Members View

 

DNTU’s Domain Members View provides you with the functionality to add machines to and remove machines from a domain. You may also Synchronize the Entire Domain (NT4 only) by selecting a machine and choosing the synchronize option from the right button menu. The Synchronize Monitor view provides functionality to synchronize a Backup Domain Controller with the Primary Domain Controller and Force full Synchronization with the Primary Domain Controller. DameWare NT Utilities will dynamically determine the role each computer within the Domain Members view is playing and will display the appropriate icon for that computer type. You may selectively display computers within this view, including View All Computers, View Workstations Only, View Servers Only and View Members Only. When a computer is selected, you may remove it from the domain or add a new member to the domain.

 

The Domain Members window view will display the Computer Count, Status, Computer Name, Computer type, Description and Version, all of which are selectable for column sorting and column ordering.

The following icons distinguish the computer type(s) within the Domain Members view:

[Machine icon] This icon represents machines that are Windows NT/2000/XP Workstation clients

[Server icon] This icon represents machines that are Windows NT/2000/2003 servers

[Disabled machine icon] This icon represents an Inactive Windows NT/2000/XP/2003 Workstation or Server

[Domain icon] This icon represents a Windows NT/2000/2003 Domain Controller

[Grayed PDC icon] This icon represents an Inactive Windows NT/2000/2003 Domain Controller

 

Synchronize Monitor View

The Members->Synchronize Monitor View contains several columns of information for both the Selected Domain Controller and All Domain Controllers within a domain:

Machine - Primary Domain Controller or Backup Domain Controllers
Sync. Item - Description of the sync item
Status - In the case of sync item "Connection Status", this contains any error that may occur or zero (0), if no errors. All other sync items indicate "Yes", if sync item is occurring or "No", if sync item is not occurring.
Last - When the sync item last occurred
Count - The count of times the sync has occurred.
Error - The error condition

Note:
It is possible to miss a sync event if the event occurs between checks. A smaller refresh interval could help eliminate this condition.

 

NetLogon Service

The NetLogon Service automatically synchronizes changes in the Windows NT/2000 directory database stored on the Primary Domain Controller (PDC) to all Backup Domain Controllers (BDCs). Based on settings in the registry, the PDC sends timed notices that signal the BDCs to request changes at the same time. When a BDC requests changes, it informs the PDC of the last change it received so that the PDC can determine whether a BDC needs updating. If a BDC is up to date, its NetLogon service does not request changes.

The NetLogon Service synchronizes three domain directory databases: the security accounts manager (SAM) database, the SAM built-in database and the Local Security Authority (LSA) license database.

SAM accounts: Microsoft domain user and group accounts that you create. Includes all computer accounts added to the domain such as domain controllers (DCs) and Windows NT/2000/XP/2003/Vista/2008/Windows7 computers.

SAM built-in: Local machine built-in user and group accounts such as Administrator, Domain Admins, etc.

LSA: LSA Secrets that are used for trust relationships and DC computer account passwords. Also includes the account policy settings that you configure.

Synchronization occurs:

When a backup domain controller is initialized or restarted in the domain.

When "forced" by a network administrator using Server Manager.

Automatically, by the DCs, depending upon Windows NT/2000/XP/2003/Vista/2008/Windows7 registry configuration.

The change log records changes to the domain-directory databases, including new or modified passwords, user and group accounts, group membership and user rights. Its size determines how many changes the log can hold and for how long. Typically, the change log holds approximately 2000 changes, retaining only the most recent changes and deleting the oldest ones first. When a BDC requests changes, it receives only changes that occurred since the last synchronization.

The NetLogon Service checks for updates every five minutes (default). If a BDC does not request changes in a timely manner, the entire domain directory must be copied to that BDC. For example, if a BDC is offline for a time (such as for system repair), more changes could occur during that timeframe than can be stored in the change log.

Partial synchronization consists of the automatic, timed replication of directory database changes to all BDCs since the last synchronization. Full synchronization copies the entire directory database to a BDC. This occurs automatically when changes have been deleted from the change log before replication or when you add a new BDC to a domain.
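
The partial-versus-full decision described above, as an added example (not DameWare or Microsoft code): a toy model of the PDC change log. The per-change serial numbers and all names are assumptions of this sketch; the capacity of 2000 is the approximate figure given in the text.

```python
from collections import deque

CHANGE_LOG_CAPACITY = 2000  # approximate figure given in the text


class PdcChangeLog:
    """Toy model of the PDC change log: bounded, oldest entries dropped first."""

    def __init__(self, capacity=CHANGE_LOG_CAPACITY):
        self.entries = deque(maxlen=capacity)  # (serial, description)
        self.serial = 0  # serial number of the most recent change (assumed scheme)

    def record(self, description):
        self.serial += 1
        self.entries.append((self.serial, description))

    def answer_bdc(self, bdc_last_serial):
        """Decide what a BDC that last received `bdc_last_serial` must get.

        None means a BDC that has never synchronized (newly added).
        Returns (kind, changes), kind being "none", "partial" or "full".
        """
        if bdc_last_serial is None:
            return "full", []
        if bdc_last_serial == self.serial:
            return "none", []
        oldest_kept = self.entries[0][0] if self.entries else self.serial + 1
        # The next change the BDC needs has already been deleted from the log.
        if bdc_last_serial + 1 < oldest_kept:
            return "full", []
        return "partial", [e for e in self.entries if e[0] > bdc_last_serial]


def demo():
    log = PdcChangeLog()
    for i in range(100):
        log.record(f"password change for user{i}")  # constructed sample data
    up_to_date = log.answer_bdc(100)
    briefly_behind = log.answer_bdc(90)
    # The BDC goes offline at serial 100 while 2500 more changes occur.
    for i in range(2500):
        log.record(f"group membership change {i}")
    long_offline = log.answer_bdc(100)
    new_bdc = log.answer_bdc(None)
    return up_to_date, briefly_behind, long_offline, new_bdc
```

A BDC that falls back to full synchronization was serving an out-of-date copy of the account database (passwords, group membership, user rights) for the whole time it was behind.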

Both the NetLogon Service updates and the change log size ensure that full synchronization does not start up under most operating conditions. In the WAN environment, you can control and refine NetLogon activity using the Windows NT/2000/XP/2003/Vista/2008/Windows7 registry entries and methods described below.

One way to reduce the number of full synchronizations is to build BDCs at the corporate network site so that the full directory database can be quickly transferred from a PDC to BDCs. You can then send the new BDC to the branch office and put it into service as soon as possible (within 3 to 6 days of dispatch). When the new BDC starts up, it contacts the PDC to obtain any directory database changes that occurred while the BDC was offline.