3.5.4 Message Processing Events and Sequencing Rules

The following section specifies data and state maintained by the Netlogon RPC server. It includes details about receiving Netlogon RPC methods on the server side of the client/server communication. The provided data is to facilitate the explanation of how the protocol behaves. This section does not mandate that implementations adhere to this model as long as their external behavior is consistent with that described in this document.

This protocol MUST instruct the RPC runtime, via the strict_context_handle attribute, to reject use of context handles created by a method of a different RPC interface than this one, as specified in [MS-RPCE] section 3.

This protocol MUST indicate to the RPC runtime that it is to perform a strict NDR data consistency check at target level 6.0, as specified in [MS-RPCE] section 3.

Methods in RPC Opnum Order

Method

Description

NetrLogonUasLogon

This method was for support of LAN Manager products, and it is no longer used. This method was introduced in LAN Manager.

Opnum: 0

NetrLogonUasLogoff

This method was for support of LAN Manager products, and it is no longer used. This method was introduced in LAN Manager.

Opnum: 1

NetrLogonSamLogon

The NetrLogonSamLogon method updates the user's lastLogon attribute for the Security Account Manager (SAM).

Opnum: 2

NetrLogonSamLogoff

The NetrLogonSamLogoff method handles logoff requests for the SAM.

Opnum: 3

NetrServerReqChallenge

The NetrServerReqChallenge method receives a client challenge and returns a server challenge.

Opnum: 4

NetrServerAuthenticate

The NetrServerAuthenticate method authenticates an account by verifying that the computed client credentials are the same as those provided in the previous challenge.

Opnum: 5

NetrServerPasswordSet

The NetrServerPasswordSet method sets a new password for an account in the User Account Subsystem (UAS).

Opnum: 6

NetrDatabaseDeltas

The NetrDatabaseDeltas method returns a set of recent actions performed on the Security Account Manager (SAM) database, along with the number of times the domain has been modified.

Opnum: 7

NetrDatabaseSync

The NetrDatabaseSync method provides an interface to synchronize a backup domain controller's Security Account Manager (SAM) database to that of the primary domain controller (PDC) by means of replication.

Opnum: 8

NetrAccountDeltas

The NetrAccountDeltas method supported LAN Manager BDCs and is no longer supported.

Opnum: 9

NetrAccountSync

The NetrAccountSync method supported LAN Manager BDCs and is no longer supported.

Opnum: 10

NetrGetDCName

The NetrGetDCName method retrieves the NetBIOS name of the PDC for a specified domain.

Opnum: 11

NetrLogonControl

The NetrLogonControl method executes a specific Netlogon control operation.

Opnum: 12

NetrGetAnyDCName

The NetrGetAnyDCName method retrieves the name of a domain controller in a specified domain.

Opnum: 13

NetrLogonControl2

The NetrLogonControl2 method executes a specific Netlogon control operation. This method extends NetrLogonControl by allowing an input buffer that contains data for a particular query.

Opnum: 14

NetrServerAuthenticate2

The NetrServerAuthenticate2 method handles logoff requests for the Security Account Manager (SAM).

Opnum: 15

NetrDatabaseSync2

The NetrDatabaseSync2 method is used by a BDC to request the entire database from a PDC. It is called only by a BDC that has been previously authenticated by the PDC.

Opnum: 16

NetrDatabaseRedo

The NetrDatabaseRedo method is used by a SAM BDC to request information about a single account. It is called only by a BDC that has been previously authenticated by the PDC.

Opnum: 17

NetrLogonControl2Ex

The NetrLogonControl2Ex method executes a specific Netlogon control operation. The introduction of this method added support for query level (4) to both NetrLogonControl2Ex and NetrLogonControl2 for retrieving user account information.

Opnum: 18

NetrEnumerateTrustedDomains

The NetrEnumerateTrustedDomains method returns an enumeration of trusted domain names.

Opnum: 19

DsrGetDcName

The DsrGetDcName method returns the current domain controller for a specified domain.

Opnum: 20

NetrLogonGetCapabilities

The NetrLogonGetCapabilities method returns server capabilities or requested flags based on input QueryLevel parameter.

Opnum: 21

NetrLogonSetServiceBits

The NetrLogonSetServiceBits method indicates to Netlogon whether a domain controller is running a specified service. This is done by setting service bits.

Opnum: 22

NetrLogonGetTrustRid

The NetrLogonGetTrustRid method is used to obtain the RID of the account that is used by the specified server in its secure channel, to determine the DomainName for the specified domain.

Opnum: 23

NetrLogonComputeServerDigest

The NetrLogonComputeServerDigest method computes a cryptographic digest of a message.

Opnum: 24

NetrLogonComputeClientDigest

The NetrLogonComputeClientDigest method is used by a client to compute a cryptographic digest of a message.

Opnum: 25

NetrServerAuthenticate3

The NetrServerAuthenticate3 method extends NetrServerAuthenticate2, returning an account RID after authentication.

Opnum: 26

DsrGetDcNameEx

The DsrGetDcNameEx method returns the current domain controller for a specified domain and site.

Opnum: 27

DsrGetSiteName

The DsrGetSiteName method returns the site name for a specified computer.

Opnum: 28

NetrLogonGetDomainInfo

The NetrLogonGetDomainInfo method returns information that describes the current domain to which a specified client belongs.

Opnum: 29

NetrServerPasswordSet2

The NetrServerPasswordSet2 method allows an account to set a new clear text password. This method extends NetrServerPasswordSet, which specifies an encrypted one-way function (OWF) of a password.

Opnum: 30

NetrServerPasswordGet

The NetrServerPasswordGet method allows a BDC to get a computer account password from the PDC in the domain.

Opnum: 31

NetrLogonSendToSam

The NetrLogonSendToSam method allows a BDC or RODC to forward user account password changes to the PDC.

Opnum: 32

DsrAddressToSiteNamesW

The DsrAddressToSiteNamesW method resolves a list of socket addresses as their corresponding site names.

Opnum: 33

DsrGetDcNameEx2

The DsrGetDcNameEx2 method returns the current DC for a specified domain and site.

Opnum: 34

NetrLogonGetTimeServiceParentDomain

The NetrLogonGetTimeServiceParentDomain method returns the name of the parent domain of the current domain.

Opnum: 35

NetrEnumerateTrustedDomainsEx

The NetrEnumerateTrustedDomainsEx method returns a list of trusted domains from a specified server.

Opnum: 36

DsrAddressToSiteNamesExW

The DsrAddressToSiteNamesExW method translates a list of socket addresses into their corresponding site names and subnet names.

Opnum: 37

DsrGetDcSiteCoverageW

The DsrGetDcSiteCoverageW method returns a list of sites covered by a DC.

Opnum: 38

NetrLogonSamLogonEx

The NetrLogonSamLogonEx method provides an extension to NetrLogonSamLogon that allows for NT LAN Manager (NTLM) pass-through authentication.

Opnum: 39

DsrEnumerateDomainTrusts

The DsrEnumerateDomainTrusts method returns an enumerated list of domain trusts, filtered by a set of flags, from a specified server.

Opnum: 40

DsrDeregisterDnsHostRecords

The DsrDeregisterDnsHostRecords method deletes DNS entries, except for type A records registered by a DC.

Opnum: 41

NetrServerTrustPasswordsGet

The NetrServerTrustPasswordsGet method returns encrypted passwords for an account on a server.

Opnum: 42

DsrGetForestTrustInformation

The DsrGetForestTrustInformation method retrieves the trust information for the forest of the specified domain controller, or for a forest trusted by the forest of the specified DC.

Opnum: 43

NetrGetForestTrustInformation

The NetrGetForestTrustInformation method retrieves the trust information for the forest of which the member's domain is itself a member.

Opnum: 44

NetrLogonSamLogonWithFlags

The NetrLogonSamLogonWithFlags method handles logon requests for the SAM according to specific property flags.

Opnum: 45

NetrServerGetTrustInfo

The NetrServerGetTrustInfo method returns an information block from a specified server. The information includes encrypted passwords for a specific account and trust data.

Opnum: 46

OpnumUnused47

Opnum: 47

DsrUpdateReadOnlyServerDnsRecords

The DsrUpdateReadOnlyServerDnsRecords method allows an RODC to send a control command to a normal (writable) DC for site-specific and CName types of DNS records update.

Opnum: 48

NetrChainSetClientAttributes

When a read-only DC receives either the NetrServerAuthenticate3 method or the NetrLogonGetDomainInfo method, with updates requested, it invokes this method on a normal (writable) DC to update to a client's computer account object in Active Directory.

Opnum: 49

NetrServerAuthenticateKerberos

This method extends NetrServerAuthenticate3 to use Kerberos as the security support provider to establish the secure channel.

Opnum: 59

Note that gaps in the opnum numbering sequence represent opnums that SHOULD NOT<147> be used over the wire.

All methods MUST NOT throw an exception.

The following is a complete list of the Netlogon methods that require a secure channel to be established before they are called by a client. See section 3.1.4.1 for details about how to establish a secure channel between the client and the server:

  • DsrUpdateReadOnlyServerDnsRecords

  • NetrGetForestTrustInformation

  • NetrLogonSamLogon

  • NetrLogonSamLogonEx

  • NetrLogonSamLogonWithFlags

  • NetrLogonSamLogoff

  • NetrLogonSendToSam

  • NetrServerPasswordGet

  • NetrServerPasswordSet

  • NetrServerPasswordSet2

  • NetrServerGetTrustInfo

  • NetrServerTrustPasswordsGet

  • NetrLogonGetDomainInfo

  • NetrChainSetClientAttributes

  • NetrDatabaseDeltas

  • NetrDatabaseSync

  • NetrDatabaseSync2

  • NetrDatabaseRedo

  • NetrAccountDeltas

  • NetrAccountSync

  • NetrLogonDummyRoutine1