded to V6; a V4 server must be upgraded to V5.

When you install PATHWORKS V6 for OpenVMS (Advanced Server), the Upgrade utility is automatically included with it. You can use the Upgrade utility to upgrade the users, groups, shares, and security of a PATHWORKS V5 for OpenVMS (LAN Manager) server. If you want to continue running the PATHWORKS LAN Manager server while performing the upgrade, you must install the Upgrade utility separately before installing the PATHWORKS V6 for OpenVMS (Advanced Server).

For information on how to upgrade PATHWORKS LAN Manager servers to PATHWORKS V6 for OpenVMS (Advanced Server), see the PATHWORKS for OpenVMS (Advanced Server) Server Migration Guide. For information on installing the Upgrade utility, see the PATHWORKS for OpenVMS (Advanced Server) Server Installation and Configuration Guide.

1.15 Solving Problems with the Advanced Server

The Advanced Server provides event logs and an audit trail. These resources let you track and manage server events and performance and troubleshoot problems. You can monitor and log events on any Advanced Server.

For more information on solving problems with the Advanced Server, see your Server Administrator's Guide.

The Advanced Server provides an administrative model for managing a large network efficiently. This model lets you manage and track the actions of users while allowing them to access the resources they need. Central to the idea of security in the Advanced Server is the concept that every resource and action is protected by discretionary access control. Discretionary access control allows you to permit some users to access a resource or perform an action while preventing other users from doing so.

Conventional OpenVMS file systems support simple file and directory protections --- read, write, delete, and execute --- for four categories of users: owners, members of the file owner's group, system administrators, and all others. The Advanced Server allows you to grant or deny users and groups a wide set of permissions; these permissions can work in concert with the standard OpenVMS file system protections. In addition, the Advanced Server allows you to apply a number of user:permission or group:permission pairs to any file, directory, or resource. You can set different permissions on different files in the same directory.

2.1 Domain and Trust Relationships

The basic administrative unit of Advanced Server is the domain. A domain is a collection of computers that share a common accounts database and security policy. All of the Advanced Servers in a domain use the same set of user accounts. As a result, you need to enter information for a user account only once to allow all servers in the domain to recognize the user.

Trust relationships are links between domains. In a trust relationship, a user with an account in one domain can access resources provided by another domain. This feature is called pass-through authentication. If the domains and trust relationships on your network are well planned, all your Advanced Server computers can recognize every authorized user, so a user needs to log in only once to access any required resource on the network.

2.2 Benefits of Using Domains

Grouping computers into domains offers significant benefits to network administrators and users. The first and most important benefit is that servers in a domain form a single administrative unit that can share security and user account information. Every domain has one database that contains user and group accounts and security policy settings. Every server in the domain can maintain a copy of this database. As a result, administrators need to manage only one account for each user, and each user needs to use only one account. By extending the administrative unit from a single computer to an entire domain, the Advanced Server saves administrators and users time and effort. Figure 2-1 shows four domains set up as basic administrative units on a network.

Figure 2-1 Grouping Computers into Domains

The second benefit of domains is user convenience. When users browse the network for available resources, they see the network grouped into domains instead of viewing all the individual servers on the network. This implementation of domains is similar to the use of workgroups in Microsoft Windows for Workgroups. Advanced Server domains are compatible with workgroups in the Windows for Workgroups platform.

For more information about Windows for Workgroups, see Section 2.6.4, Windows for Workgroups Computers in this guide.

You can provide a user with access to resources in a second domain without creating and maintaining a separate user account in the second domain, and without granting hard-to-maintain individual permissions directly to the person. A user can access resources in other domains as easily as those in the user's own domain.

To allow a user access to resources in a domain where the user has no user account, you can:

1. Establish a trust relationship between the two domains in which the user's domain becomes the trusted domain, and the domain the user must access becomes the trusting domain.
2. Create a local group in the trusting domain. Add to the local group the name of the user's account or the name of a global group to which the user belongs on the trusted domain. (If you add users as individuals rather than as members of global groups, the relationships are more difficult to maintain.)
3. Modify the share permissions to allow the local group to access the share.
4. Ensure that protections and permissions on the share are appropriate to the user's requirements.

The text and examples that follow will clarify several new terms introduced here, such as share, global group, and local group. For definitions of new terms, you can also see the Glossary in this guide.

2.4 Links Between Domains: Trust Relationships

Trust relationships between domains enable user accounts to be used in domains other than the ones in which they reside. Trust relationships make administration easier because you create user accounts only once on your network. Then, you can give a user account access to any computer on the network, not only to the computers in one domain.

2.4.1 Establishing a One-Way Trust Relationship

When you establish a one-way trust relationship between domains, one domain (the trusting domain) trusts the other (the trusted domain). Figure 2-2 shows a one-way trust relationship in which the Production domain trusts the Sales domain. Users from the Sales domain can access resources in the Production domain even though they do not have accounts in the Production domain.

Sales, however, does not trust Production; therefore, resources from Sales cannot be used by users in the Production domain.

Figure 2-2 A One-Way Trust Relationship

Establishing this one-way trust relationship requires administrative access to both domains and a password. For example:

1. The administrator logs in to domain Sales and adds the trust with domain Production (this adds the domain Production to a list of domains permitted to trust Sales).
2. On domain Production, the administrator adds the trust with Sales (this adds Sales to a list of domains trusted by Production).

Subsequently, the trusting domain Production recognizes all user and global group accounts from the trusted domain Sales. These accounts can be used anywhere in the trusting domain: they can log on at workstations, reside in local groups, or be given access to resources in the trusting domain. For more information on establishing a one-way trust, see your Server Administrator's Guide.

2.4.2 Establishing a Two-Way Trust Relationship

A trust relationship can be one-way or two-way. A two-way trust relationship is a pair of one-way relationships in which each domain trusts the other.

In Figure 2-3, the Finance and Shipping domains trust each other; therefore, accounts in each of these domains can be used in the other. Users in the Finance domain can access resources in the Shipping domain, and users in the Shipping domain can access resources in the Finance domain.

Figure 2-3 A Two-Way Trust Relationship

For more information on establishing a two-way trust relationship, see your Server Administrator's Guide.

2.4.3 Nontransitive Trust Relationships

Trust relationships among domains are not transitive. Although, as shown in Figure 2-4, Production trusts Sales and Sales trusts Finance, it does not follow that Production trusts Finance automatically. If Production needs to trust Finance and allow Finance accounts to be used in the Production domain, you must establish an explicit trust relationship between Production and Finance.

Figure 2-4 A Nontransitive Trust Relationship

Remember that you must take steps in each domain to define trusted and trusting domains, as discussed in the preceding sections and, in more detail, in your Server Administrator's Guide.

2.5 Domain Composition

The minimum requirement for a domain is one server running either Advanced Server (OpenVMS or DIGITAL UNIX) or Windows NT Server software. This computer serves as the primary domain controller and stores the master copy of the domain's user and group database. A domain can contain only one primary domain controller.

A domain can include, as backup domain controllers, other servers running Advanced Server (OpenVMS or DIGITAL UNIX), Windows NT Server, or LAN Manager V2.x software; it can also include LAN Manager V2.x servers as standalone or member servers. The clients in a domain can include Windows NT workstations, Windows 95 workstations, Windows 98 workstations, and workstations running Windows for Workgroups or MS-DOS. The following sections discuss individual domain components in detail.

2.5.1 Primary Domain Controller

The primary domain controller of an Advanced Server domain must be a server running either Advanced Server or Windows NT Server software. Every change made to a domain's user and group database is made to the database of the primary domain controller.

To change the user database when managing an Advanced Server with the ADMINISTER command, you specify only the name of the domain to which the change applies; you do not need to specify the server name. The Advanced Server makes the change automatically to the database of the primary domain controller.

2.5.2 Backup Domain Controller

In a domain, except for the primary domain controller, every server running Advanced Server is a backup domain controller, and every server running Windows NT Server is a backup domain controller or a member server. A backup domain controller stores a copy of the domain's account database, which is automatically synchronized with the primary domain controller. You cannot change the user database on a backup domain controller.

Like the primary domain controller, a backup domain controller can process logon requests from users who want to log on to the domain. When the domain receives a request to log on, either the primary domain controller or any of the backup domain controllers can authenticate the logon attempt.

You should have at least one backup domain controller running Advanced Server or Windows NT Server in a domain. If the primary domain controller becomes unavailable, a backup domain controller can be promoted to primary domain controller and the domain can continue to function normally. Having multiple servers also distributes logon request processing; this is especially useful in domains with many user accounts.

In domains with multiple computers running Advanced Server, one acts as the primary domain controller and the other computers are designated as backup domain controllers. In domains with WAN configurations (with server computers at different locations), each site should have at least one backup domain controller running Advanced Server or Windows NT Server to permit logon validation if access to the primary domain controller becomes unavailable.

2.5.3 LAN Manager V2.x Servers

PATHWORKS for OpenVMS (LAN Manager) and LAN Manager V2.x servers can coexist in a domain with the Advanced Server. A LAN Manager server cannot be the primary domain controller in such a domain, however, because LAN Manager V2.x does not support all the types of information contained in Advanced Server accounts.

Under some circumstances, you may need to maintain LAN Manager servers. For example, you may need to have a PATHWORKS V5 for OpenVMS server to provide Remote Boot Services, which are not supported by Advanced Server. You can incorporate LAN Manager servers into your network as backup domain controllers, member servers, or standalone servers in an Advanced Server domain.

Adding a LAN Manager server to an Advanced Server domain presents a few challenges because of the following differences in server capabilities:

• The LAN Manager server receives a copy of the domain's user and group database, but the LAN Manager server does not recognize local groups. Therefore, you cannot assign permissions for resources on LAN Manager servers based on the domain's local groups.
• LAN Manager servers are limited to 256 groups, but there is no limit to the number of groups that can exist in an Advanced Server domain. If the number of groups in a domain containing a LAN Manager server exceeds 256, the replication process can break down, affecting the databases on LAN Manager servers.
• LAN Manager servers do not recognize trust relationships. Therefore, if the domain containing LAN Manager servers trusts other domains, you cannot assign permissions on the LAN Manager servers to users and global groups from the trusted domain.
• Domains composed entirely of LAN Manager servers cannot have trust relationships with other domains and therefore cannot allow users and global groups defined on other domains to access its resources. If a workstation user in an Advanced Server domain needs to access a resource in a LAN Manager domain, that user must also have an account in the LAN Manager domain, or that domain must allow guest logon.

If it is a backup domain controller or member server, a LAN Manager server stores a copy of the domain's security database. A LAN Manager server running as a backup domain controller can validate logon attempts from computers running Windows for Workgroups or LAN Manager software. A LAN Manager standalone server does not receive a copy of the domain accounts database, and neither standalone nor member servers can validate client domain logon requests.

A Windows NT Server can be part of the same domain as an Advanced Server and can be designated as the primary domain controller.

For more information about the differences between Windows NT Server and the Advanced Server, see Appendix A, Differences Between Advanced Server and Windows NT Server, in this guide.

2.5.5 Advanced Server for DIGITAL UNIX Servers

An Advanced Server for DIGITAL UNIX server can be part of the same domain as an Advanced Server for OpenVMS server and can be designated as the primary domain controller. For Advanced Server for DIGITAL UNIX servers, you have the following options:

• You can remotely manage the Advanced Server for DIGITAL UNIX.
• From an Advanced Server for DIGITAL UNIX, you can remotely manage the OpenVMS Advanced Server.

For more information about the Advanced Server for DIGITAL UNIX product, see the Advanced Server for DIGITAL UNIX documentation set.

2.6 Workstation Environments

On an Advanced Server network, you can use user profiles to define and enhance workstation environments. A user profile contains the per-user settings of the Windows NT environment, including the following:

• Logon script specification
  A logon script can be a batch file containing Advanced Server and operating system commands, such as commands to make network connections or start application or executable programs. If a user has a logon script, that script is run whenever the user logs on at any type of workstation on the network.
  For more information about logon scripts, see Section 2.6.1, Tips for Using Logon Scripts in this guide.
• Home directory location
  A home directory gives a user storage space. Normally, users also control access to their home directories and can restrict or grant access to other users.
  For more information about home directories, see Section 2.6.2, Tips for Using Home Directories in this guide.

You manage user environments by editing the user profile. However, user profiles are applicable only at Windows NT workstation computers and have no effect on other types of client workstations.