3 Protocol Details

The Netlogon Remote Protocol remote procedure call (RPC) interface is used primarily to maintain the relationship between a machine and its domain, and relationships among domain controllers (DCs) and domains. As such, there are several distinct responsibilities that the RPC interface fulfills while acting in this maintenance capacity. These responsibilities are as follows:<65>

  • To establish and maintain the secure channel that is used by members of a domain to communicate with the domain controller (DC).

  • To transport authentication requests from domain members to the DC, and among DCs. This functionality is most commonly implemented by authentications using the NTLM Authentication Protocol ([MS-NLMP]), but it is also used by other protocols such as Kerberos and Digest ([MS-APDS] section 1.4).

  • To transmit certain account changes, such as password changes or account lockout information. Details about the types of account changes that can be transmitted are as specified in Netlogon NT Replication Details (section 3.6).

  • To serve as its own security provider for its RPC connection; that is, the authentication protocol is used both within the RPC exchanges for specific methods, and also as a general authentication protocol for the entire Netlogon Remote Protocol RPC interface.

The details of the Netlogon Remote Protocol are presented in the following sections:

  • Section 3.1 specifies the authentication aspects that are common to all Netlogon Remote Protocol roles, including establishing the secure channel. Before any method that utilizes the secure channel can be invoked, the authentication process that is defined in this section MUST be completed.

  • Section 3.2 specifies the use of the Netlogon Remote Protocol for pass-through authentication.

  • Section 3.3 specifies the use of the Netlogon Remote Protocol authentication method as a generic security authentication mechanism.

  • Sections 3.4 and 3.5 detail client and server operations, respectively.

  • Section 3.6 specifies the behavior of the Netlogon Remote Protocol in the account replication role in environments with BDCs.

All the Netlogon Remote Protocol methods return 0x00000000 (NERR_Success) to indicate success; otherwise, they return a 32-bit nonzero error code. There are two types of error codes returned, NET_API_STATUS ([MS-ERREF] section 2.2) and NTSTATUS ([MS-ERREF] section 2.3). For more information about NTSTATUS values, see [NTSTATUSERR].

Common Error Processing Rules

Several Netlogon Remote Protocol methods apply the processing rules listed in the following section to determine which error codes are returned. The applicable processing rules from those mentioned in this section are referred to in each of the method descriptions. Error codes prepended with the prefix STATUS are of type NTSTATUS ([MS-ERREF] section 2.3); the remaining error codes are of type NET_API_STATUS. Error codes prepended with the prefix ERROR are defined in [MS-ERREF] section 2.2.

Common Error Processing Rule



If a server does not support a specific Netlogon RPC method, it MUST return ERROR_NOT_SUPPORTED or STATUS_NOT_SUPPORTED, based on the return type. This includes the case when the server is not a domain controller.


If the input parameter to a Netlogon RPC request is a computer name or server name, the server SHOULD<66> look up this name in the domain the server hosts. If the name is not found, the server MUST return ERROR_INVALID_COMPUTERNAME or STATUS_INVALID_COMPUTER_NAME.


If a server needs to locate a domain controller (DC) to service a Netlogon RPC request, it follows the method specified in [MS-ADTS] section 6.3.6. If the DC cannot be located by following this method, the server MUST return ERROR_NO_LOGON_SERVERS or STATUS_NO_LOGON_SERVERS, depending on the return type.


If the Directory Service is paused and the Netlogon RPC method cannot be processed further, the server returns STATUS_DS_BUSY.


The server MUST return ERROR_NO_SUCH_DOMAIN if the DC could not be located for the specified domain, or if the specified domain is not primary or directly trusted.

The default pointer type for the Netlogon Remote Protocol RPC interface is pointer_default(unique). Method calls are received at a dynamically assigned endpoint ([MS-RPCE] section The endpoints for the Netlogon Remote Protocol service are negotiated by the RPC endpoint mapper ([MS-RPCE] section 

Out of Memory Errors

Netlogon Remote Protocol methods require allocation of memory in order to execute their processing rules. If a client or server is unable to allocate the memory required, it MUST return STATUS_NO_MEMORY.