
Aug 28, 2005

How does the DNS client work on a multi-homed Windows computer?

The resolver queries the DNS servers in the following order:

1. The resolver sends the query to the first server on the preferred adapter's list of DNS servers and waits for one second for a response.

2. If the resolver does not receive a response from the first server within one second, it sends the query to the first DNS server on each adapter that is still under consideration and waits two seconds for a response.

3. If the resolver does not receive a response from any server within two seconds, the resolver sends the query to all DNS servers on all adapters that are still under consideration and waits another two seconds for a response.

4. If the resolver still does not receive a response from any server, it sends the query to all DNS servers on all adapters that are still under consideration and waits four seconds for a response.

5. If it still does not receive a response from any server, the resolver sends the query to all DNS servers on all adapters that are still under consideration and waits eight seconds for a response.
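The retry ladder above can be replayed offline to see how long a lookup hangs when the preferred adapter's first server is dead. This is an added example, not code from the original post; the adapter lists and responding servers are constructed input, and because the post does not say when an adapter drops out of consideration, every adapter stays in play (an assumption of this simulation).

```python
# Per-round schedule from the post: which servers to query, and how long to wait.
ROUNDS = [
    ("first_preferred", 1),  # first server on the preferred adapter only
    ("first_all", 2),        # first server on every adapter still under consideration
    ("all", 2),              # every server on every adapter still under consideration
    ("all", 4),
    ("all", 8),
]

def worst_case_delay():
    """Seconds a lookup can hang when no configured server ever answers."""
    return sum(wait for _, wait in ROUNDS)  # 17

def simulate_resolver(adapters, responders):
    """Walk the retry ladder and report which server answered and when.

    adapters:   ordered list of (adapter_name, [dns_server, ...]); index 0 is the
                preferred adapter. Assumption: no adapter ever drops out of
                consideration, because the post does not describe that rule.
    responders: set of server addresses that answer within a round's timeout
                (constructed input; no network traffic is sent).
    Returns (answering_server or None, seconds elapsed, list of (targets, wait)).
    """
    elapsed, log = 0, []
    for scope, wait in ROUNDS:
        if scope == "first_preferred":
            targets = adapters[0][1][:1]
        elif scope == "first_all":
            targets = [servers[0] for _, servers in adapters if servers]
        else:
            targets = [s for _, servers in adapters for s in servers]
        log.append((targets, wait))
        hits = [s for s in targets if s in responders]
        if hits:
            return hits[0], elapsed, log  # answered before this round's timeout
        elapsed += wait
    return None, elapsed, log

if __name__ == "__main__":
    # Constructed sample: LAN is the preferred adapter, a VPN adapter comes second.
    sample = [("LAN", ["10.0.0.1", "10.0.0.2"]), ("VPN", ["192.0.2.53"])]
    print(simulate_resolver(sample, {"10.0.0.2"}))  # ('10.0.0.2', 3, [...])
    print(worst_case_delay())                        # 17
```

The second server on the preferred adapter is not tried until the third round, so a dead first server costs three seconds per lookup even when the adapter's backup server is healthy.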

Aug 16, 2005

Local computer SID, domain SID, and their implications

  • Any computer that is not a DC has a local computer SID.
  • A DC does not have a local computer SID (or, viewed another way, a DC's computer SID is the same as the domain SID).
  • Built-in users/groups have well-known SIDs that are identical in all environments.
  • All other local user SIDs = local computer SID + local RID
  • All other domain user/computer account SIDs = domain SID + domain RID
  • When you grant permissions to a local account, authorization is checked based on user name/password; the SID is never checked.

    What this means is: if you assign permissions to user1 on computer1 for a shared folder, and on computer2 you happen to have a user with the same name and password, then user1 on computer2 will have access to the shared folder on computer1, which may not be desirable.
  • When you grant permissions to a domain account, authorization is checked based on the domain account's SID. This means that even if you have a user from a different domain, or from the local SAM, with the same user name and password, you will still not be able to access a resource you are not supposed to have permissions on, because your SID differs from the one listed.

    Another implication is that, as a domain user, once you are granted permissions you won't lose them even if you change your name/password.
Tools:
=======
There are a few SID-related tools; they come from either the Support Tools or the Resource Kit.

- getsid \\server1 account \\server2 account
  Getsid was designed to compare the SIDs of two accounts, so it requires two parameters: a source account and a target account. It is annoying when you simply want to know one account's SID: you have to list the same account twice. You can put a domain name in the place of server1 and server2.

  When querying for a computer's SID, keep in mind that the computer account name has a $ sign at the end.

  Example: get the SID for your computer:
  getsid \\DomainName computerName$ \\DomainName computerName$

- sid2name SID [optional server name]

- There used to be a well-known utility called NewSID from SysInternals (later bought by MS). This was the main tool back in the age when we used cloning software (such as Ghost) to deploy images. As you can imagine, cloned images share the same SID (for the computer account), which causes problems if clones and the original are put on the same network in the same domain. NewSID would change the clone's SID for you. It is no longer supported and MS has retired the tool. Nevertheless, if you can find a copy, it is still very helpful at times.
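The "SID = machine/domain SID + RID" rule above, and the comparison that getsid performs, can be made concrete with a small parser. This is an added example, not code from the original post or from any Microsoft tool; it handles both the text form and the binary layout stored in the SAM/AD (revision, sub-authority count, 48-bit big-endian identifier authority, 32-bit little-endian sub-authorities), and the "issuer"/"account"/"well-known" labels are this example's own names.

```python
import struct

class Sid:
    """Windows SID in 'S-R-A-sub...' text form and in the binary form stored in SAM/AD:
    revision, sub-authority count, 48-bit big-endian authority, 32-bit LE sub-authorities."""

    def __init__(self, revision, authority, subauthorities):
        self.revision, self.authority = revision, authority
        self.subauthorities = list(subauthorities)

    @classmethod
    def from_string(cls, text):
        parts = text.upper().split("-")
        if len(parts) < 3 or parts[0] != "S":
            raise ValueError("not a SID: %r" % text)
        return cls(int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]])

    @classmethod
    def from_binary(cls, blob):
        count = blob[1]
        subs = struct.unpack("<%dI" % count, blob[8:8 + 4 * count])
        return cls(blob[0], int.from_bytes(blob[2:8], "big"), subs)

    def to_binary(self):
        return (bytes([self.revision, len(self.subauthorities)])
                + self.authority.to_bytes(6, "big")
                + struct.pack("<%dI" % len(self.subauthorities), *self.subauthorities))

    def __str__(self):
        return "-".join(["S", str(self.revision), str(self.authority)] + [str(s) for s in self.subauthorities])

    def kind(self):
        # S-1-5-21-x-y-z is a machine/domain SID ("issuer"); one more sub-authority (the
        # RID) makes it an account; anything else is well-known, e.g. S-1-5-32-544.
        if self.authority == 5 and self.subauthorities[:1] == [21]:
            return "issuer" if len(self.subauthorities) == 4 else "account"
        return "well-known"

    def issuer(self):  # machine/domain SID part of an account SID: everything before the RID
        if self.kind() != "account":
            return None
        return Sid(self.revision, self.authority, self.subauthorities[:-1])

    def rid(self):
        return self.subauthorities[-1] if self.kind() == "account" else None

def same_issuer(sid_a, sid_b):
    """What a getsid comparison tells you: were both accounts issued by one machine/domain?"""
    a, b = Sid.from_string(sid_a).issuer(), Sid.from_string(sid_b).issuer()
    return a is not None and b is not None and str(a) == str(b)
```

Two accounts named user1 on different machines share a RID pattern but never an issuer, which is exactly why ACLs keyed on domain SIDs do not suffer the name/password collision described above.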

Jul 13, 2005

How is an email address generated in Exchange?

It is all based on your recipient policy. This is described in great detail in

285136 How to customize the SMTP e-mail address generators through recipient http://support.microsoft.com/?id=285136

However, a couple of things are unclear in that article: what is the alias, and where does the alias come from?

When you create a new user, you are given the opportunity to select an alias for the user; that alias is written into the attribute "mailNickname", and mailNickname becomes the first part of your primary SMTP email address.

Then what will be the first part of the primary SMTP address if we don't choose an alias? Your pre-Windows 2000 logon name, which corresponds to "samAccountName", acts as the "mailNickname" by default.

Further to the post (Dec 6, 2006):
When will RUS consider a user object to be mailbox-enabled and try to stamp the other attributes?

Answer: two attributes are needed: mailNickname plus at least one of msExchHomeServerName, homeMDB or homeMTA.

1. If msExchHomeServerName is not present, it is created from homeMDB or homeMTA, whichever is present.
2. After msExchHomeServerName is set, the homeMDB and homeMTA attributes are populated if either is missing.
3. The displayName is copied from mailNickname as-is. The legacyExchangeDN goes through an algorithm that identifies the organization and administrative group for the entry.
4. msExchMailboxGuid is created.
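The two pieces of this post, the alias defaulting to the logon name and the RUS mailbox-enabled test, can be expressed as a few functions. This is an added example, not code from the original post or from Exchange; the generator variables (%g given name, %i initials, %s surname, %d display name, %m alias, with an optional leading count such as %1g) follow the syntax documented in KB 285136, while the mapping of those variables to AD attribute names and the sample user are this example's own assumptions.

```python
import re

# Recipient-policy generator variables per KB 285136: %g given name, %i initials,
# %s surname, %d display name, %m alias; a leading count keeps that many characters
# (%1g = first letter of the given name). The attribute mapping is this example's.
ATTRIBUTE_FOR = {"g": "givenName", "i": "initials", "s": "sn", "d": "displayName"}
RUS_HOME_ATTRIBUTES = ("msExchHomeServerName", "homeMDB", "homeMTA")

def exchange_alias(user):
    """First part of the primary SMTP address: the chosen alias (mailNickname), or the
    pre-Windows 2000 logon name (sAMAccountName) when no alias was chosen."""
    return user.get("mailNickname") or user["sAMAccountName"]

def generate_smtp(template, user):
    """Expand a recipient-policy address template such as '%1g%s@example.com'."""
    def expand(match):
        count, var = match.group(1), match.group(2)
        value = exchange_alias(user) if var == "m" else user.get(ATTRIBUTE_FOR[var], "")
        return value[:int(count)] if count else value
    return re.sub(r"%(\d*)([gisdm])", expand, template)

def rus_mailbox_enabled(user):
    """RUS treats the object as mailbox-enabled only with mailNickname present plus at
    least one of msExchHomeServerName, homeMDB or homeMTA (the post's two conditions)."""
    return bool(user.get("mailNickname")) and any(user.get(a) for a in RUS_HOME_ATTRIBUTES)

def rus_attributes_to_stamp(user):
    """Attributes RUS would still populate (steps 1-4); empty if not mailbox-enabled."""
    if not rus_mailbox_enabled(user):
        return []
    wanted = RUS_HOME_ATTRIBUTES + ("displayName", "legacyExchangeDN", "msExchMailboxGuid")
    return [a for a in wanted if not user.get(a)]

if __name__ == "__main__":
    # Constructed sample user; the homeMDB value is a placeholder, not a real store DN.
    user = {"sAMAccountName": "jdoe", "givenName": "John", "sn": "Doe",
            "homeMDB": "CN=<placeholder mailbox store DN>"}
    print(generate_smtp("%1g%s@example.com", user))  # JDoe@example.com
    print(rus_mailbox_enabled(user))                  # False: no mailNickname yet
    user["mailNickname"] = "jdoe"
    print(rus_attributes_to_stamp(user))
```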