3.5.4.6.4 NetrDatabaseRedo (Opnum 17)

The NetrDatabaseRedo method SHOULD<226> be used by a backup domain controller (BDC) to request information about a single account from the PDC.

 NTSTATUS NetrDatabaseRedo(
   [in, string] LOGONSRV_HANDLE PrimaryName,
   [in, string] wchar_t* ComputerName,
   [in] PNETLOGON_AUTHENTICATOR Authenticator,
   [in, out] PNETLOGON_AUTHENTICATOR ReturnAuthenticator,
   [in, size_is(ChangeLogEntrySize)] 
     UCHAR * ChangeLogEntry,
   [in] DWORD ChangeLogEntrySize,
   [out] PNETLOGON_DELTA_ENUM_ARRAY* DeltaArray
 );

PrimaryName: The custom binding handle, defined in section 3.5.4.1, representing the connection to the PDC.

ComputerName: The null-terminated Unicode string that contains the NetBIOS name of the BDC calling this method.

Authenticator: A pointer to a NETLOGON_AUTHENTICATOR structure, as specified in section 2.2.1.1.5, that contains the client authenticator.

ReturnAuthenticator: A pointer to a NETLOGON_AUTHENTICATOR structure, as specified in section 2.2.1.1.5, that contains the server return authenticator.

ChangeLogEntry: A pointer to a buffer that contains a CHANGELOG_ENTRY structure, specified as follows, for the account being queried.

ChangeLogEntrySize: The size, in bytes, of the buffer pointed to by the ChangeLogEntry parameter.

DeltaArray: A pointer to a NETLOGON_DELTA_ENUM_ARRAY structure, as specified in section 2.2.1.5.12, that contains an array of enumerated database changes for the account being queried.

Return Values: The method returns 0x00000000 on success; otherwise, it returns a nonzero error code.

The following CHANGELOG_ENTRY structure pointed to by the ChangeLogEntry parameter carries information about the account object being queried.


0


1


2


3


4


5


6


7


8


9

1
0


1


2


3


4


5


6


7


8


9

2
0


1


2


3


4


5


6


7


8


9

3
0


1

SerialNumber [0..3]

SerialNumber [4..7]

ObjectRid

Flags

DBIndex

DeltaType

ObjectSid (optional, variable length) …

ObjectName (optional, variable length) …

SerialNumber: The database serial number that corresponds to this account object (64-bit integer).

ObjectRid: The RID of the object (32-bit integer).

Flags: A two-byte set of bit flags that describes the properties of the message. A flag is TRUE (or set) if its value is equal to 1. The value is constructed from zero or more bit flags from the following table, with the exception that bit C cannot be combined with bit D.

0

1

2

3

4

5

6

7

8

9

1

0

1

2

3

4

5

0

0

0

0

0

0

0

0

0

0

0

E

D

C

B

A

The flags are defined as follows.

Flag

Meaning

A

The object requires immediate replication at the moment that the object is changed.

B

The object is an account with a changed password.

C

The optional ObjectSid field is included in the message. Cannot be combined with flag D.

D

The optional ObjectName field is included in the message. Cannot be combined with flag C.

E

The object is the first object changed after a promotion of a BDC to a new PDC.

All other bits MUST be set to zero and MUST be ignored on receipt.

DBIndex: The 8-bit integer identifier of the database containing the object. MUST be one, and only one, of the following values.

Value

Meaning

0x00

The SAM database.

0x01

The SAM built-in database.

0x02

The LSA database.

DeltaType: One of the NETLOGON_DELTA_TYPE values specified in section 2.2.1.5.28.

ObjectSid: The SID of the object. Included only if flag C is set. This is an RPC_SID structure, as defined in [MS-DTYP] section 2.4.2.3.

ObjectName: The name of the object. ObjectName is a null-terminated Unicode string, and is included only if flag D is set.

The server that receives this call MUST do the following:

  • Verify that the client is a backup domain controller (BDC), the server is a PDC, and synchronization is enabled.  If any of these conditions are false, the server MUST return the status code STATUS_NOT_SUPPORTED.

  • Using the ComputerName for the secure channel to find the corresponding record in the ClientSessionInfo table, verify the Authenticator parameter (section 3.1.4.5). If the Authenticator parameter is valid, compute the ReturnAuthenticator parameter returned (section 3.1.4.5). Otherwise, the server MUST return STATUS_ACCESS_DENIED.

  • Validate the ChangeLogEntry parameter as a valid single account object information request message. If the ChangeLogEntry parameter is not valid, the server MUST return the status code STATUS_INVALID_PARAMETER.

The server uses the server name passed in the PrimaryName parameter to look up the domain that the server hosts. If the name is not found, the server MUST return STATUS_INVALID_COMPUTER_NAME.

Return a single delta for the requested account in the DeltaArray parameter.