
6.4.2 State in an Active Directory Domain

A machine m that is a member of an Active Directory domain d has a corresponding object o in d's domain NC. The object o is called the machine account of the joined machine m. The objectClass attribute of o contains the class computer. In addition to objectClass, the following attributes of o are significant to the membership of m in d:

The syntax and other details of these attributes are documented in [MS-ADA1], [MS-ADA2], and [MS-ADA3].

The following predicates are satisfied by the joined machine m's state and the state of object o:

  • the domain d's NetBIOS name equals m.domain-name.netbios

  • the domain d's fully qualified DNS name equals m.domain-name.dns

  • o!userAccountControl & ADS_UF_WORKSTATION_TRUST_ACCOUNT ≠ 0

  • o!sAMAccountName equals m.machine-account-name

  • o!unicodePwd equals m.domain-secret

  • o!msDs-supportedEncryptionTypes equals m.supported-encryption-types, in the format specified in [MS-KILE] section 2.2.6. This attribute might be absent if m.supported-encryption-types is NULL.
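The predicates above can be evaluated mechanically, which is useful when auditing whether a machine's local join state still agrees with its machine account. The following is an added example, not code from the specification: it models m, o and d as plain dictionaries with constructed sample values, checks each predicate in turn, and decodes the msDs-supportedEncryptionTypes bit field using the [MS-KILE] section 2.2.6 flag values. The constant names KERB_ENCTYPE_* and the helper names are this example's own.

```python
"""Evaluate the MS-ADTS 6.4.2 membership predicates for a joined machine m
against its machine-account object o in domain d.

Added example. All sample values below are constructed; none come from a
real directory.
"""

# userAccountControl bit marking a machine account (value as documented).
ADS_UF_WORKSTATION_TRUST_ACCOUNT = 0x1000

# msDs-supportedEncryptionTypes bits, as specified in [MS-KILE] section 2.2.6.
# The KERB_ENCTYPE_* names are this example's labels for those bits.
KERB_ENCTYPES = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}


def decode_enctypes(mask: int) -> list[str]:
    """Return the names of the encryption types enabled in a 2.2.6 bit field."""
    return [name for bit, name in KERB_ENCTYPES.items() if mask & bit]


def check_membership(m: dict, o: dict, d: dict) -> list[str]:
    """Return the names of the 6.4.2 predicates that fail; [] means all hold.

    m: the machine's local state (domain-name, machine-account-name,
       domain-secret, supported-encryption-types).
    o: the machine-account object's attributes.
    d: the domain's NetBIOS and fully qualified DNS names.
    Comparisons are exact, mirroring the 'equals' wording of the predicates.
    """
    failures = []
    if d["netbios"] != m["domain-name"]["netbios"]:
        failures.append("domain-name.netbios")
    if d["dns"] != m["domain-name"]["dns"]:
        failures.append("domain-name.dns")
    if o.get("userAccountControl", 0) & ADS_UF_WORKSTATION_TRUST_ACCOUNT == 0:
        failures.append("userAccountControl")
    if o.get("sAMAccountName") != m["machine-account-name"]:
        failures.append("sAMAccountName")
    if o.get("unicodePwd") != m["domain-secret"]:
        failures.append("unicodePwd")
    # The attribute may be absent only when the machine's value is NULL.
    wanted = m["supported-encryption-types"]
    present = "msDs-supportedEncryptionTypes" in o
    if wanted is None:
        if present and o["msDs-supportedEncryptionTypes"] != wanted:
            failures.append("msDs-supportedEncryptionTypes")
    elif not present or o["msDs-supportedEncryptionTypes"] != wanted:
        failures.append("msDs-supportedEncryptionTypes")
    return failures


# Constructed sample state: a machine WS01 joined to the domain CONTOSO.
SAMPLE_DOMAIN = {"netbios": "CONTOSO", "dns": "contoso.example"}
SAMPLE_M = {
    "domain-name": {"netbios": "CONTOSO", "dns": "contoso.example"},
    "machine-account-name": "WS01$",
    "domain-secret": "constructed-secret".encode("utf-16-le"),
    "supported-encryption-types": 0x18,  # AES128 | AES256
}
SAMPLE_O = {
    "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
    "userAccountControl": ADS_UF_WORKSTATION_TRUST_ACCOUNT,
    "sAMAccountName": "WS01$",
    "unicodePwd": "constructed-secret".encode("utf-16-le"),
    "msDs-supportedEncryptionTypes": 0x18,
}


def main() -> None:
    print("failing predicates:", check_membership(SAMPLE_M, SAMPLE_O, SAMPLE_DOMAIN))
    print("enctypes:", decode_enctypes(SAMPLE_O["msDs-supportedEncryptionTypes"]))
    # A stale secret on one side shows up as a single failing predicate.
    stale = dict(SAMPLE_O, unicodePwd=b"old")
    print("after secret drift:", check_membership(SAMPLE_M, stale, SAMPLE_DOMAIN))


if __name__ == "__main__":
    main()
```

The encryption-type decoder is the part an auditor most often wants on its own: a machine account whose bit field contains only the RC4 or DES bits is a candidate for review regardless of whether the other predicates hold.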

Section specifies the representation of a domain's NetBIOS name. A domain's fully qualified DNS name is derived from the DN of its root object, as specified in section

The specific choices made in implementing a machine joined to a domain (for example, for maintaining these variables) are outside the state model. Windows may periodically update m.domain-secret on the client machine and o.domain-secret in the Windows Active Directory. This behavior is not required for a functional domain join.

© 2014 Microsoft