3.2.5.1 Receiving a KDC_PROXY_MESSAGE
When the KKDCP server receives the KDC_PROXY_MESSAGE (section 2.2.2), it SHOULD:
Validate that the KDC_PROXY_MESSAGE.kerb-message is a well-formed Kerberos message. If not, then the KKDCP server SHOULD drop the connection and stop processing.
If target-domain is not present, return ERROR_BAD_FORMAT.
Before the KKDCP server can send a Kerberos message, it MUST discover the KDC to which the message will be sent. The KKDCP server SHOULD perform the equivalent of calling DsrGetDcNameEx2 ([MS-NRPC] section 3.5.4.3.1) where:
AllowableAccountControlBits has bits A, B, C, D, E, and F set.
DomainName is TargetDomain.
Flags is KDC_PROXY_MESSAGE.dclocator-hint. If there is no dclocator-hint in the message, Flags has bits G and H set.
If the Kerberos message is "FAST armored", then also set bit U.
All other fields are set to NULL.
Return the IP address of the DC in DomainControllerInfo.DomainControllerAddress.
Send the KDC_PROXY_MESSAGE.kerb-message to the KDC.
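The receive-side checks above, sketched as an added example (not code from the specification or from any KKDCP implementation). It assumes the section 2.2.2 layout, which this section does not reproduce: a DER SEQUENCE with EXPLICIT context tags [0] kerb-message (OCTET STRING carrying the 4-octet length prefix), [1] target-domain and [2] dclocator-hint. "Well-formed" is narrowed here to a framing check on AS-REQ/TGS-REQ, dropping on a malformed outer encoding is an assumption, and `read_tlv`, `kerb_message_ok`, `receive` and `SAMPLE` are hypothetical names; KDC discovery and sending are left out.

```python
import struct

KRB_REQ_TAGS = {0x6A, 0x6C}  # [APPLICATION 10] AS-REQ, [APPLICATION 12] TGS-REQ
# Constructed sample: framed empty AS-REQ shell, target-domain "EXAMPLE.TEST", no hint.
SAMPLE = bytes.fromhex("301ca00a0408000000046a023000a10e1b0c") + b"EXAMPLE.TEST"

def read_tlv(buf, off):
    """Return (tag, value, next_offset) for one DER TLV; ValueError if malformed."""
    if off + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if not 1 <= n <= 4 or off + n > len(buf):
            raise ValueError("bad length")
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("value overruns buffer")
    return tag, buf[off:off + length], off + length

def kerb_message_ok(msg):
    """4-octet big-endian length prefix, then exactly one AS-REQ/TGS-REQ TLV."""
    if len(msg) < 4 or struct.unpack(">I", msg[:4])[0] != len(msg) - 4:
        return False
    try:
        tag, _, end = read_tlv(msg, 4)
    except ValueError:
        return False
    return tag in KRB_REQ_TAGS and end == len(msg)

def receive(proxy_msg):
    """Return ('drop',), ('ERROR_BAD_FORMAT',) or ('forward', domain, hint, kerb)."""
    try:
        tag, body, end = read_tlv(proxy_msg, 0)
        if tag != 0x30 or end != len(proxy_msg):
            return ("drop",)
        fields, off = {}, 0
        while off < len(body):
            ctx, inner, off = read_tlv(body, off)  # [n] EXPLICIT wrapper
            fields[ctx] = read_tlv(inner, 0)[1]
    except ValueError:
        return ("drop",)  # assumption: malformed outer encoding handled like a bad kerb-message
    kerb = fields.get(0xA0)
    if kerb is None or not kerb_message_ok(kerb):
        return ("drop",)  # kerb-message not well-formed: drop the connection
    if 0xA1 not in fields:
        return ("ERROR_BAD_FORMAT",)  # target-domain absent
    hint = int.from_bytes(fields[0xA2], "big", signed=True) if 0xA2 in fields else None
    return ("forward", fields[0xA1].decode("ascii", "replace"), hint, kerb)
```

A `hint` of `None` in the result means no dclocator-hint was sent, so the locator call would use Flags with bits G and H set as described above.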