What is the User Account System (UAS)?

Luke Kenneth Casson Leighton lkcl at regent.push.net
Tue Apr 28 23:39:32 GMT 1998

On Wed, 29 Apr 1998, Paul Ashton wrote:

> pcc at ntsinc.com said:
> > The more I look into this domain authentication, the more confused I
> > become.
> You're not the only one. The only way you get to understand this is
> to disassemble it.

oo, don't say that: disassembly is only legal if it's for interoperability
reasons :-)

> > While reading MS KB Article Q78209, I read:
> > 
> >   The Netlogon service is executed to replicate the user accounts system 
> >   (UAS) database between a primary domain controller (PDC), a backup domain 
> >   controller (BDC), and member servers, and to validate logons to the
> >   logical domain the servers are in. 
> Gobbledygook.

the first part is factually incorrect.  \PIPE\NETLOGON is for logins;
\PIPE\samr is for SAM replication.  ah, they are referring to
\PIPE\NETLOGON _not_ the [netlogon] share that you load policies and batch
files from.

that's why it's confusing.
> > I am assuming that the user accounts system is referring to the SAM and
> > info in the NetLogon share. I am reading this to be the "domain
> > syncronization of the SAM & other associated domain info" goes to the BDC's
> > (which makes sense) BUT ALSO the member servers?????? Where am I going
> > wrong here? Under what (if any) circumstances do memeber servers take part
> > in the syncronization of a domain?
> I think UAS==SAM here.

that's what i assume, which means the above statement is wrong: \PIPE\samr
is used for sam replication.

> Take a look at the resource kit utility NLTEST.

this gives you information, and it's really for test / understanding
purposes.  it doesn't actually do anything useful / critical.  for
example, NLTEST sends an LsaAuth command _not_ an LsaAuth2 when doing a
"LsaSamLogon" test.

More information about the samba-ntdom mailing list