Overview#

LDAP ping is a Microsoft Active Directory-specific Lightweight Directory Access Protocol (LDAP) or Connection-less Lightweight Directory Access Protocol (CLDAP) search that returns information about whether services are live on a Domain Controller (DC).

As far as we know, LDAP ping is used only for "Liveness" and Capability Verification of a specific Domain Controller.

It is typically performed by the local Netlogon service after Locating the Domain Controller Candidate; Windows clients follow the logic defined in 5.4.5.3 Ping the Candidate Domain Controllers for "Liveness" and Capability Verification Using LDAP Ping Mechanism.

LDAP ping is most commonly encountered on Microsoft Active Directory networks, where clients send it over LDAP or CLDAP to retrieve information about a Domain Controller before using it.

LDAP ping is perhaps more formally described as a RootDSE query for the Netlogon attribute.

Windows 2000 Server requires UDP (CLDAP) for the RootDSE Netlogon attribute query whereas either LDAP or CLDAP MAY be used with Windows 2003 Server.

A rootDSE Search Request Netlogon attribute query example:[3]

(&(DnsDomain=abcde.corp.microsoft.com)(Host=abcdefgh-dev)(User=abcdefgh-dev$)(AAC=\80\00\00\00)(DomainGuid=\3b\b0\21\ca\d3\6d\d1\11\8a\7d\b8\df\b1\56\87\1f)(NtVer=\06\00\00\00))

In practice, the Host and DomainGuid terms appear not to be required.

A rootDSE Search Request for the Netlogon attribute, with an LDAP Search Scope of baseObject and the filter:

(&(DnsDomain=EXAMPLE.COM)(NtVer=\06\00\00\02))

returns a value for the Netlogon attribute.

We have observed that Wireshark may not display this filter correctly as the BER encoding does not reflect the nested & conditions displayed. However, the response appears to be proper.

The DomainGuid is supplied in the Windows binary GUID layout (the first three fields Little-Endian), even though the BER encoding is otherwise Big-Endian.

The low four bits of the first byte of the NtVer value (the least significant byte of the Little-Endian 32-bit word) select one of four different replies (\01\00\00\00, \02\00\00\00, \04\00\00\00, \08\00\00\00), but the author of this paragraph has only ever observed a value of \06\00\00\20. The mechanics behind these bits are not known, but the structures seem to correspond to Netlogon mailslot operations.[2]

Even though MS uses BER 1+4 byte length fields for non-primitive types, DER encoding works fine with both Windows 2000 Server and Windows 2003 Server.

Specifications#

Microsoft has specifications available in the MS-ADTS document.[3]

Microsoft Active Directory encodes the results of an LDAP search performed over UDP in the same manner as it does a search performed over TCP.
More specifically, as one or more SearchResultEntry messages followed by a SearchResultDone message, as described in RFC 2251.

This means that the search response is not encoded as described in RFC 1798.
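Decoding a reply, as an added example (not code from this page's author or from Microsoft): it walks the SearchResultEntry/SearchResultDone framing described above, exactly as it would for a TCP search, and then decodes the NETLOGON_SAM_LOGON_RESPONSE_EX structure a DC returns for NtVer values with the 5EX bit set (the \06... values shown earlier on this page). The datagram it decodes is constructed inline, not a capture; the structure layout, opcode and DS_* flag names follow MS-ADTS, the names use the same label compression as DNS, and the dc1.example.com identifiers are made up for the sample.

```python
"""Decode a CLDAP "LDAP ping" reply: the LDAP framing (SearchResultEntry, then
SearchResultDone, exactly as over TCP) and the NETLOGON_SAM_LOGON_RESPONSE_EX blob in
the Netlogon attribute. Added example for this page, not code from its author or from
Microsoft; the sample reply below is constructed, not captured. Field layout and DS_*
flag names follow MS-ADTS; names use RFC 1035-style label compression."""
import struct
import uuid
from typing import Dict, List, Tuple

LOGON_SAM_LOGON_RESPONSE_EX = 0x17
NT_VERSION_5EX_WITH_IP, NT_VERSION_WITH_CLOSEST_SITE = 0x08, 0x10  # request flags adding reply fields
DS_FLAGS = {0x1: "PDC", 0x4: "GC", 0x8: "LDAP", 0x10: "DS", 0x20: "KDC", 0x40: "TIMESERV",
            0x80: "CLOSEST", 0x100: "WRITABLE", 0x200: "GOOD_TIMESERV", 0x400: "NDNC"}
SAMPLE_GUID = "ca21b03b-6dd3-11d1-8a7d-b8dfb156871f"  # the GUID in the page's example filter

def ber_read(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """(tag, contents, position after the TLV); handles short and long-form lengths."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def read_name(blob: bytes, pos: int) -> Tuple[str, int]:
    """Length-prefixed labels; 0xC0xx points to an earlier offset in the blob. Returns
    (name, position after the field). Bounded so a hostile blob cannot loop us."""
    labels: List[str] = []
    end = None
    for _ in range(64):
        n = blob[pos]
        if n & 0xC0 == 0xC0:
            target = ((n & 0x3F) << 8) | blob[pos + 1]
            if target >= pos:
                raise ValueError("forward compression pointer")
            end, pos = (pos + 2 if end is None else end), target
            continue
        pos += 1
        if n == 0:
            return ".".join(labels), (pos if end is None else end)
        labels.append(blob[pos:pos + n].decode("utf-8"))
        pos += n
    raise ValueError("name too long or pointer loop")

def parse_sam_logon_response_ex(blob: bytes, requested_ntver: int = 0) -> Dict[str, object]:
    """Optional fields exist only if the request's NtVer asked for them; the blob does not
    announce them, so the caller passes the flags it sent."""
    opcode, _sbz, flags = struct.unpack_from("<HHI", blob, 0)
    if opcode != LOGON_SAM_LOGON_RESPONSE_EX:
        raise ValueError("unexpected Netlogon opcode 0x%02x" % opcode)
    info: Dict[str, object] = {"Flags": [nm for bit, nm in DS_FLAGS.items() if flags & bit],
                               "DomainGuid": str(uuid.UUID(bytes_le=blob[8:24]))}  # LE GUID layout
    pos = 24
    for field in ("DnsForestName", "DnsDomainName", "DnsHostName", "NetbiosDomainName",
                  "NetbiosComputerName", "UserName", "DcSiteName", "ClientSiteName"):
        info[field], pos = read_name(blob, pos)
    if requested_ntver & NT_VERSION_5EX_WITH_IP:          # DcSockAddrSize, then a sockaddr_in
        info["DcSockAddr"] = blob[pos + 1:pos + 1 + blob[pos]].hex()
        pos += 1 + blob[pos]
    if requested_ntver & NT_VERSION_WITH_CLOSEST_SITE:
        info["NextClosestSiteName"], pos = read_name(blob, pos)
    info["NtVersion"], info["LmNtToken"], info["Lm20Token"] = struct.unpack_from("<IHH", blob, pos)
    return info

def decode_ldap_ping_reply(datagram: bytes, requested_ntver: int = 0) -> Dict[str, object]:
    """Walk the LDAPMessages in one datagram: Netlogon value from the entry, resultCode from done."""
    blob, result_code, pos = None, None, 0
    while pos < len(datagram):
        _, msg, pos = ber_read(datagram, pos)             # LDAPMessage SEQUENCE
        _, _msgid, p = ber_read(msg, 0)
        optag, op, _ = ber_read(msg, p)
        if optag == 0x64:                                 # SearchResultEntry [APPLICATION 4]
            _, _dn, p = ber_read(op, 0)
            attrs, q = ber_read(op, p)[1], 0
            while q < len(attrs):                         # PartialAttribute { type, SET OF value }
                _, attr, q = ber_read(attrs, q)
                _, atype, r = ber_read(attr, 0)
                if atype.lower() == b"netlogon":
                    blob = ber_read(ber_read(attr, r)[1], 0)[1]
        elif optag == 0x65:                               # SearchResultDone [APPLICATION 5]
            result_code = int.from_bytes(ber_read(op, 0)[1], "big")
    if blob is None:
        raise ValueError("no Netlogon attribute in reply")
    info = parse_sam_logon_response_ex(blob, requested_ntver)
    info["resultCode"] = result_code
    return info

# Constructed sample (not a capture): DC "dc1" in domain/forest example.com, all services live.
def _tlv(tag: int, v: bytes) -> bytes:
    return bytes([tag]) + (bytes([len(v)]) if len(v) < 0x80 else bytes([0x82, len(v) >> 8, len(v) & 0xFF])) + v
def _labels(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_sample_reply() -> bytes:
    blob = struct.pack("<HHI", LOGON_SAM_LOGON_RESPONSE_EX, 0, 0x3FD) + uuid.UUID(SAMPLE_GUID).bytes_le
    forest = len(blob)
    blob += _labels("example.com")                           # DnsForestName
    blob += struct.pack(">H", 0xC000 | forest)               # DnsDomainName: pointer to forest name
    blob += b"\x03dc1" + struct.pack(">H", 0xC000 | forest)  # DnsHostName: "dc1" + pointer
    blob += _labels("EXAMPLE") + _labels("DC1") + b"\x00"    # NetBIOS domain, NetBIOS host, empty UserName
    site = len(blob)
    blob += _labels("Default-First-Site-Name")               # DcSiteName
    blob += struct.pack(">H", 0xC000 | site)                 # ClientSiteName: same site
    blob += struct.pack("<IHH", 0x5, 0xFFFF, 0xFFFF)         # NtVersion, LmNtToken, Lm20Token
    entry = _tlv(0x04, b"") + _tlv(0x30, _tlv(0x30, _tlv(0x04, b"Netlogon") + _tlv(0x31, _tlv(0x04, blob))))
    done = _tlv(0x0A, b"\x00") + _tlv(0x04, b"") + _tlv(0x04, b"")
    return _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x64, entry)) + _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x65, done))
```

Two caveats a practitioner should keep in mind: the optional DcSockAddr and NextClosestSiteName fields are only present when the request set the corresponding NtVer bits, and nothing in the reply says so, so the decoder has to be told what was sent; and a DC answering an NtVer without the 5EX bit returns a different (non-EX, UTF-16) structure with another opcode, which this decoder rejects rather than misparses.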

« This page (revision-9) was last changed on 20-Sep-2016 12:54 by jim