3.1.3 Initialization

The server initializes when the server host machine starts. The server MUST restore the state of the GroupPolicyRSoPStore, the LocalStore, and the DefaultsStore from persistent storage. The order in which the stores are loaded does not matter. The PortsInUse collection and the TrustTuples collection MUST be initialized to an empty set.

The server MUST ensure that LocalStore and GroupPolicyRSoPStore contain the Phase 1 and Phase 2 primary AuthenticationSet objects. If either of the primary sets is missing, the server MUST create a new instance and set the corresponding IsAuthConfigured property to false. The values used to initialize the new instances are implementation-specific.<29>

The server MUST ensure that LocalStore and GroupPolicyRSoPStore contain the Phase 1 and Phase 2 primary CryptoSet objects. If either of the primary sets is missing, the server MUST create a new instance and set the corresponding IsCryptoConfigured property to false. The values used to initialize the new instances are implementation-specific.<30>

The server MUST merge GroupPolicyRSoPStore and LocalStore and use the result to initialize DynamicStore. The merge logic is as follows:

  • For the GlobalConfiguration and ProfileConfiguration options, if an option is configured in only one store, that value MUST be used. If an option is configured in neither store, the option MUST be initialized to an implementation-specific<31> default value. If an option is configured in both stores, the values MUST be merged according to the merge law for that option. The merge laws for GlobalConfiguration and ProfileConfiguration options are specified in sections 2.2.42 and 2.2.38 respectively.

  • For FirewallRules, ConnectionSecurityRules, and MainModeRules, all the rules from both stores MUST be combined and added to DynamicStore.

  • For AuthenticationSets, if a primary set in GroupPolicyRSoPStore has IsAuthConfigured set to true, that set MUST be added to DynamicStore and the corresponding set in LocalStore MUST be ignored. Otherwise, the primary set from LocalStore MUST be used. For all other sets (that is, the sets where IsAuthPrimary is false), the sets from both stores MUST be combined and added to DynamicStore.

  • For CryptoSets, if a primary set in GroupPolicyRSoPStore has IsCryptoConfigured set to true, that set MUST be added to DynamicStore and the corresponding set in LocalStore MUST be ignored. Otherwise, the primary set from LocalStore MUST be used. For all other sets (that is, the sets where IsCryptoPrimary is false), the sets from both stores MUST be combined and added to DynamicStore.
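The set and rule merge described in the list above, as an added example that is not part of the specification or of any implementation of it. The PolicySet class, its field names, the placeholder contents, and the sample data are all assumptions made for illustration; "corresponding set" is read as the primary set for the same phase, and the option merge laws of sections 2.2.42 and 2.2.38 are not modeled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PolicySet:
    # Stands in for an AuthenticationSet or CryptoSet; field names are illustrative.
    name: str
    phase: int         # 1 or 2
    primary: bool      # IsAuthPrimary / IsCryptoPrimary
    configured: bool   # IsAuthConfigured / IsCryptoConfigured
    origin: str        # "GP" or "Local", kept only to trace the merge result

def ensure_primaries(sets, origin):
    """Add a not-configured primary set for any phase that lacks one."""
    out = list(sets)
    for phase in (1, 2):
        if not any(s.primary and s.phase == phase for s in out):
            # Placeholder contents: real initial values are implementation-specific.
            out.append(PolicySet(f"placeholder-p{phase}", phase, True, False, origin))
    return out

def merge_sets(gp_sets, local_sets):
    """Per phase: a configured GP primary wins, else the Local primary is used.
    Non-primary sets from both stores are combined."""
    gp, local = ensure_primaries(gp_sets, "GP"), ensure_primaries(local_sets, "Local")
    merged = []
    for phase in (1, 2):
        gp_primary = next(s for s in gp if s.primary and s.phase == phase)
        local_primary = next(s for s in local if s.primary and s.phase == phase)
        merged.append(gp_primary if gp_primary.configured else local_primary)
    merged += [s for s in gp + local if not s.primary]
    return merged

def merge_rules(gp_rules, local_rules):
    """Rules from both stores are all carried into DynamicStore."""
    return list(gp_rules) + list(local_rules)

# Constructed sample: Group Policy configures only the Phase 1 primary set.
GP_AUTH = [PolicySet("gp-p1", 1, True, True, "GP"),
           PolicySet("gp-extra", 2, False, True, "GP")]
LOCAL_AUTH = [PolicySet("local-p1", 1, True, True, "Local"),
              PolicySet("local-p2", 2, True, True, "Local")]

if __name__ == "__main__":
    for s in merge_sets(GP_AUTH, LOCAL_AUTH):
        print(s.origin, s.name, "primary" if s.primary else "non-primary")
```

With this sample the Local Phase 1 primary is dropped in favor of the Group Policy one, while the Local Phase 2 primary survives because the Group Policy store only holds a not-configured placeholder for that phase.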

After the merge is complete, the server MUST invoke the abstract interface SetEffectiveFirewallPolicy (section 3.1.6.6) with the contents of DynamicStore. It MUST register the RPC interface and begin listening on the RPC endpoint as specified in section 2.1.