3.1.3 Initialization

The server MUST register a dynamic endpoint with the RPC runtime. It MUST indicate to the RPC runtime that it is to negotiate security contexts using the SPNEGO protocol [MS-SPNG], and MUST request the RPC runtime to reject any unauthenticated connections. The server MUST also instruct the RPC runtime to reject any connections with an authentication level less than RPC_C_AUTHN_LEVEL_PKT_PRIVACY.
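
One way a server could enforce the last two requirements is in an RPC interface security callback. The following is an added example, not code from the specification or from any Microsoft implementation; `gkdi_admit` and `gkdi_security_cb` are hypothetical names, and the constants carry their Windows SDK values so the admission check also builds off Windows.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <rpc.h>
#else
/* Values as defined in the Windows SDK, repeated so the check builds anywhere. */
typedef long RPC_STATUS;
#define RPC_S_OK                        0L
#define RPC_S_ACCESS_DENIED             5L
#define RPC_C_AUTHN_NONE                0
#define RPC_C_AUTHN_GSS_NEGOTIATE       9   /* SPNEGO */
#define RPC_C_AUTHN_LEVEL_NONE          1
#define RPC_C_AUTHN_LEVEL_PKT_INTEGRITY 5
#define RPC_C_AUTHN_LEVEL_PKT_PRIVACY   6
#endif

/* Hypothetical helper: the admission rule of section 3.1.3. */
RPC_STATUS gkdi_admit(unsigned long authn_svc, unsigned long authn_level)
{
    if (authn_svc == RPC_C_AUTHN_NONE)
        return RPC_S_ACCESS_DENIED;          /* unauthenticated connection */
    if (authn_level < RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
        return RPC_S_ACCESS_DENIED;          /* signed only, or weaker */
    return RPC_S_OK;
}

#ifdef _WIN32
/* Interface security callback: pass as IfCallbackFn to RpcServerRegisterIf2,
 * after RpcServerRegisterAuthInfo has registered RPC_C_AUTHN_GSS_NEGOTIATE. */
RPC_STATUS RPC_ENTRY gkdi_security_cb(RPC_IF_HANDLE ifc, void *binding)
{
    unsigned long level = 0, svc = 0;
    (void)ifc;
    /* Fails (e.g. RPC_S_BINDING_HAS_NO_AUTH) when the client sent no auth info. */
    if (RpcBindingInqAuthClientW(binding, NULL, NULL, &level, &svc, NULL) != RPC_S_OK)
        return RPC_S_ACCESS_DENIED;
    return gkdi_admit(svc, level);
}
#endif

int main(void)
{
    /* Constructed connection attempts: {authn service, authn level}. */
    unsigned long t[3][2] = {
        { RPC_C_AUTHN_NONE,          RPC_C_AUTHN_LEVEL_NONE },
        { RPC_C_AUTHN_GSS_NEGOTIATE, RPC_C_AUTHN_LEVEL_PKT_INTEGRITY },
        { RPC_C_AUTHN_GSS_NEGOTIATE, RPC_C_AUTHN_LEVEL_PKT_PRIVACY } };
    for (int i = 0; i < 3; i++)
        printf("svc=%lu level=%lu -> %s\n", t[i][0], t[i][1],
               gkdi_admit(t[i][0], t[i][1]) == RPC_S_OK ? "accept" : "reject");
    return 0;
}
```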

A server in the Active Directory forest MUST initialize its Server Configuration and root key objects from the corresponding values persisted in the Active Directory database on the DC. It MUST also implement a means of monitoring this state for changes made through other protocols or through Active Directory server-to-server replication mechanisms.