3.5.3 Initialization

The server side registers an endpoint with RPC over named pipes transport, using the NETLOGON named pipe<152><153> and an endpoint with RPC over TCP/IP. When DCRPCPort is present and is not NULL, and the server is a domain controller, then the DC MUST also register the port listed in DCRPCPort ([MS-RPCE] section 3.3.3.3.1.4). The server side MUST register the Netlogon security support provider authentication_type constant [0x44] as the security provider ([MS-RPCE] section 3.3.3.3.1.3) used by the RPC interface.

NetlogonSecurityDescriptor: Initialized to the following value, expressed in Security Descriptor Description Language (SDDL) ([MS-DTYP] section 2.5.1): D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU) S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
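The SDDL string above is what decides who may call the Netlogon RPC interface, but the two-letter abbreviations are hard to audit by eye. The following Python is an added example, not code from [MS-NRPC] or from Microsoft: it expands the descriptor into its individual ACEs so the DACL a live server exposes can be compared against the specified one. Abbreviations are decoded per [MS-DTYP] section 2.5.1.1; the right names are the generic SDDL ones, not a Netlogon-specific reading of the access mask, and only the D: and S: sections are handled.

```python
"""Expand the NetlogonSecurityDescriptor SDDL into its ACEs.

Added example; not code from [MS-NRPC] or from Microsoft. Abbreviations follow
[MS-DTYP] section 2.5.1.1. The bit names below are the generic SDDL ones, not
a Netlogon-specific interpretation of the access mask.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# The descriptor exactly as given in section 3.5.3.
NETLOGON_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU) "
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT"}
ACE_FLAGS = {
    "SA": "SUCCESSFUL_ACCESS_ACE_FLAG", "FA": "FAILED_ACCESS_ACE_FLAG",
    "CI": "CONTAINER_INHERIT_ACE", "OI": "OBJECT_INHERIT_ACE", "ID": "INHERITED_ACE",
}
# abbreviation -> (access-mask bit, generic SDDL name)
RIGHTS = {
    "CC": (0x00000001, "CREATE_CHILD"),
    "DC": (0x00000002, "DELETE_CHILD"),
    "LC": (0x00000004, "LIST_CHILDREN"),
    "SW": (0x00000008, "SELF_WRITE"),
    "RP": (0x00000010, "READ_PROPERTY"),
    "WP": (0x00000020, "WRITE_PROPERTY"),
    "DT": (0x00000040, "DELETE_TREE"),
    "LO": (0x00000080, "LIST_OBJECT"),
    "CR": (0x00000100, "CONTROL_ACCESS"),
    "SD": (0x00010000, "DELETE"),
    "RC": (0x00020000, "READ_CONTROL"),
    "WD": (0x00040000, "WRITE_DAC"),
    "WO": (0x00080000, "WRITE_OWNER"),
}
SIDS = {"SY": "Local System", "BA": "Builtin Administrators",
        "IU": "Interactive Users", "SU": "Service Logon", "WD": "Everyone"}


@dataclass
class Ace:
    acl: str            # "D" for a DACL entry, "S" for a SACL entry
    ace_type: str
    flags: List[str]
    mask: int
    rights: List[str]
    principal: str


def _pairs(s: str) -> List[str]:
    """Split 'CCLCSW' into ['CC', 'LC', 'SW']."""
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def access_mask(rights: str) -> int:
    """Fold a rights field (abbreviations or 0x-hex) into an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    if len(rights) % 2:
        raise ValueError(f"odd-length rights field: {rights!r}")
    mask = 0
    for abbrev in _pairs(rights):
        if abbrev not in RIGHTS:
            raise ValueError(f"unknown right abbreviation {abbrev!r}")
        mask |= RIGHTS[abbrev][0]
    return mask


_SECTION_RE = re.compile(r"([DS]):[A-Z]*((?:\([^)]*\))*)")
_ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_sddl(sddl: str) -> List[Ace]:
    """Return every ACE in the D: and S: sections, in order. O:/G: are ignored."""
    aces: List[Ace] = []
    for section in _SECTION_RE.finditer(sddl):
        acl = section.group(1)
        for m in _ACE_RE.finditer(section.group(2)):
            parts = m.group(1).split(";")
            if len(parts) != 6:
                raise ValueError(f"malformed ACE {m.group(0)!r}")
            ace_type, flags, rights, _object_guid, _inherit_guid, sid = parts
            mask = access_mask(rights)
            aces.append(Ace(
                acl=acl,
                ace_type=ACE_TYPES.get(ace_type, ace_type),
                flags=[ACE_FLAGS.get(f, f) for f in _pairs(flags)],
                mask=mask,
                rights=[name for bit, name in RIGHTS.values() if mask & bit],
                principal=SIDS.get(sid, sid),
            ))
    return aces


def dacl_allows(sddl: str) -> Dict[str, int]:
    """Principal -> combined ACCESS_ALLOWED mask from the DACL."""
    allowed: Dict[str, int] = {}
    for ace in parse_sddl(sddl):
        if ace.acl == "D" and ace.ace_type == "ACCESS_ALLOWED":
            allowed[ace.principal] = allowed.get(ace.principal, 0) | ace.mask
    return allowed


if __name__ == "__main__":
    for ace in parse_sddl(NETLOGON_SDDL):
        print(f"{ace.acl} {ace.ace_type:<14} {ace.principal:<22} "
              f"0x{ace.mask:06X} {' '.join(ace.rights)} {' '.join(ace.flags)}")
```

Running it shows the shape of the policy: Local System and Builtin Administrators hold the full set (only BA additionally has DC, SD, WD and WO, i.e. delete and owner/DACL control), while Interactive and Service logons get the reduced CCLCSWLOCRRC set without RP, WP or DT, and the SACL audits failed access by Everyone against the full mask.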

ChallengeTable MUST be empty.

ClientSessionInfo MUST be empty.

RefusePasswordChange SHOULD be FALSE.

The ServerCapabilities field SHOULD be initialized to reflect the capabilities offered by that server implementation.

RejectMD5Clients SHOULD be initialized in an implementation-specific way and SHOULD be FALSE. Implementations that use the Windows registry to persistently store and retrieve the RejectMD5Clients variable SHOULD use the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters registry path and RejectMD5Clients key.

SealSecureChannel SHOULD be TRUE.

SignSecureChannel SHOULD be initialized in an implementation-specific way and SHOULD be TRUE. Implementations that use the Windows registry ([MS-GPSB] section 2.2.5) to persistently store and retrieve the SignSecureChannel variable SHOULD use the following:

  • RegistryValueName: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters

  • RegistryValueType: 4

  • RegistryValue: SignSecureChannel

These registry keys and values MUST be exposed at a specified registry path via the Windows Remote Registry Protocol [MS-RRP]. For each abstract data model element that is loaded from the registry, there is one instance that is shared between RRP and the protocol(s) that use the abstract data model element. Any changes made to the RejectMD5Clients registry key will not be reflected in the abstract data model elements until the Netlogon server is stopped and restarted. Any changes made to the SignSecureChannel registry key will be reflected in the abstract data model elements when a PolicyChange event ([MS-GPSB]) is received (section 3.1.6).

StrongKeySupport SHOULD be TRUE.<154>

NetbiosDomainName is a shared abstract data model element with DomainName.NetBIOS ([MS-DISO] section 4.3.1.1).

DomainGuid: Prior to the initialization of the Netlogon Remote Protocol, DomainGuid has already been initialized, as described in [MS-DISO] section 4.3.1.1, since Netlogon Remote Protocol is running on a system already joined to a domain.

DomainSid: Prior to the initialization of the Netlogon Remote Protocol, DomainSid has already been initialized, as described in [MS-DISO] section 4.3.1.1, since Netlogon Remote Protocol is running on a system already joined to a domain.

AllowSingleLabelDNSDomain SHOULD be set to a locally configured value.<155>

AllowDnsSuffixSearch SHOULD be set to TRUE.<156>

SiteName SHOULD be initialized from msDS-SiteName ([MS-ADTS] section 3.1.1.4.5.29) of the computer object if the server is a DC. If the server is not a DC, this abstract data model element SHOULD be set to a locally configured value.<157>

NextClosestSiteName SHOULD be initialized as follows: if the server is a DC, the server SHOULD invoke IDL_DRSQuerySitesByCost ([MS-DRSR] section 4.1.16), setting NextClosestSiteName to the site that is closest to SiteName but not equal to SiteName. If the server is not a DC, this abstract data model element SHOULD be initialized to NULL.

DynamicSiteNameSetTime MUST be set to a value such that DynamicSiteNameSetTime plus DynamicSiteNameTimeout is less than the current time.

FailedDiscoveryCachePeriod SHOULD be set to a locally configured value.<158>

CacheEntryValidityPeriod SHOULD be set to a locally configured value.<159>

CacheEntryPingValidityPeriod SHOULD be set to a locally configured value.<160>

If the NRPC server is a DC, then the following abstract data model variables are initialized:

  • DCRPCPort SHOULD be initialized in an implementation-specific way and MUST default to NULL. Implementations that use the Windows registry to persistently store and retrieve the DCRPCPort variable SHOULD use the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters registry path and DCRPCPort key.

  • DnsForestName SHOULD be initialized from the fully qualified domain name (FQDN) (2) of rootDomainNamingContext ([MS-ADTS] section 3.1.1.3.2.16).

  • TrustedDomainObjectsCollection is initialized as described in [MS-LSAD] section 3.1.1.5.

  • The NT4Emulator field SHOULD be FALSE.

  • RejectDES SHOULD be initialized in an implementation-specific way and SHOULD default to TRUE.<161> Implementations that use the Windows registry to persistently store and retrieve the RejectDES variable SHOULD use the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters registry path and AllowNT4Crypto key set to the negation of the RejectDES variable.

  • ServerServiceBits SHOULD be initialized to zero.

  • SiteCoverage SHOULD be initialized in an implementation-specific way and MUST default to NULL. Implementations that use the Windows registry to persistently store and retrieve the SiteCoverage variable SHOULD use the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters registry path and SiteCoverage key.
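Several of the elements above (RejectMD5Clients and SignSecureChannel earlier in the section, and DCRPCPort, RejectDES and SiteCoverage in this list) are loaded from the same Parameters key, each with its own default and, for RejectDES, an inverted on-disk representation. The following Python is an added example, not code from [MS-NRPC] or from Microsoft: it parses a .reg-style export of that key and derives the initial ADM values the section prescribes, then reports which ones deviate from the specified defaults. The registry dump is constructed for the example; treating DCRPCPort as REG_DWORD is an assumption, since the section names the value but not its type.

```python
"""Derive Netlogon ADM initial values from a registry export.

Added example; not code from [MS-NRPC] or from Microsoft. It parses a .reg-style
text dump of the Parameters key and applies the defaults and the AllowNT4Crypto
negation described in section 3.5.3. The dump below is constructed, not captured
from any real host.
"""
import re
from typing import Any, Dict, List, Optional

PARAMETERS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters"

# Constructed sample. DCRPCPort is written as REG_DWORD here (an assumption of
# this example; section 3.5.3 names the value but not its type).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters]
"RejectMD5Clients"=dword:00000000
"SignSecureChannel"=dword:00000001
"AllowNT4Crypto"=dword:00000001
"DCRPCPort"=dword:0000c000
"""

# Initial values section 3.5.3 gives when nothing is stored.
SPEC_DEFAULTS: Dict[str, Any] = {
    "RejectMD5Clients": False,   # SHOULD be FALSE
    "SignSecureChannel": True,   # SHOULD be TRUE
    "DCRPCPort": None,           # MUST default to NULL (DC only)
    "RejectDES": True,           # SHOULD default to TRUE (DC only)
    "SiteCoverage": None,        # MUST default to NULL (DC only)
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')
_SZ_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg(text: str) -> Dict[str, Dict[str, Any]]:
    """Parse a .reg export into {key path: {value name: value}}.

    REG_DWORD becomes int, REG_SZ becomes str; any other encoding is kept as
    its raw right-hand side so nothing is silently dropped.
    """
    keys: Dict[str, Dict[str, Any]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"value before any [key] line: {line!r}")
        m = _DWORD_RE.match(line)
        if m:
            keys[current][m.group(1)] = int(m.group(2), 16)
            continue
        m = _SZ_RE.match(line)
        if m:
            keys[current][m.group(1)] = m.group(2)
            continue
        name, _, rest = line.partition("=")
        keys[current][name.strip('"')] = rest
    return keys


def derive_adm(values: Dict[str, Any], is_dc: bool) -> Dict[str, Any]:
    """Apply section 3.5.3's defaults to the stored values of the Parameters key."""
    sign = values.get("SignSecureChannel", 1)
    if not isinstance(sign, int):
        # Section 3.5.3 specifies RegistryValueType 4 (REG_DWORD) for this value.
        raise TypeError("SignSecureChannel must be REG_DWORD")
    adm: Dict[str, Any] = {
        "RejectMD5Clients": bool(values.get("RejectMD5Clients", 0)),
        "SignSecureChannel": bool(sign),
    }
    if is_dc:
        adm["DCRPCPort"] = values.get("DCRPCPort")
        # RejectDES is persisted inverted, as AllowNT4Crypto. Absent -> RejectDES TRUE.
        allow_nt4 = values.get("AllowNT4Crypto")
        adm["RejectDES"] = True if allow_nt4 is None else not bool(allow_nt4)
        adm["SiteCoverage"] = values.get("SiteCoverage")
    return adm


def deviations(adm: Dict[str, Any]) -> List[str]:
    """Names of ADM elements whose derived value differs from the spec default."""
    return sorted(name for name, value in adm.items() if SPEC_DEFAULTS[name] != value)


if __name__ == "__main__":
    stored = parse_reg(SAMPLE_REG)[PARAMETERS_KEY]
    adm = derive_adm(stored, is_dc=True)
    for name, value in adm.items():
        flag = "(non-default)" if name in deviations(adm) else ""
        print(f"{name:<18} {value!r:<8} {flag}")
```

On the constructed dump the report flags RejectDES (AllowNT4Crypto=1 inverts to RejectDES FALSE) and DCRPCPort (non-NULL). When reading a live export, remember the timing rule stated above: a RejectMD5Clients value found on disk only describes the running ADM after the Netlogon server has been restarted, whereas SignSecureChannel follows the registry as soon as a PolicyChange event arrives.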

© 2014 Microsoft