4.3 NetrJoinDomain2 Example

Article
04/27/2022

In this example, "SrvrA" is a machine that is not joined to a domain, and there exists a domain with the name "DomainA" and a domain controller of that domain named "DC-A".

A client calls the NetrJoinDomain2 method (section 3.2.4.13) on the server named "SrvrA":

 unsigned long NetrJoinDomain2(
    [in] handle_t RpcBindingHandle,
    [in, string, unique] wchar_t* ServerName = { "SrvrA" },
    [in, string] wchar_t* DomainName = { "DomainA\DC-A" },
    [in, string, unique] wchar_t* MachineAccountOU = { NULL },
    [in, string, unique] wchar_t* AccountName = { NULL },
    [in, unique] PJOINPR_ENCRYPTED_USER_PASSWORD Password = { NULL },
    [in] unsigned long Options = { 0x00000001 }
 );

Upon receiving this message, "SrvrA" establishes an SMB session with the domain controller "DC-A", using the credentials presented. In this example, there are no credentials; therefore the session is established as an anonymous session.

The server then queries for the domain_name and security identifier (SID) properties of "DC-A", and stores them locally.

As a last step, "SrvrA" creates a domain-object ([MS-ADTS] section 6.4.2) for itself, and sets the following attributes:

sAMAccountName
userAccountControl
unicodePwd
dNSHostName
servicePrincipalName

The server then responds to the client with the following message:

 unsigned long = { 0 }
 NetrJoinDomain2(
    [in] handle_t RpcBindingHandle,
    [in, string, unique] wchar_t* ServerName,
    [in, string] wchar_t* DomainName,
    [in, string, unique] wchar_t* MachineAccountOU,
    [in, string, unique] wchar_t* AccountName,
    [in, unique] PJOINPR_ENCRYPTED_USER_PASSWORD Password,
    [in] unsigned long Options
 );

The following sequence diagram shows the sequence of messages that can be exchanged as a result of a NetrJoinDomain2 message sent to the server.

NetrJoinDomain2 sequence

Figure 6: NetrJoinDomain2 sequence

The following state changes occur as a part of this message:

Initial states:

SrvrA	DC-A
DomainNameNetBIOS = "Workgroup". DomainSID = NULL. Domain-Secret-Value = NULL.	DomainNameNetBIOS = "DomainA". DomainSID = { SID-Value}.

SrvrA

DC-A

DomainNameNetBIOS = "Workgroup".

DomainSID = NULL.

Domain-Secret-Value = NULL.

DomainNameNetBIOS = "DomainA".

DomainSID = { SID-Value}.

End states:

SrvrA	DC-A
DomainNameNetBIOS = "DomainA". DomainSID = {SID-Value}. Domain-Secret-Value = { domain-secret }.	DomainNameNetBIOS = "DomainA". DomainSID = { SID-Value }. A computer account object exists with the following LDAP attributes: userAccountControl = USER_WORKSTATION_TRUST_ACCOUNT. samAccountName = "SrvrA$". unicodePwd = { domain-secret }. dNSHostName = "SrvrA.<DomainA-DNS-Name>. servicePrincipalName = { "HOST/SrvrA", "HOST/SrvrA.<DomainA-DNS-Name>" }

SrvrA

DC-A

DomainNameNetBIOS = "DomainA".

DomainSID = {SID-Value}.

Domain-Secret-Value = { domain-secret }.

DomainNameNetBIOS = "DomainA".

DomainSID = { SID-Value }.

A computer account object exists with the following LDAP attributes:

userAccountControl = USER_WORKSTATION_TRUST_ACCOUNT.
samAccountName = "SrvrA$".
unicodePwd = { domain-secret }.
dNSHostName = "SrvrA.<DomainA-DNS-Name>.
servicePrincipalName = {

"HOST/SrvrA",

"HOST/SrvrA.<DomainA-DNS-Name>"

}

4.3 NetrJoinDomain2 Example

Additional resources