This chapter describes the way Advanced Server participates in a domain and provides the concepts and procedures you use to manage servers and domains from Advanced Server.
A domain is a set of computers that share a common security accounts database (also referred to as the Security Account Manager (SAM) database) and security policy. The security accounts database contains security information such as user accounts and passwords, and groups, and the settings of the security policies. When you manage a domain and its services, you control its system entities and resources, and you can display information about its resources, such as its computers, connections, users and user sessions, shares, and services.
The Advanced Server may participate in any of the following three kinds of domains:
Section 2.1.1, Server Roles in the Domain, describes the roles that the Advanced Server can take in a domain.
2.1.1 Server Roles in the Domain
The Advanced Server can have one of three roles in a domain:
When you configure the Advanced Server for the first time, you select the role your server will perform in the domain. There may be times when you need to change the role of your server. The method you use to change the server depends on the current role of the server and the role you want to change it to. For more information on changing a server's role, see Section 2.1.1.1, Changing a Server's Role in a Domain.
In an OpenVMS Cluster, all nodes on the cluster running the Advanced Server must have the same role.
2.1.1.1 Changing a Server's Role in a Domain
The first server to be configured in a domain is always the primary domain controller (PDC). The PDC role is established during initial installation and configuration of the server. When you install a new server into an existing domain, you can configure it as a backup domain controller (BDC) or member server. You can change the role of the server from a BDC to a PDC, or vice versa, using the ADMINISTER SET COMPUTER/ROLE command. To change the role of a BDC to a member server, or vice versa, you must use PWRK$CONFIG. To change a PDC to a member server, you must first promote a BDC to a PDC in that domain. The original PDC is automatically demoted to a BDC, and then you can use PWRK$CONFIG to reconfigure it as a member server. Likewise, to change a member server to a PDC, you must first change the member server to a BDC (using PWRK$CONFIG), and then change the BDC to a PDC.
Table 2-1, Role Changes, lists possible role changes you can make and indicates the tools you can use to make the changes: PWRK$CONFIG and/or the ADMINISTER SET COMPUTER/ROLE command. Section 2.1.1.1.1, Changing the Role of a BDC to a PDC, or Vice Versa, explains in detail how to change the role of a BDC to a PDC, or vice versa. Section 2.1.1.1.2, Changing a BDC to a Member Server, or Vice Versa, explains how to change a BDC to a member server, or vice versa.
To Change: | Use: | Notes: |
---|---|---|
BDC to PDC | ADMINISTER | Promoting the BDC automatically demotes the current PDC of the domain to a BDC. |
BDC to Member | PWRK$CONFIG | |
Member to PDC | PWRK$CONFIG, then ADMINISTER | First, use PWRK$CONFIG to change the member server to a BDC, and then use ADMINISTER to promote the BDC to a PDC. |
Member to BDC | PWRK$CONFIG | |
PDC to BDC | ADMINISTER | Use the ADMINISTER command to promote a BDC to PDC; this demotes the PDC to a BDC. |
PDC to Member | ADMINISTER, then PWRK$CONFIG | First, use ADMINISTER to promote a BDC in the domain to a PDC. This demotes the original PDC to a BDC. Then, use PWRK$CONFIG to change the BDC to a member server. |
When you change the server role on one member of an OpenVMS Cluster, the role on all cluster members running the Advanced Server is also changed accordingly. For information about running the Advanced Server in a cluster environment, see Section 2.4, Advanced Server in OpenVMS Clusters.
2.1.1.1.1 Changing the Role of a BDC to a PDC, or Vice Versa
You change the role of the PDC by promoting a BDC. For example, if the PDC needs to be taken off line for maintenance, you can promote a BDC to be the PDC. When you promote a BDC, the role of the original PDC is automatically changed to BDC, at which point you can take it off line. In this case, when the original PDC comes back on line, it has the role of BDC. You can then promote it to PDC, if necessary.
If the PDC fails unexpectedly, the domain continues to provide logon validation as long as the NetLogon service is running on a BDC. However, to make changes to the security accounts database, a PDC is required. Therefore, if you think the PDC will be unavailable for more than a short time, you should promote a BDC. When the original PDC comes back on line after an unscheduled interruption, it continues to assume the role of PDC. If the PDC is restarted and you have promoted a BDC in its absence, the NetLogon service is not started on the server, and the following Alert message is generated and recorded in the system event log:
```
A primary domain controller is running in the domain
```
In this case, you must explicitly change the server's role to BDC using the SET COMPUTER/ROLE command. It may take a few minutes to complete a server role change in a domain.
While server roles are changing, you cannot make changes to the security accounts database; logon validation remains available during the role change if there is another BDC running the NetLogon service. See Section 2.3.4, Managing Services, for more information about the NetLogon service.
To change the server role in a domain from BDC to PDC, or vice versa, follow these steps:
For example:
```
$ ADMINISTER
LANDOFOZ\\TINMAN> LOGON ADMINISTRATOR
Password:
The server \\TINMAN successfully logged you on as Administrator.
Your privilege level on domain LANDOFOZ is ADMIN.
The last time you logged on was 8/11/00 2:57 PM.
LANDOFOZ\\TINMAN> SHOW COMPUTERS
Computers in domain "LANDOFOZ":
Computer        Type                       Description
------------    ------------------------   ----------------------------
[PD] TINMAN     OpenVMS (NT 4.0) Primary   Advanced Server V7.3 for OpenVMS
[BD] WOODMAN    OpenVMS (NT 3.51) Backup   Advanced Server V7.2 for OpenVMS
[SV] LIONHEART  OpenVMS (NT 4.0) Server    Advanced Server V7.3 for OpenVMS
Total of 3 computers
LANDOFOZ\\TINMAN> SET COMPUTER WOODMAN/ROLE=PRIMARY_DOMAIN_CONTROLLER
Promoting "WOODMAN" to a Primary Domain Controller may take a few minutes.
Do you want to continue with the promotion [YES or NO] (YES) : YES
%PWRK-I-ROLESYNC, synchronizing "WOODMAN" with its primary
%PWRK-I-ROLENLSTOP, stopping the Net Logon service on "WOODMAN"
%PWRK-I-ROLENLSTOP, stopping the Net Logon service on "TINMAN"
%PWRK-I-ROLECHANGE, changing "TINMAN"'s role to Backup Domain Controller
%PWRK-I-ROLECHANGE, changing "WOODMAN"'s role to Primary Domain Controller
%PWRK-I-ROLENLSTART, starting the Net Logon service on "WOODMAN"
%PWRK-I-ROLENLSTART, starting the Net Logon service on "TINMAN"
%PWRK-I-ROLECHANGED, the computers role was successfully changed
LANDOFOZ\\TINMAN> SHOW COMPUTERS
Computers in domain "LANDOFOZ":
Computer        Type                       Description
------------    -------------------------  -------------------------
[BD] TINMAN     OpenVMS (NT 4.0) Backup    Advanced Server V7.3 for OpenVMS
[PD] WOODMAN    OpenVMS (NT 3.51) Primary  Advanced Server V7.2 for OpenVMS
[SV] LIONHEART  OpenVMS (NT 4.0) Server    Advanced Server V7.3 for OpenVMS
Total of 3 computers
LANDOFOZ\\TINMAN>
```
Note that a member server (in this example, LIONHEART) is represented with the display symbol [SV], and the server type is Server.
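The role rules above (exactly one PDC per domain, the tool sequences in Table 2-1, and the fact that a PDC can only be demoted by promoting an existing BDC) are easy to get wrong from the command line. The following added example, which is not part of the Advanced Server documentation or product, parses a captured SHOW COMPUTERS listing, checks the single-PDC invariant, and plans a role change as the ordered list of PWRK$CONFIG and ADMINISTER steps from Table 2-1, refusing a change whose precondition (a BDC available to promote) is not met. The listing text is a constructed copy of the example above; the role names and the step descriptions are this example's own.

```python
"""Check domain-controller role invariants and plan role changes (added example)."""
import re

# Constructed sample: the SHOW COMPUTERS listing from the example above.
SHOW_COMPUTERS_OUTPUT = """\
Computers in domain "LANDOFOZ":
Computer        Type                       Description
------------    ------------------------   ----------------------------
[PD] TINMAN     OpenVMS (NT 4.0) Primary   Advanced Server V7.3 for OpenVMS
[BD] WOODMAN    OpenVMS (NT 3.51) Backup   Advanced Server V7.2 for OpenVMS
[SV] LIONHEART  OpenVMS (NT 4.0) Server    Advanced Server V7.3 for OpenVMS
Total of 3 computers
"""

# Display symbols used by SHOW COMPUTERS, mapped to role names chosen here.
ROLE_BY_SYMBOL = {"PD": "PDC", "BD": "BDC", "SV": "MEMBER"}
LINE_RE = re.compile(r"^\[(PD|BD|SV)\]\s+(\S+)")


def parse_computers(text):
    """Return {computer_name: role} from a SHOW COMPUTERS listing."""
    roles = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            roles[m.group(2)] = ROLE_BY_SYMBOL[m.group(1)]
    return roles


def check_single_pdc(roles):
    """Return a list of problems; a healthy domain has exactly one PDC."""
    pdcs = sorted(n for n, r in roles.items() if r == "PDC")
    if not pdcs:
        return ["no PDC: security accounts database cannot be changed"]
    if len(pdcs) > 1:
        return ["more than one PDC: " + ", ".join(pdcs)]
    return []


def plan_role_change(roles, computer, target):
    """Return the ordered (tool, action) steps from Table 2-1 to move
    `computer` to `target` ("PDC", "BDC" or "MEMBER").

    Raises ValueError when the change is impossible in the current domain,
    e.g. demoting the only domain controller.
    """
    current = roles[computer]
    steps = []
    if current == target:
        return steps
    if current == "PDC":
        # A PDC is demoted only as a side effect of promoting another BDC.
        candidates = sorted(n for n, r in roles.items() if r == "BDC")
        if not candidates:
            raise ValueError(f"no BDC available to promote; cannot demote PDC {computer}")
        steps.append(("ADMINISTER",
                      f"SET COMPUTER {candidates[0]}/ROLE=PRIMARY_DOMAIN_CONTROLLER"))
        current = "BDC"
    if current == "MEMBER":
        # Member -> BDC (and Member -> PDC) always passes through PWRK$CONFIG first.
        steps.append(("PWRK$CONFIG", f"reconfigure {computer} as a BDC"))
        current = "BDC"
    if current == "BDC" and target == "PDC":
        steps.append(("ADMINISTER",
                      f"SET COMPUTER {computer}/ROLE=PRIMARY_DOMAIN_CONTROLLER"))
    elif current == "BDC" and target == "MEMBER":
        steps.append(("PWRK$CONFIG", f"reconfigure {computer} as a member server"))
    return steps


if __name__ == "__main__":
    roles = parse_computers(SHOW_COMPUTERS_OUTPUT)
    print(roles, check_single_pdc(roles))
    for tool, action in plan_role_change(roles, "TINMAN", "MEMBER"):
        print(f"{tool:12} {action}")
```

Running the block prints the parsed roles, an empty problem list, and the two-step plan for turning TINMAN into a member server (promote WOODMAN with ADMINISTER, then reconfigure TINMAN with PWRK$CONFIG). A practitioner can point `parse_computers` at the SHOW COMPUTERS output captured after a role change to confirm that exactly one [PD] entry remains, which is the state the NetLogon alert in this section warns about when it does not hold.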
2.1.1.1.2 Changing a BDC to a Member Server, or Vice Versa
To change the role of a BDC to a member server, you must use the PWRK$CONFIG procedure. You cannot use the SET COMPUTER/ROLE command. The same is true of changing the role of a member server to a BDC. These restrictions are similar to (but less restrictive than) those of Windows NT, which requires the operating system software to be reinstalled to change a domain controller to a member server, or vice versa. For a list of advantages gained by configuring your server as a member server, and for details on configuring a server as a member server, refer to the Compaq Advanced Server for OpenVMS Server Installation and Configuration Guide.
If you reconfigure a backup domain controller as a member server, PWRK$CONFIG automatically removes the domain controller's domain user account database. If you reconfigure a member server to a BDC, PWRK$CONFIG automatically removes the member server's local user account database. The removed database is stored in the PWRK$LMDOMAINS: and PWRK$LMDATAFILES: directories in case you decide to restore them later. For more information, refer to the Compaq Advanced Server for OpenVMS Server Installation and Configuration Guide. In either case, because of loss of local group information, access to some resources might be affected. If resource permissions have been set using local groups, those permissions will have to be reset. If resource permissions have been set using global groups or global user accounts, those permissions will remain in effect after the role change.
If the PDC fails or is stopped, you cannot make changes that affect the domain's security accounts database, but logon validation continues as long as one or more BDCs are running the NetLogon service. Because PDCs and BDCs keep their own copies of the database, and because the PDC and all BDCs can validate logon requests, there is no single point of failure in the domain. However, if the PDC is unavailable for an extended period, you should promote a BDC to assume the PDC role, so that changes can be made to user accounts.
Each domain in a network is identified internally by a security identifier (SID), a unique number associated with the domain. When a PDC is installed and started, a unique SID is assigned. Therefore, if you have an existing domain, and you want to add a new server to the domain as the PDC, you must install the new server as a BDC first, then change the server's role. For information about changing the server's role, see Section 2.1.1.1, Changing a Server's Role in a Domain.
2.1.2.1 Synchronizing SAM Databases on Domain Controllers
Normally, the domain security databases are synchronized automatically at regular intervals: the primary domain controller (PDC) replicates its databases to the backup domain controllers (BDCs). In rare cases, you may need to synchronize them manually. For example, you may have just added some new users or groups and you want the BDCs to be able to validate the new user logons now, rather than after the next periodic synchronization. To do this, use the SET COMPUTER/ACCOUNT_SYNCHRONIZE command. You can synchronize all BDCs at once, or synchronize an individual BDC with the PDC.
2.1.2.1.1 How to Synchronize All Controllers in a Domain
To ensure that all BDCs are synchronized with the PDC, enter the SET COMPUTER/ACCOUNT_SYNCHRONIZE command, specifying the PDC.
For example, if the PDC is called TINMAN, the following command ensures that all BDCs in the domain are synchronized with TINMAN. This command results in each BDC receiving a synchronize status message from the PDC. The information in this message determines whether the BDC's databases are synchronized with the PDC's databases. If the status message indicates to a BDC that the PDC's databases contain changes that are not represented in the BDC's databases, the BDC will request a partial synchronization. The PDC sends the BDC only those database elements that were changed since the last time the BDC received a status message.
```
LANDOFOZ\\TINMAN> SET COMPUTER TINMAN/ACCOUNT_SYNCHRONIZE
Resynchronizing "LANDOFOZ" domain may take a few minutes.
Do you want to continue with the synchronization [YES or NO] (YES) : YES
%PWRK-S-ACCSYNCHED, account synchronization was successfully initiated
LANDOFOZ\\TINMAN>
```
Although the command has completed successfully, the synchronization process takes a few minutes to complete. You can monitor its progress by reviewing the System event log file using the SHOW EVENTS command. If the BDCs are already up-to-date, no event log message is recorded.
2.1.2.1.2 How to Synchronize a Specific Backup Domain Controller with the Primary Domain Controller
To synchronize a specific backup domain controller (BDC) with the primary domain controller (PDC), enter the SET COMPUTER/ACCOUNT_SYNCHRONIZE command, specifying the BDC name.
For example, if the BDC is called WOODMAN, the following command synchronizes only the server WOODMAN with the domain's primary domain controller, TINMAN. The BDC requests a full synchronization, meaning that the entire databases are replicated to the BDC.
```
LANDOFOZ\\TINMAN> SET COMPUTER WOODMAN/ACCOUNT_SYNCHRONIZE
Resynchronizing "WOODMAN" with its Primary Domain Controller "TINMAN" may take a few minutes.
After the synchronization has completed, you should check the Event Logs on
"WOODMAN" and "TINMAN" to determine whether synchronization was successful.
Do you want to continue with the synchronization [YES or NO] (YES) : YES
%PWRK-S-ACCSYNCHED, account synchronization was successful
LANDOFOZ\\TINMAN>
```
Although the command has completed successfully, the synchronization process takes a few minutes to complete, and longer if the database contains thousands of accounts. You can monitor its progress by reviewing the System event log of the primary domain controller, using the command SHOW EVENTS/SERVER=pdc_name (where pdc_name is the name of the primary domain controller). (Note that the primary domain controller periodically posts an update to its System event log during a full synchronization; the backup domain controllers post a single update when the synchronization has completed.)
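Sections 2.1.2.1.1 and 2.1.2.1.2 describe two different replication paths: the periodic status message, after which a BDC that is behind asks only for the elements changed since its last status message (partial synchronization), and the explicit per-BDC command, which replicates the entire database (full synchronization). The following added example is an illustrative model of that behaviour, not code from the Advanced Server product or its documentation: the change serial, the bounded change log, and the fallback to a full copy when a BDC is too far behind for the log to cover it are this example's own simplifications, and the account records are constructed sample data.

```python
"""Illustrative model of partial vs. full SAM synchronization (added example)."""
from copy import deepcopy


class PrimaryDC:
    """Holds the master copy and a bounded log of changes, each stamped with a serial."""

    def __init__(self, name, log_limit=100):
        self.name = name
        self.serial = 0           # increases with every change to the database
        self.accounts = {}        # constructed stand-in for the SAM database
        self.change_log = []      # (serial, account, record or None for a deletion)
        self.log_limit = log_limit

    def set_account(self, account, record):
        self.serial += 1
        self.accounts[account] = record
        self._log(account, record)

    def delete_account(self, account):
        self.serial += 1
        self.accounts.pop(account, None)
        self._log(account, None)

    def _log(self, account, record):
        self.change_log.append((self.serial, account, record))
        del self.change_log[:-self.log_limit]   # keep only the newest entries

    def status_message(self):
        """What the periodic status message carries in this model: the current serial."""
        return self.serial

    def changes_since(self, serial):
        """Entries newer than `serial`, or None if the log no longer reaches back that far."""
        if serial == self.serial:
            return []
        if not self.change_log or self.change_log[0][0] > serial + 1:
            return None
        return [entry for entry in self.change_log if entry[0] > serial]


class BackupDC:
    """Applies partial updates when possible, otherwise takes a full copy."""

    def __init__(self, name):
        self.name = name
        self.serial = 0
        self.accounts = {}

    def receive_status(self, pdc):
        """Periodic path (SET COMPUTER pdc/ACCOUNT_SYNCHRONIZE): partial sync only if behind."""
        if pdc.status_message() == self.serial:
            return "none"                       # already up to date, nothing replicated
        changes = pdc.changes_since(self.serial)
        if changes is None:
            return self.full_sync(pdc)          # too far behind for a partial sync
        for _serial, account, record in changes:
            if record is None:
                self.accounts.pop(account, None)
            else:
                self.accounts[account] = record
        self.serial = pdc.serial
        return "partial"

    def full_sync(self, pdc):
        """Explicit path (SET COMPUTER bdc/ACCOUNT_SYNCHRONIZE): entire database replicated."""
        self.accounts = deepcopy(pdc.accounts)
        self.serial = pdc.serial
        return "full"


def demo():
    """Drive one PDC and one BDC through the cases; returns (outcomes, databases_match)."""
    tinman = PrimaryDC("TINMAN", log_limit=3)   # small log so the fallback is reachable
    woodman = BackupDC("WOODMAN")
    outcomes = []
    tinman.set_account("DOROTHY", {"privilege": "USER"})
    outcomes.append(woodman.receive_status(tinman))      # one change -> partial
    outcomes.append(woodman.receive_status(tinman))      # nothing new -> none
    for i in range(5):                                    # five changes, log holds three
        tinman.set_account(f"USER{i}", {"privilege": "USER"})
    outcomes.append(woodman.receive_status(tinman))      # gap in log -> full
    tinman.delete_account("DOROTHY")
    outcomes.append(woodman.receive_status(tinman))      # deletion -> partial
    return outcomes, woodman.accounts == tinman.accounts


if __name__ == "__main__":
    print(demo())
```

The model shows why the page tells you to check the event logs on both servers: only the BDC knows whether the status message left it with something to fetch, and only the PDC knows whether it can serve a partial update or must ship the whole database, which is the slow case for a database with thousands of accounts.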
2.1.3 Displaying the Current Domain
When you use the ADMINISTER command-line interface, the command prompt provides the name of your domain, along with the name of the server. By default, you are set up to administer the local server and the domain to which it belongs. The default domain remains in effect for the duration of the current OpenVMS login session, or until you log off the domain or change the default domain. (You can change the default server, too.)
To display the current domain and server, execute the ADMINISTER command. For example:
```
$ ADMINISTER
LANDOFOZ\\TINMAN>
```
The domain name and server name are in the command prompt. In this example, the domain name is LANDOFOZ and the server name is TINMAN.
A domain name prefixed by double backslashes in the prompt indicates that a member server's (or workstation's) local security accounts database will be the target of ADMINISTER commands. For more information on managing member servers, see Section 2.1.5, Member Servers and Domain Management.
Use the SHOW ADMINISTRATION command to display information about the current domain and your logged-on user account. For example:
```
LANDOFOZ\\TINMAN> SHOW ADMINISTRATION
Administration information:
The domain being administered is: LANDOFOZ
The domain controller for the domain is: TINMAN
The domain controller type is: Advanced Server for OpenVMS
The server being administered is TINMAN
The server type is: Advanced Server for OpenVMS
The user name is: ADMINISTRATOR
The user is logged on to domain LANDOFOZ and has been authenticated.
The user's privilege level on this domain is: ADMIN
The user's workstation is TINMAN and is in domain LANDOFOZ.
LANDOFOZ\\TINMAN>
```
You can administer another domain in either of the following ways:
```
LANDOFOZ\\TINMAN> SET ADMINISTRATION/DOMAIN=RUBYPALACE
%PWRK-S-ADMSET, now administering domain "RUBYPALACE", server "QUEEN"
RUBYPALACE\\QUEEN> SHOW TRUSTS
There are currently no domains trusted by domain RUBYPALACE.
Domains permitted to trust domain RUBYPALACE:
    LANDOFOZ
```
```
$ ADMINISTER
LANDOFOZ\\TINMAN> LOGON ADMINISTRATOR/DOMAIN=RUBYPALACE
Password:
The server \\QUEEN successfully logged you on as Administrator.
Your privilege level on domain RUBYPALACE is ADMIN.
The last time you logged on was 08/09/00 07:44 AM.
RUBYPALACE\\QUEEN>
```
```
RUBYPALACE\\QUEEN> LOGOFF
ADMINISTRATOR was logged off successfully.
LANDOFOZ\\TINMAN> LOGON ADMINISTRATOR
Password:
The server \\TINMAN successfully logged you on as Administrator.
Your privilege level on domain LANDOFOZ is ADMIN.
The last time you logged on was 08/09/00 07:16 AM.
```
For information about the requirements for administrative functions, refer to the Compaq Advanced Server for OpenVMS Commands Reference Manual.
Section 2.1.5, Member Servers and Domain Management, explains how to administer a member server's local database.