3.5.1 Abstract Data Model

This section describes a conceptual model of possible data organization that an implementation maintains to participate in this protocol. The described organization is provided to facilitate the explanation of how the protocol behaves. This document does not mandate that implementations adhere to this model as long as their external behavior is consistent with that described in this document.

A Netlogon Remote Protocol server maintains the following abstract variables in addition to the ones defined in section 3.1:

NetlogonSecurityDescriptor: A security descriptor that is used for verifying access security during processing of some methods. This security descriptor MUST NOT be changed.

ServerCapabilities: A 32-bit set of bit flag options defined in section 3.1.4.2 that identifies the server's supported options.

DNSDomainName: The FQDN domain name for the domain to which the server belongs. This ADM element is shared with DomainName.FQDN ([MS-WKST] section 3.2.1.6).

NetbiosDomainName: The NetBIOS domain name for the domain to which the server belongs. This ADM element is shared with DomainName.NetBIOS ([MS-WKST] section 3.2.1.6).

DomainGuid: The GUID for the domain. This ADM element is shared with DomainGuid ([MS-WKST] section 3.2.1.6).

DomainSid: The security identifier for the domain. This ADM element is shared with DomainSid ([MS-WKST] section 3.2.1.6).

AllowSingleLabelDNSDomain: A Boolean that specifies whether DC location via single label DNS names is enabled.

AllowDnsSuffixSearch: A Boolean that specifies whether DC location via single-label domains using DNS suffix composition is enabled.

SiteName: The site name of the computer.

NextClosestSiteName: The name of the site that is closest to the site of the computer.

DynamicSiteName: Dynamically determined site name of the computer.

DynamicSiteNameTimeout: An implementation-specific time span that determines whether it SHOULD<128> be time to rediscover the site name.

DynamicSiteNameSetTime: An implementation-specific timestamp indicating the time at which DynamicSiteName was determined.

ChallengeTable: A table indexed by ComputerName with the following members:

FailedDiscoveryCache: A cache containing a set of failed DC discovery attempts. The fields of the cache are implementation-specific, but any cache implementation MUST be able to return the time when the last DC discovery attempt failed for a given domain name (see section 3.5.4.3.1).

FailedDiscoveryCachePeriod: The length of time, in seconds, for which an entry in the FailedDiscoveryCache is valid.

CacheEntryValidityPeriod: The length of time, in hours, for which an entry in the LocatedDCsCache is valid.

CacheEntryPingValidityPeriod: The length of time, in minutes, for which an entry in the LocatedDCsCache is considered valid without having to ping the DC represented by that cached entry.

The Netlogon server variables which are registry keys are as follows:

RejectMD5Clients: A Boolean variable that indicates whether the server SHOULD<129> reject incoming clients that are using MD5 encryption.

SignSecureChannel: A Boolean variable that determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates. This setting is deprecated, as SealSecureChannel MUST be TRUE.

TrustedDomains: A list of domain trusts (of type DS_DOMAIN_TRUSTSW (section 2.2.1.6.2)) obtained by calling DsrEnumerateDomainTrusts (section 3.5.4.7.1).

When the server is a DC, it also maintains the following abstract variables:

RejectDES: A Boolean variable that indicates whether the server MUST reject incoming clients using DES encryption in ECB mode.

DnsForestName: The FQDN forest name for the forest to which the domain belongs. The DnsForestName value is configured as specified in [MS-WKST] and is shared with DomainName.FQDN ([MS-WKST] section 3.2.1.6).

LogonAttempts: A 32-bit unsigned integer shared from LogonAttempts ([MS-APDS] section 3.1.1).

NT4Emulator: A Boolean variable that indicates whether the server offers only the server capabilities of a Windows NT 4.0 server unless the client specifically requests otherwise.<130>

RefusePasswordChange: Indicates whether the server refuses client password changes. This domain-wide setting tells client machines to avoid password changes. When TRUE, the NegotiateFlags bit I is sent.

DCRPCPort: The domain controller Netlogon port that SHOULD<131> be registered with the RPC endpoint mapper instead of the standard dynamic port. It is read only once, at initialization.

SiteCoverage: The names of all the sites that a domain controller covers.

TrustedDomainObjectsCollection: A collection of trusted domain objects as defined and initialized in [MS-LSAD] section 3.1.1.5.

The server also maintains the following abstract variable for backup domain controller (BDC) replication:

SynchronizationComplete: A Boolean variable that indicates that database synchronization is complete.

When a secure channel is established, the server maintains:

ClientSessionInfo: A table indexed by ComputerName with the following members:

  • ComputerName: The ComputerName (section 3.5.4.4.1) used by the DC during session-key negotiations (section 3.1.4.1).

  • ClientSequenceNumber: See section 3.3.1 for ClientSequenceNumber details.

  • AccountRid: The RID of this client's machine account.

  • ServerSequenceNumber: See section 3.3.1 for ServerSequenceNumber details.

  • Session-Key: See section 3.1.4.3 for Session-Key computation details.

  • NegotiateFlags: See section 3.1.1 for NegotiateFlags details.

  • ServerStoredCredential: See section 3.1.1 for ServerStoredCredential details.

  • SecureChannelType: A NETLOGON_SECURE_CHANNEL_TYPE enumerated value, as specified in section 2.2.1.3.13, which indicates the type of secure channel being established with this client.

In addition, Netlogon stores service state information.

ServerServiceBits: A set of bit flags used to store the state of running services. If the bit is set to 0, the corresponding service is not running; otherwise, the bit is set to 1 and the corresponding service is running. The value of the bit flags is constructed from zero or more bit flags in the following table.

Bit positions are numbered from the most significant bit (position 0) to the least significant bit (position 31), as in the protocol's other bit diagrams; every position not marked with a letter is 0.

 0  1  2  3  4  5  6  7  8  9  10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
 0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  C  0  0  0  B  0  0  A  0  0  0  0  0  0

The meanings of the flags are defined in the following table.

Value   Description
------  ---------------------------------------------------
A       The time service is running.
B       The time service with clock hardware is running.
C       The Active Directory Web service is running.
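An added decoder for ServerServiceBits (example code, not part of MS-NRPC): it derives the numeric mask of each flag from its position in the bit diagram above (position 0 being the most significant bit), reports which services a given value says are running, and flags any set bits that the diagram defines as 0. The service names are descriptive labels chosen here, not identifiers from the specification.

```python
# Added example: decode/encode the ServerServiceBits abstract variable from
# the bit-diagram positions in the abstract data model. Not MS-NRPC code.

# Diagram positions (0 = most significant bit): A = 25, B = 22, C = 18.
# The names are descriptive labels chosen for this example.
SERVICE_BIT_POSITIONS = {
    "time_service": 25,                 # A: the time service is running
    "time_service_clock_hardware": 22,  # B: time service with clock hardware
    "ad_web_service": 18,               # C: the Active Directory Web service
}


def mask_for_position(pos: int) -> int:
    """Map a diagram position (0 = MSB, 31 = LSB) to its numeric bit mask."""
    if not 0 <= pos <= 31:
        raise ValueError("bit position must be in 0..31")
    return 1 << (31 - pos)


SERVICE_MASKS = {name: mask_for_position(p) for name, p in SERVICE_BIT_POSITIONS.items()}
DEFINED_MASK = sum(SERVICE_MASKS.values())


def decode_server_service_bits(value: int) -> dict:
    """Return {label: running} for each defined flag.

    A bit set to 1 means the service is running; 0 means it is not.
    """
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("ServerServiceBits is a 32-bit value")
    return {name: bool(value & mask) for name, mask in SERVICE_MASKS.items()}


def undefined_bits(value: int) -> int:
    """Bits set outside A/B/C. The diagram defines every other position as 0,
    so a nonzero result means the value carries flags this model does not name."""
    return (value & ~DEFINED_MASK) & 0xFFFFFFFF


def encode_server_service_bits(running) -> int:
    """Build a ServerServiceBits value from the labels of running services."""
    value = 0
    for name in running:
        value |= SERVICE_MASKS[name]  # KeyError for a label that is not defined
    return value


if __name__ == "__main__":
    # Constructed sample: time service and AD Web service running, no clock hardware.
    sample = encode_server_service_bits({"time_service", "ad_web_service"})
    print(hex(sample), decode_server_service_bits(sample))
```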