6.3.8 AD LDS DC Publication

If an AD LDS DC is running on a computer joined to an AD DS domain, the AD LDS DC SHOULD (if certain conditions are met, as described later in this section) create a serviceConnectionPoint object in the AD DS forest of the domain to which it is joined. Clients MAY use this serviceConnectionPoint object to locate this AD LDS DC.

Let O be the msDS-ServiceConnectionPointPublicationService object in the AD LDS forest whose DN is "CN=SCP Publication Service" relative to the nTDSService object in the config NC (the DN of the nTDSService object is "CN=Directory Service, CN=Windows NT, CN=Services" relative to the root of the config NC).

An AD LDS DC SHOULD create (or update, if the object already exists) a serviceConnectionPoint object unless one of the following conditions is true:

If the LDAP add or modify operation to create or update the serviceConnectionPoint object fails for any reason, including lack of permission to create or update the serviceConnectionPoint object, the AD LDS DC SHOULD retry periodically until the operation succeeds.

The created (or updated) serviceConnectionPoint object S satisfies the following:

  • If O exists and O!msDS-SCPContainer is non-null, then the DN of S is "CN={dsaGuid}" relative to O!msDS-SCPContainer, where dsaGuid is the DC's DSA GUID. Otherwise, the DN of S is "CN={dsaGuid}" relative to the computer object of the machine running AD LDS.

  • S!serviceDNSNameType = "A"

  • S!serviceClassName = "LDAP"

  • S!serviceDNSName is the DNS name of the computer on which the AD LDS DC is running.

  • S!serviceBindingInformation contains two values, "ldap://dnsName:ldapPort" and "ldaps://dnsName:ldapsPort", where dnsName is the DNS name of the computer on which the AD LDS DC is running, ldapPort is the port on which the AD LDS DC is listening for LDAP requests, and ldapsPort is the port on which the AD LDS DC is listening for SSL/TLS-protected LDAPS requests.

  • S!keywords contains the following values:

    • The DSA GUID.

    • For each value of the supportedCapabilities attribute of the rootDSE, a string containing that value.

    • The string "site:siteName" where siteName is the name of the site in which the AD LDS DC is located.

    • The string "instance:instanceName" where instanceName is a name configured for this AD LDS DC, unique among all AD LDS DCs on the machine running the DC.

    • If this AD LDS DC has the Schema Master FSMO role, the string "fsmo:schema".

    • If the AD LDS DC has the Domain Naming FSMO role, the string "fsmo:naming".

    • For each NC-replica on the AD LDS DC, excluding the NC-replica of the schema NC:

      • The string "partition:ncName" where ncName is the DN of the NC.

      • The NC GUID (that is, the value of the objectGUID attribute for the root of the NC).

    • If O exists, the values (if any) present on O!keywords. (See section 6.1.1.2.4.1.5.)

For example, suppose an AD LDS DC is running on a computer whose DNS name is "adlds-01.fabrikam.com", has a DSA GUID of {d07c66ed-b55e-4472-b09c-1ae35980}, holds both FSMO roles, and has a single application NC whose name is "CN=FirstAppNC" and whose GUID is {32079ab-9e49-4c4e-ad36-0f2b8a63f12b}. Further assume that it is listening on ports 50000 and 50001 for LDAP and LDAPS traffic, respectively, is located in a site named "Default-First-Site-Name", has an instance name of "TestInstance", and that O!keywords is empty. The resulting serviceConnectionPoint object could be as follows (the config NC's DN and GUID vary per forest).

 S!serviceDNSNameType = "A"
 S!serviceClassName = "LDAP"
 S!serviceDNSName = "adlds-01.fabrikam.com"
 S!serviceBindingInformation = {
     "ldap://adlds-01.fabrikam.com:50000", 
     "ldaps://adlds-01.fabrikam.com:50001"
     }
 S!keywords = {
     "d07c66ed-b55e-4472-b09c-1ae35980",
     "1.2.840.113556.1.4.1851",
     "1.2.840.113556.1.4.1791",
     "site:Default-First-Site-Name",
     "instance:TestInstance",
     "fsmo:schema",
     "fsmo:naming",
     "partition:CN=FirstAppNC",
     "32079ab-9e49-4c4e-ad36-0f2b8a63f12b",
     "partition:CN=Configuration,CN={FD783EE9-0216-4B83-8A2A-60E45AECCB81}",
     "23b65d43-a701-44b9-9e04-a6555df722eb"
     }
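The following is an added example, not code from MS-ADTS or from Windows, that implements both sides of the rules above: the publisher side builds S from the DC's properties (including the O!msDS-SCPContainer and O!keywords cases), and the client side builds an escaped search filter over the keywords and decodes an SCP entry read back from AD DS. The AdLdsDc record, the function names, the computer DN and all GUIDs are constructed for this example; the remaining sample values follow the worked example in the text.

```python
"""Publisher and client sides of the AD LDS serviceConnectionPoint (SCP).

Added example for section 6.3.8; not code from MS-ADTS or Windows. Names,
DNs and GUIDs below are constructed.
"""
import re
from dataclasses import dataclass

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
OID_RE = re.compile(r"^\d+(\.\d+)+$")


@dataclass
class AdLdsDc:
    dns_name: str
    dsa_guid: str
    ldap_port: int
    ldaps_port: int
    site: str
    instance: str
    supported_capabilities: list   # rootDSE supportedCapabilities OIDs
    has_schema_fsmo: bool
    has_naming_fsmo: bool
    nc_replicas: list              # [(NC DN, NC objectGUID)], schema NC excluded
    computer_dn: str               # computer object of the host in AD DS


def build_scp(dc, scp_container=None, o_keywords=()):
    """Publisher side: (DN of S, attributes of S). scp_container is
    O!msDS-SCPContainer (None if O is absent or it is null); o_keywords is
    O!keywords."""
    dn = f"CN={{{dc.dsa_guid}}},{scp_container or dc.computer_dn}"
    keywords = [dc.dsa_guid, *dc.supported_capabilities,
                f"site:{dc.site}", f"instance:{dc.instance}"]
    if dc.has_schema_fsmo:
        keywords.append("fsmo:schema")
    if dc.has_naming_fsmo:
        keywords.append("fsmo:naming")
    for nc_dn, nc_guid in dc.nc_replicas:
        keywords += [f"partition:{nc_dn}", nc_guid]
    keywords += list(o_keywords)
    return dn, {
        "objectClass": ["serviceConnectionPoint"],
        "serviceDNSNameType": ["A"],
        "serviceClassName": ["LDAP"],
        "serviceDNSName": [dc.dns_name],
        "serviceBindingInformation": [f"ldap://{dc.dns_name}:{dc.ldap_port}",
                                      f"ldaps://{dc.dns_name}:{dc.ldaps_port}"],
        "keywords": keywords,
    }


def ldap_escape(value):
    """RFC 4515 escaping for a filter assertion value."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def scp_search_filter(instance=None, partition_dn=None, fsmo=None):
    """Client side: filter locating AD LDS DCs in AD DS by SCP keywords."""
    terms = ["(objectClass=serviceConnectionPoint)", "(serviceClassName=LDAP)"]
    for key, val in (("instance", instance), ("partition", partition_dn), ("fsmo", fsmo)):
        if val:
            terms.append(f"(keywords={key}:{ldap_escape(val)})")
    return "(&" + "".join(terms) + ")"


def parse_scp(dn, attrs):
    """Client side: decode an SCP entry S read from AD DS. keywords is a
    multi-valued attribute and the directory does not promise to return it in
    the order it was written, so NC GUIDs are collected as a set rather than
    paired with partition DNs by position; the DSA GUID comes from the RDN."""
    if attrs.get("serviceClassName") != ["LDAP"]:
        raise ValueError("not an LDAP serviceConnectionPoint")
    rdn = dn.split(",", 1)[0]
    dsa_guid = rdn[len("CN={"):-1].lower()
    if not (rdn.startswith("CN={") and rdn.endswith("}") and GUID_RE.match(dsa_guid)):
        raise ValueError(f"unexpected RDN {rdn!r}")
    info = {"dsa_guid": dsa_guid, "bindings": {}, "site": None, "instance": None,
            "fsmo": set(), "partitions": set(), "nc_guids": set(),
            "capabilities": set(), "other": set()}
    for url in attrs.get("serviceBindingInformation", []):
        scheme, _, hostport = url.partition("://")
        host, _, port = hostport.rpartition(":")
        info["bindings"][scheme] = (host, int(port))
    for kw in attrs.get("keywords", []):
        key, sep, val = kw.partition(":")
        if sep and key in ("site", "instance"):
            info[key] = val
        elif sep and key in ("fsmo", "partition"):
            info[key + "s" if key == "partition" else key].add(val)
        elif GUID_RE.match(kw):
            if kw.lower() != dsa_guid:
                info["nc_guids"].add(kw.lower())
        elif OID_RE.match(kw):
            info["capabilities"].add(kw)
        else:
            info["other"].add(kw)
    return info


# Constructed sample DC (GUIDs and computer DN are made up for this example).
SAMPLE_DC = AdLdsDc(
    dns_name="adlds-01.fabrikam.com",
    dsa_guid="d07c66ed-b55e-4472-b09c-1ae35980ba8d",
    ldap_port=50000, ldaps_port=50001,
    site="Default-First-Site-Name", instance="TestInstance",
    supported_capabilities=["1.2.840.113556.1.4.1851", "1.2.840.113556.1.4.1791"],
    has_schema_fsmo=True, has_naming_fsmo=True,
    nc_replicas=[("CN=FirstAppNC", "032079ab-9e49-4c4e-ad36-0f2b8a63f12b"),
                 ("CN=Configuration,CN={FD783EE9-0216-4B83-8A2A-60E45AECCB81}",
                  "23b65d43-a701-44b9-9e04-a6555df722eb")],
    computer_dn="CN=ADLDS-01,OU=Servers,DC=fabrikam,DC=com",
)
```

The SCP is ordinary directory data: anyone who can write the SCP container, or create children under the computer object, can rewrite serviceBindingInformation and redirect clients that resolve AD LDS DCs this way. A client that locates a DC through this object should bind over the ldaps URL and validate the server certificate against serviceDNSName rather than trust the published endpoint on its own.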