Each computer running Advanced Server, Windows NT Server, or Windows NT Workstation that participates in a domain has its own account in the directory database. A computer account is created when the computer is first identified to the domain during network setup at installation. Computer accounts are used to establish secure communications channels.
A secure communications channel is created when computers at each end of a connection are satisfied that the computer at the other end has identified itself correctly. Computers identify themselves using their computer accounts. When a secure communications channel has been established, a communications session can begin between the two computers.
The Net Logon service on each computer running Advanced Server, Windows NT Server, or Windows NT Workstation creates a secure communications channel when it starts, but only if the computer is participating in a domain. A BDC creates a secure communications channel to its PDC. A Windows NT Workstation or Windows NT Server computer running as a member server in a domain creates a secure communications channel to a domain controller in the domain.
Computer accounts and secure communications channels also are used by interdomain trust relationships. A computer account is associated with each trust relationship. Each domain controller in a trusting domain establishes a secure communications channel with a domain controller in each of its trusted domains.
Computer accounts and the secure communications channels they provide enable administrators to manage workstations and member servers remotely. They also affect the relationship between workstations and domain servers and between primary and backup domain controllers in the following ways:
A computer account is part of an implicit one-way trust relationship between a client computer and the controllers in its domain. Workstations request logon authentication for a user account from a domain server in the same way a server in a trusting domain requests validation from a server in a trusted domain. This trust relationship enables administrators to select a workstation or member server for administration in the same way they select a domain.
When a workstation or member server is added to a domain, the Domain Admins global group is automatically added to the computer's Administrators local group. Domain administrators can then use Windows NT Server Tools or Windows NT Administrative Tools to manage the computer's user environment remotely and to manage the computer's user and group accounts, including adding domain global groups to the computer's local groups. Additionally, domain administrators can perform any function on the computer itself that is allowed by the Administrators local group.
For Advanced Server and Windows NT Server domain controllers, computer accounts link BDCs with the PDC and pair up trusting and trusted domains. A computer account that is created when a BDC joins a domain allows the BDC to get a copy of the master directory database from its PDC. Interdomain trust computer accounts allow domain controllers in a trusting domain to pass authentication of user accounts through to the trusted domain. For more information, see "How User Logons Work."
For information on how to add a computer to a domain, see "Adding a Computer to the Domain" in Server Manager Help and "To join a domain" in Control Panel Help.