A little backup can keep you out of the unemployment line

You can implement availability measures in many ways. A basic means to ensure that your system can stay up despite a temporary failure is to set up domains so that you have a Primary Domain Controller (PDC) and a Backup Domain Controller (BDC) that can take over the PDC's tasks if necessary. To understand this capability, you need to know about the Security Accounts Manager (SAM) and the accounts in its database. Then you need to know what PDCs and BDCs are and how to set them up for availability.

Domains
Domains are logical groupings of Windows NT-based computers that you manage and administer as a unit. The domain contains a SAM database that tracks user, machine, and group accounts and each account's rights.

A user account is a record in the SAM database with information about a particular user in the domain. Each record is approximately 1KB and contains a unique Security Identifier (SID). The user account consists of five elements: the username, the password, group membership information, initialization information, and account restrictions. You assign a unique username to each user. The same username can appear in accounts in different domains, but you can't repeat it in the same domain. The password, a string of up to 14 characters, verifies a user's identity at logon; the user can then access the network and its resources. A password is not mandatory but is strongly recommended. The group membership information tells which groups the user belongs to. Initialization information, which is not mandatory, includes the logon script and the home directory pointer. Account restrictions determine the exact days and hours a user can access the domain.

Adding a workstation, BDC, or server to a domain creates a machine account in the SAM. Each machine account takes about 0.5KB in the database and contains information such as the machine's name and type (BDC, PDC, server, workstation). You view machine account information in Server Manager and user account information in User Manager.

Each new or existing group has a group account that you can categorize as local or global. Each group account takes about 4KB in the database. This record's structure is like the user account record.

In a domain, you assign responsibilities to your network servers according to the type of activity you expect from each server. A server can play one of three roles in a domain: PDC, BDC, or resource server.

Roles of Servers
The PDC server is the honcho in your network. You can have only one PDC per domain. If possible, dedicate a PDC to one type of task. PDCs perform best if they don't share file and printer resources. The User Manager for Domains on the PDC performs all changes to user security and administration, and the PDC writes these changes into the SAM user accounts database. Because of this central administration, you need to add only one account for each user, and each user needs only one account to log on to the domain.

The BDC server is the network's second in command. If the PDC fails, the BDC can serve as the PDC. BDCs can authenticate users. You can assign more than one server as a BDC in a domain, or you can choose to have no BDC. Table 1 shows Microsoft's recommendations for the ratio of BDCs to user accounts on a network.

A resource server performs special-purpose network services. For example, you can dedicate a resource server as a database processor, file and print server, Web server, or application server. A resource server can be a BDC. You assign a resource server its role when you install NT.

You can promote a BDC to a PDC after you install NT: Double-click the Administrative Tools icon, and double-click the Server Manager icon; highlight the BDC you want to promote, and select Promote To Primary Domain Controller from the Computer pulldown menu.

Availability
Because the SAM contains critical security information, it must be constantly available. If the PDC fails and you have no BDCs for the network, users can't access the system until the PDC is back.

This single point of failure is the fast path to unemployment. To avoid this problem, you need to assign at least one server as a BDC that can authenticate users and replicate changes across the network. (If you have a large network and want to exclude the possibility of two points of failure, you can designate more than one server as a BDC.)

Because replicating a database across a network can increase traffic, NT 3.5x copies only SAM changes to the BDCs. The entire process takes about 2KB to initialize the transmission and up to 1KB per user.

TABLE 1: Recommended Number of BDCs
Number of User Accounts    Number of BDCs to Use
<2,000                     1
5,000                      2
10,000                     5
20,000                     10
30,000                     15

The PDC can replicate changes to up to 10 BDCs at a time. The ReplicationGovernor setting in the Registry lets you determine the amount of replication traffic and the frequency of replications. These and other replication settings are on the BDC under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.

By default, the PDC sends a pulse to the BDCs every five minutes. The pulse contains information that lets the BDCs determine whether the SAM has changed. If so, the BDCs ask the PDC to send these changes. How much information the PDC sends at one time depends on the Registry settings (the PDC default is to send changes in 128KB segments to the BDCs).

In a large network, sending changes every five minutes can take substantial bandwidth. How often you replicate SAM changes depends on how many changes occur in your network's account database, how urgently the BDCs need to implement the changes, and how large your network is.

For the fastest authentication, place the BDCs near the users. They can have trouble accessing the domain if you have an unreliable, slow-speed link to a central office. Users can also experience delays logging in to the network as the information passes along a slow link. A better way to provide access to your domain is to put a BDC at the remote office and authenticate users locally.
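The record sizes, Table 1, and the replication figures above can be combined into a rough planning check for a remote BDC on a slow link. The following Python code is an added example, not from the original article or from Microsoft; the function names, the rule of rounding up between Table 1 rows, and the treatment of ReplicationGovernor as a percentage that scales the 128KB segment size are assumptions.

```python
import math
from dataclasses import dataclass

# Figures quoted in the article
USER_KB, MACHINE_KB, GROUP_KB = 1.0, 0.5, 4.0   # approximate SAM record sizes
REPL_INIT_KB, REPL_PER_USER_KB = 2.0, 1.0       # replication cost to one BDC
SEGMENT_KB = 128                                # PDC default segment size
PULSE_SECONDS = 5 * 60                          # default pulse interval
# Table 1 as (upper bound on user accounts, BDCs to use); "<2,000" -> 1,999
BDC_TABLE = [(1_999, 1), (5_000, 2), (10_000, 5), (20_000, 10), (30_000, 15)]

@dataclass
class Plan:
    sam_kb: float           # estimated SAM database size
    bdcs: int               # BDC count from Table 1
    repl_kb_per_bdc: float  # upper bound on one replication to one BDC
    segments: int           # segments needed to carry that replication
    link_seconds: float     # transfer time over the given link
    fits_in_pulse: bool     # True if the transfer finishes before the next pulse

def recommended_bdcs(users):
    # Assumption: account counts between two table rows round up to the next row.
    for limit, bdcs in BDC_TABLE:
        if users <= limit:
            return bdcs
    raise ValueError("Table 1 stops at 30,000 user accounts")

def plan_domain(users, machines, groups, changed_users, link_kbps, governor=100):
    if not 1 <= governor <= 100:
        raise ValueError("governor is a percentage from 1 to 100")
    sam_kb = users * USER_KB + machines * MACHINE_KB + groups * GROUP_KB
    repl_kb = REPL_INIT_KB + changed_users * REPL_PER_USER_KB
    # Assumption: ReplicationGovernor scales the segment size as a percentage.
    segment_kb = SEGMENT_KB * governor / 100
    segments = math.ceil(repl_kb / segment_kb)
    # 1KB = 8,192 bits; link speed is in kilobits (1,000 bits) per second.
    link_seconds = repl_kb * 8192 / (link_kbps * 1000)
    return Plan(sam_kb, recommended_bdcs(users), repl_kb, segments,
                link_seconds, link_seconds <= PULSE_SECONDS)

if __name__ == "__main__":
    # Constructed sample: 3,000 users, 1,000 machines, 50 groups,
    # 500 changed accounts replicated to a BDC over a 56kbps link.
    print(plan_domain(3000, 1000, 50, changed_users=500, link_kbps=56))
```

A result with fits_in_pulse set to False means the estimated transfer outlasts the default five-minute pulse on that link.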

Your organization's size determines the best way to handle domains. Organizations with 50 or more servers and varying security needs typically have several domains, several PDCs, and many BDCs and resource servers. Replication timing can be tricky if a large organization has locations around the world (and differences in time zones).

Midsized organizations have between five and 50 servers. As in large organizations, you need to strategically place BDCs to minimize the impact of authentication on network traffic, and you need from one to five BDCs.

Small organizations have between one and five servers. At least one needs to be a PDC, and at least one needs to be a BDC. Often a BDC is also a resource server.

For more information about domains, see the sidebar, "Microsoft Resources," and Alex Pournelle, "NT Security Setup with Windows for Workgroups," on page 105. Also, see Mark Minasi, "Domains and Workgroups" (Windows NT Magazine, April 1996).


Microsoft Resources
Microsoft provides an excellent white paper, "Microsoft Windows NT Server 3.5/3.51: Domain Planning for Your Enterprise." You can download it at http://www.microsoft.com/NTServer/enter.htm or find it on the November 1994 or later TechNet CD.

If you don't have Microsoft's TechNet CD but want to see a sample, visit Microsoft's TechNet Web page at http://www.microsoft.com/technet. To buy the full CD version, call 800-344-2121 in the US. It's well worth the cost.

The Windows NT Resource Kit 3.51 contains a domain planning utility for designing the ideal domain. To see Microsoft's vision for domains or directory services, you can download information at http://www.microsoft.com/backoffice/reading/ds_strat.htm.