One of the sanest, surest, and most generous joys of life comes from being happy over the good fortune of others.
– Robert A. Heinlein
Information about joeware mixed with wild and crazy opinions…
A society that gets rid of all its troublemakers goes downhill.
– Robert A. Heinlein
Clocks slay time… time is dead as long as it is being clicked off by little wheels; only when the clock stops does time come to life.
– William Faulkner
For disappearing acts, it’s hard to beat what happens to the eight hours supposedly left after eight of sleep and eight of work.
– Doug Larson
The future is something which everyone reaches at the rate of 60 minutes an hour, whatever he does, whoever he is.
– C. S. Lewis
Time is the longest distance between two places.
– Tennessee Williams
Day, n. A period of twenty-four hours, mostly misspent.
– Ambrose Bierce
But why is there only an x86 version???
joe
http://www.theregister.co.uk/2010/03/05/microsoft_unplugs_ebs/
Microsoft will halt development of its mid-market oriented Windows Essential Business Server software bundle, as the company bets on "cloud computing" rather than lump licensing to woo penny-pinching IT markets.
kerberos.msg.type == 12 || kerberos.msg.type == 13 || kerberos.msg.type == 30 || kerberos.msg.type == 10 || kerberos.msg.type == 11
http://www.youtube.com/watch?v=0Cd7Bsp3dDo
In English and slightly different… http://www.youtube.com/watch?v=yUQRbqc2qtY&NR=1
And for the nerds… Star Wars Help Desk… http://www.youtube.com/watch?v=0Q8DriPCX2o
I was recently asked for a list of MSFT blogs, here you go!
http://blogs.technet.com/blogms/pages/directory-of-microsoft-team-blogs.aspx
joe
This looks very cool…
http://www.cbsnews.com/stories/2010/02/18/60minutes/main6221135.shtml
Could this be sitting in your yard in the next 10 years? If they can truly get it down to a couple thousand I would give it a shot.
…an experiment in designing a solution by feeling the bumps on the walls and listening for screams…
– me (discussing an infrastructure architecture project)
From: joe [mailto:support@joeware.net]
Sent: xxx
To: xxx
Subject: RE: Support Request
Hi xxx,
You won’t be able to do this with just usernames in a file with just adfind/admod, you would need a script to add the additional logic to look up the usernames and convert to DNs.
However, if you have a list of user DNs in a file or you can execute a single query to locate the users you can do this with no scripting.
So say you have a list of DNs in the file userlist.txt, you could do something like
adfind homedirectory -adcsv < userlist.txt | admod homedirectory::{{.:r:oldservername:newservername}} -upto maxcount
This takes the DNs from the text file, looks up the current homedirectory value, passes that through the pipe to AdMod which then takes the current value, replaces the oldservername with the newservername and inserts it back into the user object. You specify the -upto switch to specify the maximum number of objects you want to update. By default, admod will bail out and make no changes if more than 10 objects are passed to it; this is to protect people from accidentally modifying large numbers of objects. You can modify the safety value with -safety x, which tells AdMod how many items it should be able to modify without bailing out and making no changes. You can use the -upto x switch, which tells it to only do the first x updates. Or if you are positive you are good on the specific objects, you can specify -unsafe, which tells admod to update anything passed to it.
Example:
Here is the user list
G:\Temp>type userlist.txt
"CN=auser1,OU=XXXTest,DC=test,DC=loc"
"CN=auser2,OU=XXXTest,DC=test,DC=loc"
"CN=auser3,OU=XXXTest,DC=test,DC=loc"
"CN=auser4,OU=XXXTest,DC=test,DC=loc"
Here are the current homedirectory values for that group of users
G:\Temp>adfind homedirectory -adcsv < userlist.txt
~~~ADCSV~~~~~~ADCSV~~~~~~ADCSV~~~~~~ADCSV~~~~~~ADCSV~~~~~~ADCSV~~~~~~ADCSV~~~~~~ADCSV~~~~~~ADCSV~~~~~~ADCSV~~~
"dn","homedirectory"
"CN=auser1,OU=XXXTest,DC=test,DC=loc","\\server1\auser1"
"CN=auser2,OU=XXXTest,DC=test,DC=loc","\\server1\auser2"
"CN=auser3,OU=XXXTest,DC=test,DC=loc","\\server1\auser3"
"CN=auser4,OU=XXXTest,DC=test,DC=loc","\\server1\auser4"
Here is the change
G:\Temp>adfind homedirectory -adcsv < userlist.txt | admod homedirectory::{{.:r:server1:server2}} -unsafe
AdMod V01.12.00cpp Joe Richards (joe@joeware.net) February 2010
DN Count: 4
Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003
Modifying specified objects…
DN: CN=auser1,OU=XXXTest,DC=test,DC=loc…
DN: CN=auser2,OU=XXXTest,DC=test,DC=loc…
DN: CN=auser3,OU=XXXTest,DC=test,DC=loc…
DN: CN=auser4,OU=XXXTest,DC=test,DC=loc…
The command completed successfully
Here are the new values
G:\Temp>adfind homedirectory -adcsv < userlist.txt
~~~ADCSV~~~~~~ADCSV~~~~~~ADCSV~~~~~~ADCSV~~~~~~ADCSV~~~~~~ADCSV~~~~~~ADCSV~~~~~~ADCSV~~~~~~ADCSV~~~~~~ADCSV~~~
"dn","homedirectory"
"CN=auser1,OU=XXXTest,DC=test,DC=loc","\\server2\auser1"
"CN=auser2,OU=XXXTest,DC=test,DC=loc","\\server2\auser2"
"CN=auser3,OU=XXXTest,DC=test,DC=loc","\\server2\auser3"
"CN=auser4,OU=XXXTest,DC=test,DC=loc","\\server2\auser4"
Hope this helps.
joe
–
O’Reilly Active Directory Fourth Edition – http://www.joeware.net/win/ad4e.htm
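The safety rules described in the reply above, modelled as a small Python script over the -adcsv output from the session. This is an added example and not joeware code: it parses the CSV that adfind -adcsv prints, plans the {{.:r:old:new}} style replacement, and enforces the -safety / -upto / -unsafe behaviour before anything is written to an in-memory stand-in for the user objects. Applying -upto before the safety count is checked is an assumption of this model, not something the reply states, and nothing here talks to AD.

```python
"""Model of the AdMod safety valve from the reply: refuse to change anything
when more objects are passed than the safety value allows, unless -unsafe is
given, and let -upto cap the number of updates. Added example, not joeware
code; the directory is a dict built from the sample output in the thread."""
import csv
import io

ADCSV_BANNER = "~~~ADCSV~~~"

# Constructed from the session in the reply: the banner line is what adfind
# prints before the CSV header.
SAMPLE_ADCSV = r'''~~~ADCSV~~~~~~ADCSV~~~~~~ADCSV~~~
"dn","homedirectory"
"CN=auser1,OU=XXXTest,DC=test,DC=loc","\\server1\auser1"
"CN=auser2,OU=XXXTest,DC=test,DC=loc","\\server1\auser2"
"CN=auser3,OU=XXXTest,DC=test,DC=loc","\\server1\auser3"
"CN=auser4,OU=XXXTest,DC=test,DC=loc","\\server1\auser4"
'''


def parse_adcsv(text: str) -> list:
    """Rows of the CSV that adfind -adcsv prints, skipping the banner line."""
    lines = [ln for ln in text.splitlines() if ln and not ln.startswith(ADCSV_BANNER)]
    return list(csv.DictReader(io.StringIO("\n".join(lines))))


def build_directory(rows: list) -> dict:
    """Stand-in for the user objects in AD: dn -> attribute dict."""
    return {r["dn"]: {k: v for k, v in r.items() if k != "dn"} for r in rows}


def plan_replacements(rows: list, attr: str, old: str, new: str) -> list:
    """(dn, current value, replacement) per row; the {{.:r:old:new}} substitution."""
    return [(r["dn"], r[attr], r[attr].replace(old, new)) for r in rows]


def apply_with_safety(directory, attr, changes, safety=10, upto=None, unsafe=False) -> int:
    """Write the planned values following the -safety / -upto / -unsafe rules
    from the reply. Returns the number of objects modified; 0 means the run
    bailed out and nothing was touched. Assumption of this model: -upto trims
    the list before the safety count is checked."""
    if upto is not None:
        changes = changes[:upto]
    if not unsafe and len(changes) > safety:
        print(f"{len(changes)} objects passed, safety value is {safety}: bailing out, no changes")
        return 0
    for dn, _current, replacement in changes:
        directory[dn][attr] = replacement
    return len(changes)


if __name__ == "__main__":
    rows = parse_adcsv(SAMPLE_ADCSV)
    directory = build_directory(rows)
    changes = plan_replacements(rows, "homedirectory", "server1", "server2")
    # Same shape as the -unsafe run in the thread: four objects, all rewritten.
    print("modified:", apply_with_safety(directory, "homedirectory", changes, unsafe=True))
    for dn, attrs in directory.items():
        print(dn, attrs["homedirectory"])
```

Running the script prints the four DNs with their server2 paths; calling apply_with_safety with safety=2 and no -upto returns 0 and leaves every value untouched, which is the "bail out and make no changes" behaviour the reply describes.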
From: xxx
Sent: xxx
To: support@joeware.net
Subject: Support Request
Dear Joe!
I’d like to congratulate you on your site.
There is a big problem that you could solve for me.
I want to change my fileserver and I want to move users’ home folders.
The users are in a USER container (not an OU) in AD.
And there are 260 of them.
How can I change from \\abc\home\user to \\xyz\home\user with your tools?
How can I change it from a file which contains usernames?
Which is the best solution to export only usernames from an AD container? And how to use it with the admod tools?
Thank You:
xxx
…and I am still using LDAP…
Obviously the announcement of its demise was a bit premature.
That is why I chuckled when I heard it last year.
joe
I thought this was an interesting little setup…
http://www.motherearthnews.com/Do-It-Yourself/2007-04-01/Portable-Chicken-Mini-coop-Plan.aspx
Yes that is a little different from what I normally post. But hey, I live in the country and am thinking about getting some chickens.
joe
Do not handicap your children by making their lives easy.
– Robert Heinlein (Time Enough For Love)
Whatever you do, do not let the past be a straitjacket!
– Robert Heinlein (The Moon Is a Harsh Mistress)
One way or another, what you get, you pay for.
– Robert Heinlein (The Moon Is a Harsh Mistress)
Recently a friend pinged me about what I thought about load balancing Domain Controllers behind some sort of VIP (Virtual IP) hardware be it from Brocade, Cisco, Barracuda, F5 or from whatever vendor.
As a generic statement, I am against it. Period.
Active Directory was built in such a way that the load balancing[1] and redundancy are built in. The clients just have to be smart enough to utilize it. This can be done; I have seen people writing code even on UNIX to do the SRV record lookup, and in fact one implementation I saw was arguably better than MSFT’s in how it chased after the next best site, and the next best site after that, etc.
But joe… some apps just don’t do it right! True, so let’s just give them a pass to do things wrong[2]… No. Go back to the vendors and tell them you don’t consider them to be AD Integrated and you will find a different solution. Of course if someone already bought the product without actually consulting anyone with relevant technical skills then you are a little stuck but I would still avoid load balancing, instead point at the Domain DNS record and say have at it. Possibly showing them that you won’t crutch every single thing they throw your way will help get you or someone else with the insight to check out the product before purchase. These special crutching operations cost companies money both in having to work out the unique solutions but also in supporting them and teaching new support people about them. Can’t tell you how much fun it is to explain an environment to someone like “Well it works in this way with the exception of this which does that and that which does this, etc.”
There can be issues with this practice other than helping some company sell a product that should be updated. When I received the initial question I knew there was a Kerberos issue with this, but thought I would ask some of my intelligent friends on an MVP distribution list what they were aware of, to see if there was more than I was thinking about and also whether Microsoft had written up any documentation. One of the responses was really good and I would like to share it here. It is from my friend and fellow Microsoft MVP Joe Kaplan.
—–Original Message—–
From: xxx [mailto:xxx] On Behalf Of Joe Kaplan
Sent: Friday, February 19, 2010 12:02 PM
To: xxx
Subject: Re: [xxx] Hardware Load Balancing Domain Controllers
There is a principle in Kerb that exactly one security account can be associated with a given SPN. On a DC, various services run as system which in turn ends up using the domain computer account. This is a different account on each DC.
However, clients form requests for Kerb service tickets by using the DNS name of the target service to form the SPN used in the request.
In a load balanced scenario, you run the risk of having a single DNS name refer to multiple different hosts behind it. If in turn the service being targeted is a service that accepts Kerb auth and the service is running as a different user depending on the host (which would be the case for services that are part of a DC), then you’ll get random Kerb auth failures (the dreaded KERB_APP_ERR_MODIFIED). This is probably not what you want and therefore a significant risk in this situation.
You could potentially get away with load balancing LDAP and use an alternate DNS name that has no Kerb SPN associated with it. You’d get no Kerb auth (only NTLM) and it might work in most cases as a result (no cross domain moves because delegation is now broken but other stuff may be fine). However, it probably isn’t a good idea.
You CAN do this the right way with ADAM by having the ADAM instances all run as the same fixed domain user service account and creating an SPN to match the DNS name of the load balancer front end you are using. ADAM makes it hard on you to get SSL working in this instance by insisting that you use a wildcard cert, but it can be reasonable. Note that this is typically also what you do when load balancing web applications that require Kerb auth.
Joe K.
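A toy model of the SPN rule from Joe K.’s first message, added here as an illustration; it is not code from the post or from Joe Kaplan. The HMAC stands in for the service ticket being encrypted with the owning account’s key, so a service can only "open" a ticket sealed under the account it really runs as. Every account name, key and host name below is constructed, the VIP hands out hosts round robin, and the error is named KRB_AP_ERR_MODIFIED, the Kerberos error code Joe refers to as KERB_APP_ERR_MODIFIED.

```python
"""Why one DNS name in front of several DCs gives random Kerberos failures,
and why the ADAM pattern (one shared service account owning the VIP's SPN)
does not. Added example, not code from the post; all data is constructed."""
import hashlib
import hmac

# Long-term key per security account. Each DC's services run as SYSTEM,
# i.e. under that DC's own computer account, so every DC has a different key.
ACCOUNT_KEYS = {
    "DC1$": b"constructed-key-dc1",
    "DC2$": b"constructed-key-dc2",
    "svc_adam": b"constructed-key-shared-adam-service-account",
}

# KDC view: SPN -> the single account it is registered to.
SPN_OWNER = {
    "ldap/dc1.test.loc": "DC1$",
    "ldap/dc2.test.loc": "DC2$",
    # The VIP name's SPN can only be registered to one account; here DC1's.
    "ldap/dc-vip.test.loc": "DC1$",
    # ADAM pattern: every instance runs as svc_adam, which owns the VIP SPN.
    "ldap/adam-vip.test.loc": "svc_adam",
}

# DNS name -> hosts behind it, with the account each host's LDAP service runs as.
DNS = {
    "dc1.test.loc": [("DC1", "DC1$")],
    "dc-vip.test.loc": [("DC1", "DC1$"), ("DC2", "DC2$")],      # load-balanced DCs
    "ldap-alias.test.loc": [("DC1", "DC1$"), ("DC2", "DC2$")],  # alternate name, no SPN
    "adam-vip.test.loc": [("ADAM1", "svc_adam"), ("ADAM2", "svc_adam")],
}


def seal(key: bytes, body: str) -> str:
    """Stand-in for encrypting the service ticket with an account's key."""
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def kdc_issue_ticket(spn: str) -> dict:
    """TGS-REP: the KDC seals the ticket with the key of the account owning the SPN."""
    body = f"service-ticket:{spn}"
    return {"body": body, "sealed": seal(ACCOUNT_KEYS[SPN_OWNER[spn]], body)}


def service_accept(ticket: dict, running_as: str) -> str:
    """AP-REQ on the target host: the service can only open a ticket sealed
    with the key of the account it actually runs as. A mismatch is what the
    client reports as KRB_AP_ERR_MODIFIED."""
    expected = seal(ACCOUNT_KEYS[running_as], ticket["body"])
    return "OK" if hmac.compare_digest(expected, ticket["sealed"]) else "KRB_AP_ERR_MODIFIED"


def connect(dns_name: str, attempt: int) -> str:
    """One client connection: form the SPN from the DNS name, get a ticket for
    it, then land on whichever host the VIP hands out (round robin here)."""
    spn = f"ldap/{dns_name}"
    if spn not in SPN_OWNER:
        return "NO_SPN"  # no Kerberos ticket possible; a real client falls back to NTLM
    ticket = kdc_issue_ticket(spn)
    hosts = DNS[dns_name]
    _host, account = hosts[attempt % len(hosts)]
    return service_accept(ticket, account)


def outcomes(dns_name: str, attempts: int = 10) -> set:
    """Distinct results a client sees over several connections to one name."""
    return {connect(dns_name, i) for i in range(attempts)}


if __name__ == "__main__":
    for name in DNS:
        print(f"{name:22} -> {sorted(outcomes(name))}")
```

The dc-vip name alternates between OK and KRB_AP_ERR_MODIFIED depending on which DC the VIP picks, the SPN-less alias never gets Kerberos at all, and the ADAM VIP succeeds every time because the ticket and the service share one account key.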
That is pretty clear. I asked Joe if he knew of any MSFT docs on the subject and his next response was even clearer.
From: xxx [xxx] On Behalf Of Joe Kaplan
Sent: Friday, February 19, 2010 1:15 PM
To: xxx
Subject: Re: [xxx] Hardware Load Balancing Domain Controllers
I have no idea on the documentation part. I’m just telling you what I know based on personal experience and my knowledge of the underlying mechanisms (which is unfortunately much deeper than I’d probably enjoy due to some of my personal experiences to date).
I’m obviously recommending against doing this which is also the party line. My opinion is that the benefit here is probably completely overshadowed by the risk of having lots of things not work in ways that are very difficult to understand. Getting predictable, positive results from this will likely be non-trivial.*
Joe K.
* Emphasis is mine… Joe didn’t smack us in the face with his email like that. He is too nice. I am the mean joe… I was nice enough to get Joe’s permission to publish this though.
There are several MVPs whose opinion I will not question, or at least not question when they are speaking to specific technologies. For example, I won’t question Guido Grillenmeier too much on AD Disaster Recovery. I will not question Lee Flight too much on ADAM / ADLDS / and pretty much anything LDAP related. I won’t question my bestest buddy Dean Wells on batch commands… well I would now, he isn’t an MVP anymore… ;o) Back to the point, I don’t question JoeK on his knowledge of .NET / Windows Auth / ADFS / Kerberos. If he says something works in a certain way, I thank him with great humility for taking the time to respond. More than once his comments in email or in newsgroup posts have helped me work issues out in those areas, and there are changes in AdFind/Mod that are directly due to some of Joe’s comments/emails and even his .NET book – The .NET Developer’s Guide to Directory Services Programming.
joe
[1] Granted the load balancing isn’t that great, keep taking on load until you fall over and don’t respond anymore… But that is exactly the same kind of load balancing you get with VIP in front of a DC. The VIP devices do not know how much load the DCs are under, at best they look at the port(s) you told it to worry about and it will stop giving out that IP if that/those port/s stop responding.
Anyone who has ever watched Exchange’s load balancing algorithms for using AD in a very big nasty Exchange deployment knows it is: keep beating on the DCs until they fall over and then find another DC to gang up on. In all actuality Exchange is in a position to do better because it is one distributed app that could keep track of the connections to all of the DCs from all of the Exchange servers itself. I guess MSFT could add a special operational attribute to the rootdse of DCs (and ADAM servers) which indicated relative load when you asked for it, and then you could get a VIP (or other app) smart enough to ask for that, but I don’t see that happening anytime soon.
[2] As an example here… Say you have six kids you are babysitting. Four of them listen to you and follow your rules, the other two choose to randomly kick you in the shin and paint on your 52” Big Screen TV… Do you give those two kids a pass? No you correct their uncivilized behavior without delay. Think of your vendors as kids. They are working for your approval and your $’s. Make them earn it.
From: joe [mailto:support@joeware.net]
Sent: xxx
To: xxx
Subject: RE: AdFind
Hey xxx, you could do something like
adfind -default -f "&(objectcategory=group)(name=*webmaster*)" -dn
If you want to specify a domain other than the default, replace -default with -b domainDN
joe
–
O’Reilly Active Directory Fourth Edition – http://www.joeware.net/win/ad4e.htm
From: xxx
Sent: xxx
To: ’support@joeware.net’
Subject: AdFind
Joe:
Can/how can AdFind be used to find all groups in a domain that have for example, the string “webmaster” in the group name?
Any help would be appreciated.
Thanks,
xxx
—–Original Message—–
From: joe [mailto:support@joeware.net]
Sent: xxx
To: xxx
Subject: RE:
Hey xxx,
You should only try to download joeware utilities from my website… I can’t vouch for whether or not other sites have put anything into the executable.
http://www.joeware.net/freetools/tools/oldcmp/index.htm
I just now downloaded and unzipped it (using the standard OS unzip and WinZip) and it executes fine.
joe
–
O’Reilly Active Directory Fourth Edition – http://www.joeware.net/win/ad4e.htm
—–Original Message—–
From: xxx
Sent: xxx
To: support@joeware.net
Subject:
Good Morning;
I’ve tried to download the oldcmp.zip file from several sites this morning. When I go to extract I get "invalid or corrupt distribution. Please download again." Are there any known issues with the download version, or am I missing something on my system to properly extract it?
Thanks in Advance
xxx
From: joe [mailto:joe@joeware.net]
Sent: xxx
To: xxx
Subject: RE: ADFIND – Group + Members Query
You can’t do this in one query, it will take at least two.
First query would be to find the group and dump its memberof values.
adfind -default -f "&(objectcategory=group)(name=groupname)" memberof
The second query (or set of queries) would be to dump the SMTP addresses of the members.
If you know that the members are all in the same domain as the group you can use this shortcut
adfind -this "group DN" -asq member mail
If the members could be in different domains, this can be done with a single command line but will be multiple queries. Specifically a query for every single member + 1
adfind -this "group DN" member -qlist | adfind mail
If you don’t need memberof this could be done in one command line
adfind -default -f "&(objectcategory=group)(name=groupname)" member -qlist | adfind mail
Oh that also assumes that mail will be the only SMTP address you need, if you need the primary and secondaries then this gets more complicated and would look like
adfind -default -f "&(objectcategory=group)(name=groupname)" member -qlist | adfind proxyaddresses -mvfilter proxyaddresses=smtp
And if you want that in CSV format, you simply add -csv to the end
adfind -default -f "&(objectcategory=group)(name=groupname)" member -qlist | adfind proxyaddresses -mvfilter proxyaddresses=smtp -csv
Note that you may not be able to cut and paste the commands, sometimes outlook puts characters in that the CMD Prompt doesn’t like.
joe
–
O’Reilly Active Directory Fourth Edition – http://www.joeware.net/win/ad4e.htm
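The group-to-members-to-addresses chain from the reply above (and the name=*webmaster* filter from the earlier AdFind reply), walked over a constructed in-memory directory in Python. This is an added example, not joeware code: find_groups, smtp_addresses and expand_group are made up for the illustration, and the DNs, addresses and group names are sample data. It does one lookup per member, which is the "query for every single member + 1" the reply describes for -qlist chaining, and splits proxyaddresses into the primary (SMTP:) and secondary (smtp:) addresses the way -mvfilter proxyaddresses=smtp narrows the multi-valued attribute; treating the prefix match as case-insensitive is an assumption about that switch, not something the reply states.

```python
"""Group -> members -> SMTP addresses, modelled over a constructed directory.
Added example, not joeware code; nothing here queries AD."""
import fnmatch

# Constructed sample objects: DNs, names and addresses are made up.
DIRECTORY = {
    "CN=_test1,OU=Groups,DC=test,DC=loc": {
        "objectcategory": "group",
        "name": "_test1",
        "member": [
            "CN=auser1,OU=XXXTest,DC=test,DC=loc",
            "CN=auser2,OU=XXXTest,DC=test,DC=loc",
            "CN=buser1,OU=Users,DC=child,DC=test,DC=loc",  # lives in another domain
        ],
        "memberof": ["CN=All-Web-Admins,OU=Groups,DC=test,DC=loc"],
    },
    "CN=Webmasters,OU=Groups,DC=test,DC=loc": {
        "objectcategory": "group", "name": "Webmasters", "member": [], "memberof": [],
    },
    "CN=auser1,OU=XXXTest,DC=test,DC=loc": {
        "objectcategory": "person", "name": "auser1", "mail": "auser1@test.loc",
        "proxyaddresses": ["SMTP:auser1@test.loc", "smtp:a.user1@test.loc",
                           "X400:c=US;a= ;p=Test;o=Exchange;s=auser1;"],
    },
    "CN=auser2,OU=XXXTest,DC=test,DC=loc": {
        "objectcategory": "person", "name": "auser2", "mail": "auser2@test.loc",
        "proxyaddresses": ["SMTP:auser2@test.loc"],
    },
    "CN=buser1,OU=Users,DC=child,DC=test,DC=loc": {
        "objectcategory": "person", "name": "buser1",
        "proxyaddresses": [],  # not mail-enabled: no mail, no SMTP addresses
    },
}


def find_groups(name_pattern: str) -> list:
    """Emulates (&(objectcategory=group)(name=<pattern>)); '*' is the only
    wildcard an LDAP filter uses, and the match is case-insensitive here."""
    return [dn for dn, attrs in DIRECTORY.items()
            if attrs.get("objectcategory") == "group"
            and fnmatch.fnmatchcase(attrs["name"].lower(), name_pattern.lower())]


def smtp_addresses(attrs: dict) -> tuple:
    """Split proxyaddresses into (primary, [secondaries]). Exchange writes the
    primary as 'SMTP:' and secondaries as 'smtp:'; the prefix is matched
    case-insensitively (assumed to mirror -mvfilter) and its case decides the role."""
    primary, secondaries = None, []
    for value in attrs.get("proxyaddresses", []):
        prefix, _, address = value.partition(":")
        if prefix.lower() != "smtp":
            continue  # X400 and other address types are dropped
        if prefix == "SMTP":
            primary = address
        else:
            secondaries.append(address)
    return primary, secondaries


def expand_group(name: str) -> list:
    """Second stage of the pipeline: one lookup per member DN, so members in
    other domains are resolved too. Each result carries the mail attribute
    and the SMTP split; a member with no mailbox yields None and an empty list."""
    results = []
    for group_dn in find_groups(name):
        for member_dn in DIRECTORY[group_dn]["member"]:
            attrs = DIRECTORY.get(member_dn, {})  # a real run queries the member's own domain
            primary, secondaries = smtp_addresses(attrs)
            results.append({"dn": member_dn, "mail": attrs.get("mail"),
                            "primary": primary, "secondaries": secondaries})
    return results


if __name__ == "__main__":
    print("groups matching *webmaster*:", find_groups("*webmaster*"))
    for row in expand_group("_test1"):
        print(row["dn"], row["mail"], row["primary"], row["secondaries"])
```

The cross-domain member shows why the single-query -asq shortcut in the reply only works when every member sits in the group’s own domain: the per-member lookup is what resolves buser1, and the result makes it obvious that it has no mailbox rather than silently dropping it.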
From: xxx
Sent: xxx
To: joe@joeware.net
Subject: ADFIND – Group + Members Query
Hi Joe,
I hope you are doing fine.
I need a query to 1. find a specific group, 2. dump its members, 3. the groups this group is a member of and also 4. dump the smtp address of the group’s members.
I managed to build the following query:
adfind -gcb -f "&(objectClass=group)(name=_test1)" member memberof
I was able to achieve the items 1, 2 and 3, but the 4th one is a bit difficult. Is it possible to be done?
Cheers,
xxx
I am free, no matter what rules surround me. If I find them tolerable, I tolerate them; if I find them too obnoxious, I break them. I am free because I know that I alone am morally responsible for everything I do.
– Robert Heinlein (The Moon Is a Harsh Mistress)