/// <summary>
/// 删除站点主机头(根据站点号,也就是站点标识)
/// </summary>
/// <param name="SiteNum"></param>
/// <param name="IPAddress"></param>
/// <param name="Port"></param>
/// <param name="Url"></param>
public void DeleteHostHeader(long SiteNum, string IPAddress, string Port, string Url)
{
if (SiteNum < 0)
{
throw new Exception("IIS 站点号“" + SiteNum.ToString() + "”打开失败。");
}
string entry = String.Format("IIS://{0}/w3svc/{1}", HostName, SiteNum);
DirectoryEntry site = GetDirectoryEntry(entry);
if (site == null)
{
throw new Exception("IIS 站点号“" + SiteNum.ToString() + "”打开失败。");
}
PropertyValueCollection serverBindings = site.Properties["ServerBindings"];
string headerStr = string.Format("{0}:{1}:{2}", IPAddress, Port, Url);
if (serverBindings.Contains(headerStr))
{
serverBindings.Remove(headerStr);
site.CommitChanges();
}
}
/// <summary>
/// VerifyMsdsIsGC method is used to verify the value of options of given directory entry is even or odd.
/// </summary>
/// <param name="reqEntry">DirectoryEntry</param>
/// <returns>Returns true if the options field contains odd value.</returns>
public bool VerifyMsdsIsGC(DirectoryEntry reqEntry)
{
PropertyValueCollection objectClassValue = reqEntry.Properties["objectclass"];
if (objectClassValue.Contains("nTDSDSA"))
{
int optionValue = (int)reqEntry.Properties["options"].Value;
optionValue = optionValue & 1;
if (optionValue == 1)
{
return(true);
}
}
if (objectClassValue.Contains("server"))
{
string childDN = String.Empty;
DirectoryEntry TN = reqEntry.Children.Find("CN=NTDS Settings");
childDN = TN.Properties["distinguishedname"].Value.ToString();
if (childDN.Equals("CN=NTDS Settings," + reqEntry.Properties[StandardNames.distinguishedName].Value.ToString()))
{
return(VerifyMsdsIsGC(TN));
}
}
if (objectClassValue.Contains("computer"))
{
//Get server object with its serverReferenceBL attribute.
DirectoryEntry TS = null;
if (!adAdapter.GetObjectByDN(reqEntry.Properties["serverReferenceBL"].Value.ToString(), out TS))
{
DataSchemaSite.Assume.IsTrue(
false,
reqEntry.Properties["serverReferenceBL"].Value.ToString()
+ " Object is not found in server");
}
if (TS != null)
{
return(VerifyMsdsIsGC(TS));
}
}
return(false);
}
//
// PAPI --> S.DS (LDAP or WinNT) conversion routines
//
static internal void MultiStringToDirectoryEntryConverter(Principal p, string propertyName, DirectoryEntry de, string suggestedProperty)
{
PrincipalValueCollection <string> trackingList = (PrincipalValueCollection <string>)p.GetValueForProperty(propertyName);
if (p.unpersisted && trackingList == null)
{
return;
}
List <string> insertedValues = trackingList.Inserted;
List <string> removedValues = trackingList.Removed;
List <Pair <string, string> > changedValues = trackingList.ChangedValues;
PropertyValueCollection properties = de.Properties[suggestedProperty];
// We test to make sure the change hasn't already been applied to the PropertyValueCollection,
// because PushChangesToNative can be called multiple times prior to committing the changes and
// we want to maintain idempotency
foreach (string value in removedValues)
{
if (value != null && properties.Contains(value))
{
properties.Remove(value);
}
}
foreach (Pair <string, string> changedValue in changedValues)
{
// Remove the original value and add in the new value
Debug.Assert(changedValue.Left != null); // since it came from the system
properties.Remove(changedValue.Left);
if (changedValue.Right != null && !properties.Contains(changedValue.Right))
{
properties.Add(changedValue.Right);
}
}
foreach (string value in insertedValues)
{
if (value != null && !properties.Contains(value))
{
properties.Add(value);
}
}
}
private void ProcessCollection(DataTable dt, ActivityInfoCollection activities, int level)
{
level++;
foreach (Mediachase.Ibn.Assignments.ActivityInfo activityInfo in activities)
{
DataRow row = dt.NewRow();
if (activityInfo.Type == ActivityType.Block)
{
row["Subject"] = GetGlobalResourceObject("IbnFramework.BusinessProcess", "ParallelBlock").ToString();
}
else
{
row["Subject"] = (activityInfo.Subject != null) ? activityInfo.Subject : String.Empty;
}
if (activityInfo.UserId.HasValue)
{
row["User"] = CommonHelper.GetUserStatus(activityInfo.UserId.Value);
}
row["State"] = (int)activityInfo.State;
if (activityInfo.ExecutionResult.HasValue)
{
row["Result"] = activityInfo.ExecutionResult.Value;
}
if (activityInfo.ActualFinishDate.HasValue)
{
row["FinishDate"] = String.Concat(activityInfo.ActualFinishDate.Value.ToShortDateString(), " ", activityInfo.ActualFinishDate.Value.ToShortTimeString());
}
row["Comment"] = CHelper.ParseText(activityInfo.Comment, true, true, true);
row["Indent"] = (level - 1) * indentSize;
if (activityInfo.ClosedBy.HasValue)
{
row["ClosedBy"] = CommonHelper.GetUserStatus(activityInfo.ClosedBy.Value);
}
if (activityInfo.PlanFinishDate.HasValue)
{
row["PlanFinishDate"] = String.Concat(activityInfo.PlanFinishDate.Value.ToShortDateString(), " ", activityInfo.PlanFinishDate.Value.ToShortTimeString());
}
row["ReadOnly"] = false;
PropertyValueCollection properties = activityInfo.AssignmentProperties;
if (properties.Contains(AssignmentCustomProperty.ReadOnlyLibraryAccess))
{
bool?readOnly = properties[AssignmentCustomProperty.ReadOnlyLibraryAccess] as bool?;
if (readOnly.HasValue)
{
row["ReadOnly"] = readOnly.Value;
}
}
dt.Rows.Add(row);
ProcessCollection(dt, activityInfo.Activities, level);
}
}
public bool CanWriteAttibute(string attribute)
{
if (allowedAttributesEffective == null)
{
DirectoryEntry de = (DirectoryEntry)GetUnderlyingObject();
de.RefreshCache(new string[] { "allowedAttributesEffective" });
allowedAttributesEffective = de.Properties["allowedAttributesEffective"];
}
return(allowedAttributesEffective.Contains(attribute));
}
internal static void MultiStringToDirectoryEntryConverter(Principal p, string propertyName, DirectoryEntry de, string suggestedProperty)
{
PrincipalValueCollection <string> valueForProperty = (PrincipalValueCollection <string>)p.GetValueForProperty(propertyName);
if (!p.unpersisted || valueForProperty != null)
{
List <string> inserted = valueForProperty.Inserted;
List <string> removed = valueForProperty.Removed;
List <Pair <string, string> > changedValues = valueForProperty.ChangedValues;
PropertyValueCollection item = de.Properties[suggestedProperty];
foreach (string str in removed)
{
if (str == null || !item.Contains(str))
{
continue;
}
item.Remove(str);
}
foreach (Pair <string, string> changedValue in changedValues)
{
item.Remove(changedValue.Left);
if (changedValue.Right == null || item.Contains(changedValue.Right))
{
continue;
}
item.Add(changedValue.Right);
}
foreach (string str1 in inserted)
{
if (str1 == null || item.Contains(str1))
{
continue;
}
item.Add(str1);
}
return;
}
else
{
return;
}
}
public static void DeleteHostHeader(int siteid, string ip, int port, string domain)//删除主机头(站点编号.ip.端口.域名)
{
DirectoryEntry site = new DirectoryEntry("IIS://localhost/W3SVC/" + siteid);
PropertyValueCollection serverBindings = site.Properties["ServerBindings"];
string headerStr = string.Format("{0}:{1}:{2}", ip, port, domain);
if (serverBindings.Contains(headerStr))
{
serverBindings.Remove(headerStr);
}
site.CommitChanges();
}
/// <summary>
/// 添加域名绑定
/// </summary>
/// <param name="serverName">服务器名称</param>
/// <param name="siteid">站点编号</param>
/// <param name="ip">ip</param>
/// <param name="port">端口</param>
/// <param name="domain">域名</param>
public static void AddHostHeader(string serverName, int siteid, string ip, int port, string domain)
{
DirectoryEntry site = new DirectoryEntry("IIS://" + serverName + "/W3SVC/" + siteid);
PropertyValueCollection serverBindings = site.Properties["ServerBindings"];
string headerStr = string.Format("{0}:{1}:{2}", ip, port, domain);
if (!serverBindings.Contains(headerStr))
{
serverBindings.Add(headerStr);
}
//默认情况下,对缓存进行本地更改。修改或添加节点之后,
//必须调用 CommitChanges 方法,以便提交更改,将它们保存到树中。
//如果在调用 CommitChanges 之前调用 RefreshCache,则将丢失对属性缓存的任何未提交的更改。
site.CommitChanges();
}
public string RemoveHostHeader(string websiteName, string ipAddress, string port, string hostname)
{
string websiteID = GetWebsiteID(websiteName);
string websitePath = "IIS://" + mServer + "/w3svc/" + websiteID;
DirectoryEntry website = null;
try
{
website = new DirectoryEntry(websitePath);
}
catch (Exception error)
{
throw new Exception("Error creating the web directory entry.\n" + error.Message + "\n" + error.InnerException);
}
PropertyValueCollection websiteBindings = null;
try
{
websiteBindings = website.Properties["ServerBindings"];
}
catch (Exception error)
{
throw new Exception("Error getting the host header listing.\n" + error.Message + "\n" + error.InnerException);
}
string hostHeader = string.Format("{0}:{1}:{2}", ipAddress, port, hostname);
if (!websiteBindings.Contains(hostHeader))
{
return("missing");
}
try
{
websiteBindings.Remove(hostHeader);
website.CommitChanges();
}
catch (System.Exception error)
{
throw new Exception("Error removing the host header.\n" + error.Message + "\n" + error.InnerException);
}
return("removed");
}
private static bool CheckEquals(PropertyValueCollection properties, string[] values)
{
if (values == null)
{
return(properties.Count == 0);
}
if (properties.Count != values.Length)
{
return(false);
}
foreach (var v in values)
{
if (!properties.Contains(v))
{
return(false);
}
}
return(true);
}
/// <summary>
/// Users the can write.
/// </summary>
/// <param name="entity">The entity.</param>
/// <returns></returns>
private bool CanUserWrite(AssignmentEntity entity)
{
if (entity.WorkflowInstanceId.HasValue &&
!string.IsNullOrEmpty(entity.WorkflowActivityName))
{
PropertyValueCollection properties = WorkflowActivityWrapper.GetAssignmentProperties((Guid)entity.WorkflowInstanceId.Value, entity.WorkflowActivityName);
if (properties.Contains(AssignmentCustomProperty.ReadOnlyLibraryAccess))
{
bool?value = properties[AssignmentCustomProperty.ReadOnlyLibraryAccess] as bool?;
if (value.HasValue)
{
return(!value.Value);
}
}
}
return(true);
}
protected override void OnRemoveValue(object value)
{
object[] array = value as object[];
if (array == null)
{
array = new object[] { value };
}
PropertyValueCollection values = DirectoryUtils.GetPropertyValues(Entry, AttributeName);
foreach (object val in array)
{
if (values.Contains(val))
{
values.Remove(val);
}
}
Entry.CommitChanges();
}
public static int AddHostHeader(int siteid, string ip, int port, string domain)//增加主机头(站点编号.ip.端口.域名)
{
int mark = 0;
try
{
DirectoryEntry site = new DirectoryEntry("IIS://localhost/W3SVC/" + siteid);
PropertyValueCollection serverBindings = site.Properties["ServerBindings"];
string headerStr = string.Format("{0}:{1}:{2}", ip, port, domain);
if (!serverBindings.Contains(headerStr))
{
serverBindings.Add(headerStr);
}
site.CommitChanges();
mark = 1;
}
catch
{
mark = 0;
}
return(mark);
}
public void DeleteHostHeader(long SiteNum, string IPAddress, string Port, string Url)
{
if (SiteNum < 0L)
{
throw new Exception("IIS 站点号“" + SiteNum.ToString() + "”打开失败。");
}
string entryPath = string.Format("IIS://{0}/w3svc/{1}", this.HostName, SiteNum);
DirectoryEntry directoryEntry = this.GetDirectoryEntry(entryPath);
if (directoryEntry == null)
{
throw new Exception("IIS 站点号“" + SiteNum.ToString() + "”打开失败。");
}
PropertyValueCollection values = directoryEntry.Properties["ServerBindings"];
string str2 = string.Format("{0}:{1}:{2}", IPAddress, Port, Url);
if (values.Contains(str2))
{
values.Remove(str2);
directoryEntry.CommitChanges();
}
}
/// <summary>
/// CaptureServerContainer is a Common method for Both AD/DS and AD/LDS Server Container Requirements Validation
/// Retrieves the required Directory Entry for a specified DN and its attributes.
/// </summary>
public void CaptureServerContainer()
{
if (isDS)
{
if (!adAdapter.GetObjectByDN("CN=Sites,CN=Configuration," + adAdapter.rootDomainDN, out sitesEntry))
{
DataSchemaSite.Assume.IsTrue(
false,
"CN=Sites,CN=Configuration,"
+ adAdapter.rootDomainDN
+ " Object is not found in server");
}
}
else
{
if (!adAdapter.GetLdsObjectByDN("CN=Sites,CN=Configuration," + adAdapter.LDSRootObjectName, out sitesEntry))
{
DataSchemaSite.Assume.IsTrue(
false,
"CN=Sites,CN=Configuration,"
+ adAdapter.LDSRootObjectName
+ " Object is not found in server");
}
}
DirectoryEntries sitesChildern = sitesEntry.Children;
foreach (DirectoryEntry child in sitesChildern)
{
if (child.Properties["objectClass"].Contains((object)"site") && child.Name.Equals("CN=Default-First-Site-Name"))
{
serverParentEntry = child.Children.Find("CN=Servers");
//MS-ADTS-Schema_R433
// [Since objectClass of the child is a site object, R433 is captured.]
DataSchemaSite.CaptureRequirement(
433,
"The parent of the Servers Container must be site object.");
}
}
if (isDS)
{
string dnServers = serverParentEntry.Properties["distinguishedName"].Value.ToString();
if (!adAdapter.GetObjectByDN(dnServers, out dirPartitions))
{
DataSchemaSite.Assume.IsTrue(false, dnServers + " Object is not found in server");
}
}
parent = serverParentEntry.Parent.Name;
objectClass = serverParentEntry.Properties["objectClass"];
//MS-ADTS-Schema_R434
DataSchemaSite.CaptureRequirementIfIsTrue(
objectClass.Contains((object)"serversContainer"),
434,
"The ObjectClass Attribute of the Servers Container must be serversContainer.");
systemFlag = serverParentEntry.Properties["systemFlags"].Value.ToString();
systemFlagVal = ParseSystemFlagsValue("FLAG_DISALLOW_MOVE_ON_DELETE");
//MS-ADTS-Schema_R435
DataSchemaSite.CaptureRequirementIfAreEqual <string>(
systemFlagVal.ToString(),
systemFlag,
435,
"The systemFlags Attribute of the Servers Container must be FLAG_DISALLOW_MOVE_ON_DELETE.");
DirectoryEntries serverChildren = null;
foreach (DirectoryEntry sitechild in sitesChildern)
{
if (sitechild.Properties["objectClass"].Contains((object)"site") && sitechild.Name.Equals("CN=Default-First-Site-Name"))
{
serverParentEntry = sitechild.Children.Find("CN=Servers");
serverChildren = serverParentEntry.Children;
foreach (DirectoryEntry child in serverChildren)
{
if (!child.Parent.Name.Equals("CN=Servers"))
{
isParent = false;
}
objectClass = child.Properties["objectClass"];
if (!objectClass.Contains((object)"server"))
{
isObjectClass = false;
}
systemFlag = child.Properties["systemFlags"].Value.ToString();
systemFlagVal = ParseSystemFlagsValue("FLAG_CONFIG_ALLOW_RENAME|FLAG_CONFIG_ALLOW_LIMITED_MOVE|FLAG_DISALLOW_MOVE_ON_DELETE");
if (systemFlag != (systemFlagVal.ToString()))
{
isParseSystemFlagsValue = false;
}
}
}
}
//MS-ADTS-Schema_R436
DataSchemaSite.CaptureRequirementIfIsTrue(
isParent,
436,
"The parent of the Server Object must be servers Container object.");
//MS-ADTS-Schema_R437
DataSchemaSite.CaptureRequirementIfIsTrue(
isObjectClass,
437,
"The ObjectClass Attribute of the Server Object must be Server.");
//MS-ADTS-Schema_R438
DataSchemaSite.CaptureRequirementIfIsTrue(
isParseSystemFlagsValue,
438,
"The systemFlags Attribute of the Server Object must be either of" +
"FLAG_CONFIG_ALLOW_RENAME | FLAG_CONFIG_ALLOW_LIMITED_MOVE | FLAG_DISALLOW_MOVE_ON_DELETE.");
if (isDS)
{
if (!adAdapter.GetObjectByDN("OU=Domain Controllers," + adAdapter.rootDomainDN, out sitesEntry))
{
DataSchemaSite.Assume.IsTrue(
false,
"OU=Domain Controllers,"
+ adAdapter.rootDomainDN
+ " Object is not found in server");
}
DirectoryEntries domainChildren = sitesEntry.Children;
isObjectClass = true;
foreach (DirectoryEntry childDomain in domainChildren)
{
string cnName = childDomain.Properties["cn"].Value.ToString();
foreach (DirectoryEntry sitechild in sitesChildern)
{
if (sitechild.Properties["objectClass"].Contains((object)"site"))
{
if (sitechild.Name.Equals("CN=Default-First-Site-Name"))
{
serverParentEntry = sitechild.Children.Find("CN=Servers");
serverChildren = serverParentEntry.Children;
foreach (DirectoryEntry child in serverChildren)
{
serverEntry = serverParentEntry.Children.Find("CN=" + cnName);
DirectoryEntries serverEntryChildern = serverEntry.Children;
foreach (DirectoryEntry serverEntryChild in serverEntryChildern)
{
PropertyValueCollection objClass = serverEntryChild.Properties["objectClass"];
dnName = serverEntryChild.Properties["distinguishedName"].Value.ToString();
if (dnName.StartsWith("CN=NTDS Settings"))
{
if (dnName.Contains(adAdapter.PDCNetbiosName))
{
nTDSName = dnName;
}
if (!objClass.Contains((object)"nTDSDSA"))
{
isObjectClass = false;
}
}
}
}
}
}
}
}
bool hasDNSHostName = false;
string dnsHostName = null;
string[] hostName = null;
string domainStr = null;
foreach (DirectoryEntry child in serverChildren)
{
dnsHostName = child.Properties["dnsHostName"].Value.ToString().ToLower();
hostName = dnsHostName.Split('.');
domainStr = dnsHostName.Substring(hostName[0].Length + 1, dnsHostName.Length - (hostName[0].Length + 1));
if (hostName[0].Equals(adAdapter.PDCNetbiosName.ToLower()))
{
hasDNSHostName = true;
break;
}
}
//MS-ADTS-Schema_R439
DataSchemaSite.CaptureRequirementIfIsTrue(
hasDNSHostName &&
(domainStr.ToLower().Equals(adAdapter.PrimaryDomainDnsName.ToLower())),
439,
"The dNSHostName Attribute of the Server Object must be fully qualified DNS name of the DC.");
//MS-ADTS-Schema_R440
DataSchemaSite.CaptureRequirementIfIsTrue(
isObjectClass,
440,
"Each DC in a domain has an nTDSDSA object in the config NC.");
if (!adAdapter.GetObjectByDN(nTDSName, out dirPartitions))
{
DataSchemaSite.Assume.IsTrue(false, nTDSName + " Object is not found in server");
}
string dMDLocation = dirPartitions.Properties["dMDLocation"].Value.ToString();
//MS-ADTS-Schema_R444
DataSchemaSite.CaptureRequirementIfAreEqual <string>(
("CN=Schema,CN=Configuration,"
+ adAdapter.rootDomainDN).ToLower(), dMDLocation.ToLower(),
444,
"The dMDLocation Attribute of the nTDSDSA Object must be dsname of the schema NC root.");
}
else
{
foreach (DirectoryEntry serverEntryChild in serverChildren)
{
DirectoryEntries serverEntryChildsChild = serverEntryChild.Children;
foreach (DirectoryEntry serverChild in serverEntryChildsChild)
{
string dnsHostName = serverEntryChild.Properties["dNSHostName"].Value.ToString().ToLower();
string[] hostName = dnsHostName.Split('.');
string domainStr = dnsHostName.Substring(hostName[0].Length + 1, dnsHostName.Length - (hostName[0].Length + 1));
if ((hostName[0].ToLower().Equals(adAdapter.PDCNetbiosName.ToLower())) && (domainStr.ToLower().Equals(adAdapter.PrimaryDomainDnsName.ToLower())))
{
isTrue = true;
}
dnName = serverChild.Properties["distinguishedName"].Value.ToString();
if (dnName.StartsWith("CN=NTDS Settings"))
{
nTDSName = dnName;
}
}
}
//MS-ADTS-Schema_R439
DataSchemaSite.CaptureRequirementIfIsTrue(
isTrue,
439,
"The dNSHostName Attribute of the Server Object must be fully qualified DNS name of the DC.");
if (!adAdapter.GetLdsObjectByDN(nTDSName, out dirPartitions))
{
DataSchemaSite.Assume.IsTrue(false, nTDSName + " Object is not found in server");
}
string dMDLocation = dirPartitions.Properties["dMDLocation"].Value.ToString();
//MS-ADTS-Schema_R444
DataSchemaSite.CaptureRequirementIfAreEqual <string>(
"CN=Schema,CN=Configuration,"
+ adAdapter.LDSRootObjectName, dMDLocation,
444,
"The dMDLocation Attribute of the nTDSDSA Object must be dsname of the schema NC root.");
}
string name = dirPartitions.Properties["name"].Value.ToString();
//MS-ADTS-Schema_R441
DataSchemaSite.CaptureRequirementIfAreEqual <string>(
"NTDS Settings",
name,
441,
"The name Attribute of the nTDSDSA Object must be NTDS Settings.");
objectClass = dirPartitions.Parent.Properties["objectClass"];
//MS-ADTS-Schema_R442
DataSchemaSite.CaptureRequirementIfIsTrue(
objectClass.Contains((object)"server"),
442,
"The parent of the nTDSDSA Object must be an object with objectClass server.");
objectClass = dirPartitions.Properties["objectClass"];
//MS-ADTS-Schema_R443
DataSchemaSite.CaptureRequirementIfIsTrue(
objectClass.Contains((object)"nTDSDSA"),
443,
"The ObjectClass Attribute of the nTDSDSA Object must be nTDSDSA.");
//MS-ADTS-Schema_R445
PropertyValueCollection allNCs = null;
systemFlag = dirPartitions.Properties["systemFlags"].Value.ToString();
systemFlagVal = ParseSystemFlagsValue("FLAG_DISALLOW_MOVE_ON_DELETE");
DataSchemaSite.CaptureRequirementIfAreEqual <string>(
systemFlagVal.ToString(),
systemFlag,
445,
"The SystemFlags attribute of the nTDSDSA Object must be FLAG_DISALLOW_MOVE_ON_DELETE.");
if (isDS)
{
entry = new DirectoryEntry("LDAP://" + adAdapter.PDCNetbiosName + "/rootDSE");
}
else
{
entry = new DirectoryEntry("LDAP://" + adAdapter.adamServerPort + "/rootDSE");
try
{
allNCs = entry.Properties["namingContexts"];
}
catch (Exception)
{
entry = new DirectoryEntry("LDAP://" + adAdapter.adamServerPort + "/rootDSE");
}
}
allNCs = entry.Properties["namingContexts"];//namingContexts
PropertyValueCollection hasMasterNCs = dirPartitions.Properties["hasMasterNCs"];
PropertyValueCollection msDSHasMasterNCs = dirPartitions.Properties["msDS-hasMasterNCs"];
PropertyValueCollection msDSHasFullReplicasNCs;
bool isHasMasterNCs = true, ismsDSHasMasterNCs = true, ismsDSHasFullReplicasNCs = true;
for (int index = 0; index < hasMasterNCs.Count; index++)
{
if (!allNCs.Contains(hasMasterNCs[index]))
{
isHasMasterNCs = false;
}
}
for (int index = 0; index < msDSHasMasterNCs.Count; index++)
{
if (!allNCs.Contains(msDSHasMasterNCs[index]))
{
ismsDSHasMasterNCs = false;
}
}
//MS-ADTS-Schema_R449
DataSchemaSite.CaptureRequirementIfIsTrue(
isHasMasterNCs,
449,
@"hasMasterNCs attribute in nTDSDSA Object Contains the dsnames of the NC root objects representing
the schema NC, config NC,and domain NC for the default domain of the DC. This attribute always contains
these three values, and only these three values.");
//MS-ADTS-Schema_R451
DataSchemaSite.CaptureRequirementIfIsTrue(
ismsDSHasMasterNCs,
451,
@"msDS-hasMasterNCs attribute in nTDSDSA Object Contains the dsnames of the root objects of all
writable NC replicas hosted by the DC.");
if (isDS)
{
if (!adAdapter.GetObjectByDN(adAdapter.rootDomainDN, out entry))
{
DataSchemaSite.Assume.IsTrue(false, adAdapter.rootDomainDN + " Object is not found in server");
}
PropertyValueCollection msds = entry.Properties["distinguishedName"];
PropertyValueCollection msDSHasDomainNCs = dirPartitions.Properties["msDS-HasDomainNCs"];
//MS-ADTS-Schema_R450
DataSchemaSite.CaptureRequirementIfIsTrue(
msds.Value.ToString() == msDSHasDomainNCs.Value.ToString(),
450,
@"msDS-HasDomainNCs attribute in nTDSDSA Object Equals to the dsname of the NC root object for which
the DC is hosting a regular NC replica. This attribute must have only one value. ");
}
if (isDS)
{
isParseSystemFlagsValue = true;
isParent = true;
isObjectClass = true;
bool isNotExistingRODC = true;
//The value optionsvalue=0x41 can be got from TD [MS-ADTS] 7.1.1.2.2.1.2.1.3
const int optionsvalue = 0x41;
foreach (DirectoryEntry serverEntryChild in serverChildren)
{
if (serverEntryChild.Name.ToLower() == ("CN=" + adAdapter.RODCNetbiosName).ToLower())
{
DirectoryEntries nTDSEntries = serverEntryChild.Children;
foreach (DirectoryEntry nTDSEntry in nTDSEntries)
{
msDSHasFullReplicasNCs = nTDSEntry.Properties["msDS-hasFullReplicaNCs"];
for (int index = 0; index < hasMasterNCs.Count; index++)
{
if (!allNCs.Contains(msDSHasFullReplicasNCs[index]))
{
ismsDSHasFullReplicasNCs = false;
}
}
//Checking For the Parent equal to Servers
if (!nTDSEntry.Properties["objectClass"].Contains((object)"nTDSDSA"))
{
isParent = false;
}
foreach (DirectoryEntry nTDSConnectionObjects in nTDSEntry.Children)
{
//Check schedule attribute
if (nTDSConnectionObjects.Properties["schedule"].Value != null)
{
bool verifySuccessed = VerifyScheduleStructure((byte[])nTDSConnectionObjects.Properties["schedule"].Value);
if (verifySuccessed != true)
{
isSchedule = false;
}
}
objectClass = nTDSConnectionObjects.Properties["objectClass"];
if (!objectClass.Contains((object)"nTDSConnection"))
{
isObjectClass = false;
}
string s = (string)nTDSConnectionObjects.Properties["fromServer"].Value;
if (!s.Contains("CN=NTDS Settings"))
{
isRefertontdsdsa = false;
}
//Checking For the attribute options.
if (optionsvalue != ((int)(nTDSConnectionObjects.Properties["options"].Value)))
{
isOptions = false;
}
//Checking For the name equals to RODC Connection.
name = nTDSConnectionObjects.Properties["name"].Value.ToString();
if ((bool)(nTDSConnectionObjects.Properties["enabledConnection"].Value) != true)
{
isEnabledconnection = false;
}
systemFlag = nTDSConnectionObjects.Properties["systemFlags"].Value.ToString();
systemFlagVal = ParseSystemFlagsValue("FLAG_CONFIG_ALLOW_RENAME");
if (systemFlag != (systemFlagVal.ToString()))
{
isParseSystemFlagsValue = false;
}
}
}
}
if (serverEntryChild.Name.ToLower() == ("CN=" + adAdapter.PDCNetbiosName.ToLower()))
{
DirectoryEntries nTDSDCEntries = serverEntryChild.Children;
foreach (DirectoryEntry nTDSDCEntry in nTDSDCEntries)
{
foreach (DirectoryEntry nTDSConnectionDCObjects in nTDSDCEntry.Children)
{
nonRODCConnection = nTDSConnectionDCObjects.Properties["name"].Value.ToString();
if ((serverOS == OSVersion.WinSvr2012 || serverOS == OSVersion.WinSvr2012R2) && nonRODCConnection.Equals("RODC Connection (SYSVOL)"))
{
isNotExistingRODC = false;
}
else if ((serverOS == OSVersion.WinSvr2008 || serverOS == OSVersion.WinSvr2008R2) && nonRODCConnection.Equals("RODC Connection (FRS)"))
{
isNotExistingRODC = false;
}
}
}
}
}
//Verify MS-AD_Schema requirement:MS-AD_Schema_R4511
DataSchemaSite.CaptureRequirementIfIsTrue(
isRefertontdsdsa,
4511,
@"[Each RODC NTFRS connection object has the following attributes:]fromServer: A reference to the
nTDSDSA object of the source DC.");
//Verify MS-AD_Schema requirement:MS-AD_Schema_R4512
DataSchemaSite.CaptureRequirementIfIsTrue(
isSchedule,
4512,
@"[Each RODC NTFRS connection object has the following attributes:]schedule: Contains a SCHEDULE
structure that specifies the time intervals when replication can be performed between the source
and the destination DCs.");
//Verify MS-AD_Schema requirement:MS-AD_Schema_R4504
DataSchemaSite.CaptureRequirementIfIsTrue(
isNotExistingRODC,
4504,
@"RODC NTFRS connection objects do not exist for DCs.");
//Verify MS-AD_Schema requirement:MS-AD_Schema_R4503
if (serverOS >= OSVersion.WinSvr2012)
{
DataSchemaSite.CaptureRequirementIfAreEqual <string>(
"RODC Connection (SYSVOL)",
name,
4503,
@"An RODC NTFRS connection object exists for each RODC in the forest.");
}
else
{
DataSchemaSite.CaptureRequirementIfAreEqual <string>(
"RODC Connection (FRS)",
name,
4503,
@"An RODC NTFRS connection object exists for each RODC in the forest.");
}
//Verify MS-AD_Schema requirement:MS-AD_Schema_R4508
DataSchemaSite.CaptureRequirementIfIsTrue(
isParent,
4508,
@"[Each RODC NTFRS connection object has the following attributes:]parent: nTDSDSA object.");
//Verify MS-AD_Schema requirement:MS-AD_Schema_R4506
DataSchemaSite.CaptureRequirementIfIsTrue(
isParent,
4506,
@"This object[RODC NTFRS Connection Object] is a child of the nTDSDSA object of the
destination RODC.");
//MS-ADTS-Schema_R455
DataSchemaSite.CaptureRequirementIfIsTrue(
isObjectClass,
455,
"The objectClass attribute of the Connection object must be nTDSConnection.");
//Verify MS-AD_Schema requirement:MS-AD_Schema_R4510
DataSchemaSite.CaptureRequirementIfIsTrue(
isEnabledconnection,
4510,
@"[Each RODC NTFRS connection object has the following attributes:]enabledConnection: true.");
//
//Verify MS-AD_Schema requirement:MS-AD_Schema_R4513
//
DataSchemaSite.CaptureRequirementIfIsTrue(
isParseSystemFlagsValue,
4513,
@"[Each RODC NTFRS connection object has the following attributes:]systemFlags:
{FLAG_CONFIG_ALLOW_RENAME}.");
//Verify MS-AD_Schema requirement:MS-AD_Schema_R4509
DataSchemaSite.CaptureRequirementIfIsTrue(
isObjectClass,
4509,
@"[Each RODC NTFRS connection object has the following attributes:]objectClass: nTDSConnection.");
//Verify MS-AD_Schema requirement:MS-AD_Schema_R4507
if (serverOS >= OSVersion.WinSvr2012)
{
DataSchemaSite.CaptureRequirementIfAreEqual <string>(
"RODC Connection (SYSVOL)",
name,
4507,
@"[Each RODC NTFRS connection object has the following attributes:]name: RODC Connection (SYSVOL).");
}
else
{
DataSchemaSite.CaptureRequirementIfAreEqual <string>(
"RODC Connection (FRS)",
name,
4507,
@"[Each RODC NTFRS connection object has the following attributes:]name: RODC Connection (FRS).");
}
//Verify MS-AD_Schema requirement:MS-AD_Schema_R4514
DataSchemaSite.CaptureRequirementIfIsTrue(
isOptions,
4514,
@"[Each RODC NTFRS connection object has the following attributes:]options: Both of the bits from
the following diagram[The 26th bit is RT, the last bit is IG, and the rest are X]. ");
//Verify MS-AD_Schema requirement:MS-AD_Schema_R4517
DataSchemaSite.CaptureRequirementIfIsTrue(
isOptions,
4517,
@"[In RODC NTFRS connection object, options attribute]X: Must be zero and ignored.");
}
//MS-ADTS-Schema_R452
DataSchemaSite.CaptureRequirementIfIsTrue(
ismsDSHasFullReplicasNCs,
452,
@"msDS-hasFullReplicaNCs attribute in nTDSDSA Object Contains the dsnames of the root objects of all
writable NC replicas hosted by the DC.");
//MS-ADTS-Schema_R454
DataSchemaSite.CaptureRequirementIfIsTrue(
isParent,
454,
"The parent of the Connection object must be nTDSDSA object.");
//MS-ADTS-Schema_R456
DataSchemaSite.CaptureRequirementIfIsTrue(
isParseSystemFlagsValue,
456,
@"The SystemFlags attribute of the Connection object
must be FLAG_CONFIG_ALLOW_RENAME | FLAG_CONFIG_ALLOW_MOVE.");
}
/// <summary>
/// Method validates the requirements under LDSCrossRefContainer Scenario.
/// </summary>
public void ValidateLDSCrossRefContainer()
{
DirectoryEntry dirPartitions = new DirectoryEntry();
DirectoryEntry domainEntry = new DirectoryEntry();
DirectoryEntry childEntry = new DirectoryEntry();
DirectoryEntry requiredEntry = new DirectoryEntry();
string systemFlag;
int systemFlagVal;
//Variables for holding the paths for NCs.
if (!adAdapter.GetLdsObjectByDN("CN=Partitions,CN=Configuration," + adAdapter.LDSRootObjectName, out dirPartitions))
{
DataSchemaSite.Assert.IsTrue(
false,
"CN=Partitions,CN=Configuration,"
+ adAdapter.LDSRootObjectName
+ "Object is not found in server");
}
string parentAttribute = dirPartitions.Parent.Name.ToString();
//MS-ADTS-Schema_R402
DataSchemaSite.CaptureRequirementIfAreEqual <string>(
"CN=Configuration",
parentAttribute,
402,
"The Parent of the Cross-Ref-Container Container must be Config NC root.");
//MS-ADTS-Schema_R403
DataSchemaSite.CaptureRequirementIfAreEqual <string>(
"Partitions",
dirPartitions.Properties["name"].Value.ToString(),
403,
"The name attribute of the Cross-Ref-Container Container must be Partitions.");
PropertyValueCollection objectClass = dirPartitions.Properties["objectClass"];
//MS-ADTS-Schema_R404
DataSchemaSite.CaptureRequirementIfIsTrue(
objectClass.Contains((object)"crossRefContainer"),
404,
"The objectClass attribute of the Cross-Ref-Container Container must be crossRefContainer.");
//MS-ADTS-Schema_R406
systemFlag = dirPartitions.Properties["systemFlags"].Value.ToString();
systemFlagVal = ParseSystemFlagsValue("FLAG_DISALLOW_DELETE");
DataSchemaSite.CaptureRequirementIfAreEqual <string>(
systemFlagVal.ToString(),
systemFlag,
406,
"The systemFlags attribute of the Cross-Ref-Container Container must be FLAG_DISALLOW_DELETE.");
bool isCrossRef = true;
bool isObjectClassCrossRef = true;
DirectoryEntries Childs = dirPartitions.Children;
foreach (DirectoryEntry child in Childs)
{
if (!child.Parent.Name.Equals("CN=Partitions"))
{
isCrossRef = false;
}
PropertyValueCollection objClass = child.Properties["objectClass"];
objClass.RemoveAt(0);
if (objClass.Count != 1 || !objClass.Contains((object)"crossRef"))
{
isObjectClassCrossRef = false;
}
}
//MS-ADTS-Schema_R408
DataSchemaSite.CaptureRequirementIfIsTrue(
isCrossRef,
408,
"The parent of the Cross-Ref Objects must be crossRefContainer object.");
//MS-ADTS-Schema_R409
DataSchemaSite.CaptureRequirementIfIsTrue(
isObjectClassCrossRef,
409,
"The objectClass attribute of the Cross-Ref Objects must be crossRef.");
childEntry = dirPartitions.Children.Find("CN=Enterprise Configuration");
//MS-ADTS-Schema_R410
DataSchemaSite.CaptureRequirementIfAreEqual <string>(
"CN=Configuration," + adAdapter.LDSRootObjectName,
childEntry.Properties["nCName"].Value.ToString(),
410,
"The nCName attribute of the Configuration crossRef Object must equal to the config NC root.");
//MS-ADTS-Schema_R412
DataSchemaSite.CaptureRequirementIfIsFalse(
childEntry.Properties.Contains("dnsRoot"),
412,
"In AD/LDS the dnsroot attribute is not presented for the Configuration crossRef Object. ");
childEntry = dirPartitions.Children.Find("CN=Enterprise Schema");
//MS-ADTS-Schema_R413
DataSchemaSite.CaptureRequirementIfAreEqual <string>(
"CN=Schema,CN=Configuration," + adAdapter.LDSRootObjectName,
childEntry.Properties["nCName"].Value.ToString(),
413,
"The nCName attribute of the Schema crossRef Object must equal to the Schema NC root.");
//MS-ADTS-Schema_R415
DataSchemaSite.CaptureRequirementIfIsFalse(
childEntry.Properties.Contains("dnsRoot"),
415,
"In AD/LDS the dnsroot attribute is not presented for the Schema crossRef Object.");
childEntry = dirPartitions.Children.Find("CN=Enterprise Configuration");
//MS-ADTS-Schema_R421
DataSchemaSite.CaptureRequirementIfIsFalse(
childEntry.Properties.Contains("dnsRoot"),
421,
"In AD/LDS the dnsroot attribute is not presented for Application NC crossRef Object.");
//MS-ADTS-Schema_R852
childEntry = dirPartitions.Children.Find("CN=Enterprise Schema");
if (!adAdapter.GetLdsObjectByDN("CN=Schema,CN=Configuration," + adAdapter.LDSRootObjectName,
out dirPartitions))
{
DataSchemaSite.Assert.IsTrue(
false,
"CN=Schema,CN=Configuration,"
+ adAdapter.LDSRootObjectName
+ " Object is not found in server");
}
DataSchemaSite.CaptureRequirementIfAreEqual <string>(
childEntry.Properties["nCName"].Value.ToString(),
dirPartitions.Properties["distinguishedName"].Value.ToString(),
852,
"The nCName attribute of the crossRef object must equal the dsname of the NC root object.");
}
/// <summary>
/// Method validates the requirements under CrossRefContainer Scenario.
/// </summary>
public void ValidateCrossRefContainer()
{
//Variables required for Directory Entries.
DirectoryEntry dirPartitions = new DirectoryEntry();
DirectoryEntry domainEntry = new DirectoryEntry();
DirectoryEntry childEntry = new DirectoryEntry();
if (!Utilities.IsObjectExist(adAdapter.PartitionPath + "," + adAdapter.rootDomainDN, adAdapter.PDCNetbiosName,
adAdapter.ADDSPortNum, adAdapter.DomainAdministratorName, adAdapter.DomainUserPassword))
{
//To create the Application NC in the Active Directory.
AdLdapClient.Instance().ConnectAndBind(adAdapter.PDCNetbiosName,
adAdapter.PDCIPAddr, Convert.ToInt32(adAdapter.ADDSPortNum), adAdapter.DomainAdministratorName,
adAdapter.DomainUserPassword, adAdapter.PrimaryDomainDnsName,
AuthType.Basic | AuthType.Kerberos);
List <DirectoryAttribute> attrs = new List <DirectoryAttribute>();
attrs.Add(new DirectoryAttribute("instancetype:5"));
attrs.Add(new DirectoryAttribute("objectclass:domainDNS"));
AdLdapClient.Instance().AddObject(adAdapter.PartitionPath + "," + adAdapter.rootDomainDN, attrs, null);
AdLdapClient.Instance().Unbind();
}
string configNC = "CN=Configuration," + adAdapter.rootDomainDN;
string SchemaNC = "CN=Schema," + configNC;
//Returns Fully Qualified DNS Name for the Current Domain.
string strReturn = adAdapter.PrimaryDomainDnsName;
if (!adAdapter.GetObjectByDN("CN=Partitions," + configNC, out dirPartitions))
{
DataSchemaSite.Assume.IsTrue(false, "CN=Partitions," + configNC + " Object is not found in server");
}
string parent = dirPartitions.Parent.Name, systemFlag;
bool isPresent = false;
int systemFlagVal;
//MS-ADTS-Schema_R402
DataSchemaSite.CaptureRequirementIfAreEqual <string>(
"CN=Configuration",
parent,
402,
"The Parent of the Cross-Ref-Container Container must be Config NC root.");
//MS-ADTS-Schema_R403
DataSchemaSite.CaptureRequirementIfAreEqual <string>(
"Partitions",
dirPartitions.Properties["name"].Value.ToString(),
403,
@"The name attribute of the Cross-Ref-Container Container must be Partitions.");
//MS-ADTS-Schema_R404
PropertyValueCollection objectClass = dirPartitions.Properties["objectClass"];
DataSchemaSite.CaptureRequirementIfIsTrue(
objectClass.Contains((object)"crossRefContainer"),
404,
"The objectClass attribute of the Cross-Ref-Container Container must be crossRefContainer.");
string fsmoRoleOwner = dirPartitions.Properties["fSMORoleOwner"].Value.ToString();
//MS-ADTS-Schema_R406
systemFlag = dirPartitions.Properties["systemFlags"].Value.ToString();
systemFlagVal = ParseSystemFlagsValue("FLAG_DISALLOW_DELETE");
DataSchemaSite.CaptureRequirementIfAreEqual <string>(
systemFlagVal.ToString(),
systemFlag,
406,
"The systemFlags attribute of the Cross-Ref-Container Container must be FLAG_DISALLOW_DELETE.");
//MS-ADTS-Schema_R405
if (!adAdapter.GetObjectByDN(adAdapter.rootDomainDN, out domainEntry))
{
DataSchemaSite.Assume.IsTrue(false, adAdapter.rootDomainDN + " Object is not found in server");
}
string domainFSMO = domainEntry.Properties["fSMORoleOwner"].Value.ToString();
DataSchemaSite.CaptureRequirementIfAreEqual <string>(
fsmoRoleOwner,
domainFSMO,
405,
"The fSMORoleOwner attribute of the Cross-Ref-Container Container must references the Domain "
+ "Naming Master FSMO role owner.");
//MS-ADTS-Schema_R408
//Query the Partitions for CrossRef container get the childrens and validate the requirments as such.
bool isCrossRef = true;
bool isObjectClassCrossRef = true;
DirectoryEntries Childs = dirPartitions.Children;
foreach (DirectoryEntry child in Childs)
{
if (!child.Parent.Name.Equals("CN=Partitions"))
{
isCrossRef = false;
}
PropertyValueCollection objClass = child.Properties["objectClass"];
objClass.RemoveAt(0);
if (objClass.Count != 1 || !objClass.Contains((object)"crossRef"))
{
isObjectClassCrossRef = false;
}
if (dirPartitions.Parent.Name.ToString().Equals("CN=Configuration"))
{
isPresent = true;
}
}
//Validate the parent of the crossref objects,objectClass,nCName and
//dnsRoot for all childs and crossRef container in the configNC.
DataSchemaSite.CaptureRequirementIfIsTrue(
isCrossRef,
408,
"The parent of the Cross-Ref Objects must be crossRefContainer object.");
//MS-ADTS-Schema_R851
DataSchemaSite.CaptureRequirementIfIsTrue(
isPresent & isCrossRef,
851,
"For any NC in the forest crossRef,NC root objects must be exist.");
// MS-ADTS-Schema_R409
DataSchemaSite.CaptureRequirementIfIsTrue(
isObjectClassCrossRef,
409,
"The objectClass attribute of the Cross-Ref Objects must be crossRef.");
//This is the crossRef container or crossRefObject
//MS-ADTS-Schema_R410
childEntry = dirPartitions.Children.Find("CN=Enterprise Configuration");
DataSchemaSite.CaptureRequirementIfAreEqual <string>(
configNC.ToLower(),
childEntry.Properties["nCName"].Value.ToString().ToLower(),
410,
"The nCName attribute of the Configuration crossRef Object must equal to the config NC root.");
//MS-ADTS-Schema_R411
string dnsRoot = childEntry.Properties["dnsRoot"].Value.ToString().ToLower();
DataSchemaSite.CaptureRequirementIfAreEqual <string>(
strReturn.ToLower(),
dnsRoot.ToLower(),
411,
"In AD/DS the dnsroot attribute of the Configuration crossRef Object must be the forest "
+ "root's fully qualified DNS name.");
//This is the crossRef child or crossRefObject
//MS-ADTS-Schema_R413
childEntry = dirPartitions.Children.Find("CN=Enterprise Schema");
DataSchemaSite.CaptureRequirementIfAreEqual <string>(
SchemaNC.ToLower(),
childEntry.Properties["nCName"].Value.ToString().ToLower(),
413,
"The nCName attribute of the Schema crossRef Object must equal to the Schema NC root.");
//MS-ADTS-Schema_R414
dnsRoot = childEntry.Properties["dnsRoot"].Value.ToString().ToLower();
DataSchemaSite.CaptureRequirementIfAreEqual <string>(
strReturn.ToLower(),
dnsRoot.ToLower(),
414,
"In AD/DS the dnsroot attribute of the Schema crossRef Object must be the forest "
+ "root's fully qualified DNS name.");
//MS-ADTS-Schema_R852
if (!adAdapter.GetObjectByDN(SchemaNC, out dirPartitions))
{
DataSchemaSite.Assume.IsTrue(false, SchemaNC + " Object is not found in server");
}
DataSchemaSite.CaptureRequirementIfAreEqual <string>(
childEntry.Properties["nCName"].Value.ToString(),
dirPartitions.Properties["distinguishedName"].Value.ToString(),
852,
"The nCName attribute of the crossRef object must equal the dsname of the NC root object.");
if (!adAdapter.GetObjectByDN("CN=Partitions," + configNC, out dirPartitions))
{
DataSchemaSite.Assume.IsTrue(false, "CN=Partitions," + configNC + " Object is not found in server");
}
foreach (DirectoryEntry partitionEntry in dirPartitions.Children)
{
if (partitionEntry.Properties["objectCategory"].Value.ToString().ToLower().Contains("cn=cross-ref"))
{
if (partitionEntry.Properties["nCName"].Value.ToString().Contains(adAdapter.PartitionPath))
{
partitionEntry.RefreshCache(new string[] { "msDS-SDReferenceDomain" });
if (partitionEntry.Properties.Contains("msDS-SDReferenceDomain") && partitionEntry.Properties["msDS-SDReferenceDomain"].Value != null)
{
//MS-ADTS-Schema_R422
DataSchemaSite.CaptureRequirementIfAreEqual <string>(
adAdapter.rootDomainDN.ToLower(),
partitionEntry.Properties["msDS-SDReferenceDomain"].Value.ToString().ToLower(),
422,
"In AD/DS msDS-SDReferenceDomain attribute of the Application NC crossRef object,"
+ "references an NC root object for a domain. All security descriptors in this application NC "
+ "must use the NC represented as the reference domain for resolution.");
}
else
{
DataSchemaSite.Log.Add(LogEntryKind.Warning, "The value of msDS-SDReferenceDomain attribute of the Application NC crossRef object is null");
}
}
if (partitionEntry.Properties["nCName"].Value.ToString().Equals(adAdapter.rootDomainDN))
{
//MS-ADTS-Schema_R416
DataSchemaSite.CaptureRequirementIfAreEqual <string>(
partitionEntry.Properties["name"].Value.ToString(),
partitionEntry.Properties["nETBIOSName"].Value.ToString(),
416,
"The name attribute of the Domain crossRef Object must be the Netbios name of the domain.");
//MS-ADTS-Schema_R417
DataSchemaSite.CaptureRequirementIfAreEqual <string>(
adAdapter.rootDomainDN,
partitionEntry.Properties["nCName"].Value.ToString(),
417,
"The nCName attribute of the Domain crossRef Object must be reference to the Domain NC root.");
//MS-ADTS-Schema_R418
if (!adAdapter.GetObjectByDN(adAdapter.rootDomainDN, out domainEntry))
{
DataSchemaSite.Assume.IsTrue(false, adAdapter.rootDomainDN + " Object is not found in server");
}
DirectoryEntry domainChildEntry = new DirectoryEntry();
DataSchemaSite.CaptureRequirementIfIsTrue(
adAdapter.rootDomainDN.ToLower().Contains(partitionEntry.Properties["nETBIOSName"].Value.ToString().ToLower()),
418,
"The nETBIOSName attribute of the Domain crossRef Object must be the Netbios name of the domain.");
//MS-ADTS-Schema trustParent
DataSchemaSite.Assert.IsNull(
partitionEntry.Properties["trustParent"].Value,
"The trustParent attribute is not present on the root domain NC's crossRef object.");
//MS-ADTS-Schema_R419
systemFlag = partitionEntry.Properties["systemFlags"].Value.ToString();
systemFlagVal = ParseSystemFlagsValue("FLAG_ATTR_NOT_REPLICATED|FLAG_ATTR_REQ_PARTIAL_SET_MEMBER");
DataSchemaSite.CaptureRequirementIfAreEqual <string>(
systemFlagVal.ToString(),
systemFlag,
419,
@"The systemFlags attribute of the Domain crossRef Object must be FLAG_CR_NTDS_NC | FLAG_CR_NTDS_DOMAIN.");
}
if (partitionEntry.Properties["nCName"].Value.ToString().Equals(adAdapter.childDomainDN))
{
//MS-ADTS-Schema_R416
DataSchemaSite.CaptureRequirementIfAreEqual <string>(
partitionEntry.Properties["name"].Value.ToString(),
partitionEntry.Properties["nETBIOSName"].Value.ToString(),
416,
"The name attribute of the Domain crossRef Object must be the Netbios name of the domain.");
//MS-ADTS-Schema_R417
DataSchemaSite.CaptureRequirementIfAreEqual <string>(
adAdapter.childDomainDN,
partitionEntry.Properties["nCName"].Value.ToString(),
417,
"The nCName attribute of the Domain crossRef Object must be reference to the Domain NC root.");
//MS-ADTS-Schema_R418
if (!adAdapter.GetObjectByDN(adAdapter.childDomainDN, out domainEntry))
{
DataSchemaSite.Assume.IsTrue(false, adAdapter.childDomainDN + " Object is not found in server");
}
DirectoryEntry domainChildEntry = new DirectoryEntry();
DataSchemaSite.CaptureRequirementIfIsTrue(
adAdapter.childDomainDN.ToLower().Contains(partitionEntry.Properties["nETBIOSName"].Value.ToString().ToLower()),
418,
"The nETBIOSName attribute of the Domain crossRef Object must be the Netbios name of the domain.");
//MS-ADTS-Schema trustParent
DirectoryEntry parentEntry = new DirectoryEntry();
string netbiosDomain = adAdapter.PrimaryDomainNetBiosName;
parentEntry = dirPartitions.Children.Find(string.Format("CN={0}", netbiosDomain));
DataSchemaSite.Assert.AreEqual <string>(
parentEntry.Properties["distinguishedName"].Value.ToString(),
partitionEntry.Properties["trustParent"].Value.ToString(),
"For child NCs, the trustParent attribute value references the parent NC's crossRef object.");
//MS-ADTS-Schema_R419
systemFlag = partitionEntry.Properties["systemFlags"].Value.ToString();
systemFlagVal = ParseSystemFlagsValue("FLAG_ATTR_NOT_REPLICATED|FLAG_ATTR_REQ_PARTIAL_SET_MEMBER");
DataSchemaSite.CaptureRequirementIfAreEqual <string>(
systemFlagVal.ToString(),
systemFlag,
419,
@"The systemFlags attribute of the Domain crossRef Object must be FLAG_CR_NTDS_NC | FLAG_CR_NTDS_DOMAIN.");
}
}
}
//MS-ADTS-Schema_R420
dnsRoot = childEntry.Properties["dnsRoot"].Value.ToString().ToLower();
DataSchemaSite.CaptureRequirementIfAreEqual <string>(
strReturn.ToLower(),
dnsRoot.ToLower(),
420,
"In AD/DS the the value for dnsRoot for an application NC crossRef is derived by syntactically "
+ "converting the DN portion of the crossRef's nCName into a fully qualified DNS name.");
}
/// <summary>
/// This method validates the requirements under
/// ServiceAndQueryPolicyContainer for both AD/DS and LDS Scenario's
/// </summary>
public void LDSAndDSCommonCallForServices(DirectoryEntry reqEntry)
{
PropertyValueCollection objectClass;
DirectoryEntry requiredEntry = new DirectoryEntry();
DirectoryEntry childEntry = new DirectoryEntry();
requiredEntry = reqEntry;
//MS-ADTS-Schema_R482
string parentAttribute = requiredEntry.Parent.Name.ToString();
DataSchemaSite.CaptureRequirementIfIsTrue(
parentAttribute.Equals("CN=Configuration"),
482,
"The parent of the Services Container must be Config NC root object.");
//MS-ADTS-Schema_R483
objectClass = requiredEntry.Properties["objectClass"];
DataSchemaSite.CaptureRequirementIfIsTrue(
objectClass.Contains((object)"container"),
483,
"The ObjectClass attribute of the Services Container must be container.");
//MS-ADTS-Schema_R484
childEntry = requiredEntry.Children.Find("CN=Windows NT");
parentAttribute = childEntry.Parent.Name.ToString();
DataSchemaSite.CaptureRequirementIfIsTrue(
parentAttribute.Equals("CN=Services"),
484,
"The Parent of the Windows NT Service must be Services.");
//MS-ADTS-Schema_R485
PropertyValueCollection objectClassForWinNT = childEntry.Properties["objectClass"];
DataSchemaSite.CaptureRequirementIfIsTrue(
objectClassForWinNT.Contains((object)"container"),
485,
"The ObjectClass attribute of the Windows NT Service must be container.");
//MS-ADTS-Schema_R486
childEntry = childEntry.Children.Find("CN=Directory Service");
requiredEntry = childEntry;
string parentAttributeDirectory = childEntry.Parent.Name.ToString();
DataSchemaSite.CaptureRequirementIfIsTrue(
parentAttributeDirectory.Equals("CN=Windows NT"),
486,
"The Parent of the Directory Service which is a type of Windows NT Service must be Windows NT.");
//MS-ADTS-Schema_R487
PropertyValueCollection objectClassForDirService = childEntry.Properties["objectClass"];
DataSchemaSite.CaptureRequirementIfIsTrue(
objectClassForDirService.Contains((object)"nTDSService"),
487,
@"The ObjectClass attribute of the Directory Service which is a type of Windows NT Service must
be nTDSService.");
//MS-ADTS-Schema_R102689
PropertyValueCollection dSHeuristicsForDirService = childEntry.Properties["dSHeuristics"];
if (dSHeuristicsForDirService.Value == null)
{
DataSchemaSite.CaptureRequirementIfIsNull(
dSHeuristicsForDirService.Value,
102689,
"[In Directory Service] dSHeuristics: By default, this attribute is not set.");
}
else
{
DataSchemaSite.Log.Add(LogEntryKind.Comment, "dSHeuristics has been changed by other test suites, the value is: {0}", dSHeuristicsForDirService.Value);
}
//MS-ADTS-Schema_R490
childEntry = childEntry.Children.Find("CN=Query-Policies");
parentAttribute = childEntry.Parent.Name.ToString();
DataSchemaSite.CaptureRequirementIfIsTrue(
parentAttribute.Equals("CN=Directory Service"),
490,
"The Parent of the Query-Policies which is a type of Windows NT Service must be Directory Service.");
//MS-ADTS-Schema_R491
PropertyValueCollection objectClassQueryPolicy = childEntry.Properties["objectClass"];
DataSchemaSite.CaptureRequirementIfIsTrue(
objectClassQueryPolicy.Contains((object)"container"),
491,
"The ObjectClass attribute of the Query-Policies which is a type of Windows NT Service must be container.");
//MS-ADTS-Schema_R492
childEntry = childEntry.Children.Find("CN=Default Query Policy");
parentAttribute = childEntry.Parent.Name.ToString();
DataSchemaSite.CaptureRequirementIfIsTrue(
parentAttribute.Equals("CN=Query-Policies"),
492,
"The Parent of the Default Query Policy must be Query-Policies.");
//MS-ADTS-Schema_R493
objectClassQueryPolicy = childEntry.Properties["objectClass"];
DataSchemaSite.CaptureRequirementIfIsTrue(
objectClassQueryPolicy.Contains((object)"queryPolicy"),
493,
"The ObjectClass attribute of the Default Query Policy must be queryPolicy.");
}
/// <summary>
/// This method validates the requirements under
/// WellKnownSecurityDomainPrincipal for both AD/DS and LDS Scenario's.
/// The common requirements are logged here.
/// </summary>
public void LDSAndDSCommonCall(DirectoryEntry directEntry)
{
GroupTypeFlags gType;
//Holding Directory entries.
DirectoryEntry dirEntry = new DirectoryEntry();
DirectoryEntry childEntry = new DirectoryEntry();
dirEntry = directEntry;
//MS-ADTS-Schema_R810
DirectoryEntries rolesChilds = dirEntry.Children;
bool isParentRoles = true;
foreach (DirectoryEntry child in rolesChilds)
{
if (!child.Parent.Name.ToString().Equals("CN=Users"))
{
isParentRoles = false;
}
}
DataSchemaSite.CaptureRequirementIfIsTrue(
isParentRoles,
810,
"For the Well-Known Domain-Relative Security Principals the Parent must be Users container");
//MS-ADTS-Schema_R813
childEntry = dirEntry.Children.Find("CN=Administrator");
PropertyValueCollection objectClass = childEntry.Properties["objectClass"];
DataSchemaSite.CaptureRequirementIfIsTrue(
objectClass.Contains((object)"user"),
813,
"The objectClass attribute of Administrator Well-Known Domain-Relative Security Principals must be user");
//MS-ADTS-Schema_R814
childEntry = dirEntry.Children.Find("CN=Guest");
objectClass = childEntry.Properties["objectClass"];
DataSchemaSite.CaptureRequirementIfIsTrue(
objectClass.Contains((object)"user"),
814,
"The objectClass attribute of Guest Well-Known Domain-Relative Security Principals must be user");
//MS-ADTS-Schema_R815
childEntry.RefreshCache(new string[] { "primaryGroupID" });
string primary = childEntry.Properties["primaryGroupID"].Value.ToString();
DataSchemaSite.CaptureRequirementIfAreEqual <string>(
"514",
primary,
815,
@"The primaryGroupID attribute of Guest Well-Known Domain-Relative Security Principals must
be 514 (Domain Guests)");
//MS-ADTS-Schema_R816
childEntry = dirEntry.Children.Find("CN=krbtgt");
objectClass = childEntry.Properties["objectClass"];
DataSchemaSite.CaptureRequirementIfIsTrue(
objectClass.Contains((object)"user"),
816,
@"The objectClass attribute of Key Distribution Center Service Account Well-Known Domain-Relative
Security Principals must be user");
//MS-ADTS-Schema_R817
childEntry.RefreshCache(new string[] { "primaryGroupID" });
primary = childEntry.Properties["primaryGroupID"].Value.ToString();
DataSchemaSite.CaptureRequirementIfAreEqual <string>(
"513",
primary,
817,
@"The primaryGroupID attribute of Key Distribution Center Service Account Well-Known Domain-Relative
Security Principals must be 513 (Domain Users)");
//MS-ADTS-Schema_R818
childEntry = dirEntry.Children.Find("CN=Cert Publishers");
objectClass = childEntry.Properties["objectClass"];
DataSchemaSite.CaptureRequirementIfIsTrue(
objectClass.Contains((object)"group"),
818,
@"The objectClass attribute of Key Distribution Center Service Account Well-Known Domain-Relative
Security Principals must be user");
//MS-ADTS-Schema_R819
groupType = childEntry.Properties["groupType"];
gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
DataSchemaSite.CaptureRequirementIfAreEqual <GroupTypeFlags>(
GroupTypeFlags.GROUP_TYPE_RESOURCE_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
gType,
819,
@"The groupType attribute of Cert Publishers Well-Known Domain-Relative Security Principals is
{GROUP_TYPE_RESOURCE_GROUP | GROUP_TYPE_SECURITY_ENABLED}.This means that in groupType field the two
above bits are set, which means that the groupType is 0x80000004");
//MS-ADTS-Schema_R820
childEntry = dirEntry.Children.Find("CN=Domain Admins");
objectClass = childEntry.Properties["objectClass"];
DataSchemaSite.CaptureRequirementIfIsTrue(
objectClass.Contains((object)"group"),
820,
@"The objectClass attribute of Domain Administrators Well-Known Domain-Relative Security Principals
must be group");
//MS-ADTS-Schema_R821
groupType = childEntry.Properties["groupType"];
gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
DataSchemaSite.CaptureRequirementIfAreEqual <GroupTypeFlags>(
GroupTypeFlags.GROUP_TYPE_ACCOUNT_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
gType,
821,
@"The groupType attribute of Domain Administrators, Well-Known Domain-Relative Security Principals
is {GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_SECURITY_ENABLED}.This means that in groupType field
the two above bits are set, which means that the groupType is 0x80000002");
//MS-ADTS-Schema_R822
childEntry = dirEntry.Children.Find("CN=Domain Computers");
objectClass = childEntry.Properties["objectClass"];
DataSchemaSite.CaptureRequirementIfIsTrue(
objectClass.Contains((object)"group"),
822,
@"The objectClass attribute of Domain Computers Well-Known Domain-Relative Security
Principals must be group");
//MS-ADTS-Schema_R823
groupType = childEntry.Properties["groupType"];
gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
DataSchemaSite.CaptureRequirementIfAreEqual <GroupTypeFlags>(
GroupTypeFlags.GROUP_TYPE_ACCOUNT_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
gType,
823,
@"The groupType attribute of Domain Computers Well-Known Domain-Relative Security Principals is
{GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_SECURITY_ENABLED}.This means that in groupType field the
two above bits are set, which means that the groupType is 0x80000002");
//MS-ADTS-Schema_R824
childEntry = dirEntry.Children.Find("CN=Domain Controllers");
objectClass = childEntry.Properties["objectClass"];
DataSchemaSite.CaptureRequirementIfIsTrue(
objectClass.Contains((object)"group"),
824,
@"The objectClass attribute of Domain Controllers, Well-Known Domain-Relative Security Principals
must be group");
//MS-ADTS-Schema_R825
groupType = childEntry.Properties["groupType"];
gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
DataSchemaSite.CaptureRequirementIfAreEqual <GroupTypeFlags>(
GroupTypeFlags.GROUP_TYPE_ACCOUNT_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
gType,
825,
@"The groupType attribute of Domain Controllers Well-Known Domain-Relative Security Principals
is {GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_SECURITY_ENABLED}.This means that in groupType field
the two above bits are set, which means that the groupType is 0x80000002");
//MS-ADTS-Schema_R826
childEntry = dirEntry.Children.Find("CN=Domain Guests");
objectClass = childEntry.Properties["objectClass"];
DataSchemaSite.CaptureRequirementIfIsTrue(
objectClass.Contains((object)"group"),
826,
@"The objectClass attribute of Domain Guests Well-Known Domain-Relative Security Principals must
be group");
//MS-ADTS-Schema_R827
groupType = childEntry.Properties["groupType"];
gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
DataSchemaSite.CaptureRequirementIfAreEqual <GroupTypeFlags>(
GroupTypeFlags.GROUP_TYPE_ACCOUNT_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
gType,
827,
@"The groupType attribute of Domain Guests Well-Known Domain-Relative Security Principals is
{GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_SECURITY_ENABLED}.This means that in groupType field
the two above bits are set, which means that the groupType is 0x80000002");
//MS-ADTS-Schema_R828
childEntry = dirEntry.Children.Find("CN=Domain Users");
objectClass = childEntry.Properties["objectClass"];
DataSchemaSite.CaptureRequirementIfIsTrue(
objectClass.Contains((object)"group"),
828,
"The objectClass attribute of Domain Users Well-Known Domain-Relative Security Principals must be group");
//MS-ADTS-Schema_R829
groupType = childEntry.Properties["groupType"];
gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
DataSchemaSite.CaptureRequirementIfAreEqual <GroupTypeFlags>(
GroupTypeFlags.GROUP_TYPE_ACCOUNT_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
gType,
829,
@"The groupType attribute of Domain Users Well-Known Domain-Relative Security Principals must
be either of GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_SECURITY_ENABLED");
//MS-ADTS-Schema_R833
childEntry = dirEntry.Children.Find("CN=Group Policy Creator Owners");
objectClass = childEntry.Properties["objectClass"];
DataSchemaSite.CaptureRequirementIfIsTrue(
objectClass.Contains((object)"group"),
833,
@"The objectClass attribute of Group Policy Creator Owners Well-Known Domain-Relative Security
Principals must be group");
//MS-ADTS-Schema_R834
groupType = childEntry.Properties["groupType"];
gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
DataSchemaSite.CaptureRequirementIfAreEqual <GroupTypeFlags>(
GroupTypeFlags.GROUP_TYPE_ACCOUNT_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
gType,
834,
@"The groupType attribute of Group Policy Creator Owners Well-Known Domain-Relative Security Principals
is {GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_SECURITY_ENABLED}.This means that in groupType field the two
above bits are set, which means that the groupType is 0x80000002");
//MS-ADTS-Schema_R835
childEntry = dirEntry.Children.Find("CN=RAS and IAS Servers");
objectClass = childEntry.Properties["objectClass"];
DataSchemaSite.CaptureRequirementIfIsTrue(
objectClass.Contains((object)"group"),
835,
@"The objectClass attribute of RAS and IAS Servers Well-Known Domain-Relative Security Principals
must be group");
//MS-ADTS-Schema_R836
groupType = childEntry.Properties["groupType"];
gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
DataSchemaSite.CaptureRequirementIfAreEqual <GroupTypeFlags>(
GroupTypeFlags.GROUP_TYPE_RESOURCE_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
gType,
836,
@"The groupType attribute of RAS and IAS Servers Well-Known Domain-Relative Security Principals
is {GROUP_TYPE_RESOURCE_GROUP | GROUP_TYPE_SECURITY_ENABLED}.This means that in groupType field
the two above bits are set, which means that the groupType is 0x80000004");
//MS-ADTS-Schema_R841
childEntry = dirEntry.Children.Find("CN=Schema Admins");
objectClass = childEntry.Properties["objectClass"];
DataSchemaSite.CaptureRequirementIfIsTrue(
objectClass.Contains((object)"group"),
841,
@"The objectClass attribute of Schema Admins Well-Known Domain-Relative Security Principals
must be group");
if (serverOS >= OSVersion.WinSvr2008)
{
//MS-ADTS-Schema_R830
childEntry = dirEntry.Children.Find("CN=Enterprise Admins");
objectClass = childEntry.Properties["objectClass"];
DataSchemaSite.CaptureRequirementIfIsTrue(
objectClass.Contains((object)"group"),
830,
@"The objectClass attribute of Enterprise Administrators Well-Known Domain-Relative Security
Principals must be group.");
//MS-ADTS-Schema_R837
childEntry = dirEntry.Children.Find("CN=Read-only Domain Controllers");
objectClass = childEntry.Properties["objectClass"];
DataSchemaSite.CaptureRequirementIfIsTrue(
objectClass.Contains((object)"group"),
837,
@"The objectClass attribute of Read-Only Domain Controllers Well-Known
Domain-Relative Security Principals must be group");
//MS-ADTS-Schema_R838
groupType = childEntry.Properties["groupType"];
gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
DataSchemaSite.CaptureRequirementIfAreEqual <GroupTypeFlags>(
GroupTypeFlags.GROUP_TYPE_ACCOUNT_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
gType,
838,
@"The groupType attribute of Read-Only Domain Controllers Well-Known Domain-Relative
Security Principals is {GROUP_TYPE_ACCOUNT_GROUP|GROUP_TYPE_SECURITY_ENABLED}
This means that in groupType field the two above bits are set, which means that the
groupType is 0x80000002.");
//MS-ADTS-Schema_R839
childEntry = dirEntry.Children.Find("CN=Enterprise Read-only Domain Controllers");
objectClass = childEntry.Properties["objectClass"];
DataSchemaSite.CaptureRequirementIfIsTrue(
objectClass.Contains((object)"group"),
839,
@"The objectClass attribute of Enterprise Read-Only Domain Controllers Well-Known Domain-Relative
Security Principals must be group");
//MS-ADTS-Schema_R840
groupType = childEntry.Properties["groupType"];
gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
DataSchemaSite.CaptureRequirementIfAreEqual <GroupTypeFlags>(
GroupTypeFlags.GROUP_TYPE_UNIVERSAL_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
gType,
840,
@"The groupType attribute of Enterprise Read-Only Domain Controllers Well-Known Domain-Relative
Security Principals is {GROUP_TYPE_UNIVERSAL_GROUP|GROUP_TYPE_SECURITY_ENABLED} This means that in
groupType field the two above bits are set, which means that the groupType is 0x80000008.");
//MS-ADTS-Schema_Allowed RODC Password Replication Group
childEntry = dirEntry.Children.Find("CN=Allowed RODC Password Replication Group");
objectClass = childEntry.Properties["objectClass"];
DataSchemaSite.Assert.IsTrue(
objectClass.Contains((object)"group"),
@"The objectClass attribute of Allowed RODC Password Replication Group Well-Known Domain-Relative
Security Principals must be group");
//MS-ADTS-Schema_Allowed RODC Password Replication Group
groupType = childEntry.Properties["groupType"];
gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
DataSchemaSite.Assert.AreEqual <GroupTypeFlags>(
GroupTypeFlags.GROUP_TYPE_RESOURCE_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
gType,
@"The groupType attribute of Allowed RODC Password Replication Group Well-Known Domain-Relative
Security Principals is {GROUP_TYPE_RESOURCE_GROUP|GROUP_TYPE_SECURITY_ENABLED} This means that in
groupType field the two above bits are set, which means that the groupType is 0x80000004.");
//MS-ADTS-Schema_Denied RODC Password Replication Group
childEntry = dirEntry.Children.Find("CN=Denied RODC Password Replication Group");
objectClass = childEntry.Properties["objectClass"];
DataSchemaSite.Assert.IsTrue(
objectClass.Contains((object)"group"),
@"The objectClass attribute of Denied RODC Password Replication Group Well-Known Domain-Relative
Security Principals must be group");
//MS-ADTS-Schema_Denied RODC Password Replication Group
groupType = childEntry.Properties["groupType"];
gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
DataSchemaSite.Assert.AreEqual <GroupTypeFlags>(
GroupTypeFlags.GROUP_TYPE_RESOURCE_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
gType,
@"The groupType attribute of Denied RODC Password Replication Group Well-Known Domain-Relative
Security Principals is {GROUP_TYPE_RESOURCE_GROUP|GROUP_TYPE_SECURITY_ENABLED} This means that in
groupType field the two above bits are set, which means that the groupType is 0x80000004.");
}
}
