3.4.5.2.12 Calling NetrChainSetClientAttributes

The read-only domain controller MUST do the following:

  • Have a secure channel established with a normal (writable) DC in the domain identified by domain-name and pass its name as the ServerName parameter.

  • Pass a valid client Netlogon authenticator as the Authenticator parameter.

  • Pass the dwInVersion parameter set to 1.

  • Pass the address of a valid NL_OUT_CHAIN_SET_CLIENT_ATTRIBUTES_V1 structure as the pmsgIn parameter.

  • Pass the pdwOutVersion parameter set to the address of the value 1.

  • Pass the address of a valid NL_OUT_CHAIN_SET_CLIENT_ATTRIBUTES_V1 structure as the pmsgOut parameter.

After the method returns, the client MUST verify the ReturnAuthenticator, as defined in section 3.1.4.5.

On receiving STATUS_ACCESS_DENIED, the client SHOULD<111> reestablish the secure channel with the normal (writable) DC.