Every Windows NT workstation, server, or domain controller has a Netlogon service. This service is responsible for communication between systems in response to a logon request, a domain synchronization request, and a request to promote a Backup Domain Controller (BDC) to a Primary Domain Controller (PDC). The Netlogon service performs several tasks when servicing network logon requests. It:
* selects the target domain for logon authentication
* identifies a domain controller in the target domain to perform authentication
* creates a secure channel for communication between Netlogon services on the originating and target systems
* passes an authentication request to the appropriate domain controller
* returns authentication results to Netlogon on the originating system
Netlogon is a key part of pass-through authentication. Pass-through authentication requires a secure communication channel between the Netlogon services on two systems: the originating, or local, system and a domain controller in the requested domain. Before they pass logon information between them, the Netlogon services on each system perform a handshake, called Challenge and Challenge Response, to validate the authenticity of the originating system. To ensure that interdomain communication remains secure, PDCs change trusted account passwords weekly and synchronize the password change with the machine that owns the account.
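The following is an added example, not code from the original text or from Windows NT itself, that models the handshake and the weekly password rotation described above. It is a simplified stand-in: the proof of possession is an HMAC-SHA256 over both sides' random challenges rather than the real NT Netlogon credential computation, the class and function names (`NetlogonPeer`, `establish_secure_channel`, `rotate_trust_password`) are invented for the illustration, and the seven-day maximum age is taken from the word "weekly" in the text. It shows why each side can only complete the Challenge and Challenge Response exchange if it holds the current account password, and why a rotation that is not synchronized with the account owner breaks the secure channel.

```python
"""Simplified model of the Netlogon secure-channel handshake (illustrative
stand-in using HMAC-SHA256; not the actual NT credential computation)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumption: "weekly" rotation means a password older than 7 days is stale.
TRUST_PASSWORD_MAX_AGE = timedelta(days=7)


@dataclass
class NetlogonPeer:
    """One Netlogon service holding a copy of a machine or trust account password."""
    name: str
    account_password: bytes      # shared secret for the account (constructed bytes)
    password_set: datetime       # when this copy of the password was last set

    def new_challenge(self) -> bytes:
        """Fresh random challenge so a recorded handshake cannot be replayed."""
        return os.urandom(8)

    def credential(self, first: bytes, second: bytes) -> bytes:
        """Proof that this peer knows the password, bound to both challenges."""
        return hmac.new(self.account_password, first + second, hashlib.sha256).digest()

    def session_key(self, client_challenge: bytes, dc_challenge: bytes) -> bytes:
        """Key for the secure channel, derived from the password and both challenges."""
        return hashlib.sha256(b"session-key" + self.account_password
                              + client_challenge + dc_challenge).digest()


def establish_secure_channel(client: NetlogonPeer, dc: NetlogonPeer) -> Optional[bytes]:
    """Run the Challenge / Challenge Response handshake between an originating
    system and a domain controller. Returns the agreed session key, or None
    if either side fails to prove it holds the account password."""
    # 1. The originating system sends its challenge.
    client_challenge = client.new_challenge()
    # 2. The DC answers with its own challenge plus a credential over both.
    dc_challenge = dc.new_challenge()
    dc_credential = dc.credential(client_challenge, dc_challenge)
    # 3. The originating system verifies the DC's credential, then sends its
    #    own (challenges in the opposite order so the two proofs differ).
    expected_dc = client.credential(client_challenge, dc_challenge)
    if not hmac.compare_digest(dc_credential, expected_dc):
        return None
    client_credential = client.credential(dc_challenge, client_challenge)
    # 4. The DC verifies the originating system's credential.
    expected_client = dc.credential(dc_challenge, client_challenge)
    if not hmac.compare_digest(client_credential, expected_client):
        return None
    # 5. Both sides now hold the same inputs and derive the same session key.
    return client.session_key(client_challenge, dc_challenge)


def password_is_stale(peer: NetlogonPeer, now: datetime) -> bool:
    """True when the peer's copy of the password is past the weekly rotation age."""
    return now - peer.password_set > TRUST_PASSWORD_MAX_AGE


def rotate_trust_password(pdc: NetlogonPeer, owner: NetlogonPeer, now: datetime,
                          new_password: Optional[bytes] = None) -> None:
    """Weekly rotation: the PDC picks a new password and synchronizes it with
    the machine that owns the account, so both copies stay in step."""
    new_password = new_password or os.urandom(16)
    for peer in (pdc, owner):
        peer.account_password = new_password
        peer.password_set = now


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1)
    # Constructed sample peers sharing one machine account password.
    workstation = NetlogonPeer("WS1", b"initial-machine-password", t0)
    domain_controller = NetlogonPeer("DC1", b"initial-machine-password", t0)
    print("handshake ok:", establish_secure_channel(workstation, domain_controller) is not None)
    # A system holding an outdated copy of the password cannot complete the handshake.
    outdated = NetlogonPeer("WS2", b"old-password", t0)
    print("outdated copy ok:", establish_secure_channel(outdated, domain_controller) is not None)
    # Synchronized rotation keeps the channel working.
    rotate_trust_password(domain_controller, workstation, t0 + timedelta(days=7))
    print("after rotation ok:", establish_secure_channel(workstation, domain_controller) is not None)
```

The two `hmac.compare_digest` checks are the security-relevant step: each side only accepts the other after verifying a proof bound to its own fresh challenge, so neither a peer without the password nor a replayed earlier exchange can complete the handshake. The rotation helper updates both copies in one step; if only the PDC's copy changed, the next handshake would fail exactly as the text's synchronization requirement implies.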