PATHWORKS for OpenVMS (Advanced Server)
Server Administrator's Guide




Chapter 2
Managing Domains and Servers

2.1 Introduction

This section describes the way PATHWORKS Advanced Server participates in a domain and provides the concepts and procedures you use to manage servers and domains from PATHWORKS Advanced Server.

2.2 Managing a Domain

A domain is a set of computers that share a common user accounts database and security policy. When you manage a domain and its services, you control its system entities and resources, and you can display information about its resources, such as its computers, connections, user sessions, shares, and services.

The PATHWORKS Advanced Server can have one of two roles: primary domain controller or backup domain controller.

Note

PATHWORKS Advanced Server does not support traditional standalone or member server roles.

The NetLogon service ensures that each backup domain controller's copy of the domain-wide user accounts database is identical to the master copy kept on the primary domain controller. At regular intervals, the user accounts database on the backup domain controllers is synchronized with the primary domain controller.

If the primary domain controller fails or is stopped, you cannot make changes to the domain's user accounts database, but logon validation continues as long as one or more backup domain controllers are running the NetLogon service. Because primary and backup domain controllers keep their own copies of the database, and because the primary domain controller and all backup domain controllers can validate logon requests, there is no single point of failure in the domain. However, if the primary domain controller is unavailable for an extended period, you should promote a backup domain controller to assume the primary domain controller role, so that you can continue to make changes to user accounts.

Each domain in a network is identified internally by a security identifier (SID), a unique number associated with the domain. When a primary domain controller is installed and started, a unique SID is assigned. Therefore, if you have an existing domain, and you want to add a new server to the domain as the primary domain controller, you must install the new server as a backup domain controller first, then change the server's role. For information about changing the server's role, see Section 2.2.3, Changing a Server's Role in a Domain.

2.2.1 Displaying the Current Domain

When you access the PATHWORKS Advanced Server command line interface, the command prompt provides the name of your domain.

To display the current domain and server:

Execute the ADMINISTER command. For example:


$ ADMINISTER 
LANDOFOZ\\TINMAN> 

The domain name and server name are in the command prompt. In this example, the domain name is LANDOFOZ and the server name is TINMAN.

Use the SHOW ADMINISTRATION command to display information about the current domain and your logged-on user account. For example:


LANDOFOZ\\TINMAN> SHOW ADMINISTRATION 
 
Administration information: 
 
The domain being administered is: LANDOFOZ 
The domain controller for the domain is: TINMAN 
The domain controller type is: Advanced Server 3.51 for OpenVMS 
 
The server being administered is TINMAN 
The server type is: Advanced Server 3.51 for OpenVMS 
 
The user name is: ADMINISTRATOR 
The user is logged on to domain LANDOFOZ and has been authenticated. 
The user's privilege level on this domain is: ADMIN 
The user's workstation is TINMAN and is in domain LANDOFOZ. 
LANDOFOZ\\TINMAN> 

2.2.2 Administering Another Domain

You can administer another domain in either of the following ways:

2.2.3 Changing a Server's Role in a Domain

The first server to be configured in a domain must be the primary domain controller. The primary domain controller role is established during initial installation and configuration of the server. After that, you can change the role of the server using the SET COMPUTER/ROLE command.

For example, if the primary domain controller needs to be taken off line for maintenance, you can promote a backup domain controller to be the primary domain controller. When you promote the backup domain controller, the role of the original primary domain controller is automatically changed to backup domain controller. When the original primary domain controller comes back on line, it has the role of backup domain controller. You can then promote it to primary domain controller, if necessary.

If the server acting as the primary domain controller fails unexpectedly, the domain continues to provide logon validation as long as the NetLogon service is running on a backup domain controller. However, to make changes to user accounts, a primary domain controller is required. Therefore, you must promote a backup domain controller. When the original primary domain controller comes back on line, it still assumes the role of primary domain controller. If a primary domain controller is restarted in a domain where there is an existing primary domain controller, the NetLogon service is not started on the server, and the following Alert message is generated and recorded in the System event log:


A primary domain controller is running in the domain 

Therefore, when a server comes back on line as a primary domain controller, you must explicitly change its role to backup domain controller, using the SET COMPUTER/ROLE command.

While server roles are changing, you cannot make changes to the user accounts database; logon validation remains available during the role change if there is another backup domain controller running the NetLogon service. Refer to Section 2.4.3, Managing Services for more information about the NetLogon service.

To change the role of a server in a domain:

  1. Log on as the domain administrator.
  2. Use the SHOW COMPUTERS command to check the server's current role.
  3. Use the SET COMPUTER/ROLE command to change a server's role.
  4. Use the SHOW COMPUTERS command to verify the new server role.

For example:


$ ADMINISTER 
LANDOFOZ\\TINMAN> LOGON ADMINISTRATOR 
Password: 
The server \\TINMAN successfully logged you on as Administrator. 
Your privilege level on domain LANDOFOZ is ADMIN. 
The last time you logged on was 8/11/98 2:57 PM. 
 
LANDOFOZ\\TINMAN> SHOW COMPUTERS 
 
Computers in domain "LANDOFOZ": 
Computer         Type                  Description 
--------------------------------------------------------------------- 
[PD] TINMAN   OpenVMS 3.51 Primary       PATHWORKS V6.0 for OpenVMS 
                                         (Advanced Server) 
[BD] WOODMAN  OpenVMS 3.51 Backup        PATHWORKS V6.0 for OpenVMS 
                                         (Advanced Server) 
 
  Total of 2 computers 
 
LANDOFOZ\\TINMAN> SET COMPUTER WOODMAN/ROLE=PRIMARY_DOMAIN_CONTROLLER 
 
Promoting "WOODMAN" to a Primary Domain Controller may take a few minutes. 
 
Do you want to continue with the promotion [YES or NO] (YES) : YES 
%PWRK-I-ROLESYNC, synchronizing "WOODMAN" with its primary 
%PWRK-I-ROLENLSTOP, stopping the Net Logon service on "WOODMAN" 
%PWRK-I-ROLENLSTOP, stopping the Net Logon service on "TINMAN" 
%PWRK-I-ROLECHANGE, changing "TINMAN"'s role to Backup Domain Controller 
%PWRK-I-ROLECHANGE, changing "WOODMAN"'s role to Primary Domain Controller 
%PWRK-I-ROLENLSTART, starting the Net Logon service on "WOODMAN" 
%PWRK-I-ROLENLSTART, starting the Net Logon service on "TINMAN" 
%PWRK-I-ROLECHANGED, the computers role was successfully changed 
 
LANDOFOZ\\TINMAN> SHOW COMPUTERS 
 
Computers in domain "LANDOFOZ": 
 
Computer         Type                  Description 
------------------------------------------------------------------- 
[BD] TINMAN   OpenVMS 3.51 Backup        PATHWORKS V6.0 for OpenVMS 
                                         (Advanced Server) 
[PD] WOODMAN  OpenVMS 3.51 Primary       PATHWORKS V6.0 for OpenVMS 
                                         (Advanced Server) 
 
  Total of 2 computers 
 
LANDOFOZ\\TINMAN> 
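The role rules described in this section (one primary at a time, promotion demotes the reachable primary, a returning primary that finds another primary does not start NetLogon and records the Alert) as an added Python model. This is illustrative code written for this page, not PATHWORKS code; the server names come from the manual, the class and method names are assumptions of the example.

```python
# Added illustrative model of the PATHWORKS domain-role rules, not PATHWORKS code;
# server names come from the manual, class/method names are this example's own.
PDC, BDC = "Primary Domain Controller", "Backup Domain Controller"
ALERT = "A primary domain controller is running in the domain"
class Server:
    def __init__(self, name, role):
        self.name, self.role = name, role
        self.online = self.netlogon = True

class Domain:
    def __init__(self, *servers):
        self.servers = {s.name: s for s in servers}
        self.event_log = []  # (server, message) pairs, oldest first

    def running_pdc(self):
        # The server that can accept user-accounts changes, or None.
        return next((s for s in self.servers.values()
                     if s.role == PDC and s.online and s.netlogon), None)

    def can_change_accounts(self):
        return self.running_pdc() is not None

    def can_validate_logons(self):
        return any(s.online and s.netlogon for s in self.servers.values())

    def fail(self, name):
        # Unexpected outage: the server keeps whatever role it had.
        self.servers[name].online = self.servers[name].netlogon = False

    def promote(self, name):
        # SET COMPUTER name/ROLE=PRIMARY_DOMAIN_CONTROLLER; only a reachable
        # primary is demoted, an unreachable one keeps its old role.
        target = self.servers[name]
        if not target.online:
            raise ValueError(f"{name} is not reachable")
        for s in self.servers.values():
            if s.role == PDC and s.online:
                s.role = BDC
        target.role = PDC

    def demote(self, name):
        # Explicit SET COMPUTER/ROLE back to backup lets NetLogon start.
        self.servers[name].role, self.servers[name].netlogon = BDC, True

    def bring_online(self, name):
        # A returning primary that finds another running primary does not
        # start NetLogon and records the Alert; anything else starts normally.
        s = self.servers[name]
        s.online = True
        if s.role == PDC and self.running_pdc() not in (None, s):
            s.netlogon = False
            self.event_log.append((name, ALERT))
        else:
            s.netlogon = True
        return s.netlogon
```

Running the unexpected-failure scenario from the text through the model shows why the explicit demotion step is needed: after the promotion both TINMAN and WOODMAN hold the primary role, and TINMAN comes back without NetLogon.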

2.2.4 Synchronizing Domain Controllers

Normally, domain controllers are automatically synchronized at regular intervals when the primary domain controller replicates the database to the backup domain controllers. In rare cases, you may need to synchronize them manually. For example, you may have just added some new users or groups and you want the backup domain controllers to be aware of the changes now, rather than at the next periodic update. To do this, use the SET COMPUTER/ACCOUNT_SYNCHRONIZE command. You can synchronize all backup domain controllers at once, or synchronize an individual backup domain controller with the primary domain controller.

To synchronize all controllers in a domain:

To synchronize all backup domain controllers with the primary domain controller, enter the SET COMPUTER/ACCOUNT_SYNCHRONIZE command, specifying the primary domain controller.

For example, if your primary domain controller is called TINMAN, the following command synchronizes all backup domain controllers in your domain with TINMAN:


LANDOFOZ\\TINMAN> SET COMPUTER TINMAN/ACCOUNT_SYNCHRONIZE 
 
Resynchronizing "LANDOFOZ" domain may take a few minutes. 
 
Do you want to continue with the synchronization [YES or NO] (YES) : YES 
%PWRK-S-ACCSYNCHED, account synchronization was successfully initiated 
LANDOFOZ\\TINMAN> 

Although the command has completed successfully, the synchronization process is not yet complete. You can monitor its progress by reviewing the System event log file using the SHOW EVENTS command. If the backup domain controllers are already up-to-date, no event log message is recorded.

To synchronize a specific backup domain controller with the primary domain controller:

Enter the SET COMPUTER/ACCOUNT_SYNCHRONIZE command. If you specify a backup domain controller name, only that backup domain controller is synchronized with the primary domain controller.

For example, if your backup domain controller is called WOODMAN, the following command synchronizes only the server WOODMAN with the domain's primary domain controller, TINMAN:


LANDOFOZ\\TINMAN> SET COMPUTER WOODMAN/ACCOUNT_SYNCHRONIZE 
 
Resynchronizing "WOODMAN" with its Primary Domain Controller "TINMAN" may take a 
few minutes. 
After the synchronization has completed, you should check the Event Logs on 
"WOODMAN" and "TINMAN" to determine whether synchronization was successful. 
 
Do you want to continue with the synchronization [YES or NO] (YES) : YES 
%PWRK-S-ACCSYNCHED, account synchronization was successful 
 
LANDOFOZ\\TINMAN> 

Although the command has completed successfully, the synchronization process is not yet complete. You can monitor its progress by reviewing the System event log file using the SHOW EVENTS command. If the backup domain controller is already up-to-date, no event log message is recorded.

2.2.5 Adding a Computer to a Domain

For a PATHWORKS Advanced Server or a Windows NT computer to become a domain member, it must be added to the domain. Computers that are added to a domain are given accounts in the domain's security database. If the computer is a backup domain controller, it receives a copy of the domain's security database.

When a computer is configured to join an existing domain (for example, when you install a Windows NT server or workstation, or when you run the PWRK$CONFIG.COM command procedure on a PATHWORKS Advanced Server), the computer is added to the domain automatically. These procedures require that the user name and password of a user account with membership in the Administrators group be supplied. You can also use the ADD COMPUTER command to add the computer to the domain. (You need not use this command to add a primary domain controller to the domain; it is added automatically.)

To add a computer to a domain:

  1. Identify the name of the domain to which you will add the computer.
  2. Obtain or establish the name of the computer you will add; be sure it is unique in the network and no more than 15 characters long.
  3. Determine whether the computer you are adding is to be a workstation, server, or backup domain controller.
  4. Use the ADD COMPUTER command.

For example, the following command adds the computer GREENGIRL as a Windows NT workstation to the domain LANDOFOZ:


LANDOFOZ\\TINMAN> ADD COMPUTER GREENGIRL 
%PWRK-S-COMPADD, computer "GREENGIRL" added to domain "LANDOFOZ" 
LANDOFOZ\\TINMAN> 

The computer is added to the domain's security database. The SHOW COMPUTERS command shows GREENGIRL as a Windows NT workstation. For example:


LANDOFOZ\\TINMAN> SHOW COMPUTERS 
Computers in domain "LANDOFOZ": 
Computer       Type                    Description 
-----------    ------------            ----------------------- 
[PD] TINMAN    OpenVMS 3.51 Primary    PATHWORKS V6.0 for OpenVMS 
                                       (Advanced Server) 
[ws] GREENGIRL  Windows NT Workstation 

2.2.6 Removing a Computer from a Domain

When you remove a computer from a domain, it can no longer participate in domain security: the computer's account is deleted from the domain security database. You cannot remove a primary domain controller.

To remove a computer from a domain:

  1. Identify the name of the computer you will remove.
  2. Enter the REMOVE COMPUTER command. When you execute this command, you receive a prompt to confirm the requested action.

For example, the following command removes the computer GREENGIRL from the domain LANDOFOZ:


LANDOFOZ\\TINMAN> REMOVE COMPUTER GREENGIRL 
Removing computer "GREENGIRL" from domain "LANDOFOZ" will render it 
incapable of authenticating domain logons until it is added to another 
domain. 
Do you want to continue with the removal [YES or NO] (YES) : YES 
%PWRK-S-COMPREM, computer "GREENGIRL" removed from domain "LANDOFOZ" 
 
LANDOFOZ\\TINMAN> 

2.2.7 Managing Trust Relationships

A trust relationship is a link between two domains, where one domain honors the users of another domain, trusting the other domain to authenticate the logons of its users. The domain that has the user accounts is the trusted domain; the domain with the required resources is the trusting domain. When trust relationships are properly established among domains and resource permissions are set properly, a user account in one domain is allowed to access resources on another domain.

The administrators of both domains must supply a password when establishing the trust relationship. After the trust relationship is established, the password is changed periodically by the domain software.

2.2.7.1 Establishing Trust Relationships

The recommended procedure for establishing a trust relationship is:

  1. On the trusted domain, add the trusting domain to the list of domains permitted to trust this domain. To allow a domain to be trusted by another domain, use the ADD TRUST/TRUSTED command.
  2. On the trusting domain, add the trusted domain to the list of domains that this domain is permitted to trust. To permit a domain to trust another domain, use the ADD TRUST/PERMITTED command.

For example, assume there are two domains: LANDOFOZ and KANSAS. Domain KANSAS has resources required by users who have user accounts in domain LANDOFOZ. You need to set up a trust relationship so that KANSAS trusts LANDOFOZ.

To set up the trust relationship, use the following procedure:

  1. When logged in on domain LANDOFOZ, enter the following command:


    LANDOFOZ\\TINMAN> ADD TRUST KANSAS/PERMITTED 
    Password: 
    Password verification: 
    %PWRK-S-TRUSTADD, trust between domains "LANDOFOZ" and "KANSAS" added 
     
    LANDOFOZ\\TINMAN> 
    

    This adds domain KANSAS to the list of domains permitted to trust LANDOFOZ.

  2. Log on to domain KANSAS, and enter the following command. Use the same password in this command that was used in the previous example.


    KANSAS\\TOPEKA> ADD TRUST LANDOFOZ/TRUSTED 
    Password: 
    Password verification: 
    %PWRK-S-TRUSTADD, trust between domains "KANSAS" and "LANDOFOZ" added 
     
    KANSAS\\TOPEKA> 
    

    This command adds domain LANDOFOZ to the list of domains trusted by domain KANSAS.

To display the trust relationships:

Use the SHOW TRUSTS command. In the following example, a trust relationship has been established to enable domain KANSAS to trust domain LANDOFOZ. Executing the SHOW TRUSTS command on domain LANDOFOZ displays the trust relationship established on domain LANDOFOZ:


LANDOFOZ\\TINMAN> SHOW TRUSTS 
 
There are currently no domains trusted by domain LANDOFOZ 
 
Domains permitted to trust domain LANDOFOZ: 
    KANSAS 
 
LANDOFOZ\\TINMAN> 

Executing the SHOW TRUSTS command with the /DOMAIN=KANSAS qualifier shows the trust relationship established on domain KANSAS:


LANDOFOZ\\TINMAN> SHOW TRUSTS/DOMAIN=KANSAS 
 
Domains trusted by KANSAS: 
    LANDOFOZ 
 
There are currently no domains permitted to trust domain KANSAS 
 
LANDOFOZ\\TINMAN> 

To set up a two-way trust relationship:

When a two-way trust relationship has been established, each domain trusts the other, and users in both domains can access resources in the other domain, assuming resource permissions have been set up properly.

To set up a two-way trust relationship between domains LANDOFOZ and KANSAS, follow these steps:

  1. When logged in on domain LANDOFOZ, add the domain KANSAS to the list of domains permitted to trust LANDOFOZ, as follows:


    LANDOFOZ\\TINMAN> ADD TRUST KANSAS/PERMITTED 
    

  2. On domain KANSAS, add the domain LANDOFOZ to the list of domains trusted by KANSAS, as follows:


    KANSAS\\TOPEKA> ADD TRUST LANDOFOZ/TRUSTED 
    

  3. On domain KANSAS, add LANDOFOZ to the list of domains that are permitted to trust KANSAS, as follows:


    KANSAS\\TOPEKA> ADD TRUST LANDOFOZ/PERMITTED 
    

  4. On domain LANDOFOZ, add KANSAS to the list of domains that are trusted by LANDOFOZ, as follows:


    LANDOFOZ\\TINMAN> ADD TRUST KANSAS/TRUSTED 
    

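The two-sided trust procedure of Section 2.2.7.1, both the one-way and the two-way form, as an added Python model. This is illustrative code written for this page, not PATHWORKS code; the domain names come from the manual, while the class and function names and the assumption that a trust is non-transitive (no chaining through a third domain) are the example's own.

```python
# Added illustrative model of the two-sided trust procedure, not PATHWORKS code;
# domain names come from the manual, class and function names are this example's.
class TrustDomain:
    def __init__(self, name):
        self.name = name
        self.trusted = set()    # filled by ADD TRUST other/TRUSTED on this domain
        self.permitted = set()  # filled by ADD TRUST other/PERMITTED on this domain

class Network:
    def __init__(self, *names):
        self.domains = {n: TrustDomain(n) for n in names}

    def add_trust(self, on, other, qualifier):
        # ADD TRUST other/PERMITTED is entered on the trusted (account) domain;
        # ADD TRUST other/TRUSTED is entered on the trusting (resource) domain.
        if qualifier == "PERMITTED":
            self.domains[on].permitted.add(other)
        elif qualifier == "TRUSTED":
            self.domains[on].trusted.add(other)
        else:
            raise ValueError("qualifier must be PERMITTED or TRUSTED")

    def trust_established(self, trusting, trusted):
        # A one-way trust exists only when both halves have been entered.
        # Assumed non-transitive: no chaining through a third domain.
        return (trusted in self.domains[trusting].trusted
                and trusting in self.domains[trusted].permitted)

    def can_access(self, user_domain, resource_domain):
        # An account reaches another domain's resources only when the resource
        # domain trusts the account domain; permissions on the resource itself
        # are outside this model.
        return (user_domain == resource_domain
                or self.trust_established(resource_domain, user_domain))

    def show_trusts(self, name):
        # What SHOW TRUSTS reports for one domain, as two sorted lists.
        d = self.domains[name]
        return {"domains_trusted": sorted(d.trusted),
                "permitted_to_trust": sorted(d.permitted)}

def one_way(net, trusted, trusting):
    # The recommended order from the manual: trusted side first, then trusting.
    net.add_trust(trusted, trusting, "PERMITTED")
    net.add_trust(trusting, trusted, "TRUSTED")

def two_way(net, a, b):
    one_way(net, a, b)
    one_way(net, b, a)
```

Checking `show_trusts` on both domains after each step mirrors the advice to confirm a trust from both sides: a trust that is entered on only one domain grants nothing.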
