3.5.4.4.11 NetrChainSetClientAttributes (Opnum 49)

When an RODC receives either the NetrServerAuthenticate3 method or the NetrLogonGetDomainInfo method with updates requested, it SHOULD<183> invoke the NetrChainSetClientAttributes method on a normal (writable) DC to update the client's computer account object in Active Directory on the RODC's behalf.

 NTSTATUS NetrChainSetClientAttributes(
   [in, string, ref] LOGONSRV_HANDLE PrimaryName,
   [in, string, ref] wchar_t* ChainedFromServerName,
   [in, string, ref] wchar_t* ChainedForClientName,
   [in, ref] PNETLOGON_AUTHENTICATOR Authenticator,
   [in, out, ref] PNETLOGON_AUTHENTICATOR ReturnAuthenticator,
   [in] DWORD dwInVersion,
   [in, ref] [switch_is(dwInVersion)] 
     NL_IN_CHAIN_SET_CLIENT_ATTRIBUTES* pmsgIn,
   [in, out, ref] DWORD* pdwOutVersion,
   [in, out, ref] [switch_is(*pdwOutVersion)] 
     NL_OUT_CHAIN_SET_CLIENT_ATTRIBUTES* pmsgOut
 );

PrimaryName: The custom binding handle, as defined in section 3.5.4.1.

ChainedFromServerName: The null-terminated Unicode string that contains the name of the read-only DC that issues the request.

ChainedForClientName: The null-terminated Unicode string that contains the name of the client computer that called NetrServerAuthenticate3 or NetrLogonGetDomainInfo on the RODC.

Authenticator: A pointer to a NETLOGON_AUTHENTICATOR structure that contains the client authenticator.

ReturnAuthenticator: A pointer to a NETLOGON_AUTHENTICATOR structure that contains the server return authenticator.

dwInVersion: The version of the NL_IN_CHAIN_SET_CLIENT_ATTRIBUTES union passed in pmsgIn; it selects which union member pmsgIn carries. The value MUST be 1.

pmsgIn: A pointer to an NL_IN_CHAIN_SET_CLIENT_ATTRIBUTES_V1 structure that contains the values to update on the client's computer account object in Active Directory on the normal (writable) DC.

pdwOutVersion: A pointer to the version of the NL_OUT_CHAIN_SET_CLIENT_ATTRIBUTES union passed in pmsgOut; it selects which union member pmsgOut carries. The value MUST be 1.

pmsgOut: A pointer to an NL_OUT_CHAIN_SET_CLIENT_ATTRIBUTES_V1 structure that contains information on the client workstation and the writable domain controller. For how it is populated by the server, see below.

Return Values: The method returns 0x00000000 on success.

On receiving this call, the normal (writable) DC MUST perform the following validation steps.

  • Verify that the server is a normal (writable) DC machine; otherwise, the server MUST return STATUS_NOT_SUPPORTED.

  • Verify that the dwInVersion parameter is set to 1. All other values are invalid and STATUS_NOT_SUPPORTED MUST be returned.

  • Verify that the pdwOutVersion parameter is set to 1. All other values are invalid and STATUS_NOT_SUPPORTED MUST be returned.

  • Verify the Authenticator passed in and compute the ReturnAuthenticator, as specified in section 3.1.4.5. If the Authenticator verification fails, the server MUST return STATUS_ACCESS_DENIED.

    STATUS_ACCESS_DENIED is also returned if the RODC identified by ChainedFromServerName does not have permission to replicate the secrets of the client's computer account identified by ChainedForClientName.

The return structure MUST be generated as follows:

  • NL_OUT_CHAIN_SET_CLIENT_ATTRIBUTES.HubName MUST be set to the NetBIOS name of the writable domain controller.

  • If NL_OUT_CHAIN_SET_CLIENT_ATTRIBUTES.OldDnsHostName is not NULL, it MUST be set to the client's DNS host name, if any. If there was a change in domain naming, this value holds the previous DNS host name.

  • If NL_OUT_CHAIN_SET_CLIENT_ATTRIBUTES.SupportedEncTypes is not NULL, it MUST be set to the supported encryption algorithms.
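The validation sequence above, together with the authenticator exchange it relies on, as an added example that is not part of MS-NRPC or of any Microsoft implementation. It is written in Go and assumes the AES flavour of ComputeNetlogonCredential (AES-128 in CFB8 mode with a zero IV, section 3.1.4.4.1) and the credential-chaining rules of section 3.1.4.5, neither of which is reproduced on this page. The hub DC name HUBDC, the RODC name RODC1, the client account WS01$, the session key, the initial credential and the RevealAllowed allow-list are constructed sample values; RevealAllowed stands in for the directory's own check of whether the RODC may replicate the client's secrets.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// NTSTATUS codes this method returns.
const StatusSuccess, StatusAccessDenied, StatusNotSupported uint32 = 0x00000000, 0xC0000022, 0xC00000BB

// Authenticator mirrors NETLOGON_AUTHENTICATOR; Channel is one side's secure-channel state.
type Authenticator struct{ Credential [8]byte; Timestamp uint32 }
type Channel struct{ SessionKey [16]byte; StoredCredential [8]byte }

// aesCredential is ComputeNetlogonCredential for AES secure channels (assumed from 3.1.4.4.1):
// AES-128 in CFB8 mode with a zero IV over the 8-byte input, keyed by the session key.
func aesCredential(in [8]byte, sessionKey [16]byte) [8]byte {
	block, _ := aes.NewCipher(sessionKey[:]) // a 16-byte key cannot fail
	out, reg, ks := [8]byte{}, [16]byte{}, [16]byte{} // reg is the CFB8 feedback register (zero IV)
	for i, p := range in {
		block.Encrypt(ks[:], reg[:])
		out[i] = p ^ ks[0]
		copy(reg[:], reg[1:])
		reg[15] = out[i]
	}
	return out
}

// addCred adds n to the little-endian uint32 in the first four credential bytes (3.1.4.5).
func addCred(c [8]byte, n uint32) [8]byte {
	binary.LittleEndian.PutUint32(c[:4], binary.LittleEndian.Uint32(c[:4])+n)
	return c
}

// ClientAuthenticator is the RODC side of 3.1.4.5: add the timestamp, then encrypt.
func (c *Channel) ClientAuthenticator(ts uint32) Authenticator {
	c.StoredCredential = addCred(c.StoredCredential, ts)
	return Authenticator{aesCredential(c.StoredCredential, c.SessionKey), ts}
}

// ServerVerify is the hub side: check the authenticator, advance by one more, build the return (Timestamp 0).
func (c *Channel) ServerVerify(a Authenticator) (Authenticator, bool) {
	next := addCred(c.StoredCredential, a.Timestamp)
	if aesCredential(next, c.SessionKey) != a.Credential {
		return Authenticator{}, false
	}
	c.StoredCredential = addCred(next, 1)
	return Authenticator{Credential: aesCredential(c.StoredCredential, c.SessionKey)}, true
}

// Response is the part of NL_OUT_CHAIN_SET_CLIENT_ATTRIBUTES_V1 populated here.
type Response struct{ ReturnAuthenticator Authenticator; HubName, OldDnsHostName string; SupportedEncTypes uint32 }

// WritableDC is the hub DC's state. RevealAllowed is an assumption standing in for the directory's check.
type WritableDC struct {
	NetBIOSName   string
	IsWritable    bool
	Channels      map[string]*Channel        // secure channels keyed by RODC name
	RevealAllowed map[string]map[string]bool // RODC name -> client accounts whose secrets it may replicate
	Accounts      map[string]Response        // per-account OldDnsHostName and SupportedEncTypes
}

// NetrChainSetClientAttributes applies the validation steps in order, then fills the return structure.
func (dc *WritableDC) NetrChainSetClientAttributes(from, client string, a Authenticator, inVer, outVer uint32) (Response, uint32) {
	if !dc.IsWritable || inVer != 1 || outVer != 1 { // steps 1 to 3
		return Response{}, StatusNotSupported
	}
	ch, ok := dc.Channels[from]
	if !ok { // no secure channel with this RODC, so no authenticator can verify
		return Response{}, StatusAccessDenied
	}
	ret, ok := ch.ServerVerify(a) // step 4
	if !ok {
		return Response{}, StatusAccessDenied
	}
	if !dc.RevealAllowed[from][client] { // the RODC may not replicate this client's secrets
		return Response{ReturnAuthenticator: ret}, StatusAccessDenied
	}
	resp := dc.Accounts[client]
	resp.ReturnAuthenticator, resp.HubName = ret, dc.NetBIOSName
	return resp, StatusSuccess
}

// NewSample builds a constructed hub DC with one secure channel to RODC1 and returns the matching
// RODC-side channel; the key and credential are fixed test values, not real secrets.
func NewSample() (*WritableDC, *Channel) {
	sk := [16]byte{0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f}
	cred := [8]byte{1, 2, 3, 4, 5, 6, 7, 8}
	dc := &WritableDC{NetBIOSName: "HUBDC", IsWritable: true,
		Channels:      map[string]*Channel{"RODC1": {sk, cred}},
		RevealAllowed: map[string]map[string]bool{"RODC1": {"WS01$": true}},
		Accounts:      map[string]Response{"WS01$": {OldDnsHostName: "ws01.corp.example", SupportedEncTypes: 0x18}}}
	return dc, &Channel{sk, cred}
}

func main() {
	dc, rodc := NewSample()
	resp, status := dc.NetrChainSetClientAttributes("RODC1", "WS01$", rodc.ClientAuthenticator(0x5f000000), 1, 1)
	rodc.StoredCredential = addCred(rodc.StoredCredential, 1) // the RODC's own step before checking the return
	fmt.Printf("status=0x%08X hub=%s returnOK=%v\n", status, resp.HubName, aesCredential(rodc.StoredCredential, rodc.SessionKey) == resp.ReturnAuthenticator.Credential)
}
```

Two points the code makes visible that the list does not. Verification advances the hub's stored credential before the permission check runs, so a request that fails the permission check still consumes the authenticator, and replaying any authenticator is rejected. The example also treats the absence of a secure channel with the named RODC as a failed step 4 (STATUS_ACCESS_DENIED); that is the natural outcome of the authenticator check, not a rule the page states.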
