Previously we had a discussion on ActiveDir Org about using Tree Delete on an OU or other container with a large number of objects, specifically more than 16,000 or so objects (16384 to be even more specific).
http://www.activedir.org/ListArchives/tabid/55/view/topic/postid/44636/Default.aspx
MSDN Article about the error
http://msdn.microsoft.com/en-us/library/cc223490(v=prot.10).aspx
And an old blog post from me about the error
http://blog.joeware.net/2007/06/01/905/
Anyway, on the ActiveDir Org thread I mentioned that I should add a treenuke option sometime. Well, I have now done that. It will be available for public destruction when V01.18.00 is released, which will hopefully occur in the next week or so if I can fully sort out a bug that our friend Brian Desmond sent me recently when trying to "add" conflict objects from one AD to another AD. The fix for that is to print out an error that says "Seriously Brian????". No, I am not sure what the fix will be in the end yet, but I know where part of the issue is. 😉
More on the tree nuke. This is a little piece of code I added that loops on the treedelete LDAP deletion operation when you specify the -treenuke switch. Initially that was all I was going to do, but when I ran it to delete a container with over 100,000 objects, AdMod just seemed to sit there looking stupid, so now I have it perform a little extra work. For every treedelete LDAP operation it submits, it adds another dot to the output line. So for example, instead of just seeing:
DN: cn=nuke,cn=adamrocks...
You will see
DN: cn=nuke,cn=adamrocks...
and then
DN: cn=nuke,cn=adamrocks....
and then
DN: cn=nuke,cn=adamrocks.....
and then
DN: cn=nuke,cn=adamrocks......
etc.
Not really awesome in terms of some of the stuff they do in the GUI world but if you are looking for awesome stuff from the GUI world you have made a serious mistake coming here…
So for the real example or as I like to call it, how to create and then destroy 100,000 users in 30 minutes:
1. Create the container
[Tue 02/07/2012 22:20:01.00]
F:\>f:\dev\cpp\admod\release\admod -hh . -b cn=nuke,CN=ADAMRocks -add objectclass::container
AdMod V01.18.00cpp BETA Joe Richards (joe@joeware.net) February 2012
DN Count: 1
Using server: DellLT17:389
Directory: Windows Server 2008 R2 Active Directory Application Mode
Adding specified objects…
DN: cn=nuke,CN=ADAMRocks…
The command completed successfully
2. Create 100,000 users
[Tue 02/07/2012 22:20:18.89]
F:\>f:\dev\cpp\admod\release\admod -hh . -sc adamau:100000;password;cn=testuser,cn=nuke,cn=adamrocks
AdMod V01.18.00cpp BETA Joe Richards (joe@joeware.net) February 2012
DN Count: 100000
Using server: DellLT17:389
Directory: Windows Server 2008 R2 Active Directory Application Mode
Adding specified objects…
DN: cn=testuser_0,cn=nuke,cn=adamrocks…
DN: cn=testuser_1,cn=nuke,cn=adamrocks…
DN: cn=testuser_2,cn=nuke,cn=adamrocks…
DN: cn=testuser_3,cn=nuke,cn=adamrocks…
DN: cn=testuser_4,cn=nuke,cn=adamrocks…
DN: cn=testuser_5,cn=nuke,cn=adamrocks…
DN: cn=testuser_6,cn=nuke,cn=adamrocks…
DN: cn=testuser_7,cn=nuke,cn=adamrocks…
DN: cn=testuser_8,cn=nuke,cn=adamrocks…
DN: cn=testuser_9,cn=nuke,cn=adamrocks…
DN: cn=testuser_10,cn=nuke,cn=adamrocks…
DN: cn=testuser_11,cn=nuke,cn=adamrocks…
DN: cn=testuser_12,cn=nuke,cn=adamrocks…
DN: cn=testuser_13,cn=nuke,cn=adamrocks…
DN: cn=testuser_14,cn=nuke,cn=adamrocks…
DN: cn=testuser_15,cn=nuke,cn=adamrocks…
DN: cn=testuser_16,cn=nuke,cn=adamrocks…
DN: cn=testuser_17,cn=nuke,cn=adamrocks…
<SNIP>
DN: cn=testuser_99979,cn=nuke,cn=adamrocks…
DN: cn=testuser_99980,cn=nuke,cn=adamrocks…
DN: cn=testuser_99981,cn=nuke,cn=adamrocks…
DN: cn=testuser_99982,cn=nuke,cn=adamrocks…
DN: cn=testuser_99983,cn=nuke,cn=adamrocks…
DN: cn=testuser_99984,cn=nuke,cn=adamrocks…
DN: cn=testuser_99985,cn=nuke,cn=adamrocks…
DN: cn=testuser_99986,cn=nuke,cn=adamrocks…
DN: cn=testuser_99987,cn=nuke,cn=adamrocks…
DN: cn=testuser_99988,cn=nuke,cn=adamrocks…
DN: cn=testuser_99989,cn=nuke,cn=adamrocks…
DN: cn=testuser_99990,cn=nuke,cn=adamrocks…
DN: cn=testuser_99991,cn=nuke,cn=adamrocks…
DN: cn=testuser_99992,cn=nuke,cn=adamrocks…
DN: cn=testuser_99993,cn=nuke,cn=adamrocks…
DN: cn=testuser_99994,cn=nuke,cn=adamrocks…
DN: cn=testuser_99995,cn=nuke,cn=adamrocks…
DN: cn=testuser_99996,cn=nuke,cn=adamrocks…
DN: cn=testuser_99997,cn=nuke,cn=adamrocks…
DN: cn=testuser_99998,cn=nuke,cn=adamrocks…
DN: cn=testuser_99999,cn=nuke,cn=adamrocks…
The command completed successfully
3. Issue standard treedelete command and watch it partially complete and then fail.
[Tue 02/07/2012 22:41:56.54]
F:\>f:\dev\cpp\admod\release\admod -hh . -b cn=nuke,cn=adamrocks -treedelete -del
AdMod V01.18.00cpp BETA Joe Richards (joe@joeware.net) February 2012
DN Count: 1
Using server: DellLT17:389
Directory: Windows Server 2008 R2 Active Directory Application Mode
Deleting specified objects…
DN: cn=nuke,cn=adamrocks…: [DellLT17] Error 0xb (11) – Administration Limit Exceeded
ERROR: Too many errors encountered, terminating…
The command did not complete successfully
4. Count the objects that are left.
[Tue 02/07/2012 22:43:26.09]
F:\>f:\dev\cpp\adfind\release\adfind -hh . -b cn=nuke,cn=adamrocks -c
AdFind V01.46.00cpp **BETA** Joe Richards (joe@joeware.net) January 2012
Using server: DellLT17:389
Directory: Windows Server 2008 R2 Active Directory Application Mode
83617 Objects returned
5. Nuke it!
[Tue 02/07/2012 22:47:38.82]
F:\>f:\dev\cpp\admod\release\admod -hh . -b cn=nuke,cn=adamrocks -treenuke -del
AdMod V01.18.00cpp BETA Joe Richards (joe@joeware.net) February 2012
DN Count: 1
Using server: DellLT17:389
Directory: Windows Server 2008 R2 Active Directory Application Mode
Deleting specified objects…
DN: cn=nuke,cn=adamrocks………
The command completed successfully
6. Count the remaining objects.
[Tue 02/07/2012 22:51:09.27]
F:\>f:\dev\cpp\adfind\release\adfind -hh . -b cn=nuke,cn=adamrocks -c
AdFind V01.46.00cpp **BETA** Joe Richards (joe@joeware.net) January 2012
Using server: DellLT17:389
Directory: Windows Server 2008 R2 Active Directory Application Mode
ldap_get_next_page_s: [DellLT17] Error 0x20 (32) – No Such Object
Best Match of: ‘CN=ADAMRocks’
0 Objects returned
[Tue 02/07/2012 22:51:15.30]
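The retry loop behind -treenuke, modelled against a constructed stand-in for the directory; this is an added example, not AdMod's source. `FakeDirectory`, `treeNuke` and the 16384-objects-per-request limit are assumptions built from the numbers in the session above; a real client would send each delete with the tree-delete control (OID 1.2.840.113556.1.4.805) rather than call a simulator.

```cpp
#include <algorithm>
#include <cstdio>

// LDAP result codes that appear in the session above.
constexpr int kSuccess = 0;
constexpr int kAdminLimitExceeded = 11;  // 0xb
constexpr int kNoSuchObject = 32;        // 0x20

// Assumption: one tree-delete request removes at most this many objects.
constexpr long kPerRequest = 16384;

// Constructed stand-in for the server side of a tree delete.
struct FakeDirectory {
    long remaining;  // objects under the base DN, the container included
    int treeDelete() {
        if (remaining == 0) return kNoSuchObject;
        remaining -= std::min(remaining, kPerRequest);
        return remaining == 0 ? kSuccess : kAdminLimitExceeded;
    }
};

struct NukeResult {
    int code;      // last LDAP result code received
    int requests;  // tree-delete requests sent
};

// Reissue the tree delete while the server answers "Administration Limit
// Exceeded". Any other result ends the loop, and maxRequests bounds it so a
// server that never finishes cannot keep the client spinning.
NukeResult treeNuke(FakeDirectory& dir, int maxRequests) {
    NukeResult r{kAdminLimitExceeded, 0};
    while (r.code == kAdminLimitExceeded && r.requests < maxRequests) {
        r.code = dir.treeDelete();
        ++r.requests;
        std::putchar('.');  // one progress dot per request, as in the post
    }
    return r;
}

int main() {
    FakeDirectory dir{83617};  // count reported by AdFind in step 4
    NukeResult r = treeNuke(dir, 100);
    std::printf("\nresult=%d requests=%d remaining=%ld\n", r.code, r.requests, dir.remaining);
    return r.code == kSuccess ? 0 : 1;
}
```

Stopping on every result other than Administration Limit Exceeded matters: an access-denied or naming error on the second pass should surface immediately instead of being retried.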
Looking into this further, the “Seriously Brian” error message may have to be the solution. I fixed the issue in AdMod that prevented the proper sending of the request to Active Directory. However, Active Directory appears to have a rule against including 0x0A in the DN of an object you create, and conflict objects have an embedded 0x0A.
[Thu 02/09/2012 20:49:34.86]
F:\temp>f:\dev\cpp\admod\release\admod -hh . -add -b "CN=brian\09,CN=Computers,CN=briantest,CN=adamrocks" objectclass::user
AdMod V01.18.00cpp BETA Joe Richards (joe@joeware.net) February 2012
DN Count: 1
Using server: DellLT17:389
Directory: Windows Server 2008 R2 Active Directory Application Mode
Adding specified objects…
DN: CN=brian\09,CN=Computers,CN=briantest,CN=adamrocks…
The command completed successfully
[Thu 02/09/2012 20:49:52.35]
F:\temp>f:\dev\cpp\admod\release\admod -hh . -add -b "CN=brian\0a,CN=Computers,CN=briantest,CN=adamrocks" objectclass::user
AdMod V01.18.00cpp BETA Joe Richards (joe@joeware.net) February 2012
DN Count: 1
Using server: DellLT17:389
Directory: Windows Server 2008 R2 Active Directory Application Mode
Adding specified objects…
DN: CN=brian\0a,CN=Computers,CN=briantest,CN=adamrocks…: [DellLT17] Error 0x40 (64) – Naming Violation
ERROR: Too many errors encountered, terminating…
The command did not complete successfully
[Thu 02/09/2012 20:49:56.66]
F:\temp>f:\dev\cpp\admod\release\admod -hh . -add -b "CN=brian\0b,CN=Computers,CN=briantest,CN=adamrocks" objectclass::user
AdMod V01.18.00cpp BETA Joe Richards (joe@joeware.net) February 2012
DN Count: 1
Using server: DellLT17:389
Directory: Windows Server 2008 R2 Active Directory Application Mode
Adding specified objects…
DN: CN=brian\0b,CN=Computers,CN=briantest,CN=adamrocks…
The command completed successfully
[Thu 02/09/2012 20:50:01.36]
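A pre-flight check for the behaviour observed above: it scans a DN for an RDN that carries 0x0A, so a bulk copy can flag conflict objects before the server answers with Naming Violation. This is an added example, not part of AdMod; the function names are hypothetical and it assumes DN strings use backslash escapes as in the commands above.

```cpp
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

static bool isHex(char c) { return std::isxdigit(static_cast<unsigned char>(c)) != 0; }

// Split a DN into RDNs on unescaped commas, keeping escape sequences intact.
std::vector<std::string> splitRdns(const std::string& dn) {
    std::vector<std::string> rdns(1);
    for (std::size_t i = 0; i < dn.size(); ++i) {
        if (dn[i] == '\\' && i + 1 < dn.size()) {
            rdns.back() += dn[i];
            rdns.back() += dn[++i];  // the escaped character is never a separator
        } else if (dn[i] == ',') {
            rdns.emplace_back();
        } else {
            rdns.back() += dn[i];
        }
    }
    return rdns;
}

// True if the RDN carries a line feed, raw or written as a two-digit hex escape.
bool hasLineFeed(const std::string& rdn) {
    for (std::size_t i = 0; i < rdn.size(); ++i) {
        if (rdn[i] == '\n') return true;
        if (rdn[i] != '\\') continue;
        bool hexPair = i + 2 < rdn.size() && isHex(rdn[i + 1]) && isHex(rdn[i + 2]);
        if (hexPair && std::stoi(rdn.substr(i + 1, 2), nullptr, 16) == 0x0A) return true;
        i += hexPair ? 2 : 1;  // skip the hex pair or the single escaped character
    }
    return false;
}

// Index of the first RDN (0 = leftmost) containing 0x0A, or -1 if none does.
int firstRdnWithLineFeed(const std::string& dn) {
    std::vector<std::string> rdns = splitRdns(dn);
    for (std::size_t i = 0; i < rdns.size(); ++i)
        if (hasLineFeed(rdns[i])) return static_cast<int>(i);
    return -1;
}

int main() {
    const char* dn = "CN=brian\\0a,CN=Computers,CN=briantest,CN=adamrocks";
    std::printf("first RDN with 0x0A: %d\n", firstRdnWithLineFeed(dn));
    return 0;
}
```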