Of Domains and Controllers


Behind every great domain is a great domain controller (so the Aretha Franklin song goes), but before you look at how Windows Server 2003 and Windows 2000 use domain controllers, a quick recap of Windows NT 4.0 usage is in order.

The Windows Server 2003 and Windows 2000 way of doing the domain controller thing is quite different from the Windows NT 4.0 way - mainly because of Active Directory. Okay, so I don't have to repeat it over and over, Windows Server 2003 and Windows 2000 both support Active Directory in the same way, so what you see here for Windows Server 2003 is also true of Windows 2000. (The few small differences, mainly in high-level schema control and naming management, are too detailed for this book.)

In the beginning

In Windows NT 4.0, 15-character NetBIOS (Network Basic Input-Output System) names represent domains. Such domains revolve around a single user/group/policy database called the Security Accounts Manager (SAM) database, stored in writable format on a single, primary server known as the primary domain controller (PDC).

TECHNICAL STUFF 

NetBIOS names can be a total of 16 characters. On Microsoft operating systems, the NetBIOS name is limited to 15 characters. The 16th character is hidden from view and is used as a NetBIOS suffix by Microsoft Networking software to identify services registered on the given system; for example, the <1B> suffix marks the domain master browser (the PDC) and the <1C> suffix marks domain controllers. Additional information on NetBIOS suffixes in the Microsoft environment is available at http://support.microsoft.com/default.aspx?scid=KB;en-us:q163409.

Access to the domain database is required to access a domain's resources, so any model that depends on a single domain controller introduces a single point of failure. To improve availability and reliability of the domain database, Microsoft added a second type of server to this mix, known as a backup domain controller (BDC), which stores a read-only version of the SAM database. Users can access the BDC to log on to a domain and to investigate user, group, or account information, but changes to the database can be applied only to the PDC.

In this kind of domain environment, the PDC must periodically update the SAM database on all BDCs in its domain to keep them synchronized. Should a PDC ever fail, a BDC can be promoted to become the PDC and write-enable its copy of the SAM database. However, there's an unbreakable master-slave relationship between PDCs and BDCs, because changes to the SAM database must be applied to the PDC and copied from the PDC to all BDCs. Therefore, if the PDC goes down, no changes can be applied to the SAM database unless the PDC is brought back up or a BDC is promoted to become the new PDC instead. Phew! Got all that?

REMEMBER 

Although this sounds like a form of subjugation, a master-slave relationship is computerese for "everything that changes on the master is copied to all slaves" and "only a master can accept changes and copies all changes to its slaves."

Windows Server 2003 no longer uses NetBIOS to name its domains; instead, it uses DNS domain names. (See Chapter 14 for more information on DNS domain names.) For example, rather than a Dummies domain, you might have sales.dummies.com as a legal domain name. However, each domain still has a NetBIOS name as well, because non-Active Directory systems such as Windows 98 and Windows NT 4.0 clients, sometimes referred to as legacy clients, can find and log on to a domain only by that name. (That's why you define one when you install Active Directory in Chapter 10.) Likewise, the concept of a SAM is no longer used in a Windows Server 2003 domain. All information about users, passwords, and groups is stored in Active Directory. Therefore, instead of servers that can read from or write to the SAM, servers must supply the LDAP service that's needed to interface with Active Directory.

On Windows Server 2003, network servers that host the LDAP service are the domain controllers. As in Windows NT-based networks, these servers are responsible for authentication and other domain activities. In Windows Server 2003-based networks, however, servers use Active Directory to provide the services that their older counterparts delivered using the SAM database.

Wherefore art thou, BDC/PDC?

The concept of PDCs and BDCs is not used in the Active Directory domain structure of Windows 2000 and Windows Server 2003. In this brave new world, all domain controllers are equal (though some are, indeed, more equal than others). How is this equality maintained? A process known as multi-master replication ensures that when changes occur on any domain controller in a domain, these changes are replicated to all other controllers in that domain. Therefore, instead of the older master-slave relationship between PDC and BDCs, you have a peer-to-peer relationship among all domain controllers in a Windows Server 2003 domain. Access across domain boundaries is a separate matter, governed by trust relationships. (A trust relationship is a special interdomain access arrangement that you define when users in one domain require access to resources in another domain.)

Because you won't be able to upgrade all your domain controllers from Windows NT 4.0 to Windows Server 2003 in one fell swoop, Windows Server 2003 allows you to operate your domains in a mixed mode. This allows Windows NT 4.0 BDCs (but not PDCs) to participate in a Windows Server 2003 domain. The idea is that you begin by upgrading the NT4 PDC to Windows Server 2003 and then proceed to the other server-based systems in the enterprise, which usually means upgrading or retiring every remaining NT4 Server BDC.

For a Windows NT 4.0 BDC to function properly, it needs to obtain updates from a PDC. Therefore, a single Windows Server 2003 domain controller impersonates a Windows NT 4.0 PDC, which allows changes to be replicated to any Windows NT 4.0 BDCs in that domain. This capability of a Windows Server 2003 domain controller is known as a Flexible Single Master Operations (FSMO) role (also known as operations master role). This specific server role is called PDC emulator.

TECHNICAL STUFF 

Even in a full-fledged, Windows Server 2003-only environment, the PDC Emulator Operations Master still plays an important part in the scheme of things. It performs certain duties that no other DCs in the domain handle. The PDC emulator receives preferential replication of password changes performed by other domain controllers in the domain. When a password is changed, it takes time to replicate the change to every domain controller in the domain, and that synchronization delay might cause an authentication failure at a domain controller that hasn't yet received the change. Before that domain controller denies the logon, it forwards the authentication request to the PDC emulator, because the PDC emulator may have newer information (for example, the new password).

In a mixed-mode domain operation, clients can use NetBIOS names to access old-style domain services, or they can use Active Directory to access Windows Server 2003 domain services. To find a Windows Server 2003 domain controller, clients must query a DNS server for a service (SRV) record that takes the general form

_ldap._tcp.<domain name>

where _ldap._tcp.dummies.com, for example, lists the LDAP servers for the dummies.com domain. The more specific name _ldap._tcp.dc._msdcs.dummies.com lists only the domain controllers, and it is the name that the Windows domain controller locator actually asks for.

Windows Server 2003 domain controllers do not have to run the DNS service locally. The only requirement is that the DNS servers support the SRV record type (RFC 2782) so that those domain controllers can be located. If the DNS servers also accept dynamic updates, the domain controllers' Netlogon service registers and refreshes those records itself; otherwise, an administrator has to maintain them by hand.
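As an added example (not code from the book), the block below shows two things the preceding paragraphs describe but do not spell out: the owner names a client asks DNS for, including the pdc._msdcs name that points at the PDC emulator role discussed in the "Technical Stuff" note above, and the RFC 2782 rule for choosing among the SRV answers that come back (lowest priority first, then a weighted random draw). The answer set is constructed; dc1, dc2, dc-old and dc-dr in dummies.com are invented hosts.

```python
# Added example (not from the book): the SRV owner names Windows domain controllers
# register under _msdcs.<domain>, and RFC 2782 selection over a constructed answer set.
# dc1/dc2/dc-old/dc-dr.dummies.com are made-up hosts for this example.
from __future__ import annotations
import random
from dataclasses import dataclass


def dc_srv_name(domain: str, role: str = "dc", site: str | None = None) -> str:
    """Owner name to query: role 'dc' = any domain controller, 'pdc' = the PDC emulator,
    'gc' = a global catalog (query this one under the forest root domain).
    Clients ask for the site-specific name first so they land on a nearby DC;
    there is no site-specific name for the PDC emulator, since a domain has only one."""
    if role not in ("dc", "pdc", "gc"):
        raise ValueError("role must be dc, pdc or gc")
    if site and role == "pdc":
        raise ValueError("the PDC emulator is not registered per site")
    prefix = f"_ldap._tcp.{site}._sites." if site else "_ldap._tcp."
    return f"{prefix}{role}._msdcs.{domain.rstrip('.')}."


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed answer set for _ldap._tcp.dc._msdcs.dummies.com (not a real zone).
SAMPLE_ANSWERS = [
    SrvRecord(0, 100, 389, "dc1.dummies.com."),
    SrvRecord(0, 100, 389, "dc2.dummies.com."),
    SrvRecord(0, 0, 389, "dc-old.dummies.com."),   # weight 0: rarely chosen while weighted peers remain
    SrvRecord(10, 0, 389, "dc-dr.dummies.com."),   # higher priority value: used only if every priority-0 DC fails
]


def _pick_weighted(pool: list[SrvRecord], rng: random.Random) -> SrvRecord:
    """RFC 2782 selection within one priority: zero-weight entries go first, draw a number
    in [0, sum of weights], return the first record whose running sum reaches it."""
    ordered = sorted(pool, key=lambda r: r.weight != 0)   # False (weight 0) sorts before True
    total = sum(r.weight for r in ordered)
    threshold = rng.randint(0, total)
    running = 0
    for rec in ordered:
        running += rec.weight
        if running >= threshold:
            return rec
    return ordered[-1]   # not reached: running == total >= threshold


def order_targets(records: list[SrvRecord], seed: int | None = None) -> list[SrvRecord]:
    """Full contact order: every priority-0 record (weighted shuffle), then priority 10, and so on.
    A client walks this list until one target answers."""
    rng = random.Random(seed)
    result: list[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            chosen = _pick_weighted(pool, rng)
            result.append(chosen)
            pool.remove(chosen)
    return result


if __name__ == "__main__":
    print(dc_srv_name("dummies.com"))
    print(dc_srv_name("dummies.com", "pdc"))
    print(dc_srv_name("dummies.com", site="Default-First-Site-Name"))
    for rec in order_targets(SAMPLE_ANSWERS):
        print(f"prio={rec.priority:<3} weight={rec.weight:<4} {rec.target}:{rec.port}")
```

Against a live domain, the equivalent query is nslookup -type=SRV _ldap._tcp.dc._msdcs.dummies.com, and nltest /dsgetdc:dummies.com shows which controller the locator settled on. If the pdc._msdcs name resolves to nothing, the password-forwarding behaviour described above has no one to forward to, which is worth checking before blaming a "wrong password" on the user.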

Windows Server 2003 for Dummies
ISBN: 0764516337
Year: 2003
Pages: 195