6.4.2 State in an Active Directory Domain

A machine m that is a member of an Active Directory domain d has a corresponding object o in d's domain NC. The object o is called the machine account of the joined machine m. The objectClass attribute of o contains the class computer. In addition to objectClass, the following attributes of o are significant to the membership of m in d:

  • sAMAccountName

  • userAccountControl

  • unicodePwd

  • msDS-SupportedEncryptionTypes

The syntax and other details of these attributes are documented in [MS-ADA1], [MS-ADA2], and [MS-ADA3].

The following predicates are satisfied by the joined machine m's state and the state of object o:

  • the domain d's NetBIOS name equals m.domain-name.netbios

  • the domain d's fully qualified DNS name equals m.domain-name.dns

  • o!userAccountControl & ADS_UF_WORKSTATION_TRUST_ACCOUNT ≠ 0 (that is, the 0x1000 flag is set, marking o as a machine trust account rather than a user account)

  • o!sAMAccountName equals m.machine-account-name

  • o!unicodePwd equals m.domain-secret

  • o!msDS-SupportedEncryptionTypes equals m.supported-encryption-types, in the format specified in [MS-KILE] section 2.2.7 (a bit mask of Kerberos encryption types). Note that the msDS-SupportedEncryptionTypes attribute is not supported on all products. Where the attribute is unsupported, m.supported-encryption-types is set to NULL rather than to a value.

Section 6.1.1.2.1.1.4 specifies the representation of a domain's NetBIOS name. A domain's fully qualified DNS name is derived from the DN of its root object, as specified in section 3.1.1.1.5.
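The predicates above, together with the derivation of the DNS name from the root object's DN, amount to a consistency check that can be run against a machine's recorded state and the attributes of its machine account. The following Python is an added example, not part of [MS-ADTS]; the domain name, account name, secret and attribute values are constructed, the DN-to-DNS derivation assumes only DC components matter (section 3.1.1.1.5), and the msDS-SupportedEncryptionTypes bit values are those of [MS-KILE] section 2.2.7.

```python
"""Check the join-state predicates of [MS-ADTS] 6.4.2 against a machine's
view of the domain and the attributes of its machine account object o.
Added example; attribute values below are constructed, not from a real DC."""
from dataclasses import dataclass
from typing import Optional

# userAccountControl flag that marks o as a machine (trust) account.
ADS_UF_WORKSTATION_TRUST_ACCOUNT = 0x1000

# msDS-SupportedEncryptionTypes bits, as specified in [MS-KILE] section 2.2.7.
ENC_TYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}


@dataclass
class Domain:
    """The joined domain d: its NetBIOS name and the DN of its NC root object."""
    netbios_name: str
    root_dn: str


@dataclass
class JoinedMachine:
    """The state variables of the joined machine m (names as in the text)."""
    domain_name_netbios: str
    domain_name_dns: str
    machine_account_name: str
    domain_secret: bytes
    supported_encryption_types: Optional[int]  # None where the attribute is unsupported


def dns_name_from_root_dn(root_dn: str) -> str:
    """Derive the domain's DNS name from the DN of its root object
    (section 3.1.1.1.5): 'DC=corp,DC=example,DC=com' -> 'corp.example.com'.
    Assumes no escaped commas inside DC values, which DNS labels cannot contain."""
    labels = []
    for rdn in root_dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().upper() == "DC":
            labels.append(value.strip())
    return ".".join(labels)


def decode_enc_types(value: int) -> list:
    """Name the encryption types enabled in a msDS-SupportedEncryptionTypes value."""
    return [name for bit, name in sorted(ENC_TYPE_BITS.items()) if value & bit]


def check_join_state(m: JoinedMachine, d: Domain, o: dict) -> list:
    """Return the names of the 6.4.2 predicates that do NOT hold.
    o is the machine account object as a dict of LDAP attribute -> value;
    a key that is absent models an attribute the DC does not support.
    NetBIOS, DNS and sAMAccountName comparisons are case-insensitive, as in AD."""
    failures = []
    if d.netbios_name.upper() != m.domain_name_netbios.upper():
        failures.append("netbios-name")
    if dns_name_from_root_dn(d.root_dn).lower() != m.domain_name_dns.lower():
        failures.append("dns-name")
    if "computer" not in o.get("objectClass", []):
        failures.append("objectClass")
    if o.get("userAccountControl", 0) & ADS_UF_WORKSTATION_TRUST_ACCOUNT == 0:
        failures.append("userAccountControl")
    if o.get("sAMAccountName", "").upper() != m.machine_account_name.upper():
        failures.append("sAMAccountName")
    # unicodePwd is not readable over LDAP; a real check would authenticate with
    # m.domain_secret instead. Here both sides are constructed, so compare directly.
    if o.get("unicodePwd") != m.domain_secret:
        failures.append("unicodePwd")
    if "msDS-SupportedEncryptionTypes" in o:
        if o["msDS-SupportedEncryptionTypes"] != m.supported_encryption_types:
            failures.append("msDS-SupportedEncryptionTypes")
    elif m.supported_encryption_types is not None:
        # Attribute unsupported on this DC: m must record NULL, not a value.
        failures.append("msDS-SupportedEncryptionTypes")
    return failures


def sample_state():
    """Constructed (not captured) values for a consistent join of WS01 to CORP."""
    d = Domain(netbios_name="CORP", root_dn="DC=corp,DC=example,DC=com")
    m = JoinedMachine("CORP", "corp.example.com", "WS01$", b"constructed-secret", 0x1C)
    o = {
        "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
        "userAccountControl": ADS_UF_WORKSTATION_TRUST_ACCOUNT,
        "sAMAccountName": "WS01$",
        "unicodePwd": b"constructed-secret",
        "msDS-SupportedEncryptionTypes": 0x1C,   # RC4 + AES128 + AES256
    }
    return m, d, o


if __name__ == "__main__":
    m, d, o = sample_state()
    print("predicate failures:", check_join_state(m, d, o))
    o["userAccountControl"] = 0x200   # ADS_UF_NORMAL_ACCOUNT: a user, not a machine
    print("after flipping the UAC flag:", check_join_state(m, d, o))
    print("enctypes:", decode_enc_types(o["msDS-SupportedEncryptionTypes"]))
```

The encryption-type branch is the one that trips people up in mixed environments: an absent attribute is not the same as a value of 0, and the machine-side variable must be NULL in the former case and equal to the stored mask in the latter.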

The specific choices made in implementing a machine joined to a domain (for example, for maintaining these variables) are outside the state model. Windows might periodically update m.domain-secret on the client machine and o!unicodePwd in Active Directory (the machine account password change, which by default occurs every 30 days). This behavior is not required for a functional domain join.