
I asked a question over on StackOverflow and was directed to ask a related one here to see if I could get any additional input. Basically, I am looking to have my application aware of what domain it's running under, if any at all. (I want to expose certain debugging facilities only in house, and due to our deployment model it isn't possible to have a different build.) Since I am over-paranoid, I didn't want to just rely on the domain name to ensure we are in house. As such, I noted that the DOMAIN_CONTROLLER_INFO returned from DsGetDcName has a GUID associated with it; however, I can find little, if any, information on it. I am assuming this GUID is generated at the time the first DC in a domain is created, and that it would live on for the life of the domain. Does anyone else have any inner knowledge and would be kind enough to confirm or deny my assumptions?

jchoover

2 Answers


As per Active Directory Naming Standard,

Every object has a GUID which is assigned at object creation.

SID vs. GUID states

When an object is assigned a GUID, it keeps that value for life.

How Domain Rename Works states

Each domain and application directory partition is also identified by a globally unique identifier (GUID), which does not change with a domain rename.

On my domain, the only GUID attached to the domain object is "objectGUID". Object-Guid attribute has this to say about objectGUID:

This value is set when the object is created and cannot be changed.

Jason Pyeron

Yep, I'd expect this is the objectGUID of the domain, which is a good unique identifier here.

In addition to what Mike said, in the generic case of, say, a user or a computer, you've got two identifiers there: the objectGUID and the SID (Security Identifier). Both are set at object creation; however, in the case of a forest with multiple domains, if you move the user/computer between domains, the GUID will stay intact but the SID will change.

Brian Desmond
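As an added example (not code from the thread or from either answerer), here is a PowerShell check that reads the current domain's objectGUID and objectSid through System.DirectoryServices and gates a feature on a pinned GUID rather than on the domain name, following the approach the question and answers describe. It assumes the machine is domain-joined with a reachable DC; $InHouseDomainGuid is a placeholder to be replaced with your own domain's objectGUID.

```powershell
# Added example, not from the thread. Gates an in-house debug feature on the
# domain's objectGUID (the value the answers identify with the DomainGuid that
# DsGetDcName returns) instead of the spoof-friendly domain name.
# Assumed: domain-joined machine, reachable DC. The pinned GUID is a placeholder.

$InHouseDomainGuid = [guid]'00000000-0000-0000-0000-000000000000'  # placeholder: your domain's objectGUID

function Get-CurrentDomainIdentity {
    # Returns the current domain's name, objectGUID and objectSid, or $null on any failure.
    try {
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
        $entry  = $domain.GetDirectoryEntry()
        $sidBytes = [byte[]]$entry.Properties['objectSid'][0]
        [pscustomobject]@{
            Name = $domain.Name
            Guid = [guid]$entry.Guid    # objectGUID: set at creation, survives a domain rename
            Sid  = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        }
    } catch {
        $null   # not domain-joined, DC unreachable, access denied, ...
    }
}

function Test-InHouseDomain {
    param([Parameter(Mandatory)][guid]$ExpectedGuid)
    $id = Get-CurrentDomainIdentity
    if ($null -eq $id) { return $false }     # fail closed: no domain means no debug facilities
    return $id.Guid -eq $ExpectedGuid        # compare the GUID, never the domain name
}

# Usage: print both identifiers, then decide whether to expose the debug facilities
$id = Get-CurrentDomainIdentity
if ($id) { 'Domain {0}: objectGUID={1} objectSid={2}' -f $id.Name, $id.Guid, $id.Sid }
if (Test-InHouseDomain -ExpectedGuid $InHouseDomainGuid) {
    'In-house domain: enabling debug facilities'
} else {
    'Not the in-house domain: debug facilities stay off'
}
```

The check fails closed whenever no domain or DC can be found. It distinguishes your domain from some other domain; it does not by itself authenticate the DC that answered, so treat it as a guard against accidental exposure rather than as a trust boundary.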