3.2.2.1.3.1 Search Requests

The CA SHOULD perform search requests demonstrated in the following figure.<110>

Figure 5: Retrieving an ADConnection handle for reading user or computer object with provided DC name.

The following steps describe the flow of the preceding figure:

  1. The CA MUST validate the provided DC name by performing the following processing rules:

    1. Perform the processing rules in section 3.2.2.1.2 with the following modification: in step 3 of the processing rules in section 3.2.2.1.2.1, use the following parameters:

      • baseObject: NULL

      • scope: wholeSubtree

      • filter: (&(objectCategory=computer)(servicePrincipalName=HOST/DCName)) where DCName is the input parameter.

      • attributes: The CA SHOULD use the following attributes:

        • dNSHostName

        • serverReferenceBL

        • servicePrincipalName

          The rest of the parameters and processing rules are the same as in section 3.2.2.1.2.

    2. Perform the processing rules in section 3.2.2.1.2 with the following modification: in step 3 of the processing rules in section 3.2.2.1.2.1, use the following parameters:

      • baseObject: serverReferenceBL attribute value from the previous step

      • scope: wholeSubtree

      • filter: (objectCategory=nTDSDSA)

      • attributes: NULL

        The rest of the parameters and processing rules are the same as in section 3.2.2.1.2.

    3. If the previous search request returned exactly one entry, proceed with the rest of the processing rules. Otherwise, return a nonzero error to the client and exit.

  2. Invoke the "Initialize ADConnection" task ([MS-ADTS] section 7.6.1.1) to construct an ADConnection with the following parameters:

    • TaskInputTargetName: DCName

    • TaskInputPortNumber: 389

    • Store the generated ADConnection handle in the ActiveDirectory_Connection variable.

  3. Perform a bind request as specified in section 3.2.2.1.3.2.

  4. Invoke the "Perform an LDAP Operation on an ADConnection" task ([MS-ADTS] section 7.6.1.6) with the following parameters:

    • TaskInputADConnection: ActiveDirectory_Connection

    • TaskInputRequestMessage: LDAP SearchRequest message (see [RFC2251] section 4.5.1), as follows:

      • baseObject: EndEntityDistinguishedName

      • scope: baseObject

      • filter: (|(objectCategory=user)(objectCategory=computer))

      • attributes: The CA SHOULD use the following attributes:

        • objectClass

        • cn

        • dNSHostName

        • mail

        • objectGUID

        • objectSid

        • userPrincipalName

      • sizeLimit: 10000

      • timeLimit: 120

      • derefAliases: neverDerefAliases

      • typesOnly: FALSE

    • TaskOutputResultMessage: Upon successful return from the task, this parameter will contain the results of the LDAP search. Set the output parameter EndEntityAttributes equal to TaskOutputResultMessage.

  5. If the TaskReturnStatus returned is not 0, convert it to a 4-byte HRESULT value (errors are specified in [MS-ERREF] section 2.1) by performing the processing rules in section 3.2.2.1.7 with the following input parameters:

    • InputReturnStatus: TaskReturnStatus

    • InputResultMessage: TaskOutputResultMessage

    Return the OutputHRESULT output parameter to the client and exit.

  6. Invoke the "Perform an LDAP Unbind on an ADConnection" task (see [MS-ADTS] section 7.6.1.5) with the TaskInputADConnection parameter set to be equal to ActiveDirectory_Connection.
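The following is an added example, not part of the specification: a Python model of the DC-name validation in step 1 and the end-entity SearchRequest in step 4, driven by an injectable search function so that it runs offline against a constructed directory. The names search_fn and sample_search, the sample DNs, the single-match checks on the first search and on serverReferenceBL, and the RFC 4515 filter escaping of the caller-supplied DCName are assumptions of this example.

```python
# RFC 4515 escaping for values placed in a filter; assumed here (the spec does not
# spell it out) because DCName is caller-supplied input.
_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    return "".join(_ESC.get(ch, ch) for ch in value)

def validate_dc_name(dc_name, search_fn):
    """Step 1. search_fn(base, scope, filter, attrs) -> [(dn, {attr: [values]})] stands in for
    section 3.2.2.1.2. True only if exactly one nTDSDSA object sits under serverReferenceBL."""
    spn_filter = ("(&(objectCategory=computer)(servicePrincipalName=HOST/%s))"
                  % escape_filter_value(dc_name))
    hits = search_fn(None, "wholeSubtree", spn_filter,
                     ["dNSHostName", "serverReferenceBL", "servicePrincipalName"])
    if len(hits) != 1 or len(hits[0][1].get("serverReferenceBL", [])) != 1:
        return False  # assumption: one computer object and one back-link per DC name
    server_dn = hits[0][1]["serverReferenceBL"][0]
    return len(search_fn(server_dn, "wholeSubtree", "(objectCategory=nTDSDSA)", None)) == 1

def end_entity_search_request(end_entity_dn):
    """Step 4: the SearchRequest fields handed to 'Perform an LDAP Operation'."""
    return {"baseObject": end_entity_dn, "scope": "baseObject",
            "filter": "(|(objectCategory=user)(objectCategory=computer))",
            "attributes": ["objectClass", "cn", "dNSHostName", "mail",
                           "objectGUID", "objectSid", "userPrincipalName"],
            "sizeLimit": 10000, "timeLimit": 120,
            "derefAliases": "neverDerefAliases", "typesOnly": False}

# Constructed sample directory: a DC's computer object and its NTDS Settings object.
_SERVER = "CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example"
SAMPLE_DIRECTORY = {
    "CN=DC01,OU=Domain Controllers,DC=corp,DC=example": {
        "objectCategory": ["computer"], "serverReferenceBL": [_SERVER],
        "servicePrincipalName": ["HOST/dc01.corp.example", "HOST/DC01"]},
    "CN=NTDS Settings," + _SERVER: {"objectCategory": ["nTDSDSA"]},
}
_SPN_PREFIX = "(&(objectCategory=computer)(servicePrincipalName=HOST/"

def sample_search(base, scope, ldap_filter, attributes):
    """Offline stand-in for the LDAP server: understands only this section's two
    filters and, like AD, compares SPN values case-insensitively (all SPNs are HOST/...)."""
    want = ldap_filter[len(_SPN_PREFIX):-2].lower() if ldap_filter.startswith(_SPN_PREFIX) else None
    out = []
    for dn, attrs in SAMPLE_DIRECTORY.items():
        if base is not None and not dn.endswith("," + base): continue
        spns = [escape_filter_value(v[5:]).lower() for v in attrs.get("servicePrincipalName", [])]
        if (want is not None and want in spns) or (want is None and
                ldap_filter == "(objectCategory=nTDSDSA)" and attrs["objectCategory"] == ["nTDSDSA"]):
            out.append((dn, attrs))
    return out
```

A DC name whose SPN search matches no computer object, or whose server object does not hold exactly one nTDSDSA entry, fails validation before any connection to it is attempted (step 1.3).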