jwantdsapi.pas | searchcode

/packages/winunits-jedi/src/jwantdsapi.pas

Large files files are truncated, but you can click here to view the full file

{******************************************************************************}
{                                                                              }
{ DC and Replication Management API interface Unit for Object Pascal           }
{                                                                              }
{ Portions created by Microsoft are Copyright (C) 1995-2001 Microsoft          }
{ Corporation. All Rights Reserved.                                            }
{                                                                              }
{ The original file is: ntdsapi.h, released June 2000. The original Pascal     }
{ code is: NtDsApi.pas, released December 2000. The initial developer of the   }
{ Pascal code is Marcel van Brakel (brakelm att chello dott nl).               }
{                                                                              }
{ Portions created by Marcel van Brakel are Copyright (C) 1999-2001            }
{ Marcel van Brakel. All Rights Reserved.                                      }
{                                                                              }
{ Obtained through: Joint Endeavour of Delphi Innovators (Project JEDI)        }
{                                                                              }
{ You may retrieve the latest version of this file at the Project JEDI         }
{ APILIB home page, located at http://jedi-apilib.sourceforge.net              }
{                                                                              }
{ The contents of this file are used with permission, subject to the Mozilla   }
{ Public License Version 1.1 (the "License"); you may not use this file except }
{ in compliance with the License. You may obtain a copy of the License at      }
{ http://www.mozilla.org/MPL/MPL-1.1.html                                      }
{                                                                              }
{ Software distributed under the License is distributed on an "AS IS" basis,   }
{ WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License for }
{ the specific language governing rights and limitations under the License.    }
{                                                                              }
{ Alternatively, the contents of this file may be used under the terms of the  }
{ GNU Lesser General Public License (the  "LGPL License"), in which case the   }
{ provisions of the LGPL License are applicable instead of those above.        }
{ If you wish to allow use of your version of this file only under the terms   }
{ of the LGPL License and not to allow others to use your version of this file }
{ under the MPL, indicate your decision by deleting  the provisions above and  }
{ replace  them with the notice and other provisions required by the LGPL      }
{ License.  If you do not delete the provisions above, a recipient may use     }
{ your version of this file under either the MPL or the LGPL License.          }
{                                                                              }
{ For more information about the LGPL: http://www.gnu.org/copyleft/lesser.html }
{                                                                              }
{******************************************************************************}

// $Id: JwaNtDsApi.pas,v 1.12 2007/09/05 11:58:51 dezipaitor Exp $
{$IFNDEF JWA_OMIT_SECTIONS}
unit JwaNtDsApi;

{$WEAKPACKAGEUNIT}
{$ENDIF JWA_OMIT_SECTIONS}

{$HPPEMIT ''}
{$HPPEMIT '#include "ntdsapi.h"'}
{$HPPEMIT ''}
{$HPPEMIT 'typedef PDS_REPSYNCALL_ERRINFOW *PPDS_REPSYNCALL_ERRINFOW'}
{$HPPEMIT 'typedef PDS_REPSYNCALL_ERRINFOA *PPDS_REPSYNCALL_ERRINFOA'}
{$HPPEMIT '#ifdef UNICODE'}
{$HPPEMIT 'typedef PPDS_REPSYNCALL_ERRINFOW PPDS_REPSYNCALL_ERRINFO'}
{$HPPEMIT '#else'}
{$HPPEMIT 'typedef PPDS_REPSYNCALL_ERRINFOA PPDS_REPSYNCALL_ERRINFO'}
{$HPPEMIT '#endif'}
{$HPPEMIT ''}


{$IFNDEF JWA_OMIT_SECTIONS}
{$I jediapilib.inc}

interface

uses
  JwaWinBase, JwaWinType, JwaWinNT, JwaWinNLS, JwaRpcDce, JwaSchedule;
{$ENDIF JWA_OMIT_SECTIONS}
{$IFNDEF JWA_IMPLEMENTATIONSECTION}

//////////////////////////////////////////////////////////////////////////
//                                                                      //
// Data definitions                                                     //
//                                                                      //
//////////////////////////////////////////////////////////////////////////

// Following constants define the Active Directory Behavior
// Version numbers.

const
  DS_BEHAVIOR_WIN2000                          = 0;
  {$EXTERNALSYM DS_BEHAVIOR_WIN2000}
  DS_BEHAVIOR_WIN_DOT_NET_WITH_MIXED_DOMAINS   = 1;
  {$EXTERNALSYM DS_BEHAVIOR_WIN_DOT_NET_WITH_MIXED_DOMAINS}
  DS_BEHAVIOR_WIN_DOT_NET                      = 2;
  {$EXTERNALSYM DS_BEHAVIOR_WIN_DOT_NET}

  // (MAKELCID(MAKELANGID(LANG_ENGLISH, SUBLANG_ENGLISH_US), SORT_DEFAULT))
  DS_DEFAULT_LOCALE = DWORD((DWORD(SORT_DEFAULT) shl 16) or ((SUBLANG_ENGLISH_US shl 10) or LANG_ENGLISH));
  {$EXTERNALSYM DS_DEFAULT_LOCALE}

  DS_DEFAULT_LOCALE_COMPARE_FLAGS = (NORM_IGNORECASE or NORM_IGNOREKANATYPE or
    NORM_IGNORENONSPACE or NORM_IGNOREWIDTH or SORT_STRINGSORT);
  {$EXTERNALSYM DS_DEFAULT_LOCALE_COMPARE_FLAGS}

// When booted to DS mode, this event is signalled when the DS has completed
// its initial sync attempts.  The period of time between system startup and
// this event's state being set is indeterminate from the local service's
// standpoint.  In the meantime the contents of the DS should be considered
// incomplete / out-dated, and the machine will not be advertised as a domain
// controller to off-machine clients.  Other local services that rely on
// information published in the DS should avoid accessing (or at least
// relying on) the contents of the DS until this event is set.

  DS_SYNCED_EVENT_NAME   = 'NTDSInitialSyncsCompleted';
  {$EXTERNALSYM DS_SYNCED_EVENT_NAME}
  DS_SYNCED_EVENT_NAME_W = 'NTDSInitialSyncsCompleted';
  {$EXTERNALSYM DS_SYNCED_EVENT_NAME_W}

{$IFNDEF JWA_INCLUDEMODE}
// Permissions bits used in security descriptors in the directory.

  ACTRL_DS_OPEN           = $00000000;
  {$EXTERNALSYM ACTRL_DS_OPEN}
  ACTRL_DS_CREATE_CHILD   = $00000001;
  {$EXTERNALSYM ACTRL_DS_CREATE_CHILD}
  ACTRL_DS_DELETE_CHILD   = $00000002;
  {$EXTERNALSYM ACTRL_DS_DELETE_CHILD}
  ACTRL_DS_LIST           = $00000004;
  {$EXTERNALSYM ACTRL_DS_LIST}
  ACTRL_DS_SELF           = $00000008;
  {$EXTERNALSYM ACTRL_DS_SELF}
  ACTRL_DS_READ_PROP      = $00000010;
  {$EXTERNALSYM ACTRL_DS_READ_PROP}
  ACTRL_DS_WRITE_PROP     = $00000020;
  {$EXTERNALSYM ACTRL_DS_WRITE_PROP}
  ACTRL_DS_DELETE_TREE    = $00000040;
  {$EXTERNALSYM ACTRL_DS_DELETE_TREE}
  ACTRL_DS_LIST_OBJECT    = $00000080;
  {$EXTERNALSYM ACTRL_DS_LIST_OBJECT}
  ACTRL_DS_CONTROL_ACCESS = $00000100;
  {$EXTERNALSYM ACTRL_DS_CONTROL_ACCESS}
{$ENDIF JWA_INCLUDEMODE}

// generic read

  DS_GENERIC_READ = STANDARD_RIGHTS_READ or ACTRL_DS_LIST or ACTRL_DS_READ_PROP or
    ACTRL_DS_LIST_OBJECT;
  {$EXTERNALSYM DS_GENERIC_READ}

// generic execute

  DS_GENERIC_EXECUTE = STANDARD_RIGHTS_EXECUTE or ACTRL_DS_LIST;
  {$EXTERNALSYM DS_GENERIC_EXECUTE}

// generic right

  DS_GENERIC_WRITE = STANDARD_RIGHTS_WRITE or ACTRL_DS_SELF or ACTRL_DS_WRITE_PROP;
  {$EXTERNALSYM DS_GENERIC_WRITE}

// generic all

  DS_GENERIC_ALL = STANDARD_RIGHTS_REQUIRED or ACTRL_DS_CREATE_CHILD or
    ACTRL_DS_DELETE_CHILD or ACTRL_DS_DELETE_TREE or ACTRL_DS_READ_PROP or
    ACTRL_DS_WRITE_PROP or ACTRL_DS_LIST or ACTRL_DS_LIST_OBJECT or
    ACTRL_DS_CONTROL_ACCESS or ACTRL_DS_SELF;
  {$EXTERNALSYM DS_GENERIC_ALL}

type
  DS_NAME_FORMAT = (
    // unknown name type
    DS_UNKNOWN_NAME,

    // eg: CN=User Name,OU=Users,DC=Example,DC=Microsoft,DC=Com
    DS_FQDN_1779_NAME,

    // eg: Exmaple\UserName
    // Domain-only version includes trailing '\\'.
    DS_NT4_ACCOUNT_NAME,

    // Probably "User Name" but could be something else.  I.e. The
    // display name is not necessarily the defining RDN.
    DS_DISPLAY_NAME,

    // obsolete - see #define later
    // DS_DOMAIN_SIMPLE_NAME,
    DS_STUB_4,

    // obsolete - see #define later
    // DS_ENTERPRISE_SIMPLE_NAME,
    DS_STUB_5,

    // String-ized GUID as returned by IIDFromString().
    // eg: {4fa050f0-f561-11cf-bdd9-00aa003a77b6}
    DS_UNIQUE_ID_NAME,

    // eg: example.microsoft.com/software/user name
    // Domain-only version includes trailing '/'.
    DS_CANONICAL_NAME,

    // eg: usern@example.microsoft.com
    DS_USER_PRINCIPAL_NAME,

    // Same as DS_CANONICAL_NAME except that rightmost '/' is
    // replaced with '\n' - even in domain-only case.
    // eg: example.microsoft.com/software\nuser name
    DS_CANONICAL_NAME_EX,

    // eg: www/www.microsoft.com@example.com - generalized service principal
    // names.
    DS_SERVICE_PRINCIPAL_NAME,

    // This is the string representation of a SID.  Invalid for formatDesired.
    // See sddl.h for SID binary <--> text conversion routines.
    // eg: S-1-5-21-397955417-626881126-188441444-501
    DS_SID_OR_SID_HISTORY_NAME,

    // Pseudo-name format so GetUserNameEx can return the DNS domain name to
    // a caller.  This level is not supported by the DS APIs.
    DS_DNS_DOMAIN_NAME);
  {$EXTERNALSYM DS_NAME_FORMAT}
  TDsNameFormat = DS_NAME_FORMAT;

// Map old name formats to closest new format so that old code builds
// against new headers w/o errors and still gets (almost) correct result.

const
  DS_DOMAIN_SIMPLE_NAME     = DS_USER_PRINCIPAL_NAME;
  {$EXTERNALSYM DS_DOMAIN_SIMPLE_NAME}
  DS_ENTERPRISE_SIMPLE_NAME = DS_USER_PRINCIPAL_NAME;
  {$EXTERNALSYM DS_ENTERPRISE_SIMPLE_NAME}

type
  DS_NAME_FLAGS = DWORD;
  {$EXTERNALSYM DS_NAME_FLAGS}
  TDsNameFlags = DS_NAME_FLAGS;

const
    DS_NAME_NO_FLAGS = $0;
    {$EXTERNALSYM DS_NAME_NO_FLAGS}

    // Perform a syntactical mapping at the client (if possible) without
    // going out on the wire.  Returns DS_NAME_ERROR_NO_SYNTACTICAL_MAPPING
    // if a purely syntactical mapping is not possible.
    DS_NAME_FLAG_SYNTACTICAL_ONLY = $1;
    {$EXTERNALSYM DS_NAME_FLAG_SYNTACTICAL_ONLY}

    // Force a trip to the DC for evaluation, even if this could be
    // locally cracked syntactically.
    DS_NAME_FLAG_EVAL_AT_DC = $2;
    {$EXTERNALSYM DS_NAME_FLAG_EVAL_AT_DC}

    // The call fails if the DC is not a GC
    DS_NAME_FLAG_GCVERIFY = $4;
    {$EXTERNALSYM DS_NAME_FLAG_GCVERIFY}

    // Enable cross forest trust referral
    DS_NAME_FLAG_TRUST_REFERRAL = $8;
    {$EXTERNALSYM DS_NAME_FLAG_TRUST_REFERRAL}

type
  DS_NAME_ERROR = (
    DS_NAME_NO_ERROR,

    // Generic processing error.
    DS_NAME_ERROR_RESOLVING,

    // Couldn't find the name at all - or perhaps caller doesn't have
    // rights to see it.
    DS_NAME_ERROR_NOT_FOUND,

    // Input name mapped to more than one output name.
    DS_NAME_ERROR_NOT_UNIQUE,

    // Input name found, but not the associated output format.
    // Can happen if object doesn't have all the required attributes.
    DS_NAME_ERROR_NO_MAPPING,

    // Unable to resolve entire name, but was able to determine which
    // domain object resides in.  Thus DS_NAME_RESULT_ITEM?.pDomain
    // is valid on return.
    DS_NAME_ERROR_DOMAIN_ONLY,

    // Unable to perform a purely syntactical mapping at the client
    // without going out on the wire.
    DS_NAME_ERROR_NO_SYNTACTICAL_MAPPING,

    // The name is from an external trusted forest.
    DS_NAME_ERROR_TRUST_REFERRAL);
  {$EXTERNALSYM DS_NAME_ERROR}
  TDsNameError = DS_NAME_ERROR;

const
  DS_NAME_LEGAL_FLAGS = DS_NAME_FLAG_SYNTACTICAL_ONLY;
  {$EXTERNALSYM DS_NAME_LEGAL_FLAGS}

type
  DS_SPN_NAME_TYPE = (

    // "paulle-nec.ntwksta.ms.com"
    DS_SPN_DNS_HOST,

    // "cn=paulle-nec,ou=computers,dc=ntwksta,dc=ms,dc=com"
    DS_SPN_DN_HOST,

    // "paulle-nec"
    DS_SPN_NB_HOST,

    // "ntdev.ms.com"
    DS_SPN_DOMAIN,

    // "ntdev"
    DS_SPN_NB_DOMAIN,

    // "cn=anRpcService,cn=RPC Services,cn=system,dc=ms,dc=com"
    // "cn=aWsService,cn=Winsock Services,cn=system,dc=ms,dc=com"
    // "cn=aService,dc=itg,dc=ms,dc=com"
    // "www.ms.com", "ftp.ms.com", "ldap.ms.com"
    // "products.ms.com"
    DS_SPN_SERVICE);
  {$EXTERNALSYM DS_SPN_NAME_TYPE}
  TDsSpnNameType = DS_SPN_NAME_TYPE;

  DS_SPN_WRITE_OP = (
        DS_SPN_ADD_SPN_OP,          // add SPNs
        DS_SPN_REPLACE_SPN_OP,      // set all SPNs
        DS_SPN_DELETE_SPN_OP);      // Delete SPNs
  {$EXTERNALSYM DS_SPN_WRITE_OP}
  TDsSpnWriteOp = DS_SPN_WRITE_OP;

  PDS_NAME_RESULT_ITEMA = ^DS_NAME_RESULT_ITEMA;
  {$EXTERNALSYM PDS_NAME_RESULT_ITEMA}
  DS_NAME_RESULT_ITEMA = record
    status: DWORD;  // DS_NAME_ERROR
    pDomain: LPSTR; // DNS domain
    pName: LPSTR;   // name in requested format
  end;
  {$EXTERNALSYM DS_NAME_RESULT_ITEMA}
  TDsNameResultItemA = DS_NAME_RESULT_ITEMA;
  PDsNameResultItemA = PDS_NAME_RESULT_ITEMA;

  PDS_NAME_RESULTA = ^DS_NAME_RESULTA;
  {$EXTERNALSYM PDS_NAME_RESULTA}
  DS_NAME_RESULTA = record
    cItems: DWORD;                 // item count
    rItems: PDS_NAME_RESULT_ITEMA; // item array
  end;
  {$EXTERNALSYM DS_NAME_RESULTA}
  TDsNameResultA = DS_NAME_RESULTA;
  PDsNameResultA = PDS_NAME_RESULTA;

  PDS_NAME_RESULT_ITEMW = ^DS_NAME_RESULT_ITEMW;
  {$EXTERNALSYM PDS_NAME_RESULT_ITEMW}
  DS_NAME_RESULT_ITEMW = record
    status: DWORD;   // DS_NAME_ERROR
    pDomain: LPWSTR; // DNS domain
    pName: LPWSTR;   // name in requested format
  end;
  {$EXTERNALSYM DS_NAME_RESULT_ITEMW}
  TDsNameResultItemW = DS_NAME_RESULT_ITEMW;
  PDsNameResultItemW = PDS_NAME_RESULT_ITEMW;

  PDS_NAME_RESULTW = ^DS_NAME_RESULTW;
  {$EXTERNALSYM PDS_NAME_RESULTW}
  DS_NAME_RESULTW = record
    cItems: DWORD;                 // item count
    rItems: PDS_NAME_RESULT_ITEMW; // item array
  end;
  {$EXTERNALSYM DS_NAME_RESULTW}
  TDsNameResultW = DS_NAME_RESULTW;
  PDsNameResultW = PDS_NAME_RESULTW;

  {$IFDEF UNICODE}
  DS_NAME_RESULT = DS_NAME_RESULTW;
  {$EXTERNALSYM DS_NAME_RESULT}
  PDS_NAME_RESULT = PDS_NAME_RESULTW;
  {$EXTERNALSYM PDS_NAME_RESULT}
  DS_NAME_RESULT_ITEM = DS_NAME_RESULT_ITEMW;
  {$EXTERNALSYM DS_NAME_RESULT_ITEM}
  PDS_NAME_RESULT_ITEM = PDS_NAME_RESULT_ITEMW;
  {$EXTERNALSYM PDS_NAME_RESULT_ITEM}
  TDsNameResult = TDsNameResultW;
  PDsNameResult = PDsNameResultW;
  TDsNameResultItem = TDsNameResultItemW;
  PDsNameResultItem = PDsNameResultItemW;
  {$ELSE}
  DS_NAME_RESULT = DS_NAME_RESULTA;
  {$EXTERNALSYM DS_NAME_RESULT}
  PDS_NAME_RESULT = PDS_NAME_RESULTA;
  {$EXTERNALSYM PDS_NAME_RESULT}
  DS_NAME_RESULT_ITEM = DS_NAME_RESULT_ITEMA;
  {$EXTERNALSYM DS_NAME_RESULT_ITEM}
  PDS_NAME_RESULT_ITEM = PDS_NAME_RESULT_ITEMA;
  {$EXTERNALSYM PDS_NAME_RESULT_ITEM}
  TDsNameResult = TDsNameResultA;
  PDsNameResult = PDsNameResultA;
  TDsNameResultItem = TDsNameResultItemA;
  PDsNameResultItem = PDsNameResultItemA;
  {$ENDIF UNICODE}

// Public replication option flags

// ********************
// DsBindWithSpnEx flags
// ********************
// Allow the Bind to use delegate service level, so that you can
// do ntdsapi operations that require delegation, such as
// DsAddSidHistory, and DsReplicaSyncAll().  Most operations do
// not require DELEGATE so this flag should only be specified 
// if you need it, because if you bind to a rogue server with
// the DELEGATE flag, you'll allow the rogue server to use your
// credentials to connect back to a non-rogue server and perform
// operations other than you intended.

const
  NTDSAPI_BIND_ALLOW_DELEGATION = $00000001;
  {$EXTERNALSYM NTDSAPI_BIND_ALLOW_DELEGATION}

// ********************
// Replica Sync flags
// These flag values are used both as input to DsReplicaSync and
// as output from DsReplicaGetInfo, PENDING_OPS, DS_REPL_OPW.ulOptions
// ********************

// Perform this operation asynchronously.
// Required when using DS_REPSYNC_ALL_SOURCES

const
  DS_REPSYNC_ASYNCHRONOUS_OPERATION = $00000001;
  {$EXTERNALSYM DS_REPSYNC_ASYNCHRONOUS_OPERATION}

// Writeable replica.  Otherwise, read-only.

  DS_REPSYNC_WRITEABLE = $00000002;
  {$EXTERNALSYM DS_REPSYNC_WRITEABLE}

// This is a periodic sync request as scheduled by the admin.

  DS_REPSYNC_PERIODIC = $00000004;
  {$EXTERNALSYM DS_REPSYNC_PERIODIC}

// Use inter-site messaging

  DS_REPSYNC_INTERSITE_MESSAGING = $00000008;
  {$EXTERNALSYM DS_REPSYNC_INTERSITE_MESSAGING}

// Sync from all sources.

  DS_REPSYNC_ALL_SOURCES = $00000010;
  {$EXTERNALSYM DS_REPSYNC_ALL_SOURCES}

// Sync starting from scratch (i.e., at the first USN).

  DS_REPSYNC_FULL = $00000020;
  {$EXTERNALSYM DS_REPSYNC_FULL}

// This is a notification of an update that was marked urgent.

  DS_REPSYNC_URGENT = $00000040;
  {$EXTERNALSYM DS_REPSYNC_URGENT}

// Don't discard this synchronization request, even if a similar
// sync is pending.

  DS_REPSYNC_NO_DISCARD = $00000080;
  {$EXTERNALSYM DS_REPSYNC_NO_DISCARD}

// Sync even if link is currently disabled.

  DS_REPSYNC_FORCE = $00000100;
  {$EXTERNALSYM DS_REPSYNC_FORCE}

// Causes the source DSA to check if a reps-to is present for the local DSA
// (aka the destination). If not, one is added.  This ensures that
// source sends change notifications.

  DS_REPSYNC_ADD_REFERENCE = $00000200;
  {$EXTERNALSYM DS_REPSYNC_ADD_REFERENCE}

// A sync from this source has never completed (e.g., a new source).

  DS_REPSYNC_NEVER_COMPLETED = $00000400;
  {$EXTERNALSYM DS_REPSYNC_NEVER_COMPLETED}

// When this sync is complete, requests a sync in the opposite direction.

  DS_REPSYNC_TWO_WAY = $00000800;
  {$EXTERNALSYM DS_REPSYNC_TWO_WAY}

// Do not request change notifications from this source.
  DS_REPSYNC_NEVER_NOTIFY          = $00001000;
  {$EXTERNALSYM DS_REPSYNC_NEVER_NOTIFY}

// Sync the NC from this source when the DSA is started.
  DS_REPSYNC_INITIAL                = $00002000;
  {$EXTERNALSYM DS_REPSYNC_INITIAL}

// Use compression when replicating.  Saves message size (e.g., network
// bandwidth) at the expense of extra CPU overhead at both the source and
// destination servers.
  DS_REPSYNC_USE_COMPRESSION        = $00004000;
  {$EXTERNALSYM DS_REPSYNC_USE_COMPRESSION}

// Sync was abandoned for lack of updates
  DS_REPSYNC_ABANDONED              = $00008000;
  {$EXTERNALSYM DS_REPSYNC_ABANDONED}

// Initial sync in progress
  DS_REPSYNC_INITIAL_IN_PROGRESS    = $00010000;
  {$EXTERNALSYM DS_REPSYNC_INITIAL_IN_PROGRESS}

// Partial Attribute Set sync in progress
  DS_REPSYNC_PARTIAL_ATTRIBUTE_SET  = $00020000;
  {$EXTERNALSYM DS_REPSYNC_PARTIAL_ATTRIBUTE_SET}

// Sync is being retried
  DS_REPSYNC_REQUEUE                = $00040000;
  {$EXTERNALSYM DS_REPSYNC_REQUEUE}

// Sync is a notification request from a source
  DS_REPSYNC_NOTIFICATION           = $00080000;
  {$EXTERNALSYM DS_REPSYNC_NOTIFICATION}

// Sync is a special form which requests to establish contact
// now and do the rest of the sync later
  DS_REPSYNC_ASYNCHRONOUS_REPLICA   = $00100000;
  {$EXTERNALSYM DS_REPSYNC_ASYNCHRONOUS_REPLICA}

// Request critical objects only
  DS_REPSYNC_CRITICAL               = $00200000;
  {$EXTERNALSYM DS_REPSYNC_CRITICAL}

// A full synchronization is in progress
  DS_REPSYNC_FULL_IN_PROGRESS       = $00400000;
  {$EXTERNALSYM DS_REPSYNC_FULL_IN_PROGRESS}

// Synchronization request was previously preempted
  DS_REPSYNC_PREEMPTED              = $00800000;
  {$EXTERNALSYM DS_REPSYNC_PREEMPTED}

// ********************
// Replica Add flags
// ********************

// Perform this operation asynchronously.

  DS_REPADD_ASYNCHRONOUS_OPERATION = $00000001;
  {$EXTERNALSYM DS_REPADD_ASYNCHRONOUS_OPERATION}

// Create a writeable replica.  Otherwise, read-only.

  DS_REPADD_WRITEABLE = $00000002;
  {$EXTERNALSYM DS_REPADD_WRITEABLE}

// Sync the NC from this source when the DSA is started.

  DS_REPADD_INITIAL = $00000004;
  {$EXTERNALSYM DS_REPADD_INITIAL}

// Sync the NC from this source periodically, as defined by the
// schedule passed in the preptimesSync argument.

  DS_REPADD_PERIODIC = $00000008;
  {$EXTERNALSYM DS_REPADD_PERIODIC}

// Sync from the source DSA via an Intersite Messaging Service (ISM) transport
// (e.g., SMTP) rather than native DS RPC.

  DS_REPADD_INTERSITE_MESSAGING = $00000010;
  {$EXTERNALSYM DS_REPADD_INTERSITE_MESSAGING}

// Don't replicate the NC now -- just save enough state such that we
// know to replicate it later.

  DS_REPADD_ASYNCHRONOUS_REPLICA = $00000020;
  {$EXTERNALSYM DS_REPADD_ASYNCHRONOUS_REPLICA}

// Disable notification-based synchronization for the NC from this source.
// This is expected to be a temporary state; the similar flag
// DS_REPADD_NEVER_NOTIFY should be used if the disable is to be more permanent.

  DS_REPADD_DISABLE_NOTIFICATION = $00000040;
  {$EXTERNALSYM DS_REPADD_DISABLE_NOTIFICATION}

// Disable periodic synchronization for the NC from this source

  DS_REPADD_DISABLE_PERIODIC = $00000080;
  {$EXTERNALSYM DS_REPADD_DISABLE_PERIODIC}

// Use compression when replicating.  Saves message size (e.g., network
// bandwidth) at the expense of extra CPU overhead at both the source and
// destination servers.

  DS_REPADD_USE_COMPRESSION = $00000100;
  {$EXTERNALSYM DS_REPADD_USE_COMPRESSION}

// Do not request change notifications from this source.  When this flag is
// set, the source will not notify the destination when changes occur.
// Recommended for all intersite replication, which may occur over WAN links.
// This is expected to be a more or less permanent state; the similar flag
// DS_REPADD_DISABLE_NOTIFICATION should be used if notifications are to be
// disabled only temporarily.

  DS_REPADD_NEVER_NOTIFY = $00000200;
  {$EXTERNALSYM DS_REPADD_NEVER_NOTIFY}

// When this sync is complete, requests a sync in the opposite direction.
  DS_REPADD_TWO_WAY                  = $00000400;
  {$EXTERNALSYM DS_REPADD_TWO_WAY}

// Request critical objects only
// Critical only is only allowed while installing
// A critical only sync does not bring all objects in the partition. It
// replicates just the ones necessary for minimal directory operation.
// A normal, non-critical sync must be performed before the partition
// can be considered fully synchronized.
  DS_REPADD_CRITICAL                 = $00000800;
  {$EXTERNALSYM DS_REPADD_CRITICAL}

// ********************
// Replica Delete flags
// ********************

// Perform this operation asynchronously.

  DS_REPDEL_ASYNCHRONOUS_OPERATION = $00000001;
  {$EXTERNALSYM DS_REPDEL_ASYNCHRONOUS_OPERATION}

// The replica being deleted is writeable.

  DS_REPDEL_WRITEABLE = $00000002;
  {$EXTERNALSYM DS_REPDEL_WRITEABLE}

// Replica is a mail-based replica

  DS_REPDEL_INTERSITE_MESSAGING = $00000004;
  {$EXTERNALSYM DS_REPDEL_INTERSITE_MESSAGING}

// Ignore any error generated by contacting the source to tell it to scratch
// this server from its Reps-To for this NC.

  DS_REPDEL_IGNORE_ERRORS = $00000008;
  {$EXTERNALSYM DS_REPDEL_IGNORE_ERRORS}

// Do not contact the source telling it to scratch this server from its
// Rep-To for this NC.  Otherwise, if the link is RPC-based, the source will
// be contacted.

  DS_REPDEL_LOCAL_ONLY = $00000010;
  {$EXTERNALSYM DS_REPDEL_LOCAL_ONLY}

// Delete all the objects in the NC
// "No source" is incompatible with (and rejected for) writeable NCs.  This is
// valid only for read-only NCs, and then only if the NC has no source.  This
// can occur when the NC has been partially deleted (in which case the KCC
// periodically calls the delete API with the "no source" flag set).

  DS_REPDEL_NO_SOURCE = $00000020;
  {$EXTERNALSYM DS_REPDEL_NO_SOURCE}

// Allow deletion of read-only replica even if it sources
// other read-only replicas.

  DS_REPDEL_REF_OK = $00000040;
  {$EXTERNALSYM DS_REPDEL_REF_OK}

// ********************
// Replica Modify flags
// ********************

// Perform this operation asynchronously.

  DS_REPMOD_ASYNCHRONOUS_OPERATION = $00000001;
  {$EXTERNALSYM DS_REPMOD_ASYNCHRONOUS_OPERATION}

// The replica is writeable.

  DS_REPMOD_WRITEABLE = $00000002;
  {$EXTERNALSYM DS_REPMOD_WRITEABLE}

// ********************
// Replica Modify fields
// ********************

  DS_REPMOD_UPDATE_FLAGS     = $00000001;
  {$EXTERNALSYM DS_REPMOD_UPDATE_FLAGS}
  DS_REPMOD_UPDATE_ADDRESS   = $00000002;
  {$EXTERNALSYM DS_REPMOD_UPDATE_ADDRESS}
  DS_REPMOD_UPDATE_SCHEDULE  = $00000004;
  {$EXTERNALSYM DS_REPMOD_UPDATE_SCHEDULE}
  DS_REPMOD_UPDATE_RESULT    = $00000008;
  {$EXTERNALSYM DS_REPMOD_UPDATE_RESULT}
  DS_REPMOD_UPDATE_TRANSPORT = $00000010;
  {$EXTERNALSYM DS_REPMOD_UPDATE_TRANSPORT}

// ********************
// Update Refs fields
// ********************

// Perform this operation asynchronously.

  DS_REPUPD_ASYNCHRONOUS_OPERATION = $00000001;
  {$EXTERNALSYM DS_REPUPD_ASYNCHRONOUS_OPERATION}

// The replica being deleted is writeable.

  DS_REPUPD_WRITEABLE = $00000002;
  {$EXTERNALSYM DS_REPUPD_WRITEABLE}

// Add a reference

  DS_REPUPD_ADD_REFERENCE = $00000004;
  {$EXTERNALSYM DS_REPUPD_ADD_REFERENCE}

// Remove a reference

  DS_REPUPD_DELETE_REFERENCE = $00000008;
  {$EXTERNALSYM DS_REPUPD_DELETE_REFERENCE}

// ********************
//  NC Related Flags
// ********************
//
// Instance Type bits, specifies flags for NC head creation.
//

  DS_INSTANCETYPE_IS_NC_HEAD       = $00000001; // This if what to specify on an object to indicate it's an NC Head.
  {$EXTERNALSYM DS_INSTANCETYPE_IS_NC_HEAD}
  DS_INSTANCETYPE_NC_IS_WRITEABLE  = $00000004; // This is to indicate that the NC Head is writeable.
  {$EXTERNALSYM DS_INSTANCETYPE_NC_IS_WRITEABLE}
  DS_INSTANCETYPE_NC_COMING        = $00000010; // This is to indicate that this NC is still replicating in objects to this DC, and may not be a complete NC.
  {$EXTERNALSYM DS_INSTANCETYPE_NC_COMING}
  DS_INSTANCETYPE_NC_GOING         = $00000020; // This is to indicate that this NC is in the process of being removed from this DC, and may not be a complete NC.
  {$EXTERNALSYM DS_INSTANCETYPE_NC_GOING}

// ********************
//  xxx_OPT_xxx Flags
// ********************

// These macros define bit flags which can be set in the "options" attribute
// of objects of the specified object class.

// Bit flags valid for options attribute on NTDS-DSA objects.
//

  NTDSDSA_OPT_IS_GC                    = 1 shl 0; // DSA is a global catalog
  {$EXTERNALSYM NTDSDSA_OPT_IS_GC}
  NTDSDSA_OPT_DISABLE_INBOUND_REPL     = 1 shl 1; // disable inbound replication
  {$EXTERNALSYM NTDSDSA_OPT_DISABLE_INBOUND_REPL}
  NTDSDSA_OPT_DISABLE_OUTBOUND_REPL    = 1 shl 2; // disable outbound replication
  {$EXTERNALSYM NTDSDSA_OPT_DISABLE_OUTBOUND_REPL}
  NTDSDSA_OPT_DISABLE_NTDSCONN_XLATE   = 1 shl 3; // disable logical conn xlation
  {$EXTERNALSYM NTDSDSA_OPT_DISABLE_NTDSCONN_XLATE}

// Bit flags for options attribute on NTDS-Connection objects.
//
// The reasons that two bits are required to control notification are as follows.
// We must support existing connections with the old behavior and the UI does not
// create manual connections with the new bit set.
// The default for existing and manually created connections with bits 2 and 3
// clear must be the standard prior behavior: notification for intra-site and
// no notification for inter-site.
// We need a way to distinguish a old connection which desires the default
// notification rules, and a new connection for which we desire to explicitly
// control the notification state as passed down from a site link.  Thus we
// have a new bit to say we are overriding the default, and a new bit to indicate
// what the overridden default shall be.
//

  NTDSCONN_OPT_IS_GENERATED = 1 shl 0;  // object generated by DS, not admin
  {$EXTERNALSYM NTDSCONN_OPT_IS_GENERATED}
  NTDSCONN_OPT_TWOWAY_SYNC  = 1 shl 1;  // force sync in opposite direction at end of sync
  {$EXTERNALSYM NTDSCONN_OPT_TWOWAY_SYNC}
  NTDSCONN_OPT_OVERRIDE_NOTIFY_DEFAULT = 1 shl 2;  // Do not use defaults to determine notification
  {$EXTERNALSYM NTDSCONN_OPT_OVERRIDE_NOTIFY_DEFAULT}
  NTDSCONN_OPT_USE_NOTIFY   = 1 shl 3; // Does source notify destination
  {$EXTERNALSYM NTDSCONN_OPT_USE_NOTIFY}

// For intra-site connections, this bit has no meaning.
// For inter-site connections, this bit means:
//  0 - Compression of replication data enabled
//  1 - Compression of replication data disabled

  NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSION   = 1 shl 4;
  {$EXTERNALSYM NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSION}

// For connections whose IS_GENERATED bit is 0, this bit has no effect.
// For KCC-generated connections, this bit indicates that the schedule attribute
// is owned by the user and should not be touched by the KCC.

  NTDSCONN_OPT_USER_OWNED_SCHEDULE = 1 shl 5;
  {$EXTERNALSYM NTDSCONN_OPT_USER_OWNED_SCHEDULE}

//
// The high 4 bits of the options attribute are used by NTFRS to assign priority
// for inbound connections. Bit 31 is used to force FRS to ignore schedule during
// the initial sync. Bits 30 - 28 are used to specify a priority between 0-7.
//

  FRSCONN_PRIORITY_MASK              = $70000000;
  {$EXTERNALSYM FRSCONN_PRIORITY_MASK}
  FRSCONN_MAX_PRIORITY               = $8;
  {$EXTERNALSYM FRSCONN_MAX_PRIORITY}

  DSCONN_OPT_IGNORE_SCHEDULE_MASK = DWORD($80000000);
  {$EXTERNALSYM DSCONN_OPT_IGNORE_SCHEDULE_MASK}

function NTDSCONN_IGNORE_SCHEDULE(_options_: DWORD): DWORD;
{$EXTERNALSYM NTDSCONN_IGNORE_SCHEDULE}

function FRSCONN_GET_PRIORITY(_options_: DWORD): DWORD;
{$EXTERNALSYM FRSCONN_GET_PRIORITY}

// Bit flags for options attribute on NTDS-Site-Settings objects.
//

const
  NTDSSETTINGS_OPT_IS_AUTO_TOPOLOGY_DISABLED     = 1 shl 0; // automatic topology gen disabled
  {$EXTERNALSYM NTDSSETTINGS_OPT_IS_AUTO_TOPOLOGY_DISABLED}
  NTDSSETTINGS_OPT_IS_TOPL_CLEANUP_DISABLED      = 1 shl 1; // automatic topology cleanup disabled
  {$EXTERNALSYM NTDSSETTINGS_OPT_IS_TOPL_CLEANUP_DISABLED}
  NTDSSETTINGS_OPT_IS_TOPL_MIN_HOPS_DISABLED     = 1 shl 2; // automatic minimum hops topology disabled
  {$EXTERNALSYM NTDSSETTINGS_OPT_IS_TOPL_MIN_HOPS_DISABLED}
  NTDSSETTINGS_OPT_IS_TOPL_DETECT_STALE_DISABLED = 1 shl 3; // automatic stale server detection disabled
  {$EXTERNALSYM NTDSSETTINGS_OPT_IS_TOPL_DETECT_STALE_DISABLED}
  NTDSSETTINGS_OPT_IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED = 1 shl 4; // automatic inter-site topology gen disabled
  {$EXTERNALSYM NTDSSETTINGS_OPT_IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED}
  NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED      = 1 shl 5; // group memberships for users enabled
  {$EXTERNALSYM NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED}
  NTDSSETTINGS_OPT_FORCE_KCC_WHISTLER_BEHAVIOR   = 1 shl 6; // force KCC to operate in Whistler behavior mode
  {$EXTERNALSYM NTDSSETTINGS_OPT_FORCE_KCC_WHISTLER_BEHAVIOR}
  NTDSSETTINGS_OPT_FORCE_KCC_W2K_ELECTION        = 1 shl 7; // force KCC to use the Windows 2000 ISTG election algorithm
  {$EXTERNALSYM NTDSSETTINGS_OPT_FORCE_KCC_W2K_ELECTION}
  NTDSSETTINGS_OPT_IS_RAND_BH_SELECTION_DISABLED = 1 shl 8; // prevent the KCC from randomly picking a bridgehead when creating a connection
  {$EXTERNALSYM NTDSSETTINGS_OPT_IS_RAND_BH_SELECTION_DISABLED}
  NTDSSETTINGS_OPT_IS_SCHEDULE_HASHING_ENABLED   = 1 shl 9; // allow the KCC to use hashing when creating a replication schedule
  {$EXTERNALSYM NTDSSETTINGS_OPT_IS_SCHEDULE_HASHING_ENABLED}

// Bit flags for options attribute on Inter-Site-Transport objects
//
// Note, the sense of the flag should be such that the default state or
// behavior corresponds to the flag NOT being present. Put another way, the
// flag should state the OPPOSITE of the default
//
// default: schedules are significant

  NTDSTRANSPORT_OPT_IGNORE_SCHEDULES = 1 shl 0; // Schedules disabled
  {$EXTERNALSYM NTDSTRANSPORT_OPT_IGNORE_SCHEDULES}

// default: links transitive (bridges not required)

  NTDSTRANSPORT_OPT_BRIDGES_REQUIRED = 1 shl 1; // siteLink bridges are required
  {$EXTERNALSYM NTDSTRANSPORT_OPT_BRIDGES_REQUIRED}

// Bit flags for options attribute on site-Connection objects
//
// These are not realized in the DS, but are built up in the KCC

  NTDSSITECONN_OPT_USE_NOTIFY  = 1 shl 0; // Use notification on this link
  {$EXTERNALSYM NTDSSITECONN_OPT_USE_NOTIFY}
  NTDSSITECONN_OPT_TWOWAY_SYNC = 1 shl 1;  // force sync in opposite direction at end of sync
  {$EXTERNALSYM NTDSSITECONN_OPT_TWOWAY_SYNC}

// This bit means:
//  0 - Compression of replication data across this site connection enabled
//  1 - Compression of replication data across this site connection disabled

  NTDSSITECONN_OPT_DISABLE_COMPRESSION = 1 shl 2;
  {$EXTERNALSYM NTDSSITECONN_OPT_DISABLE_COMPRESSION}

// Bit flags for options attribute on site-Link objects
// Note that these options are AND-ed along a site-link path
//

  NTDSSITELINK_OPT_USE_NOTIFY  = 1 shl 0; // Use notification on this link
  {$EXTERNALSYM NTDSSITELINK_OPT_USE_NOTIFY}
  NTDSSITELINK_OPT_TWOWAY_SYNC = 1 shl 1;  // force sync in opposite direction at end of sync
  {$EXTERNALSYM NTDSSITELINK_OPT_TWOWAY_SYNC}

// This bit means:
//  0 - Compression of replication data across this site link enabled
//  1 - Compression of replication data across this site link disabled

  NTDSSITELINK_OPT_DISABLE_COMPRESSION = 1 shl 2;
  {$EXTERNALSYM NTDSSITELINK_OPT_DISABLE_COMPRESSION}

// ***********************
// Well Known Object Guids
// ***********************

  GUID_USERS_CONTAINER_A              = 'a9d1ca15768811d1aded00c04fd8d5cd';
  {$EXTERNALSYM GUID_USERS_CONTAINER_A}
  GUID_COMPUTRS_CONTAINER_A           = 'aa312825768811d1aded00c04fd8d5cd';
  {$EXTERNALSYM GUID_COMPUTRS_CONTAINER_A}
  GUID_SYSTEMS_CONTAINER_A            = 'ab1d30f3768811d1aded00c04fd8d5cd';
  {$EXTERNALSYM GUID_SYSTEMS_CONTAINER_A}
  GUID_DOMAIN_CONTROLLERS_CONTAINER_A = 'a361b2ffffd211d1aa4b00c04fd7d83a';
  {$EXTERNALSYM GUID_DOMAIN_CONTROLLERS_CONTAINER_A}
  GUID_INFRASTRUCTURE_CONTAINER_A     = '2fbac1870ade11d297c400c04fd8d5cd';
  {$EXTERNALSYM GUID_INFRASTRUCTURE_CONTAINER_A}
  GUID_DELETED_OBJECTS_CONTAINER_A    = '18e2ea80684f11d2b9aa00c04f79f805';
  {$EXTERNALSYM GUID_DELETED_OBJECTS_CONTAINER_A}
  GUID_LOSTANDFOUND_CONTAINER_A       = 'ab8153b7768811d1aded00c04fd8d5cd';
  {$EXTERNALSYM GUID_LOSTANDFOUND_CONTAINER_A}
  GUID_FOREIGNSECURITYPRINCIPALS_CONTAINER_A = '22b70c67d56e4efb91e9300fca3dc1aa';
  {$EXTERNALSYM GUID_FOREIGNSECURITYPRINCIPALS_CONTAINER_A}
  GUID_PROGRAM_DATA_CONTAINER_A       = '09460c08ae1e4a4ea0f64aee7daa1e5a';
  {$EXTERNALSYM GUID_PROGRAM_DATA_CONTAINER_A}
  GUID_MICROSOFT_PROGRAM_DATA_CONTAINER_A = 'f4be92a4c777485e878e9421d53087db';
  {$EXTERNALSYM GUID_MICROSOFT_PROGRAM_DATA_CONTAINER_A}

  GUID_USERS_CONTAINER_W              = WideString('a9d1ca15768811d1aded00c04fd8d5cd');
  {$EXTERNALSYM GUID_USERS_CONTAINER_W}
  GUID_COMPUTRS_CONTAINER_W           = WideString('aa312825768811d1aded00c04fd8d5cd');
  {$EXTERNALSYM GUID_COMPUTRS_CONTAINER_W}
  GUID_SYSTEMS_CONTAINER_W            = WideString('ab1d30f3768811d1aded00c04fd8d5cd');
  {$EXTERNALSYM GUID_SYSTEMS_CONTAINER_W}
  GUID_DOMAIN_CONTROLLERS_CONTAINER_W = WideString('a361b2ffffd211d1aa4b00c04fd7d83a');
  {$EXTERNALSYM GUID_DOMAIN_CONTROLLERS_CONTAINER_W}
  GUID_INFRASTRUCTURE_CONTAINER_W     = WideString('2fbac1870ade11d297c400c04fd8d5cd');
  {$EXTERNALSYM GUID_INFRASTRUCTURE_CONTAINER_W}
  GUID_DELETED_OBJECTS_CONTAINER_W    = WideString('18e2ea80684f11d2b9aa00c04f79f805');
  {$EXTERNALSYM GUID_DELETED_OBJECTS_CONTAINER_W}
  GUID_LOSTANDFOUND_CONTAINER_W       = WideString('ab8153b7768811d1aded00c04fd8d5cd');
  {$EXTERNALSYM GUID_LOSTANDFOUND_CONTAINER_W}
  GUID_FOREIGNSECURITYPRINCIPALS_CONTAINER_W = WideString('22b70c67d56e4efb91e9300fca3dc1aa');
  {$EXTERNALSYM GUID_FOREIGNSECURITYPRINCIPALS_CONTAINER_W}
  GUID_PROGRAM_DATA_CONTAINER_W       = WideString('09460c08ae1e4a4ea0f64aee7daa1e5a');
  {$EXTERNALSYM GUID_PROGRAM_DATA_CONTAINER_W}
  GUID_MICROSOFT_PROGRAM_DATA_CONTAINER_W = WideString('f4be92a4c777485e878e9421d53087db');
  {$EXTERNALSYM GUID_MICROSOFT_PROGRAM_DATA_CONTAINER_W}

  GUID_USERS_CONTAINER_BYTE              = '\xa9\xd1\xca\x15\x76\x88\x11\xd1\xad\xed\x00\xc0\x4f\xd8\xd5\xcd';
  {$EXTERNALSYM GUID_USERS_CONTAINER_BYTE}
  GUID_COMPUTRS_CONTAINER_BYTE           = '\xaa\x31\x28\x25\x76\x88\x11\xd1\xad\xed\x00\xc0\x4f\xd8\xd5\xcd';
  {$EXTERNALSYM GUID_COMPUTRS_CONTAINER_BYTE}
  GUID_SYSTEMS_CONTAINER_BYTE            = '\xab\x1d\x30\xf3\x76\x88\x11\xd1\xad\xed\x00\xc0\x4f\xd8\xd5\xcd';
  {$EXTERNALSYM GUID_SYSTEMS_CONTAINER_BYTE}
  GUID_DOMAIN_CONTROLLERS_CONTAINER_BYTE = '\xa3\x61\xb2\xff\xff\xd2\x11\xd1\xaa\x4b\x00\xc0\x4f\xd7\xd8\x3a';
  {$EXTERNALSYM GUID_DOMAIN_CONTROLLERS_CONTAINER_BYTE}
  GUID_INFRASTRUCTURE_CONTAINER_BYTE     = '\x2f\xba\xc1\x87\x0a\xde\x11\xd2\x97\xc4\x00\xc0\x4f\xd8\xd5\xcd';
  {$EXTERNALSYM GUID_INFRASTRUCTURE_CONTAINER_BYTE}
  GUID_DELETED_OBJECTS_CONTAINER_BYTE    = '\x18\xe2\xea\x80\x68\x4f\x11\xd2\xb9\xaa\x00\xc0\x4f\x79\xf8\x05';
  {$EXTERNALSYM GUID_DELETED_OBJECTS_CONTAINER_BYTE}
  GUID_LOSTANDFOUND_CONTAINER_BYTE       = '\xab\x81\x53\xb7\x76\x88\x11\xd1\xad\xed\x00\xc0\x4f\xd8\xd5\xcd';
  {$EXTERNALSYM GUID_LOSTANDFOUND_CONTAINER_BYTE}
  GUID_FOREIGNSECURITYPRINCIPALS_CONTAINER_BYTE = '\x22\xb7\x0c\x67\xd5\x6e\x4e\xfb\x91\xe9\x30\x0f\xca\x3d\xc1\xaa';
  {$EXTERNALSYM GUID_FOREIGNSECURITYPRINCIPALS_CONTAINER_BYTE}
  GUID_PROGRAM_DATA_CONTAINER_BYTE       = '\x09\x46\x0c\x08\xae\x1e\x4a\x4e\xa0\xf6\x4a\xee\x7d\xaa\x1e\x5a';
  {$EXTERNALSYM GUID_PROGRAM_DATA_CONTAINER_BYTE}
  GUID_MICROSOFT_PROGRAM_DATA_CONTAINER_BYTE = '\xf4\xbe\x92\xa4\xc7\x77\x48\x5e\x87\x8e\x94\x21\xd5\x30\x87\xdb';
  {$EXTERNALSYM GUID_MICROSOFT_PROGRAM_DATA_CONTAINER_BYTE}

type
  _DS_MANGLE_FOR = (
    DS_MANGLE_UNKNOWN,
    DS_MANGLE_OBJECT_RDN_FOR_DELETION,
    DS_MANGLE_OBJECT_RDN_FOR_NAME_CONFLICT);
  {$EXTERNALSYM _DS_MANGLE_FOR}
  DS_MANGLE_FOR = _DS_MANGLE_FOR;
  {$EXTERNALSYM DS_MANGLE_FOR}
  TDsMangleFor = DS_MANGLE_FOR;
  PDsMangleFor = ^DS_MANGLE_FOR;

//////////////////////////////////////////////////////////////////////////
//                                                                      //
// Prototypes                                                           //
//                                                                      //
//////////////////////////////////////////////////////////////////////////

// DSBind takes two optional input parameters which identify whether the
// caller found a domain controller themselves via DsGetDcName or whether
// a domain controller should be found using default parameters.
// Behavior of the possible combinations are outlined below.
//
// DomainControllerName(value), DnsDomainName(NULL)
//
//      The value for DomainControllerName is assumed to have been
//      obtained via DsGetDcName (i.e. Field with the same name in a
//      DOMAIN_CONTROLLER_INFO struct on return from DsGetDcName call.)
//      The client is bound to the domain controller at this name.
//      
//      Mutual authentication will be performed using an SPN of
//      LDAP/DomainControllerName provided DomainControllerName
//      is not a NETBIOS name or IP address - i.e. it must be a 
//      DNS host name.
//
// DomainControllerName(value), DnsDomainName(value)
//
//      DsBind will connect to the server identified by DomainControllerName.
//
//      Mutual authentication will be performed using an SPN of
//      LDAP/DomainControllerName/DnsDomainName provided neither value
//      is a NETBIOS names or IP address - i.e. they must be
//      valid DNS names.
//
// DomainControllerName(NULL), DnsDomainName(NULL)
//
//      DsBind will attempt to find to a global catalog and fail if one
//      can not be found.  
//
//      Mutual authentication will be performed using an SPN of
//      GC/DnsHostName/ForestName where DnsHostName and ForestName
//      represent the DomainControllerName and DnsForestName fields
//      respectively of the DOMAIN_CONTROLLER_INFO returned by the
//      DsGetDcName call used to find a global catalog.
//
// DomainControllerName(NULL), DnsDomainName(value)
//
//      DsBind will attempt to find a domain controller for the domain
//      identified by DnsDomainName and fail if one can not be found.
//
//      Mutual authentication will be performed using an SPN of
//      LDAP/DnsHostName/DnsDomainName where DnsDomainName is that
//      provided by the caller and DnsHostName is that returned by
//      DsGetDcName for the domain specified - provided DnsDomainName
//      is a valid DNS domain name - i.e. not a NETBIOS domain name.

function DsBindA(DomainControllerName: LPCSTR; DnsDomainName: LPCSTR;
  var phDS: HANDLE): DWORD; stdcall;
{$EXTERNALSYM DsBindA}
function DsBindW(DomainControllerName: LPCWSTR; DnsDomainName: LPCWSTR;
  var phDS: HANDLE): DWORD; stdcall;
{$EXTERNALSYM DsBindW}
function DsBind(DomainControllerName: LPCTSTR; DnsDomainName: LPCTSTR;
  var phDS: HANDLE): DWORD; stdcall;
{$EXTERNALSYM DsBind}

function DsBindWithCredA(DomainControllerName: LPCSTR; DnsDomainName: LPCSTR;
  AuthIdentity: RPC_AUTH_IDENTITY_HANDLE; var phDS: HANDLE): DWORD; stdcall;
{$EXTERNALSYM DsBindWithCredA}
function DsBindWithCredW(DomainControllerName: LPCWSTR; DnsDomainName: LPCWSTR;
  AuthIdentity: RPC_AUTH_IDENTITY_HANDLE; var phDS: HANDLE): DWORD; stdcall;
{$EXTERNALSYM DsBindWithCredW}
function DsBindWithCred(DomainControllerName: LPCTSTR; DnsDomainName: LPCTSTR;
  AuthIdentity: RPC_AUTH_IDENTITY_HANDLE; var phDS: HANDLE): DWORD; stdcall;
{$EXTERNALSYM DsBindWithCred}

//
// DsBindWithSpn{A|W} allows the caller to specify the service principal
// name (SPN) which will be used for mutual authentication against
// the destination server.  Do not provide an SPN if you are expecting
// DsBind to find a server for you as SPNs are machine specific and its
// unlikely the SPN you provide matches the server DsBind finds for you.
// Providing a NULL ServicePrincipalName argument results in behavior
// identical to DsBindWithCred{A|W}.
//

function DsBindWithSpnA(DomainControllerName: LPCSTR; DnsDomainName: LPCSTR;
  AuthIdentity: RPC_AUTH_IDENTITY_HANDLE; ServicePrincipalName: LPCSTR;
  var phDS: HANDLE): DWORD; stdcall;
{$EXTERNALSYM DsBindWithSpnA}
function DsBindWithSpnW(DomainControllerName: LPCWSTR; DnsDomainName: LPCWSTR;
  AuthIdentity: RPC_AUTH_IDENTITY_HANDLE; ServicePrincipalName: LPCWSTR;
  var phDS: HANDLE): DWORD; stdcall;
{$EXTERNALSYM DsBindWithSpnW}
function DsBindWithSpn(DomainControllerName: LPCTSTR; DnsDomainName: LPCTSTR;
  AuthIdentity: RPC_AUTH_IDENTITY_HANDLE; ServicePrincipalName: LPCTSTR;
  var phDS: HANDLE): DWORD; stdcall;
{$EXTERNALSYM DsBindWithSpn}

//
// DsBindWithSpnEx{A|W} allows you all the options of the previous
// DsBindWithSpn(), plus the added benefit of specifying some optional
// Binding flags.  Currently if you pass NTDSAPI_BIND_ALLOW_DELEGATION,
// you will get the exact old behaviour.  If you can avoid it, you
// should not specify this flag, see flag above for details.
//

function DsBindWithSpnExW(DomainControllerName, DnsDomainName: LPCWSTR; AuthIdentity: RPC_AUTH_IDENTITY_HANDLE;
  ServicePrincipalName: LPCWSTR; BindFlags: DWORD; phDS: LPHANDLE): DWORD; stdcall;
{$EXTERNALSYM DsBindWithSpnExW}
function DsBindWithSpnExA(DomainControllerName, DnsDomainName: LPCSTR; AuthIdentity: RPC_AUTH_IDENTITY_HANDLE;
  ServicePrincipalName: LPCSTR; BindFlags: DWORD; phDS: LPHANDLE): DWORD; stdcall;
{$EXTERNALSYM DsBindWithSpnExA}
function DsBindWithSpnEx(DomainControllerName, DnsDomainName: LPCTSTR; AuthIdentity: RPC_AUTH_IDENTITY_HANDLE;
  ServicePrincipalName: LPCTSTR; BindFlags: DWORD; phDS: LPHANDLE): DWORD; stdcall;
{$EXTERNALSYM DsBindWithSpnEx}

//
// DsBindToISTG{A|W} allows the caller to bind to the server which
// holds the Inter-Site Topology Generator role in the specified site.
// The site name should be the RDN of a site.  If no site is specified,
// the function will try to bind to the ISTG in a nearby site.
//

function DsBindToISTGW(SiteName: LPCWSTR; phDS: LPHANDLE): DWORD; stdcall;
{$EXTERNALSYM DsBindToISTGW}
function DsBindToISTGA(SiteName: LPCSTR; phDS: LPHANDLE): DWORD; stdcall;
{$EXTERNALSYM DsBindToISTGA}
function DsBindToISTG(SiteName: LPCTSTR; phDS: LPHANDLE): DWORD; stdcall;
{$EXTERNALSYM DsBindToISTG}

//
// DsBindingSetTimeout allows the caller to specify a timeout value
// which will be honored by all RPC calls using the specified binding
// handle. RPC calls which take longer the timeout value are canceled.
//

function DsBindingSetTimeout(hDS: HANDLE; cTimeoutSecs: ULONG): DWORD; stdcall;
{$EXTERNALSYM DsBindingSetTimeout}

//
// DsUnBind
//

function DsUnBindA(var phDS: HANDLE): DWORD; stdcall;
{$EXTERNALSYM DsUnBindA}
function DsUnBindW(var phDS: HANDLE): DWORD; stdcall;
{$EXTERNALSYM DsUnBindW}
function DsUnBind(var phDS: HANDLE): DWORD; stdcall;
{$EXTERNALSYM DsUnBind}

//
// DsMakePasswordCredentials
//
// This function constructs a credential structure which is suitable for input
// to the DsBindWithCredentials function, or the ldap_open function(winldap.h)
// The credential must be freed using DsFreeCredential.
//
// None of the input parameters may be present indicating a null, default
// credential.  Otherwise the username must be present.  If the domain or
// password are null, they default to empty strings.  The domain name may be
// null when the username is fully qualified, for example UPN format.
//

function DsMakePasswordCredentialsA(User: LPCSTR; Domain: LPCSTR;
  Password: LPCSTR; var pAuthIdentity: RPC_AUTH_IDENTITY_HANDLE): DWORD; stdcall;
{$EXTERNALSYM DsMakePasswordCredentialsA}
function DsMakePasswordCredentialsW(User: LPCWSTR; Domain: LPCWSTR;
  Password: LPCWSTR; var pAuthIdentity: RPC_AUTH_IDENTITY_HANDLE): DWORD; stdcall;
{$EXTERNALSYM DsMakePasswordCredentialsW}
function DsMakePasswordCredentials(User: LPCTSTR; Domain: LPCTSTR;
  Password: LPCTSTR; var pAuthIdentity: RPC_AUTH_IDENTITY_HANDLE): DWORD; stdcall;
{$EXTERNALSYM DsMakePasswordCredentials}

procedure DsFreePasswordCredentialsA(AuthIdentity: RPC_AUTH_IDENTITY_HANDLE); stdcall;
{$EXTERNALSYM DsFreePasswordCredentialsA}
procedure DsFreePasswordCredentialsW(AuthIdentity: RPC_AUTH_IDENTITY_HANDLE); stdcall;
{$EXTERNALSYM DsFreePasswordCredentialsW}
procedure DsFreePasswordCredentials(AuthIdentity: RPC_AUTH_IDENTITY_HANDLE); stdcall;
{$EXTERNALSYM DsFreePasswordCredentials}

//
// DsCrackNames
//

function DsCrackNamesA(hDS: HANDLE; flags: DS_NAME_FLAGS;
  formatOffered: DS_NAME_FORMAT; formatDesired: DS_NAME_FORMAT; cNames: DWORD;
  rpNames: LPCSTR; var ppResult: PDS_NAME_RESULTA): DWORD; stdcall;
{$EXTERNALSYM DsCrackNamesA}
function DsCrackNamesW(hDS: HANDLE; flags: DS_NAME_FLAGS;
  formatOffered: DS_NAME_FORMAT; formatDesired: DS_NAME_FORMAT; cNames: DWORD;
  rpNames: LPCWSTR; var ppResult: PDS_NAME_RESULTW): DWORD; stdcall;
{$EXTERNALSYM DsCrackNamesW}
function DsCrackNames(hDS: HANDLE; flags: DS_NAME_FLAGS;
  formatOffered: DS_NAME_FORMAT; formatDesired: DS_NAME_FORMAT; cNames: DWORD;
  rpNames: LPCTSTR; var ppResult: PDS_NAME_RESULT): DWORD; stdcall;
{$EXTERNALSYM DsCrackNames}

//
// DsFreeNameResult
//

procedure DsFreeNameResultA(pResult: PDS_NAME_RESULTA); stdcall;
{$EXTERNALSYM DsFreeNameResultA}
procedure DsFreeNameResultW(pResult: PDS_NAME_RESULTW); stdcall;
{$EXTERNALSYM DsFreeNameResultW}
procedure DsFreeNameResult(pResult: PDS_NAME_RESULT); stdcall;
{$EXTERNALSYM DsFreeNameResult}

// ==========================================================
// DSMakeSpn -- client call to create SPN for a service to which it wants to
// authenticate.
// This name is then passed to "pszTargetName" of InitializeSecurityContext().
//
// Notes:
// If the service name is a DNS host name, or canonical DNS service name
// e.g. "www.ms.com", i.e., caller resolved with gethostbyname, then instance
// name should be NULL.
// Realm is host name minus first component, unless it is in the exception list
//
// If the service name is NetBIOS machine name, then instance name should be
// NULL
// Form must be <domain>\<machine>
// Realm will be <domain>
//
// If the service name is that of a replicated service, where each replica has
// its own account (e.g., with SRV records) then the caller must supply the
// instance name then realm name is same as ServiceName
//
// If the service name is a DN, then must also supply instance name
// (DN could be name of service object (incl RPC or Winsock), name of machine
// account, name of domain object)
// then realm name is domain part of the DN
//
// If the service name is NetBIOS domain name, then must also supply instance
// name; realm name is domain name
//
// If the service is named by an IP address -- then use referring service name
// as service name
//
//  ServiceClass - e.g. "http", "ftp", "ldap", GUID
//  ServiceName - DNS or DN; assumes we can compute domain from service name
//  InstanceName OPTIONAL- DNS name of host for instance of service
//  InstancePort - port number for instance (0 if default)
//  Referrer OPTIONAL- DNS name of host that gave this referral
//  pcSpnLength - in -- max length IN CHARACTERS of principal name;
//                out -- actual
//                Length includes terminator
//  pszSPN - server principal name
//
// If buffer is not large enough, ERROR_BUFFER_OVERFLOW is returned and the
// needed length is returned in pcSpnLength.
//
//

function DsMakeSpnA(ServiceClass: LPCSTR; ServiceName: LPCSTR;
  InstanceName: LPCSTR; InstancePort: USHORT; Referrer: LPCSTR;
  var pcSpnLength: DWORD; pszSpn: LPSTR): DWORD; stdcall;
{$EXTERNALSYM DsMakeSpnA}
function DsMakeSpnW(ServiceClass: LPCWSTR; ServiceName: LPCWSTR;
  InstanceName: LPCWSTR; InstancePort: USHORT; Referrer: LPCWSTR;
  var pcSpnLength: DWORD; pszSpn: LPWSTR): DWORD; stdcall;
{$EXTERNALSYM DsMakeSpnW}
function DsMakeSpn(ServiceClass: LPCTSTR; ServiceName: LPCTSTR;
  InstanceName: LPCTSTR; InstancePort: USHORT; Referrer: LPCTSTR;
  var pcSpnLength: DWORD; pszSpn: LPTSTR): DWORD; stdcall;
{$EXTERNALSYM DsMakeSpn}

// ==========================================================
// DsGetSPN -- server's call to gets SPNs for a service name by which it is
// known to clients. N.B.: there may be more than one name by which clients
// …
Large files files are truncated, but you can click here to view the full file