7 Appendix B: Product Behavior

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include released service packs.

  • Windows NT operating system

  • Windows 2000 operating system

  • Windows XP operating system

  • Windows Server 2003 operating system

  • Windows Vista operating system

  • Windows Server 2008 operating system

  • Windows 7 operating system

  • Windows Server 2008 R2 operating system

  • Windows 8 operating system

  • Windows Server 2012 operating system

  • Windows 8.1 operating system

  • Windows Server 2012 R2 operating system

  • Windows 10 operating system

  • Windows Server 2016 operating system

Exceptions, if any, are noted below. If a service pack or Quick Fix Engineering (QFE) number appears with the product version, behavior changed in that service pack or QFE. The new behavior also applies to subsequent service packs of the product unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms "SHOULD" or "SHOULD NOT" implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term "MAY" implies that the product does not follow the prescription.

<1> Section 1.3.3: Sharing the user account database is achieved in Windows via replication of the account database among DCs so that each DC in the domain has the same copy of the database. On Windows DCs, replication is performed by the Active Directory replication service (see [MS-DRSR]), except on Windows NT 4.0 operating system DCs, where replication is performed by the Netlogon replication.

<2> Section 1.3.3: Except for DCs running Windows NT 4.0, synchronization between DCs running Windows is performed by the Active Directory replication service [MS-DRSR]. Synchronization involving a DC running Windows NT 4.0 is performed by the Netlogon service.

<3> Section 1.3.3: In Windows NT 4.0, a single DC in a domain is designated the primary domain controller (PDC). The PDC is the only DC that accepts changes to the account information it stores. A Windows NT 4.0 domain has zero or more backup domain controllers (BDCs).

<4> Section 1.3.3: Netlogon replication requires the PDC to run Windows NT Server 4.0 operating system, Windows 2000 Server operating system, or Windows Server 2003, while BDCs run Windows NT Server 4.0. Windows Server 2008 does not support replication to Windows NT 4.0 BDCs.

<5> Section 1.3.8.1.1: LAN Manager is a suite of products implemented in MS-DOS, Windows 3.0 operating system, and Windows NT 3.1 operating system.

<6> Section 2.2.1.1.2: The value of MaximumLength is ignored by the Windows NT 4.0 implementation.

<7> Section 2.2.1.2.1: The DOMAIN_CONTROLLER_INFOW structure is not supported in Windows NT.

<8> Section 2.2.1.2.1: IPv6 is not supported in Windows NT, Windows 2000, Windows XP, or Windows Server 2003.

<9> Section 2.2.1.2.1: In Windows NT, Windows 2000 Server, Windows XP, and Windows Server 2003, this address is an IPv4 address. For all other versions of Windows, this address can be an IPv4 or IPv6 address.

<10> Section 2.2.1.2.1: Windows NT-based domain controllers do not have a domain GUID.

<11> Section 2.2.1.2.1: Read-only domain controllers (RODCs) are not supported in Windows NT Server operating system, Windows 2000 Server, and Windows Server 2003.

<12> Section 2.2.1.2.1: Writable domain controllers are not supported in Windows NT Server, Windows 2000, and Windows Server 2003. The concept of designating a DC as writable was added when read-only DCs were created.

<13> Section 2.2.1.2.1: Active Directory Web Service is not available in Windows NT and Windows 2000. It is available in Windows Server 2003 and Windows Server 2008 when Active Directory Management Gateway Service is installed.

<14> Section 2.2.1.2.1: Windows NT-based domain controllers do not have an associated site.

<15> Section 2.2.1.2.5: The Status field is not implemented in Windows NT, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista.

<16> Section 2.2.1.2.6: DnsNamesInfo is not implemented in Windows NT, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista.

<17> Section 2.2.1.3.3: The NL_AUTH_SHA2_SIGNATURE structure is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, or Windows Vista.

<18> Section 2.2.1.3.6: The NETLOGON_WORKSTATION_INFO structure is not supported in Windows NT.

<19> Section 2.2.1.3.6: For example, for Windows 7 Ultimate operating system, the string "Windows 7 Ultimate" is used.

<20> Section 2.2.1.3.6: The KerberosSupportedEncryptionTypes field is not supported in Windows NT, Windows 2000, and Windows Server 2003.

<21> Section 2.2.1.3.7: The NL_TRUST_PASSWORD structure is not supported in Windows NT.

<22> Section 2.2.1.3.8: The NL_PASSWORD_VERSION structure is not supported in Windows NT.

<23> Section 2.2.1.3.9: The NETLOGON_WORKSTATION_INFORMATION union is not supported in Windows NT.

<24> Section 2.2.1.3.10: The NETLOGON_ONE_DOMAIN_INFO structure is not supported in Windows NT.

<25> Section 2.2.1.3.11: The NETLOGON_DOMAIN_INFO structure is not supported in Windows NT.

<26> Section 2.2.1.3.11: Windows NT, Windows 2000, and Windows XP ignore the SupportedEncTypes field.

<27> Section 2.2.1.3.12: The NETLOGON_DOMAIN_INFORMATION structure is not implemented in Windows NT.

<28> Section 2.2.1.3.13: At least one of the two domains in a secure channel is required to be a Windows NT 4.0 domain.

<29> Section 2.2.1.3.13: The CdcServerSecureChannel type is not implemented in Windows NT, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista.

<30> Section 2.2.1.3.14: The NETLOGON_CAPABILITIES union is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<31> Section 2.2.1.3.15: The normal (writable) DC cannot be a Windows Server 2003 or a Windows 2000 Server DC.

<32> Section 2.2.1.3.15: The following table defines the dwMajorVersion values.

Value   Meaning
4       The operating system is Windows NT 4.0.
5       The operating system is Windows 2000, Windows XP, Windows Server 2003, or Windows Server 2003 R2 operating system.
6       The operating system is Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, or Windows Server 2012 R2.
10      The operating system is Windows 10 or Windows Server 2016.

<33> Section 2.2.1.3.15: The following table defines the dwMinorVersion values.

Value   Meaning
0       The operating system is Windows NT 4.0, Windows 2000, Windows Vista, Windows Server 2008, Windows 10, or Windows Server 2016.
1       The operating system is Windows XP, Windows 7, or Windows Server 2008 R2.
2       The operating system is Windows XP Professional x64 Edition operating system, Windows Server 2003, Windows Server 2003 R2, Windows 8, or Windows Server 2012.
3       The operating system is Windows 8.1 or Windows Server 2012 R2.

<34> Section 2.2.1.3.15: VER_NT_WORKSTATION identifies the operating system as one of the following: Windows NT Workstation 4.0 operating system, Windows 2000 Professional operating system, Windows XP Home Edition operating system, Windows XP Professional operating system, Windows Vista, Windows 7, Windows 8, Windows 8.1, or Windows 10.

<35> Section 2.2.1.3.15: The wReserved field is not implemented in Windows NT, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista. The Netlogon server ignores this value.

<36> Section 2.2.1.3.16: The normal (writable) DC cannot be a Windows 2000 Server or a Windows Server 2003 domain controller.

<37> Section 2.2.1.3.16: The OsName field is not implemented in Windows NT, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista.

<38> Section 2.2.1.3.17: Windows NT, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista do not support V1.

<39> Section 2.2.1.3.18: The normal (writable) DC cannot be a Windows 2000 Server or a Windows Server 2003 DC.

<40> Section 2.2.1.3.18: RODCs are not supported in Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

<41> Section 2.2.1.3.18: The SupportedEncTypes field is not implemented in Windows NT, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista.

<42> Section 2.2.1.3.19: The V1 field is not implemented in Windows NT, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista.

<43> Section 2.2.1.4.16: The NETLOGON_LOGON_INFO_CLASS enumeration types are not supported in Windows Vista.

<44> Section 2.2.1.4.17: The NETLOGON_VALIDATION_INFO_CLASS enumeration types are not supported in Windows Vista.

<45> Section 2.2.1.4.17: Except in Windows Vista, the NETLOGON_VALIDATION_INFO_CLASS enumeration also defines the NetlogonValidationUasInfo type. This value is used by LAN Manager in support of LAN Manager products and is beyond the scope of this document.

<46> Section 2.2.1.5.1: The recipient of the message waits for the indicated number of seconds before contacting the sender.

<47> Section 2.2.1.5.22: Except for Windows NT, NumControllerEntries is set to zero in the NETLOGON_DELTA_TRUSTED_DOMAINS structure.

<48> Section 2.2.1.5.22: Except for Windows NT, ControllerNames is set to NULL in the NETLOGON_DELTA_TRUSTED_DOMAINS structure.

<49> Section 2.2.1.5.28: In Windows NT 4.0 replication, the DeleteGroupByName, DeleteUserByName, and SerialNumberSkip types require NegotiateFlags=0x00000010. For more information, see the Capability Negotiation bullet in section 1.7 and the NegotiateFlags parameter description in sections 3.5.4.4.3 (NetrServerAuthenticate2) and 3.5.4.4.2 (NetrServerAuthenticate3).

<50> Section 2.2.1.6.2: DS_DOMAIN_TRUSTSW structure is not supported in Windows NT.

<51> Section 2.2.1.6.2: 0x00000001 is supported only in Windows NT.

<52> Section 2.2.1.6.2: Trust with an Active Directory domain is supported in Windows Server operating system except Windows NT.

<53> Section 2.2.1.6.2: A trust link is valid only for Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 domains.

<54> Section 2.2.1.6.3: The NETLOGON_TRUSTED_DOMAIN_ARRAY structure is not supported in Windows NT.

<55> Section 2.2.1.6.4: The NL_GENERIC_RPC_DATA structure is not supported in Windows NT or Windows 2000.

<56> Section 2.2.1.7.2: The NETLOGON_INFO_1 structure contains information about the state of the database synchronization for Windows NT 4.0 backup domain controllers only.

<57> Section 2.2.1.7.2: Flags A, B, C, and D are set only in the query response from a Windows NT 4.0-based backup domain controller. Flags E, F, and G are not available in Windows NT and cannot be set in the query response from a domain controller running Windows NT.

<58> Section 2.2.1.7.3: Flags A, B, and C cannot be set in the query response from a server running Windows NT. Flag C is also not supported in Windows 2000 or Windows XP.

<59> Section 2.2.1.8: The unsupported structures are used in versions of Windows not covered by this document.

<60> Section 2.2.1.8.4: Windows never uses the NETLOGON_DUMMY1 union.

<61> Section 3: In Windows NT 4.0, the Netlogon Remote Protocol RPC interface is used to replicate account information from the primary domain controllers (PDCs) to the backup domain controllers (BDCs). PDCs also use mailslots to broadcast messages to the BDCs; these messages (as specified in section 2.2.1.5.1) are not transmitted via RPC.

<62> Section 3: Except in Windows NT, the server defaults to the primary domain if the name is not found.

<63> Section 3.1.1: In Windows Server (except Windows NT), for computer accounts in a domain, the OWF of the shared secret is stored in the unicodePwd attribute of the computer account object in Active Directory ([MS-ADTS] section 6.4.2).

For trusts with Windows Server domains (except Windows NT), the shared secret is stored in the trustAuthIncoming attribute ([MS-ADTS] section 6.1.6.7.10) and the trustAuthOutgoing attribute ([MS-ADTS] section 6.1.6.7.11) of the trusted domain object (TDO) that contains trust information in Active Directory ([MS-ADTS] section 6.1.6.9.1). Depending on the AuthType either the shared secret (TRUST_AUTH_TYPE_CLEAR) or NTOWFv1 (TRUST_AUTH_TYPE_NT4OWF) is stored.

For trusts with Windows NT 4.0 domains, the OWF of the shared secret is stored in the trustAuth attribute of the corresponding TDO for the Windows NT 4.0 domain.

<64> Section 3.1.1: In Windows NT 4.0 ([MS-SAMR] section 3.1.1.3), the OWF of the shared secret is stored as an attribute of the computer account object (for domain members) or the interdomain trust account object (for domain trusts).

<65> Section 3.1.1: Windows uses the Netlogon Remote Protocol to change the machine account password every 30 days by default. The value is configurable with a minimum of one day and maximum of 1,000,000 days.

<66> Section 3.1.1: For trusts with Windows Server domains (except Windows NT), the trust password version is stored in the TRUST_AUTH_TYPE_VERSION of the trustAuthIncoming attribute ([MS-ADTS] section 6.1.6.7.10) and the trustAuthOutgoing attribute ([MS-ADTS] section 6.1.6.7.11) of the TDO that contains trust information in Active Directory ([MS-ADTS] section 6.1.6.9.1). The trust password version is not maintained for Windows NT 4.0 domains.

<67> Section 3.1.1: The following Windows registry settings are used to persistently store and retrieve the SealSecureChannel variable:

  • RegistryValueName: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters

  • RegistryValueType: 4

  • RegistryValue: SealSecureChannel

<68> Section 3.1.4.1: Returning the negotiated flags for the current exchange is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<69> Section 3.1.4.1: Comparing the received ServerCapabilities with the negotiated NegotiateFlags is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<70> Section 3.1.4.2: The negotiable options J through S are not supported in Windows NT. Option T is not supported in Windows NT or Windows 2000.

<71> Section 3.1.4.2: This flag is used in Windows NT 3.5 operating system only.

<72> Section 3.1.4.2: The negotiable option U is supported in Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

<73> Section 3.1.4.2: The negotiable option V is not supported in Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

<74> Section 3.1.4.2: The negotiable option W is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<75> Section 3.1.4.2: The negotiable option Y is not supported in Windows NT prior to Windows NT 4.0 operating system Service Pack 2 (SP2).

<76> Section 3.1.4.6: For Windows, the client binds to the RPC server using TCP (except for Windows NT, in which the client binds to the RPC server using named pipes). If RPC returns an error indicating that the protocol sequence is not supported, then the client binds to the RPC server using named pipes.

<77> Section 3.1.4.6: Windows NT 4.0 operating system Service Pack 4 (SP4) does not support Secure RPC and does not perform a secure bind.

<78> Section 3.1.4.6: Windows caches and reuses the binding for subsequent RPC calls to the server.

<79> Section 3.1.6: When Netlogon receives a PolicyChange event, NRPC implementations that use the Windows registry to persistently store and retrieve the SealSecureChannel variable need to load the new value from the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters registry path and SealSecureChannel key.

<80> Section 3.3: The Windows Netlogon SSP is not provided for use by other applications. It has neither the full functionality of public SSPs nor access from non-LSA applications.

<81> Section 3.3: The Netlogon capability of encrypting and signing data during communication is not supported in Windows NT prior to Windows NT 4.0 operating system Service Pack 6 (SP6).

<82> Section 3.3.4.2.2: Windows disregards the Flags data.

<83> Section 3.4: Netlogon runs only on machines joined to a domain ([MS-ADTS] section 6.4). Upon startup, it locates a domain controller and establishes a secure channel to it. The secure channel is used for secure communication between the client and the domain controller and for passing sensitive data between the two entities. Except in Windows NT, Netlogon also registers the service principal names (SPNs) for the computer that it runs on. It registers the SPNs of the form "HOST/NetBIOSName" and "HOST/Full.Dns.Name", which updates the servicePrincipalName attribute of the computer account object in Active Directory.

<84> Section 3.4.1: RejectMD5Servers is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

The Windows registry settings used to persistently store and retrieve the RejectMD5Servers variable are the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters registry path and RejectMD5Servers key.

<85> Section 3.4.1: The following Windows registry settings are used to persistently store and retrieve the RequireSignOrSeal variable:

  • RegistryValueName: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters

  • RegistryValueType: 4

  • RegistryValue: RequireSignOrSeal

<86> Section 3.4.1: RequireStrongKey is not supported in Windows NT.

<87> Section 3.4.1: The Windows registry settings used to persistently store and retrieve the RequireStrongKey variable are as follows:

  • RegistryValueName: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters

  • RegistryValueType: 4

  • RegistryValue: RequireStrongKey

<88> Section 3.4.3: Windows uses 4096. Other implementations can use any value.

<89> Section 3.4.3: Implementations that use the Windows registry to persistently store and retrieve the settings for ClientCapabilities bit O use the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters registry path and the SignSecureChannel and SealSecureChannel values to indicate whether bit O should be set. If either of these registry values is set to 0x1, then bit O is set.

Implementations that use the Windows registry to persistently store settings for ClientCapabilities bit U use the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters registry path and NeutralizeNt4Emulator key to indicate whether bit U is set. If this registry value is set to 0x1, then bit U is set.

<90> Section 3.4.3: Windows NT 4.0 SP4, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 initialize RequireSignOrSeal to FALSE.

<91> Section 3.4.3: Windows initializes RequireStrongKey to FALSE.

<92> Section 3.4.5.1.3: All applications available as part of Windows set the SiteGuid parameter to NULL.

<93> Section 3.4.5.1.11: The ServerName is a normal (writable) DC, but is not a Windows Server 2003 or a Windows 2000 Server DC.

<94> Section 3.4.5.1.11: The client has to be an RODC.

<95> Section 3.4.5.2.4: The NetrServerAuthenticate method is used only in Windows NT Server 3.1 operating system.

<96> Section 3.4.5.2.5: Windows clients re-establish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<97> Section 3.4.5.2.6: Windows clients re-establish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<98> Section 3.4.5.2.7: Windows clients re-establish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<99> Section 3.4.5.2.9: Windows clients reestablish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<100> Section 3.4.5.2.10: NetrLogonGetCapabilities is not supported by Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, or Windows Server 2008 clients.

<101> Section 3.4.5.2.10: Re-establishing the secure channel with the DC is not supported by Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<102> Section 3.4.5.2.10: For Windows DCs, the STATUS_NOT_IMPLEMENTED error means the DC is a Windows NT, Windows Server 2003, or Windows Server 2008 machine.

<103> Section 3.4.5.2.10: Windows clients re-establish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<104> Section 3.4.5.2.11: The normal (writable) DC cannot be a Windows 2000 Server or a Windows Server 2003 DC.

<105> Section 3.4.5.3.2: For all versions of Windows except Windows NT 3.1 operating system, encrypt by using the negotiated encryption algorithm and the session key.

For Windows NT 3.1, encrypt as follows.

 InitLMKey(KeyIn, KeyOut)
      // Spread the 7-byte (56-bit) input key over 8 output bytes,
      // 7 key bits per byte, as DES expects.
      KeyOut[0] = KeyIn[0] >> 0x01;
      KeyOut[1] = ((KeyIn[0]&0x01)<<6) | (KeyIn[1]>>2);
      KeyOut[2] = ((KeyIn[1]&0x03)<<5) | (KeyIn[2]>>3);
      KeyOut[3] = ((KeyIn[2]&0x07)<<4) | (KeyIn[3]>>4);
      KeyOut[4] = ((KeyIn[3]&0x0F)<<3) | (KeyIn[4]>>5);
      KeyOut[5] = ((KeyIn[4]&0x1F)<<2) | (KeyIn[5]>>6);
      KeyOut[6] = ((KeyIn[5]&0x3F)<<1) | (KeyIn[6]>>7);
      KeyOut[7] = KeyIn[6] & 0x7F;
      // Shift every byte left by one so that bit 0 of each byte
      // (the DES parity position) is clear; the two DWORD shifts
      // followed by the 0xfe masks act as a per-byte shift.
      ((DWORD*)KeyOut)[0] <<= 1;
      ((DWORD*)KeyOut)[1] <<= 1;
      ((DWORD*)KeyOut)[0] &= 0xfefefefe;
      ((DWORD*)KeyOut)[1] &= 0xfefefefe;

 Assume bytes(s, e, l) returns bytes from s to e of the byte array l. Assume concat(a1, a2) returns a byte array containing the bytes of array a1 followed by the bytes of byte array a2. DES_ECB(block, key, output) encrypts a single 8-byte block with DES in ECB mode under the given 8-byte key.

 LMDESECB(Input, Sk, Output)
      // Derive two DES keys from the two halves of the 16-byte session key Sk.
      SET k1 to bytes(0, 7, Sk)
      CALL InitLMKey(k1, k3)
      SET k2 to bytes(8, 15, Sk)
      CALL InitLMKey(k2, k4)
      // Encrypt each 8-byte half of the 16-byte Input under its own key.
      SET i1 to bytes(0, 7, Input)
      SET i2 to bytes(8, 15, Input)
      CALL DES_ECB(i1, k3, &output1)
      CALL DES_ECB(i2, k4, &output2)
      SET Output to concat(output1, output2)

<106> Section 3.4.5.3.2: For all versions of Windows except Windows NT 3.1, encrypt using the negotiated encryption algorithm and the session key.

For Windows NT 3.1, encrypt as described in the product behavior note earlier in this section.

<107> Section 3.4.5.3.2: For all versions of Windows except Windows NT 3.1, encrypt using the negotiated encryption algorithm and the session key.

For Windows NT 3.1, encrypt as described in the product behavior note earlier in this section.

<108> Section 3.4.5.3.2: Windows clients reestablish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<109> Section 3.4.5.3.4: For all versions of Windows except Windows NT 3.1, encrypt by using the negotiated encryption algorithm and the session key.

For Windows NT 3.1, encrypt as described in the product behavior note in section 3.4.5.3.2.

<110> Section 3.4.5.3.4: For all versions of Windows except Windows NT 3.1, encrypt by using the negotiated encryption algorithm and the session key.

For Windows NT 3.1, encrypt as described in the product behavior note in section 3.4.5.3.2.

<111> Section 3.4.5.3.4: For all versions of Windows except Windows NT 3.1, encrypt using the negotiated encryption algorithm and the session key.

For Windows NT 3.1, encrypt as described in the product behavior note in section 3.4.5.3.2.


<112> Section 3.4.5.3.4: Windows clients reestablish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<113> Section 3.4.5.3.5: Windows clients reestablish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<114> Section 3.4.5.4.1: Windows clients reestablish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<115> Section 3.4.5.4.2: Windows clients call the NetrDatabaseSync2 method in a loop until all database records are received.

<116> Section 3.4.5.4.2: On receiving the STATUS_MORE_ENTRIES status code, Windows clients continue calling the NetrDatabaseSync2 routine in a loop until all missing database entries are received. The client terminates the loop on a computer shutdown notification.

<117> Section 3.4.5.4.2: Windows clients re-establish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<118> Section 3.4.5.4.4: Windows clients reestablish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<119> Section 3.4.5.5.4: Windows clients reestablish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<120> Section 3.4.5.5.6: Windows clients reestablish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<121> Section 3.4.5.6.4: Windows clients reestablish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<122> Section 3.4.6.1: Windows uses 4096. Other implementations can use any value.

<123> Section 3.4.7: The new Windows registry settings for the RequireStrongKey and RequireSignOrSeal variables are loaded from the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters registry path and the RequireStrongKey and RequireSignOrSeal keys.

<124> Section 3.5.1: In Windows implementations, the default DynamicSiteNameTimeout value is 5 minutes, and the allowed range is 0 minutes to 49 days.

<125> Section 3.5.1: RejectMD5Clients is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<126> Section 3.5.1: The NT4Emulator ADM element is not implemented in Windows NT.

<127> Section 3.5.1: DCRPCPort is supported in all versions of Windows Server except Windows NT Server and Windows 2000 Server.

<128> Section 3.5.3: The named pipe LSASS is also known by the alias NETLOGON. The client can use this alias to establish an RPC over named pipes connection. The Netlogon security package functionality is not implemented in Windows NT.

<129> Section 3.5.3: Implementations that use the Windows registry to persistently store and retrieve the RejectMD5Clients variable use the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters registry path and RejectMD5Clients key.

<130> Section 3.5.3: Implementations that use the Windows registry to persistently store and retrieve the SignSecureChannel variable set the following values:

  • RegistryValueName: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters

  • RegistryValueType: 4

  • RegistryValue: SignSecureChannel

<131> Section 3.5.3: Windows NT 4.0 initializes the StrongKeySupport value to FALSE.

<132> Section 3.5.3: In Windows implementations, AllowSingleLabelDNSDomain is configured using the following Windows registry path:

  • Registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters

  • RegistryValueName: AllowSingleLabelDNSDomain

  • RegistryType: DWORD

  • Acceptable values: 0 = Disabled, 1 = Enabled

  • Default value if not explicitly configured: 0.

<133> Section 3.5.3: Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 consider AllowDnsSuffixSearch to be FALSE.

<134> Section 3.5.3: Windows uses the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters registry path and SiteName value.

<135> Section 3.5.3: In Windows implementations, FailedDiscoveryCachePeriod can be configured using the following Windows registry path:

  • Registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters

  • RegistryValueName: NegativeCachePeriod

  • RegistryType: DWORD

  • AllowedRange: 0 - 604800 (7 days)

  • Default value if not explicitly configured: 45 seconds

<136> Section 3.5.3: In Windows implementations, the CacheEntryValidityPeriod value is 12 hours, unless changed by an administrator.

<137> Section 3.5.3: In Windows implementations, the CacheEntryPingValidityPeriod value is 30 minutes, unless changed by an administrator.

<138> Section 3.5.3: The Windows registry settings to persistently store and retrieve the DCRPCPort variable are the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters registry path and DCRPCPort key.

<139> Section 3.5.3: The Windows registry settings to persistently store and retrieve the RejectDES variable are the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters registry path and AllowNT4Crypto key set to negation of the RejectDES variable.

<140> Section 3.5.3: In Windows NT, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista, RejectDES is FALSE.

<141> Section 3.5.3: The Windows registry settings to persistently store and retrieve the SiteCoverage variable are the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters registry path and SiteCoverage key.
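As an added example that is not part of [MS-NRPC] or of Windows, the following PowerShell script audits the Netlogon registry values that the notes above (<67>, <85>, <87>, <89>, <123>, <129>, <130>, <139>, <141>) place under the Policies path, checking the Services path from note <79> as a fallback. The hardened Expected values and the policy-over-service precedence are my assumptions, not statements of the specification.

```powershell
# Added audit script (not from [MS-NRPC]). Reads the Netlogon registry values
# named in this appendix and compares them with a hardened baseline.
# Assumptions (mine, not the spec's): the Expected values are my hardening
# baseline, and a value under the Policies path is taken to override the same
# value under the Services path.

$PolicyPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters'
$ServicePath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Registry value name -> the ADM variable it backs and the hardened value.
# AllowNT4Crypto stores the negation of RejectDES (note <139>), so Expected = 0.
$Checks = [ordered]@{
    'RequireSignOrSeal' = @{ Variable = 'RequireSignOrSeal';   Expected = 1 }
    'RequireStrongKey'  = @{ Variable = 'RequireStrongKey';    Expected = 1 }
    'SignSecureChannel' = @{ Variable = 'SignSecureChannel';   Expected = 1 }
    'SealSecureChannel' = @{ Variable = 'SealSecureChannel';   Expected = 1 }
    'RejectMD5Servers'  = @{ Variable = 'RejectMD5Servers';    Expected = 1 }
    'RejectMD5Clients'  = @{ Variable = 'RejectMD5Clients';    Expected = 1 }
    'AllowNT4Crypto'    = @{ Variable = 'RejectDES (negated)'; Expected = 0 }
}

function Get-NetlogonRegistryValue {
    # Returns the first definition found (policy path first), or $null if the
    # value is not set under either path.
    param([Parameter(Mandatory)][string]$Name)
    foreach ($Path in @($PolicyPath, $ServicePath)) {
        if (-not (Test-Path -Path $Path)) { continue }
        $Item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $Item -and $null -ne $Item.$Name) {
            return [pscustomobject]@{ Source = $Path; Value = [int]$Item.$Name }
        }
    }
    return $null
}

function Test-NetlogonHardening {
    # Emits one row per check. Status is OK, MISMATCH, or UNSET (value absent
    # from both paths, so the operating system default applies).
    foreach ($Name in $Checks.Keys) {
        $Check = $Checks[$Name]
        $Found = Get-NetlogonRegistryValue -Name $Name
        if ($null -eq $Found) {
            $Status = 'UNSET'
            $Actual = $null
            $Source = ''
        } else {
            $Actual = $Found.Value
            $Source = $Found.Source
            $Status = if ($Actual -eq $Check.Expected) { 'OK' } else { 'MISMATCH' }
        }
        [pscustomobject]@{
            RegistryValue = $Name
            AdmVariable   = $Check.Variable
            Expected      = $Check.Expected
            Actual        = $Actual
            Status        = $Status
            Source        = $Source
        }
    }
}

$Results = Test-NetlogonHardening
$Results | Format-Table -AutoSize
# Non-zero exit code so the script can gate a configuration check.
if ($Results | Where-Object { $_.Status -ne 'OK' }) { exit 1 }
```

RejectMD5Servers and the bit O values are client-side (section 3.4) while RejectMD5Clients, AllowNT4Crypto and SignSecureChannel are server-side (section 3.5), so expect UNSET rows for the variables that do not apply to the role of the host being audited.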

<142> Section 3.5.4: Gaps in the opnum numbering sequence apply to Windows as follows.

Opnum   Description
47      Windows uses this method only locally, never remotely.

<143> Section 3.5.4.3.1: The DsrGetDcNameEx2 method is not supported in Windows NT.

<144> Section 3.5.4.3.1: The F bit is not implemented in Windows NT, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista.

<145> Section 3.5.4.3.1: The P bit is not implemented in Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

<146> Section 3.5.4.3.1: Windows implements both the LDAP Ping ([MS-ADTS] section 6.3.3) and the Mailslot Ping ([MS-ADTS] section 6.3.5) methods and uses them to locate a DC ([MS-ADTS] section 6.3.6).

<147> Section 3.5.4.3.1: Windows NT does not support directory service functions.

<148> Section 3.5.4.3.1: Except Windows NT, Windows Server DCs support directory service functions.

<149> Section 3.5.4.3.1: Except on Windows NT, a Windows Server DC is writable when it hosts a writable copy of the directory service. These DCs are writable unless they are RODCs. A Windows NT DC is writable only if it is a PDC.

<150> Section 3.5.4.3.1: The T bit is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<151> Section 3.5.4.3.1: If neither the R nor S flag is specified, Windows returns the type of name that matches the type of the DomainName parameter.

<152> Section 3.5.4.3.1: In Windows, if neither the R nor S flags are set in the Flags parameter, the behavior is as follows:

  • If only one of the DnsHostName or NetbiosComputerName fields is set in the message, the DomainControllerName field is set to that value.

  • Otherwise, if both the DnsHostName and NetbiosComputerName fields are set in the message:

    • If the DomainName parameter is equal to the DnsDomainName message field, the DomainControllerName field is set to the value of the DnsHostName message field.

    • If the DomainName parameter is equal to the NetbiosDomainName message field, the DomainControllerName field is set to the value of the NetbiosComputerName message field.

    • If the DomainName parameter is NULL:

      • If the DC responded to the LDAP message, the DomainControllerName field is set to the value of the DnsHostName message field.

      • If the DC responded to the mailslot message, the DomainControllerName field is set to the value of the NetbiosComputerName message field.

<153> Section 3.5.4.3.1: In Windows, if neither the R nor S flags are set in the Flags parameter, the behavior is as follows:

  • If only one of the DnsDomainName or NetbiosDomainName fields is set in the message, the DomainName field is set to that value.

  • Otherwise, if both the DnsDomainName and NetbiosDomainName fields are set in the message:

    • If the DomainName parameter of the DsrGetDcNameEx2 call is equal to the DnsDomainName message field, the DomainName field is set to the value of the DnsDomainName message field.

    • If the DomainName parameter of the DsrGetDcNameEx2 call is equal to the NetbiosDomainName message field, the DomainName field is set to the value of the NetbiosDomainName message field.

    • If the DomainName parameter of the DsrGetDcNameEx2 call is NULL:

      • If the DC responded to the LDAP message, the DomainName field is set to the value of the DnsDomainName message field.

      • If the DC responded to the mailslot message, the DomainName field is set to the value of the NetbiosDomainName message field.
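The two selection rules in notes <152> and <153> share one shape, so here they are as a single C function, added as example code that is not from the specification or from Windows. The dc_response and dc_names types, the via_ldap flag (which transport answered) and the case-insensitive name comparison are this example's assumptions; the notes only say "equal to".

```c
#include <ctype.h>
#include <stddef.h>

/* A DC location response as the client sees it; NULL means the message
 * lacks that field.  via_ldap: 1 = LDAP ping response, 0 = mailslot. */
typedef struct {
    const char *DnsHostName, *NetbiosComputerName;
    const char *DnsDomainName, *NetbiosDomainName;
    int via_ldap;
} dc_response;

typedef struct { const char *DomainControllerName, *DomainName; } dc_names;

/* Case-insensitive equality; NULL never matches.  The notes only say
 * "equal to", so folding case is this example's assumption. */
static int name_eq(const char *a, const char *b)
{
    if (a == NULL || b == NULL)
        return 0;
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* The rule shared by notes <152> and <153>: choose between a DNS-style and a
 * NetBIOS-style value by which forms the message carries and what the caller
 * passed as DomainName.  Returns NULL where the notes give no rule (both forms
 * present but DomainName matches neither domain name in the message). */
static const char *pick(const char *dns_val, const char *nb_val,
                        const dc_response *m, const char *DomainName)
{
    if (dns_val && !nb_val) return dns_val;         /* only one form present */
    if (!dns_val && nb_val) return nb_val;
    if (DomainName == NULL)                          /* transport decides */
        return m->via_ldap ? dns_val : nb_val;
    if (name_eq(DomainName, m->DnsDomainName))       /* asked by DNS name */
        return dns_val;
    if (name_eq(DomainName, m->NetbiosDomainName))   /* asked by NetBIOS name */
        return nb_val;
    return NULL;
}

/* Apply both notes to one response when neither the R nor the S flag was set. */
dc_names select_dc_names(const dc_response *m, const char *DomainName)
{
    dc_names r;
    r.DomainControllerName = pick(m->DnsHostName, m->NetbiosComputerName, m, DomainName);
    r.DomainName = pick(m->DnsDomainName, m->NetbiosDomainName, m, DomainName);
    return r;
}

/* Walks the cases on a constructed response (not captured traffic); returns 1
 * when every outcome matches the notes. */
int self_check(void)
{
    dc_response m = { "dc1.corp.example.test", "DC1", "corp.example.test", "CORP", 1 };
    dc_names n = select_dc_names(&m, "corp.example.test");   /* DNS request */
    if (!name_eq(n.DomainControllerName, "dc1.corp.example.test")) return 0;
    n = select_dc_names(&m, "corp");                         /* NetBIOS request */
    if (!name_eq(n.DomainControllerName, "DC1") || !name_eq(n.DomainName, "CORP")) return 0;
    n = select_dc_names(&m, NULL);                           /* NULL over LDAP */
    if (!name_eq(n.DomainName, "corp.example.test")) return 0;
    m.via_ldap = 0;
    n = select_dc_names(&m, NULL);                           /* NULL over mailslot */
    if (!name_eq(n.DomainControllerName, "DC1")) return 0;
    n = select_dc_names(&m, "other.example.test");           /* matches neither */
    return n.DomainControllerName == NULL && n.DomainName == NULL;
}
```

The last case in self_check is the one the notes do not cover: a caller whose DomainName matches neither name in a response carrying both forms gets no name from these rules.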

<154> Section 3.5.4.3.2: DsrGetDcNameEx is not supported in Windows NT.

<155> Section 3.5.4.3.3: DsrGetDcName is not supported in Windows NT.

<156> Section 3.5.4.3.4: NetrGetDCName is supported in Windows NT Server 3.1. It is superseded by the DsrGetDcNameEx2 method (section 3.5.4.3.1) in Windows 2000.

<157> Section 3.5.4.3.4: Windows implements both the LDAP ping-based method ([MS-ADTS] section 6.3.3) and the mailslot message-based method ([MS-ADTS] section 6.3.5), and uses those two methods to locate a DC ([MS-ADTS] section 6.3.6).

<158> Section 3.5.4.3.5: NetrGetAnyDCName is supported in Windows NT Server 3.1 through Windows NT 4.0. It is superseded by the DsrGetDcNameEx2 method (section 3.5.4.3.1) in Windows 2000.

<159> Section 3.5.4.3.5: Windows implements both the LDAP ping-based method ([MS-ADTS] section 6.3.3) and the mailslot ping method ([MS-ADTS] section 6.3.5), and uses those two methods to locate a DC ([MS-ADTS] section 6.3.6).

<160> Section 3.5.4.3.6: DsrGetSiteName is not supported in Windows NT.

<161> Section 3.5.4.3.6: Windows implements both the LDAP Ping method ([MS-ADTS] section 6.3.3) and the Mailslot Ping method ([MS-ADTS] section 6.3.5), and uses those two methods to locate a DC ([MS-ADTS] section 6.3.6).

<162> Section 3.5.4.3.7: DsrGetDcSiteCoverageW is not supported in Windows NT.

<163> Section 3.5.4.3.8: DsrAddressToSiteNamesW is not supported in Windows NT.

<164> Section 3.5.4.3.9: DsrAddressToSiteNamesExW is not supported in Windows NT.

<165> Section 3.5.4.3.10: DsrDeregisterDnsHostRecords is not supported in Windows NT.

<166> Section 3.5.4.3.11: DsrUpdateReadOnlyServerDnsRecords is not implemented in Windows NT, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista.

<167> Section 3.5.4.3.11: The normal (writable) DC cannot be a Windows 2000 Server or a Windows Server 2003 DC.

<168> Section 3.5.4.4.1: NetrServerReqChallenge is not implemented in Windows NT 3.1.

<169> Section 3.5.4.4.2: NetrServerAuthenticate3 is not supported in Windows NT.

<170> Section 3.5.4.4.2: In Windows, all machine account names are the name of the machine with a "$" (dollar sign) appended.

<171> Section 3.5.4.4.2: Except in Windows NT 4.0, if the value is 5 (UasServerSecureChannel), the server always returns an access-denied error because this functionality is no longer supported. Windows NT 4.0 has a configuration option that enables UAS compatibility mode; when that mode is enabled, the error is not returned and processing continues. Otherwise, Windows NT 4.0 also returns an access-denied error.

<172> Section 3.5.4.4.3: NetrServerAuthenticate2 is used in Windows NT 3.5 and Windows NT 4.0. It is superseded by the NetrServerAuthenticate3 method (section 3.5.4.4.2).

<173> Section 3.5.4.4.4: NetrServerAuthenticate is used only in Windows NT Server 3.1. In Windows NT Server 3.5 operating system, it is superseded by the NetrServerAuthenticate2 method (section 3.5.4.4.3).

<174> Section 3.5.4.4.5: NetrServerPasswordSet2 is not supported in Windows NT.

<175> Section 3.5.4.4.5: By default, the period is 30 days in Windows.

<176> Section 3.5.4.4.5: In Windows, all machine account names are the name of the machine with a "$" (dollar sign) appended.

<177> Section 3.5.4.4.6: NetrServerPasswordSet is not implemented in Windows NT 3.1.

<178> Section 3.5.4.4.6: In Windows, all machine account names are the name of the machine with a "$" (dollar sign) appended.

<179> Section 3.5.4.4.7: NetrServerPasswordGet is not supported in Windows NT.

<180> Section 3.5.4.4.7: In Windows, all machine account names are the name of the machine with a "$" (dollar sign) appended.

<181> Section 3.5.4.4.8: NetrServerTrustPasswordsGet is not supported in Windows NT and Windows 2000 prior to Windows 2000 Server operating system Service Pack 4 (SP4).

<182> Section 3.5.4.4.8: In Windows, all machine account names are the name of the machine with a "$" (dollar sign) appended.

<183> Section 3.5.4.4.9: NetrLogonGetDomainInfo is not supported in Windows NT.

<184> Section 3.5.4.4.9: Verifying that the WkstaBuffer parameter is not NULL is not supported in Windows NT, Windows 2000, Windows Server 2003, and Windows Server 2008.

<185> Section 3.5.4.4.9: All versions of Windows use 4096. Other implementations can use any value.

<186> Section 3.5.4.4.9: In Windows, NETLOGON_ONE_DOMAIN_INFO.TrustExtension MaximumLength and Length are set to the size 0x10, and Buffer points to a buffer containing the following fields of a DS_DOMAIN_TRUSTSW structure: Flags, ParentIndex, TrustType, TrustAttributes.

<187> Section 3.5.4.4.9: If both WkstaBuffer.WorkstationInfo.OsVersion and WkstaBuffer.WorkstationInfo.OsName are unspecified, Windows 2000, Windows XP, and Windows Server 2003 use the generic string "Windows 2000" to update the operatingSystem attribute. If only WkstaBuffer.WorkstationInfo.OsName is unspecified, Windows 2000, Windows XP, and Windows Server 2003 use the generic string "Windows 2000 Professional" when WkstaBuffer.WorkstationInfo.OsVersion.wProductType is VER_NT_WORKSTATION, and otherwise use the string "Windows 2000 Server" to update the operatingSystem attribute.

<188> Section 3.5.4.4.10: NetrLogonGetCapabilities is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

In Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008, RPC opnum 21 is associated with the following RPC method, which does not perform any protocol-relevant function:

 NTSTATUS NetrLogonDummyRoutine1(
   [in, string] LOGONSRV_HANDLE ServerName,
   [in, string, unique] wchar_t* ComputerName,
   [in] PNETLOGON_AUTHENTICATOR Authenticator,
   [in, out] PNETLOGON_AUTHENTICATOR ReturnAuthenticator,
   [in] DWORD QueryLevel,
   [out, switch_is(QueryLevel)] PNETLOGON_DUMMY1 Buffer
 );

The return type and parameters for NetrLogonDummyRoutine1 take on the same data representation as those for NetrLogonGetCapabilities.

<189> Section 3.5.4.4.10: The ServerCapabilities parameter is not supported by Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, or Windows Server 2008. These operating systems supported a dummy buffer type:

[out, switch_is(QueryLevel)] PNETLOGON_DUMMY1 Buffer

Buffer: A pointer to a byte buffer.

<190> Section 3.5.4.4.10: Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 do no processing for this call, and always return 0xC0000002 (STATUS_NOT_IMPLEMENTED).

<191> Section 3.5.4.4.11: NetrChainSetClientAttributes is not supported by Windows NT, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista. The normal (writable) DC cannot be a Windows 2000 Server or a Windows Server 2003 DC.

<192> Section 3.5.4.4.11: STATUS_ACCESS_DENIED is returned if the read-only domain controller, ChainedFromServerName, does not have permission to replicate the secrets for the client's computer account identified by ChainedForClientName.

<193> Section 3.5.4.5.1: NetrLogonSamLogonEx is not supported in Windows NT.

<194> Section 3.5.4.5.1: Windows uses the value 0x01 as the representation of TRUE and 0x00 for FALSE.

<195> Section 3.5.4.5.1: Bits C and D are not implemented in Windows NT, Windows 2000, and Windows Server 2003.

<196> Section 3.5.4.5.1: For all versions of Windows except Windows NT 3.1, decrypt by using the negotiated decryption algorithm and the session key.

For Windows NT 3.1, decrypt as follows.

 InitLMKey(KeyIn, KeyOut)
      KeyOut[0] = KeyIn[0] >> 0x01;
      KeyOut[1] = ((KeyIn[0]&0x01)<<6) | (KeyIn[1]>>2);
      KeyOut[2] = ((KeyIn[1]&0x03)<<5) | (KeyIn[2]>>3);
      KeyOut[3] = ((KeyIn[2]&0x07)<<4) | (KeyIn[3]>>4);
      KeyOut[4] = ((KeyIn[3]&0x0F)<<3) | (KeyIn[4]>>5);
      KeyOut[5] = ((KeyIn[4]&0x1F)<<2) | (KeyIn[5]>>6);
      KeyOut[6] = ((KeyIn[5]&0x3F)<<1) | (KeyIn[6]>>7);
      KeyOut[7] = KeyIn[6] & 0x7F;
      ((DWORD*)KeyOut)[0] <<= 1;
      ((DWORD*)KeyOut)[1] <<= 1;
      ((DWORD*)KeyOut)[0] &= 0xfefefefe;
      ((DWORD*)KeyOut)[1] &= 0xfefefefe;

 Assume bytes(s, e, l) returns bytes from s to e of the byte array l. Assume concat(a1, a2) returns a byte array containing the bytes of array a1 followed by the bytes of byte array a2.

 LMDESECB(Input, Sk, Output)
      SET k1 to bytes(0, 7, Sk)
      CALL InitLMKey(k1, k3)
      SET k2 to bytes(8, 15, Sk)
      CALL InitLMKey(k2, k4)
      SET i1 to bytes(0, 7, Input)
      SET i2 to bytes(8, 15, Input)
      CALL DES_ECB(i1, k3, &output1)
      CALL DES_ECB(i2, k4, &output2)
      SET Output to concat(output1, output2)

<197> Section 3.5.4.5.1: For all versions of Windows except Windows NT 3.1, decrypt by using the negotiated decryption algorithm and the session key.

For Windows NT 3.1, decrypt as described in the product behavior note earlier in the section.

<198> Section 3.5.4.5.1: For all versions of Windows except Windows NT 3.1, decrypt by using the negotiated decryption algorithm and the session key.

For Windows NT 3.1, decrypt as described in the product behavior note earlier in the section.

<199> Section 3.5.4.5.1: Except in Windows NT and Windows 2000, Windows supports verifying whether a correct combination of LogonLevel and ValidationLevel is supplied. The data is opaque to Netlogon and is passed unexamined to the package specified by the PackageName field of the NETLOGON_GENERIC_INFO structure. For more information, see section 3.2.4.1.

<200> Section 3.5.4.5.1: Windows NT and Windows 2000 do not verify whether a correct combination of LogonLevel and ValidationLevel is supplied.

<201> Section 3.5.4.5.2: NetrLogonSamLogonWithFlags is not supported in Windows NT and Windows 2000 prior to Windows 2000 Server SP4.

<202> Section 3.5.4.5.2: Windows uses the value of 0x01 as the representation of TRUE and 0x00 for FALSE.

<203> Section 3.5.4.5.2: Bits C and D are not supported in Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

<204> Section 3.5.4.5.3: NetrLogonSamLogon is only used in Windows NT 4.0. It is superseded by the NetrLogonSamLogonWithFlags method (section 3.5.4.5.2).

<205> Section 3.5.4.5.4: NetrLogonSamLogoff is not available in Windows NT 3.1.

<206> Section 3.5.4.5.4: Windows NT servers support logoff updates.

<207> Section 3.5.4.6.1: NetrDatabaseDeltas is not available in Windows NT 3.1.

<208> Section 3.5.4.6.1: The Windows server stops including elements in the returned DeltaArray after the size of the returned data equals or exceeds the value of the PreferredMaximumLength parameter.

<209> Section 3.5.4.6.1: Windows limits the number of records to approximately 1,000 records per call.

<210> Section 3.5.4.6.1: The server maintains and updates a state that indicates the client progress in the synchronization protocol, as described in section 3.6.

<211> Section 3.5.4.6.2: NetrDatabaseSync2 is not available in Windows NT 3.1, Windows NT Server 3.1, Windows NT 3.5, Windows 7, or Windows Server 2008 R2.

<212> Section 3.5.4.6.2: Windows stops including elements in the returned DeltaArray once the size of the returned data equals or exceeds the value of the PreferredMaximumLength parameter.

<213> Section 3.5.4.6.2: Windows limits the number of records to approximately 1,000 records per call.

<214> Section 3.5.4.6.3: The NetrDatabaseSync method was used in Windows NT prior to Windows NT 4.0. It is superseded by the NetrDatabaseSync2 method.

<215> Section 3.5.4.6.4: NetrDatabaseRedo is not available in Windows NT 3.1, Windows NT Server 3.1, Windows NT 3.5, Windows 7, or Windows Server 2008 R2.

<216> Section 3.5.4.7.1: DsrEnumerateDomainTrusts is not supported in Windows NT.

<217> Section 3.5.4.7.2: NetrEnumerateTrustedDomainsEx is not supported in Windows NT.

<218> Section 3.5.4.7.3: NetrEnumerateTrustedDomains is not available in Windows NT prior to Windows NT 4.0.

<219> Section 3.5.4.7.4: NetrGetForestTrustInformation is not supported in Windows NT and Windows 2000 Server prior to Windows 2000 Server SP4.

<220> Section 3.5.4.7.5: DsrGetForestTrustInformation is not supported in Windows NT and Windows 2000 prior to Windows 2000 Server SP4.

<221> Section 3.5.4.7.6: NetrServerGetTrustInfo is not supported in Windows NT and Windows 2000 prior to Windows 2000 Server SP4.

<222> Section 3.5.4.8.1: NetrLogonGetTrustRid is not supported in Windows NT.

<223> Section 3.5.4.8.1: Windows NT, Windows 2000, Windows XP, and Windows Server 2003 allow the call to succeed. Other versions of Windows return ERROR_ACCESS_DENIED if the caller is not local.

<224> Section 3.5.4.8.2: NetrLogonComputeServerDigest is not implemented in Windows NT.

<225> Section 3.5.4.8.2: When the previous password is not present, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 use an uninitialized value to compute the OldMessageDigest parameter.

<226> Section 3.5.4.8.3: NetrLogonComputeClientDigest is not implemented in Windows NT.

<227> Section 3.5.4.8.4: NetrLogonSendToSam is not supported in Windows NT.

<228> Section 3.5.4.8.5: NetrLogonSetServiceBits is not supported in Windows NT.

<229> Section 3.5.4.8.5: The C flag is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<230> Section 3.5.4.8.5: The C flag is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<231> Section 3.5.4.8.5: Windows NT, Windows 2000, Windows XP, and Windows Server 2003 allow the call to succeed. Other versions of Windows return ERROR_ACCESS_DENIED if the caller is not local.

<232> Section 3.5.4.8.6: NetrLogonGetTimeServiceParentDomain is not supported in Windows NT.

<233> Section 3.5.4.8.6: The Netlogon client ignores this value if ServerName is not a domain controller.

<234> Section 3.5.4.8.6: Windows NT, Windows 2000, Windows XP, and Windows Server 2003 allow the call to succeed.

<235> Section 3.5.4.9.1: NetrLogonControl2Ex is not available in Windows NT prior to Windows NT 4.0.

<236> Section 3.5.4.9.1: The following restrictions apply to the values of the FunctionCode parameter in different versions of Windows. The error ERROR_NOT_SUPPORTED is returned if one of these values is used.

The following values are not supported on Windows NT 4.0:

  • NETLOGON_CONTROL_CHANGE_PASSWORD (0x00000009)

  • NETLOGON_CONTROL_TC_VERIFY (0x0000000A)

  • NETLOGON_CONTROL_FORCE_DNS_REG (0x0000000B)

  • NETLOGON_CONTROL_QUERY_DNS_REG (0x0000000C)

  • NETLOGON_CONTROL_BACKUP_CHANGE_LOG (0x0000FFFC)

  • NETLOGON_CONTROL_TRUNCATE_LOG (0x0000FFFD)

  • NETLOGON_CONTROL_SET_DBFLAG (0x0000FFFE)

  • NETLOGON_CONTROL_BREAKPOINT (0x0000FFFF)

The following values are not supported on Windows 2000 Server:

  • NETLOGON_CONTROL_TC_VERIFY (0x0000000A)

  • NETLOGON_CONTROL_FORCE_DNS_REG (0x0000000B)

  • NETLOGON_CONTROL_QUERY_DNS_REG (0x0000000C)

The following values are not supported on Windows 7 and Windows Server 2008 R2:

  • NETLOGON_CONTROL_REPLICATE (0x00000002)

  • NETLOGON_CONTROL_SYNCHRONIZE (0x00000003)

  • NETLOGON_CONTROL_PDC_REPLICATE (0x00000004)

  • NETLOGON_CONTROL_BACKUP_CHANGE_LOG (0x0000FFFC)

No restrictions apply in Windows Server 2003, Windows Vista, and Windows Server 2008.

<237> Section 3.5.4.9.1: NETLOGON_CONTROL_REPLICATE is supported only on servers that are Windows NT 4.0 BDCs; a server that is not a Windows NT 4.0 BDC returns ERROR_NOT_SUPPORTED.

<238> Section 3.5.4.9.1: NETLOGON_CONTROL_SYNCHRONIZE is supported only on Windows NT 4.0 BDCs; a server that is not a Windows NT 4.0 BDC returns ERROR_NOT_SUPPORTED.

<239> Section 3.5.4.9.1: On a Windows NT, Windows 2000, or Windows XP DC, ERROR_NOT_SUPPORTED is returned. The server implementation decides how the DNS update status is recorded.

<240> Section 3.5.4.9.1: In Windows, the server copies to a backup file the contents of a file that contains a cache of database changes.

<241> Section 3.5.4.9.1: In Windows, the server truncates the contents of a debug file that contains debugging information about the Netlogon service operations.

<242> Section 3.5.4.9.1: In Windows, the server sets the level of verbosity of output into the debug file that contains debugging information about the Netlogon service operations. The level of verbosity to set is specified in the DebugFlag field of the Data parameter.

<243> Section 3.5.4.9.1: In Windows, if the NetrLogonControl2Ex method is called with the function code NETLOGON_CONTROL_BREAKPOINT and the operating system is not a checked build, the method returns ERROR_NOT_SUPPORTED.

<244> Section 3.5.4.9.1: In Windows, the server breaks into the debugger if a debugger is attached to a computer that supports debugging.

<245> Section 3.5.4.9.1: The NETLOGON_INFO_4 structure is not supported in Windows NT.

<246> Section 3.5.4.9.1: Windows NT 4.0 BDCs force an immediate partial synchronization of all databases.

<247> Section 3.5.4.9.1: Windows NT 4.0 BDCs force an immediate full synchronization of all databases.

<248> Section 3.5.4.9.1: Windows NT 4.0 PDCs immediately send announcement messages to request each BDC to replicate the database.

<249> Section 3.5.4.9.1: Windows NT and Windows 2000 DCs return ERROR_NOT_SUPPORTED.

<250> Section 3.5.4.9.1: Windows NT and Windows 2000 DCs return ERROR_NOT_SUPPORTED.

<251> Section 3.5.4.9.2: NetrLogonControl2 is not supported in Windows NT 3.1.

<252> Section 3.5.4.9.3: NetrLogonControl is not available in Windows NT 3.1.

<253> Section 3.5.4.9.3: The FunctionCode parameter is restricted to the following values. If any other value is used, the error code ERROR_NOT_SUPPORTED is returned.

Windows NT 4.0:

  • NETLOGON_CONTROL_QUERY (0x00000001)

  • NETLOGON_CONTROL_REPLICATE (0x00000002)

  • NETLOGON_CONTROL_SYNCHRONIZE (0x00000003)

  • NETLOGON_CONTROL_PDC_REPLICATE (0x00000004)

Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008:

  • NETLOGON_CONTROL_QUERY (0x00000001)

  • NETLOGON_CONTROL_REPLICATE (0x00000002)

  • NETLOGON_CONTROL_SYNCHRONIZE (0x00000003)

  • NETLOGON_CONTROL_PDC_REPLICATE (0x00000004)

  • NETLOGON_CONTROL_BACKUP_CHANGE_LOG (0x0000FFFC)

  • NETLOGON_CONTROL_TRUNCATE_LOG (0x0000FFFD)

  • NETLOGON_CONTROL_BREAKPOINT (0x0000FFFF)

Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016:

  • NETLOGON_CONTROL_QUERY (0x00000001)

  • NETLOGON_CONTROL_TRUNCATE_LOG (0x0000FFFD)

  • NETLOGON_CONTROL_BREAKPOINT (0x0000FFFF)

<254> Section 3.5.4.10.1: The Netlogon server implementation of the NetrLogonUasLogon method is present in all versions of Windows. The Netlogon client implementations in Windows ignore this method.

<255> Section 3.5.4.10.2: The Netlogon server implementation of the NetrLogonUasLogoff method is present in all versions of Windows. The Netlogon client implementations in all versions of Windows ignore this method.

<256> Section 3.5.4.10.3: The Netlogon server returns STATUS_NOT_IMPLEMENTED.

<257> Section 3.5.4.10.4: The Netlogon server returns STATUS_NOT_IMPLEMENTED.

<258> Section 3.5.6: The new SignSecureChannel value is loaded into the Windows registry from the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters registry path and SignSecureChannel key.

<259> Section 3.6: Netlogon replication requires the PDC to run Windows NT Server 4.0, Windows 2000 Server, or Windows Server 2003, while BDCs run Windows NT Server 4.0. Windows Server 2008 does not support replication to Windows NT 4.0 BDCs.

<260> Section 3.6.4.1: To indicate such a local condition, the PDC returns a value of 0xC0000134 as the return value of the NetrDatabaseDeltas call. For example, the PDC maintains a partial database state cached in memory that the PDC can use for processing partial synchronization requests. If the cached information is not available (for example, if the cache gets flushed), the PDC returns the error code 0xC0000134.

<261> Section 3.6.5.1: A separate timer is used on the PDC to time out announcements sent to the BDCs. A BDC is deemed to be processing the announcement request until it finishes the processing by completing a synchronization request as described in the following sections. During that time, no additional announcements are sent to the BDC. If a BDC does not respond with a synchronization request within the time-out period set by the timer, the announcement is deemed to have timed out.

<262> Section 3.6.6: In all of the message processing scenarios described in section 3.6.4, Netlogon performs a full database synchronization.
