Aug 28, 2005

How does the DNS client work on a multi-homed Windows computer?

The resolver queries the DNS servers in the following order:

1. The resolver sends the query to the first server on the preferred adapter's list of DNS servers and waits for one second for a response.

2. If the resolver does not receive a response from the first server within one second, it sends the query to the first DNS server on every adapter that is still under consideration and waits two seconds for a response.

3. If the resolver does not receive a response from any server within two seconds, the resolver sends the query to all DNS servers on all adapters that are still under consideration and waits another two seconds for a response.

4. If the resolver still does not receive a response from any server, it sends the query to all DNS servers on all adapters that are still under consideration and waits four seconds for a response.

5. If it still does not receive a response from any server, the resolver sends the query to all DNS servers on all adapters that are still under consideration and waits eight seconds for a response.

Aug 16, 2005

Local computer SID, domain SID, and their implications

  • Any computer that is not a DC has a local computer SID.
  • A DC doesn't have a local computer SID (or, viewed another way, a DC's computer SID is the same as the domain SID).
  • Built-in users/groups have well-known SIDs that are identical in every environment.
  • Every other local user SID = local computer SID + local RID.
  • Every other domain user/computer account SID = domain SID + domain RID.
  • When you grant permissions to a local account, authorization is checked against the user name/password; the SID is never checked.

    What this means is: if you assign permissions to user1 on computer1 for a shared folder, and computer2 happens to have a user with the same name and password, then user1 on computer2 will have access to the shared folder on computer1, which may not be desirable.
  • When you grant permissions to a domain account, authorization is checked against the domain account's SID. This means that even if you have a user from a different domain, or from the local SAM, with the same user name and password, you still cannot access a resource you are not supposed to have permissions on, because your SID differs from the one listed.

    Another implication: as a domain user, once you have been granted some kind of permission, you will not lose it even if you change your name or password.
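As an added illustration of the SID arithmetic in the bullets above (example code written for this page, not a Windows or Microsoft tool), the following Python parses SDDL SID strings, splits an account SID into its issuing computer/domain SID and RID, and names a few well-known built-in SIDs; any S-1-5-21 computer SIDs fed to it are constructed values, not real ones.

```python
import re
from dataclasses import dataclass

# Well-known SIDs that are identical on every Windows computer (the
# "built-in users/groups" bullet). These three are standard Windows values.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}
_SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+){1,15})$")  # S-<rev>-<authority>-<subauths>


@dataclass(frozen=True)
class Sid:
    authority: int
    subauthorities: tuple  # for an account SID, the last element is the RID

    @classmethod
    def parse(cls, text):
        m = _SID_RE.match(text)
        if not m:
            raise ValueError(f"not a valid SDDL SID string: {text!r}")
        subs = tuple(int(p) for p in m.group(2).split("-")[1:])
        if any(s > 0xFFFFFFFF for s in subs):
            raise ValueError("sub-authorities are 32-bit values")
        return cls(int(m.group(1)), subs)

    def __str__(self):
        return "-".join(["S", "1", str(self.authority), *map(str, self.subauthorities)])

    def is_machine_or_domain(self):
        # Computer and domain SIDs have the form S-1-5-21-<three 32-bit values>.
        return self.authority == 5 and len(self.subauthorities) == 4 and self.subauthorities[0] == 21

    def issuer(self):
        """The computer or domain SID an account SID was minted from: everything but the RID."""
        return Sid(self.authority, self.subauthorities[:-1])

    def with_rid(self, rid):
        """Account SID = computer/domain SID + RID, as the bullets above describe."""
        return Sid(self.authority, self.subauthorities + (rid,))


def describe(text):
    """Name a well-known SID, or report which computer/domain issued an account SID."""
    sid = Sid.parse(text)
    if text in WELL_KNOWN:
        return WELL_KNOWN[text]
    if sid.issuer().is_machine_or_domain():
        return f"RID {sid.subauthorities[-1]} issued by {sid.issuer()}"
    return "unrecognized"
```

Two computers with different machine SIDs that both hold a local "user1" with RID 1001 produce two different SIDs, which is exactly why SID-based authorization does not treat them as the same principal.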
Tools:
=======
There are a few SID-related tools; they come from either the Support Tools or the Resource Kit.

  - getsid \\server1 account \\server2 account

    Getsid was designed to compare the SIDs of two accounts, so it requires two parameters: a source account and a target account. It's annoying when you simply want to know a single account's SID, because you have to list the same account twice. You can put a domain name in place of server1 and server2.

    When querying for a computer's SID, keep in mind that the computer account name has a $ sign at the end.

    Example: get the SID for your computer:
    getsid \\DomainName computerName$ \\DomainName computerName$

  - sid2name SID [optional server name]

  - There used to be a well-known utility called NewSID, made by SysInternals (bought by MS later). This was the main tool back in the days when we used cloning software (such as Ghost) to deploy images. As you can imagine, every clone of an image has the same computer SID, which causes problems if clones and the original are put on the same network in the same domain. NewSID changes the clone's SID for you. This tool is no longer supported and MS has retired it. Nevertheless, if you can find a copy of the tool, it's still very helpful at times.