While messing around with late 1980s and early 1990s networking software, I needed to switch a LAN Manager 2.0 server to the primary domain controller role, so that it could run the Netlogon service and I could use clients that log on to the network. It was difficult enough that I needed to write it down.
It’s not that the process is undocumented, and I do have the complete documentation set on the Microsoft Programmer’s Library CDs. But the documentation is quite difficult to find (even though the Programmer’s Library is decently searchable) and somehow not very clear.
First of all, there are of course two ways to do it, either from the full-screen user interface or from the command line. I will skip the UI part because clicking around is harder than running a few simple commands.
I will just note that when on the server machine, running NET is not the same as NET ADMIN, even though the interface looks deceptively similar, and in fact the initial screen is 100% identical:
But with NET ADMIN, there are additional options in the UI. Here is the Accounts menu when running NET:
And here is the same Accounts menu when running NET ADMIN:
Oh look, now there’s a lot more, but you’d never guess from the initial screen. From Chapter one of How to Create a Confusing User Interface. Anyway, the UI method is much harder to explain, so I won’t do it.
Let’s start with a bit of background. In Microsoft world, there are several kinds of servers: Primary, Backup, Member, and Standalone. The first three all belong to a domain, while a Standalone server does not.
The crucial difference is that a Standalone server does not run the Netlogon service, cannot validate domain logons, and only provides local logon. That does not mean a Standalone server can’t share resources, but usage is somewhat different.
In a domain, users have domain-wide accounts. The one Primary server holds the master logon database and runs the Netlogon service. The Primary server is the only one allowed to make changes to the accounts database.
A Backup server (of which there can be several) also runs the Netlogon service and synchronizes its accounts database (the NET.ACC file) with the Primary server. The Backup server can also validate logons, but only passively accepts changes to the accounts database from the Primary server.
Member servers are part of the domain and also run the Netlogon service, but do not actually validate logon requests. It’s not practical to have a Member server without at least the Primary server. A minimal domain contains just the Primary server.
For completeness, LAN Manager 2.0 also supports the old share-level security, where a shared resource itself is protected by a password; anyone who knows the password can access the resource, without necessarily needing a user account.
How To Do It
Now back to the problem at hand. When LAN Manager 2.0 is installed, it cannot be set up as a Primary server (that probably would have made sense, much like a NetWare 4.x server allows creating the NDS tree during installation, but that’s just not how it works with LM). And it’s not only a matter of making the server Primary and starting the Netlogon service, because that will only result in the following unhelpful error message:
NET3055: A problem exists with the system configuration. The user accounts system isn't configured correctly.
Real helpful, guys. At least the error message does not include the one thing guaranteed to drive system administrators crazy, “Please contact your system administrator”.
So let’s fix it. If the server isn’t already Standalone, make it so by running
NET ACCOUNTS /ROLE:STANDALONE
Remember that the default administrator account is ‘ADMIN’, and the default password is ‘password’.
And now the few simple but not terribly obvious steps. If the LAN Man 2.0 server is called MYSERVER, it’s necessary to do the following:
NET USER MYSERVER password /ADD
NET GROUP SERVERS /ADD
NET GROUP SERVERS MYSERVER /ADD
NET ACCOUNTS /ROLE:PRIMARY
That creates an account for the server itself, creates a group named SERVERS, adds the server account to said group, and switches the server role to Primary. And now, starting the Netlogon service magically works!
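The same sequence as an OS/2 CMD batch file, added here as an illustration and not taken from the original post, with the checks before and after each step that make a failure easier to localize than NET3055 does. It assumes it is run at the server's own prompt as ADMIN with the Server service already started; MYSERVER stands in for the real server name, 'password' for the server account is the value used in the post, and NewAdminPw1 is a placeholder (the NET USER name password form for changing an existing account's password is assumed to match LM 2.0 syntax).

```batch
@ECHO OFF
REM Added example, not from the original post. Assumes an OS/2 LAN Manager 2.0
REM server with the Server service running and an ADMIN session.
REM MYSERVER and NewAdminPw1 are placeholders.

REM 1. Record the current role and account policy before touching anything.
NET ACCOUNTS

REM 2. Start from Standalone, as the post requires (harmless if already there).
NET ACCOUNTS /ROLE:STANDALONE

REM 3. The server needs an account of its own; the post uses 'password'.
NET USER MYSERVER password /ADD

REM 4. Access to Netlogon is gated by membership in the SERVERS group,
REM    and the Primary server itself must be a member.
NET GROUP SERVERS /ADD
NET GROUP SERVERS MYSERVER /ADD

REM 5. Confirm the membership before changing the role; if MYSERVER is
REM    missing here, the role change below will not help.
NET GROUP SERVERS

REM 6. Promote and start Netlogon. NET3055 at this point means one of the
REM    steps above did not take effect.
NET ACCOUNTS /ROLE:PRIMARY
NET START NETLOGON

REM 7. The server now validates domain logons, so replace the shipped
REM    ADMIN/password default (placeholder value; syntax assumed).
NET USER ADMIN NewAdminPw1

REM 8. Final state: role, and the list of services now running.
NET ACCOUNTS
NET START
```

If step 6 still fails, rerun NET GROUP SERVERS and NET USER (with no arguments) to confirm that both the group and the server account exist before trying the role change again.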
There’s no way to guess the sequence of steps from the LM 2.0 error message, but fortunately newer versions (LAN Manager 2.1/2.2) provide much more detailed errors which explain what exactly is wrong, instead of useless hand waving about the system not being configured correctly. And although the steps are mentioned in the LM 2.0 documentation, they aren’t easy to find.
The SERVERS group controls access to the Netlogon service, and even the Primary server itself needs to be a member of it. It makes some sort of sense. And there’s clearly a reason why system administration tends to be a full-time job.