3.2.4.22.2 State Changes Required for Domain Join

A computer is said to be joined to a domain if a certain state exists on the computer and in the domain NC. See the specific state requirements that MUST occur both locally and in the domain NC at a domain controller (DC) (sections 3.2.1.2, 3.2.1.5, and ([MS-ADTS] section 6.4).

The state changes referenced above appear in the sequence of message processing steps later in this specification but are listed here to aid the reader. To understand the domain join process, the following normative description identifies the state manipulation performed during message processing to affect the state changes required for a computer to join a domain.

The server MUST persist in the machine:

  • The domain-name state variable ([MS-ADTS] section 6.4.1) and the domain prefix for the account domain of the DC, as queried by the server from the DC. The server MUST store these values in the local DomainName and DomainSid elements (section 3.2.1.6), respectively.

  • The domain-secret state variable ([MS-ADTS] section 6.4).

The server MUST persist in the domain:

  • A computer account object with the following LDAP attributes<139>. See [RFC2252] and [RFC2253] for more information about LDAP.

    LDAP attribute name

    Value

    userAccountControl

    ([MS-ADA2] section 2.351)

    The USER_WORKSTATION_TRUST_ACCOUNT bit is set, and the USER_ACCOUNT_DISABLED bit is not set ([MS-SAMR] section 2.2.1.12). See the userAccountControl mapping table ([MS-SAMR] section 3.1.5.14.2) for details on the mapping of these bits in the LDAP protocol.

    sAMAccountName

    ([MS-ADA3] section 2.222)

    The value of machine-account-name ([MS-ADTS] section 6.4.1). This is ComputerNameNetBIOS (section 3.2.1.5) suffixed with a "$" character.

    unicodePwd

    ([MS-ADA3] section 2.332)

    The value of domain-secret state variable ([MS-ADTS] section 6.4.1). Protocols that expose this attribute persist the NT hash of domain-secret ([MS-SAMR] section 3.1.5.10).

    dNSHostName

    ([MS-ADA1] section 2.185)

    The value of ComputerNameFQDN (section 3.2.1.5).

    servicePrincipalName

    ([MS-ADA3] section 2.253)

    Two values in the message processing sequence in section section 3.2.4.13.3:

    • A DNS based SPN.

    • A NetBIOS based SPN for the computer joining the domain.