The Netlogon Service
Tasks the Netlogon service performs when servicing network logon requests.
December 31, 1996
Every Windows NT workstation, server, or domain controller has a Netlogon service. This service is responsible for communication between systems in response to a logon request, a domain synchronization request, and a request to promote a Backup Domain Controller (BDC) to a Primary Domain Controller (PDC). The Netlogon service performs several tasks when servicing network logon requests. It
* selects the target domain for logon authentication
* identifies a domain controller in the target domain to perform authentication
* creates a secure channel for communication between Netlogon services on the originating and target systems
* passes an authentication request to the appropriate domain controller
* returns authentication results to Netlogon on the originating system
Netlogon is a key part of passthrough authentication. Passthrough authentication requires a secure communication channel between the Netlogon services on two systems: the originating, or local, system and a domain controller in the requested domain. Before they pass logon information between them, the Netlogon services on each system perform a handshake, called Challenge and Challenge Response, to validate the authenticity of the originating system. To ensure interdomain communication remains secure, PDCs change trusted account passwords weekly and synchronize the password change with the machine that owns the account.
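A simplified model of the Challenge and Challenge Response handshake described above, added here as an illustration; it is not code from the original article or from Microsoft's implementation. HMAC-SHA-256 stands in for the real Netlogon credential computation, and the class names, the account name `WKSTA1$` and the passwords are constructed assumptions.

```python
import hashlib
import hmac
import os

def session_key(secret, client_chal, server_chal):
    # Both ends derive the same key from the shared account password and both challenges.
    return hmac.new(secret, client_chal + server_chal, hashlib.sha256).digest()

def credential(key, challenge):
    # Proof of knowing the password, bound to one specific challenge.
    return hmac.new(key, challenge, hashlib.sha256).digest()

class DomainController:
    def __init__(self):
        self.accounts = {}   # account name -> current password (constructed values)
        self.pending = {}    # account name -> (client_chal, server_chal)
    def request_challenge(self, account, client_chal):
        server_chal = os.urandom(8)
        self.pending[account] = (client_chal, server_chal)
        return server_chal
    def authenticate(self, account, client_cred):
        chals = self.pending.pop(account, None)   # a challenge pair is single use
        secret = self.accounts.get(account)
        if chals is None or secret is None:
            return None
        key = session_key(secret, *chals)
        if not hmac.compare_digest(client_cred, credential(key, chals[0])):
            return None                           # originating system failed the challenge
        return credential(key, chals[1])          # controller proves itself in return

class Workstation:
    def __init__(self, account, secret):
        self.account, self.secret = account, secret
    def open_channel(self, dc):
        client_chal = os.urandom(8)
        server_chal = dc.request_challenge(self.account, client_chal)
        key = session_key(self.secret, client_chal, server_chal)
        reply = dc.authenticate(self.account, credential(key, client_chal))
        return reply is not None and hmac.compare_digest(reply, credential(key, server_chal))

def demo():
    dc = DomainController()
    dc.accounts["WKSTA1$"] = b"constructed-password-1"
    ws = Workstation("WKSTA1$", b"constructed-password-1")
    first = ws.open_channel(dc)
    dc.accounts["WKSTA1$"] = b"constructed-password-2"   # changed, not yet synchronized
    stale = ws.open_channel(dc)
    ws.secret = b"constructed-password-2"                # change synchronized to the machine
    return first, stale, ws.open_channel(dc)
```

`demo()` returns one result per attempt: the channel opens, fails while the machine still holds the old password, and opens again once the change is synchronized.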