CLDAP is most commonly encountered on Microsoft Active Directory networks where clients use it to retrieve server information.

This particular operation is described in MS documentation as an "AD ping" but is perhaps more formally described as a RootDSE query for the Netlogon attribute. The Netlogon attribute value is not DER encoded. The operation is derived from an analogous SMB mailslot operation which is reflected in the encoding.

Windows 2000 Server requires UDP for the RootDSE Netlogon query (aka CLDAP "AD ping") whereas either TCP or UDP can be used with Windows 2003 Server.

The filter used by the RootDSE Netlogon query is (&(\06\00\00\20)(DomainGuid=\01\02\03...) but the Host and DomainGuid are not required. It seems Wireshark may not display this filter correctly as the BER encoding does not reflect the nested & conditions displayed.

The DomainGuid is supplied in Little-Endian binary despite the fact that the BER encoding is otherwise Big-Endian.

The first 4 bits of the first byte of the NtVer value generates four different replies (\01\00\00\00, \02\00\00\00, \04\00\00\00, \08\00\00\00) but the author of this paragraph has only ever observed a value of \06\00\00\20. The mechanics behind these bits is not known but the structures seem to correspond to Netlogon mailslot operations.

Even though MS uses BER 1+4 byte length fields for non-primitive types, DER encoding works fine with both Windows 2000 Server and Windows 2003 Server.


Microsoft now has specifications available in the [MS-ADTS] document (

Imported from on 2020-08-11 23:16:56 UTC