3.3.5.4 Determining Authentication Policy Silo Membership
If domainControllerFunctionality returns a value < 6 ([MS-ADTS] section 3.1.1.3.2.25), the KDC SHOULD<48> set BelongsToSilo to FALSE. See section 3.3.1.1 for the following KDC pseudo variable definitions.
Note The BelongsToSilo variable is a Boolean variable that is used for illustrative purposes in the processing rules of this section and section 3.3.5.5. The value of BelongsToSilo is not persisted across client requests.
If domainControllerFunctionality returns a value >= 6, the KDC checks whether the account is a member of an Authentication Policy Silo:
If the AssignedSilo (section 3.3.1.1) is NULL, the KDC sets BelongsToSilo to FALSE.
If the AssignedSilo is not NULL and AssignedSilo.msDS-AuthNPolicySiloMembers does not contain the account, the KDC sets BelongsToSilo to FALSE.
If the AssignedSilo is not NULL and AssignedSilo.msDS-AuthNPolicySiloMembers contains the account, the KDC sets BelongsToSilo to TRUE.