introduction... · web viewad lds first became available during the release of windows server 2003....

[MS-ADTS]:

Active Directory Technical Specification

Intellectual Property Rights Notice for Open Specifications Documentation

· Technical Documentation. Microsoft publishes Open Specifications documentation (“this documentation”) for protocols, file formats, data portability, computer languages, and standards support. Additionally, overview documents cover inter-protocol relationships and interactions.

· Copyrights. This documentation is covered by Microsoft copyrights. Regardless of any other terms that are contained in the terms of use for the Microsoft website that hosts this documentation, you can make copies of it in order to develop implementations of the technologies that are described in this documentation and can distribute portions of it in your implementations that use these technologies or in your documentation as necessary to properly document the implementation. You can also distribute in your implementation, with or without modification, any schemas, IDLs, or code samples that are included in the documentation. This permission also applies to any documents that are referenced in the Open Specifications documentation.

· No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation.

· Patents. Microsoft has patents that might cover your implementations of the technologies described in the Open Specifications documentation. Neither this notice nor Microsoft's delivery of this documentation grants any licenses under those patents or any other Microsoft patents. However, a given Open Specifications document might be covered by the Microsoft Open Specifications Promise or the Microsoft Community Promise. If you would prefer a written license, or if the technologies described in this documentation are not covered by the Open Specifications Promise or Community Promise, as applicable, patent licenses are available by contacting [email protected].

· License Programs. To see all of the protocols in scope under a specific license program and the associated patents, visit the Patent Map.

· Trademarks. The names of companies and products contained in this documentation might be covered by trademarks or similar intellectual property rights. This notice does not grant any licenses under those rights. For a list of Microsoft trademarks, visit www.microsoft.com/trademarks.

· Fictitious Names. The example companies, organizations, products, domain names, email addresses, logos, people, places, and events that are depicted in this documentation are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred.

Reservation of Rights. All other rights are reserved, and this notice does not grant any rights other than as specifically described above, whether by implication, estoppel, or otherwise.

Tools. The Open Specifications documentation does not require the use of Microsoft programming tools or programming environments in order for you to develop an implementation. If you have access to Microsoft programming tools and environments, you are free to take advantage of them. Certain Open Specifications documents are intended for use in conjunction with publicly available standards specifications and network programming art and, as such, assume that the reader either is familiar with the aforementioned material or has immediate access to it.

Support. For questions and support, please contact [email protected].

Revision Summary

Date

Revision History

Revision Class

Comments

2/22/2007

0.01

New

Version 0.01 release

6/1/2007

1.0

Major

Included non-native content.

7/3/2007

1.0.1

Editorial

Changed language and formatting in the technical content.

7/20/2007

1.0.2

Editorial


8/10/2007

1.0.3

Editorial


9/28/2007

2.0

Major

Adjusted bitfield diagrams for byte ordering; added bitflags.

10/23/2007

2.1

Minor

Clarified the meaning of the technical content.

11/30/2007

2.2

Minor


1/25/2008

3.0

Major

Updated and revised the technical content.

3/14/2008

3.1

Minor

Deleted hexadecimal representations of little-endian bit flags.

5/16/2008

4.0

Major


6/20/2008

5.0

Major


7/25/2008

6.0

Major


8/29/2008

7.0

Major


10/24/2008

8.0

Major


12/5/2008

9.0

Major


1/16/2009

10.0

Major


2/27/2009

11.0

Major


4/10/2009

12.0

Major


5/22/2009

13.0

Major


7/2/2009

14.0

Major


8/14/2009

15.0

Major


9/25/2009

16.0

Major


11/6/2009

17.0

Major


12/18/2009

18.0

Major


1/29/2010

19.0

Major


3/12/2010

20.0

Major


4/23/2010

21.0

Major


6/4/2010

22.0

Major


7/16/2010

23.0

Major


8/27/2010

24.0

Major


10/8/2010

25.0

Major


11/19/2010

26.0

Major


1/7/2011

27.0

Major


2/11/2011

28.0

Major


3/25/2011

29.0

Major


5/6/2011

30.0

Major


6/17/2011

30.1

Minor


9/23/2011

31.0

Major


12/16/2011

32.0

Major


3/30/2012

33.0

Major


7/12/2012

34.0

Major


10/25/2012

35.0

Major


1/31/2013

36.0

Major


8/8/2013

37.0

Major


11/14/2013

38.0

Major


2/13/2014

39.0

Major


5/15/2014

40.0

Major


6/30/2015

41.0

Major

Significantly changed the technical content.

10/16/2015

42.0

Major


7/14/2016

43.0

Major


3/16/2017

44.0

Major


6/1/2017

45.0

Major


9/15/2017

46.0

Major


12/1/2017

47.0

Major


3/16/2018

48.0

Major


9/12/2018

49.0

Major


3/13/2019

50.0

Major


3/4/2020

51.0

Major


Table of Contents

1Introduction22

1.1Glossary24

1.2References43

1.2.1Normative References43

1.2.2Informative References47

1.3Overview48

1.4Relationship to Other Protocols49

1.5Prerequisites/Preconditions50

1.6Applicability Statement50

1.7Versioning and Capability Negotiation50

1.8Vendor-Extensible Fields50

1.9Standards Assignments50

2Messages51

2.1Transport51

2.2Message Syntax51

2.2.1LCID-Locale Mapping Table51

2.2.2DS_REPL_NEIGHBORW_BLOB57

2.2.3DS_REPL_KCC_DSA_FAILUREW_BLOB60

2.2.4DS_REPL_OPW_BLOB61

2.2.5DS_REPL_QUEUE_STATISTICSW_BLOB63

2.2.6DS_REPL_CURSOR_BLOB64

2.2.7DS_REPL_ATTR_META_DATA_BLOB65

2.2.8DS_REPL_VALUE_META_DATA_BLOB66

2.2.9Search Flags68

2.2.10System Flags69

2.2.11schemaFlagsEx Flags70

2.2.12Group Type Flags71

2.2.13Group Security Flags71

2.2.14Security Privilege Flags72

2.2.15Domain RID Values72

2.2.16userAccountControl Bits73

2.2.17Optional Feature Values75

2.2.18Claims Wire Structures75

2.2.18.1CLAIM_ID76

2.2.18.2CLAIM_TYPE76

2.2.18.3CLAIMS_SOURCE_TYPE77

2.2.18.4CLAIMS_COMPRESSION_FORMAT77

2.2.18.5CLAIM_ENTRY77

2.2.18.6CLAIMS_ARRAY78

2.2.18.7CLAIMS_SET79

2.2.18.8CLAIMS_SET_METADATA79

2.2.18.9CLAIMS_BLOB80

2.2.19MSDS-MANAGEDPASSWORD_BLOB80

2.2.20Key Credential Link Structures81

2.2.20.1Key Credential Link Constants81

2.2.20.2KEYCREDENTIALLINK_BLOB82

2.2.20.3KEYCREDENTIALLINK_ENTRY82

2.2.20.4CUSTOM_KEY_INFORMATION83

2.2.20.4.1EncodedExtendedCKI84

2.2.20.5KeyMaterial85

2.2.20.5.1KEY_USAGE_NGC85

2.2.20.5.2KEY_USAGE_FIDO85

2.2.20.5.3KEY_USAGE_FEK85

2.2.20.6KEYCREDENTIALLINK_ENTRY Identifiers86

2.2.21Service Principal Name86

3Details87

3.1Common Details88

3.1.1Abstract Data Model88

3.1.1.1State Model88

3.1.1.1.1Scope88

3.1.1.1.2State Modeling Primitives and Notational Conventions90

3.1.1.1.3Basics, objectGUID, and Special Attribute Behavior90

3.1.1.1.4objectClass, RDN, DN, Constructed Attributes, Secret Attributes92

3.1.1.1.5NC, NC Replica94

3.1.1.1.5.1Tombstone Lifetime and Deleted-Object Lifetime97

3.1.1.1.6Attribute Syntaxes, Object References, Referential Integrity, and Well-Known Objects97

3.1.1.1.7Forest, Canonical Name101

3.1.1.1.8GC102

3.1.1.1.9DCs, USN Counters, and the Originating Update Stamp103

3.1.1.1.10GC Server109

3.1.1.1.11FSMO Roles109

3.1.1.1.12Cross-NC Object References110

3.1.1.1.13NC Replica Graph111

3.1.1.1.14Scheduled and Event-Driven Replication112

3.1.1.1.15Replication Latency and Tombstone Lifetime113

3.1.1.1.16Delayed Link Processing113

3.1.1.2Active Directory Schema114

3.1.1.2.1Schema NC115

3.1.1.2.2Syntaxes116

3.1.1.2.2.1Introduction116

3.1.1.2.2.2LDAP Representations116

3.1.1.2.2.2.1Object(DN-String)119

3.1.1.2.2.2.2Object(Access-Point)119

3.1.1.2.2.2.3Object(DN-Binary)119

3.1.1.2.2.2.4Object(OR-Name)119

3.1.1.2.2.2.5String(Case)119

3.1.1.2.2.2.6String(NT-Sec-Desc)119

3.1.1.2.2.2.7String(Sid)119

3.1.1.2.2.2.8String(Teletex)120

3.1.1.2.2.3Referential Integrity120

3.1.1.2.2.4Supported Comparison Operations120

3.1.1.2.2.4.1Bool Comparison Rule123

3.1.1.2.2.4.2Integer Comparison Rule123

3.1.1.2.2.4.3DN-String Comparison Rule123

3.1.1.2.2.4.4DN-Binary Comparison Rule123

3.1.1.2.2.4.5DN Comparison Rule123

3.1.1.2.2.4.6PresentationAddress Comparison Rule123

3.1.1.2.2.4.7Octet Comparison Rule123

3.1.1.2.2.4.8CaseString Comparison Rule124

3.1.1.2.2.4.9SecDesc Comparison Rule124

3.1.1.2.2.4.10OID Comparison Rule124

3.1.1.2.2.4.11Sid Comparison Rule124

3.1.1.2.2.4.12NoCaseString Comparison Rule124

3.1.1.2.2.4.13UnicodeString Comparison Rule124

3.1.1.2.2.4.14Time Comparison Rule125

3.1.1.2.3Attributes125

3.1.1.2.3.1Auto-Generated linkID128

3.1.1.2.3.2Auto-Generated mAPIID128

3.1.1.2.3.3Property Set128

3.1.1.2.3.4lDAPDisplayName Generation130

3.1.1.2.3.5Flag fRODCFilteredAttribute in Attribute searchFlags130

3.1.1.2.4Classes131

3.1.1.2.4.1Class Categories131

3.1.1.2.4.2Inheritance131

3.1.1.2.4.3objectClass131

3.1.1.2.4.4Structure Rules132

3.1.1.2.4.5Content Rules132

3.1.1.2.4.6Auxiliary Class132

3.1.1.2.4.7RDN Attribute of a Class133

3.1.1.2.4.8Class classSchema133

3.1.1.2.5Schema Modifications134

3.1.1.2.5.1Consistency and Safety Checks135

3.1.1.2.5.1.1Consistency Checks135

3.1.1.2.5.1.2Safety Checks136

3.1.1.2.5.2Auto-Generated Attributes137

3.1.1.2.5.3Defunct137

3.1.1.2.5.3.1Forest Functional Level Less Than WIN2003138

3.1.1.2.5.3.2Forest Functional Level WIN2003 or Greater138

3.1.1.2.6ATTRTYP139

3.1.1.3LDAP140

3.1.1.3.1LDAP Conformance140

3.1.1.3.1.1Schema140

3.1.1.3.1.1.1subSchema140

3.1.1.3.1.1.2Syntaxes143

3.1.1.3.1.1.3Attributes143

3.1.1.3.1.1.4Classes150

3.1.1.3.1.1.5Auxiliary Classes153

3.1.1.3.1.2Object Naming154

3.1.1.3.1.2.1Naming Attributes154

3.1.1.3.1.2.2NC Naming154

3.1.1.3.1.2.3Multivalued and Multiple-Attribute RDNs155

3.1.1.3.1.2.4Alternative Forms of DNs155

3.1.1.3.1.2.5Alternative Form of SIDs157

3.1.1.3.1.3Search Operations157

3.1.1.3.1.3.1Search Filters157

3.1.1.3.1.3.2Selection Filters158

3.1.1.3.1.3.3Range Retrieval of Attribute Values158

3.1.1.3.1.3.4Ambiguous Name Resolution159

3.1.1.3.1.3.5Searches Using the objectCategory Attribute161

3.1.1.3.1.3.6Restrictions on rootDSE Searches161

3.1.1.3.1.4Referrals in LDAPv2 and LDAPv3161

3.1.1.3.1.5Password Modify Operations161

3.1.1.3.1.5.1unicodePwd162

3.1.1.3.1.5.2userPassword163

3.1.1.3.1.6Dynamic Objects164

3.1.1.3.1.7Modify DN Operations164

3.1.1.3.1.8Aliases164

3.1.1.3.1.9Error Message Strings164

3.1.1.3.1.10Ports164

3.1.1.3.1.11LDAP Search Over UDP164

3.1.1.3.1.12Unbind Operation165

3.1.1.3.2rootDSE Attributes165

3.1.1.3.2.1configurationNamingContext170

3.1.1.3.2.2currentTime170

3.1.1.3.2.3defaultNamingContext170

3.1.1.3.2.4dNSHostName170

3.1.1.3.2.5dsSchemaAttrCount170

3.1.1.3.2.6dsSchemaClassCount170

3.1.1.3.2.7dsSchemaPrefixCount170

3.1.1.3.2.8dsServiceName170

3.1.1.3.2.9highestCommittedUSN171

3.1.1.3.2.10isGlobalCatalogReady171

3.1.1.3.2.11isSynchronized171

3.1.1.3.2.12ldapServiceName171

3.1.1.3.2.13namingContexts171

3.1.1.3.2.14netlogon171

3.1.1.3.2.15pendingPropagations171

3.1.1.3.2.16rootDomainNamingContext171

3.1.1.3.2.17schemaNamingContext171

3.1.1.3.2.18serverName171

3.1.1.3.2.19subschemaSubentry171

3.1.1.3.2.20supportedCapabilities172

3.1.1.3.2.21supportedControl172

3.1.1.3.2.22supportedLDAPPolicies172

3.1.1.3.2.23supportedLDAPVersion172

3.1.1.3.2.24supportedSASLMechanisms172

3.1.1.3.2.25domainControllerFunctionality172

3.1.1.3.2.26domainFunctionality172

3.1.1.3.2.27forestFunctionality173

3.1.1.3.2.28msDS-ReplAllInboundNeighbors, msDS-ReplConnectionFailures, msDS-ReplLinkFailures, and msDS-ReplPendingOps173

3.1.1.3.2.29msDS-ReplAllOutboundNeighbors174

3.1.1.3.2.30msDS-ReplQueueStatistics174

3.1.1.3.2.31msDS-TopQuotaUsage176

3.1.1.3.2.32supportedConfigurableSettings176

3.1.1.3.2.33supportedExtension176

3.1.1.3.2.34validFSMOs176

3.1.1.3.2.35dsaVersionString177

3.1.1.3.2.36msDS-PortLDAP177

3.1.1.3.2.37msDS-PortSSL178

3.1.1.3.2.38msDS-PrincipalName178

3.1.1.3.2.39serviceAccountInfo178

3.1.1.3.2.40spnRegistrationResult178

3.1.1.3.2.41tokenGroups179

3.1.1.3.2.42usnAtRifm179

3.1.1.3.2.43approximateHighestInternalObjectID179

3.1.1.3.2.44databaseGuid179

3.1.1.3.2.45schemaIndexUpdateState179

3.1.1.3.2.46dumpLdapNotifications179

3.1.1.3.2.47msDS-ProcessLinksOperations179

3.1.1.3.2.48msDS-SegmentCacheInfo179

3.1.1.3.2.49msDS-ThreadStates179

3.1.1.3.2.50ConfigurableSettingsEffective180

3.1.1.3.2.51LDAPPoliciesEffective180

3.1.1.3.2.52msDS-ArenaInfo180

3.1.1.3.2.53msDS-Anchor180

3.1.1.3.2.54msDS-PrefixTable180

3.1.1.3.2.55msDS-SupportedRootDSEAttributes180

3.1.1.3.2.56msDS-SupportedRootDSEModifications180

3.1.1.3.3rootDSE Modify Operations180

3.1.1.3.3.1becomeDomainMaster184

3.1.1.3.3.2becomeInfrastructureMaster184

3.1.1.3.3.3becomePdc184

3.1.1.3.3.4becomePdcWithCheckPoint185

3.1.1.3.3.5becomeRidMaster185

3.1.1.3.3.6becomeSchemaMaster185

3.1.1.3.3.7checkPhantoms185

3.1.1.3.3.8doGarbageCollection186

3.1.1.3.3.9dumpDatabase186

3.1.1.3.3.10fixupInheritance187

3.1.1.3.3.11invalidateRidPool187

3.1.1.3.3.12recalcHierarchy188

3.1.1.3.3.13schemaUpdateNow188

3.1.1.3.3.14schemaUpgradeInProgress188

3.1.1.3.3.15removeLingeringObject189

3.1.1.3.3.16doLinkCleanup190

3.1.1.3.3.17doOnlineDefrag190

3.1.1.3.3.18replicateSingleObject190

3.1.1.3.3.19updateCachedMemberships191

3.1.1.3.3.20doGarbageCollectionPhantomsNow191

3.1.1.3.3.21invalidateGCConnection192

3.1.1.3.3.22renewServerCertificate192

3.1.1.3.3.23rODCPurgeAccount192

3.1.1.3.3.24runSamUpgradeTasks193

3.1.1.3.3.25sqmRunOnce193

3.1.1.3.3.26runProtectAdminGroupsTask194

3.1.1.3.3.27disableOptionalFeature194

3.1.1.3.3.28enableOptionalFeature195

3.1.1.3.3.29dumpReferences195

3.1.1.3.3.30sidCompatibilityVersion196

3.1.1.3.3.31dumpLinks196

3.1.1.3.3.32schemaUpdateIndicesNow196

3.1.1.3.3.33null197

3.1.1.3.3.34dumpQuota197

3.1.1.3.3.35dumpLinksExtended197

3.1.1.3.3.36dumpLDAPState198

3.1.1.3.3.37msDS-ProcessLinksAbandonOperation198

3.1.1.3.3.38msDS-ProcessLinksScheduleOperation198

3.1.1.3.3.39stopService199

3.1.1.3.3.40msDS-RunDeletedPhantomsWithLinksTask199

3.1.1.3.3.41dumpDatabaseExtended199

3.1.1.3.4LDAP Extensions199

3.1.1.3.4.1LDAP Extended Controls200

3.1.1.3.4.1.1LDAP_PAGED_RESULT_OID_STRING207

3.1.1.3.4.1.2LDAP_SERVER_CROSSDOM_MOVE_TARGET_OID207

3.1.1.3.4.1.3LDAP_SERVER_DIRSYNC_OID207

3.1.1.3.4.1.4LDAP_SERVER_DOMAIN_SCOPE_OID209

3.1.1.3.4.1.5LDAP_SERVER_EXTENDED_DN_OID209

3.1.1.3.4.1.6LDAP_SERVER_GET_STATS_OID210

3.1.1.3.4.1.7LDAP_SERVER_LAZY_COMMIT_OID215

3.1.1.3.4.1.8LDAP_SERVER_PERMISSIVE_MODIFY_OID215

3.1.1.3.4.1.9LDAP_SERVER_NOTIFICATION_OID215

3.1.1.3.4.1.10LDAP_SERVER_RANGE_OPTION_OID216

3.1.1.3.4.1.11LDAP_SERVER_SD_FLAGS_OID216

3.1.1.3.4.1.12LDAP_SERVER_SEARCH_OPTIONS_OID217

3.1.1.3.4.1.13LDAP_SERVER_SORT_OID and LDAP_SERVER_RESP_SORT_OID218

3.1.1.3.4.1.14LDAP_SERVER_SHOW_DELETED_OID224

3.1.1.3.4.1.15LDAP_SERVER_TREE_DELETE_OID224

3.1.1.3.4.1.16LDAP_SERVER_VERIFY_NAME_OID224

3.1.1.3.4.1.17LDAP_CONTROL_VLVREQUEST and LDAP_CONTROL_VLVRESPONSE225

3.1.1.3.4.1.18LDAP_SERVER_ASQ_OID227

3.1.1.3.4.1.19LDAP_SERVER_QUOTA_CONTROL_OID228

3.1.1.3.4.1.20LDAP_SERVER_SHUTDOWN_NOTIFY_OID228

3.1.1.3.4.1.21LDAP_SERVER_FORCE_UPDATE_OID229

3.1.1.3.4.1.22LDAP_SERVER_RANGE_RETRIEVAL_NOERR_OID229

3.1.1.3.4.1.23LDAP_SERVER_RODC_DCPROMO_OID229

3.1.1.3.4.1.24LDAP_SERVER_DN_INPUT_OID230

3.1.1.3.4.1.25LDAP_SERVER_SHOW_DEACTIVATED_LINK_OID230

3.1.1.3.4.1.26LDAP_SERVER_SHOW_RECYCLED_OID231

3.1.1.3.4.1.27LDAP_SERVER_POLICY_HINTS_OID231

3.1.1.3.4.1.28LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID231

3.1.1.3.4.1.29LDAP_SERVER_DIRSYNC_EX_OID232

3.1.1.3.4.1.30LDAP_SERVER_UPDATE_STATS_OID232

3.1.1.3.4.1.30.1Highest USN Allocated232

3.1.1.3.4.1.30.2Invocation ID Of Server233

3.1.1.3.4.1.31LDAP_SERVER_TREE_DELETE_EX_OID233

3.1.1.3.4.1.32LDAP_SERVER_SEARCH_HINTS_OID233

3.1.1.3.4.1.32.1Require Sort Index234

3.1.1.3.4.1.32.2Soft Size Limit234

3.1.1.3.4.1.33LDAP_SERVER_EXPECTED_ENTRY_COUNT_OID234

3.1.1.3.4.1.34LDAP_SERVER_SET_OWNER_OID235

3.1.1.3.4.1.35LDAP_SERVER_BYPASS_QUOTA_OID235

3.1.1.3.4.1.36LDAP_SERVER_LINK_TTL_OID235

3.1.1.3.4.1.37LDAP_SERVER_SET_CORRELATION_ID_OID235

3.1.1.3.4.1.38LDAP_SERVER_THREAD_TRACE_OVERRIDE_OID236

3.1.1.3.4.2LDAP Extended Operations236

3.1.1.3.4.2.1LDAP_SERVER_FAST_BIND_OID237

3.1.1.3.4.2.2LDAP_SERVER_START_TLS_OID238

3.1.1.3.4.2.3LDAP_TTL_REFRESH_OID238

3.1.1.3.4.2.4LDAP_SERVER_WHO_AM_I_OID238

3.1.1.3.4.2.5LDAP_SERVER_BATCH_REQUEST_OID238

3.1.1.3.4.3LDAP Capabilities240

3.1.1.3.4.3.1LDAP_CAP_ACTIVE_DIRECTORY_OID242

3.1.1.3.4.3.2LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID242

3.1.1.3.4.3.3LDAP_CAP_ACTIVE_DIRECTORY_V51_OID242

3.1.1.3.4.3.4LDAP_CAP_ACTIVE_DIRECTORY_ADAM_DIGEST_OID242

3.1.1.3.4.3.5LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID242

3.1.1.3.4.3.6LDAP_CAP_ACTIVE_DIRECTORY_PARTIAL_SECRETS_OID242

3.1.1.3.4.3.7LDAP_CAP_ACTIVE_DIRECTORY_V60_OID243

3.1.1.3.4.3.8LDAP_CAP_ACTIVE_DIRECTORY_V61_R2_OID243

3.1.1.3.4.3.9LDAP_CAP_ACTIVE_DIRECTORY_W8_OID243

3.1.1.3.4.4LDAP Matching Rules (extensibleMatch)243

3.1.1.3.4.4.1LDAP_MATCHING_RULE_BIT_AND243

3.1.1.3.4.4.2LDAP_MATCHING_RULE_BIT_OR243

3.1.1.3.4.4.3LDAP_MATCHING_RULE_TRANSITIVE_EVAL243

3.1.1.3.4.4.4LDAP_MATCHING_RULE_DN_WITH_DATA244

3.1.1.3.4.5LDAP SASL Mechanisms244

3.1.1.3.4.5.1GSSAPI245

3.1.1.3.4.5.2GSS-SPNEGO245

3.1.1.3.4.5.3EXTERNAL245

3.1.1.3.4.5.4DIGEST-MD5245

3.1.1.3.4.6LDAP Policies245

3.1.1.3.4.7LDAP Configurable Settings249

3.1.1.3.4.8LDAP IP-Deny List252

3.1.1.4Reads252

3.1.1.4.1Introduction253

3.1.1.4.2Definitions253

3.1.1.4.3Access Checks254

3.1.1.4.4Extended Access Checks254

3.1.1.4.5Constructed Attributes256

3.1.1.4.5.1subSchemaSubEntry256

3.1.1.4.5.2canonicalName256

3.1.1.4.5.3allowedChildClasses257

3.1.1.4.5.4sDRightsEffective257

3.1.1.4.5.5allowedChildClassesEffective257

3.1.1.4.5.6allowedAttributes258

3.1.1.4.5.7allowedAttributesEffective258

3.1.1.4.5.8fromEntry258

3.1.1.4.5.9createTimeStamp258

3.1.1.4.5.10modifyTimeStamp258

3.1.1.4.5.11primaryGroupToken259

3.1.1.4.5.12entryTTL259

3.1.1.4.5.13msDS-NCReplInboundNeighbors, msDS-NCReplCursors, msDS-ReplAttributeMetaData, msDS-ReplValueMetaData259

3.1.1.4.5.14msDS-NCReplOutboundNeighbors260

3.1.1.4.5.15msDS-Approx-Immed-Subordinates260

3.1.1.4.5.16msDS-KeyVersionNumber260

3.1.1.4.5.17msDS-User-Account-Control-Computed260

3.1.1.4.5.18msDS-Auxiliary-Classes262

3.1.1.4.5.19tokenGroups, tokenGroupsNoGCAcceptable262

3.1.1.4.5.20tokenGroupsGlobalAndUniversal262

3.1.1.4.5.21possibleInferiors263

3.1.1.4.5.22msDS-QuotaEffective263

3.1.1.4.5.23msDS-QuotaUsed263

3.1.1.4.5.24msDS-TopQuotaUsage264

3.1.1.4.5.25ms-DS-UserAccountAutoLocked264

3.1.1.4.5.26msDS-UserPasswordExpired265

3.1.1.4.5.27msDS-PrincipalName265

3.1.1.4.5.28parentGUID266

3.1.1.4.5.29msDS-SiteName266

3.1.1.4.5.30msDS-isRODC266

3.1.1.4.5.31msDS-isGC266

3.1.1.4.5.32msDS-isUserCachableAtRodc267

3.1.1.4.5.33msDS-UserPasswordExpiryTimeComputed267

3.1.1.4.5.34msDS-RevealedList268

3.1.1.4.5.35msDS-RevealedListBL268

3.1.1.4.5.36msDS-ResultantPSO269

3.1.1.4.5.37msDS-LocalEffectiveDeletionTime269

3.1.1.4.5.38msDS-LocalEffectiveRecycleTime270

3.1.1.4.5.39msDS-ManagedPassword270

3.1.1.4.5.40msds-memberOfTransitive276

3.1.1.4.5.41msds-memberTransitive277

3.1.1.4.5.42msds-tokenGroupNames, msds-tokenGroupNamesNoGCAcceptable277

3.1.1.4.5.43msds-tokenGroupNamesGlobalAndUniversal277

3.1.1.4.5.44structuralObjectClass277

3.1.1.4.6Referrals278

3.1.1.4.7Continuations279

3.1.1.4.8Effects of Defunct Attributes and Classes280

3.1.1.5Updates280

3.1.1.5.1General280

3.1.1.5.1.1Enforce Schema Constraints280

3.1.1.5.1.2Naming Constraints281

3.1.1.5.1.3Uniqueness Constraints281

3.1.1.5.1.4Transactional Semantics282

3.1.1.5.1.5Stamp Construction282

3.1.1.5.1.6Replication Notification282

3.1.1.5.1.7Urgent Replication283

3.1.1.5.1.8Updates Performed Only on FSMOs284

3.1.1.5.1.9Allow Updates Only When They Are Enabled286

3.1.1.5.1.10Originating Updates Attempted on an RODC286

3.1.1.5.1.11Constraints and Processing Specifics Defined Elsewhere286

3.1.1.5.2Add Operation286

3.1.1.5.2.1Security Considerations287

3.1.1.5.2.2Constraints288

3.1.1.5.2.3Special Classes and Attributes293

3.1.1.5.2.4Processing Specifics293

3.1.1.5.2.5Quota Calculation296

3.1.1.5.2.6NC Requirements297

3.1.1.5.2.7crossRef Requirements297

3.1.1.5.2.8NC-Add Operation298

3.1.1.5.2.8.1Constraints298

3.1.1.5.2.8.2Security Considerations298

3.1.1.5.2.8.3Processing Specifics299

3.1.1.5.3Modify Operation299


3.1.1.5.3.1.1Validated Writes300

3.1.1.5.3.1.1.1Member300

3.1.1.5.3.1.1.2dNSHostName300

3.1.1.5.3.1.1.3msDS-AdditionalDnsHostName301

3.1.1.5.3.1.1.4servicePrincipalName301

3.1.1.5.3.1.1.5msDS-Behavior-Version302

3.1.1.5.3.1.1.6msDS-KeyCredentialLink302

3.1.1.5.3.1.2FSMO Changes302



3.1.1.5.3.4BehaviorVersion Updates308

3.1.1.5.3.5ObjectClass Updates310

3.1.1.5.3.6wellKnownObjects Updates311

3.1.1.5.3.7Undelete Operation312

3.1.1.5.3.7.1Undelete Security Considerations312

3.1.1.5.3.7.2Undelete Constraints312

3.1.1.5.3.7.3Undelete Processing Specifics313

3.1.1.5.4Modify DN313

3.1.1.5.4.1Intra Domain Modify DN314




3.1.1.5.4.2Cross Domain Move317




3.1.1.5.5Delete Operation322

3.1.1.5.5.1Resultant Object Requirements323

3.1.1.5.5.1.1Tombstone Requirements323

3.1.1.5.5.1.2Deleted-Object Requirements324

3.1.1.5.5.1.3Recycled-Object Requirements325

3.1.1.5.5.2dynamicObject Requirements326

3.1.1.5.5.3Protected Objects326




3.1.1.5.5.6.1Transformation into a Tombstone328

3.1.1.5.5.6.2Transformation into a Deleted-Object329

3.1.1.5.5.6.3Transformation into a Recycled-Object329

3.1.1.5.5.7Tree-delete Operation330

3.1.1.5.5.7.1Tree-delete Security Considerations330

3.1.1.5.5.7.2Tree-delete Constraints330

3.1.1.5.5.7.3Tree-delete Processing Specifics331

3.1.1.6Background Tasks331

3.1.1.6.1AdminSDHolder331

3.1.1.6.1.1Authoritative Security Descriptor332

3.1.1.6.1.2Protected Objects332

3.1.1.6.1.3Protection Operation332

3.1.1.6.1.4Configurable State333

3.1.1.6.2Reference Update333

3.1.1.6.3Security Descriptor Propagator Update334

3.1.1.7NT4 Replication Support335

3.1.1.7.1Format of nt4ReplicationState and pdcChangeLog336

3.1.1.7.1.1nt4ReplicationState336

3.1.1.7.1.2pdcChangeLog336

3.1.1.7.2State Changes336

3.1.1.7.2.1Initialization336

3.1.1.7.2.2Directory Updates336

3.1.1.7.2.3Acquiring the PDC Role340

3.1.1.7.2.4Resetting the pdcChangeLog341

3.1.1.7.3Format of the Referent of pmsgOut.V1.pLog341

3.1.1.8AD LDS Special Objects342

3.1.1.8.1AD LDS Users342

3.1.1.8.2Bind Proxies342

3.1.1.9Optional Features343

3.1.1.9.1Recycle Bin Optional Feature345

3.1.1.9.2Privileged Access Management Optional Feature345

3.1.1.10Revisions346

3.1.1.10.1Forest Revision346

3.1.1.10.2RODC Revision347

3.1.1.10.3Domain Revision347

3.1.1.11Claims348

3.1.1.11.1Informative Overview348

3.1.1.11.1.1Claim348

3.1.1.11.1.2Claims Dictionary349

3.1.1.11.1.3Claim Source349

3.1.1.11.1.4Claims Issuance349

3.1.1.11.1.5Claims Transformation Rules349

3.1.1.11.1.6Claims Transformation349

3.1.1.11.2Claims Procedures350

3.1.1.11.2.1GetClaimsForPrincipal350

3.1.1.11.2.2GetADSourcedClaims351

3.1.1.11.2.3GetCertificateSourcedClaims352

3.1.1.11.2.4GetConstructedClaims353

3.1.1.11.2.5EncodeClaimsSet354

3.1.1.11.2.6FillClaimsSetMetadata355

3.1.1.11.2.7RunCompressionAlgorithm355

3.1.1.11.2.8NdrEncode356

3.1.1.11.2.9NdrDecode357

3.1.1.11.2.10DecodeClaimsSet357

3.1.1.11.2.11TransformClaimsOnTrustTraversal358

3.1.1.11.2.12GetClaimsTransformationRulesXml359

3.1.1.11.2.13GetTransformationRulesText360

3.1.1.11.2.14GetCTAClaims361

3.1.1.11.2.15CollapseMultiValuedClaims362

3.1.1.11.2.16FilterAndPackOutputClaims362

3.1.1.11.2.17ValidateClaimDefinition364

3.1.1.11.2.18GetAuthSiloClaim365

3.1.1.12NC Rename366

3.1.1.12.1Abstract Data Types367

3.1.1.12.1.1FlatName367

3.1.1.12.1.2SPNValue367

3.1.1.12.1.3ServerDescription367

3.1.1.12.1.4InterdomainTrustAccountDescription367

3.1.1.12.1.5TrustedDomainObjectDescription368

3.1.1.12.1.6NCDescription368

3.1.1.12.1.7DomainDescriptionElements369

3.1.1.12.1.8DomainDescription370

3.1.1.12.1.9NewTrustParentElements370

3.1.1.12.1.10DomainWithNewTrustParentDescription370

3.1.1.12.1.11NCRenameDescription371

3.1.1.12.2Encoding/Decoding Rules372

3.1.1.12.2.1EBNF-M372

3.1.1.12.2.1.1Tuples as Parameters to Production Rules372

3.1.1.12.2.1.2Parameter Fields as Terminal Values372

3.1.1.12.2.1.3Formatting of Non-String Parameter Fields as Terminal Values373

3.1.1.12.2.1.4Parameter Fields as Iterators373

3.1.1.12.2.1.5Reversed Production Rules374

3.1.1.12.2.2CodedNCRenameDescription375

3.1.1.12.2.2.1Expression375

3.1.1.12.2.2.2Common376

3.1.1.12.2.2.3Tests377

3.1.1.12.2.2.3.1TestConfigurationNC378

3.1.1.12.2.2.3.2TestReplicationEpoch378

3.1.1.12.2.2.3.3TestAppNCs378

3.1.1.12.2.2.3.4TestDomains379

3.1.1.12.2.2.3.4.1TestCrossRef379

3.1.1.12.2.2.3.4.2TestServersInstantiated380

3.1.1.12.2.2.3.4.3TestTrustCount381

3.1.1.12.2.2.3.4.4TestTrustedDomainObjectDescriptions381

3.1.1.12.2.2.3.4.5TestInterdomainTrustAccountDescriptions382

3.1.1.12.2.2.3.4.6TestServerDescriptions383

3.1.1.12.2.2.3.5TestPartitionCounts384

3.1.1.12.2.2.4Flatten384

3.1.1.12.2.2.5Rebuild385

3.1.1.12.2.2.6Trusts386

3.1.1.12.2.2.6.1DomainTrustSpecifications387

3.1.1.12.2.2.6.2DomainTrustAccounts388

3.1.1.12.2.2.7CrossRefs389

3.1.1.12.2.2.7.1ConfigurationCrossRef390

3.1.1.12.2.2.7.2SchemaCrossRef390

3.1.1.12.2.2.7.3AppNCsCrossRefs391

3.1.1.12.2.2.7.4NCRenameDescriptionRootCrossRef391

3.1.1.12.2.2.7.5TrustTreeNonRootDomainCrossRefs392

3.1.1.12.2.2.7.6TrustTreeRootDomainCrossRefs394

3.1.1.12.2.2.8ReplicationEpoch396

3.1.1.12.3Decode Operation396

3.1.1.12.4Verify Conditions397

3.1.1.12.5Process Changes398

3.1.1.13Authentication Information Retrieval400

3.1.1.13.1Informative Overview400

3.1.1.13.2ExpandMemberships400

3.1.1.13.3GetUserLogonInfo401

3.1.1.13.4GetResourceDomainInfo402

3.1.1.13.5ExpandShadowPrincipal402

3.1.1.13.6GetUserLogonInfoByAttribute403

3.1.1.13.7GetUserLogonInfoByUPNOrAccountName404

4Protocol Examples406

5Security407

5.1LDAP Security407

5.1.1Authentication407

5.1.1.1Supported Authentication Methods407

5.1.1.1.1Simple Authentication408

5.1.1.1.2SASL Authentication409

5.1.1.1.3Sicily Authentication410

5.1.1.2Using SSL/TLS412

5.1.1.3Using Fast Bind412

5.1.1.4Mutual Authentication413

5.1.1.5Supported Types of Security Principals413

5.1.2Message Security415

5.1.2.1Using SASL415

5.1.2.2Using SSL/TLS415

5.1.3Authorization415

5.1.3.1Background415

5.1.3.2Access Rights416

5.1.3.2.1Control Access Rights418

5.1.3.2.2Validated Writes424

5.1.3.3Checking Access425

5.1.3.3.1Null vs. Empty DACLs426

5.1.3.3.2Checking Simple Access426

5.1.3.3.3Checking Object-Specific Access427

5.1.3.3.4Checking Control Access Right-Based Access429

5.1.3.3.5Checking Validated Write-Based Access429

5.1.3.3.6Checking Object Visibility430

5.1.3.4AD LDS Security Context Construction431

6Additional Information432

6.1Special Objects and Forest Requirements432

6.1.1Special Objects432

6.1.1.1Naming Contexts432

6.1.1.1.1Any NC Root432

6.1.1.1.2Config NC Root433

6.1.1.1.3Schema NC Root434

6.1.1.1.4Domain NC Root434

6.1.1.1.5Application NC Root435

6.1.1.2Configuration Objects436

6.1.1.2.1Cross-Ref-Container Container437

6.1.1.2.1.1Cross-Ref Objects437

6.1.1.2.1.1.1Foreign crossRef Objects438

6.1.1.2.1.1.2Configuration crossRef Object438

6.1.1.2.1.1.3Schema crossRef Object438

6.1.1.2.1.1.4Domain crossRef Object438

6.1.1.2.1.1.5Application NC crossRef Object439

6.1.1.2.2Sites Container439

6.1.1.2.2.1Site Object439

6.1.1.2.2.1.1NTDS Site Settings Object440

6.1.1.2.2.1.2Servers Container441

6.1.1.2.2.1.2.1Server Object441

6.1.1.2.2.1.2.1.1nTDSDSA Object441

6.1.1.2.2.1.2.1.2Connection Object443

6.1.1.2.2.1.2.1.3RODC NTFRS Connection Object445

6.1.1.2.2.2Subnets Container446

6.1.1.2.2.2.1Subnet Object446

6.1.1.2.2.3Inter-Site Transports Container448

6.1.1.2.2.3.1IP Transport Container448

6.1.1.2.2.3.2SMTP Transport Container449

6.1.1.2.2.3.3Site Link Object449

6.1.1.2.2.3.4Site Link Bridge Object450

6.1.1.2.3Display Specifiers Container450

6.1.1.2.3.1Display Specifier Object450

6.1.1.2.4Services452

6.1.1.2.4.1Windows NT452

6.1.1.2.4.1.1Directory Service452

6.1.1.2.4.1.2dSHeuristics453

6.1.1.2.4.1.3Optional Features Container457

6.1.1.2.4.1.3.1Recycle Bin Feature Object458

6.1.1.2.4.1.3.2Privileged Access Management Feature Object458

6.1.1.2.4.1.4Query-Policies458

6.1.1.2.4.1.4.1Default Query Policy458

6.1.1.2.4.1.5SCP Publication Service Object459

6.1.1.2.4.2Claims Configuration459

6.1.1.2.5Physical Locations459

6.1.1.2.6WellKnown Security Principals459

6.1.1.2.6.1Anonymous Logon459

6.1.1.2.6.2Authenticated Users460

6.1.1.2.6.3Batch460

6.1.1.2.6.4Console Logon460

6.1.1.2.6.5Creator Group460

6.1.1.2.6.6Creator Owner460

6.1.1.2.6.7Dialup460

6.1.1.2.6.8Digest Authentication460

6.1.1.2.6.9Enterprise Domain Controllers461

6.1.1.2.6.10Everyone461

6.1.1.2.6.11Interactive461

6.1.1.2.6.12IUSR461

6.1.1.2.6.13Local Service461

6.1.1.2.6.14Network461

6.1.1.2.6.15Network Service461

6.1.1.2.6.16NTLM Authentication462

6.1.1.2.6.17Other Organization462

6.1.1.2.6.18Owner Rights462

6.1.1.2.6.19Proxy462

6.1.1.2.6.20Remote Interactive Logon462

6.1.1.2.6.21Restricted462

6.1.1.2.6.22SChannel Authentication462

6.1.1.2.6.23Self462

6.1.1.2.6.24Service463

6.1.1.2.6.25System463

6.1.1.2.6.26Terminal Server User463

6.1.1.2.6.27This Organization463

6.1.1.2.7Extended Rights463

6.1.1.2.7.1controlAccessRight objects463

6.1.1.2.7.2Change-Rid-Master464

6.1.1.2.7.3Do-Garbage-Collection464

6.1.1.2.7.4Recalculate-Hierarchy464

6.1.1.2.7.5Allocate-Rids464

6.1.1.2.7.6Change-PDC464

6.1.1.2.7.7Add-GUID464

6.1.1.2.7.8Change-Domain-Master465

6.1.1.2.7.9Public-Information465

6.1.1.2.7.10msmq-Receive-Dead-Letter465

6.1.1.2.7.11msmq-Peek-Dead-Letter465

6.1.1.2.7.12msmq-Receive-computer-Journal465

6.1.1.2.7.13msmq-Peek-computer-Journal466

6.1.1.2.7.14msmq-Receive466

6.1.1.2.7.15msmq-Peek466

6.1.1.2.7.16msmq-Send466

6.1.1.2.7.17msmq-Receive-journal466

6.1.1.2.7.18msmq-Open-Connector466

6.1.1.2.7.19Apply-Group-Policy467

6.1.1.2.7.20RAS-Information467

6.1.1.2.7.21DS-Install-Replica467

6.1.1.2.7.22Change-Infrastructure-Master467

6.1.1.2.7.23Update-Schema-Cache467

6.1.1.2.7.24Recalculate-Security-Inheritance467

6.1.1.2.7.25DS-Check-Stale-Phantoms468

6.1.1.2.7.26Certificate-Enrollment468

6.1.1.2.7.27Self-Membership468

6.1.1.2.7.28Validated-DNS-Host-Name468

6.1.1.2.7.29Validated-SPN468

6.1.1.2.7.30Generate-RSoP-Planning469

6.1.1.2.7.31Refresh-Group-Cache469

6.1.1.2.7.32Reload-SSL-Certificate469

6.1.1.2.7.33SAM-Enumerate-Entire-Domain469

6.1.1.2.7.34Generate-RSoP-Logging469

6.1.1.2.7.35Domain-Other-Parameters470

6.1.1.2.7.36DNS-Host-Name-Attributes470

6.1.1.2.7.37Create-Inbound-Forest-Trust470

6.1.1.2.7.38DS-Replication-Get-Changes-All470

6.1.1.2.7.39Migrate-SID-History470

6.1.1.2.7.40Reanimate-Tombstones471

6.1.1.2.7.41Allowed-To-Authenticate471

6.1.1.2.7.42DS-Execute-Intentions-Script471

6.1.1.2.7.43DS-Replication-Monitor-Topology471

6.1.1.2.7.44Update-Password-Not-Required-Bit472

6.1.1.2.7.45Unexpire-Password472

6.1.1.2.7.46Enable-Per-User-Reversibly-Encrypted-Password472

6.1.1.2.7.47DS-Query-Self-Quota472

6.1.1.2.7.48Private-Information472

6.1.1.2.7.49MS-TS-GatewayAccess472

6.1.1.2.7.50Terminal-Server-License-Server473

6.1.1.2.7.51Domain-Administer-Server473

6.1.1.2.7.52User-Change-Password473

6.1.1.2.7.53User-Force-Change-Password473

6.1.1.2.7.54Send-As474

6.1.1.2.7.55Receive-As474

6.1.1.2.7.56Send-To474

6.1.1.2.7.57Domain-Password474

6.1.1.2.7.58General-Information475

6.1.1.2.7.59User-Account-Restrictions475

6.1.1.2.7.60User-Logon475

6.1.1.2.7.61Membership475

6.1.1.2.7.62Open-Address-Book476

6.1.1.2.7.63Personal-Information476

6.1.1.2.7.64Email-Information476

6.1.1.2.7.65Web-Information477

6.1.1.2.7.66DS-Replication-Get-Changes477

6.1.1.2.7.67DS-Replication-Synchronize477

6.1.1.2.7.68DS-Replication-Manage-Topology477

6.1.1.2.7.69Change-Schema-Master478

6.1.1.2.7.70DS-Replication-Get-Changes-In-Filtered-Set478

6.1.1.2.7.71Run-Protect-Admin-Groups-Task478

6.1.1.2.7.72Manage-Optional-Features478

6.1.1.2.7.73Read-Only-Replication-Secret-Synchronization478

6.1.1.2.7.74Validated-MS-DS-Additional-DNS-Host-Name479

6.1.1.2.7.75Validated-MS-DS-Behavior-Version479

6.1.1.2.7.76DS-Clone-Domain-Controller479

6.1.1.2.7.77Certificate-AutoEnrollment479

6.1.1.2.7.78DS-Read-Partition-Secrets479

6.1.1.2.7.79DS-Write-Partition-Secrets479

6.1.1.2.7.80DS-Set-Owner479

6.1.1.2.7.81DS-Bypass-Quota480

6.1.1.2.7.82DS-Validated-Write-Computer480

6.1.1.2.8Forest Updates Container480

6.1.1.2.8.1Operations Container480

6.1.1.2.8.2Windows2003Update Container481

6.1.1.2.8.3ActiveDirectoryUpdate Container481

6.1.1.2.8.4ActiveDirectoryRodcUpdate Container481

6.1.1.3Critical Domain Objects481

6.1.1.3.1Domain Controller Object482

6.1.1.3.2Read-Only Domain Controller Object482

6.1.1.4Well-Known Objects483

6.1.1.4.1Lost and Found Container486

6.1.1.4.2Deleted Objects Container486

6.1.1.4.3NTDS Quotas Container487

6.1.1.4.4Infrastructure Object487

6.1.1.4.5Domain Controllers OU487

6.1.1.4.6Users Container487

6.1.1.4.7Computers Container488

6.1.1.4.8Program Data Container488

6.1.1.4.9Managed Service Accounts Container488

6.1.1.4.10Foreign Security Principals Container488

6.1.1.4.11System Container489

6.1.1.4.11.1Password Settings Container489

6.1.1.4.12Builtin Container489

6.1.1.4.12.1Account Operators Group Object490

6.1.1.4.12.2Administrators Group Object490

6.1.1.4.12.3Backup Operators Group Object490

6.1.1.4.12.4Certificate Service DCOM Access Group Object490

6.1.1.4.12.5Cryptographic Operators Group Object490

6.1.1.4.12.6Distributed COM Users Group Object490

6.1.1.4.12.7Event Log Readers Group Object490

6.1.1.4.12.8Guests Group Object491

6.1.1.4.12.9IIS_IUSRS Group Object491

6.1.1.4.12.10Incoming Forest Trust Builders Group Object491

6.1.1.4.12.11Network Configuration Operators Group Object491

6.1.1.4.12.12Performance Log Users Group Object491

6.1.1.4.12.13Performance Monitor Users Group Object491

6.1.1.4.12.14Pre-Windows 2000 Compatible Access Group Object491

6.1.1.4.12.15Print Operators Group Object491

6.1.1.4.12.16Remote Desktop Users Group Object492

6.1.1.4.12.17Replicator Group Object492

6.1.1.4.12.18Server Operators Group Object492

6.1.1.4.12.19Terminal Server License Servers Group Object492

6.1.1.4.12.20Users Group Object492

6.1.1.4.12.21Windows Authorization Access Group Group Object492

6.1.1.4.13Roles Container492

6.1.1.4.13.1Administrators Group Object493

6.1.1.4.13.2Readers Group Object493

6.1.1.4.13.3Users Group Object493

6.1.1.4.13.4Instances Group Object493

6.1.1.5Other System Objects493

6.1.1.5.1AdminSDHolder Object493

6.1.1.5.2Default Domain Policy Container495

6.1.1.5.3Sam Server Object495

6.1.1.5.4Domain Updates Container495

6.1.1.5.4.1Operations Container496

6.1.1.5.4.2Windows2003Update Container496

6.1.1.5.4.3ActiveDirectoryUpdate Container496

6.1.1.6Well-Known Domain-Relative Security Principals496

6.1.1.6.1Administrator496

6.1.1.6.2Guest497

6.1.1.6.3Key Distribution Center Service Account497

6.1.1.6.4Cert Publishers497

6.1.1.6.5Domain Administrators497

6.1.1.6.6Domain Computers497

6.1.1.6.7Domain Controllers497

6.1.1.6.8Domain Guests498

6.1.1.6.9Domain Users498

6.1.1.6.10Enterprise Administrators498

6.1.1.6.11Group Policy Creator Owners498

6.1.1.6.12RAS and IAS Servers498

6.1.1.6.13Read-Only Domain Controllers499

6.1.1.6.14Enterprise Read-Only Domain Controllers499

6.1.1.6.15Schema Admins499

6.1.1.6.16Allowed RODC Password Replication Group499

6.1.1.6.17Denied RODC Password Replication Group499

6.1.2Forest Requirements500

6.1.2.1DC Existence500

6.1.2.2NC Existence500

6.1.2.3Hosting Requirements501

6.1.2.3.1DC and Application NC Replica501

6.1.2.3.2DC and Regular Domain NC Replica501

6.1.2.3.3DC and Schema/Config NC Replicas501

6.1.2.3.4DC and Partial Replica NCs Replicas502

6.1.3Security Descriptor Requirements502

6.1.3.1ACE Ordering Rules504

6.1.3.2SD Flags Control504

6.1.3.3Processing Specifics504

6.1.3.4Security Considerations505

6.1.3.5SD Defaulting Rules506

6.1.3.6Owner and Group Defaulting Rules507

6.1.3.7Default Administrators Group507

6.1.4Special Attributes508

6.1.4.1ntMixedDomain508

6.1.4.2msDS-Behavior-Version: DC Functional Level508

6.1.4.3msDS-Behavior-Version: Domain NC Functional Level509

6.1.4.4msDS-Behavior-Version: Forest Functional Level510

6.1.4.5Replication Schedule Structures510

6.1.4.5.1SCHEDULE_HEADER Structure510

6.1.4.5.2SCHEDULE Structure511

6.1.4.5.3REPS_FROM511

6.1.4.5.4REPS_TO512

6.1.4.5.5MTX_ADDR Structure512

6.1.4.5.6REPLTIMES Structure512

6.1.4.5.7PAS_DATA Structure512

6.1.4.6msDS-AuthenticatedAtDC512

6.1.5FSMO Roles512

6.1.5.1Schema Master FSMO Role512

6.1.5.2Domain Naming Master FSMO Role513

6.1.5.3RID Master FSMO Role513

6.1.5.4PDC Emulator FSMO Role513

6.1.5.5Infrastructure FSMO Role514

6.1.6Trust Objects514

6.1.6.1Overview (Synopsis)514

6.1.6.2Relationship to Other Protocols514

6.1.6.2.1TDO Replication over DRS514

6.1.6.2.2TDO Roles in Authentication Protocols over Domain Boundaries515

6.1.6.2.3TDO Roles in Authorization over Domain Boundaries515

6.1.6.3Prerequisites/Preconditions515

6.1.6.4Versioning and Capability Negotiation515

6.1.6.5Vendor-Extensible Fields515

6.1.6.6Transport515

6.1.6.7Essential Attributes of a Trusted Domain Object516

6.1.6.7.1flatName516

6.1.6.7.2isCriticalSystemObject516

6.1.6.7.3msDs-supportedEncryptionTypes517

6.1.6.7.4msDS-TrustForestTrustInfo517

6.1.6.7.5nTSecurityDescriptor517

6.1.6.7.6objectCategory517

6.1.6.7.7objectClass517

6.1.6.7.8securityIdentifier517

6.1.6.7.9trustAttributes517

6.1.6.7.10trustAuthIncoming520

6.1.6.7.11trustAuthOutgoing520

6.1.6.7.12trustDirection520

6.1.6.7.13trustPartner520

6.1.6.7.14trustPosixOffset520

6.1.6.7.15trustType521

6.1.6.8Essential Attributes of Interdomain Trust Accounts521

6.1.6.8.1cn (RDN)521

6.1.6.8.2objectClass521

6.1.6.8.3sAMAccountName522

6.1.6.8.4sAMAccountType522

6.1.6.8.5userAccountControl522

6.1.6.9Details522

6.1.6.9.1trustAuthInfo Attributes522

6.1.6.9.1.1LSAPR_AUTH_INFORMATION523

6.1.6.9.1.2Kerberos Usages of trustAuthInfo Attributes524

6.1.6.9.2Netlogon Usages of Trust Objects525

6.1.6.9.3msDS-TrustForestTrustInfo Attribute525

6.1.6.9.3.1Record526

6.1.6.9.3.2Building Well-Formed msDS-TrustForestTrustInfo Messages529

6.1.6.9.4Computation of trustPosixOffset531

6.1.6.9.5Mapping Logon SIDs to POSIX Identifiers531

6.1.6.9.6Timers531

6.1.6.9.6.1Trust Secret Cycling531

6.1.6.9.7Initialization532

6.1.6.10Security Considerations for Implementers533

6.1.7DynamicObject Requirements533

6.2Knowledge Consistency Checker533

6.2.1References533

6.2.2Overview534

6.2.2.1Refresh kCCFailedLinks and kCCFailedConnections536

6.2.2.2Intrasite Connection Creation536

6.2.2.3Intersite Connection Creation538

6.2.2.3.1ISTG Selection539

6.2.2.3.2Merge of kCCFailedLinks and kCCFailedLinks from Bridgeheads540

6.2.2.3.3Site Graph Concepts541

6.2.2.3.4Connection Creation542

6.2.2.3.4.1Types542

6.2.2.3.4.2Main Entry Point543

6.2.2.3.4.3Site Graph Construction544

6.2.2.3.4.4Spanning Tree Computation547

6.2.2.3.4.5nTDSConnection Creation558

6.2.2.4Removing Unnecessary Connections561

6.2.2.5Connection Translation562

6.2.2.6Remove Unneeded kCCFailedLinks and kCCFailedConnections Tuples564

6.2.2.7Updating the RODC NTFRS Connection Object564

6.3Publishing and Locating a Domain Controller564

6.3.1Structures and Constants565

6.3.1.1NETLOGON_NT_VERSION Options Bits565

6.3.1.2DS_FLAG Options Bits566

6.3.1.3Operation Code567

6.3.1.4NETLOGON_LOGON_QUERY567

6.3.1.5NETLOGON_PRIMARY_RESPONSE568

6.3.1.6NETLOGON_SAM_LOGON_REQUEST569

6.3.1.7NETLOGON_SAM_LOGON_RESPONSE_NT40570

6.3.1.8NETLOGON_SAM_LOGON_RESPONSE571

6.3.1.9NETLOGON_SAM_LOGON_RESPONSE_EX573

6.3.1.10DNSRegistrationSettings576

6.3.2DNS Record Registrations578

6.3.2.1Timers578

6.3.2.1.1Register DNS Records Timer578

6.3.2.2Non-Timer Events578

6.3.2.2.1Force Register DNS Records Non-Timer Event578

6.3.2.3SRV Records579

6.3.2.4Non-SRV Records581

6.3.3LDAP Ping583

6.3.3.1Syntactic Validation of the Filter584

6.3.3.2Domain Controller Response to an LDAP Ping584

6.3.3.3Response to Invalid Filter589

6.3.4NetBIOS Broadcast and NBNS Background589

6.3.5Mailslot Ping589

6.3.6Locating a Domain Controller592

6.3.6.1DNS-Based Discovery592

6.3.6.2NetBIOS-Based Discovery594

6.3.7Name Compression and Decompression594

6.3.8AD LDS DC Publication595

6.4Domain Join597

6.4.1State of a Machine Joined to a Domain597

6.4.2State in an Active Directory Domain597

6.4.3Relationship to Protocols598

6.5Unicode String Comparison598

6.5.1String Comparison by Using Sort Keys598

6.6Claims.idl599

7Communication Details for Active Directory Connections602

7.1Connection Resolution of LDAP Clients602

7.2ADConnection Overview602

7.3ADConnection Abstract Data Model605

7.4Handling Network Errors607

7.5ICMP Pings608

7.6Tasks and Events608

7.6.1Tasks609

7.6.1.1Initializing an ADConnection609

7.6.1.2Setting an LDAP Option on an ADConnection610

7.6.1.3Establishing an ADConnection611

7.6.1.4Performing an LDAP Bind on an ADConnection611

7.6.1.5Performing an LDAP Unbind on an ADConnection612

7.6.1.6Performing an LDAP Operation on an ADConnection612

7.6.2Internal Tasks613

7.6.2.1Initializing a Connection to a Directory Server613

7.6.2.2Connecting to a Directory Server614

7.6.2.3Performing an LDAP Bind Against a Directory Server616

7.6.2.4Performing an LDAP Unbind Against a Directory Server617

7.6.2.5Performing an LDAP Operation Against a Directory Server617

7.6.2.6Following an LDAP Referral or Continuation Reference618

7.6.2.7Autoreconnecting to a Directory Server620

7.6.3External Triggered Events621

7.6.3.1Processing Network Errors621

7.6.3.2Getting an LDAP Response from a Directory Server622

7.6.4Timer Triggered Events623

7.6.4.1Timer Expiry on RequestTimer623

7.7LDAP Over UDP624

7.7.1ADUDPHandle Overview624

7.7.2ADUDPHandle Abstract Data Model624

7.7.3Tasks625

7.7.3.1Initializing an ADUDPHandle625

7.7.3.2Performing an LDAP Operation on an ADUDPHandle625

7.8Transport Requirements628

7.9Security Elements628

7.10Communications Security628

8Change Tracking630

9Index631

Introduction

This is the primary specification for Active Directory, both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). When the specification does not refer specifically to AD DS or AD LDS, it applies to both. The state model for this specification is prerequisite to the other specifications for Active Directory: [MS-DRSR] and [MS-SRPL].

When no operating system version information is specified, information in this document applies to all relevant versions of Windows. Similarly, when no DC functional level is specified, information in this document applies to all DC functional levels.

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include released service packs.

Note: The terms "earlier" and "later", when used with a product version, refer to either all preceding versions or all subsequent versions, respectively. The term "through" refers to the inclusive range of versions. Applicable Microsoft products are listed chronologically in this section.

· Windows 2000 Server operating system

· Windows Server 2003 operating system

· Windows Server 2003 R2 operating system






· Windows Server v1709 operating system





AD DS first became available as part of Microsoft Windows 2000 operating system and is available as part of Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2 products; in these products it is called "Active Directory". It is also available as part of Windows Server 2008 and later. AD DS is not present in Windows NT 3.1 operating system, Windows NT 3.51 operating system, Windows NT 4.0 operating system, or Windows XP operating system.

AD LDS first became available during the release of Windows Server 2003. In Windows XP, Windows Server 2003, and Windows Server 2003 R2, it is a standalone application called "Active Directory Application Mode (ADAM)". AD LDS is also available as part of Windows Server 2008 and later. Unless otherwise specified, information in this specification is also applicable to AD LDS. There are two versions of ADAM, ADAM RTW (introduced in the same timeframe as Windows Server 2003 operating system with Service Pack 1 (SP1)) and ADAM SP1 (introduced in the same timeframe as Windows Server 2003 operating system with Service Pack 2 (SP2)); unless otherwise specified, where ADAM is discussed in this document it refers to both versions of ADAM.

AD LDS for a particular Windows client is a standalone application that provides AD LDS capabilities for that Windows client. Information that is applicable to AD LDS on applicable Windows Server releases is generally also applicable to AD LDS on Windows clients, except where it is explicitly specified that such information is not applicable to that product. The following list provides a mapping of this applicability:

· Information that is applicable to AD LDS on Windows Server 2008 is also applicable to Active Directory Lightweight Directory Services (AD LDS) for Windows Vista.

· Information that is applicable to AD LDS on Windows Server 2008 R2 is also applicable to Active Directory Lightweight Directory Services (AD LDS) for Windows 7.

· Information that is applicable to AD LDS on Windows Server 2012 is also applicable to Active Directory Lightweight Directory Services (AD LDS) for Windows 8 operating system.

· Information that is applicable to AD LDS on Windows Server 2012 R2 is also applicable to Active Directory Lightweight Directory Services (AD LDS) for Windows 8.1 operating system.

· Information that is applicable to AD LDS on Windows Server 2016 is also applicable to Active Directory Lightweight Directory Services (AD LDS) for Windows 10 operating system.

· Information that is applicable to AD LDS on Windows Server v1709 is also applicable to AD LDS for Windows 10 v1703 operating system and Windows 10 v1709 operating system.

· Information that is applicable to AD LDS on Windows Server v1803 is also applicable to AD LDS for Windows 10 v1803 operating system.

· Information that is applicable to AD LDS on Windows Server v1809 and Windows Server 2019 is also applicable to AD LDS for Windows 10 v1809 operating system.

· Information that is applicable to AD LDS on Windows Server v1903 is also applicable to AD LDS for Windows 10 v1903 operating system.

State is included in the state model for this specification only as necessitated by the requirement that a licensee implementation of the protocols of applicable Windows Server releases has to be capable of receiving messages and responding in the same manner as applicable Windows Server releases. Behavior is specified in terms of request message received, processing based on current state, resulting state transformation, and response message sent. Unless otherwise specified in the sections that follow, all of the behaviors are required for interoperability.

The following typographical convention is used to indicate the special meaning of certain names:

· Underline, as in instanceType: the name of an attribute or object class whose interpretation is specified in the following documents:

· [MS-ADA1] Attribute names for AD DS whose initial letter is A through L.

· [MS-ADA2] Attribute names for AD DS whose initial letter is M.

· [MS-ADA3] Attribute names for AD DS whose initial letter is N through Z.

· [MS-ADSC] Object class names for AD DS.

· [MS-ADLS] Object class names and attribute names for AD LDS.

For clarity, bit flags are sometimes shown as bit field diagrams. In the case of bit flags for Lightweight Directory Access Protocol (LDAP) attributes, these diagrams take on big-endian characteristics but do not reflect the actual byte ordering of integers over the wire, because LDAP transfers an integer as the UTF-8 string of the decimal representation of that integer, as specified in [RFC2252].

Pervasive Concepts

The following concepts are pervasive throughout this specification.

This specification uses [KNUTH1] section 2.3.4.2 as a reference for the graph-related terms oriented tree, root, vertex, arc, initial vertex, and final vertex.

Authentication concepts for domains, account domains, domain controllers, security principals, and user objects can be found in [MS-AUTHSOD] section 1.1.1 and subsections.

replica: A variable containing a set of objects.

attribute: An identifier for a value or set of values. See also attribute in the Glossary (section 1.1).

object: A set of attributes, each with its associated values. Two attributes of an object have special significance:

· Identifying attribute: A designated single-valued attribute appears on every object. The value of this attribute identifies the object. For the set of objects in a replica, the values of the identifying attribute are distinct.

· Parent-identifying attribute: A designated single-valued attribute appears on every object. The value of this attribute identifies the object's parent. That is, this attribute contains the value of the parent's identifying attribute or a reserved value identifying no object (for more information, see section 3.1.1.1.3). For the set of objects in a replica, the values of this parent-identifying attribute define an oriented tree with objects as vertices and child-parent references as directed arcs, with the child as an arc's initial vertex and the parent as an arc's final vertex.

Note that an object is a value, not a variable; a replica is a variable. The process of adding, modifying, or deleting an object in a replica replaces the entire value of the replica with a new value.

As the term "replica" suggests, it is often the case that two replicas contain "the same objects". In this usage, objects in two replicas are considered "the same" if they have the same value of the identifying attribute and if there is a process in place (that is, replication) to converge the values of the remaining attributes. When the members of a set of replicas are considered to be the same, it is common to say "an object" as a shorthand way of referring to the set of corresponding objects in the replicas.

object class: A set of restrictions on the construction and update of objects. An object class must be specified when an object is created. An object class specifies a set of must-have attributes (every object of the class must have at least one value of each) and may-have attributes (every object of the class may have a value of each). An object class also specifies a set of possible superiors (the parent object of an object of the class must have one of these classes). An object class is defined by a classSchema object.

parent object: See "object", above.

child object, children: An object that is not the root of its oriented tree. The children of an object O is the set of all objects whose parent object is O.

See section 3.1.1.1.3 for the particular use made of these definitions in this specification.

Glossary

This document uses the following terms:

88 object class: An object class as specified in the X.500 directory specification ([X501] section 8.4.3). An 88 object class can be instantiated as a new object, like a structural object class, and on an existing object, like an auxiliary object class.

abstract object class: An object class whose only function is to be the basis of inheritance by other object classes, thereby simplifying their definition.

access check: A verification to determine whether a specific access type is allowed by checking a security context against a security descriptor.

access control entry (ACE): An entry in an access control list (ACL) that contains a set of user rights and a security identifier (SID) that identifies a principal for whom the rights are allowed, denied, or audited.

access control list (ACL): A list of access control entries (ACEs) that collectively describe the security rules for authorizing access to some resource; for example, an object or set of objects.

access mask: A 32-bit value present in an access control entry (ACE) that specifies the allowed or denied rights to manipulate an object.

account domain: A domain, identified by a security identifier (SID), that is the SID namespace for which a given machine is authoritative. The account domain is the same as the primary domain for a domain controller (DC) and is its default domain. For a machine that is joined to a domain, the account domain is the SID namespace defined by the local Security Accounts Manager [MS-SAMR].

ACID: A term that refers to the four properties that any database system must achieve in order to be considered transactional: Atomicity, Consistency, Isolation, and Durability [GRAY].

active: A state of an attributeSchema or classSchema object that represents part of the schema. It is possible to instantiate an active attribute or an active class. The opposite term is defunct.

Active Directory: The Windows implementation of a general-purpose directory service, which uses LDAP as its primary access protocol. Active Directory stores information about a variety of objects in the network such as user accounts, computer accounts, groups, and all related credential information used by Kerberos [MS-KILE]. Active Directory is either deployed as Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS), which are both described in [MS-ADOD]: Active Directory Protocols Overview.

Active Directory Domain Services (AD DS): A directory service (DS) implemented by a domain controller (DC). The DS provides a data store for objects that is distributed across multiple DCs. The DCs interoperate as peers to ensure that a local change to an object replicates correctly across DCs. AD DS is a deployment of Active Directory [MS-ADTS].

Active Directory Lightweight Directory Services (AD LDS): A directory service (DS) implemented by a domain controller (DC). AD LDS is a deployment of Active Directory [MS-ADTS]. The most significant difference between AD LDS and Active Directory Domain Services (AD DS) is that AD LDS does not host domain naming contexts (domain NCs). A server can host multiple AD LDS DCs. Each DC is an independent AD LDS instance, with its own independent state. AD LDS can be run as an operating system DS or as a directory service provided by a standalone application (ADAM).

Advanced Encryption Standard (AES): A block cipher that supersedes the Data Encryption Standard (DES). AES can be used to protect electronic data. The AES algorithm can be used to encrypt (encipher) and decrypt (decipher) information. Encryption converts data to an unintelligible form called ciphertext; decrypting the ciphertext converts the data back into its original form, called plaintext. AES is used in symmetric-key cryptography, meaning that the same key is used for the encryption and decryption operations. It is also a block cipher, meaning that it operates on fixed-size blocks of plaintext and ciphertext, and requires the size of the plaintext as well as the ciphertext to be an exact multiple of this block size. AES is also known as the Rijndael symmetric encryption algorithm [FIPS197].

ambiguous name resolution (ANR): A search algorithm that permits a client to search multiple naming-related attributes on objects by way of a single clause of the form "(anr=value)" in a Lightweight Directory Access Protocol (LDAP) search filter. This permits a client to query for an object when the client possesses some identifying material related to the object but does not know which attribute of the object contains that identifying material.

application naming context (application NC): A specific type of naming context (NC), or an instance of that type, that supports only full replicas (no partial replicas). An application NC cannot contain security principal objects in Active Directory Domain Services (AD DS), but can contain security principal objects in Active Lightweight Directory Services (AD LDS). A forest can have zero or more application NCs in either AD DS or AD LDS. An application NC can contain dynamic objects. Application NCs do not appear in the global catalog (GC). The root of an application NC is an object of class domainDNS.

attribute: An identifier for a single or multivalued data element that is associated with a directory object. An object consists of its attributes and their values. For example, cn (common name), street (street address), and mail (email addresses) can all be attributes of a user object. An attribute's schema, including the syntax of its values, is defined in an attributeSchema object.

attribute syntax: Specifies the format and range of permissible values of an attribute. The syntax of an attribute is defined by several attributes on the attributeSchema object, as specified in [MS-ADTS] section 3.1.1.2. Attribute syntaxes supported by Active Directory include Boolean, Enumeration, Integer, LargeInteger, String(UTC-Time), Object(DS-DN), and String(Unicode).

AttributeStamp: The type of a stamp attached to an attribute.

authentication: The act of proving an identity to a server while providing key material that binds the identity to subsequent communications.

authorization: The secure computation of roles and accesses granted to an identity.

auxiliary object class: An object class that cannot be instantiated in the directory but can be either added to, or removed from, an existing object to make its attributes available for use on that object; or associated with an abstract or structural object class to add its attributes to that abstract or structural object class.

back link attribute: A constructed attribute whose values include object references (for example, an attribute of syntax Object(DS-DN)). The back link values are derived from the values of a related attribute, a forward link attribute, on other objects. If f is the forward link attribute, one back link value exists on object o for each object r that contains a value of o for attribute f. The relationship between the forward link attributes and back link attributes is expressed using the linkId attribute on the attributeSchema objects representing the two attributes. The forward link's linkId is an even number, and the back link's linkId is the forward link's linkId plus one. For more information, see [MS-ADTS] section 3.1.1.1.6.

back link value: The value of a back link attribute.

backup domain controller (BDC): A domain controller (DC) that receives a copy of the domain directory database from the primary domain controller (PDC). This copy is synchronized periodically and automatically with the primary domain controller (PDC). BDCs also authenticate user logons and can be promoted to function as the PDC. There is only one PDC or PDC emulator in a domain, and the rest are backup domain controllers.

base64 encoding: A binary-to-text encoding scheme whereby an arbitrary sequence of bytes is converted to a sequence of printable ASCII characters, as described in [RFC4648].

Basic Encoding Rules (BER): A set of encoding rules for ASN.1 notation. These encoding schemes allow the identification, extraction, and decoding of data structures. These encoding rules are defined in [ITUX690].

big-endian: Multiple-byte values that are byte-ordered with the most significant byte stored in the memory location with the lowest address.

binary large object (BLOB): A collection of binary data stored as a single entity in a database.

bridgehead domain controller (bridgehead DC): A domain controller (DC) that may replicate updates to or from DCs in sites other than its own.

broadcast: A style of resource location or data transmission in which a client makes a request to all parties on a network simultaneously (a one-to-many communication). Also, a mode of resource location that does not use a name service.

built-in domain: The security identifier (SID) namespace defined by the fixed SID S-1-5-32. Contains groups that define roles on a local machine such as Backup Operators.

built-in domain SID: The fixed SID S-1-5-32.

canonical name: A syntactic transformation of an Active Directory distinguished name (DN) into something resembling a path that still identifies an object within a forest. DN "cn=Peter Houston, ou=NTDEV, dc=microsoft, dc=com" translates to the canonical name "microsoft.com/NTDEV/Peter Houston", while the DN "dc=microsoft, dc=com" translates to the canonical name "microsoft.com/".

child naming context (child NC): Given naming contexts (NCs) with their corresponding distinguished names (DNs) forming a child and parent relationship, the NC in the child relationship is referred as the child NC. The parent of a child NC must be an NC and is referred to as the parent naming context (parent NC).

child object, children: An object that is not the root of its tree. The children of an object o are the set of all objects whose parent is o. See section 1 of [MS-ADTS] and section 1 of [MS-DRSR].

claim: An assertion about a security principal expressed as the n-tuple {Identifier, ValueType, m Value(s) of type ValueType} where m is greater than or equal to 1. A claim with only one Value in the n-tuple is called a single-valued claim; a claim with more than one Value is called a multi-valued claim.

code page: An ordered set of characters of a specific script in which a numerical index (code-point value) is associated with each character. Code pages are a means of providing support for character sets and keyboard layouts used in different countries. Devices such as the display and keyboard can be configured to use a specific code page and to switch from one code page (such as the United States) to another (such as Portugal) at the user's request.

Component Object Model (COM): An object-oriented programming model that defines how objects interact within a single process or between processes. In COM, clients have access to an object through interfaces implemented on the object. For more information, see [MS-DCOM].

computer object: An object of class computer. A computer object is a security principal object; the principal is the operating system running on the computer. The shared secret allows the operating system running on the computer to authenticate itself independently of any user running on the system. See security principal.

configuration naming context (config NC): A specific type of naming context (NC), or an instance of that type, that contains configuration information. In Active Directory, a single config NC is shared among all domain controllers (DCs) in the forest. A config NC cannot contain security principal objects.

constructed attribute: An attribute whose values are computed from normal attributes (for read) and/or have effects on the values of normal attributes (for write).

container: An object in the directory that can serve as the parent for other objects. In the absence of schema constraints, all objects would be containers. The schema allows only objects of specific classes to be containers.

control access right: An extended access right that can be granted or denied on an access control list (ACL).

Coordinated Universal Time (UTC): A high-precision atomic time standard that approximately tracks Universal Time (UT). It is the basis for legal, civil time all over the Earth. Time zones around the world are expressed as positive and negative offsets from UTC. In this role, it is also referred to as Zulu time (Z) and Greenwich Mean Time (GMT). In these specifications, all references to UTC refer to the time at UTC-0 (or GMT).

cross-forest trust: A relationship between two forests that enables security principals from any domain in one forest to authenticate to computers joined to any domain in the other forest.

crossRef object: An object residing in the partitions container of the config NC that describes the properties of a naming context (NC), such as its domain naming service name, operational settings, and so on.

DC functional level: A specification of functionality available in a domain controller (DC). See [MS-ADTS] section 6.1.4.2 for possible values and a mapping between the possible values and product versions.

default domain naming context (default domain NC): When Active Directory is operating as Active Directory Domain Services (AD DS), this is the default naming context (default NC) of the domain controller (DC). When operating as Active Directory Lightweight Directory Services (AD LDS), this NC is not defined.

default naming context (default NC): When Active Directory is operating as Active Directory Domain Services (AD DS), the default naming context (default NC) is the domain naming context (domain NC) whose full replica is hosted by a domain controller (DC), except when the DC is a read-only domain controller (RODC), in which case the default NC is a filtered partial NC replica. When operating as AD DS, a DC's default NC is the NC of its default NC replica, and the default NC contains the DC's computer object. When Active Directory is operating as AD LDS, the default NC is the naming context (NC) specified by the msDS-DefaultNamingContext attribute on the nTDSDSA object for the DC. See nTDSDSA object.

default schema: The schema of a given version of Active Directory, as defined by [MS-ADSC], [MS-ADA1], [MS-ADA2], and [MS-ADA3] for AD DS, and as defined by [MS-ADLS] for Active Directory Lightweight Directory Services (AD LDS).

defunct: A state of an attributeSchema or classSchema object that represents part of the schema. It is not possible to instantiate a defunct attribute or a defunct class. The opposite term is active.

deleted-object: An object that has been deleted, but remains in storage until a configured amount of time (the deleted-object lifetime) has passed, after which the object is transformed to a recycled-object. Unlike a recycled-object or a tombstone, a deleted-object maintains virtually all the state of the object before deletion, and can be undeleted without loss of information. Deleted-objects exist only when the Recycle Bin optional feature is enabled.

deleted-object lifetime: The time period that a deleted-object is kept in storage before it is transformed into a recycled-object.

digest: The fixed-length output string from a one-way hash function that takes a variable-length input string and is probabilistically unique for every different input string. Also, a cryptographic checksum of a data (octet) stream.

directory: A forest.

directory object: An Active Directory object, which is a specialization of the "object" concept that is described in [MS-ADTS] section 1 or [MS-DRSR] section 1, Introduction, under Pervasive Concepts. An Active Directory object can be identified by the objectGUID attribute of a dsname according to the matching rules defined in [MS-DRSR] section 5.50, DSNAME. The parent-identifying attribute (not exposed as an LDAP attribute) is parent. Active Directory objects are similar to LDAP entries, as defined in [RFC2251]; the differences are specified in [MS-ADTS] section 3.1.1.3.1.

directory service (DS): A service that stores and organizes information about a computer network's users and network shares, and that allows network administrators to manage users' access to the shares. See also Active Directory.

directory service agent (DSA): A term from the X.500 directory specification [X501] that represents a component that maintains and communicates directory information.

discretionary access control list (DACL): An access control list (ACL) that is controlled by the owner of an object and that specifies the access particular users or groups can have to the object.

distinguished name (DN): In Lightweight Directory Access Protocol (LDAP), an LDAP Distinguished Name, as described in [RFC2251] section 4.1.3. The DN of an object is the DN of its parent, preceded by the RDN of the object. For example: CN=David Thompson, OU=Users, DC=Microsoft, DC=COM. For definitions of CN and OU, see [RFC2256] sections 5.4 and 5.12, respectively.

DNS name: A fully qualified domain name (FQDN).

domain: A set of users and computers sharing a common namespace and management infrastructure. At least one computer member of the set must act as a domain controller (DC) and host a member list that identifies all members of the domain, as well as optionally hosting the Active Directory service. The domain controller provides authentication of members, creating a unit of trust for its members. Each domain has an identifier that is shared among its members. For more information, see [MS-AUTHSOD] section 1.1.1.5 and [MS-ADTS].

domain controller (DC): The service, running on a server, that implements Active Directory, or the server hosting this service. The service hosts the data store for objects and interoperates with other DCs to ensure that a local change to an object replicates correctly across all DCs. When Active Directory is operating as Active Directory Domain Services (AD DS), the DC contains full NC replicas of the configuration naming context (config NC), schema naming context (schema NC), and one of the domain NCs in its forest. If the AD DS DC is a global catalog server (GC server), it contains partial NC replicas of the remaining domain NCs in its forest. For more information, see [MS-AUTHSOD] section 1.1.1.5.2 and [MS-ADTS]. When Active Directory is operating as Active Directory Lightweight Directory Services (AD LDS), several AD LDS DCs can run on one server. When Active Directory is operating as AD DS, only one AD DS DC can run on one server. However, several AD LDS DCs can coexist with one AD DS DC on one server. The AD LDS DC contains full NC replicas of the config NC and the schema NC in its forest. The domain controller is the server side of Authentication Protocol Domain Support [MS-APDS].

domain functional level: A specification of functionality available in a domain. Must be less than or equal to the DC functional level of every domain controller (DC) that hosts a replica of the domain's naming context (NC). For information on defined levels, corresponding features, information on how the domain functional level is determined, and supported domain controllers, see [MS-ADTS] sections 6.1.4.2 and 6.1.4.3. When Active Directory is operating as Active Directory Lightweight Directory Services (AD LDS), domain functional level does not exist.

domain joined: A relationship between a machine and some domain naming context (domain NC) in which they share a secret. The shared secret allows the machine to authenticate to a domain controller (DC) for the domain.

domain local group: An Active Directory group that allows user objects, global groups, and universal groups from any domain as members. It can additionally include, and be a member of, other domain local groups from within its domain. A group object g is a domain local group if and only if GROUP_TYPE_RESOURCE_GROUP is present in g!groupType; see [MS-ADTS] section 2.2.12, "Group Type Flags". A security-enabled domain local group is valid for inclusion within access control lists (ACLs) from its own domain. If a domain is in mixed mode, then a security-enabled domain local group in that domain allows only user objects as members.

domain name: A domain name or a NetBIOS name that identifies a domain.

Domain Name System (DNS): A hierarchical, distributed database that contains mappings of domain names to various types of data, such as IP addresses. DNS enables the location of computers and services by user-friendly names, and it also enables the discovery of other information stored in the database.

domain naming context (domain NC): A specific type of naming context (NC), or an instance of that type, that represents a domain. A domain NC can contain security principal objects; no other type of NC can contain security principal objects. Domain NCs appear in the global catalog (GC). A domain NC is hosted by one or more domain controllers (DCs) operating as AD DS. In AD DS, a forest has one or more domain NCs. A domain NC cannot exist in AD LDS. The root of a domain NC is an object of class domainDNS; for directory replication [MS-DRSR], see domainDNS.

domain prefix: A security identifier (SID) of a domain without the relative identifier (RID) portion. The domain prefix refers to the issuing authority SID. For example, the domain prefix of S-1-5-21-397955417-626881126-188441444-1010 is S-1-5-21-397955417-626881126-188441444.

downlevel trust: A trust in which one of the peers is running Windows NT 4.0.

DSA GUID: The objectGUID of a DSA object.

dsname: A tuple that contains between one and three identifiers for an object. The term dsname does not stand for anything. The possible identifiers are the object's GUID (attribute objectGuid), security identifier (SID) (attribute objectSid), and distinguished name (DN) (attribute distinguishedName). A dsname can appear in a protocol message and as an attribute value (for example, a value of an attribute with syntax Object(DS-DN)). Given a DSName, an object can be identified within a set of NC replicas according to the matching rules defined in [MS-DRSR] section 5.49.

dynamic object: An object with a time-to-die (attribute msDS-Entry-Time-To-Die). The directory service garbage-collects a dynamic object immediately after its time-to-die has passed. The constructed attribute entryTTL gives a dynamic object's current time-to-live, that is, the difference between the current time and msDS-Entry-Time-To-Die. For more information, see [RFC2589].

entry: In Active Directory, a synonym for object.

existing-object: An object that is not a tombstone, deleted-object, or recycled-object.

expunge: To permanently remove an object from a naming context (NC) replica, without converting it to a tombstone.

Extended-Rights container: A container holding objects that correspond to control access rights. The container is a child of configuration naming context (config NC) and has relative distinguished name (RDN) CN=Extended-Rights.

File Replication Service (FRS): One of the services offered by a domain controller (DC), which is advertised through the Domain Controller Location protocol. The service being offered to clients is a replicated data storage volume that is associated with the default naming context (NC). The running or paused state of the FRS on a DC is available through protocols documented in [MS-ADTS] section 6.3.

filter: In the context of the Lightweight Directory Access Protocol (LDAP), the filter is one of the parameters in a search request. The filter specifies matching constraints for the candidate objects.

filtered attribute set: The subset of attributes that are not replicated to the filtered partial NC replica and the filtered GC partial NC replica. The filtered attribute set is part of the state of the forest and is used to control the attributes that replicate to a read-only domain controller (RODC). The searchFlags schema attribute is used to define this set.

filtered GC partial NC replica: An NC replica that contains a schema-specified subset of attributes for the objects. The attributes consist of the attributes in the GC partial attribute set (PAS), excluding those present in the filtered attribute set. A filtered GC partial NC replica is not writable; that is, it does not accept originating updates.

filtered partial NC replica: An NC replica that contains a schema-specified subset of attributes for the objects it contains. The subset of attributes consists of all the attributes of the objects, excluding those attributes in the filtered attribute set. A filtered partial NC replica is not writable; that is, it does not accept originating updates.

flexible single master operation (FSMO): A read or update operation on a naming context (NC), such that the operation must be performed on the single designated master replica of that NC. The master replica designation is "flexible" because it can be changed without losing the consistency gained from having a single master. This term, pronounced "fizmo", is never used alone; see also FSMO role, FSMO role owner, and FSMO object.

foreign principal object (FPO): A foreignSecurityPrincipal object.

forest: For Active Directory Domain Services (AD DS), a set of naming contexts (NCs) consisting of one schema naming context (schema NC), one configuration naming context (config NC), one or more domain naming contexts (domain NCs), and zero or more application naming contexts (application NCs). Because a set of NCs can be arranged into a tree structure, a forest is also a set containing one or several trees of NCs. For AD LDS, a set of NCs consisting of one schema NC, one config NC, and zero or more application NCs. (In Microsoft documentation, an AD LDS forest is called a "configuration set".)

forest functional level: A specification of functionality available in a forest. It must be less than or equal to the domain controller (DC) functional level of every DC in the forest. See [MS-ADTS] section 6.1.4.4 for information on how the forest functional level is determined.

forest root domain NC: For Active Directory Domain Services (AD DS), the domain naming context (domain NC) within a forest whose child is the forest's configuration naming context (config NC). The fully qualified domain name (FQDN) of the forest root domain NC serves as the forest's name.

forward link attribute: An attribute whose values include object references (for example, an attribute of syntax Object(DS-DN)). The forward link values can be used to compute the values of a related attribute, a back link attribute, on other objects. If an object o refers to object r in forward link attribute f, and there exists a back link attribute b corresponding to f, then a back link value referring to o exists in attribute b on object r. The relationship between the forward and back link attributes is expressed using the linkId attribute on the attributeSchema objects representing the two attributes. The forward link's linkId is an even number, and the back link's linkId is the forward link's linkId plus one. A forward link attribute can exist with no corresponding back link attribute, but not vice-versa. For more information, see [MS-ADTS].

forward link value: The value of a forward link attribute.

FSMO role: A set of objects that can be updated in only one naming context (NC) replica (the FSMO role owner's replica) at any given time. For more information, see [MS-ADTS] section 3.1.1.1.11. See also FSMO role owner.

FSMO role object: An object in a directory that represents a specific FSMO role. This object is an element of the FSMO role and contains the fSMORoleOwner attribute.

FSMO role owner: The domain controller (DC) holding the naming context (NC) replica in which the objects of a FSMO role can be updated.

full NC replica: A naming context (NC) replica that contains all the attributes of the objects it contains. A full replica accepts

introduction... · web viewad lds first became available during the release of windows server 2003....

Documents