HP OpenVMS Systems

HP Advanced Server for OpenVMS
Server Installation and Configuration Guide

3.7 Configuring the Advanced Server Domain Role

Depending on the domain type, the Advanced Server can participate in a domain as either the PDC, a BDC, or a member server.

There are five kinds of domains that the Advanced Server may participate in:

Windows NT domains, in which Advanced Servers can participate as a PDC, BDCs, and member servers.
Windows 2000 mixed-mode domains, which are domains that include both Windows 2000 domain controllers and Windows NT or HP Advanced Server domain controllers; Advanced Servers can participate as BDCs and as member servers.
Windows 2000 native-mode domains (also referred to as a pure Windows 2000 domains), which are domains in which all domain controllers are Windows 2000 systems; Advanced Servers can participate as member servers only.
Windows 2003 interim domains, which are domains that include both Windows 2003 domain controllers and Windows NT or HP Advanced Server domain controllers; Advanced Servers can participate as BDCs and as member servers.
Windows 2003 domains, in which all domain controllers are Windows 2003 systems; Advanced Servers can participate as member servers only. A windows 2003 domain must include at least one domain controller.

Table 3-3, Server Roles in Each Type of Domain, lists for each type of domain the roles the server can take:

**Table 3-3 Server Roles in Each Type of Domain**
For Domain Type:	The Advanced Server Can Take These Roles:
	PDC	BDC	Member Server
Windows NT	X	X	X
Windows 2000 Mixed-Mode		X	X
Windows 2000 Native-Mode			X
Windows 2003 Interim		X	X
Windows 2003			X

Each Windows NT domain must have one PDC. The PDC stores the domain's master copy of the security accounts database.

When you install the Advanced Server to create a new Windows NT domain, the new server becomes the PDC by default. When you install server software and specify an existing domain name, the server can join the existing domain only as a BDC or member server.

A domain does not have to have BDCs, but one or more are recommended. A BDC keeps a copy of the domain's master security accounts database. The copy of the security accounts database stored on BDCs is synchronized with the PDC's master database. PDCs and BDCs can validate logon requests in the domain.

A member server does not store a copy of the domain's security accounts database and does not validate logon requests. Member servers rely on domain controllers to validate credentials of users requesting access to member server shares. The advantages of configuring the Advanced Server as a member server are listed in Section 3.7.1, Configuring the Advanced Server As a Member Server.

In an OpenVMS Cluster, all nodes on the cluster must have the same role. If you change the role of one node, the other nodes are automatically changed to the same role.

When you configure the Advanced Server for the first time, you select the role your server will perform in the domain. There may be times when you need to change the role of your server. The method you use to change the server depends on the current role of the server and the role you want to change it to. To change the role of the server from a BDC to a PDC, or vice versa, use the ADMINISTER SET COMPUTER/ROLE command. To change a server BDC to a member server, you must use PWRK$CONFIG, as explained in Section 3.7.1, Configuring the Advanced Server As a Member Server. To change a PDC to a member server, you must first promote another BDC to a PDC; then the original PDC is demoted automatically to a BDC, after which you can use PWRK$CONFIG to change it to a member server. Use PWRK$CONFIG also to change a member server to a BDC. (This restriction is similar [but less restrictive] to that of Windows NT, which requires the operating system to be reinstalled to change a domain controller to a member server, or vice versa.) For more information on changing the role of the server from a BDC to a PDC, or vice versa, refer to the HP Advanced Server for OpenVMS Server Administrator's Guide. Table 3-4, Methods for Changing Server Roles, summarizes which role changes are allowed and disallowed by PWRK$CONFIG.

**Table 3-4 Methods for Changing Server Roles**
From:	To:	Method
BDC	PDC	Use ADMINISTER SET COMPUTER/ROLE command to promote the BDC to a PDC
BDC	Member	Use PWRK$CONFIG
Member	PDC	Use PWRK$CONFIG to change this server to a BDC, and then use the ADMINISTER SET COMPUTER/ROLE command to promote the BDC to a PDC
Member	BDC	Use PWRK$CONFIG
PDC	BDC	Use ADMINISTER SET COMPUTER/ROLE to promote a BDC in the domain to PDC; this promotion demotes the original PDC to a BDC
PDC	Member	Use ADMINISTER SET COMPUTER/ROLE to promote an existing BDC to a PDC; this promotion demotes the PDC to a BDC so that you can change it to a member server, using PWRK$CONFIG

Caution

If you reconfigure a BDC as a member server, PWRK$CONFIG automatically removes the domain controller's domain user account database.

If you reconfigure a member server to a BDC, PWRK$CONFIG automatically removes the member server's local user account database.

In either case, because of loss of local group information, access to some resources might be affected. If resource permissions have been set using local groups, those permissions will have to be reset. If resource permissions have been set using global groups or global user accounts, those permissions will remain in effect after the role change.

3.7.1 Configuring the Advanced Server As a Member Server

Use the PWRK$CONFIG.COM configuration procedure to configure the Advanced Server to participate in a domain as a member server. You cannot use the ADMINISTER SET COMPUTER/ROLE command to change an Advanced Server for OpenVMS domain controller to a member server role or to change a member server to a domain controller role.

You can configure the Advanced Server as a member server if it is joining an existing domain that has a PDC in operation. If the domain consists of a native-mode Windows 2000 environment (also referred to as a pure Windows 2000 domain) or Windows 2003 domain, this is a domain in which all domain controllers are Windows 2000 or Windows 2003 systems, the domain must first include at least one domain controller before you can configure an Advanced Server as a member server.

You may want to configure your Advanced Server for OpenVMS as a member server instead of a BDC (or PDC) for any of the following reasons:

Member servers do not spend time validating logon requests. Thus, this role can be a good choice for servers that have heavy workloads or that perform extremely time-critical tasks.
More important, configuring one or more servers as member servers rather than domain controllers can help decrease the network load, eliminating network traffic normally generated by domain controllers for replicating user databases and authenticating logon requests. When a client attempts to find a logon server to authenticate a request, all domain controllers respond to the request. In some environments, this can generate a significant load on the network.
Configuring the Advanced Server for OpenVMS as a member server allows the Advanced Server for OpenVMS to participate in a native-mode Windows 2000 or Windows 2003 environment without interruption to that environment.
If in the future your Advanced Server for OpenVMS server is moved to a different domain, it is simpler to move it as a member server from one domain to another.

The following sections explain how to configure the Advanced Server as a member server.

3.7.1.1 Considerations When Configuring Advanced Server as Member Server

When Advanced Server is configured as member server in an Active Directory, the following considerations must be taken into account:

Determine which computer is functioning as the PDC emulator. If unsure, perform the following steps:
1. Launch Active Directory Users and Computers, right click on the domain name, and select Operations Masters.
2. Select the PDC tab to see which domain controller is the PDC emulator.
3. When the Advanced Server configuration procedure prompts for the name of the PDC, enter the NetBIOS name (sometimes referred to as the pre-Windows 2000 name) of the PDC emulator.

As long as administrator selects to supply the username and password during configuration, Advanced Server can successfully join the domain. However, it might fail if the administrator chooses to not supply the credentials (i.e., when the computer account already exists). In this case, ensure the following security policy is enabled (the default is disabled) on Windows Server 2003 PDC emulator (this policy does not exist in Windows 2000):

Network access: Allow anonymous SID/Name translation

If this policy is disabled on the PDC emulator, the Advanced Server may fail to create its SAM database files when joining the domain. The error seen during configuration is:

Creating SAM datafiles...
%PWRK-F-SAMCHECK, error creating SAM databases
PWRK-I-RESTORE, restoring original settings

@SYS$UPDATE:PWRK$CONFIG must be executed again.
The Advanced Server configuration is incomplete and cannot continue.

Determine the current setting of the security policy "Network security: LAN Manager authentication level" on the PDC emulator.
This policy controls the setting of the Registry value LmCompatibilityLevel (under key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa).
The setting of LmCompatibilityLevel should be the same on all systems (when possible). The Windows security policy setting "Network security: LAN Manager authentication level" maps to the Registry value LmCompatibilityLevel as follows:

Network security: LAN Manager authentication level  LmCompatibilityLevel
Send LM & NTLM responses                                       0
Send LM & NTLM                                                 1
Send NTLM response only                                        2
Send NTLMv2 response only                                      3
Send NTLMv2 response only/refuse LM                            4
Send NTLMv2 response only/refuse LM & NTLM                     5

By default, the LmCompatibilityLevel registry parameter does not exist in the Advanced Server for OpenVMS registry so it defaults to LmCompatibilityLevel = 0 (Send LM & NTLM responses). On Advanced Server, if LmCompatibilityLevel is defined to 0 or 1 or 2, then ensure the security policy "Network security: LAN Manager authentication level" is not defined to "Send NTLMv2 response only\Refuse LM and NTLM" on the PDC emulator.
If the PDC emulator has its security policy set to "Send NTLMv2 response only\Refuse LM and NTLM", on Advanced Server modify the registry parameter LmCompatibilityLevel to 3 or 4 or 5 . This needs to be done prior to joining the Advanced Server for OpenVMS server to the domain.
To initially change the LmCompatibilityLevel setting on Advanced Server, it must first be created:

$ regutl :== $sys$system:pwrk$regutl.exe
$ regutl set parameter lsa LmCompatibilityLevel  <desired level> /create

Once initially set, the /create qualifier need not be used to modify the setting.

On all Windows 2000 domain controllers, ensure the security policy "Additional restrictions for anonymous connections" is not set to "No access without explicit anonymous permissions". Any other setting is acceptable. This requirement does not pertain to Windows Server 2003 domain controllers. The system must be rebooted if the setting is changed; however, wait until the policy is refreshed on the domain controller before rebooting, otherwise, a second reboot will be necessary. Domain controllers, by default, will refresh their policies every 5 minutes. The system can be forced to refresh the policy immediately with the following command:

SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE

When this policy is set to "No access without explicit anonymous permissions", the Advanced Server configuration procedure fails when attempting to join the domain, if no credentials were supplied. If credentials were provided when joining the domain, the configuration procedure succeeds; however, Advanced Server subsequently fails to start the NETLOGON service and posts the following message to the System event log ($ ADMIN SHOW EVENTS):

Events in System Event Log on server "MYSRV":

T Date     Time        Source    Category Event  User Computer
--------   ----------- --------- -------- ------ ---- ---------
E 01/31/06 11:00:57 AM NETLOGON  None     3210   N/A  MYSRV

Failed to authenticate with W2KDC, a domain controller for domain MYDOM.
Data:0000: 22 00 00 c0 00 00 00 00 "..?....

Additionally, if you attempt to start the NETLOGON service, an error is displayed:

$ ADMIN START SERVICE NETLOGON
%PWRK-I-SVCOPWAIT, attempting to start the "NETLOGON" service on
"MYSRV"%PWRK-E-SVCOPFAILED, start of service "NETLOGON" on "MYSRV"
failed-LM-E-UIC_INTERNAL, an internal error occurred

This error results in the following message in the System event log:

T Date     Time        Source   Category  Event User Computer
- -------- ----------- ------   --------- ----- ---- ---------
W 02/02/06 10:31:57 AM NETLOGON  None      5701  N/A  MYSRV

The Netlogon service failed to update the domain trust list.
The following error occurred:
%5 Data:0000: 22 00 00 c0 00 00 00 00 "..?....

A network trace shows the Advanced Server attempts to establish an anonymous connection to the IPC$ share and is denied access (0xC0000022).

Decide on the name for the Advanced Server computer account and how to create the account. As noted earlier, when the Advanced Server runs in an OpenVMS Cluster, a single computer account is used to represent the entire cluster; the name of this computer account must be identical to the Advanced Server cluster alias name. The Advanced Server cluster alias name can be set when configuring the Advanced Server.
If the Advanced Server system is not a member of an OpenVMS Cluster, the computer account name must be identical to the computer name of the Advanced Server. By default, the computer name is identical to the SYSGEN SCSNODE parameter, but it too may be modified when configuring the Advanced Server. The computer account can be created prior to or during configuration of the Advanced Server:
- Prior to configuring the Advanced Server
  Use Active Directory Users and Computers to create the computer account.
  
  Note
  The account must be designated for a pre-Windows 2000 computer.
  
  In Windows 2000 Active Directory Users and Computers, select the option, Allow pre-Windows 2000 computers to use this account. In Windows Server 2003 Active Directory Users and Computers, select the option, Assign this computer account as a pre-Windows 2000 computer.
  The account can be created in any Organizational Unit (OU) or in the Computers container.
- During configuration of the Advanced Server
  Supply the username and password of an administrator account. The configuration procedure creates the computer account in the Computers container. The account can later be moved to an OU, if desired.

3.7.1.2 Configuring a New Advanced Server for OpenVMS to Be a Member Server

While installing a new Advanced Server for OpenVMS in an existing domain, you can configure it as a member server during the PWRK$CONFIG.COM configuration procedure. The domain must include one active PDC; a native-mode Windows 2000 domain or Windows 2003 domain must include at least one domain controller.

The following PWRK$CONFIG.COM output shows how an Advanced Server for OpenVMS server might be configured as a member server. Preceding this part of the procedure, item 5 was selected to specify UPTIME as the domain. This example assumes the UPTIME domain is a native-mode Windows 2000 domain that already has one or more domain controllers.

Reading current configuration parameters ...

  Your Advanced Server for OpenVMS is presently configured to
  run as follows:

   1.  Run the License Server:          NO
   2.  Enable Timesource service:       NO
   3.  Enable Alerter service:          YES
   3a. Alert user names:                Administrator
   4.  Enable Netlogon service:         YES
   5.  Advanced Server domain:          UPTIME
   6.  Advanced Server role:            PRIMARY
   7.  Advanced Server computer name:   GRATDA
   7a. Advanced Server OpenVMS Cluster alias:   GRATDA_ALIAS
   8.  Server announce comment:    Advanced Server V7.3B for OpenVMS
   9.  Advanced Server language:        English (USA)
   10. Enable NT style printing:        NO
Enter item number, or RETURN to use these values [DONE]: 6 [Return]

  The Advanced Server role is the part the server will play in its
  domain.

  A primary domain controller maintains the domain's master user
  accounts database and validates logins.

  A backup domain controller receives copies of the master database,
  validates logins, and can be promoted to primary.

  A member server does not receive copies of the master database
  or validate logins.  It relies on domain controllers to validate
  user credentials.

Enter the role of this server (P)rimary/(B)ackup/(M)ember [P]: M [Return]

  Before joining a domain, the computer must be added to the
  domain. This can be done in one of two ways:

      - the administrator of the domain uses the administrative
        tools to add this computer to the domain, or

      - the computer is added automatically by this procedure;
        you must supply an administrator account and password
Are you going to supply account/password information [Y]/N YES [Return]

Enter the name of the primary domain controller for domain UPTIME:
SUNDA [Return]
Enter the name of the administrator account: [Administrator] [Return]
Enter the account password in the required case:          [Return]
Re-enter to verify password:          [Return]

Process NETBIOS created with identification 206010B5
Process PWRK$NBDAEMON created with identification 206010B7
Process PWRK$KNBDAEMON created with identification 206010B9
Confirming domain name with SUNDA...
Successfully retrieved domain name from SUNDA.
Validating user name and password...
Successfully verified user name and password.


  Your Advanced Server for OpenVMS is presently configured to
  run as follows:

   1.  Run the License Server:          NO
   2.  Enable Timesource service:       NO
   3.  Enable Alerter service:          YES
   3a. Alert user names:                Administrator
   4.  Enable Netlogon service:         YES
   5.  Advanced Server domain:          UPTIME
   6.  Advanced Server role:            MEMBER
   7.  Advanced Server computer name:   GRATDA
   7a. Advanced Server OpenVMS Cluster alias:   GRATDA_ALIAS
   8.  Server announce comment:    Advanced Server V7.3B for OpenVMS
   9.  Advanced Server language:        English (USA)
   10. Enable NT style printing:        NO
Enter item number, or RETURN to use these values [DONE]: [Return]

Saving parameters to the OpenVMS Registry...
Creating SAM datafiles...
   .
   .
   .
   The Advanced Server Administrator account is used to
   administer the server.  The Administrator account
   is mapped by default to the OpenVMS SYSTEM account.

   The Administrator account password can be up to 14 characters long
   and the case of the characters used will be preserved.

Enter a password for this member server's local Administrator account:[Return]

Re-enter to verify password: [Return]

Changing password for Administrator account...

Setting character set information in databases as needed ...

   Setting share database character set information ...
   Setting ACL database character set information ...
Checking system resources...

3.7.1.3 Configuring an Existing Advanced Server for OpenVMS BDC As a Member Server

When you configure a BDC to become a member server, the script is similar to the one for configuring a new server as a member server. One exception is that the script will display the following lines:

 Changing from backup domain controller to member server
 results in the re-creation of the Advanced Server SAM databases.
 If there is any problem with the configuration, your existing SAM
 databases will be restored.

The BDC's domain-wide account database is removed, and the member server's local database is created. Server-specific data is retained from the BDC's database. The configuration procedure saves the domain-wide account database in case you need to restore it later (for more information, see Section 3.10.3, If Problems Occur When Reconfiguring the Advanced Server).

The following two displays show the role of server LIONHEART before and after reconfiguration to the member server role. The display symbol for a member server is [SV].

LANDOFOZ\\TINMAN> SHOW COMPUTERS

Computers in domain "LANDOFOZ":
Computer       Type                      Description
-------        ------------------------  -----------------------------
[PD] TINMAN    OpenVMS (NT 4.0) Primary  Advanced Server V7.3B for OpenVMS

[BD] LIONHEART OpenVMS (NT 4.0) Backup   Advanced Server V7.3B for OpenVMS

[BD] DOROTHY   OpenVMS (NT 3.51) Backup  Advanced Server V7.2A for OpenVMS

  Total of 3 computers

[reconfigure server role]
.
.
.
LANDOFOZ\\TINMAN> SHOW COMPUTERS

Computers in domain "LANDOFOZ":
Computer       Type                      Description
-------        ------------------------  -----------------------------
[PD] TINMAN    OpenVMS (NT 4.0) Primary  Advanced Server V7.3B for OpenVMS

[SV] LIONHEART OpenVMS (NT 4.0) Server   Advanced Server V7.3B for OpenVMS

[BD] DOROTHY   OpenVMS (NT 3.51) Backup  Advanced Server V7.2A for OpenVMS

  Total of 3 computers

Contents

Index