3.5.3 Initialization
The server side registers an endpoint with RPC over named pipes transport, using the NETLOGON named pipe<133> and an endpoint with RPC over TCP/IP. When DCRPCPort is present and is not NULL, and the server is a domain controller, then the DC MUST also register the port listed in DCRPCPort ([MS-RPCE] section 3.3.3.3.1.4). The server side MUST register the Netlogon security support provider (SSP) authentication_type constant [0x44] as the security provider ([MS-RPCE] section 3.3.3.3.1.3) used by the RPC interface.
NetlogonSecurityDescriptor: Initialized to the following value, expressed in Security Descriptor Description Language (SDDL) ([MS-DTYP] section 2.5.1): D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU) S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
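The SDDL above is easier to audit once it is decoded into per-trustee access masks: LocalSystem and Administrators hold the write-class rights, while Interactive and Service users get only create/list/self-write/list-object/control-access/read-control. The following Python decoder is an added example, not code from MS-NRPC or from Windows; the abbreviation-to-bit mapping is taken from [MS-DTYP] section 2.5.1, the set of rights it flags as "mutating" is the author's own choice, and the weakened descriptor it compares against is constructed for illustration (it grants WP to Interactive users). The page does not say which mask bits each Netlogon method checks, so the code only decodes and compares; it does not claim to reproduce the server's access check.

```python
"""Decode an SDDL security descriptor (as used for NetlogonSecurityDescriptor)
and flag non-privileged trustees that are granted object-changing rights."""
import re
from dataclasses import dataclass

# SDDL access-right abbreviations -> access-mask bits ([MS-DTYP] 2.5.1.2).
RIGHTS = {
    "CC": 0x00000001, "DC": 0x00000002, "LC": 0x00000004, "SW": 0x00000008,
    "RP": 0x00000010, "WP": 0x00000020, "DT": 0x00000040, "LO": 0x00000080,
    "CR": 0x00000100, "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000,
    "WO": 0x00080000, "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000,
    "GR": 0x80000000,
}
RIGHT_NAMES = {
    "CC": "CREATE_CHILD", "DC": "DELETE_CHILD", "LC": "LIST_CHILDREN",
    "SW": "SELF_WRITE", "RP": "READ_PROPERTY", "WP": "WRITE_PROPERTY",
    "DT": "DELETE_TREE", "LO": "LIST_OBJECT", "CR": "CONTROL_ACCESS",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GX": "GENERIC_EXECUTE", "GW": "GENERIC_WRITE",
    "GR": "GENERIC_READ",
}
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT"}
# Well-known SID abbreviations that appear in the default descriptor.
SIDS = {
    "SY": "S-1-5-18 (LocalSystem)", "BA": "S-1-5-32-544 (Administrators)",
    "IU": "S-1-5-4 (Interactive)", "SU": "S-1-5-6 (Service)",
    "WD": "S-1-1-0 (Everyone)",
}
# Rights that let a trustee change or destroy the object rather than use it.
# This classification is the example author's choice, not something MS-NRPC defines.
MUTATING = {"DC", "WP", "DT", "SD", "WD", "WO", "GA", "GW"}

# Default value from the page, and a constructed weakened variant for comparison.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU) "
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
WEAKENED_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                 "(A;;CCLCSWRPWPLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU) "
                 "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")  # constructed: IU gets WP


@dataclass
class Ace:
    ace_type: str   # "A", "D", "AU", ...
    flags: tuple    # ACE flags such as ("FA",) = FAILED_ACCESS_ACE_FLAG on an audit ACE
    mask: int       # decoded access mask
    trustee: str    # SID abbreviation or literal "S-1-..." string


def parse_mask(text):
    """Rights field: either a hex literal or a run of two-letter abbreviations."""
    if text.startswith("0x"):
        return int(text, 16)
    if len(text) % 2:
        raise ValueError(f"odd-length rights string: {text!r}")
    mask = 0
    for i in range(0, len(text), 2):
        mask |= RIGHTS[text[i:i + 2]]   # KeyError on an unknown abbreviation
    return mask


def parse_ace(body):
    """ACE fields are ';'-separated: type;flags;rights;object_guid;inherit_guid;sid."""
    ace_type, flags, rights, _obj_guid, _inh_guid, sid = body.split(";")
    flag_list = tuple(flags[i:i + 2] for i in range(0, len(flags), 2))
    return Ace(ace_type, flag_list, parse_mask(rights), sid)


def parse_sddl(sddl):
    """Split into O:/G:/D:/S: components; DACL and SACL become lists of Ace."""
    sd = {"owner": None, "group": None, "dacl": [], "sacl": []}
    for comp in re.split(r"(?=[OGDS]:)", sddl.replace(" ", "")):
        if not comp:
            continue
        key, value = comp[0], comp[2:]
        if key == "O":
            sd["owner"] = value
        elif key == "G":
            sd["group"] = value
        else:  # ACL flags (P, AI, AR) before the first '(' are ignored here
            aces = [parse_ace(b) for b in re.findall(r"\(([^)]*)\)", value)]
            sd["dacl" if key == "D" else "sacl"] = aces
    return sd


def describe(ace):
    names = [RIGHT_NAMES[k] for k, bit in RIGHTS.items() if ace.mask & bit]
    who = SIDS.get(ace.trustee, ace.trustee)
    kind = ACE_TYPES.get(ace.ace_type, ace.ace_type)
    return f"{kind} {who} mask=0x{ace.mask:X}: {', '.join(names)}"


def mutating_grants(sd, trusted=("SY", "BA")):
    """Trustees outside `trusted` that an ALLOW ACE grants any mutating right."""
    hits = []
    for ace in sd["dacl"]:
        if ace.ace_type != "A" or ace.trustee in trusted:
            continue
        bad = sorted(k for k in MUTATING if ace.mask & RIGHTS[k])
        if bad:
            hits.append((ace.trustee, bad))
    return hits


if __name__ == "__main__":
    for label, text in (("default", DEFAULT_SDDL), ("weakened", WEAKENED_SDDL)):
        sd = parse_sddl(text)
        print(f"== {label} ==")
        for ace in sd["dacl"] + sd["sacl"]:
            print("  " + describe(ace))
        print("  mutating grants to non-privileged trustees:", mutating_grants(sd))
```

Running the script decodes the default descriptor to masks 0x201FD (SY), 0xF01FF (BA) and 0x2018D (IU and SU), reports no mutating grants for the default, and reports `[('IU', ['WP'])]` for the constructed weakened variant. The same decoder can be pointed at a descriptor read back from a live server to confirm it has not drifted from the value above.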
ChallengeTable MUST be empty.
ClientSessionInfo MUST be empty.
RefusePasswordChange SHOULD be FALSE.
The ServerCapabilities field is initialized to reflect the capabilities offered by that server implementation.
RejectMD5Clients SHOULD<134> be initialized in an implementation-specific way and set to TRUE.
SealSecureChannel MUST be TRUE.
SignSecureChannel SHOULD<135> be initialized in an implementation-specific way and set to TRUE. Any changes made to the SignSecureChannel registry keys are reflected in the ADM elements when a PolicyChange event is received (section 3.1.6). This setting is deprecated, as SealSecureChannel MUST be TRUE.
StrongKeySupport SHOULD<136> be TRUE.
NetbiosDomainName is a shared ADM element with DomainName.NetBIOS ([MS-WKST] section 3.2.1.6).
DomainGuid: Prior to the initialization of the Netlogon Remote Protocol, DomainGuid has already been initialized, as specified in [MS-WKST] section 3.2.1.6, since the Netlogon Remote Protocol is running on a system already joined to a domain.
DomainSid: Prior to the initialization of the Netlogon Remote Protocol, DomainSid has already been initialized, as specified in [MS-WKST] section 3.2.1.6, since the Netlogon Remote Protocol is running on a system already joined to a domain.
AllowSingleLabelDNSDomain SHOULD<137> be set to a locally configured value.
AllowDnsSuffixSearch SHOULD<138> be set to TRUE.
SiteName SHOULD<139> be initialized from msDS-SiteName ([MS-ADTS] section 3.1.1.4.5.29) of the computer object if the server is a DC. If the server is not a DC, this ADM element is set to a locally configured value.
NextClosestSiteName: Initialized as follows: If the server is a DC, the server invokes IDL_DRSQuerySitesByCost ([MS-DRSR] section 4.1.16), setting NextClosestSiteName to the site that is closest to SiteName but not equal to SiteName. If the server is not a DC, this ADM element is initialized to NULL.
DynamicSiteNameSetTime MUST be set to a value such that DynamicSiteNameSetTime plus DynamicSiteNameTimeout is less than the current time.
FailedDiscoveryCachePeriod SHOULD<140> be set to a locally configured value.
CacheEntryValidityPeriod SHOULD<141> be set to a locally configured value.
CacheEntryPingValidityPeriod SHOULD<142> be set to a locally configured value.
If the NRPC server is a DC, then the following abstract data model variables are initialized:
DCRPCPort SHOULD<143> be initialized in an implementation-specific way and MUST default to NULL.
DnsForestName is initialized from the FQDN of rootDomainNamingContext ([MS-ADTS] section 3.1.1.3.2.16).
The objects in TrustedDomainObjectsCollection are initialized as specified in [MS-LSAD] section 3.1.1.5.
The NT4Emulator field is set to FALSE.
RejectDES SHOULD<144> be initialized in an implementation-specific way and SHOULD<145> default to TRUE.
ServerServiceBits is initialized to zero.
SiteCoverage is initialized in an implementation-specific way and MUST default to NULL. Implementations SHOULD<146> persistently store and retrieve the SiteCoverage variable.