3.4.3 Initialization

If the client is running on a member workstation, the client MUST initialize the LocatedDCsCache with one entry, as follows:

  • The client MUST attempt to locate a domain controller (DC) from the client's domain by performing the steps described in section for the domain specified by the domain-name ADM element. If a DC is successfully located, the LocatedDCsCache is populated based on the resulting DomainControllerInfo structure.

  • If the client fails to locate a DC, the client ignores errors and MUST continue initialization.

If the client is running on a DC, the client MUST initialize the LocatedDCsCache for each domain trusted by the client DC, as follows:

  • The client MUST get a trusted domain list by performing the external behavior consistent with locally invoking LsarEnumerateTrustedDomains ([MS-LSAD] section

    • The EnumerationContext parameter MUST be set to 0.

    • The PreferredMaximumLength SHOULD<89> be set to 4096.

    • A policy handle is not needed locally.

  • The client MUST attempt to locate a DC (section for each of the domain entries of the returned trusted domain list.

    • If the client fails when attempting to locate a DC for a domain entry in the trusted domain list, the client MUST ignore errors and continue to attempt to locate DCs for the remaining domain entries in the trusted domain list.

    • For each successfully located DC, the client must add an entry to the ServerSessionInfo table with the new entry's PrimaryName set to DOMAIN_CONTROLLER_INFOW.DomainControllerName and the new entry's DomainName set to DOMAIN_CONTROLLER_INFOW.DomainName.

  • For each located DC, the client MUST attempt to establish a session key with the located DC (section

ServerSessionInfo MUST be empty.

ClientCapabilities SHOULD be initialized in an implementation-specific way to reflect the capabilities offered by that client implementation. The client SHOULD set the value according to the bit field, defined as shown in Netlogon Negotiable Options (section Bits C, G, I, J, K, L, O, P, R, S, T, V, W, and Y SHOULD<90> be set to 1 when a corresponding capability is supported by a given implementation. Bit U SHOULD be set if the client is determined to be running on a domain controller (section Other bits are not used and MAY be set to zero, but will be ignored upon receipt.

RejectMD5Servers MUST be initialized to FALSE.

RequireSignOrSeal SHOULD<91> be initialized to TRUE.

RequireStrongKey SHOULD<92> be initialized to TRUE.

domain-name is a shared Abstract Data Model element with DomainName.NetBIOS in ([MS-WKST] section

TrustPasswordVersion MUST be initialized to 0.