Recipe 18.3 Programming with DSML

18.3.1 Problem

You want to programmatically access Active Directory using the Directory Services Markup Language (DSML). DSML is the answer for all programmers who have been longing for an XML-based interface to query and access a directory.

18.3.2 Solution

To use DSML with Active Directory, you have to install the Windows DSML client (DSFW) on a Windows 2000 or Windows Server 2003 computer that is running IIS. The DSML client can be downloaded from the following site: If you are installing the client on a Windows 2000 machine, you will also need to make sure MSXML 3.0 SP2 is installed.

After the client is installed, you can perform DSML queries against that server, which will translate the calls into LDAP queries to Active Directory. No additional software needs to be installed on domain controllers to support DSML.

The following code shows a DSML request for the RootDSE:

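<se:Envelope xmlns:se="http://schemas.xmlsoap.org/soap/envelope/">
        <se:Body xmlns="urn:oasis:names:tc:DSML:2:0:core">
                <batchRequest>
                        <searchRequest dn="" scope="baseObject">
                                <filter>
                                        <present name="objectclass"/>
                                </filter>
                        </searchRequest>
                </batchRequest>
        </se:Body>
</se:Envelope>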

18.3.3 Discussion

DSML is an XML alternative to using LDAP to access and manage a directory server. The OASIS standards body has driven the development of DSML, and most directory vendors now support it as of Version 2 (DSMLv2).

DSML encodes LDAP-like functions in XML messages and transmits them to a SOAP client that can sit directly on the directory server or a separate server. Currently, Active Directory domain controllers do not support DSML directly and, thus, a separate client must be installed. For more information including the DSML specification, see the Oasis web site.
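
The RootDSE request and a DSMLv2 reply handled in Python, as an added example that is not code from the original recipe. It builds the SOAP envelope with an XML library, so a search value supplied by a user is escaped rather than spliced into the filter, and it checks the result code before returning entries. The function names, the sample reply and the derefAliases value are assumptions of this example.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
DSML = "urn:oasis:names:tc:DSML:2:0:core"           # DSMLv2 namespace from the request
ET.register_namespace("se", SOAP)

def q(ns, tag):
    return "{%s}%s" % (ns, tag)

def build_search(dn, scope, attr, value=None):
    """SOAP-wrapped DSMLv2 searchRequest as bytes. value=None gives a <present>
    filter (the RootDSE request); otherwise an <equalityMatch> on attr."""
    env = ET.Element(q(SOAP, "Envelope"))
    body = ET.SubElement(env, q(SOAP, "Body"))
    batch = ET.SubElement(body, q(DSML, "batchRequest"))
    # derefAliases: DSMLv2 schema attribute, not shown in the recipe's request.
    req = ET.SubElement(batch, q(DSML, "searchRequest"),
                        {"dn": dn, "scope": scope, "derefAliases": "neverDerefAliases"})
    flt = ET.SubElement(req, q(DSML, "filter"))
    if value is None:
        ET.SubElement(flt, q(DSML, "present"), {"name": attr})
    else:
        eq = ET.SubElement(flt, q(DSML, "equalityMatch"), {"name": attr})
        ET.SubElement(eq, q(DSML, "value")).text = value  # escaped when serialized
    return ET.tostring(env, encoding="utf-8")

def parse_entries(xml_bytes):
    """Return {dn: {attr: [values]}}; raise unless the search reported success."""
    root = ET.fromstring(xml_bytes)
    code = root.find(".//%s/%s" % (q(DSML, "searchResultDone"), q(DSML, "resultCode")))
    if code is None or code.get("code") != "0":
        raise RuntimeError("DSML search did not succeed")
    out = {}
    for entry in root.iter(q(DSML, "searchResultEntry")):
        attrs = out.setdefault(entry.get("dn"), {})
        for a in entry.findall(q(DSML, "attr")):
            attrs[a.get("name")] = [v.text or "" for v in a.findall(q(DSML, "value"))]
    return out

# Constructed sample reply (not captured from a real server).
SAMPLE = b"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body><batchResponse xmlns="urn:oasis:names:tc:DSML:2:0:core"><searchResponse>
<searchResultEntry dn=""><attr name="defaultNamingContext">
<value>DC=example,DC=com</value></attr></searchResultEntry>
<searchResultDone><resultCode code="0"/></searchResultDone>
</searchResponse></batchResponse></soap:Body></soap:Envelope>"""

if __name__ == "__main__":
    print(build_search("", "baseObject", "objectclass").decode())
    print(parse_entries(SAMPLE))
```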

18.3.4 See Also

DSMLfW home page:
