7 Communication Details for Active Directory Connections
The protocols used by Active Directory connections can operate on more than one transport. However, not all transports are considered equivalent. In these cases, the client is either encouraged or required to choose a specific transport when performing an operation using the protocol. This section documents these constraints. For information on the transports used by Active Directory connections, see section 7.8.
Windows uses LDAP as defined in [RFC1777] for LDAP version 2, and [RFC3377] and [RFC2251] for LDAP version 3. Clients authenticated to an Active Directory server using the GSS-SPNEGO SASL authentication mechanism (section 5.1.1.1.2, SASL Authentication) observe LDAP version 3 compliant semantics, with the extensions and deviations documented in section 3.1.1.3.1, LDAP Conformance. Unauthenticated clients and clients authenticated under a different authentication mechanism observe LDAP behavior compliant with the requested LDAP version. Windows clients authenticate to the Active Directory server using the GSS-SPNEGO SASL authentication mechanism.
While the Active Directory system supports both TCP and UDP transports for LDAP versions 2 and 3, TCP is the preferred transport. LDAP over the UDP transport does not have a mechanism by which clients can authenticate to the directory service and so clients can only perform two specific anonymous operations. These anonymous operations are rootDSE search and LDAP abandon. The UDP transport is primarily intended for use by LDAP ping requests used for the AD DS domain controller location mechanism described in section 6.3, Publishing and Locating a Domain Controller. LDAP over TCP is described in sections 7.1 through 7.6, while LDAP over UDP is described in section 7.7.