Windows 2000: LDAPv3 RootDSE
ID: Q219005
The information in this article applies to:
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Server
SUMMARY
The RootDSE (root DSA-Specific Entry) is the standard entry at the root of an LDAPv3 directory tree. It publishes information about the directory server, including its capabilities and configuration. A search of the RootDSE returns a standard set of attributes defined in the following RFC:
RFC 2251 - Lightweight Directory Access Protocol (v3)
MORE INFORMATION
The LDAP protocol assumes there are one or more servers that jointly provide access to a Directory Information Tree (DIT). At the root of the DIT is a DSA-specific Entry (DSE) and it is not part of any naming context. Each server has different attribute values in the root DSE. (DSA is an X.500 term for the directory server.)
The root DSE (DSA-specific Entry) is retrieved from an LDAPv3 server by a base-level search with a null (empty) base DN and the filter (objectClass=*). The root DSE publishes information about the LDAP server, including the LDAP versions it supports, the SASL mechanisms it supports, the controls it supports, and the DN of its subschemaSubentry. In addition to server information, operational attributes may be exposed that allow extended administrative functionality. Active Directory returns the root DSE to unauthenticated clients, so everything listed below is available to anyone who can reach the LDAP port of a domain controller; treat it as reconnaissance data when a DC is reachable from untrusted networks.
For more information on this LDAPv3 requirement, see Section 3.4 of RFC 2251. This article describes the attributes exposed in the Active Directory RootDSE.
Section 5.2 of RFC 2252 defines a set of root DSE attributes that should be published by LDAPv3 servers that support them. In addition, Section 3.4 of RFC 2251 adds the subschemaSubentry to make a total of seven standard attributes published in the root DSE section of an LDAPv3 server.
These core attributes are defined as follows:
- namingContexts: The values of this attribute correspond to naming contexts which this server masters or shadows. If the server believes it contains the entire directory, the attribute will have a single value, and that value will be the empty string (indicating the null DN of the root). This attribute will allow a client to choose suitable base objects for searching when it has contacted a server.
- subschemaSubentry: The value of this attribute is the name of a subschema entry (or subentry if the server is based on X.500(93)) in which the server makes available attributes specifying the schema. Supported attributes are exposed in the attributeTypes property and supported classes in the objectClasses property. The subschemaSubentry property and subschema are defined in LDAPv3 (RFC 2251).
- altServer: The values of this attribute are URLs of other servers that may be contacted when this server becomes unavailable. If the server does not know of any other servers that could be used, this attribute will be absent. Clients may cache this information in case their preferred LDAP server later becomes unavailable.
- supportedExtension: The values of this attribute are Object Identifiers (OIDs) identifying the extended operations that the server supports. If the server does not support any extensions, this attribute will be absent.
- supportedControl: The values of this attribute are Object Identifiers (OIDs) identifying the controls that the server supports. If the server does not support any controls, this attribute will be absent.
- supportedSASLMechanisms: The values of this attribute are the names of the SASL mechanisms that the server supports. If the server does not support any mechanisms, this attribute will be absent. Active Directory advertises GSSAPI (Kerberos) and GSS-SPNEGO, as the trace below shows.
- supportedLDAPVersion: The values of this attribute are the versions of the LDAP protocol that the server implements.
In addition, Active Directory supports the following 'informational' attributes:
- currentTime: The current time in UTC ('Zulu' time) as a generalized time string of the form YYYYMMDDHHMMSS.0Z (year, month, day, then hours, minutes and seconds on a 24-hour clock, followed by 'Z'). In the trace below, 19990315231515.0Z is 15 March 1999 at 23:15:15 UTC.
- dsServiceName: DN of the NTDS Settings object for this directory server (beneath its server object in the Configuration container).
- defaultNamingContext: The default naming context (NC) for this server. By default, the DN of the domain of which this directory server is a member.
- schemaNamingContext: DN of the Enterprise Schema Naming Context.
- configurationNamingContext: DN of the Enterprise Configuration Naming Context.
- rootDomainNamingContext: DN of the forest root domain (the first domain created in the forest). In a single-domain forest, as in the trace below, this is the same as defaultNamingContext; in a multi-domain forest it is not necessarily the domain this server is a DC for.
- supportedLDAPPolicies: Names of the LDAP administrative limits (query policies) that this server enforces, such as MaxPageSize and MaxQueryDuration.
- highestCommittedUSN: Highest update sequence number (USN) committed to the database on this server.
- dnsHostName: The DNS name of this DC.
- ldapServiceName: Service Principal Name (SPN) for the LDAP server, in the form <forest DNS name>:<DC computer account>@<Kerberos realm>, as in lcdom.com:RTHOMDC$@LCDOM.COM below. Used for mutual authentication.
- serverName: DN for the server object for this directory server as defined in the Configuration container.
- supportedCapabilities: The values of this attribute are OBJECT IDENTIFIERs (OIDs) identifying the supported capabilities of the server.
Below is a network trace of a search request to the domain lcdom.com. The domain controller is named rthomdc.lcdom.com. The transport layer and lower-level protocols have been removed for clarity.
Search on RootDSE:
LDAP: ProtocolOp: SearchRequest (3)
LDAP: MessageID
LDAP: ProtocolOp = SearchRequest
LDAP: Base Object =
LDAP: Scope = Base Object
LDAP: Deref Aliases = Never Deref Aliases
LDAP: Size Limit = No Limit
LDAP: Time Limit = No Limit
LDAP: Attrs Only = 0 (0x0)
LDAP: Filter Type = Present
LDAP: Attribute Type = objectClass
SearchResponse of RootDSE:
LDAP: ProtocolOp: SearchResponse (4)
LDAP: MessageID
LDAP: ProtocolOp = SearchResponse
LDAP: Object Name =
LDAP: Attribute Type = currentTime
LDAP: Attribute Value = 19990315231515.0Z
LDAP: Attribute Type = subschemaSubentry
LDAP: Attribute Value = CN=Aggregate,CN=Schema,CN=Configuration,DC=lcdom,DC=com
LDAP: Attribute Type = dsServiceName
LDAP: Attribute Value = CN=NTDS Settings, CN=RTHOMDC,CN=Servers,CN=Sites,CN=Configuration,DC=lcdom,DC=com
LDAP: Attribute Type = namingContexts
LDAP: Attribute Value = CN=Schema,CN=Configuration,DC=lcdom,DC=com
LDAP: Attribute Value = CN=Configuration,DC=lcdom,DC=com
LDAP: Attribute Value = DC=lcdom,DC=com
LDAP: Attribute Type = defaultNamingContext
LDAP: Attribute Value = DC=lcdom,DC=com
LDAP: Attribute Type = schemaNamingContext
LDAP: Attribute Value = CN=Schema,CN=Configuration,DC=lcdom,DC=com
LDAP: Attribute Type = configurationNamingContext
LDAP: Attribute Value = CN=Configuration,DC=lcdom,DC=com
LDAP: Attribute Type = rootDomainNamingContext
LDAP: Attribute Value = DC=lcdom,DC=com
LDAP: Attribute Type = supportedControl
LDAP: Attribute Value = 1.2.840.113556.1.4.319
LDAP: Attribute Value = 1.2.840.113556.1.4.801
LDAP: Attribute Value = 1.2.840.113556.1.4.473
LDAP: Attribute Value = 1.2.840.113556.1.4.528
LDAP: Attribute Value = 1.2.840.113556.1.4.417
LDAP: Attribute Value = 1.2.840.113556.1.4.619
LDAP: Attribute Value = 1.2.840.113556.1.4.841
LDAP: Attribute Value = 1.2.840.113556.1.4.529
LDAP: Attribute Value = 1.2.840.113556.1.4.805
LDAP: Attribute Value = 1.2.840.113556.1.4.521
LDAP: Attribute Value = 1.2.840.113556.1.4.970
LDAP: Attribute Value = 1.2.840.113556.1.4.1338
LDAP: Attribute Value = 1.2.840.113556.1.4.474
LDAP: Attribute Value = 1.2.840.113556.1.4.1339
LDAP: Attribute Type = supportedLDAPVersion
LDAP: Attribute Value = 3
LDAP: Attribute Value = 2
LDAP: Attribute Type = supportedLDAPPolicies
LDAP: Attribute Value = InitRecvTimeout
LDAP: Attribute Value = MaxConnections
LDAP: Attribute Value = MaxConnIdleTime
LDAP: Attribute Value = MaxActiveQueries
LDAP: Attribute Value = MaxNotificationPerConn
LDAP: Attribute Value = MaxPageSize
LDAP: Attribute Value = MaxQueryDuration
LDAP: Attribute Value = MaxTempTableSize
LDAP: Attribute Value = MaxResultSetSize
LDAP: Attribute Value = MaxPoolThreads
LDAP: Attribute Value = MaxDatagramRecv
LDAP: Attribute Type = highestCommittedUSN
LDAP: Attribute Value = 17878
LDAP: Attribute Type = supportedSASLMechanisms
LDAP: Attribute Value = GSSAPI
LDAP: Attribute Value = GSS-SPNEGO
LDAP: Attribute Type = dnsHostName
LDAP: Attribute Value = RTHOMDC.lcdom.com
LDAP: Attribute Type = ldapServiceName
LDAP: Attribute Value = lcdom.com:RTHOMDC$@LCDOM.COM
LDAP: Attribute Type = serverName
LDAP: Attribute Value = CN=RTHOMDC,CN=Servers,CN=Sites,CN=Configuration,DC=lcdom,DC=com
LDAP: Attribute Type = supportedCapabilities
LDAP: Attribute Value = 1.2.840.113556.1.4.800
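The exchange above, as an added, runnable example that is not part of the original article and not Microsoft's code: the Python below BER-encodes the RootDSE SearchRequest exactly as the trace shows it (empty base object, baseObject scope, never-deref aliases, no limits, a 'present' filter on objectClass, all attributes), decodes a SearchResultEntry into a dictionary of attribute values, and checks for the supportedCapabilities value 1.2.840.113556.1.4.800 that Active Directory publishes. The response it parses is constructed inline from the values in the trace, not captured from a live server; query_rootdse is the only function that touches the network and sends the same request, unauthenticated, to a host you name. All function names are this example's own.

```python
import socket

# --- minimal BER helpers: LDAP uses a restricted BER, and the rootDSE exchange needs only this much ---

def ber_len(n):
    """Encode a BER length: short form below 128, long form (0x80 | count, then big-endian bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    """One BER element: tag byte, length, contents."""
    return bytes([tag]) + ber_len(len(body)) + body

def ber_int(n):
    """Contents of a non-negative INTEGER (adds a leading 0x00 when the top bit is set)."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")

def ber_read(buf, pos):
    """Decode the element at buf[pos]; return (tag, contents, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

# --- the SearchRequest from the trace ---

def build_rootdse_request(msg_id=1):
    """LDAPMessage { messageID, SearchRequest } for the rootDSE, field by field as in the trace."""
    search = (
        tlv(0x04, b"")                 # baseObject   LDAPDN ""          (Base Object = <empty>)
        + tlv(0x0A, b"\x00")           # scope        baseObject (0)    (Scope = Base Object)
        + tlv(0x0A, b"\x00")           # derefAliases neverDerefAliases (0)
        + tlv(0x02, ber_int(0))        # sizeLimit    0 = No Limit
        + tlv(0x02, ber_int(0))        # timeLimit    0 = No Limit
        + tlv(0x01, b"\x00")           # typesOnly    FALSE             (Attrs Only = 0)
        + tlv(0x87, b"objectClass")    # filter       [7] present: objectClass, i.e. (objectClass=*)
        + tlv(0x30, b"")               # attributes   empty list = return all user attributes
    )
    return tlv(0x30, tlv(0x02, ber_int(msg_id)) + tlv(0x63, search))  # 0x63 = [APPLICATION 3]

def parse_search_entry(msg):
    """Decode an LDAPMessage carrying a SearchResultEntry ([APPLICATION 4], tag 0x64).
    Returns (messageID, objectName, {attribute type: [values]}). Raises ValueError on other ops
    (for example a SearchResultDone carrying an error)."""
    tag, body, _ = ber_read(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = ber_read(body, 0)
    tag, entry, _ = ber_read(body, pos)
    if tag != 0x64:
        raise ValueError(f"expected SearchResultEntry, got protocolOp tag 0x{tag:02x}")
    _, dn, pos = ber_read(entry, 0)
    _, attr_list, _ = ber_read(entry, pos)
    attrs, pos = {}, 0
    while pos < len(attr_list):
        _, attr, pos = ber_read(attr_list, pos)        # PartialAttribute SEQUENCE
        _, atype, p = ber_read(attr, 0)                # type  AttributeDescription
        _, vals, _ = ber_read(attr, p)                 # vals  SET OF AttributeValue
        values, q = [], 0
        while q < len(vals):
            _, v, q = ber_read(vals, q)
            values.append(v.decode("utf-8"))
        attrs[atype.decode("utf-8")] = values
    return int.from_bytes(mid, "big"), dn.decode("utf-8"), attrs

def is_active_directory(attrs):
    """Active Directory advertises 1.2.840.113556.1.4.800 in supportedCapabilities (the value in the trace)."""
    return "1.2.840.113556.1.4.800" in attrs.get("supportedCapabilities", [])

def build_sample_response(msg_id=1):
    """Constructed SearchResultEntry using values from the article's trace; not a live capture."""
    def attribute(name, *values):
        return tlv(0x30, tlv(0x04, name.encode()) + tlv(0x31, b"".join(tlv(0x04, v.encode()) for v in values)))
    attrs = (
        attribute("currentTime", "19990315231515.0Z")
        + attribute("namingContexts", "CN=Schema,CN=Configuration,DC=lcdom,DC=com",
                    "CN=Configuration,DC=lcdom,DC=com", "DC=lcdom,DC=com")
        + attribute("defaultNamingContext", "DC=lcdom,DC=com")
        + attribute("supportedLDAPVersion", "3", "2")
        + attribute("supportedSASLMechanisms", "GSSAPI", "GSS-SPNEGO")
        + attribute("dnsHostName", "RTHOMDC.lcdom.com")
        + attribute("supportedCapabilities", "1.2.840.113556.1.4.800")
    )
    entry = tlv(0x04, b"") + tlv(0x30, attrs)          # objectName "" (Object Name = <empty>) + attributes
    return tlv(0x30, tlv(0x02, ber_int(msg_id)) + tlv(0x64, entry))

def query_rootdse(host, port=389, timeout=5.0):
    """Send the request to a live server with no bind (the rootDSE is readable anonymously) and
    return the first complete message parsed as a SearchResultEntry. Only this function uses the network."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_rootdse_request())
        buf = b""
        while True:
            chunk = s.recv(65536)
            if not chunk:
                raise ConnectionError("connection closed before a SearchResultEntry arrived")
            buf += chunk
            if len(buf) < 2 or (buf[1] & 0x80 and len(buf) < 2 + (buf[1] & 0x7F)):
                continue                                # length octets not all here yet
            _, _, end = ber_read(buf, 0)                # end of the first message
            if end <= len(buf):
                return parse_search_entry(buf[:end])

if __name__ == "__main__":
    import sys
    mid, dn, attrs = query_rootdse(sys.argv[1]) if len(sys.argv) > 1 else parse_search_entry(build_sample_response())
    for name, values in attrs.items():
        print(f"{name}: {', '.join(values)}")
    print("Active Directory:", is_active_directory(attrs))
```

Run it with no arguments to decode the constructed sample, or with a DC hostname to query a real server on TCP 389; the request is 39 bytes on the wire, and because no BindRequest precedes it, a successful reply demonstrates exactly how much a DC discloses to an anonymous client.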
Additional query words: rfc2251
Keywords:
Version: WINDOWS:2000
Platform: WINDOWS
Issue type: kbinfo