4.2 Basics of Domain Control

Over the years, public perceptions of what Domain Control really is have taken on an almost mystical nature. Before we branch into a brief overview of Domain Control, note that there are three basic types of Domain Controllers.

4.2.1 Domain Controller Types

  • Primary Domain Controller

  • Backup Domain Controller

  • ADS Domain Controller

The Primary Domain Controller or PDC plays an important role in MS Windows NT4. In Windows 200x Domain Control architecture, this role is held by Domain Controllers. Folklore dictates that because of its role in the MS Windows network, the Domain Controller should be the most powerful and most capable machine in the network. As strange as it may seem to say this here, good overall network performance dictates that the entire infrastructure needs to be balanced. It is advisable to invest more in Stand-alone (Domain Member) servers than in the Domain Controllers.

In the case of MS Windows NT4-style domains, it is the PDC that initiates a new Domain Control database. This forms a part of the Windows registry called the Security Account Manager (SAM). It plays a key part in NT4-type domain user authentication and in synchronization of the domain authentication database with Backup Domain Controllers.

With MS Windows 200x Server-based Active Directory domains, one Domain Controller initiates a potential hierarchy of Domain Controllers, each with their own area of delegated control. The master domain controller has the ability to override any downstream controller, but a downline controller has control only over its downline. With Samba-3, this functionality can be implemented using an LDAP-based user and machine account backend.

New to Samba-3 is the ability to use a backend database that holds the same type of data as the NT4-style SAM database (one of the registry files)[1].

[1] See also Chapter 10, Account Information Databases .

The Backup Domain Controller or BDC plays a key role in servicing network authentication requests. The BDC is biased to answer logon requests in preference to the PDC. On a network segment that has a BDC and a PDC, the BDC will most likely service network logon requests. The PDC will answer network logon requests when the BDC is too busy (high load). A BDC can be promoted to a PDC. If the PDC is online at the time that a BDC is promoted to PDC, the previous PDC is automatically demoted to a BDC. With Samba-3, this is not an automatic operation; the PDC and BDC must be manually configured, and the corresponding configuration changes must also be made by hand.

With MS Windows NT4, a decision is made at installation to determine what type of machine the server will be. It is possible to promote a BDC to a PDC and vice versa. The only way to convert a Domain Controller to a Domain Member server or a Stand-alone Server is to reinstall it. The install time choices offered are:

  • Primary Domain Controller: the one that seeds the domain SAM.

  • Backup Domain Controller: one that obtains a copy of the domain SAM.

  • Domain Member Server: one that has no copy of the domain SAM; rather, it obtains authentication from a Domain Controller for all access controls.

  • Stand-alone Server: one that plays no part in SAM synchronization, has its own authentication database and plays no role in Domain Security.

With MS Windows 2000, the configuration of Domain Control is done after the server has been installed. Samba-3 is capable of acting fully as a native member of a Windows 200x server Active Directory domain.

New to Samba-3 is the ability to function fully as an MS Windows NT4-style Domain Controller, excluding the SAM replication components. However, please be aware that Samba-3 also supports the MS Windows 200x Domain Control protocols.

At this time any appearance that Samba-3 is capable of acting as a Domain Controller in native ADS mode is limited and experimental in nature. This functionality should not be used until the Samba Team offers formal support for it. At such a time, the documentation will be revised to duly reflect all configuration and management requirements. Samba can act as an NT4-style DC in a Windows 2000/XP environment. However, there are certain compromises:

  • No machine policy files.

  • No Group Policy Objects.

  • No synchronously executed AD logon scripts.

  • Can't use Active Directory management tools to manage users and machines.

  • Registry changes tattoo the main registry, while with AD they do not leave permanent changes in effect.

  • Without AD you cannot perform the function of exporting specific applications to specific users or groups.

4.2.2 Preparing for Domain Control

There are two ways that MS Windows machines may interact with each other, with other servers and with Domain Controllers: either as Stand-alone systems, more commonly called Workgroup members, or as full participants in a security system, more commonly called Domain members.

It should be noted that Workgroup membership involves no special configuration other than the machine's network configuration carrying a commonly used name in its workgroup entry. It is not uncommon for the name WORKGROUP to be used for this. With this mode of configuration, there are no Machine Trust Accounts, and any concept of membership as such is limited to the fact that all machines appear in the network neighborhood to be logically grouped together. Again, just to be clear: workgroup mode does not involve security machine accounts.

Domain Member machines have a machine account in the Domain accounts database. A special procedure must be followed on each machine to effect Domain Membership. This procedure, which can be done only by the local machine Administrator account, creates the Domain machine account (if it does not exist) and then initializes that account. When the client first logs onto the Domain, it triggers a machine password change.



When Samba is configured as a Domain Controller, secure network operation demands that all MS Windows NT4/200x/XP Professional clients should be configured as Domain Members. If a machine is not made a member of the Domain, then it will operate like a workgroup (Stand-alone) machine. Please refer to Chapter 6, Domain Membership for information regarding Domain Membership.

The following are necessary for configuring Samba-3 as an MS Windows NT4-style PDC for MS Windows NT4/200x/XP clients:

  • Configuration of basic TCP/IP and MS Windows networking.

  • Correct designation of the Server Role (security = user).

  • Consistent configuration of Name Resolution[2].

    [2] See Chapter 9, Network Browsing, and Chapter 25, Integrating MS Windows Networks with Samba.

  • Domain logons for Windows NT4/200x/XP Professional clients.

  • Configuration of Roaming Profiles or explicit configuration to force local profile usage.

  • Configuration of network/system policies.

  • Adding and managing domain user accounts.

  • Configuring MS Windows client machines to become Domain Members.

The following provisions are required to serve MS Windows 9x/Me clients:

  • Configuration of basic TCP/IP and MS Windows networking.

  • Correct designation of the server role (security = user).

  • Network Logon Configuration (since Windows 9x/Me/XP Home are not technically domain members, they do not really participate in the security aspects of Domain logons as such).

  • Roaming Profile Configuration.

  • Configuration of System Policy handling.

  • Installation of the network driver "Client for MS Windows Networks" and configuration to log onto the domain.

  • Placing Windows 9x/Me clients in User Level Security: if it is desired to allow all client share access to be controlled according to domain user/group identities.

  • Adding and managing domain user accounts.



Roaming Profiles and System/Network policies are advanced network administration topics that are covered in the Chapter 23, Desktop Profile Management and Chapter 22, System and Account Policies chapters of this document. However, these are not necessarily specific to a Samba PDC as much as they are related to Windows NT networking concepts.

A Domain Controller is an SMB/CIFS server that:

  • Registers and advertises itself as a Domain Controller (through NetBIOS broadcasts as well as by way of name registrations either by Mailslot Broadcasts over UDP broadcast, to a WINS server over UDP unicast, or via DNS and Active Directory).

  • Provides the NETLOGON service. (This is actually a collection of services that runs over multiple protocols. These include the LanMan Logon service, the Netlogon service, the Local Security Account service, and variations of them.)

  • Provides a share called NETLOGON.

It is rather easy to configure Samba to provide these. Each Samba Domain Controller must provide the NETLOGON service that Samba calls the domain logons functionality (after the name of the parameter in the smb.conf file). Additionally, one server in a Samba-3 Domain must advertise itself as the Domain Master Browser[3]. This causes the Primary Domain Controller to claim a domain-specific NetBIOS name that identifies it as a Domain Master Browser for its given domain or workgroup. Local master browsers in the same domain or workgroup on broadcast-isolated subnets then ask for a complete copy of the browse list for the whole wide area network. Browser clients will then contact their Local Master Browser and will receive the domain-wide browse list, instead of just the list for their broadcast-isolated subnet.

[3] See Chapter 9, Network Browsing .
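The PDC requirements listed above (security = user, domain logons, a Domain Master Browser and a NETLOGON share) can be checked mechanically before a Samba-3 server is put into service. The following is an added example, not code from the HOWTO or the Samba project; it assumes the Samba-3 parameter names security, domain logons and domain master, the share name NETLOGON, and a constructed sample smb.conf.

```python
"""Check a Samba-3 smb.conf for the NT4-style PDC settings this section lists.
Added example, not HOWTO code; assumes Samba-3 parameter and share names."""
import re
# Constructed sample smb.conf for a PDC (illustrative values, not from the book).
PDC_CONF = """
[global]
    workgroup = EXAMPLEDOM
    netbios name = PDC1
    security = user
    domain logons = yes
    domain master = yes
[netlogon]
    path = /var/lib/samba/netlogon
    read only = yes
"""

_SECTION = re.compile(r"^\[(.+)\]$")

def parse_smb_conf(text):
    """Minimal smb.conf parser -> {section: {key: value}}, names lower-cased."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank or comment line
            continue
        m = _SECTION.match(line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def pdc_problems(text):
    """Return the PDC settings from this section that are not set explicitly."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    yes = lambda key: g.get(key, "").lower() in ("yes", "true", "1")
    problems = []
    if g.get("security", "").lower() != "user":
        problems.append("security = user (Server Role) is missing")
    if not yes("domain logons"):  # Samba's name for the NETLOGON service
        problems.append("domain logons = yes (NETLOGON service) is missing")
    if not yes("domain master"):  # one server per domain must claim this
        problems.append("domain master = yes (Domain Master Browser) is missing")
    if "netlogon" not in conf:
        problems.append("[netlogon] share is missing")
    return problems
```

Run it over each Domain Controller's smb.conf; an empty list means the four requirements are explicitly present, and the checker deliberately does not rely on Samba's defaults for any of them.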

The Official Samba-3 HOWTO and Reference Guide, 2nd Edition
ISBN: 0131882228
Year: 2005
Pages: 297
