1.3.3 Account Database Replication

Account database replication applies only to the server-to-server communication in the protocol.

So far we have considered scenarios in which there is one DC in a domain. In practice, multiple DCs are placed into a domain for redundancy and load balancing so that multiple DCs can service logon requests from many servers. In such scenarios, the DCs need to share the user account database.<1><2>

A BDC was a domain controller that maintained a full copy of the domain account database and could satisfy authentication requests, but would not allow modification of the accounts. Instead, the BDCs of a domain would replicate the account database from the PDC using the Netlogon replication protocol.<3><4>

To request and transfer the replication data securely, Netlogon uses the secure channel that each BDC establishes with the PDC, authenticated with the BDC's machine account password. This type of secure channel is called the server secure channel.