Directory Services

Serverless Binding and RootDSE

Do not hard-code a server name where you can avoid it, and under most circumstances do not tie a binding to a single server at all. Active Directory supports serverless binding: a client can bind to the default domain without naming a domain controller. For an ordinary application the default domain is the domain of the logged-on user; for a service it is either the domain of the service logon account or the domain of the client that the service is impersonating.

In LDAP 3.0, the rootDSE is defined as the root of the directory data tree on a directory server. It is not part of any naming context; its purpose is to provide data about the directory server itself. The following binding string binds to the rootDSE.

LDAP://<servername>/rootDSE

<servername> is the DNS name of a domain controller. It is optional, as in the following form.

LDAP://rootDSE

In this case, a domain controller from the domain of the calling thread's security context is used. The locator prefers a domain controller in the caller's site; if none can be reached, the first domain controller it finds is used. Because successive serverless binds can land on different domain controllers, and replication between them is not instantaneous, an operation that must see an earlier write should bind explicitly to the server that rootDSE reports in dnsHostName rather than bind serverlessly again.

For an Active Directory server (a Windows 2000 domain controller), the rootDSE contains the following attributes.

Property                    Description
currentTime                 The current time set on this directory server.
subschemaSubentry           The distinguished name of the subSchema object, whose attributeTypes and
                            objectClasses properties expose the attributes and classes the server
                            supports. The subschemaSubentry property and the subschema are defined
                            in LDAP 3.0 (see RFC 2251).
dsServiceName               The distinguished name of the NTDS Settings object for this directory server.
namingContexts              Multi-valued. The distinguished names of all naming contexts stored on this
                            directory server. By default, a Windows 2000 domain controller holds at
                            least three: Schema, Configuration, and the domain of which the server is
                            a member.
defaultNamingContext        The distinguished name of the domain of which this directory server is a member.
schemaNamingContext         The distinguished name of the schema container.
configurationNamingContext  The distinguished name of the configuration container.
rootDomainNamingContext     The distinguished name of the forest root domain, that is, the first domain
                            created in the forest that contains the domain of which this server is a
                            member.
supportedControl            Multi-valued. The OIDs of the extended controls this directory server
                            supports. The controls supported by Active Directory are listed in the
                            table that follows this one.
supportedLDAPVersion        Multi-valued. The LDAP versions (by major version number) this directory
                            server supports.
highestCommittedUSN         The highest update sequence number (USN) committed on this directory server.
                            Used by directory replication.
supportedSASLMechanisms     The security mechanisms supported for SASL negotiation (see the LDAP RFCs).
                            By default, GSSAPI is supported.
dnsHostName                 The DNS host name of this directory server.
ldapServiceName             The service principal name (SPN) of the LDAP server. Used for mutual
                            authentication.
serverName                  The distinguished name of the server object that represents this directory
                            server in the configuration container.

The rootDSE is a well-known and reliable location on every directory server from which to get the distinguished names of the domain, schema, and configuration containers, together with other data about the server and the contents of its directory data tree. The naming-context distinguished names and the other structural properties rarely change on a particular server, so an application can read them at startup and use them throughout the session; currentTime and highestCommittedUSN change continuously and must be read again each time they are needed. Active Directory allows the rootDSE to be read without authenticating, so that clients can discover server capabilities before they bind; treat its contents as public information and keep anything sensitive elsewhere in the directory.

In summary, an application should use serverless binding to bind to the directory on the current domain, read the distinguished name of the naming context it needs from rootDSE, and use that distinguished name to bind to objects in the naming context.
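The procedure above, as an added PowerShell example that is not code from the original page: a serverless bind to rootDSE, a dump of what it reports, and a bind to the domain head using the distinguished name rootDSE returned. It assumes Windows PowerShell 5.1 on a domain-joined host run under a domain account, and uses System.DirectoryServices, the .NET wrapper over ADSI. The Secure, Signing and Sealing authentication flags are a choice made here for a protected session; the page itself does not prescribe them.

```powershell
# Added example, not code from the original page. Serverless bind to rootDSE,
# read the naming-context DNs it reports, then bind to the domain head by DN.
# Assumes Windows PowerShell 5.1 on a domain-joined host, run as a domain
# account; System.DirectoryServices is the .NET wrapper over ADSI.
Add-Type -AssemblyName System.DirectoryServices

# Kerberos/NTLM through SSPI, plus LDAP signing and sealing, so the session
# carries integrity and confidentiality protection instead of going plaintext.
# (Chosen here; the page does not prescribe authentication flags.)
$auth = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
        [System.DirectoryServices.AuthenticationTypes]::Signing -bor
        [System.DirectoryServices.AuthenticationTypes]::Sealing

# Serverless bind: no server name, so the DC locator chooses a domain
# controller for the caller's domain, preferring one in the current site.
$rootDse = New-Object System.DirectoryServices.DirectoryEntry('LDAP://rootDSE', $null, $null, $auth)

# Print every attribute rootDSE exposes; multi-valued ones are joined with '; '.
foreach ($name in $rootDse.Properties.PropertyNames) {
    $values = @($rootDse.Properties[$name] | ForEach-Object { [string]$_ })
    '{0,-28} {1}' -f $name, ($values -join '; ')
}

$defaultNc = [string]$rootDse.Properties['defaultNamingContext'].Value
$dcHost    = [string]$rootDse.Properties['dnsHostName'].Value

# Bind to the domain object with the DN rootDSE reported, never a hard-coded one.
$domain = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$defaultNc", $null, $null, $auth)
'Bound to {0} via {1}' -f ([string]$domain.Properties['distinguishedName'].Value), $dcHost

# Only when later operations must see this DC's view (for example a read that
# must observe a write just made) pin them to the server rootDSE named,
# instead of binding serverlessly again and possibly landing on another replica.
$sameDc = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dcHost/$defaultNc", $null, $null, $auth)
'Pinned path: ' + $sameDc.Path
```

The script never writes a server or domain name into code: the only DN it binds to is the one rootDSE returned, and the only host name it uses is the one rootDSE returned, so the same script runs unchanged in any domain.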

Active Directory advertises the following extended controls in the supportedControl attribute. The table reflects the controls available when it was written; later versions of Active Directory advertise additional controls, so a client should read supportedControl from the rootDSE of the server it is bound to rather than assume a control is present. For more information, see LDAPControl and ldap_search_init_page.

Control OID                 String constant
1.2.840.113556.1.4.319      LDAP_PAGED_RESULT_OID_STRING
1.2.840.113556.1.4.473      LDAP_SERVER_SORT_OID
1.2.840.113556.1.4.474      LDAP_SERVER_RESP_SORT_OID
1.2.840.113556.1.4.801      LDAP_SERVER_SD_FLAGS_OID
1.2.840.113556.1.4.528      LDAP_SERVER_NOTIFICATION_OID
1.2.840.113556.1.4.417      LDAP_SERVER_SHOW_DELETED_OID
1.2.840.113556.1.4.619      LDAP_SERVER_LAZY_COMMIT_OID
1.2.840.113556.1.4.841      LDAP_SERVER_DIRSYNC_OID
1.2.840.113556.1.4.529      LDAP_SERVER_EXTENDED_DN_OID
1.2.840.113556.1.4.805      LDAP_SERVER_TREE_DELETE_OID
1.2.840.113556.1.4.521      LDAP_SERVER_CROSSDOM_MOVE_TARGET_OID
1.2.840.113556.1.4.1338     LDAP_SERVER_VERIFY_NAME_OID
1.2.840.113556.1.4.1339     LDAP_SERVER_DOMAIN_SCOPE_OID
1.2.840.113556.1.4.1340     LDAP_SERVER_SEARCH_OPTIONS_OID
1.2.840.113556.1.4.1413     LDAP_SERVER_PERMISSIVE_MODIFY_OID
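Checking what the bound domain controller advertises before relying on it, then using one of the controls, as an added PowerShell example that is not code from the original page. It assumes the same domain-joined Windows PowerShell host as before; the OID-to-name map is a subset of the table above. DirectorySearcher sends the paged-results control (1.2.840.113556.1.4.319) whenever PageSize is non-zero, so the script confirms that OID is in supportedControl before searching. The search filter and page size are illustrative choices.

```powershell
# Added example, not code from the original page. Read supportedControl,
# supportedLDAPVersion and supportedSASLMechanisms from rootDSE, report which
# controls from the page's table the DC advertises, and run a paged search.
# Assumes Windows PowerShell 5.1 on a domain-joined host, run as a domain account.
Add-Type -AssemblyName System.DirectoryServices

# Subset of the OID table on this page, keyed by OID.
$controlNames = @{
    '1.2.840.113556.1.4.319' = 'LDAP_PAGED_RESULT_OID_STRING'
    '1.2.840.113556.1.4.473' = 'LDAP_SERVER_SORT_OID'
    '1.2.840.113556.1.4.801' = 'LDAP_SERVER_SD_FLAGS_OID'
    '1.2.840.113556.1.4.417' = 'LDAP_SERVER_SHOW_DELETED_OID'
    '1.2.840.113556.1.4.529' = 'LDAP_SERVER_EXTENDED_DN_OID'
    '1.2.840.113556.1.4.805' = 'LDAP_SERVER_TREE_DELETE_OID'
}

$auth = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
        [System.DirectoryServices.AuthenticationTypes]::Signing -bor
        [System.DirectoryServices.AuthenticationTypes]::Sealing

$rootDse = New-Object System.DirectoryServices.DirectoryEntry('LDAP://rootDSE', $null, $null, $auth)

# Capabilities the DC advertises, normalised to plain strings and ints.
$supported = @($rootDse.Properties['supportedControl']        | ForEach-Object { [string]$_ })
$versions  = @($rootDse.Properties['supportedLDAPVersion']    | ForEach-Object { [int]$_ })
$saslMechs = @($rootDse.Properties['supportedSASLMechanisms'] | ForEach-Object { [string]$_ })

if ($versions -notcontains 3) { throw 'DC does not advertise LDAP v3; controls are not available' }
if ($saslMechs -notcontains 'GSSAPI') { Write-Warning 'GSSAPI not advertised; Kerberos bind may not be available' }

# Report the controls from the table that this DC does or does not advertise.
foreach ($oid in $controlNames.Keys) {
    $state = if ($supported -contains $oid) { 'supported' } else { 'MISSING' }
    '{0,-40} {1,-26} {2}' -f $controlNames[$oid], $oid, $state
}

$pagedOid = '1.2.840.113556.1.4.319'
if ($supported -notcontains $pagedOid) { throw "Paged-results control $pagedOid not supported; refusing to run an unpaged search" }

# Paged search over the domain naming context rootDSE reported. PageSize > 0
# makes DirectorySearcher send the paged-results control on every request, so
# the server's MaxPageSize limit (1000 by default) does not truncate the results.
$defaultNc = [string]$rootDse.Properties['defaultNamingContext'].Value
$domain    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$defaultNc", $null, $null, $auth)
$searcher  = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.Filter   = '(objectCategory=computer)'   # illustrative filter
$searcher.PageSize = 500                           # illustrative page size
$searcher.PropertiesToLoad.AddRange(@('dNSHostName', 'distinguishedName'))

$count = 0
foreach ($result in $searcher.FindAll()) {
    $count++
    if ($result.Properties['dnshostname'].Count -gt 0) {
        [string]$result.Properties['dnshostname'][0]
    }
}
"$count computer object(s) returned across all pages"
```

The same pattern applies to the other DirectorySearcher features that are implemented as controls in the table: Sort uses LDAP_SERVER_SORT_OID, SecurityMasks uses LDAP_SERVER_SD_FLAGS_OID, Tombstone uses LDAP_SERVER_SHOW_DELETED_OID and ExtendedDN uses LDAP_SERVER_EXTENDED_DN_OID, so each should be checked against supportedControl in the same way before it is switched on.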

For more information and a code example that shows how to use serverless binding and rootDSE, see Example Code for Getting the Distinguished Name of the Domain.