3.5.3 Initialization

The server side registers an endpoint with RPC over named pipes transport, using the NETLOGON named pipe<129> and an endpoint with RPC over TCP/IP. When DCRPCPort is present and is not NULL, and the server is a domain controller, then the DC MUST also register the port listed in DCRPCPort ([MS-RPCE] section 3.3.3.3.1.4). The server side MUST register the Netlogon security support provider (SSP) authentication_type constant [0x44] as the security provider ([MS-RPCE] section 3.3.3.3.1.3) used by the RPC interface.

NetlogonSecurityDescriptor: Initialized to the following value, expressed in Security Descriptor Description Language (SDDL) ([MS-DTYP] section 2.5.1): D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU) S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
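The descriptor above is compact SDDL, so it is easy to misread which principal gets which right. The following Python parser is an added illustration and is not part of [MS-NRPC] or any Windows implementation: it splits the string into its DACL and SACL, expands each ACE's two-letter right codes into an access mask using the code table from [MS-DTYP] section 2.5.1.1, and reports the rights granted to each well-known SID (SY, BA, IU, SU, WD). The function names (`parse_sddl`, `allowed_mask`, `rights_names`) are this example's own; `allowed_mask` is a review aid that merely ORs the allow ACEs for a SID and is not the access-check algorithm the protocol applies.

```python
"""Parse the NetlogonSecurityDescriptor SDDL string from [MS-NRPC] 3.5.3.

Added example (not part of the specification): split the descriptor into
DACL/SACL, expand each ACE's right codes, and report per-principal rights.
"""
import re

# The descriptor exactly as given in section 3.5.3.
NETLOGON_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)"
    "(A;;CCLCSWLOCRRC;;;SU) "
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

# SDDL right codes ([MS-DTYP] 2.5.1.1) and the access-mask bits they stand for.
RIGHT_CODES = {
    "CC": 0x00000001, "DC": 0x00000002, "LC": 0x00000004, "SW": 0x00000008,
    "RP": 0x00000010, "WP": 0x00000020, "DT": 0x00000040, "LO": 0x00000080,
    "CR": 0x00000100, "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000,
    "WO": 0x00080000, "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000,
    "GR": 0x80000000,
}
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT"}
# In the flags field "SA"/"FA" are audit flags, not the FILE_ALL_ACCESS right.
ACE_FLAGS = {"SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS",
             "CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT",
             "NP": "NO_PROPAGATE_INHERIT", "IO": "INHERIT_ONLY", "ID": "INHERITED"}
# Well-known SID aliases that appear in this descriptor.
SID_ALIASES = {"SY": "S-1-5-18", "BA": "S-1-5-32-544", "IU": "S-1-5-4",
               "SU": "S-1-5-6", "WD": "S-1-1-0"}


def _pairs(field):
    """Split a run of two-letter SDDL codes; an odd length is malformed."""
    if len(field) % 2:
        raise ValueError(f"odd-length SDDL code string: {field!r}")
    return [field[i:i + 2] for i in range(0, len(field), 2)]


def rights_mask(field):
    """Expand a rights field (two-letter codes or a 0x hex literal) to a mask."""
    if field[:2].lower() == "0x":
        return int(field, 16)
    mask = 0
    for code in _pairs(field):
        mask |= RIGHT_CODES[code]
    return mask


def rights_names(mask):
    """Inverse of rights_mask for the codes in RIGHT_CODES, sorted for display."""
    return sorted(code for code, bit in RIGHT_CODES.items() if mask & bit)


def parse_ace(text):
    """Parse 'type;flags;rights;object_guid;inherit_object_guid;sid'."""
    fields = text.split(";")
    if len(fields) != 6:
        raise ValueError(f"ACE must have 6 fields: {text!r}")
    ace_type, flags, rights, obj_guid, inh_guid, sid = fields
    return {
        "type": ACE_TYPES[ace_type],
        "flags": [ACE_FLAGS[f] for f in _pairs(flags)],
        "mask": rights_mask(rights),
        "object_guid": obj_guid or None,
        "inherit_object_guid": inh_guid or None,
        "sid": SID_ALIASES.get(sid, sid),
    }


def _split_sections(sddl):
    """Cut the string at O:/G:/D:/S: markers, recognised only outside ACEs."""
    sections, key, buf, depth, i = {}, None, [], 0, 0
    while i < len(sddl):
        ch = sddl[i]
        if depth == 0 and ch in "OGDS" and sddl[i + 1:i + 2] == ":":
            if key is not None:
                sections[key] = "".join(buf).strip()
            key, buf, i = ch, [], i + 2
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if key is not None:
            buf.append(ch)
        i += 1
    if key is not None:
        sections[key] = "".join(buf).strip()
    return sections


def parse_sddl(sddl):
    """Return owner, group and the ACE lists (with any ACL flags) of an SDDL string."""
    sections = _split_sections(sddl)
    owner, group = sections.get("O"), sections.get("G")
    result = {"owner": SID_ALIASES.get(owner, owner),
              "group": SID_ALIASES.get(group, group),
              "dacl_flags": "", "dacl": [], "sacl_flags": "", "sacl": []}
    for key, name in (("D", "dacl"), ("S", "sacl")):
        body = sections.get(key)
        if body is None:
            continue
        first = body.find("(")
        result[name + "_flags"] = body if first < 0 else body[:first]
        result[name] = [parse_ace(m) for m in re.findall(r"\(([^()]*)\)", body)]
    return result


def allowed_mask(desc, sid):
    """OR of the ACCESS_ALLOWED ACEs for one SID (review aid, not an access check)."""
    mask = 0
    for ace in desc["dacl"]:
        if ace["type"] == "ACCESS_ALLOWED" and ace["sid"] == sid:
            mask |= ace["mask"]
    return mask


if __name__ == "__main__":
    desc = parse_sddl(NETLOGON_SDDL)
    for ace in desc["dacl"]:
        print(ace["type"], ace["sid"], "".join(rights_names(ace["mask"])))
    for ace in desc["sacl"]:
        print(ace["type"], ace["flags"], ace["sid"], hex(ace["mask"]))
```

Running it shows the asymmetry a reviewer should expect: only Builtin Administrators (S-1-5-32-544) hold SD, WD and WO (delete, write DAC, write owner), Local System lacks those three, and Interactive and Service logon users get only the list/read-control style subset; the single SACL entry audits failed access by Everyone.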

ChallengeTable MUST be empty.

ClientSessionInfo MUST be empty.

RefusePasswordChange SHOULD be FALSE.

The ServerCapabilities field SHOULD be initialized to reflect the capabilities offered by that server implementation.

RejectMD5Clients SHOULD<130> be initialized in an implementation-specific way and SHOULD be FALSE.

SealSecureChannel SHOULD be TRUE.

SignSecureChannel SHOULD<131> be initialized in an implementation-specific way and SHOULD be TRUE. Any changes made to the SignSecureChannel registry keys are reflected in the ADM elements when a PolicyChange event is received (section 3.1.6).

StrongKeySupport SHOULD<132> be TRUE.

NetbiosDomainName is a shared ADM element with DomainName.NetBIOS ([MS-WKST] section 3.2.1.6).

DomainGuid: Prior to the initialization of the Netlogon Remote Protocol, DomainGuid has already been initialized, as described in [MS-WKST] section 3.2.1.6, since Netlogon Remote Protocol is running on a system already joined to a domain.

DomainSid: Prior to the initialization of the Netlogon Remote Protocol, DomainSid has already been initialized, as described in [MS-WKST] section 3.2.1.6, since Netlogon Remote Protocol is running on a system already joined to a domain.

AllowSingleLabelDNSDomain SHOULD<133> be set to a locally configured value.

AllowDnsSuffixSearch SHOULD<134> be set to TRUE.

SiteName SHOULD<135> be initialized from msDS-SiteName ([MS-ADTS] section 3.1.1.4.5.29) of the computer object if the server is a DC. If the server is not a DC, this ADM element is set to a locally configured value.

NextClosestSiteName SHOULD be initialized as follows: if the server is a DC, the server SHOULD invoke IDL_DRSQuerySitesByCost ([MS-DRSR] section 4.1.16), setting NextClosestSiteName to the site that is closest to SiteName but not equal to SiteName. If the server is not a DC, this ADM element SHOULD be initialized to NULL.

DynamicSiteNameSetTime MUST be set to a value such that DynamicSiteNameSetTime plus DynamicSiteNameTimeout is less than the current time.

FailedDiscoveryCachePeriod SHOULD<136> be set to a locally configured value.

CacheEntryValidityPeriod SHOULD<137> be set to a locally configured value.

CacheEntryPingValidityPeriod SHOULD<138> be set to a locally configured value.

If the NRPC server is a DC, then the following abstract data model variables are initialized:

  • DCRPCPort SHOULD<139> be initialized in an implementation-specific way and MUST default to NULL.

  • DnsForestName: SHOULD be initialized from the FQDN (1) of rootDomainNamingContext ([MS-ADTS] section 3.1.1.3.2.16).

  • The objects in TrustedDomainObjectsCollection are initialized as described in [MS-LSAD] section 3.1.1.5.

  • The NT4Emulator field SHOULD be FALSE.

  • RejectDES SHOULD<140> be initialized in an implementation-specific way and SHOULD<141> default to TRUE.

  • ServerServiceBits SHOULD be initialized to zero.

  • SiteCoverage SHOULD be initialized in an implementation-specific way and MUST default to NULL. Implementations SHOULD<142> persistently store and retrieve the SiteCoverage variable.
