MORE INFORMATION
Member Servers and Workstations
Netlogon performs similar functions on Windows NT 4.0-based member servers and workstations. Netlogon has the following responsibilities:
- Locate a domain controller with which to set up a secure channel
- Retrieve a list of users when adding permissions
- Non-local (domain) account authentication
- Change the machine account password
NOTE: The terms "workstation" and "member server" are used interchangeably in this article.
Secure Channel
Upon starting, Netlogon attempts to find a domain controller (DC) for the domain in which its machine account exists. After locating the appropriate DC, the machine account password from the workstation is authenticated against the password on the DC. After the machine account is verified, the workstation establishes a secure channel with that DC.
Secure channels are not stagnant. Netlogon routinely checks the status and responsiveness of the secure channel. If the secure channel partner does not meet certain criteria, Netlogon attempts to find a new secure channel partner. If at this point a domain controller cannot be found, you may see the following error message in the System log in Event Viewer:
Event ID 5719
If a machine account cannot be found, you may see the following error message in the System log in Event Viewer:
Event ID 5721
If the password does not match, you may see the following error message in the System log in Event Viewer:
Event ID 3210
Retrieving a List of Users for Permissions
When you attempt to add users to a list of permissions, such as adding a user to the permissions for a file, Netlogon is responsible for pulling the list from its secure channel partner. However, if your user list is large and your secure channel partner is located over a slow link, there may be a significant delay in displaying permissions because the list is not displayed until the entire list is retrieved.
Non-Local Domain Authentication
When you log on locally or attempt to establish a network connection to a workstation, Netlogon can play a role in the authentication. During a logon attempt, Local Security Authority (LSA) receives the credentials offered. If the credentials that are provided are not part of the workstation's local Security Accounts Manager (SAM), Netlogon forwards the credentials to its secure channel partner. That DC then attempts to validate the credentials and responds back to the workstation. Netlogon then passes the return information back to LSA, which permits or denies the logon attempt.
Machine Account Passwords
Netlogon is also responsible for changing the machine account password. By default, this password is reset every seven days. The workstation sends the request to the secure channel partner. The secure channel partner passes the request to the PDC. If the response from the PDC is no "access denied" or "refusepasswordchange," the Netlogon service considers the password change successful. Netlogon remembers the last password as well as the new password. If the machine account is not validated when it is setting up a secure channel using the new password, Netlogon attempts to use the old password, and if successful, uses only the old password from this point on.
For additional information about machine account passwords, click the article numbers below
to view the articles in the Microsoft Knowledge Base:
154501 How to Disable Automatic Machine Account Password Changes
175468 Effects of Machine Account Replication on a Domain
250877 Problem Changing Domains Without Rebooting Within 10 Minutes
Domain Controllers
In addition to the workstation and member server responsibilities listed earlier in this article, Netlogon manages the following additional tasks on domain controllers:
- Secure channel
- Domain and pass-through authentication
- Machine account and trust relationship password changes
- SAM database synchronization
NOTE: Netlogon functions vary based on whether the DC is a PDC or a backup domain controller (BDC).
Secure Channels
When you start a PDC, Netlogon builds a list of all the BDCs in the domain, and a list of trusted domains. At this time, Netlogon attempts to set up a secure channel with a DC from each trusted domain, and if this attempt does not succeed, Netlogon does not make another attempt until a secure channel with that domain is explicitly needed.
The BDC's behavior is similar. While Netlogon on a BDC does not enumerate other BDCs, it does contact the PDC and sets up secure channels with trusted domains as needed.
Pass-Through Authentication
Secure channels with other domains are used for pass-through authentication. For example, if domain A trusts domain B, and a workstation is a member of domain A, at startup Netlogon tries to locate a DC for domain A. After a DC is located, the machine account password from the workstation is authenticated against the password on the DC in domain A. After the machine account is verified, the workstation establishes a secure channel with that DC. If a user from domain A or domain B attempts to log on to the workstation, LSA determines that this needs to be handled by Netlogon. Netlogon on the workstation passes the credentials to its secure channel partner. If the account does not exist in domain A, the secure channel partner (the DC in domain A) uses its secure channel to domain B to pass the credentials to that DC. The DC in domain B responds to the DC in domain A, which passes the information back to the workstation. Note that Netlogon handles the authentication process on all three computers.
For additional information about this issue, click the article number below
to view the article in the Microsoft Knowledge Base:
165202 WinNT Client Logon in Resource and Master Domain Environment
Trust Account Passwords
The Netlogon service on the PDC manages the trust relationship passwords, and this process is very similar to the machine account password process. Once the trust is setup or changed, the PDC passes the trust information to the BDCs during SAM account replication.
For additional information about this issue, click the article number below
to view the article in the Microsoft Knowledge Base:
128489 Inter-Domain Trust Account Passwords
SAM Synchronization
The major role that Netlogon plays on domain controllers is in SAM synchronization. Only the PDC has a writeable copy of the SAM (with the exception of Last Logon Time), and all changes that are made to the SAM need to be written to the BDCs. Any change to a user, group, machine account, trust, and so on, is recorded on the PDC.
The Netlogon service on the PDC records each change to the Netlogon.chg file. The Netlogon.chg file has three sections: SAM, Built-in, and LSA, and each section has its own serial number. Every change that is recorded in the change log updates the serial number in the appropriate section. Each BDC maintains a list of the three serial numbers from the last synchronization.
Netlogon manages this process. By default, if there are changes, the PDC sends a "pulse" message every 5 minutes to all BDCs. When a BDC receives a "pulse" message, it contacts the PDC and then compares each of the serial numbers. If the serial numbers do not match, the BDC requests the changes made since the synchronization, and this process is known as a partial synchronization.
If the change log filled up and restarted (wrapped), the BDC requests a full synchronization. By default, the change log holds about 2,000 changes. Usually, you should not wrap the change log, but adding accounts by using the Portuas utility (the LAN Manager upgrade utility) or by scripting can cause the change log to wrap.
When synchronization is complete, the BDC sets its serial numbers to the same serial number as the PDC. If no changes are made, there are no pulses, and the BDC performs periodic checks to verify that the PDC is still available. Note that no synchronization occurs if the BDC determines that the serial numbers match.
Netlogon on the domain controllers manages the size of the change log, the frequency rate of the "pulse" messages, and the number of BDCs that can synchronize at one time.
For more information about SAM synchronization, click the following article numbers to view the articles in the Microsoft Knowledge Base:
244382
Windows NT 4.0 Security Account Manager Replication
185952 Information from BDC Sent to PDC, and Then Replicated to Domain
238191 Partial Replication May Take a Long Time with Very Large Groups
173882 Netlogon Synchronization Errors
197985 PDC Performs Only Full Synchronizations to BDCs
244396 Determining if Full Syncs Are Caused By Wrapping the Change Log
158148 Domain Secure Channel Utility -- Nltest.exe
Netlogon.log and Netlogon.chg Files from a PDC
****PDC Netlogon initializing
[INIT] Following are the effective values after parsing
[INIT] ScriptsParameter = C:\WTS\system32\repl\import\scripts
[INIT] Pulse = 300 (0x12c)
[INIT] Randomize = 1 (0x1)
[INIT] PulseMaximum = 7200 (0x1c20)
[INIT] PulseConcurrency = 10 (0xa)
[INIT] PulseTimeout1 = 10 (0xa)
[INIT] PulseTimeout2 = 300 (0x12c)
[INIT] ReplicationGovernor = 100 (0x64)
[INIT] MaximumMailslotMessages = 500 (0x1f4)
[INIT] MailslotMessageTimeout = 10 (0xa)
[INIT] MailslotDuplicateTimeout = 2 (0x2)
[INIT] ExpectedDialupDelay = 0 (0x0)
[INIT] ScavengeInterval = 900 (0x384)
[INIT] MaximumPasswordAge = 7 (0x7)
[INIT] DBFlag = 545325055 (0x2080ffff)
[INIT] MaximumLogFileSize = 20000000 (0x1312d00)
[INIT] Update = FALSE
[INIT] DisablePasswordChange = FALSE
[INIT] RefusePasswordChange = FALSE
[INIT] SignSecureChannel = TRUE
[INIT] SealSecureChannel = TRUE
[INIT] RequireSignOrSeal = FALSE
[INIT] Command line parsed successfully ...
****PDC setting the Serial Numbers
[SYNC] NlInitDbSerialNumber: LSA: Serial number is 0 2c
[SYNC] NlInitDbSerialNumber: SAM: Serial number is 0 3a
[SYNC] NlInitDbSerialNumber: BUILTIN: Serial number is 0 b
****PDC enumerating DC's
[SESSION] NlAddBdcServerSession: BDC01: Added NT BDC account
[SESSION] NlAddBdcServerSession: BDC02: Added NT BDC account
[SESSION] NlAddBdcServerSession: BDC03: Added NT BDC account
[SESSION] NlAddBdcServerSession: PDC: Skipping add of ourself
[SESSION] NlAddBdcServerSession: BDC04: Added NT BDC account
[SESSION] NlAddBdcServerSession: BDC05: Added NT BDC account
[SESSION] NlAddBdcServerSession: BDC06: Added NT BDC account
****PDC getting trust info (from LSA)
[SESSION] NlInitTrustList: OTHER_DOMAIN_01 in LSA
[SESSION] NlUpdateTrustListBySid: OTHER_DOMAIN_01: Added to local trust list
[SESSION] NlDcDiscoveryMachine: OTHER_DOMAIN_01: Start Discovery
[SESSION] NlInitTrustList: OTHER_DOMAIN_02 in LSA
[SESSION] NlUpdateTrustListBySid: OTHER_DOMAIN_02: Added to local trust list
[SESSION] NlDcDiscoveryMachine: OTHER_DOMAIN_02: Start Discovery
****PDC finishing up the netlogon intialization
[INIT] The netlogon share (NETLOGON) already exists.
[INIT] The netlogon share current path is C:\WTS\system32\repl\import\scripts
[INIT] Path to be shared is C:\WTS\debug
****PDC checking to see if a Full Sync was in progress when machine shutdown
[SYNC] Setting SAM Full Sync Key: not in progress
[SYNC] Setting BUILTIN Full Sync Key: not in progress
[SYNC] Setting LSA Full Sync Key: not in progress
****PDC responding to a BDC requesting a Full Sync
[SYNC] NetrDatabaseSync: SAM full sync called by BDC04 State: 0 Context: 0x0.
[SYNC] Packing Domain Object
[SYNC] Packing Group Object 200
[SYNC] Group Object name Domain Admins
[SYNC] Packing Group Object 201
[SYNC] Group Object name Domain Users
[SYNC] Packing Group Object 202
[SYNC] Group Object name Domain Guests...
****BDC requesting partial synchronization
[SYNC] NetrDatabaseDeltas: SAM partial sync called by BDC02 SerialNumber:d0 d4b9c.
[SYNC] Packing User Object 4fec...
****BDC checking serial numbers - No changes
[SYNC] NetrDatabaseDeltas: BUILTIN partial sync called by BDC01 SerialNumber:d0 86e.
[SYNC] NetrDatabaseDeltas: BUILTIN returning (0x0) to BDC01
[SYNC] NetrDatabaseDeltas: LSA partial sync called by BDC01 SerialNumber:d0 4c2828.
[SYNC] NetrDatabaseDeltas: LSA returning (0x0) to BDC01
[SYNC] NetrDatabaseDeltas: SAM partial sync called by BDC01 SerialNumber:d0 d4ba0.
[SYNC] NetrDatabaseDeltas: SAM returning (0x0) to BDC01
****BDC checking serial numbers - Changes in SAM ONLY
[SYNC] NetrDatabaseDeltas: SAM partial sync called by BDC02 SerialNumber:d0 d4b9c.
[SYNC] Packing User Object 4fec
[SYNC] User Object name xxxx
[SYNC] NetrDatabaseDeltas: Modified count of the packed record: d0 d4b9d
[SYNC] Packing User Object 4f25
[SYNC] User Object name xxxx
[SYNC] NetrDatabaseDeltas: Modified count of the packed record: d0 d4b9e
[SYNC] Packing User Object 38f4
[SYNC] User Object name xxxx
[SYNC] NetrDatabaseDeltas: Modified count of the packed record: d0 d4b9f
[SYNC] Packing User Object 42b2
[SYNC] User Object name xxxx
[SYNC] NetrDatabaseDeltas: Modified count of the packed record: d0 d4ba0
[SYNC] NetrDatabaseDeltas: SAM returning (0x0) to BDC02
[SYNC] NetrDatabaseDeltas: BUILTIN partial sync called by BDC02 SerialNumber:d0 86e.
[SYNC] NetrDatabaseDeltas: BUILTIN returning (0x0) to BDC02
[SYNC] NetrDatabaseDeltas: LSA partial sync called by BDC02 SerialNumber:d0 4c2828.
[SYNC] NetrDatabaseDeltas: LSA returning (0x0) to BDC02
****Netlogon writing changes to the change log (PDC)
[CHANGELOG] DeltaType AddOrChangeUser (5) SerialNumber: 0 36e7 Rid: 0x1f5
[CHANGELOG] DeltaType ChangeAliasMembership (12) SerialNumber: 0 17 Rid: 0x220
[CHANGELOG] DeltaType AddOrChangeUser (5) SerialNumber: 0 36e2 Rid: 0x404
[CHANGELOG] DeltaType AddOrChangeUser (5) SerialNumber: 0 36e3 Rid: 0x404
[CHANGELOG] DeltaType ChangeAliasMembership (12) SerialNumber: 0 18 Rid: 0x220
[CHANGELOG] DeltaType AddOrChangeUser (5) SerialNumber: 0 36e4 Rid: 0x404
[CHANGELOG] DeltaType ChangeGroupMembership (8) SerialNumber: 0 36e5
Rid: 0x200 Name: 'Domain Admins'
[CHANGELOG] DeltaType AddOrChangeUser (5) SerialNumber: 0 36e8
Rid: 0x401 Immediately PasswordChanged
[CHANGELOG] DeltaType AddOrChangeUser (5) SerialNumber: 0 36e9
Rid: 0x3ed PasswordChanged
********Using NLTEST /LIST_DELTAS to view change log on PDC
FILE SIGNATURE : NT CHANGELOG 4
Deltas of SAM DATABASE
Order: 1 DeltaType AddOrChangeDomain (1) SerialNumber: 0 8
Order: 4 DeltaType DeleteUser (6) SerialNumber: 0 9
Rid: 0x3e9 Name: 'IE4AutoInstall'
Order: 12 DeltaType AddOrChangeUser (5) SerialNumber: 0 a Rid: 0x3ea
Order: 13 DeltaType AddOrChangeUser (5) SerialNumber: 0 b
Rid: 0x3ea PasswordChanged
<SNIP>
Order: 183 DeltaType AddOrChangeUser (5) SerialNumber: 0 93 Rid: 0x400
Order: 184 DeltaType AddOrChangeUser (5) SerialNumber: 0 94
Rid: 0x400 Immediately PasswordChanged
Order: 185 DeltaType DeleteUser (6) SerialNumber: 0 95
Rid: 0x400 Name: 'MACHINE$'
-----------------------------------------------
Deltas of BUILTIN DATABASE
Order: 2 DeltaType AddOrChangeDomain (1) SerialNumber: 0 2
Order: 9 DeltaType ChangeAliasMembership (12) SerialNumber: 0 3 Rid: 0x220
Order: 10 DeltaType AddOrChangeAlias (9) SerialNumber: 0 4 Rid: 0x220
<SNIP>
Order: 174 DeltaType ChangeAliasMembership (12) SerialNumber: 0 14 Rid: 0x220
-----------------------------------------------
Deltas of LSA DATABASE
Order: 3 DeltaType AddOrChangeLsaPolicy (13) SerialNumber: 0 1a
Name: 'Policy'
Order: 5 DeltaType AddOrChangeLsaPolicy (13) SerialNumber: 0 1b
Name: 'Policy'
Order: 6 DeltaType AddOrChangeLsaSecret (18) SerialNumber: 0 1c Immediately
Name: 'G$$I'
Order: 7 DeltaType AddOrChangeLsaSecret (18) SerialNumber: 0 1d Immediately
Name: 'G$$I'
Order: 8 DeltaType AddOrChangeLsaTDomain (14) SerialNumber: 0 1e Rid: 0x2725376d
Sid: S-1-5-21-1855076321-3829873465-656750445
<SNIP>
S-1-5-21-1855076321-3829873465-656750445
Order: 150 DeltaType AddOrChangeLsaSecret (18) SerialNumber: 0 30
Immediately Name: 'G$$I'
Order: 151 DeltaType AddOrChangeLsaSecret (18) SerialNumber: 0 31
Immediately Name: 'G$$I'
-----------------------------------------------