2.2.1.5.1 NETLOGON_DB_CHANGE (Announcement) Message

The NETLOGON_DB_CHANGE message is used to indicate that one or more changes have taken place in the account database, and carries an indication of the changes from the PDC to the backup domain controller (BDC). Because it is sent in the open, this is a hint, and the BDC MUST connect to the PDC over a reliable transport and secure connection to obtain the actual change. The following is the format of the payload of a mailslot message that is used in Netlogon replication, as specified in section 3.6.

The DBChangeInfo field represents information about the state of one of the databases (the security account manager (SAM) built-in database, the SAM database, or the Local Security Authority (LSA) database). The number of DBChangeInfo fields is specified by the DBCount field. The format of the DBChangeInfo field is defined in the following table.

The fields are in little-endian format and have the following meanings.


Packet diagram (fields in order of appearance): MessageType, LowSerialNumber, DateAndTime, Pulse, Random, PrimaryDCName (variable), DomainName (variable), UnicodePrimaryDCName (variable), UnicodeDomainName (variable), DBCount, DBChangeInfo (variable), DomainSidSize, DomainSid (variable), MessageFormatVersion, MessageToken.

MessageType (2 bytes): A two-byte field that identifies the message. MUST be set to 0x000A.

LowSerialNumber (4 bytes): The low DWORD ([MS-DTYP] section 2.2.9) part of the 64-bit database serial number of the SAM database.

DateAndTime (4 bytes): An unsigned 32-bit value that represents the time stamp for the SAM database creation time. This MUST be expressed as the number of seconds elapsed since midnight of January 1, 1970.

Pulse (4 bytes): An unsigned 32-bit value that specifies the message interval in seconds between change announcements sent to the BDCs.

Random (4 bytes): An unsigned 32-bit value that indicates the number of seconds the recipient of the message waits before contacting the sender.

PrimaryDCName (variable): The null-terminated name of the PDC that sends the message. MUST be encoded in the original equipment manufacturer (OEM) character set.

DomainName (variable): The null-terminated domain name that is encoded in the OEM character set. The domain name is padded to a multiple of 2 bytes for alignment reasons.

UnicodePrimaryDCName (variable): The null-terminated name of the PDC that sends the message. MUST be encoded in the Unicode character set.

UnicodeDomainName (variable): The null-terminated domain name. MUST be encoded in the Unicode character set.

DBCount (4 bytes): An unsigned 32-bit value that represents the number of DBChangeInfo fields in the message.

DBChangeInfo (variable): A set of DBChangeInfo messages, as specified below, that indicates the changes that are pending replication. There are DBCount entries in this set.


DBChangeInfo packet diagram (fields in order of appearance): DBIndex, LargeSerialNumber, DateAndTime.

DBIndex (4 bytes): A 32-bit value that identifies the database as follows.

Value        Meaning
0x00000000   Indicates the SAM database.
0x00000001   Indicates the SAM built-in database.
0x00000002   Indicates the LSA database.

LargeSerialNumber (8 bytes): A 64-bit value that contains the database serial number for the database identified by the DBIndex field.

DateAndTime (8 bytes): The time in UTC of the database creation expressed as an 8-byte value in the time format in a FILETIME structure, as specified in [MS-DTYP] section 2.3.3.

In what follows, the preceding message is referred to as the announcement message.

DomainSidSize (4 bytes): An unsigned 32-bit value that specifies the size in bytes of the DomainSid field.

DomainSid (variable): The domain SID, as specified in [MS-DTYP] section 2.4.2.3.

MessageFormatVersion (4 bytes): An unsigned 32-bit value that contains the version of the message format. MUST be set to 0x00000001.

MessageToken (4 bytes): An unsigned 32-bit field that identifies the message. MUST be set to 0xFFFFFFFF.
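
Because the announcement is sent in the open, every length and count in it is untrusted input. The following bounds-checked parser for the payload described above is an added example, not part of the specification or of any Microsoft code. It assumes the OEM character set is code page 437 and reads the DomainName padding as aligning the next field to an even offset from the start of the payload; parse_db_change, ParseError and the sample names are hypothetical.

```python
import struct

class ParseError(ValueError): pass

def _take(buf, off, n):
    if off + n > len(buf):
        raise ParseError(f"truncated at offset {off}")
    return buf[off:off + n], off + n

def _cstr(buf, off, width, codec):   # null-terminated, 1- or 2-byte code units
    end = off
    while any(_take(buf, end, width)[0]):
        end += width
    return buf[off:end].decode(codec, "replace"), end + width

def parse_db_change(buf):
    hdr, off = _take(buf, 0, 18)
    mtype, low_serial, created, pulse, rand = struct.unpack("<HIIII", hdr)
    if mtype != 0x000A:
        raise ParseError("MessageType is not 0x000A")
    pdc, off = _cstr(buf, off, 1, "cp437")       # assumption: OEM code page 437
    dom, off = _cstr(buf, off, 1, "cp437")
    off += off % 2                               # assumption: pad to an even payload offset
    updc, off = _cstr(buf, off, 2, "utf-16-le")
    udom, off = _cstr(buf, off, 2, "utf-16-le")
    raw, off = _take(buf, off, 4)
    count = struct.unpack("<I", raw)[0]
    if count * 20 > len(buf) - off:              # bound the untrusted DBCount before looping
        raise ParseError("DBCount exceeds remaining payload")
    dbs = []
    for _ in range(count):                       # DBIndex, LargeSerialNumber, DateAndTime
        raw, off = _take(buf, off, 20)
        dbs.append(struct.unpack("<IQQ", raw))
    raw, off = _take(buf, off, 4)
    sid, off = _take(buf, off, struct.unpack("<I", raw)[0])   # DomainSidSize checked by _take
    raw, off = _take(buf, off, 8)
    if struct.unpack("<II", raw) != (1, 0xFFFFFFFF):
        raise ParseError("bad MessageFormatVersion or MessageToken")
    return {"pdc": pdc, "domain": dom, "unicode_pdc": updc, "unicode_domain": udom,
            "low_serial": low_serial, "created": created, "pulse": pulse,
            "random": rand, "databases": dbs, "domain_sid": sid}

# Constructed sample (hypothetical names PDC1 / EXAMPLE, SID S-1-5-21-1-2-3), not a capture.
SID = bytes([1, 4, 0, 0, 0, 0, 0, 5]) + struct.pack("<IIII", 21, 1, 2, 3)
FILETIME = (1_000_000_000 + 11_644_473_600) * 10**7   # same instant as the 32-bit DateAndTime
SAMPLE = (struct.pack("<HIIII", 0x000A, 42, 1_000_000_000, 300, 5)
          + b"PDC1\x00EXAMPLE\x00" + b"\x00"     # OEM names, then one pad byte
          + "PDC1\x00EXAMPLE\x00".encode("utf-16-le")
          + struct.pack("<IIQQI", 1, 0, 42, FILETIME, len(SID)) + SID + struct.pack("<II", 1, 0xFFFFFFFF))
```

Even a payload that parses cleanly remains only a hint: the BDC still has to obtain the actual change from the PDC over the secure connection.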