LAN Manager 2.0 Primary Domain Controller

While messing around with late 1980s and early 1990s networking software, I had the need to switch a LAN Manager 2.0 server to the primary domain controller role, so that it could run the Netlogon service and I could use clients which log onto the network. It was difficult enough that I needed to write it down.

It’s not that the process is undocumented, and I do have the complete documentation set on the Microsoft Programmer’s Library CDs. But the documentation is quite difficult to find (even though the Programmer’s Library is decently searchable) and somehow not very clear.

First of all, there are of course two ways to do it, either from the full-screen user interface or from the command line. I will skip the UI part because clicking around is harder than running a few simple commands.

I will just note that when on the server machine, running NET is not the same as NET ADMIN, even though the interface looks deceptively similar, and in fact the initial screen is 100% identical:

LAN Manager 2.0 NET or NET ADMIN screen

But with NET ADMIN, there are additional options in the UI. Here is the Accounts menu when running NET:

The Accounts menu when running NET

And here is the same Accounts menu when running NET ADMIN:

The Accounts menu when running NET ADMIN

Oh look, now there’s a lot more, but you’d never guess from the initial screen. From Chapter one of How to Create a Confusing User Interface. Anyway, the UI method is much harder to explain, so I won’t do it.

Background

Let’s start with a bit of background. In Microsoft world, there are several kinds of servers: Primary, Backup, Member, and Standalone. The first three all belong to a domain, while a Standalone server does not.

The crucial difference is that a Standalone server does not run the Netlogon service, cannot validate domain logons, and only provides local logon. That does not mean a Standalone server can’t share resources, but usage is somewhat different.

In a domain, users have domain-wide accounts. The one Primary server holds the master logon database and runs the Netlogon service. The Primary server is the only one allowed to make changes to the accounts database.

A Backup server (of which there can be several) also runs the Netlogon service and synchronizes its accounts database (the NET.ACC file) with the Primary server. The Backup server can also validate logons, but only passively accepts changes to the accounts database from the Primary server.

Member servers are part of the domain and also run the Netlogon service, but do not actually validate logon requests. It’s not practical to have a Member server without at least the Primary server. A minimal domain contains just the Primary server.

For completeness, LAN Manager 2.0 also supports the old share-level security, where a shared resource itself is protected by a password; anyone who knows the password can access the resource, without necessarily needing a user account.

How To Do It

Now back to the problem at hand. When LAN Manager 2.0 is installed, it cannot be set up as a Primary server (that probably would have made sense, much like a NetWare 4.x server allows creating the NDS tree during installation, but that’s just not how it works with LM). And it’s not only a matter of making the server Primary and starting the Netlogon service, because that will only result in the following unhelpful error message:

NET3055: A problem exists with the system configuration. The user accounts system isn't configured correctly.

Real helpful, guys. At least the error message does not include the one thing guaranteed to drive system administrators crazy, “Please contact your system administrator”.

So let’s fix it. If the server isn’t already Standalone, make it so by running

NET ACCOUNTS /ROLE:STANDALONE

Remember that the default administrator account is ‘ADMIN’, and the default password is ‘password’.

And now the few simple but not terribly obvious steps. If the LAN Man 2.0 server is called MYSERVER, it’s necessary to do the following:

NET USER MYSERVER password /ADD
NET GROUP SERVERS /ADD
NET GROUP SERVERS MYSERVER /ADD
NET ACCOUNTS /ROLE:PRIMARY

That creates an account for the server itself, creates a group named SERVERS, adds the server account to said group, and switches the server role to Primary. And now, starting the Netlogon service magically works!

There’s no way to guess the sequence of steps from the LM 2.0 error message, but fortunately newer versions (LAN Manager 2.1/2.2) provide much more detailed errors which explain what exactly is wrong, instead of useless hand waving about the system not being configured correctly. And although steps are mentioned in the LM 2.0 documentation, they aren’t easy to find.

The SERVERS group controls access to the Netlogon service, and even the Primary server itself needs to be its member. It makes some sort of sense. And there’s clearly a reason why system administration tends to be a full-time job.

This entry was posted in LAN Manager, Microsoft, Networking. Bookmark the permalink.

3 Responses to LAN Manager 2.0 Primary Domain Controller

  1. Yuhong Bao says:

    It is funny how NT went to requiring a DC be selected during installation, until the introduction of Active Directory and DCPROMO in NT5.

  2. Logically I can see why it’d need to do what you have to do, but why would they be asking a USER/ADMIN to do it?

    NT/WFW really is everything that OS/2 should have been. It’s unreal how convoluted, and disparent it is. The only mistake from Windows 95 was not having TCP/IP in the default setup, but the world of corporate NetBEUI/IPXSPX Lans was just too high.

  3. Yuhong Bao says:

    AFAIK even NT requires the computer account to be added before a member can join the NT domain.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.