Skip navigation
Menu
Security

Understanding the NT Security Database Replication Model

Windows NT uses a single-master replication model to replicate security information between all a domain’s domain controllers (DCs). The NT security database consists of the SAM accounts and the Local Security Authority (LSA) database. Single-master means that only one DC holds a read/write copy of the security database; all the other DCs hold a read-only copy. In NT terminology, the first DC is the PDC, and the rest of the DCs are the BDCs. The PDC’s Netlogon service controls the replication process.

NT supports three replication types for copying the SAM changes between the PDC and the BDCs: full, partial, and urgent. A full replication replicates the complete security database to all BDCs. A full replication occurs when a new BDC is added to the domain and when the number of changes that have occurred since the last replication is bigger than the number of changes that the PDC’s Change log can hold (I describe the Change log in the next paragraph). You can force a full replication at every machine startup by setting the registry entry Update of type REG_SZ in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters registry subkey to yes. Another way to force a full replication is from the PDC’s Server Manager: Select a BDC and choose the Synchronize with primary domain controller option from the Computer menu. A third way to force a full replication is from the PDC’s command prompt: Type

net accounts /sync

or

nltest /sync /server:BDC_name

(Nltest is a utility that ships with the Microsoft Windows NT Server 4.0 Resource Kit) where BDC_name is the name of the BDC.

A partial replication, which occurs every 5 minutes by default, replicates only the changes in the PDC’s Change log (i.e., the changes that have occurred since the last full or partial replication). The Change log is a sequential, circular log file—newer changes automatically overwrite older ones—and resides both in memory and on hard disk. To see your PDC’s Change log contents, open the netlogon.chg file in the \%systemroot%\ folder.

An urgent replication happens in three circumstances:

  • domain-account lockout or password policy changes
  • machine account password and LSA secret changes
  • account lockouts
TAGS: Security
Hide comments

More information about text formats

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish
Recommended Reading
a digital padlock icon with multiple colors
Cybersecurity Workforce Sustainability Has a Problem. DEI Could Be the Solution.
May 06, 2024
the word acronym spelled out with wooden pieces
Cybersecurity Acronyms Cheat Sheet
May 06, 2024
clinician securely sharing sensitive healthcare data across mobile devices and medical practices
How to Ensure Data Protection, IT Security, and Compliance in Life Sciences
Apr 30, 2024
DevSecOps concept
90% of Java Services in Production Have Vulnerability Risk, DevSecOps Report Finds
Apr 20, 2024