Local Domains and Account Database

Every computer that runs Windows has its own local domain; that is, it has an account database for accounts that are specific to that computer. Conceptually, this is an account database like any other with accounts, groups, SIDs, and so on. These are referred to as local accounts, local groups, and so on. Because computers typically do not trust each other for account information, these identities stay local to the computer on which they were created.

The Security Account Manager (SAM) Remote Protocol (Client-to-Server) [MS-SAMR] exposes this account database, for both the local domain and domains across a network. This protocol specifies the behavior for the local domain and domains across a network by defining a common data model, Active Directory, as specified in [MS-ADTS].

In a domain controller configuration, the data manipulated by the server of this protocol is stored in Active Directory and is replicated by the replication protocol specified in [MS-DRSR], made available through the LDAP interface specified in [MS-ADTS] section, and replicated by the NETLOGON replication interface specified in [MS-NRPC]. The data manipulated by the server of this protocol is used as a security principal database for authentication protocols such as NTLM [MS-NLMP] and Kerberos [MS-KILE].

The abstract data model for the SAM Remote Protocol (Client-to-Server) that exposes the account database is specified in [MS-SAMR] sections 3.1 and 3.2.