1.3.1 Call Flows
This section presents an overview of the message flows in a typical usage of the BackupKey Remote Protocol. It is divided into two subsections, one for the subprotocol with server-side wrapping (referred to as the ServerWrap subprotocol) and the other for the subprotocol with client-side wrapping (referred to as the ClientWrap subprotocol).
The BackupKey Remote Protocol consists of a single RPC method. This method takes a parameter that specifies the operation requested. This parameter has four possible values, as specified in section 3.1.4.1. These values are used to identify the messages in the call flows that follow.
Although the BackupKey Remote Protocol could in principle be used between a client and any server to provide secret wrapping and unwrapping services, in practice it is used only between a client and a Domain Controller (DC). Specifically, every writable DC in an Active Directory domain is a BackupKey Remote Protocol server for clients within that domain, and no other machines support BackupKey Remote Protocol server functionality. All the writable DCs in a domain are treated as equivalent. All server keys are stored as LSA global secret objects (specified in [MS-LSAD] section 3.1.1.4). These global secret objects are replicated across all the DCs in a domain as specified in [MS-LSAD].
When it needs to perform a protocol operation, the client implementation locates a writable DC that is hosting the calling user's domain-naming context. This is done using the client's implementation of the DC Locator functionality, specified in [MS-ADTS] section 6.3.6, with the DNS domain name of the calling user's primary domain as the basis. The client then establishes an RPC connection and security context, as specified in section 3.2.4, and proceeds to issue its request. For brevity, all the call flows in this section omit these initial steps, as well as the steps required to create and replicate LSA global secrets among DCs.