3.5.3 Initialization

The server side registers an endpoint with RPC over named pipes transport, using the NETLOGON named pipe<132> and an endpoint with RPC over TCP/IP. When DCRPCPort is present and is not NULL, and the server is a domain controller, then the DC MUST also register the port listed in DCRPCPort ([MS-RPCE] section 3.3.3.3.1.4). The server side MUST register the Netlogon security support provider (SSP) authentication_type constant [0x44] as the security provider ([MS-RPCE] section 3.3.3.3.1.3) used by the RPC interface.

NetlogonSecurityDescriptor: Initialized to the following value, expressed in Security Descriptor Description Language (SDDL) ([MS-DTYP] section 2.5.1): D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU) S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
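As an added example (not part of the specification), the following Python decodes the NetlogonSecurityDescriptor SDDL string above into its individual ACEs so the access mask each principal receives can be inspected. It handles only the ACE types, two-letter rights codes and SID abbreviations that occur in this descriptor (plus literal hex masks), and effective_mask matches a SID literally rather than expanding group membership.

```python
import re
from collections import namedtuple

# NetlogonSecurityDescriptor value from section 3.5.3.
NETLOGON_SD = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU) "
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Two-letter rights codes and their access-mask bits ([MS-DTYP] section 2.5.1.2).
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
          "WD": 0x40000, "WO": 0x80000}
# SID abbreviations used in this descriptor ([MS-DTYP] section 2.5.1.1).
SIDS = {"SY": "S-1-5-18", "BA": "S-1-5-32-544", "IU": "S-1-5-4",
        "SU": "S-1-5-6", "WD": "S-1-1-0"}
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT"}

# kind: decoded ACE type; flags: raw ACE flags ("FA" = audit failed access);
# mask: access mask built from the rights field; sid: trustee in S-1-... form.
Ace = namedtuple("Ace", "kind flags mask sid")

def parse_sddl(sddl):
    """Split a descriptor into its D: (DACL) and S: (SACL) ACE lists."""
    acls = {}
    for part, body in re.findall(r"([DS]):((?:\([^)]*\))*)", sddl):
        aces = []
        for text in re.findall(r"\(([^)]*)\)", body):
            kind, flags, rights, _obj_guid, _inherit_guid, sid = text.split(";")
            if rights.startswith("0x"):
                mask = int(rights, 16)  # literal hex access-mask form
            else:
                mask = 0
                for i in range(0, len(rights), 2):
                    mask |= RIGHTS[rights[i:i + 2]]
            aces.append(Ace(ACE_TYPES[kind], flags, mask, SIDS.get(sid, sid)))
        acls[part] = aces
    return acls

def effective_mask(acls, sid):
    """Bits the DACL grants to exactly `sid`; an earlier deny ACE overrides later allows.
    Simplification: no group expansion, only a literal SID match counts."""
    allowed = denied = 0
    for ace in acls.get("D", []):
        if ace.sid != sid:
            continue
        if ace.kind == "ACCESS_DENIED":
            denied |= ace.mask
        elif ace.kind == "ACCESS_ALLOWED":
            allowed |= ace.mask & ~denied
    return allowed
```

Running it shows that Builtin Administrators hold every listed right, Local System everything except DC, SD, WD and WO, and Interactive and Service users only CC, LC, SW, LO, CR and RC, while the SACL records failed access attempts by Everyone.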

ChallengeTable MUST be empty.

ClientSessionInfo MUST be empty.

RefusePasswordChange SHOULD be FALSE.

The ServerCapabilities field is initialized to reflect the capabilities offered by that server implementation.

RejectMD5Clients SHOULD<133> be initialized in an implementation-specific way and set to TRUE.

SealSecureChannel MUST be TRUE.

SignSecureChannel SHOULD<134> be initialized in an implementation-specific way and set to TRUE. Any changes made to the SignSecureChannel registry keys are reflected in the ADM elements when a PolicyChange event is received (section 3.1.6). This setting is deprecated, as SealSecureChannel MUST be TRUE.

StrongKeySupport SHOULD<135> be TRUE.

NetbiosDomainName is a shared ADM element with DomainName.NetBIOS ([MS-WKST] section 3.2.1.6).

DomainGuid: Prior to the initialization of the Netlogon Remote Protocol, DomainGuid has already been initialized, as specified in [MS-WKST] section 3.2.1.6, since Netlogon Remote Protocol is running on a system already joined to a domain.

DomainSid: Prior to the initialization of the Netlogon Remote Protocol, DomainSid has already been initialized, as specified in [MS-WKST] section 3.2.1.6, since Netlogon Remote Protocol is running on a system already joined to a domain.

AllowSingleLabelDNSDomain SHOULD<136> be set to a locally configured value.

AllowDnsSuffixSearch SHOULD<137> be set to TRUE.

SiteName SHOULD<138> be initialized from msDS-SiteName ([MS-ADTS] section 3.1.1.4.5.29) of the computer object if the server is a DC. If the server is not a DC, this ADM element is set to a locally configured value.

NextClosestSiteName: Initialized as follows: If the server is a DC, the server invokes IDL_DRSQuerySitesByCost ([MS-DRSR] section 4.1.16), setting NextClosestSiteName to the site that is closest to SiteName but not equal to SiteName. If the server is not a DC, this ADM element is initialized to NULL.

DynamicSiteNameSetTime MUST be set to a value such that DynamicSiteNameSetTime plus DynamicSiteNameTimeout is less than the current time.

FailedDiscoveryCachePeriod SHOULD<139> be set to a locally configured value.

CacheEntryValidityPeriod SHOULD<140> be set to a locally configured value.

CacheEntryPingValidityPeriod SHOULD<141> be set to a locally configured value.

If the NRPC server is a DC, then the following abstract data model variables are initialized:

  • DCRPCPort SHOULD<142> be initialized in an implementation-specific way and MUST default to NULL.

  • DnsForestName is initialized from the FQDN of rootDomainNamingContext ([MS-ADTS] section 3.1.1.3.2.16).

  • The objects in TrustedDomainObjectsCollection are initialized as specified in [MS-LSAD] section 3.1.1.5.

  • The NT4Emulator field is set to FALSE.

  • RejectDES SHOULD<143> be initialized in an implementation-specific way and SHOULD<144> default to TRUE.

  • ServerServiceBits is initialized to zero.

  • SiteCoverage is initialized in an implementation-specific way and MUST default to NULL. Implementations SHOULD<145> persistently store and retrieve the SiteCoverage variable.