2.2.4.2 SPN for a Target DC in AD DS

Three scenarios are possible when a client wants to connect to an AD DS DC for a DRS Remote Protocol operation:

  • A client wants to connect to a particular DC by using its host name, regardless of the domain it contains.

  • A client wants to connect to a DC in a particular domain.

  • A client wants to connect to a GC server (see [MS-ADTS] section 3.1.1.1.10) in the forest.

The scenario determines how the client constructs an SPN for the service it is using:

  • A client wants to connect to a particular DC by using its host name, regardless of the domain it contains. The client constructs any of the following three SPNs:

    • "ldap/<NetBIOS hostname>"

    • "ldap/<DNS hostname>"

    • "ldap/<DSA GUID based DNS hostname>"

      The SPN that a client constructs depends on the information that the client has available. For example, some clients have only a NetBIOS name for a DC, while others have only an Internet host name for a DC.

  • A client wants to connect to a DC in a particular domain. The client constructs any of the following three SPNs:

    • "ldap/<DNS hostname>/<NetBIOS domain name>"

    • "ldap/<DNS hostname>/<DNS domain name>"

    • "ldap/<NetBIOS hostname>/<NetBIOS domain name>"<4>

      The SPN that a client constructs depends on the information that the client has available. For example, some clients have only a NetBIOS name for a domain, while others have only a fully qualified domain name (FQDN) (2) for a domain.

  • A client wants to connect to a GC server in the forest:

    • "GC/<DNS hostname>/<DNS forest name>"

In the preceding SPN descriptions:

  • "ldap" and "GC" are literal strings representing service classes.

  • The forward slash ('/') is the literal separator between parts of the SPN.

  • <NetBIOS hostname> is the NetBIOS host name of the target DC.

  • <DNS hostname> is the DNS host name of the target DC.

  • <NetBIOS domain name> is the NetBIOS domain name of the target DC.

  • <DNS domain name> is the FQDN of the domain of the target DC.

  • <DSA GUID based DNS hostname> is the DNS host name of the target DC, constructed in the form "<DSA GUID>._msdcs.<DNS forest name>".

  • <DNS forest name> is the FQDN of the forest of the target DC or the target GC server.

As an example, the two- and three-part SPNs that can be used for a DC named "dc1" in the contoso.com domain are as follows:

  • "ldap/DC1"

  • "ldap/dc1.contoso.com"

  • "ldap/6B352A21-8622-4F6D-A5A9-45CE9D7A5FB7._msdcs.contoso.com"

  • "ldap/dc1.contoso.com/CONTOSO"

  • "ldap/dc1.contoso.com/contoso.com"

  • "GC/dc1.contoso.com/contoso.com"

  • "ldap/DC1/CONTOSO"

To allow mutual authentication to occur in client-to-DC protocol operations, an AD DS DC MUST store these seven forms of SPN as values of the servicePrincipalName attribute of the DC's computer object. The GC SPN for client-to-DC is identical to the GC SPN for DC-to-DC. Therefore, when the requirements of this section are added to the requirements of section 2.2.3.2, an AD DS RODC MUST store six, and other AD DS DCs MUST store seven, servicePrincipalName values in all.
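The following Python is an added illustration, not code from MS-DRSR or from any Microsoft implementation. It builds the seven client-to-DC SPN forms from the naming information defined above, splits an SPN back into its service class, host part and domain/forest part, and checks a computer object's servicePrincipalName values (a constructed sample list, here missing one form) against the expected set. The DcIdentity class, the function names, and the case-insensitive comparison are assumptions of this example; the "dc1" / contoso.com values are taken from the section's own worked example.

```python
"""Client-to-DC SPN forms from MS-DRSR section 2.2.4.2 (added example, not spec code).

DcIdentity, the function names and SAMPLE_REGISTERED are assumptions of this
illustration; the contoso.com values come from the section's worked example.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class DcIdentity:
    """Naming information a DC's SPNs are built from (hypothetical helper type)."""
    netbios_hostname: str   # <NetBIOS hostname>, e.g. "DC1"
    dns_hostname: str       # <DNS hostname>, e.g. "dc1.contoso.com"
    dsa_guid: str           # <DSA GUID> of the DC
    netbios_domain: str     # <NetBIOS domain name>, e.g. "CONTOSO"
    dns_domain: str         # <DNS domain name>, e.g. "contoso.com"
    dns_forest: str         # <DNS forest name>, e.g. "contoso.com"

    @property
    def dsa_guid_dns_hostname(self) -> str:
        # <DSA GUID based DNS hostname> = "<DSA GUID>._msdcs.<DNS forest name>"
        return f"{self.dsa_guid}._msdcs.{self.dns_forest}"


def host_spns(dc: DcIdentity) -> List[str]:
    """Scenario 1: connect to a particular DC by host name (two-part ldap SPNs)."""
    return [
        f"ldap/{dc.netbios_hostname}",
        f"ldap/{dc.dns_hostname}",
        f"ldap/{dc.dsa_guid_dns_hostname}",
    ]


def domain_spns(dc: DcIdentity) -> List[str]:
    """Scenario 2: connect to a DC in a particular domain (three-part ldap SPNs)."""
    return [
        f"ldap/{dc.dns_hostname}/{dc.netbios_domain}",
        f"ldap/{dc.dns_hostname}/{dc.dns_domain}",
        f"ldap/{dc.netbios_hostname}/{dc.netbios_domain}",
    ]


def gc_spn(dc: DcIdentity) -> str:
    """Scenario 3: connect to a GC server in the forest."""
    return f"GC/{dc.dns_hostname}/{dc.dns_forest}"


def expected_client_spns(dc: DcIdentity) -> List[str]:
    """All seven SPN values this section requires on the DC's computer object."""
    return host_spns(dc) + domain_spns(dc) + [gc_spn(dc)]


def parse_spn(spn: str) -> Tuple[str, str, str]:
    """Split an SPN on '/' into (service class, host part, domain/forest part).

    The third element is '' for a two-part SPN. Anything other than two or
    three non-empty parts is rejected as malformed.
    """
    parts = spn.split("/")
    if len(parts) not in (2, 3) or not all(parts):
        raise ValueError(f"malformed SPN: {spn!r}")
    third = parts[2] if len(parts) == 3 else ""
    return parts[0], parts[1], third


def missing_spns(registered: Iterable[str], dc: DcIdentity) -> List[str]:
    """Expected SPNs absent from the computer object's servicePrincipalName values.

    Simplifying assumption of this example: comparison is case-insensitive, so
    "ldap/DC1" and "ldap/dc1" count as the same registration.
    """
    have = {s.lower() for s in registered}
    return [s for s in expected_client_spns(dc) if s.lower() not in have]


# The DC from the section's worked example.
CONTOSO_DC1 = DcIdentity(
    netbios_hostname="DC1",
    dns_hostname="dc1.contoso.com",
    dsa_guid="6B352A21-8622-4F6D-A5A9-45CE9D7A5FB7",
    netbios_domain="CONTOSO",
    dns_domain="contoso.com",
    dns_forest="contoso.com",
)

# Constructed sample of a computer object's servicePrincipalName values:
# six of the seven client-to-DC forms, with the DSA-GUID-based form left out.
SAMPLE_REGISTERED = [
    "ldap/DC1",
    "ldap/dc1.contoso.com",
    "ldap/dc1.contoso.com/CONTOSO",
    "ldap/dc1.contoso.com/contoso.com",
    "GC/dc1.contoso.com/contoso.com",
    "ldap/DC1/CONTOSO",
]

if __name__ == "__main__":
    for spn in expected_client_spns(CONTOSO_DC1):
        print(spn, parse_spn(spn))
    print("missing:", missing_spns(SAMPLE_REGISTERED, CONTOSO_DC1))
```

Running the block prints the seven SPNs with their parsed parts and reports the single missing registration, "ldap/6B352A21-8622-4F6D-A5A9-45CE9D7A5FB7._msdcs.contoso.com". A DC missing one of these forms cannot complete mutual authentication for clients that construct that particular SPN, which is why a check of this kind belongs in a DC health audit; the six-versus-seven total the section states for RODCs depends on the DC-to-DC SPN of section 2.2.3.2, which this example does not model.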