184.108.40.206.10 Calling NetrLogonGetCapabilities
The client MUST do the following:<122>
Have a secure channel established with a domain controller in the domain identified by domain-name, and pass its name as the ServerName parameter.
Pass a valid client Netlogon authenticator as the Authenticator parameter.
After the method returns, the client MUST verify the ReturnAuthenticator (section 220.127.116.11) and compare the received Capabilities with the negotiated flags of the current secure channel. If the negotiated flags do not match, then the client SHOULD re-establish the secure channel with the DC.<123>
On receiving STATUS_ACCESS_DENIED, the client SHOULD re-establish the secure channel with the DC. <125>