3.2.6 Example 6: Update the User's lastLogonTimeStamp Against an RODC When the User Binds to an LDAP Server

In this example, the user's lastLogonTimeStamp attribute is updated when the user authenticates successfully to the LDAP server (here, an RODC) by using an LDAP bind request.

This example applies only to AD DS.

This example uses the SAMS protocol ([MS-SAMS]), carried over the Netlogon secure channel ([MS-NRPC]) between the RODC and a writable DC.

This example covers the use case in section 2.7.2.6, User Logon to Domain Services by Using an RODC and Updating the User LastLogonTimeStamp - Client Application.

The lastLogonTimeStamp attribute is updated on successful authentication of a user through either interactive logon or network logon to the directory system. This example shows user logon to the directory through network logon to the LDAP server. Because an RODC holds no writable replica of the domain NC, it cannot update the attribute itself and forwards the update to a writable DC. Note also that the attribute is not rewritten on every logon: a writable DC refreshes it only when the stored value is older than the domain's msDS-LogonTimeSyncInterval (14 days by default), less a small random jitter, so the value can lag the most recent logon by up to that interval.

Prerequisites

The general requirements described in section 2.6, Assumptions and Preconditions.

The Active Directory system meets all preconditions described in section 2.7.2.6.

Initial System State

None.

Final System State

The user's lastLogonTimeStamp attribute is updated.

Sequence of Events

The following sequence diagram shows the message flow that is associated with this example.

Figure 51: User lastLogonTimeStamp update message flow

Unless otherwise noted, all responses that include a return code contain a return code that indicates that the operation was performed successfully.

 1. The client starts and sends an LDAP bind request ([RFC2251] section 4.2) to the RODC along with the credentials of the user.

 2. The RODC uses one of the methods specified in [MS-AUTHSOD] section 2 to verify the credentials. Depending on the negotiated authentication method, this might involve additional client and server interactions that are not directly relevant to this discussion. After verification, the directory server sends an LDAP bind response ([RFC2251] section 4.2.3) to the client.

 3. The client sends an unbind request to clean up the bind operation. This step can occur in any order after step 2. It is not dependent on the timing of the subsequent steps in this example.

 4. – 11. In these steps, the RODC establishes a secure channel with a DC that contains a writable NC replica of the domain, as specified in [MS-NRPC] section 3.1.4.1.

12. The RODC forwards a lastLogonTimeStamp update request for the user to the DC, as specified in [MS-SAMS] section 3.2.4.6, by using the NetrLogonSendToSam method specified in [MS-NRPC] section 3.5.4.8.4, and according to the processing rules specified in [MS-NRPC] section 3.4.5.6.4.

13. The DC processes the request ([MS-SAMS] section 3.3.5.6 and [MS-NRPC] section 3.5.4.8.4), updates the user account's lastLogonTimeStamp attribute, and returns a response.
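The following is an added example, not code from [MS-ADOD] or from Microsoft, that models the message flow above end to end: the client BER-encodes an LDAP simple BindRequest and UnbindRequest ([RFC2251] section 4.2, steps 1 and 3), the RODC decodes it, verifies the credentials and returns a BindResponse (step 2), and the writable DC applies the lastLogonTimeStamp refresh rule (steps 12 and 13). Assumptions: a simple DN/password bind rather than a negotiated [MS-AUTHSOD] method, an in-memory table of constructed accounts standing in for credential verification, the Netlogon secure channel and NetrLogonSendToSam (steps 4 through 12) reduced to a direct function call, and the refresh threshold taken as msDS-LogonTimeSyncInterval (default 14 days) minus a random jitter of up to 5%, with the jitter exposed as a parameter so the behaviour is reproducible.

```python
"""Model of [MS-ADOD] example 6: LDAP bind against an RODC, then a forwarded
lastLogonTimeStamp refresh on a writable DC. Added example with constructed data."""
import random
from datetime import datetime, timedelta, timezone

LDAP_SUCCESS, LDAP_INVALID_CREDENTIALS = 0, 49                 # RFC 2251 resultCode values
TAG_SEQUENCE, TAG_INTEGER, TAG_OCTET_STRING, TAG_ENUMERATED = 0x30, 0x02, 0x04, 0x0A
TAG_BIND_REQUEST, TAG_BIND_RESPONSE, TAG_UNBIND = 0x60, 0x61, 0x42  # [APPLICATION 0/1/2]
TAG_SIMPLE_AUTH = 0x80                                         # AuthenticationChoice.simple [0]


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """Two's-complement INTEGER, minimum one byte, so 128 encodes as 00 80."""
    return tlv(TAG_INTEGER, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position just past this element)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        length = int.from_bytes(buf[pos:pos + (first & 0x7F)], "big")
        pos += first & 0x7F
    return tag, buf[pos:pos + length], pos + length


# ---- client side: steps 1 and 3 ----
def build_bind_request(message_id: int, dn: str, password: str) -> bytes:
    bind = ber_int(3) + tlv(TAG_OCTET_STRING, dn.encode()) + tlv(TAG_SIMPLE_AUTH, password.encode())
    return tlv(TAG_SEQUENCE, ber_int(message_id) + tlv(TAG_BIND_REQUEST, bind))


def build_unbind_request(message_id: int) -> bytes:
    return tlv(TAG_SEQUENCE, ber_int(message_id) + bytes([TAG_UNBIND, 0x00]))  # UnbindRequest ::= NULL


def parse_bind_response(msg: bytes) -> int:
    _, body, _ = read_tlv(msg)
    _, _, pos = read_tlv(body)                                  # messageID
    op_tag, result, _ = read_tlv(body, pos)
    code_tag, code, _ = read_tlv(result)                        # LDAPResult.resultCode
    assert op_tag == TAG_BIND_RESPONSE and code_tag == TAG_ENUMERATED
    return int.from_bytes(code, "big", signed=True)


# ---- RODC side: step 2 ----
def parse_bind_request(msg: bytes):
    _, body, _ = read_tlv(msg)
    _, mid, pos = read_tlv(body)
    op_tag, bind, _ = read_tlv(body, pos)
    assert op_tag == TAG_BIND_REQUEST
    _, _, p = read_tlv(bind)                                    # version (3)
    _, dn, p = read_tlv(bind, p)
    auth_tag, cred, _ = read_tlv(bind, p)
    return int.from_bytes(mid, "big", signed=True), dn.decode(), auth_tag, cred.decode()


def build_bind_response(message_id: int, result_code: int) -> bytes:
    # resultCode, empty matchedDN, empty errorMessage
    result = tlv(TAG_ENUMERATED, bytes([result_code])) + tlv(TAG_OCTET_STRING, b"") * 2
    return tlv(TAG_SEQUENCE, ber_int(message_id) + tlv(TAG_BIND_RESPONSE, result))


# ---- writable DC side: step 13 ----
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt: datetime) -> int:
    """lastLogonTimeStamp is stored as 100-ns ticks since 1601-01-01 UTC (FILETIME)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def from_filetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def apply_lastlogon_update(account: dict, now: datetime, sync_days: int = 14, jitter=None) -> bool:
    """Refresh only if the stored value is older than msDS-LogonTimeSyncInterval
    minus a random jitter of up to 5% of the interval (assumed rule, see lead-in)."""
    jitter = random.uniform(0.0, 0.05) if jitter is None else jitter
    threshold = timedelta(days=sync_days * (1.0 - jitter))
    if now - from_filetime(account.get("lastLogonTimeStamp", 0)) > threshold:
        account["lastLogonTimeStamp"] = to_filetime(now)
        return True
    return False


def logon_via_rodc(directory: dict, dn: str, password: str, now: datetime, jitter=None):
    """Whole flow; returns (bind resultCode, whether the writable DC refreshed the stamp)."""
    mid, bound_dn, auth_tag, cred = parse_bind_request(build_bind_request(1, dn, password))   # step 1
    acct = directory.get(bound_dn)
    ok = acct is not None and auth_tag == TAG_SIMPLE_AUTH and cred == acct["password"]       # stand-in for [MS-AUTHSOD]
    code = parse_bind_response(build_bind_response(mid, LDAP_SUCCESS if ok else LDAP_INVALID_CREDENTIALS))  # step 2
    build_unbind_request(2)                                                                   # step 3
    updated = apply_lastlogon_update(acct, now, jitter=jitter) if code == LDAP_SUCCESS else False  # steps 12-13
    return code, updated


ALICE, BOB = "CN=alice,CN=Users,DC=corp,DC=example", "CN=bob,CN=Users,DC=corp,DC=example"


def sample_directory(now: datetime) -> dict:
    """Constructed accounts; plaintext passwords exist only in this model."""
    return {ALICE: {"password": "S3cret!", "lastLogonTimeStamp": to_filetime(now - timedelta(days=20))},
            BOB: {"password": "Hunter2!", "lastLogonTimeStamp": to_filetime(now - timedelta(days=1))}}


def run_example(now: datetime = datetime(2024, 3, 1, tzinfo=timezone.utc)) -> dict:
    d = sample_directory(now)
    return {"stale": logon_via_rodc(d, ALICE, "S3cret!", now, jitter=0.0),        # (0, True)
            "fresh": logon_via_rodc(d, BOB, "Hunter2!", now, jitter=0.0),         # (0, False)
            "bad": logon_via_rodc(d, ALICE, "wrong", now, jitter=0.0),            # (49, False)
            "stale_again": logon_via_rodc(d, ALICE, "S3cret!", now, jitter=0.0)}  # (0, False)


if __name__ == "__main__":
    print(run_example())
```

The "fresh" and "stale_again" cases are the practitioner's caveat: a successful bind does not necessarily touch lastLogonTimeStamp, so in incident response this replicated attribute only bounds the last logon to within the sync interval; the non-replicated lastLogon attribute on each DC is what records the most recent authentication exactly.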