3.4.5.2.8 Calling NetrServerPasswordGet
The client calling this method MUST be a backup domain controller (BDC). The client MUST do the following:
Have a secure channel established with a domain controller in the domain identified by domain-name and pass its name as the ServerName parameter.
Pass a valid client Netlogon authenticator as the Authenticator parameter.
The client MUST decrypt the EncryptedNtOwfPassword return parameter that was encrypted (as specified in [MS-SAMR] section 2.2.11.1.1) with the Session-Key for the secure channel as the specified key.
After the method returns, the client MUST verify the ReturnAuthenticator, as defined in section 3.1.4.5.
On receiving STATUS_ACCESS_DENIED, the client SHOULD<104> reestablish the secure channel with the domain controller.