2.2.3.2 SPN for a Target DC in AD DS

Two different scenarios are possible when an AD DS DC wants to connect to another DC for a DRS protocol operation. The scenario determines how the DC constructs an SPN for the service it is using:

  • A DC wants to connect to a DC in a particular domain. The DC constructs the following SPN:

    • "<DRS interface GUID>/<DSA GUID>/<DNS domain name>"

  • A DC wants to connect to a GC server in the forest. The DC constructs the following SPN:

    • "GC/<DNS hostname>/<DNS forest name>"

In the preceding SPN descriptions:

  • "GC" is a literal string that represents a service class.

  • The forward slash ('/') is the literal separator between parts of the SPN.

  • <DRS interface GUID> is the fixed DRS RPC interface GUID, which has the well-known value of "E3514235-4B06-11D1-AB04-00C04FC2DCD2".

  • <DSA GUID> is the DSA GUID of the target DC.

  • <DNS domain name> is the FQDN (2) of the domain of the target DC.

  • <DNS hostname> is the DNS host name of the target DC.

  • <DNS forest name> is the FQDN of the forest of the target DC.

For example, the two SPNs that can be used for a DC named "dc1" with DSA GUID A5FF6869-AB5A-11D2-91E2-08002BA3ED3B in the contoso.com domain and forest are as follows:

  • "E3514235-4B06-11D1-AB04-00C04FC2DCD2/A5FF6869-AB5A-11D2-91E2-08002BA3ED3B/contoso.com"

  • "GC/dc1.contoso.com/contoso.com"

To allow mutual authentication to occur in DC-to-DC protocol operations, an AD DS RODC MUST store the form of SPN that begins with "GC/" as values of the servicePrincipalName attribute of the DC's computer object, but not the other form of SPN because that form of SPN is used for outbound replication. Other AD DS DCs MUST store both forms of SPN as values of the servicePrincipalName attribute of the DC's computer object. Additional forms that must be stored for client-to-DC protocol operations are described in section 2.2.4.2.
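As an added example that is not part of the specification, the following Python builds the two DC-to-DC SPN forms described above and audits a computer object's servicePrincipalName values against them, applying the RODC rule (only the "GC/" form) versus the writable-DC rule (both forms). The RODC host name and its DSA GUID used in the comments are constructed values.

```python
"""Build and audit the DC-to-DC SPNs of section 2.2.3.2 (added example)."""
import uuid

# Well-known DRS RPC interface GUID, as given in the specification text.
DRS_INTERFACE_GUID = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"


def expected_dc_spns(dsa_guid, dns_hostname, dns_domain, dns_forest, is_rodc):
    """Return the set of DC-to-DC SPNs the DC's computer object should carry.

    An RODC stores only the "GC/" form, since the DRS-interface form is
    used for outbound replication; a writable DC stores both forms.
    Parsing the GUID with uuid.UUID rejects malformed input early.
    """
    dsa = str(uuid.UUID(dsa_guid)).upper()
    gc_spn = f"GC/{dns_hostname}/{dns_forest}"
    drs_spn = f"{DRS_INTERFACE_GUID}/{dsa}/{dns_domain}"
    return {gc_spn} if is_rodc else {gc_spn, drs_spn}


def audit_dc_spns(stored_spns, expected_spns):
    """Compare stored servicePrincipalName values with the expected set.

    SPNs compare case-insensitively, so both sides are upper-cased. Only
    the two DC-to-DC forms are audited; client-to-DC forms (section
    2.2.4.2) and any other values are ignored. Returns the upper-cased
    SPNs that are missing and those that should not be present.
    """
    stored = {s.upper() for s in stored_spns}
    expected = {s.upper() for s in expected_spns}
    dc_to_dc = {s for s in stored
                if s.startswith("GC/") or s.startswith(DRS_INTERFACE_GUID + "/")}
    return {"missing": sorted(expected - dc_to_dc),
            "unexpected": sorted(dc_to_dc - expected)}


if __name__ == "__main__":
    # Writable DC from the specification's own example.
    want = expected_dc_spns("A5FF6869-AB5A-11D2-91E2-08002BA3ED3B",
                            "dc1.contoso.com", "contoso.com", "contoso.com", False)
    print(audit_dc_spns(want | {"ldap/dc1.contoso.com"}, want))
    # Constructed RODC "rodc1" that wrongly also stores the DRS-interface form.
    rodc_guid = "11111111-2222-3333-4444-555555555555"  # constructed
    want = expected_dc_spns(rodc_guid, "rodc1.contoso.com", "contoso.com", "contoso.com", True)
    stored = ["GC/rodc1.contoso.com/contoso.com",
              f"{DRS_INTERFACE_GUID}/{rodc_guid}/contoso.com"]
    print(audit_dc_spns(stored, want))
```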