6.4.1 State of a Machine Joined to a Domain

The following variables are part of the state of any machine joined to a domain:

  • domain-secret: A sequence containing an even number of bytes, with no embedded zero values, holding the secret shared between the machine and the domain. There are no minimum or maximum length constraints imposed on domain-secret; implementations MUST NOT assume any such limitations.

  • machine-account-name: The sAMAccountName of the machine's computer object within the domain.

  • domain-name: A tuple containing:

    • netbios: The NetBIOS name of the domain

    • dns: The fully qualified DNS name of the domain

      If the domain has a DNS name, domain-name.dns contains it. If the domain has a NetBIOS name, domain-name.netbios contains it. The value of at least one of these variables is not NULL.

  • domain-locator: Implementation-specific state sufficient to locate a domain controller of the domain. If the implementation is capable of locating a domain controller given domain-name, then domain-locator can be NULL.

  • supported-encryption-types: A set of encryption algorithms that can be used by the Key Distribution Center (KDC) to generate tickets for the machine account. This value can be NULL if the machine supports default encryption types used by a given implementation of the KDC.

The specific choices made in implementing a machine joined to a domain (for example, for representing these variables and for generating names) are outside the state model. For Windows, machine-account-name equals the machine name (result of GetComputerName) with "$" appended, and domain-locator is NULL.
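
The constraints above can be checked mechanically when auditing a stored join state. The following Python sketch is an added example, not part of the specification or of any Windows component: the class, field and function names are hypothetical, "zero values" is assumed to mean zero 16-bit units, and the sample state is constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

@dataclass
class DomainName:
    netbios: Optional[str] = None   # NetBIOS name of the domain
    dns: Optional[str] = None       # fully qualified DNS name of the domain

@dataclass
class DomainJoinState:
    domain_secret: bytes
    machine_account_name: str
    domain_name: DomainName
    domain_locator: Optional[object] = None                      # NULL on Windows
    supported_encryption_types: Optional[FrozenSet[str]] = None  # None = KDC defaults

def has_zero_unit(secret: bytes) -> bool:
    # Assumption: "zero values" means zero 16-bit units, not single zero bytes
    # (a secret holding UTF-16 text has many zero bytes but no zero unit).
    return any(secret[i:i + 2] == b"\x00\x00" for i in range(0, len(secret) - 1, 2))

def violations(state: DomainJoinState, computer_name: Optional[str] = None) -> List[str]:
    """Return the constraints of this section that the state breaks (empty = consistent)."""
    found = []
    if len(state.domain_secret) % 2 != 0:
        found.append("domain-secret: odd number of bytes")
    if has_zero_unit(state.domain_secret):
        found.append("domain-secret: embedded zero value")
    # Deliberately no minimum or maximum length check: the text forbids assuming one.
    name = state.domain_name
    if name.netbios is None and name.dns is None:
        found.append("domain-name: netbios and dns are both NULL")
    # Windows convention only: machine name with "$" appended.
    # The case-insensitive comparison is an assumption of this example.
    if computer_name is not None:
        if state.machine_account_name.lower() != (computer_name + "$").lower():
            found.append("machine-account-name: not computer name + '$'")
    return found

# Constructed sample state; the names and the secret are made up for illustration.
SAMPLE = DomainJoinState(
    domain_secret="pässw0rd".encode("utf-16-le"),
    machine_account_name="WKS01$",
    domain_name=DomainName(netbios="CONTOSO", dns="contoso.example"),
)

if __name__ == "__main__":
    print(violations(SAMPLE, "WKS01"))
```

Passing computer_name applies the Windows naming convention; omit it for implementations that generate machine account names differently.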