Server Behavior of the IDL_DRSAddEntry Method

Informative summary of behavior: A disabled crossRef object cr is one with cr!Enabled = false. Enabling a disabled crossRef object cr means setting cr!nCName and cr!dnsRoot, and removing cr!Enabled.

This method enables, creates, or modifies one or more objects, as requested by the client, in a single transaction. It enables crossRef objects, creates crossRef objects and nTDSDSA objects, and modifies arbitrary objects. The client uses an ENTINF structure to specify the state of each enabled, created, or modified object:

  • Enabling a crossRef object: The dnsRoot attribute of a disabled crossRef object contains a set of one or more DNS host names, expressed as Unicode strings. The request to enable a crossRef object succeeds only if the IP address of the client that is making the request matches the IP address of one of the DNS host names in the dnsRoot attribute. When a disabled crossRef object is enabled through this method, the server is not required to be the Domain Naming Master FSMO role owner.

    The client must specify the nCName and dnsRoot attributes. The trustParent and rootTrust attributes are optional.

  • Creating a crossRef object: If the request creates a crossRef object, it succeeds only if the server owns the forest's Domain Naming Master FSMO role. The access check is the same as when a crossRef object is created through LDAP.

    The client must specify the same attributes that are required during an LDAP Add of a crossRef object, namely the new object's DN, plus all must-have attributes of the crossRef class. See [MS-ADTS] section for the specification of crossRef objects.

  • Creating an nTDSDSA object: Creating an nTDSDSA object is not possible with LDAP. To create an nTDSDSA object, the hasMasterNCs attribute in the request must identify the forest's schema NC and config NC, and the DC's default NC; that is, the domain of the DC corresponding to the new nTDSDSA object. If the default NC already exists on the server when the nTDSDSA object is being created by IDL_DRSAddEntry, the client must have the control access right DS-Replication-Manage-Topology on the default NC. Otherwise, the client must have the right to enable or create the crossRef object that corresponds to the default NC, and must enable or create this crossRef object in the same IDL_DRSAddEntry request.

    The client must specify the new object's DN, plus the hasMasterNCs attribute. To create an nTDSDSA object for a functional DC, the request will contain invocationId, dMDLocation, options, msDS-Behavior-Version, and systemFlags. See [MS-ADTS] section for the specification of nTDSDSA objects.

    If the serverReference attribute is given a value in the request, the computer object to which the serverReference attribute points is updated with a new replicationSPN.

  • Modifying an object: To modify an existing object (other than enabling a crossRef object), the client-supplied ENTINF structure includes ENTINF_REMOTE_MODIFY in the ulFlags field and specifies the modified attributes and their values. The client must have the same rights as those needed to perform the modification via LDAP. The DC enforces the same schema and other constraints on the modification as if performed via LDAP. Performing the modification by using IDL_DRSAddEntry rather than LDAP allows changes to multiple objects to be made in a single transaction. This operation is only supported by AD LDS and AD DS in Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, and Windows Server 2012 R2 operating system.
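As an added illustration (not code from MS-DRSR or from Windows), the following Python models the two crossRef authorization rules described above: enabling a disabled crossRef is gated on the caller's IP address matching a host named in dnsRoot, while creating one is gated on the Domain Naming Master role. The class and function names and the DNS table are constructed for the example.

```python
# Added example (not MS-DRSR or Windows code): models the authorization rules
# the page gives for the crossRef cases of IDL_DRSAddEntry. Names are my own.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Hostname -> IP addresses. Injected so the example runs offline; a real server
# would resolve the dnsRoot names through DNS.
Resolver = Callable[[str], List[str]]

@dataclass
class CrossRef:
    """Subset of a crossRef: cr!Enabled (None = attribute absent, i.e. enabled),
    cr!dnsRoot and cr!nCName."""
    enabled: Optional[bool] = None
    dns_root: List[str] = field(default_factory=list)
    nc_name: Optional[str] = None

    def is_disabled(self) -> bool:
        return self.enabled is False

def may_enable_crossref(cr: CrossRef, client_ip: str, resolve: Resolver) -> bool:
    """Enabling succeeds only for a disabled crossRef and only if the client's
    IP address is an address of one of the DNS host names in cr!dnsRoot.
    Holding the Domain Naming Master FSMO role is not required on this path."""
    if not cr.is_disabled():
        return False
    return any(client_ip in resolve(host) for host in cr.dns_root)

def may_create_crossref(server_is_domain_naming_master: bool) -> bool:
    """Creating a crossRef requires the server to own the forest's Domain Naming
    Master role; the LDAP Add access check for crossRef still applies."""
    return server_is_domain_naming_master

def process_enable_request(cr: CrossRef, client_ip: str, nc_name: str,
                           dns_root: List[str], resolve: Resolver):
    """Returns (succeeded, crossRef). On success nCName and dnsRoot are set and
    the Enabled attribute is removed; on failure nothing is changed."""
    if not may_enable_crossref(cr, client_ip, resolve):
        return False, cr
    cr.nc_name, cr.dns_root, cr.enabled = nc_name, list(dns_root), None
    return True, cr

# Constructed sample data: a disabled crossRef whose dnsRoot names the DC that
# is expected to enable it.
DNS_TABLE: Dict[str, List[str]] = {"dc1.child.example.test": ["10.0.0.5"]}

def sample_resolve(host: str) -> List[str]:
    return DNS_TABLE.get(host, [])
```

Call `process_enable_request(CrossRef(enabled=False, dns_root=["dc1.child.example.test"]), "10.0.0.5", "DC=child,DC=example,DC=test", ["dc1.child.example.test"], sample_resolve)` to see a successful enable; any other client address is refused and the object is left untouched.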

ULONG IDL_DRSAddEntry(
    [in, ref] DRS_HANDLE hDrs,
    [in] DWORD dwInVersion,
    [in, ref, switch_is(dwInVersion)]
        DRS_MSG_ADDENTRYREQ *pmsgIn,
    [out, ref] DWORD *pdwOutVersion,
    [out, ref, switch_is(*pdwOutVersion)]
        DRS_MSG_ADDENTRYREPLY *pmsgOut
    );

pClientCreds: ADDRESS OF DRS_SecBufferDesc
pEntInfList: ADDRESS OF ENTINFLIST
e: ADDRESS OF ENTINFLIST
ext: DRS_EXTENSIONS_INT
err: ULONG
infoList: sequence of ADDENTRY_REPLY_INFO
objCls: ATTRTYP
ncNameV: DSName
cObjects: ULONG
res: boolean
prefixTable: PrefixTable

ValidateDRSInput(hDrs, 17)

/* Only attributes and classes in the base schema may be specified.*/
prefixTable := NewPrefixTable()

/* Set the default response version */
pdwOutVersion^ := 2

if dwInVersion = 1 then /* obsolete */
  pmsgOut^.V1.Guid := 0
  pmsgOut^.V1.Sid := 0
  pmsgOut^.V1.errCode := 0
  pmsgOut^.V1.dsid := 0
  pmsgOut^.V1.extendedErr := 0
  pmsgOut^.V1.extendedData := 0
  pmsgOut^.V1.problem := 0
else if dwInVersion = 2 then
  pmsgOut^.V2.pErrorObject:= null
  pmsgOut^.V2.errCode := 0
  pmsgOut^.V2.dsid := 0
  pmsgOut^.V2.extendedErr := 0
  pmsgOut^.V2.extendedData := 0
  pmsgOut^.V2.problem := 0
  pmsgOut^.V2.cObjectsAdded := 0
  pmsgOut^.V2.infoList := null
else if dwInVersion = 3 then
  pmsgOut^.V3.pdsErrObject := null
  pmsgOut^.V3.dwErrVer := 0
  pmsgOut^.V3.pErrData := null
  pmsgOut^.V3.cObjectsAdded := 0
  pmsgOut^.V3.infoList := null

/* Validate parameters. */
if not (dwInVersion in {2,3}) then
       pmsgOut, 2)
  return 0

/* If the client supports the version 3 response, use version 3. */
ext := ClientExtensions(hDrs)
if DRS_EXT_ADDENTRYREPLY_V3 in ext.dwFlags then
  pdwOutVersion^ := 3
else
  pdwOutVersion^ := 2

cObjects := 0

if dwInVersion = 2 then
  pEntInfList := pmsgIn^.V2.EntInfList
  pClientCreds := null
else
  pEntInfList := pmsgIn^.V3.EntInfList
  pClientCreds := pmsgIn^.V3.pClientCreds

/* If explicit credentials are given, use them for access checks. */
if pClientCreds ≠ null then
  err := UseCredsForAccessCheck(pClientCreds^)
  if err ≠ 0 then
    return err

/* Walk through each item in the EntInfList and perform the requested
 * operation. */
e := pEntInfList
while e ≠ null
  if ENTINF_REMOTE_MODIFY in e^.Entinf.ulFlags then
    if DSAObj()!msDS-Behavior-Version ≥ DS_BEHAVIOR_WIN2008 then
      /* Modify an existing object in place. */
      res := PerformModifyEntInf(
          hDrs, e^.Entinf, ADR(infoList[cObjects]))
      if not res then
        return 0
    else
      /* Not supported (Win2k3 or older DC). */
      return 0
  else
    objCls := ENTINF_GetValue(e^.Entinf, objectClass, prefixTable)
    if objCls = crossRef then
      /* Create or enable a crossRef object. */
      res := CreateCrossRef(hDrs, e^.Entinf, pmsgOut, pdwOutVersion^,
          ADR(infoList[cObjects]))
      if not res then
        return 0
    else if objCls = nTDSDSA then
      /* Create an nTDSDSA object. */
      res := CreateNtdsDsa(hDrs, e^.Entinf, pEntInfList, pmsgOut,
          pdwOutVersion^, ADR(infoList[cObjects]))
      if not res then
        return 0
    else
      /* Not supported. */
          pmsgOut, pdwOutVersion^)
      return 0

  e := e^.pNextEntInf
  cObjects := cObjects + 1

if pdwOutVersion^ = 2 then
  pmsgOut^.V2.cObjectsAdded := cObjects
  pmsgOut^.V2.infoList := infoList
else
  pmsgOut^.V3.cObjectsAdded := cObjects
  pmsgOut^.V3.infoList := infoList

return 0
© 2014 Microsoft