As an application that runs on Windows NT Server, Microsoft Exchange Server takes advantage of important features, such as security, provided by the operating system. Although domains and sites are unrelated (domains are specific to Windows NT Server, and sites are specific to Microsoft Exchange Server), resources in sites rely on domains to perform essential security operations. For example, to prevent unauthorized users and services from gaining access to Microsoft Exchange Server resources, domains authenticate users when they log on to their mailboxes. They also validate Microsoft Exchange Server services.
All Microsoft Exchange Server components run on Windows NT Server as multithreaded Windows NT services. Just as users must be authenticated by a domain to log on to a client computer, Microsoft Exchange Server services must be authenticated by a domain to run in the site. Microsoft Exchange Server services, such as the system attendant, the information store, and the directory, use a type of user account called a service account. A service account is a Windows NT user account that services use to gain access to the system. For example, the directory service uses the site's service account to read and write to the local directory and directories on other servers.
A site's service account must be authenticated by the domain that contains the Microsoft Exchange Server computers, or by a domain that domain trusts, before Microsoft Exchange Server services can interact with one another. To send mail between two servers in a site, the message transfer agent (MTA) on one server should use the same service account as the MTA on the other server. Each site can have only one service account.
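A consistency check an administrator can run against the one-service-account-per-site rule, as an added example that is not from the original documentation: it parses the `SERVICE_START_NAME` line that `sc qc <service>` prints for each core Exchange service and reports any service that runs under a different account, under a non-domain account such as LocalSystem, or under a domain that is neither the site's own domain nor a trusted one. The service names, the domain name CORP and the sample `sc qc` output are assumptions.

```python
import re

# Core Exchange services (names assumed): system attendant, information
# store, directory and message transfer agent.
EXCHANGE_SERVICES = ("MSExchangeSA", "MSExchangeIS", "MSExchangeDS", "MSExchangeMTA")
START_NAME_RE = re.compile(r"^\s*SERVICE_START_NAME\s*:\s*(.+?)\s*$", re.MULTILINE)


def fake_sc_qc(service, account):
    """Constructed stand-in for the text `sc qc <service>` prints."""
    return (f"SERVICE_NAME: {service}\n"
            f"        TYPE               : 10  WIN32_OWN_PROCESS\n"
            f"        START_TYPE         : 2   AUTO_START\n"
            f"        SERVICE_START_NAME : {account}\n")


def parse_start_name(sc_qc_output):
    """Return the logon account from `sc qc` output, or None if absent."""
    match = START_NAME_RE.search(sc_qc_output)
    return match.group(1) if match else None


def audit(outputs, trusted_domains):
    """outputs: {service name: `sc qc` text}; trusted_domains: the site's own
    domain plus the domains it trusts. Returns findings; [] means consistent."""
    trusted = {d.upper() for d in trusted_domains}
    accounts, findings = {}, []
    for svc in EXCHANGE_SERVICES:
        text = outputs.get(svc)
        if text is None:
            findings.append(f"{svc}: service not installed")
            continue
        account = parse_start_name(text)
        if account is None:
            findings.append(f"{svc}: SERVICE_START_NAME not found")
            continue
        accounts[svc] = account.lower()  # Windows account names are case-insensitive
        if "\\" not in account:
            # LocalSystem or a local account: no domain ever authenticates it
            findings.append(f"{svc}: runs as {account}, not a domain account")
            continue
        domain = account.split("\\", 1)[0]
        if domain.upper() not in trusted:
            findings.append(f"{svc}: domain {domain} is not the site's domain or a trusted domain")
    distinct = sorted(set(accounts.values()))
    if len(distinct) > 1:  # the rule: one service account per site
        findings.append("services use more than one service account: " + ", ".join(distinct))
    return findings


# Constructed samples: all four services share CORP\ExchService, then the MTA
# deviates by running as LocalSystem.
CONSISTENT = {svc: fake_sc_qc(svc, "CORP\\ExchService") for svc in EXCHANGE_SERVICES}
MTA_AS_LOCALSYSTEM = dict(CONSISTENT, MSExchangeMTA=fake_sc_qc("MSExchangeMTA", "LocalSystem"))
```

On a real server, replace the constructed samples with the captured output of `sc qc` for each service name.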