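To sign in to a Windows machine with a domain account, the machine must first locate a domain controller.
The domain controller is found through a DNS query (_ldap._tcp.dc._msdcs.<DNS domain>). The DNS lookup uses DHCP Option 15 (domain name) and Option 119 (domain search list), or the domain name entered by the user.
To quote an example: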
Let's assume that we have the situation:
- The device receives the DNS domain fabrikam.dk in DHCP option 15 (DomainName)
- The device receives the DNS domains fabrikam.dk and dk in DHCP option 119 (DomainSearch)
- The DC is located in fabrikam.dk and can be found by locating the SRV record _ldap._tcp.dc._msdcs.fabrikam.dk
- The user signs in with Fabrikam\Jens
The device will try to locate the DC using this sequence:
- _ldap._tcp.dc._msdcs.fabrikam - takes the NetBIOS name directly - fails
- _ldap._tcp.dc._msdcs.fabrikam.fabrikam.dk - adds the DomainName value - fails
- _ldap._tcp.dc._msdcs.fabrikam.fabrikam.dk - adds first element in DomainSearch - fails
- _ldap._tcp.dc._msdcs.fabrikam.dk - adds second element in DomainSearch - success
So if dk was not added to DHCP option 119 the device would have been unable to locate a DC and hence the user couldn’t sign in and the device would have been unable to download certificates.
The conclusion is therefore: You need to configure the DNS Suffix list such that the device can construct the correct DNS domain based on the NetBIOS name used.
Reference: http://blogs.technet.com/b/jenstr/archive/2008/12/08/when-do-you-need-to-use-dhcp-option-119-with-ocpe-powered-devices.aspx?wa=wsignin1.0
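
The lookup order from the quoted example, modelled as an added Python example (not code from the original post or from Windows; the function names and the set of published records are assumptions constructed here). It also derives which suffix the search list must contain for a given NetBIOS name and DC domain.

```python
# Added example: models the lookup order described in the quoted example.
# It is not Windows' DC locator; all function names are hypothetical.
SRV_PREFIX = "_ldap._tcp.dc._msdcs."

# Constructed sample data: the only SRV record published in DNS.
PUBLISHED = {"_ldap._tcp.dc._msdcs.fabrikam.dk"}


def candidate_srv_names(netbios, domain_name, search_list):
    """Return the SRV names tried, in order, for a NetBIOS-style logon domain."""
    label = netbios.lower().rstrip(".")
    names = [SRV_PREFIX + label]                      # NetBIOS name taken directly
    if domain_name:                                   # DHCP option 15
        names.append(f"{SRV_PREFIX}{label}.{domain_name.lower()}")
    for suffix in search_list:                        # DHCP option 119, in order
        names.append(f"{SRV_PREFIX}{label}.{suffix.lower()}")
    return names


def locate_dc(netbios, domain_name, search_list, published):
    """Walk the candidates; return (matching name or None, names that failed)."""
    published = {p.lower() for p in published}
    failed = []
    for name in candidate_srv_names(netbios, domain_name, search_list):
        if name in published:
            return name, failed
        failed.append(name)
    return None, failed


def required_suffix(netbios, dc_dns_domain):
    """Suffix the list needs so that NetBIOS name + suffix == DC DNS domain."""
    label, _, rest = dc_dns_domain.lower().partition(".")
    if label != netbios.lower() or not rest:
        return None   # no suffix turns this NetBIOS name into that domain
    return rest


if __name__ == "__main__":
    for search in (["fabrikam.dk", "dk"], ["fabrikam.dk"]):
        found, failed = locate_dc("Fabrikam", "fabrikam.dk", search, PUBLISHED)
        print(f"option 119 = {search}: found={found}, failed lookups={len(failed)}")
    print("suffix needed:", required_suffix("Fabrikam", "fabrikam.dk"))
```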