Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Standard view
Full view
of .
Look up keyword or section
Like this

Table Of Contents

1 Introduction
1.1 Glossary
1.2 References
1.2.1 Normative References
1.2.2 Informative References
1.3 Overview
1.4 Relationship to Other Protocols
1.5 Prerequisites/Preconditions
1.6 Applicability Statement
1.7 Versioning and Capability Negotiation
1.8 Vendor-Extensible Fields
1.9 Standards Assignments
2 Messages
2.1 Transport
2.2 Message Syntax
2.2.1 LCID-Locale Mapping Table
2.2.9 Search Flags
2.2.10 System Flags
2.2.11 schemaFlagsEx Flags
2.2.12 Group Type Flags
2.2.13 Security Privilege Flags
2.2.14 Domain RID Values
2.2.15 userAccountControl Bits
2.2.16 Optional Feature Values
3 Details
3.1 Common Details
3.1.1 Abstract Data Model State Model Scope State Modeling Primitives and Notational Conventions Basics, objectGUID, and Special Attribute Behavior objectClass, RDN, DN, Constructed Attributes NC, NC Replica Forest, Canonical Name GC DCs, usn Counters, and the Originating Update Stamp GC Server FSMO Roles Cross-NC Object References NC Replica Graph Scheduled and Event-Driven Replication Replication Latency and Tombstone Lifetime Delayed Link Processing Active Directory Schema Schema NC Syntaxes Introduction LDAP Representations Object(DN-String) Object(Access-Point) Object(DN-Binary) Object(OR-Name) String(Case) String(NT-Sec-Desc) String(Sid) String(Teletex) Referential Integrity Supported Comparison Operations Bool Comparison Rule Integer Comparison Rule DN-String Comparison Rule DN-Binary Comparison Rule DN Comparison Rule PresentationAddress Comparison Rule Octet Comparison Rule CaseString Comparison Rule SecDesc Comparison Rule OID Comparison Rule Sid Comparison Rule NoCaseString Comparison Rule UnicodeString Comparison Rule Time Comparison Rule Attributes Auto-Generated linkID Auto-Generated mAPIID Property Set ldapDisplayName Generation Flag fRODCFilteredAttribute in Attribute searchFlags Classes Class Categories Inheritance objectClass Structure Rules Content Rules Auxiliary Class RDN Attribute of a Class Class classSchema Schema Modifications Consistency and Safety Checks Consistency Checks Safety Checks Defunct Forest Functional Level Less Than WIN2003 Forest Functional Level WIN2003 or Greater ATTRTYP LDAP LDAP Conformance Schema subSchema Syntaxes Attributes Classes Auxiliary Classes Object Naming Naming Attributes NC Naming Multivalued and Multiple-Attribute RDNs Alternative Forms of DNs Alternative Form of SIDs Search Operations Search Filters Range Retrieval of Attribute Values Ambiguous Name Resolution Searches Using the objectCategory Attribute Restrictions on rootDSE Searches Referrals in LDAPv2 and LDAPv3 Password Modify Operations unicodePwd userPassword Dynamic Objects Modify DN Operations Aliases Error Message Strings Ports LDAP Search Over UDP Unbind Operation rootDSE Attributes configurationNamingContext currentTime defaultNamingContext dNSHostName dsSchemaAttrCount dsSchemaClassCount dsSchemaPrefixCount dsServiceName highestCommittedUSN isGlobalCatalogReady isSynchronized ldapServiceName namingContexts netlogon pendingPropagations rootDomainNamingContext schemaNamingContext serverName subschemaSubentry supportedCapabilities supportedControl supportedLDAPPolicies supportedLDAPVersion supportedSASLMechanisms domainControllerFunctionality domainFunctionality forestFunctionality msDS-ReplAllOutboundNeighbors msDS-ReplQueueStatistics msDS-TopQuotaUsage supportedConfigurableSettings supportedExtension validFSMOs dsaVersionString msDS-PortLDAP msDS-PortSSL msDS-PrincipalName serviceAccountInfo spnRegistrationResult tokenGroups usnAtRifm rootDSE Modify Operations becomeDomainMaster becomeInfrastructureMaster becomePdc becomePdcWithCheckPoint becomeRidMaster becomeSchemaMaster checkPhantoms doGarbageCollection dumpDatabase fixupInheritance invalidateRidPool recalcHierarchy schemaUpdateNow removeLingeringObject doLinkCleanup doOnlineDefrag replicateSingleObject updateCachedMemberships doGarbageCollectionPhantomsNow invalidateGCConnection renewServerCertificate rODCPurgeAccount sqmRunOnce runProtectAdminGroupsTask disableOptionalFeature enableOptionalFeature LDAP Extensions LDAP Extended Controls LDAP_PAGED_RESULT_OID_STRING LDAP_SERVER_CROSSDOM_MOVE_TARGET_OID LDAP_SERVER_DIRSYNC_OID LDAP_SERVER_DOMAIN_SCOPE_OID LDAP_SERVER_EXTENDED_DN_OID LDAP_SERVER_GET_STATS_OID LDAP_SERVER_LAZY_COMMIT_OID LDAP_SERVER_PERMISSIVE_MODIFY_OID LDAP_SERVER_NOTIFICATION_OID LDAP_SERVER_RANGE_OPTION_OID LDAP_SERVER_SD_FLAGS_OID LDAP_SERVER_SEARCH_OPTIONS_OID LDAP_SERVER_SORT_OID and LDAP_SERVER_RESP_SORT_OID LDAP_SERVER_SHOW_DELETED_OID LDAP_SERVER_TREE_DELETE_OID LDAP_SERVER_VERIFY_NAME_OID LDAP_CONTROL_VLVREQUEST and LDAP_CONTROL_VLVRESPONSE LDAP_SERVER_ASQ_OID LDAP_SERVER_QUOTA_CONTROL_OID LDAP_SERVER_SHUTDOWN_NOTIFY_OID LDAP_SERVER_FORCE_UPDATE_OID LDAP_SERVER_RANGE_RETRIEVAL_NOERR_OID LDAP_SERVER_RODC_DCPROMO_OID LDAP_SERVER_INPUT_DN_OID LDAP_SERVER_SHOW_DEACTIVATED_LINK_OID LDAP_SERVER_SHOW_RECYCLED_OID LDAP Extended Operations
GSS-SPNEGO X X X GSSAPI GSS-SPNEGO EXTERNAL DIGEST-MD5 LDAP Policies LDAP Configurable Settings LDAP IP-Deny List Reads Introduction Definitions Access Checks Extended Access Checks Constructed Attributes subSchemaSubEntry canonicalName allowedChildClasses sDRightsEffective allowedChildClassesEffective allowedAttributes allowedAttributesEffective fromEntry createTimeStamp modifyTimeStamp primaryGroupToken entryTTL msDS-NCReplOutboundNeighbors msDS-Approx-Immed-Subordinates msDS-KeyVersionNumber msDS-User-Account-Control-Computed msDS-Auxiliary-Classes tokenGroups, tokenGroupsNoGCAcceptable tokenGroupsGlobalAndUniversal possibleInferiors msDS-QuotaEffective msDS-QuotaUsed msDS-TopQuotaUsage ms-DS-UserAccountAutoLocked msDS-UserPasswordExpired msDS-PrincipalName parentGUID msDS-SiteName msDS-isRODC msDS-isGC msDS-isUserCachableAtRodc msDS-UserPasswordExpiryTimeComputed msDS-RevealedList msDS-RevealedListBL msDS-ResultantPSO msDS-LocalEffectiveDeletionTime msDS-LocalEffectiveRecycleTime Referrals Continuations Effects of Defunct Attributes and Classes GetMemberships Algorithm DRS_MSG_REVMEMB_REQ_V1 Add Operation Security Considerations Constraints Special Classes and Attributes Processing Specifics Quota Calculation NC Requirements crossRef Requirements NC-Add Operation Constraints Security Considerations Processing Specifics Modify Operation Security Considerations Validated Writes Member dNSHostName msDS-AdditionalDnsHostName servicePrincipalName msDS-Behavior-Version FSMO Changes Constraints Processing Specifics BehaviorVersion Updates ObjectClass Updates wellKnownObjects Updates Undelete Operation Undelete Security Considerations Undelete Constraints Undelete Processing Specifics Modify DN Intra Domain Modify DN Security Considerations Constraints Processing Specifics Cross Domain Move Security Considerations Constraints Processing Specifics Delete Operation Resultant Object Requirements Tombstone Requirements Deleted-Object Requirements Recycled-Object Requirements dynamicObject Requirements Protected Objects Security Considerations Constraints Processing Specifics Transformation into a Tombstone Transformation into a Deleted-Object Transformation into a Recycled-Object Tree-delete Operation Tree-delete Security Considerations Tree-delete Constraints Tree-delete Processing Specifics Background Tasks AdminSDHolder Authoritative Security Descriptor Protected Objects Protection Operation Configurable State Security Descriptor Propagator Update AD LDS Special Objects AD LDS Users Bind Proxies Optional Features Recycle Bin Optional Feature Revisions Forest Revision RODC Revision Domain Revision
4 Protocol Examples
5 Security
5.1 LDAP Security
5.1.1 Authentication Supported Authentication Methods Simple Authentication SASL Authentication Sicily Authentication Using SSL/TLS Using Fast Bind Mutual Authentication Supported Types of Security Principals
5.1.2 Message Security Using SASL Using SSL/TLS
5.1.3 Authorization Background Access Rights Checking Access Null vs. Empty DACLs Checking Simple Access Checking Object-Specific Access Checking Control Access Right-Based Access Checking Validated Write-Based Access Checking Object Visibility AD LDS Security Context Construction
6 Index of Version-Specific Behavior
7 Additional Information
7.1 Special Objects and Forest Requirements
7.1.1 Special Objects Naming Contexts Any NC Root Config NC Root Schema NC Root Domain NC Root Application NC Root Configuration Objects Cross-Ref-Container Container Cross-Ref Objects Foreign crossRef Objects Configuration crossRef Object Schema crossRef Object Domain crossRef Object Application NC crossRef Object Sites Container Site Object NTDS Site Settings Object Servers Container Server Object nTDSDSA Object Connection Object RODC NTFRS Connection Object Subnets Container Subnet Object Inter-Site Transports Container IP Transport Container SMTP Transport Container Site Link Object Site Link Bridge Object Display Specifiers Container Display Specifier Object Services Terminal Server User This Organization Extended Rights controlAccessRight objects Change-Rid-Master Do-Garbage-Collection Recalculate-Hierarchy Allocate-Rids Change-PDC Add-GUID Change-Domain-Master Change-Naming-Master Public-Information msmq-Receive-Dead-Letter msmq-Peek-Dead-Letter msmq-Receive-computer-Journal msmq-Peek-computer-Journal msmq-Receive msmq-Peek msmq-Send msmq-Receive-journal msmq-Open-Connector Apply-Group-Policy RAS-Information DS-Install-Replica Change-Infrastructure-Master Update-Schema-Cache Recalculate-Security-Inheritance DS-Check-Stale-Phantoms Certificate-Enrollment Self-Membership Validated-DNS-Host-Name
name: Validated-DNS-Host-Name Validated-SPN Generate-RSoP-Planning Refresh-Group-Cache Reload-SSL-Certificate SAM-Enumerate-Entire-Domain Generate-RSoP-Logging Domain-Other-Parameters DNS-Host-Name-Attributes
name: DNS-Host-Name-Attributes Create-Inbound-Forest-Trust DS-Replication-Get-Changes-All
name: DS-Replication-Get-Changes-All Migrate-SID-History Reanimate-Tombstones Allowed-To-Authenticate DS-Execute-Intentions-Script
name: DS-Execute-Intentions-Script DS-Replication-Monitor-Topology Update-Password-Not-Required-Bit
name: Update-Password-Not-Required-Bit Unexpire-Password Enable-Per-User-Reversibly-Encrypted-Password
name: Enable-Per-User-Reversibly-Encrypted-Password DS-Query-Self-Quota Private-Information MS-TS-GatewayAccess Terminal-Server-License-Server Domain-Administer-Server User-Change-Password User-Force-Change-Password Send-As Receive-As Send-To Domain-Password General-Information User-Account-Restrictions User-Logon Membership Open-Address-Book Personal-Information Email-Information Web-Information DS-Replication-Get-Changes DS-Replication-Synchronize DS-Replication-Manage-Topology
name: DS-Replication-Manage-Topology Change-Schema-Master DS-Replication-Get-Changes-In-Filtered-Set
name: DS-Replication-Get-Changes-In-Filtered-Set Run-Protect-Admin-Groups-Task Manage-Optional-Features Read-Only-Replication-Secret-Synchronization Validated-MS-DS-Additional-DNS-Host-Name
name: Validated-MS-DS-Additional-Host-Name Validated-MS-DS-Behavior-Version
name: Validated-MS-DS-Behavior-Version Forest Updates Container Operations Container Windows2003Update Container ActiveDirectoryUpdate Container ActiveDirectoryRodcUpdate Container Critical Domain Objects Domain Controller Object Read-Only Domain Controller Object Well-Known Objects Lost and Found Container Deleted Objects Container NTDS Quotas Container Infrastructure Object Domain Controllers OU Users Container Computers Container Program Data Container Managed Service Accounts Container Foreign Security Principals Container System Container Password Settings Container Builtin Container Account Operators Group Object Administrators Group Object Backup Operators Group Object Certificate Service DCOM Access Group Object Cryptographic Operators Group Object Distributed COM Users Group Object Event Log Readers Group Object Guests Group Object IIS_IUSRS Group Object Incoming Forest Trust Builders Group Object Network Configuration Operators Group Object Performance Log Users Group Object Performance Monitor Users Group Object Pre-Windows 2000 Compatible Access Group Object Print Operators Group Object Remote Desktop Users Group Object Replicator Group Object Server Operators Group Object Terminal Server License Servers Group Object Users Group Object Windows Authorization Access Group Group Object
name: Windows Authorization Access Group Roles Container Administrators Group Object Readers Group Object Users Group Object Instances Group Object Other System Objects AdminSDHolder Object Default Domain Policy Container Sam Server Object Domain Updates Container Operations Container Windows2003Update Container ActiveDirectoryUpdate Container Well-Known Domain-Relative Security Principals Administrator Guest Key Distribution Center Service Account Cert Publishers Domain Administrators Domain Computers Domain Controllers Domain Guests Domain Users Enterprise Administrators Group Policy Creator Owners RAS and IAS Servers Read-Only Domain Controllers Enterprise Read-Only Domain Controllers
name: Enterprise Read-Only Domain Controllers Schema Admins
7.1.2 Forest Requirements DC Existence NC Existence Hosting Requirements DC and Application NC Replica DC and Regular Domain NC Replica DC and Schema/Config NC Replicas DC and Partial Replica NCs Replicas
7.1.3 Security Descriptor Requirements ACE Ordering Rules SD Flags Control Processing Specifics Security Considerations SD Defaulting Rules Owner and Group Defaulting Rules Default Administrators Group
7.1.4 Special Attributes ntMixedDomain msDS-Behavior-Version: DC Functional Level msDS-Behavior-Version: Domain NC Functional Level msDS-Behavior-Version: Forest Functional Level Replication Schedule Structures SCHEDULE_HEADER Structure SCHEDULE Structure REPLTIMES Structure msDS-AuthenticatedAtDC
7.1.5 FSMO Roles Schema Master FSMO Role Domain Naming Master FSMO Role RID Master FSMO Role PDC Emulator FSMO Role Infrastructure FSMO Role
7.1.6 Trust Objects Overview (Synopsis) Relationship to Other Protocols TDO Replication over DRS TDO Roles in Authentication Protocols over Domain Boundaries TDO Roles in Authorization over Domain Boundaries Prerequisites/Preconditions Versioning and Capability Negotiation Vendor-Extensible Fields Transport Essential Attributes of a Trusted Domain Object flatName isCriticalSystemObject msDs-supportedEncryptionTypes msDS-TrustForestTrustInfo nTSecurityDescriptor objectCategory objectClass securityIdentifier trustAttributes trustAuthIncoming trustAuthOutgoing trustDirection trustPartner trustPosixOffset trustType Essential Attributes of Interdomain Trust Accounts cn (RDN) objectClass sAMAccountName sAMAccountType userAccountControl Details trustAuthInfo Attributes LSAPR_AUTH_INFORMATION Kerberos Usages of trustAuthInfo Attributes Netlogon Usages of Trust Objects msDS-TrustForestTrustInfo Attribute Record Building Well-Formed msDS-TrustForestTrustInfo Messages Computation of trustPosixOffset Mapping Logon SIDs to POSIX Identifiers Timers Trust Secret Cycling Initialization Security Considerations for Implementers
7.1.7 DynamicObject Requirements
7.2 Knowledge Consistency Checker
7.2.1 References
7.2.2 Overview
7.2.3 Contents of kCCFailedConnections and kCCFailedLinks
7.3 Publishing and Locating a Domain Controller
7.3.2 DNS Record Registrations SRV Records Registered by a DC Non-SRV Records Registered by a DC
7.3.3 LDAP Ping Syntactic Validation of the Filter Domain Controller Response to an LDAP Ping Response to Invalid Filter
7.3.4 NetBIOS Broadcast and NBNS Background
7.3.5 Mailslot Ping
7.3.6 Locating a Domain Controller DNS-Based Discovery NetBIOS-Based Discovery
7.3.7 Name Compression and Decompression
7.3.8 AD LDS DC Publication
7.4 Domain Join
7.4.1 State of a Machine Joined to a Domain
7.4.2 State in an Active Directory Domain
9 Index
0 of .
Results for:
No results containing your search query
P. 1


Ratings: (0)|Views: 1,096|Likes:
Published by Andrei Sidar

More info:

Published by: Andrei Sidar on Apr 07, 2011
Copyright:Attribution Non-commercial


Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less





You're Reading a Free Preview
Pages 10 to 237 are not shown in this preview.
You're Reading a Free Preview
Pages 247 to 307 are not shown in this preview.
You're Reading a Free Preview
Pages 317 to 348 are not shown in this preview.
You're Reading a Free Preview
Pages 358 to 463 are not shown in this preview.
You're Reading a Free Preview
Pages 473 to 479 are not shown in this preview.

Activity (2)

You've already reviewed this. Edit your review.
1 thousand reads
1 hundred reads

You're Reading a Free Preview

/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->