3.3.5.7 Certificate Post-Processing

The Sender-Domain Controller-Certificate value, as a Domain Controller Certificate (section 2.3), MUST contain the GUID of an Active Directory object.

The receiving DC MUST verify the following:

  • That the GUID identifies an Active Directory object of type Computer object (section 2.4.1). The Computer object MUST NOT be in the deleted object state.

  • That the Computer object is acting in the DC state, as determined by the userAccountControl Bits, as specified in [MS-DRSR] section 5.206.

  • That there is an Active Directory object of type Server object (section 2.4.2) associated with the Computer object. The Server object MUST NOT be in the deleted state.

  • That the Server object has a child object, which is the DRS replication agent NTDSDSA object (section 2.4.3) for the DC.

When the receiving DC makes this determination, it MUST use information in its local NC replicas. The receiving DC MAY establish this correspondence and conduct a liveness check by using implementation-specific references between the Computer object in a domain NC, which might or might not be present locally as an NC replica, and the Server object in the configuration NC, which is held locally.<23>
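The four checks above, written out as a validation routine over a small constructed directory. This is an added example, not code from [MS-SRPL] or from any Microsoft implementation; it assumes the Server-to-Computer link is a `serverReference` attribute and that the DC state is the 0x2000 (UF_SERVER_TRUST_ACCOUNT) bit of userAccountControl.

```python
# Added example, not code from [MS-SRPL] or any Microsoft implementation: a model
# of the four receiving-DC checks in section 3.3.5.7, run against a constructed
# in-memory directory (DN -> attributes). Assumptions: the Server-to-Computer
# link is a "serverReference" attribute, and the DC state is the 0x2000
# (UF_SERVER_TRUST_ACCOUNT) bit of userAccountControl.
UF_SERVER_TRUST_ACCOUNT = 0x2000  # assumed DC bit

DIRECTORY = {  # constructed sample data; all GUIDs and DNs are made up
    "CN=DC1,OU=Domain Controllers,DC=example,DC=test": {
        "objectGUID": "11111111-1111-1111-1111-111111111111", "objectClass": "computer",
        "userAccountControl": 0x82000, "isDeleted": False},
    "CN=DC1,CN=Servers,CN=Site-A,CN=Sites,CN=Configuration,DC=example,DC=test": {
        "objectClass": "server", "isDeleted": False,
        "serverReference": "CN=DC1,OU=Domain Controllers,DC=example,DC=test"},
    "CN=NTDS Settings,CN=DC1,CN=Servers,CN=Site-A,CN=Sites,CN=Configuration,DC=example,DC=test": {
        "objectClass": "nTDSDSA", "isDeleted": False},
    "CN=WS7,CN=Computers,DC=example,DC=test": {  # ordinary workstation, not a DC
        "objectGUID": "22222222-2222-2222-2222-222222222222", "objectClass": "computer",
        "userAccountControl": 0x1000, "isDeleted": False},
}

def find_by_guid(directory, guid):
    """Locate the object whose objectGUID matches (case-insensitive)."""
    for dn, attrs in directory.items():
        if attrs.get("objectGUID", "").lower() == guid.lower():
            return dn, attrs
    return None, None

def children(directory, parent_dn):
    """Immediate children of parent_dn (naive DN parsing, fine for the sample)."""
    depth = parent_dn.count(",") + 1
    return [(dn, a) for dn, a in directory.items()
            if dn.endswith("," + parent_dn) and dn.count(",") == depth]

def verify_sender_certificate(directory, guid):
    """Apply the section 3.3.5.7 checks; return (accepted, reason)."""
    comp_dn, comp = find_by_guid(directory, guid)
    if comp is None or comp["objectClass"] != "computer" or comp["isDeleted"]:
        return False, "GUID does not identify a live Computer object"
    if not comp["userAccountControl"] & UF_SERVER_TRUST_ACCOUNT:
        return False, "Computer object is not in the DC state"
    servers = [dn for dn, a in directory.items() if a["objectClass"] == "server"
               and not a["isDeleted"] and a.get("serverReference") == comp_dn]
    if not servers:
        return False, "no live Server object associated with the Computer object"
    if not any(a["objectClass"] == "nTDSDSA" and not a["isDeleted"]
               for _, a in children(directory, servers[0])):
        return False, "Server object has no live NTDSDSA child"
    return True, "sender identified as a live DC"
```

Each rejection reason maps to one bullet of the list above, so a failed check is attributable to the specific condition that was not met.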