joeware - never stop exploring...

A pretty common issue out there in the real world is an error of something like
“There are multiple accounts with name XXX/YYYYYYYYYY of type DS_SERVICE_PRINCIPAL_NAME” or maybe that last bit is “of type 10″
floating about.
The general guidance is to find the objects with the same SPNs and clean all but one of them up. [...]

I was recently pinged by a friend who had some consultants in at his company and the consultants I guess were going on about how the domain is the security boundary and it is perfectly safe/acceptable to have a bunch of child domains that are run by disparate groups of admins.
THIS IS INCORRECT!
It has ALWAYS [...]

Someone on ActiveDir Org (and actually the umich LDAP list) were asking about putting multivalued manager info into AD for dotted line reports. Active Directory’s manager attribute is single valued so this won’t work. You get one manager, have a nice day.
Well this someone wants MSFT to add this to their schema, it [...]

Back in May of last year I mentioned that Longhorn RODCs would have an issue with updating lastLogonTimeStamp. This was indeed the case at the time. I just wanted to revisit the topic and say that the DS team at MSFT realized that was a serious problem and put in some special functionality into Windows [...]

http://computerworld.co.nz/news.nsf/tech/99A7774F067EA284CC257474007C0076
 
Hewlett-Packard is working with Fusion-io to adapt the start-up’s high-performance, solid-state input/output storage technology to HP’s enterprise servers to improve their data access performance and energy efficiency.

…
“With our ioMemory architecture, we’re getting more than 200,000 IOPS within HP BladeSystem c-Class server blades today,” says Don Basile, Fusion-io’s chief executive officer. “So, working together with [...]

A friend of mine pinged me recently and asked
… can you think of way of determining with certainty that a DC was IFM promoted or not based on its DIT (logs are say long since retired)

I thought about this a moment,  furrowed my brow for another moment and then started down the path involving a [...]

Wow I went looking and actually found the SLIQ Major MUD scripts I talked about in the last post. Or at least I think I found most of them, even then I broke the stuff up into multiple files and modules.
I was poking around in one piece and found this section which was one [...]

So I am working on Active Roles Server (ARS for now on…) and ran into a little issue that had me thinking for a little bit…
The thing was that I needed to auto-generate the user name and it needed to be
[LASTNAME],[SPACE][FIRSTNAME][SPACE][INITIALS]
So for example, say I have John Q. Public the name attribute (aka cn [...]

So you will recall my previous post on AdFind and PowerShell using S.DS.Protocols…
If you read activedir.org you will know that I realized some odd things occurred… I didn’t want to post back here until I had some more understanding of what is going on but now almost 2 weeks later I still haven’t a [...]

So Brandon stepped up and did something I didn’t think anyone would step up and do… Start profiling and comparing the performance of PowerShell and .NET DS Protocols against a native App using the wldap32 LDAP library[1]. Brandon’s first blog entry on the topic is here - http://bsonposh.com/archives/325
While I am going to question Brandon’s testing [...]

A lot of times when people run into issues with LDAP based apps, one of the troubleshooting steps I recommend is to do a network trace and look at the LDAP traffic and then I hear… Hey, I try to but it looks like gibberish and WireShark says it can’t be decoded or something… By [...]

So I uninstalled Microsoft Expressions Web 1 and installed Microsoft Expressions Web 2 on my main workstation (SFMFXP32) this weekend. Then a familiar problem popped up which kind of ticks me off as I bugged this with Microsoft quite some time before and I know people have been complaining about it since at least 2006. [...]

I saw a posting that had a piece on AdFind at ActiveDir.org that made me want to post something to my blog here for anyone who doesn’t read ADOrg…
Basically one of the posters came up with a good way of setting local admin passwords on machines and part of the solution was to use adfind [...]

I was talking with a good friend this evening and he asked a question which I would normally consider trivial but the way he put it made me go, oh wow, put that way, that is kind of interesting… It should work the way you would intuit it to work…
The question was, how do I [...]

In one of my old posts (September 2005) I had some vbscript code to convert an octet string GUID to a friendly GUID string. Well I recently received an email from fellow MVP Michael Smith letting me know he found a bug and a new function that was corrected.
First thought in my mind was… NFW. [...]

In my previous article on DN formats (http://blog.joeware.net/2008/05/03/1226/) I talked about the various Base DN shortcut formats available and hinted that AdFind has some shortcuts of its own. To me these are all, well they aren’t even second nature because I use them almost exclusively. I am bringing it up because even people who use [...]

So Active Directory can do some cool things around distinguishedNames (DNs) that many developers even this long into the availability of the product don’t know or take advantage of. I mention this because yet again I ran into a case where some developer/application integrator was unhappy about how easy it is to move users around [...]

I know some of you may read that and choke on your bagel or candy bar or coke or whatever else you were shoving down your throat as you relaxed and sat back to read what I have to say today…
But I mean it!
I had an unfortunate issue where one of my virtual host servers [...]

I received the following email:
If I wanted to copy the IP Phone attribute of each user into Exchange Extension attribute13 for that user, would AdMod work?  and if so, can you point me to and example?

This is actually extremely easy with adfind and admod since I added the -adcsv capability… This is however where you [...]

This is a nice article on Active Directory Limits
http://technet2.microsoft.com/windowsserver/en/library/d2fc40d8-50ba-450c-959b-28fd7e31b9961033.mspx?mfr=true
 
Summary
Max Objects - 231 minus 255 or ~2.15 Billion or 2,147,483,394
Max SIDs - 230 or ~1 billion or 1,073,741,824
Max Group Membership for Security Principal - 1015 groups
Max FQDN Length - 64 characters
Max File Name Length - 260 characters [1]
Max OU Name Length - 64 characters
Max Group Policies [...]

Here is yet another reason why….
http://www.betanews.com/article/Bringing_down_the_cloud_HPs_Upline_down_for_a_third_of_its_life/1208893272
 
HP has not officially cited the reason for the service’s suspension, but in a comment to TechCrunch last Friday, member Ridz may have proven to have experienced Upline’s fatal flaw: His application was connecting him to another member’s account.

I learned this week that maybe one or more of my friends may have trouble with Hexadecimal… So to help out, I went and found this wikipedia article…
 
http://en.wikipedia.org/wiki/Hexadecimal
 

http://www.microcenter.com/single_product_results.phtml?product_id=0273266
 
$199.99
Product Specifications
Formatted Capacity1TB (1000GB)
Interface TypeSerial ATA-300
Buffer Size16MB
Spindle Speed (RPM)IntelliPower (5,400RPM to 7,200RPM)
Read Seek Time Average8.9 ms
Data Transfer Rate: Buffer to HostUp to 300MBps
Data Transfer Rate: Buffer to DiskUp to 1,156Mbps
Ports and Connectors7-pin Serial ATA Connector
Included SoftwareDrivers & Utilities
Manufacturer Warranty3 Year Limited Warranty

Well the bug in LiveWriter that I ran into in my last post about Security Descriptors got me to looking for a more recent version and what do you, they are now out of beta… So I have loaded the new version and here we go… Right off I can say this version starts up [...]

I hear this question all of the time… AdFind is cool, but can it display Security Descriptors in a friendly format… or more accurately most people say “can it display permissions in a way I can read??”
Well yes, AdFind can output security descriptors in a readable format, whether or not *you* can read it is, [...]

Will be in Vegas on March 22-25…

 
DEC 2009 Europe will be in Europe in September 2009.
 
Speaking of DEC Europe, how many people go to that that don’t go to DEC USA? And of those, how many are interested in having Dean and I run around saying hi? Not saying actually present, but [...]

A man with one watch knows what time it is; a man with two watches is never quite sure.
I was thinking of this quote the other day as I was trying to figure out what version(s) of the .NET framework were loaded on a Windows Server 2003 Server[1]. I had an application that said it [...]

This post brought to you by Colbie Caillat’s song Realize, Microsoft Windows Server 2008 Server Core,  and the letter Q.
 
I always end up rewriting code to parse CSV files in perl for some reason or another so I thought I would write it again and then post it here so when I don’t find it in my [...]

http://blogs.technet.com/askds/archive/2008/04/02/directory-services-debug-logging-primer.aspx

http://technet.microsoft.com/en-us/library/cc264463.aspx

At some ungodly hour on Monday March 3 (i.e. first day of DEC 2008) Brian Puhl sent this slide to show me that he was using my ADAM logo I created for DEC 2006… He googled (or maybe he lived) for an ADAM Logo and mine was one of the first hits… I love it.
 
 

http://www.shopping.hp.com/series/category/notebooks/dv2800tae_series/3/computer_store?jumpid=in_r329_personalization/browse1/SDP_SDP

This is a pretty cool idea…
 
http://msdn2.microsoft.com/en-us/security/bb896640.aspx

I don’t use it, don’t really intend to use it unless absolutely forced kicking and screaming to. Will not write a provider for AdFind nor AdMod nor any of my tools for it.
 
     love joe

Well I decided I would be a responsible OID holder and registered the OID that Microsoft gave to me several years ago…
http://www.oid-info.com/get/1.2.840.113556.1.8000.1420
 
Note that Microsoft no longer gives out OIDs like that. All done. They decided they didn’t want to be in that business and there were data privacy issues. So now they have a script [...]

I had someone ping me about replacing the target address on a bunch of contacts in a given OU with adfind/admod. This is actually a great use of those utilities and why I added the cool -adcsv functionality in… This used to be something that you had to script, no choice, but not now…
So the [...]

One of the top things I get “help me joda!” emails about is people trying to run my utilities and running into issues with strings with spaces and other special characters. These strings are handled in special ways by the command interpreter and when people think my programs are screwing up, it is actually just that [...]

Just found out the Dev for the Time Service at MSFT has a blog
http://blogs.msdn.com/w32time/

Ok I finally got this posted, it is in ppsx format. It seems to work great on Vista and occasionally does weird things on XP… I hate Office…
http://www.jadonex.com/comingsoon/
Note that unless you are a techy, primarily an Active Directory Techy, this probably isn’t going to appeal to you all that much.
 
 
 
Not sure on when Dean will [...]

Microsoft was required to publish a bunch of previously undocumented protocol stuff for Windows. If you haven’t peeked at it yet, you can find it here
 
http://msdn2.microsoft.com/en-us/library/cc203350.aspx
 
Lots of fun DS stuff as well as whole bunches of other stuff…

While working on the PPT Deck for DEC I was going through the slides that were put together almost entirely[1] by Dean and came across a slide on how to show container objectClass objects in the NEW context menu selection in ADUC - i.e. how to make it so you can create new container objects [...]

I have been pinged by someone in the US Army asking if the joeware utilities are DOD approved. I have no clue. I do know I get a lot of email from military and US Government folks about using the tools and how to do various things. I unfortunately though, don’t keep all of those [...]

http://www.efluxmedia.com/news_HD_DVD_Format_Game_Over_14113.html

I recenty wrote this paragraph below. The context is a discussion on mismanagement of Active Directory in Enterprise companies.
“In my dreams, one day, people will not consider AD a commodity or utility service. They will look at it as the integral piece of their corporate security and stability it truly is. AD often gets bumped [...]

Here are some cool techie propeller head things I have found recently. I am not endorsing them or saying I have used them, just found the links and they made me think hmmm, I need to check these out when I am not so busy and decided to share with all of you.
 
MSDN [...]

I didn’t dig into this but wanted to give a heads up that when I used Windows Update this evening to apply the latest patches to my main XP machine after the reboot it would no longer talk to the domain properly and hence unable to log into the machine with a domain ID. This [...]

Why is the Silverlight V1.0 install package coming down through Microsoft Update? Do any other companies get to send down IE plugins through Microsoft Update?
 
Just asking…
 
   joe

This laptop was shown at a “mobility” conference…
http://www.gizmodo.com.au/2007/05/hp_20inch_hdx_dragon_laptop_re.html
 
I don’t know about you, but I don’t feel lugging a 20″ flat panel with a full keyboard and media center remote around is mobile. Its more like transportable like the first Compaq portables (http://en.wikipedia.org/wiki/Compaq) which I can tell you from first hand experience were also not enjoyable [...]

Handy blog article for troubleshooting services provided by SVCHOST.
http://blogs.technet.com/ganand/archive/2007/12/23/how-to-isolate-a-service-in-its-own-scvhost-exe.aspx
It also links to
http://support.microsoft.com/kb/314056
 
Basically the idea is that some service executables have multiple services in them and they share a process when they start. There could be times you don’t want that to happen with SVCHOST because there is such a large number of arbitrary services [...]

So I spoke a little too early on my last blog post about my new Western Digital MyBook World Edition.
I ran into some huge issues with it, I haven’t gone looking for a firmware update yet but that is my next step. However, the issue I found shouldn’t be in any version of the product [...]