Computer Accounts and Secure Communications Channels

Each computer running Windows NT Workstation and Windows NT Server that participates in a domain has its own account in the directory database, called a computer account. A computer account is created when the computer is first identified to the domain (rather than to a workgroup) during network setup at installation or when the administrator uses Server Manager to define the computer account.

When a computer running Windows NT Workstation or Windows NT Server logs on to the network, the NetLogon service on the client computer creates a secure communications channel with the NetLogon service on the server. A secure communications channel exists when each computer at the two ends of the connection has verified the identity of the other, that is, when the two computers have authenticated each other. Computers identify themselves using their computer accounts and the password held in each account. Only after the secure communications channel has been established can a communications session begin between the two computers.

To maintain security during the communications session, internal trust accounts are set up between the workstation and the server, between the primary and backup domain controllers, and between domain controllers in both domains of a trust relationship.

Computer accounts and the secure channels they provide enable administrators to remotely manage workstations and member servers. They also affect the relationships between a workstation and domain servers, and between primary and backup domain controllers.

The computer account is part of an implicit one-way trust relationship between the client computer and the controllers in its domain. Workstations request logon authentication for a user account from a domain server in the same way a server in a trusting domain requests validation from a server in a trusted domain. This trust relationship enables administrators to select a workstation or member server for administration in the same way they select a domain.

When the computer account is created, the Domain Admins global group is automatically added to the workstation or member server's Administrators local group. Domain administrators can then use Windows NT Server utilities to remotely manage the computer's user and group accounts, including adding global groups to the computer's local groups. Domain administrators can perform any functions on the computer itself that are allowed by the Administrators local group. The converse also holds: because every member computer carries this entry, a compromise of any Domain Admins member is a compromise of the Administrators local group on every workstation and member server in the domain.

For Windows NT Server domain controllers, computer accounts link the BDCs with the PDC and pair up trusting and trusted domains. Server trust accounts, created while setting up the secure communications channel, allow BDCs to copy the master directory database from the PDC. Interdomain trust accounts allow domain controllers in the trusting domain to pass authentication requests for user accounts through to domain controllers in the trusted domain, which holds those accounts.
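The checks a practitioner would want for the mechanisms described above (the secure channel a member computer holds with its domain controllers, and the Domain Admins entry in the local Administrators group) can be run from PowerShell on a current Windows domain member. The script below is an added example, not part of the Windows NT documentation; it assumes PowerShell 5.1 or later on a domain-joined computer. Test-ComputerSecureChannel, Reset-ComputerMachinePassword and Get-LocalGroupMember postdate Windows NT 4.0; nltest.exe, which on NT 4.0 came with the Resource Kit, is included with current Windows versions. The file name Test-DomainChannel.ps1 and the -Repair switch are this example's own.

```powershell
# Test-DomainChannel.ps1 (added example; hypothetical script name, not from the
# Windows NT documentation). Checks a member computer's secure channel to its
# domain and whether Domain Admins sits in the local Administrators group.
param(
    [string]$Domain = $env:USERDOMAIN,   # assumption: the computer's own domain
    [switch]$Repair                      # re-establish the channel if it is broken
)

# 1. Is the secure channel to a domain controller intact? This is the channel
#    NetLogon established using the computer account and its password.
$channelOk = Test-ComputerSecureChannel
"Secure channel to $Domain : $(if ($channelOk) { 'OK' } else { 'BROKEN' })"

# 2. Which domain controller NetLogon is paired with, and the channel status
#    as NetLogon records it (nltest /sc_query reports both).
nltest.exe /sc_query:$Domain

# 3. Membership of the local Administrators group. Joining the domain adds
#    Domain Admins here; that entry is what lets domain administrators manage
#    the computer remotely, and is why a Domain Admins compromise is a local
#    Administrators compromise on every member computer.
$admins = Get-LocalGroupMember -Group 'Administrators'
$admins | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
$domainAdminsPresent = $admins.Name -contains "$Domain\Domain Admins"
"Domain Admins in local Administrators: $domainAdminsPresent"

# 4. Repair a broken channel. -Repair resets the computer account password on
#    the computer and in the domain; the credential supplied must be allowed to
#    reset the computer account (Domain Admins, or delegated rights on it).
if (-not $channelOk -and $Repair) {
    $cred = Get-Credential -Message "Account allowed to reset $env:COMPUTERNAME`$ in $Domain"
    Test-ComputerSecureChannel -Repair -Credential $cred
}
```

Run it as `.\Test-DomainChannel.ps1` from an elevated prompt to report, or with `-Repair` to re-establish a broken channel; a channel that breaks repeatedly usually means the computer account password in the domain and on the computer have diverged (for example after restoring an old image), which the repair step resolves by resetting both.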