6.3.5 Mailslot Ping

This section describes the usage of mailslot messages to verify the aliveness of the DC and also to check whether that DC matches a specific set of requirements. This operation is commonly referred to as a mailslot ping.

The server creates a mailslot (as specified in [MS-MAIL] section 3.2.4.1) with the name \\mailslot\net\netlogon and listens to this mailslot (as specified in [MS-MAIL] section 3.2.4.2). If the opcode of the mailslot message (hereafter in this section referred to simply as "message") is set to LOGON_PRIMARY_QUERY, it interprets the message as a NETLOGON_LOGON_QUERY structure; otherwise, it interprets the message as a NETLOGON_SAM_LOGON_REQUEST.

The server then completes the following processing:

If the opcode is set to LOGON_PRIMARY_QUERY and the server is not the PDC, the DC ignores the message without sending a response back to the client. If the opcode is set to LOGON_SAM_LOGON_REQUEST and NtVer is not NETLOGON_NT_VERSION_5, the DC ignores the message without sending a response back to the client. The server determines whether or not it is the PDC by calling the IsEffectiveRoleOwner(roleObject(Default NC, PdcEmulationMasterRole)) function. If the function returns TRUE, the server is the PDC, otherwise it is not. See section 3.1.1.5.1.8 for more information.

If DomainSidSize is not zero, it checks whether the default NC has the same SID; if it does not, the server ignores the message without sending a response back to the client.

If UnicodeUserName is specified, it is processed in the same way as the User value in section 6.3.3.2.

Let v be the NtVer requested by the client.

  • If dc.nt4EmulatorEnabled is TRUE, and v does not have the NETLOGON_NT_VERSION_AVOID_NT4EMUL bit set, the server uses the NETLOGON_SAM_LOGON_RESPONSE_NT40 structure to send the response.

  • Else, if v has the NETLOGON_NT_VERSION_5EX or NETLOGON_NT_VERSION_5EX_WITH_IP bit set, the server uses the NETLOGON_SAM_LOGON_RESPONSE_EX structure to send the response.

  • Else, if v has the NETLOGON_NT_VERSION_5 bit set, the server uses the NETLOGON_SAM_LOGON_RESPONSE structure to send the response.

  • Else, if v has the NETLOGON_NT_VERSION_PDC bit set, the server uses the NETLOGON_PRIMARY_RESPONSE structure to send the response.

  • For all other cases, the server uses the NETLOGON_SAM_LOGON_RESPONSE_NT40 structure to send the response.

Let t be 0.

  • When the Netlogon service is in a paused state, if v does not have the NETLOGON_NT_VERSION_PDC bit set or the server is not a PDC, let t be 1.

  • If the value of the rootDSE attribute isSynchronized (see section 3.1.1.3) is FALSE, let t be 1.

  • When the Netlogon RPC server is not initialized, if v does not have the NETLOGON_NT_VERSION_LOCAL bit set, let t be 1.

  • If the FRS is in a paused state, let t be 1.

Then, the server sends a response back to the mailslot named in the client's request. The response message is packed in the NETLOGON_SAM_LOGON_RESPONSE structure, the NETLOGON_PRIMARY_RESPONSE structure, or the NETLOGON_SAM_LOGON_RESPONSE_NT40 structure, depending on the value of v.

  • If the server uses NETLOGON_SAM_LOGON_RESPONSE to pack the value, it does the following:

    OperationCode: Set to LOGON_SAM_PAUSE_RESPONSE if t is equal to 1. Set to LOGON_SAM_USER_UNKNOWN if UnicodeUserName is not NULL, but x is NULL. Set to LOGON_SAM_LOGON_RESPONSE in other cases.

    UnicodeLogonServer: Set to the NetBIOS name of the server.

    UnicodeUserName: Set to the UnicodeUserName field in the request NETLOGON_SAM_LOGON_REQUEST message.

    UnicodeDomainName: Set to the NetBIOS name of the domain.

    DomainGuid: Set to the GUID of the domain.

    SiteGuid: Always set to NULL GUID.

    DnsForestName: Set to the DNS name of the forest.

    DnsDomainName: Set to the DNS name of the domain.

    DnsHostName: Set to the DNS name of the server.

    DcIpAddress: Set to the IP address of the server.

    Flags: If the server is a PDC, bit DS_PDC_FLAG is set; bit DS_DS_FLAG is always set; all the other bits of DS_FLAG are set to 0.

    NtVersion: Set to NETLOGON_NT_VERSION_1 | NETLOGON_NT_VERSION_5.

    LmNtToken: Always set to 0xFFFF.

    Lm20Token: Always set to 0xFFFF.

  • If the server uses NETLOGON_SAM_LOGON_RESPONSE_NT40 to pack the value, it does the following:

    OperationCode: If t is 1, set to LOGON_SAM_PAUSE_RESPONSE. Else, if UnicodeUserName is not NULL, but x is NULL, set to LOGON_SAM_USER_UNKNOWN. If none of the preceding conditions are met, set to LOGON_SAM_LOGON_RESPONSE.

    UnicodeLogonServer: Set to the NetBIOS name of the server.

    UnicodeUserName: Set to the UnicodeUserName field in the request NETLOGON_SAM_LOGON_REQUEST message.

    UnicodeDomainName: Set to the NetBIOS name of the domain.

    NtVersion: Set to NETLOGON_NT_VERSION_1.

    LmNtToken: Always set to 0xFFFF.

    Lm20Token: Always set to 0xFFFF.

  • If the server uses NETLOGON_PRIMARY_RESPONSE to pack the value, it does the following:

    OperationCode: If t is 1, set to LOGON_SAM_PAUSE_RESPONSE. Else, if UnicodeUserName is not NULL, but x is NULL, set to LOGON_SAM_USER_UNKNOWN. If none of the preceding conditions are met, set to LOGON_PRIMARY_RESPONSE.

    PrimaryDCName: Set to the ASCII value of the NetBIOS name of the server.

    UnicodePrimaryDCName: Set to the Unicode value of the NetBIOS name of the server.

    UnicodeDomainName: Set to the NetBIOS name of the domain.

    NtVersion: Set to NETLOGON_NT_VERSION_1.

    LmNtToken: Always set to 0xFFFF.

    Lm20Token: Always set to 0xFFFF.

  • If the server uses NETLOGON_SAM_LOGON_RESPONSE_EX to pack the value, it does the following:

    OperationCode: Set to LOGON_SAM_PAUSE_RESPONSE if t is equal to 1. Set to LOGON_SAM_USER_UNKNOWN if UnicodeUserName is not NULL, but x is NULL. Set to LOGON_SAM_LOGON_RESPONSE_EX in other cases.

    Sbz: Always set to 0x0.

    Flags: Set to the value produced for the Flags value in section 6.3.3.2.

    DomainGuid: Set to the GUID of the domain.

    DnsForestName: Set to the DNS name of the forest.

    DnsDomainName: Set to the DNS name of the domain.

    NetbiosDomainName: Set to the NetBIOS name of the domain.

    NetbiosComputerName: Set to the NetBIOS name of the server.

    UserName: Set to UnicodeUserName field in the request NETLOGON_SAM_LOGON_REQUEST message.

    DcSiteName: Set to the site name of the server.

    ClientSiteName: Set to the site name of the client as produced by the algorithm in section 6.3.3.2.

    DcSockAddrSize: If v has the NETLOGON_NT_VERSION_5EX_WITH_IP bit set, set to the size of the server's IP address.

    DcSockAddr: If v has the NETLOGON_NT_VERSION_5EX_WITH_IP bit set, set to the IP address of the server.

    NextClosestSiteName: If v has NETLOGON_NT_VERSION_WITH_CLOSEST_SITE and the DC has DC functional level DS_BEHAVIOR_WIN2008 or greater, use IDL_DRSQuerySitesByCost ([MS-DRSR] section 4.1.16) to find the site C that is closest to ClientSiteName but not equal to ClientSiteName, and set this field to C. Otherwise omit this field.

    NtVersion: If the NextClosestSiteName field is set and the DcSockAddr field is not set, set this field to {NETLOGON_NT_VERSION_1, NETLOGON_NT_VERSION_WITH_CLOSEST_SITE, NETLOGON_NT_VERSION_5EX}; if the NextClosestSiteName field is not set and the DcSockAddr field is set, set this field to {NETLOGON_NT_VERSION_1, NETLOGON_NT_VERSION_5EX, NETLOGON_NT_VERSION_5EX_WITH_IP}; if the NextClosestSiteName field is set and the DcSockAddr field is set, set this field to {NETLOGON_NT_VERSION_1, NETLOGON_NT_VERSION_WITH_CLOSEST_SITE, NETLOGON_NT_VERSION_5EX, NETLOGON_NT_VERSION_5EX_WITH_IP}; otherwise set this field to {NETLOGON_NT_VERSION_1, NETLOGON_NT_VERSION_5EX}.

    LmNtToken: Always set to 0xFFFF.

    Lm20Token: Always set to 0xFFFF.
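The decision logic of this section as an added Python example (not part of the specification text): it chooses the response structure from v, computes t, and derives OperationCode and the NtVersion of the EX response. The function and parameter names are hypothetical, user_found stands in for "x is not NULL", and the numeric bit values are assumptions taken from the specification's NETLOGON_NT_VERSION options table rather than from this section.

```python
# NtVer option bits: values from the spec's NETLOGON_NT_VERSION table, not this section.
V1, V5, V5EX, V5EX_WITH_IP, WITH_CLOSEST_SITE = 0x1, 0x2, 0x4, 0x8, 0x10
AVOID_NT4EMUL, PDC, LOCAL = 0x01000000, 0x10000000, 0x40000000

def select_structure(v, nt4_emulator_enabled):
    """Response structure for requested NtVer v, tested in the order the section lists."""
    if nt4_emulator_enabled and not v & AVOID_NT4EMUL:
        return "NETLOGON_SAM_LOGON_RESPONSE_NT40"   # NT4 emulation overrides 5/5EX bits
    if v & (V5EX | V5EX_WITH_IP):
        return "NETLOGON_SAM_LOGON_RESPONSE_EX"
    if v & V5:
        return "NETLOGON_SAM_LOGON_RESPONSE"
    if v & PDC:
        return "NETLOGON_PRIMARY_RESPONSE"
    return "NETLOGON_SAM_LOGON_RESPONSE_NT40"

def pause_flag(v, is_pdc, netlogon_paused, is_synchronized, rpc_initialized, frs_paused):
    """The value t; 1 makes the DC answer with LOGON_SAM_PAUSE_RESPONSE."""
    t = 0
    if netlogon_paused and (not v & PDC or not is_pdc):
        t = 1
    if not is_synchronized:
        t = 1
    if not rpc_initialized and not v & LOCAL:
        t = 1
    if frs_paused:
        t = 1
    return t

def operation_code(structure, t, user_requested, user_found):
    """OperationCode for the chosen structure."""
    if t == 1:
        return "LOGON_SAM_PAUSE_RESPONSE"
    if user_requested and not user_found:
        return "LOGON_SAM_USER_UNKNOWN"
    by_structure = {"NETLOGON_SAM_LOGON_RESPONSE_EX": "LOGON_SAM_LOGON_RESPONSE_EX",
                    "NETLOGON_PRIMARY_RESPONSE": "LOGON_PRIMARY_RESPONSE"}
    return by_structure.get(structure, "LOGON_SAM_LOGON_RESPONSE")

def ex_ntversion(v, closest_site_set):
    """NtVersion of the EX response; DcSockAddr is set exactly when v has 5EX_WITH_IP."""
    out = V1 | V5EX
    if closest_site_set:
        out |= WITH_CLOSEST_SITE
    if v & V5EX_WITH_IP:
        out |= V5EX_WITH_IP
    return out
```

When monitoring DC locator traffic, an NT40-format reply to a request that set the 5EX bits is the pattern to expect from a DC with NT4 emulation enabled when the client did not set NETLOGON_NT_VERSION_AVOID_NT4EMUL.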