They contain no visible information. They point to the security policy and user authentication information for the specific installation. Keys and values are created, modified and deleted through User Manager or User Manager for Domains. The Registry Editor does not allow access to this data.
On security and replication of the security databases in a domain with several servers
The NetLogon service on each Windows NT Advanced Server replicates both the security accounts manager (SAM) and local security authority (LSA) security databases. The security databases are replicated from the Domain Controller in the domain to all the Windows NT Advanced Servers in the domain. (The security database is also replicated to LAN Manager BDCs in the Windows NT domain by using the same protocols and procedures that LAN Manager uses.)
Replication does not apply to Windows NT workstations.
The security databases are actually three separate databases:
The replication paradigm is almost identical to that used by LAN Manager. Two types of replication occur: "Full Sync" replication and "Partial Sync" replication.
Full Sync Replication
Full sync replication copies the entire security database from the Domain Controller to the Windows NT Advanced Server. Full sync replication occurs when any one of the following circumstances exists:
Partial Sync Replication
Partial sync replication ensures individual changes made to the security database on the Domain Controller are updated on the other Advanced Servers in the domain. The Domain Controller sends a periodic pulse to the other Advanced Servers in the domain. The pulse message contains the serial number of each database. Each Advanced Server checks to see if the serial number in the message is greater than the one on its local copy of the database. If it is, that Advanced Server asks for the changes by sending an I_NetDatabaseDeltas API call to the Domain Controller. I_NetDatabaseDeltas returns up to 128K of security database data on each call. NetLogon unpacks the received data and updates the information in the security database. If all the data wasn't retrieved in a single call, the Advanced Server calls I_NetDatabaseDeltas again to retrieve more data.
The pulse message is sent to the \mailslot\net\netlogon second-class mailslot. The pulse message is first sent to all Windows NT Advanced Servers in the domain by sending it to the XXX<1C> NetBIOS group name, where "XXX" is the name of the domain and "<1C>" is the hexadecimal value of the 16th byte of the name. All Windows NT Advanced Servers in the domain register this global group name and receive this mailslot message. The NBT (NetBIOS over TCP/IP) transport treats this <1C> name specially. It first broadcasts to the group name and then does individual sends to all machines in domain "XXX" as determined by the lmhosts file. This ensures the mailslot send reaches all Advanced Servers in the domain even if they reside on a different subnet than the Domain Controller. The NetLogon service on the Domain Controller repeats this mailslot send to each LAN Manager server in the domain (since they don't have the <1C> address registered). The mailslot message is sent individually to each server that is a member of the SERVERS global group name. You should ensure that the SERVERS global group only contains members of this domain, to prevent a LAN Manager server from receiving mailslot messages from a domain of which it is not a member.
The Domain Controller keeps track of the changes made to the security databases by recording them in the change log, %SystemDirectory%\netlogon.chg. Each change to the security databases is recorded in the change log along with the serial number of the change. (The serial number is maintained separately for each of the three security databases. It is incremented once for each change to the databases.) Later, when an Advanced Server requests a particular change from the Domain Controller (by calling I_NetDatabaseDeltas), the Domain Controller consults the change log to determine what the change was.
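The partial-sync cycle described above (per-database serial numbers, a change log, a pulse, and repeated I_NetDatabaseDeltas calls capped at 128K each), as an added simulation that is not code from the article or from Windows NT; the class names, the record layout and the placeholder database names DB_A/DB_B/DB_C are assumptions made for illustration.

```python
from dataclasses import dataclass, field

DELTA_LIMIT = 128 * 1024              # the article: at most 128K of data per I_NetDatabaseDeltas call
DATABASES = ("DB_A", "DB_B", "DB_C")  # placeholders for the three security databases


@dataclass
class DomainController:
    serial: dict = field(default_factory=lambda: {db: 0 for db in DATABASES})
    change_log: dict = field(default_factory=lambda: {db: [] for db in DATABASES})  # netlogon.chg stand-in

    def record_change(self, db, payload):
        # each change bumps that database's own serial number and is logged with it
        self.serial[db] += 1
        self.change_log[db].append((self.serial[db], payload))

    def pulse(self):
        # the periodic pulse message carries the current serial number of every database
        return dict(self.serial)

    def database_deltas(self, db, member_serial):
        # stand-in for I_NetDatabaseDeltas: changes newer than member_serial, cut off once the
        # reply would exceed DELTA_LIMIT (always at least one entry, so a large change still ships)
        out, size = [], 0
        for serial, payload in self.change_log[db]:
            if serial <= member_serial:
                continue
            if out and size + len(payload) > DELTA_LIMIT:
                break
            out.append((serial, payload))
            size += len(payload)
        return out


@dataclass
class MemberServer:
    serial: dict = field(default_factory=lambda: {db: 0 for db in DATABASES})
    calls: int = 0  # number of delta calls it took to catch up

    def on_pulse(self, dc, pulse):
        # a database whose pulse serial is greater than the local one is pulled until serials match
        for db, dc_serial in pulse.items():
            while self.serial[db] < dc_serial:
                deltas = dc.database_deltas(db, self.serial[db])
                if not deltas:  # the change log no longer covers the gap; a delta pull cannot catch up
                    raise RuntimeError(f"{db}: change log cannot supply serial {self.serial[db] + 1}")
                self.calls += 1
                self.serial[db] = deltas[-1][0]
        return dict(self.serial)


def demo():
    # constructed scenario: five 50K changes to DB_A (needs three 128K-limited calls), one change to DB_C
    dc, member = DomainController(), MemberServer()
    for _ in range(5):
        dc.record_change("DB_A", b"x" * (50 * 1024))
    dc.record_change("DB_C", b"policy change")
    return member.on_pulse(dc, dc.pulse()), member.calls
```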
Secure Channel
Each Windows NT Advanced Server sets up a secure channel to the Domain Controller in the domain. A server trust account is set up for the Advanced Server on the Domain Controller. This account is set up either from the Server Manager (srvmgr) by selecting Add to Domain from the Computer menu, or directly when the Windows NT Advanced Server is set up if an administrator account name is specified when the Advanced Server joins the domain. At this time, the password on the account is set to a well-known constant (the server name in lowercase, truncated to 14 characters).
In either case, when the Advanced Server is set up, it stores the password for the account in LSA secret storage in a secret file named $machine.acc. The NetLogon service on the Advanced Server immediately changes this default password the first time it is started and once a week thereafter to ensure it is kept secret.
To set up the secure channel, the Advanced Server calls I_NetServerRequestChallenge, passing the Domain Controller a challenge. The challenge is a pseudo-random number based on the time of day and a serial number. Both the Advanced Server and the Domain Controller use the two challenges and the password known by each machine to compute a Session Key. Each machine then computes a credential as its own challenge encrypted by the Session Key. The Advanced Server then calls I_NetServerAuthenticate, passing the Domain Controller its credential and receiving the Domain Controller's credential in return. Each machine locally recomputes its partner's credential, thereby verifying that the partner knows the shared password. The I_NetDatabaseSync and I_NetDatabaseDeltas application program interface (API) functions are only valid across this secure channel, to prevent others from calling these APIs and getting a copy of the security databases.
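The challenge exchange described above, as an added simulation that is not code from the article or from Windows NT: both sides derive a session key from the two challenges and the shared account password, each turns its own challenge into a credential under that key, and each recomputes the partner's credential to verify the partner knows the password. HMAC-SHA256 stands in for the real NetLogon key derivation and credential encryption, which the article does not specify, and the class and function names are assumptions.

```python
import hashlib
import hmac
import os


def session_key(password, member_challenge, dc_challenge):
    # stand-in for the NetLogon session-key computation: both challenges plus the shared password
    return hmac.new(password, member_challenge + dc_challenge, hashlib.sha256).digest()


def credential(key, own_challenge):
    # a credential is the party's own challenge "encrypted" under the session key (HMAC stand-in)
    return hmac.new(key, own_challenge, hashlib.sha256).digest()[:8]


class Party:
    def __init__(self, name, password):
        self.name, self.password = name, password
        self.challenge = os.urandom(8)  # the article: pseudo-random, based on time of day and a serial
        self.key = None

    def derive_key(self, member_challenge, dc_challenge):
        self.key = session_key(self.password, member_challenge, dc_challenge)

    def my_credential(self):
        return credential(self.key, self.challenge)

    def partner_is_genuine(self, partner_challenge, partner_credential):
        # recompute what the partner's credential must be if it holds the same password
        return hmac.compare_digest(credential(self.key, partner_challenge), partner_credential)


def establish_secure_channel(member, dc):
    # I_NetServerRequestChallenge: member sends its challenge, DC answers with its own
    member_challenge, dc_challenge = member.challenge, dc.challenge
    member.derive_key(member_challenge, dc_challenge)
    dc.derive_key(member_challenge, dc_challenge)
    # I_NetServerAuthenticate: member presents its credential; the DC only answers with
    # its own credential once the member's credential checks out
    if not dc.partner_is_genuine(member_challenge, member.my_credential()):
        return False  # access denied: the passwords on the two machines differ
    return member.partner_is_genuine(dc_challenge, dc.my_credential())


def demo():
    # constructed: the well-known initial password is the server name in lowercase (<= 14 chars)
    pw = b"domainmember"
    ok = establish_secure_channel(Party("DOMAINMEMBER", pw), Party("DOMAINDC", pw))
    # a member whose stored secret no longer matches the account password fails the setup
    stale = establish_secure_channel(Party("DOMAINMEMBER", pw), Party("DOMAINDC", b"rotated-pw"))
    return ok, stale
```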
Assume you have the following configuration:
Domain = DOMAIN
DC = DOMAINDC (domain controller)
MEMBER = DOMAINMEMBER
When a member server joins a domain, a computer account is created (you can use Server Manager to see the computer account). A default password is given to the computer account, and the member stores the password in the Local Security Authority (LSA) secret storage $MACHINE.ACC. By default, the password is changed every seven days. Each member maintains such an LSA secret, which is used by the Netlogon service to establish a secure channel. If, for some reason, the computer account's password and the LSA secret are not synchronized, the Netlogon service logs the following error:
NETLOGON Event ID 3210: Failed to authenticate with \\DOMAINDC, a Windows NT domain controller for domain DOMAIN.
If the computer account has been deleted, the following error is logged by the member Netlogon service:
NETLOGON Event ID 5721: The session setup to the Windows NT Domain Controller <Unknown> for the domain DOMAIN failed because the Windows NT Domain Controller does not have an account for the computer DOMAINMEMBER.
Similarly, the Netlogon service on the domain controller logs the following error when the password is not synchronized:
NETLOGON Event 5722: The session setup from the computer DOMAINMEMBER failed to authenticate. The name of the account referenced in the security database is DOMAINMEMBER$. The following error occurred: Access is denied.
In all cases, the event data contains the error. For example, error 0xC0000022 means that the computer account's password is invalid; error 0xC000018B means that the computer account has been deleted, and so on.
For more information about secure channels, see the following articles in the Microsoft Knowledge Base: