3.6 Example 6: Querying Active Directory for Scope of Management and Version Information
In this example, a Group Policy client queries a Group Policy server for SOM and version information. SOM containers such as domain, site, and OU containers hold user and computer account information and are associated with GPOs. Each GPO is associated with a specific policy target, such as a user or computer account. Messages exchanged between the Group Policy client and the Group Policy server use LDAP as a transport.
This example loosely maps to the use case specified in Applying Group Policy — Group Policy client (section 2.5.2).
Prerequisites
The following prerequisites apply to this example:
The Group Policy client has discovered the Group Policy server and has connected with Active Directory, as described in [MS-GPOL] section 3.2.5.1.1.
The Group Policy server stores policy and responds to LDAP requests from the Group Policy client.
The Group Policy client maintains a consistent configuration of policy information that is retrieved from the Group Policy server, which includes registry settings, WMI data, and RSoP data.
The Group Policy administrator ensures that the Group Policy client policy configuration aligns with business requirements.
Initial System State
The initial state of Group Policy corresponds to the previously specified prerequisites.
Final System State
The state of Group Policy and its components after execution of this example can be described as follows:
The Group Policy client successfully retrieved the SOM and version information from the Group Policy server.
Sequence of Events
The following diagram shows the message sequence that occurs when the Group Policy client queries Active Directory for SOM and version information.

Figure 17: Querying Active Directory for SOM and version information
The message sequence for this example is described as follows:
The Group Policy client sends an LDAP BindRequest, as described in [RFC2251] section 4.2, to the Group Policy server.
The Group Policy server sends an LDAP BindResponse, as described in [RFC2251] section 4.2.3, to the Group Policy client.
The Group Policy client sends an LDAP domain SOM SearchRequest to the Group Policy server, to query for the gpLink and gpOption attributes for its DN for the domain naming context (domain NC), as described in [MS-GPOL] section 3.2.5.1.3.
The Group Policy server returns the domain SOM list via an LDAP SearchResponse, as described in [MS-GPOL] section 3.2.5.1.3.
The Group Policy client processes the gpLink and gpOption attributes information for the domain SOM and uses it to search for the list of GPOs for the domain SOM, as described in [MS-GPOL] section 3.2.5.1.5.
The Group Policy client sends an LDAP BindRequest to the Group Policy server.
The Group Policy server sends an LDAP BindResponse to the Group Policy client.
The Group Policy client sends its DNS name to the Group Policy server via Netlogon.
The Group Policy server returns the site name of the Group Policy client via Netlogon.
The Group Policy client sends an LDAP SearchRequest to the Group Policy server, to query for the configurationNamingContext attribute for the root of the domain, as described in [MS-GPOL] section 3.2.5.1.4.
The Group Policy server returns the site store value via an LDAP SearchResponse message.
The Group Policy client processes the configurationNamingContext attribute information for the root domain and uses it to compute the DN of the site, as described in [MS-GPOL] section 3.2.5.1.4.
The Group Policy client sends an LDAP SearchRequest message to the Group Policy server, to query for the gpLink and gpOption attributes to obtain the DN for the config NC, as described in [MS-GPOL] section 3.2.5.1.4.
The Group Policy server returns the site SOM list via an LDAP SearchResponse message.
The Group Policy client processes the gpLink and gpOption attributes information for the site SOM and uses this information to search for the list of GPOs for the domain SOM, as described in [MS-GPOL] section 3.2.5.1.5.
The Group Policy client sends an LDAP UnBindRequest, as described in [RFC2251] section 4.3, to the Group Policy server.
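The following added example (not part of the original specification text) shows the client-side processing in the steps above: computing the site DN from the configurationNamingContext value, and splitting a returned gpLink value into GPO DNs with their link options. It assumes the gpLink entry format and option bits defined in [MS-GPOL] (link option 1 = disabled, 2 = enforced; gpOption bit 1 = block inheritance); the function names, sample DNs, and site name are constructed for illustration.

```python
import re
from dataclasses import dataclass

# GPLinkOptions bits carried after the ';' in each gpLink entry.
LINK_DISABLED = 0x1      # link is ignored during processing
LINK_ENFORCED = 0x2      # link cannot be blocked by a lower-level SOM
BLOCK_INHERITANCE = 0x1  # gpOption bit set on the SOM itself

_ENTRY = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)

@dataclass(frozen=True)
class GpoLink:
    gpo_dn: str
    disabled: bool
    enforced: bool

def parse_gplink(value):
    """Split a gpLink string into links, kept in attribute order."""
    value = (value or "").strip()  # a cleared gpLink may hold only whitespace
    links = [GpoLink(dn, bool(int(o) & LINK_DISABLED), bool(int(o) & LINK_ENFORCED))
             for dn, o in _ENTRY.findall(value)]
    # Refuse partially parsed values rather than silently dropping a link.
    if _ENTRY.sub("", value).strip():
        raise ValueError("malformed gpLink value")
    return links

def site_dn(site_name, configuration_nc):
    """DN of the site SOM under the configuration naming context."""
    return f"CN={site_name},CN=Sites,{configuration_nc}"

def summarize_som(gplink, gpoption):
    """Report which linked GPOs are active or enforced for one SOM."""
    links = parse_gplink(gplink)
    return {
        "block_inheritance": bool(int(gpoption or 0) & BLOCK_INHERITANCE),
        "active": [l.gpo_dn for l in links if not l.disabled],
        "enforced": [l.gpo_dn for l in links if l.enforced and not l.disabled],
    }

# Constructed sample values (not taken from the specification).
_SUFFIX = ",cn=policies,cn=system,DC=example,DC=com"
SAMPLE_GPLINK = (
    "[LDAP://cn={11111111-1111-1111-1111-111111111111}" + _SUFFIX + ";0]"
    "[LDAP://cn={22222222-2222-2222-2222-222222222222}" + _SUFFIX + ";2]"
    "[LDAP://cn={33333333-3333-3333-3333-333333333333}" + _SUFFIX + ";1]"
)

if __name__ == "__main__":
    print(site_dn("Default-First-Site-Name", "CN=Configuration,DC=example,DC=com"))
    print(summarize_som(SAMPLE_GPLINK, "1"))
```

Run against exported gpLink values, the same summary helps an administrator spot enforced links and SOMs that block inheritance when reviewing which GPOs reach a given client.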