Windows NT Domains
PDCs and BDCs
A domain has its own security identifier (SID). The PDC (primary domain controller) is used to store and administer the master SAM database. The database may be administered using the BDC station, but the database on the PDC is actually being changed. The BDC (backup domain controller) keeps the replicated SAM database.
Server Manager is used to create computer accounts on domain controllers. The User Manager program is used to create trusts between domains.
On multiple-domain networks, a PDC or BDC cannot be moved from one domain to another. The only way to move one is to reinstall the operating system with the computer set up as a PDC or BDC in the other domain. A member server can be moved to another domain because it does not hold a domain SID. Domain controller SAM database replication from the PDC to the BDCs is automatic (by default every 5 minutes), but the data may be synchronized manually using the synchronization item on the Computer menu of Server Manager when the administrator does not want to wait. The system registry can be used to change the replication parameters. The PDC SAM database is read and write; the BDC SAM database is read only.
Does a BDC automatically take over the PDC's function when the PDC fails? And when the PDC is fixed and brought back on line, does the BDC revert to BDC status?
No. When a PDC fails, the administrator must promote a BDC to PDC. When the original PDC is fixed and brought back on line, an option called "Demote to BDC" appears in Server Manager; this is the only time the option appears. One of the two machines must be demoted, and it should be the original PDC (the one that went down). To re-establish it as the PDC, promote it later.
To make a BDC the PDC, promote the BDC using the Server Manager program; the original PDC is automatically demoted to BDC. To switch back, promote the original PDC from BDC to PDC, and the server that had been promoted automatically becomes a BDC again.
The domain name can be changed, but the member servers and workstations must have their domain name changed also. One BDC for every 2000 users is recommended by Microsoft. This assumes that the BDC only performs authentication.
SAM Synchronization between PDC and BDCs
- A change to the PDC SAM database is made.
- The PDC sends an announcement (a pulse) indicating a change.
- After a randomized backoff period, each BDC sends a request packet for the SAM changes.
- The PDC sends the changes to the requesting BDC(s).
SAM Synchronization Registry Settings
The following registry values, held in the parameters of the NetLogon service, control SAM synchronization:
- ChangeLogSize - The size of the change log, which bounds the number of changes that can occur in the SAM database before directory synchronization occurs. The default value is 64K; one change is about 32 bytes.
- Pulse - The time in seconds between SAM database update announcements. The default value is 5 minutes (300 seconds). The minimum is 1 minute and the maximum is 1 hour.
- PulseConcurrency - How many BDCs are notified of SAM database changes at one time. The default is 20 BDCs; the minimum is 1 and the maximum is 500.
- PulseTimeout - The time within which a BDC must respond to a pulse. The default is 1 minute.
- PulseMaximum - The period within which the PDC must contact all BDCs. The default is 2 hours; the value can be set to a maximum of 24 hours.
- Randomize - The BDC backoff period: a BDC waits a random time between 0 and Randomize seconds before contacting the PDC for update information. The minimum value is 0 and the maximum is 120. The default is 1 second.
- ReplicationGovernor - Controls the amount of network bandwidth the BDC Netlogon service will use for SAM database synchronization, and therefore how often synchronization takes place between the PDC and BDC. This value must be set on the BDC, since the BDCs actually request synchronization periodically. It also controls the size of the buffer used to transfer updates. The default is 100%/128K; a value of 50%/64K gives better performance across a 56Kb link. The value may be 0 to 100. A value of 0 will cause the SAM database to never be synchronized.
The Netlogon service must be restarted for changes to these values to take effect. When the change log is full, the BDC requests a full synchronization across the WAN link.
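The following checker is an added example, not code from the original page or from Microsoft. It encodes the defaults and ranges the page documents for ChangeLogSize, Pulse, PulseConcurrency, PulseTimeout, PulseMaximum, Randomize and ReplicationGovernor, validates a proposed set of values against them, and derives planning figures from them (how many changes fit in the change log before a full synchronization is forced, the update buffer implied by the governor, and how many pulse rounds the PDC needs to reach all BDCs). It never reads or writes a real registry; the settings dictionary and all function names are this example's own assumptions.

```python
"""Checker for the Netlogon SAM synchronization values described above.

Added example, not code from the original page or from Microsoft. It
encodes the documented defaults and ranges, validates a proposed
configuration, and derives a few planning figures. It never touches a
real registry; the settings dict and function names are assumptions.
"""
import math

BYTES_PER_CHANGE = 32              # page: one change is about 32 bytes
FULL_GOVERNOR_BUFFER = 128 * 1024  # page: 100% governor uses a 128K buffer

# name -> (default, minimum, maximum); None where the page gives no bound.
RANGES = {
    "ChangeLogSize": (64 * 1024, None, None),  # bytes
    "Pulse": (300, 60, 3600),                  # seconds between pulses
    "PulseConcurrency": (20, 1, 500),          # BDCs notified per pulse
    "PulseTimeout": (60, None, None),          # seconds a BDC has to respond
    "PulseMaximum": (7200, None, 86400),       # seconds to reach every BDC
    "Randomize": (1, 0, 120),                  # seconds of BDC backoff
    "ReplicationGovernor": (100, 0, 100),      # percent of bandwidth (set on BDC)
}


def effective(settings):
    """Fill in the documented default for every value not explicitly set."""
    return {name: settings.get(name, spec[0]) for name, spec in RANGES.items()}


def validate(settings):
    """Return a list of problems with a proposed configuration (empty = fine)."""
    problems = []
    for name, value in settings.items():
        if name not in RANGES:
            problems.append(f"{name}: not a documented synchronization value")
            continue
        _, low, high = RANGES[name]
        if low is not None and value < low:
            problems.append(f"{name}={value} is below the minimum of {low}")
        if high is not None and value > high:
            problems.append(f"{name}={value} is above the maximum of {high}")
    # A governor of 0 is in range but means the BDC never synchronizes, so
    # password changes and disabled accounts on the PDC never reach it.
    if settings.get("ReplicationGovernor") == 0:
        problems.append("ReplicationGovernor=0: the BDC SAM will never be synchronized")
    return problems


def changes_before_full_sync(settings):
    """Changes the log holds before a lagging BDC must request a full sync."""
    return effective(settings)["ChangeLogSize"] // BYTES_PER_CHANGE


def replication_buffer_bytes(settings):
    """Update buffer implied by ReplicationGovernor (100% -> 128K, 50% -> 64K)."""
    return FULL_GOVERNOR_BUFFER * effective(settings)["ReplicationGovernor"] // 100


def pulse_rounds(settings, bdc_count):
    """Pulse rounds the PDC needs to notify every BDC once."""
    return math.ceil(bdc_count / effective(settings)["PulseConcurrency"])


if __name__ == "__main__":
    # Constructed sample: a BDC tuned for a 56Kb link, plus one out-of-range value.
    proposed = {"ReplicationGovernor": 50, "Pulse": 30}
    for p in validate(proposed):
        print("problem:", p)
    print("changes before full sync:", changes_before_full_sync(proposed))
    print("update buffer bytes:", replication_buffer_bytes(proposed))
    print("pulse rounds for 45 BDCs:", pulse_rounds(proposed, 45))
```

The governor check is the one a defender cares about most: a BDC whose governor is 0 still authenticates users, but with a SAM that no longer reflects password changes or disabled accounts made on the PDC.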
Domains on WANs
Where the PDC and BDCs should be placed geographically depends on your network and the location of users. It is usually best to place a BDC at each end of a WAN link so that users on the far side of the link do not need to be authenticated across it.
Server Configuration for Client Support on the Domain
- Windows 95 - No configuration required. A computer account does not need to be created on the domain.
- NT Workstation - Membership in the domain must be provided.
- Macintosh - Services for Macintosh must be installed on servers to support Macintosh clients.
Adding a computer to a Domain
- Install from a domain controller:
  - Log in as a member of the ADMINISTRATORS or ACCOUNT OPERATORS group. The "add workstations to the domain" right is required.
  - Open the "Server Manager" program and add the computer account by selecting the menu item "Computer", then "Add to domain". Enter the computer name to add.
  - The user on the client NT workstation then uses the identification tab of the control panel's network applet to specify the domain name.
- Create the domain computer account from the workstation:
  - Open the control panel network applet and select the identification tab.
  - Click "Change", type in the domain name, then select the "Create a computer account in the Domain" box. Type the administrator name and password under the administrator heading.
Domain Trust Relationship Configuration
Domain user accounts are created with the "User Manager for domains". The domain guest account is disabled by default.
Terms:
- Trusted or account domain - The domain that is trusted and keeps the account information.
- Trusting or resource domain - The domain that does the trusting and has the resources to be accessed.
Trusts are not transitive. If domain A trusts domain B and domain B trusts domain C, domain A does not trust domain C.
User Manager for Domains can be used on any server in the domain to set up trust relationships between domains. The menu selection "Policies", then "Trust Relationships", opens the Trust Relationships window used to configure them. A password is specified when the trust is established. The trusting and trusted domains must use the same trust password (if one is set), and the password is only good for that trust. The fastest way to set the trust up is:
- Create an entry on the trusted domain. Add the name of the trusting domain in the "Trusting Domains" box. A password to establish the trust may be optionally defined at this point.
- Create the entry on the trusting domain. Add the name of the trusted domain in the "Trusted Domains" box. Provide the password used in the above step if it was used.
A two way trust must be set up at both PDCs. If there are any open connections between the two PDCs, the trust relationship will fail. If a trust relationship is broken, it must be rebuilt from scratch. The breaking of the trust relationship does not affect accounts and permissions.
The SAM database is limited to 40,000 accounts (40 MB). An account includes user, group, and computer accounts. There is a maximum of 26,000 users per SAM database.
Domain Models
- Single - Resources and accounts are centralized. Fewer than 40,000 users.
- Master - Account administration is centralized on the master domain and resources are on resource domains. Resource domains manage their own resources, which makes resources de-centralized.
- Multiple Master - Each resource domain trusts each master domain. A two-way trust must be established between each pair of master domains. Accounts are centralized in the master domains; resources are de-centralized. It is good for geographic or divisional boundaries and works well when there are over 40,000 accounts. Required trusts = M(M-1) + (R × M), where M is the number of master domains and R the number of resource domains.
- Complete Trust - Each domain trusts all others. Trusts are two-way. Accounts and resources are managed in each domain, so this model has both de-centralized accounts and resources. Trusts = N(N-1), where N is the number of domains.
There is no easy way to merge two domains. A utility program called ADDUSER.EXE from the NT Resource Kit will allow SAM contents of a domain to be transferred to a text file, then the text file is used to add users from one domain to another. Passwords are not transferred.
SAM database space used per account:
- User account - 1K
- Computer account - 0.5K
- Global group account - 512 bytes + 12 bytes per member
- Local group account - 512 bytes + 36 bytes per member
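The planner below is an added example, not code from the original page or from Microsoft. It applies the trust-count formulas given for the domain models (M(M-1) + R×M for multiple master, N(N-1) for complete trust), the per-account SAM sizes listed above, the 40,000 account / 40 MB / 26,000 user limits, and the one-BDC-per-2,000-users guideline to a proposed deployment, so that a single-domain design that would exceed the SAM limits is caught before it is built. The function names, the master-model trust count (the multiple master formula with M = 1, which the page does not state explicitly) and the sample deployment are this example's own assumptions.

```python
"""Planner for NT domain models and SAM sizing using the figures above.

Added example, not code from the original page or from Microsoft. It applies
the page's trust-count formulas, per-account SAM sizes and SAM limits to a
proposed deployment. Function names and the sample deployment are assumptions.
"""
import math

SAM_LIMIT_BYTES = 40 * 1024 * 1024   # page: 40,000 accounts (40 MB)
SAM_LIMIT_ACCOUNTS = 40_000
SAM_LIMIT_USERS = 26_000
USERS_PER_BDC = 2_000                # Microsoft guideline quoted on the page


def trusts_required(model, domains=0, masters=0, resources=0):
    """One-way trusts needed for a domain model (a two-way trust counts as two)."""
    if model == "single":
        return 0
    if model == "master":
        # Each resource domain trusts the single master domain; this is the
        # multiple master formula with M = 1 (assumption; the page gives no formula).
        return resources
    if model == "multiple master":
        return masters * (masters - 1) + resources * masters
    if model == "complete trust":
        return domains * (domains - 1)
    raise ValueError(f"unknown domain model: {model}")


def sam_size_bytes(users, computers, global_groups, local_groups):
    """Estimated SAM size; the group arguments list each group's member count."""
    size = users * 1024 + computers * 512
    size += sum(512 + 12 * members for members in global_groups)
    size += sum(512 + 36 * members for members in local_groups)
    return size


def sam_problems(users, computers, global_groups, local_groups):
    """Which of the page's SAM limits a proposed single domain would exceed."""
    problems = []
    accounts = users + computers + len(global_groups) + len(local_groups)
    size = sam_size_bytes(users, computers, global_groups, local_groups)
    if users > SAM_LIMIT_USERS:
        problems.append(f"{users} users exceeds the {SAM_LIMIT_USERS} user limit")
    if accounts > SAM_LIMIT_ACCOUNTS:
        problems.append(f"{accounts} accounts exceeds the {SAM_LIMIT_ACCOUNTS} account limit")
    if size > SAM_LIMIT_BYTES:
        problems.append(f"estimated SAM of {size} bytes exceeds {SAM_LIMIT_BYTES} bytes")
    return problems


def bdcs_recommended(users):
    """BDCs suggested for authentication-only use at one BDC per 2,000 users."""
    return math.ceil(users / USERS_PER_BDC)


if __name__ == "__main__":
    # Constructed sample: 30,000 users, 25,000 computers, 200 global groups of
    # 150 members and 500 local groups of 20 members in one domain.
    users, computers = 30_000, 25_000
    global_groups, local_groups = [150] * 200, [20] * 500
    print("SAM bytes:", sam_size_bytes(users, computers, global_groups, local_groups))
    for p in sam_problems(users, computers, global_groups, local_groups):
        print("problem:", p)
    print("multiple master trusts (2 masters, 4 resource domains):",
          trusts_required("multiple master", masters=2, resources=4))
    print("BDCs recommended:", bdcs_recommended(users))
```

The constructed sample exceeds all three limits, which is exactly the situation the page says the multiple master model is for; the planner then gives the number of trusts that model costs.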