2.2.3.3 SPN for a Target DC in AD LDS

When an AD LDS DC wants to connect to another DC for a DRS protocol operation, it uses either of the following SPN forms:

  • <DRS interface GUID>-ADAM/<DNS hostname>:<LDAP port>

  • <DRS interface GUID>-ADAM/<NetBIOS hostname>:<LDAP port>

In the preceding SPN descriptions:

  • <DRS interface GUID> is the fixed DRS RPC interface GUID, which has the well-known value of "E3514235-4B06-11D1-AB04-00C04FC2DCD2".

  • "-ADAM/" is a literal string.

  • <DNS hostname> is the full DNS host name of the target DC.

  • <NetBIOS hostname> is the NetBIOS host name of the target DC.

  • The colon (':') is the literal separator between the host name and port number.

  • <LDAP port> is the LDAP port on which the target DC listens.

If an AD LDS DC runs on a machine joined to an Active Directory domain, and NTDSDSA_OPT_DISABLE_SPN_REGISTRATION is not present in the options attribute of its nTDSDSA object ([MS-ADTS] section 6.1.1.2.2.1.2.1.1), the AD LDS DC MUST store both SPN forms as values of the servicePrincipalName attribute of the object (in the external AD DS domain) that represents the security principal under which the AD LDS service runs. Registering these SPNs on that account is what allows mutual authentication in DC-to-DC protocol operations: a connecting DC authenticates the target by the SPN it presents, so a missing or misregistered SPN causes the mutual-authentication step to fail. Additional forms that MUST be stored for client-to-DC protocol operations are described in section 2.2.4.3.
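The following Python is an added example, not code from MS-DRSR or from the Windows implementation. It builds the two SPN forms defined in this section from a DNS host name, a NetBIOS host name and an LDAP port, parses such an SPN back into its parts (rejecting strings that carry a different interface GUID or an out-of-range port), and compares the expected forms against an account's servicePrincipalName values case-insensitively, as AD does. The host names, port and registered SPN list in the demo are constructed for illustration; the `spn_registration_disabled` flag stands in for the NTDSDSA_OPT_DISABLE_SPN_REGISTRATION check, whose bit value is not given on this page.

```python
"""Build, parse and verify the AD LDS DC-to-DC SPN forms from section 2.2.3.3.

Added example (not from MS-DRSR or Windows). Host names, the port and the
registered SPN list in the demo at the bottom are constructed sample data.
"""
import re

# Fixed DRS RPC interface GUID, the well-known value quoted in the text.
DRS_INTERFACE_GUID = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"

# <GUID>-ADAM/<host>:<port>; SPN comparison is case-insensitive in AD,
# so the literal "-ADAM/" and the GUID hex digits are matched ignoring case.
_SPN_RE = re.compile(
    r"^(?P<guid>[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})"
    r"-ADAM/(?P<host>[^/:]+):(?P<port>\d{1,5})$",
    re.IGNORECASE,
)


def adlds_drs_spns(dns_hostname, netbios_hostname, ldap_port):
    """Return the two SPN forms an AD LDS DC registers for DRS operations.

    Both forms share the fixed interface GUID, the literal "-ADAM/" and the
    ":<LDAP port>" suffix; only the host name part differs (DNS vs. NetBIOS).
    """
    port = int(ldap_port)
    if not 1 <= port <= 65535:
        raise ValueError("LDAP port out of range: %r" % (ldap_port,))
    return [
        "%s-ADAM/%s:%d" % (DRS_INTERFACE_GUID, dns_hostname, port),
        "%s-ADAM/%s:%d" % (DRS_INTERFACE_GUID, netbios_hostname, port),
    ]


def parse_adlds_drs_spn(spn):
    """Split an AD LDS DRS SPN into (guid, hostname, port).

    Raises ValueError for strings not of the form above, for a GUID other
    than the DRS interface GUID (e.g. an ordinary "ldap/" SPN) and for a
    port outside 1..65535.
    """
    m = _SPN_RE.match(spn)
    if not m:
        raise ValueError("not an AD LDS DRS SPN: %r" % (spn,))
    guid = m.group("guid").upper()
    if guid != DRS_INTERFACE_GUID:
        raise ValueError("unexpected interface GUID %s in %r" % (guid, spn))
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        raise ValueError("port out of range in %r" % (spn,))
    return guid, m.group("host"), port


def missing_drs_spns(registered, dns_hostname, netbios_hostname, ldap_port,
                     spn_registration_disabled=False):
    """Return the expected DRS SPNs absent from `registered`, the account's
    servicePrincipalName values, comparing case-insensitively as AD does.

    `spn_registration_disabled` models NTDSDSA_OPT_DISABLE_SPN_REGISTRATION
    being set on the nTDSDSA object: the DC then registers nothing, so no
    SPN is expected and an empty list is returned.
    """
    if spn_registration_disabled:
        return []
    have = {s.lower() for s in registered}
    return [s for s in adlds_drs_spns(dns_hostname, netbios_hostname, ldap_port)
            if s.lower() not in have]


if __name__ == "__main__":
    # Constructed sample: the service account carries the DNS form (in
    # lower-case hex) but lacks the NetBIOS form, so one SPN is reported.
    registered = [
        "ldap/adam1.corp.example.com:50000",
        "e3514235-4b06-11d1-ab04-00c04fc2dcd2-ADAM/adam1.corp.example.com:50000",
    ]
    for spn in adlds_drs_spns("adam1.corp.example.com", "ADAM1", 50000):
        print("expected:", spn)
    print("missing:", missing_drs_spns(registered, "adam1.corp.example.com",
                                       "ADAM1", 50000))
```

In practice `registered` would be read from the servicePrincipalName attribute of the AD LDS service account in the external AD DS domain; the checker reports which of the two mandated forms is absent, which is the condition under which DC-to-DC mutual authentication to that instance fails.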