Understanding the NT Security Database Replication Model

Windows NT uses a single-master replication model to replicate security information between all a domain’s domain controllers (DCs). The NT security database consists of the SAM accounts and the Local Security Authority (LSA) database.

Jan De Clercq

April 29, 2001


Windows NT uses a single-master replication model to replicate security information between all a domain’s domain controllers (DCs). The NT security database consists of the SAM accounts and the Local Security Authority (LSA) database. Single-master means that only one DC holds a read/write copy of the security database; all the other DCs hold a read-only copy. In NT terminology, the first DC is the PDC, and the rest of the DCs are the BDCs. The PDC’s Netlogon service controls the replication process.

NT supports three replication types for copying the SAM changes between the PDC and the BDCs: full, partial, and urgent. A full replication replicates the complete security database to all BDCs. A full replication occurs when a new BDC is added to the domain and when the number of changes that have occurred since the last replication is bigger than the number of changes that the PDC’s Change log can hold (I describe the Change log in the next paragraph). You can force a full replication at every machine startup by setting the registry entry Update of type REG_SZ in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters registry subkey to yes. Another way to force a full replication is from the PDC’s Server Manager: Select a BDC and choose the Synchronize with primary domain controller option from the Computer menu. A third way to force a full replication is from the PDC’s command prompt: Type

net accounts /sync

or

nltest /sync /server:BDC_name

where BDC_name is the name of the BDC. (Nltest is a utility that ships with the Microsoft Windows NT Server 4.0 Resource Kit.)

A partial replication, which occurs every 5 minutes by default, replicates only the changes in the PDC’s Change log (i.e., the changes that have occurred since the last full or partial replication). The Change log is a sequential, circular log file—newer changes automatically overwrite older ones—and resides both in memory and on hard disk. To see your PDC’s Change log contents, open the netlogon.chg file in the %systemroot% folder.
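The following PowerShell function is an added example, not code from the original article, that audits the Netlogon replication settings described above (the Update entry that forces a full replication at startup, the partial-replication interval, and the Change log) on a PDC. It assumes the PDC's SYSTEM hive is reachable under HKLM, either on the machine itself or as a hive loaded on an analysis host. The value names Pulse and ChangeLogSize and their defaults (300 seconds, which is the 5-minute interval mentioned above, and 65536 bytes) come from the NT 4 Resource Kit documentation and are assumptions; the article itself names only the Update entry and the netlogon.chg file.

```powershell
# Added example (not from the original article): report the Netlogon replication
# settings on a PDC. Assumptions: the PDC's SYSTEM hive is available under HKLM
# (default path below), and the Pulse / ChangeLogSize value names with defaults
# of 300 s and 65536 bytes are taken from the NT 4 Resource Kit documentation.
function Get-NetlogonReplicationSettings {
    param(
        # Point this at a loaded hive (e.g. HKLM:\NTSYS\ControlSet001\...) when
        # auditing an exported SYSTEM hive from an analysis host.
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters',
        [string]$SystemRoot = $env:SystemRoot
    )

    $params = Get-ItemProperty -Path $KeyPath -ErrorAction Stop

    # Update=yes (REG_SZ) forces a full replication of the SAM/LSA database at
    # every startup; any other value, or a missing entry, leaves the default off.
    $forceFullAtStartup = (([string]$params.Update).Trim() -ieq 'yes')

    # Partial-replication interval in seconds; the article's "every 5 minutes"
    # corresponds to the assumed default of 300 s when the value is absent.
    $pulseSeconds = if ($null -ne $params.Pulse) { [int]$params.Pulse } else { 300 }

    # Size of the circular Change log; when more changes accumulate than it can
    # hold, the PDC falls back to a full replication to the affected BDCs.
    $changeLogBytes = if ($null -ne $params.ChangeLogSize) { [int]$params.ChangeLogSize } else { 65536 }

    # On-disk copy of the Change log, as named in the article.
    $chgFile = Join-Path $SystemRoot 'netlogon.chg'

    [pscustomobject]@{
        ForceFullReplicationAtStartup = $forceFullAtStartup
        PartialReplicationIntervalSec = $pulseSeconds
        ChangeLogSizeBytes            = $changeLogBytes
        ChangeLogFile                 = $chgFile
        ChangeLogFileExists           = (Test-Path -Path $chgFile)
    }
}

Get-NetlogonReplicationSettings | Format-List
```

A stock NT 4 PDC has no PowerShell, so the practical way to use this is to export the PDC's SYSTEM hive, load it on a current host (for example with reg load HKLM\NTSYS <path>), and pass the matching ControlSet path in -KeyPath together with -SystemRoot pointing at a copy of the PDC's system folder. A ForceFullReplicationAtStartup value of True on a PDC is worth noting in a configuration review, since every BDC then pulls the complete security database at each boot rather than only the Change log entries.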

An urgent replication happens in three circumstances:

  • domain-account lockout or password policy changes

  • machine account password and LSA secret changes

  • account lockouts
