joeware - never stop exploring...

Information about joeware mixed with wild and crazy opinions...

1/24/2012

ActiveDir Org?

by @ 8:02 pm. Filed under general


I often get questions from people like “Why don’t you spend much time answering questions on Activedir.org anymore?”

 

Answer 1:

Please see my previous blog posts about the types of questions that have been asked of me in recent years and what I feel that means.

(Like http://blog.joeware.net/2011/04/14/2238/)

 

Answer 2:

—–Original Message—–
From: activedir-owner@mail.activedir.org; on behalf of; Manas Dash <manasrrp@oneindia.in>
Sent: Monday, January 23, 2012 11:51 PM
To: activedir
Subject: [ActiveDir] Schema Master Error

When I am trying to load the Exchange Server 2007 Management Tool on my Windows 7 computer, it shows the error message below:

"The schema master is not running Windows Server 2003 Service Pack 1 or later"

Please help me with what I have to do for my next step.

With Regards,

*Manas Kumar Dash*

List info: http://www.activedir.org/List.aspx

 

Answer 3:

From: activedir-owner@mail.activedir.org; on behalf of; PRAGYAN ACHARYA <pragyan1950@gmail.com>
Sent: Tuesday, January 24, 2012 12:47 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]

Thank you for the previous help.

Now how can I retrieve data from a different domain?

I am in DOM3 and I am able to get data using VBScript LDAP.

How can I modify/add any code to my LDAP to get data from different domains?

In AD, there are 4 domains in a single tree.

My code to retrieve DOM3 data is:

Set objAllUsers = GetObject("LDAP://OU=Users,OU=WND1,OU=US,DC=DOM3,DC=AD,DC=SYS")

When in this code I try to change to DC=DOM4,

it does not work.

What can I do?

Any suggestion, I will appreciate it.

Thank you.


1/23/2012

Hey, got a sec?

by @ 8:12 pm. Filed under tech

We, as IT people in general and AD people in particular, often get dinged with the ubiquitous “quick question”. You all know what I mean, the “Hey I have a quick question” or “Hey do you have a second for a quick question” or most often just “Hey, got a sec?” as the person sits down and searches your desk for cookies, candy, or other things that they have no right to but will instantly latch onto as they settle in for decidedly more than “a second”.


Or if you are lucky enough to work at home, the IM window pops up with “Got a sec? :)” and you look to make sure you previously set your status to unavailable or away so that, if you want, you can just ignore the implied lie behind the seemingly harmless text with the disarming smiley face.

Either way, in our minds we are screaming “NOOOOOOOO, not for you. My life is composed in its entirety of ‘these seconds’ you take so cavalierly and I would rather not waste them on whatever you think will only take ‘just a second’ plus I have the letters Q, J, K, D, W, B, and O in Words with Friends and I have no clue where I am going to place any of them and am already losing by 160 points.” But… in the end… we know that saying no is pretty much pointless and that “second” could turn into three times as long as it would have been anyway if we waste the time trying to fight it… so we only get to respond with… “Sure, what’s up?” and may even feign some level of enthusiasm for dramatic effect.

Anyway…

How big is the AD DIT?

“Got a sec?”

“Sure. What’s up?”

“What is the size of the AD DIT?”

<LONG PAUSE with deep breath>

The only thing “got a sec” about that question is the amount of time it takes to utter the syllables. The only person that single datum is valuable to is the person worried about disk space on a domain controller, so unless you are looking to figure out how big a disk you need to order for your next DC, or perhaps you are in a “who has the biggest DIT” contest, asking that specific question is simply the act of pushing the first in a long chain of dominos.

So, instead of looking at your favorite DC and quickly spouting whatever the value is you instead[1] say “Why?”. You then get the response you likely were dreading… “Because we are having problems with Exchange and the Microsoft support guy wants to know how big the DIT is.”……………….. Sigh.

Some of you may be asking, “But joe? What’s wrong with asking that question?” The problem is that the answer to that question doesn’t really tell you anything without the appropriate contextual information to go around it. Say the answer is 3GB. What does that mean? Do we jump for joy? Do we skulk in shame? Do we yip in pain? I don’t know. It could be good, it could be bad, it may not matter at all; who am I to know with the information in front of me?

The answer starts to make some amount of sense once you know the OS level: Windows 2000 versus Windows Server 2003 versus Windows Server 2008 R2. It makes more sense when you have some clue as to what other functions are running on the domain controller and what memory load those functions utilize. And finally it makes a heck of a lot more sense when you know where on the scale between 256MB of RAM and 64GB of RAM your domain controller sits. The fact that you have a 6GB DIT means something entirely different on a machine with Windows 2000 and 512MB of RAM with SQL Server running in the background than it does on a Windows Server 2008 R2 box with 16 processors and 64GB of RAM running only DNS and AD functions. So simply asking “How big is the DIT?” is like asking how much oxygen is in the room. Without understanding the context around it, it is pointless.

SIDEBAR: That being said, how nice would it be to have a RootDSE operational attribute that you could query on all of your DCs for a value that gives you a clue about DIT size versus RAM utilization, so that someone troubleshooting Exchange or something else could query the DC for that attribute and get an idea of whether or not they should follow up with the DAs, or perhaps the DAs could even monitor[2] the attribute across all of their DCs and be alerted that they need to be a little more aggressive in checking things out. Sure, sure, there are a ton of performance counters available that could be used, but in all reality most admins look at them and their eyes glaze over. Heck, my eyes don’t much like them either. It would be nice if they broke those out by role and feature like they have been doing with the Server Manager functions[3]. Anyway, Microsoft Exchange Support Engineers, imagine if you could ask the Exchange folks you are working with to do a quick LDAP query of the RootDSE of a DC to get the answer you really want, versus asking them to ask someone else what the size of the DIT is? Heck, it could be put into the ExRAP tool as well as the Baseline Analyzer tools.
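Until that RootDSE attribute exists, the context the number needs can be collected in one pass. This is an added example, not code from the original post: it assumes PowerShell remoting and CIM access to each DC, rights to read the NTDS Parameters key, and the list of service names it uses to spot extra roles on a DC is a constructed heuristic you should adjust.

```powershell
# Added example, not from the original post: collect the context a bare "DIT size" number
# lacks (OS, RAM, where the DIT is and what else the DC is running).
# Assumptions: PowerShell remoting and CIM access to each DC; the caller can read the NTDS
# Parameters key; the service-name list used to spot extra roles is a constructed heuristic.
function Get-DitContext {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$ComputerName)

    # Services whose presence on a DC changes what a given DIT size means for memory pressure.
    $competing = 'MSSQLSERVER', 'MSExchangeIS', 'W3SVC', 'DHCPServer', 'SMTPSVC'

    foreach ($dc in $ComputerName) {
        # The DSA records where ntds.dit really lives; do not assume C:\Windows\NTDS.
        $dit = Invoke-Command -ComputerName $dc -ScriptBlock {
            $p = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'
            [pscustomobject]@{ Path = $p; Bytes = (Get-Item -LiteralPath $p).Length }
        }
        $os    = Get-CimInstance -ComputerName $dc -ClassName Win32_OperatingSystem
        $cs    = Get-CimInstance -ComputerName $dc -ClassName Win32_ComputerSystem
        $extra = Get-CimInstance -ComputerName $dc -ClassName Win32_Service -Filter "State='Running'" |
                 Where-Object { $competing -contains $_.Name } |
                 Select-Object -ExpandProperty Name

        [pscustomobject]@{
            DC         = $dc
            OS         = $os.Caption
            RAM_GB     = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
            DIT_GB     = [math]::Round($dit.Bytes / 1GB, 2)
            DIT_Path   = $dit.Path
            # Above 1.0 the DIT cannot be held in RAM even if nothing else were running on the box.
            DIT_to_RAM = [math]::Round($dit.Bytes / $cs.TotalPhysicalMemory, 2)
            OtherRoles = @($extra) -join ','
        }
    }
}

# Usage: every DC in the domain, as a table someone troubleshooting Exchange can actually read.
# Get-DitContext -ComputerName (Get-ADDomainController -Filter * | ForEach-Object HostName) | Format-Table -AutoSize
```

The ratio column is the rough "DIT versus RAM" clue the sidebar wishes for; the OtherRoles column is what turns a 3GB answer into "fine" or "worrying".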

We are seeing delays in replication…

“Got a sec?”

“Sure. What’s up?”

“We are seeing delays in replication, why?”

<PAUSE>

My response, to get a feel for what direction the questioner is driving and what kind of vehicle they are using, is usually of the type “Why do you think there is a delay?” That often, but not always, results in a response of the type “It just doesn’t seem to be moving as fast as we would expect.” Which I translate in my head to “We have no clue how long it is supposed to take and our stuff isn’t working correctly and we need a wall to throw the problem over…” and when I get the feeling someone is looking for a wall to toss things over I usually come out with the old standby “You need to get a network trace of the problem”, which tends to make them go away for a while, if not permanently, when they find some other group to accept the task of troubleshooting their problem.

But in this case of replication delay there is a better response… “What is your expected theoretical max replication latency from the source DC to the destination DC?” If they say they don’t know then I respond with “How do you know you are seeing delays? You don’t even know how long it is supposed to take in the first place.” The fact that it “feels slow” or isn’t what you expect doesn’t mean it is delayed. The entire issue could be and very often is that they have an incorrect expectation. To be able to make an objective claim of “it is delayed” means you have a thorough understanding of what it is designed to be and is during normal functioning. You should be able to say it is delayed by x minutes or hours and be able to point at the expected latency based on the design and point at what it is really taking.

SIDEBAR: And again… That being said, it doesn’t seem like it would be terribly hard for the AD Sites and Services tool, or for some other tool supplied by MSFT, to tell you the expected max theoretical convergence time when selecting a source and destination DC. I actually have, and have had for some time, a tool on my “tools to build someday” list that could do this. Unfortunately, my time isn’t as free as it once was, and you may notice that joeware updates and tools don’t flow quite as freely as they used to. This is being worked on, but MSFT definitely has quite a few more man hours available for producing things like this. Again, how nice would it be for the PSS guys to be able to tell the admin who is having problems: fire up this tool, click on the DC that you put the change on, click on the DC you want the change to get to, and the tool will tell you the theoretical minimum and maximum time frame for convergence assuming a properly running replication environment.
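The "what should it take?" number that the question above demands can be computed from site-link data, which is the core of the tool the sidebar describes. The following is an added example, not joeware code: the site links are constructed sample data (in a real forest feed it from Get-ADReplicationSiteLink: Name, SitesIncluded, Cost, ReplicationFrequencyInMinutes), and it assumes site link bridging is on, schedules are 24x7, change notification is not enabled on the links, and intrasite propagation costs at most about a minute (the KCC's intrasite ring keeps DCs within three hops and the default notification delay is 15 seconds); quote those assumptions along with the result.

```powershell
# Added example, not from the post: expected replication latency between two sites from
# site-link data. $SampleLinks is CONSTRUCTED; feed real links from Get-ADReplicationSiteLink.
# Assumptions: site link bridging on, schedules 24x7, no change notification on the links,
# intrasite worst case ~1 minute (ring of at most three hops, 15 s notification delay).
$SampleLinks = @(
    [pscustomobject]@{ Name = 'HUB-EU';   Sites = @('HUB', 'EU');   Cost = 100; IntervalMinutes = 15  }
    [pscustomobject]@{ Name = 'HUB-ASIA'; Sites = @('HUB', 'ASIA'); Cost = 200; IntervalMinutes = 180 }
    [pscustomobject]@{ Name = 'EU-ASIA';  Sites = @('EU', 'ASIA');  Cost = 400; IntervalMinutes = 60  }
)

function Get-ReplicationLatencyEstimate {
    param(
        [Parameter(Mandatory)][object[]] $Links,
        [Parameter(Mandatory)][string]   $SourceSite,
        [Parameter(Mandatory)][string]   $DestinationSite,
        [int] $IntrasiteMaxSeconds = 60
    )
    # A link that joins N sites connects every pair; build the adjacency list the ISTG sees.
    $edges = @{}
    foreach ($l in $Links) {
        foreach ($a in $l.Sites) {
            if (-not $edges.ContainsKey($a)) { $edges[$a] = @() }
            foreach ($b in $l.Sites) {
                if ($a -ne $b) {
                    $edges[$a] += [pscustomobject]@{ To = $b; Cost = $l.Cost; Interval = $l.IntervalMinutes; Link = $l.Name }
                }
            }
        }
    }
    foreach ($s in $SourceSite, $DestinationSite) {
        if (-not $edges.ContainsKey($s)) { throw "Site '$s' is not on any site link" }
    }
    # Least-cost route (Dijkstra over site link cost), which is how the KCC picks the path.
    $dist = @{}; $prev = @{}
    foreach ($s in $edges.Keys) { $dist[$s] = [int]::MaxValue }
    $dist[$SourceSite] = 0
    $todo = [System.Collections.Generic.HashSet[string]]::new([string[]]$edges.Keys)
    while ($todo.Count -gt 0) {
        $u = $todo | Sort-Object { $dist[$_] } | Select-Object -First 1
        [void]$todo.Remove($u)
        if ($u -eq $DestinationSite -or $dist[$u] -eq [int]::MaxValue) { break }
        foreach ($e in $edges[$u]) {
            if ($dist[$u] + $e.Cost -lt $dist[$e.To]) {
                $dist[$e.To] = $dist[$u] + $e.Cost
                $prev[$e.To] = @{ From = $u; Edge = $e }
            }
        }
    }
    if ($dist[$DestinationSite] -eq [int]::MaxValue) { throw "No route from $SourceSite to $DestinationSite" }
    # Walk back along the route; worst case every hop waits a full replication interval.
    $hops = @(); $cur = $DestinationSite
    while ($cur -ne $SourceSite) { $e = $prev[$cur].Edge; $hops = @($e) + $hops; $cur = $prev[$cur].From }
    $intersiteMax = 0; foreach ($h in $hops) { $intersiteMax += $h.Interval }
    # Intrasite delay is paid in the source site, each transit site and the destination site.
    $intrasite = ($hops.Count + 1) * $IntrasiteMaxSeconds / 60
    [pscustomobject]@{
        Route      = ($hops | ForEach-Object { $_.Link }) -join ' -> '
        TotalCost  = $dist[$DestinationSite]
        MinMinutes = [math]::Round($intrasite, 1)                  # schedule windows open at once
        MaxMinutes = [math]::Round($intersiteMax + $intrasite, 1)  # every hop waited a full interval
    }
}

# Usage: the EU -> HUB -> ASIA route (cost 300) beats the direct link (cost 400), so the
# worst case is 15 + 180 minutes of schedule plus intrasite propagation in three sites.
Get-ReplicationLatencyEstimate -Links $SampleLinks -SourceSite 'EU' -DestinationSite 'ASIA'
```

With that number in hand, "it is delayed" becomes a claim you can check: compare it against what repadmin /showrepl or repadmin /replsummary reports for the destination DC, and the "x minutes late" the post asks for falls out.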

Why are my LDAP queries going slow???

“Got a sec?”

“Sure. What’s up?”

“Why are my queries going slow?” or alternately “The PSS ExRAP or the Exchange PSS guy says the LDAP Queries are going slow. Why?”[4]

<PAUSE>

My response to this is always, “What exactly is the query that is going slow? Specifically I want the host you are querying, the search base, the search scope, the filter, and what attributes you are asking for.” This one is really quite annoying to me because the Exchange people through the years have really irked me by looking at some DSACCESS counters that say things aren’t good, but no one can tell me specifically what it is that isn’t good…. just something. Sorry, that isn’t good enough. Find out the queries, try them manually and show me that they are not performing properly. Otherwise I am more likely to believe, based on personal experience through the years, that Exchange is screwed up in its configuration somewhere rather than the DCs not functioning properly. A problem isn’t a problem to me unless you can show me specifically what isn’t working properly as it applies to me; showing me some generic counter from your application isn’t proof. It has literally been dozens if not more times that someone has come to me with those DSACCESS counter complaints and I start performing LDAP query tests on the DCs and the DCs are operating just fine, and I tell the Exchange folks that and they go off and find something else to blame.

If you come to me with specific queries, I can *usually* determine why they are going slow and it is 98.9% of the time because of a poorly formulated query or a real poor choice for search scope or complete lack of anything resembling an indexed attribute. Have I had DCs that were underperforming, yes, but that is the rounding error compared to the other issues that resided outside of the domain controller.

SIDEBAR: And finally… Debugging LDAP queries on Active Directory and ADAM, IMO, is more painful than it should be. Most LDAP directories I have seen have a simple LDAP query debugging capability that dumps LDAP queries and debugging info into a simple text log file; Active Directory doesn’t have this. I know there is the whole Tracing thing but I have had zero time to dig into it and if it requires me to dig in and study it to figure it out, it is too difficult to enable and use.
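A static pre-check for the failure modes named above (unindexed attribute, leading wildcard, negation) that can be run on a filter before anyone blames the DC. This is an added example and not from the post; the schema table in it is constructed for the demo, so read the real searchFlags from your own schema (the -sc s:<attribute> shortcut used elsewhere on this page will pull them), and confirm what the DC actually did with the LDAP stats control (LDAP_SERVER_GET_STATS_OID, listed in the RootDSE dump further down this page), which AdFind exposes through its -stats switch.

```powershell
# Added example, not from the post: pre-check an LDAP filter against schema searchFlags.
# Bit 0x1 = indexed, 0x20 = tuple index (needed for a leading-wildcard/medial match).
# $SampleSchema is CONSTRUCTED; pull real values with:  adfind -sc s:<attribute> searchFlags
$SampleSchema = @{
    objectClass    = 0    # varies by schema version; rely on objectCategory regardless
    objectCategory = 1
    sAMAccountName = 1
    cn             = 1
    mail           = 1
    description    = 0
    proxyAddresses = 1
}

function Test-LdapFilterIndexes {
    param(
        [Parameter(Mandatory)][string]    $Filter,
        [Parameter(Mandatory)][hashtable] $Schema
    )
    # One simple term, optionally wrapped in (!...): attr[:rule:]op value. Extensible-match
    # rules such as memberOf:1.2.840.113556.1.4.1941:= are tolerated; values may contain '='.
    $termRx = '(\(\s*!\s*)?\(\s*([A-Za-z][\w\-\.]*)\s*(?::[^()=]*)?([~<>]?=)([^()]*)\)'
    $terms = foreach ($m in [regex]::Matches($Filter, $termRx)) {
        $negated = $m.Groups[1].Success
        $attr    = $m.Groups[2].Value
        $value   = $m.Groups[4].Value
        $flags   = if ($Schema.ContainsKey($attr)) { [int]$Schema[$attr] } else { $null }
        $indexed  = ($null -ne $flags) -and (($flags -band 0x1)  -ne 0)
        $tuple    = ($null -ne $flags) -and (($flags -band 0x20) -ne 0)
        $leadWild = ($value -ne '*') -and $value.StartsWith('*')   # presence (=*) is fine
        $usable   = $indexed -and (-not $negated) -and (-not $leadWild -or $tuple)
        $problem  = if ($null -eq $flags)  { 'attribute not in schema table' }
                    elseif ($negated)      { 'negated term cannot use an index' }
                    elseif (-not $indexed) { 'not indexed: this term is a full scan' }
                    elseif (-not $usable)  { 'leading wildcard defeats the index (needs searchFlags 0x20)' }
                    else                   { '' }
        [pscustomobject]@{ Attribute = $attr; Value = $value; SearchFlags = $flags; UsesIndex = $usable; Problem = $problem }
    }
    $terms  = @($terms)
    $top    = if ($Filter.TrimStart() -match '^\(\s*\|') { 'OR' } else { 'AND' }
    $usable = @($terms | Where-Object UsesIndex).Count
    # Heuristic: an AND can be driven by its most selective indexed term; an OR needs every term.
    $verdict = if ($top -eq 'OR' -and $usable -lt $terms.Count) { 'OR with an unindexed term: whole scope scanned' }
               elseif ($usable -eq 0)                            { 'no usable index: whole scope scanned' }
               else                                              { 'index-driven (check search base and scope separately)' }
    [pscustomobject]@{ Filter = $Filter; TopLevel = $top; Verdict = $verdict; Terms = $terms }
}

# Usage: the slow one, then the same intent written so a DC can use an index.
Test-LdapFilterIndexes -Filter '(&(objectClass=user)(description=*engineer*))' -Schema $SampleSchema | Select-Object Verdict, Terms
Test-LdapFilterIndexes -Filter '(&(objectCategory=person)(sAMAccountName=jdoe))'  -Schema $SampleSchema | Select-Object Verdict
```

Scope is the other half of the complaint and is independent of the filter: a filter that passes this check still hurts if its base is the forest root on a GC when the target lives in one OU.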

Anyway, that is my rant for the day. Have a good week and Happy Lunar New Year / Chinese New Year, Year of the Dragon. :)

 


 

   joe

[1] Because you naively think you can nip the whole chain of events you know is about to start in the bud.

[2] Monitor – to proactively and automatically check the service quality, availability, and functionality of your service in substantial regular intervals and alert on system faults and non-optimal performance. I only define this because lately I seem to be finding a lot of people who think the best “monitors” for AD are called “Users” and “The Help Desk”. When your users contact you to tell you the service isn’t working, that isn’t called monitoring, that is called failing. 

[3] And perhaps they have been in the most recent versions of the OS. I, unfortunately, seem to be spending a lot of time on Windows Server 2003 lately which is a step up from the Windows 2000 I had to keep dealing with previously.

[4] Yes yes I am picking on Exchange. But as I said years ago completely off the cuff in a humorous (but serious) manner in a Dean and joe Show session at one of the Directory Experts Conferences, <finger air quotes>Exchange is Special</finger air quotes>. To be honest, they aren’t the only ones I have had issues with this over the last 12 or so years, but they certainly win the award for the most consistent and excessive volume. :D   I also had some nice fun with issues around poorly written LDAP queries with IBM’s WebSphere Portal application software. That one was pretty bad, IBM consultants onsite testing WebSphere functionality against a test DC sitting on the same switch as their app server… A DC with an AD they built “out” with 5 users and 3 groups on hardware that was 50 times better than anything anyone has ever used anywhere in the world for a DC and then getting pissed when they try to run the same queries against an environment with hundreds of thousands of users and hundreds of thousands of groups across 6 routers shared with thousands of people.


1/20/2012

AdFind One-Liner – Getting multi-value attributes you have write access to on your own account

by @ 6:14 pm. Filed under tech

So today I needed to test a script, and as part of the test I needed to update a multi-valued attribute on my own ID without admin rights. I wasn’t sure off the top of my head which of the attributes I could modify were multi-valued, so I just told Active Directory to tell me…

for /f %i in ('adfind -default -f "name=joe is freezing" allowedattributeseffective -list') do @adfind -sc s:%i -af issinglevalued=FALSE -nodn attr:%i issinglevalued -csv -nocsvheader

 

That gave output like

"otherPager","FALSE"
"otherHomePhone","FALSE"
"otherTelephone","FALSE"
"otherFacsimileTelephoneNumber","FALSE"
"otherMobile","FALSE"
"otherIpPhone","FALSE"
"url","FALSE"
"userCertificate","FALSE"
"userSharedFolderOther","FALSE"
"preferredDeliveryMethod","FALSE"
"mSMQDigests","FALSE"
"registeredAddress","FALSE"
"internationalISDNNumber","FALSE"
"x121Address","FALSE"
"teletexTerminalIdentifier","FALSE"
"telexNumber","FALSE"
"postOfficeBox","FALSE"
"postalAddress","FALSE"
"msPKIDPAPIMasterKeys","FALSE"
"msPKIAccountCredentials","FALSE"
"msPKI-CredentialRoamingTokens","FALSE"
"userSMIMECertificate","FALSE"

 

In this case, FALSE is the value of isSingleValued for the attribute in the schema, and of course a multi-valued attribute has isSingleValued set to FALSE.
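The same question asked through System.DirectoryServices from PowerShell instead of AdFind, as an added example rather than anything from the post. It assumes a domain-joined machine and runs as the account being examined, since allowedAttributesEffective is computed by the DC for the caller's token. Instead of one schema lookup per attribute, it reverses the join: one paged schema query for every multi-valued attribute, intersected with the caller's self-writable set.

```powershell
# Added example, not from the post: PowerShell/ADSI instead of AdFind. Run as the account
# you are asking about, on a domain-joined machine (assumption); allowedAttributesEffective is
# constructed by the DC for the caller, so it must be requested explicitly.
function Get-SelfWritableMultiValuedAttributes {
    $root = [adsi]'LDAP://RootDSE'

    # Default SearchRoot of a DirectorySearcher is the default naming context of the current domain.
    $me = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$env:USERNAME))"
    [void]$me.PropertiesToLoad.Add('allowedAttributesEffective')
    $hit = $me.FindOne()
    if (-not $hit) { throw "No user object found for $env:USERNAME in the default naming context" }
    $writable = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    foreach ($a in $hit.Properties['allowedattributeseffective']) { [void]$writable.Add([string]$a) }

    # Reverse the join the one-liner does: one paged schema query for every multi-valued
    # attribute, then keep those the caller may write, instead of one schema lookup per attribute.
    $schema = [adsisearcher]'(&(objectClass=attributeSchema)(isSingleValued=FALSE))'
    $schema.SearchRoot = [adsi]"LDAP://$($root.schemaNamingContext)"
    $schema.PageSize   = 1000
    [void]$schema.PropertiesToLoad.Add('lDAPDisplayName')
    $schema.FindAll() |
        ForEach-Object { [string]$_.Properties['ldapdisplayname'][0] } |
        Where-Object   { $writable.Contains($_) } |
        Sort-Object
}

# Usage:
# Get-SelfWritableMultiValuedAttributes
```

The list is worth a glance from the security side as well: every attribute in it is something the account can change about itself with no administrator involved, so it doubles as a quick audit of what self-write grants in your domain actually expose.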

   joe


ReFS…

by @ 2:53 pm. Filed under tech

So another new file system supposedly coming out of Redmond…

http://www.engadget.com/2012/01/17/microsoft-introducing-refs-file-system-with-windows-server-8/

 

or if you prefer a variety of articles

http://bit.ly/wS2rhK

 

Hopefully it will fix this type of issue…

 

image


Hawaii???

by @ 2:47 pm. Filed under general

Ok so looking at the stats on my blog I *KNOW* that there are people in Hawaii who read this thing…

So when I see the following:

photo 3

which is up in Alaska, a place we all know to be really cold in the winter, and I compare that to

photo 1

which is the area I live in and then I see

photo 2

 

I have to ask of those people in Hawaii… Does anyone want to hire me to work in Hawaii??? I am talking permanent position, benefits, good salary. I will move everything I own out there.

 

   joe


1/18/2012

This space intentionally blacked out.

by @ 1:01 am. Filed under general

Pretend I have a full staff that can manipulate the images and web site content for a single day…

black-box2


1/16/2012

AdFind CSV output, Embedded double quotes, and Excel

by @ 10:26 pm. Filed under tech

If you have ever had AdFind output CSV before *and* you sent that output into Excel[1] *and* one or more of the fields had embedded double quotes as part of the value you likely ran into an issue with how AdFind escapes the double quotes.

The default for AdFind’s double-quote escape character is "\", which is the old CSV convention that I grew up with (you used "\" to escape any character that needed escaping). So, logically, that is what I wrote AdFind to use. I first wrote the CSV functionality after an MVP summit in spring 2005; it was first released in October/November 2005.

Interestingly, from a timing standpoint, in October 2005, RFC4180 was published which specified a standard for escaping double quotes and as you may imagine, they didn’t choose "\", no the standard wants you to escape a double quote with another double quote.

   7.  If double-quotes are used to enclose fields, then a double-quote
       appearing inside a field must be escaped by preceding it with
       another double quote.  For example:

       "aaa","b""bb","ccc"

I pretty much ignored that RFC… in actuality I probably had no clue it existed; RFCs on spreadsheet formats weren’t really something I was wont to go looking for. However, in January 2009 I added a new switch, -csvqesc, to the version of AdFind released in February 2009, which allows you to specify the escape character. I don’t recall why I did it, but I expect someone asked me to, so I did. It is unlikely I thought to do it myself: I try hard not to use quotes in field values (along with all sorts of other characters that are painful to deal with in scripts) and don’t think I would have run into an issue importing the data into Excel that I wouldn’t have solved via a quick perl script. Anyway, the switch allows you to specify -csvqesc \" which will then escape any embedded double quote with another double quote.

So now kick forward a few years to 2011… I get an email explaining the problem with the escape character for the double quotes and I absolutely space on the new switch and explain why the ability isn’t in AdFind and that I will add a DCR for the functionality. Even later as I start going through the source determining the "cost" of adding the functionality I see that I already had the capability in the tool… So I sent a new email saying… "Hey… here is how you can do it…".

I am not entirely surprised that I forgot all about the switch; I have a bazillion and three switches in the tool. It does annoy me a little though, so I have…. tada… added a new shortcut switch, -csvxl, which stands for Excel CSV and is a little easier to remember. The shortcut simply inserts -csv and -csvqesc \" into the command stream for you.
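For CSV that was already produced with the default "\" escaping and cannot be regenerated, a converter to the RFC 4180 form. This is an added example, not AdFind code. It assumes AdFind escapes only the double quote itself, so a backslash not followed by a quote is data and passes through unchanged; the sample line is constructed, not real AdFind output.

```powershell
# Added example, not from the post: rewrite a CSV line that escapes embedded double quotes
# as \"  into RFC 4180 form, where the escape is a doubled quote ("").
# Assumption: only the double quote is escaped; any other backslash is literal data.
function ConvertTo-Rfc4180Line {
    param([Parameter(Mandatory)][string]$Line)
    $sb = [System.Text.StringBuilder]::new()
    $inField = $false
    for ($i = 0; $i -lt $Line.Length; $i++) {
        $c = $Line[$i]
        if (-not $inField) {
            # Outside a quoted field: delimiters and unquoted text pass straight through.
            if ($c -eq '"') { $inField = $true }
            [void]$sb.Append($c)
        }
        elseif ($c -eq '\' -and ($i + 1) -lt $Line.Length -and $Line[$i + 1] -eq '"') {
            [void]$sb.Append('""')   # \"  becomes  ""
            $i++                     # consume the escaped quote
        }
        elseif ($c -eq '"') {
            $inField = $false        # unescaped quote closes the field
            [void]$sb.Append($c)
        }
        else {
            [void]$sb.Append($c)     # ordinary data, including lone backslashes (UNC paths, DN escapes)
        }
    }
    $sb.ToString()
}

# Constructed sample in AdFind's default escaping (not real output); the UNC path shows a
# backslash that must survive untouched.
$sample = '"CN=joe \"the hammer\" richards,OU=Users,DC=joeware,DC=net","Joe \"Hammer\" Richards","\\server\share"'
ConvertTo-Rfc4180Line -Line $sample
```

A field whose real value ends in a backslash right before the closing quote is ambiguous under the "\" convention, and no converter can resolve it; the RFC form has no such ambiguity, which is the real argument for -csvqesc \" or -csvxl whenever the query can simply be rerun.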

    joe

 

[1] Or some number of other spreadsheet apps.


Windows Server 8 Developer Preview RootDSE

by @ 12:07 am. Filed under tech

F:\dev\cpp\AdFind\Release>adfind -rootdse

AdFind V01.46.00cpp **BETA** Joe Richards (joe@joeware.net) January 2012

Using server: WIN8Dom-DC1.win8dom.loc:389
Directory: Windows Server 8 Developer Preview

dn:
>currentTime: 20120116035246.0Z
>subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=win8dom,DC=loc
>dsServiceName: CN=NTDS Settings,CN=WIN8DOM-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=win8dom,DC=loc
>namingContexts: DC=win8dom,DC=loc
>namingContexts: CN=Configuration,DC=win8dom,DC=loc
>namingContexts: CN=Schema,CN=Configuration,DC=win8dom,DC=loc
>defaultNamingContext: DC=win8dom,DC=loc
>schemaNamingContext: CN=Schema,CN=Configuration,DC=win8dom,DC=loc
>configurationNamingContext: CN=Configuration,DC=win8dom,DC=loc
>rootDomainNamingContext: DC=win8dom,DC=loc
>supportedControl: 1.2.840.113556.1.4.319 [LDAP_PAGED_RESULT_OID_STRING]
>supportedControl: 1.2.840.113556.1.4.801 [LDAP_SERVER_SD_FLAGS_OID]
>supportedControl: 1.2.840.113556.1.4.473 [LDAP_SERVER_SORT_OID]
>supportedControl: 1.2.840.113556.1.4.528 [LDAP_SERVER_NOTIFICATION_OID]
>supportedControl: 1.2.840.113556.1.4.417 [LDAP_SERVER_SHOW_DELETED_OID]
>supportedControl: 1.2.840.113556.1.4.619 [LDAP_SERVER_LAZY_COMMIT_OID]
>supportedControl: 1.2.840.113556.1.4.841 [LDAP_SERVER_DIRSYNC_OID]
>supportedControl: 1.2.840.113556.1.4.529 [LDAP_SERVER_EXTENDED_DN_OID]
>supportedControl: 1.2.840.113556.1.4.805 [LDAP_SERVER_TREE_DELETE_OID]
>supportedControl: 1.2.840.113556.1.4.521 [LDAP_SERVER_CROSSDOM_MOVE_TARGET_OID]
>supportedControl: 1.2.840.113556.1.4.970 [LDAP_SERVER_GET_STATS_OID]
>supportedControl: 1.2.840.113556.1.4.1338 [LDAP_SERVER_VERIFY_NAME_OID]
>supportedControl: 1.2.840.113556.1.4.474 [LDAP_SERVER_RESP_SORT_OID]
>supportedControl: 1.2.840.113556.1.4.1339 [LDAP_SERVER_DOMAIN_SCOPE_OID]
>supportedControl: 1.2.840.113556.1.4.1340 [LDAP_SERVER_SEARCH_OPTIONS_OID]
>supportedControl: 1.2.840.113556.1.4.1413 [LDAP_SERVER_PERMISSIVE_MODIFY_OID]
>supportedControl: 2.16.840.1.113730.3.4.9 [LDAP_CONTROL_VLVREQUEST]
>supportedControl: 2.16.840.1.113730.3.4.10 [LDAP_CONTROL_VLVRESPONSE]
>supportedControl: 1.2.840.113556.1.4.1504 [LDAP_SERVER_ASQ_OID]
>supportedControl: 1.2.840.113556.1.4.1852 [LDAP_SERVER_QUOTA_CONTROL_OID]
>supportedControl: 1.2.840.113556.1.4.802 [LDAP_SERVER_RANGE_OPTION_OID]
>supportedControl: 1.2.840.113556.1.4.1907 [LDAP_SERVER_SHUTDOWN_NOTIFY_OID]
>supportedControl: 1.2.840.113556.1.4.1948 [LDAP_SERVER_RANGE_RETRIEVAL_NOERR]
>supportedControl: 1.2.840.113556.1.4.1974 [LDAP_SERVER_FORCE_UPDATE]
>supportedControl: 1.2.840.113556.1.4.1341 [RODC_DCPROMO]
>supportedControl: 1.2.840.113556.1.4.2026 [LDAP_SERVER_DN_INPUT_OID]
>supportedControl: 1.2.840.113556.1.4.2064 [LDAP_SERVER_SHOW_RECYCLED_OID]
>supportedControl: 1.2.840.113556.1.4.2065 [LDAP_SERVER_SHOW_DEACTIVATED_LINK_OID]
>supportedControl: 1.2.840.113556.1.4.2066 [LDAP_SERVER_POLICY_HINTS_OID]
>supportedLDAPVersion: 3
>supportedLDAPVersion: 2
>supportedLDAPPolicies: MaxPoolThreads
>supportedLDAPPolicies: MaxDatagramRecv
>supportedLDAPPolicies: MaxReceiveBuffer
>supportedLDAPPolicies: InitRecvTimeout
>supportedLDAPPolicies: MaxConnections
>supportedLDAPPolicies: MaxConnIdleTime
>supportedLDAPPolicies: MaxPageSize
>supportedLDAPPolicies: MaxQueryDuration
>supportedLDAPPolicies: MaxTempTableSize
>supportedLDAPPolicies: MaxResultSetSize
>supportedLDAPPolicies: MinResultSets
>supportedLDAPPolicies: MaxResultSetsPerConn
>supportedLDAPPolicies: MaxNotificationPerConn
>supportedLDAPPolicies: MaxValRange
>highestCommittedUSN: 13591
>supportedSASLMechanisms: GSSAPI
>supportedSASLMechanisms: GSS-SPNEGO
>supportedSASLMechanisms: EXTERNAL
>supportedSASLMechanisms: DIGEST-MD5
>dnsHostName: WIN8Dom-DC1.win8dom.loc
>ldapServiceName: win8dom.loc:win8dom-dc1$@WIN8DOM.LOC
>serverName: CN=WIN8DOM-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=win8dom,DC=loc
>supportedCapabilities: 1.2.840.113556.1.4.800 [LDAP_CAP_ACTIVE_DIRECTORY_OID]
>supportedCapabilities: 1.2.840.113556.1.4.1670 [LDAP_CAP_ACTIVE_DIRECTORY_V51_OID]
>supportedCapabilities: 1.2.840.113556.1.4.1791 [LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID]
>supportedCapabilities: 1.2.840.113556.1.4.1935 [LDAP_CAP_ACTIVE_DIRECTORY_V61_OID]
>supportedCapabilities: 1.2.840.113556.1.4.2080 [LDAP_CAP_ACTIVE_DIRECTORY_V61_R2_OID]
>dsSchemaAttrCount: 1404
>dsSchemaClassCount: 255
>dsSchemaPrefixCount: 39
>isSynchronized: TRUE
>isGlobalCatalogReady: TRUE
>supportedConfigurableSettings: DynamicObjectDefaultTTL
>supportedConfigurableSettings: DynamicObjectMinTTL
>supportedConfigurableSettings: DisableVLVSupport
>supportedConfigurableSettings: ADAMDisablePasswordPolicies
>supportedConfigurableSettings: ADAMDisableLogonAuditing
>supportedConfigurableSettings: ADAMLastLogonTimestampWindow
>supportedConfigurableSettings: RequireSecureSimpleBind
>supportedConfigurableSettings: RequireSecureProxyBind
>supportedConfigurableSettings: MaxReferrals
>supportedConfigurableSettings: ReferralRefreshInterval
>supportedConfigurableSettings: SelfReferralsOnly
>supportedConfigurableSettings: ADAMAllowADAMSecurityPrincipalsInConfigPartition
>supportedConfigurableSettings: ADAMDisableSPNRegistration
>supportedConfigurableSettings: ADAMDisableSSI
>supportedExtension: 1.3.6.1.4.1.1466.20037 [LDAP_SERVER_START_TLS_OID]
>supportedExtension: 1.3.6.1.4.1.1466.101.119.1 [LDAP_TTL_REFRESH_OID]
>supportedExtension: 1.2.840.113556.1.4.1781 [LDAP_SERVER_FAST_BIND_OID]
>supportedExtension: 1.3.6.1.4.1.4203.1.11.3 [LDAP_SERVER_WHO_AM_I_OID]
>domainFunctionality: 4 [Windows Server 2008 R2 Domain Mode]
>forestFunctionality: 4 [Windows Server 2008 R2 Forest Mode]
>domainControllerFunctionality: 5 [Windows Server 8 Developer Preview]
>validFSMOs: CN=Schema,CN=Configuration,DC=win8dom,DC=loc
>validFSMOs: CN=Partitions,CN=Configuration,DC=win8dom,DC=loc
>validFSMOs: DC=win8dom,DC=loc
>validFSMOs: CN=Infrastructure,DC=win8dom,DC=loc
>validFSMOs: CN=RID Manager$,CN=System,DC=win8dom,DC=loc
>tokenGroups: S-1-5-21-2633680875-3286336108-926348340-1000
>tokenGroups: S-1-5-21-2633680875-3286336108-926348340-513
>tokenGroups: S-1-1-0
>tokenGroups: S-1-5-32-544
>tokenGroups: S-1-5-32-545
>tokenGroups: S-1-5-32-554
>tokenGroups: S-1-5-2
>tokenGroups: S-1-5-11
>tokenGroups: S-1-5-15
>tokenGroups: S-1-5-21-2633680875-3286336108-926348340-512
>tokenGroups: S-1-5-21-2633680875-3286336108-926348340-518
>tokenGroups: S-1-5-21-2633680875-3286336108-926348340-519
>tokenGroups: S-1-5-21-2633680875-3286336108-926348340-572
>tokenGroups: S-1-5-64-10
>dsaVersionString: 6.2.8102.0 (winmain_win8m3.110823-1455)
>serviceAccountInfo: replAuthenticationMode=1
>serviceAccountInfo: accountType=domain
>serviceAccountInfo: systemAccount=true
>serviceAccountInfo: domainType=domainWithKerb
>serviceAccountInfo: machineDomainName=WIN8DOM
>msDS-PrincipalName: WIN8DOM\$joe
>msDS-PortLDAP: 389
>msDS-PortSSL: 636
>spnRegistrationResult: 0

1 Objects returned

 


1/13/2012

I like the subway but this is the only part of Metro I like… ;)

by @ 7:05 pm. Filed under general

Windows Server 8 Developer Preview is in the joeware labs… Updating AdFind for any new decodes that will be needed…

 

image


1/12/2012

Changed AdFind shortcut -sc adobjcnt for V01.46.00…

by @ 8:18 pm. Filed under tech

So unfortunately I had to make a change that I very much try to avoid making with my utilities, I modified the core behavior of one of the shortcuts. Certainly this is much less painful than changing core behavior of a switch but it is still painful.

First… why do I avoid making core behavior changes to switches, et alii? Anyone who has written a script or batch file likely knows… The reason is because you have scripts and batch files that are written that depend on the tools and if you change the default core behavior of the underlying tool, you need to relook at scripts.

So what did I change and why… I changed the shortcut -sc adobjcnt. The change was absolutely required because the shortcut is actually broken for specific scenarios. Broken you say?? No way joe, I use it regularly, it works like a champ. And yes I thought the same thing… Right up until I got a few emails from people who use their root domain in a multi-domain forest for more than an empty placeholder[1][2]… If they actually want to count the objects in the parent domain *and just* the parent domain then there is an issue. The issue being that I, in my infinite lack of omniscience, had set the -gc switch as one of the switches in the shortcut. I did it because I thought I was going to help people out. If you want to get a user count of say your Asia domain and you are sitting in Iowa, why not hit a Global Catalog that is 100 feet away instead of a Domain Controller on the other side of the world for that information? Much much faster that way and doesn’t require the admin to have a full understanding of how the AD world works in order to be a little more (hopefully) productive.

Example 1: Single Domain Forest – not a problem with the current shortcut

F:\dev\cpp\>adfind -gc -root -s one -dn

AdFind V01.45.00cpp Joe Richards (joe@joeware.net) March 2011

Using server: DC1.dom1.loc:389
Directory: Windows Server 2008 R2
Base DN: DC=dom1,DC=loc

dn:CN=Builtin,DC=dom1,DC=loc
dn:CN=Computers,DC=dom1,DC=loc
dn:OU=Domain Controllers,DC=dom1,DC=loc
dn:CN=ForeignSecurityPrincipals,DC=dom1,DC=loc
dn:CN=Infrastructure,DC=dom1,DC=loc
dn:CN=LostAndFound,DC=dom1,DC=loc
dn:CN=Managed Service Accounts,DC=dom1,DC=loc
dn:CN=NTDS Quotas,DC=dom1,DC=loc
dn:CN=Program Data,DC=dom1,DC=loc
dn:CN=System,DC=dom1,DC=loc
dn:CN=Users,DC=dom1,DC=loc

11 Objects returned

 

Example 2: Non-standard Multi-Domain Forest – Multiple Domain Trees – not a problem with the current shortcut (NOT RECOMMENDED!!!!)

F:\dev\cpp\>adfind -gc -root -s one -dn

AdFind V01.45.00cpp Joe Richards (joe@joeware.net) March 2011

Using server: DC1.dom1.loc:389
Directory: Windows Server 2008 R2
Base DN: DC=dom1,DC=loc

dn:CN=Builtin,DC=dom1,DC=loc
dn:CN=Computers,DC=dom1,DC=loc
dn:OU=Domain Controllers,DC=dom1,DC=loc
dn:CN=ForeignSecurityPrincipals,DC=dom1,DC=loc
dn:CN=Infrastructure,DC=dom1,DC=loc
dn:CN=LostAndFound,DC=dom1,DC=loc
dn:CN=Managed Service Accounts,DC=dom1,DC=loc
dn:CN=NTDS Quotas,DC=dom1,DC=loc
dn:CN=Program Data,DC=dom1,DC=loc
dn:CN=System,DC=dom1,DC=loc
dn:CN=Users,DC=dom1,DC=loc

11 Objects returned

But if you back up a level…

F:\dev\cpp\>adfind -gc -b dc=loc -s one -dn

AdFind V01.45.00cpp Joe Richards (joe@joeware.net) March 2011

Using server: DC1.dom1.loc:389
Directory: Windows Server 2008 R2

dn:DC=dom1,DC=loc
dn:DC=dom2,DC=loc
dn:DC=dom3,DC=loc

3 Objects returned

 

Example 3: Standard Multi-Domain Forest – Single Domain Tree – this is a problem when non-empty root

F:\dev\cpp\>adfind -gc -root -s one -dn

AdFind V01.45.00cpp Joe Richards (joe@joeware.net) March 2011

Using server: DC1.dom1.loc:389
Directory: Windows Server 2008 R2
Base DN: DC=dom1,DC=loc

dn:CN=Builtin,DC=dom1,DC=loc
dn:DC=child1,DC=dom1,DC=loc
dn:DC=child2,DC=dom1,DC=loc
dn:DC=child3,DC=dom1,DC=loc
dn:CN=Computers,DC=dom1,DC=loc
dn:OU=Domain Controllers,DC=dom1,DC=loc
dn:CN=ForeignSecurityPrincipals,DC=dom1,DC=loc
dn:CN=Infrastructure,DC=dom1,DC=loc
dn:CN=LostAndFound,DC=dom1,DC=loc
dn:CN=Managed Service Accounts,DC=dom1,DC=loc
dn:CN=NTDS Quotas,DC=dom1,DC=loc
dn:CN=Program Data,DC=dom1,DC=loc
dn:CN=System,DC=dom1,DC=loc
dn:CN=Users,DC=dom1,DC=loc

14 Objects returned

The issue crops up, like I said, when you have a parent domain in a multi-domain forest. A GC holds a partial replica of every domain in the forest, so when you specify -gc the child domain naming contexts are just normal subordinate branches under the parent domain in the LDAP tree, and a subtree search based at the parent domain returns all of the objects matching the LDAP filter from those branches as well as from the area you really want.

I have been working through this for a while now trying to figure out the best way to fix it as again, I didn’t want to make behavior changes. But none of the excuses I can come up with about what users could or should do when using the utility seem to allow me to NOT change it. I don’t mind making users do their work when using my utilities but when they have to hop on one foot and balance a flaming can of gasoline I figure that is a bit extreme.

So it is with regret that I have to announce that the -sc adobjcnt shortcuts will no longer specify the -gc switch for you. If you in actuality want to hit the GC then you will need to specify the -gc switch separately. I know I know, not very painful but I am sure someone somewhere won’t read this nor the release notes that will come out for V01.46.00 until after something bad has happened based on the new count values being returned and I will get a nice nasty gram about it. So be it, when you have done it and have written me and complained and then I have sent a link to this blog post and you have read know that "I told you so!". ;)   Anyway, if you have the -sc adobjcnt switch specified in some batch files, just do a nice find and replace of "-sc adobjcnt" with "-gc -sc adobjcnt" and that should take care of it nicely for you.

 

   joe

 

[1] Wild but true, there are indeed people who have non-empty root multi-domain forests… When I see them I am sometimes thinking "So you could argue the point about not having an empty root but couldn’t go the step further and argue just having a single domain forest model?"

[2] It will also have issues if you have grandchildren domains as well. But I don’t like to mention grandchildren domains because they make me itch. If you have grandchildren domains you almost certainly turned left at the wrong time along the AD design process. I can’t say I have ever, in my more than a decade of working on Active Directories around the world, walked into a facility and said either of "Oh you have (multiple domain trees | grandchildren domains)[3]!!! Great idea!"

[3] Perl regex expression there, means either string in parens.

