3.1.4.1.3 BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID

The server MUST ignore the cbDataIn and pDataIn parameters. It MUST process the request as follows:

1. Retrieve the current ClientWrap key pair identifier, which is a 16-byte GUID stored as the value of the LSA (Domain Policy) Remote Protocol secret object named G$BCKUPKEY_PREFERRED, using the method specified in [MS-LSAD] section 3.1.4.6.6. Let keyGuid denote this identifier. Let keyGuidString denote the GUIDString ([MS-DTYP] section 2.3.4.3) representation of keyGuid. If no such LSA (Domain Policy) Remote Protocol secret object is found, then go to step 3.

2. Retrieve the value of the LSA (Domain Policy) Remote Protocol secret object named G$BCKUPKEY_keyGuidString, using the method specified in [MS-LSAD] section 3.1.4.6.6. This value is the current ClientWrap key pair, formatted as specified in section 2.2.5. If successful, go to step 4. If this LSA (Domain Policy) Remote Protocol secret object cannot be located, or its value is not in the correct format, then continue to step 3.

3. Create a new ClientWrap key as follows:

   1. Generate a 2,048-bit RSA key pair. The structure of an RSA key pair is specified in [RFC8017], and methods for generating it are specified in [X9.31] section 4.1.

   2. Using a cryptographically strong random number generator, generate a random 16-byte GUID. Let this value be denoted newGuid, and let its GUIDString representation ([MS-DTYP] section 2.3.4.3) be denoted newGuidString.

   3. Create a new LSA (Domain Policy) Remote Protocol secret object named G$BCKUPKEY_newGuidString and set its value to the result of the first procedure in step 3, using the method specified in [MS-LSAD] section 3.1.4.6.5. This secret object will be stored in the domain's Active Directory database by the LSA (Domain Policy) protocol server as specified in the first table of [MS-LSAD] section 3.1.1.4. As a consequence, this secret object will be replicated to all other DCs in the domain by Active Directory server-to-server replication mechanisms.

   4. Create a new LSA (Domain Policy) Remote Protocol secret object named G$BCKUPKEY_PREFERRED and set its value to the 16-byte binary representation of newGuid, using the method specified in [MS-LSAD] section 3.1.4.6.5. If an LSA (Domain Policy) Remote Protocol secret object named G$BCKUPKEY_PREFERRED already exists, replace its value with newGuid. This secret object will be stored in the domain's Active Directory database by the LSA (Domain Policy) protocol server as specified in the first table of [MS-LSAD] section 3.1.1.4. As a consequence, this secret object will be replicated to all other DCs in the domain by Active Directory server-to-server replication mechanisms.

4. Steps 2 and 3 will have yielded the current ClientWrap key pair in the format specified in section 2.2.5. Place the value of the Certificate field in the ppDataOut parameter and the value of the Certificate_Length field in the pcbDataOut parameter. Return success (that is, zero) to the client.