3.5.4.4.10 NetrLogonGetDomainInfo (Opnum 29)

  • Article

The NetrLogonGetDomainInfo method SHOULD<190> return information that describes the current domain to which the specified client belongs. 

 NTSTATUS NetrLogonGetDomainInfo(
   [in, string] LOGONSRV_HANDLE ServerName,
   [in, string, unique] wchar_t* ComputerName,
   [in] PNETLOGON_AUTHENTICATOR Authenticator,
   [in, out] PNETLOGON_AUTHENTICATOR ReturnAuthenticator,
   [in] DWORD Level,
   [in, switch_is(Level)] PNETLOGON_WORKSTATION_INFORMATION WkstaBuffer,
   [out, switch_is(Level)] PNETLOGON_DOMAIN_INFORMATION DomBuffer
 );

ServerName: The custom binding handle, as defined in section 3.5.4.1.

ComputerName: The null-terminated Unicode string that contains the name of the client computer issuing the request.

Authenticator: A pointer to a NETLOGON_AUTHENTICATOR structure, as specified in section 2.2.1.1.5, that contains the client authenticator.

ReturnAuthenticator: A pointer to a NETLOGON_AUTHENTICATOR structure, as specified in section 2.2.1.1.5, that contains the server return authenticator.

Level: The information level requested by the client. The DomBuffer parameter contains one of the following structures, based on the value of this field.

Value

Meaning

0x00000001

The DomBuffer contains a NETLOGON_DOMAIN_INFO structure.

0x00000002

The DomBuffer contains a NETLOGON_LSA_POLICY_INFO structure.

WkstaBuffer: A pointer to a NETLOGON_WORKSTATION_INFO structure, as specified in section 2.2.1.3.6, that contains information about the client workstation.

DomBuffer: A pointer to a NETLOGON_DOMAIN_INFORMATION structure, as specified in section 2.2.1.3.12, that contains information about the domain or policy information.

Return Values: The method returns 0x00000000 on success; otherwise, it returns a nonzero error code.

On receiving this call, the server MUST perform the following validation steps:

  • Apply Common Error Processing Rule A, specified in section 3.

  • Verify that the WkstaBuffer parameter is not NULL. If it is, the server SHOULD<191> return STATUS_INVALID_PARAMETER.

  • Verify that the Level parameter is set to 1 or 2. All other values are invalid, and STATUS_INVALID_LEVEL MUST be returned.

  • Using the ComputerName for the secure channel to find the corresponding record in the ClientSessionInfo table, verify the Authenticator parameter (section 3.1.4.5). If the Authenticator parameter is valid, compute the ReturnAuthenticator parameter returned (section 3.1.4.5). Otherwise, the server MUST return STATUS_ACCESS_DENIED.

If the Level parameter is set to 1, the return structure pointed to by DomBuffer MUST be generated as follows:

  • NETLOGON_DOMAIN_INFO.PrimaryDomain.DomainName MUST be set to NetbiosDomainName.

  • NETLOGON_DOMAIN_INFO.PrimaryDomain.DnsDomainName MUST be set to DnsDomainName.

  • NETLOGON_DOMAIN_INFO.PrimaryDomain.DnsForestName MUST be set to DnsForestName.

  • NETLOGON_DOMAIN_INFO.PrimaryDomain.DomainGuid MUST be set to DomainGuid.

  • NETLOGON_DOMAIN_INFO.PrimaryDomain.DomainSid MUST be set to DomainSid.

  • NETLOGON_DOMAIN_INFO.WorkstationFlags MUST be set with the bitwise AND of NETLOGON_WORKSTATION_INFORMATION.WorkstationInfo.WorkstationFlags and 0x3.

  • NETLOGON_DOMAIN_INFO.TrustedDomainCount MUST be set to the number of elements of the trusted domain list returned by performing the external behavior consistent with locally invoking LsarEnumerateTrustedDomainsEx ([MS-LSAD] section 3.1.4.7.7). The EnumerationContext parameter MUST be set to 0 and PreferredMaximumLength SHOULD<192> be set to 4096. A policy handle is not needed locally.

  • NETLOGON_DOMAIN_INFO.TrustedDomains MUST be set to a TrustedDomainCount-sized array of NETLOGON_ONE_DOMAIN_INFO structures. Each structure MUST be generated as follows:

    • NETLOGON_ONE_DOMAIN_INFO.DomainName MUST be set to the NetBIOS domain name of the trusted domain.

    • NETLOGON_ONE_DOMAIN_INFO.DnsDomainName MUST be set to the DNS domain name of the trusted domain.

    • NETLOGON_ONE_DOMAIN_INFO.DnsForestName MUST be set to NULL string.

    • NETLOGON_ONE_DOMAIN_INFO.DomainGuid MUST be set to the domain GUID of the trusted domain.

    • NETLOGON_ONE_DOMAIN_INFO.DomainSid SHOULD<193> be set to the domain SID of the trusted domain.

  • NETLOGON_DOMAIN_INFO.SupportedEncTypes MUST be set to the value of the msDS-SupportedEncryptionTypes attribute ([MS-ADA2] section 2.481) of the ComputerName account. If the msDS-SupportedEncryptionTypes attribute does not exist, then set NETLOGON_DOMAIN_INFO.SupportedEncTypes to 0xFFFFFFFF.

     Structure

     Reference

    NETLOGON_DOMAIN_INFO

    For details, see section 2.2.1.3.11.

    NETLOGON_WORKSTATION_INFO

    For details, see section 2.2.1.3.6.

    DS_DOMAIN_TRUSTSW

    For details, see section 2.2.1.6.2.

    NETLOGON_ONE_DOMAIN_INFO

    For details, see section 2.2.1.3.10.

If the Level parameter is set to 2:

  • NETLOGON_DOMAIN_INFO.LsaPolicy.LsaPolicySize MUST be set to 0.

  • NETLOGON_DOMAIN_INFO.LsaPolicy.LsaPolicy MUST be set to NULL.

If the WkstaBuffer.WorkstationInfo pointer is NULL, no further processing occurs and NERR_Success MUST be returned.

If WkstaBuffer.WorkstationInfo.WorkstationFlags has the 0x2 bit set, NETLOGON_DOMAIN_INFO.DnsHostNameInDs is set to the dNSHostName attribute ([MS-ADA1] section 2.185) of the client account. The dNSHostName attribute is validated against the constraints specified in [MS-ADTS] section 3.1.1.5.3.1.1.2. If there was a change in domain naming, this value holds the previous DNS host name because the AD query is done prior to changing the value. If WkstaBuffer.WorkstationInfo.WorkstationFlags does not have the 0x2 bit set, the server adds the following SPNs to the ServicePrincipalName attribute of the clients account:

  • HOST/<Netbios name>

  • HOST/<FQDN name>

WkstaBuffer.WorkstationInfo.OsName and WkstaBuffer.WorkstationInfo.OsVersion are processed as specified in section 2.2.1.3.6. If WkstaBuffer.WorkstationInfo.OsName and WkstaBuffer.WorkstationInfo.OsVersion are not specified, then use a generic string, for example, "Windows unknown version" to update the operatingSystem attribute. If WkstaBuffer.WorkstationInfo.OsVersion is specified but WkstaBuffer.WorkstationInfo.OsName is not, then a different generic string SHOULD<194> be used to update the operatingSystem attribute, depending on the value of WkstaBuffer.WorkstationInfo.OsVersion.wProductType.<195>

If WkstaBuffer.WorkstationInfo.KerberosSupportedEncryptionTypes is set, NETLOGON_DOMAIN_INFO.SupportedEncTypes is set to the msDS-SupportedEncryptionTypes attribute ([MS-ADA2] section 2.481) of the client account.

This method SHOULD only be called by a machine that has established a secure channel with the server.