
7 Appendix B: Product Behavior

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include released service packs:

  • Windows NT operating system

  • Windows 2000 operating system

  • Windows XP operating system

  • Windows Server 2003 operating system

  • Windows Vista operating system

  • Windows Server 2008 operating system

  • Windows 7 operating system

  • Windows Server 2008 R2 operating system

  • Windows 8 operating system

  • Windows Server 2012 operating system

  • Windows 8.1 operating system

  • Windows Server 2012 R2 operating system

Exceptions, if any, are noted below. If a service pack or Quick Fix Engineering (QFE) number appears with the product version, behavior changed in that service pack or QFE. The new behavior also applies to subsequent service packs of the product unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms SHOULD or SHOULD NOT implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term MAY implies that the product does not follow the prescription.

<1> Section 1.3.3: This is achieved in Windows via replication of the account database among domain controllers so that each DC in the domain has the same copy of the database. On Windows NT 4.0 domain controllers, this replication is performed by the Netlogon replication protocol. Starting with Windows 2000, the replication is performed by the Active Directory replication service (see [MS-ADTS]).

<2> Section 1.3.3: The synchronization between DCs running Windows 2000 or Windows Server 2003 is performed by the Active Directory replication service [MS-ADTS]. The synchronization involving a DC running Windows NT 4.0 is performed by the Netlogon service.

<3> Section 1.3.3: In Windows NT 4.0, a single DC in a domain was designated the primary domain controller, or PDC. The PDC was the only domain controller that accepted changes to the account information it stored. A Windows NT 4.0 domain had zero or more backup domain controllers, or BDCs.

<4> Section 1.3.3: Netlogon replication requires the PDC to run Windows NT Server 4.0, Windows 2000 Server, or Windows Server 2003, while BDCs must run Windows NT Server 4.0. Windows Server 2008 will not support replication to Windows NT 4.0 BDCs.

<5> Section 1.3.7.2: By default, Netlogon changes the machine account password every 30 days. The value is configurable with a minimum of one day and maximum of 1,000,000 days.

<6> Section 2.2.1.1.2: The value is ignored by the Windows NT 4.0 implementation.

<7> Section 2.2.1.2.1: This structure is introduced in Windows 2000 and is not present in Windows NT.

<8> Section 2.2.1.2.1: IPv6 is supported starting with Windows Vista and is not supported in Windows NT, Windows 2000, Windows XP, or Windows Server 2003.

<9> Section 2.2.1.2.1: For Windows NT, Windows 2000 Server, Windows XP, and Windows Server 2003, this will be an IPv4 address. For all other versions of Windows, this address can be an IPv4 or IPv6 address.

<10> Section 2.2.1.2.1: Windows NT-based domain controllers do not have a domainGUID.

<11> Section 2.2.1.2.1: Read-only DC is not supported in Windows 2000 and Windows Server 2003 DCs.

<12> Section 2.2.1.2.1: Writable domain controller is not supported in Windows 2000 and Windows Server 2003. The concept of designating a DC as writable was added when read-only DCs were created.

<13> Section 2.2.1.2.1: Added in Windows 7 and Windows Server 2008 R2; also present in Windows Server 2003 and Windows Server 2008 when Active Directory Management Gateway Service is installed.

<14> Section 2.2.1.2.1: Windows NT-based domain controllers do not have an associated site.

<15> Section 2.2.1.2.5: Added in Windows Server 2008.

<16> Section 2.2.1.2.6: Added in Windows Server 2008.

<17> Section 2.2.1.3.3: The NL_AUTH_SHA2_SIGNATURE structure is not supported by Windows NT, Windows 2000, Windows XP, Windows Server 2003, or Windows Vista.

<18> Section 2.2.1.3.6: This structure was introduced in Windows 2000, and is not present in Windows NT.

<19> Section 2.2.1.3.6: The name of the client's operating system is used. The following are the strings used by Windows:

  • For Windows 2000 Professional SKUs: "Windows 2000"

  • For Windows 2000 Server SKUs: "Windows 2000 Server"

  • For Windows XP Professional SKUs: "Windows XP Professional"

  • For Windows Server 2003 SKUs: "Windows Server 2003"

  • For Windows Vista and Windows 7 SKUs: The name of the product is used. For example, for Windows 7 Ultimate, the string "Windows 7 Ultimate" is used.

  • For Windows 8 SKUs: The name of the product is used. For example, for Windows 8 Enterprise, the string "Windows 8 Enterprise" is used.

  • For Windows Server 2008 and Windows Server 2008 R2 SKUs: the name of the product is used. For example, for Windows Server 2008 Enterprise, the string "Windows Server 2008 Enterprise" is used.

  • For Windows Server 2012 SKUs: the name of the product is used. For example, for Windows Server 2012, the string "Windows Server 2012" is used.

<20> Section 2.2.1.3.6: Not supported in Windows NT, Windows 2000 and Windows Server 2003.

<21> Section 2.2.1.3.7: This structure was introduced in Windows 2000 Server and is not present in Windows NT.

<22> Section 2.2.1.3.8: This structure was introduced in Windows 2000 Server and is not present in Windows NT.

<23> Section 2.2.1.3.9: This structure was introduced in Windows 2000 and is not present in Windows NT.

<24> Section 2.2.1.3.10: This structure was introduced in Windows 2000 and is not present in Windows NT.

<25> Section 2.2.1.3.11: This structure was introduced in Windows 2000 and is not present in Windows NT.

<26> Section 2.2.1.3.11: SupportedEncTypes was added in Windows Vista and Windows Server 2008. Windows Server 2003 and client and server versions of Windows NT, Windows 2000, and Windows XP ignore this field.

<27> Section 2.2.1.3.12: This structure was introduced in Windows 2000 and is not present in Windows NT.

<28> Section 2.2.1.3.13: This DC type is available only in Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.

<29> Section 2.2.1.3.13: Added in Windows Server 2008, and supported in Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.

<30> Section 2.2.1.3.14: This union is supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<31> Section 2.2.1.3.15: The normal (writable) DC cannot be a Windows Server 2003 or a Windows 2000 Server DC.

<32> Section 2.2.1.3.15: Added in Windows Server 2008. The Netlogon server ignores this value.

<33> Section 2.2.1.3.16: The normal (writable) DC cannot be a Windows 2000 Server or a Windows Server 2003 domain controller.

<34> Section 2.2.1.3.16: Added in Windows Server 2008.

<35> Section 2.2.1.3.17: Support for version 1 was added in Windows Server 2008.

<36> Section 2.2.1.3.18: The normal (writable) DC cannot be a Windows 2000 Server or a Windows Server 2003 DC.

<37> Section 2.2.1.3.18: The read-only domain controller (RODC) that invoked the method NetrChainSetClientAttributes will attempt to replicate the computer account object from HubName to itself, ignoring errors.

<38> Section 2.2.1.3.18: Added in Windows Server 2008.

<39> Section 2.2.1.3.19: Added in Windows Server 2008.

<40> Section 2.2.1.4.16: The NetlogonInteractiveInformation type is not supported in Windows Vista.

<41> Section 2.2.1.4.16: The NetlogonNetworkInformation type is not supported in Windows Vista.

<42> Section 2.2.1.4.16: The NetlogonServiceInformation type is not supported in Windows Vista.

<43> Section 2.2.1.4.16: The NetlogonGenericInformation type is not supported in Windows Vista.

<44> Section 2.2.1.4.16: The NetlogonInteractiveTransitiveInformation type is not supported in Windows Vista.

<45> Section 2.2.1.4.16: The NetlogonNetworkTransitiveInformation type is not supported in Windows Vista.

<46> Section 2.2.1.4.16: The NetlogonServiceTransitiveInformation type is not supported in Windows Vista.

<47> Section 2.2.1.4.17: Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Windows Server 2008, Windows 7, and Windows Server 2008 R2: NETLOGON_VALIDATION_INFO_CLASS enumeration has NetlogonValidationUasInfo type defined. This value is used by LAN Manager in support of LAN Manager products, and is beyond the scope of this document.

<48> Section 2.2.1.4.17: Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2: NETLOGON_VALIDATION_INFO_CLASS enumeration has NetlogonValidationUasInfo type defined. This value is used by LAN Manager in support of LAN Manager products, and is beyond the scope of this document.

<49> Section 2.2.1.4.17: The NetlogonValidationSamInfo type is not supported in Windows Vista.

<50> Section 2.2.1.4.17: The NetlogonValidationSamInfo2 type is not supported in Windows Vista.

<51> Section 2.2.1.4.17: The NetlogonValidationGenericInfo type is not supported in Windows Vista.

<52> Section 2.2.1.4.17: The NetlogonValidationGenericInfo2 type is not supported in Windows Vista.

<53> Section 2.2.1.4.17: The NetlogonValidationSamInfo4 type is not supported in Windows Vista.

<54> Section 2.2.1.5.1: The recipient of the message waits for the indicated number of seconds before contacting the sender.

<55> Section 2.2.1.5.22: Starting with Windows 2000, NumControllerEntries is always set to zero in this structure.

<56> Section 2.2.1.5.22: Starting with Windows 2000, ControllerNames is always set to NULL in this structure.

<57> Section 2.2.1.5.28: In Windows NT 4.0 replication, this type requires NegotiateFlag=0x00000010. For more information, see the Capability Negotiation bullet in section 1.7 and the NegotiateFlags field description in sections 3.5.4.4.3 (NetrServerAuthenticate2) and 3.5.4.4.2 (NetrServerAuthenticate3).

<58> Section 2.2.1.5.28: In Windows NT 4.0 replication, this type requires NegotiateFlag=0x00000010. For more information, see the Capability Negotiation bullet in section 1.7 and the NegotiateFlags field description in sections 3.5.4.4.3 (NetrServerAuthenticate2) and 3.5.4.4.2 (NetrServerAuthenticate3).

<59> Section 2.2.1.5.28: In Windows NT 4.0 replication, this type requires NegotiateFlag=0x00000010. For more information, see the Capability Negotiation bullet in section 1.7 and the NegotiateFlags field description in sections 3.5.4.4.3 (NetrServerAuthenticate2) and 3.5.4.4.2 (NetrServerAuthenticate3).

<60> Section 2.2.1.6.2: Windows NT does not support this structure.

<61> Section 2.2.1.6.2: Windows NT.

<62> Section 2.2.1.6.2: Windows 2000, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.

<63> Section 2.2.1.6.3: This structure was introduced in Windows 2000 and is not present in Windows NT.

<64> Section 2.2.1.6.4: This structure was introduced in Windows XP and is not present in Windows NT or Windows 2000.

<65> Section 2.2.1.7.2: Flags A, B, C, and D are available in all versions of Windows. Flags E, F, and G were introduced in Windows 2000 and are not available in Windows NT.

<66> Section 2.2.1.7.2: This flag is set only in the query response from a Windows NT 4.0-based backup domain controller.

<67> Section 2.2.1.7.2: This flag can be set only in the query response from a Windows NT 4.0-based backup domain controller.

<68> Section 2.2.1.7.2: This flag can be set only in the query response from a Windows NT 4.0-based backup domain controller.

<69> Section 2.2.1.7.2: This flag can be set only in the query response from a Windows NT 4.0-based backup domain controller.

<70> Section 2.2.1.7.2: This flag can be set only in the query response from a domain controller running Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, or Windows Server 2012 R2.

<71> Section 2.2.1.7.2: This flag can be set only in the query response from a domain controller running Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, or Windows Server 2012 R2.

<72> Section 2.2.1.7.2: This flag can be set only in the query response from a domain controller running Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, or Windows Server 2012 R2.

<73> Section 2.2.1.7.3: Flags A and B are not available for use in Windows NT. Flag C was introduced in Windows Server 2003.

<74> Section 2.2.1.7.3: This flag cannot be set in the query response from a server running Windows NT.

<75> Section 2.2.1.7.3: This flag cannot be set in the query response from a server running Windows NT.

<76> Section 2.2.1.7.3: This flag cannot be set in the query response from a server running Windows NT.

<77> Section 2.2.1.8.4: Windows never uses this structure.

<78> Section 3: In Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 the server defaults to the primary domain if the name is not found.

<79> Section 3.1.1: In Windows 2000 Server, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2, for computer accounts in a domain, the OWF of the shared secret is stored in the unicodePwd attribute of the computer account object in Active Directory ([MS-ADTS] section 6.4.2). For trusts with Windows 2000, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 domains, the shared secret is stored in the trustAuthIncoming attribute ([MS-ADTS] section 6.1.6.7.10) and the trustAuthOutgoing attribute ([MS-ADTS] section 6.1.6.7.11) of the trusted domain object (TDO) that contains trust information in Active Directory ([MS-ADTS] section 6.1.6.9.1). Depending on the AuthType either the shared secret (TRUST_AUTH_TYPE_CLEAR) or NTOWFv1 (TRUST_AUTH_TYPE_NT4OWF) is stored. For trusts with Windows NT 4.0 domains, the OWF of the shared secret is stored in the trustAuth attribute of the corresponding TDO for the Windows NT 4.0 domain.

<80> Section 3.1.1: In Windows NT 4.0 ([MS-SAMR] section 3.1.1.3), the OWF of the shared secret is stored as an attribute of the computer account object (for domain members) or the interdomain trust account object (for domain trusts).

<81> Section 3.1.1: Windows uses the Netlogon Remote Protocol to change the machine account password every 30 days by default.

<82> Section 3.1.1: For trusts with Windows 2000, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 domains, the trust password version is stored in the TRUST_AUTH_TYPE_VERSION of the trustAuthIncoming attribute ([MS-ADTS] section 6.1.6.7.10) and the trustAuthOutgoing attribute ([MS-ADTS] section 6.1.6.7.11) of the TDO that contains trust information in Active Directory ([MS-ADTS] section 6.1.6.9.1). The trust password version is not maintained for Windows NT 4.0 domains.

<83> Section 3.1.4.1: Supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<84> Section 3.1.4.1: Supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<85> Section 3.1.4.1: Supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<86> Section 3.1.4.2: Added in Windows 2000 Server; not supported in Windows NT.

<87> Section 3.1.4.2: Added in Windows 2000 Server; not supported in Windows NT.

<88> Section 3.1.4.2: Added in Windows 2000 Server; not supported in Windows NT.

<89> Section 3.1.4.2: Added in Windows 2000 Server; not supported in Windows NT.

<90> Section 3.1.4.2: Added in Windows 2000 Server; not supported in Windows NT.

<91> Section 3.1.4.2: Added in Windows 2000 Server; not supported in Windows NT.

<92> Section 3.1.4.2: Added in Windows 2000 Server; not supported in Windows NT.

<93> Section 3.1.4.2: Added in Windows 2000 Server; not supported in Windows NT.

<94> Section 3.1.4.2: Added in Windows 2000 Server; not supported in Windows NT.

<95> Section 3.1.4.2: Added in Windows XP; not supported in Windows NT or Windows 2000.

<96> Section 3.1.4.2: Added in Windows XP and supported in Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2.

<97> Section 3.1.4.2: Added in Windows Vista and supported in Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<98> Section 3.1.4.2: Supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<99> Section 3.1.4.2: Added in Windows NT 4.0 SP2.

<100> Section 3.1.4.6: For Windows NT, the client binds to the RPC server using named pipes. For Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2, the client binds to the RPC server using TCP. If RPC returns an error indicating that the protocol sequence is not supported, then the client binds to the RPC server using named pipes.

<101> Section 3.1.4.6: Windows NT 4.0 SP4 does not support Secure RPC and does not perform a secure bind.

<102> Section 3.1.4.6: Windows caches and reuses the binding for subsequent RPC calls to the server.

<103> Section 3.3: The Windows Netlogon SSP is not provided for use by other applications. It has neither the full functionality of public SSPs nor access from non-LSA applications.

<104> Section 3.3: This Netlogon capability was added in Windows NT 4.0 SP6.

<105> Section 3.3.4.2.2: Windows disregards the Flags data.

<106> Section 3.4: Netlogon runs only on machines joined to a domain ([MS-ADTS] section 6.4). Upon startup, it locates a domain controller and establishes a secure channel to it. It is used for secure communication between the client and the domain controller and for passing sensitive data between the two entities. Starting with Windows 2000 Server, Netlogon also registers the service principal names (SPNs) for the computer that it runs on. It registers the SPNs of the form "HOST/NetBIOSName" and "HOST/Full.Dns.Name", which updates the servicePrincipalName attribute of the computer account object in Active Directory.

<107> Section 3.4.1: Supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<108> Section 3.4.1: This ADM element does not exist in Windows NT.

<109> Section 3.4.3: All versions of Windows use 4096. Other implementations can use any value.

<110> Section 3.4.3: Implementations that use the Windows registry to persistently store and retrieve the settings for ClientCapabilities bit O SHOULD use the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters registry path and the SignSecureChannel and SealSecureChannel values to indicate whether bit O should be set. If either of these registry values is set to 0x1, then bit O SHOULD be set. Implementations that use the Windows registry to persistently store settings for ClientCapabilities bit U SHOULD use the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters registry path and the NeutralizeNt4Emulator value to indicate whether bit U should be set. If this registry value is set to 0x1, then bit U SHOULD be set.

<111> Section 3.4.3: Windows NT 4.0 SP4, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 initialize RequireSignOrSeal to FALSE.

<112> Section 3.4.3: Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 initialize RequireStrongKey to FALSE.

<113> Section 3.4.5.1.3: All applications available as part of Windows set the SiteGuid parameter to NULL.

<114> Section 3.4.5.1.11: The ServerName is a normal (writable) DC, but is not a Windows Server 2003 or a Windows 2000 Server DC.

<115> Section 3.4.5.1.11: The client has to be an RODC.

<116> Section 3.4.5.2.3: This method was only used in Windows NT 3.5 and Windows NT 4.0.

<117> Section 3.4.5.2.4: This method was only used in Windows NT Server 3.1.

<118> Section 3.4.5.2.5: Windows clients re-establish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<119> Section 3.4.5.2.6: Windows clients re-establish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<120> Section 3.4.5.2.7: Windows clients re-establish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<121> Section 3.4.5.2.9: Windows clients reestablish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<122> Section 3.4.5.2.10: NetrLogonGetCapabilities is not supported by Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, or Windows Server 2008 clients.

<123> Section 3.4.5.2.10: Supported by Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<124> Section 3.4.5.2.10: For Windows DCs, this error means the DC is a Windows NT, Windows Server 2003, or Windows Server 2008 machine.

<125> Section 3.4.5.2.10: Windows clients re-establish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<126> Section 3.4.5.2.11: The normal (writable) DC cannot be a Windows 2000 Server or a Windows Server 2003 DC.

<127> Section 3.4.5.2.11: The client reestablishes the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<128> Section 3.4.5.3.2: For all versions of Windows except Windows NT 3.1, encrypt by using the negotiated encryption algorithm and the session key.

For Windows NT 3.1, encrypt as follows.

InitLMKey(KeyIn, KeyOut)
     // Spread the 56 key bits in KeyIn[0..6] over 8 bytes; bit 0 of each
     // output byte is left clear for the DES parity position.
     KeyOut[0] = KeyIn[0] >> 0x01;
     KeyOut[1] = ((KeyIn[0]&0x01)<<6) | (KeyIn[1]>>2);
     KeyOut[2] = ((KeyIn[1]&0x03)<<5) | (KeyIn[2]>>3);
     KeyOut[3] = ((KeyIn[2]&0x07)<<4) | (KeyIn[3]>>4);
     KeyOut[4] = ((KeyIn[3]&0x0F)<<3) | (KeyIn[4]>>5);
     KeyOut[5] = ((KeyIn[4]&0x1F)<<2) | (KeyIn[5]>>6);
     KeyOut[6] = ((KeyIn[5]&0x3F)<<1) | (KeyIn[6]>>7);
     KeyOut[7] = KeyIn[6] & 0x7F;
     // Shift every byte left by one (viewed as two little-endian DWORDs)
     // and clear the low bit of each byte.
     ((DWORD*)KeyOut)[0] <<= 1;
     ((DWORD*)KeyOut)[1] <<= 1;
     ((DWORD*)KeyOut)[0] &= 0xfefefefe;
     ((DWORD*)KeyOut)[1] &= 0xfefefefe;

Assume bytes(s, e, l) returns bytes s through e (inclusive) of the byte array l, and that concat(a1, a2) returns a byte array containing the bytes of array a1 followed by the bytes of array a2.

LMDESECB(Input, Sk, Output)
     SET k1 to bytes(0, 7, Sk)
     CALL InitLMKey(k1, k3)
     SET k2 to bytes(8, 15, Sk)
     CALL InitLMKey(k2, k4)
     SET i1 to bytes(0, 7, Input)
     SET i2 to bytes(8, 15, Input)
     CALL DES_ECB(i1, k3, &output1)
     CALL DES_ECB(i2, k4, &output2)
     SET Output to concat(output1, output2)

<129> Section 3.4.5.3.2: For all versions of Windows except Windows NT 3.1, encrypt using the negotiated encryption algorithm and the session key.

For Windows NT 3.1, encrypt as follows.

InitLMKey(KeyIn, KeyOut)
     // Spread the 56 key bits in KeyIn[0..6] over 8 bytes; bit 0 of each
     // output byte is left clear for the DES parity position.
     KeyOut[0] = KeyIn[0] >> 0x01;
     KeyOut[1] = ((KeyIn[0]&0x01)<<6) | (KeyIn[1]>>2);
     KeyOut[2] = ((KeyIn[1]&0x03)<<5) | (KeyIn[2]>>3);
     KeyOut[3] = ((KeyIn[2]&0x07)<<4) | (KeyIn[3]>>4);
     KeyOut[4] = ((KeyIn[3]&0x0F)<<3) | (KeyIn[4]>>5);
     KeyOut[5] = ((KeyIn[4]&0x1F)<<2) | (KeyIn[5]>>6);
     KeyOut[6] = ((KeyIn[5]&0x3F)<<1) | (KeyIn[6]>>7);
     KeyOut[7] = KeyIn[6] & 0x7F;
     // Shift every byte left by one (viewed as two little-endian DWORDs)
     // and clear the low bit of each byte.
     ((DWORD*)KeyOut)[0] <<= 1;
     ((DWORD*)KeyOut)[1] <<= 1;
     ((DWORD*)KeyOut)[0] &= 0xfefefefe;
     ((DWORD*)KeyOut)[1] &= 0xfefefefe;

Assume bytes(s, e, l) returns bytes s through e (inclusive) of the byte array l, and that concat(a1, a2) returns a byte array containing the bytes of array a1 followed by the bytes of array a2.

LMDESECB(Input, Sk, Output)
     SET k1 to bytes(0, 7, Sk)
     CALL InitLMKey(k1, k3)
     SET k2 to bytes(8, 15, Sk)
     CALL InitLMKey(k2, k4)
     SET i1 to bytes(0, 7, Input)
     SET i2 to bytes(8, 15, Input)
     CALL DES_ECB(i1, k3, &output1)
     CALL DES_ECB(i2, k4, &output2)
     SET Output to concat(output1, output2)

<130> Section 3.4.5.3.2: For all versions of Windows except Windows NT 3.1, encrypt using the negotiated encryption algorithm and the session key.

For Windows NT 3.1, encrypt as follows.

InitLMKey(KeyIn, KeyOut)
     // Spread the 56 key bits in KeyIn[0..6] over 8 bytes; bit 0 of each
     // output byte is left clear for the DES parity position.
     KeyOut[0] = KeyIn[0] >> 0x01;
     KeyOut[1] = ((KeyIn[0]&0x01)<<6) | (KeyIn[1]>>2);
     KeyOut[2] = ((KeyIn[1]&0x03)<<5) | (KeyIn[2]>>3);
     KeyOut[3] = ((KeyIn[2]&0x07)<<4) | (KeyIn[3]>>4);
     KeyOut[4] = ((KeyIn[3]&0x0F)<<3) | (KeyIn[4]>>5);
     KeyOut[5] = ((KeyIn[4]&0x1F)<<2) | (KeyIn[5]>>6);
     KeyOut[6] = ((KeyIn[5]&0x3F)<<1) | (KeyIn[6]>>7);
     KeyOut[7] = KeyIn[6] & 0x7F;
     // Shift every byte left by one (viewed as two little-endian DWORDs)
     // and clear the low bit of each byte.
     ((DWORD*)KeyOut)[0] <<= 1;
     ((DWORD*)KeyOut)[1] <<= 1;
     ((DWORD*)KeyOut)[0] &= 0xfefefefe;
     ((DWORD*)KeyOut)[1] &= 0xfefefefe;

Assume bytes(s, e, l) returns bytes s through e (inclusive) of the byte array l, and that concat(a1, a2) returns a byte array containing the bytes of array a1 followed by the bytes of array a2.

LMDESECB(Input, Sk, Output)
     SET k1 to bytes(0, 7, Sk)
     CALL InitLMKey(k1, k3)
     SET k2 to bytes(8, 15, Sk)
     CALL InitLMKey(k2, k4)
     SET i1 to bytes(0, 7, Input)
     SET i2 to bytes(8, 15, Input)
     CALL DES_ECB(i1, k3, &output1)
     CALL DES_ECB(i2, k4, &output2)
     SET Output to concat(output1, output2)

<131> Section 3.4.5.3.2: Windows clients reestablish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<132> Section 3.4.5.3.4: For all versions of Windows except Windows NT 3.1, encrypt by using the negotiated encryption algorithm and the session key.

For Windows NT 3.1, encrypt as follows.

InitLMKey(KeyIn, KeyOut)
     // Spread the 56 key bits in KeyIn[0..6] over 8 bytes; bit 0 of each
     // output byte is left clear for the DES parity position.
     KeyOut[0] = KeyIn[0] >> 0x01;
     KeyOut[1] = ((KeyIn[0]&0x01)<<6) | (KeyIn[1]>>2);
     KeyOut[2] = ((KeyIn[1]&0x03)<<5) | (KeyIn[2]>>3);
     KeyOut[3] = ((KeyIn[2]&0x07)<<4) | (KeyIn[3]>>4);
     KeyOut[4] = ((KeyIn[3]&0x0F)<<3) | (KeyIn[4]>>5);
     KeyOut[5] = ((KeyIn[4]&0x1F)<<2) | (KeyIn[5]>>6);
     KeyOut[6] = ((KeyIn[5]&0x3F)<<1) | (KeyIn[6]>>7);
     KeyOut[7] = KeyIn[6] & 0x7F;
     // Shift every byte left by one (viewed as two little-endian DWORDs)
     // and clear the low bit of each byte.
     ((DWORD*)KeyOut)[0] <<= 1;
     ((DWORD*)KeyOut)[1] <<= 1;
     ((DWORD*)KeyOut)[0] &= 0xfefefefe;
     ((DWORD*)KeyOut)[1] &= 0xfefefefe;

Assume bytes(s, e, l) returns bytes s through e (inclusive) of the byte array l, and that concat(a1, a2) returns a byte array containing the bytes of array a1 followed by the bytes of array a2.

LMDESECB(Input, Sk, Output)
     SET k1 to bytes(0, 7, Sk)
     CALL InitLMKey(k1, k3)
     SET k2 to bytes(8, 15, Sk)
     CALL InitLMKey(k2, k4)
     SET i1 to bytes(0, 7, Input)
     SET i2 to bytes(8, 15, Input)
     CALL DES_ECB(i1, k3, &output1)
     CALL DES_ECB(i2, k4, &output2)
     SET Output to concat(output1, output2)

<133> Section 3.4.5.3.4: For all versions of Windows except Windows NT 3.1, encrypt by using the negotiated encryption algorithm and the session key.

For Windows NT 3.1, encrypt as follows.

InitLMKey(KeyIn, KeyOut)
     // Spread the 56 key bits in KeyIn[0..6] over 8 bytes; bit 0 of each
     // output byte is left clear for the DES parity position.
     KeyOut[0] = KeyIn[0] >> 0x01;
     KeyOut[1] = ((KeyIn[0]&0x01)<<6) | (KeyIn[1]>>2);
     KeyOut[2] = ((KeyIn[1]&0x03)<<5) | (KeyIn[2]>>3);
     KeyOut[3] = ((KeyIn[2]&0x07)<<4) | (KeyIn[3]>>4);
     KeyOut[4] = ((KeyIn[3]&0x0F)<<3) | (KeyIn[4]>>5);
     KeyOut[5] = ((KeyIn[4]&0x1F)<<2) | (KeyIn[5]>>6);
     KeyOut[6] = ((KeyIn[5]&0x3F)<<1) | (KeyIn[6]>>7);
     KeyOut[7] = KeyIn[6] & 0x7F;
     // Shift every byte left by one (viewed as two little-endian DWORDs)
     // and clear the low bit of each byte.
     ((DWORD*)KeyOut)[0] <<= 1;
     ((DWORD*)KeyOut)[1] <<= 1;
     ((DWORD*)KeyOut)[0] &= 0xfefefefe;
     ((DWORD*)KeyOut)[1] &= 0xfefefefe;

Assume bytes(s, e, l) returns bytes s through e (inclusive) of the byte array l, and that concat(a1, a2) returns a byte array containing the bytes of array a1 followed by the bytes of array a2.

LMDESECB(Input, Sk, Output)
     SET k1 to bytes(0, 7, Sk)
     CALL InitLMKey(k1, k3)
     SET k2 to bytes(8, 15, Sk)
     CALL InitLMKey(k2, k4)
     SET i1 to bytes(0, 7, Input)
     SET i2 to bytes(8, 15, Input)
     CALL DES_ECB(i1, k3, &output1)
     CALL DES_ECB(i2, k4, &output2)
     SET Output to concat(output1, output2)

<134> Section 3.4.5.3.4: For all versions of Windows except Windows NT 3.1, encrypt using the negotiated encryption algorithm and the session key.

For Windows NT 3.1, encrypt as follows.

InitLMKey(KeyIn, KeyOut)
     // Spread the 56 key bits in KeyIn[0..6] over 8 bytes; bit 0 of each
     // output byte is left clear for the DES parity position.
     KeyOut[0] = KeyIn[0] >> 0x01;
     KeyOut[1] = ((KeyIn[0]&0x01)<<6) | (KeyIn[1]>>2);
     KeyOut[2] = ((KeyIn[1]&0x03)<<5) | (KeyIn[2]>>3);
     KeyOut[3] = ((KeyIn[2]&0x07)<<4) | (KeyIn[3]>>4);
     KeyOut[4] = ((KeyIn[3]&0x0F)<<3) | (KeyIn[4]>>5);
     KeyOut[5] = ((KeyIn[4]&0x1F)<<2) | (KeyIn[5]>>6);
     KeyOut[6] = ((KeyIn[5]&0x3F)<<1) | (KeyIn[6]>>7);
     KeyOut[7] = KeyIn[6] & 0x7F;
     // Shift every byte left by one (viewed as two little-endian DWORDs)
     // and clear the low bit of each byte.
     ((DWORD*)KeyOut)[0] <<= 1;
     ((DWORD*)KeyOut)[1] <<= 1;
     ((DWORD*)KeyOut)[0] &= 0xfefefefe;
     ((DWORD*)KeyOut)[1] &= 0xfefefefe;

Assume bytes(s, e, l) returns bytes s through e (inclusive) of the byte array l, and that concat(a1, a2) returns a byte array containing the bytes of array a1 followed by the bytes of array a2.

LMDESECB(Input, Sk, Output)
     SET k1 to bytes(0, 7, Sk)
     CALL InitLMKey(k1, k3)
     SET k2 to bytes(8, 15, Sk)
     CALL InitLMKey(k2, k4)
     SET i1 to bytes(0, 7, Input)
     SET i2 to bytes(8, 15, Input)
     CALL DES_ECB(i1, k3, &output1)
     CALL DES_ECB(i2, k4, &output2)
     SET Output to concat(output1, output2)
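The Windows NT 3.1 encryption path that footnotes <128> through <134> describe, as an added Go example that is not part of the specification or of any Windows component: InitLMKey and LMDESECB implemented over the standard-library crypto/des, plus a decrypt helper (LMDESECBDecrypt, added here) to show that the step is a plain two-block DES permutation with no chaining between the halves. The session key and input block are constructed values; the first 7 key bytes are chosen so that InitLMKey expands them to a well-known DES test key.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// InitLMKey follows the footnote's pseudocode: the 56 key bits held in
// keyIn[0..6] are spread across eight bytes so that bit 0 of every byte
// (the DES parity position) ends up clear. The original shifts two
// DWORDs and masks with 0xfefefefe; a per-byte shift is equivalent because
// every byte is at most 0x7F before the shift, so no bit crosses a byte
// boundary and the mask never clears anything.
func InitLMKey(keyIn []byte) [8]byte {
	var keyOut [8]byte
	keyOut[0] = keyIn[0] >> 1
	keyOut[1] = ((keyIn[0] & 0x01) << 6) | (keyIn[1] >> 2)
	keyOut[2] = ((keyIn[1] & 0x03) << 5) | (keyIn[2] >> 3)
	keyOut[3] = ((keyIn[2] & 0x07) << 4) | (keyIn[3] >> 4)
	keyOut[4] = ((keyIn[3] & 0x0F) << 3) | (keyIn[4] >> 5)
	keyOut[5] = ((keyIn[4] & 0x1F) << 2) | (keyIn[5] >> 6)
	keyOut[6] = ((keyIn[5] & 0x3F) << 1) | (keyIn[6] >> 7)
	keyOut[7] = keyIn[6] & 0x7F
	for i := range keyOut {
		keyOut[i] <<= 1
	}
	return keyOut
}

// lmDESECB applies the footnote's LMDESECB in either direction. sk is the
// 16-byte session key and in the 16-byte block. Each 8-byte half of sk is
// expanded with InitLMKey (its eighth byte is unused, matching
// bytes(0, 7, Sk)) and drives single DES in ECB mode over the matching
// 8-byte half of the input. The halves are fully independent.
func lmDESECB(in, sk []byte, decrypt bool) ([]byte, error) {
	if len(in) != 16 || len(sk) != 16 {
		return nil, fmt.Errorf("lmDESECB: need 16-byte input and key, got %d and %d", len(in), len(sk))
	}
	out := make([]byte, 16)
	for h := 0; h < 2; h++ {
		k := InitLMKey(sk[h*8 : h*8+8])
		block, err := des.NewCipher(k[:]) // Go's DES ignores the parity bits
		if err != nil {
			return nil, err
		}
		if decrypt {
			block.Decrypt(out[h*8:h*8+8], in[h*8:h*8+8])
		} else {
			block.Encrypt(out[h*8:h*8+8], in[h*8:h*8+8])
		}
	}
	return out, nil
}

// LMDESECB is the encryption step from the footnote.
func LMDESECB(input, sk []byte) ([]byte, error) { return lmDESECB(input, sk, false) }

// LMDESECBDecrypt (added here, not in the specification) reverses LMDESECB
// with the same key schedule.
func LMDESECBDecrypt(output, sk []byte) ([]byte, error) { return lmDESECB(output, sk, true) }

func main() {
	// Constructed session key: the first 7 bytes expand under InitLMKey to
	// the DES key 12 34 56 78 9A BC DE F0; the second half is all zero.
	sk := []byte{0x12, 0x69, 0x5B, 0xC9, 0xB7, 0xB7, 0xF8, 0x00,
		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
	// Constructed 16-byte input: a classic DES test block followed by zeros.
	input := []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}

	k := InitLMKey(sk[:8])
	fmt.Printf("expanded key 1: %s\n", hex.EncodeToString(k[:]))
	out, err := LMDESECB(input, sk)
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted:      %s\n", hex.EncodeToString(out))
	back, err := LMDESECBDecrypt(out, sk)
	if err != nil {
		panic(err)
	}
	fmt.Printf("round trip ok:  %v\n", hex.EncodeToString(back) == hex.EncodeToString(input))
}
```

Because the two halves never interact, equal input halves under equal key halves always yield equal output halves, which is the property that distinguishes this legacy path from the negotiated session-key encryption used by every later Windows version.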

<135> Section 3.4.5.3.4: Windows clients reestablish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<136> Section 3.4.5.3.5: Windows clients reestablish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<137> Section 3.4.5.4.1: On receiving the STATUS_MORE_ENTRIES status code, the client continues calling this routine in a loop updating DomainModifiedCount until all missing database entries are received. On receiving the STATUS_SUCCESS status code, the client terminates the loop. The client terminates the loop without receiving all entries upon receiving a system shutdown notification.

<138> Section 3.4.5.4.1: Windows clients reestablish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<139> Section 3.4.5.4.2: Windows clients call this method in a loop until all database records are received.

<140> Section 3.4.5.4.2: On receiving the STATUS_MORE_ENTRIES status code, Windows clients continue calling this routine in a loop until all missing database entries are received. The client terminates the loop on a computer shutdown notification.

<141> Section 3.4.5.4.2: Windows clients re-establish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<142> Section 3.4.5.4.4: Windows clients reestablish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<143> Section 3.4.5.5.4: Windows clients reestablish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<144> Section 3.4.5.5.6: Windows clients reestablish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<145> Section 3.4.5.6.4: Windows clients reestablish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<146> Section 3.4.6.1: All versions of Windows use 4096. Other implementations can use any value.

<147> Section 3.5.1: In Windows implementations, the default DynamicSiteNameTimeout value is 5 minutes, and the allowed range is 0 minutes to 49 days.

<148> Section 3.5.1: Supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<149> Section 3.5.1: This value is configured as described in [MS-DISO].

<150> Section 3.5.1: The ADM element does not exist in Windows NT.

<151> Section 3.5.1: DCRPCPort is supported in Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.

<152> Section 3.5.3: The named pipe LSASS is also known by the alias NETLOGON. The client can use this alias to establish an RPC over named pipes connection. The Netlogon security package functionality was added in Windows 2000 and is present in Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

<153> Section 3.5.3: The named pipe LSASS is also known by the alias NETLOGON. The client can use this alias to establish an RPC-over-named pipes connection. The Netlogon security package functionality was added in Windows 2000.

<154> Section 3.5.3: Windows NT 4.0 initializes this value to FALSE.

<155> Section 3.5.3:

In Windows implementations, this can be configured using the following registry path:

  • Registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters

  • RegistryValueName: AllowSingleLabelDNSDomain

  • RegistryType: DWORD

  • Acceptable values: 0 = Disabled, 1 = Enabled

  • Default value if not explicitly configured: 0.

<156> Section 3.5.3: Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 always consider AllowDnsSuffixSearch to be FALSE.

<157> Section 3.5.3: Windows uses the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters registry path and SiteName value.

<158> Section 3.5.3:

In Windows implementations, this can be configured using the following registry path:

  • Registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters

  • RegistryValueName: NegativeCachePeriod

  • RegistryType: DWORD

  • AllowedRange: 0 - 604800 (7 days)

  • Default value if not explicitly configured: 45 seconds

<159> Section 3.5.3: In Windows implementations, the value is 12 hours, unless changed by an administrator.

<160> Section 3.5.3: In Windows implementations, the value is 30 minutes, unless changed by an administrator.

<161> Section 3.5.3: In Windows NT, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista, RejectDES is always FALSE.

<162> Section 3.5.4: NetrLogonSamLogon is available starting with Windows NT Server 3.1.

<163> Section 3.5.4: NetrLogonSamLogoff is available starting with Windows NT Server 3.1.

<164> Section 3.5.4: NetrServerReqChallenge is available starting with Windows NT Server 3.1.

<165> Section 3.5.4: NetrServerAuthenticate is available starting with Windows NT Server 3.1.

<166> Section 3.5.4: NetrServerPasswordSet is available starting with Windows NT Server 3.1.

<167> Section 3.5.4: NetrDatabaseDeltas is available starting with Windows NT Server 3.1.

<168> Section 3.5.4: NetrDatabaseSync is available starting with Windows NT Server 3.1.

<169> Section 3.5.4: NetrAccountDeltas was introduced in LAN Manager.

<170> Section 3.5.4: NetrAccountSync was introduced in LAN Manager.

<171> Section 3.5.4: NetrGetDCName is available starting with Windows NT Server 3.1.

<172> Section 3.5.4: NetrLogonControl is available starting with Windows NT Server 3.1.

<173> Section 3.5.4: NetrGetAnyDCName is available starting with Windows NT Server 3.1.

<174> Section 3.5.4: NetrLogonControl2 is available starting with Windows NT Server 3.1.

<175> Section 3.5.4: NetrServerAuthenticate2 is available starting with Windows NT Server 3.5.

<176> Section 3.5.4: NetrDatabaseSync2 is available starting with Windows NT Server 3.5, but is not available in Windows 7 or Windows Server 2008 R2.

<177> Section 3.5.4: NetrDatabaseRedo is available starting with Windows NT Server 3.5, but is not available in Windows 7 or Windows Server 2008 R2.

<178> Section 3.5.4: NetrLogonControl2Ex is available starting with Windows NT 4.0.

<179> Section 3.5.4: NetrEnumerateTrustedDomains is available starting with Windows NT 4.0.

<180> Section 3.5.4: DsrGetDcName is available in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<181> Section 3.5.4: NetrLogonGetCapabilities is not supported by Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, or Windows Server 2008 clients. In these Windows versions, a method named NetrLogonDummyRoutine1 is associated with RPC opnum 21, which has no protocol-specific relevance. See the behavior notes associated with section 3.5.4.4.10 for details.

<182> Section 3.5.4: NetrLogonSetServiceBits is available in Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003.

<183> Section 3.5.4: NetrLogonGetTrustRid is available in Windows 2000, Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<184> Section 3.5.4: NetrLogonComputeServerDigest is available in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<185> Section 3.5.4: NetrLogonComputeClientDigest is available in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<186> Section 3.5.4: NetrServerAuthenticate3 is available in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<187> Section 3.5.4: DsrGetDcNameEx is available in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<188> Section 3.5.4: DsrGetSiteName is available in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<189> Section 3.5.4: NetrLogonGetDomainInfo is available in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<190> Section 3.5.4: NetrServerPasswordSet2 is available in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<191> Section 3.5.4: NetrServerPasswordGet is available in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<192> Section 3.5.4: NetrLogonSendToSam is available in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<193> Section 3.5.4: DsrAddressToSiteNamesW is available in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<194> Section 3.5.4: DsrGetDcNameEx2 is available in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<195> Section 3.5.4: NetrLogonGetTimeServiceParentDomain is available in Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003.

<196> Section 3.5.4: NetrEnumerateTrustedDomainsEx is available in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<197> Section 3.5.4: DsrAddressToSiteNamesExW is available in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<198> Section 3.5.4: DsrGetDcSiteCoverageW is available in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<199> Section 3.5.4: NetrLogonSamLogonEx is available in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<200> Section 3.5.4: DsrEnumerateDomainTrusts is available in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<201> Section 3.5.4: DsrDeregisterDnsHostRecords is available in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<202> Section 3.5.4: NetrServerTrustPasswordsGet is available starting with Windows 2000 Server SP4.

<203> Section 3.5.4: DsrGetForestTrustInformation is available starting with Windows 2000 Server SP4.

<204> Section 3.5.4: NetrGetForestTrustInformation is available starting with Windows 2000 Server SP4.

<205> Section 3.5.4: NetrLogonSamLogonWithFlags is available starting with Windows 2000 Server SP4.

<206> Section 3.5.4: NetrServerGetTrustInfo is available starting with Windows 2000 Server SP4.

<207> Section 3.5.4: Gaps in the opnum numbering sequence apply to Windows as follows.

Opnum | Description
47 | Windows uses this method only locally, never remotely.

<208> Section 3.5.4.1: If the string is NULL, the server is considered to be the same as the client (that is, the local computer).

<209> Section 3.5.4.3.1: Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<210> Section 3.5.4.3.1: Added in Windows Server 2008.

<211> Section 3.5.4.3.1: Added in Windows Vista, and supported in Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<212> Section 3.5.4.3.1: Windows implements both the LDAP Ping ([MS-ADTS] section 6.3.3) and the Mailslot Ping ([MS-ADTS] section 6.3.5) methods and uses them to locate a DC ([MS-ADTS] section 6.3.6).

<213> Section 3.5.4.3.1: Windows 2000, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 DCs support directory service functions.

<214> Section 3.5.4.3.1: Windows 2000, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 DCs support directory service functions.

<215> Section 3.5.4.3.1:

A DC is writable when:

  • It is a Windows 2000, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, or Windows Server 2012 R2 DC, and it hosts a writable copy of the directory service.

  • It is a Windows NT DC, and it hosts a writable copy of SAM.

A Windows NT DC is writable only if it is a PDC. All Windows 2000, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 DCs are writable unless they are RODCs.

<216> Section 3.5.4.3.1: Added in Windows 7 and Windows Server 2008 R2.

<217> Section 3.5.4.3.1: If neither the R nor S flag is specified, Windows returns the type of name that matches the type of the DomainName parameter.

<218> Section 3.5.4.3.1:

In Windows, if neither the R nor the S flag is set in the Flags parameter, the behavior is as follows:

  • If only one of the DnsHostName or NetbiosComputerName fields is set in the message, the DomainControllerName field is set to that value.

  • Otherwise, if both the DnsHostName and NetbiosComputerName fields are set in the message:

    • If the DomainName parameter is equal to the DnsDomainName message field, the DomainControllerName field is set to the value of the DnsHostName message field.

    • If the DomainName parameter is equal to the NetbiosDomainName message field, the DomainControllerName field is set to the value of the NetbiosComputerName message field.

    • If the DomainName parameter is NULL:

      • If the DC responded to the LDAP message, the DomainControllerName field is set to the value of the DnsHostName message field.

      • If the DC responded to the mailslot message, the DomainControllerName field is set to the value of the NetbiosComputerName message field.

<219> Section 3.5.4.3.1:

In Windows, if neither the R nor the S flag is set in the Flags parameter, the behavior is as follows:

  • If only one of the DnsDomainName or NetbiosDomainName fields is set in the message, the DomainName field is set to that value.

  • Otherwise, if both the DnsDomainName and NetbiosDomainName fields are set in the message:

    • If the DomainName parameter of the DsrGetDcNameEx2 call is equal to the DnsDomainName message field, the DomainName field is set to the value of the DnsDomainName message field.

    • If the DomainName parameter of the DsrGetDcNameEx2 call is equal to the NetbiosDomainName message field, the DomainName field is set to the value of the NetbiosDomainName message field.

    • If the DomainName parameter of the DsrGetDcNameEx2 call is NULL:

      • If the DC responded to the LDAP message, the DomainName field is set to the value of the DnsDomainName message field.

      • If the DC responded to the mailslot message, the DomainName field is set to the value of the NetbiosDomainName message field.

<220> Section 3.5.4.3.2: Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<221> Section 3.5.4.3.3: Supported in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<222> Section 3.5.4.3.4: This method was used in Windows NT Server 3.1 and is supported in Windows NT Server 3.1 versions. It was superseded by the DsrGetDcNameEx2 method (section 3.5.4.3.1) as of Windows 2000.

<223> Section 3.5.4.3.4:

Return Value/Code | Description
0x00000035 ERROR_BAD_NETPATH | The network path was not found.

<224> Section 3.5.4.3.4: Windows implements both the LDAP ping-based method ([MS-ADTS] section 6.3.3) and the mailslot message-based method ([MS-ADTS] section 6.3.5), and uses those two methods to locate a DC ([MS-ADTS] section 6.3.6).

<225> Section 3.5.4.3.5: This method was introduced in Windows NT Server 3.1 and is supported in Windows NT Server 3.1 versions. It was superseded by the DsrGetDcNameEx2 method (section 3.5.4.3.1) in Windows 2000.

<226> Section 3.5.4.3.5:

Return Value/Code | Description
0x00000712 ERROR_DOMAIN_TRUST_INCONSISTENT | The name or security ID (SID) of the domain specified is inconsistent with the trust information for that domain.

<227> Section 3.5.4.3.5: Windows implements both the LDAP ping-based method ([MS-ADTS] section 6.3.3) and the mailslot ping method ([MS-ADTS] section 6.3.5), and uses those two methods to locate a DC ([MS-ADTS] section 6.3.6).

<228> Section 3.5.4.3.6: Supported in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<229> Section 3.5.4.3.6:

Return Value/Code | Description
0x0000077F ERROR_NO_SITENAME | No site name is available for this machine.

<230> Section 3.5.4.3.6: Windows implements both the LDAP Ping method ([MS-ADTS] section 6.3.3) and the Mailslot Ping method ([MS-ADTS] section 6.3.5), and uses those two methods to locate a DC ([MS-ADTS] section 6.3.6).

<231> Section 3.5.4.3.7: Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<232> Section 3.5.4.3.8: Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<233> Section 3.5.4.3.8:

Return Value/Code | Description
0x00000008 ERROR_NOT_ENOUGH_MEMORY | Not enough storage is available to process this command.
0x00000057 ERROR_INVALID_PARAMETER | One of the parameters is invalid. This error value is returned if the value of EntryCount passed to DsrAddressToSiteNamesW is zero.

<234> Section 3.5.4.3.9: Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<235> Section 3.5.4.3.9: To avoid large memory allocations, the number of 32,000 was chosen as a reasonable limit for the maximum number of socket addresses that this method accepts.

<236> Section 3.5.4.3.9:

Return Value/Code | Description
0x00000008 ERROR_NOT_ENOUGH_MEMORY | Not enough storage is available to process this command.
0x00000057 ERROR_INVALID_PARAMETER | One of the parameters is invalid. This error value is returned if the value of EntryCount passed to DsrAddressToSiteNamesExW is zero.

<237> Section 3.5.4.3.10: Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<238> Section 3.5.4.3.10:

Return Value/Code | Description
0x00000032 ERROR_NOT_SUPPORTED | The request is not supported. This error value is returned when DsrDeregisterDnsHostRecords is called on a machine that is not a DC.

<239> Section 3.5.4.3.11: The normal (writable) DC cannot be a Windows 2000 Server or a Windows Server 2003 DC.

<240> Section 3.5.4.4.2: Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<241> Section 3.5.4.4.2: In Windows, all machine account names are the name of the machine with a "$" (dollar sign) appended.

<242> Section 3.5.4.4.2: For Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2, if the value is 5 (UasServerSecureChannel), the server always returns an access-denied error because this functionality is no longer supported. Windows NT 4.0 has configuration parameter options allowing UAS compatibility mode, and if this mode is enabled, the error is not returned and further processing occurs. Otherwise, it returns an access-denied error.

<243> Section 3.5.4.4.2: Supported only in Windows Server 2008 R2.

<244> Section 3.5.4.4.3: This method was used in Windows NT 3.5 and Windows NT 4.0. In Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2, it was superseded by the NetrServerAuthenticate3 method (section 3.5.4.4.2).

<245> Section 3.5.4.4.4: This method was used in Windows NT Server 3.1. In Windows NT Server 3.5, it was superseded by the NetrServerAuthenticate2 method (section 3.5.4.4.3). In Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2, the NetrServerAuthenticate2 method (section 3.5.4.4.3) was superseded by the NetrServerAuthenticate3 method (section 3.5.4.4.2).

<246> Section 3.5.4.4.5: Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<247> Section 3.5.4.4.5: A domain member uses this function to periodically change its machine account password. A PDC uses this function to periodically change the trust password for all directly trusted domains. By default, the period is 30 days in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<248> Section 3.5.4.4.5: In Windows, all machine account names are the name of the machine with a "$" (dollar sign) appended.

<249> Section 3.5.4.4.6: In Windows, all machine account names are the name of the machine with a "$" (dollar sign) appended.

<250> Section 3.5.4.4.7: Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<251> Section 3.5.4.4.7: For machine accounts, the account name is the machine name appended with a "$" character.

<252> Section 3.5.4.4.8: Supported in Windows 2000 Server SP4, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<253> Section 3.5.4.4.8: In Windows, all machine account names are the name of the machine with a "$" (dollar sign) appended.

<254> Section 3.5.4.4.9: Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<255> Section 3.5.4.4.9: Not supported in Windows NT, Windows 2000, Windows Server 2003, and Windows Server 2008.

<256> Section 3.5.4.4.9: All versions of Windows use 4096. Other implementations can use any value.

<257> Section 3.5.4.4.9: For Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2, NETLOGON_ONE_DOMAIN_INFO.TrustExtension MaximumLength and Length are set to the size 0x10, and Buffer points to a buffer containing the following fields of a DS_DOMAIN_TRUSTSW structure: Flags, ParentIndex, TrustType, TrustAttributes.

<258> Section 3.5.4.4.9: If both WkstaBuffer.WorkstationInfo.OsVersion and WkstaBuffer.WorkstationInfo.OsName are unspecified, Windows 2000, Windows XP, and Windows Server 2003 use the generic string "Windows 2000" to update the operatingSystem attribute. If only WkstaBuffer.WorkstationInfo.OsName is unspecified, Windows 2000, Windows XP, and Windows Server 2003 use the generic string "Windows 2000 Professional" when WkstaBuffer.WorkstationInfo.OsVersion.wProductType is VER_NT_WORKSTATION, and otherwise use the string "Windows 2000 Server" to update the operatingSystem attribute.

<259> Section 3.5.4.4.10: NetrLogonGetCapabilities is supported by Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

In Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008, RPC opnum 21 is associated with the following RPC method, which does not perform any protocol-relevant function:

NTSTATUS NetrLogonDummyRoutine1(
  [in, string] LOGONSRV_HANDLE ServerName,
  [in, string, unique] wchar_t* ComputerName,
  [in] PNETLOGON_AUTHENTICATOR Authenticator,
  [in, out] PNETLOGON_AUTHENTICATOR ReturnAuthenticator,
  [in] DWORD QueryLevel,
  [out, switch_is(QueryLevel)] PNETLOGON_DUMMY1 Buffer
);

The return type and parameters for NetrLogonDummyRoutine1 take on the same data representation as those for NetrLogonGetCapabilities.

<260> Section 3.5.4.4.10: The ServerCapabilities field is not supported by Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, or Windows Server 2008. These operating systems supported a dummy buffer field:

[out, switch_is(QueryLevel)] PNETLOGON_DUMMY1 Buffer

Buffer: A pointer to a byte buffer.

<261> Section 3.5.4.4.10: Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 do no processing for this call, and always return 0xC0000002 (STATUS_NOT_IMPLEMENTED).

<262> Section 3.5.4.4.11: First supported in Windows Server 2008.

<263> Section 3.5.4.4.11: The normal (writable) DC cannot be a Windows 2000 Server or a Windows Server 2003 DC.

<264> Section 3.5.4.4.11: The normal (writable) DC cannot be a Windows 2000 Server or a Windows Server 2003 DC.

<265> Section 3.5.4.4.11: STATUS_ACCESS_DENIED is returned if the read-only domain controller, ChainedFromServerName, does not have permission to replicate the secrets for the client's computer account identified by ChainedForClientName.

<266> Section 3.5.4.5.1: Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<267> Section 3.5.4.5.1: Windows uses the value 0x01 as the representation of TRUE and 0x00 for FALSE.

<268> Section 3.5.4.5.1: Added in Windows Server 2008, and supported in Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.

<269> Section 3.5.4.5.1: Added in Windows Server 2008, and supported in Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.

<270> Section 3.5.4.5.1: For all versions of Windows except Windows NT 3.1, decrypt by using the negotiated decryption algorithm and the session key.

For Windows NT 3.1, decrypt as follows.

InitLMKey(KeyIn, KeyOut)
     KeyOut[0] = KeyIn[0] >> 0x01;
     KeyOut[1] = ((KeyIn[0]&0x01)<<6) | (KeyIn[1]>>2);
     KeyOut[2] = ((KeyIn[1]&0x03)<<5) | (KeyIn[2]>>3);
     KeyOut[3] = ((KeyIn[2]&0x07)<<4) | (KeyIn[3]>>4);
     KeyOut[4] = ((KeyIn[3]&0x0F)<<3) | (KeyIn[4]>>5);
     KeyOut[5] = ((KeyIn[4]&0x1F)<<2) | (KeyIn[5]>>6);
     KeyOut[6] = ((KeyIn[5]&0x3F)<<1) | (KeyIn[6]>>7);
     KeyOut[7] = KeyIn[6] & 0x7F;
     ((DWORD*)KeyOut)[0] <<= 1;
     ((DWORD*)KeyOut)[1] <<= 1;
     ((DWORD*)KeyOut)[0] &= 0xfefefefe;
     ((DWORD*)KeyOut)[1] &= 0xfefefefe;

Assume bytes(s, e, l) returns bytes from s to e of the byte array l. Assume concat(a1, a2) returns a byte array containing the bytes of array a1 followed by the bytes of array a2.

LMDESECB(Input, Sk, Output)
     SET k1 to bytes(0, 7, Sk)
     CALL InitLMKey(k1, k3)
     SET k2 to bytes(8, 15, Sk)
     CALL InitLMKey(k2, k4)
     SET i1 to bytes(0, 7, Input)
     SET i2 to bytes(8, 15, Input)
     CALL DES_ECB(i1, k3, &output1)
     CALL DES_ECB(i2, k4, &output2)
     SET Output to concat(output1, output2)

<271> Section 3.5.4.5.1: For all versions of Windows except Windows NT 3.1, decrypt by using the negotiated decryption algorithm and the session key.

For Windows NT 3.1, decrypt as follows.

InitLMKey(KeyIn, KeyOut)
     KeyOut[0] = KeyIn[0] >> 0x01;
     KeyOut[1] = ((KeyIn[0]&0x01)<<6) | (KeyIn[1]>>2);
     KeyOut[2] = ((KeyIn[1]&0x03)<<5) | (KeyIn[2]>>3);
     KeyOut[3] = ((KeyIn[2]&0x07)<<4) | (KeyIn[3]>>4);
     KeyOut[4] = ((KeyIn[3]&0x0F)<<3) | (KeyIn[4]>>5);
     KeyOut[5] = ((KeyIn[4]&0x1F)<<2) | (KeyIn[5]>>6);
     KeyOut[6] = ((KeyIn[5]&0x3F)<<1) | (KeyIn[6]>>7);
     KeyOut[7] = KeyIn[6] & 0x7F;
     ((DWORD*)KeyOut)[0] <<= 1;
     ((DWORD*)KeyOut)[1] <<= 1;
     ((DWORD*)KeyOut)[0] &= 0xfefefefe;
     ((DWORD*)KeyOut)[1] &= 0xfefefefe;

Assume bytes(s, e, l) returns bytes from s to e of the byte array l. Assume concat(a1, a2) returns a byte array containing the bytes of array a1 followed by the bytes of array a2.

LMDESECB(Input, Sk, Output)
     SET k1 to bytes(0, 7, Sk)
     CALL InitLMKey(k1, k3)
     SET k2 to bytes(8, 15, Sk)
     CALL InitLMKey(k2, k4)
     SET i1 to bytes(0, 7, Input)
     SET i2 to bytes(8, 15, Input)
     CALL DES_ECB(i1, k3, &output1)
     CALL DES_ECB(i2, k4, &output2)
     SET Output to concat(output1, output2)

<272> Section 3.5.4.5.1: For all versions of Windows except Windows NT 3.1, decrypt by using the negotiated decryption algorithm and the session key.

For Windows NT 3.1, decrypt as follows.

InitLMKey(KeyIn, KeyOut)
     KeyOut[0] = KeyIn[0] >> 0x01;
     KeyOut[1] = ((KeyIn[0]&0x01)<<6) | (KeyIn[1]>>2);
     KeyOut[2] = ((KeyIn[1]&0x03)<<5) | (KeyIn[2]>>3);
     KeyOut[3] = ((KeyIn[2]&0x07)<<4) | (KeyIn[3]>>4);
     KeyOut[4] = ((KeyIn[3]&0x0F)<<3) | (KeyIn[4]>>5);
     KeyOut[5] = ((KeyIn[4]&0x1F)<<2) | (KeyIn[5]>>6);
     KeyOut[6] = ((KeyIn[5]&0x3F)<<1) | (KeyIn[6]>>7);
     KeyOut[7] = KeyIn[6] & 0x7F;
     ((DWORD*)KeyOut)[0] <<= 1;
     ((DWORD*)KeyOut)[1] <<= 1;
     ((DWORD*)KeyOut)[0] &= 0xfefefefe;
     ((DWORD*)KeyOut)[1] &= 0xfefefefe;

Assume bytes(s, e, l) returns bytes from s to e of the byte array l. Assume concat(a1, a2) returns a byte array containing the bytes of array a1 followed by the bytes of array a2.

LMDESECB(Input, Sk, Output)
     SET k1 to bytes(0, 7, Sk)
     CALL InitLMKey(k1, k3)
     SET k2 to bytes(8, 15, Sk)
     CALL InitLMKey(k2, k4)
     SET i1 to bytes(0, 7, Input)
     SET i2 to bytes(8, 15, Input)
     CALL DES_ECB(i1, k3, &output1)
     CALL DES_ECB(i2, k4, &output2)
     SET Output to concat(output1, output2)
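The InitLMKey and LMDESECB pseudocode shared by footnotes <270>, <271>, and <272> (and the fragment at the top of this section), written out as an added Go example that is not part of the specification. It uses Go's standard crypto/des; the pseudocode names the primitive only as DES_ECB, so the DES direction is a parameter here (an assumption), and the sample session key and input are constructed values.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// initLMKey is the InitLMKey routine from the footnote: the first 7 bytes of
// keyIn (56 key bits) are spread over 8 output bytes so that each byte carries
// 7 key bits in bits 7..1 and a 0 in bit 0, the DES parity position. The two
// "((DWORD*)KeyOut)[i] <<= 1" steps assume little-endian DWORDs; because every
// intermediate byte is below 0x80, no bit ever crosses a byte boundary, so the
// shift is applied byte by byte here with the same result.
func initLMKey(keyIn []byte) ([8]byte, error) {
	var out [8]byte
	if len(keyIn) < 7 {
		return out, fmt.Errorf("initLMKey: need at least 7 key bytes, got %d", len(keyIn))
	}
	out[0] = keyIn[0] >> 1
	out[1] = ((keyIn[0] & 0x01) << 6) | (keyIn[1] >> 2)
	out[2] = ((keyIn[1] & 0x03) << 5) | (keyIn[2] >> 3)
	out[3] = ((keyIn[2] & 0x07) << 4) | (keyIn[3] >> 4)
	out[4] = ((keyIn[3] & 0x0F) << 3) | (keyIn[4] >> 5)
	out[5] = ((keyIn[4] & 0x1F) << 2) | (keyIn[5] >> 6)
	out[6] = ((keyIn[5] & 0x3F) << 1) | (keyIn[6] >> 7)
	out[7] = keyIn[6] & 0x7F
	for i := range out {
		out[i] = (out[i] << 1) & 0xFE // the "<<= 1" and "&= 0xfefefefe" steps
	}
	return out, nil
}

// lmDESECB is the LMDESECB routine: the 16-byte input is split into two 8-byte
// blocks, and each block goes through single DES in ECB mode under a key derived
// from the matching 8-byte half of the 16-byte session key sk. The footnote's
// pseudocode names the primitive only as DES_ECB; decrypt selects the direction
// (assumption), so the same function models the peer that encrypted the field
// (decrypt=false) and the decrypting side described by the footnote (decrypt=true).
func lmDESECB(input, sk []byte, decrypt bool) ([]byte, error) {
	if len(input) != 16 || len(sk) != 16 {
		return nil, fmt.Errorf("lmDESECB: input and session key must both be 16 bytes")
	}
	out := make([]byte, 16)
	for half := 0; half < 2; half++ {
		lo, hi := half*8, half*8+8
		// bytes(0, 7, Sk) and bytes(8, 15, Sk) are 8 bytes each, but InitLMKey
		// reads only KeyIn[0..6]: Sk[7] and Sk[15] never influence the DES keys.
		k, err := initLMKey(sk[lo:hi])
		if err != nil {
			return nil, err
		}
		block, err := des.NewCipher(k[:]) // Go's DES ignores the parity bits
		if err != nil {
			return nil, err
		}
		if decrypt {
			block.Decrypt(out[lo:hi], input[lo:hi])
		} else {
			block.Encrypt(out[lo:hi], input[lo:hi])
		}
	}
	return out, nil
}

func main() {
	// Constructed sample values, not taken from any real exchange.
	sk, _ := hex.DecodeString("0123456789abcdef0123456789abcdef")
	plain, _ := hex.DecodeString("00112233445566778899aabbccddeeff")
	enc, err := lmDESECB(plain, sk, false)
	if err != nil {
		panic(err)
	}
	dec, err := lmDESECB(enc, sk, true)
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted: %x\ndecrypted: %x\n", enc, dec)
}
```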

<273> Section 3.5.4.5.1: Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 support verifying whether a correct combination of LogonLevel and ValidationLevel is supplied. The data is opaque to Netlogon and MUST be passed unexamined to the package specified by the PackageName field of the NETLOGON_GENERIC_INFO structure. For more information, see section 3.2.4.1.

<274> Section 3.5.4.5.1: Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 support verifying whether a correct combination of LogonLevel and ValidationLevel is supplied.

<275> Section 3.5.4.5.2: Supported in Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<276> Section 3.5.4.5.2: Windows uses the value of 0x01 as the representation of TRUE and 0x00 for FALSE.

<277> Section 3.5.4.5.2: Added in Windows Vista and supported in Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<278> Section 3.5.4.5.2: Added in Windows Vista and supported in Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<279> Section 3.5.4.5.3: This method was used in Windows NT 4.0. It was superseded by the NetrLogonSamLogonWithFlags method (section 3.5.4.5.2) in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<280> Section 3.5.4.5.4: Windows NT servers support logoff updates.

<281> Section 3.5.4.6.1: The server stops including elements in the returned DeltaArray after the size of the returned data equals or exceeds the value of the PreferredMaximumLength parameter.

<282> Section 3.5.4.6.1: The server limits the number of records to approximately 1,000 records per call.

<283> Section 3.5.4.6.1: The server maintains and updates a state that indicates the client progress in the synchronization protocol, as described in section 3.6.

<284> Section 3.5.4.6.2: Windows stops including elements in the returned DeltaArray once the size of the returned data equals or exceeds the value of the PreferredMaximumLength parameter.

<285> Section 3.5.4.6.2: Windows limits the number of records to approximately 1,000 records per call.

<286> Section 3.5.4.6.3: This method was used prior to Windows NT 4.0. It was superseded by the NetrDatabaseSync2 method, as specified in section 3.5.4.6.2, in Windows NT 4.0.

<287> Section 3.5.4.7.1: Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<288> Section 3.5.4.7.1:

  Return Value/Code                       Description
  0x0000051F ERROR_NO_LOGON_SERVERS       There are currently no logon servers available to service the logon request.
  0x000006FA ERROR_NO_TRUST_LSA_SECRET    The workstation does not have a trust secret.
  0x000006FB ERROR_NO_TRUST_SAM_ACCOUNT   The security database on the server does not have a computer account for this workstation trust relationship.

<289> Section 3.5.4.7.2: Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<290> Section 3.5.4.7.2:

  Return Value/Code                       Description
  0x0000051F ERROR_NO_LOGON_SERVERS       There are currently no logon servers available to service the logon request.
  0x000006FA ERROR_NO_TRUST_LSA_SECRET    The workstation does not have a trust secret.
  0x000006FB ERROR_NO_TRUST_SAM_ACCOUNT   The security database on the server does not have a computer account for this workstation trust relationship.

<291> Section 3.5.4.7.3:

  Return Value/Code                       Description
  0x0000051F ERROR_NO_LOGON_SERVERS       There are currently no logon servers available to service the logon request.
  0x000006FA ERROR_NO_TRUST_LSA_SECRET    The workstation does not have a trust secret.
  0x000006FB ERROR_NO_TRUST_SAM_ACCOUNT   The security database on the server does not have a computer account for this workstation trust relationship.

<292> Section 3.5.4.7.4: Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<293> Section 3.5.4.7.5: Supported in Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<294> Section 3.5.4.7.5:

  Return Value/Code                       Description
  0x00000001 ERROR_INVALID_FUNCTION       Incorrect function.

<295> Section 3.5.4.7.5: If the TrustedDomainName parameter is specified, the server calls the NetrGetForestTrustInformation method on a DC in the domain specified by the parameter.

<296> Section 3.5.4.7.6: Supported in Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<297> Section 3.5.4.8.1: Supported in Windows 2000, Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<298> Section 3.5.4.8.1: Windows NT, Windows 2000, Windows XP, and Windows Server 2003 allow the call to succeed. Later versions of Windows return ERROR_ACCESS_DENIED if the call is not made locally.

<299> Section 3.5.4.8.2: Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<300> Section 3.5.4.8.2: When the previous password is not present, Windows Server 2012 and Windows Server 2012 R2 use an uninitialized value to compute the OldMessageDigest parameter; the OldMessageDigest returned by those versions in that case is therefore unpredictable, and a client cannot verify it against anything.

<301> Section 3.5.4.8.3: Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<302> Section 3.5.4.8.4: Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<303> Section 3.5.4.8.5: Not supported in Windows NT.

<304> Section 3.5.4.8.5: This flag was added in Windows 7.

<305> Section 3.5.4.8.5: This flag was added in Windows 7.

<306> Section 3.5.4.8.5: Windows NT, Windows 2000, Windows XP, and Windows Server 2003 allow the call to succeed. Later versions of Windows return ERROR_ACCESS_DENIED if the call is not made locally.

<307> Section 3.5.4.8.6: Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<308> Section 3.5.4.8.6: The Netlogon client ignores this value if ServerName is not a domain controller.

<309> Section 3.5.4.8.6: Windows NT, Windows 2000, Windows XP, and Windows Server 2003 allow the call to succeed. Later versions of Windows return ERROR_ACCESS_DENIED if the call is not made locally.

<310> Section 3.5.4.9.1: The following restrictions apply to the values of the FunctionCode parameter in Windows NT 4.0, Windows 2000, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. There are no restrictions in Windows Server 2003, Windows Vista, and Windows Server 2008.

The following values are not supported on Windows NT 4.0:

  • NETLOGON_CONTROL_CHANGE_PASSWORD (0x00000009)

  • NETLOGON_CONTROL_TC_VERIFY (0x0000000A)

  • NETLOGON_CONTROL_FORCE_DNS_REG (0x0000000B)

  • NETLOGON_CONTROL_QUERY_DNS_REG (0x0000000C)

  • NETLOGON_CONTROL_BACKUP_CHANGE_LOG (0x0000FFFC)

  • NETLOGON_CONTROL_TRUNCATE_LOG (0x0000FFFD)

  • NETLOGON_CONTROL_SET_DBFLAG (0x0000FFFE)

  • NETLOGON_CONTROL_BREAKPOINT (0x0000FFFF)

The error ERROR_NOT_SUPPORTED is returned if one of these values is used.

The following values are not supported on Windows 2000 Server:

  • NETLOGON_CONTROL_TC_VERIFY (0x0000000A)

  • NETLOGON_CONTROL_FORCE_DNS_REG (0x0000000B)

  • NETLOGON_CONTROL_QUERY_DNS_REG (0x0000000C)

The error ERROR_NOT_SUPPORTED is returned if one of these values is used.

The following values are not supported on Windows 7 or Windows Server 2008 R2:

  • NETLOGON_CONTROL_REPLICATE (0x00000002)

  • NETLOGON_CONTROL_SYNCHRONIZE (0x00000003)

  • NETLOGON_CONTROL_PDC_REPLICATE (0x00000004)

  • NETLOGON_CONTROL_BACKUP_CHANGE_LOG (0x0000FFFC)

The error ERROR_NOT_SUPPORTED is returned if one of these values is used.

<311> Section 3.5.4.9.1: Supported only on servers that are Windows NT 4.0 BDCs; any other server returns ERROR_NOT_SUPPORTED.

<312> Section 3.5.4.9.1: Supported only on servers that are Windows NT 4.0 BDCs; any other server returns ERROR_NOT_SUPPORTED.

<313> Section 3.5.4.9.1: Windows NT, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 support NETLOGON_CONTROL_PDC_REPLICATE (0x00000004).

<314> Section 3.5.4.9.1: The server is a Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, or Windows Server 2012 R2 DC; otherwise, the ERROR_NOT_SUPPORTED error is returned.

<315> Section 3.5.4.9.1: The server is a Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, or Windows Server 2012 R2 DC; otherwise, the ERROR_NOT_SUPPORTED error is returned. The server implementation decides how the DNS update status is recorded.

<316> Section 3.5.4.9.1: In Windows, the server copies to a backup file the contents of a file that contains a cache of database changes.

<317> Section 3.5.4.9.1: In Windows, the server truncates the contents of a debug file that contains debugging information about the Netlogon service operations.

<318> Section 3.5.4.9.1: In Windows, the server sets the level of verbosity of output into the debug file that contains debugging information about the Netlogon service operations. The level of verbosity to set is specified in the DebugFlag field of the Data parameter.

<319> Section 3.5.4.9.1: In Windows, if the NetrLogonControl2Ex method is called with the function code NETLOGON_CONTROL_BREAKPOINT and the operating system is not a checked build, the method returns ERROR_NOT_SUPPORTED.

<320> Section 3.5.4.9.1: In Windows, the server breaks into the debugger if one is attached and the computer supports debugging.

<321> Section 3.5.4.9.1: Not supported in Windows NT.

<322> Section 3.5.4.9.1: Windows NT 4.0 BDCs force an immediate partial synchronization of all databases.

<323> Section 3.5.4.9.1: Windows NT 4.0 BDCs force an immediate full synchronization of all databases.

<324> Section 3.5.4.9.1: Windows NT 4.0 PDCs immediately send announcement messages to request each BDC to replicate the database.

<325> Section 3.5.4.9.1: Windows NT and Windows 2000 DCs MUST return ERROR_NOT_SUPPORTED.

<326> Section 3.5.4.9.1: Windows NT and Windows 2000 DCs MUST return ERROR_NOT_SUPPORTED.

<327> Section 3.5.4.9.1: Windows NT, Windows XP, and Windows Server 2003 support FunctionCode NETLOGON_CONTROL_PDC_REPLICATE (0x00000004).

<328> Section 3.5.4.9.3: The FunctionCode parameter is restricted to the following values:

Windows NT 4.0:

  • NETLOGON_CONTROL_QUERY (0x00000001)

  • NETLOGON_CONTROL_REPLICATE (0x00000002)

  • NETLOGON_CONTROL_SYNCHRONIZE (0x00000003)

  • NETLOGON_CONTROL_PDC_REPLICATE (0x00000004)

If any other value is used, the error code ERROR_NOT_SUPPORTED is returned.

Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008:

  • NETLOGON_CONTROL_QUERY (0x00000001)

  • NETLOGON_CONTROL_REPLICATE (0x00000002)

  • NETLOGON_CONTROL_SYNCHRONIZE (0x00000003)

  • NETLOGON_CONTROL_PDC_REPLICATE (0x00000004)

  • NETLOGON_CONTROL_BACKUP_CHANGE_LOG (0x0000FFFC)

  • NETLOGON_CONTROL_TRUNCATE_LOG (0x0000FFFD)

  • NETLOGON_CONTROL_BREAKPOINT (0x0000FFFF)

If any other value is used, the error code ERROR_NOT_SUPPORTED is returned.

Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, or Windows Server 2012 R2:

  • NETLOGON_CONTROL_QUERY (0x00000001)

  • NETLOGON_CONTROL_TRUNCATE_LOG (0x0000FFFD)

  • NETLOGON_CONTROL_BREAKPOINT (0x0000FFFF)

If any other value is used, the error code ERROR_NOT_SUPPORTED is returned.

<329> Section 3.5.4.10.1: The Netlogon server implementation of this method is present in all versions of Windows covered by this document. The Netlogon client implementations in all versions of Windows covered by this document ignore this method.

<330> Section 3.5.4.10.2: The Netlogon server implementation of this method is present in all versions of Windows covered by this document. The Netlogon client implementations in all versions of Windows covered by this document ignore this method.

<331> Section 3.5.4.10.3: The Netlogon server returns STATUS_NOT_IMPLEMENTED.

<332> Section 3.5.4.10.4: The Netlogon server returns STATUS_NOT_IMPLEMENTED.

<333> Section 3.6.2: The default time-out is 5 minutes. The time-out may be configured between 1 minute and 2 days, inclusive.

<334> Section 3.6.4.1: To indicate such a local condition, the PDC returns 0xC0000134 (STATUS_SYNCHRONIZATION_REQUIRED) as the return value of the NetrDatabaseDeltas call. For example, the PDC maintains a cache of partial database state in memory that it uses to process partial synchronization requests; if that cached information is not available (for example, because the cache was flushed), the PDC returns 0xC0000134, and the BDC falls back to a full synchronization as described in <338>.

<335> Section 3.6.5.1: The announcement can be forced if this is a new BDC configured in the domain.

<336> Section 3.6.5.1: A separate timer is used on the PDC to time out announcements sent to the BDCs. A BDC is considered to be processing an announcement until it completes a synchronization request, as described below; during that time, no additional announcements are sent to that BDC. If a BDC does not respond with a synchronization request within the time-out period set by the timer, the announcement is deemed to have timed out.

<337> Section 3.6.5.1: The PDC sends messages only if the current value of AbstractPulseConcurrency is less than a certain value defined as a configuration setting.

<338> Section 3.6.5.2.2: The BDC performs a full synchronization on receiving any error code other than STATUS_SUCCESS or STATUS_ACCESS_DENIED.

<339> Section 3.6.6: In all of the above scenarios, Netlogon performs a full database synchronization.

© 2014 Microsoft