The
Primary Domain Controller
or PDC plays an important role in MS Windows NT4. In
Windows 200x domain control architecture, this role is held by domain controllers. Folklore dictates that
because of its role in the MS Windows network, the domain controller should be the most powerful and most
capable machine in the network. As strange as it may seem to say this here, good overall network performance
dictates that the entire infrastructure needs to be balanced. It is advisable to invest more in standalone
(domain member) servers than in the domain controllers.
In the case of MS Windows NT4-style domains, it is the PDC that initiates a new domain control database.
This forms a part of the Windows registry called the Security Account Manager (SAM). It plays a key
part in NT4-type domain user authentication and in synchronization of the domain authentication
database with BDCs.
With MS Windows 200x Server-based Active Directory domains, one domain controller initiates a potential
hierarchy of domain controllers, each with its own area of delegated control. The master domain
controller has the ability to override any downstream controller, but a downline controller has
control only over its downline. With Samba-3, this functionality can be implemented using an
LDAP-based user and machine account backend.
New to Samba-3 is the ability to use a backend database that holds the same type of data as the NT4-style SAM
database (one of the registry files)[1]
The
Backup Domain Controller
or BDC plays a key role in servicing network authentication
requests. The BDC is biased to answer logon requests in preference to the PDC. On a network segment that has
a BDC and a PDC, the BDC will most likely service network logon requests. The PDC will answer network logon
requests when the BDC is too busy (high load). When a user logs onto a Windows domain member client the
workstation will query the network to locate the nearest network logon server. Where a WINS server is used,
this is done via a query to the WINS server. If a netlogon server can not be found from the WINS query, or in
the absence of a WINS server, the workstation will perform a NetBIOS name lookup via a mailslot broadcast over
the UDP broadcast protocol. This means that the netlogon server that the windows client will use is influenced
by a number of variables, thus there is no simple determinant of whether a PDC or a BDC will serve a
particular logon authentication request.
A Windows NT4 BDC can be promoted to a PDC. If the PDC is online at the time that a BDC is promoted to PDC,
the previous PDC is automatically demoted to a BDC. With Samba-3, this is not an automatic operation; the PDC
and BDC must be manually configured, and other appropriate changes also need to be made.
With MS Windows NT4, a decision is made at installation to determine what type of machine the server will be.
It is possible to promote a BDC to a PDC, and vice versa. The only method Microsoft provide to convert a
Windows NT4 domain controller to a domain member server or a standalone server is to reinstall it. The install
time choices offered are:
-
Primary Domain Controller
the one that seeds the domain SAM.
-
Backup Domain Controller
one that obtains a copy of the domain SAM.
-
Domain Member Server
one that has no copy of the domain SAM; rather
it obtains authentication from a domain controller for all access controls.
-
Standalone Server
one that plays no part in SAM synchronization,
has its own authentication database, and plays no role in domain security.
|