2.2.4.3 SPN for a Target DC in AD LDS

When a client wants to connect to an AD LDS DC for a DRS operation, it uses either of the following SPN forms:

  • ldap/<DNS hostname>:<LDAP port>

  • ldap/<NetBIOS hostname>:<LDAP port>

In the preceding SPN descriptions:

  • "ldap" is the literal string representing the service class.

  • The forward slash ('/') is the literal separator between parts of the SPN.

  • <DNS hostname> is the full DNS host name of the target DC.

  • <NetBIOS hostname> is the NetBIOS host name of the target DC.

  • The colon (':') is the literal separator between the host name and port number.

  • <LDAP port> is the LDAP port on which the target DC listens.

If an AD LDS DC runs on a computer joined to an external Active Directory domain, and NTDSDSA_OPT_DISABLE_SPN_REGISTRATION is not present in the options attribute of its nTDSDSA object in AD LDS (see [MS-ADTS] section 6.1.1.2.2.1.2.1.1), then the AD LDS DC MUST store these two forms of SPN as values of the servicePrincipalName attribute of the object (in the external AD DS domain) that corresponds to the security principal that the AD LDS service is running as. This action allows mutual authentication to occur in "client-to-AD LDS DC" protocol operations. When the requirements of this section are added to the requirements of section 2.2.3.3, an AD LDS DC that stores SPNs stores four servicePrincipalName values in all.
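As an added illustration (not code from the specification), the following Python builds the two SPN forms described above for a given AD LDS DC and checks a list of servicePrincipalName values against them, which is the check an administrator runs when mutual authentication for the "client-to-AD LDS DC" connection fails. The host names, port and sample servicePrincipalName list are constructed for the example; the case-insensitive comparison is an assumption, not something this section states; and the two further values required by section 2.2.3.3 are not on this page and are not modelled.

```python
"""Build and check the two AD LDS DC SPN forms ldap/<DNS hostname>:<LDAP port>
and ldap/<NetBIOS hostname>:<LDAP port> (MS-DRSR section 2.2.4.3).

Added example, not code from the specification. Assumption: SPN values are
compared case-insensitively, as servicePrincipalName values are in AD DS.
"""
import re
from typing import List, NamedTuple, Optional


class Spn(NamedTuple):
    service_class: str
    host: str
    port: Optional[int]


# Generic "<service class>/<host>[:<port>]" shape; the two forms in this
# section always carry the port part.
_SPN_RE = re.compile(r"^(?P<cls>[^/:]+)/(?P<host>[^/:]+)(?::(?P<port>\d{1,5}))?$")


def parse_spn(spn: str) -> Spn:
    """Split an SPN into service class, host and optional port.

    Raises ValueError for shapes this section does not describe
    (missing service class, extra separators, non-numeric or out-of-range port).
    """
    m = _SPN_RE.match(spn)
    if not m:
        raise ValueError(f"malformed SPN: {spn!r}")
    port = int(m.group("port")) if m.group("port") is not None else None
    if port is not None and not 1 <= port <= 65535:
        raise ValueError(f"port out of range in SPN: {spn!r}")
    return Spn(m.group("cls"), m.group("host"), port)


def expected_adlds_spns(dns_hostname: str, netbios_hostname: str, ldap_port: int) -> List[str]:
    """The two values an AD LDS DC stores: one with the full DNS host name,
    one with the NetBIOS host name, both suffixed with the LDAP port."""
    if not 1 <= ldap_port <= 65535:
        raise ValueError("LDAP port must be in 1..65535")
    return [
        f"ldap/{dns_hostname}:{ldap_port}",
        f"ldap/{netbios_hostname}:{ldap_port}",
    ]


def _key(spn: Spn):
    # Assumption: case-insensitive match on service class and host; exact port.
    return (spn.service_class.lower(), spn.host.lower(), spn.port)


def missing_adlds_spns(registered: List[str], dns_hostname: str,
                       netbios_hostname: str, ldap_port: int) -> List[str]:
    """Return the required SPN forms that are absent from the registered
    servicePrincipalName values. Values in other shapes are ignored rather
    than treated as errors, since the attribute may hold unrelated SPNs."""
    have = set()
    for value in registered:
        try:
            have.add(_key(parse_spn(value)))
        except ValueError:
            continue
    required = expected_adlds_spns(dns_hostname, netbios_hostname, ldap_port)
    return [spn for spn in required if _key(parse_spn(spn)) not in have]


# Constructed sample: what the servicePrincipalName attribute of the AD LDS
# service account might hold in the external AD DS domain.
SAMPLE_SERVICE_ACCOUNT_SPNS = [
    "ldap/adlds01.corp.example.com:50000",
    "ldap/ADLDS01:50000",
]

if __name__ == "__main__":
    gaps = missing_adlds_spns(SAMPLE_SERVICE_ACCOUNT_SPNS,
                              "adlds01.corp.example.com", "ADLDS01", 50000)
    print("missing SPNs:", gaps or "none")
```

A value without the port part (for example `ldap/adlds01.corp.example.com`) parses but does not satisfy either form, so it is reported as missing; that is the usual cause when only the port-less SPN was registered by hand.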