!!! Overview
[{$pagename}] is a [Microsoft Active Directory] specific [Lightweight Directory Access Protocol] ([LDAP]) or [Connection-less Lightweight Directory Access Protocol] ([CLDAP]) search that returns information about whether services are live on a [Domain Controller] (DC).

As far as we know, [{$pagename}] is only used for the "Liveness" and Capability Verification of a specific [Domain Controller], as described within the [Netlogon attribute].

This is typically performed by the local [Netlogon service] after [Locating the Domain Controller Candidate|How Domain Controllers Are Located in Windows], and [Microsoft Windows] [Clients] use the logic defined in [5.4.5.3 Ping the Candidate Domain Controllers for "Liveness" and Capability Verification Using LDAP Ping Mechanism|https://msdn.microsoft.com/en-us/library/ff718294.aspx|target='_blank'].

[{$pagename}] is most commonly encountered on [Microsoft Active Directory] networks where clients use [LDAP] or [CLDAP] for [LDAP ping] to retrieve server information.

[{$pagename}] is perhaps more formally described as a [RootDSE] query for the [Netlogon attribute].

[Windows Server 2000] __requires__ [UDP] ([CLDAP]) for the [RootDSE] [Netlogon attribute] query, whereas either [LDAP] or [CLDAP] __MAY__ be used with [Windows Server 2003].

A [rootDSE] [Search Request] [Netlogon attribute] query [Example]:[3]
{{{
(&(DnsDomain=abcde.corp.microsoft.com)(Host=abcdefgh-dev)(User=abcdefgh-dev$)(AAC=\80\00\00\00)(DomainGuid=\3b\b0\21\ca\d3\6d\d1\11\8a\7d\b8\df\b1\56\87\1f)(NtVer=\06\00\00\00))
}}}
but it appears the Host and DomainGuid are not required.

A [rootDSE] [Search Request] requesting the [Netlogon attribute] with a [LDAP Search Scope] of [baseObject] using the filter:
{{{
(&(DnsDomain=EXAMPLE.COM)(NtVer=\06\00\00\02))
}}}
returns some value for the [Netlogon attribute].

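
The byte layout of the filters above, as an added example that is not part of the original page or of Microsoft's documentation: this Python sketch builds and decodes LDAP ping filter strings so a captured filter can be read without relying on a dissector. It assumes NtVer and AAC are 32-bit little-endian integers (consistent with the escaped bytes shown) and that DomainGuid uses the little-endian GUID layout; the function names are hypothetical.

```python
import re
import struct
import uuid

# Filter string copied from the page's first example.
PAGE_FILTER = (r"(&(DnsDomain=abcde.corp.microsoft.com)(Host=abcdefgh-dev)"
               r"(User=abcdefgh-dev$)(AAC=\80\00\00\00)"
               r"(DomainGuid=\3b\b0\21\ca\d3\6d\d1\11\8a\7d\b8\df\b1\56\87\1f)"
               r"(NtVer=\06\00\00\00))")

INT_FIELDS = ("NtVer", "AAC")  # assumption: 32-bit little-endian integers


def _esc(raw: bytes) -> str:
    """Escape every byte as \\xx, the form used in the page's filters."""
    return "".join(f"\\{b:02x}" for b in raw)


def _unesc(value: str) -> bytes:
    """Turn a filter value containing \\xx escapes back into raw bytes."""
    return re.sub(rb"\\([0-9a-fA-F]{2})",
                  lambda m: bytes([int(m.group(1), 16)]),
                  value.encode("latin-1"))


def build_ping_filter(dns_domain, ntver, domain_guid=None):
    """Build the AND filter; DomainGuid is optional, as the page notes."""
    parts = [f"(DnsDomain={dns_domain})"]
    if domain_guid is not None:
        # bytes_le swaps the first three GUID fields to little-endian order.
        parts.append(f"(DomainGuid={_esc(uuid.UUID(domain_guid).bytes_le)})")
    parts.append(f"(NtVer={_esc(struct.pack('<I', ntver))})")
    return "(&" + "".join(parts) + ")"


def parse_ping_filter(flt):
    """Decode each (name=value) term of a ping filter into a readable dict."""
    out = {}
    for name, value in re.findall(r"\((\w+)=([^()]*)\)", flt):
        raw = _unesc(value)
        if name in INT_FIELDS:
            if len(raw) != 4:
                raise ValueError(f"{name} must be 4 bytes, got {len(raw)}")
            out[name] = struct.unpack("<I", raw)[0]
        elif name == "DomainGuid":
            out[name] = str(uuid.UUID(bytes_le=raw))  # needs exactly 16 bytes
        else:
            out[name] = raw.decode("utf-8")
    return out


if __name__ == "__main__":
    print(parse_ping_filter(PAGE_FILTER))
    print(build_ping_filter("EXAMPLE.COM", 0x02000006))
```
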
We have observed that [Wireshark] may __not__ display this filter correctly, as the [BER] encoding does not reflect the nested & conditions displayed. However, the response appears to be proper.

The [DomainGuid] is supplied in [Little-Endian] binary despite the fact that the [BER] encoding is otherwise [Big-Endian].

The first 4 bits of the first byte of the NtVer value generate four different replies (\01\00\00\00, \02\00\00\00, \04\00\00\00, \08\00\00\00), but the author of this paragraph has only ever observed a value of \06\00\00\20. The mechanics behind these bits are not known, but the structures seem to correspond to Netlogon mailslot operations.[2]

Even though MS uses [BER] 1+4 byte length fields for non-primitive types, [DER] encoding works fine with both [Windows Server 2000] and later.

!! Specifications
[Microsoft] has specifications available in the MS-ADTS document.[3]

[Microsoft Active Directory] encodes the results of an [LDAP] [SearchRequest] performed over [UDP] in the same manner as it does a search performed over [TCP].
\\More specifically, as one or more [SearchResultEntry] messages followed by a [SearchResultDone] message, as described in [RFC 2251]. This means that the [Search Responses] are not encoded as described in [RFC 1798].

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [https://msdn.microsoft.com/en-us/library/cc717362.aspx|https://msdn.microsoft.com/en-us/library/cc717362.aspx/|target='_blank'] - based on information obtained 2016-05-19
* [#2] - [MS-CLDAP|https://wiki.wireshark.org/MS-CLDAP|target='_blank'] - based on information obtained 2016-05-19
* [#3] - [MS-ADTS document|http://msdn.microsoft.com/en-us/library/cc223122%28PROT.10%29.aspx|target='_blank'] - based on information obtained 2016-05-19