Netlogon Service: Objectives

1. Logon Validation Part 1: Computer Accounts, Computer Names, Joining a Domain
2. Logon Validation Part 2: Interdependency: User Manager for Domains and Passwords
3. Synchronizing Domain Controllers: Registry Settings
4. Promoting and Demoting the PDC
5. Pass-Through Authentication
LOGON VALIDATION PART 1

Computer > Add to Domain (emphasis Server)
* Computer Account: you must add the Computer Name of the client machine joining the domain in Server Manager. You do not need to do this for Windows 95 computers; Windows 95 computers appear and disappear in Server Manager as they log on to and log off of the domain.

Terra Flora example: computer name (max. 15 characters) convention:
- "CANTS40ENT03"
- "CA" identifies the domain. Example: California
- "NTS40" is the operating system code
- "ENT" is the network service layer. Example: Enterprise (division, department, desktop)
- "03" is the computer number (01-99)

* Grayed out is "Create Computer Account in Domain ...". Instead of adding the computer account through Server Manager, if you have the 'Add Workstations to Domain' right (Administrators and Server Operators have this right by default), you may add the computer account to Server Manager (the domain) here.
Rules for Installing / Joining a Domain
- PDC - must be online before any new computer can join the domain. Can change its domain name without reinstallation; however, you will then have to change the domain name for all workstations and servers in the domain and reestablish all trusts. In other words, not a very time-efficient thing to do :-)
- BDC - the computer account must be created prior to or during installation. Cannot be moved to another domain without reinstalling because the SID cannot be changed. Remember, a BDC maintains a copy of the PDC's (domain database; directory database; SAM).
- Member Server / NT Workstation - may join the domain after installation. Cannot be reconfigured as a BDC or PDC without reinstalling. Can be moved to another domain or workgroup without reinstalling because it maintains its own (domain database; directory database; SAM). The Member Server / NT Workstation directory database "has knowledge of" the domain's (domain database; directory database; SAM).
"PDC Cannot be found"
- Check Server Manager and make sure the PDC is online
- User is spelling the domain name wrong (MOST COMMON)
- On a Token Ring network, this error may occur if the NIC you are using is set to the wrong ring speed.

SID - security ID. A unique name that identifies a logged-on user to the security system. SIDs identify a user or a group of users. THERE IS NO POSSIBILITY OF HAVING TWO IDENTICAL SIDs. There is a tool in the NTRK called GETSID.EXE (let me know how it works).
Computer Accounts in Server Manager (icons):
- PDC - Primary Domain Controller (there is 1 and only 1 PDC per domain)
- Offline PDC
- BDC - Backup Domain Controller (there are 0 or more BDCs per domain); Member Server
- NT Workstation; Windows 95
- Offline Windows NT Workstation
LOGON VALIDATION PART 2

Deals with user names and passwords that are unique to the (domain database; directory database; SAM) of a computer or domain. This discussion will take place with User Manager for Domains.
Synchronization

Synchronization: the process of replicating the (domain database; directory database; SAM) to one or all of the BDCs in the domain.

(SAM - Security Accounts Manager; Directory Database; Domain Database) Security database on NT that is a record of all user accounts, group accounts, and computer accounts within a domain. It also holds passwords, policy settings, records of permissions, etc. The PDC holds a copy of the SAM. A Member Server does not have a copy of the SAM but is aware that the SAM exists when it is part of a domain. The SAM database is stored in the boot partition.
Manual Partial Synchronization - sends the modifications made since the BDC's SAM was last updated
- Server Manager > click on a BDC > Computer > Synchronize with Primary Domain Controller (synchronizes ONLY the selected BDC - no other BDCs are affected).
Manual Full Synchronization
- Server Manager > Computer > Synchronize Entire Domain (for all BDCs in the domain).
Automatic Synchronization - occurs when
- the changes made to the SAM copy on the BDC have reached their maximum size (64k: approximately 2,000 changes)
- the BDC SAM is found to be incomplete
- the registry settings below say so

Registry Settings for Automatic Synchronization: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters
- Pulse (60 - 3,600 seconds): pulse frequency. SAM database changes since the last pulse are sent to the BDCs when the pulse time expires. No pulse is sent to a BDC that is up to date. Default = 300. Lower the setting = more network traffic.
- PulseConcurrency (1 - 500): max. number of BDCs the PDC can pulse at the same time. Higher the value = more load placed on the PDC, but you increase the speed of updating the BDCs. The converse is true for lowering the value: the speed of update is slower but you reduce network traffic. Default = 20.
- PulseMaximum (60 - 86,400 seconds): sends all BDCs a pulse at this interval, even if the BDC's SAM database is up to date. Default = 7,200. Lower the setting = more network traffic.
- PulseTimeout1 (1 - 120 seconds): amount of time the PDC will wait for a BDC to respond to a pulse. Default = 5.
- PulseTimeout2 (60 - 3,600 seconds): how long the PDC will wait for a BDC to complete a partial synchronization. Default = 300.
- Randomize (0 - 120 seconds): when BDCs receive a pulse from the PDC, they wait the "Randomize" time before calling the PDC. NOTE: RANDOMIZE SHOULD ALWAYS BE LESS THAN THE PulseTimeout1 SETTING. Default = 1.
- ReplicationGovernor (0 - 100%): packet size used in the synchronization process, AKA the amount of bandwidth used. Lower the percentage = more packets but less network traffic because of the smaller packets. Caution: too low a setting and synchronization will not complete. A value of 0 and synchronization will not occur at all. Default = 100.
- More controls can be found in "Regentry.hlp" on the NTSRK.
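As an added example (not part of these notes), here is a Python check that reads a .reg export of the Netlogon\Parameters key, applies the ranges and defaults listed above, and flags the two cases the notes warn about: Randomize not less than PulseTimeout1, and ReplicationGovernor set to 0. The sample export is constructed, and the value names are the registry spellings without spaces (PulseConcurrency, PulseMaximum, ReplicationGovernor).

```python
import re

# Value ranges (min, max, default) for Netlogon\Parameters as given in the
# notes above; seconds except PulseConcurrency (a count) and
# ReplicationGovernor (a percentage).
RANGES = {
    "Pulse": (60, 3600, 300),
    "PulseConcurrency": (1, 500, 20),
    "PulseMaximum": (60, 86400, 7200),
    "PulseTimeout1": (1, 120, 5),
    "PulseTimeout2": (60, 3600, 300),
    "Randomize": (0, 120, 1),
    "ReplicationGovernor": (0, 100, 100),
}

# Constructed sample .reg export of the key (not taken from a real server);
# it deliberately contains the two settings the notes warn about.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"Pulse"=dword:0000012c
"PulseTimeout1"=dword:00000003
"Randomize"=dword:0000000a
"ReplicationGovernor"=dword:00000000
"""


def parse_reg_dwords(text):
    """Return {name: int} for every REG_DWORD line in a .reg export."""
    pattern = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})\s*$', re.M)
    return {m.group(1): int(m.group(2), 16) for m in pattern.finditer(text)}


def check_netlogon(values):
    """Apply the rules from the notes; returns a list of findings (empty = OK)."""
    # A value missing from the export means the default is in effect.
    eff = {k: values.get(k, d) for k, (_, _, d) in RANGES.items()}
    findings = [f"{k}={eff[k]} is outside {lo}-{hi}"
                for k, (lo, hi, _) in RANGES.items()
                if not lo <= eff[k] <= hi]
    if eff["Randomize"] >= eff["PulseTimeout1"]:
        findings.append("Randomize must be less than PulseTimeout1")
    if eff["ReplicationGovernor"] == 0:
        findings.append("ReplicationGovernor=0: synchronization will not occur")
    return findings


if __name__ == "__main__":
    for finding in check_netlogon(parse_reg_dwords(SAMPLE_REG)):
        print("WARNING:", finding)
```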
When a PDC goes offline
- Users can still log on (validated by a BDC), but you cannot administer accounts.
- Yes, this means users CANNOT change their passwords!
Promoting a BDC to PDC status
Server Manager >
- Click on BDC (\\Server2)
- Computer > Promote to Primary Domain Controller
Result: PDC (\\Server1) becomes a BDC automatically; BDC (\\Server2) is promoted to PDC.

Restoring BDC (\\Server1) to PDC status
Server Manager >
- Click on BDC (\\Server1)
- Computer > Promote to Primary Domain Controller
Result: BDC (\\Server1) is promoted to PDC again; PDC (\\Server2) is automatically demoted to BDC.

Promoting a BDC to PDC status when the PDC is offline (or goes offline unexpectedly)
Server Manager >
PDC (\\Server1) is offline.
- Click on BDC (\\Server2)
- Computer > Promote to Primary Domain Controller
- A "Cannot find PDC ..." error dialog box may result; press OK
Result: BDC (\\Server2) is now PDC; HOWEVER, the offline PDC (\\Server1) is NOT automatically demoted. (\\Server1) is still a PDC, it is just offline.

Restoring the original, offline PDC (\\Server1) to PDC status and demoting the current PDC (\\Server2) to BDC status
- Key: bring the original PDC (\\Server1) back online first. The Netlogon service on that PDC will not be started at system boot when (\\Server1) detects that a PDC (\\Server2) is already running on the network; with the Netlogon service stopped, Server1 cannot validate logon requests. Synchronization of the directory databases ensures that changes to user accounts or passwords made while the original PDC was down will not be lost.
Server Manager >
- Notice: (\\Server1) is an offline PDC and (\\Server2) is PDC
- Click on the offline PDC (\\Server1)
- Computer > Demote to Backup Domain Controller > "Yes"
- The original PDC (\\Server1) is now at BDC status.
- Click on the original PDC (\\Server1) that is now a BDC
- Computer > Promote to Primary Domain Controller > Yes
Result: BDC (\\Server1) is promoted to PDC again; PDC (\\Server2) is automatically demoted to BDC.
Pass-Through Authentication

Key to understanding Directory Services: Pass-Through Authentication - when a user account must be authenticated but the computer being used for the logon is not a domain controller in the domain where the user account is defined; sooo, the computer passes the logon information through to a domain controller (directly or indirectly) where the user account IS defined.
With a Windows 95 computer, Pass-Through Authentication is the mechanism for enabling User-Level Security. Literally, it means 95 passes an authentication request through an NT-based Server or Workstation, or a NetWare Server. Windows 95 does not implement its own unique security mechanism.