220.127.116.11.4 Calling NetrLogonSendToSam
The client calling this method MUST be a BDC or RODC. The client MUST do the following:
Encrypt the OpaqueBuffer parameter using the negotiated encryption algorithm (determined by bits C, O, or W, respectively, in the NegotiateFlags member of the ServerSessionInfo table entry for PrimaryName) and the session key established as the encryption key.
Pass a valid client Netlogon authenticator as the Authenticator parameter.
For details about how the OpaqueBuffer parameter is used, see [MS-SAMS].