[REG: 114100211861646] serviceprincipalname RPC/<NTDSGUID>._msdcs.<domain>.<tld>

Edgar Olougouna edgaro at microsoft.com
Thu Oct 16 15:23:38 MDT 2014


Matthieu,
The following is the provisional change in the publishing pipeline (see FYI note on Errata at the end of this email).
A new paragraph is being added to:
MS-DRSR
2.2.2   Service Principal Names for Domain Controllers
. . . 
In either DC-to-DC or client-to-DC operations, to allow use of the DRS Remote Protocol when the RPC endpoint mapper has been configured to disallow anonymous clients (see [MS-RPCE] section 3.1.1.1.3), the DC stores an SPN with the following format <WBN>:
•	 "RPC/<DSA GUID>.msdcs.<DNS forest name>"
In the preceding SPN description, <DSA GUID> is the DSA GUID of the DC and <DNS forest name> is the FQDN of the forest of the DC.

<WBN> Section 2.2.2: Windows 2000 Server, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2 AD DS DCs do not store the “RPC” SPN.

(FYI on a separate note, not directly related to this case, we have an Errata publishing page now available for Protocols documentation updates.
Open Specifications > Protocols > Errata
http://msdn.microsoft.com/en-us/library/dn781092.aspx
Windows Protocols Errata
http://msdn.microsoft.com/en-us/library/dn781093.aspx
Individual document fixes will not appear immediately in the Errata page, but should be published at a relatively fast pace, i.e. much faster cadence than whole document releases.
)

Thanks,
Edgar

-----Original Message-----
From: Matthieu Patou [mailto:mat at samba.org] 
Sent: Sunday, October 12, 2014 10:58 PM
To: Edgar Olougouna
Cc: MSSolve Case Email; samba-technical
Subject: Re: [REG: 114100211861646] serviceprincipalname RPC/<NTDSGUID>._msdcs.<domain>.<tld>


Ok Great.

I think I have no more questions on this case.

Thanks.

Matthieu.
On 10/10/2014 12:23 PM, Edgar Olougouna wrote:
> Hi Matthieu,
> That's right. I logged a bug against the document to get it updated about this special SPN in Windows implementation.
>
> Thanks for reporting this,
> Edgar
>
> -----Original Message-----
> From: Matthieu Patou [mailto:mat at samba.org]
> Sent: Friday, October 10, 2014 1:16 AM
> To: Edgar Olougouna
> Cc: MSSolve Case Email; samba-technical
> Subject: Re: [REG: 114100211861646] serviceprincipalname 
> RPC/<NTDSGUID>._msdcs.<domain>.<tld>
>
> Hi Edgar,
>
> It makes sense. Thanks for the explanation.
>
> Did I get it right that there will be a Windows behavior note, indicating that versions earlier than Windows 2012 don't register this SPN?
>
> Matthieu.
>
> On 10/09/2014 02:07 PM, Edgar Olougouna wrote:
>> Matthieu,
>> The servicePrincipalName "RPC/<DSA GUID based DNS hostname>" gets used in the case where an administrator has locked down RPC endpoint resolution such that the default AD RPC binding attempts fail (see More details). This was fixed during the development of Windows Server 2012.
>> To get AD to work in that configuration, a Windows Server 2012-based DC registers the RPC SPN. Incidentally, the binding code was modified to retry the endpoint resolution as authenticated, if anonymous resolution failed. That was the intent of this SPN.
>> After conferring with the product group, a document bug was opened and our plan is to add this requirement to MS-DRSR Section 2.2.3.2 SPN for a Target DC in AD DS, with a reference to MS-RPCE Section 3.1.1.1.3 Authorization Policy, to further motivate the requirement.
>> <DSA GUID based DNS hostname> is the DNS host name of the target DC, constructed in the form "<DSA GUID>._msdcs.<DNS forest name>".
>> An example of the abovementioned SPN with “RPC” service class is RPC/c3c27d50-486d-4fdd-8e28-e6033e9b9a38._msdcs.contoso.com.
>> More details:
>> It has to do with the configuration on the DC where the administrator locks down things and configures restrictions, i.e. configuring RPC security group policies on DCs:
>> Computer Configuration \ <policies> \ Administrative Templates \ System \ Remote Procedure Call
>>   Restrictions for unauthenticated RPC clients = Enabled, Authenticated without Exceptions
>>   RPC endpoint mapper client authentication = Enabled
>> ...which translate to the following registry keys (referenced in MS-RPCE 3.1.1.1.3 Authorization Policy):
>> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc
>>   EnableAuthEpResolution = 1
>>   RestrictRemoteClients = 2
>> Per the bug report (without the change made in 2012), with such configuration, AD Replication would have failed with "access is denied" when RPC security group policy is enabled.
>>
>> Thanks,
>> Edgar
>>
>> -----Original Message-----
>> From: Edgar Olougouna
>> Sent: Thursday, October 2, 2014 8:34 PM
>> To: mat at samba.org
>> Cc: MSSolve Case Email
>> Subject: RE: [REG: 114100211861646] serviceprincipalname 
>> RPC/<NTDSGUID>._msdcs.<domain>.<tld>
>>
>> Matthieu,
>> I am looking into this and will follow-up.
>>
>> Thanks,
>> Edgar
>>
>> -----Original Message-----
>> From: Matt Weber
>> Sent: Thursday, October 2, 2014 8:48 AM
>> To: mat at samba.org
>> Cc: MSSolve Case Email
>> Subject: [REG: 114100211861646] serviceprincipalname 
>> RPC/<NTDSGUID>._msdcs.<domain>.<tld>
>>
>> [Case number in subject]
>> [Casemail to cc]
>> [Dochelp to bcc]
>>
>> Hello Matthieu,
>>
>> Thank you for your request. The case number 114100211861646 has been created for this inquiry. One of our team members will follow-up with you soon.
>>
>> Best regards,
>> Matt Weber | Microsoft Open Specifications Team
>>
>> -----Original Message-----
>> From: Matthieu Patou [mailto:mat at samba.org]
>> Sent: Thursday, October 2, 2014 3:16 AM
>> To: Interoperability Documentation Help
>> Subject: serviceprincipalname RPC/<NTDSGUID>._msdcs.<domain>.<tld>
>>
>> Hello Dochelp,
>>
>> I'm not able to find the document that explains when a server should have this serviceprincipalname registered and when it is used by clients (and how).
>>
>> Can you point me to the correct document ?
>>
>> Thanks.
>>
>> Matthieu.
>>
>> --
>> Matthieu Patou
>> Samba Team
>> http://samba.org
>>
>>
>
> --
> Matthieu Patou
> Samba Team
> http://samba.org
>


--
Matthieu Patou
Samba Team
http://samba.org
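
An added example, not part of the original thread and not Samba or Microsoft code: a small audit that builds the SPN in the form given above ("RPC/<DSA GUID>._msdcs.<DNS forest name>") and flags DCs that lack it, rating the gap higher when the RPC policy values quoted in the thread are set. The function names, record layout and sample DCs are assumptions constructed for illustration; only the first GUID and contoso.com come from the thread.

```python
import uuid

def expected_rpc_spn(dsa_guid: str, forest_dns_name: str) -> str:
    """Build RPC/<DSA GUID>._msdcs.<DNS forest name> in canonical form."""
    guid = str(uuid.UUID(dsa_guid))  # normalizes case/braces, rejects malformed GUIDs
    forest = forest_dns_name.strip().rstrip(".").lower()
    if not forest:
        raise ValueError("empty forest DNS name")
    return f"RPC/{guid}._msdcs.{forest}"

def has_rpc_spn(spns, dsa_guid, forest_dns_name) -> bool:
    """SPN matching is case-insensitive, so compare lowercased values."""
    want = expected_rpc_spn(dsa_guid, forest_dns_name).lower()
    return any(s.strip().rstrip(".").lower() == want for s in spns)

def ep_mapper_locked_down(policy: dict) -> bool:
    """True when both registry values quoted in the thread are set."""
    return (policy.get("RestrictRemoteClients") == 2
            and policy.get("EnableAuthEpResolution") == 1)

def audit(dcs):
    """Return (name, severity, missing SPN) for each DC without the RPC SPN."""
    findings = []
    for dc in dcs:
        if has_rpc_spn(dc["spns"], dc["dsa_guid"], dc["forest"]):
            continue
        severity = "replication-risk" if ep_mapper_locked_down(dc["policy"]) else "info"
        findings.append((dc["name"], severity,
                         expected_rpc_spn(dc["dsa_guid"], dc["forest"])))
    return findings

# Constructed sample records (as if read from each DC's servicePrincipalName
# attribute and its Rpc policy key); not real data.
LOCKED = {"RestrictRemoteClients": 2, "EnableAuthEpResolution": 1}
SAMPLE_DCS = [
    {"name": "DC1", "forest": "contoso.com", "policy": LOCKED,
     "dsa_guid": "c3c27d50-486d-4fdd-8e28-e6033e9b9a38",
     "spns": ["ldap/dc1.contoso.com",
              "RPC/C3C27D50-486D-4FDD-8E28-E6033E9B9A38._msdcs.CONTOSO.COM"]},
    {"name": "DC2", "forest": "contoso.com", "policy": LOCKED,
     "dsa_guid": "11111111-2222-3333-4444-555555555555",
     "spns": ["ldap/dc2.contoso.com", "GC/dc2.contoso.com/contoso.com"]},
    {"name": "DC3", "forest": "contoso.com", "policy": {},
     "dsa_guid": "66666666-7777-8888-9999-aaaaaaaaaaaa",
     "spns": ["ldap/dc3.contoso.com"]},
]

if __name__ == "__main__":
    for name, severity, spn in audit(SAMPLE_DCS):
        print(f"{name}: {severity}: missing {spn}")
```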


