1.1.1.3 Domain Membership

Domain membership is the state in which a computer trusts a third party, the domain controller, as its source of identity and authentication information. Any computer can be a member of a domain; Windows computers are easily configured to join a domain and to rely on the domain controller for many tasks. Joining also makes certain configuration changes on the member, such as accepting the domain as the authoritative source of time.

Joining a domain can be summarized as (1) establishing an account on the domain that represents the computer joining it, and (2) setting the password (or key) for that account on both the domain and the computer, so that the two sides share a secret. In Windows, this process is encapsulated in a domain join function called NetJoinDomain. Several tools, including Samba's Winbind, exist for non-Windows systems to join a Windows domain.

In Windows, the Netlogon component manages the relationship with the domain controller. Netlogon maintains the keys necessary for ongoing authentication of the member computer to the domain controller, and it establishes a secure channel to the Netlogon instance on the domain controller. This channel is not specific to any authentication protocol, and it is available only to components that are involved in authentication.

Various authentication protocol implementations use this channel to forward an authentication request to their counterpart on the domain controller, or to augment their own processing with work done by that counterpart.

When the Netlogon service on a client computer connects to the Netlogon service on a domain controller to authenticate a user, the two Netlogon services challenge each other to determine whether both hold a valid computer account, that is, whether both know the computer account's password. This mutual challenge-response is what establishes the secure communication channel used for logon.
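As an added example, not text or code from this specification, the two-step join described above and the secure-channel checks run on the joining Windows computer in PowerShell. The domain name corp.example.com, the domain controller DC01.corp.example.com and the OU path are placeholders. The Add-Computer cmdlet is what calls NetJoinDomain on the client; the second phase runs after the reboot the join requires.

```powershell
# Added example (not from the specification). Placeholders: domain, DC and OU.
$Domain           = 'corp.example.com'
$DomainController = 'DC01.corp.example.com'
$OuPath           = 'OU=Workstations,DC=corp,DC=example,DC=com'

# ---- Phase 1: the join (steps 1 and 2 of the summary above) ----
# Add-Computer invokes NetJoinDomain, which creates (or reuses) the computer
# account in $OuPath on the DC and sets the machine-account password on both
# the DC and this computer. The credential must be allowed to create computer
# objects in that OU. -Restart reboots so the new machine identity is in use.
$JoinCred = Get-Credential -Message "Account permitted to join $Domain"
Add-Computer -DomainName $Domain -OUPath $OuPath -Server $DomainController `
             -Credential $JoinCred -Force -Restart

# ---- Phase 2: after the reboot, verify membership and the secure channel ----

# Membership as Windows records it.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
'PartOfDomain: {0}  Domain: {1}' -f $cs.PartOfDomain, $cs.Domain

# Netlogon secure channel: $true when the mutual challenge/response using the
# machine-account password succeeds against the named DC. -Verbose reports
# which DC answered.
$channelOk = Test-ComputerSecureChannel -Server $DomainController -Verbose
if (-not $channelOk) {
    # A broken channel normally means the machine-account password no longer
    # matches on both sides (for example, a restored VM snapshot). -Repair sets
    # a new password on the DC and on this computer; the credential needs reset
    # rights on the computer object.
    $RepairCred = Get-Credential -Message 'Account allowed to reset the computer object'
    Test-ComputerSecureChannel -Repair -Credential $RepairCred
}

# The same view from Netlogon itself: which DC the channel is bound to, and a
# round trip over the channel to that DC.
nltest "/sc_query:$Domain"
nltest "/sc_verify:$Domain"

# Netlogon's machine-password rotation settings. Both values are absent when the
# defaults (rotate every 30 days, rotation enabled) are in effect.
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' |
    Select-Object MaximumPasswordAge, DisablePasswordChange

# One of the configuration changes the join makes: time now comes from the
# domain hierarchy rather than a local or manually configured source.
w32tm /query /source
```

A member whose secure channel test fails cannot authenticate domain users through Netlogon even though it still appears joined; the repair path above, or Reset-ComputerMachinePassword, is the fix rather than re-joining. On a Samba member, `net ads join` performs the same two-step join and `wbinfo -t` performs the equivalent machine-account trust check through Winbind.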