Platform SDK: Active Directory, ADSI, and Directory Services
You should never hardcode a server name. Additionally, you should avoid unnecessarily tying your binding to a single server under most circumstances. Active Directory supports serverless binding, which means you can bind to Active Directory on the default domain without specifying the name of a domain controller. When processing your serverless binding call, ADSI finds the "best" Windows 2000 domain controller in the default domain, which is the domain associated with the current security context of the thread that's doing the binding. For ordinary applications, this is typically the domain of the logged-on user. For service applications, this is either the domain of the service's logon account or that of the client the service is impersonating.
In LDAP 3.0, rootDSE is defined as the root of the directory information tree on a directory server. The rootDSE is not part of any namespace. The purpose of the rootDSE is to provide information about the directory server.
ADsPath string for rootDSE:
LDAP://rootDSE
or
LDAP://servername/rootDSE
In this example, servername is the name of the server. If the servername is not specified, ADSI uses a domain controller in the domain associated with the current security context of the calling thread. ADSI attempts to find a domain controller within the client computer's site (a site is usually defined as an IP subnet) and connect to that domain controller. If a domain controller cannot be accessed within the site, ADSI uses the first domain controller that can be found.
For an Active Directory server (a Windows NT domain controller), the rootDSE contains the following properties:
| Property | Description |
|---|---|
| currentTime | Current time set on this directory server. |
| subschemaSubentry | Distinguished name for the subSchema object. The subSchema object contains properties that expose the supported attributes (in the attributeTypes property) and classes (in the objectClasses property). The subschemaSubentry property and subschema are defined in LDAP 3.0 (see RFC 2251). |
| dsServiceName | The distinguished name of the NTDS settings object for this directory server. |
| namingContexts | Multi-valued. Distinguished names for all naming contexts stored on this directory server. By default, a Windows 2000 domain controller contains at least three namespaces: Schema, Configuration, and one for the domain of which the server is a member. |
| defaultNamingContext | By default, the distinguished name for the domain of which this directory server is a member. |
| schemaNamingContext | Distinguished name for the schema container. |
| configurationNamingContext | Distinguished name for the configuration container. |
| rootDomainNamingContext | Distinguished name for the first domain in the forest that contains the domain of which this directory server is a member. |
| supportedControl | Multi-valued. OIDs for extension controls supported by this directory server. |
| supportedLDAPVersion | Multi-valued. LDAP versions (specified by major version number) supported by this directory server. |
| highestCommittedUSN | Highest USN used on this directory server. Used by directory replication. |
| supportedSASLMechanisms | Security mechanisms supported for SASL negotiation (see LDAP RFCs). By default, GSSAPI is supported. |
| dnsHostName | DNS address for this directory server. |
| ldapServiceName | Service Principal Name (SPN) for the LDAP server. Used for mutual authentication. |
| serverName | Distinguished name for the server object for this directory server in the configuration container. |
The rootDSE is a well-known and reliable location on every directory server to get distinguished names to the domain container, schema container, configuration container, and other information about the server and the contents of its directory information tree. These properties rarely change on a particular server. Your application can read these properties at startup and use them throughout the session.
In summary, your application should use serverless binding to bind to the directory on the current domain, use rootDSE to get the distinguished name for a namespace, and use that distinguished name to bind to objects in the namespace.
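The procedure summarized above, as an added example that is not part of the SDK page: it goes through the .NET System.DirectoryServices wrapper over ADSI rather than the raw COM interfaces, the function name `Get-RootDseInfo` is my own, and it reads the rootDSE serverlessly, checks that the chosen domain controller offers LDAP v3 and GSSAPI, and then binds to the domain container using the distinguished name taken from defaultNamingContext.

```powershell
# Added example (not SDK code): serverless bind to rootDSE, then bind to the
# default naming context using the DN read from rootDSE. No server name is
# hardcoded anywhere; ADSI picks a DC from the caller's security context.
Add-Type -AssemblyName System.DirectoryServices

# Secure = negotiate (Kerberos/NTLM) with the current thread's credentials;
# Sealing and Signing request encryption and integrity on the LDAP session.
$SecureAuth = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
              [System.DirectoryServices.AuthenticationTypes]::Sealing -bor
              [System.DirectoryServices.AuthenticationTypes]::Signing

function Get-RootDseInfo {
    # Serverless ADsPath: ADSI prefers a DC in the client's site, otherwise
    # the first DC it can find in the default domain.
    $root = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://rootDSE", $null, $null, $SecureAuth)

    # rootDSE is not part of any namespace; it is only read, never bound to
    # as a container. Multi-valued attributes are forced into arrays.
    $info = [ordered]@{
        DnsHostName           = [string]$root.Properties["dnsHostName"].Value
        DefaultNamingContext  = [string]$root.Properties["defaultNamingContext"].Value
        ConfigurationNC       = [string]$root.Properties["configurationNamingContext"].Value
        SchemaNC              = [string]$root.Properties["schemaNamingContext"].Value
        SupportedLdapVersions = @($root.Properties["supportedLDAPVersion"].Value)
        SupportedSasl         = @($root.Properties["supportedSASLMechanisms"].Value)
    }
    $root.Dispose()
    return [pscustomobject]$info
}

$dse = Get-RootDseInfo

# Checks a client should make before trusting the session: LDAP v3 must be
# offered, and GSSAPI (Kerberos) must be among the SASL mechanisms so that
# mutual authentication against the DC's SPN is possible.
if ($dse.SupportedLdapVersions -notcontains '3') {
    throw "DC $($dse.DnsHostName) does not offer LDAP v3"
}
if ($dse.SupportedSasl -notcontains 'GSSAPI') {
    throw "DC $($dse.DnsHostName) does not offer GSSAPI"
}

# Bind to the domain container by the DN obtained from rootDSE, still serverless.
$domain = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$($dse.DefaultNamingContext)", $null, $null, $SecureAuth)
"Bound to {0} via {1}" -f $domain.Properties["distinguishedName"].Value, $dse.DnsHostName
$domain.Dispose()
```

The same DN-from-rootDSE pattern applies to the schema and configuration containers (`$dse.SchemaNC`, `$dse.ConfigurationNC`), so none of the three well-known naming contexts ever needs to be typed into the application.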