SAMR process for registering a machine

  • Question

  • Appendix A of MS-SYS describes the addition of a machine to a domain.  The SAMR protocol does the registration.  However I need a little more information in order to understand the operations on the client side and to create an interoperable implementation of the specific server side behaviors.  I am particularly interested in the following sequence:

    SamrCreateUser2InDomain
    SamrQueryInformationUser
    SamrGetUserDomainPasswordInformation
    SamrSetInformationUser2


    When the machine account is created via SamrCreateUser2InDomain, the SID for the machine is created on the server side, using an RID from the domain controller's RID pool.  A number of entries are then created in Active Directory for this machine.  I think that among these is the machine password.    Some of this information is then stored on the newly added machine, so that it can subsequently authenticate to the domain, for example to retrieve group policy objects.  What information is stored on the newly added machine?  Clearly the name of the domain must be stored, plus the name of the machine as known to the domain, created by SamrCreateUser2InDomain, plus the machine password.  What else is stored on the newly added machine?  What is modified via SamrSetInformationUser2? 

    Abstractly, it should be possible to register the machine entirely via LDAP calls, on an LDAP session established under the administrator's credentials.  I don't mean to suggest that this should actually be done, but I am trying to understand the server behavior for SamrCreateUser2InDomain in a little more detail.  What AD entries are written or updated as a result of this call?  Is it actually possible to do all of the registration of the machine via LDAP, or is there something happening on the server side other than the creation of data in Active Directory?

    Regards,
    John McGarvey
     
    Wednesday, July 2, 2008 8:56 PM

Answers

  • Thanks for your reply.  This seems to answer my question. I will pursue the direction described, and ask follow up questions as needed.

    • Marked as answer by John McGarvey Friday, July 25, 2008 4:37 PM
    Friday, July 25, 2008 4:37 PM

All replies

  • Good morning John.
    Thanks for your post regarding the [MS-SYS] protocol specification (various aspects of adding a machine to a domain). We will review your questions and update the forum once our investigation is complete.

    Thanks
    John Dunning
    Escalation Engineer Microsoft Corporation
    US-CSS DSC PROTOCOL TEAM

    • Edited by John Dunning Thursday, July 3, 2008 3:34 PM Adding sig information
    Thursday, July 3, 2008 3:32 PM
  • Hello John,
    Please let me know if the following fully answers your questions.
     
    1) What information is stored on the newly added machine? 
     MS-ADTS - Active Directory Technical Specification Section 7.4.1 - State of a Machine Joined to a Domain documents the required state of a machine that is joined to a domain. No further state is required from the domain join perspective:
     
    7.4.1 State of a Machine Joined to a Domain
    The following variables are part of the state of any machine joined to a domain:
      • domain-secret: A binary sequence of bytes, containing the secret shared between the machine and the domain.
      • machine-account-name: The sAMAccountName of the machine's computer object within the domain.
      • domain-name: A tuple containing:
        • netbios: The NetBIOS name of the domain
        • dns: The fully qualified DNS name of the domain
        If the domain has a DNS name, domain-name.dns contains it. If the domain has a NetBIOS name, domain-name.netbios contains it. The value of at least one of these variables is not NULL.
      • domain-locator: Implementation-specific state sufficient to locate a domain controller of the domain. If the implementation is capable of locating a domain controller given domain-name, then domain-locator can be NULL.
    The specific choices made in implementing a machine joined to a domain (for example, for representing these variables and for generating names) are outside the state model. For Windows, machine-account-name equals the machine name (result of GetComputerName) with "$" appended, and domain-locator is NULL.
     
    2) What is modified via SamrSetInformationUser2 with respect to the client machine?
    No changes are made to the client state from this RPC call.
     
    3) I am trying to understand the server behavior for SamrCreateUser2InDomain in a little more detail.  What AD entries are written or updated as a result of this call?
        The behavior of SamrCreateUser2InDomain is documented in MS-SAMR 3.1.5.4.4. Do you have any more specific questions regarding this?
     
    4) Is it actually possible to do all of the registration of the machine via LDAP, or is there something happening on the server side other than the creation of data in Active Directory?
         All required server-side (AD) changes are documented in MS-ADTS section 7.4.2. Yes it is possible to use LDAP for this purpose; more broadly, any protocol may be used so long as it satisfies the end-state requirements outlined in MS-ADTS section 7.4.2. SAMR or LDAP are the most likely protocol choices though. An additional resource that may prove useful is: http://msdn.microsoft.com/en-us/library/ms808911.aspx which has sample code that uses only LDAP to perform the same operation.
     
    Thanks
    John Dunning
    Escalation Engineer Microsoft Corporation
    US-CSS DSC PROTOCOL TEAM
    Tuesday, July 15, 2008 8:43 PM
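The reply above says the join can be done over LDAP as long as the end state in MS-ADTS is reached, and quotes the client-side state from 7.4.1. The following Python is an added example, not code from the thread or from Microsoft, that makes both halves concrete: it builds the computer object as an LDIF add record (the kind of request ldapadd would send to a DC over LDAPS) and the client-side record from 7.4.1. The attribute set (objectClass chain, sAMAccountName with "$", userAccountControl with the workstation trust-account bit, dNSHostName, HOST SPNs, unicodePwd) is an assumption modelled on what Windows writes, not a transcription of 7.4.2; the 120-character password length and the names ws01, corp.example.com and CORP are constructed for the example.

```python
"""Constructed example: the end state of a domain join expressed as an LDAP add
plus the client-side state record from [MS-ADTS] 7.4.1. Nothing here talks to a
real domain controller; it only builds the request and the record."""
import base64
import secrets
import string

# userAccountControl bits from the [MS-ADTS] userAccountControl definitions.
ADS_UF_ACCOUNTDISABLE = 0x0002
ADS_UF_PASSWD_NOTREQD = 0x0020
ADS_UF_WORKSTATION_TRUST_ACCOUNT = 0x1000


def machine_account_name(computer_name):
    """[MS-ADTS] 7.4.1: Windows uses the computer name with "$" appended."""
    name = computer_name.upper()
    return name if name.endswith("$") else name + "$"


def generate_domain_secret(length=120):
    """Random machine password (the domain-secret). The length is an assumption."""
    alphabet = string.ascii_letters + string.digits + string.punctuation.replace('"', "")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def encode_unicode_pwd(password):
    """unicodePwd as AD expects it over LDAP: the clear-text password wrapped in
    double quotes and encoded as UTF-16LE. A DC only accepts this attribute over
    a confidential connection (LDAPS or a sealed SASL bind)."""
    return ('"' + password + '"').encode("utf-16-le")


def build_computer_add(computer_name, domain_dns, container_dn, password):
    """Attributes of the computer object the DC must hold after the join.
    The attribute set is an assumption modelled on what Windows writes."""
    sam = machine_account_name(computer_name)
    short = sam[:-1]
    fqdn = f"{short.lower()}.{domain_dns.lower()}"
    dn = f"CN={short},{container_dn}"
    attrs = {
        "objectClass": [b"top", b"person", b"organizationalPerson", b"user", b"computer"],
        "sAMAccountName": [sam.encode()],
        "userAccountControl": [str(ADS_UF_WORKSTATION_TRUST_ACCOUNT).encode()],
        "dNSHostName": [fqdn.encode()],
        "servicePrincipalName": [f"HOST/{short}".encode(), f"HOST/{fqdn}".encode()],
        "unicodePwd": [encode_unicode_pwd(password)],
    }
    return dn, attrs


def _ldif_safe(value):
    """RFC 2849: a bare LDIF value must be printable ASCII with no leading
    space, colon or '<' and no trailing space; otherwise it is base64-encoded."""
    try:
        text = value.decode("ascii")
    except UnicodeDecodeError:
        return None
    if text.isprintable() and not text.startswith((" ", ":", "<")) and not text.endswith(" "):
        return text
    return None


def to_ldif(dn, attrs):
    """Render the add request as an LDIF record that ldapadd can consume."""
    lines = [f"dn: {dn}", "changetype: add"]
    for attr, values in attrs.items():
        for value in values:
            text = _ldif_safe(value)
            if text is None:
                lines.append(f"{attr}:: {base64.b64encode(value).decode('ascii')}")
            else:
                lines.append(f"{attr}: {text}")
    return "\n".join(lines) + "\n"


def joined_machine_state(computer_name, domain_dns, domain_netbios, password):
    """The client-side record from [MS-ADTS] 7.4.1. domain-locator is NULL as on
    Windows, which locates a DC from domain-name alone. The secret is kept as
    the UTF-16LE bytes the NT hash is computed over."""
    return {
        "domain-secret": password.encode("utf-16-le"),
        "machine-account-name": machine_account_name(computer_name),
        "domain-name": {"netbios": domain_netbios.upper(), "dns": domain_dns.lower()},
        "domain-locator": None,
    }


if __name__ == "__main__":
    # Constructed names; the container DN is the default Computers container.
    pwd = generate_domain_secret()
    dn, attrs = build_computer_add("ws01", "corp.example.com",
                                   "CN=Computers,DC=corp,DC=example,DC=com", pwd)
    print(to_ldif(dn, attrs))
    print(joined_machine_state("ws01", "corp.example.com", "CORP", pwd))
```

The LDIF can be submitted with `ldapadd -H ldaps://<dc> -D <admin bind DN> -W -f computer.ldif`; over plain LDAP the DC refuses the unicodePwd attribute, and the password must still satisfy the domain password policy. Two things worth checking before doing this in a real environment: the binding identity needs create-child rights on the target container, and by default any authenticated user can create up to ms-DS-MachineAccountQuota (10) computer objects in the domain, so this same sequence is available to far more principals than the administrator the question assumes.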