how do workstations ``find'' a server?
Buck Huppmann
buckh at pobox.com
Fri Jan 7 14:06:43 GMT 2005
hi. please feel free to stop reading and refer me to the relevant
prior thread on this topic or, by name, to the FM.
how does, say, a Windows XP box in an AD domain, say, ad.example.com,
``find'' a server when the user specifies the UNC \\label\share? i.e.,
the process seems to maybe involve, not first a DNS query for
label.first.entry.in.dns.search.order but maybe an initial peek at the
active directory. if so, what does it look for? and what does it do
with the information it gets in terms of then making a DNS query to
resolve the dnsDomainName and acquiring tickets for which SPN? for
extra credit: how much of this is guaranteed client behavior and
how much of it is likely subject to whimsical changes in the next
Windows flavor? (i would try sniffing things out for myself, but for
having no idea about the latter question and thinking maybe an
authoritative answer from one of you all might be of use to others besides
me. moreover, discussions of the schemes for impedance-matching names
to Kerberos principals are always fun to try to wrap your head around,
although Microsoft may have taken a lot of that fun away with its
referral mechanism and turning the ADC into a ticket-dispensing black
box)
and, just for the sake of completeness, how about if there's an account
for cn=other$, samAccountName=other$,
dnsDomainName=label.first.entry.in.dns.search.order? or if there's
cn=other$, samAccountName=other$, dnsDomainName=label.ad.example.com?
i would elucidate by detailing exactly what we're trying to pull off
by misuse of this knowledge, but it'd probably make some of you
question why you give us dangerous toys like samba to play with
thanks