3.2.5.1.1 DC Discovery and AD Connection Establishment

The client performs the following steps to discover a DC and establish an Active Directory connection with it. Steps 2-7 are performed while impersonating the policy target as specified in [MS-DTYP] (section 2.7), Impersonation Abstract Interfaces. If steps 2-7 fail the first time, they are performed a second time.

  1. The client locates a domain controller (DC) by invoking the DsrGetDcNameEx2 method (as specified in [MS-NRPC] section 3.5.4.3.1) locally with the following parameters:

    • NULL for ComputerName.

    • NULL for AccountName.

    • 0 for AllowableAccountControlBits.

    • Policy Target Domain Name (section 3.2.1.16) for DomainName.

    • NULL for DomainGuid.

    • NULL for SiteName.

    • Values B and R for Flags on the first iteration; on the second iteration, value A is passed as well.

      If the method returns a nonzero error code, policy application MUST be terminated. Otherwise, the Group Policy Server ADM element (specified in section 3.2.1.13) is populated with the value of the DomainControllerName field in the returned DOMAIN_CONTROLLER_INFOW structure.

  2. The client invokes the task "Initialize an ADConnection", as defined in [MS-ADTS] section 7.6.1.1, with the following parameters:

    • TaskInputTargetName: Value of Group Policy Server ADM element.

    • TaskInputPortNumber: 389

    • Store the new TaskReturnADConnection returned from the task as the Group Policy Client AD Connection Handle ADM element.

      If the task returns failure and it is the first iteration, repeat from step 1. Otherwise, policy application MUST be terminated and an event logged using an implementation-specific mechanism, as defined in section 3.2.5.1.

  3. The Group Policy client invokes the task "Setting an LDAP Option on an ADConnection", as defined in [MS-ADTS] section 7.6.1.2, passing the Group Policy Client AD Connection Handle ADM element, and setting the options specified by the following TaskInputOptionName and TaskInputOptionValue pairs:

    • LDAP_OPT_PROTOCOL_VERSION set to 3

    • LDAP_OPT_SIGN set to TRUE

      If the task returns failure and it is the first iteration, repeat from step 1. Otherwise, policy application MUST be terminated and an event logged using an implementation-specific mechanism as defined in step 2.

  4. If Policy Application Mode is Computer, the client invokes the task "Setting an LDAP Option on an ADConnection", as defined in [MS-ADTS] section 7.6.1.2, with the following parameters:

    • TaskInputADConnection: Value of the Group Policy Client AD Connection Handle ADM element

    • TaskInputOptionName: LDAP_OPT_DNSDOMAIN_NAME

    • TaskInputOptionValue: Value of the Policy Target Domain Name ADM element

      If the task returns failure and it is the first iteration, repeat from step 1. Otherwise, policy application MUST be terminated and an event logged using an implementation-specific mechanism as defined in step 2.

  5. The client invokes the task "Establishing an ADConnection", as defined in [MS-ADTS] section 7.6.1.3, with the following parameter:

    • TaskInputADConnection: Value of the Group Policy Client AD Connection Handle ADM element

      If the task returns FALSE, policy application MUST be terminated and an event logged using an implementation-specific mechanism as defined in step 2.

  6. The client invokes the task "Setting an LDAP Option on an ADConnection", as defined in [MS-ADTS] section 7.6.1.2, with the following parameters:

    • TaskInputADConnection: Value of the Group Policy Client AD Connection Handle ADM element

    • TaskInputOptionName: LDAP_OPT_AUTH_INFO

    • TaskInputOptionValue:

      For computer policy mode,

      • bindMethod: SASL with Kerberos as underlying authentication protocol ([MS-ADTS] section 5.1.1.1).

      • name: NULL

      • password: NULL

      For user policy mode,

      • bindMethod: SASL using the GSS-SPNEGO mechanism ([MS-ADTS] section 5.1.1.1).

      • name: NULL

      • password: NULL

  7. After the Active Directory connection is initialized and the options are set, the client invokes the "Performing an LDAP Bind on an ADConnection" task, as specified in [MS-ADTS] section 7.6.1.4, with the following parameter:

    • TaskInputADConnection: Value of the Group Policy Client AD Connection Handle ADM element

      If the TaskReturnStatus returned is not 0 and it is the first iteration, repeat from step 1. Otherwise, policy application MUST be terminated and an event logged using an implementation-specific mechanism as defined in step 2.
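The retry and termination rules across steps 1-7 are easy to misread (steps 2, 3, 4 and 7 get one retry from step 1; step 1 and step 5 failures terminate immediately), so the following is an added executable model of the procedure. It is not code from the specification or from any Windows component: the [MS-NRPC] DsrGetDcNameEx2 call and the [MS-ADTS] ADConnection tasks are replaced by caller-supplied callables, the flag labels "B", "R" and "A" stand for the unnamed flag values the section refers to, the DC name is a constructed sample, and, because the section states no failure handling for step 6, the model treats a step 6 failure like step 3 (an assumption).

```python
"""Executable model of the DC discovery / AD connection procedure (steps 1-7).

Added illustration, not specification code. Abstract tasks are injected as
callables so the retry and termination rules can be exercised offline.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Optional

LDAP_PORT = 389  # TaskInputPortNumber from step 2


@dataclass
class Tasks:
    """Constructed stand-ins for the abstract tasks, returning what the section describes."""
    dsr_get_dc_name_ex2: Callable[[dict], tuple]     # -> (status, DomainControllerName)
    initialize: Callable[[str, int], Optional[Any]]  # -> TaskReturnADConnection, None on failure
    set_option: Callable[[Any, str, Any], bool]      # -> True on success
    establish: Callable[[Any], bool]                 # -> TRUE / FALSE
    bind: Callable[[Any], int]                       # -> TaskReturnStatus, 0 on success


@dataclass
class ClientState:
    policy_target_domain_name: str              # Policy Target Domain Name ADM element
    policy_application_mode: str                # "Computer" or "User"
    group_policy_server: Optional[str] = None   # Group Policy Server ADM element
    ad_connection_handle: Any = None            # Group Policy Client AD Connection Handle
    options_set: list = field(default_factory=list)
    events: list = field(default_factory=list)  # implementation-specific event log


def auth_info_for(mode: str) -> dict:
    """Step 6 TaskInputOptionValue: Kerberos-only SASL for computer policy, GSS-SPNEGO for user."""
    bind_method = "SASL/Kerberos" if mode == "Computer" else "SASL/GSS-SPNEGO"
    return {"bindMethod": bind_method, "name": None, "password": None}


def _attempt(state: ClientState, tasks: Tasks, iteration: int) -> dict:
    first = iteration == 1
    state.options_set.clear()
    state.ad_connection_handle = None

    def terminate(step: int) -> dict:
        state.events.append(f"step {step} failed on iteration {iteration}")
        return {"result": "terminated", "step": step, "iteration": iteration}

    def retry_or_terminate(step: int) -> dict:  # rule shared by steps 2, 3, 4, 7
        return {"result": "retry", "step": step, "iteration": iteration} if first else terminate(step)

    # Step 1: locate a DC. Flags B and R always; A is added on the second pass.
    flags = {"B", "R"} if first else {"B", "R", "A"}
    status, dc_name = tasks.dsr_get_dc_name_ex2({
        "ComputerName": None, "AccountName": None, "AllowableAccountControlBits": 0,
        "DomainName": state.policy_target_domain_name, "DomainGuid": None,
        "SiteName": None, "Flags": flags})
    if status != 0:  # nonzero error code: terminate, no second pass
        return {"result": "terminated", "step": 1, "iteration": iteration}
    state.group_policy_server = dc_name

    # Step 2: initialize the ADConnection against the discovered DC on port 389.
    handle = tasks.initialize(dc_name, LDAP_PORT)
    if handle is None:
        return retry_or_terminate(2)
    state.ad_connection_handle = handle

    # Steps 3 and 4: protocol version 3 and signing always; DNS domain name in Computer mode only.
    options = [(3, "LDAP_OPT_PROTOCOL_VERSION", 3), (3, "LDAP_OPT_SIGN", True)]
    if state.policy_application_mode == "Computer":
        options.append((4, "LDAP_OPT_DNSDOMAIN_NAME", state.policy_target_domain_name))
    for step, name, value in options:
        if not tasks.set_option(handle, name, value):
            return retry_or_terminate(step)
        state.options_set.append((name, value))

    # Step 5: a FALSE return terminates immediately, with no retry.
    if not tasks.establish(handle):
        return terminate(5)

    # Step 6: auth info. Assumption: failure handled like step 3 (the section is silent).
    auth = auth_info_for(state.policy_application_mode)
    if not tasks.set_option(handle, "LDAP_OPT_AUTH_INFO", auth):
        return retry_or_terminate(6)
    state.options_set.append(("LDAP_OPT_AUTH_INFO", auth))

    # Step 7: bind; nonzero TaskReturnStatus gets one retry from step 1.
    if tasks.bind(handle) != 0:
        return retry_or_terminate(7)
    return {"result": "connected", "step": 7, "iteration": iteration}


def discover_and_connect(state: ClientState, tasks: Tasks) -> dict:
    """Run the procedure; a second pass only happens when the first pass asks to retry."""
    outcome = None
    for iteration in (1, 2):
        outcome = _attempt(state, tasks, iteration)
        if outcome["result"] != "retry":
            break
    return outcome


def make_tasks(initialize_failures: int = 0, establish_ok: bool = True, bind_status: int = 0):
    """Constructed Tasks: DC lookup always succeeds; initialize fails the first N times."""
    calls = {"flags": [], "initialize_left": initialize_failures}

    def dsr(params: dict) -> tuple:
        calls["flags"].append(sorted(params["Flags"]))
        return 0, "\\\\dc1.example.test"  # constructed DomainControllerName

    def initialize(target: str, port: int) -> Optional[dict]:
        if calls["initialize_left"] > 0:
            calls["initialize_left"] -= 1
            return None
        return {"target": target, "port": port}

    return Tasks(dsr, initialize, lambda h, n, v: True,
                 lambda h: establish_ok, lambda h: bind_status), calls


if __name__ == "__main__":
    st = ClientState("example.test", "Computer")
    t, c = make_tasks(initialize_failures=1)
    print(discover_and_connect(st, t), c["flags"], st.options_set)
```

Running the module shows a first-pass initialize failure being retried with flag A added to the DC lookup, and the resulting option set with LDAP_OPT_SIGN and the Kerberos-only bind for computer policy; swapping in `establish_ok=False` shows the step 5 path, which terminates after a single DC lookup.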