Overview#

LDAP ping is a Microsoft Active Directory-specific Lightweight Directory Access Protocol (LDAP) or Connection-less Lightweight Directory Access Protocol (CLDAP) search that returns information about whether services are live on a Domain Controller (DC).

As far as we know, this LDAP ping is only used for the "Liveness" and Capability Verification of a specific Domain Controller, as described under the Netlogon attribute.

This is typically performed by the local Netlogon service after Locating the Domain Controller Candidate; Microsoft Windows clients use the logic defined in section 5.4.5.3, Ping the Candidate Domain Controllers for "Liveness" and Capability Verification Using LDAP Ping Mechanism.

LDAP ping is most commonly encountered on Microsoft Active Directory networks where clients use LDAP or CLDAP for LDAP ping to retrieve server information.

LDAP ping is perhaps more formally described as a RootDSE query for the Netlogon attribute.

Windows Server 2000 requires UDP (CLDAP) for the RootDSE Netlogon attribute query, whereas either LDAP or CLDAP MAY be used with Windows Server 2003.

An example RootDSE Search Request querying the Netlogon attribute:[3]

(&(DnsDomain=abcde.corp.microsoft.com)(Host=abcdefgh-dev)(User=abcdefgh-dev$)(AAC=\80\00\00\00)(DomainGuid=\3b\b0\21\ca\d3\6d\d1\11\8a\7d\b8\df\b1\56\87\1f)(NtVer=\06\00\00\00))
It appears, however, that Host and DomainGuid are not required.

A RootDSE Search Request requesting the Netlogon attribute with an LDAP Search Scope of baseObject using the filter:

 (&(DnsDomain=EXAMPLE.COM)(NtVer=\06\00\00\02))
returns some value for the Netlogon attribute.

We have observed that Wireshark may not display this filter correctly, as the BER encoding does not reflect the nested & conditions displayed. However, the response appears to be proper.

The DomainGuid is supplied in Little-Endian binary despite the fact that the BER encoding is otherwise Big-Endian.

The first 4 bits of the first byte of the NtVer value generate four different replies (\01\00\00\00, \02\00\00\00, \04\00\00\00, \08\00\00\00), but the author of this paragraph has only ever observed a value of \06\00\00\20. The mechanics behind these bits are not known, but the structures seem to correspond to Netlogon mailslot operations.[2]

Even though MS uses BER 1+4 byte length fields for non-primitive types, DER encoding works fine with Windows Server 2000 and later.

Specifications#

Microsoft has specifications available in the MS-ADTS document.[3]

Microsoft Active Directory encodes the results of an LDAP SearchRequest performed over UDP in the same manner as it does a search performed over TCP.
More specifically, as one or more SearchResultEntry messages followed by a SearchResultDone message, as described in RFC 2251.

This means that the Search Responses are not encoded as described in RFC 1798.
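As an added example, not taken from this page or from Microsoft's specifications, the Python below ties together the request side described under Overview and the response framing described in this section: it BER/DER-encodes the RootDSE baseObject search with the nested & filter and the Netlogon attribute, converts a textual GUID into the little-endian DomainGuid form the filter expects, and parses a SearchResultEntry followed by a SearchResultDone in the RFC 2251 framing. The reply it parses is constructed locally with a placeholder Netlogon value (not a real NETLOGON response blob), and nothing is sent on the network; the function and attribute names other than those in the filter above are the example's own.

```python
import uuid

# Minimal BER/DER helpers (definite-length form; DER is accepted by the DCs, as noted above).
def ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(v, tag=0x02):
    # Non-negative INTEGER/ENUMERATED; the extra byte keeps the sign bit clear when needed.
    return tlv(tag, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def ber_octets(b):
    return tlv(0x04, b)

def filter_value(s):
    """Turn an RFC 4515 assertion value such as \\06\\00\\00\\02 into raw bytes."""
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] == "\\":
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out += s[i].encode("utf-8")
            i += 1
    return bytes(out)

def domain_guid_bytes(guid_text):
    # DomainGuid goes into the filter in little-endian field order (bytes_le), not textual order.
    return uuid.UUID(guid_text).bytes_le

def domain_guid_text(raw16):
    return str(uuid.UUID(bytes_le=raw16))

def equality(attr, value):
    # equalityMatch [3] AttributeValueAssertion is IMPLICIT, so 0xA3 replaces the SEQUENCE tag.
    return tlv(0xA3, ber_octets(attr.encode()) + ber_octets(value))

def and_filter(*terms):
    return tlv(0xA0, b"".join(terms))  # and [0] SET OF Filter

def ldap_ping_request(dns_domain, nt_ver=b"\x06\x00\x00\x02", extra=(), message_id=1):
    """Build the LDAPMessage for a RootDSE search returning only Netlogon.
    `extra` adds optional (attr, value) terms, e.g. ("DomainGuid", domain_guid_bytes(...))."""
    terms = [equality("DnsDomain", dns_domain.encode())]
    terms += [equality(a, v) for a, v in extra]
    terms.append(equality("NtVer", nt_ver))
    search = (
        ber_octets(b"")                        # baseObject "" = RootDSE
        + ber_int(0, 0x0A)                     # scope: baseObject
        + ber_int(0, 0x0A)                     # derefAliases: neverDerefAliases
        + ber_int(0) + ber_int(0)              # sizeLimit, timeLimit
        + tlv(0x01, b"\x00")                   # typesOnly FALSE
        + and_filter(*terms)
        + tlv(0x30, ber_octets(b"Netlogon"))   # attributes: Netlogon only
    )
    return tlv(0x30, ber_int(message_id) + tlv(0x63, search))  # [APPLICATION 3] SearchRequest

def read_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def read_seq(payload):
    """Split a constructed payload into its child (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(payload):
        tag, val, pos = read_tlv(payload, pos)
        out.append((tag, val))
    return out

def parse_ping_response(datagram):
    """Return (attributes, resultCode) from one or more LDAPMessages in a UDP reply:
    SearchResultEntry messages followed by SearchResultDone (RFC 2251 framing)."""
    attrs, result_code, pos = {}, None, 0
    while pos < len(datagram):
        _, msg, pos = read_tlv(datagram, pos)          # LDAPMessage SEQUENCE
        (_, _msgid), (op_tag, op) = read_seq(msg)[:2]
        if op_tag == 0x64:                             # [APPLICATION 4] SearchResultEntry
            _dn, attr_list = read_seq(op)
            for _, pa in read_seq(attr_list[1]):       # each PartialAttribute SEQUENCE
                (_, name), (_, vals) = read_seq(pa)
                attrs[name.decode()] = [v for _, v in read_seq(vals)]
        elif op_tag == 0x65:                           # [APPLICATION 5] SearchResultDone
            result_code = int.from_bytes(read_seq(op)[0][1], "big")
    return attrs, result_code

def sample_reply(netlogon_blob, message_id=1):
    """Constructed stand-in for a DC reply (not a capture), used to exercise the parser."""
    entry = ber_octets(b"") + tlv(0x30, tlv(0x30, ber_octets(b"Netlogon") + tlv(0x31, ber_octets(netlogon_blob))))
    done = ber_int(0, 0x0A) + ber_octets(b"") + ber_octets(b"")   # success, matchedDN, diagnosticMessage
    return (tlv(0x30, ber_int(message_id) + tlv(0x64, entry))
            + tlv(0x30, ber_int(message_id) + tlv(0x65, done)))

if __name__ == "__main__":
    req = ldap_ping_request("EXAMPLE.COM")
    print(req.hex())
    print(parse_ping_response(sample_reply(b"CONSTRUCTED-NETLOGON-BLOB")))
```

The bytes returned by `ldap_ping_request` are what a client would place in a single UDP datagram to the DC's CLDAP port; the encoder emits one `0xA3` element per term inside a single `0xA0`, which is the flat structure Wireshark may render differently from the nested textual filter. The parser loops over consecutive LDAPMessages in one datagram because, as this section states, the UDP reply is framed exactly like the TCP one.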

More Information#

There might be more information for this subject on one of the following:
  • [#1] - https://msdn.microsoft.com/en-us/library/cc717362.aspx - based on information obtained 2016-05-19
  • [#2] - MS-CLDAP - based on information obtained 2016-05-19
  • [#3] - MS-ADTS document - based on information obtained 2016-05-19