Question

The following screenshot shows a snippet of network communication as sniffed by Wireshark. It is a part of the login process, where a domain-joined client tries to log in to a Windows Server 2008 R2 (which is the domain controller). The protocol used is Connectionless LDAP (CLDAP), also known as LDAP Ping.

[Screenshot: Active Directory Communication - Sniffed by Wireshark]

Sample response:

[Screenshot of the sample response]

It seems that the query is trying to get some "filtered" information regarding the "Netlogon" attribute. This attribute is documented here: http://msdn.microsoft.com/en-us/library/cc223260.aspx

Moreover, as described in http://msdn.microsoft.com/en-us/library/cc223254.aspx, this attribute is operational, meaning that:

... the server returns the attribute only when it is explicitly requested.

I tried to write a simple ADSI script to get more info about this attribute, but I got an error. Here's the script:

Set obj = GetObject("LDAP://rootDSE")

attArray = Array("netlogon") 
obj.GetInfoEx attArray, 0
WScript.Echo obj.netlogon
  • Error message: Object doesn't support this property or method: 'obj.netlogon'.
  • Error code: 800A01B6

Could you please help me with the script?

Solution

For later reference, I provide one of my comments above as the answer:

I finally understood what's wrong: According to this page: "The client then uses this IP address to establish a UDP connection to the LDAP service on the DC and query for the NETLOGON attribute in RootDSE. This attribute doesn't actually exist in the directory; rather, it's used to perform an LDAP ping." More info: http://msdn.microsoft.com/en-us/library/cc223811(v=prot.20).aspx
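The LDAP ping described in the answer, as an added example that is not part of the original post or of any Microsoft code: it BER-encodes the rootDSE searchRequest that asks for "Netlogon" and decodes it back into the fields Wireshark displays. The function names are hypothetical, and the domain `example.com` and the NtVer value are constructed sample inputs; nothing is sent on the network.

```python
import struct

def tlv(tag, body=b""):
    """Encode one BER element; short-form length only (body < 128 bytes)."""
    if len(body) > 127:
        raise ValueError("long-form BER length not handled")
    return bytes([tag, len(body)]) + body

def build_ldap_ping(dns_domain, nt_ver, msg_id=1):
    """Build the rootDSE searchRequest that asks for the Netlogon attribute."""
    def eq(attr, val):  # equalityMatch [3]
        return tlv(0xA3, tlv(0x04, attr) + tlv(0x04, val))
    flt = tlv(0xA0, eq(b"DnsDomain", dns_domain.encode())
                    + eq(b"NtVer", struct.pack("<I", nt_ver)))  # and [0]
    req = (tlv(0x04)                 # baseObject "" (rootDSE)
           + tlv(0x0A, b"\x00")      # scope: baseObject
           + tlv(0x0A, b"\x00")      # derefAliases: never
           + tlv(0x02, b"\x00")      # sizeLimit: 0
           + tlv(0x02, b"\x00")      # timeLimit: 0
           + tlv(0x01, b"\x00")      # typesOnly: FALSE
           + flt
           + tlv(0x30, tlv(0x04, b"Netlogon")))  # attributes to return
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x63, req))

def read_tlvs(buf):
    """Split a buffer into (tag, value) pairs, rejecting truncated input."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] > 127 or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated or long-form BER element")
        out.append((buf[i], buf[i + 2:i + 2 + buf[i + 1]]))
        i += 2 + buf[i + 1]
    return out

def parse_ldap_ping(packet):
    """Decode a searchRequest into base DN, filter terms and attribute list."""
    op_tag, op = read_tlvs(read_tlvs(packet)[0][1])[1]
    if op_tag != 0x63:  # [APPLICATION 3] = searchRequest
        raise ValueError("not a searchRequest")
    fields = read_tlvs(op)
    (flt_tag, flt), (_, attrs) = fields[6], fields[7]
    terms = {}
    for tag, item in (read_tlvs(flt) if flt_tag == 0xA0 else [(flt_tag, flt)]):
        if tag == 0xA3:
            (_, name), (_, value) = read_tlvs(item)
            terms[name.decode()] = value
    return {"base": fields[0][1].decode(), "filter": terms,
            "attributes": [v.decode() for _, v in read_tlvs(attrs)]}

print(parse_ldap_ping(build_ldap_ping("example.com", 0x00000006)))  # constructed sample
```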

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow