3.4.5.6.4 Calling NetrLogonSendToSam
The client calling this method MUST be a backup domain controller (BDC) or read-only domain controller (RODC). The client MUST do the following:
Have a secure channel established with a domain controller in the domain identified by domain-name and pass its name as the PrimaryName parameter.
Encrypt the OpaqueBuffer parameter using the negotiated encryption algorithm (determined by bits C, O, or W, respectively, in the NegotiateFlags member of the ServerSessionInfo table entry for PrimaryName) and the session key established as the encryption key.
Pass a valid client Netlogon authenticator as the Authenticator parameter.
After the method returns, the client SHOULD<125> verify the ReturnAuthenticator, as defined in section 3.1.4.5.
For details about how the OpaqueBuffer parameter is used, see [MS-SAMS].