Windows NT 4.0 Domain Controller Configuration Guide

Tyler Maginnis | January 17, 2024

Tags: Windows NT 4.0, Domain Controller, PDC, BDC, Authentication, Network Management


Introduction

Windows NT 4.0's domain model provides centralized authentication and management for network resources. This guide covers the setup, configuration, and management of Primary Domain Controllers (PDC) and Backup Domain Controllers (BDC).

Understanding NT Domain Architecture

Domain Model Overview

  • Single Master Model: Only the PDC can make changes to the domain database
  • Flat Namespace: No hierarchical structure like Active Directory
  • SAM Database: Security Accounts Manager stores user and computer accounts
  • NetBIOS-based: Relies on NetBIOS name resolution

Domain Controller Roles

Primary Domain Controller (PDC)

  • Maintains the master copy of the domain database
  • Handles all password changes and account modifications
  • Performs authentication for domain users
  • Only one PDC per domain

Backup Domain Controller (BDC)

  • Maintains read-only copy of domain database
  • Provides authentication services
  • Can be promoted to PDC if needed
  • Multiple BDCs recommended for redundancy

Planning Your Domain Structure

Domain Limitations

  • SAM Size: Maximum 40 MB (approximately 40,000 users)
  • Domain Name: 15 characters maximum (NetBIOS limitation)
  • Trust Relationships: Manual configuration required
  • No Transitive Trusts: Each trust must be explicitly defined

Single Domain Model

Best for organizations with:

  • Less than 40,000 users
  • Centralized administration
  • Single geographic location

Master Domain Model

Suitable for:

  • Centralized user management
  • Decentralized resource management
  • Multiple departments

Multiple Master Domain Model

For large organizations with:

  • More than 40,000 users
  • Geographic distribution
  • Departmental autonomy

Setting Up Primary Domain Controller

Method 1: During Installation

  1. Start Windows NT Server Setup
  2. Choose Server Type
     Select type of server:
       [X] Primary Domain Controller
       [ ] Backup Domain Controller
       [ ] Stand-alone Server
  3. Enter Domain Name
       • Maximum 15 characters
       • No spaces or special characters
       • Example: CORP or HEADQUARTERS

Method 2: Promoting Stand-alone Server

  1. Open Server Manager
     Start → Programs → Administrative Tools → Server Manager
  2. Promote to PDC
       • Click the Computer menu
       • Select "Promote to Primary Domain Controller"
       • Enter the new domain name
       • Confirm the promotion
  3. Restart Server
       • Required for the change to take effect
       • The server will start as the PDC

Initial PDC Configuration

  1. Set Administrator Password
     User Manager for Domains → Administrator → Properties
       • Set a strong password
       • Document it in a secure location
  2. Configure Computer Account
     Server Manager → Computer → Properties
       • Verify domain membership
       • Check replication settings

Configuring Backup Domain Controllers

Installing BDC

  1. During NT Server Installation
       • Select "Backup Domain Controller"
       • Enter the existing domain name
       • Provide domain administrator credentials
  2. Network Requirements
       • Must be able to contact the PDC
       • Requires NetBIOS name resolution
       • WINS server recommended

BDC Synchronization Settings

  1. Open Server Manager on the PDC
  2. Configure Replication
     Computer → Properties → Replication

     Replication Governor:
       • Pulse: 5 minutes
       • Pulse Concurrency: 10
       • Pulse Maximum: 30 minutes

Managing Multiple BDCs

Best practices for BDC placement:

  • Geographic Distribution: Place BDCs at remote sites
  • Load Balancing: Distribute the authentication load
  • Redundancy: Minimum of 2 BDCs recommended
  • WAN Links: Configure appropriate replication intervals

Trust Relationships

Creating Trust Relationships

  1. Open User Manager for Domains
     Start → Programs → Administrative Tools → User Manager for Domains
  2. Access Trust Relationships
     Policies → Trust Relationships
  3. Add Trusted Domain
       • Click "Add" in the Trusted Domains section
       • Enter the domain name and password
       • The password must match on both domains

Trust Configuration Examples

One-Way Trust

Domain A trusts Domain B:

Domain A (Trusting):
- Add Domain B to Trusted Domains
- Users from Domain B can access Domain A resources

Domain B (Trusted):
- Add Domain A to Trusting Domains
- Users can access Domain A resources

Two-Way Trust

Mutual trust between domains:

  1. Configure Domain A to trust Domain B
  2. Configure Domain B to trust Domain A
  3. Test access in both directions

Domain Security Configuration

Account Policies

Configure in User Manager for Domains:

  1. Password Policy
     Policies → Account

     Recommended Settings:
       • Maximum Password Age: 42 days
       • Minimum Password Age: 1 day
       • Minimum Password Length: 8 characters
       • Password Uniqueness: 5 passwords
       • Account lockout threshold: 3 attempts
       • Reset count after: 30 minutes
       • Lockout duration: 30 minutes

  2. User Rights
     Policies → User Rights

     Critical Rights to Configure:
       • Log on locally: Restrict on DCs
       • Access this computer from network: Domain Users
       • Change system time: Administrators only
       • Shut down the system: Administrators only

Audit Policy

Enable auditing for security monitoring:

User Manager → Policies → Audit

Recommended Audit Settings:
[X] Logon and Logoff
    [X] Success  [X] Failure
[X] File and Object Access
    [X] Success  [X] Failure
[X] Use of User Rights
    [ ] Success  [X] Failure
[X] User and Group Management
    [X] Success  [X] Failure
[X] Security Policy Changes
    [X] Success  [X] Failure
[X] Restart, Shutdown, and System
    [X] Success  [X] Failure
[X] Process Tracking
    [ ] Success  [ ] Failure

WINS Integration

Why WINS is Critical

  • Provides NetBIOS name resolution
  • Essential for domain controller location
  • Required for browsing across subnets

WINS Configuration for DCs

  1. Install WINS Service
     Control Panel → Network → Services → Add
     Select "Windows Internet Name Service"
  2. Configure WINS Client
     TCP/IP Properties → WINS Address
       • Primary WINS Server: [IP Address]
       • Secondary WINS Server: [IP Address]
  3. Special NetBIOS Names
     Domain controllers register:
       • DOMAIN<1B>: Domain Master Browser
       • DOMAIN<1C>: Domain Controllers group
       • DOMAIN<1D>: Master Browser
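As an added example (not from the original guide), the Python below applies the guide's domain-name rules (15 characters, no spaces or special characters) and shows how the three special names above look on the wire: a NetBIOS name is 16 bytes, the name space-padded to 15 characters plus the suffix byte, and RFC 1001 first-level encoding turns each byte into two letters A-P. The function names and the letters-and-digits-only reading of the rule are this example's assumptions.

```python
import re

# Suffixes a domain controller registers (listed above)
DC_SUFFIXES = {0x1B: "Domain Master Browser",
               0x1C: "Domain Controllers group",
               0x1D: "Master Browser"}

def validate_domain_name(name: str) -> str:
    """Guide's rules: 1-15 characters, no spaces or special characters.
    Assumption: only letters and digits count as allowed characters."""
    if not 1 <= len(name) <= 15:
        raise ValueError("domain name must be 1-15 characters (NetBIOS limit)")
    if not re.fullmatch(r"[A-Za-z0-9]+", name):
        raise ValueError("domain name may contain only letters and digits")
    return name.upper()

def netbios_encode(name: str, suffix: int) -> str:
    """16-byte NetBIOS name (15 chars space-padded + suffix byte) in RFC 1001
    first-level encoding: each nibble becomes a letter A-P, 32 chars total."""
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    return "".join(chr(65 + (b >> 4)) + chr(65 + (b & 0x0F)) for b in raw)

def netbios_decode(encoded: str) -> tuple:
    """Inverse of netbios_encode: returns (name, suffix)."""
    if not re.fullmatch(r"[A-P]{32}", encoded):
        raise ValueError("expected 32 characters in the range A-P")
    raw = bytes(((ord(encoded[i]) - 65) << 4) | (ord(encoded[i + 1]) - 65)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]

def dc_registrations(domain: str) -> dict:
    """Map each name a DC registers, e.g. 'CORP<1C>', to its wire encoding."""
    domain = validate_domain_name(domain)
    return {f"{domain}<{s:02X}>": netbios_encode(domain, s) for s in DC_SUFFIXES}

if __name__ == "__main__":
    for label, wire in dc_registrations("CORP").items():
        print(f"{label:<20} {wire}")
```

The encoded form is what appears in NetBIOS name registration and query packets, so it is also what a WINS database or a packet capture shows when checking that a DC registered its <1B>, <1C> and <1D> names.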

Performance Optimization

PDC Optimization

  1. Hardware Recommendations
       • Fast processor (Pentium Pro or better)
       • Minimum 64 MB RAM (128 MB recommended)
       • Fast SCSI disk subsystem
       • Dedicated to the domain controller role
  2. Service Configuration
     Disable unnecessary services:
     Control Panel → Services

     Services to Disable:
       • Alerter (unless using)
       • ClipBook Server
       • Messenger (unless required)
       • Schedule (unless using AT commands)
  3. Registry Optimizations
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

       Pulse = 300 (5 minutes)
       PulseConcurrency = 20
       PulseMaximum = 7200 (2 hours)

Network Optimization

  1. Dedicated Network Segment
       • Place DCs on the same subnet when possible
       • Use a switched network for better performance
       • Consider a dedicated replication network
  2. Protocol Binding Order
     Control Panel → Network → Bindings

     Optimize order:
       1. Server service → TCP/IP
       2. Server service → NetBEUI (if used)
       3. Workstation service → TCP/IP

Monitoring and Maintenance

Event Log Monitoring

Key event logs to monitor:

  1. System Log
       • Hardware errors
       • Service failures
       • Replication issues
  2. Security Log
       • Authentication failures
       • Account changes
       • Policy modifications
  3. Application Log
       • Directory service errors
       • Database issues
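The Audit Policy settings above produce the Security-log events this checklist asks you to watch (authentication failures, account changes, policy modifications). As an added example that is not part of the original guide, the Python below runs that detection over a constructed sample export: it counts failed logons per user with the same threshold and 30-minute reset as the recommended Account Policy, and flags lockout, account-management and audit-policy events. The event-ID mapping and the "date time event_id user" export format are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows NT 4.0 Security-log event IDs (mapping assumed by this example)
LOGON_FAILURE = 529      # logon failure: unknown user name or bad password
ACCOUNT_LOCKED = 539     # logon failure: account locked out
ACCOUNT_MGMT = {624: "user account created", 630: "user account deleted",
                632: "global group member added", 642: "user account changed"}
POLICY_CHANGE = {612: "audit policy changed", 517: "audit log cleared"}

LOCKOUT_THRESHOLD = 3                  # recommended Account Policy: 3 attempts
RESET_WINDOW = timedelta(minutes=30)   # reset count after 30 minutes

# Constructed sample export in "date time event_id user" form, not real output
SAMPLE_LOG = """\
2024-01-17 08:02:00 529 bjones
2024-01-17 08:40:00 529 bjones
2024-01-17 09:10:00 529 bjones
2024-01-17 09:12:00 529 bjones
2024-01-17 09:13:00 529 bjones
2024-01-17 09:13:30 539 bjones
2024-01-17 09:30:00 624 Administrator
2024-01-17 09:31:00 612 Administrator
"""

def parse_log(text: str) -> list:
    """Return (timestamp, event_id, user) tuples in log order."""
    events = []
    for line in text.splitlines():
        date, time, event_id, user = line.split()
        events.append((datetime.fromisoformat(f"{date} {time}"), int(event_id), user))
    return events

def analyze(events: list) -> list:
    """Return alert strings; failed-logon counts drop attempts older than RESET_WINDOW."""
    alerts = []
    failures = defaultdict(list)   # user -> timestamps of recent 529 events
    for ts, event_id, user in events:
        if event_id == LOGON_FAILURE:
            failures[user] = recent = [t for t in failures[user] if ts - t < RESET_WINDOW] + [ts]
            if len(recent) >= LOCKOUT_THRESHOLD:
                alerts.append(f"{ts} {user}: {len(recent)} failed logons within 30 min")
        elif event_id == ACCOUNT_LOCKED:
            alerts.append(f"{ts} {user}: account locked out (event 539)")
        elif event_id in ACCOUNT_MGMT:
            alerts.append(f"{ts} {user}: {ACCOUNT_MGMT[event_id]} (event {event_id})")
        elif event_id in POLICY_CHANGE:
            alerts.append(f"{ts} {user}: {POLICY_CHANGE[event_id]} (event {event_id})")
    return alerts
```

In the sample, the failures at 08:02 and 08:40 fall outside the 30-minute window of the later burst, so only the three attempts between 09:10 and 09:13 trip the threshold, matching how the lockout counter itself resets.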

Performance Monitoring

Use Performance Monitor for:

Key Counters:
- System\Processor Queue Length
- Memory\Pages/sec
- PhysicalDisk\Disk Queue Length
- Server\Errors Logon
- WINS Server\Queries/sec

Regular Maintenance Tasks

  1. Weekly
       • Review event logs
       • Check replication status
       • Verify BDC synchronization
  2. Monthly
       • Review user accounts
       • Check trust relationships
       • Analyze performance logs
  3. Quarterly
       • Test BDC promotion procedures
       • Review and update documentation
       • Perform a disaster recovery drill

Troubleshooting Common Issues

Replication Problems

Symptoms: BDCs not receiving updates

Solutions:

  1. Check network connectivity
       ping [PDC_NAME]
       nbtstat -a [PDC_NAME]
  2. Force synchronization
     Server Manager → [BDC_NAME] → Synchronize with PDC
  3. Check the Event Logs for errors

Authentication Failures

Symptoms: Users cannot log on

Diagnostics:

  1. Verify domain controller availability
  2. Check account status in User Manager
  3. Review the security event log
  4. Test with a known good account

Trust Relationship Broken

Symptoms: "No trust relationship" errors

Resolution:

  1. Delete the trust on both sides
  2. Recreate the trust relationship
  3. Ensure matching passwords
  4. Verify NetBIOS name resolution

Browser Election Conflicts

Symptoms: Network neighborhood issues

Fix:

  1. Check browser roles:
       browstat status
       browstat elect
  2. Configure the PDC as Domain Master Browser (Registry):
       MaintainServerList = Yes
       IsDomainMaster = Yes

Disaster Recovery

PDC Failure Procedures

  1. Immediate Response
       • Identify an operational BDC
       • Promote the BDC to PDC
       • Notify administrators
  2. Promotion Process
     On the selected BDC:
     Server Manager → Computer → Promote to Primary Domain Controller
  3. Post-Promotion
       • Verify domain functionality
       • Update WINS registrations
       • Check trust relationships

Backup Strategies

  1. System State Backup
       • Use NT Backup
       • Include the Registry
       • Schedule daily backups
  2. Domain Database Backup
     Files to back up:
       %SystemRoot%\System32\Config\SAM
       %SystemRoot%\System32\Config\SECURITY
       %SystemRoot%\System32\Config\SYSTEM
  3. Recovery Testing
       • Maintain an offline BDC
       • Test promotion procedures
       • Document recovery steps

Migration Path

Planning for Active Directory

When preparing for future migration:

  1. Document Current Environment
       • All domain controllers
       • Trust relationships
       • Group memberships
       • Security policies
  2. Clean Up Before Migration
       • Remove unused accounts
       • Consolidate domains if possible
       • Update documentation
  3. Test Migration Process
       • Use a test environment
       • Practice upgrade procedures
       • Identify potential issues

Best Practices Summary

  1. Always maintain multiple BDCs
  2. Document all configurations
  3. Test disaster recovery procedures
  4. Monitor performance regularly
  5. Keep service packs current
  6. Implement strong security policies
  7. Plan for future growth
  8. Maintain proper backups

Conclusion

Windows NT 4.0 domain controllers require careful planning and regular maintenance. While the technology is outdated, these systems may still be found in legacy environments. Understanding their operation is crucial for maintaining existing systems or planning migrations to modern platforms.