6.3.3.2 Domain Controller Response to an LDAP Ping

  • Article

msdn link

Let reqGuidNC be set as follows:

  • If the filter does not include the (DomainGuid=domainGuid) clause, reqGuidNC is set to NULL.

  • If the filter includes the (DomainGuid=domainGuid) clause:

    • If domainGuid is not a valid GUID, the response of the DC is documented in section 6.3.3.3.

    • If there is no NC hosted by the server whose GUID is domainGuid, the response of the DC is documented in section 6.3.3.3.

    • Otherwise, reqGuidNC is set to the NC hosted by the server whose GUID is domainGuid.

Let reqDnsNC be set as follows:

  • If the filter does not include the (DnsDomain=dnsDomain) clause:

    • If reqGuidNC is NULL, reqDnsNC is set to the default NC hosted by the server.

    • If reqGuidNC is not NULL, reqDnsNC is set to NULL.

  • If the filter includes the (DnsDomain=dnsDomain) clause:

    • If dnsDomain is empty, the response of the DC is documented in section 6.3.3.3.

    • If there is no NC hosted by the server whose DNS name is dnsDomain, the response of the DC is documented in section 6.3.3.3.

    • Otherwise, reqDnsNC is set to the NC hosted by the server whose DNS name is dnsDomain.

Let reqNCUsed be set as follows:

  • If reqGuidNC is NULL, then reqNCUsed is set to reqDnsNC.

  • If reqDnsNC is NULL, then reqNCUsed is set to reqGuidNC.

  • If neither reqGuidNC nor reqDnsNC are NULL, then reqNCUsed is set to either reqGuidNC or reqDnsNC. The protocol does not specify which value is used, nor that a DC is consistent in which value is used.

Let reqSidNC be set as follows:

  • If the filter does not include the (DomainSid=domainSid) clause, reqSidNC is set to NULL.

  • If the filter includes the (DomainSid=domainSid) clause:

    • If domainSid is not a valid sid, the response of the DC is documented in section 6.3.3.3.

    • If there is no NC hosted by the server whose Sid is domainSid, the response of the DC is documented in section 6.3.3.3.

    • If domainSid is not equal to the SID of NC reqNCUsed, the response of the DC is documented in section 6.3.3.3.

    • Otherwise, reqSidNC is set to the NC hosted by the server whose SID is domainSid.

Let u be set as follows:

  • If the filter does not include the (User=user) clause, then u is set to NULL.

  • If filter includes the (User=user) clause, then u is set to the supplied value.

Let x be as follows:

  • Let y be an object in NC reqNCUsed where y!sAMAccountName = u.

    • If there is no such object y, then x is set to NULL.

    • If there is an object y, x is set as:

      • Let aac be set as follows:

        • If the filter does not include the (AAC=aac) clause, then aac is set to 0.

        • If filter includes the (AAC = aac) clause, then aac is set to the supplied value.

      • Let uac be set to y!userAccountControl.

        • If uac has the USER_ACCOUNT_DISABLED ([MS-SAMR] section 2.2.1.12) bit set, then let x be equal to NULL.

        • If (aac & uac & USER_TEMP_DUPLICATE_ACCOUNT | USER_NORMAL_ACCOUNT | USER_INTERDOMAIN_TRUST_ACCOUNT | USER_WORKSTATION_TRUST_ACCOUNT | USER_SERVER_TRUST_ACCOUNT [MS-SAMR] section 2.2.1.12) is zero, then let x be equal to NULL. The effect of doing this is so that the server only checks USER_TEMP_DUPLICATE_ACCOUNT | USER_NORMAL_ACCOUNT | USER_INTERDOMAIN_TRUST_ACCOUNT | USER_WORKSTATION_TRUST_ACCOUNT | USER_SERVER_TRUST_ACCOUNT bits.

        • Otherwise, set x to y.

Let s be set as follows:

  • If there is only one site object in the Sites Container (section 6.1.1.2.2), set s to the name of that site.

  • If there are multiple site objects in the Sites Container, let sno be a subnet object in the Subnets Container (section 6.1.1.2.2.2) where sno!name represents the range of IP addresses, which includes the client's IP address (see section 6.1.1.2.2.2.1).

    • If there is no such object sno, then s is set to NULL.

    • If there is an object sno, s is set as follows:

      • If sno!siteObject has a value, let so be the site object referred to by this attribute value  (see section 6.1.1.2.2.2.1). Set s to so!name.

      • If sno!siteObject does not contain a value, set s to NULL.

Note In Windows, the server computes the client's IP address from the client's socket address. If the NtVer filter element has the NETLOGON_NT_VERSION_5EX or NETLOGON_NT_VERSION_5EX_WITH_IP bit set, and if the client's site cannot be computed from the client's socket address, then the server computes the client's IP address by using either the FQDN (2) of the client, which is found in the DnsHostName filter element (if present), or the NetBIOS name of the client, which is found in the Host filter element (section 6.3.3). The server then uses the IP address to determine the site.

Let v be the NtVer requested by the client in the search filter.

  • If the server is configured to respond to ping requests in the form of a NETLOGON_SAM_LOGON_RESPONSE_NT40 structure, and v does not have the NETLOGON_NT_VERSION_AVOID_NT4EMUL bit set (section 6.3.1.1), the server uses the NETLOGON_SAM_LOGON_RESPONSE_NT40 structure to send the response.

  • Else, if v has the NETLOGON_NT_VERSION_5EX or NETLOGON_NT_VERSION_5EX_WITH_IP bit set, the server uses the NETLOGON_SAM_LOGON_RESPONSE_EX structure to send the response.

  • Else, if v has the NETLOGON_NT_VERSION_5 bit set, the server uses the NETLOGON_SAM_LOGON_RESPONSE structure to send the response.

  • For all other cases, the server uses the NETLOGON_SAM_LOGON_RESPONSE_NT40 structure to send the response.

Let t be set as follows:

  • When the Netlogon service is in a paused state, if v does not have the NETLOGON_NT_VERSION_PDC bit set or the server is not a PDC, let t be 1.

  • If the value of rootDSE attribute isSynchronized (see section 3.1.1.3) is FALSE, let t be 1.

  • When the Netlogon RPC server is not initialized, if v does not have the NETLOGON_NT_VERSION_LOCAL bit set, let t be 1.

  • If the FRS service is in a paused state, let t be 1.

  • Otherwise, let t be 0.

After the preceding processing has occurred, if the server has not responded to an invalid filter (as documented in section 6.3.3.3), the server returns an LDAP SearchResultEntry to the client with the following form:

  • The ObjectName of the SearchResultEntry is NULL and the attribute list contains one attribute. This attribute is named "Netlogon" and its value is a little-endian octet string packed in NETLOGON_SAM_LOGON_RESPONSE_EX, NETLOGON_SAM_LOGON_RESPONSE, or NETLOGON_SAM_LOGON_RESPONSE_NT40, depending on value v.

    • If the server uses NETLOGON_SAM_LOGON_RESPONSE_EX to pack the value, it does the following:

      OperationCode: Set to LOGON_SAM_PAUSE_RESPONSE_EX if t is equal to 1. Set to LOGON_SAM_USER_UNKNOWN_EX if u is not NULL, but x is NULL. Set to LOGON_SAM_LOGON_RESPONSE_EX in other cases.

      Flags:

      Bit values are taken from DS_FLAGS in section 6.3.1.2.

      • If the server holds the PDC FSMO role (see section 3.1.1.1.11), the DS_PDC_FLAG bit is set.

      • If the server is a global catalog server, the DS_GC_FLAG bit is set. This bit is set if and only if the isGlobalCatalogReady attribute on the rootDSE is TRUE (see section 3.1.1.3.2.10).

      • If the server is a KDC, the DS_KDC_FLAG bit is set.

      • If the server is running the Win32 Time Service, as specified in [MS-W32T] and indicated by bit field A in the ServiceBits flag in the NetLogon Remote Protocol ([MS-NRPC] section 3.5.1), the DS_TIMESERV_FLAG bit is set.

      • If the server is in the same site as the client, the DS_CLOSEST_FLAG bit is set.

      • If the server is not an RODC, the DS_WRITABLE_FLAG bit is set. [MS-DRSR] section 5.7, AmIRODC, explains how to determine if a DC is an RODC.

      • If the server is configured to be a reliable time source (the way in which the configuration can be done is outside the scope of the state model and is implementation-dependent) as indicated by bit field B in the ServiceBits flag in the NetLogon Remote Protocol ([MS-NRPC] section 3.5.1), the DS_GOOD_TIMESERV_FLAG bit is set.

      • If the DnsDomain value specified in the search filter is an application NC, the DS_NDNC_FLAG bit is set.

      • If the server is an RODC, the DS_SELECT_SECRET_DOMAIN_6_FLAG bit is set.

      • If the server is a writable DC and not running Windows 2000 Server operating system, Windows Server 2003 operating system, or Windows Server 2003 R2 operating system, the DS_FULL_SECRET_DOMAIN_6_FLAG bit is set.

      • If the server is running the Active Directory Web Service, as specified in [MS-ADDM] and indicated by the bit field C in the ServiceBits flag in the Netlogon Remote Protocol ([MS-NRPC] section 3.5.1), the DS_WS_FLAG bit is set.

      • If the server is running Windows Server 2012 operating system or later, the DS_DS_8_FLAG bit is set.

      • If the server is running Windows Server 2012 R2 operating system or later, the DS_DS_9_FLAG bit is set.

      • Always set the DS_LDAP_FLAG and DS_DS_FLAG bits.

      • All the other bits of DS_FLAG are set to 0.

        DomainGuid: Set to the GUID of NC reqNCUsed.

        DnsForestName: Set to the DNS name of the forest.

        DnsDomainName: Set to the DNS name of the NC reqNCUsed.

        DnsHostName: Set to the DNS name of the server.

        NetbiosDomainName: Set to the NetBIOS name of the NC reqNCUsed.

        NetbiosComputerName: Set to the NetBIOS name of the server.

        UserName: Set to u.

        DcSiteName: Set to the site name of the server.

        ClientSiteName: Set to the site s.

        DcSockAddrSize: Set to the size of the server's IP address.

        SockAddr: Set to the IP address of the server.

        NextClosestSiteName: If v has NETLOGON_NT_VERSION_WITH_CLOSEST_SITE and the DC has DC functional level DS_BEHAVIOR_WIN2008 or greater, use IDL_DRSQuerySitesByCost ([MS-DRSR] section 4.1.16) to find the site C that is closest to ClientSiteName but not equal to ClientSiteName, and set this field to C. Otherwise omit this field.

        NtVersion: If the NextClosestSiteName field is set, set this field to {NETLOGON_NT_VERSION_1, NETLOGON_NT_VERSION_WITH_CLOSEST_SITE, NETLOGON_NT_VERSION_5EX}; otherwise set this field to {NETLOGON_NT_VERSION_1, NETLOGON_NT_VERSION_5EX}.

        LmNtToken: Always set to 0xFFFF.

        Lm20Token: Always set to 0xFFFF.

    • If the server uses NETLOGON_SAM_LOGON_RESPONSE to pack the value, it does the following:

      OperationCode: Set to LOGON_SAM_PAUSE_RESPONSE if t is equal to 1. Set to LOGON_SAM_USER_UNKNOWN if u is not NULL, but x is NULL. Set to LOGON_SAM_LOGON_RESPONSE in other cases.

      UnicodeLogonServer: Set to the NetBIOS name of the server.

      UnicodeUserName: Set to u.

      UnicodeDomainName: Set to the NetBIOS name of the domain.

      DomainGuid: Set to the GUID of the domain.

      SiteGuid: Always set to NULL GUID.

      DnsForestName: Set to the DNS name of the forest.

      DnsDomainName: Set to the DNS name of the domain.

      DnsHostName: Set to the DNS name of the server.

      DcIpAddress: Set to the IP address of the server.

      Flags: If the server is a PDC, bit DS_PDC_FLAG is set; bit DS_DS_FLAG is always set; all the other bits of DS_FLAG are set to 0.

      NtVersion: Set to NETLOGON_NT_VERSION_1 | NETLOGON_NT_VERSION_5.

      LmNtToken: Always set to 0xFFFF.

      Lm20Token: Always set to 0xFFFF.

    • If the server uses NETLOGON_SAM_LOGON_RESPONSE_NT40 to pack the value, it does the following:

      OperationCode: If t is 1, set to LOGON_SAM_PAUSE_RESPONSE. Else, if u is not NULL, but x is NULL, set to LOGON_SAM_USER_UNKNOWN. If none of the preceding conditions are met, set to LOGON_SAM_LOGON_RESPONSE.

      UnicodeLogonServer: Set to the NetBIOS name of the server.

      UnicodeUserName: Set to u.

      UnicodeDomainName: Set to the NetBIOS name of the domain.

      NtVersion: Set to NETLOGON_NT_VERSION_1.

      LmNtToken: Always set to 0xFFFF.

      Lm20Token: Always set to 0xFFFF.

LdapResult of SearchResultDone entry is set to 0 (success).