3.5.4 Message Processing Events and Sequencing Rules
The following section specifies data and state maintained by the Netlogon RPC server. It includes details about receiving Netlogon RPC methods on the server side of the client/server communication. The provided data is to facilitate the explanation of how the protocol behaves. This section does not mandate that implementations adhere to this model as long as their external behavior is consistent with that described in this document.
This protocol MUST instruct the RPC runtime, via the strict_context_handle attribute, to reject use of context handles created by a method of a different RPC interface than this one, as specified in [MS-RPCE] section 3.
This protocol MUST indicate to the RPC runtime that it is to perform a strict NDR data consistency check at target level 6.0, as specified in [MS-RPCE] section 3.
Methods in RPC Opnum Order
Method |
Description |
---|---|
This method was for support of LAN Manager products, and it is no longer used. This method was introduced in LAN Manager. Opnum: 0 |
|
This method was for support of LAN Manager products, and it is no longer used. This method was introduced in LAN Manager. Opnum: 1 |
|
The NetrLogonSamLogon method updates the user's lastLogon attribute for the Security Account Manager (SAM). Opnum: 2 |
|
The NetrLogonSamLogoff method handles logoff requests for the SAM. Opnum: 3 |
|
The NetrServerReqChallenge method receives a client challenge and returns a server challenge. Opnum: 4 |
|
The NetrServerAuthenticate method authenticates an account by verifying that the computed client credentials are the same as those provided in the previous challenge. Opnum: 5 |
|
The NetrServerPasswordSet method sets a new password for an account in the User Account Subsystem (UAS). Opnum: 6 |
|
The NetrDatabaseDeltas method returns a set of recent actions performed on the Security Account Manager (SAM) database, along with the number of times the domain has been modified. Opnum: 7 |
|
The NetrDatabaseSync method provides an interface to synchronize a backup domain controller's Security Account Manager (SAM) database to that of the primary domain controller (PDC) by means of replication. Opnum: 8 |
|
The NetrAccountDeltas method supported LAN Manager BDCs and is no longer supported. Opnum: 9 |
|
The NetrAccountSync method supported LAN Manager BDCs and is no longer supported. Opnum: 10 |
|
The NetrGetDCName method retrieves the NetBIOS name of the PDC for a specified domain. Opnum: 11 |
|
The NetrLogonControl method executes a specific Netlogon control operation. Opnum: 12 |
|
The NetrGetAnyDCName method retrieves the name of a domain controller in a specified domain. Opnum: 13 |
|
The NetrLogonControl2 method executes a specific Netlogon control operation. This method extends NetrLogonControl by allowing an input buffer that contains data for a particular query. Opnum: 14 |
|
The NetrServerAuthenticate2 method handles logoff requests for the Security Account Manager (SAM). Opnum: 15 |
|
The NetrDatabaseSync2 method is used by a BDC to request the entire database from a PDC. It is called only by a BDC that has been previously authenticated by the PDC. Opnum: 16 |
|
The NetrDatabaseRedo method is used by a SAM BDC to request information about a single account. It is called only by a BDC that has been previously authenticated by the PDC. Opnum: 17 |
|
The NetrLogonControl2Ex method executes a specific Netlogon control operation. The introduction of this method added support for query level (4) to both NetrLogonControl2Ex and NetrLogonControl2 for retrieving user account information. Opnum: 18 |
|
The NetrEnumerateTrustedDomains method returns an enumeration of trusted domain names. Opnum: 19 |
|
The DsrGetDcName method returns the current domain controller for a specified domain. Opnum: 20 |
|
Opnum: 21 |
|
The NetrLogonSetServiceBits method indicates to Netlogon whether a domain controller is running a specified service. This is done by setting service bits. Opnum: 22 |
|
The NetrLogonGetTrustRid method is used to obtain the RID of the account that is used by the specified server in its secure channel, to determine the DomainName for the specified domain. Opnum: 23 |
|
The NetrLogonComputeServerDigest method computes a cryptographic digest of a message. Opnum: 24 |
|
The NetrLogonComputeClientDigest method is used by a client to compute a cryptographic digest of a message. Opnum: 25 |
|
The NetrServerAuthenticate3 method extends NetrServerAuthenticate2, returning an account RID after authentication. Opnum: 26 |
|
The DsrGetDcNameEx method returns the current domain controller for a specified domain and site. Opnum: 27 |
|
The DsrGetSiteName method returns the site name for a specified computer. Opnum: 28 |
|
The NetrLogonGetDomainInfo method returns information that describes the current domain to which a specified client belongs. Opnum: 29 |
|
The NetrServerPasswordSet2 method allows an account to set a new clear text password. This method extends NetrServerPasswordSet, which specifies an encrypted one-way function (OWF) of a password. Opnum: 30 |
|
The NetrServerPasswordGet method allows a BDC to get a computer account password from the PDC in the domain. Opnum: 31 |
|
The NetrLogonSendToSam method allows a BDC or RODC to forward user account password changes to the PDC. Opnum: 32 |
|
The DsrAddressToSiteNamesW method resolves a list of socket addresses as their corresponding site names. Opnum: 33 |
|
The DsrGetDcNameEx2 method returns the current DC for a specified domain and site. Opnum: 34 |
|
The NetrLogonGetTimeServiceParentDomain method returns the name of the parent domain of the current domain. Opnum: 35 |
|
The NetrEnumerateTrustedDomainsEx method returns a list of trusted domains from a specified server. Opnum: 36 |
|
The DsrAddressToSiteNamesExW method translates a list of socket addresses into their corresponding site names and subnet names. Opnum: 37 |
|
The DsrGetDcSiteCoverageW method returns a list of sites covered by a DC. Opnum: 38 |
|
The NetrLogonSamLogonEx method provides an extension to NetrLogonSamLogon that allows for NT LAN Manager (NTLM) pass-through authentication. Opnum: 39 |
|
The DsrEnumerateDomainTrusts method returns an enumerated list of domain trusts, filtered by a set of flags, from a specified server. Opnum: 40 |
|
The DsrDeregisterDnsHostRecords method deletes DNS entries, except for type A records registered by a DC. Opnum: 41 |
|
The NetrServerTrustPasswordsGet method returns encrypted passwords for an account on a server. Opnum: 42 |
|
The DsrGetForestTrustInformation method retrieves the trust information for the forest of the specified domain controller, or for a forest trusted by the forest of the specified DC. Opnum: 43 |
|
The NetrGetForestTrustInformation method retrieves the trust information for the forest of which the member's domain is itself a member. Opnum: 44 |
|
The NetrLogonSamLogonWithFlags method handles logon requests for the SAM according to specific property flags. Opnum: 45 |
|
The NetrServerGetTrustInfo method returns an information block from a specified server. The information includes encrypted passwords for a specific account and trust data. Opnum: 46 |
|
OpnumUnused47 |
Opnum: 47 |
The DsrUpdateReadOnlyServerDnsRecords method allows an RODC to send a control command to a normal (writable) DC for site-specific and CName types of DNS records update. Opnum: 48 |
|
When a read-only DC receives either the NetrServerAuthenticate3 method or the NetrLogonGetDomainInfo method, with updates requested, it invokes this method on a normal (writable) DC to update to a client's computer account object in Active Directory. Opnum: 49 |
|
This method extends NetrServerAuthenticate3 to use Kerberos as the security support provider to establish the secure channel. Opnum: 59 |
Note that gaps in the opnum numbering sequence represent opnums that SHOULD NOT<147> be used over the wire.
All methods MUST NOT throw an exception.
The following is a complete list of the Netlogon methods that require a secure channel to be established before they are called by a client. See section 3.1.4.1 for details about how to establish a secure channel between the client and the server:
DsrUpdateReadOnlyServerDnsRecords
NetrGetForestTrustInformation
NetrLogonSamLogon
NetrLogonSamLogonEx
NetrLogonSamLogonWithFlags
NetrLogonSamLogoff
NetrLogonSendToSam
NetrServerPasswordGet
NetrServerPasswordSet
NetrServerPasswordSet2
NetrServerGetTrustInfo
NetrServerTrustPasswordsGet
NetrLogonGetDomainInfo
NetrChainSetClientAttributes
NetrDatabaseDeltas
NetrDatabaseSync
NetrDatabaseSync2
NetrDatabaseRedo
NetrAccountDeltas
NetrAccountSync
NetrLogonDummyRoutine1