[MS-ADTS]: Active Directory Technical Specification
Intellectual Property Rights Notice for Open Specifications Documentation
· Technical Documentation. Microsoft publishes Open
Specifications documentation (“this documentation”) for protocols,
file formats, data portability, computer languages, and standards
support. Additionally, overview documents cover inter-protocol
relationships and interactions.
· Copyrights. This documentation is covered by Microsoft
copyrights. Regardless of any other terms that are contained in the
terms of use for the Microsoft website that hosts this
documentation, you can make copies of it in order to develop
implementations of the technologies that are described in this
documentation and can distribute portions of it in your
implementations that use these technologies or in your
documentation as necessary to properly document the implementation.
You can also distribute in your implementation, with or without
modification, any schemas, IDLs, or code samples that are included
in the documentation. This permission also applies to any documents
that are referenced in the Open Specifications documentation.
· No Trade Secrets. Microsoft does not claim any trade secret
rights in this documentation.
· Patents. Microsoft has patents that might cover your
implementations of the technologies described in the Open
Specifications documentation. Neither this notice nor Microsoft's
delivery of this documentation grants any licenses under those
patents or any other Microsoft patents. However, a given Open
Specifications document might be covered by the Microsoft Open
Specifications Promise or the Microsoft Community Promise. If you
would prefer a written license, or if the technologies described in
this documentation are not covered by the Open Specifications
Promise or Community Promise, as applicable, patent licenses are
available by contacting [email protected].
· License Programs. To see all of the protocols in scope under a
specific license program and the associated patents, visit the
Patent Map.
· Trademarks. The names of companies and products contained in
this documentation might be covered by trademarks or similar
intellectual property rights. This notice does not grant any
licenses under those rights. For a list of Microsoft trademarks,
visit www.microsoft.com/trademarks.
· Fictitious Names. The example companies, organizations,
products, domain names, email addresses, logos, people, places, and
events that are depicted in this documentation are fictitious. No
association with any real company, organization, product, domain
name, email address, logo, person, place, or event is intended or
should be inferred.
Reservation of Rights. All other rights are reserved, and this
notice does not grant any rights other than as specifically
described above, whether by implication, estoppel, or
otherwise.
Tools. The Open Specifications documentation does not require
the use of Microsoft programming tools or programming environments
in order for you to develop an implementation. If you have access
to Microsoft programming tools and environments, you are free to
take advantage of them. Certain Open Specifications documents are
intended for use in conjunction with publicly available standards
specifications and network programming art and, as such, assume
that the reader either is familiar with the aforementioned material
or has immediate access to it.
Support. For questions and support, please contact
[email protected].
Revision Summary

Date | Revision History | Revision Class | Comments
2/22/2007 | 0.01 | New | Version 0.01 release
6/1/2007 | 1.0 | Major | Included non-native content.
7/3/2007 | 1.0.1 | Editorial | Changed language and formatting in the technical content.
7/20/2007 | 1.0.2 | Editorial | Changed language and formatting in the technical content.
8/10/2007 | 1.0.3 | Editorial | Changed language and formatting in the technical content.
9/28/2007 | 2.0 | Major | Adjusted bitfield diagrams for byte ordering; added bitflags.
10/23/2007 | 2.1 | Minor | Clarified the meaning of the technical content.
11/30/2007 | 2.2 | Minor | Clarified the meaning of the technical content.
1/25/2008 | 3.0 | Major | Updated and revised the technical content.
3/14/2008 | 3.1 | Minor | Deleted hexadecimal representations of little-endian bit flags.
5/16/2008 | 4.0 | Major | Updated and revised the technical content.
6/20/2008 | 5.0 | Major | Updated and revised the technical content.
7/25/2008 | 6.0 | Major | Updated and revised the technical content.
8/29/2008 | 7.0 | Major | Updated and revised the technical content.
10/24/2008 | 8.0 | Major | Updated and revised the technical content.
12/5/2008 | 9.0 | Major | Updated and revised the technical content.
1/16/2009 | 10.0 | Major | Updated and revised the technical content.
2/27/2009 | 11.0 | Major | Updated and revised the technical content.
4/10/2009 | 12.0 | Major | Updated and revised the technical content.
5/22/2009 | 13.0 | Major | Updated and revised the technical content.
7/2/2009 | 14.0 | Major | Updated and revised the technical content.
8/14/2009 | 15.0 | Major | Updated and revised the technical content.
9/25/2009 | 16.0 | Major | Updated and revised the technical content.
11/6/2009 | 17.0 | Major | Updated and revised the technical content.
12/18/2009 | 18.0 | Major | Updated and revised the technical content.
1/29/2010 | 19.0 | Major | Updated and revised the technical content.
3/12/2010 | 20.0 | Major | Updated and revised the technical content.
4/23/2010 | 21.0 | Major | Updated and revised the technical content.
6/4/2010 | 22.0 | Major | Updated and revised the technical content.
7/16/2010 | 23.0 | Major | Updated and revised the technical content.
8/27/2010 | 24.0 | Major | Updated and revised the technical content.
10/8/2010 | 25.0 | Major | Updated and revised the technical content.
11/19/2010 | 26.0 | Major | Updated and revised the technical content.
1/7/2011 | 27.0 | Major | Updated and revised the technical content.
2/11/2011 | 28.0 | Major | Updated and revised the technical content.
3/25/2011 | 29.0 | Major | Updated and revised the technical content.
5/6/2011 | 30.0 | Major | Updated and revised the technical content.
6/17/2011 | 30.1 | Minor | Clarified the meaning of the technical content.
9/23/2011 | 31.0 | Major | Updated and revised the technical content.
12/16/2011 | 32.0 | Major | Updated and revised the technical content.
3/30/2012 | 33.0 | Major | Updated and revised the technical content.
7/12/2012 | 34.0 | Major | Updated and revised the technical content.
10/25/2012 | 35.0 | Major | Updated and revised the technical content.
1/31/2013 | 36.0 | Major | Updated and revised the technical content.
8/8/2013 | 37.0 | Major | Updated and revised the technical content.
11/14/2013 | 38.0 | Major | Updated and revised the technical content.
2/13/2014 | 39.0 | Major | Updated and revised the technical content.
5/15/2014 | 40.0 | Major | Updated and revised the technical content.
6/30/2015 | 41.0 | Major | Significantly changed the technical content.
10/16/2015 | 42.0 | Major | Significantly changed the technical content.
7/14/2016 | 43.0 | Major | Significantly changed the technical content.
3/16/2017 | 44.0 | Major | Significantly changed the technical content.
6/1/2017 | 45.0 | Major | Significantly changed the technical content.
Table of Contents
1 Introduction ... 22
1.1 Glossary ... 24
1.2 References ... 41
1.2.1 Normative References ... 42
1.2.2 Informative References ... 46
1.3 Overview ... 47
1.4 Relationship to Other Protocols ... 48
1.5 Prerequisites/Preconditions ... 48
1.6 Applicability Statement ... 48
1.7 Versioning and Capability Negotiation ... 48
1.8 Vendor-Extensible Fields ... 48
1.9 Standards Assignments ... 49
2 Messages ... 50
2.1 Transport ... 50
2.2 Message Syntax ... 50
2.2.1 LCID-Locale Mapping Table ... 50
2.2.2 DS_REPL_NEIGHBORW_BLOB ... 56
2.2.3 DS_REPL_KCC_DSA_FAILUREW_BLOB ... 59
2.2.4 DS_REPL_OPW_BLOB ... 60
2.2.5 DS_REPL_QUEUE_STATISTICSW_BLOB ... 62
2.2.6 DS_REPL_CURSOR_BLOB ... 63
2.2.7 DS_REPL_ATTR_META_DATA_BLOB ... 64
2.2.8 DS_REPL_VALUE_META_DATA_BLOB ... 65
2.2.9 Search Flags ... 67
2.2.10 System Flags ... 68
2.2.11 schemaFlagsEx Flags ... 69
2.2.12 Group Type Flags ... 69
2.2.13 Group Security Flags ... 70
2.2.14 Security Privilege Flags ... 70
2.2.15 Domain RID Values ... 71
2.2.16 userAccountControl Bits ... 72
2.2.17 Optional Feature Values ... 73
2.2.18 Claims Wire Structures ... 74
2.2.18.1 CLAIM_ID ... 75
2.2.18.2 CLAIM_TYPE ... 75
2.2.18.3 CLAIMS_SOURCE_TYPE ... 76
2.2.18.4 CLAIMS_COMPRESSION_FORMAT ... 76
2.2.18.5 CLAIM_ENTRY ... 76
2.2.18.6 CLAIMS_ARRAY ... 77
2.2.18.7 CLAIMS_SET ... 78
2.2.18.8 CLAIMS_SET_METADATA ... 78
2.2.18.9 CLAIMS_BLOB ... 79
2.2.19 MSDS-MANAGEDPASSWORD_BLOB ... 79
2.2.20 Key Credential Link Structures ... 80
2.2.20.1 Key Credential Link Constants ... 80
2.2.20.2 KEYCREDENTIALLINK_BLOB ... 81
2.2.20.3 KEYCREDENTIALLINK_ENTRY ... 81
2.2.20.4 CUSTOM_KEY_INFORMATION ... 82
2.2.20.5 KEYCREDENTIALLINK_ENTRY Identifiers ... 82
2.2.21 Service Principal Name ... 83
3 Details ... 84
3.1 Common Details ... 85
3.1.1 Abstract Data Model ... 85
3.1.1.1 State Model ... 85
3.1.1.1.1 Scope ... 85
3.1.1.1.2 State Modeling Primitives and Notational Conventions ... 86
3.1.1.1.3 Basics, objectGUID, and Special Attribute Behavior ... 87
3.1.1.1.4 objectClass, RDN, DN, Constructed Attributes, Secret Attributes ... 88
3.1.1.1.5 NC, NC Replica ... 91
3.1.1.1.5.1 Tombstone Lifetime and Deleted-Object Lifetime ... 93
3.1.1.1.6 Attribute Syntaxes, Object References, Referential Integrity, and Well-Known Objects ... 94
3.1.1.1.7 Forest, Canonical Name ... 97
3.1.1.1.8 GC ... 99
3.1.1.1.9 DCs, usn Counters, and the Originating Update Stamp ... 99
3.1.1.1.10 GC Server ... 106
3.1.1.1.11 FSMO Roles ... 106
3.1.1.1.12 Cross-NC Object References ... 106
3.1.1.1.13 NC Replica Graph ... 107
3.1.1.1.14 Scheduled and Event-Driven Replication ... 109
3.1.1.1.15 Replication Latency and Tombstone Lifetime ... 110
3.1.1.1.16 Delayed Link Processing ... 110
3.1.1.2 Active Directory Schema ... 110
3.1.1.2.1 Schema NC ... 111
3.1.1.2.2 Syntaxes ... 112
3.1.1.2.2.1 Introduction ... 112
3.1.1.2.2.2 LDAP Representations ... 112
3.1.1.2.2.2.1 Object(DN-String) ... 115
3.1.1.2.2.2.2 Object(Access-Point) ... 115
3.1.1.2.2.2.3 Object(DN-Binary) ... 115
3.1.1.2.2.2.4 Object(OR-Name) ... 115
3.1.1.2.2.2.5 String(Case) ... 115
3.1.1.2.2.2.6 String(NT-Sec-Desc) ... 115
3.1.1.2.2.2.7 String(Sid) ... 116
3.1.1.2.2.2.8 String(Teletex) ... 116
3.1.1.2.2.3 Referential Integrity ... 116
3.1.1.2.2.4 Supported Comparison Operations ... 116
3.1.1.2.2.4.1 Bool Comparison Rule ... 119
3.1.1.2.2.4.2 Integer Comparison Rule ... 119
3.1.1.2.2.4.3 DN-String Comparison Rule ... 119
3.1.1.2.2.4.4 DN-Binary Comparison Rule ... 119
3.1.1.2.2.4.5 DN Comparison Rule ... 119
3.1.1.2.2.4.6 PresentationAddress Comparison Rule ... 120
3.1.1.2.2.4.7 Octet Comparison Rule ... 120
3.1.1.2.2.4.8 CaseString Comparison Rule ... 120
3.1.1.2.2.4.9 SecDesc Comparison Rule ... 120
3.1.1.2.2.4.10 OID Comparison Rule ... 120
3.1.1.2.2.4.11 Sid Comparison Rule ... 120
3.1.1.2.2.4.12 NoCaseString Comparison Rule ... 120
3.1.1.2.2.4.13 UnicodeString Comparison Rule ... 121
3.1.1.2.2.4.14 Time Comparison Rule ... 121
3.1.1.2.3 Attributes ... 121
3.1.1.2.3.1 Auto-Generated linkID ... 124
3.1.1.2.3.2 Auto-Generated mAPIID ... 124
3.1.1.2.3.3 Property Set ... 125
3.1.1.2.3.4 lDAPDisplayName Generation ... 126
3.1.1.2.3.5 Flag fRODCFilteredAttribute in Attribute searchFlags ... 126
3.1.1.2.4 Classes ... 127
3.1.1.2.4.1 Class Categories ... 127
3.1.1.2.4.2 Inheritance ... 127
3.1.1.2.4.3 objectClass ... 127
3.1.1.2.4.4 Structure Rules ... 128
3.1.1.2.4.5 Content Rules ... 128
3.1.1.2.4.6 Auxiliary Class ... 128
3.1.1.2.4.7 RDN Attribute of a Class ... 129
3.1.1.2.4.8 Class classSchema ... 129
3.1.1.2.5 Schema Modifications ... 131
3.1.1.2.5.1 Consistency and Safety Checks ... 131
3.1.1.2.5.1.1 Consistency Checks ... 131
3.1.1.2.5.1.2 Safety Checks ... 132
3.1.1.2.5.2 Auto-Generated Attributes ... 133
3.1.1.2.5.3 Defunct ... 133
3.1.1.2.5.3.1 Forest Functional Level Less Than WIN2003 ... 134
3.1.1.2.5.3.2 Forest Functional Level WIN2003 or Greater ... 134
3.1.1.2.6 ATTRTYP ... 135
3.1.1.3 LDAP ... 136
3.1.1.3.1 LDAP Conformance ... 136
3.1.1.3.1.1 Schema ... 136
3.1.1.3.1.1.1 subSchema ... 136
3.1.1.3.1.1.2 Syntaxes ... 139
3.1.1.3.1.1.3 Attributes ... 139
3.1.1.3.1.1.4 Classes ... 146
3.1.1.3.1.1.5 Auxiliary Classes ... 149
3.1.1.3.1.2 Object Naming ... 150
3.1.1.3.1.2.1 Naming Attributes ... 150
3.1.1.3.1.2.2 NC Naming ... 151
3.1.1.3.1.2.3 Multivalued and Multiple-Attribute RDNs ... 151
3.1.1.3.1.2.4 Alternative Forms of DNs ... 151
3.1.1.3.1.2.5 Alternative Form of SIDs ... 153
3.1.1.3.1.3 Search Operations ... 153
3.1.1.3.1.3.1 Search Filters ... 153
3.1.1.3.1.3.2 Selection Filters ... 154
3.1.1.3.1.3.3 Range Retrieval of Attribute Values ... 154
3.1.1.3.1.3.4 Ambiguous Name Resolution ... 155
3.1.1.3.1.3.5 Searches Using the objectCategory Attribute ... 157
3.1.1.3.1.3.6 Restrictions on rootDSE Searches ... 157
3.1.1.3.1.4 Referrals in LDAPv2 and LDAPv3 ... 157
3.1.1.3.1.5 Password Modify Operations ... 158
3.1.1.3.1.5.1 unicodePwd ... 158
3.1.1.3.1.5.2 userPassword ... 159
3.1.1.3.1.6 Dynamic Objects ... 160
3.1.1.3.1.7 Modify DN Operations ... 160
3.1.1.3.1.8 Aliases ... 160
3.1.1.3.1.9 Error Message Strings ... 160
3.1.1.3.1.10 Ports ... 160
3.1.1.3.1.11 LDAP Search Over UDP ... 161
3.1.1.3.1.12 Unbind Operation ... 161
3.1.1.3.2 rootDSE Attributes ... 161
3.1.1.3.2.1 configurationNamingContext ... 165
3.1.1.3.2.2 currentTime ... 165
3.1.1.3.2.3 defaultNamingContext ... 165
3.1.1.3.2.4 dNSHostName ... 165
3.1.1.3.2.5 dsSchemaAttrCount ... 165
3.1.1.3.2.6 dsSchemaClassCount ... 165
3.1.1.3.2.7 dsSchemaPrefixCount ... 166
3.1.1.3.2.8 dsServiceName ... 166
3.1.1.3.2.9 highestCommittedUSN ... 166
3.1.1.3.2.10 isGlobalCatalogReady ... 166
3.1.1.3.2.11 isSynchronized ... 166
3.1.1.3.2.12 ldapServiceName ... 166
3.1.1.3.2.13 namingContexts ... 166
3.1.1.3.2.14 netlogon ... 166
3.1.1.3.2.15 pendingPropagations ... 166
3.1.1.3.2.16 rootDomainNamingContext ... 166
3.1.1.3.2.17 schemaNamingContext ... 167
3.1.1.3.2.18 serverName ... 167
3.1.1.3.2.19 subschemaSubentry ... 167
3.1.1.3.2.20 supportedCapabilities ... 167
3.1.1.3.2.21 supportedControl ... 167
3.1.1.3.2.22 supportedLDAPPolicies ... 167
3.1.1.3.2.23 supportedLDAPVersion ... 167
3.1.1.3.2.24 supportedSASLMechanisms ... 167
3.1.1.3.2.25 domainControllerFunctionality ... 167
3.1.1.3.2.26 domainFunctionality ... 168
3.1.1.3.2.27 forestFunctionality ... 168
3.1.1.3.2.28 msDS-ReplAllInboundNeighbors, msDS-ReplConnectionFailures, msDS-ReplLinkFailures, and msDS-ReplPendingOps ... 168
3.1.1.3.2.29 msDS-ReplAllOutboundNeighbors ... 169
3.1.1.3.2.30 msDS-ReplQueueStatistics ... 170
3.1.1.3.2.31 msDS-TopQuotaUsage ... 171
3.1.1.3.2.32 supportedConfigurableSettings ... 171
3.1.1.3.2.33 supportedExtension ... 171
3.1.1.3.2.34 validFSMOs ... 172
3.1.1.3.2.35 dsaVersionString ... 172
3.1.1.3.2.36 msDS-PortLDAP ... 173
3.1.1.3.2.37 msDS-PortSSL ... 173
3.1.1.3.2.38 msDS-PrincipalName ... 173
3.1.1.3.2.39 serviceAccountInfo ... 173
3.1.1.3.2.40 spnRegistrationResult ... 174
3.1.1.3.2.41 tokenGroups ... 174
3.1.1.3.2.42 usnAtRifm ... 174
3.1.1.3.2.43 approximateHighestInternalObjectID ... 174
3.1.1.3.2.44 databaseGuid ... 174
3.1.1.3.2.45 schemaIndexUpdateState ... 174
3.1.1.3.2.46 dumpLdapNotifications ... 174
3.1.1.3.2.47 msDS-ProcessLinksOperations ... 174
3.1.1.3.2.48 msDS-SegmentCacheInfo ... 174
3.1.1.3.3 rootDSE Modify Operations ... 175
3.1.1.3.3.1 becomeDomainMaster ... 177
3.1.1.3.3.2 becomeInfrastructureMaster ... 177
3.1.1.3.3.3 becomePdc ... 178
3.1.1.3.3.4 becomePdcWithCheckPoint ... 178
3.1.1.3.3.5 becomeRidMaster ... 178
3.1.1.3.3.6 becomeSchemaMaster ... 179
3.1.1.3.3.7 checkPhantoms ... 179
3.1.1.3.3.8 doGarbageCollection ... 179
3.1.1.3.3.9 dumpDatabase ... 180
3.1.1.3.3.10 fixupInheritance ... 180
3.1.1.3.3.11 invalidateRidPool ... 181
3.1.1.3.3.12 recalcHierarchy ... 181
3.1.1.3.3.13 schemaUpdateNow ... 181
3.1.1.3.3.14 schemaUpgradeInProgress ... 182
3.1.1.3.3.15 removeLingeringObject ... 182
3.1.1.3.3.16 doLinkCleanup ... 183
3.1.1.3.3.17 doOnlineDefrag ... 183
3.1.1.3.3.18 replicateSingleObject ... 184
3.1.1.3.3.19 updateCachedMemberships ... 184
3.1.1.3.3.20 doGarbageCollectionPhantomsNow ... 185
3.1.1.3.3.21 invalidateGCConnection ... 185
3.1.1.3.3.22 renewServerCertificate ... 185
3.1.1.3.3.23 rODCPurgeAccount ... 186
3.1.1.3.3.24 runSamUpgradeTasks ... 186
3.1.1.3.3.25 sqmRunOnce ... 187
3.1.1.3.3.26 runProtectAdminGroupsTask ... 187
3.1.1.3.3.27 disableOptionalFeature ... 187
3.1.1.3.3.28 enableOptionalFeature ... 188
3.1.1.3.3.29 dumpReferences ... 189
3.1.1.3.3.30 sidCompatibilityVersion ... 189
3.1.1.3.3.31 dumpLinks ... 190
3.1.1.3.3.32 schemaUpdateIndicesNow ... 190
3.1.1.3.3.33 null ... 190
3.1.1.3.3.34 dumpQuota ... 190
3.1.1.3.3.35 dumpLinksExtended ... 191
3.1.1.3.3.36 dumpLDAPState ... 191
3.1.1.3.3.37 msDS-ProcessLinksAbandonOperation ... 191
3.1.1.3.3.38 msDS-ProcessLinksScheduleOperation ... 192
3.1.1.3.4 LDAP Extensions ... 192
3.1.1.3.4.1 LDAP Extended Controls ... 192
3.1.1.3.4.1.1 LDAP_PAGED_RESULT_OID_STRING ... 199
3.1.1.3.4.1.2 LDAP_SERVER_CROSSDOM_MOVE_TARGET_OID ... 199
3.1.1.3.4.1.3 LDAP_SERVER_DIRSYNC_OID ... 199
3.1.1.3.4.1.4 LDAP_SERVER_DOMAIN_SCOPE_OID ... 201
3.1.1.3.4.1.5 LDAP_SERVER_EXTENDED_DN_OID ... 201
3.1.1.3.4.1.6 LDAP_SERVER_GET_STATS_OID ... 202
3.1.1.3.4.1.7 LDAP_SERVER_LAZY_COMMIT_OID ... 206
3.1.1.3.4.1.8 LDAP_SERVER_PERMISSIVE_MODIFY_OID ... 206
3.1.1.3.4.1.9 LDAP_SERVER_NOTIFICATION_OID ... 207
3.1.1.3.4.1.10 LDAP_SERVER_RANGE_OPTION_OID ... 207
3.1.1.3.4.1.11 LDAP_SERVER_SD_FLAGS_OID ... 207
3.1.1.3.4.1.12 LDAP_SERVER_SEARCH_OPTIONS_OID ... 208
3.1.1.3.4.1.13 LDAP_SERVER_SORT_OID and LDAP_SERVER_RESP_SORT_OID ... 209
3.1.1.3.4.1.14 LDAP_SERVER_SHOW_DELETED_OID ... 215
3.1.1.3.4.1.15 LDAP_SERVER_TREE_DELETE_OID ... 215
3.1.1.3.4.1.16 LDAP_SERVER_VERIFY_NAME_OID ... 216
3.1.1.3.4.1.17 LDAP_CONTROL_VLVREQUEST and LDAP_CONTROL_VLVRESPONSE ... 216
3.1.1.3.4.1.18 LDAP_SERVER_ASQ_OID ... 218
3.1.1.3.4.1.19 LDAP_SERVER_QUOTA_CONTROL_OID ... 219
3.1.1.3.4.1.20 LDAP_SERVER_SHUTDOWN_NOTIFY_OID ... 220
3.1.1.3.4.1.21 LDAP_SERVER_FORCE_UPDATE_OID ... 220
3.1.1.3.4.1.22 LDAP_SERVER_RANGE_RETRIEVAL_NOERR_OID ... 220
3.1.1.3.4.1.23 LDAP_SERVER_RODC_DCPROMO_OID ... 221
3.1.1.3.4.1.24 LDAP_SERVER_DN_INPUT_OID ... 221
3.1.1.3.4.1.25 LDAP_SERVER_SHOW_DEACTIVATED_LINK_OID ... 222
3.1.1.3.4.1.26 LDAP_SERVER_SHOW_RECYCLED_OID ... 222
3.1.1.3.4.1.27 LDAP_SERVER_POLICY_HINTS_OID ... 222
3.1.1.3.4.1.28 LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID ... 223
3.1.1.3.4.1.29 LDAP_SERVER_DIRSYNC_EX_OID ... 223
3.1.1.3.4.1.30 LDAP_SERVER_UPDATE_STATS_OID ... 223
3.1.1.3.4.1.30.1 Highest USN Allocated ... 224
3.1.1.3.4.1.30.2 Invocation ID Of Server ... 224
3.1.1.3.4.1.31 LDAP_SERVER_TREE_DELETE_EX_OID ... 224
3.1.1.3.4.1.32 LDAP_SERVER_SEARCH_HINTS_OID ... 224
3.1.1.3.4.1.32.1 Require Sort Index ... 225
3.1.1.3.4.1.32.2 Soft Size Limit ... 225
3.1.1.3.4.1.33 LDAP_SERVER_EXPECTED_ENTRY_COUNT_OID ... 226
3.1.1.3.4.1.34 LDAP_SERVER_SET_OWNER_OID ... 226
3.1.1.3.4.1.35 LDAP_SERVER_BYPASS_QUOTA_OID ... 226
3.1.1.3.4.1.36 LDAP_SERVER_LINK_TTL_OID ... 227
3.1.1.3.4.2 LDAP Extended Operations ... 227
3.1.1.3.4.2.1 LDAP_SERVER_FAST_BIND_OID ... 228
3.1.1.3.4.2.2 LDAP_SERVER_START_TLS_OID ... 228
3.1.1.3.4.2.3 LDAP_TTL_REFRESH_OID ... 229
3.1.1.3.4.2.4 LDAP_SERVER_WHO_AM_I_OID ... 229
3.1.1.3.4.2.5 LDAP_SERVER_BATCH_REQUEST_OID ... 229
3.1.1.3.4.3 LDAP Capabilities ... 231
3.1.1.3.4.3.1 LDAP_CAP_ACTIVE_DIRECTORY_OID ... 232
3.1.1.3.4.3.2 LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID ... 232
3.1.1.3.4.3.3 LDAP_CAP_ACTIVE_DIRECTORY_V51_OID ... 232
3.1.1.3.4.3.4 LDAP_CAP_ACTIVE_DIRECTORY_ADAM_DIGEST_OID ... 232
3.1.1.3.4.3.5 LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID ... 233
3.1.1.3.4.3.6 LDAP_CAP_ACTIVE_DIRECTORY_PARTIAL_SECRETS_OID ... 233
3.1.1.3.4.3.7 LDAP_CAP_ACTIVE_DIRECTORY_V60_OID ... 233
3.1.1.3.4.3.8 LDAP_CAP_ACTIVE_DIRECTORY_V61_R2_OID ... 233
3.1.1.3.4.3.9 LDAP_CAP_ACTIVE_DIRECTORY_W8_OID ... 233
3.1.1.3.4.4 LDAP Matching Rules (extensibleMatch) ... 233
3.1.1.3.4.4.1 LDAP_MATCHING_RULE_BIT_AND ... 233
3.1.1.3.4.4.2 LDAP_MATCHING_RULE_BIT_OR ... 234
3.1.1.3.4.4.3 LDAP_MATCHING_RULE_TRANSITIVE_EVAL ... 234
3.1.1.3.4.4.4 LDAP_MATCHING_RULE_DN_WITH_DATA ... 234
3.1.1.3.4.5 LDAP SASL Mechanisms ... 235
3.1.1.3.4.5.1 GSSAPI ... 235
3.1.1.3.4.5.2 GSS-SPNEGO ... 235
3.1.1.3.4.5.3 EXTERNAL ... 236
3.1.1.3.4.5.4 DIGEST-MD5 ... 236
3.1.1.3.4.6 LDAP Policies ... 236
3.1.1.3.4.7 LDAP Configurable Settings ... 239
3.1.1.3.4.8 LDAP IP-Deny List ... 242
3.1.1.4 Reads ... 242
3.1.1.4.1 Introduction ... 242
3.1.1.4.2 Definitions ... 243
3.1.1.4.3 Access Checks ... 243
3.1.1.4.4 Extended Access Checks ... 244
3.1.1.4.5 Constructed Attributes ... 246
3.1.1.4.5.1 subSchemaSubEntry ... 246
3.1.1.4.5.2 canonicalName ... 246
3.1.1.4.5.3 allowedChildClasses ... 246
3.1.1.4.5.4 sDRightsEffective ... 247
3.1.1.4.5.5 allowedChildClassesEffective ... 247
3.1.1.4.5.6 allowedAttributes ... 248
3.1.1.4.5.7 allowedAttributesEffective ... 248
3.1.1.4.5.8 fromEntry ... 248
3.1.1.4.5.9 createTimeStamp ... 248
3.1.1.4.5.10 modifyTimeStamp ... 248
3.1.1.4.5.11 primaryGroupToken ... 248
3.1.1.4.5.12 entryTTL ... 248
3.1.1.4.5.13 msDS-NCReplInboundNeighbors, msDS-NCReplCursors, msDS-ReplAttributeMetaData, msDS-ReplValueMetaData ... 249
3.1.1.4.5.14 msDS-NCReplOutboundNeighbors ... 249
3.1.1.4.5.15 msDS-Approx-Immed-Subordinates ... 250
3.1.1.4.5.16 msDS-KeyVersionNumber ... 250
3.1.1.4.5.17 msDS-User-Account-Control-Computed ... 250
3.1.1.4.5.18 msDS-Auxiliary-Classes ... 251
3.1.1.4.5.19 tokenGroups, tokenGroupsNoGCAcceptable ... 251
3.1.1.4.5.20 tokenGroupsGlobalAndUniversal ... 252
3.1.1.4.5.21 possibleInferiors ... 252
3.1.1.4.5.22 msDS-QuotaEffective ... 253
3.1.1.4.5.23 msDS-QuotaUsed ... 253
3.1.1.4.5.24 msDS-TopQuotaUsage ... 254
3.1.1.4.5.25 ms-DS-UserAccountAutoLocked ... 254
3.1.1.4.5.26 msDS-UserPasswordExpired ... 255
3.1.1.4.5.27 msDS-PrincipalName ... 255
3.1.1.4.5.28 parentGUID ... 255
3.1.1.4.5.29 msDS-SiteName ... 255
3.1.1.4.5.30 msDS-isRODC ... 256
3.1.1.4.5.31 msDS-isGC ... 256
3.1.1.4.5.32 msDS-isUserCachableAtRodc ... 256
3.1.1.4.5.33 msDS-UserPasswordExpiryTimeComputed ... 257
3.1.1.4.5.34 msDS-RevealedList ... 258
3.1.1.4.5.35 msDS-RevealedListBL ... 258
3.1.1.4.5.36 msDS-ResultantPSO ... 258
3.1.1.4.5.37 msDS-LocalEffectiveDeletionTime ... 259
3.1.1.4.5.38 msDS-LocalEffectiveRecycleTime ... 259
3.1.1.4.5.39 msDS-ManagedPassword ... 260
3.1.1.4.5.40 msds-memberOfTransitive ... 266
3.1.1.4.5.41 msds-memberTransitive ... 266
3.1.1.4.5.42 msds-tokenGroupNames, msds-tokenGroupNamesNoGCAcceptable ... 267
3.1.1.4.5.43 msds-tokenGroupNamesGlobalAndUniversal ... 267
3.1.1.4.5.44 structuralObjectClass ... 267
3.1.1.4.6 Referrals ... 267
3.1.1.4.7 Continuations ... 269
3.1.1.4.8 Effects of Defunct Attributes and Classes ... 269
3.1.1.5 Updates ... 270
3.1.1.5.1 General ... 270
3.1.1.5.1.1 Enforce Schema Constraints ... 270
3.1.1.5.1.2 Naming Constraints ... 271
3.1.1.5.1.3 Uniqueness Constraints ... 271
3.1.1.5.1.4 Transactional Semantics ... 272
3.1.1.5.1.5 Stamp Construction ... 272
3.1.1.5.1.6 Replication Notification ... 272
3.1.1.5.1.7 Urgent Replication ... 273
3.1.1.5.1.8 Updates Performed Only on FSMOs ... 273
3.1.1.5.1.9 Allow Updates Only When They Are Enabled ... 276
3.1.1.5.1.10 Originating Updates Attempted on an RODC ... 276
3.1.1.5.1.11 Constraints and Processing Specifics Defined Elsewhere ... 276
3.1.1.5.2 Add Operation ... 276
3.1.1.5.2.1 Security Considerations ... 277
3.1.1.5.2.2 Constraints ... 277
3.1.1.5.2.3 Special Classes and Attributes ... 282
3.1.1.5.2.4 Processing Specifics ... 283
3.1.1.5.2.5 Quota Calculation ... 286
3.1.1.5.2.6 NC Requirements ... 286
3.1.1.5.2.7 crossRef Requirements ... 287
3.1.1.5.2.8 NC-Add Operation ... 287
3.1.1.5.2.8.1 Constraints ... 288
3.1.1.5.2.8.2 Security Considerations ... 288
3.1.1.5.2.8.3 Processing Specifics ... 288
3.1.1.5.3 Modify Operation ... 289
3.1.1.5.3.1 Security Considerations ... 289
3.1.1.5.3.1.1 Validated Writes ... 290
3.1.1.5.3.1.1.1 Member ... 290
3.1.1.5.3.1.1.2 dNSHostName ... 290
3.1.1.5.3.1.1.3 msDS-AdditionalDnsHostName ... 290
3.1.1.5.3.1.1.4 servicePrincipalName ... 291
3.1.1.5.3.1.1.5 msDS-Behavior-Version ... 291
3.1.1.5.3.1.1.6 msDS-KeyCredentialLink ... 292
3.1.1.5.3.1.2 FSMO Changes ... 292
3.1.1.5.3.2 Constraints ... 292
3.1.1.5.3.3 Processing Specifics ... 297
3.1.1.5.3.4 BehaviorVersion Updates ... 298
3.1.1.5.3.5 ObjectClass Updates ... 300
3.1.1.5.3.6 wellKnownObjects Updates ... 300
3.1.1.5.3.7 Undelete Operation ... 301
3.1.1.5.3.7.1 Undelete Security Considerations ... 302
3.1.1.5.3.7.2 Undelete Constraints ... 302
3.1.1.5.3.7.3 Undelete Processing Specifics ... 303
3.1.1.5.4 Modify DN ... 303
3.1.1.5.4.1 Intra Domain Modify DN ... 304
3.1.1.5.4.1.1 Security Considerations ... 304
3.1.1.5.4.1.2 Constraints ... 305
3.1.1.5.4.1.3 Processing Specifics ... 306
3.1.1.5.4.2 Cross Domain Move ... 306
3.1.1.5.4.2.1 Security Considerations ... 306
3.1.1.5.4.2.2 Constraints ... 307
3.1.1.5.4.2.3 Processing Specifics ... 309
3.1.1.5.5 Delete Operation ... 311
3.1.1.5.5.1 Resultant Object Requirements ... 313
3.1.1.5.5.1.1 Tombstone Requirements ... 313
3.1.1.5.5.1.2 Deleted-Object Requirements ... 314
3.1.1.5.5.1.3 Recycled-Object Requirements ... 315
3.1.1.5.5.2 dynamicObject Requirements ... 316
3.1.1.5.5.3 Protected Objects ... 316
3.1.1.5.5.4 Security Considerations ... 316
3.1.1.5.5.5 Constraints ... 317
3.1.1.5.5.6 Processing Specifics ... 318
3.1.1.5.5.6.1 Transformation into a Tombstone ... 318
3.1.1.5.5.6.2 Transformation into a Deleted-Object ... 319
3.1.1.5.5.6.3 Transformation into a Recycled-Object ... 319
3.1.1.5.5.7 Tree-delete Operation ... 320
3.1.1.5.5.7.1 Tree-delete Security Considerations ... 320
3.1.1.5.5.7.2 Tree-delete Constraints ... 320
3.1.1.5.5.7.3 Tree-delete Processing Specifics ... 320
3.1.1.6 Background Tasks ... 321
3.1.1.6.1 AdminSDHolder ... 321
3.1.1.6.1.1 Authoritative Security Descriptor ... 321
3.1.1.6.1.2 Protected Objects ... 322
3.1.1.6.1.3 Protection Operation ... 322
3.1.1.6.1.4 Configurable State ... 322
3.1.1.6.2 Reference Update ... 323
3.1.1.6.3 Security Descriptor Propagator Update ... 324
3.1.1.7 NT4 Replication Support ... 325
3.1.1.7.1 Format of nt4ReplicationState and pdcChangeLog ... 325
3.1.1.7.1.1 nt4ReplicationState ... 325
3.1.1.7.1.2 pdcChangeLog ... 326
3.1.1.7.2 State Changes ... 326
3.1.1.7.2.1 Initialization ... 326
3.1.1.7.2.2 Directory Updates ... 326
3.1.1.7.2.3 Acquiring the PDC Role ... 330
3.1.1.7.2.4 Resetting the pdcChangeLog ... 330
3.1.1.7.3 Format of the Referent of pmsgOut.V1.pLog ... 331
3.1.1.8 AD LDS Special Objects ... 331
3.1.1.8.1 AD LDS Users ... 331
3.1.1.8.2 Bind Proxies ... 332
3.1.1.9 Optional Features ... 333
3.1.1.9.1 Recycle Bin Optional Feature ... 334
3.1.1.9.2 Privileged Access Management Optional Feature ... 335
3.1.1.10 Revisions ... 336
3.1.1.10.1 Forest Revision ... 336
3.1.1.10.2 RODC Revision ... 337
3.1.1.10.3 Domain Revision ... 337
3.1.1.11 Claims ... 338
3.1.1.11.1 Informative Overview ... 338
3.1.1.11.1.1 Claim ... 338
3.1.1.11.1.2 Claims Dictionary ... 338
3.1.1.11.1.3 Claim Source ... 338
3.1.1.11.1.4 Claims Issuance ... 339
3.1.1.11.1.5 Claims Transformation Rules ... 339
3.1.1.11.1.6 Claims Transformation ... 339
3.1.1.11.2 Claims Procedures ... 340
3.1.1.11.2.1 GetClaimsForPrincipal ... 340
3.1.1.11.2.2 GetADSourcedClaims ... 341
3.1.1.11.2.3 GetCertificateSourcedClaims ... 342
3.1.1.11.2.4 GetConstructedClaims ... 343
3.1.1.11.2.5 EncodeClaimsSet ... 344
3.1.1.11.2.6 FillClaimsSetMetadata ... 344
3.1.1.11.2.7 RunCompressionAlgorithm ... 345
3.1.1.11.2.8 NdrEncode ... 346
3.1.1.11.2.9 NdrDecode ... 346
3.1.1.11.2.10 DecodeClaimsSet ... 347
3.1.1.11.2.11 TransformClaimsOnTrustTraversal ... 348
3.1.1.11.2.12 GetClaimsTransformationRulesXml ... 349
3.1.1.11.2.13 GetTransformationRulesText ... 350
3.1.1.11.2.14 GetCTAClaims ... 351
3.1.1.11.2.15 CollapseMultiValuedClaims ... 351
3.1.1.11.2.16 FilterAndPackOutputClaims ... 352
3.1.1.11.2.17 ValidateClaimDefinition ... 354
3.1.1.11.2.18 GetAuthSiloClaim ... 355
3.1.1.12 NC Rename ... 356
3.1.1.12.1 Abstract Data Types ... 356
3.1.1.12.1.1 FlatName ... 356
3.1.1.12.1.2 SPNValue ... 357
3.1.1.12.1.3 ServerDescription ... 357
3.1.1.12.1.4 InterdomainTrustAccountDescription ... 357
3.1.1.12.1.5 TrustedDomainObjectDescription ... 358
3.1.1.12.1.6 NCDescription ... 358
3.1.1.12.1.7 DomainDescriptionElements ... 359
3.1.1.12.1.8 DomainDescription ... 360
3.1.1.12.1.9 NewTrustParentElements ... 360
3.1.1.12.1.10 DomainWithNewTrustParentDescription ... 360
3.1.1.12.1.11 NCRenameDescription ... 360
3.1.1.12.2 Encoding/Decoding Rules ... 362
3.1.1.12.2.1 EBNF-M ... 362
3.1.1.12.2.1.1 Tuples as Parameters to Production Rules ... 362
3.1.1.12.2.1.2 Parameter Fields as Terminal Values ... 362
3.1.1.12.2.1.3 Formatting of Non-String Parameter Fields as Terminal Values ... 362
3.1.1.12.2.1.4 Parameter Fields as Iterators ... 363
3.1.1.12.2.1.5 Reversed Production Rules ... 364
3.1.1.12.2.2 CodedNCRenameDescription ... 365
3.1.1.12.2.2.1 Expression ... 365
3.1.1.12.2.2.2 Common ... 366
3.1.1.12.2.2.3 Tests ... 367
3.1.1.12.2.2.3.1 TestConfigurationNC ... 367
3.1.1.12.2.2.3.2 TestReplicationEpoch ... 367
3.1.1.12.2.2.3.3 TestAppNCs ... 368
3.1.1.12.2.2.3.4 TestDomains ... 368
3.1.1.12.2.2.3.4.1 TestCrossRef ... 369
3.1.1.12.2.2.3.4.2 TestServersInstantiated ... 370
3.1.1.12.2.2.3.4.3 TestTrustCount ... 370
3.1.1.12.2.2.3.4.4 TestTrustedDomainObjectDescriptions ... 371
3.1.1.12.2.2.3.4.5 TestInterdomainTrustAccountDescriptions ... 372
3.1.1.12.2.2.3.4.6 TestServerDescriptions ... 372
3.1.1.12.2.2.3.5 TestPartitionCounts ... 374
3.1.1.12.2.2.4 Flatten ... 374
3.1.1.12.2.2.5 Rebuild ... 375
3.1.1.12.2.2.6 Trusts ... 376
3.1.1.12.2.2.6.1 DomainTrustSpecifications ... 377
3.1.1.12.2.2.6.2 DomainTrustAccounts ... 378
3.1.1.12.2.2.7 CrossRefs ... 379
3.1.1.12.2.2.7.1 ConfigurationCrossRef ... 379
3.1.1.12.2.2.7.2 SchemaCrossRef ... 380
3.1.1.12.2.2.7.3 AppNCsCrossRefs ... 380
3.1.1.12.2.2.7.4 NCRenameDescriptionRootCrossRef ... 381
3.1.1.12.2.2.7.5 TrustTreeNonRootDomainCrossRefs ... 382
3.1.1.12.2.2.7.6 TrustTreeRootDomainCrossRefs ... 384
3.1.1.12.2.2.8 ReplicationEpoch ... 385
3.1.1.12.3 Decode Operation ... 386
3.1.1.12.4 Verify Conditions ... 386
3.1.1.12.5 Process Changes ... 387
3.1.1.13 Authentication Information Retrieval ... 389
3.1.1.13.1 Informative Overview ... 389
3.1.1.13.2 ExpandMemberships ... 390
3.1.1.13.3 GetUserLogonInfo ... 390
3.1.1.13.4 GetResourceDomainInfo ... 391
3.1.1.13.5 ExpandShadowPrincipal ... 392
3.1.1.13.6 GetUserLogonInfoByAttribute ... 393
3.1.1.13.7 GetUserLogonInfoByUPNOrAccountName ... 393
4 Protocol Examples ... 395
5 Security ... 396
5.1 LDAP Security ... 396
5.1.1 Authentication ... 396
5.1.1.1 Supported Authentication Methods ... 396
5.1.1.1.1 Simple Authentication ... 397
5.1.1.1.2 SASL Authentication ... 398
5.1.1.1.3 Sicily Authentication ... 399
5.1.1.2 Using SSL/TLS ... 401
5.1.1.3 Using Fast Bind ... 401
5.1.1.4 Mutual Authentication ... 402
5.1.1.5 Supported Types of Security Principals ... 402
5.1.2 Message Security ... 404
5.1.2.1 Using SASL ... 404
5.1.2.2 Using SSL/TLS ... 404
5.1.3 Authorization ... 404
5.1.3.1 Background ... 405
5.1.3.2 Access Rights ... 405
5.1.3.2.1 Control Access Rights ... 407
5.1.3.2.2 Validated Writes ... 411
5.1.3.3 Checking Access ... 413
5.1.3.3.1 Null vs. Empty DACLs ... 413
5.1.3.3.2 Checking Simple Access ... 413
5.1.3.3.3 Checking Object-Specific Access ... 414
5.1.3.3.4 Checking Control Access Right-Based Access ... 416
5.1.3.3.5 Checking Validated Write-Based Access ... 417
5.1.3.3.6 Checking Object Visibility ... 417
5.1.3.4 AD LDS Security Context Construction ... 418
6 Additional Information ... 420
6.1 Special Objects and Forest Requirements ... 420
6.1.1 Special Objects ... 420
6.1.1.1 Naming Contexts ... 420
6.1.1.1.1 Any NC Root ... 420
6.1.1.1.2 Config NC Root ... 421
6.1.1.1.3 Schema NC Root ... 422
6.1.1.1.4 Domain NC Root ... 422
6.1.1.1.5 Application NC Root ... 423
6.1.1.2 Configuration Objects ... 424
6.1.1.2.1 Cross-Ref-Container Container ... 425
6.1.1.2.1.1 Cross-Ref Objects ... 425
6.1.1.2.1.1.1 Foreign crossRef Objects ... 426
6.1.1.2.1.1.2 Configuration crossRef Object ... 426
6.1.1.2.1.1.3 Schema crossRef Object ... 426
6.1.1.2.1.1.4 Domain crossRef Object ... 426
6.1.1.2.1.1.5 Application NC crossRef Object ... 427
6.1.1.2.2 Sites Container ... 427
6.1.1.2.2.1 Site Object ... 427
6.1.1.2.2.1.1 NTDS Site Settings Object ... 428
6.1.1.2.2.1.2 Servers Container ... 429
6.1.1.2.2.1.2.1 Server Object ... 429
6.1.1.2.2.1.2.1.1 nTDSDSA Object ... 429
6.1.1.2.2.1.2.1.2 Connection Object ... 431
6.1.1.2.2.1.2.1.3 RODC NTFRS Connection Object ... 433
6.1.1.2.2.2 Subnets Container ... 434
6.1.1.2.2.2.1 Subnet Object ... 434
6.1.1.2.2.3 Inter-Site Transports Container ... 436
6.1.1.2.2.3.1 IP Transport Container ... 436
6.1.1.2.2.3.2 SMTP Transport Container ... 437
6.1.1.2.2.3.3 Site Link Object ... 437
6.1.1.2.2.3.4 Site Link Bridge Object ... 438
6.1.1.2.3 Display Specifiers Container ... 438
6.1.1.2.3.1 Display Specifier Object ... 438
6.1.1.2.4 Services ... 440
6.1.1.2.4.1 Windows NT ... 440
6.1.1.2.4.1.1 Directory Service ... 440
6.1.1.2.4.1.2 dSHeuristics ... 441
6.1.1.2.4.1.3 Optional Features Container ... 446
6.1.1.2.4.1.3.1 Recycle Bin Feature Object ... 446
6.1.1.2.4.1.3.2 Privileged Access Management Feature Object ... 446
6.1.1.2.4.1.4 Query-Policies ... 446
6.1.1.2.4.1.4.1 Default Query Policy ... 446
6.1.1.2.4.1.5 SCP Publication Service Object ... 447
6.1.1.2.5 Physical Locations ... 447
6.1.1.2.6 WellKnown Security Principals ... 447
6.1.1.2.6.1 Anonymous Logon ... 447
6.1.1.2.6.2 Authenticated Users ... 448
6.1.1.2.6.3 Batch ... 448
6.1.1.2.6.4 Console Logon ... 448
6.1.1.2.6.5 Creator Group ... 448
6.1.1.2.6.6 Creator Owner ... 448
6.1.1.2.6.7 Dialup ... 448
6.1.1.2.6.8 Digest Authentication ... 448
6.1.1.2.6.9 Enterprise Domain Controllers ... 449
6.1.1.2.6.10 Everyone ... 449
6.1.1.2.6.11 Interactive ... 449
6.1.1.2.6.12 IUSR ... 449
6.1.1.2.6.13 Local Service ... 449
6.1.1.2.6.14 Network ... 449
6.1.1.2.6.15 Network Service ... 449
6.1.1.2.6.16 NTLM Authentication ... 449
6.1.1.2.6.17 Other Organization ... 450
6.1.1.2.6.18 Owner Rights ... 450
6.1.1.2.6.19 Proxy ... 450
6.1.1.2.6.20 Remote Interactive Logon ... 450
6.1.1.2.6.21 Restricted ... 450
6.1.1.2.6.22 SChannel Authentication ... 450
6.1.1.2.6.23 Self ... 450
6.1.1.2.6.24 Service ... 451
6.1.1.2.6.25 System ... 451
6.1.1.2.6.26 Terminal Server User ... 451
6.1.1.2.6.27 This Organization ... 451
6.1.1.2.7 Extended Rights ... 451
6.1.1.2.7.1 controlAccessRight objects ... 451
6.1.1.2.7.2 Change-Rid-Master ... 452
6.1.1.2.7.3 Do-Garbage-Collection ... 452
6.1.1.2.7.4 Recalculate-Hierarchy ... 452
6.1.1.2.7.5 Allocate-Rids ... 452
6.1.1.2.7.6 Change-PDC ... 452
6.1.1.2.7.7 Add-GUID ... 452
6.1.1.2.7.8 Change-Domain-Master ... 453
6.1.1.2.7.9 Public-Information ... 453
6.1.1.2.7.10 msmq-Receive-Dead-Letter ... 453
6.1.1.2.7.11 msmq-Peek-Dead-Letter ... 453
6.1.1.2.7.12 msmq-Receive-computer-Journal ... 453
6.1.1.2.7.13 msmq-Peek-computer-Journal ... 453
6.1.1.2.7.14 msmq-Receive ... 454
6.1.1.2.7.15 msmq-Peek ... 454
6.1.1.2.7.16 msmq-Send ... 454
6.1.1.2.7.17 msmq-Receive-journal ... 454
6.1.1.2.7.18 msmq-Open-Connector ... 454
6.1.1.2.7.19 Apply-Group-Policy ... 455
6.1.1.2.7.20 RAS-Information ... 455
6.1.1.2.7.21 DS-Install-Replica ... 455
6.1.1.2.7.22 Change-Infrastructure-Master ... 455
6.1.1.2.7.23 Update-Schema-Cache ... 455
6.1.1.2.7.24 Recalculate-Security-Inheritance ... 455
6.1.1.2.7.25 DS-Check-Stale-Phantoms ... 456
6.1.1.2.7.26 Certificate-Enrollment ... 456
6.1.1.2.7.27 Self-Membership ... 456
6.1.1.2.7.28 Validated-DNS-Host-Name ... 456
6.1.1.2.7.29 Validated-SPN ... 456
6.1.1.2.7.30 Generate-RSoP-Planning ... 457
6.1.1.2.7.31 Refresh-Group-Cache ... 457
6.1.1.2.7.32 Reload-SSL-Certificate ... 457
6.1.1.2.7.33 SAM-Enumerate-Entire-Domain ... 457
6.1.1.2.7.34 Generate-RSoP-Logging ... 457
6.1.1.2.7.35 Domain-Other-Parameters ... 457
6.1.1.2.7.36 DNS-Host-Name-Attributes ... 458
6.1.1.2.7.37 Create-Inbound-Forest-Trust ... 458
6.1.1.2.7.38 DS-Replication-Get-Changes-All ... 458
6.1.1.2.7.39 Migrate-SID-History ... 458
6.1.1.2.7.40 Reanimate-Tombstones ... 458
6.1.1.2.7.41 Allowed-To-Authenticate ... 459
6.1.1.2.7.42 DS-Execute-Intentions-Script ... 459
6.1.1.2.7.43 DS-Replication-Monitor-Topology ... 459
6.1.1.2.7.44 Update-Password-Not-Required-Bit ... 459
6.1.1.2.7.45 Unexpire-Password ... 460
6.1.1.2.7.46 Enable-Per-User-Reversibly-Encrypted-Password ... 460
6.1.1.2.7.47 DS-Query-Self-Quota ... 460
6.1.1.2.7.48 Private-Information ... 460
6.1.1.2.7.49 MS-TS-GatewayAccess ... 460
6.1.1.2.7.50 Terminal-Server-License-Server ... 461
6.1.1.2.7.51 Domain-Administer-Server ... 461
6.1.1.2.7.52 User-Change-Password ... 461
6.1.1.2.7.53 User-Force-Change-Password ... 461
6.1.1.2.7.54 Send-As ... 462
6.1.1.2.7.55 Receive-As ... 462
6.1.1.2.7.56 Send-To ... 462
6.1.1.2.7.57 Domain-Password ... 462
6.1.1.2.7.58 General-Information ... 463
6.1.1.2.7.59 User-Account-Restrictions ... 463
6.1.1.2.7.60 User-Logon ... 463
6.1.1.2.7.61 Membership ... 463
6.1.1.2.7.62 Open-Address-Book ... 464
6.1.1.2.7.63 Personal-Information ... 464
6.1.1.2.7.64 Email-Information ... 464
6.1.1.2.7.65 Web-Information ... 464
6.1.1.2.7.66 DS-Replication-Get-Changes ... 465
6.1.1.2.7.67 DS-Replication-Synchronize ... 465
6.1.1.2.7.68 DS-Replication-Manage-Topology ... 465
6.1.1.2.7.69 Change-Schema-Master ... 465
6.1.1.2.7.70 DS-Replication-Get-Changes-In-Filtered-Set ... 466
6.1.1.2.7.71 Run-Protect-Admin-Groups-Task ... 466
6.1.1.2.7.72 Manage-Optional-Features ... 466
6.1.1.2.7.73 Read-Only-Replication-Secret-Synchronization ... 466
6.1.1.2.7.74 Validated-MS-DS-Additional-DNS-Host-Name ... 466
6.1.1.2.7.75 Validated-MS-DS-Behavior-Version ... 467
6.1.1.2.7.76 DS-Clone-Domain-Controller ... 467
6.1.1.2.7.77 Certificate-AutoEnrollment ... 467
6.1.1.2.7.78 DS-Read-Partition-Secrets ... 467
6.1.1.2.7.79 DS-Write-Partition-Secrets ... 467
6.1.1.2.7.80 DS-Set-Owner ... 467
6.1.1.2.7.81 DS-Bypass-Quota ... 468
6.1.1.2.7.82 DS-Validated-Write-Computer ... 468
6.1.1.2.8 Forest Updates Container ... 468
6.1.1.2.8.1 Operations Container ... 468
6.1.1.2.8.2 Windows2003Update Container ... 469
6.1.1.2.8.3 ActiveDirectoryUpdate Container ... 469
6.1.1.2.8.4 ActiveDirectoryRodcUpdate Container ... 469
6.1.1.3 Critical Domain Objects ... 469
6.1.1.3.1 Domain Controller Object ... 470
6.1.1.3.2 Read-Only Domain Controller Object ... 470
6.1.1.4Well-Known Objects471
6.1.1.4.1Lost and Found Container474
6.1.1.4.2Deleted Objects Container474
6.1.1.4.3NTDS Quotas Container475
6.1.1.4.4Infrastructure Object475
6.1.1.4.5Domain Controllers OU475
6.1.1.4.6Users Container475
6.1.1.4.7Computers Container476
6.1.1.4.8Program Data Container476
6.1.1.4.9Managed Service Accounts Container476
6.1.1.4.10Foreign Security Principals Container476
6.1.1.4.11System Container477
6.1.1.4.11.1Password Settings Container477
6.1.1.4.12Builtin Container477
6.1.1.4.12.1Account Operators Group Object478
6.1.1.4.12.2Administrators Group Object478
6.1.1.4.12.3Backup Operators Group Object478
6.1.1.4.12.4Certificate Service DCOM Access Group Object478
6.1.1.4.12.5Cryptographic Operators Group Object478
6.1.1.4.12.6Distributed COM Users Group Object478
6.1.1.4.12.7Event Log Readers Group Object478
6.1.1.4.12.8Guests Group Object478
6.1.1.4.12.9IIS_IUSRS Group Object479
6.1.1.4.12.10Incoming Forest Trust Builders Group Object479
6.1.1.4.12.11Network Configuration Operators Group Object479
6.1.1.4.12.12Performance Log Users Group Object479
6.1.1.4.12.13Performance Monitor Users Group Object479
6.1.1.4.12.14Pre-Windows 2000 Compatible Access Group
Object479
6.1.1.4.12.15Print Operators Group Object479
6.1.1.4.12.16Remote Desktop Users Group Object479
6.1.1.4.12.17Replicator Group Object480
6.1.1.4.12.18Server Operators Group Object480
6.1.1.4.12.19Terminal Server License Servers Group Object480
6.1.1.4.12.20Users Group Object480
6.1.1.4.12.21Windows Authorization Access Group Group
Object480
6.1.1.4.13Roles Container480
6.1.1.4.13.1Administrators Group Object481
6.1.1.4.13.2Readers Group Object481
6.1.1.4.13.3Users Group Object481
6.1.1.4.13.4Instances Group Object481
6.1.1.5Other System Objects481
6.1.1.5.1AdminSDHolder Object481
6.1.1.5.2Default Domain Policy Container482
6.1.1.5.3Sam Server Object483
6.1.1.5.4Domain Updates Container483
6.1.1.5.4.1Operations Container483
6.1.1.5.4.2Windows2003Update Container484
6.1.1.5.4.3ActiveDirectoryUpdate Container484
6.1.1.6Well-Known Domain-Relative Security Principals484
6.1.1.6.1Administrator484
6.1.1.6.2Guest484
6.1.1.6.3Key Distribution Center Service Account485
6.1.1.6.4Cert Publishers485
6.1.1.6.5Domain Administrators485
6.1.1.6.6Domain Computers485
6.1.1.6.7Domain Controllers485
6.1.1.6.8Domain Guests485
6.1.1.6.9Domain Users486
6.1.1.6.10Enterprise Administrators486
6.1.1.6.11Group Policy Creator Owners486
6.1.1.6.12RAS and IAS Servers486
6.1.1.6.13Read-Only Domain Controllers486
6.1.1.6.14Enterprise Read-Only Domain Controllers487
6.1.1.6.15Schema Admins487
6.1.1.6.16Allowed RODC Password Replication Group487
6.1.1.6.17Denied RODC Password Replication Group487
6.1.2Forest Requirements488
6.1.2.1DC Existence488
6.1.2.2NC Existence488
6.1.2.3Hosting Requirements489
6.1.2.3.1DC and Application NC Replica489
6.1.2.3.2DC and Regular Domain NC Replica489
6.1.2.3.3DC and Schema/Config NC Replicas489
6.1.2.3.4DC and Partial Replica NCs Replicas489
6.1.3Security Descriptor Requirements490
6.1.3.1ACE Ordering Rules491
6.1.3.2SD Flags Control492
6.1.3.3Processing Specifics492
6.1.3.4Security Considerations493
6.1.3.5SD Defaulting Rules494
6.1.3.6Owner and Group Defaulting Rules494
6.1.3.7Default Administrators Group495
6.1.4Special Attributes496
6.1.4.1ntMixedDomain496
6.1.4.2msDS-Behavior-Version: DC Functional Level496
6.1.4.3msDS-Behavior-Version: Domain NC Functional Level497
6.1.4.4msDS-Behavior-Version: Forest Functional Level498
6.1.4.5Replication Schedule Structures499
6.1.4.5.1SCHEDULE_HEADER Structure499
6.1.4.5.2SCHEDULE Structure499
6.1.4.5.3REPS_FROM500
6.1.4.5.4REPS_TO500
6.1.4.5.5MTX_ADDR Structure500
6.1.4.5.6REPLTIMES Structure500
6.1.4.5.7PAS_DATA Structure500
6.1.4.6msDS-AuthenticatedAtDC501
6.1.5FSMO Roles501
6.1.5.1Schema Master FSMO Role501
6.1.5.2Domain Naming Master FSMO Role501
6.1.5.3RID Master FSMO Role501
6.1.5.4PDC Emulator FSMO Role502
6.1.5.5Infrastructure FSMO Role502
6.1.6Trust Objects503
6.1.6.1Overview (Synopsis)503
6.1.6.2Relationship to Other Protocols503
6.1.6.2.1TDO Replication over DRS503
6.1.6.2.2TDO Roles in Authentication Protocols over Domain
Boundaries503
6.1.6.2.3TDO Roles in Authorization over Domain
Boundaries504
6.1.6.3Prerequisites/Preconditions504
6.1.6.4Versioning and Capability Negotiation504
6.1.6.5Vendor-Extensible Fields504
6.1.6.6Transport504
6.1.6.7Essential Attributes of a Trusted Domain Object504
6.1.6.7.1flatName505
6.1.6.7.2isCriticalSystemObject505
6.1.6.7.3msDs-supportedEncryptionTypes505
6.1.6.7.4msDS-TrustForestTrustInfo506
6.1.6.7.5nTSecurityDescriptor506
6.1.6.7.6objectCategory506
6.1.6.7.7objectClass506
6.1.6.7.8securityIdentifier506
6.1.6.7.9trustAttributes506
6.1.6.7.10trustAuthIncoming508
6.1.6.7.11trustAuthOutgoing509
6.1.6.7.12trustDirection509
6.1.6.7.13trustPartner509
6.1.6.7.14trustPosixOffset509
6.1.6.7.15trustType509
6.1.6.8Essential Attributes of Interdomain Trust Accounts510
6.1.6.8.1cn (RDN)510
6.1.6.8.2objectClass510
6.1.6.8.3sAMAccountName510
6.1.6.8.4sAMAccountType511
6.1.6.8.5userAccountControl511
6.1.6.9Details511
6.1.6.9.1trustAuthInfo Attributes511
6.1.6.9.1.1LSAPR_AUTH_INFORMATION512
6.1.6.9.1.2Kerberos Usages of trustAuthInfo Attributes513
6.1.6.9.2Netlogon Usages of Trust Objects514
6.1.6.9.3msDS-TrustForestTrustInfo Attribute514
6.1.6.9.3.1Record514
6.1.6.9.3.2Building Well-Formed msDS-TrustForestTrustInfo
Messages517
6.1.6.9.4Computation of trustPosixOffset520
6.1.6.9.5Mapping Logon SIDs to POSIX Identifiers520
6.1.6.9.6Timers520
6.1.6.9.6.1Trust Secret Cycling520
6.1.6.9.7Initialization520
6.1.6.10Security Considerations for Implementers521
6.1.7DynamicObject Requirements521
6.2Knowledge Consistency Checker522
6.2.1References522
6.2.2Overview522
6.2.2.1Refresh kCCFailedLinks and kCCFailedConnections524
6.2.2.2Intrasite Connection Creation525
6.2.2.3Intersite Connection Creation527
6.2.2.3.1ISTG Selection528
6.2.2.3.2Merge of kCCFailedLinks and kCCFailedLinks from
Bridgeheads529
6.2.2.3.3Site Graph Concepts529
6.2.2.3.4Connection Creation530
6.2.2.3.4.1Types531
6.2.2.3.4.2Main Entry Point532
6.2.2.3.4.3Site Graph Construction533
6.2.2.3.4.4Spanning Tree Computation536
6.2.2.3.4.5nTDSConnection Creation546
6.2.2.4Removing Unnecessary Connections550
6.2.2.5Connection Translation551
6.2.2.6Remove Unneeded kCCFailedLinks and kCCFailedConnections
Tuples552
6.2.2.7Updating the RODC NTFRS Connection Object553
6.3Publishing and Locating a Domain Controller553
6.3.1Structures and Constants554
6.3.1.1NETLOGON_NT_VERSION Options Bits554
6.3.1.2DS_FLAG Options Bits555
6.3.1.3Operation Code556
6.3.1.4NETLOGON_LOGON_QUERY556
6.3.1.5NETLOGON_PRIMARY_RESPONSE557
6.3.1.6NETLOGON_SAM_LOGON_REQUEST558
6.3.1.7NETLOGON_SAM_LOGON_RESPONSE_NT40559
6.3.1.8NETLOGON_SAM_LOGON_RESPONSE560
6.3.1.9NETLOGON_SAM_LOGON_RESPONSE_EX561
6.3.1.10DNSRegistrationSettings564
6.3.2DNS Record Registrations566
6.3.2.1Timers567
6.3.2.1.1Register DNS Records Timer567
6.3.2.2Non-Timer Events567
6.3.2.2.1Force Register DNS Records Non-Timer Event567
6.3.2.3SRV Records567
6.3.2.4Non-SRV Records570
6.3.3LDAP Ping571
6.3.3.1Syntactic Validation of the Filter572
6.3.3.2Domain Controller Response to an LDAP Ping573
6.3.3.3Response to Invalid Filter578
6.3.4NetBIOS Broadcast and NBNS Background578
6.3.5Mailslot Ping578
6.3.6Locating a Domain Controller581
6.3.6.1DNS-Based Discovery581
6.3.6.2NetBIOS-Based Discovery582
6.3.7Name Compression and Decompression582
6.3.8AD LDS DC Publication584
6.4Domain Join585
6.4.1State of a Machine Joined to a Domain585
6.4.2State in an Active Directory Domain586
6.4.3Relationship to Protocols587
6.5Unicode String Comparison587
6.5.1String Comparison by Using Sort Keys587
6.6Claims.idl588
7Communication Details for Active Directory Connections590
7.1Connection Resolution of LDAP Clients590
7.2ADConnection Overview590
7.3ADConnection Abstract Data Model593
7.4Handling Network Errors595
7.5ICMP Pings596
7.6Tasks and Events596
7.6.1Tasks597
7.6.1.1Initializing an ADConnection597
7.6.1.2Setting an LDAP Option on an ADConnection598
7.6.1.3Establishing an ADConnection599
7.6.1.4Performing an LDAP Bind on an ADConnection599
7.6.1.5Performing an LDAP Unbind on an ADConnection600
7.6.1.6Performing an LDAP Operation on an ADConnection600
7.6.2Internal Tasks601
7.6.2.1Initializing a Connection to a Directory Server601
7.6.2.2Connecting to a Directory Server602
7.6.2.3Performing an LDAP Bind Against a Directory Server604
7.6.2.4Performing an LDAP Unbind Against a Directory
Server605
7.6.2.5Performing an LDAP Operation Against a Directory
Server605
7.6.2.6Following an LDAP Referral or Continuation
Reference606
7.6.2.7Autoreconnecting to a Directory Server608
7.6.3External Triggered Events609
7.6.3.1Processing Network Errors609
7.6.3.2Getting an LDAP Response from a Directory Server610
7.6.4Timer Triggered Events611
7.6.4.1Timer Expiry on RequestTimer611
7.7LDAP Over UDP612
7.7.1ADUDPHandle Overview612
7.7.2ADUDPHandle Abstract Data Model612
7.7.3Tasks613
7.7.3.1Initializing an ADUDPHandle613
7.7.3.2Performing an LDAP Operation on an ADUDPHandle613
7.8Transport Requirements616
7.9Security Elements616
7.10Communications Security616
8Change Tracking618
9Index619
1 Introduction
This is the primary specification for Active Directory, both
Active Directory Domain Services (AD DS) and Active Directory
Lightweight Directory Services (AD LDS). When the specification
does not refer specifically to AD DS or AD LDS, it applies to both.
The state model for this specification is prerequisite to the other
specifications for Active Directory: [MS-DRSR] and [MS-SRPL].
When no operating system version information is specified,
information in this document applies to all relevant versions of
Windows. Similarly, when no DC functional level is specified,
information in this document applies to all DC functional
levels.
AD DS first became available as part of Microsoft Windows 2000
operating system and is available as part of Windows 2000 Server
operating system products and Windows Server 2003 operating system
products; in these products it is called "Active Directory". It is
also available as part of Windows Server 2008 operating system,
Windows Server 2008 R2 operating system, Windows Server 2012
operating system, Windows Server 2012 R2 operating system, and
Windows Server 2016 operating system. AD DS is not present in
Windows NT 3.1 operating system, Windows NT 3.51 operating system,
Windows NT 4.0 operating system, or Windows XP operating
system.
Unless otherwise specified, information in this specification is
also applicable to Active Directory Application Mode (ADAM). ADAM
is a standalone application that provides AD LDS capabilities on
Windows XP and Windows Server 2003. There are two versions of ADAM,
ADAM RTW and ADAM SP1; unless otherwise specified, where ADAM is
discussed in this document it refers to both versions.
Information that is applicable to AD LDS on Windows Server 2008
is also applicable to Active Directory Lightweight Directory
Services (AD LDS) for Windows Vista, except where it is explicitly
specified that such information is not applicable to that product.
AD LDS for Windows Vista is a standalone application that provides
AD LDS capabilities for Windows Vista operating system. Similarly,
unless it is explicitly specified otherwise, information that is
applicable to AD LDS on Windows Server 2008 R2 is also applicable
to the standalone application Active Directory Lightweight
Directory Services (AD LDS) for Windows 7, which provides AD LDS
capabilities for Windows 7 operating system. Similarly, unless it
is explicitly specified otherwise, information that is applicable
to AD LDS on Windows Server 2012 is also applicable to the
stand-alone application Active Directory Lightweight Directory
Services (AD LDS) for Windows 8 operating system, which provides AD
LDS capabilities for Windows 8 operating system. Similarly, unless
it is explicitly specified otherwise, information that is
applicable to AD LDS on Windows Server 2012 R2 is also applicable
to the stand-alone application Active Directory Lightweight
Directory Services (AD LDS) for Windows 8.1 operating system, which
provides AD LDS capabilities for Windows 8.1 operating system.
Finally, unless it is explicitly specified otherwise, information
that is applicable to AD LDS on Windows Server 2016 is also
applicable to the stand-alone application Active Directory
Lightweight Directory Services (AD LDS) for Windows 10 operating
system, which provides AD LDS capabilities for Windows 10 operating
system.
State is included in the state model for this specification only
as necessitated by the requirement that a licensee implementation
of Windows Server protocols be able to receive messages and respond
in the same manner as a Windows Server. Behavior is specified in
terms of request message received, processing based on current
state, resulting state transformation, and response message sent.
Unless otherwise specified in the sections that follow, all of the
behaviors are required for interoperability.
The following typographical convention is used to indicate the
special meaning of certain names:
· Underline, as in instanceType: the name of an attribute or
object class whose interpretation is specified in the following
documents:
· [MS-ADA1] Attribute names whose initial letter is A through
L.
· [MS-ADA2] Attribute names whose initial letter is M.
· [MS-ADA3] Attribute names whose initial letter is N through
Z.
· [MS-ADSC] Object class names.
· [MS-ADLS] Object class names and attribute names for AD
LDS.
For clarity, bit flags are sometimes shown as bit field
diagrams. In the case of bit flags for Lightweight Directory Access
Protocol (LDAP) attributes, these diagrams take on big-endian
characteristics but do not reflect the actual byte ordering of
integers over the wire, because LDAP transfers an integer as the
UTF-8 string of the decimal representation of that integer, as
specified in [RFC2252].
Pervasive Concepts
The following concepts are pervasive throughout this
specification.
This specification uses [KNUTH1] section 2.3.4.2 as a reference
for the graph-related terms oriented tree, root, vertex, arc,
initial vertex, and final vertex.
replica: A variable containing a set of objects.
attribute: An identifier for a value or set of values. See also
attribute in the Glossary (section 1.1).
object: A set of attributes, each with its associated values.
Two attributes of an object have special significance:
· Identifying attribute: A designated single-valued attribute
appears on every object. The value of this attribute identifies the
object. For the set of objects in a replica, the values of the
identifying attribute are distinct.
· Parent-identifying attribute: A designated single-valued
attribute appears on every object. The value of this attribute
identifies the object's parent. That is, this attribute contains
the value of the parent's identifying attribute or a reserved value
identifying no object (for more information, see section
3.1.1.1.3). For the set of objects in a replica, the values of this
parent-identifying attribute define an oriented tree with objects
as vertices and child-parent references as directed arcs, with the
child as an arc's initial vertex and the parent as an arc's final
vertex.
Note that an object is a value, not a variable; a replica is a
variable. The process of adding, modifying, or deleting an object
in a replica replaces the entire value of the replica with a new
value.
As the term "replica" suggests, it is often the case that two
replicas contain "the same objects". In this usage, objects in two
replicas are considered "the same" if they have the same value of
the identifying attribute and if there is a process in place (that
is, replication) to converge the values of the remaining
attributes. When the members of a set of replicas are considered to
be the same, it is common to say "an object" as a shorthand way of
referring to the set of corresponding objects in the replicas.
object class: A set of restrictions on the construction and
update of objects. An object class must be specified when an object
is created. An object class specifies a set of must-have attributes
(every object of the class must have at least one value of each)
and may-have attributes (every object of the class may have a value
of each). An object class also specifies a set of possible
superiors (the parent object of an object of the class must have
one of these classes). An object class is defined by a classSchema
object.
parent object: See "object", above.
child object, children: An object that is not the root of its
oriented tree. The children of an object O are the set of all
objects whose parent object is O.
See section 3.1.1.1.3 for the particular use made of these
definitions in this specification.
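The replica, object, identifying-attribute and parent-identifying-attribute definitions above can be exercised directly. The following is an added example and not code from [MS-ADTS]; it assumes an identifying attribute named "id", a parent-identifying attribute named "parent", and None as the reserved "identifies no object" value (the specification's actual attributes are given in its section 3.1.1.1.3), and it checks that a replica's parent references really form one oriented tree.

```python
"""Checks over the replica / object model described under Pervasive Concepts.

Added illustration, not code from [MS-ADTS]. An object is a dict of attribute
values and a replica is a list of such objects. The attribute names "id" and
"parent" and the reserved value None are assumptions for this example only.
"""
from typing import Dict, List, Set, Tuple

Object = Dict[str, object]
Replica = List[Object]

IDENT = "id"        # assumed identifying attribute
PARENT = "parent"   # assumed parent-identifying attribute
NO_OBJECT = None    # assumed reserved value meaning "identifies no object"


def children_of(replica: Replica, o: object) -> Set[object]:
    """The children of object o: every object whose parent-identifying value is o."""
    return {obj[IDENT] for obj in replica if obj[PARENT] == o}


def add_object(replica: Replica, obj: Object) -> Replica:
    """A replica is a variable and an object is a value: adding an object
    produces a new replica value and leaves the old list untouched."""
    return replica + [obj]


def check_oriented_tree(replica: Replica) -> Tuple[bool, List[str]]:
    """Verify that the parent-identifying values form one oriented tree.

    Conditions checked, each taken from the definitions above:
      1. identifying-attribute values are distinct within the replica;
      2. every parent value is NO_OBJECT or the identifier of a present object;
      3. exactly one object (the root) has NO_OBJECT as its parent;
      4. following child->parent arcs from any object terminates (no cycles).
    Returns (ok, list_of_problems).
    """
    problems: List[str] = []
    seen: Set[object] = set()
    for obj in replica:
        if obj[IDENT] in seen:
            problems.append(f"duplicate identifying value {obj[IDENT]!r}")
        seen.add(obj[IDENT])

    by_id = {obj[IDENT]: obj for obj in replica}
    roots = [obj[IDENT] for obj in replica if obj[PARENT] == NO_OBJECT]
    for obj in replica:
        p = obj[PARENT]
        if p != NO_OBJECT and p not in by_id:
            problems.append(f"{obj[IDENT]!r} names unknown parent {p!r}")
    if len(roots) != 1:
        problems.append(f"expected exactly one root, found {len(roots)}")

    # Walk the arcs from every object toward the root. Meeting an identifier
    # twice on one walk means a cycle, which an oriented tree cannot contain.
    in_cycle: Set[object] = set()
    for obj in replica:
        path: Set[object] = set()
        cur = obj
        while cur[PARENT] != NO_OBJECT:
            if cur[IDENT] in path:
                in_cycle.add(cur[IDENT])
                break
            path.add(cur[IDENT])
            nxt = by_id.get(cur[PARENT])
            if nxt is None:      # unknown parent, already reported above
                break
            cur = nxt
    for ident in sorted(in_cycle, key=repr):
        problems.append(f"cycle through {ident!r}")
    return (not problems, problems)


# Constructed sample replica: a root, one container, two leaf objects.
SAMPLE_REPLICA: Replica = [
    {IDENT: "guid-root", PARENT: NO_OBJECT},
    {IDENT: "guid-ou", PARENT: "guid-root"},
    {IDENT: "guid-a", PARENT: "guid-ou"},
    {IDENT: "guid-b", PARENT: "guid-ou"},
]

if __name__ == "__main__":
    print(check_oriented_tree(SAMPLE_REPLICA))
    print(sorted(children_of(SAMPLE_REPLICA, "guid-ou")))
```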
1.1 Glossary
This document uses the following terms:
88 object class: An object class as specified in the X.500
directory specification ([X501] section 8.4.3). An 88 object class
can be instantiated as a new object, like a structural object
class, and on an existing object, like an auxiliary object
class.
abstract class: See abstract object class.
abstract object class: An object class whose only function is to
be the basis of inheritance by other object classes, thereby
simplifying their definition.
access check: A verification to determine whether a specific
access type is allowed by checking a security context against a
security descriptor.
access control entry (ACE): An entry in an access control list
(ACL) that contains a set of user rights and a security identifier
(SID) that identifies a principal for whom the rights are allowed,
denied, or audited.
access control list (ACL): A list of access control entries
(ACEs) that collectively describe the security rules for
authorizing access to some resource; for example, an object or set
of objects.
access mask: A 32-bit value present in an access control entry
(ACE) that specifies the allowed or denied rights to manipulate an
object.
account domain: A domain, identified by a security identifier
(SID), that is the SID namespace for which a given machine is
authoritative. The account domain is the same as the primary domain
for a domain controller (DC) and is its default domain. For a
machine that is joined to a domain, the account domain is the SID
namespace defined by the local Security Accounts Manager
[MS-SAMR].
ACID: A term that refers to the four properties that any
database system must achieve in order to be considered
transactional: Atomicity, Consistency, Isolation, and Durability
[GRAY].
active: A state of an attributeSchema or classSchema object that
represents part of the schema. It is possible to instantiate an
active attribute or an active class. The opposite term is
defunct.
Active Directory: A general-purpose network directory service.
Active Directory also refers to the Windows implementation of a
directory service. Active Directory stores information about a
variety of objects in the network. Importantly, user accounts,
computer accounts, groups, and all related credential information
used by the Windows implementation of Kerberos are stored in Active
Directory. Active Directory is either deployed as Active Directory
Domain Services (AD DS) or Active Directory Lightweight Directory
Services (AD LDS). [MS-ADTS] describes both forms. For more
information, see [MS-AUTHSOD] section 1.1.1.5.2, Lightweight
Directory Access Protocol (LDAP) versions 2 and 3, Kerberos, and
DNS.
Active Directory Domain Services (AD DS): A directory service
(DS) implemented by a domain controller (DC). The DS provides a
data store for objects that is distributed across multiple DCs. The
DCs interoperate as peers to ensure that a local change to an
object replicates correctly across DCs. For more information, see
[MS-AUTHSOD] section 1.1.1.5.2 and [MS-ADTS]. For information about
product versions, see [MS-ADTS] section 1. See also Active
Directory.
Active Directory Lightweight Directory Services (AD LDS): A
directory service (DS) implemented by a domain controller (DC). The
most significant difference between AD LDS and Active Directory
Domain Services (AD DS) is that AD LDS does not host domain naming
contexts (domain NCs). A server can host multiple AD LDS DCs. Each
DC is an independent AD LDS instance, with its own independent
state. AD LDS can be run as an operating system DS or as a
directory service provided by a standalone application (ADAM). For
more information, see [MS-ADTS]. See also Active Directory.
ambiguous name resolution (ANR): A search algorithm that permits
a client to search multiple naming-related attributes on objects by
way of a single clause of the form "(anr=value)" in a Lightweight
Directory Access Protocol (LDAP) search filter. This permits a
client to query for an object when the client possesses some
identifying material related to the object but does not know which
attribute of the object contains that identifying material.
application naming context (application NC): A specific type of
naming context (NC), or an instance of that type, that supports
only full replicas (no partial replicas). An application NC cannot
contain security principal objects in Active Directory Domain
Services (AD DS), but can contain security principal objects in
Active Directory Lightweight Directory Services (AD LDS). A forest can have
zero or more application NCs in either AD DS or AD LDS. An
application NC can contain dynamic objects. Application NCs do not
appear in the global catalog (GC). The root of an application NC is
an object of class domainDNS.
attribute: An identifier for a single or multivalued data
element that is associated with a directory object. An object
consists of its attributes and their values. For example, cn
(common name), street (street address), and mail (email addresses)
can all be attributes of a user object. An attribute's schema,
including the syntax of its values, is defined in an
attributeSchema object.
attribute syntax: Specifies the format and range of permissible
values of an attribute. The syntax of an attribute is defined by
several attributes on the attributeSchema object, as specified in
[MS-ADTS] section 3.1.1.2. Attribute syntaxes supported by Active
Directory include Boolean, Enumeration, Integer, LargeInteger,
String(UTC-Time), Object(DS-DN), and String(Unicode).
AttributeStamp: The type of a stamp attached to an
attribute.
ATTRTYP: A 32-bit quantity representing an object identifier
(OID). See [MS-DRSR] section 5.14.
authentication: The act of proving an identity to a server while
providing key material that binds the identity to subsequent
communications.
authorization: The secure computation of roles and accesses
granted to an identity.
auxiliary object class: An object class that cannot be
instantiated in the directory but can be either added to, or
removed from, an existing object to make its attributes available
for use on that object; or associated with an abstract or
structural object class to add its attributes to that abstract or
structural object class.
back link attribute: A constructed attribute whose values
include object references (for example, an attribute of syntax
Object(DS-DN)). The back link values are derived from the values of
a related attribute, a forward link attribute, on other objects. If
f is the forward link attribute, one back link value exists on
object o for each object r that contains a value of o for attribute
f. The relationship between the forward link attributes and back
link attributes is expressed using the linkId attribute on the
attributeSchema objects representing the two attributes. The
forward link's linkId is an even number, and the back link's linkId
is the forward link's linkId plus one. For more information, see
[MS-ADTS] section 3.1.1.1.6.
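The forward link / back link relationship just described can be worked through on a small set of objects. The following is an added example, not code from [MS-ADTS]: the linkId table, the attribute pairing and the object DNs are constructed for the example, and the values of the constructed back link attributes are derived from the stored forward links exactly as the definition states.

```python
"""Derive back link values from forward link values.

Added illustration of the forward link / back link relationship; not code
from [MS-ADTS]. The linkId table, the pairing it implies and the DNs below
are constructed for this example.
"""
from collections import defaultdict
from typing import Dict, Set

Attrs = Dict[str, Set[str]]   # attribute name -> set of DN values
Objects = Dict[str, Attrs]    # object DN -> its stored (forward link) attributes

# Constructed attributeSchema fragment: attribute name -> linkId.
# Forward links carry even linkIds; the back link is linkId + 1.
# "exampleUnpairedLink" is a constructed forward link with no back link.
LINK_IDS: Dict[str, int] = {
    "member": 2,
    "memberOf": 3,
    "manager": 42,
    "directReports": 43,
    "exampleUnpairedLink": 9000,
}


def pair_links(link_ids: Dict[str, int]) -> Dict[str, str]:
    """Map each forward link attribute to its back link attribute.

    A forward link has an even linkId and its back link has that linkId
    plus one; a forward link with nothing at linkId + 1 has no back link.
    """
    by_id = {lid: name for name, lid in link_ids.items()}
    return {
        name: by_id[lid + 1]
        for name, lid in link_ids.items()
        if lid % 2 == 0 and lid + 1 in by_id
    }


def back_link_values(objects: Objects, forward: str) -> Dict[str, Set[str]]:
    """Back link values for `forward`: one value on object o for each
    object r whose `forward` attribute contains o."""
    values: Dict[str, Set[str]] = defaultdict(set)
    for r, attrs in objects.items():
        for o in attrs.get(forward, set()):
            values[o].add(r)
    return dict(values)


def read_with_back_links(objects: Objects, link_ids: Dict[str, int]) -> Objects:
    """Return a copy of the objects in which every back link attribute has
    been constructed from the stored forward links, as a read would see it.
    Referenced objects that are not in `objects` are ignored."""
    view: Objects = {
        dn: {name: set(vals) for name, vals in attrs.items()}
        for dn, attrs in objects.items()
    }
    for forward, back in pair_links(link_ids).items():
        for o, referrers in back_link_values(objects, forward).items():
            if o in view:
                view[o].setdefault(back, set()).update(referrers)
    return view


# Constructed sample objects in a fictitious domain.
DN_ADMINS = "CN=Admins,OU=Groups,DC=example,DC=test"
DN_OPS = "CN=Ops,OU=Groups,DC=example,DC=test"
DN_ALICE = "CN=Alice,OU=People,DC=example,DC=test"
DN_BOB = "CN=Bob,OU=People,DC=example,DC=test"

SAMPLE_OBJECTS: Objects = {
    DN_ADMINS: {"member": {DN_ALICE, DN_BOB}},
    DN_OPS: {"member": {DN_BOB}},
    DN_ALICE: {},
    DN_BOB: {"manager": {DN_ALICE}},
}

if __name__ == "__main__":
    for dn, attrs in read_with_back_links(SAMPLE_OBJECTS, LINK_IDS).items():
        print(dn, {k: sorted(v) for k, v in attrs.items()})
```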
back link value: The value of a back link attribute.
backup domain controller (BDC): A domain controller (DC) that
receives a copy of the domain directory database from the primary
domain controller (PDC). This copy is synchronized periodically and
automatically with the primary domain controller (PDC). BDCs also
authenticate user logons and can be promoted to function as the
PDC. There is only one PDC or PDC emulator in a domain, and the
rest are backup domain controllers.
Basic Encoding Rules (BER): A set of encoding rules for ASN.1
notation. These encoding schemes allow the identification,
extraction, and decoding of data structures. These encoding rules
are defined in [ITUX690].
big-endian: Multiple-byte values that are byte-ordered with the
most significant byte stored in the memory location with the lowest
address.
binary large object (BLOB): A collection of binary data stored
as a single entity in a database.
bridgehead domain controller (bridgehead DC): A domain
controller (DC) that may replicate updates to or from DCs in sites
other than its own.
broadcast: A style of resource location or data transmission in
which a client makes a request to all parties on a network
simultaneously (a one-to-many communication). Also, a mode of
resource location that does not use a name service.
built-in domain: The security identifier (SID) namespace defined
by the fixed SID S-1-5-32. Contains groups that define roles on a
local machine such as Backup Operators.
built-in domain SID: The fixed SID S-1-5-32.
canonical name: A syntactic transformation of an Active
Directory distinguished name (DN) into something resembling a path
that still identifies an object within a forest. DN "cn=Peter
Houston, ou=NTDEV, dc=microsoft, dc=com" translates to the
canonical name "microsoft.com/NTDEV/Peter Houston", while the DN
"dc=microsoft, dc=com" translates to the canonical name
"microsoft.com/".
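The DN-to-canonical-name transformation described in this entry, as an added example that is not code from [MS-ADTS]. It reproduces both of the entry's examples; the handling of RFC 4514 backslash escapes (so that an escaped comma inside an RDN value does not start a new component) is an assumption of this example and is not stated by the glossary entry.

```python
"""Distinguished name to canonical name.

Added illustration of the transformation described in the glossary entry;
not code from [MS-ADTS]. The backslash-escape handling in split_rdns is an
assumption of this example.
"""
from typing import List, Tuple


def split_rdns(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) pairs in leaf-to-root order.

    A backslash escapes the next character, so "cn=Houston\\, Peter" is one
    RDN whose value is "Houston, Peter". Types are lower-cased and
    surrounding whitespace is trimmed, matching the "cn=..., ou=..." spelling
    used in the glossary.
    """
    components: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])   # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            components.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    components.append("".join(buf))

    rdns: List[Tuple[str, str]] = []
    for comp in components:
        typ, sep, val = comp.partition("=")
        if not sep or not typ.strip():
            raise ValueError(f"malformed RDN: {comp!r}")
        rdns.append((typ.strip().lower(), val.strip()))
    return rdns


def canonical_name(dn: str) -> str:
    """Canonical name: the DNS name formed by the trailing dc= components,
    then the remaining RDN values root-first, joined by '/'. A DN made only
    of dc= components yields "domain/" with nothing after the slash."""
    rdns = split_rdns(dn)
    # The trailing run of dc= components (the root end of the DN) is the domain.
    dc_labels: List[str] = []
    while rdns and rdns[-1][0] == "dc":
        dc_labels.insert(0, rdns.pop()[1])
    if not dc_labels:
        raise ValueError("canonical name requires at least one dc= component")
    domain = ".".join(dc_labels)
    # What remains is leaf-to-root; the canonical-name path reads root-to-leaf.
    path = [value for _, value in reversed(rdns)]
    return domain + "/" + "/".join(path)


if __name__ == "__main__":
    print(canonical_name("cn=Peter Houston, ou=NTDEV, dc=microsoft, dc=com"))
    print(canonical_name("dc=microsoft, dc=com"))
```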
child naming context (child NC): Given naming contexts (NCs)
with their corresponding distinguished names (DNs) forming a child
and parent relationship, the NC in the child relationship is
referred to as the child NC. The parent of a child NC must be an NC
and is referred to as the parent naming context (parent NC).
child object, children: An object that is not the root of its
tree. The children of an object o are the set of all objects whose
parent is o. See section 1 of [MS-ADTS] and section 1 of
[MS-DRSR].
claim: An assertion about a security principal expressed as the
n-tuple {Identifier, ValueType, m Value(s) of type ValueType} where
m is greater than or equal to 1. A claim with only one Value in the
n-tuple is called a single-valued claim; a claim with more than one
Value is called a multi-valued claim.
code page: An ordered set of characters of a specific script in
which a numerical index (code-point value) is associated with each
character. Code pages are a means of providing support for
character sets and keyboard layouts used in different countries.
Devices such as the display and keyboard can be configured to use a
specific code page and to switch from one code page (such as the
United States) to another (such as Portugal) at the user's
request.
Component Object Model (COM): An object-oriented programming
model that defines how objects interact within a single process or
between processes. In COM, clients have access to an object through
interfaces implemented on the object. For more information, see
[MS-DCOM].
computer object: An object of class computer. A computer object
is a security principal object; the principal is the operating
system running on the computer. The shared secret allows the
operating system running on the computer to authenticate itself
independently of any user running on the system. See security
principal.
configuration naming context (config NC): A specific type of
naming context (NC), or an instance of that type, that contains
configuration information. In Active Directory, a single config NC
is shared among all domain controllers (DCs) in the forest. A
config NC cannot contain security principal objects.
constructed attribute: An attribute whose values are computed
from normal attributes (for read) and/or have effects on the values
of normal attributes (for write).
container: An object in the directory that can serve as the
parent for other objects. In the absence of schema constraints, all
objects would be containers. The schema allows only objects of
specific classes to be containers.
control access right: An extended access right that can be
granted or denied on an access control list (ACL).
Coordinated Universal Time (UTC): A high-precision atomic time
standard that approximately tracks Universal Time (UT). It is the
basis for legal, civil time all over the Earth. Time zones around
the world are expressed as positive and negative offsets from UTC.
In this role, it is also referred to as Zulu time (Z) and Greenwich
Mean Time (GMT). In these specifications, all references to UTC
refer to the time at UTC-0 (or GMT).
cross-forest trust: A relationship between two forests that
enables security principals from any domain in one forest to
authenticate to computers joined to any domain in the other
forest.
crossRef object: An object residing in the partitions container
of the config NC that describes the properties of a naming context
(NC), such as its domain naming service name, operational settings,
and so on.
DC functional level: A specification of functionality available
in a domain controller (DC). See [MS-ADTS] section 6.1.4.2 for
possible values and a mapping between the possible values and
product versions.
default domain naming context (default domain NC): When Active
Directory is operating as Active Directory Domain Services (AD DS),
this is the default naming context (default NC) of the domain
controller (DC). When operating as Active Directory Lightweight
Directory Services (AD LDS), this NC is not defined.
default naming context (default NC): When Active Directory is
operating as Active Directory Domain Services (AD DS), the default
naming context (default NC) is the domain naming context (domain
NC) whose full replica is hosted by a domain controller (DC),
except when the DC is a read-only domain controller (RODC), in
which case the default NC is a filtered partial NC replica. When
operating as AD DS, a DC's default NC is the NC of its default NC
replica, and the default NC contains the DC's computer object. When
Active Directory is operating as AD LDS, the default NC is the
naming context (NC) specified by the msDS-DefaultNamingContext
attribute on the nTDSDSA object for the DC. See nTDSDSA object.
default schema: The schema of a given version of Active
Directory, as defined by [MS-ADSC], [MS-ADA1], [MS-ADA2], and
[MS-ADA3] for AD DS, and as defined by [MS-ADLS] for Active
Directory Lightweight Directory Services (AD LDS).
defunct: A state of an attributeSchema or classSchema object
that represents part of the schema. It is not possible to
instantiate a defunct attribute or a defunct class. The opposite
term is active.
deleted-object: An object that has been deleted, but remains in
storage until a configured amount of time (the deleted-object
lifetime) has passed, after which the object is transformed to a
recycled-object. Unlike a recycled-object or a tombstone, a
deleted-object maintains virtually all the state of the object
before deletion, and can be undeleted without loss of information.
Deleted-objects exist only when the Recycle Bin optional feature is
enabled.
deleted-object lifetime: The time period that a deleted-object
is kept in storage before it is transformed into a
recycled-object.
digest: The fixed-length output string from a one-way hash
function that takes a variable-length input string and is
probabilistically unique for every different input string. Also, a
cryptographic checksum of a data (octet) stream.
directory: A forest.
directory object: An Active Directory object, which is a
specialization of the "object" concept that is described in
[MS-ADTS] section 1 or [MS-DRSR] section 1, Introduction, under
Pervasive Concepts. An Active Directory object can be identified by
the objectGUID attribute of a dsname according to the matching
rules defined in [MS-DRSR] section 5.50, DSNAME. The
parent-identifying attribute (not exposed as an LDAP attribute) is
parent. Active Directory objects are similar to LDAP entries, as
defined in [RFC2251]; the differences are specified in [MS-ADTS]
section 3.1.1.3.1.
directory service (DS): A service that stores and organizes
information about a computer network's users and network shares,
and that allows network administrators to manage users' access to
the shares. See also Active Directory.
directory service agent (DSA): A term from the X.500 directory
specification [X501] that represents a component that maintains and
communicates directory information.
discretionary access control list (DACL): An access control list
(ACL) that is controlled by the owner of an object and that
specifies the access particular users or groups can have to the
object.
distinguished name (DN): In Lightweight Directory Access
Protocol (LDAP), an LDAP Distinguished Name, as described in
[RFC2251] section 4.1.3. The DN of an object is the DN of its
parent, preceded by the RDN of the object. For example: CN=David
Thompson, OU=Users, DC=Microsoft, DC=COM. For definitions of CN and
OU, see [RFC2256] sections 5.4 and 5.12, respectively.
DNS name: A fully qualified domain name (FQDN).
domain: A set of users and computers sharing a common namespace
and management infrastructure. At least one computer member of the
set must act as a domain controller (DC) and host a member list
that identifies all members of the domain, as well as optionally
hosting the Active Directory service. The domain controller
provides authentication of members, creating a unit of trust for
its members. Each domain has an identifier that is shared among its
members. For more information, see [MS-AUTHSOD] section 1.1.1.5 and
[MS-ADTS].
domain controller (DC): The service, running on a server, that
implements Active Directory, or the server hosting this service.
The service hosts the data store for objects and interoperates with
other DCs to ensure that a local change to an object replicates
correctly across all DCs. When Active Directory is operating as
Active Directory Domain Services (AD DS), the DC contains full NC
replicas of the configuration naming context (config NC), schema
naming context (schema NC), and one of the domain NCs in its
forest. If the AD DS DC is a global catalog server (GC server), it
contains partial NC replicas of the remaining domain NCs in its
forest. For more information, see [MS-AUTHSOD] section 1.1.1.5.2
and [MS-ADTS]. When Active Directory is operating as Active
Directory Lightweight Directory Services (AD LDS), several AD LDS
DCs can run on one server. When Active Directory is operating as AD
DS, only one AD DS DC can run on one server. However, several AD
LDS DCs can coexist with one AD DS DC on one server. The AD LDS DC
contains full NC replicas of the config NC and the schema NC in its
forest. The domain controller is the server side of Authentication
Protocol Domain Support [MS-APDS].
domain functional level: A specification of functionality
available in a domain. Must be less than or equal to the DC
functional level of every domain controller (DC) that hosts a
replica of the domain's naming context (NC). For information on
defined levels, corresponding features, information on how the
domain functional level is determined, and supported domain
controllers, see [MS-ADTS] sections 6.1.4.2 and 6.1.4.3. When
Active Directory is operating as Active Directory Lightweight
Directory Services (AD LDS), domain functional level does not
exist.
domain joined: A relationship between a machine and some domain
naming context (domain NC) in which they share a secret. The shared
secret allows the machine to authenticate to a domain controller
(DC) for the domain.
domain local group: An Active Directory group that allows user
objects, global groups, and universal groups from any domain as
members. It can additionally include, and be a member of, other
domain local groups from within its domain. A group object g is a
domain local group if and only if GROUP_TYPE_RESOURCE_GROUP is
present in g!groupType; see [MS-ADTS] section 2.2.12, "Group Type
Flags". A security-enabled domain local group is valid for
inclusion within access control lists (ACLs) from its own domain.
If a domain is in mixed mode, then a security-enabled domain local
group in that domain allows only user objects as members.
domain name: A domain name or a NetBIOS name that identifies a
domain.
Domain Name System (DNS): A hierarchical, distributed database
that contains mappings of domain names to various types of data,
such as IP addresses. DNS enables the location of computers and
services by user-friendly names, and it also enables the discovery
of other information stored in the database.
domain naming context (domain NC): A specific type of naming
context (NC), or an instance of that type, that represents a
domain. A domain NC can contain security principal objects; no
other type of NC can contain security principal objects. Domain NCs
appear in the global catalog (GC). A domain NC is hosted by one or
more domain controllers (DCs) operating as AD DS. In AD DS, a
forest has one or more domain NCs. A domain NC cannot exist in AD
LDS. The root of a domain NC is an object of class domainDNS; for
directory replication [MS-DRSR], see domainDNS.
domain prefix: A security identifier (SID) of a domain without
the relative identifier (RID) portion. The domain prefix refers to
the issuing authority SID. For example, the domain prefix of
S-1-5-21-397955417-626881126-188441444-1010 is
S-1-5-21-397955417-626881126-188441444.
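As an added illustration of the domain prefix entry above (example code, not part of [MS-ADTS]): a small parser for string SIDs that validates the textual form, splits an AD DS-issued SID into its domain prefix and RID, and reports which SIDs in a list were not issued by a given domain prefix. The well-known BUILTIN SID and the helper names are assumptions made for this example.

```python
import re

# Constructed sample values: the SID from the glossary entry above and the
# well-known BUILTIN\Administrators SID, which carries no domain prefix.
EXAMPLE_USER_SID = "S-1-5-21-397955417-626881126-188441444-1010"
BUILTIN_ADMINS_SID = "S-1-5-32-544"

_SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)*)$", re.IGNORECASE)


def parse_sid(sid):
    """Validate a string SID; return (identifier authority, sub-authorities)."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a valid string SID: {sid!r}")
    subs = [int(x) for x in m.group(2).split("-")[1:]]
    if len(subs) > 15:  # the binary SID format allows at most 15 sub-authorities
        raise ValueError(f"too many sub-authorities in {sid!r}")
    return int(m.group(1)), subs


def is_domain_prefix(sid):
    """True for an AD DS domain SID of the form S-1-5-21-<a>-<b>-<c>."""
    authority, subs = parse_sid(sid)
    return authority == 5 and len(subs) == 4 and subs[0] == 21


def split_domain_prefix(sid):
    """Return (domain prefix, RID) for a SID issued by an AD DS domain.

    The prefix is the SID minus its last sub-authority, so the glossary's
    S-1-5-21-397955417-626881126-188441444-1010 gives RID 1010 and prefix
    S-1-5-21-397955417-626881126-188441444. Non-domain SIDs are rejected.
    """
    authority, subs = parse_sid(sid)
    if authority != 5 or len(subs) != 5 or subs[0] != 21:
        raise ValueError(f"{sid!r} is not issued by an AD DS domain")
    return "S-1-5-" + "-".join(str(x) for x in subs[:4]), subs[4]


def foreign_sids(sids, domain_prefix):
    """SIDs in `sids` not issued by `domain_prefix`, e.g. when checking that
    every principal granted access to a domain resource is from that domain."""
    if not is_domain_prefix(domain_prefix):
        raise ValueError(f"{domain_prefix!r} is not a domain prefix")
    out = []
    for s in sids:
        try:
            prefix, _rid = split_domain_prefix(s)
        except ValueError:
            prefix = None  # well-known or otherwise non-domain SID
        if prefix != domain_prefix:
            out.append(s)
    return out
```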
downlevel trust: A trust in which one of the peers is running
Windows NT 4.0.
DSA GUID: The objectGUID of a DSA object.
DSA object: See nTDSDSA object.
dsname: A tuple that contains between one and three identifiers
for an object. The term dsname does not stand for anything. The
possible identifiers are the object's GUID (attribute objectGuid),
security identifier (SID) (attribute objectSid), and distinguished
name (DN) (attribute distinguishedName). A dsname can appear in a
protocol message and as an attribute value (for example, a value of
an attribute with syntax Object(DS-DN)). Given a DSName, an object
can be identified within a set of NC replicas according to the
matching rules defined in [MS-DRSR] section 5.49.
dynamic object: An object with a time-to-die (attribute
msDS-Entry-Time-To-Die). The directory service garbage-collects a
dynamic object immediately after its time-to-die has passed. The
constructed attribute entryTTL gives a dynamic object's current
time-to-live, that is, the difference between the current time and
msDS-Entry-Time-To-Die. For more information, see [RFC2589].
entry: In Active Directory, a synonym for object.
existing-object: An object that is not a tombstone,
deleted-object, or recycled-object.
expunge: To permanently remove an object from a naming context
(NC) replica, without converting it to a tombstone.
Extended-Rights container: A container holding objects that
correspond to control access rights. The container is a child of
configuration naming context (config NC) and has relative
distinguished name (RDN) CN=Extended-Rights.
File Replication Service (FRS): One of the services offered by a
domain controller (DC), which is advertised through the Domain
Controller Location protocol. The service being offered to clients
is a replicated data storage volume that is associated with the
default naming context (NC). The running or paused state of the FRS
on a DC is available through protocols documented in [MS-ADTS]
section 6.3.
filter: In the context of the Lightweight Directory Access
Protocol (LDAP), the filter is one of the parameters in a search
request. The filter specifies matching constraints for the
candidate objects.
filtered attribute set: The subset of attributes that are not
replicated to the filtered partial NC replica and the filtered GC
partial NC replica. The filtered attribute set is part of the state
of the forest and is used to control the attributes that replicate
to a read-only domain controller (RODC). The searchFlags schema
attribute is used to define this set.
filtered GC partial NC replica: An NC replica that contains a
schema-specified subset of attributes for the objects. The
attributes consist of the attributes in the GC partial attribute
set (PAS), excluding those present in the filtered attribute set. A
filtered GC partial NC replica is not writable; that is, it does
not accept originating updates.
filtered partial NC replica: An NC replica that contains a
schema-specified subset of attributes for the objects it contains.
The subset of attributes consists of all the attributes of the
objects, excluding those attributes in the filtered attribute set.
A filtered partial NC replica is not writable; that is, it does not
accept originating updates.
flexible single master operation (FSMO): A read or update
operation on a naming context (NC), such that the operation must be
performed on the single designated master replica of that NC. The
master replica designation is "flexible" because it can be changed
without losing the consistency gained from having a single master.
This term, pronounced "fizmo", is never used alone; see also FSMO
role, FSMO role owner, and FSMO object.
foreign principal object (FPO): A foreignSecurityPrincipal
object.
forest: For Active Directory Domain Services (AD DS), a set of
naming contexts (NCs) consisting of one schema naming context
(schema NC), one configuration naming context (config NC), one or
more domain naming contexts (domain NCs), and zero or more
application naming contexts (application NCs). Because a set of NCs
can be arranged into a tree structure, a forest is also a set
containing one or several trees of NCs. For AD LDS, a set of NCs
consisting of one schema NC, one config NC, and zero or more
application NCs. (In Microsoft documentation, an AD LDS forest is
called a "configuration set".)
forest functional level: A specification of functionality
available in a forest. It must be less than or equal to the domain
controller (DC) functional level of every DC in the forest. See
[MS-ADTS] section 6.1.4.4 for information on how the forest
functional level is determined.
forest root domain NC: For Active Directory Domain Services (AD
DS), the domain naming context (domain NC) within a forest whose
child is the forest's configuration naming context (config NC). The
fully qualified domain name (FQDN) of the forest root domain NC
serves as the forest's name.
forward link attribute: An attribute whose values include object
references (for example, an attribute of syntax Object(DS-DN)). The
forward link values can be used to compute the values of a related
attribute, a back link attribute, on other objects. If an object o
refers to object r in forward link attribute f, and there exists a
back link attribute b corresponding to f, then a back link value
referring to o exists in attribute b on object r. The relationship
between the forward and back link attributes is expressed using the
linkId attribute on the attributeSchema objects representing the
two attributes. The forward link's linkId is an even number, and
the back link's linkId is the forward link's linkId plus one. A
forward link attribute can exist with no corresponding back link
attribute, but not vice-versa. For more information, see
[MS-ADTS].
forward link value: The value of a forward link attribute.
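As an added example for the forward link attribute and forward link value entries above (not code from [MS-ADTS]): pairing attributeSchema entries by linkId using the even/odd rule, flagging a back link that has no forward link, and deriving back link values from forward link values. The schema and directory fragments are constructed; only the member/memberOf linkIds 2 and 3 are those of the real AD DS schema.

```python
# Constructed sample of attributeSchema objects reduced to lDAPDisplayName
# and linkId. member/memberOf carry the linkIds 2/3 of the AD DS schema; the
# two x- entries are made up to show the edge cases the glossary describes.
SAMPLE_SCHEMA = [
    {"lDAPDisplayName": "member", "linkId": 2},
    {"lDAPDisplayName": "memberOf", "linkId": 3},
    {"lDAPDisplayName": "cn"},                             # not a linked attribute
    {"lDAPDisplayName": "x-forwardOnly", "linkId": 9000},  # no back link: allowed
    {"lDAPDisplayName": "x-orphanBack", "linkId": 9003},   # no forward link: invalid
]

# Constructed directory fragment: two groups holding forward link values.
SAMPLE_OBJECTS = {
    "CN=Admins,OU=Groups,DC=example,DC=com": {
        "member": ["CN=Alice,OU=Users,DC=example,DC=com",
                   "CN=Bob,OU=Users,DC=example,DC=com"]},
    "CN=Ops,OU=Groups,DC=example,DC=com": {
        "member": ["CN=Alice,OU=Users,DC=example,DC=com"],
        "x-forwardOnly": ["CN=Bob,OU=Users,DC=example,DC=com"]},
}


def pair_links(schema):
    """Return ({forward name: back name or None}, [problems]). A forward link
    has an even linkId and its back link, if any, has linkId + 1; a back link
    without a forward link violates the definition."""
    by_id, problems = {}, []
    for attr in schema:
        lid = attr.get("linkId")
        if lid is None:
            continue
        if lid in by_id:
            problems.append(f"duplicate linkId {lid}")
        by_id[lid] = attr["lDAPDisplayName"]
    pairs = {}
    for lid, name in by_id.items():
        if lid % 2 == 0:
            pairs[name] = by_id.get(lid + 1)
        elif lid - 1 not in by_id:
            problems.append(f"back link {name} (linkId {lid}) has no forward link")
    return pairs, problems


def compute_back_links(objects, pairs):
    """Derive back link values: `objects` maps a DN to {attribute: [DNs]}.
    If object o refers to r in forward link f and f has back link b, then
    b on r contains o."""
    back = {}
    for o_dn, attrs in objects.items():
        for f, targets in attrs.items():
            b = pairs.get(f)
            if b is None:
                continue  # not a forward link, or one without a back link
            for r_dn in targets:
                back.setdefault(r_dn, {}).setdefault(b, set()).add(o_dn)
    return back
```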
FSMO role: A set of objects that can be updated in only one
naming context (NC) replica (the FSMO role owner's replica) at any
given time. For more information, see [MS-ADTS] section 3.1.1.1.11.
See also FSMO role owner.
FSMO role object: An object in a directory that represents a
specific FSMO role. This object is an element of the FSMO role and
contains the fSMORoleOwner attribute.
FSMO role owner: The domain controller (DC) holding the naming
context (NC) replica in which the objects of a FSMO role can be
updated.
full NC replica: A naming context (NC) replica that contains all
the attributes of the objects it contains. A full replica accepts
originating updates.
fully qualified domain name (FQDN): (1) An unambiguous domain
name that gives an absolute location in the Domain Name System's
(DNS) hierarchy tree, as defined in [RFC1035] section 3.1 and
[RFC2181] section 11.
(2) In Active Directory, a fully qualified domain name (FQDN)
(1) that identifies a domain.
garbage collection: The process of identifying logically deleted
objects (also known as tombstones) and link values that have passed
their tombstone lifetime, and then permanently removing these
objects from a naming context (NC) replica. Garbage collection does
not generate replication traffic.
GC partial attribute set (PAS): The subset of attributes that
replicate to a GC partial NC replica. A particular GC partial
attribute set (PAS) is part of the state of the forest and is used
to control the attributes that replicate to global catalog servers
(GC servers). The isMemberOfPartialAttributeSet schema attribute is
used to define this set.
GC partial NC replica: An NC replica that contains a
schema-specified subset of attributes for the objects it contains.
The subset of attributes consists of the attributes in the GC
partial attribute set (PAS). A GC partial NC replica is not
writable; that is, it does not accept originating updates.
global catalog (GC): A unified partial view of multiple naming
contexts (NCs) in a distributed partitioned directory. The Active
Directory directory service GC is implemented by GC servers. The
definition of global catalog is specified in [MS-ADTS] section
3.1.1.1.8.
global catalog server (GC server): A domain controller (DC) that
contains a naming context (NC) replica (one full, the rest partial)
for each domain naming context in the forest.
global group: An Active Directory group that allows user objects
from its own domain and global groups from its own domain as
members. Also called domain global group. Universal groups can
contain global groups. A group object g is a global group if and
only if GROUP_TYPE_ACCOUNT_GROUP is present in g!groupType; see
[MS-ADTS] section 2.2.12, "Group Type Flags". A global group that
is also a security-enabled group is valid for inclusion within ACLs
anywhere in the forest. If a domain is in mixed mode, then a global
group in that domain that is also a security-enabled group allows
only user objects as members. See also domain local group,
security-enabled group.
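As an added example covering the domain local group and global group entries above (example code, not from [MS-ADTS]): decoding the groupType attribute as an LDAP client receives it and applying the glossary's rules for group scope and for where a security-enabled group is valid in ACLs. The numeric flag values come from [MS-ADTS] section 2.2.12, which this page only cites by name; the sample DNs and groupType values are constructed.

```python
# Flag values from [MS-ADTS] section 2.2.12, "Group Type Flags". Only the flag
# names appear in the glossary; the numeric values are taken from that section.
GROUP_TYPE_BUILTIN_LOCAL_GROUP = 0x00000001
GROUP_TYPE_ACCOUNT_GROUP = 0x00000002   # global group
GROUP_TYPE_RESOURCE_GROUP = 0x00000004  # domain local group
GROUP_TYPE_UNIVERSAL_GROUP = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000

# Constructed sample: groupType values as an LDAP client receives them. The
# attribute is a signed 32-bit integer, so every security-enabled group is
# reported as a negative number.
SAMPLE_GROUPS = {
    "CN=Domain Admins,CN=Users,DC=example,DC=com": -2147483646,
    "CN=Server Operators,CN=Builtin,DC=example,DC=com": -2147483643,
    "CN=Helpdesk,OU=Groups,DC=example,DC=com": -2147483644,
    "CN=Newsletter,OU=Groups,DC=example,DC=com": 2,
}


def normalize_group_type(value):
    """Map the signed LDAP integer back to the unsigned 32-bit flag word."""
    v = int(value)
    if not -0x80000000 <= v <= 0xFFFFFFFF:
        raise ValueError(f"groupType {value!r} does not fit in 32 bits")
    return v & 0xFFFFFFFF


def classify_group(value):
    """Apply the glossary rules to an AD DS group: domain local iff
    GROUP_TYPE_RESOURCE_GROUP is set, global iff GROUP_TYPE_ACCOUNT_GROUP is
    set; a security-enabled domain local group is valid in ACLs of its own
    domain only, a security-enabled global group anywhere in the forest, and
    a group that is not security-enabled (distribution group) nowhere."""
    gt = normalize_group_type(value)
    flags = {
        "global": bool(gt & GROUP_TYPE_ACCOUNT_GROUP),
        "domain local": bool(gt & GROUP_TYPE_RESOURCE_GROUP),
        "universal": bool(gt & GROUP_TYPE_UNIVERSAL_GROUP),
    }
    scopes = [name for name, on in flags.items() if on]
    if len(scopes) != 1:
        raise ValueError(f"groupType 0x{gt:08X} must carry exactly one scope flag")
    scope = scopes[0]
    security = bool(gt & GROUP_TYPE_SECURITY_ENABLED)
    if not security:
        acl_scope = "none"
    elif scope == "domain local":
        acl_scope = "own domain"
    else:
        # Global groups per the glossary; universal groups get the same
        # treatment elsewhere in [MS-ADTS] but are not covered by this page.
        acl_scope = "forest"
    return {
        "scope": scope,
        "security_enabled": security,
        "builtin": bool(gt & GROUP_TYPE_BUILTIN_LOCAL_GROUP),
        "acl_scope": acl_scope,
    }
```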
globally unique identifier (GUID): A term used interchangeably
with universally unique identifier (UUID) in Microsoft protocol
technical documents (TDs). Interchanging the usage of these terms
does not imply or require a specific algorithm or mechanism to
generate the value. Specifically, the use of this term does not
imply or require that the algorithms described in [RFC4122] or
[C706] must be used for generating the GUID. See also universally
unique identifier (UUID).
group: A collection of objects that can be treated as a
whole.
group object: In Active Directory, a group object has an object
class group. A group has a forward link attribute member; the
values of this attribute either represent elements of the group
(for example, objects of class user or computer) or subsets of the
group (objects of class group). The representation of group subsets
is called "nested group membership". The back link attribute
memberOf enables navigation from group members to the groups
containing them. Some groups represent groups of security
principals and some do not and are, for instance, used to represent
email distribution lists.
Group Policy: A mechanism that allows the implementer to specify
managed