Lab 7: Synchronizing Domains and Replication

LAB7: SYNCHRONIZING DOMAINS AND REPLICATION
In this exercise, we will learn to synchronize the BDC and PDC of the domain. By default, Windows NT Server uses a synchronization interval of 5 minutes: changes made to the domain accounts database on the PDC are reflected at the BDC every 5 minutes.

  1. Ensure that the PDC and BDC are both running
  2. If you are logged on the BDC, then log off the BDC now before proceeding
  3. Log on to the PDC as administrator
  4. Run User Manager for Domains
  5. Create a new user account, with the following properties
    no password change at log on required
    username = user2
  6. Perform the following steps immediately after creating the user on the PDC
  7. Log on at the BDC as user2
  8. Could you log on as this user at the BDC? [YES NO]
  9. As administrator on the PDC, start Server Manager
  10. Select the BDC in the list of servers, then choose Computer->Synchronize With Primary Domain Controller

    [Figure: Synchronizing domains]

  11. Choose Yes to send the changes in the domain accounts database to the BDC. This will cause the following dialog box to pop up

    [Figure: Synchronizing domains]

  12. Click OK
  13. Try to log on at the BDC as user2
  14. Could you log on successfully? [YES NO]
  15. Perform the following at the PDC as administrator
    Run User Manager for Domains
    Select Policies->User Rights
    Grant the Log on locally right to Everyone
  16. Re-synchronize the domain to send the account changes to the BDC
  17. Try to log on at the BDC as user2
  18. Could you log on successfully? [YES NO]
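The three YES/NO questions above (steps 8, 14 and 18) can be reasoned through with a small model of the mechanism the lab describes. The Python below is an added illustration, not part of the lab or of Windows NT: a PDC keeps the master database and a serial-numbered change log, and a BDC applies only the entries newer than the serial it last received, either on the 5-minute pulse or when an administrator forces a synchronization. The class names, the change-log layout and the right names are assumptions made for the model.

```python
PULSE_SECONDS = 300  # default pulse interval quoted by the lab

class PDC:
    def __init__(self):
        self.accounts = {}                     # username -> account record
        self.rights = {"Log on locally": {"Administrators"}}
        self.serial, self.changelog, self.last_pulse = 0, [], 0

    def _log(self, kind, key, value):
        self.serial += 1                       # every change bumps the serial
        self.changelog.append((self.serial, kind, key, value))

    def create_user(self, name, groups=("Domain Users",)):
        self.accounts[name] = {"groups": set(groups)}
        self._log("account", name, dict(self.accounts[name]))

    def grant_right(self, right, group):
        self.rights.setdefault(right, set()).add(group)
        self._log("right", right, set(self.rights[right]))

    def changes_since(self, serial):
        # Partial sync payload: only entries newer than the BDC's serial.
        return [c for c in self.changelog if c[0] > serial]

class BDC:
    def __init__(self):
        self.accounts, self.serial = {}, 0
        self.rights = {"Log on locally": {"Administrators"}}

    def synchronize(self, pdc):
        # Apply the PDC's newer change-log entries; return the new serial.
        for serial, kind, key, value in pdc.changes_since(self.serial):
            (self.accounts if kind == "account" else self.rights)[key] = value
            self.serial = serial
        return self.serial

    def validate_logon(self, name):
        # Report the lab's two failure modes before answering YES.
        rec = self.accounts.get(name)
        if rec is None:
            return "NO: account not yet replicated to this BDC"
        if not (rec["groups"] | {"Everyone"}) & self.rights["Log on locally"]:
            return "NO: no 'Log on locally' right at this server"
        return "YES"

def pulse(pdc, bdc, now):
    # Automatic replication fires only once a full pulse interval has elapsed.
    if now - pdc.last_pulse < PULSE_SECONDS:
        return None
    pdc.last_pulse = now
    return bdc.synchronize(pdc)
```

Calling bdc.synchronize(pdc) directly plays the role of Computer->Synchronize With Primary Domain Controller, while pulse() models the automatic 5-minute cycle.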

DIRECTORY REPLICATION
In this exercise, we shall enable directory replication between the PDC and the BDC of the domain. This will replicate the log on scripts and the system policies in the domain.

  1. Log on to the PDC as administrator
  2. Run User Manager for Domains
  3. Create a user account for the replication service, using the following details
    username = replicate
    all log on hours allowed
    membership of Domain Backup Operators and Replicators
    password never expires
    User Must Change Password at Next Log On is NOT selected
  4. Once you have added the user, run the Services Icon under Control Panel
  5. Configure the directory replicator service to start automatically, and log on as the user account replicate

    [Figure: Replicator Service]

  6. In order to copy log on scripts and policy files [which reside in the Netlogon share under the \<winnt_root>\system32\repl\import\scripts sub-directory], the required files must be copied to the export directory first.
  7. Copy the NTConfig.pol and logon1.bat files from the import/scripts to the export/scripts sub-directory.
  8. Start Server Manager
  9. Double-click the Primary Domain Controller and click the Replication button in the Properties box
  10. Specify the Export directory path and the Export Computer

    [Figure: PDC Replicator Export Details]

    In this example, the name of the export computer, the BDC for the domain, is HOUNDOG

  11. Click OK, then close Server Manager
  12. Log on to the BDC as administrator
  13. Run the Services Icon under Control Panel
  14. Configure the directory replicator service to start automatically, and log on as the user account replicate
  15. Start Server Manager
  16. Double-click the Backup Domain Controller and click the Replication button in the Properties box
  17. Specify the Import directory path and the Import Computer

    [Figure: BDC Replicator Import Details]

  18. Click OK, and Windows NT will attempt to start the Directory Replicator service on each domain controller.
  19. On the PDC, use Server Manager to look at the Replication details of the PDC. Choose Manage and ensure that the entire sub-directory tree is being exported, then click OK
  20. On the PDC, use Server Manager to look at the Replication details of the BDC. Choose Manage and check that the Status is OK [it should be similar to that shown below]

    [Figure: BDC Replicator Status Details]
    If the status is No Master, this indicates a problem with the export computer. Try stopping the Directory Replicator service on the PDC and then restarting it. The status should change to OK a couple of minutes after the service is restarted on the PDC.

  21. Use NT Explorer to verify that the import/scripts directory on the BDC contains the files NTConfig.pol and Blast.cmd
  22. Previously, logging on at the BDC did not apply the system policies or run the log on script. Test these features by logging on at the BDC as user1
  23. Did the system policies and log on script execute? [YES NO]
  24. Log off the BDC and also log off the PDC
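Step 21 checks by eye that the BDC's import\scripts copy matches what the PDC exported. The Python below is an added check, not part of the lab or of Windows NT: it hashes both trees and reports files that are missing, differ, or exist only on the importer, which is what a No Master status or a stalled replicator leaves behind. The demo builds constructed export and import directories under a temporary folder; in use you would point check_replication() at the paths of the two shares.

```python
import hashlib
import os
import shutil
import tempfile

def _digest(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def _snapshot(root):
    # Map each file's path relative to root (forward slashes) to its SHA-256.
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            files[rel] = _digest(full)
    return files

def check_replication(export_root, import_root):
    """Compare the exporter's tree with the importer's copy.
    Returns (status, detail): "OK" when the import tree is a byte-for-byte copy
    of the export tree, otherwise "STALE", plus the offending relative paths."""
    exp, imp = _snapshot(export_root), _snapshot(import_root)
    detail = {
        "missing": sorted(p for p in exp if p not in imp),
        "differs": sorted(p for p in exp if p in imp and exp[p] != imp[p]),
        "extra": sorted(p for p in imp if p not in exp),
    }
    return ("OK" if not any(detail.values()) else "STALE"), detail

def demo():
    # Constructed sample: export tree (PDC side) and a stale import tree (BDC side).
    base = tempfile.mkdtemp()
    export = os.path.join(base, "export", "scripts")
    imp = os.path.join(base, "import", "scripts")
    os.makedirs(export)
    os.makedirs(imp)
    with open(os.path.join(export, "NTConfig.pol"), "wb") as fh:
        fh.write(b"policy v2")
    with open(os.path.join(export, "logon1.bat"), "wb") as fh:
        fh.write(b"@echo off\r\n")
    with open(os.path.join(imp, "NTConfig.pol"), "wb") as fh:
        fh.write(b"policy v1")              # older copy not yet overwritten
    before = check_replication(export, imp)
    shutil.copytree(export, imp, dirs_exist_ok=True)  # a successful replication pass
    after = check_replication(export, imp)
    return before, after
```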

Summary
The domain accounts database is replicated from the PDC to each BDC in the domain. This occurs at a preset time interval [controlled by a setting in the registry], which defaults to 5 minutes. Only changes to the accounts database are sent to the BDCs.

The PDC holds the user accounts database for the domain, and the BDCs hold copies. Any changes to the domain accounts are made on the PDC, and the changes are then forwarded to each BDC. Because BDCs are also involved in validating user log on requests, it is possible for the user account information not to be available at the BDC yet when the user tries to log on.

Default rights at a server prevent ordinary users from logging on. Servers and domain controllers provide resources across the network, so users are prevented by default from logging on locally. Permission to log on locally is granted to a few users and groups.

If the PDC is to be taken down for maintenance or upgrading, the BDC is promoted to PDC. This ensures that new accounts can still be added and that changes to accounts remain possible. If there is no PDC, no changes to the accounts database are possible until the PDC is restored.
