2.2.1 General Background

A DC authenticates using its service account. In AD DS, this is the Local System account on the machine running the DC, represented by the computer object of the machine. In AD LDS, a DC's service account is configured by the administrator.

In AD DS, connections for DC-to-DC communications MUST use mutual authentication and encryption of protocol traffic. Mutual authentication is provided by Kerberos (see [MS-KILE] section 3.3.1).

In AD LDS, mutual authentication for DC-to-DC communications is not required. When a connection is established, the client uses the GSS Negotiate protocol, which first attempts to use Kerberos, and if Kerberos is unavailable, attempts NTLM (which does not give mutual authentication). If the msDS-ReplAuthenticationMode attribute on the config NC root equals 2, all DCs in the AD LDS forest require mutual authentication for DC-to-DC communications.

Connections from a non-DC client to a DC do not require mutual authentication. Therefore, NTLM is an acceptable security provider in addition to Kerberos.

When a connection is established, the non-DC client uses the GSS Negotiate protocol, which first attempts to use Kerberos and then, if Kerberos is unavailable, attempts NTLM (which does not give mutual authentication).