Q and A
Asked and Answered
BDC Brain Teasers
1. If we were building a DB2 Universal Database (UDB) for Windows server as a backup domain controller (BDC) on a network with fifty servers, would we have to build it as a BDC or as one of the DB2 UDB servers?
Femi Bello, DBA, London
Paul Zikopoulos, IBM Canada, responds:
To clarify terms, you would be building a DB2 UDB server on a BDC. DB2 UDB is a database server and a BDC is a Windows server.
The objective of the BDC in a Windows environment is to serve as a
domain controller when the Primary Domain Controller (PDC) goes down.
Because the BDC has a local copy of the security database, if you choose
to install a DB2 UDB server on a BDC, you could configure DB2 to use the
local SAM to enumerate group membership, rather than having to contact
the PDC. This can be advantageous for performance reasons because
authentication is local and you have reduced network traffic.
You should note, however, that since the BDC contains a read-only copy of the SAM, you cannot create a user account on this machine. Therefore, if you want to install DB2 UDB on a BDC, the user account that you want to perform the installation with must already exist.
For performance reasons, when you run DB2 UDB on a BDC, I recommend that you set the DB2DMNBCKCTLR DB2 registry variable (you can use DB2DMNBCKCTLR=? to determine which PDC is backed up by your BDC). Using this DB2 registry variable will force DB2 to use the local SAM rather than the one located on the PDC. The downside is that the SAM on the BDC may be out of sync with the master copy located on the PDC. This "out-of-sync" state can occur when the PDC's security database is updated but the changes are not propagated to a BDC (for example, if there are network latencies or if the computer browser service is not operational).
2. If I wanted to modify the DB2DMNBCKCTLR DB2 registry variable, would this change have to be applied to all servers or client machines in my environment?
If your DB2 UDB server also acts as a BDC, you can improve DB2 performance and reduce network traffic if you configure DB2 to use the BDC for security checks. You can specify the BDC to DB2 by setting the DB2DMNBCKCTLR DB2 registry variable on the DB2 UDB server. If you know the name of the domain for which the DB2 server is the BDC, use the following command:
db2set DB2DMNBCKCTLR=DOMAIN_NAME
Note that DOMAIN_NAME must be in upper case.
This DB2 registry variable is only available on DB2 UDB servers. Of course, I am assuming you are using server rather than client authentication. For more details on this DB2 registry variable, refer to the DB2 Administration Guide.
3. Why do Web connections from WebSphere clients on database servers drop
whenever a PDC is unavailable without authenticating against the BDC?
DB2 first tries to find the PDC. If that search fails, it will look for a BDC (unless of course you override this behavior with the DB2DMNBCKCTLR DB2 registry variable, causing DB2 to forgo the PDC search). If you are not running DB2 on a BDC but the BDC and the PDC that contain the user accounts are in the same domain as the machine running DB2, DB2 should be able to find the BDC if the PDC goes down. If all your machines are in the same domain and you are still having authentication problems, you need to take a trace and ask service to investigate.
I ran a test with a CONNECT and it worked, even after the PDC shut down. There is no need to promote the BDC to PDC for DB2 authentication to work. In the test environment, the PDC, the BDC, and the DB2 server machine all belonged to the same Windows NT version 4 domain.
If the PDC and the BDC are not in the same domain as the DB2 UDB server, this approach will not work. If the BDC and the PDC are in different domains, set the DB2_GRP_LOOKUP=DOMAIN DB2 registry variable. You can use the domain controller in the DB2 domain to locate a domain controller in the accounts domain (or whatever domain contains the BDC and PDC in question).
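Answers 2 and 3 above give three settings that change where DB2 goes for its security checks: DB2DMNBCKCTLR set to an upper-case domain name (local SAM on the BDC), DB2DMNBCKCTLR=? (let DB2 discover the domain), and DB2_GRP_LOOKUP=DOMAIN (group lookup through a domain controller in the accounts domain). The following audit script is an added example, not IBM code or part of the original column. It parses the output of db2set -all, applies the registry's level precedence, reports the lookup path the effective settings imply, and flags a DB2DMNBCKCTLR value that is not in upper case. The db2set output embedded below is a constructed sample; the precedence order (environment, node, instance, global) and the [e]/[n]/[i]/[g] line prefixes are assumptions from my own DB2 experience, not stated on this page.

```python
import re
import subprocess

# Constructed sample of "db2set -all" output; not captured from a real server.
# The instance-level [i] value deliberately overrides the global [g] one.
SAMPLE_DB2SET_OUTPUT = """\
[e] DB2PATH=C:\\SQLLIB
[i] DB2DMNBCKCTLR=salesdom
[i] DB2COMM=TCPIP
[g] DB2SYSTEM=DB2NODE1
[g] DB2DMNBCKCTLR=?
"""

# Assumed precedence of registry levels (lower number wins):
# environment [e], node [n], instance [i], global [g].
LEVEL_PRECEDENCE = {"e": 0, "n": 1, "i": 2, "g": 3}

_LINE = re.compile(r"^\[([eing])\]\s+([A-Za-z0-9_]+)=(.*)$")


def parse_db2set(output):
    """Return {VARIABLE: (level, value)} keeping the highest-precedence setting."""
    effective = {}
    for raw in output.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue  # skip blank lines and any headings db2set prints
        level, name, value = m.groups()
        name = name.upper()
        current = effective.get(name)
        if current is None or LEVEL_PRECEDENCE[level] < LEVEL_PRECEDENCE[current[0]]:
            effective[name] = (level, value.strip())
    return effective


def audit_group_lookup(settings):
    """Describe the security-database lookup path the settings imply.

    Returns (path_description, findings).  The rules are the ones stated in
    the column: DB2DMNBCKCTLR forces the local SAM of the BDC and must be
    upper case, "?" lets DB2 work out the domain, and DB2_GRP_LOOKUP=DOMAIN
    sends group lookups to a domain controller in the accounts domain.
    """
    findings = []
    bckctlr = settings.get("DB2DMNBCKCTLR")
    grp_lookup = settings.get("DB2_GRP_LOOKUP")

    if bckctlr is None:
        path = "default: search for the PDC, fall back to a BDC in the same domain"
    elif bckctlr[1] == "?":
        path = "discover which domain this server is a BDC for, then use the local SAM"
    else:
        domain = bckctlr[1]
        path = "local SAM of this BDC for domain %s" % domain
        if domain != domain.upper():
            findings.append(
                "DB2DMNBCKCTLR=%s must be in upper case: use %s" % (domain, domain.upper())
            )

    if grp_lookup is not None and grp_lookup[1].upper() == "DOMAIN":
        path += "; group lookup via a domain controller in the accounts domain"
        if bckctlr is not None:
            findings.append(
                "DB2DMNBCKCTLR and DB2_GRP_LOOKUP=DOMAIN are both set; the column "
                "describes them for different topologies (DB2 server is a BDC vs. "
                "accounts held in another domain), so confirm which one applies"
            )
    return path, findings


def audit_live_server():
    """Run db2set -all on this machine and audit the result (requires DB2)."""
    out = subprocess.run(["db2set", "-all"], capture_output=True, text=True).stdout
    return audit_group_lookup(parse_db2set(out))


if __name__ == "__main__":
    path, findings = audit_group_lookup(parse_db2set(SAMPLE_DB2SET_OUTPUT))
    print("Lookup path:", path)
    for f in findings:
        print("FINDING:", f)
```

Run it as-is to audit the constructed sample, or call audit_live_server() on a DB2 UDB server to audit the real registry. Because the instance-level value wins, the sample reports the local SAM for domain "salesdom" and flags that it should be "SALESDOM".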
4. What is the best mode of authentication on a network that runs Novell Directory Services (NDS) for Windows NT? Can BDCs authenticate in these environments?
I don't use DB2 in a Novell NDS environment. However, I assume that all authentication modes (client, server, and so on) would function the same way as they do against default Windows NT security. Because Novell will intercept and redirect all security requests to its own security server, I don't believe the BDC would play any role in this environment.
Answers in this Q&A reflect the opinion of the author and not necessarily IBM. IBM
is not responsible for any advice, hints, or information construed by this Q&A document.
Back to The Database Security Blanket by Paul Zikopoulos.