7 Appendix B: Product Behavior

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include updates to those products.

The terms "earlier" and "later", when used with a product version, refer to either all preceding versions or all subsequent versions, respectively. The term "through" refers to the inclusive range of versions. Applicable Microsoft products are listed chronologically in this section.

  • Windows Server 2008 R2 operating system

  • Windows Server 2012 operating system

  • Windows Server 2012 R2 operating system

  • Windows Server 2016 operating system

  • Windows Server operating system

  • Windows Server 2019 operating system

  • Windows Server 2022 operating system

  • Windows Server 2025 operating system

Exceptions, if any, are noted in this section. If an update version, service pack or Knowledge Base (KB) number appears with a product name, the behavior changed in that update. The new behavior also applies to subsequent updates unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms "SHOULD" or "SHOULD NOT" implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term "MAY" implies that the product does not follow the prescription.

<1> Section 1.3: For Microsoft implementations of Active Directory Web Services: Custom Action Protocol operations that are intended to target a specific directory service, the following table defines the applicability of the operation against an Active Directory Domain Services (AD DS) instance, an Active Directory Lightweight Directory Services (AD LDS) instance, and a snapshot store instance (for either AD DS or AD LDS). The AD DS instance is further subdivided into a global catalog (GC) instance and a non–GC instance. In each cell below, "Y" means "Yes, is applicable" and "N" means "No, is not applicable".

AD-CAP Operation                 | AD DS Instance: Non-GC | AD DS Instance: GC | AD LDS Instance | Snapshot Store Instance (AD DS or AD LDS)
---------------------------------|------------------------|--------------------|-----------------|------------------------------------------
ChangePassword                   | Y | N | Y | N
GetADGroupMember                 | Y | N | Y | N
GetADPrincipalAuthorizationGroup | Y | N | Y | N
GetADPrincipalGroupMembership    | Y | N | Y | N
SetPassword                      | Y | N | Y | N
TranslateName                    | Y | Y | Y | N
ChangeOptionalFeature            | Y | N | Y | N
GetADDomain                      | Y | N | N | N
GetADDomainController            | Y | N | N | N
GetADForest                      | Y | N | N | N
MoveADOperationsMasterRole       | Y | N | Y | N

<2> Section 1.5: Windows implementations use the domain locator protocol, described in [MS-ADOD] section 2.7.7.3.1 and [MS-ADTS] section 6.3.3.2, to locate a DC server running an instance of the Active Directory Web Services: Custom Action Protocol.

<3> Section 2.1: Microsoft implementations of Active Directory Web Services: Custom Action Protocol use SOAP 1.2 [SOAP1.2-1/2003]. The transports used, as well as the authentication mechanisms supported and the endpoints exposed, are specified in [MS-ADDM] section 2.1.

<4> Section 2.2.3.5: Microsoft implementations of Active Directory Web Services: Custom Action Protocol provide access to any Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) directory service that is running on the same computer as Active Directory Web Services. AD DS can be accessed via "ldap:389". If the machine is also an AD DS global catalog, then the global catalog can be accessed as "ldap:3268". An AD LDS instance can be accessed as "ldap:N", where N is the LDAP port number that the AD LDS instance has been configured to use.

<5> Section 2.2.4.5.1: In some cases, Microsoft implementations of the Active Directory Web Services: Custom Action Protocol populate the Message element from the list of values shown in column B in Table 1 shown below. In some cases, Microsoft implementations of the Active Directory Web Services: Custom Action Protocol populate the Message element with null, empty, or not present values.

<6> Section 2.2.4.5.2: The ArgumentErrorDetailCA/ParameterName element is null in the Active Directory Web Services: Custom Action Protocol implementation in Active Directory Management Gateway Service for Windows Server 2003 operating system with Service Pack 2 (SP2), Windows Server 2003 R2 operating system SP2, and Windows Server 2008 operating system. It is also null in the Active Directory Web Services: Custom Action Protocol implementation in Windows Server 2008 R2.

<7> Section 2.2.4.5.3: Microsoft implementations of Active Directory Web Services: Custom Action Protocol populate the ShortMessage from the Message based on Table 1 shown below.

  • If the value of Message is found in column B of Table 1, the ShortMessage is populated with text from column A.

  • If the value of Message is not found in column B of Table 1, the ShortMessage is populated with the text from column A of Table 2 shown below, based on the error encountered, as described in column B of Table 2.

Table 1.

A                                                               | B
----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------
AnonymousNotAllowed                                             | Anonymous access to the directory is not permitted.
CantCrackNamesForTranslateName                                  | A name translation operation could not be performed against the directory.
CouldNotRetrieveLocalDomainName                                 | The DNS name of the local domain could not be retrieved.
CouldNotTransferPdcFsmo                                         | The Primary Domain Controller Emulator role could not be transferred.
CouldntConvertDomainDnToDomainDnsNameForGetADDomainController   | The domain distinguished name could not be converted to a DNS name.
CouldntRetrieveAddsFsmoRoles                                    | The FSMO roles for Active Directory Domain Services could not be retrieved.
InvalidInstanceInTheHeader                                      | The Instance present in the Request Header is invalid.
MustSupplyAccountDnForSetPasswordorChangePassword               | A non-null, nonempty value for the AccountDN parameter must be supplied.
MustSupplyNewPasswordForSetPasswordorChangePassword             | A non-null value for the NewPassword parameter must be supplied.
MustSupplyOldPasswordForChangePassword                          | A non-null value for the OldPassword parameter must be supplied.
MustSupplyPartitionDn                                           | A non-null, nonempty value for the PartitionDN parameter must be supplied.
MustSupplyServerNameForCustomActions                            | A non-null, nonempty value for the Server parameter must be supplied.
NonNTDSOrADLDSInstanceInTheHeader                               | The specified value of Server does not name a Active Directory Domain Services or Active Directory Lightweight Directory Services instance.
NoSuchAuthenticablePrincipal                                    | The specified Authenticable principal was not found.
ObjectSidCouldNotBeRetrievedForPdcFsmoTransfer                  | The SID of the domain could not be retrieved, preventing transfer of the Primary Domain Controller Emulator role.
OperationTimeout                                                | The operation timed-out.
UnknownFormatForNameTranslate                                   | The specified name format is unknown.
UnknownRoleForMoveADOperationMasterRole                         | The request specified an unknown operation master role to move.

Table 2.

A                                    | B
-------------------------------------|--------------------------------------------------------
EArgument                            | An ArgumentException was returned.
EAuthentication                      | An AuthenticationException was returned.
EDirectoryOperation                  | A DirectoryOperationException was returned.
EInvalidOperation                    | An InvalidOperationException was returned.
ENoConnection                        | A NoConnectionAvailableException was returned.
ENotSupported                        | A NotSupportedException was returned.
EOutOfMemory                         | An OutOfMemoryException was returned.
EWindows32                           | A Win32Exception was returned.
ECOMServices                         | A DirectoryServicesCOMException was returned.
EObjectNotFound                      | An ActiveDirectoryObjectNotFoundException was returned.
EADirectoryOperation                 | An ActiveDirectoryOperationException was returned.
EServerDown                          | An ActiveDirectoryServerDownException was returned.
EMultipleMatchingSecurityPrincipals  | A MultipleMatchesException was returned.
ESecurityPrincipalOperation          | A PrincipalOperationException was returned.
ELdap                                | The LDAP server is unavailable.

<8> Section 2.2.4.6.3: In some cases, Microsoft implementations of Active Directory Web Services: Custom Action Protocol populate the Error element from the list of values in column A of Table 2 shown above. In some cases, Microsoft implementations of Active Directory Web Services: Custom Action Protocol populate the Error element with null, empty, or not present values.

<9> Section 2.2.4.6.4: Microsoft implementations of Active Directory Web Services: Custom Action Protocol populate the ShortError from the Error based on Table 1 from the product behavior note in section 2.2.4.5.3, shown above.

  • If the value of Error is found in column B of Table 1, the ShortError is populated with text from column A.

  • If the value of Error is not found in column B of Table 1, the ShortError is populated with the text from column A of Table 2 from the product behavior note in section 2.2.4.5.3, shown above, based on the error encountered as described in column B of Table 2.

<10> Section 2.2.4.7.4: In some cases, Microsoft implementations of Active Directory Web Services: Custom Action Protocol populate the Message element from the list of values in column B of Table 1 shown above. In some cases, Microsoft implementations of Active Directory Web Services: Custom Action Protocol populate the Message element with null, empty, or not present values.

<11> Section 2.2.4.7.6: Microsoft implementations of Active Directory Web Services: Custom Action Protocol populate the ShortMessage from the Message based on Table 1 from the product behavior note in section 2.2.4.5.3, shown above.

  • If the value of Message is found in column B of Table 1, the ShortMessage is populated with text from column A.

  • If the value of Message is not found in column B of Table 1, the ShortMessage is populated with the text from column A of Table 2 from the product behavior note in section 2.2.4.5.3, shown above, based on the error encountered as described in column B of Table 2.

<12> Section 2.2.4.7.7: Microsoft implementations of Active Directory Web Services: Custom Action Protocol translate LDAP error codes into Win32 error codes ([MS-ERREF] section 2.2) using the following table.

LDAP Error Code (Hex) | LDAP Error Name                 | Win32 Error Code (Dec) | Win32 Error Name
----------------------|---------------------------------|------------------------|------------------------------------
0x00 | LDAP_SUCCESS                     | 0      | NO_ERROR
0x01 | LDAP_OPERATIONS_ERROR            | 8224   | ERROR_DS_OPERATIONS_ERROR
0x02 | LDAP_PROTOCOL_ERROR              | 8225   | ERROR_DS_PROTOCOL_ERROR
0x03 | LDAP_TIMELIMIT_EXCEEDED          | 8226   | ERROR_DS_TIMELIMIT_EXCEEDED
0x04 | LDAP_SIZELIMIT_EXCEEDED          | 8227   | ERROR_DS_SIZELIMIT_EXCEEDED
0x05 | LDAP_COMPARE_FALSE               | 8229   | ERROR_DS_COMPARE_FALSE
0x06 | LDAP_COMPARE_TRUE                | 8230   | ERROR_DS_COMPARE_TRUE
0x07 | LDAP_AUTH_METHOD_NOT_SUPPORTED   | 8231   | ERROR_DS_AUTH_METHOD_NOT_SUPPORTED
0x08 | LDAP_STRONG_AUTH_REQUIRED        | 8232   | ERROR_DS_STRONG_AUTH_REQUIRED
0x09 | LDAP_PARTIAL_RESULTS             | 299    | ERROR_PARTIAL_COPY
0x0a | LDAP_REFERRAL                    | 8235   | ERROR_DS_REFERRAL
0x0b | LDAP_ADMIN_LIMIT_EXCEEDED        | 8228   | ERROR_DS_ADMIN_LIMIT_EXCEEDED
0x0c | LDAP_UNAVAILABLE_CRIT_EXTENSION  | 8236   | ERROR_DS_UNAVAILABLE_CRIT_EXTENSION
0x0d | LDAP_CONFIDENTIALITY_REQUIRED    | 8237   | ERROR_DS_CONFIDENTIALITY_REQUIRED
0x0e | LDAP_SASL_BIND_IN_PROGRESS       | 590610 | SEC_I_CONTINUE_NEEDED
0x10 | LDAP_NO_SUCH_ATTRIBUTE           | 8202   | ERROR_DS_NO_ATTRIBUTE_OR_VALUE
0x11 | LDAP_UNDEFINED_TYPE              | 8204   | ERROR_DS_ATTRIBUTE_TYPE_UNDEFINED
0x12 | LDAP_INAPPROPRIATE_MATCHING      | 8238   | ERROR_DS_INAPPROPRIATE_MATCHING
0x13 | LDAP_CONSTRAINT_VIOLATION        | 8239   | ERROR_DS_CONSTRAINT_VIOLATION
0x14 | LDAP_ATTRIBUTE_OR_VALUE_EXISTS   | 8205   | ERROR_DS_ATTRIBUTE_OR_VALUE_EXISTS
0x15 | LDAP_INVALID_SYNTAX              | 8203   | ERROR_DS_INVALID_ATTRIBUTE_SYNTAX
0x20 | LDAP_NO_SUCH_OBJECT              | 8240   | ERROR_DS_NO_SUCH_OBJECT
0x21 | LDAP_ALIAS_PROBLEM               | 8241   | ERROR_DS_ALIAS_PROBLEM
0x22 | LDAP_INVALID_DN_SYNTAX           | 8242   | ERROR_DS_INVALID_DN_SYNTAX
0x23 | LDAP_IS_LEAF                     | 8243   | ERROR_DS_IS_LEAF
0x24 | LDAP_ALIAS_DEREF_PROBLEM         | 8244   | ERROR_DS_ALIAS_DEREF_PROBLEM
0x30 | LDAP_INAPPROPRIATE_AUTH          | 8233   | ERROR_DS_INAPPROPRIATE_AUTH
0x31 | LDAP_INVALID_CREDENTIALS         | 1326   | ERROR_LOGON_FAILURE
0x32 | LDAP_INSUFFICIENT_RIGHTS         | 5      | ERROR_ACCESS_DENIED
0x33 | LDAP_BUSY                        | 8206   | ERROR_DS_BUSY
0x34 | LDAP_UNAVAILABLE                 | 8207   | ERROR_DS_UNAVAILABLE
0x35 | LDAP_UNWILLING_TO_PERFORM        | 8245   | ERROR_DS_UNWILLING_TO_PERFORM
0x36 | LDAP_LOOP_DETECT                 | 8246   | ERROR_DS_LOOP_DETECT
0x3C | LDAP_SORT_CONTROL_MISSING        | 8261   | ERROR_DS_SORT_CONTROL_MISSING
0x3D | LDAP_OFFSET_RANGE_ERROR          | 8262   | ERROR_DS_OFFSET_RANGE_ERROR
0x40 | LDAP_NAMING_VIOLATION            | 8247   | ERROR_DS_NAMING_VIOLATION
0x41 | LDAP_OBJECT_CLASS_VIOLATION      | 8212   | ERROR_DS_OBJ_CLASS_VIOLATION
0x42 | LDAP_NOT_ALLOWED_ON_NONLEAF      | 8213   | ERROR_DS_CANT_ON_NON_LEAF
0x43 | LDAP_NOT_ALLOWED_ON_RDN          | 8214   | ERROR_DS_CANT_ON_RDN
0x44 | LDAP_ALREADY_EXISTS              | 5010   | ERROR_OBJECT_ALREADY_EXISTS
0x45 | LDAP_NO_OBJECT_CLASS_MODS        | 8215   | ERROR_DS_CANT_MOD_OBJ_CLASS
0x46 | LDAP_RESULTS_TOO_LARGE           | 8248   | ERROR_DS_OBJECT_RESULTS_TOO_LARGE
0x47 | LDAP_AFFECTS_MULTIPLE_DSAS       | 8249   | ERROR_DS_AFFECTS_MULTIPLE_DSAS
0x4c | LDAP_VIRTUAL_LIST_VIEW_ERROR     | 8341   | ERROR_DS_GENERIC_ERROR
0x50 | LDAP_OTHER                       | 31     | ERROR_GEN_FAILURE
0x51 | LDAP_SERVER_DOWN                 | 8250   | ERROR_DS_SERVER_DOWN
0x52 | LDAP_LOCAL_ERROR                 | 8251   | ERROR_DS_LOCAL_ERROR
0x53 | LDAP_ENCODING_ERROR              | 8252   | ERROR_DS_ENCODING_ERROR
0x54 | LDAP_DECODING_ERROR              | 8253   | ERROR_DS_DECODING_ERROR
0x55 | LDAP_TIMEOUT                     | 1460   | ERROR_TIMEOUT
0x56 | LDAP_AUTH_UNKNOWN                | 8234   | ERROR_DS_AUTH_UNKNOWN
0x57 | LDAP_FILTER_ERROR                | 8254   | ERROR_DS_FILTER_UNKNOWN
0x58 | LDAP_USER_CANCELLED              | 1223   | ERROR_CANCELLED
0x59 | LDAP_PARAM_ERROR                 | 8255   | ERROR_DS_PARAM_ERROR
0x5a | LDAP_NO_MEMORY                   | 8      | ERROR_NOT_ENOUGH_MEMORY
0x5b | LDAP_CONNECT_ERROR               | 1225   | ERROR_CONNECTION_REFUSED
0x5c | LDAP_NOT_SUPPORTED               | 8256   | ERROR_DS_NOT_SUPPORTED
0x5e | LDAP_NO_RESULTS_RETURNED         | 8257   | ERROR_DS_NO_RESULTS_RETURNED
0x5d | LDAP_CONTROL_NOT_FOUND           | 8258   | ERROR_DS_CONTROL_NOT_FOUND
0x5f | LDAP_MORE_RESULTS_TO_RETURN      | 234    | ERROR_MORE_DATA
0x60 | LDAP_CLIENT_LOOP                 | 8259   | ERROR_DS_CLIENT_LOOP
0x61 | LDAP_REFERRAL_LIMIT_EXCEEDED     | 8260   | ERROR_DS_REFERRAL_LIMIT_EXCEEDED

<13> Section 2.3: The Windows Server 2008 R2 implementation of Active Directory Web Services: Custom Action Protocol cannot access the supportedCapabilities rootDSE attribute.

<14> Section 3: The following products are applicable to the Active Directory Web Services: Custom Action Protocol:

  • Active Directory Management Gateway Service contains the server implementation of Active Directory Web Services: Custom Action Protocol.

  • Remote Server Administration Tools (excluding Remote Server Administration Tools for Windows Vista operating system) contains the client implementation. For more information about Remote Server Administration Tools, see [MSFT-RSAT].

  • Windows Server 2008 R2 and later have both the server and the client implementations.

Active Directory Management Gateway Service is available for Windows Server 2003 SP2, Windows Server 2003 R2 with Service Pack 2 (SP2), and Windows Server 2008.

<15> Section 3.1.1.1: The Windows Server 2008 R2 implementation of Active Directory Web Services: Custom Action Protocol does not reference the supportedCapabilities rootDSE attribute.

<16> Section 3.1.4.2.1: Microsoft implementations of Active Directory Web Services: Custom Action Protocol populate the GroupScope element with Universal if group!groupType is not set, cannot be read, or does not contain one of the values in the table in section 3.1.4.2.1. For example, if group!groupType contains GROUP_TYPE_APP_BASIC_GROUP, then the GroupScope element is set to Universal instead of Unknown.

<17> Section 3.1.4.2.1: Microsoft implementations of Active Directory Web Services: Custom Action Protocol populate the GroupType element with Distribution if group!groupType is not set or cannot be read.
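The following Python is an added example, not code from [MS-ADCAP] or from Windows; it applies the fallbacks in notes <16> and <17> to a raw groupType value. The flag constants are the groupType bits defined in [MS-ADTS] section 2.2.12; the mapping of those bits to the GroupScope names Global, DomainLocal and Universal, and to the GroupType names Security and Distribution, is this example's assumption about the table in section 3.1.4.2.1, which is not reproduced on this page. The sample groupType values are constructed.

```python
from typing import Optional, Tuple

# groupType bits, from [MS-ADTS] section 2.2.12 (not reproduced on this page)
GROUP_TYPE_ACCOUNT_GROUP = 0x00000002      # global group
GROUP_TYPE_RESOURCE_GROUP = 0x00000004     # domain local group
GROUP_TYPE_UNIVERSAL_GROUP = 0x00000008    # universal group
GROUP_TYPE_APP_BASIC_GROUP = 0x00000010    # AzMan basic group, carries no directory scope
GROUP_TYPE_APP_QUERY_GROUP = 0x00000020    # AzMan query group, carries no directory scope
GROUP_TYPE_SECURITY_ENABLED = 0x80000000

# Assumed flag-to-name mapping for the table in section 3.1.4.2.1.
SCOPE_BY_FLAG = {
    GROUP_TYPE_ACCOUNT_GROUP: "Global",
    GROUP_TYPE_RESOURCE_GROUP: "DomainLocal",
    GROUP_TYPE_UNIVERSAL_GROUP: "Universal",
}


def normalize_group_type(raw: int) -> int:
    """groupType is stored as a signed 32-bit integer; view it as an unsigned bit mask."""
    return raw & 0xFFFFFFFF


def group_scope(group_type: Optional[int]) -> str:
    """Note <16>: absent, unreadable, or unrecognised groupType yields Universal, never Unknown."""
    if group_type is None:            # attribute not set or could not be read
        return "Universal"
    bits = normalize_group_type(group_type)
    for flag, scope in SCOPE_BY_FLAG.items():
        if bits & flag:
            return scope
    return "Universal"                # e.g. GROUP_TYPE_APP_BASIC_GROUP on its own


def group_kind(group_type: Optional[int]) -> str:
    """Note <17>: absent or unreadable groupType yields Distribution."""
    if group_type is None:
        return "Distribution"
    if normalize_group_type(group_type) & GROUP_TYPE_SECURITY_ENABLED:
        return "Security"
    return "Distribution"


def describe_group(group_type: Optional[int]) -> Tuple[str, str]:
    """Return the (GroupScope, GroupType) pair the two elements would carry."""
    return group_scope(group_type), group_kind(group_type)


# Constructed sample values, in the signed 32-bit form LDAP returns them.
SAMPLES = {
    "Domain Admins": -2147483646,    # 0x80000002: security-enabled global group
    "Print Operators": -2147483643,  # 0x80000005: security-enabled builtin domain local group
    "All Staff": 8,                  # 0x00000008: universal distribution group
    "AzMan Basic": 16,               # 0x00000010: APP_BASIC, no scope bit at all
    "unreadable": None,              # attribute missing or not readable
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:16s} groupType={raw!s:12s} -> {describe_group(raw)}")
```

The point of the normalisation step is that the security-enabled bit is the sign bit of the stored integer, so a naive `value & 0x80000000` on the negative number Python reads back from LDAP still works, but comparisons against the unsigned constants in other code paths do not; masking to 32 bits first keeps both consistent.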

<18> Section 3.3.4.1.8.6: In Microsoft implementations of Active Directory Web Services: Custom Action Protocol, if the client sends a request that the server is unable to perform because a directory attribute or attributes needed to complete the request are not present or cannot be read, then the fault returned is as specified in section 3.3.4.1.8.2.

<19> Section 3.3.4.2.8.3: Microsoft implementations of Active Directory Web Services: Custom Action Protocol will not return a fault with the reason "Multiple matching security principals were found". This is because it is not possible to have more than one security principal with the same distinguished name in these implementations.

<20> Section 3.3.4.3.8.3: Microsoft implementations of Active Directory Web Services: Custom Action Protocol will not return a fault with the reason "Multiple matching security principals were found". This is because it is not possible to have more than one security principal with the same distinguished name in these implementations.

<21> Section 3.3.4.3.8.5: In Microsoft implementations of Active Directory Web Services: Custom Action Protocol, if the client sends a request that the server is unable to perform because a directory attribute or attributes needed to complete the request are not present or cannot be read, then the fault returned is as specified in section 3.3.4.3.8.2.

<22> Section 3.3.4.4.2.6: In the Windows Server 2008 R2 implementation of Active Directory Web Services: Custom Action Protocol, the ResourceContextServer element does not include a port number.

<23> Section 3.3.4.4.8: In Microsoft implementations of Active Directory Web Services: Custom Action Protocol for Windows Server 2012 and later, if the client sends a request with the ResourceContextServer element but the server cannot determine whether the resource context server is an instance of AD DS or AD LDS, the server returns a SOAP fault with a GetADPrincipalGroupMembershipFault fault subcode.

The type of resource context server is determined in the following steps:

  1. By well-known port first.

     Port                                       | Resource context server type
     -------------------------------------------|-----------------------------------------------------------
     Specified but not 389, 636, 3268, or 3269  | AD LDS
     389, 636, 3268, or 3269                    | Query the given port for LDAP capabilities in the next step
     Not specified                              | Query port 389 for LDAP capabilities in the next step

  2. By querying for LDAP capabilities, as in [MS-ADTS] sections 3.1.1.3.2.20 and 3.1.1.3.4.3.

     The supported capabilities of AD DS and AD LDS are defined as the following.

     Capability Name                     | Resource context server type
     ------------------------------------|-----------------------------
     LDAP_CAP_ACTIVE_DIRECTORY_OID       | AD DS
     LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID  | AD LDS

The fault has the details that are specified in the following table.

Field     | Value
----------|-----------------------------------------------------------------
[Code]    | soapenv:Receiver
[Subcode] | GetADPrincipalGroupMembershipFault
[Action]  | http://schemas.microsoft.com/2008/1/ActiveDirectory/Data/fault
[Reason]  | The operation failed because of a bad parameter.
[Detail]  | The XML that follows.

 <soapenv:Detail>
     <GetADPrincipalGroupMembershipFault
       xmlns="http://schemas.microsoft.com/2008/1/ActiveDirectory/CustomActions"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
       <ArgumentError xsi:nil="true"></ArgumentError>
       <DirectoryError xsi:nil="true"></DirectoryError>
       <Error>...</Error>
       <ShortError>...</ShortError>
     </GetADPrincipalGroupMembershipFault>
 </soapenv:Detail>
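The two-step classification in note <23>, followed by the fault detail in the shape shown above when neither step can decide, as an added Python example (not code from [MS-ADCAP] or from Windows). The host names, the rootDSE contents and the Error text are constructed for this example; the ShortError value is a labelled placeholder because the page elides it; the capability OIDs are the values defined in [MS-ADTS] section 3.1.1.3.4.3, which this page only names; the SOAP 1.2 envelope namespace behind the soapenv prefix is assumed from note <3>. The code builds and parses bytes only; it does not open a connection.

```python
import xml.etree.ElementTree as ET
from typing import Callable, Iterable, Optional, Tuple

# Capability OIDs from [MS-ADTS] section 3.1.1.3.4.3 (this page names them but does not list the values).
LDAP_CAP_ACTIVE_DIRECTORY_OID = "1.2.840.113556.1.4.800"        # AD DS
LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID = "1.2.840.113556.1.4.1851"  # AD LDS
WELL_KNOWN_PORTS = {389, 636, 3268, 3269}

CA_NS = "http://schemas.microsoft.com/2008/1/ActiveDirectory/CustomActions"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
SOAPENV_NS = "http://www.w3.org/2003/05/soap-envelope"   # assumed: SOAP 1.2 envelope, per note <3>
FAULT_ACTION = "http://schemas.microsoft.com/2008/1/ActiveDirectory/Data/fault"
SHORT_ERROR_PLACEHOLDER = "PLACEHOLDER_SHORT_ERROR"       # the real token is elided ("...") on this page


class ResourceContextServerFault(Exception):
    """Stands in for the SOAP fault with subcode GetADPrincipalGroupMembershipFault."""
    code = "soapenv:Receiver"
    subcode = "GetADPrincipalGroupMembershipFault"
    reason = "The operation failed because of a bad parameter."


def parse_resource_context_server(value: str) -> Tuple[str, Optional[int]]:
    """Split 'host' or 'host:port'; IPv6 literals are out of scope for this example."""
    host, sep, port = value.rpartition(":")
    if not sep:
        return value, None
    if not port.isdigit():
        raise ResourceContextServerFault(f"port is not numeric in {value!r}")  # constructed Error text
    return host, int(port)


def classify_resource_context_server(
        value: str, query_capabilities: Callable[[str, int], Iterable[str]]) -> str:
    host, port = parse_resource_context_server(value)
    # Step 1: any port other than the four well-known ones is AD LDS; no query is made.
    if port is not None and port not in WELL_KNOWN_PORTS:
        return "AD LDS"
    # Step 2: read rootDSE supportedCapabilities on the given port, or on 389 when none was given.
    probe_port = 389 if port is None else port
    caps = set(query_capabilities(host, probe_port))
    if LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID in caps:
        return "AD LDS"
    if LDAP_CAP_ACTIVE_DIRECTORY_OID in caps:
        return "AD DS"
    raise ResourceContextServerFault(
        f"{host}:{probe_port} advertises neither the AD DS nor the AD LDS capability")  # constructed


def build_fault_detail(error_text: str, short_error: str) -> bytes:
    """Serialise the soapenv:Detail element in the shape note <23> shows."""
    ET.register_namespace("soapenv", SOAPENV_NS)
    ET.register_namespace("xsi", XSI_NS)
    detail = ET.Element(f"{{{SOAPENV_NS}}}Detail")
    fault = ET.SubElement(detail, f"{{{CA_NS}}}GetADPrincipalGroupMembershipFault")
    for name in ("ArgumentError", "DirectoryError"):
        ET.SubElement(fault, f"{{{CA_NS}}}{name}").set(f"{{{XSI_NS}}}nil", "true")
    ET.SubElement(fault, f"{{{CA_NS}}}Error").text = error_text
    ET.SubElement(fault, f"{{{CA_NS}}}ShortError").text = short_error
    return ET.tostring(detail, default_namespace=CA_NS)


def read_fault_detail(xml_bytes: bytes) -> dict:
    """Client-side view: map each child of the fault element to its text, or None when xsi:nil."""
    root = ET.fromstring(xml_bytes)
    fault = root.find(f"{{{CA_NS}}}GetADPrincipalGroupMembershipFault")
    result = {}
    for child in fault:
        local_name = child.tag.split("}", 1)[1]
        result[local_name] = None if child.get(f"{{{XSI_NS}}}nil") == "true" else child.text
    return result


def resolve_or_fault(value: str, query_capabilities) -> Tuple[Optional[str], Optional[bytes]]:
    """Return (server type, None) on success or (None, fault detail bytes) on failure."""
    try:
        return classify_resource_context_server(value, query_capabilities), None
    except ResourceContextServerFault as exc:
        return None, build_fault_detail(str(exc), SHORT_ERROR_PLACEHOLDER)


# Constructed rootDSE contents standing in for the LDAP query of step 2.
CONSTRUCTED_ROOTDSE = {
    ("dc01.example.com", 389): [LDAP_CAP_ACTIVE_DIRECTORY_OID],
    ("dc01.example.com", 3268): [LDAP_CAP_ACTIVE_DIRECTORY_OID],
    ("lds01.example.com", 636): [LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID],
    ("openldap.example.com", 389): [],          # an LDAP server that is neither AD DS nor AD LDS
}


def constructed_query(host: str, port: int) -> list:
    return CONSTRUCTED_ROOTDSE.get((host, port), [])


if __name__ == "__main__":
    for server in ("dc01.example.com", "dc01.example.com:3268", "lds01.example.com:50000",
                   "lds01.example.com:636", "openldap.example.com"):
        kind, detail = resolve_or_fault(server, constructed_query)
        print(server, "->", kind if kind else read_fault_detail(detail))
```

The capability check tests the AD LDS OID before the AD DS OID only so that an instance advertising both would be reported as AD LDS; on real servers the two are mutually exclusive, so the order does not change the outcome.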

<24> Section 3.3.4.4.8: The Resource Context Server Format Error fault is not available in the Windows Server 2008 R2 implementation of Active Directory Web Services: Custom Action Protocol.

<25> Section 3.3.4.4.8.3: Microsoft implementations of Active Directory Web Services: Custom Action Protocol will not return a fault with the reason "Multiple matching security principals were found". This is because it is not possible to have more than one security principal with the same distinguished name in these implementations.

<26> Section 3.3.4.4.8.6: In Microsoft implementations of Active Directory Web Services: Custom Action Protocol, if the client sends a request that the server is unable to perform because a directory attribute or attributes needed to complete the request are not present or cannot be read, then the fault returned is as specified in the second fault defined in section 3.3.4.4.8.2.

<27> Section 3.3.4.4.8.9: The Resource Context Server Format Error fault is not available in the Windows Server 2008 R2 implementation of Active Directory Web Services: Custom Action Protocol.

<28> Section 3.3.4.5.8.6: In Microsoft implementations of Active Directory Web Services: Custom Action Protocol, if the client sends a request that the server is unable to perform because a directory attribute or attributes needed to complete the request are not present or cannot be read, then the fault returned is as specified in section 3.3.4.5.8.2.

<29> Section 3.4.4.2.3.1.3: No Microsoft implementations of Active Directory Web Services: Custom Action Protocol have any specific logic to choose from multiple values of any dnsRoot attribute. If the dnsRoot attribute has more than a single value, the Microsoft implementations of Active Directory Web Services: Custom Action Protocol choose a single value randomly from the set of values.

<30> Section 3.4.4.2.3.1.4: No Microsoft implementations of Active Directory Web Services: Custom Action Protocol have any specific logic to choose from multiple values of any wellKnownObjects attribute. If the wellKnownObjects attribute has more than a single value which satisfies the requirements given in section 3.4.4.2.3.1.4, the Microsoft implementations of Active Directory Web Services: Custom Action Protocol choose a single value randomly from the set of values meeting the requirements.

<31> Section 3.4.4.2.3.1.5: No Microsoft implementations of Active Directory Web Services: Custom Action Protocol have any specific logic to choose from multiple values of any wellKnownObjects attribute. If the wellKnownObjects attribute has more than a single value which satisfies the requirements given in section 3.4.4.2.3.1.5, the Microsoft implementations of Active Directory Web Services: Custom Action Protocol choose a single value randomly from the set of values meeting the requirements.

<32> Section 3.4.4.2.3.1.8: No Microsoft implementations of Active Directory Web Services: Custom Action Protocol have any specific logic to choose from multiple values of any wellKnownObjects attribute. If the wellKnownObjects attribute has more than a single value which satisfies the requirements given in section 3.4.4.2.3.1.8, the Microsoft implementations of Active Directory Web Services: Custom Action Protocol choose a single value randomly from the set of values meeting the requirements.

<33> Section 3.4.4.2.3.1.9: No Microsoft implementations of Active Directory Web Services: Custom Action Protocol have any specific logic to choose from multiple crossRef objects which satisfy the requirements given in section 3.4.4.2.3.1.9. If multiple crossRef objects satisfy these requirements, the Microsoft implementations of Active Directory Web Services: Custom Action Protocol choose a single object randomly from the set of objects meeting the requirements.

<34> Section 3.4.4.2.3.1.9: No Microsoft implementations of Active Directory Web Services: Custom Action Protocol have any specific logic to choose from multiple values of any wellKnownObjects attribute. If the wellKnownObjects attribute has more than a single value that satisfies the requirements given in section 3.4.4.2.3.2.1, the Microsoft implementations of Active Directory Web Services: Custom Action Protocol choose a single value randomly from the set of values meeting the requirements.

<35> Section 3.4.4.2.3.1.11: Microsoft implementations of Active Directory Web Services: Custom Action Protocol omit the time items (hours, minutes, seconds) and the "T" designator from the response when all are zero, as is permitted for xs:duration ([XMLSCHEMA2]).

<36> Section 3.4.4.2.3.1.13: No Microsoft implementations of Active Directory Web Services: Custom Action Protocol have any specific logic to choose from multiple crossRef objects which satisfy the requirements given in section 3.4.4.2.3.1.13. If multiple crossRef objects satisfy these requirements, the Microsoft implementations of Active Directory Web Services: Custom Action Protocol choose a single object randomly from the set of objects meeting the requirements.

<37> Section 3.4.4.2.3.1.14: No Microsoft implementations of Active Directory Web Services: Custom Action Protocol have any specific logic to choose from multiple crossRef objects that satisfy the requirements given in section 3.4.4.2.3.1.14. If multiple crossRef objects satisfy these requirements, the Microsoft implementations of Active Directory Web Services: Custom Action Protocol choose a single object randomly from the set of objects meeting the requirements.

<38> Section 3.4.4.2.3.1.14: No Microsoft implementations of Active Directory Web Services: Custom Action Protocol have any specific logic to choose from multiple values of any dnsRoot attribute. If the dnsRoot attribute has more than a single value, the Microsoft implementations of Active Directory Web Services: Custom Action Protocol choose a single value randomly from the set of values.

<39> Section 3.4.4.2.3.1.17: No Microsoft implementations of Active Directory Web Services: Custom Action Protocol have any specific logic to choose from multiple values of any wellKnownObjects attribute. If the wellKnownObjects attribute has more than a single value which satisfies the requirements given in section 3.4.4.2.3.1.17, the Microsoft implementations of Active Directory Web Services: Custom Action Protocol choose a single value randomly from the set of values meeting the requirements.

<40> Section 3.4.4.2.3.1.18: No Microsoft implementations of Active Directory Web Services: Custom Action Protocol have any specific logic to choose from multiple values of any wellKnownObjects attribute. If the wellKnownObjects attribute has more than a single value which satisfies the requirements given in section 3.4.4.2.3.1.18, the Microsoft implementations of Active Directory Web Services: Custom Action Protocol choose a single value randomly from the set of values meeting the requirements.

<41> Section 3.4.4.2.3.2.1: No Microsoft implementations of Active Directory Web Services: Custom Action Protocol have any specific logic to choose from multiple values of any wellKnownObjects attribute. If the wellKnownObjects attribute has more than a single value which satisfies the requirements given in section 3.4.4.2.3.2.1, the Microsoft implementations of Active Directory Web Services: Custom Action Protocol choose a single value randomly from the set of values meeting the requirements.

<42> Section 3.4.4.2.3.2.3: No Microsoft implementations of the Active Directory Web Services: Custom Action Protocol have any specific logic to choose from multiple crossRef objects that satisfy the requirements given in section 3.4.4.2.3.2.3. If multiple crossRef objects satisfy these requirements, the Microsoft implementations of the Active Directory Web Services: Custom Action Protocol choose a single object randomly from the set of objects meeting the requirements.

<43> Section 3.4.4.2.3.2.3: No Microsoft implementations of the Active Directory Web Services: Custom Action Protocol have any specific logic to choose from multiple values of any dnsRoot attribute. If the dnsRoot attribute has more than a single value, the Microsoft implementations of the Active Directory Web Services: Custom Action Protocol choose a single value randomly from the set of values.

<44> Section 3.4.4.2.3.2.4: No Microsoft implementations of Active Directory Web Services: Custom Action Protocol have any specific logic to choose from multiple values of any wellKnownObjects attribute. If the wellKnownObjects attribute has more than a single value which satisfies the requirements given in section 3.4.4.2.3.2.4, the Microsoft implementations of Active Directory Web Services: Custom Action Protocol choose a single value randomly from the set of values meeting the requirements.

<45> Section 3.4.4.2.3.2.10: No Microsoft implementations of Active Directory Web Services: Custom Action Protocol have any specific logic to choose from multiple values of any wellKnownObjects attribute. If the wellKnownObjects attribute has more than a single value which satisfies the requirements given in section 3.4.4.2.3.2.10, the Microsoft implementations of Active Directory Web Services: Custom Action Protocol choose a single value randomly from the set of values meeting the requirements.

<46> Section 3.4.4.2.8.2: In Microsoft implementations of Active Directory Web Services: Custom Action Protocol, if the client sends a request that the server is unable to perform because a directory attribute or attributes needed to complete the request are not present or cannot be read, then the following fault is returned.

Field     | Value
----------|-----------------------------------------------------------------
[Code]    | soapenv:Sender
[Subcode] | GetADDomainFault
[Action]  | http://schemas.microsoft.com/2008/1/ActiveDirectory/Data/fault
[Reason]  | The operation failed because of a bad parameter.
[Detail]  | The XML that follows.

 <soapenv:Detail>
     <GetADDomainFault
       xmlns="http://schemas.microsoft.com/2008/1/ActiveDirectory/CustomActions"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
       <ArgumentError xsi:nil="true"></ArgumentError>
       <DirectoryError xsi:nil="true"></DirectoryError>
       <Error>...</Error>
       <ShortError>...</ShortError>
     </GetADDomainFault>
 </soapenv:Detail>

<47> Section 3.4.4.3.3.2.4: No Microsoft implementations of the Active Directory Web Services: Custom Action Protocol have any specific logic to choose from multiple values of any dnsRoot attribute. If the dnsRoot attribute has more than a single value, the Microsoft implementations of the Active Directory Web Services: Custom Action Protocol choose a single value randomly from the set of values.

<48> Section 3.4.4.3.8.3: In Microsoft implementations of Active Directory Web Services: Custom Action Protocol, if the client sends a request that the server is unable to perform because a directory attribute or attributes needed to complete the request are not present or cannot be read, then the fault returned is as specified in section 3.4.4.3.8.2.

<49> Section 3.4.4.4.3.1.4: No Microsoft implementations of Active Directory Web Services: Custom Action Protocol have any specific logic to choose from multiple values of any dnsRoot attribute. If the dnsRoot attribute has more than a single value, the Microsoft implementations of Active Directory Web Services: Custom Action Protocol choose a single value randomly from the set of values.

<50> Section 3.4.4.4.3.1.7: No Microsoft implementations of Active Directory Web Services: Custom Action Protocol have any specific logic to choose from multiple crossRef objects which satisfy the requirements given in section 3.4.4.4.3.1.7. If multiple crossRef objects satisfy these requirements, the Microsoft implementations of Active Directory Web Services: Custom Action Protocol choose a single object randomly from the set of objects meeting the requirements.

<51> Section 3.4.4.4.3.1.7: No Microsoft implementations of Active Directory Web Services: Custom Action Protocol have any specific logic to choose from multiple values of any dnsRoot attribute. If the dnsRoot attribute has more than a single value, the Microsoft implementations of Active Directory Web Services: Custom Action Protocol choose a single value randomly from the set of values.

<52> Section 3.4.4.4.8.2: In Microsoft implementations of Active Directory Web Services: Custom Action Protocol, if the client sends a request that the server is unable to perform because a directory attribute or attributes needed to complete the request are not present or cannot be read, then the following fault is returned.

Field     | Value
----------|-----------------------------------------------------------------
[Code]    | soapenv:Receiver
[Subcode] | GetADForestFault
[Action]  | http://schemas.microsoft.com/2008/1/ActiveDirectory/Data/fault
[Reason]  | Active Directory returned an error processing the operation.
[Detail]  | The XML that follows.

 <soapenv:Detail>
     <GetADForestFault
       xmlns="http://schemas.microsoft.com/2008/1/ActiveDirectory/CustomActions"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
       <ArgumentError xsi:nil="true"></ArgumentError>
       <DirectoryError xsi:nil="true"></DirectoryError>
       <Error>...</Error>
       <ShortError>...</ShortError>
     </GetADForestFault>
 </soapenv:Detail>

<53> Section 3.4.4.5.1.3: The TopologyManagement_GetVersion_GetVersionFault_FaultMessage message is not returned by this protocol.

<54> Section 3.4.4.5.2.4: The VersionMajor levels are available in product versions as indicated by the following table.

Value | Available in product version
------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
1     | Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server operating system, Windows Server 2019, and Active Directory Management Gateway Service

<55> Section 3.4.4.5.2.5: The VersionMinor levels are available in product versions as indicated by the following table.

Value | Available in product version
------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
1     | Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server operating system, Windows Server 2019, and Active Directory Management Gateway Service

<56> Section 3.4.4.5.2.6: The VersionString values are available in product versions as indicated by the following table.

Value                                 | Available in product version
--------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
"Active Directory Web Services v1.1"  | Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server operating system, Windows Server 2019, and Active Directory Management Gateway Service

<57> Section 3.4.4.6: In Microsoft implementations of Active Directory Web Services: Custom Action Protocol, if the server is an RODC, then the server attempts (and always fails) to remotely write the new role owner before returning the failure described in section 3.4.4.6.8.4. The remote server is a DC that holds a writable replica of the NC that the object specified in section 3.4.4.6.2.3.2 is in. The remote write is performed using the LDAP protocol (as specified in [RFC2251]) as follows.

The server first creates a TCP connection to the remote DC on port 389. Then the server binds to the DC using an LDAP bind operation ([RFC2251] section 4.2) with the version parameter set to 3, the name parameter set to NULL, and the authentication set to SASL ([MS-ADTS] section 5.1.1.1.2). The mechanism field of the SaslCredentials in the bind request is set to GSS-SPNEGO ([MS-SPNG]), and the credentials field contains the client's credentials. On success, the server attempts to modify an object using an LDAP modify operation ([RFC2251] section 4.6). The object parameter of this operation is set to the DN of the object specified in section 3.4.4.6.2.3.2 for the FSMO role to be seized. The operation field specifies the replace operation, the type parameter is set to fSMORoleOwner, and the vals parameter is set to the DN of the nTDSDSA object of the new role owner.

Any error returned from any of these steps other than the final modify operation results in the server returning a SOAP fault as described in section 3.4.4.6.8.5. Note that the final remote modify always fails, as specified in [MS-ADTS] section 3.1.1.5.3.2 (fSMORoleOwner attribute modification constraint), and the server then always returns the fault described in section 3.4.4.6.8.4. The Active Directory Web Services: Custom Action Protocol requires only that the seizure of the role fails with the appropriate fault when the server is an RODC, not that the remote modification is attempted. Microsoft implementations of Active Directory Web Services: Custom Action Protocol fail the seizure only after attempting this remote write (which itself always fails), instead of failing directly.
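The two LDAP messages that note <57> describes, hand-encoded in BER according to [RFC2251], as an added Python example (not code from [MS-ADCAP] or from Windows): a SASL GSS-SPNEGO bind with version 3 and a NULL name, and a modify that replaces fSMORoleOwner with the DN of the new owner's nTDSDSA object. The DNs, the message IDs and the SPNEGO token bytes are constructed placeholders (a real token comes from the SPNEGO exchange, not from this code), and the NULL name is encoded as the empty DN, which is its wire form. The code only produces and inspects bytes; it does not connect to anything, and it is useful mainly for recognising these two messages in a capture of an RODC that is failing a seizure the way the note describes.

```python
OBJECT_DN = "CN=Infrastructure,DC=example,DC=com"      # constructed: the role object for one FSMO role
NEW_OWNER_DN = ("CN=NTDS Settings,CN=DC02,CN=Servers,CN=Site1,CN=Sites,"
                "CN=Configuration,DC=example,DC=com")  # constructed: nTDSDSA object of the new owner
SPNEGO_TOKEN_PLACEHOLDER = b"placeholder-spnego-token"  # constructed, not a real token


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x8N + N big-endian bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def octet_string(value) -> bytes:
    if isinstance(value, str):
        value = value.encode("utf-8")
    return tlv(0x04, value)


def integer(n: int) -> bytes:
    """Non-negative INTEGER (message IDs, protocol version); a leading 0x00 keeps the sign bit clear."""
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def enumerated(n: int) -> bytes:
    return tlv(0x0A, bytes([n]))


def sequence(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))


def set_of(*items: bytes) -> bytes:
    return tlv(0x31, b"".join(items))


def bind_request(message_id: int, spnego_token: bytes) -> bytes:
    # BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER, name LDAPDN, authentication [3] SaslCredentials }
    # SaslCredentials ::= SEQUENCE { mechanism LDAPString, credentials OCTET STRING OPTIONAL }
    sasl = tlv(0xA3, octet_string("GSS-SPNEGO") + octet_string(spnego_token))
    op = tlv(0x60, integer(3) + octet_string("") + sasl)   # version 3, empty (NULL) name
    return sequence(integer(message_id), op)               # LDAPMessage { messageID, protocolOp }


def modify_request(message_id: int, object_dn: str, new_owner_ntdsdsa_dn: str) -> bytes:
    # ModifyRequest ::= [APPLICATION 6] SEQUENCE { object LDAPDN, modification SEQUENCE OF SEQUENCE {
    #     operation ENUMERATED { add(0), delete(1), replace(2) },
    #     modification SEQUENCE { type AttributeDescription, vals SET OF AttributeValue } } }
    attr = sequence(octet_string("fSMORoleOwner"), set_of(octet_string(new_owner_ntdsdsa_dn)))
    change = sequence(enumerated(2), attr)                 # replace
    op = tlv(0x66, octet_string(object_dn) + sequence(change))
    return sequence(integer(message_id), op)


def parse_tlv(buf: bytes):
    """Split one BER element into (tag, content, remaining bytes); enough to walk these messages."""
    tag, first = buf[0], buf[1]
    if first < 0x80:
        length, offset = first, 2
    else:
        n = first & 0x7F
        length, offset = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    return tag, buf[offset:offset + length], buf[offset + length:]


if __name__ == "__main__":
    print("bind   :", bind_request(1, SPNEGO_TOKEN_PLACEHOLDER).hex())
    print("modify :", modify_request(2, OBJECT_DN, NEW_OWNER_DN).hex())
```

Walking the modify message with `parse_tlv` shows the structure the note spells out: the outer SEQUENCE, the messageID, then the APPLICATION 6 element whose first child is the role object's DN and whose second child holds the single replace change for fSMORoleOwner.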