3.4.5.2.12 Calling NetrChainSetClientAttributes
The read-only domain controller MUST do the following:
Have a secure channel established with a normal (writable) DC in the domain identified by domain-name and pass its name as the ServerName parameter.
Pass a valid client Netlogon authenticator as the Authenticator parameter.
Pass the dwInVersion parameter set to 1.
Pass the address of a valid NL_OUT_CHAIN_SET_CLIENT_ATTRIBUTES_V1 structure as the pmsgIn parameter.
Pass the pdwOutVersion parameter set to the address of the value 1.
Pass the address of a valid NL_OUT_CHAIN_SET_CLIENT_ATTRIBUTES_V1 structure as the pmsgOut parameter.
After the method returns, the client MUST verify the ReturnAuthenticator, as defined in section 3.1.4.5.
On receiving STATUS_ACCESS_DENIED, the client SHOULD<111> reestablish the secure channel with the normal (writable) DC.