184.108.40.206.1.2.4 Alternative Forms of DNs
In addition to the form of the DN defined in [RFC2253], Active Directory supports several alternative forms of DNs that can be used to specify objects in requests sent to the DC, for example, as the baseObject in a SearchRequest or as a AttributeValue in a ModifyRequest.
The first alternative form is in the format
where object_guid is a GUID that corresponds to the value of the objectGUID attribute of the object being specified. All DCs support object_guid expressed as the hexadecimal representation of the binary form of a GUID ([MS-DTYP] section 2.3.4). Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, and Windows Server 2012 R2 operating system DCs also support the dashed-string form of a GUID ([RFC4122] section 3).
The second alternative form is in the format
where sid is the security identifier (SID) that corresponds to the value of the objectSid attribute of the object being specified. The sid is expressed as either the hexadecimal representation of a binary SID structure ([MS-DTYP] section 220.127.116.11) in little-endian byte order, or as a SID string ([MS-DTYP] section 18.104.22.168). Windows 2000 operating system DCs support only the hexadecimal representation.
The third alternative form is in the format
where guid is a GUID expressed as the hexadecimal representation of the binary form of the GUID. A DN of this form is resolved to an object O by applying the following algorithm.
MapWellKnownGuidToDN(GUID guid, DN object_DN)
This algorithm resolves a well-known GUID, expressed as a GUID, guid, and an object, object_DN, into the DN of the object O that is identified by that well-known GUID.
If object_DN does not name an object in the directory, reject the DN.
Otherwise, let C be the object named by object_DN.
If there exists a value V in C!wellKnownObjects such that the binary portion of V contains the same GUID as guid, then the DN of O is the DN portion of V.
Otherwise, if there exists a value V' in C!otherWellKnownObjects such that the binary portion of V' contains the same GUID as guid, then the DN of O is the DN portion of V'.
Otherwise, reject the DN.
Normally, Active Directory will return DNs in the [RFC2253] format. However, clients can request that Active Directory return DNs in the "extended DN" format. This format combines an RFC 2253-style DN with a representation of the object's objectGUID and objectSid attributes. This form is documented in the LDAP section 22.214.171.124.4.1.5, which defines the LDAP_SERVER_EXTENDED_DN_OID control that is used by the client to request that the DC use the "extended DN" form when returning DNs. The "extended DN" form is not accepted as a means of specifying DNs in requests sent to the DC. The "extended DN" form is only used in LDAP responses from the DC, and only when the LDAP_SERVER_EXTENDED_DN_OID control is used to request such a form.