Document revision date: 15 October 2001

Compaq PATHWORKS for OpenVMS (Advanced Server)
Server Administrator's Guide



1.6.4.1 How the Default Output Mode Is Determined

Settings made with the SET MODE command are preserved until you log off the system. These settings determine the default mode that takes effect each time you invoke the ADMINISTER command-line interface.

You can set permanent defaults by inserting the appropriate SET MODE command in your login command file. For example, to set output so that the C1 character codes are not converted to spaces, enter the following command in your LOGIN.COM file. The server does not have to be running for this command to execute.


$ ADMINISTER SET MODE/OUTPUT=NOFILTER 

1.6.4.2 Displaying the Current Output Mode

To determine the current mode in effect for ADMINISTER commands, use the ADMINISTER SHOW MODE command. In the following example, the SHOW MODE command indicates that output is filtered.


LANDOFOZ\\TINMAN> SHOW MODE 
 
Current mode settings: 
 
Output: FILTER 


Chapter 2
Managing Domains and Servers

This chapter describes the way the Advanced Server participates in a domain and provides the concepts and procedures you use to manage servers and domains from Advanced Server.

2.1 Managing a Domain

A domain is a set of computers that share a common security accounts database (also referred to as the Security Account Manager [SAM] database) and security policy. The security accounts database contains security information such as user accounts and passwords, groups, and security policy settings. When you manage a domain and its services, you control its system entities and resources, and you can display information about its resources, such as its computers, connections, users and user sessions, shares, and services.

The Advanced Server may participate in any of the following three kinds of domains:

Section 2.1.1, Server Roles in the Domain, describes the roles that the Advanced Server can take in a domain.

2.1.1 Server Roles in the Domain

The Advanced Server can have one of three roles in a domain: primary domain controller (PDC), backup domain controller (BDC), or member server.

When you configure the Advanced Server for the first time, you select the role your server will perform in the domain. At times, you may need to change the role of your server. The method you use to change the server depends on the current role of the server and the role to which you want to change it. For more information about changing a server's role, see Section 2.1.1.1, Changing a Server's Role in a Domain.

In an OpenVMS Cluster, all nodes on the cluster running the Advanced Server must have the same role.

2.1.1.1 Changing a Server's Role in a Domain

The first server to be configured in a domain is always the primary domain controller (PDC). The PDC role is established during initial installation and configuration of the server. When you install a new server in an existing domain, you can configure it as a backup domain controller (BDC) or member server. You can change the role of the server from a BDC to a PDC, or from a PDC to a BDC, using the ADMINISTER SET COMPUTER/ROLE command. To change the role of a BDC to a member server, or vice versa, you must use the PWRK$CONFIG.COM procedure. To change a PDC to a member server, you must first promote a BDC to a PDC in that domain. The original PDC is automatically demoted to a BDC, and then you can use the PWRK$CONFIG.COM procedure to reconfigure it as a member server. Likewise, to change a member server to a PDC, you must first change the member server to a BDC (using PWRK$CONFIG.COM) and then change the BDC to a PDC.

Table 2-1, Role Changes, lists the role changes you can make and indicates the methods you can use to make the changes (PWRK$CONFIG or the ADMINISTER SET COMPUTER/ROLE command). Section 2.1.1.1.1, Changing a BDC to a PDC, or a PDC to a BDC, explains in detail how to change the role of a BDC to a PDC, or vice versa. Section 2.1.1.1.2, Changing a BDC to a Member Server, or Vice Versa, explains how to change a BDC to a member server, or a member server to a BDC.

Table 2-1 Role Changes

Role Change           Method                        Comments
--------------------- ----------------------------- --------------------------------------------
BDC to PDC            ADMINISTER                    Promoting the BDC automatically demotes the
                                                    current PDC of the domain to a BDC.
BDC to member server  PWRK$CONFIG
Member server to PDC  PWRK$CONFIG, then ADMINISTER  First use PWRK$CONFIG to change the member
                                                    server to a BDC; then use ADMINISTER to
                                                    promote the BDC to a PDC.
Member server to BDC  PWRK$CONFIG
PDC to BDC            ADMINISTER                    Use the ADMINISTER command to promote a BDC
                                                    to PDC; this demotes the PDC to a BDC.
PDC to member server  ADMINISTER, then PWRK$CONFIG  First use ADMINISTER to promote a BDC in the
                                                    domain to a PDC. This demotes the original
                                                    PDC to a BDC. Then use PWRK$CONFIG to change
                                                    the BDC to a member server.

When you change the server role on one node in an OpenVMS Cluster, the role on all cluster members running the Advanced Server is also changed automatically. For information about running the Advanced Server in a cluster environment, see Section 2.4, Advanced Server in OpenVMS Clusters.

2.1.1.1.1 Changing a BDC to a PDC, or a PDC to a BDC

You change the role of the PDC by promoting a BDC. For example, if the PDC needs to be taken off line for maintenance, you can promote a BDC to PDC. When you promote a BDC, the role of the original PDC is automatically changed to BDC, at which point you can take it off line. In this case, when the original PDC comes back on line, it has the role of BDC. You can then promote it to PDC, if necessary.

If the PDC fails unexpectedly, the domain continues to provide logon validation as long as the NetLogon service is running on a BDC. However, to make changes to the security accounts database, a PDC is required. Therefore, if you think the PDC will be unavailable for more than a short time, you should promote a BDC. When the original PDC comes back on line after an unscheduled interruption, it continues in its role of PDC. If the PDC is restarted and you have promoted a BDC in its absence, the NetLogon service is not started on the server, and the following Alert message is generated and recorded in the system event log:


A primary domain controller is running in the domain 

In this case, you must explicitly change the server's role to BDC using the SET COMPUTER/ROLE command. It may take a few minutes to complete a server role change in a domain.

While server roles are changing, you cannot make changes to the security accounts database; logon validation remains available during the role change if there is another BDC running the NetLogon service. For more information about the NetLogon service, see Section 2.3.4, Managing Services.

To change the server role in a domain from BDC to PDC, or from PDC to BDC, follow these steps:

  1. Log on as the domain administrator.
  2. Use the SHOW COMPUTERS command to check the server's current role.
  3. Use the SET COMPUTER/ROLE command to change a server's role.
  4. Use the SHOW COMPUTERS command to verify the new server role.

For example:


$ ADMINISTER 
LANDOFOZ\\TINMAN> LOGON ADMINISTRATOR 
Password: 
The server \\TINMAN successfully logged you on as Administrator. 
Your privilege level on domain LANDOFOZ is ADMIN. 
The last time you logged on was 4/11/01 2:57 PM. 
 
LANDOFOZ\\TINMAN> SHOW COMPUTERS 
 
Computers in domain "LANDOFOZ": 
Computer       Type                        Description 
------------   ------------------------    ---------------------------- 
[PD] TINMAN    OpenVMS (NT 3.51) Primary   PATHWORKS V6.1 for OpenVMS 
                                           (Advanced Server) 
[BD] WOODMAN   OpenVMS (NT 3.51) Backup    PATHWORKS V6.1 for OpenVMS 
                                           (Advanced Server) 
[SV] LIONHEART OpenVMS (NT 3.51) Server    PATHWORKS V6.1 for OpenVMS 
                                           (Advanced Server) 
  Total of 3 computers 
 
LANDOFOZ\\TINMAN> SET COMPUTER WOODMAN/ROLE=PRIMARY_DOMAIN_CONTROLLER 
 
Promoting "WOODMAN" to a Primary Domain Controller may take a few minutes. 
 
Do you want to continue with the promotion [YES or NO] (YES) : YES 
%PWRK-I-ROLESYNC, synchronizing "WOODMAN" with its primary 
%PWRK-I-ROLENLSTOP, stopping the Net Logon service on "WOODMAN" 
%PWRK-I-ROLENLSTOP, stopping the Net Logon service on "TINMAN" 
%PWRK-I-ROLECHANGE, changing "TINMAN"'s role to Backup Domain Controller 
%PWRK-I-ROLECHANGE, changing "WOODMAN"'s role to Primary Domain Controller 
%PWRK-I-ROLENLSTART, starting the Net Logon service on "WOODMAN" 
%PWRK-I-ROLENLSTART, starting the Net Logon service on "TINMAN" 
%PWRK-I-ROLECHANGED, the computers role was successfully changed 
 
LANDOFOZ\\TINMAN> SHOW COMPUTERS 
 
Computers in domain "LANDOFOZ": 
 
Computer      Type                        Description 
------------  -------------------------   ------------------------- 
[BD] TINMAN   OpenVMS (NT 3.51) Backup    PATHWORKS V6.1 for OpenVMS 
                                          (Advanced Server) 
[PD] WOODMAN  OpenVMS (NT 3.51) Primary   PATHWORKS V6.1 for OpenVMS 
                                          (Advanced Server) 
[SV] LIONHEART OpenVMS (NT 3.51) Server   PATHWORKS V6.1 for OpenVMS 
                                          (Advanced Server) 
  Total of 3 computers 
 
LANDOFOZ\\TINMAN> 

Note that a member server (in this example, LIONHEART) is represented with the display symbol [SV], and the server type is Server.
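The procedure above and Table 2-1 can be driven mechanically. The following Python script is an added example, not part of the PATHWORKS guide or its software: it parses a SHOW COMPUTERS listing (the sample text is a constructed copy, in the same layout, of the listing shown above), checks that the domain has exactly one PDC before anything is changed, and produces the ordered steps from Table 2-1 for a requested role change. The role labels PDC, BDC and MEMBER, the function names and the wording of the PWRK$CONFIG steps are the example's own assumptions; the only command syntax it emits is the SET COMPUTER/ROLE=PRIMARY_DOMAIN_CONTROLLER form shown in the session above.

```python
import re

# Constructed sample: the guide's SHOW COMPUTERS listing reproduced in the
# same layout so the parser can be exercised offline.
SAMPLE_LISTING = """\
Computers in domain "LANDOFOZ":
Computer       Type                        Description
------------   ------------------------    ----------------------------
[PD] TINMAN    OpenVMS (NT 3.51) Primary   PATHWORKS V6.1 for OpenVMS
                                           (Advanced Server)
[BD] WOODMAN   OpenVMS (NT 3.51) Backup    PATHWORKS V6.1 for OpenVMS
                                           (Advanced Server)
[SV] LIONHEART OpenVMS (NT 3.51) Server    PATHWORKS V6.1 for OpenVMS
                                           (Advanced Server)
  Total of 3 computers
"""

# Display symbols used by SHOW COMPUTERS ([PD], [BD], [SV]) mapped to the
# role labels used in this example (PDC, BDC, MEMBER are our own names).
SYMBOL_TO_ROLE = {"PD": "PDC", "BD": "BDC", "SV": "MEMBER"}

COMPUTER_LINE = re.compile(r"^\[(PD|BD|SV)\]\s+(\S+)")

# Command form shown in the guide; the BDC/member-server reconfiguration is
# done interactively with PWRK$CONFIG, so it is emitted as a step description.
PROMOTE_CMD = "ADMINISTER SET COMPUTER {}/ROLE=PRIMARY_DOMAIN_CONTROLLER"
RECONFIG_STEP = "PWRK$CONFIG on {}: reconfigure as {}"


def parse_computers(listing):
    """Map each computer name in a SHOW COMPUTERS listing to its role."""
    roles = {}
    for line in listing.splitlines():
        match = COMPUTER_LINE.match(line)
        if match:
            roles[match.group(2)] = SYMBOL_TO_ROLE[match.group(1)]
    return roles


def find_pdcs(roles):
    """Return the names holding the PDC role; a healthy domain has exactly one."""
    return [name for name, role in roles.items() if role == "PDC"]


def plan_role_change(roles, computer, target):
    """Return the ordered steps from Table 2-1 that move `computer` to `target`.

    Every ADMINISTER-based change is expressed as promoting a BDC, because
    promoting a BDC is what demotes the current PDC (Section 2.1.1.1).
    """
    if computer not in roles:
        raise ValueError(f"{computer} is not in the domain listing")
    current = roles[computer]
    if current == target:
        raise ValueError(f"{computer} is already a {target}")
    pdcs = find_pdcs(roles)
    if len(pdcs) != 1:
        raise ValueError(f"expected exactly one PDC, found {pdcs}")
    pdc = pdcs[0]

    if (current, target) == ("BDC", "PDC"):
        return [PROMOTE_CMD.format(computer),
                f"{pdc} is demoted to BDC automatically"]
    if (current, target) == ("PDC", "BDC"):
        bdcs = [n for n, r in roles.items() if r == "BDC"]
        if not bdcs:
            raise ValueError("no BDC available to promote")
        return [PROMOTE_CMD.format(bdcs[0]),
                f"{computer} is demoted to BDC automatically"]
    if (current, target) == ("BDC", "MEMBER"):
        return [RECONFIG_STEP.format(computer, "member server")]
    if (current, target) == ("MEMBER", "BDC"):
        return [RECONFIG_STEP.format(computer, "BDC")]
    if (current, target) == ("MEMBER", "PDC"):
        # Table 2-1: PWRK$CONFIG to BDC first, then ADMINISTER to promote.
        as_bdc = {**roles, computer: "BDC"}
        return ([RECONFIG_STEP.format(computer, "BDC")]
                + plan_role_change(as_bdc, computer, "PDC"))
    if (current, target) == ("PDC", "MEMBER"):
        # Table 2-1: promote a BDC first (demoting this PDC), then PWRK$CONFIG.
        return (plan_role_change(roles, computer, "BDC")
                + [RECONFIG_STEP.format(computer, "member server")])
    raise ValueError(f"unknown role change {current} -> {target}")


if __name__ == "__main__":
    domain_roles = parse_computers(SAMPLE_LISTING)
    print("roles:", domain_roles)
    print("PDCs:", find_pdcs(domain_roles))
    for step in plan_role_change(domain_roles, "WOODMAN", "PDC"):
        print(" -", step)
```

The single-PDC check is the part worth keeping in any real procedure: the guide warns that a restarted PDC will not start NetLogon if another PDC was promoted in its absence, and a listing that shows two [PD] entries is the first place that condition becomes visible.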

2.1.1.1.2 Changing a BDC to a Member Server, or Vice Versa

To change the role of a BDC to a member server, you must use the PWRK$CONFIG procedure. You cannot use the SET COMPUTER/ROLE command. The same is true of changing the role of a member server to a BDC. These restrictions are similar to (but less restrictive than) those of Windows NT, which requires the operating system software to be reinstalled to change a domain controller to a member server or vice versa. For a list of advantages gained by configuring your server as a member server, and for details about configuring a server as a member server, refer to the Compaq PATHWORKS for OpenVMS (Advanced Server) Server Installation and Configuration Guide.

Caution

If you reconfigure a backup domain controller as a member server, PWRK$CONFIG automatically removes the domain controller's domain user account database. If you reconfigure a member server as a BDC, PWRK$CONFIG automatically removes the member server's local user account database. The removed database is stored in the PWRK$LMDOMAINS: and PWRK$LMDATAFILES: directories in case you decide to restore it later. For more information, refer to the Compaq PATHWORKS for OpenVMS (Advanced Server) Server Installation and Configuration Guide.

In either case, because of loss of local group information, access to some resources might be affected. If resource permissions were set using local groups, those permissions will have to be reset. If resource permissions were set using global groups or global user accounts, those permissions remain in effect after the role change.

2.1.2 Domain Controllers and the SAM Database

The NetLogon service ensures that each BDC's copy of the domainwide security accounts (SAM) database is identical to the master copy kept on the PDC. At regular intervals, any changes made to the master copy of the security accounts database on the PDC are replicated to all BDCs, as described in Section 2.1.2.1, Synchronizing SAM Databases on Domain Controllers. However, the Advanced Server does not replicate user files and directories.

If the PDC fails or is stopped, you cannot make changes that affect the domain's security accounts database, but logon validation continues as long as one or more BDCs are running the NetLogon service. Because PDCs and BDCs keep their own copies of the database, and because the PDC and all BDCs can validate logon requests, there is no single point of failure in the domain. However, if the PDC is unavailable for an extended period, you should promote a BDC to the PDC role so that changes can be made to user accounts.

Each domain in a network is identified internally by a security identifier (SID), a unique number associated with the domain. When a PDC is installed and started, a unique SID is assigned. Therefore, if you have an existing domain, and you want to add a new server to the domain as the PDC, you must install the new server as a BDC first, then change the server's role. For information about changing the server's role, see Section 2.1.1.1, Changing a Server's Role in a Domain.

2.1.2.1 Synchronizing SAM Databases on Domain Controllers

Normally, the domain security databases are synchronized automatically at regular intervals: the PDC replicates its databases to the BDCs. In rare cases, you may need to synchronize them manually. For example, you may have just added some new users or groups and you want the BDCs to be able to validate the new user logons now rather than after the next synchronization. To do this, use the SET COMPUTER/ACCOUNT_SYNCHRONIZE command. You can synchronize all BDCs at once, or synchronize an individual BDC with the PDC.

2.1.2.1.1 How to Synchronize All Controllers in a Domain

To ensure that all BDCs are synchronized with the PDC, enter the SET COMPUTER /ACCOUNT_SYNCHRONIZE command, specifying the PDC on the command line.

For example, if the PDC is called TINMAN, the following command ensures that all BDCs in the domain are synchronized with TINMAN. This command results in each BDC receiving a synchronize status message from the PDC. The information in this message determines whether the BDC's databases are synchronized with the PDC's databases. If the status message indicates to a BDC that the PDC's databases contain changes that are not represented in the BDC's databases, the BDC will request a partial synchronization. The PDC sends the BDC only those database elements that were changed since the last time the BDC received a status message.


LANDOFOZ\\TINMAN> SET COMPUTER TINMAN/ACCOUNT_SYNCHRONIZE 
 
Resynchronizing "LANDOFOZ" domain may take a few minutes. 
 
Do you want to continue with the synchronization [YES or NO] (YES) : YES 
%PWRK-S-ACCSYNCHED, account synchronization was successfully initiated 
LANDOFOZ\\TINMAN> 

Although the command has completed successfully, the synchronization process takes a few minutes to complete. You can monitor its progress by reviewing the System event log file using the SHOW EVENTS command. If the BDCs are already up to date, no event log message is recorded.

2.1.2.1.2 How to Synchronize a Specific Backup Domain Controller with the Primary Domain Controller

To synchronize a specific backup domain controller (BDC) with the primary domain controller (PDC), enter the SET COMPUTER/ACCOUNT_SYNCHRONIZE command, specifying the BDC name on the command line.

For example, if the BDC is called WOODMAN, the following command synchronizes only the server WOODMAN with the domain's PDC, TINMAN. The BDC requests a full synchronization, meaning that the entire databases are replicated to the BDC.


LANDOFOZ\\TINMAN> SET COMPUTER WOODMAN/ACCOUNT_SYNCHRONIZE 
 
Resynchronizing "WOODMAN" with its Primary Domain Controller "TINMAN" 
may take a few minutes. 
After the synchronization has completed, you should check the Event Logs on 
"WOODMAN" and "TINMAN" to determine whether synchronization was 
successful. 
 
Do you want to continue with the synchronization [YES or NO] (YES) : YES 
%PWRK-S-ACCSYNCHED, account synchronization was successful 
 
LANDOFOZ\\TINMAN> 

Although the command has completed successfully, the synchronization process takes a few minutes to complete, and it may take longer if the database contains thousands of accounts. You can monitor its progress by reviewing the System event log of the PDC, using the command SHOW EVENTS/SERVER=pdc_name (where pdc_name is the name of the PDC). (Note that the PDC periodically posts an update to its System event log during a full synchronization; the BDCs post a single update when the synchronization has completed.)
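The two synchronization modes described in Sections 2.1.2.1.1 and 2.1.2.1.2 differ in what crosses the wire: a status message followed by a partial update containing only the changed elements, versus a full copy of the databases. The following Python model is an added example, not part of the guide or of the NetLogon implementation; it uses a monotonic change serial as a stand-in for whatever the real status message carries (an assumption, since the guide only says the message tells a BDC whether it is current), and the class and method names and the sample account data are constructed for the example. It shows why the domain-wide path stays cheap when little has changed, while the single-BDC full resynchronization scales with the size of the account database.

```python
# Simplified model of SAM replication (not the NetLogon protocol). The change
# serial number is an assumed stand-in for the content of the status message.

class PrimaryController:
    """Holds the master SAM database and a log of changes by serial number."""

    def __init__(self, domain):
        self.domain = domain
        self.serial = 0          # incremented on every change to the master copy
        self.database = {}       # element name -> element description
        self.change_log = []     # (serial, name, description)

    def change(self, name, description):
        """Apply a change to the master copy, e.g. a new user or group."""
        self.serial += 1
        self.database[name] = description
        self.change_log.append((self.serial, name, description))

    def status_message(self):
        """What the PDC sends each BDC on SET COMPUTER pdc/ACCOUNT_SYNCHRONIZE."""
        return {"domain": self.domain, "serial": self.serial}

    def partial_update(self, since_serial):
        """Only the elements changed after the BDC's last known serial."""
        delta = [(n, d) for s, n, d in self.change_log if s > since_serial]
        return delta, self.serial

    def full_copy(self):
        """The entire database, as sent for a full synchronization."""
        return dict(self.database), self.serial


class BackupController:
    """Keeps a replica and decides, from the status message, what to request."""

    def __init__(self, name):
        self.name = name
        self.serial = 0
        self.database = {}

    def on_status_message(self, pdc):
        """Section 2.1.2.1.1 path: request a partial sync only when behind."""
        message = pdc.status_message()
        if message["serial"] == self.serial:
            return ("up-to-date", 0)      # nothing transferred, nothing logged
        delta, self.serial = pdc.partial_update(self.serial)
        for name, description in delta:
            self.database[name] = description
        return ("partial", len(delta))

    def full_resync(self, pdc):
        """Section 2.1.2.1.2 path: SET COMPUTER bdc/ACCOUNT_SYNCHRONIZE."""
        self.database, self.serial = pdc.full_copy()
        return ("full", len(self.database))


def synchronize_all(pdc, bdcs):
    """Model of SET COMPUTER pdc/ACCOUNT_SYNCHRONIZE: a status message to every BDC."""
    return {bdc.name: bdc.on_status_message(pdc) for bdc in bdcs}


if __name__ == "__main__":
    tinman = PrimaryController("LANDOFOZ")
    woodman = BackupController("WOODMAN")
    tinman.change("DOROTHY", "user account")   # constructed sample data
    tinman.change("OZIANS", "global group")
    print(synchronize_all(tinman, [woodman]))  # WOODMAN receives 2 elements
    tinman.change("TOTO", "user account")
    print(synchronize_all(tinman, [woodman]))  # WOODMAN receives only 1 element
    print(woodman.full_resync(tinman))         # full copy: all 3 elements
```

The model also reproduces the guide's remark that an already up-to-date BDC records nothing: when the serials match, the status message is answered with no transfer at all, which is why the event log stays silent in that case.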

2.1.3 Displaying the Current Domain

When you use the ADMINISTER command-line interface, the command prompt provides the name of your domain, along with the name of the server. By default, you are set up to administer the local server and the domain to which it belongs. The default domain remains in effect for the duration of the current OpenVMS login session, or until you log off the domain or change the default domain. (You can change the default server, too.)

To display the current domain and server, use the ADMINISTER command. For example:


$ ADMINISTER 
LANDOFOZ\\TINMAN> 

The domain name and server name are in the command prompt. In this example, the domain name is LANDOFOZ and the server name is TINMAN.

Any domain name prefixed with double backslashes indicates that a member server (or workstation) local security accounts database will be the target of ADMINISTER commands. For more information about managing member servers, see Section 2.1.5, Member Servers and Domain Management.

Use the SHOW ADMINISTRATION command to display information about the current domain and your logged-on user account. For example:


LANDOFOZ\\TINMAN> SHOW ADMINISTRATION 
 
Administration information: 
 
The domain being administered is: LANDOFOZ 
The domain controller for the domain is: TINMAN 
The domain controller type is: Advanced Server for OpenVMS 
 
The server being administered is TINMAN 
The server type is: Advanced Server for OpenVMS 
 
The user name is: ADMINISTRATOR 
The user is logged on to domain LANDOFOZ and has been authenticated. 
The user's privilege level on this domain is: ADMIN 
The user's workstation is TINMAN and is in domain LANDOFOZ. 
LANDOFOZ\\TINMAN> 
