7 Appendix B: Product Behavior

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include updates to those products.

The terms "earlier" and "later", when used with a product version, refer to either all preceding versions or all subsequent versions, respectively. The term "through" refers to the inclusive range of versions. Applicable Microsoft products are listed chronologically in this section.

Windows Client

  • Windows NT operating system

  • Windows 2000 Professional operating system

  • Windows XP operating system

  • Windows Vista operating system

  • Windows 7 operating system

  • Windows 8 operating system

  • Windows 8.1 operating system

  • Windows 10 operating system

  • Windows 11 operating system

Windows Server

  • Windows NT Server operating system

  • Windows 2000 Server operating system

  • Windows Server 2003 operating system

  • Windows Server 2008 operating system

  • Windows Server 2008 R2 operating system

  • Windows Server 2012 operating system

  • Windows Server 2012 R2 operating system

  • Windows Server 2016 operating system

  • Windows Server operating system

  • Windows Server 2019 operating system

  • Windows Server 2022 operating system

  • Windows Server 2025 operating system 

Exceptions, if any, are noted in this section. If an update version, service pack or Knowledge Base (KB) number appears with a product name, the behavior changed in that update. The new behavior also applies to subsequent updates unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms "SHOULD" or "SHOULD NOT" implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term "MAY" implies that the product does not follow the prescription.

<1> Section 1.3.3: Except for DCs running Windows NT 4.0 operating system, synchronization between DCs running Windows is performed by the Active Directory replication service [MS-DRSR]. Synchronization involving a DC running Windows NT 4.0 is performed by the Netlogon service.

<2> Section 1.3.3: In Windows NT 4.0, a single DC in a domain is designated the primary domain controller (PDC). The PDC is the only DC that accepts changes to the account information it stores. A Windows NT 4.0 domain has zero or more BDCs.

<3> Section 2.1: The Netlogon Remote Protocol is used only when the client or server is a member of a Windows domain.

<4> Section 2.1: The Netlogon security package functionality is not implemented in Windows NT.

<5> Section 2.2: Netlogon Remote Protocol predates Windows NT. Microsoft's first network operating system was LAN Manager. However, Windows NT does not make use of interfaces that were implemented by using RPC in Lan Manager, or methods within those interfaces. Therefore, those methods are not documented.

<6> Section 2.2.1.1.2: The value of MaximumLength is ignored by the Windows NT 4.0 implementation.

<7> Section 2.2.1.1.4: This is a Windows NT domain password.

<8> Section 2.2.1.2.1: The DOMAIN_CONTROLLER_INFOW structure is not supported in Windows NT.

<9> Section 2.2.1.2.1: IPv6 is not supported in Windows NT, Windows 2000 operating system, Windows XP, or Windows Server 2003.

<10> Section 2.2.1.2.1: In Windows NT, Windows 2000 Server, Windows XP, and Windows Server 2003, this address is an IPv4 address. For all other Windows releases, this address can be an IPv4 or IPv6 address.

<11> Section 2.2.1.2.1: Windows NT-based domain controllers do not have a domain GUID.

<12> Section 2.2.1.2.1: read-only domain controllers (RODCs) are not supported in Windows NT Server, Windows 2000 Server and Windows Server 2003.

<13> Section 2.2.1.2.1: Writable domain controllers are not supported in Windows NT Server, Windows 2000, and Windows Server 2003. The concept of designating a DC as writable was added when read-only DCs were created.

<14> Section 2.2.1.2.1: Active Directory Web Service is not available in Windows NT and Windows 2000. It is available in Windows Server 2003 and Windows Server 2008 when Active Directory Management Gateway Service is installed.

<15> Section 2.2.1.2.1: Windows NT-based domain controllers do not have an associated site.

<16> Section 2.2.1.2.5: The Status field is not implemented in Windows NT, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista.

<17> Section 2.2.1.2.6: DnsNamesInfo is not implemented in Windows NT, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista.

<18> Section 2.2.1.3.3: The NL_AUTH_SHA2_SIGNATURE structure is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, or Windows Vista.

<19> Section 2.2.1.3.3: Windows sets these bytes to an indeterminate value.

<20> Section 2.2.1.3.6: The NETLOGON_WORKSTATION_INFO structure is not supported in Windows NT.

<21> Section 2.2.1.3.6: For example, for Windows 7 Ultimate operating system, the string "Windows 7 Ultimate" is used.

<22> Section 2.2.1.3.6: The KerberosSupportedEncryptionTypes field is not supported in Windows NT, Windows 2000, and Windows Server 2003.

<23> Section 2.2.1.3.7: The NL_TRUST_PASSWORD structure is not supported in Windows NT.

<24> Section 2.2.1.3.7: Windows domain controller expects little-endian byte ordering for the encryption input. If your processor is in big endian, then both the wide-character buffer and length fields in the NL_TRUST_PASSWORD structure MUST be converted to little endian before encryption. After encryption, byte swapping to reverse the order will be needed.

<25> Section 2.2.1.3.8: The NL_PASSWORD_VERSION structure is not supported in Windows NT.

<26> Section 2.2.1.3.9: The NETLOGON_WORKSTATION_INFORMATION union is not supported in Windows NT.

<27> Section 2.2.1.3.10: The NETLOGON_ONE_DOMAIN_INFO structure is not supported in Windows NT.

<28> Section 2.2.1.3.11: The NETLOGON_DOMAIN_INFO structure is not supported in Windows NT.

<29> Section 2.2.1.3.11: The SupportedEncTypes field is ignored in Windows NT, Windows 2000, and Windows XP.

<30> Section 2.2.1.3.12: The NETLOGON_DOMAIN_INFORMATION structure is not implemented in Windows NT.

<31> Section 2.2.1.3.13: One or both domains in a secure channel is required to be a Windows NT 4.0 domain.

<32> Section 2.2.1.3.13: The CdcServerSecureChannel type is not implemented in Windows NT, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista.

<33> Section 2.2.1.3.14: The NETLOGON_CAPABILITIES union is not supported in Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

<34> Section 2.2.1.3.14: The RequestedFlags addition applies to Windows 7 operating system with Service Pack 1 (SP1) and later and Windows Server 2008 operating system with Service Pack 2 (SP2) and later.

<35> Section 2.2.1.3.15: The normal (writable) DC cannot be a Windows Server 2003 or a Windows 2000 Server DC.

<36> Section 2.2.1.3.15: The following table defines the dwMajorVersion values.

Value

Meaning

4

The operating system is Windows NT 4.0.

5

The operating system is Windows 2000, Windows XP, Windows Server 2003, or Windows Server 2003 R2 operating system.

6

The operating system is Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, or Windows Server 2012 R2.

10

The operating system is Windows 10 and later.

<37> Section 2.2.1.3.15: The following table defines the dwMinorVersion values.

Value

Meaning

0

The operating system is Windows NT 4.0, Windows 2000, Windows Vista, Windows Server 2008, Windows 10, Windows Server 2016, and later.

1

The operating system is Windows XP, Windows 7, or Windows Server 2008 R2.

2

The operating system is Windows XP Professional x64 Edition operating system, Windows Server 2003, Windows Server 2003 R2, Windows 8, or Windows Server 2012.

3

The operating system is Windows 8.1 or Windows Server 2012 R2.

<38> Section 2.2.1.3.15: For Windows NT, the value is 0x00000002.

<39> Section 2.2.1.3.15: The VER_NT_WORKSTATION value identifies the operating system as one of the following: Windows NT Workstation 4.0 operating system, Windows 2000 Professional, Windows XP Home Edition operating system, Windows XP Professional operating system, Windows Vista, Windows 7, Windows 8, Windows 8.1, or Windows 10.

<40> Section 2.2.1.3.15: The wReserved field is not implemented in Windows NT, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista. The Netlogon server ignores this value.

<41> Section 2.2.1.3.16: The normal (writable) DC cannot be a Windows 2000 Server or a Windows Server 2003 domain controller.

<42> Section 2.2.1.3.16: The OsName field is not implemented in Windows NT, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista.

<43> Section 2.2.1.3.17: The V1 field is not supported by Windows NT, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista.

<44> Section 2.2.1.3.18: The normal (writable) DC cannot be a Windows 2000 Server or a Windows Server 2003 DC.

<45> Section 2.2.1.3.18: RODCs are not supported in Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

<46> Section 2.2.1.3.18: The SupportedEncTypes field is not implemented in Windows NT, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista.

<47> Section 2.2.1.3.19: The V1 field is not implemented in Windows NT, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista.

<48> Section 2.2.1.4.16: The NETLOGON_LOGON_INFO_CLASS enumeration types are not supported in Windows Vista.

<49> Section 2.2.1.4.17: The NETLOGON_VALIDATION_INFO_CLASS enumeration types are not supported in Windows Vista.

<50> Section 2.2.1.5: Sharing the user account database is achieved in Windows via replication of the account database among DCs so that each DC in the domain has a matching copy of the database.

<51> Section 2.2.1.5.22: Except for Windows NT, NumControllerEntries is set to zero in the NETLOGON_DELTA_TRUSTED_DOMAINS structure.

<52> Section 2.2.1.5.22: Except for Windows NT, ControllerNames is set to NULL in the NETLOGON_DELTA_TRUSTED_DOMAINS structure.

<53> Section 2.2.1.5.28: In Windows NT 4.0 replication, the DeleteGroupByName, DeleteUserByName, and SerialNumberSkip types require NegotiateFlags=0x00000010. For more information, see the Capability Negotiation bullet in section 1.7 and the NegotiateFlags parameter description in sections 3.5.4.4.4 (NetrServerAuthenticate2) and 3.5.4.4.2 (NetrServerAuthenticate3).

<54> Section 2.2.1.6.2: The DS_DOMAIN_TRUSTSW structure is not supported in Windows NT.

<55> Section 2.2.1.6.2: 0x00000001 is supported only in Windows NT.

<56> Section 2.2.1.6.2: Trust with an Active Directory domain is not supported in Windows NT.

<57> Section 2.2.1.6.2: A trust link is valid only for Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 domains.

<58> Section 2.2.1.6.3: The NETLOGON_TRUSTED_DOMAIN_ARRAY structure is not supported in Windows NT.

<59> Section 2.2.1.6.4: The NL_GENERIC_RPC_DATA structure is not supported in Windows NT or Windows 2000.

<60> Section 2.2.1.7.2: The NETLOGON_INFO_1 structure contains information about the state of the database synchronization for Windows NT 4.0 backup domain controllers only.

<61> Section 2.2.1.7.2: Flags A, B, C, and D are set only in the query response from a Windows NT 4.0-based backup domain controller. Flags E, F, and G are not available in Windows NT and cannot be set in the query response from a domain controller running Windows NT.

<62> Section 2.2.1.7.3: Flags A, B, and C cannot be set in the query response from a server running Windows NT. Flag C is also not supported in Windows 2000 or Windows XP.

<63> Section 2.2.1.8: The unsupported structures are used in Windows releases that are not applicable to this specification.

<64> Section 2.2.1.8.4: Windows never uses the NETLOGON_DUMMY1 union.

<65> Section 3: In Windows NT 4.0, the Netlogon Remote Protocol RPC interface is used to replicate account information from the primary domain controllers (PDCs) to the backup domain controllers (BDCs). PDCs also use mailslots to broadcast messages to the BDCs; these messages (as specified in section 2.2.1.5.1) are not transmitted via RPC.

<66> Section 3: Except in Windows NT, the server defaults to the primary domain if the name is not found.

<67> Section 3.1.1: In all applicable Windows Server releases except Windows NT, for computer accounts in a domain, the OWF of the shared secret is stored in the unicodePwd attribute of the computer account object in Active Directory ([MS-ADTS] section 6.4.2).

For trusts with applicable Windows Server releases domains (except Windows NT), the shared secret is stored in the trustAuthIncoming attribute ([MS-ADTS] section 6.1.6.7.10) and the trustAuthOutgoing attribute ([MS-ADTS] section 6.1.6.7.11) of the trusted domain object (TDO) that contains trust information in Active Directory ([MS-ADTS] section 6.1.6.9.1). Depending on the AuthType either the shared secret (TRUST_AUTH_TYPE_CLEAR) or NTOWFv1 (TRUST_AUTH_TYPE_NT4OWF) is stored.

For trusts with Windows NT 4.0 domains, the OWF of the shared secret is stored in the trustAuth attribute of the corresponding TDO for the Windows NT 4.0 domain.

<68> Section 3.1.1: In Windows NT 4.0, the OWF of the shared secret is stored as an attribute of the computer account object (for domain members) or the interdomain trust account object (for domain trusts) ([MS-SAMR] section 3.1.1.3).

<69> Section 3.1.1: In all applicable Windows Server releases (except Windows NT), the trust password version is stored in the TRUST_AUTH_TYPE_VERSION of the trustAuthIncoming attribute ([MS-ADTS] section 6.1.6.7.10) and the trustAuthOutgoing attribute ([MS-ADTS] section 6.1.6.7.11) of the TDO that contains trust information in Active Directory ([MS-ADTS] section 6.1.6.9.1). The trust password version is not maintained for Windows NT 4.0 domains.

<70> Section 3.1.1: VulnerableChannelAllowList is not supported in Windows NT, Windows 2000, Windows Server 2003.

<71> Section 3.1.4.1: Windows NT, Windows 2000, Windows Server 2003, and Windows Server 2008 allow the call to succeed.

<72> Section 3.1.4.1: Returning the negotiated flags or received client flags for the current exchange is not supported in Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

<73> Section 3.1.4.1: Comparing the received Capabilities with the negotiated NegotiateFlags or RequestedFlags is not supported in Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

<74> Section 3.1.4.1: Returning the negotiated flags or received client flags for the current exchange is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003.

<75> Section 3.1.4.1: Comparing the received Capabilities with the negotiated NegotiateFlags or RequestedFlags is not supported in Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

<76> Section 3.1.4.2: The negotiable options that are available vary by Windows releases:

  • B is used in Windows NT 3.5 operating system only.

  • J through S are not supported in Windows NT.

  • T and U are not supported in Windows NT or Windows 2000. U supports neutralizing Windows NT 4.0 emulation.

  • V is not supported in Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

  • W is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

  • Y is not supported in Windows NT prior to Windows NT 4.0 operating system Service Pack 2 (SP2). Windows NT 4.0 operating system Service Pack 4 (SP4) does not support Secure RPC and does not perform a secure bind.

<77> Section 3.1.4.6: Windows XP and later clients will request secure RPC. Windows Server 2008 and later will enforce that clients are using RPC Confidentiality to secure the connection. For more information, see [MSFT-CVE-2020-1472] and [MSFT-CVE-2022-38023].

<78> Section 3.1.4.6: For Windows, the client binds to the RPC server using TCP (except for Windows NT, in which the client binds to the RPC server using the named pipe "\PIPE\NETLOGON"). If RPC returns an error indicating that the protocol sequence is not supported, the client binds to the RPC server using named pipes.

<79> Section 3.1.4.6: Windows NT, Windows 2000, and Windows Server 2003 MS-NRPC servers do not support enforcing that clients are using RPC Integrity and Confidentiality to secure the connection.

<80> Section 3.1.4.6: Windows NT, Windows 2000, Windows Server 2003, and Windows Server 2008 allow the call to succeed.

<81> Section 3.1.4.6: Windows caches and reuses the binding for subsequent RPC calls to the server.

<82> Section 3.1.4.7: Only Windows NT uses named pipes, see product note in step 1 in section 3.1.4.6.

<83> Section 3.1.6: When Netlogon receives a PolicyChange event, NRPC implementations that use the Windows registry to persistently store and retrieve the SealSecureChannel variable need to load the new value from the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters registry path and SealSecureChannel key.

<84> Section 3.3: The Windows Netlogon SSP is not provided for use by other applications. It has neither the full functionally of public SSPs nor access from non-LSA applications.

<85> Section 3.3: The Netlogon capability of encrypting and signing data during communication is not supported in Windows NT prior to Windows NT 4.0 operating system Service Pack 6 (SP6).

<86> Section 3.3.4.2.2: Windows disregards the Flags data.

<87> Section 3.3.4.2.2: In Windows when SEC_E_OUT_OF_SEQUENCE is returned, the exact error shown depends on the RPC layer. The RPC_S_SEC_PKG_ERROR  ([MS-ERREF] section 2.2) might be the ultimate error shown.

<88> Section 3.4: Netlogon runs only on machines joined to a domain. Upon startup, it locates a domain controller and establishes a secure channel to it. It is used for secure communication between the client and the domain controller and for passing sensitive data between the two entities. Except in Windows NT, Netlogon also registers the SPNs for the computer that it runs on. It registers the SPNs of the form "HOST/NetBIOSName" and "HOST/Full.Dns.Name", which updates the servicePrincipalName attribute of the computer account object in Active Directory.

<89> Section 3.4.1: The RejectMD5Servers variable is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

The Windows registry settings used to persistently store and retrieve the RejectMD5Servers variable are the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters registry path and RejectMD5Servers key.

<90> Section 3.4.1: The following Windows registry settings are used to persistently store and retrieve the RequireSignOrSeal variable:

  • RegistryValueName: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters

  • RegistryValueType: 4

  • RegistryValue: RequireSignOrSeal

See [MS-GPSB] section 2.2.5 for information on setting registry entries.

<91> Section 3.4.1: The RequireStrongKey variable is not supported in Windows NT.

<92> Section 3.4.1: The Windows registry settings used to persistently store and retrieve the RequireStrongKey variable are as follows:

  • RegistryValueName: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters

  • RegistryValueType: 4

  • RegistryValue: RequireStrongKey

<93> Section 3.4.3: Windows uses 4096. Other implementations can use any value.

<94> Section 3.4.3: Implementations that use the Windows registry to persistently store and retrieve the settings for ClientCapabilities bit O use the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters registry path and the SignSecureChannel and SealSecureChannel values to indicate whether bit O is to be set. If either of these registry values are set to 0x1, then bit O is set.

Implementations that use the Windows registry to persistently store settings for ClientCapabilities bit U use the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters registry path and NeutralizeNt4Emulator key to indicate whether bit U is set. If this registry value is set to 0x1, then bit U is set.

<95> Section 3.4.3: Windows NT 4.0 SP4, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 initialize RequireSignOrSeal to FALSE.

<96> Section 3.4.3: The RequireStrongKey is initialized to FALSE in Windows.

<97> Section 3.4.5.1.3: The SiteGuid parameter is set to NULL by all applications available as part of Windows.

<98> Section 3.4.5.1.11: The ServerName parameter is a normal (writable) DC but is not a Windows Server 2003 or a Windows 2000 Server DC.

<99> Section 3.4.5.2.5: The NetrServerAuthenticate method is used only in Windows NT Server 3.1 operating system.

<100> Section 3.4.5.2.6: Windows domain controller expects little-endian byte ordering for the encryption input. If your processor is in big endian, then both the wide-character buffer and length fields in the NL_TRUST_PASSWORD structure MUST be converted to little endian before encryption. After encryption, byte swapping to reverse the order will be needed.

<101> Section 3.4.5.2.6: Windows clients do not call NetrServerPasswordSet2 for group managed Microsoft Service Accounts (gMSA) accounts. Calling this API for gMSA accounts could cause undefined behavior.

<102> Section 3.4.5.2.6: Windows clients re-establish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<103> Section 3.4.5.2.7: Windows clients re-establish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<104> Section 3.4.5.2.8: Windows clients re-establish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<105> Section 3.4.5.2.10: Windows clients reestablish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<106> Section 3.4.5.2.11: NetrLogonGetCapabilities is not supported by Windows NT, Windows 2000, Windows XP, and  Windows Server 2003.

<107> Section 3.4.5.2.11: Re-establishing the secure channel with the DC is not supported by Windows NT, Windows 2000, Windows XP, and Windows Server 2003, Windows Vista, and Windows Server 2008.

<108> Section 3.4.5.2.11: Re-establishing the secure channel with the DC is not supported by Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<109> Section 3.4.5.2.11: For Windows DCs, the STATUS_NOT_IMPLEMENTED error means the DC is a Windows NT, Windows Server 2003, or Windows Server 2008 machine.

<110> Section 3.4.5.2.11: Windows clients re-establish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<111> Section 3.4.5.2.12: The normal (writable) DC cannot be a Windows 2000 Server or a Windows Server 2003 DC.

<112> Section 3.4.5.3.2: Except in Windows NT 3.1 operating system, Windows encrypts by using the negotiated encryption algorithm and the session key.

For Windows NT 3.1, encrypt as follows.

 InitLMKey(KeyIn, KeyOut)
      KeyOut[0] = KeyIn[0] >> 0x01;
      KeyOut[1] = ((KeyIn[0]&0x01)<<6) | (KeyIn[1]>>2);
      KeyOut[2] = ((KeyIn[1]&0x03)<<5) | (KeyIn[2]>>3);
      KeyOut[3] = ((KeyIn[2]&0x07)<<4) | (KeyIn[3]>>4);
      KeyOut[4] = ((KeyIn[3]&0x0F)<<3) | (KeyIn[4]>>5);
      KeyOut[5] = ((KeyIn[4]&0x1F)<<2) | (KeyIn[5]>>6);
      KeyOut[6] = ((KeyIn[5]&0x3F)<<1) | (KeyIn[6]>>7);
      KeyOut[7] = KeyIn[6] & 0x7F;
      ((DWORD*)KeyOut)[0] <<= 1;
      ((DWORD*)KeyOut)[1] <<= 1;
      ((DWORD*)KeyOut)[0] &= 0xfefefefe;
      ((DWORD*)KeyOut)[1] &= 0xfefefefe;

Assume bytes(s, e, l) returns bytes from s to e of the byte array l. Assume concat(a1, a2) returns byte array containing the bytes of array a1 followed by the bytes from byte array a2.

 LMDESECB(Input, Sk, Output)
      SET k1 to bytes(0, 7, Sk)
      CALL InitLMKey(k1, k3)
      SET k2 to bytes(8, 15, Sk)
      CALL InitLMKey(k2, k4)
      SET i1 to bytes(0, 7, Input)
      SET i2 to bytes(8, 15, Input)
      CALL DES_ECB(i1, k3, &output1)
      CALL DES_ECB(i2, k4, &output2)
      SET Output to concat(output1, output2)

<113> Section 3.4.5.3.2: Except in Windows NT 3.1, Windows encrypts using the negotiated encryption algorithm and the session key. Windows NT 3.1 encryption is described in the preceding product behavior note.

<114> Section 3.4.5.3.2: Except in Windows NT 3.1, Windows encrypts using the negotiated encryption algorithm and the session key. Windows NT 3.1 encryption is described in a preceding product behavior note in this section.

<115> Section 3.4.5.3.2: Windows clients reestablish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<116> Section 3.4.5.3.4: Except in Windows NT 3.1, Windows encrypts by using the negotiated encryption algorithm and the session key. For Windows NT 3.1, encrypt as described in the product behavior note in section 3.4.5.3.2.

<117> Section 3.4.5.3.4: Windows clients reestablish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<118> Section 3.4.5.3.5: Windows clients reestablish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<119> Section 3.4.5.4.1: Windows clients reestablish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<120> Section 3.4.5.4.2: Windows clients call the NetrDatabaseSync2 method in a loop until all database records are received.

<121> Section 3.4.5.4.2: On receiving the STATUS_MORE_ENTRIES status code, Windows clients continue calling the NetrDatabaseSync2 routine in a loop until all missing database entries are received. The client terminates the loop on a computer shutdown notification.

<122> Section 3.4.5.4.2: Windows clients re-establish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<123> Section 3.4.5.4.4: Windows clients reestablish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<124> Section 3.4.5.5.4: Windows clients reestablish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<125> Section 3.4.5.5.6: Windows clients reestablish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<126> Section 3.4.5.6.4: Windows clients reestablish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

<127> Section 3.4.6.1: Windows uses 4096. Other implementations can use any value.

<128> Section 3.4.7: The new Windows registry settings for the RequireStrongKey and RequireSignOrSeal variables are loaded from the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters registry path and the RequireStrongKey and RequireSignOrSeal keys.

<129> Section 3.5.1: In Windows, the default DynamicSiteNameTimeout value is 5 minutes, and the allowed range is 0 minutes to 49 days.

<130> Section 3.5.1: RejectMD5Clients is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<131> Section 3.5.1: The NT4Emulator ADM element is not implemented in Windows NT prior to Windows NT 4.0.

<132> Section 3.5.1: DCRPCPort is not supported in Windows NT Server and Windows 2000 Server.

<133> Section 3.5.3: The named pipe LSASS is also known by the alias NETLOGON. The client can use this alias to establish an RPC over a named pipe connection.

<134> Section 3.5.3: Implementations that use the Windows registry to persistently store and retrieve the RejectMD5Clients variable use the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters registry path and RejectMD5Clients key.

<135> Section 3.5.3: Implementations that use the Windows registry to persistently store and retrieve the SignSecureChannel variable set the following values:

  • RegistryValueName: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters

  • RegistryValueType: 4

  • RegistryValue: SignSecureChannel

Windows registry keys and values ([MS-GPSB]  section 2.2.5) are exposed at a specified registry path via the Windows Remote Registry Protocol [MS-RRP]. For each abstract data model (ADM) element that is loaded from the registry, there is one instance that is shared between the Windows Remote Registry Protocol and the protocol(s) that use(s) the ADM element. Any changes made to the RejectMD5Clients registry key will not be reflected in the ADM elements until the Netlogon server is stopped and restarted.

<136> Section 3.5.3: The StrongKeySupport value is initialized to FALSE in Windows NT 4.0.

<137> Section 3.5.3: In Windows, AllowSingleLabelDNSDomain is configured using the following Windows registry path:

  • Registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters

  • RegistryValueName: AllowSingleLabelDNSDomain

  • RegistryType: DWORD

  • Acceptable values: 0 = Disabled, 1 = Enabled

  • Default value if not explicitly configured: 0.

<138> Section 3.5.3: Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 consider AllowDnsSuffixSearch to be FALSE.

<139> Section 3.5.3: Windows uses the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters registry path and SiteName value.

<140> Section 3.5.3: In Windows, FailedDiscoveryCachePeriod can be configured using the following Windows registry path:

  • Registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters

  • RegistryValueName: NegativeCachePeriod

  • RegistryType: DWORD

  • AllowedRange: 0 - 604800 (7 days)

  • Default value if not explicitly configured: 45 seconds

<141> Section 3.5.3: In Windows, the CacheEntryValidityPeriod variable value is 12 hours, unless changed by an administrator.

<142> Section 3.5.3: In Windows, the CacheEntryPingValidityPeriod variable value is 30 minutes, unless changed by an administrator.

<143> Section 3.5.3: The Windows registry settings to persistently store and retrieve the DCRPCPort variable are the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters registry path and DCRPCPort key.

<144> Section 3.5.3: The Windows registry settings to persistently store and retrieve the RejectDES variable are the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters registry path and AllowNT4Crypto key set to negation of the RejectDES variable.

<145> Section 3.5.3: The RejectDES is FALSE in Windows NT, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista.

<146> Section 3.5.3: The Windows registry settings to persistently store and retrieve the SiteCoverage variable are the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters registry path and SiteCoverage key.

<147> Section 3.5.4: Gaps in the opnum numbering sequence apply to Windows as follows.

Opnum

Description

47

Windows uses this method only locally, never remotely.

<148> Section 3.5.4.3.1: The DsrGetDcNameEx2 method is not supported in Windows NT.

<149> Section 3.5.4.3.1: The F bit is not implemented in Windows NT, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista.

<150> Section 3.5.4.3.1: The P bit is not implemented in Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

<151> Section 3.5.4.3.1: Windows implements both the LDAP Ping and the Mailslot Ping methods ([MS-ADTS] section 6.3.3 and section 6.3.5 respectively) and uses them to locate a DC.

<152> Section 3.5.4.3.1: Windows NT does not support directory service functions.

<153> Section 3.5.4.3.1: In all applicable Windows Server releases except Windows NT, DCs support directory service functions.

<154> Section 3.5.4.3.1: In all applicable Windows Server releases except Windows NT, a DC is writable when it hosts a writable copy of the directory service. These DCs are writable unless they are RODCs. A Windows NT DC is writable only if it is a PDC.

<155> Section 3.5.4.3.1: The T bit is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<156> Section 3.5.4.3.1: If neither the R nor S flag is specified, Windows returns the type of name that matches the type of the DomainName parameter.

<157> Section 3.5.4.3.1: In Windows, if neither the R nor S flags are set in the Flags parameter, the behavior is as follows:

  • If only one of the DnsHostName or NetbiosComputerName fields is set in the message, the DomainControllerName field is set to that value.

  • Otherwise, if both the DnsHostName and NetbiosComputerName fields are set in the message:

    • If the DomainName parameter is equal to the DnsDomainName message field, the DomainControllerName field is set to the value of the DnsHostName message field.

    • If the DomainName parameter is equal to the NetbiosDomainName message field, the DomainControllerName field is set to the value of the NetbiosComputerName message field.

    • If the DomainName parameter is NULL:

      • If the DC responded to the LDAP message, the DomainControllerName field is set to the value of the DnsHostName message field.

      • If the DC responded to the mailslot message, the DomainControllerName field is set to the value of the NetbiosComputerName message field.

<158> Section 3.5.4.3.1: In Windows, if neither the R nor S flags are set in the Flags parameter, the behavior is as follows:

  • If only one of the DnsDomainName or NetbiosDomainName fields is set in the message, the DomainName field is set to that value.

  • Otherwise, if both the DnsDomainName and NetbiosDomainName fields are set in the message:

    • If the DomainName parameter of the DsrGetDcNameEx2 call is equal to the DnsDomainName message field, the DomainName field is set to the value of the DnsDomainName message field.

    • If the DomainName parameter of the DsrGetDcNameEx2 call is equal to the NetbiosDomainName message field, the DomainName field is set to the value of the NetbiosDomainName message field.

    • If the DomainName parameter of the DsrGetDcNameEx2 call is NULL:

      • If the DC responded to the LDAP message, the DomainName field is set to the value of the DnsDomainName message field.

      • If the DC responded to the mailslot message, the DomainName field is set to the value of the NetbiosDomainName message field.

<159> Section 3.5.4.3.2: The DsrGetDcNameEx method is not supported in Windows NT.

<160> Section 3.5.4.3.3: The DsrGetDcName method is not supported in Windows NT.

<161> Section 3.5.4.3.4: The NetrGetDCName method is supported in Windows NT Server 3.1. It is superseded by the DsrGetDcNameEx2 method (section 3.5.4.3.1) in Windows 2000.

<162> Section 3.5.4.3.4: Windows implements both the LDAP Ping method ([MS-ADTS] section 6.3.3) and the Mailslot Ping method ([MS-ADTS] section 6.3.5), and uses those two methods to locate a DC.

<163> Section 3.5.4.3.5: The NetrGetAnyDCName method is supported in Windows NT Server 3.1 through Windows NT 4.0. It is superseded by the DsrGetDcNameEx2 method (section 3.5.4.3.1) in Windows 2000.

<164> Section 3.5.4.3.5: Windows implements both the LDAP Ping method ([MS-ADTS] section 6.3.3) and the Mailslot Ping method ([MS-ADTS] section 6.3.5), and uses those two methods to locate a DC ([MS-ADTS] section 6.3.6).

<165> Section 3.5.4.3.6: The DsrGetSiteName method is not supported in Windows NT.

<166> Section 3.5.4.3.6: Windows implements both the LDAP Ping method ([MS-ADTS] section 6.3.3) and the Mailslot Ping method ([MS-ADTS] section 6.3.5), and uses those two methods to locate a DC ([MS-ADTS] section 6.3.6).

<167> Section 3.5.4.3.7: The DsrGetDcSiteCoverageW method is not supported in Windows NT.

<168> Section 3.5.4.3.8: The DsrAddressToSiteNamesW method is not supported in Windows NT.

<169> Section 3.5.4.3.9: The DsrAddressToSiteNamesExW method is not supported in Windows NT.

<170> Section 3.5.4.3.10: The DsrDeregisterDnsHostRecords method is not supported in Windows NT.

<171> Section 3.5.4.3.11: The DsrUpdateReadOnlyServerDnsRecords method is not implemented in Windows NT, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista.

<172> Section 3.5.4.3.11: The normal (writable) DC cannot be a Windows 2000 Server or a Windows Server 2003 DC.

<173> Section 3.5.4.4.1: The NetrServerReqChallenge method is not implemented in Windows NT 3.1.

<174> Section 3.5.4.4.2: The NetrServerAuthenticate3 method is not supported in Windows NT.

<175> Section 3.5.4.4.2: In Windows, all machine account names are the name of the machine with a "$" (dollar sign) appended.

<176> Section 3.5.4.4.2: Except in Windows NT 4.0, if the value is 5 (UasServerSecureChannel), the server always returns an access-denied error because this functionality is no longer supported. Windows NT 4.0 has configuration parameter options allowing UAS compatibility mode, and if this mode is enabled, the error is not returned, and further processing occurs. Otherwise, it returns an access-denied error.

<177> Section 3.5.4.4.3: Supported on Windows 11, version 24H2 operating system and Windows Server 2025.

<178> Section 3.5.4.4.3:  Windows uses netlogon/<hostname> as the targetname for the workstation secure channels.

<179> Section 3.5.4.4.4: The NetrServerAuthenticate2 method is used in Windows NT 3.5 and Windows NT 4.0. It is superseded by the NetrServerAuthenticate3 method (section 3.5.4.4.2).

<180> Section 3.5.4.4.5: The NetrServerAuthenticate method is used only in Windows NT Server 3.1. In Windows NT Server 3.5 operating system, it is superseded by the NetrServerAuthenticate2 method (section 3.5.4.4.4).

<181> Section 3.5.4.4.6: The NetrServerPasswordSet2 method is not supported in Windows NT.

<182> Section 3.5.4.4.6: By default, the machine account password is changed every 30 days in Windows. The value is configurable with a minimum of one day and maximum of 1,000,000 days.

<183> Section 3.5.4.4.6: In Windows, all machine account names are the name of the machine with a "$" (dollar sign) appended.

<184> Section 3.5.4.4.6: Windows domain controller expects little-endian byte ordering for the encryption input. If your processor is in big endian, then both the wide-character buffer and length fields in the NL_TRUST_PASSWORD structure MUST be converted to little endian before encryption. After encryption, byte swapping to reverse the order will be needed.

<185> Section 3.5.4.4.7: The NetrServerPasswordSet method is not implemented in Windows NT 3.1.

<186> Section 3.5.4.4.7: In Windows, all machine account names are the name of the machine with a "$" (dollar sign) appended.

<187> Section 3.5.4.4.8: The NetrServerPasswordGet method is not supported in Windows NT.

<188> Section 3.5.4.4.8: In Windows, all machine account names are the name of the machine with a "$" (dollar sign) appended.

<189> Section 3.5.4.4.9: The NetrServerTrustPasswordsGet method is not supported in Windows NT and Windows 2000 prior to Windows 2000 Server operating system Service Pack 4 (SP4).

<190> Section 3.5.4.4.9: In Windows, all machine account names are the name of the machine with a "$" (dollar sign) appended.

<191> Section 3.5.4.4.10: The NetrLogonGetDomainInfo method is not supported in Windows NT.

<192> Section 3.5.4.4.10: Verifying that the WkstaBuffer parameter is not NULL is not supported in Windows NT, Windows 2000, Windows Server 2003, and Windows Server 2008.

<193> Section 3.5.4.4.10: Windows uses 4096. Other implementations can use any value.

<194> Section 3.5.4.4.10: In Windows, NETLOGON_ONE_DOMAIN_INFO.TrustExtension MaximumLength and Length are set to the size 0x10, and Buffer points to a buffer containing the following fields of a DS_DOMAIN_TRUSTSW structure: Flags, ParentIndex, TrustType, TrustAttributes.

<195> Section 3.5.4.4.10: If the wProductType is VER_NT_WORKSTATION, then the string is "Windows Workstation", otherwise the string is "Windows Server".

<196> Section 3.5.4.4.10: If both WkstaBuffer.WorkstationInfo.OsVersion and WkstaBuffer.WorkstationInfo.OsName are unspecified, Windows 2000, Windows XP, and Windows Server 2003 use the generic string "Windows 2000" to update the operatingSystem attribute. If only WkstaBuffer.WorkstationInfo.OsName is unspecified, Windows 2000, Windows XP, and Windows Server 2003 use the generic string "Windows 2000 Professional" when WkstaBuffer.WorkstationInfo.OsVersion.wProductType is VER_NT_WORKSTATION, and otherwise use the string "Windows 2000 Server" to update the operatingSystem attribute.

<197> Section 3.5.4.4.11: The NetrLogonGetCapabilities method is not supported in Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

In Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008, RPC Opnum 21 is associated with the following RPC method, which does not perform any protocol-relevant function:

 NTSTATUS NetrLogonDummyRoutine1(
   [in, string] LOGONSRV_HANDLE ServerName,
   [in, string, unique] wchar_t* ComputerName,
   [in] PNETLOGON_AUTHENTICATOR Authenticator,
   [in, out] PNETLOGON_AUTHENTICATOR ReturnAuthenticator,
   [in] DWORD QueryLevel,
   [out, switch_is(QueryLevel)] PNETLOGON_DUMMY1 Buffer
 );
  

The return type and parameters for NetrLogonDummyRoutine1 take on the same data representation as those for NetrLogonGetCapabilities.

<198> Section 3.5.4.4.11: The Capabilities parameter is not supported by Windows NT, Windows 2000, Windows XP, and Windows Server 2003. These operating systems supported a dummy buffer type:

[out, switch_is(QueryLevel)] PNETLOGON_DUMMY1 Buffer

Buffer: A pointer to a byte buffer.

<199> Section 3.5.4.4.11: Windows NT, Windows 2000, Windows XP, and Windows Server 2003 do no processing for this call, and always return 0xC0000002 (STATUS_NOT_IMPLEMENTED).

<200> Section 3.5.4.4.11: Windows RPC layer may return its own error code instead of STATUS_INVALID_LEVEL. The error code that a client gets depends on where the calling application is getting the error from:

  1. If the client is running on Windows and calling Windows RPC APIs, they may get the Win32 error code RPC_S_INVALID_TAG ([MS-ERREF] section 2.2).

  2. If the client is running on third-party operating systems or getting the error code from the wire, they may get nca_s_fault_invalid_tag (0x1C000006). ([C706-RSCP]).

  3. The conversion between the on-the-wire nca_s_fault_invalid_tag and Win32 error code RPC_S_INVALID_TAG is specified in [MS-RPCE] section 3.1.1.5.5.

<201> Section 3.5.4.4.12: The NetrChainSetClientAttributes method is not supported by Windows NT, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista. The normal (writable) DC cannot be a Windows 2000 Server or a Windows Server 2003 DC.

<202> Section 3.5.4.5.1: The NetrLogonSamLogonEx method is not supported in Windows NT.

<203> Section 3.5.4.5.1: Windows uses the value 0x01 as the representation of TRUE and 0x00 for FALSE.

<204> Section 3.5.4.5.1: Bits C and D are not implemented in Windows NT, Windows 2000, and Windows Server 2003.

<205> Section 3.5.4.5.1: Windows will fragment a response that exceeds the maximum fragment size even if minor version is 0. If the RPC message is fragmented, operations are done on each message fragment.

<206> Section 3.5.4.5.1: Except in Windows NT 3.1, Windows decrypts by using the negotiated decryption algorithm and the session key. For Windows NT 3.1, decrypt as follows.

 InitLMKey(KeyIn, KeyOut)
      KeyOut[0] = KeyIn[0] >> 0x01;
      KeyOut[1] = ((KeyIn[0]&0x01)<<6) | (KeyIn[1]>>2);
      KeyOut[2] = ((KeyIn[1]&0x03)<<5) | (KeyIn[2]>>3);
      KeyOut[3] = ((KeyIn[2]&0x07)<<4) | (KeyIn[3]>>4);
      KeyOut[4] = ((KeyIn[3]&0x0F)<<3) | (KeyIn[4]>>5);
      KeyOut[5] = ((KeyIn[4]&0x1F)<<2) | (KeyIn[5]>>6);
      KeyOut[6] = ((KeyIn[5]&0x3F)<<1) | (KeyIn[6]>>7);
      KeyOut[7] = KeyIn[6] & 0x7F;
      ((DWORD*)KeyOut)[0] <<= 1;
      ((DWORD*)KeyOut)[1] <<= 1;
      ((DWORD*)KeyOut)[0] &= 0xfefefefe;
      ((DWORD*)KeyOut)[1] &= 0xfefefefe;

Assume bytes(s, e, l) returns bytes from s to e of the byte array l. Assume concat(a1, a2) returns byte array containing the bytes of array a1 followed by the bytes from byte array a2.

 LMDESECB(Input, Sk, Output)
      SET k1 to bytes(0, 7, Sk)
      CALL InitLMKey(k1, k3)
      SET k2 to bytes(8, 15, Sk)
      CALL InitLMKey(k2, k4)
      SET i1 to bytes(0, 7, Input)
      SET i2 to bytes(8, 15, Input)
      CALL DES_ECB(i1, k3, &output1)
      CALL DES_ECB(i2, k4, &output2)
      SET Output to concat(output1, output2)
  

<207> Section 3.5.4.5.1: Except in Windows NT 3.1, Windows decrypts by using the negotiated decryption algorithm and the session key. For Windows NT 3.1, decrypt as described in the product behavior note earlier in the section.

<208> Section 3.5.4.5.1: Except in Windows NT 3.1, Windows decrypts by using the negotiated decryption algorithm and the session key. For Windows NT 3.1, decrypt as described in the product behavior note earlier in the section.

<209> Section 3.5.4.5.1: Except in Windows NT and Windows 2000, Windows supports verifying whether a correct combination of LogonLevel and ValidationLevel is supplied. The data is opaque to Netlogon and is passed unexamined to the package specified by the PackageName field of the NETLOGON_GENERIC_INFO structure. For more information, see section 3.2.4.1.

<210> Section 3.5.4.5.1: Windows NT and Windows 2000 do not verify whether a correct combination of LogonLevel and ValidationLevel is supplied.

<211> Section 3.5.4.5.1: This functionality is only performed by the operating systems specified by security update [MSFT-CVE-2022-21857] with its related KB article installed. It excludes Windows Vista and earlier and Windows Server 2003 R2 and earlier.

<212> Section 3.5.4.5.1: This functionality is only performed by the operating systems specified by security update [MSFT-CVE-2022-21857] with its related KB article installed. It excludes Windows Vista and earlier and Windows Server 2003 R2 and earlier.

<213> Section 3.5.4.5.2: The NetrLogonSamLogonWithFlags method is not supported in Windows NT and Windows 2000 prior to Windows 2000 Server SP4.

<214> Section 3.5.4.5.2: Windows uses the value of 0x01 as the representation of TRUE and 0x00 for FALSE.

<215> Section 3.5.4.5.2: Bits C and D are not supported in Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

<216> Section 3.5.4.5.3: The NetrLogonSamLogon method is only used in Windows NT 4.0. It is superseded by the NetrLogonSamLogonWithFlags method (section 3.5.4.5.2).

<217> Section 3.5.4.5.3: Windows will fragment a response that exceeds the maximum fragment size even if minor version is 0. If the RPC message is fragmented, operations are done on each message fragment.

<218> Section 3.5.4.5.4: The NetrLogonSamLogoff method is not available in Windows NT 3.1.

<219> Section 3.5.4.5.4: Windows NT servers support logoff updates.

<220> Section 3.5.4.6.1: The NetrDatabaseDeltas method is not available in Windows NT 3.1.

<221> Section 3.5.4.6.1: All applicable Windows Server releases stop including elements in the returned DeltaArray after the size of the returned data equals or exceeds the value of the PreferredMaximumLength parameter.

<222> Section 3.5.4.6.1: Windows limits the number of records to approximately 1,000 records per call.

<223> Section 3.5.4.6.2: The NetrDatabaseSync2 method is not available in Windows NT 3.1, Windows NT Server 3.1, Windows NT 3.5, Windows 7, or Windows Server 2008 R2.

<224> Section 3.5.4.6.2: Windows stops including elements in the returned DeltaArray once the size of the returned data equals or exceeds the value of the PreferredMaximumLength parameter.

<225> Section 3.5.4.6.2: Windows limits the number of records to approximately 1,000 records per call.

<226> Section 3.5.4.6.3: The NetrDatabaseSync method was used in Windows NT prior to Windows NT 4.0. It is superseded by the NetrDatabaseSync2 method.

<227> Section 3.5.4.6.4: The NetrDatabaseRedo method is not available in Windows NT 3.1, Windows NT Server 3.1, Windows NT 3.5, Windows 7, or Windows Server 2008 R2.

<228> Section 3.5.4.7.1: The DsrEnumerateDomainTrusts method is not supported in Windows NT.

<229> Section 3.5.4.7.2: The NetrEnumerateTrustedDomainsEx method is not supported in Windows NT.

<230> Section 3.5.4.7.3: The NetrEnumerateTrustedDomains method is not available in Windows NT prior to Windows NT 4.0.

<231> Section 3.5.4.7.4: The NetrGetForestTrustInformation method is not supported in Windows NT and Windows 2000 Server prior to Windows 2000 Server SP4.

<232> Section 3.5.4.7.5: The DsrGetForestTrustInformation method is not supported in Windows NT and Windows 2000 prior to Windows 2000 Server SP4.

<233> Section 3.5.4.7.6: The NetrServerGetTrustInfo method is not supported in Windows NT and Windows 2000 prior to Windows 2000 Server SP4.

<234> Section 3.5.4.8.1: The NetrLogonGetTrustRid method is not supported in Windows NT.

<235> Section 3.5.4.8.1: Windows NT, Windows 2000, Windows XP, and Windows Server 2003 allow the call to succeed. Other Windows releases return ERROR_ACCESS_DENIED if not local.

<236> Section 3.5.4.8.2: The NetrLogonComputeServerDigest method is not implemented in Windows NT.

<237> Section 3.5.4.8.2: When the previous password is not present, Windows Server 2012 and later use an uninitialized value to compute the OldMessageDigest parameter.

<238> Section 3.5.4.8.3: The NetrLogonComputeClientDigest method is not implemented in Windows NT.

<239> Section 3.5.4.8.4: The NetrLogonSendToSam method is not supported in Windows NT.

<240> Section 3.5.4.8.5: The NetrLogonSetServiceBits method is not supported in Windows NT.

<241> Section 3.5.4.8.5: The C flag is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<242> Section 3.5.4.8.5: The C flag is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<243> Section 3.5.4.8.5: Windows NT, Windows 2000, Windows XP, and Windows Server 2003 allow the call to succeed. Other Windows releases return ERROR_ACCESS_DENIED if not local.

<244> Section 3.5.4.8.6: The NetrLogonGetTimeServiceParentDomain method is not supported in Windows NT.

<245> Section 3.5.4.8.6: Windows NT, Windows 2000, Windows XP, and Windows Server 2003 allow the call to succeed.

<246> Section 3.5.4.9.1: The NetrLogonControl2Ex method executes Windows-specific administrative actions and is not available in Windows NT prior to Windows NT 4.0.

<247> Section 3.5.4.9.1: The following restrictions apply to the values of the FunctionCode parameter. The error ERROR_NOT_SUPPORTED is returned if one of these values is used.

The following values are not supported on Windows NT 4.0:

  • NETLOGON_CONTROL_CHANGE_PASSWORD (0x00000009)

  • NETLOGON_CONTROL_TC_VERIFY (0x0000000A)

  • NETLOGON_CONTROL_FORCE_DNS_REG (0x0000000B)

  • NETLOGON_CONTROL_QUERY_DNS_REG (0x0000000C)

  • NETLOGON_CONTROL_BACKUP_CHANGE_LOG (0x0000FFFC)

  • NETLOGON_CONTROL_TRUNCATE_LOG (0x0000FFFD)

  • NETLOGON_CONTROL_SET_DBFLAG (0x0000FFFE)

  • NETLOGON_CONTROL_BREAKPOINT (0x0000FFFF)

The following values are not supported on Windows 2000 Server:

  • NETLOGON_CONTROL_TC_VERIFY (0x0000000A)

  • NETLOGON_CONTROL_FORCE_DNS_REG (0x0000000B)

  • NETLOGON_CONTROL_QUERY_DNS_REG (0x0000000C)

The following values are not supported on Windows 7 and Windows Server 2008 R2:

  • NETLOGON_CONTROL_REPLICATE (0x00000002)

  • NETLOGON_CONTROL_SYNCHRONIZE (0x00000003)

  • NETLOGON_CONTROL_PDC_REPLICATE (0x00000004)

  • NETLOGON_CONTROL_BACKUP_CHANGE_LOG (0x0000FFFC)

No restrictions apply in Windows Server 2003, Windows Vista, and Windows Server 2008.

<248> Section 3.5.4.9.1: NETLOGON_CONTROL_REPLICATE is supported on servers that are Windows NT 4.0 BDCs; otherwise, the ERROR_NOT_SUPPORTED error is returned from a server that is not a Windows NT 4.0 BDC.

<249> Section 3.5.4.9.1: NETLOGON_CONTROL_SYNCHRONIZE is supported on Windows NT 4.0 BDCs; otherwise, the ERROR_NOT_SUPPORTED error is returned from a server that is not a Windows NT 4.0 BDC.

<250> Section 3.5.4.9.1: On a Windows NT, Windows 2000, or Windows XP DC, ERROR_NOT_SUPPORTED is returned. The server implementation decides how the DNS update status is recorded.

<251> Section 3.5.4.9.1: In Windows, the server copies to a backup file the contents of a file that contains a cache of database changes.

<252> Section 3.5.4.9.1: In Windows, the server truncates the contents of a debug file that contains debugging information about the Netlogon service operations.

<253> Section 3.5.4.9.1: In Windows, the server sets the level of verbosity of output into the debug file that contains debugging information about the Netlogon service operations. The level of verbosity to set is specified in the DebugFlag field of the Data parameter.

<254> Section 3.5.4.9.1: In Windows, if the NetrLogonControl2Ex method is called with the function code NETLOGON_CONTROL_BREAKPOINT and the operating system is not a checked build, the method returns ERROR_NOT_SUPPORTED.

<255> Section 3.5.4.9.1: In Windows, the server breaks into the debugger if it is attached to the computer that supports debugging.

<256> Section 3.5.4.9.1: The NETLOGON_INFO_4 structure is not supported in Windows NT.

<257> Section 3.5.4.9.1: Windows NT 4.0 BDCs force an immediate partial synchronization of all databases.

<258> Section 3.5.4.9.1: Windows NT 4.0 BDCs force an immediate full synchronization of all databases.

<259> Section 3.5.4.9.1: Windows NT 4.0 PDCs immediately send announcement messages to request each BDC to replicate the database.

<260> Section 3.5.4.9.1: Windows NT and Windows 2000 DCs return ERROR_NOT_SUPPORTED.

<261> Section 3.5.4.9.1: Windows NT and Windows 2000 DCs return ERROR_NOT_SUPPORTED.

<262> Section 3.5.4.9.2: The NetrLogonControl2 method is not supported in Windows NT 3.1.

<263> Section 3.5.4.9.3: NetrLogonControl is not available in Windows NT 3.1.

<264> Section 3.5.4.9.3: The FunctionCode parameter is restricted to the following values. If any other value is used, the error code ERROR_NOT_SUPPORTED is returned.

Windows NT 4.0:

  • NETLOGON_CONTROL_QUERY (0x00000001)

  • NETLOGON_CONTROL_REPLICATE (0x00000002)

  • NETLOGON_CONTROL_SYNCHRONIZE (0x00000003)

  • NETLOGON_CONTROL_PDC_REPLICATE (0x00000004)

Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008:

  • NETLOGON_CONTROL_QUERY (0x00000001)

  • NETLOGON_CONTROL_REPLICATE (0x00000002)

  • NETLOGON_CONTROL_SYNCHRONIZE (0x00000003)

  • NETLOGON_CONTROL_PDC_REPLICATE (0x00000004)

  • NETLOGON_CONTROL_BACKUP_CHANGE_LOG (0x0000FFFC)

  • NETLOGON_CONTROL_TRUNCATE_LOG (0x0000FFFD)

  • NETLOGON_CONTROL_BREAKPOINT (0x0000FFFF)

For all windows releases except Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008:

  • NETLOGON_CONTROL_QUERY (0x00000001)

  • NETLOGON_CONTROL_TRUNCATE_LOG (0x0000FFFD)

  • NETLOGON_CONTROL_BREAKPOINT (0x0000FFFF)

<265> Section 3.5.4.10: The Netlogon client implementations in Windows ignore these methods. The Netlogon server returns STATUS_NOT_IMPLEMENTED.

<266> Section 3.5.6: The new SignSecureChannel value is loaded into the Windows registry from the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters registry path and SignSecureChannel key.

<267> Section 3.6: On Windows DCs, replication is performed by the Active Directory replication service ([MS-DRSR]), except on Windows NT 4.0 DCs, where replication is performed by the Netlogon replication. Netlogon replication requires the PDC to run Windows NT Server 4.0 operating system, Windows 2000 Server, or Windows Server 2003, while BDCs run Windows NT Server 4.0. Windows Server 2008 does not support replication to Windows NT 4.0 BDCs.

<268> Section 3.6.4.1: To indicate such a local condition, the PDC returns a value of 0xC0000134 as the return value of the NetrDatabaseDeltas call. For example, the PDC maintains a partial database state cached in memory that the PDC can use for processing partial synchronization requests. If the cached information is not available (for example, if the cache gets flushed), the PDC returns the error code 0xC0000134.