1.3.3 Account Database Replication

Account database replication is relevant only for server-to-server communication of the protocol.

So far, we have considered scenarios in which there is one domain controller (DC) in a domain. In practice, multiple DCs are placed into a domain for redundancy and load balancing so that multiple DCs can service logon requests from many servers. In such scenarios, the DCs need to share the user account database.<1>

A backup domain controller (BDC) was a domain controller that maintained a full copy of the domain account database and could satisfy authentication requests but would not allow modification of the accounts. Instead, the BDCs of a domain replicate the account database from the primary domain controller (PDC) using account database replication methods.<2>

To request and transfer the replication data securely, Netlogon uses the secure channel that each BDC establishes with the PDC, authenticated with that BDC's machine account password. This type of secure channel is called the server secure channel.