joeware - never stop exploring...

Information about joeware mixed with wild and crazy opinions…

1/6/2010

Nice…

by @ 6:41 pm. Filed under tech

Someone asked me a question at work today about PowerShell… yes, I know, silly silly people but I was a bit curious as well so I opened up the PSompt (hmmm PSPrompt… Command PS… P Prompt… PS Prompt… ) err whatever… I opened the Windows application that gives me an interactive PowerShell instance and typed

help import-csv

That gave me what I needed to answer the question that was asked so I responded to the question and said don’t ask me PowerShell questions ever again…

 

After that I noticed in the help where it said “RELATED LINKS” and it specified an online version. I thought that was quite cool, a link to the online assistance for a command right from the command line usage. That seemed very intelligent to me as it gave a location to go for quick help that could be more up to date or more fleshed out, etc. Then I thought, it would be really cool if you could ask for that help right from the command line… So without knowing if it would work or not I typed

help -online import-csv

and sure enough it popped an IE tab with the online help that was more fleshed out than the local usage.

I loved it. Great idea. I have filed that in the back of my head for future tools as well.

Anyway, I give Kudo’s where Kudo’s are due and definitely someone at MSFT who came up with that idea gets a Kudo. :)

   joe

10/1/2009

So I used Serverless Binding with ADSI (or .NET), now what DC am I talking to??

by @ 6:33 pm. Filed under tech

This is something that people occasionally want to do. There are two basic answers that I am aware of. The first I always remember right off since I am an LDAP API coder, is to look at the dnsHostName attribute of the rootdse of the server you are connected to. That is what AdFind and AdMod do when you see the lines

Using server: JOEWARE-DC1.joeware.local:389
Directory: Windows Server 2003

The other way which is ADSI specific and I spent an hour trying to recall today when asked is to use the ADSI GetOption method (IADsObjectOptions::GetOption) to retrieve the ADS_OPTION_SERVERNAME value. I actually have this in an example in my book that lists ACEs in an ACL.

Examples:

VBScript:

Const ADS_OPTION_SERVERNAME=0
'****************************************************************************
'Bind to object
'****************************************************************************
Out "Opening object - " & strLDAPPath
Set objObject = GetObject(strLDAPPath)
strDC = objObject.GetOption(ADS_OPTION_SERVERNAME)

PowerShell (no not me, Brandon gave this to me…)

$dcobject = [adsi]"$Ldap"
$dc = $dcobject.Invoke("GetOption",0)

[ Correction: Quick thanks to Mike for pointing out Brandon’s typo so I could correct it. Brandon obviously meant $dcobject= and not $object= in line 1. He is very sorry to everyone for the typo and he will buy you a cup of coffee the next time he sees you all.  ;o) ]

.NET (again not me, but from a post by Mr. DS.NET programming… Joe Kaplan)

const int ADS_OPTION_SERVERNAME = 0; 
object server = entry.Invoke("GetOption", new object[] {ADS_OPTION_SERVERNAME});

 

  joe

4/1/2009

Goodbye LDAP… joe enters the exciting field of Cybernetics, Robotics, and Artificial Intelligence Constructs

by @ 1:54 pm. Filed under humour

As some of you were witness at TEC 2009[1], I have put down my work on LDAP (since it’s a dead protocol and all…) and decided to enter the exciting field of Cybernetics, Robotics, and Artificial Intelligence Constructs. I was secretly testing my latest secret beta of the Tracy-bot artificial intelligence construct while attending TEC 2009.

While the sheer presence of the Tracy-bot in the technical sessions with a bunch of Nerds, Geeks, and other technical folks was enough to cause some folks to guess that it was an artificial construct, others needed to see the Tracy-bot getting drinks and snacks for myself and my friends as well as refusing to take money to go gamble to fully understand it was an artificial device. Still others were just standing around completely unaware and/or confused by the fact that the Tracy-bot was not human.

For those of you who didn’t realize that an artificial product was running around the conference, here is a picture of the secret beta product and possibly you will recall the artificial life form’s presence in several technical sessions at TEC 2009, including the Active Directory ESE (Extensible Storage Engine) session put on by none other than #2 of 6… Brett Shirley up to and including shouting out comments to have the presentation continue so Brett could show off his cool ESE Data Commit in Action Slide.

Tracy-bot with Bwandon


The Tracy-bot kernel is code complete. The product will not be released until there is a full Software Development Kit for complete customization via Perl scripting as well as many pluggable modules such as the Chess Expert Module, Dungeons and Dragons module, Face Book module, French Maid Module, Catholic School Girl Module, Lawn Mowing Module, Pole Dancing module, Back Scratching Module, as well as the very difficult to produce “Enjoying Watching Science Fiction Shows” module. I have completed several modules but have been having issues with the Sci-Fi shows module as it is still producing crashes and system hangs in the kernel software that result in a snore like sound output as well as unintended hand gestures that result in channel changing.

Please note that neither a .NET Framework interface nor a Power Shell provider will ever be built or supported for the Tracy-bot. The goal is to make sure the Tracy-bot doesn’t become bloated and non-performant and that requires careful programming with native code. The engine is based on the Windows Server 2008 R2 Server Core OS though a fully functional Microsoft Surface GUI not based on any .NET framework components nor Explorer has been produced and is going through intense acceptance testing. Virtual versions of the Tracy-bot are being considered for the Nintendo Wii and iPod Touch.

No requests for beta products will be accepted. This is a closed beta testing program. :)

  joe

 

[1] Note that this is NOT my wrap-up on DEC/TEC/Whatever, simply a quick comment on what was going on as I have received some email on the subject and people are concerned that good non-NET based tools will no longer be produced.

3/20/2009

DEC^H^H^HTEC is almost here…

by @ 2:08 pm. Filed under tech

So who is going to TEC? Excited yet? You should be, it will be fun. Personally, I can’t wait to hear Dmitri, Brett, and yes, even Dean, speak. Those guys are incredibly bright and just plain know a lot of stuff. The weather in Vegas is slated to be in the low 70’s and sunny. We missed the 80’s by a week unfortunately.

If you are sitting in the sessions and wondering what kind of questions you should be asking…

In the sessions on PowerShell and ADAC (or ADMUX if you prefer) ask why the PowerShell cmdlets aren’t using LDAP[1] which is already present on every single domain controller… But instead a brand new “Web” Service that runs on a Windows Server 2008 R2 Domain Controller. See

http://technet.microsoft.com/en-us/library/dd378937.aspx

http://technet.microsoft.com/en-us/library/dd391908.aspx

http://msdn.microsoft.com/en-us/library/dd303965(PROT.10).aspx

http://msdn.microsoft.com/en-us/library/dd304395(PROT.10).aspx

 

No, this doesn’t mean you need to load IIS on the DCs. It is another binary. And in fact it really doesn’t have any HTTP involvement and doesn’t run over port 80, it is just XML. Just to get that easy question out of the way… But maybe questions along the amount of network traffic may be good ones to ask about since XML is such a ‘sparse’ protocol compared to LDAP. Maybe if we are lucky we could get a demo (including network traffic comparison) of, say, dumping the email addresses for all users in a 50k user forest to a text file as done via LDAP and done through PowerShell using the AD Cmdlets. That is actually a test I have been wanting to do but haven’t had the opportunity to set up a 2008R2 DC to do the tests. If I could only just install the PowerShell AD cmdlets to test… ;)   Another interesting test of something that I just had to do at work yesterday in fact would be to dump the replication metadata value for the legacyExchangeDN attribute for all person objects in a 75k user forest[3]. I needed to see if the LEDN had gone through some mass change at some point so was interested in version numbers and originating write dates. I can’t say for sure what the network impact delta would be between these two types of requests but I could hazard a guess.

 

Don’t worry, one of the presenters of this info is my good friend Dean Wells formerly the Dean of the Dean and joe Show before he joined the dark side (<insert heavy breathing>I’m your father Lucas</heavy breathing>) and he actually enjoys audience participation versus just everyone sitting there dead silent. If you weren’t planning on attending that session… “What are you INSANE!”. You know Dean, he is easily, hands down, the best presenter I have ever seen. It may not be the most informative presentation of the whole conference (though it very well likely could be – I would say it would be but it isn’t the Dean and joe Show where we could pick any topics we wanted, the topic is constrained) but it will certainly be the most entertaining and energetic and fun presentation at the whole conference as Dean could present the phone book and have everyone trying to get him to do a second session[4]. If you can make him stutter or be unable to respond to a question, kudos to you because I just haven’t seen it happen. No fair asking him questions like “Do you still beat your maid that you snuck into the country illegally from Romania?” as that just isn’t nice and really, how do you answer that question without stuttering? No, err yes err… Err Romania?? Where’s that? Oh Maid?? I don’t have a maid! ;o)

 

Note that I am aware that Active Directory 4th Edition is now out on the book shelves and at Amazon. While I won’t be bringing any copies I think Brian may be bringing copies for purchase. I don’t believe he will have any to give out for free because unlike when AD3E came out, O’Reilly didn’t seem interested in giving copies out at DEC err darnit TEC[5].  I don’t mind signing the books however you probably really want Brian’s signature as he is the author for this version. He took what I did and extended it and chopped out a bunch of stuff that I wanted to chop out but wasn’t allowed to chop out. 

 

So if you are going to TEC/DEC/Whatever… Have a safe flight/drive/train trip/whatever. If you aren’t going… I’m sorry that sucks. I know the company I work for wasn’t interested in paying my way and I didn’t want to speak to have NetPro/Quest pay to get me out there so I took it as a vacation time and am paying for it. On reflection, it probably is silly of me not to speak but in all honesty, I don’t much like to do it unless I have something specific I need to say and I never have anything I need to say at DEC. I just go to meet the people and talk to folks about the issues they encounter to give me ideas on ways I can try to help. If you folks who attend DEC/TEC/Whatever think that had value, tell every NetPro/Quest person you run into that and maybe they will bring me out there just to chat with people like I usually do. Especially do that if you have in the past told the NetPro/Quest people that you wanted to meet me or came because of me or my blog.

I think though if next year I am taking my vacation at this time and I am paying for it, I should take it in the Bahamas and if someone happens to be there that is into Active Directory stuff then I can chat with them there. :)  

    joe

 

[1] Don’t worry, the Quest cmdlets for AD still use it though. So they will work against the various versions of AD without the need of a K8R2 DC with the Web Service loaded.

[2] That may or may not be a sarcastic comment. ;)

[3] adfind -gcb -f "&(objectcategory=person)(legacyexchangedn=*)" msDS-ReplAttributeMetaData;binary -mvfilter msDS-ReplAttributeMetaData=legacyexchangedn -csv

[4] Seriously, my opinion of Dean’s speaking ability is that high. Trust me on this, I had to try and speak after him in the same presentation and generally I consider myself to be a humourous interesting person to chat with, just not after Dean has been up there prancing around in his glory. ;o)

[5] Had NetPro/Quest/Whatever not changed the name of the conference, who knows, O’Reilly might have given out some free copies… Now instead they hear, free books for TEC? Why? Now DEC, that we would give out free books at… (Man I am on a roll today!)

3/5/2009

Thanks to Active Directory Product Group and MVP Program and Thanks to my friends Dean/Erika for their hospitality

by @ 9:24 am. Filed under general

I just wanted to take a moment to send out a general thanks to the Active Directory Product Group at Microsoft. I always enjoy seeing the team as a whole but really enjoy the individual talk time with the PM’s and Devs even more. My favorite time for this summit was the open session where we got to sit and discuss the Recycle Bin feature stuff with Tim and Stephanie. Not because I think it is the only cool feature or anything, but because I really enjoyed the open discussion and it was nice to learn the technical details behind a feature that has been so long in coming. 

Uday and Moon, your presence was missed. Also I will miss seeing a large portion of the DS Team at DEC/TEC… Unfortunately it seems only a few of the DS Team will be able to make it to DEC/TEC due to budget cutbacks at MSFT. This is unfortunate because I often hear from the attendees that they really appreciate the availability of the Microsoft DS Team resources at DEC to respond to questions and hear feedback. Since this is the only conference with solid real deep focus on the DS pieces this is the best conference for Microsoft to send those resources but someone at some level doesn’t seem to understand that.

It was odd having my good friend Dean over on the other side of the fence as a Microsoft employee but I think it was good and he did Microsoft proud. I had a lovely time visiting with him and his wife (hmmm good meatballs) and awesome son (Hello Lucas… volcano!!!).

Just a quick FYI for those who kept asking me… The fact that Dean is working on PowerShell a lot now is not going to sway my opinion on it. Again, sorry to all those who asked me that specific direct question… but no. Not even for Dean. :) I will or will not use PowerShell when it becomes compelling specifically for me to use. This isn’t to say it isn’t the right answer for others, but that is for each individual to decide. I doubt there is anything that can be presented or said in a single presentation that could get any serious folks to just jump whole hog, this will be something admins choose to do or not based on their own thoughts, needs, and preferences. I found it odd when asked by some of the PM’s if I was just all of a sudden going to change my mind on it because of a good presentation. Does anyone make up their mind on whether they will change directions based on a good presentation? Once I need to do something that isn’t truly feasible for me to do (by my definition, no one else’s) in perl or command line tools that I have or can write, I will maybe look in that direction. More on the PowerShell stuff and specifically the DS Team’s AD and ADAM cmdlets for PowerShell in a later blog post.

 

Also a general thanks to the overall MVP program for having the Global Summit. It is always useful to me and this year by moving the Executive presentations to the end it really made me feel like my time was used well.

 

   joe

2/7/2009

More AdFind V01.40.00 sneak peek…

by @ 6:48 pm. Filed under tech

Back on Jan 21 I tipped my hand on a new capability in AdFind which for many people is extremely exciting based on the feedback in my inbox. To refresh your memory, that was the ability for AdFind to take in a list of Base DN’s to execute queries against. For short we will say piping AdFind into AdFind though you could, if for whatever reason gripped you, pipe dsquery into AdFind.

Well in a follow up conversation with my friend and co-Author Brian Desmond, he asked “How do I pipe DNs from AdFind into AdFind and then get counts for the number of users under each of those DN’s?” My response was… well you can’t. The whole counting mechanism is based on the number of objects AdFind returns period… But then I thought, I hacked in CSV when I didn’t think I could… then I hacked in the piping in multiple DNs when I didn’t think I could, let me give this a try before totally saying no… So voila, a new switch because you just know there aren’t enough switches in AdFind yet…. The new switch is -ic… where -c stands for count, -ic stands for intermediate count… That lets you do something like….

G:\>adfind -default -f ou=* -dsq | adfind -sc adobjcnt:user

AdFind V01.40.00cpp **BETA** Joe Richards (joe@joeware.net) February 2009

Using server: r2dc1.test.loc:3268
Directory: Windows Server 2003

BaseDN: OU=CharTests,OU=TestOU,DC=test,DC=loc
1 intermediate objects returned

BaseDN: OU=createtest,OU=TestOU,DC=test,DC=loc
10 intermediate objects returned

BaseDN: OU=Deleted,OU=XXXTest,DC=test,DC=loc
0 intermediate objects returned

BaseDN: OU=XXXTest,DC=test,DC=loc
0 intermediate objects returned

BaseDN: OU=Domain Controllers,DC=test,DC=loc
0 intermediate objects returned

BaseDN: OU=Email,OU=My,DC=test,DC=loc
1 intermediate objects returned

BaseDN: OU=GPOTest,OU=TestOU,DC=test,DC=loc
0 intermediate objects returned

BaseDN: OU=Groups,OU=My,DC=test,DC=loc
0 intermediate objects returned

BaseDN: OU=Groups,OU=TestOU,DC=test,DC=loc
0 intermediate objects returned

BaseDN: OU=HideTest,OU=TestOU,DC=test,DC=loc
0 intermediate objects returned

BaseDN: OU=joeperm,OU=TestOU,DC=test,DC=loc
0 intermediate objects returned

BaseDN: OU=My,DC=test,DC=loc
0 intermediate objects returned

BaseDN: OU=oneleveldown,OU=createtest,OU=TestOU,DC=test,DC=loc
1 intermediate objects returned

BaseDN: OU=Outlook,OU=TestOU,DC=test,DC=loc
0 intermediate objects returned

BaseDN: OU=permtest,OU=TestOU,DC=test,DC=loc
2 intermediate objects returned

BaseDN: OU=PoSTest,DC=test,DC=loc
700001 intermediate objects returned

BaseDN: OU=Skip,OU=TestXXX,OU=XXXTest,DC=test,DC=loc
1 intermediate objects returned

BaseDN: OU=TestXXX,OU=XXXTest,DC=test,DC=loc
4 intermediate objects returned

BaseDN: OU=TestDisable,OU=XXXTest,DC=test,DC=loc
0 intermediate objects returned

BaseDN: OU=TestOU,DC=test,DC=loc
6 intermediate objects returned

BaseDN: OU=Users,OU=My,DC=test,DC=loc
2 intermediate objects returned

BaseDN: OU=Users,OU=TestOU,DC=test,DC=loc
10 intermediate objects returned

700039 Objects returned

Anyone think that is pretty handy??? If so, you can thank Brian, he asked the right question at the right time… I modified the adobjcnt shortcut such that when it detects it is in multi-DN mode it will also insert the -ic switch as well as set the search scope to one-level. If you wanted counts of all of the users in each OU but you wanted the counts to roll up to the higher OU’s as well you would simply add the -s sub or -s subtree switch to your command.

But then I thought, while that is useful, it would be even more useful if I could somehow get that in a CSV format so I could use this more easily from scripts when trying to get a snapshot of an environment… I looked and there was just no way I could get it into the CSV code path. When you do CSV the whole counting section isn’t used and even if it were, it is outside of the location where the CSV code is and in order to try and get it in there would cause me to use some wholly unnatural global variables and other things that just made me go, no, I will not go there, that is too ugly, too inelegant… I know I do some bad things in code, but I don’t want to do THAT bad of things in code.

All hope is not lost however. I decided to add… yes… another switch. I know I know, another one truly isn’t needed but I wanted this functionality and if you don’t like it, just ignore the fact that it is there. This switch is not a very flexible switch, there are no modifiers for it. It is called -ictsv and it simply takes the -ic output and makes it into a TAB Delimited format output. This isn’t going to be tweaked to allow different delimiters or anything like that. It is a hack completely outside the normal CSV routines which have all that flexibility. I chose tab delimited because DNs have commas and it is unlikely (impossible? I don’t know, didn’t test) to see a tab in a DN and to be honest, I like tab delimited output. I usually use TABs for my delimiters for CSV output. Anyway that output looks like…

G:\>adfind -default -f ou=* -dsq | adfind -sc adobjcnt:user -ictsv
OU=CharTests,OU=TestOU,DC=test,DC=loc   1
OU=createtest,OU=TestOU,DC=test,DC=loc  10
OU=Deleted,OU=XXXTest,DC=test,DC=loc 0
OU=XXXTest,DC=test,DC=loc    0
OU=Domain Controllers,DC=test,DC=loc    0
OU=Email,OU=My,DC=test,DC=loc   1
OU=GPOTest,OU=TestOU,DC=test,DC=loc     0
OU=Groups,OU=My,DC=test,DC=loc  0
OU=Groups,OU=TestOU,DC=test,DC=loc      0
OU=HideTest,OU=TestOU,DC=test,DC=loc    0
OU=joeperm,OU=TestOU,DC=test,DC=loc     0
OU=My,DC=test,DC=loc    0
OU=oneleveldown,OU=createtest,OU=TestOU,DC=test,DC=loc  1
OU=Outlook,OU=TestOU,DC=test,DC=loc     0
OU=permtest,OU=TestOU,DC=test,DC=loc    2
OU=PoSTest,DC=test,DC=loc       700001
OU=Skip,OU=TestXXX,OU=XXXTest,DC=test,DC=loc      1
OU=TestXXX,OU=XXXTest,DC=test,DC=loc      4
OU=TestDisable,OU=XXXTest,DC=test,DC=loc     0
OU=TestOU,DC=test,DC=loc        7
OU=Users,OU=My,DC=test,DC=loc   2
OU=Users,OU=TestOU,DC=test,DC=loc       10

Pretty cool huh… Anyone think that is handy? If so… well you are welcome… But something still bothers me about that output… Anyone else bothered by it? It could be just me but I kind of like seeing things that normally have a hierarchical form to be displayed that way. I don’t mean in the white space, but instead, I mean I don’t want to see something like

OU=Outlook,OU=TestOU,DC=test,DC=loc     0
OU=permtest,OU=TestOU,DC=test,DC=loc    2
OU=TestOU,DC=test,DC=loc        7

I want to see the TestOU first and then its sub-OU’s after… I tried modifying my search to see if I could force AD to return the info in that order but quite frankly, AD truly isn’t hierarchical, it just appears that way. It is actually a flat database. The idea of hierarchy is imposed on it for LDAP purposes. So I thought, I really need to do something about this… This will drive me nuts. However, trying to retrieve all of the information and maintain it in memory so I can then sort it is ridiculous, might as well just write this thing in PowerShell or .NET… (count it…) if I do it in such a silly way… Then I thought, wait, I already have what I need in memory to sort it hierarchically after the DNs have been piped in so I added, yes thank you, another switch called -stdinsort. Why did I do this with a switch? Because I didn’t want to assume someone would want it sorted like I would and I didn’t want to assume I would always want it sorted. Also I wanted to give myself the ability to sort it hierarchically as well as alphabetically both case sensitive and case insensitive, so it is a switch with a default sort order of hierarchical but you can add cialpha or csalpha to get the other types of sort… Now that output looks like

G:\>adfind -default -f ou=* -dsq | adfind -sc adobjcnt:user -ictsv -stdinsort
OU=Domain Controllers,DC=test,DC=loc    0
OU=My,DC=test,DC=loc    0
OU=Email,OU=My,DC=test,DC=loc   1
OU=Groups,OU=My,DC=test,DC=loc  0
OU=Users,OU=My,DC=test,DC=loc   2
OU=PoSTest,DC=test,DC=loc       700001
OU=TestOU,DC=test,DC=loc        7
OU=CharTests,OU=TestOU,DC=test,DC=loc   1
OU=createtest,OU=TestOU,DC=test,DC=loc  10
OU=oneleveldown,OU=createtest,OU=TestOU,DC=test,DC=loc  1
OU=GPOTest,OU=TestOU,DC=test,DC=loc     0
OU=Groups,OU=TestOU,DC=test,DC=loc      0
OU=HideTest,OU=TestOU,DC=test,DC=loc    0
OU=joeperm,OU=TestOU,DC=test,DC=loc     0
OU=Outlook,OU=TestOU,DC=test,DC=loc     0
OU=permtest,OU=TestOU,DC=test,DC=loc    2
OU=Users,OU=TestOU,DC=test,DC=loc       10
OU=XXXTest,DC=test,DC=loc       0
OU=Deleted,OU=XXXTest,DC=test,DC=loc    0
OU=TestDisable,OU=XXXTest,DC=test,DC=loc        0
OU=TestXXX,OU=XXXTest,DC=test,DC=loc    4
OU=Skip,OU=TestXXX,OU=XXXTest,DC=test,DC=loc    1

Much better… ;o)

This and more in the new version of AdFind… AdFind V01.40.00 is expected to emerge from the cocoon on Feb 13, 2009.

     joe
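The hierarchical ordering shown in the -stdinsort output above can be reproduced on saved -ictsv output by sorting on each DN's RDNs read from the root downward. This is an added example, not AdFind's code: the function names, the sample rows (taken from the output above plus one constructed DN with an escaped comma) and the roll-up helper are assumptions, and the roll-up is only correct when every container that holds users appears in the input.

```python
# Added example (not AdFind source): hierarchical sort and roll-up of
# "DN<TAB>count" lines such as those produced by -ictsv.

# Sample rows: counts copied from the post's output, plus one constructed
# row (Sales\, EMEA) to exercise an escaped comma inside an RDN.
SAMPLE = (
    "OU=Outlook,OU=TestOU,DC=test,DC=loc\t0\n"
    "OU=permtest,OU=TestOU,DC=test,DC=loc\t2\n"
    "OU=TestOU,DC=test,DC=loc\t7\n"
    "OU=createtest,OU=TestOU,DC=test,DC=loc\t10\n"
    "OU=oneleveldown,OU=createtest,OU=TestOU,DC=test,DC=loc\t1\n"
    "OU=My,DC=test,DC=loc\t0\n"
    "OU=Users,OU=My,DC=test,DC=loc\t2\n"
    "OU=Sales\\, EMEA,OU=My,DC=test,DC=loc\t3\n"
)


def split_rdns(dn):
    """Split a DN into RDNs on unescaped commas (backslash escapes the next char)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def hier_key(dn):
    """Root-first, case-insensitive RDN tuple; a parent sorts before its children."""
    return tuple(r.lower() for r in reversed(split_rdns(dn)))


def parse_ictsv(text):
    """Parse tab-delimited lines into (dn, count) pairs, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        dn, _, count = line.rpartition("\t")
        rows.append((dn.strip(), int(count)))
    return rows


def sort_hierarchical(rows):
    """Order rows so each OU is followed directly by its sub-OUs."""
    return sorted(rows, key=lambda row: hier_key(row[0]))


def rollup(rows):
    """Subtree totals from one-level counts: own count plus all descendants'."""
    keys = {dn: hier_key(dn) for dn, _ in rows}
    totals = {}
    for dn, _ in rows:
        k = keys[dn]
        totals[dn] = sum(c for d, c in rows if keys[d][:len(k)] == k)
    return totals


if __name__ == "__main__":
    rows = sort_hierarchical(parse_ictsv(SAMPLE))
    totals = rollup(rows)
    for dn, count in rows:
        print(f"{dn}\t{count}\t{totals[dn]}")
```
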

10/7/2008

I code… therefore I am

by @ 10:42 pm. Filed under general

I am finally writing code again… I am happy about that because I was effectively not coding for over a year. Yes, for over a year, almost 15 months actually. That is a long time for me not to write code because it is one of my main creative outlets.

I will be releasing one of the tools because it is an update to GCChk. When I originally wrote GCChk I thought about allowing you to specify the DCs to use to check and then decided that AD is probably better at picking the DCs to use than most admins and didn’t allow you to specify the DCs. Well my good friend Guido ran into an issue that was a perfect example of why you may need to specify a DC to use to do the check. He actually needed to check one GC against the partitions on another GC. Now this normally wouldn’t be a good idea because you should probably check against a writeable partition as it would be considered a bit more authoritative but Guido was in a position where he didn’t have network access to a writeable DC for the partitions he was checking due to the network configuration. The ONLY way to check for lingering objects would be to daisy chain from the writeable to the closest GC to the next closest GC etc all the way to the end of the WAN. The MSFT lingering object check in repadmin just can’t do it and trying to get that updated to do that would take an OS release and Guido was on a project that needed a very troubled forest checked out and fixed quickly. I couldn’t help him with correcting the issues, but I could help him out with identifying GCs and their specific issues. And so I updated GCChk to allow specifying GCs for the comparison. Again that will be uploaded in the next few weeks.

 

And the second tool I worked on was a complete surprise for me…. This one I had to work on for my day job so obviously I will never be releasing it. It is… yes wait for it… a C# utility… Yes I wrote my first .NET program. I will admit it was better than I expected but at the same time it was worse. The ".NET is so intuitive and easy" really wasn’t the case, at least not for me. And System.DirectoryServices has some serious issues and bad assumptions. I know I know Eric and JoeK and BrianD and everyone else who told me to use System.DirectoryServices.Protocols. Next time I play with .NET, I will do so. But I think it was good for me to see what most people who jump into .NET (and PowerShell) are likely going to use for directory access and I feel for them. I will try to write a blog or two on a few things that I found to be really annoying and/or bad.

8/11/2008

UpToDateness Vector (UTDV)

by @ 5:04 pm. Filed under tech

Brandon posted recently about the UTDV and how to get it in PowerShell. As he mentions in the blog post some chatter on AD Org got him and me going down another road in an offline email stream. This resulted in him finding a .NET method to get this over his really painful way he was doing it. However, one of the things I told him about that he neglected to mention in his post is that you really don’t need any fancy .NET methods, this data is available in a simple query response from AD. You simply need to ask for the right attribute….

Specifically you need to ask for msDS-NCReplCursors when querying the NC Head that you care about…

For example to get the info for my default domain on my default domain controller…

G:\>adfind -default -s base msDS-NCReplCursors

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: r2dc1.test.loc:389
Directory: Windows Server 2003
Base DN: DC=test,DC=loc

dn:DC=test,DC=loc
>msDS-NCReplCursors: <DS_REPL_CURSOR>
        <uuidSourceDsaInvocationID>a34ea639-dd63-4ce8-a1c2-3ecdebd0519d</uuidSourceDsaInvocationID>
        <usnAttributeFilter>2132842</usnAttributeFilter>
        <ftimeLastSyncSuccess>2008-08-11T21:00:25Z</ftimeLastSyncSuccess>
        <pszSourceDsaDN>CN=NTDS Settings,CN=R2DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=loc</pszSourceDsaDN>
</DS_REPL_CURSOR>

>msDS-NCReplCursors: <DS_REPL_CURSOR>
        <uuidSourceDsaInvocationID>4dd96a30-d20d-4b40-bd83-556c172b8d37</uuidSourceDsaInvocationID>
        <usnAttributeFilter>3158745</usnAttributeFilter>
        <ftimeLastSyncSuccess>2008-08-11T20:52:44Z</ftimeLastSyncSuccess>
        <pszSourceDsaDN>CN=NTDS Settings,CN=TEST-DC1,CN=Servers,CN=secondsite,CN=Sites,CN=Configuration,DC=test,DC=loc</pszSourceDsaDN>
</DS_REPL_CURSOR>

>msDS-NCReplCursors: <DS_REPL_CURSOR>
        <uuidSourceDsaInvocationID>47e66f05-61fa-4bff-88e1-2a62b5ef8289</uuidSourceDsaInvocationID>
        <usnAttributeFilter>719116</usnAttributeFilter>
        <ftimeLastSyncSuccess>2007-05-16T18:47:55Z</ftimeLastSyncSuccess>
        <pszSourceDsaDN></pszSourceDsaDN>
</DS_REPL_CURSOR>

>msDS-NCReplCursors: <DS_REPL_CURSOR>
        <uuidSourceDsaInvocationID>343d88a0-0fef-4df2-ac7c-151aa3106a68</uuidSourceDsaInvocationID>
        <usnAttributeFilter>13177</usnAttributeFilter>
        <ftimeLastSyncSuccess>2006-07-15T13:43:49Z</ftimeLastSyncSuccess>
        <pszSourceDsaDN></pszSourceDsaDN>
</DS_REPL_CURSOR>

1 Objects returned

 

That will work from any LDAP query tool you want to use… And if you want this in a slightly nicer way and are willing to use AdFind you can do this

G:\>adfind -default -s base msDS-NCReplCursors;binary

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: r2dc1.test.loc:389
Directory: Windows Server 2003
Base DN: DC=test,DC=loc

dn:DC=test,DC=loc
>msDS-NCReplCursors;binary:      13177 2006/07/15-09:43:49      DeletedDSA
>msDS-NCReplCursors;binary:     719116 2007/05/16-14:47:55      DeletedDSA
>msDS-NCReplCursors;binary:    3158745 2008/08/11-16:52:44      secondsite\TEST-DC1
>msDS-NCReplCursors;binary:    2132849 2008/08/11-17:02:11      Default-First-Site-Name\R2DC1

1 Objects returned

 

That is a bit cleaner to look at IMO. It also takes less data on the wire and less work on the Domain Controller as it comes over in a BLOB that I know how to decode.

 

   joe
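Because the XML form of msDS-NCReplCursors comes back from any LDAP query tool, it can be post-processed without AdFind's binary decode. The following is an added example, not code from the post or from AdFind: it parses saved XML values (three of the four values from the output above), labels each cursor the way the ;binary output does, and flags live source DSAs whose last successful sync is older than a threshold. The function names and the 10-minute threshold are assumptions, and the DN split assumes no escaped commas in server or site names.

```python
# Added example: parse msDS-NCReplCursors XML values and flag lagging sources.
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Three of the values from the AdFind output in the post.
SAMPLE = """\
dn:DC=test,DC=loc
>msDS-NCReplCursors: <DS_REPL_CURSOR>
        <uuidSourceDsaInvocationID>a34ea639-dd63-4ce8-a1c2-3ecdebd0519d</uuidSourceDsaInvocationID>
        <usnAttributeFilter>2132842</usnAttributeFilter>
        <ftimeLastSyncSuccess>2008-08-11T21:00:25Z</ftimeLastSyncSuccess>
        <pszSourceDsaDN>CN=NTDS Settings,CN=R2DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=loc</pszSourceDsaDN>
</DS_REPL_CURSOR>

>msDS-NCReplCursors: <DS_REPL_CURSOR>
        <uuidSourceDsaInvocationID>4dd96a30-d20d-4b40-bd83-556c172b8d37</uuidSourceDsaInvocationID>
        <usnAttributeFilter>3158745</usnAttributeFilter>
        <ftimeLastSyncSuccess>2008-08-11T20:52:44Z</ftimeLastSyncSuccess>
        <pszSourceDsaDN>CN=NTDS Settings,CN=TEST-DC1,CN=Servers,CN=secondsite,CN=Sites,CN=Configuration,DC=test,DC=loc</pszSourceDsaDN>
</DS_REPL_CURSOR>

>msDS-NCReplCursors: <DS_REPL_CURSOR>
        <uuidSourceDsaInvocationID>47e66f05-61fa-4bff-88e1-2a62b5ef8289</uuidSourceDsaInvocationID>
        <usnAttributeFilter>719116</usnAttributeFilter>
        <ftimeLastSyncSuccess>2007-05-16T18:47:55Z</ftimeLastSyncSuccess>
        <pszSourceDsaDN></pszSourceDsaDN>
</DS_REPL_CURSOR>
"""

# Each attribute value is its own small XML document, so extract them one by one.
CURSOR_RE = re.compile(r"<DS_REPL_CURSOR>.*?</DS_REPL_CURSOR>", re.S)


def source_label(dsa_dn):
    """Return 'site\\server' for an NTDS Settings DN, 'DeletedDSA' when it is empty."""
    if not dsa_dn:
        return "DeletedDSA"
    # Expected layout: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
    values = [rdn.partition("=")[2] for rdn in dsa_dn.split(",")]
    if len(values) < 4:
        return dsa_dn
    return f"{values[3]}\\{values[1]}"


def parse_cursors(text):
    """Parse every DS_REPL_CURSOR fragment in text into a dict."""
    cursors = []
    for frag in CURSOR_RE.findall(text):
        node = ET.fromstring(frag)
        stamp = node.findtext("ftimeLastSyncSuccess", "").strip()
        cursors.append({
            "invocation_id": node.findtext("uuidSourceDsaInvocationID", "").strip(),
            "usn": int(node.findtext("usnAttributeFilter", "0")),
            "last_sync": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
                                 .replace(tzinfo=timezone.utc),
            "source": source_label((node.findtext("pszSourceDsaDN") or "").strip()),
        })
    return cursors


def lagging(cursors, now, max_age):
    """Live source DSAs whose last successful sync is older than max_age."""
    return [c for c in cursors
            if c["source"] != "DeletedDSA" and now - c["last_sync"] > max_age]


if __name__ == "__main__":
    now = datetime(2008, 8, 11, 21, 5, 0, tzinfo=timezone.utc)  # constructed "now"
    parsed = parse_cursors(SAMPLE)
    for c in sorted(parsed, key=lambda c: c["usn"]):
        print(f'{c["usn"]:>10} {c["last_sync"]:%Y/%m/%d-%H:%M:%S}Z  {c["source"]}')
    for c in lagging(parsed, now, timedelta(minutes=10)):
        print("lagging:", c["source"])
```
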

7/17/2008

Will I or won’t I be an MVP for another year?

by @ 10:34 pm. Filed under general

Well my MVP lead is already asking for the year’s accomplishments to determine if I have been helpful enough to receive the MVP designation another year. I have to say this is absolutely the earliest this has happened in the ummmm 6, 7, or 8 years that I have been an MVP. It usually happens in mid September or so, I would kind of expect it to happen at the end of August or beginning of September which puts it close to the one year mark but gives enough time to figure things out but kudos to Ali (the new lead) for jumping out there and trying to dig up what I have thrown down in the last year already.

So thoughts from all of you? Should I be a Microsoft MVP for another year? Now for the tricky part… If the answer is no, what can I do to improve? And Brandon and you other PowerShell Zealots the answer to that is NOT “write a PowerShell Provider for AdFind” nor even “Start doing everything in PowerShell”. ;)

The first few years I really didn’t care if I was an MVP or not. Didn’t much matter to me. But over the years I have built up some fantastic relationships with many folks in Redmond on the product teams where I can give direct feedback and often they approach me up front for feedback which I always enjoy and always try to accommodate. Also the source code access is very cool and is extremely helpful in helping people out when they run into issues. I can’t count the number of times someone has described an issue and given me a DSID that I looked up and quickly determined what the issue was for them without hassle and fuss.

So anyway, I hope to hear in October that I have made it another year as an MVP. We shall see. :)

6/28/2008

PowerShell

by @ 12:56 pm. Filed under quotes

“PowerShell is the COBOL of the scripting world. In that I mean as you type out what you need to do your fingers actually get tired. Powerful no doubt, but it will require most PowerShell scripters to buy a gripmaster to build up finger strength for those marathon scripting sessions or more likely, there will be a good market for autocomplete IDEs for writing PoS code.” 

6/19/2008

Scripting / SysAdmin Meme

by @ 10:29 pm. Filed under general

Well Darren has effectively said “Tag, you’re it” for this Scripting/Sysadmin Meme that is going around. I kind of liken this to the emails that say send this to 7 of your friends immediately but since I am not actually forwarding it, you have to come to me to read it, I will play.

 

How old were you when you started using computers?

I was 12 and I believe I was in 7th grade when I first started playing with computers.  

 

What was your first machine?

The first computer I used was a Commodore PET with cassette tape storage. It was in Manton Consolidated School’s Library. The first computer my parents owned that I played on was an Atari 800 which I believe I still have a book on programming the graphics for. Although we had that machine I believe I had begged and begged for a TI-99 before that. Also mixed up in there in my playing were an Apple II and the Tandy TRS-80 Model II and the first multi-user computer I used was a PDP-11/34 running RSTS/E 7.2.

 

What was the first real script you wrote?

I started with writing compiled and assembled languages. I had all of these languages down before writing my first script – BASIC, BASIC-PLUS, BASIC-PLUS-2, FORTRAN, COBOL, PL-1, Pascal, Assembler for like 3 or 4 different processor architectures, MACRO Assembler for PDP-11, and C back when I was still in High School.

I didn’t get too involved with scripting until I started playing a MUD in the mid-90’s called MajorMUD and then I used Qmodem Pro’s SLIQ Scripting language to write scripts that would run my characters around killing monsters and picking up cash and weapons. That was the first major script I wrote for anything and was thousands of lines (I wonder if I still have that around) and could handle nearly everything in the game and used text files for directions for easy updates. It was very cool as it allowed for two characters to work together (which I called tag teaming script) which was immensely better than just a single character running around scripting. I actually was able to sell copies of the compiled version to other players of the game. If anyone that used to play MajorMUD is reading this, my characters were Slayer Cricket which was an Ogre Witch Hunter and Hunter Cricket which was a Human Paladin (colloquially known as Hunter and Slayer). The scripts would talk to each other by passing text messages back and forth through a MUD private chat channel.

The first real scripting I did “professionally” was REXX and Perl back in the late-90’s (1996 or so).

 

What scripting languages have you used?

DOS batch, Fastlane FINAL (dabbled), REXX, Perl, VBScript, JScript, SLIQ, and I have dabbled with PowerShell because I have had to occasionally. ;)   Out of the bunch, I find Perl to be by far what I prefer.

 

What was your first professional sysadmin gig?

Well I ran the PDP-11 at my high school which was kind of a real job though I didn’t get paid. Didn’t matter, that system had to be up and running and if it wasn’t, it was my ass. After that when I was about 17 and still in high school I got a job working for a company called Automated Tracking Systems which processed insurance info for GMAC loans and issued MIC insurance for anyone who didn’t have any insurance. It was an interesting job as we would get Mag Tapes from EDS and you never knew what format those things would be coming in as, it was all over the map. The job was as weekend operator. I worked 24 hours over Sat/Sun making sure PDP-11’s and VAXes ran ok processing loan tapes and doing other batch jobs. Mostly I slept and wrote code (MACRO Assembler and Basic-Plus II) to do system chores.

 

If you knew then what you know now, would you have started in IT?

Yes I think so. I would have started earlier and not taken the time off that I did and I very likely would be retired right now just sitting back having fun writing code and enjoying life a little more. While I started early, I took large blocks of time (years) off from the tech field as it kept burning me out and went out and explored the world a little doing sales, etc. I certainly would have started something joeware “like” much sooner and would have pushed harder to make it commercial as it is tougher to do now with the little time I have. I also wouldn’t have wasted my time and money going to University/College.

 

If there is one thing you learned along the way that you would tell new sysadmins, what would it be?

Share information. Information hoarded is ridiculous. I laugh when I see people in IT who think they are important because they are the only ones who know how to do this that or the other thing. I am very quick to tell people how to do things or at least help them learn things so I can move on and do other things. Who wants to be stuck doing the same thing over and over again. Also… Never stop exploring. :)

 

What’s the most fun you’ve ever had scripting?

Well for pure fun, it was the MUD scripts I wrote. It was a huge challenge trying to make the computer “think” for me when I was off working so that my characters would get money, weapons, experience points and stay alive. People constantly would attack the scripts and try to trick you, etc. My scripts would play a song anytime they “bugged out” when there was too much danger of dying or something unexpected and therefore unhandled occurred…. the song… Blue Oyster Cult’s Don’t Fear The Reaper. :)   Just hearing the opening bars will make the hair on my arms stand upright and wake me up instantly because usually when I heard that it meant that someone was attacking my characters and I might be dead. I recall the Hunter and Slayer scripts running on my Packard Bell computer while I slept in the next room the song would pop on and I would be flying out of bed before it got 15 notes into the song.

As for “real” scripts I would say I had a blast writing scripts for Ford Credit when I worked there. We implemented SMS replacements in perl as well as all sorts of other things.

 

Who am I calling out?

Eric Fleischman

Brett Shirley

Brian Desmond

Joe Kaplan

Gil Kirkpatrick

Laura Hunter

Nathan Muggli

6/18/2008

PowerShell + S.DS.Protocols Versus AdFind Redux… Sorta

by @ 10:24 pm. Filed under tech

So you will recall my previous post on AdFind and PowerShell using S.DS.Protocols…

If you read activedir.org you will know that I realized some odd things occurred… I didn’t want to post back here until I had some more understanding of what is going on but now almost 2 weeks later I still haven’t a clue what is going on. I wanted to respond though. Admittedly the weather has been pretty nice here lately so I haven’t been playing computer geek as much as I did on the 9th when we had tornadoes whistling around the area (don’t worry, closest that got to me was about 3 miles away, so plenty of safety margin).

Basically the problem is that I have one PowerShell window that is performing like complete crap for the test script, and other Windows I open even though I seem to configure them similarly perform fine normally. I have been able to cause them to slow down a little by running the same commands over and over and watching it suck up silly amounts of memory but haven’t gotten it to slow down to the point the first window slows down. This really bothers me, I hate inconsistency. It throws all sorts of doubt on testing and what you have in front of you.

Interestingly running AdFind out of the two PowerShell windows results in identical performance, it is entirely within the realm of the PoS Scripts and .NET. But what? ~Eric suggested using some CLR profiler application but it apparently can’t profile something that is already running, you have to launch it with the profiler and unfortunately, my screwed up PoS window is already running.

Looking at the two Windows now, the PoS window that is “acting up” in which I just reran the test script to make sure it is still screwing up and that is all it has done in a couple of days is sitting there sucking up 140MB of RAM. The other PoS window is using a “paltry”[1] 14MB[2].

When running in these “other” windows, the performance of PowerShell with the script is within 25% of AdFind. This is much closer to what I was expecting when I first tested it. The processor utilization of the “good” window is considerably less than what I saw with the “bad” window. Better actually than I expected out of PoS which is good. Network utilization is also much closer to AdFind which is what I expected; it’s the same data coming over the wire.

Again, I have no clue why that one PoS window is being troublesome, sorry. No answers here for you on that.

So anyway, oddness aside, I wanted to comment on each of the points from before.

1. Testing Methodology

I didn’t like Brandon’s testing methodology, I still don’t like what he initially did. He changed it and is now posting numbers with the new methodology. Very nice. :)

2. Testing Environment

Nothing new here.

3. Considerable performance hit on the machine running the tools…

This is related to the “bad” PoS window. Again, no clue what is happening here. The “good” PoS window has much better performance characteristics.

4. Network utilization

As mentioned above, this is now in line with AdFind as originally anticipated, again this was screwed before due to the bad window.

5. Umm there is a problem in the PoS Script…

This was all me, shortly afterward I realized while chatting with Dean about it that I used objectclass=* for AdFind and PoS was only doing an objectclass=user. I told Dean, I assume he passed that info on to Brandon.

6. The PoS doesn’t seem too fast in relation to AdFind…

Again, this is related to the bad window. The results are much closer now; within 25% in my limited tests.

 

While I have been off doing whatever, Brandon has continued forward in his tests, I highly recommend checking his blog out and reading about them. You can find it here – http://bsonposh.com/. He actually has some stuff way cooler than the perf testing that he has posted about now which is the STATS control stuff. He has sample code on how to return that info which I highly applaud. I know he spent a good portion of the weekend working through it as I got a bunch of emails from him on the details etc of it. I helped with what I felt I could[4] and then he found some docs up on MSFT in the protocols descriptions that were recently posted for legal reasons that actually describe all the stuff I had to reverse back in 2004 – http://msdn.microsoft.com/en-us/library/cc200562.aspx. I didn’t look closely at the code, but note that there were some changes in the STATS handling around the 2003 SP1 time frame as I had several people hit me with bug reports and I had to change how I was handling some of the info. I think the issue was around the calltime stuff but it was back in 2005 and I honestly don’t recall the details at the moment.

Oh Brandon mentions on his blog how PoS started surpassing AdFind for most tests when he started doing CSV data and that I would explain why. I explained to Brandon (and Dean) prior to them even getting into the tests that I expected it to occur. I don’t care too much to get into it but the gist is that the CSV handling was a hack into the tool to try and get it in there (along with -soao and -oao switches) because so many people were asking for it and I previously wasn’t planning on doing it until I built the 2.0 version of the AdFind internal logic framework[5]. Anyway when I say hack, I mean total hack, I am passing whole AdFind formatted output strings for the entire object around internally like for example

dn:DC=test,DC=loc
>objectClass: top
>objectClass: joeware-ServerClass
>objectClass: domain
>objectClass: domainDNS
>description: Test.Loc
>distinguishedName: DC=test,DC=loc
>instanceType: 5
>whenCreated: 20060512031950.0Z
>whenChanged: 20080529025642.0Z
>subRefs: CN=Configuration,DC=test,DC=loc
>subRefs: DC=ForestDnsZones,DC=test,DC=loc
>subRefs: DC=DomainDnsZones,DC=test,DC=loc
>uSNCreated: 7254

<SNIP>

and then reparsing them and reformatting into CSV format, etc. It seriously is a mess. The issue is lots of string passing between functions etc which means lots of string class instantiation going on which is dramatically slowing the AdFind down. When I was testing it back then I was seeing differences in speed between 20-60%, it was literally enough of a delta to see the difference in the output to the console. That almost prevented me from releasing the -csv/-soao/-oao switches at all. Then just bit the bullet because of my plans to rewrite the whole thing anyway. The ideas behind the new engine for AdFind will be to not do any of the formatting of the output until the very end and then it will go through a custom class that will figure out where that output is going – pipe, redirection, file, etc and output the info appropriately which should handle some of the various unicode issues people encounter at the command prompt[6].

In summary, the PoS stuff is running pretty well, when you don’t have a bad PoS Window. How you would detect that I don’t know, just have an idea on how fast your script should run I guess. For doing ad hoc DS stuff, would totally say this is fine, for constant running apps that use the directory, still won’t recommend .NET let alone PoS. PoS (and .NET) still has a lot of overhead (I had a window running some tests the other day that was eating 1.5GB and would have taken more but there was no more to take so it started throwing System.OutOfMemoryException errors…) and has been a wee bit unstable for me[7].

Possibly more later.

Oh one last thing, I tried to tweak one of Brandon’s scripts and obviously did it wrong, but it is fun to see how PoS handles it… I am currently at 1.25GB RAM being sucked up and 50%+ utilization on the PoS shell trying to run it…

$SearcherExpression = @'
$searcher = new-object System.DirectoryServices.DirectorySearcher([ADSI]"","(objectclass=user)",@("distinguishedName"))
$searcher.pagesize = 1000
$searcher.findall()
'@
Write-Host "Test 1"
Write-Host ("-"*40)
$myresults1 = "" | select @{n="DirectorySearcher 1";e={(Measure-command {invoke-expression $SearcherExpression}).TotalSeconds}},
                          @{n="DirectorySearcher 2";e={(Measure-command {invoke-expression $SearcherExpression}).TotalSeconds}},
                          @{n="DirectorySearcher 3";e={(Measure-command {invoke-expression $SearcherExpression}).TotalSeconds}},
                          @{n="DirectorySearcher 4";e={(Measure-command {invoke-expression $SearcherExpression}).TotalSeconds}},
                          @{n="DirectorySearcher 5";e={(Measure-command {invoke-expression $SearcherExpression}).TotalSeconds}},
                          @{n="ADFind 1";e={(Measure-Command { .\adfind -b "dc=test,dc=loc" -c -f "(objectclass=user)" }).TotalSeconds}},
                          @{n="ADFind 2";e={(Measure-Command { .\adfind -b "dc=test,dc=loc" -c -f "(objectclass=user)" }).TotalSeconds}},
                          @{n="ADFind 3";e={(Measure-Command { .\adfind -b "dc=test,dc=loc" -c -f "(objectclass=user)" }).TotalSeconds}},
                          @{n="ADFind 4";e={(Measure-Command { .\adfind -b "dc=test,dc=loc" -c -f "(objectclass=user)" }).TotalSeconds}},
                          @{n="ADFind 5";e={(Measure-Command { .\adfind -b "dc=test,dc=loc" -c -f "(objectclass=user)" }).TotalSeconds}},
                          @{n="DSP Using 1.1 1";e={(Measure-command { .\Test-DSProtocalsSP.ps1 }).TotalSeconds}}
                          @{n="DSP Using 1.1 2";e={(Measure-command { .\Test-DSProtocalsSP.ps1 }).TotalSeconds}}
                          @{n="DSP Using 1.1 3";e={(Measure-command { .\Test-DSProtocalsSP.ps1 }).TotalSeconds}}
                          @{n="DSP Using 1.1 4";e={(Measure-command { .\Test-DSProtocalsSP.ps1 }).TotalSeconds}}
                          @{n="DSP Using 1.1 5";e={(Measure-command { .\Test-DSProtocalsSP.ps1 }).TotalSeconds}}
$myresults1 | fl
Write-Host "Test 2"
Write-Host ("-"*40)
$myresults2 = "" | select @{n="ADFind #1";e={(Measure-Command { .\adfind -b "dc=test,dc=loc" -c -f "(objectclass=user)" }).TotalSeconds}},
                          @{n="ADFind #2";e={(Measure-Command { .\adfind -b "dc=test,dc=loc" -c -f "(objectclass=user)" }).TotalSeconds}},
                          @{n="ADFind #3";e={(Measure-Command { .\adfind -b "dc=test,dc=loc" -c -f "(objectclass=user)" }).TotalSeconds}},
                          @{n="ADFind #4";e={(Measure-Command { .\adfind -b "dc=test,dc=loc" -c -f "(objectclass=user)" }).TotalSeconds}},
                          @{n="ADFind #5";e={(Measure-Command { .\adfind -b "dc=test,dc=loc" -c -f "(objectclass=user)" }).TotalSeconds}},
                          @{n="DSP Using 1.1 #1";e={(Measure-command { .\Test-DSProtocalsSP.ps1 }).TotalSeconds}}
                          @{n="DSP Using 1.1 #2";e={(Measure-command { .\Test-DSProtocalsSP.ps1 }).TotalSeconds}}
                          @{n="DSP Using 1.1 #3";e={(Measure-command { .\Test-DSProtocalsSP.ps1 }).TotalSeconds}}
                          @{n="DSP Using 1.1 #4";e={(Measure-command { .\Test-DSProtocalsSP.ps1 }).TotalSeconds}}
                          @{n="DSP Using 1.1 #5";e={(Measure-command { .\Test-DSProtocalsSP.ps1 }).TotalSeconds}}
                          @{n="DirectorySearcher #1";e={(Measure-command {invoke-expression $SearcherExpression}).TotalSeconds}},
                          @{n="DirectorySearcher #2";e={(Measure-command {invoke-expression $SearcherExpression}).TotalSeconds}},
                          @{n="DirectorySearcher #3";e={(Measure-command {invoke-expression $SearcherExpression}).TotalSeconds}},
                          @{n="DirectorySearcher #4";e={(Measure-command {invoke-expression $SearcherExpression}).TotalSeconds}},
                          @{n="DirectorySearcher #5";e={(Measure-command {invoke-expression $SearcherExpression}).TotalSeconds}},

$myresults2 | fl
Write-Host "Test 3"
Write-Host ("-"*40)
$myresults3 = "" | select @{n="DSP Using 1.1 #1";e={(Measure-command { .\Test-DSProtocalsSP.ps1 }).TotalSeconds}}
                          @{n="DSP Using 1.1 #2";e={(Measure-command { .\Test-DSProtocalsSP.ps1 }).TotalSeconds}}
                          @{n="DSP Using 1.1 #3";e={(Measure-command { .\Test-DSProtocalsSP.ps1 }).TotalSeconds}}
                          @{n="DSP Using 1.1 #4";e={(Measure-command { .\Test-DSProtocalsSP.ps1 }).TotalSeconds}}
                          @{n="DSP Using 1.1 #5";e={(Measure-command { .\Test-DSProtocalsSP.ps1 }).TotalSeconds}}
                          @{n="DirectorySearcher #1";e={(Measure-command {invoke-expression $SearcherExpression}).TotalSeconds}},
                          @{n="DirectorySearcher #2";e={(Measure-command {invoke-expression $SearcherExpression}).TotalSeconds}},
                          @{n="DirectorySearcher #3";e={(Measure-command {invoke-expression $SearcherExpression}).TotalSeconds}},
                          @{n="DirectorySearcher #4";e={(Measure-command {invoke-expression $SearcherExpression}).TotalSeconds}},
                          @{n="DirectorySearcher #5";e={(Measure-command {invoke-expression $SearcherExpression}).TotalSeconds}},
                          @{n="ADFind #1";e={(Measure-Command { .\adfind -b "dc=test,dc=loc" -c -f "(objectclass=user)" }).TotalSeconds}},
                          @{n="ADFind #2";e={(Measure-Command { .\adfind -b "dc=test,dc=loc" -c -f "(objectclass=user)" }).TotalSeconds}},
                          @{n="ADFind #3";e={(Measure-Command { .\adfind -b "dc=test,dc=loc" -c -f "(objectclass=user)" }).TotalSeconds}},
                          @{n="ADFind #4";e={(Measure-Command { .\adfind -b "dc=test,dc=loc" -c -f "(objectclass=user)" }).TotalSeconds}},
                          @{n="ADFind #5";e={(Measure-Command { .\adfind -b "dc=test,dc=loc" -c -f "(objectclass=user)" }).TotalSeconds}},

$myresults3 | fl
$myresults1,$myresults2,$myresults3

 

    joe

 

 

[1] Said in a sarcastic tone…. ;)

[2] For comparison, the five command prompt windows I have had open since mid-May and that I do practically everything I do on the computer including hundreds if not thousands[3] of AdFind/AdMod commands are using 5MB combined. The PowerShell window I just opened to see how much memory it used on launch has 27MB.

[3] I run test commands against my various test AD domains all throughout the day for work.

[4]  I wasn’t about to talk about what I reverse engineered because I didn’t want to get in trouble for that…

[5] Good thing I didn’t wait, I still haven’t finished that one. ;)

[6] Not positive but last I heard, console .NET apps have the same issues. You can test it by putting in an object in your directory with some characters with umlauts or other fun characters and then write a console app to display them at the console then redirect them then pipe them and then write them to a file and then make sure it is displayed properly each way. Unicode is a bit of a pain.

[7] In trying to do various things to make it slow down like the first window I caused PoS to crash several times which I can’t recall ever doing to a command prompt window. I can understand if a script blows or an app blows, but I don’t think it should take out the shell window in the process.

6/9/2008

PowerShell + S.DS.Protocols Versus AdFind….

by @ 3:10 am. Filed under tech

So Brandon stepped up and did something I didn’t think anyone would step up and do… Start profiling and comparing the performance of PowerShell and .NET DS Protocols against a native App using the wldap32 LDAP library[1]. Brandon’s first blog entry on the topic is here – http://bsonposh.com/archives/325

While I am going to question Brandon’s testing a little here, especially his results, I commend him for taking the time and energy to step up and actually do this[3].

I guess I should state my underlying thoughts on this whole topic since some people know, some people don’t know, and a whole lot of people *think they know* what I think about it… I would be happy to see PoS+.NET compete with or even beat out a native app+wldap32, I don’t expect it, but I would be happy to see it[6]. I definitely don’t expect to see the numbers Brandon is showing on his blog which is why I am taking the time to look at this with the detail that I am going to provide.

Anyway… Historically, there is almost always a tradeoff in terms of speed and ease of use. For instance, C++ is easier to use than Assembler but if you have a great C++ programmer and a great ASM programmer, the ASM programmer will write more code but it should almost certainly be faster, smaller compiled footprint, and more efficient overall. However some things are so painful to do or take so long or require so much code that we have moved from using ASM to using C and then C++ and other higher level compiled languages[7]. This is one of the big reasons why you use .NET. It isn’t about performance of the running code, it is about how fast you can get to having running code. It is, IMO, sort of a RAD tool, not something you want to put into heavy use, but something to prototype out what you want to do or if you just need to do something quick.

 

So after running through the tests, my results are so radically different from Brandon’s I wonder what is going on. If someone sees a mistake in the testing I followed, please let me know. I expected the results to not be as good as what Brandon came up with but I didn’t expect them to be as bad as they were.

 

1. Testing Methodology.

I don’t really like how Brandon ran his tests from a couple of angles.

The first thing I don’t like is that he uses PoS to measure the speed of PoS and AdFind. I have no clue what overhead is in there which is why I don’t like it. Brandon is obviously comfortable with it however. Whether that is blind faith or he has done comprehensive tests to prove out that it is trustworthy, I don’t know… I do know that I can’t and won’t assume the latter. His trust in it does not transition to me. I am quite untrusting.

The second thing I don’t like is how the commands are all mixed up together. When I am measuring speed on commands, especially something for AD,  I tend to run the same command over and over again so that caching is taken out of the picture as well as anything else. What I am looking for out of the numbers is consistency in times to run the specific command. If you don’t see consistency, it tends to mean something else is playing into the tests. I would prefer to see 5, 10, or 100 runs of the same command in a row and then ditto for the next command and the next, etc. I don’t see consistency in Brandon’s reported numbers. Way too much skew.

 

Solutions

My solutions for these issues are

A. Instead of using a PoS script to launch AdFind and the Counting PoS script, I changed the prompt in PoS to include the current time with the following command

function prompt {Write-Host $(get-date).Tostring("yyyy-MM-dd HH:mm:ss")}

That gives me a prompt that looks like

2008-06-08 17:16:25
PS>

Then I just paste in my commands I want to run with a blank line at the beginning and end of the command sequence. This is something I do in the normal command prompt as well (though my prompt in that case is instead prompt=[$D $T] $M$+ $_$P$G). That makes it so the shell stamps the time to the console right there on the spot like so…

Command Sequence

  • [ENTER]
  • [ENTER]
  • dir
  • [ENTER]
  • [ENTER]

Which generates output like

2008-06-08 18:13:12
PS>
2008-06-08 18:13:23
PS>
2008-06-08 18:13:23
PS>dir

    Directory: Microsoft.PowerShell.Core\FileSystem::G:\PSTest

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---         6/24/2007  10:06 PM    2013184 AdFind.exe
-a---          6/8/2008  10:37 AM       1559 PSSpeed.ps1
-a---          6/8/2008  10:33 AM       2338 Test-DSProtocalsSP.ps1

2008-06-08 18:13:23
PS>
2008-06-08 18:13:23
PS>

I think anyone who looks at it should be comfortable with this method. If not, please let me know what you aren’t comfortable about.

 

 

B. So my solution for the second issue is probably pretty obvious after seeing the solution to the first… Have a notepad document with some commands all ready to cut and paste into the PoS window in one fell swoop. That looks something like

  • [ENTER]
  • [ENTER]
  • adfind -default -f objectclass=* -c
  • adfind -default -f objectclass=* -c
  • [ENTER]
  • [ENTER]
  • .\Test-DSProtocalsSP.ps1
  • .\Test-DSProtocalsSP.ps1
  • [ENTER]
  • [ENTER]

 

and a “10 count run”

  • [ENTER]
  • [ENTER]
  • adfind -default -f objectclass=* -c
  • adfind -default -f objectclass=* -c
  • adfind -default -f objectclass=* -c
  • adfind -default -f objectclass=* -c
  • adfind -default -f objectclass=* -c
  • adfind -default -f objectclass=* -c
  • adfind -default -f objectclass=* -c
  • adfind -default -f objectclass=* -c
  • adfind -default -f objectclass=* -c
  • adfind -default -f objectclass=* -c
  • [ENTER]
  • [ENTER]
  • .\Test-DSProtocalsSP.ps1
  • .\Test-DSProtocalsSP.ps1
  • .\Test-DSProtocalsSP.ps1
  • .\Test-DSProtocalsSP.ps1
  • .\Test-DSProtocalsSP.ps1
  • .\Test-DSProtocalsSP.ps1
  • .\Test-DSProtocalsSP.ps1
  • .\Test-DSProtocalsSP.ps1
  • .\Test-DSProtocalsSP.ps1
  • .\Test-DSProtocalsSP.ps1
  • [ENTER]
  • [ENTER]
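
The timestamp-prompt method above leaves a console transcript that still has to be turned into per-run durations. The following is an added example (not code from the original post) that parses such a transcript and reports the run-to-run spread for each command; the function names, the 10% consistency threshold and the sample transcript are assumptions constructed for illustration, and Windows PowerShell 3.0 or later is assumed.

```powershell
# Constructed sample transcript in the format produced by the timestamp prompt.
# The timings are invented for illustration, not measurements from the tests.
$sample = @'
2008-06-08 18:20:00
PS>
2008-06-08 18:20:00
PS>adfind -default -f objectclass=* -c
(output)
2008-06-08 18:20:41
PS>adfind -default -f objectclass=* -c
(output)
2008-06-08 18:21:23
PS>
2008-06-08 18:21:23
PS>.\Test-DSProtocalsSP.ps1
(output)
2008-06-08 18:22:40
PS>.\Test-DSProtocalsSP.ps1
(output)
2008-06-08 18:24:31
PS>
'@ -split '\r?\n'

# Hypothetical helper: one record per command. A command starts at the
# timestamp printed with its prompt and ends at the next prompt's timestamp.
function Get-PromptTiming {
    param([string[]]$Line)

    $format    = 'yyyy-MM-dd HH:mm:ss'
    $culture   = [System.Globalization.CultureInfo]::InvariantCulture
    $styles    = [System.Globalization.DateTimeStyles]::None
    $lastStamp = $null   # most recent prompt timestamp
    $pending   = $null   # command still waiting for its end timestamp

    foreach ($raw in $Line) {
        $text  = $raw.TrimEnd()
        $stamp = [datetime]::MinValue
        if ([datetime]::TryParseExact($text, $format, $culture, $styles, [ref]$stamp)) {
            if ($null -ne $pending) {
                [pscustomobject]@{
                    Command = $pending.Command
                    Start   = $pending.Start
                    Seconds = ($stamp - $pending.Start).TotalSeconds
                }
                $pending = $null
            }
            $lastStamp = $stamp
        }
        elseif (($null -eq $pending) -and ($null -ne $lastStamp) -and $text.StartsWith('PS>')) {
            # Blank prompts (the [ENTER] lines) carry no command and are skipped.
            $command = $text.Substring(3).Trim()
            if ($command) { $pending = @{ Command = $command; Start = $lastStamp } }
        }
        # Anything else is command output and is ignored.
    }
}

# Hypothetical helper: per-command min/max/mean and spread as a percentage of
# the mean. The prompt only resolves whole seconds, so short runs look noisier.
function Get-TimingSummary {
    param([object[]]$Timing, [double]$MaxSpreadPercent = 10)

    $Timing | Group-Object Command | ForEach-Object {
        $m = $_.Group | Measure-Object Seconds -Minimum -Maximum -Average
        $spread = if ($m.Average -gt 0) { 100 * ($m.Maximum - $m.Minimum) / $m.Average } else { 0 }
        [pscustomobject]@{
            Command       = $_.Name
            Runs          = $m.Count
            MinSeconds    = $m.Minimum
            MaxSeconds    = $m.Maximum
            MeanSeconds   = [math]::Round($m.Average, 1)
            SpreadPercent = [math]::Round($spread, 1)
            Consistent    = ($spread -le $MaxSpreadPercent)
        }
    }
}

$timing = Get-PromptTiming -Line $sample
$timing | Format-Table -AutoSize
Get-TimingSummary -Timing $timing | Format-Table -AutoSize
```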

 

2. Testing environment

I think testing against a 700k user environment is a bit extreme as there aren’t but a handful of AD Implementations out there that come anywhere near that but maybe it is good in that it will help stabilize any time variance issues resulting from spin up time for the app/script. I.E. If you have a second of overhead for starting an app, the more objects you have to pull, the smaller the percentage that overhead will be of the total execution time. I kind of think this tends to help PoS more than a native app because a native app has very little spin up overhead relative to PoS script or .NET but I will go with it. If anything, launching AdFind from within PoS likely has more overhead for launch than launching a PoS script from PoS. If someone wants to test on different sized environments, knock yourself out. I am already spending too much time on this.

I used AdMod to create 700k test users on my test domain with the following command:

admod -sc adau:70000;MyPassword1!;cn=PoSTest,ou=PoSTest,dc=test,dc=loc

I am running all of my tests against a virtual DC loaded with Windows Server 2003 SP2; it is one of 3 virtuals currently running on an Intel Quad Core Server box I built specifically for running virtuals using VMWARE Server. The RAM allocated (256MB) is not even close enough to cache the entire DIT (~2.75GB) even if I enabled /3GB (which I didn’t, no point…). The actual code is running on a real physical machine that has x86 XP SP2 on it and is an AMD Athlon 64 X2 4200+ Dual Core proc. Underlying network is 100Mbs with most network traffic quiesced for the testing period.

I am using the publicly available version of AdFind – V01.37.00 compiled on June 24, 2007.

PS>filever adfind.exe
--a-- W32i   APP ENU     1.37.0.1604 shp  2,013,184 06-24-2007 adfind.exe

I am using the PoS Script that Brandon posted on his blog…Here it is again for completeness. Brandon, note a good modification to the script would be to output what DC it is connecting to to do the work so you know if it is consistently connecting to the same place and that AdFind and the script are connecting to the same place. I validated that it appeared to be using the same DC as AdFind by doing some network tracing. That shouldn’t be needed and honestly there should be a way to specify the domain/DC to use to make sure the same source is used consistently.

Test-DSProtocalsSP.ps1

## load the System.DirectoryServices.Protocols assembly
[System.Reflection.assembly]::LoadWithPartialName("system.directoryservices.protocols") | Out-Null
## derive the domain DNS name and the domain DN from the default naming context
$domain = ([ADSI]"").distinguishedName -replace  ",","." -replace "dc=",""
$DomainDN = "DC=" + $Domain -replace "\.",",DC="
[int]$pageCount = 0
[int]$pageSize = 1000
[int]$count = 0
## serverless connection: the DC locator picks the domain controller
$connection = New-Object System.DirectoryServices.Protocols.LdapConnection($domain) 
$subtree = [System.DirectoryServices.Protocols.SearchScope]"Subtree"
$filter = "(objectclass=user)"
## "1.1" asks the server to return no attributes, only the entries
$searchRequest = New-Object System.DirectoryServices.Protocols.SearchRequest($DomainDN,$filter,$subtree,@("1.1")) 
$pagedRequest = New-Object System.DirectoryServices.Protocols.PageResultRequestControl($pageSize)
$searchRequest.Controls.add($pagedRequest) | out-null
$searchOptions = new-object System.DirectoryServices.Protocols.SearchOptionsControl([System.DirectoryServices.Protocols.SearchOption]::DomainScope)
$searchRequest.Controls.Add($searchOptions) | out-null
while ($true)
{
    ## increment the pageCount by 1
    $pageCount++
    ## cast the directory response into a
    ## SearchResponse object
    $searchResponse = $connection.SendRequest($searchRequest)
    ## verify support for this advanced search operation
    if (($searchResponse.Controls.Length -lt 1) -or
        !($searchResponse.Controls[0] -is [System.DirectoryServices.Protocols.PageResultResponseControl]))
    {
        Write-Host "The server cannot page the result set"
        return;
    }
    ## cast the directory control into
    ## a PageResultResponseControl object.
    $pageResponse = $searchResponse.Controls[0]
    ## display the retrieved page number and the number of
    ## directory entries in the retrieved page
    #"Page:{0} Contains {1} response entries" -f $pageCount,$searchResponse.entries.count
    $count += $searchResponse.entries.count
    ## display the entries within this page
    ## foreach($entry in $searchResponse.entries){$entry.DistinguishedName}
    ## if this is true, there
    ## are no more pages to request
    if ($pageResponse.Cookie.Length -eq 0){write-Host $count;break}
    ## set the cookie of the pageRequest equal to the cookie
    ## of the pageResponse to request the next page of data
    ## in the send request
    $pagedRequest.Cookie = $pageResponse.Cookie
}
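One way to make the modification suggested above (report which DC the connection landed on, and optionally pin a DC so every run uses the same source). This is an added example, not Brandon's script or joeware code; the function name, its parameters and the returned property names are assumptions, and it expects to run on a domain-joined machine.

```powershell
# Added example (not the script from the post): count objects with a paged
# LDAP search and report which DC answered. Function, parameter and property
# names are hypothetical.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-LdapObjectCount {
    param(
        [string]$Server,                        # DC to pin (FQDN); empty = let the DC locator choose
        [string]$Filter   = '(objectClass=*)',  # same filter as the AdFind command in the post
        [int]   $PageSize = 1000
    )
    $ns = 'System.DirectoryServices.Protocols'

    # Serverless case: hand LdapConnection the domain DNS name, as the original script does.
    if (-not $Server) {
        $Server = ([ADSI]'').distinguishedName -replace ',', '.' -replace 'dc=', ''
    }
    $connection = New-Object "$ns.LdapConnection" -ArgumentList $Server

    try {
        # rootDSE (empty base DN, base scope) is answered by whichever DC we are bound to,
        # so its dnsHostName names the server actually doing the work.
        $rootAttrs = [string[]]('dnsHostName', 'defaultNamingContext')
        $rootReq = New-Object "$ns.SearchRequest" -ArgumentList '', '(objectClass=*)',
            ([System.DirectoryServices.Protocols.SearchScope]::Base), $rootAttrs
        $rootDse = $connection.SendRequest($rootReq).Entries[0]
        $dc      = $rootDse.Attributes['dnsHostName'][0]
        $baseDn  = $rootDse.Attributes['defaultNamingContext'][0]

        # Paged subtree search on the same connection; "1.1" returns no attributes.
        $noAttrs = [string[]]@('1.1')
        $search = New-Object "$ns.SearchRequest" -ArgumentList $baseDn, $Filter,
            ([System.DirectoryServices.Protocols.SearchScope]::Subtree), $noAttrs
        $paging = New-Object "$ns.PageResultRequestControl" -ArgumentList $PageSize
        $scope  = New-Object "$ns.SearchOptionsControl" -ArgumentList `
            ([System.DirectoryServices.Protocols.SearchOption]::DomainScope)
        [void]$search.Controls.Add($paging)
        [void]$search.Controls.Add($scope)

        $count = 0
        $pages = 0
        while ($true) {
            $response = $connection.SendRequest($search)
            $pages++
            $count += $response.Entries.Count

            # Find the paging response control by type rather than by position.
            $pageResp = $response.Controls |
                Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] } |
                Select-Object -First 1
            if (-not $pageResp) { throw "Server $dc did not return a paged-results control" }

            # An empty cookie means the last page has been delivered.
            if ($pageResp.Cookie.Length -eq 0) { break }
            $paging.Cookie = $pageResp.Cookie
        }

        New-Object PSObject -Property @{
            Server = $dc; BaseDN = $baseDn; Filter = $Filter; Pages = $pages; Count = $count
        }
    }
    finally {
        $connection.Dispose()
    }
}

# Usage: run serverless once, then pin later runs to the DC the first run reported.
# $first = Get-LdapObjectCount
# Get-LdapObjectCount -Server $first.Server
```

The reported Server value can be compared with the "Using server:" line AdFind prints, and AdFind can be pointed at the same DC with its -h switch.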

 

3. Considerable performance hit on the machine running the tools…. Based on .FAT[11] isn’t it???

This one is actually pretty humourous, doesn’t take much to see what is happening… It shows quite quickly and easily one of my issues with using something other than native code; especially .NET/PoS. This is what you get as you abstract and bloat… This is a part of the reason why it is slow overall, it beats the machine up.

 

Figure 1 shows my machine at “idle”. When I watched it I saw CPU usage bumps between 0% and 5% with spikes up to about 15%.

[Figure 1]

 

Figure 2 shows AdFind running the command “adfind -default -f objectclass=* -c” which counts the objects in the domain NC. When I watched it I saw CPU usage bumps between about 4% and 11% with spikes up to about 18%.

[Figure 2]

 

 

Figure 3 shows Brandon’s PoS script counting the objects in the domain NC. When I watched it I saw CPU usage bumps between 20% and 45% with spikes up to around 50%.

[Figure 3]

 

If you don’t like pretty pictures and prefer hard text data instead, here is output from typeperf… 35 one second samples from each state…

 

This is when idling

“(PDH-CSV 4.0)”,”\\SFMXP32\processor(_total)\% processor time”

“06/08/2008 17:00:04.789″,”0.000000″
“06/08/2008 17:00:05.789″,”0.000000″
“06/08/2008 17:00:06.789″,”0.000000″
“06/08/2008 17:00:07.789″,”0.000000″
“06/08/2008 17:00:08.789″,”0.774265″
“06/08/2008 17:00:09.789″,”0.000000″
“06/08/2008 17:00:10.789″,”0.000000″
“06/08/2008 17:00:11.789″,”0.000000″
“06/08/2008 17:00:12.789″,”0.000000″
“06/08/2008 17:00:13.789″,”0.000000″
“06/08/2008 17:00:14.789″,”0.774265″
“06/08/2008 17:00:15.789″,”0.774265″
“06/08/2008 17:00:16.789″,”0.000000″
“06/08/2008 17:00:17.789″,”0.774265″
“06/08/2008 17:00:18.789″,”0.000000″
“06/08/2008 17:00:19.788″,”0.000000″
“06/08/2008 17:00:20.788″,”2.336875″
“06/08/2008 17:00:21.788″,”0.774265″
“06/08/2008 17:00:22.788″,”2.336875″
“06/08/2008 17:00:23.788″,”0.000000″
“06/08/2008 17:00:24.788″,”0.000000″
“06/08/2008 17:00:25.788″,”0.000000″
“06/08/2008 17:00:26.788″,”0.000000″
“06/08/2008 17:00:27.788″,”0.000000″
“06/08/2008 17:00:28.788″,”0.000000″
“06/08/2008 17:00:29.788″,”0.774265″
“06/08/2008 17:00:30.788″,”0.000000″
“06/08/2008 17:00:31.788″,”1.555570″
“06/08/2008 17:00:32.788″,”0.000000″
“06/08/2008 17:00:33.787″,”0.774265″
“06/08/2008 17:00:34.787″,”0.000000″
“06/08/2008 17:00:35.787″,”0.000000″
“06/08/2008 17:00:36.787″,”0.000000″
“06/08/2008 17:00:37.787″,”0.000000″
“06/08/2008 17:00:38.787″,”0.000000″
“06/08/2008 17:00:39.787″,”0.000000″
“06/08/2008 17:00:40.787″,”0.000000″
“06/08/2008 17:00:41.787″,”0.000000″
“06/08/2008 17:00:42.787″,”0.000000″
“06/08/2008 17:00:43.787″,”0.000000″
“06/08/2008 17:00:44.787″,”0.774265″

 

This is when AdFind was running

“(PDH-CSV 4.0)”,”\\SFMXP32\processor(_total)\% processor time”

“06/08/2008 17:01:06.785″,”1.555570″
“06/08/2008 17:01:07.785″,”6.243400″
“06/08/2008 17:01:08.785″,”3.899485″
“06/08/2008 17:01:09.785″,”8.587315″
“06/08/2008 17:01:10.785″,”10.931230″
“06/08/2008 17:01:11.800″,”7.685809″
“06/08/2008 17:01:12.800″,”10.931230″
“06/08/2008 17:01:13.800″,”14.056450″
“06/08/2008 17:01:14.800″,”9.368620″
“06/08/2008 17:01:15.800″,”15.619060″
“06/08/2008 17:01:16.800″,”5.462095″
“06/08/2008 17:01:17.800″,”9.368620″
“06/08/2008 17:01:18.800″,”13.275145″
“06/08/2008 17:01:19.800″,”9.368620″
“06/08/2008 17:01:20.800″,”11.712535″
“06/08/2008 17:01:21.800″,”5.462095″
“06/08/2008 17:01:22.800″,”10.149925″
“06/08/2008 17:01:23.800″,”6.243400″
“06/08/2008 17:01:24.799″,”6.243400″
“06/08/2008 17:01:25.799″,”9.368620″
“06/08/2008 17:01:26.799″,”8.587315″
“06/08/2008 17:01:27.799″,”9.368620″
“06/08/2008 17:01:28.799″,”10.149925″
“06/08/2008 17:01:29.799″,”11.712535″
“06/08/2008 17:01:30.799″,”14.837755″
“06/08/2008 17:01:31.799″,”5.462095″
“06/08/2008 17:01:32.799″,”9.368620″
“06/08/2008 17:01:33.799″,”6.243400″
“06/08/2008 17:01:34.799″,”2.336875″
“06/08/2008 17:01:35.799″,”0.774265″
“06/08/2008 17:01:36.799″,”3.118180″
“06/08/2008 17:01:37.799″,”1.555570″
“06/08/2008 17:01:38.799″,”2.336875″
“06/08/2008 17:01:39.798″,”4.680790″
“06/08/2008 17:01:40.798″,”5.462095″
“06/08/2008 17:01:41.798″,”9.368620″
“06/08/2008 17:01:42.798″,”3.118180″

 

This is when the PoS Script was running

“(PDH-CSV 4.0)”,”\\SFMXP32\processor(_total)\% processor time”

“06/08/2008 17:09:17.344″,”36.918636″
“06/08/2008 17:09:18.407″,”41.786947″
“06/08/2008 17:09:19.422″,”43.072915″
“06/08/2008 17:09:20.469″,”44.772231″
“06/08/2008 17:09:21.516″,”35.816377″
“06/08/2008 17:09:22.563″,”33.083524″
“06/08/2008 17:09:23.594″,”36.918636″
“06/08/2008 17:09:24.594″,”29.682550″
“06/08/2008 17:09:25.594″,”33.589075″
“06/08/2008 17:09:26.609″,”29.540494″
“06/08/2008 17:09:27.656″,”29.540494″
“06/08/2008 17:09:28.734″,”41.300215″
“06/08/2008 17:09:29.734″,”36.359156″
“06/08/2008 17:09:30.797″,”34.086269″
“06/08/2008 17:09:31.812″,”31.533642″
“06/08/2008 17:09:32.812″,”28.901245″
“06/08/2008 17:09:33.828″,”33.072211″
“06/08/2008 17:09:34.859″,”33.328640″
“06/08/2008 17:09:35.859″,”34.610781″
“06/08/2008 17:09:36.905″,”34.086269″
“06/08/2008 17:09:37.952″,”35.816377″
“06/08/2008 17:09:38.952″,”35.151685″
“06/08/2008 17:09:40.015″,”32.348178″
“06/08/2008 17:09:41.046″,”39.547983″
“06/08/2008 17:09:42.093″,”38.230946″
“06/08/2008 17:09:43.139″,”40.904931″
“06/08/2008 17:09:44.186″,”38.230946″
“06/08/2008 17:09:45.217″,”39.839515″
“06/08/2008 17:09:46.233″,”36.918636″
“06/08/2008 17:09:47.233″,”46.089955″
“06/08/2008 17:09:48.280″,”41.786947″
“06/08/2008 17:09:49.280″,”27.338635″
“06/08/2008 17:09:50.280″,”38.276905″
“06/08/2008 17:09:51.279″,”39.839515″
“06/08/2008 17:09:52.279″,”32.807770″
“06/08/2008 17:09:53.295″,”31.533642″
“06/08/2008 17:09:54.295″,”41.402125″
“06/08/2008 17:09:55.342″,”49.250159″
“06/08/2008 17:09:56.342″,”34.610781″
“06/08/2008 17:09:57.388″,”39.389672″
“06/08/2008 17:09:58.388″,”32.807770″
“06/08/2008 17:09:59.420″,”41.662560″
“06/08/2008 17:10:00.435″,”42.533268″
“06/08/2008 17:10:01.497″,”39.389672″
“06/08/2008 17:10:02.513″,”31.533642″
“06/08/2008 17:10:03.513″,”32.571011″
“06/08/2008 17:10:04.575″,”40.904931″
“06/08/2008 17:10:05.575″,”32.807770″
“06/08/2008 17:10:06.575″,”32.026465″
“06/08/2008 17:10:07.575″,”9.368620″
“06/08/2008 17:10:08.575″,”27.338635″
“06/08/2008 17:10:09.591″,”37.687921″
“06/08/2008 17:10:10.637″,”41.786947″
“06/08/2008 17:10:11.653″,”39.995776″
“06/08/2008 17:10:12.684″,”46.965963″
“06/08/2008 17:10:13.731″,”58.820630″
“06/08/2008 17:10:14.762″,”39.995776″
“06/08/2008 17:10:15.778″,”39.547983″
“06/08/2008 17:10:16.840″,”40.147302″
“06/08/2008 17:10:17.871″,”37.495600″

Plugged into Excel, these are the stats for those 35 data points

Idle

  • Min: 0
  • Max: 2.336875
  • Avg: 0.332834
  • Median: 0
  • Skew: 2.156378
  • Variance: 0.401792

AdFind

  • Min: 0.774265
  • Max: 15.61906
  • Avg: 7.75793
  • Median: 8.587315
  • Skew: 0.05928
  • Variance: 15.36671

PoS

  • Min: 27.33864
  • Max: 46.08996
  • Avg: 36.14655
  • Median: 35.81638
  • Skew: 0.157006
  • Variance: 21.74553

 

4. Network Utilization

After running a couple of tests and going out and working in the yard for a bit I thought… hmmm With the results I saw, I bet the network utilization numbers are off too between AdFind and the script… Sure enough.

 

Figure 4 is idle use

[Figure 4]

 

Figure 5 is AdFind use

[Figure 5]

 

Figure 6 is the PoS Script.

[Figure 6]

 

Note the percentage range on the graphs… The AdFind graph has a range of 0-25% and the PoS graph has a range of 0-5%…

 

Again with some typeperf stats… 35 data points for each state again….

 

This is when idling…

“(PDH-CSV 4.0)”,”\\SFMXP32\network interface(Realtek RTL8168_8111 PCI-E Gigabit Ethernet NIC – Packet Scheduler Miniport)\Bytes Total/sec”

06/08/2008 20:21:15.101,”0.000000″
06/08/2008 20:21:16.101,”0.000000″
06/08/2008 20:21:17.101,”0.000000″
06/08/2008 20:21:18.101,”0.000000″
06/08/2008 20:21:19.101,”0.000000″
06/08/2008 20:21:20.116,”0.000000″
06/08/2008 20:21:21.116,”0.000000″
06/08/2008 20:21:22.116,”0.000000″
06/08/2008 20:21:23.116,”0.000000″
06/08/2008 20:21:24.116,”0.000000″
06/08/2008 20:21:25.116,”0.000000″
06/08/2008 20:21:26.132,”0.000000″
06/08/2008 20:21:27.132,”0.000000″
06/08/2008 20:21:28.132,”0.000000″
06/08/2008 20:21:29.132,”0.000000″
06/08/2008 20:21:30.132,”0.000000″
06/08/2008 20:21:31.132,”0.000000″
06/08/2008 20:21:32.132,”0.000000″
06/08/2008 20:21:33.132,”0.000000″
06/08/2008 20:21:34.147,”0.000000″
06/08/2008 20:21:35.147,”0.000000″
06/08/2008 20:21:36.147,”0.000000″
06/08/2008 20:21:37.147,”0.000000″
06/08/2008 20:21:38.147,”409.193170″
06/08/2008 20:21:39.147,”0.000000″
06/08/2008 20:21:40.147,”0.000000″
06/08/2008 20:21:41.147,”0.000000″
06/08/2008 20:21:42.163,”0.000000″
06/08/2008 20:21:43.163,”0.000000″
06/08/2008 20:21:44.163,”0.000000″
06/08/2008 20:21:45.163,”0.000000″
06/08/2008 20:21:46.163,”0.000000″
06/08/2008 20:21:47.163,”0.000000″
06/08/2008 20:21:48.163,”0.000000″
06/08/2008 20:21:49.163,”0.000000″

 

AdFind query…

“(PDH-CSV 4.0)”,”\\SFMXP32\network interface(Realtek RTL8168_8111 PCI-E Gigabit Ethernet NIC – Packet Scheduler Miniport)\Bytes Total/sec”

06/08/2008 20:22:48.303,”432.148631″
06/08/2008 20:22:49.303,”7812.669507″
06/08/2008 20:22:50.319,”215500.866875″
06/08/2008 20:22:51.319,”675597.824476″
06/08/2008 20:22:52.319,”210349.356274″
06/08/2008 20:22:53.319,”1266930.446812″
06/08/2008 20:22:54.319,”1416464.689079″
06/08/2008 20:22:55.319,”1558286.015944″
06/08/2008 20:22:56.319,”425118.163681″
06/08/2008 20:22:57.334,”1344444.782983″
06/08/2008 20:22:58.334,”1137181.434605″
06/08/2008 20:22:59.334,”1597069.087841″
06/08/2008 20:23:00.334,”1312058.658551″
06/08/2008 20:23:01.334,”1530619.724371″
06/08/2008 20:23:02.334,”1676687.003461″
06/08/2008 20:23:03.334,”1603403.974700″
06/08/2008 20:23:04.334,”1676201.171529″
06/08/2008 20:23:05.350,”1755335.554489″
06/08/2008 20:23:06.350,”1815894.653956″
06/08/2008 20:23:07.350,”1748979.095744″
06/08/2008 20:23:08.350,”1457658.560362″
06/08/2008 20:23:09.350,”1749027.180590″
06/08/2008 20:23:10.350,”1748969.577365″
06/08/2008 20:23:11.350,”1602738.860017″
06/08/2008 20:23:12.350,”1880224.306196″
06/08/2008 20:23:13.366,”1543784.545800″
06/08/2008 20:23:14.366,”1528733.402130″
06/08/2008 20:23:15.366,”1748985.669767″
06/08/2008 20:23:16.365,”1675179.234176″
06/08/2008 20:23:17.365,”1750306.711728″
06/08/2008 20:23:18.365,”1374845.844406″
06/08/2008 20:23:19.365,”1975074.793721″
06/08/2008 20:23:20.381,”1457283.676124″
06/08/2008 20:23:21.381,”1603445.281594″
06/08/2008 20:23:22.381,”1674138.066714″

 

And PoS script

“(PDH-CSV 4.0)”,”\\SFMXP32\network interface(Realtek RTL8168_8111 PCI-E Gigabit Ethernet NIC – Packet Scheduler Miniport)\Bytes Total/sec”

06/08/2008 20:24:23.537,”95271.394985″
06/08/2008 20:24:24.537,”152096.806819″
06/08/2008 20:24:25.537,”304867.276069″
06/08/2008 20:24:26.537,”229631.839613″
06/08/2008 20:24:27.537,”76356.320892″
06/08/2008 20:24:28.553,”282718.881348″
06/08/2008 20:24:29.553,”212996.840599″
06/08/2008 20:24:30.553,”428616.679015″
06/08/2008 20:24:31.553,”288234.300414″
06/08/2008 20:24:32.553,”288276.315703″
06/08/2008 20:24:33.553,”287835.901916″
06/08/2008 20:24:34.568,”144267.514096″
06/08/2008 20:24:35.568,”288038.282918″
06/08/2008 20:24:36.568,”287903.691420″
06/08/2008 20:24:37.568,”215894.243299″
06/08/2008 20:24:38.568,”288022.088767″
06/08/2008 20:24:39.584,”287852.416168″
06/08/2008 20:24:40.584,”287907.460559″
06/08/2008 20:24:41.584,”287867.971897″
06/08/2008 20:24:42.584,”216662.763604″
06/08/2008 20:24:43.584,”359322.953951″
06/08/2008 20:24:44.584,”216204.281269″
06/08/2008 20:24:45.599,”287921.254846″
06/08/2008 20:24:46.599,”216670.797928″
06/08/2008 20:24:47.599,”431409.468785″
06/08/2008 20:24:48.599,”216048.609884″
06/08/2008 20:24:49.599,”360909.160668″
06/08/2008 20:24:50.599,”359313.537159″
06/08/2008 20:24:51.599,”216058.961104″
06/08/2008 20:24:52.615,”287855.543216″
06/08/2008 20:24:53.615,”362659.902837″
06/08/2008 20:24:54.615,”292073.121217″
06/08/2008 20:24:55.615,”292124.653467″
06/08/2008 20:24:56.615,”219204.028101″
06/08/2008 20:24:57.615,”219607.804823″

 

Plugged into Excel, these are the stats for those 35 data points

Idle

  • Min: 0
  • Max: 409.19317
  • Avg: 11.691233
  • Median: 0
  • Skew: 5.9160798
  • Variance: 4783.9729

AdFind

  • Min: 432.15
  • Max: 1,975,074.79  (1.88 MB/s)
  • Avg: 1,364,136.09 (1.30 MB/s)
  • Median: 1,558,286.02 (1.49 MB/s)
  • Skew: -1.55
  • Variance: 301,963,579,984.33

PoS

  • Min: 76,356.32
  • Max: 431,409.47 (.41 MB/s)
  • Avg: 265,391.52 (.25 MB/s)
  • Median: 287,855.54 (.27 MB/s)
  • Skew: -0.21
  • Variance: 6,301,469,856.37
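The six figures listed for each state in sections 3 and 4 can be computed straight from a typeperf capture without the trip through Excel. The following is an added example, not from the original post: it takes the first 35 numeric samples and uses the sample variance and sample skewness that Excel's VAR and SKEW compute. The function name and the sample lines are constructed for illustration.

```powershell
# Added example: summary statistics for a typeperf PDH-CSV capture.
# Function name and sample data are hypothetical / constructed.
function Get-TypeperfStats {
    param(
        [string[]]$Lines,     # raw typeperf output lines
        [int]$Take = 35       # number of leading samples to use, as in the post
    )
    $inv = [Globalization.CultureInfo]::InvariantCulture
    $values = @()
    $rows = $Lines | Where-Object { $_.Trim() } | ConvertFrom-Csv -Header 'Time', 'Value'
    foreach ($row in $rows) {
        # The header row, blank samples and typeperf status lines do not parse
        # as numbers and are skipped.
        $v = 0.0
        if ([double]::TryParse([string]$row.Value, [Globalization.NumberStyles]::Float, $inv, [ref]$v)) {
            $values += $v
        }
    }

    $x = @($values | Select-Object -First $Take | Sort-Object)
    $n = $x.Count
    if ($n -eq 0) { throw 'No numeric samples found' }

    $mean = ($x | Measure-Object -Average).Average

    # Median of the sorted samples.
    $mid = [int][math]::Floor($n / 2)
    if ($n % 2) { $median = $x[$mid] } else { $median = ($x[$mid - 1] + $x[$mid]) / 2 }

    # Sums of squared and cubed deviations from the mean.
    $ss = 0.0
    $cube = 0.0
    foreach ($xi in $x) {
        $d = $xi - $mean
        $ss += $d * $d
        $cube += $d * $d * $d
    }

    # Sample variance needs at least 2 points; skewness needs at least 3 and
    # a non-zero spread.
    $variance = $null
    $skew = $null
    if ($n -ge 2) { $variance = $ss / ($n - 1) }
    if ($n -ge 3 -and $variance -gt 0) {
        $s = [math]::Sqrt($variance)
        $skew = ($n / (($n - 1) * ($n - 2))) * ($cube / ($s * $s * $s))
    }

    New-Object PSObject -Property @{
        Samples = $n; Min = $x[0]; Max = $x[$n - 1]; Avg = $mean
        Median = $median; Skew = $skew; Variance = $variance
    }
}

# Constructed sample in typeperf's output format (not data from the post).
$sample = @(
    '"(PDH-CSV 4.0)","\\HOST\processor(_total)\% processor time"',
    '"01/01/2024 10:00:00.000","2.000000"',
    '"01/01/2024 10:00:01.000","4.000000"',
    '"01/01/2024 10:00:02.000","4.000000"',
    '"01/01/2024 10:00:03.000","5.000000"',
    '"01/01/2024 10:00:04.000","10.000000"'
)
Get-TypeperfStats -Lines $sample
```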

 

Average of 1.3 MB per second versus .25  MB per second… AdFind is pulling the data 5 times faster… This absolutely does not support what Brandon saw in his tests which makes me question what is different or is the PoS timing script he is using that bad? Both tools have to pull the same amount of data to get object counts, there are no shortcuts… If AdFind pulls the data 5 times faster, it has the potential to be at least 5 times faster at execution.

 

5. Umm there is a problem in the PoS Script… It doesn’t seem to know how to count correctly.

Here is what AdFind says the count is… 711387

Here is what the script says the count is… 711145

Looking at the script I am pretty sure I know what is wrong but will let Brandon sort it out.  Good learning exercise… ;)

 

6. The PoS doesn’t seem so fast in relation to AdFind…  (at least to me)

So here are the results of the actual tests…

First the two count run…

 

2008-06-08 20:52:45
PS>
2008-06-08 20:52:46
PS>
2008-06-08 20:52:46
PS>adfind -default -f objectclass=* -c

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003
Base DN: DC=test,DC=loc

711387 Objects returned
2008-06-08 20:53:19
PS>adfind -default -f objectclass=* -c

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003
Base DN: DC=test,DC=loc

711387 Objects returned
2008-06-08 20:54:01
PS>
2008-06-08 20:54:01
PS>
2008-06-08 20:54:01
PS>.\Test-DSProtocalsSP.ps1
711145
2008-06-08 20:57:22
PS>.\Test-DSProtocalsSP.ps1
711145
2008-06-08 21:00:48
PS>
2008-06-08 21:00:48
PS>
2008-06-08 21:00:48
PS>

Here are the numbers

AdFind

  1. 20:52:46 – 20:53:19  = 33 seconds
  2. 20:53:19 – 20:54:01 = 42 seconds

 

PoS

  1. 20:54:01 – 20:57:22 = 201 seconds (3 minutes 21 seconds)
  2. 20:57:22 – 21:00:48 = 206 seconds (3 minutes 26 seconds)

 

This is showing AdFind is roughly 4.5-6.25 times faster than the PoS script which is what the network traffic implied.

 

So let’s look at the 10 count test and see if we have consistency…

 

2008-06-08 21:01:27
PS>
2008-06-08 21:02:08
PS>
2008-06-08 21:02:08
PS>adfind -default -f objectclass=* -c

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003
Base DN: DC=test,DC=loc

711387 Objects returned
2008-06-08 21:02:49
PS>adfind -default -f objectclass=* -c

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003
Base DN: DC=test,DC=loc

711387 Objects returned
2008-06-08 21:03:36
PS>adfind -default -f objectclass=* -c

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003
Base DN: DC=test,DC=loc

711387 Objects returned
2008-06-08 21:04:22
PS>adfind -default -f objectclass=* -c

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003
Base DN: DC=test,DC=loc

711387 Objects returned
2008-06-08 21:05:06
PS>adfind -default -f objectclass=* -c

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003
Base DN: DC=test,DC=loc

711387 Objects returned
2008-06-08 21:05:52
PS>adfind -default -f objectclass=* -c

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003
Base DN: DC=test,DC=loc

711387 Objects returned
2008-06-08 21:06:38
PS>adfind -default -f objectclass=* -c

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003
Base DN: DC=test,DC=loc

711387 Objects returned
2008-06-08 21:07:25
PS>adfind -default -f objectclass=* -c

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003
Base DN: DC=test,DC=loc

711387 Objects returned
2008-06-08 21:08:13
PS>adfind -default -f objectclass=* -c

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003
Base DN: DC=test,DC=loc

711387 Objects returned
2008-06-08 21:09:02
PS>adfind -default -f objectclass=* -c

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003
Base DN: DC=test,DC=loc

711387 Objects returned
2008-06-08 21:09:47
PS>
2008-06-08 21:09:47
PS>
2008-06-08 21:09:47
PS>.\Test-DSProtocalsSP.ps1
711145
2008-06-08 21:13:17
PS>.\Test-DSProtocalsSP.ps1
711145
2008-06-08 21:16:47
PS>.\Test-DSProtocalsSP.ps1
711145
2008-06-08 21:20:14
PS>.\Test-DSProtocalsSP.ps1
711145
2008-06-08 21:23:49
PS>.\Test-DSProtocalsSP.ps1
711145
2008-06-08 21:27:18
PS>.\Test-DSProtocalsSP.ps1
711145
2008-06-08 21:30:45
PS>.\Test-DSProtocalsSP.ps1
711145
2008-06-08 21:34:14
PS>.\Test-DSProtocalsSP.ps1
711145
2008-06-08 21:37:50
PS>.\Test-DSProtocalsSP.ps1
711145
2008-06-08 21:41:22
PS>.\Test-DSProtocalsSP.ps1
711145
2008-06-08 21:45:22
PS>
2008-06-08 21:45:22
PS>
2008-06-08 21:45:22
PS>

 

Here are the numbers

 

AdFind

  1. 21:02:08 – 21:02:49 = 41 seconds
  2. 21:02:49 – 21:03:36 = 47 seconds
  3. 21:03:36 – 21:04:22 = 46 seconds
  4. 21:04:22 – 21:05:06 = 44 seconds
  5. 21:05:06 – 21:05:52 = 46 seconds
  6. 21:05:52 – 21:06:38 = 46 seconds
  7. 21:06:38 – 21:07:25 = 47 seconds
  8. 21:07:25 – 21:08:13 = 48 seconds
  9. 21:08:13 – 21:09:02 = 49 seconds
  10. 21:09:02 – 21:09:47 = 45 seconds

 

PoS

  1. 21:09:47 – 21:13:17 = 210 seconds (3 minutes 30 seconds)
  2. 21:13:17 – 21:16:47 = 210 seconds (3 minutes 30 seconds)
  3. 21:16:47 – 21:20:14 = 207 seconds (3 minutes 27 seconds)
  4. 21:20:14 – 21:23:49 = 215 seconds (3 minutes 35 seconds)
  5. 21:23:49 – 21:27:18 = 209 seconds (3 minutes 29 seconds)
  6. 21:27:18 – 21:30:45 = 207 seconds (3 minutes 27 seconds)
  7. 21:30:45 – 21:34:14 = 209 seconds (3 minutes 29 seconds)
  8. 21:34:14 – 21:37:50 = 216 seconds (3 minutes 36 seconds)
  9. 21:37:50 – 21:41:22 = 212 seconds (3 minutes 32 seconds)
  10. 21:41:22 – 21:45:22 = 240 seconds (4 minutes 0 seconds)

 

After seeing those numbers I thought wow and then tried it all again but flipped it around and had PoS run first and then AdFind. In summary the PoS stuff started at 22:51:49 and finished at 23:30:22, that is 37 minutes and 33 seconds or 2253 seconds or an average of 225.3 seconds for 10 runs (compared to 21:09:47 to 21:45:22 which is 35 minutes and 35 seconds or 2135 seconds or an average of 213.5 seconds for 10 runs). The AdFind stuff started at 23:30:22 and finished at 23:37:59, that is 7 minutes 37 seconds or 457 seconds or an average of 45.7 seconds for 10 runs (compared to 21:02:08 to 21:09:47 which is 7 minutes 39 seconds or 459 seconds or an average of 45.9 seconds for 10 runs). So we are seeing that AdFind is between 4.22 and 5.85 times faster than PoS.

 

I consider those numbers to be very consistent as well as very telling. I can’t for the life of me explain why Brandon’s and my numbers are so dramatically different other than maybe trying to use a PoS script to measure the perf of AdFind and the other PoS Script may not be the optimal test framework and is maybe introducing some other errors? Alternately maybe he has some special tuning for .NET stuff? That shouldn’t be needed, but I know I don’t have any special tunings, my machine has whatever the .NET stuff loads as is and PowerShell loaded on top. I guess possibly he changed the script and didn’t post the latest version to his blog… I don’t know. I just know where he was seeing seconds of difference, I see no way of that occurring.

 

Thoughts?

 

    joe

 

 

[1] I think it sort of went like this… He maybe got tired of hearing about PowerShell being fat and slow (ditto .NET) so set out to prove that it could be as performant or maybe close to as performant as native code. I am just guessing based on my knowledge of Brandon and what he has written on this testing. I know Brandon sometimes likes to fight for the sake of fighting[2]… not a problem, I am fine with that. I debated with him in person for several days at the last MVP summit.

[2] Yes you really do Brandon.

[3] FWIW, I think most folks are just going to up and assume .NET and PoS are going to be slower and accept it for what it is; people don’t use those technologies because they want raw run performance, they want ease of getting to what they want to get to[4].

[4] I am, despite what some may think, ok with that. In fact, I often tell people who are starting out now in DS programming to look at the .NET stuff instead of the native stuff[5] because quite honestly with the exception of true professional programmers I think the raw LDAP and native code stuff might be a bit much for many of the computer people of today… However, this doesn’t mean I am looking at using it. I am already spun up on the native and raw LDAP stuff.

[5] Using the .NET Framework will be easier to spin up and go for most of the folks in the field today who aren’t already seasoned programmers (with real language backgrounds… this IMO excludes VB from discussion); especially admins.  However, I don’t want them writing any serious app that is doing a ton of work that I will be dependent on using heavily. Using it to get some basic stuff going or stuff that I never have to use I have no problem with.

[6] That is because it means the “next generation” programming mechanisms aren’t going to make us all upgrade our hardware yet again… How does it go… Something like…  Intel Giveth us Speed, Microsoft takes it away… In all honesty, I don’t expect to see .NET being truly performant to any well written native code standards until it is embedded in the core and absolutely HAS to be performant. Note the key use of “well written”. Just because someone writes in native code, doesn’t mean they write well and for those people that don’t write well, they likely will do better writing in .NET. So anyway, I want to see .NET and PoS work well and efficiently because it will likely be heavily used and I would rather people not be running a bunch of slow crap out there as I may end up dealing with it one way or another.

[7] We are slowly moving out from the intricacies of the hardware abstracting more and more. It is a curve where on the far left we have the binary machine language which is all 0’s and 1’s and as you move towards the right you get to more and more complexity and robustness and hopefully ease of use. But also as you move to the right while you gain the ease of use abstraction, you pay more and more penalty in performance for that abstraction. First step after machine language… Assembler, then Macro Assembler, and then say C and then C++ and FORTRAN and COBOL, etc etc etc… We have moved further and further right in the curve[8] as we “evolve” in our use of computers and as the right becomes more acceptable either by becoming more performant from learning and making things more efficient or we just are more accepting of the trade offs because computers get faster and what ran slow yesterday runs faster today or we just can’t be bothered to worry about the speed period.

[8] The .NET framework is on the far right side of this curve right now and may or may not be what we go to next as the de facto for things that native C++, IMO, is now. I don’t think it has been proven conclusively one way or the other yet. Java has been claiming it is the de facto now for at least 10 years. I still haven’t written a line of Java though back in the late 90’s all my “cool” friends said I would, it was just a matter of time…. “You just wait joe… No one will be writing anything in C++ in 10 years… it will all be Java[9] and CORBA[10]…”

[9] The .NET stuff, at least to me, is Microsoft’s “Java”. Might as well have called it MSava (sic) in my mind. :) Anyway now all my .NET friends say the same things to me my Java friends said. Granted, they are more likely to be correct, but not guaranteed to be…

[10] Interestingly, at least to me, is that now right around 10 years later most people in the computer world know of and have heard of Java but say “What the frack is CORBA???”

[11] I can’t take the credit for .FAT, but I like it just the same. :)

4/18/2008

The 2008 MVP Summit is over…

by @ 11:24 am. Filed under general

The 2008 MVP Summit is over. It included some 2000 MVPs from around the world. I didn’t see and talk to most or even a large number, relatively, of the MVPs. Pretty much I stuck to the 40 or so DS MVPs that were present as well as a bunch of Exchange MVPs[1]. There were some security MVPs as well as a single PowerShell MVP (the unknown MVP) I spent time with as well. Nothing personal, you just don’t have the time in the days available to do otherwise, can’t possibly meet and see everyone you want to, the days are very very filled and busy and all of the folks I see are friends from around the world who I usually get to see once or if I am lucky, twice a year. Not every DS MVP is someone I care to see but the good far outweighs the bad.

As mentioned, the days were packed from the moment I opened my eyes until the moment my head hit the pillow again. Consequently as my life moved into last night I was nearly part of the "walking dead" universal group[2] and I didn’t even need the incredible Heavenly Bed of the Westin to let me sleep like a dead man though it certainly was nice. :) If you ever stay in Seattle, I do highly recommend the Westin. Ask for a high floor, you will not be disappointed I expect. I have stayed in enough hotels at this point to know that many if not most seem to have issues with the bed and the shower, at least relative to the Westin. I use the Westin as the standard for what I expect and/or want in those two categories.

Seattle was once again a beautiful hostess to our time to catch up and see what is going on with our friends building the products we work on every day. While it was gray and rainy much of the time, it’s just something you come to expect out of Seattle if you come here enough. You just look at it and say… "Hey it’s just Seattle being Seattle."

And when I say our friends building the products, that is something I mean almost without exception. These people on the DS team are my friends. I may beat up on them occasionally but if I am not beating up on them, I think or at least hope they realize that may not be a good thing because my care and ownership in the product has left me if I am not willing to spend the energy to find out what I don’t like and debate it with them. These are people that although I see them rarely in the overall scope of my life, have great impact on my life and I would very much enjoy seeing them regularly. They are very smart people, in some cases they are scary smart people. I greatly enjoy my interactions with them and look forward to any time I get to spend with them or communicating with them.

I would like to say thanks to the MVP program for putting the summit together so I can come out and see all my friends, both MVP and Microsoft. Thanks to Sean O’ for all his work with the MVPs, I wish you weren’t leaving us but do understand and wish you great luck and success. I unfortunately don’t think the new guy will replace you, just take your old job but hopefully I am wrong. Especially I want to thank the DS Team (including the ever growing and incredibly important AD Backseat Architects) for taking time out to spend with us and talk with us and debate with us on what we should and shouldn’t be doing. I want to thank the team for taking time out to see us, trying hard to make amazing products and also for making me laugh. I wish many of the stories we heard weren’t NDA items because they are incredibly funny and it helps illustrate that these builders of the products we load on our computers are people too and make mistakes and laugh at things just like everyone else in the world.

Let me, for a moment, point out the Backseat Architects specifically… I don’t know everyone in that group but I know of at least three and these three are some of the most passionate and well informed people concerning the DS that I know of. How many companies do you know with people who leave a group, or maybe never were even officially part of a group, yet care enough about it to establish a DL to discuss the group and products from that group and help the official folks with all of it? I would love to be on that DL so if any of you figure out a way to pull that off, please do.

Overall, the people around the world who rip on Microsoft and say it and the people who work there are evil and looking to do bad things, etc simply don’t know the people inside the company. They are good people, real people, who want to make things better and do so within the confines and boundaries that exist for them. I know of no other company that I have worked with that has such passion for its products and customers. Not everyone at MSFT is like that, but certainly most of the people I deal with in Redmond certainly are and it is extremely obvious to me.

So thanks to those folks so closely tied to the DS… Thanks for seeing us, thanks for explaining things to us, thanks for debating with us, thanks for the hilarious stories we can’t share with anyone, and thanks for being who you are and doing what you do every day… Thank you ~Eric, Brett, Dmitri, Matt, Nathan, Stephanie, Moon, Uday, Dushyant, Dennis, Siddharth, James, Jason,  and all of the folks I got to meet on this trip whom I haven’t gotten to know well yet.

Several of you will continue hearing from me regularly, some of you should expect to hear from me more, probably considerably  more, so I can make sure I get my input into what you are doing because, well, because I care; I want you to continue to produce products I want to continue to use. :)   If any of you need anything from me, you know where to find me. If I don’t respond, it is simply because I am very busy and just behind or Exchange or Outlook ate the message you sent and you know who to go tap on the shoulder about that. ;)

 

    joe

 

[1] Which seem to, as a whole, like me now – ExchMbx really raised my value in the eyes of the Exchange MVPs I think. I don’t feel this was always the case, there was a time where at least some of them were upset with me because they thought I was just calling their baby ugly because I simply felt like saying it was. Over time they seemed to have realized I had some clue what I was talking about and didn’t just do it to complain, but because I wanted to see the product get better… and again, I don’t think ExchMbx hurt me in their eyes…

[2] Bad geek humour

4/6/2008

I don’t know what time it is… Nor what .NET framework versions I have loaded…

by @ 12:32 pm. Filed under tech

A man with one watch knows what time it is; a man with two watches is never quite sure.

I was thinking of this quote the other day as I was trying to figure out what version(s) of the .NET framework were loaded on a Windows Server 2003 Server[1]. I had an application that said it wanted the 2.0 framework, I ran the 2.0 framework installer that came with the app and it said it wasn’t compatible with the version loaded. So I asked the simple question, well wtf is loaded?

I thought this is an easy question right? .NET is supposed to be a component of the OS, etc. I look in control panel and I see something for .NET 1.1 but nothing else, I run it, maybe it is just named poorly… Nope, just 1.1 stuff.

I googled for an answer, I keep finding “look at this and that DLL” or “look at these reg keys” or “look for these subfolders” and I am like, that can’t be right. Let me ask some of my friends…. Smart friends, I mostly have very smart friends, I really enjoy talking to smart people and I have been lucky enough to have a lot of smart people in my life.

In the responses back I received several methods… And they didn’t seem to align with each other… I didn’t know what framework versions I had loaded. I still really don’t…

Method #1:

Look at the subdirectories under %windir%\microsoft.net\framework

HKEY_LOCAL_MACHINE\software\microsoft\.netframework\v2.0 SP1
HKEY_LOCAL_MACHINE\software\microsoft\.netframework\v2.0.50727
HKEY_LOCAL_MACHINE\software\microsoft\.netframework\v3.0

Method #2

Look for the file mscorlib.dll under %windir%\microsoft.net\framework

C:\WINDOWS\microsoft.net\framework\v1.1.4322\mscorlib.dll
C:\WINDOWS\microsoft.net\framework\v2.0.50727\mscorlib.dll

Method #3

Look for .NET in output from wmic product (snipped at … on each line for readability)[2]

Microsoft .NET Framework 3.0 Service Pack 1 Microsoft .NET Framework 3.0 Service Pack 1 …
Microsoft .NET Framework 2.0 Service Pack 1 Microsoft .NET Framework 2.0 Service Pack 1 …
Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 …

Method #4

Look at entries in registry

HKEY_LOCAL_MACHINE\software\microsoft\.netframework\v2.0 SP1
HKEY_LOCAL_MACHINE\software\microsoft\.netframework\v2.0.50727
HKEY_LOCAL_MACHINE\software\microsoft\.netframework\v3.0

Method #5

Looking at Add/Remove programs

Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0 Service Pack 1

 

So let’s tally the results shall we… Excuse the format, no table formatting in this version of livewriter…

Version          Count    % sources

Version 1.1      3        60%
Version 2        3        60%
Version 2 SP1    4        80%
Version 3        3        60%
Version 3 SP1    2        40%

 

Yes I still don’t authoritatively know what versions of .NET I have loaded. I am relatively confident I have 1.1 because I see icons for it in Control Panel, I am a little more confident I have Version 2 SP1 as well since almost all of the sources of what I have said I have it. I won’t even guess on the rest.
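The same tally can be produced mechanically, which is how you would reconcile inventory sources across more than one server. This is an added example, not code from the original post: Python that normalizes the strings listed under the five methods into (version, service pack) pairs and counts how many sources report each; the method labels and function names are made up here.

```python
import re
from collections import defaultdict

# Strings copied from the five methods in the post (snipped tails dropped).
# The method labels are made up for this example.
EVIDENCE = {
    "1 framework subdirectories": [
        r"HKEY_LOCAL_MACHINE\software\microsoft\.netframework\v2.0 SP1",
        r"HKEY_LOCAL_MACHINE\software\microsoft\.netframework\v2.0.50727",
        r"HKEY_LOCAL_MACHINE\software\microsoft\.netframework\v3.0",
    ],
    "2 mscorlib.dll": [
        r"C:\WINDOWS\microsoft.net\framework\v1.1.4322\mscorlib.dll",
        r"C:\WINDOWS\microsoft.net\framework\v2.0.50727\mscorlib.dll",
    ],
    "3 wmic product": [
        "Microsoft .NET Framework 3.0 Service Pack 1 Microsoft .NET Framework 3.0 Service Pack 1",
        "Microsoft .NET Framework 2.0 Service Pack 1 Microsoft .NET Framework 2.0 Service Pack 1",
        "Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1",
    ],
    "4 registry": [
        r"HKEY_LOCAL_MACHINE\software\microsoft\.netframework\v2.0 SP1",
        r"HKEY_LOCAL_MACHINE\software\microsoft\.netframework\v2.0.50727",
        r"HKEY_LOCAL_MACHINE\software\microsoft\.netframework\v3.0",
    ],
    "5 add/remove programs": [
        "Microsoft .NET Framework 1.1",
        "Microsoft .NET Framework 2.0 Service Pack 1",
        "Microsoft .NET Framework 3.0",
        "Microsoft .NET Framework 3.0 Service Pack 1",
    ],
}

# Matches "\v2.0.50727", "\v2.0 SP1" and "Framework 3.0 Service Pack 1".
# The build number (.50727, .4322) is skipped; the service pack is optional.
_VERSION = re.compile(
    r"(?:\\v|Framework )(\d+)\.(\d+)(?:\.\d+)?(?: (?:SP|Service Pack) ?(\d+))?"
)


def normalize(evidence):
    """Return ("major.minor", service_pack) for one evidence string, or None."""
    match = _VERSION.search(evidence)
    if match is None:
        return None
    major, minor, sp = match.groups()
    return (f"{major}.{minor}", int(sp) if sp else 0)


def tally(evidence_by_method, ignore_sp=False):
    """Map each (version, sp) to the sorted list of methods that reported it."""
    seen = defaultdict(set)
    for method, lines in evidence_by_method.items():
        for line in lines:
            found = normalize(line)
            if found is None:
                continue  # no recognizable framework version in this line
            version, sp = found
            seen[(version, 0 if ignore_sp else sp)].add(method)
    return {key: sorted(methods) for key, methods in sorted(seen.items())}


def confirmed_by_all(evidence_by_method, ignore_sp=False):
    """Versions that every single method reported."""
    total = len(evidence_by_method)
    result = tally(evidence_by_method, ignore_sp)
    return [key for key, methods in result.items() if len(methods) == total]


def format_report(evidence_by_method, ignore_sp=False):
    """Rows of 'version  count  percent of sources', as in the post's tally."""
    total = len(evidence_by_method)
    rows = []
    for (version, sp), methods in tally(evidence_by_method, ignore_sp).items():
        label = version + (f" SP{sp}" if sp else "")
        rows.append(f"{label:<10}{len(methods):>3}{100 * len(methods) // total:>6}%")
    return rows


if __name__ == "__main__":
    print("\n".join(format_report(EVIDENCE)))
    print("confirmed by all sources:", confirmed_by_all(EVIDENCE))
    print("ignoring SP level:", confirmed_by_all(EVIDENCE, ignore_sp=True))
```

Ignoring service-pack level, 2.0 is the only version that all five sources report; 1.1 and 3.0 are each missing from at least one source.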

 

So I figured that maybe I could look at one of MSFT’s big new management tools, PowerShell (PoS) and it would show me… well if it does, I couldn’t find it[3] in the 5 minutes of looking I spent. It seems like it would at least tell me what it thinks it is using possibly.

 

Does anyone else other than the friends I spoke to in IM think this is a lot harder and indeterminate than it should be for something alleged to be so important in the OS? Honestly, there should be a simple command that I run from the CMD that tells me, why yes, you have these versions of the framework loaded… I found some code that will allegedly enumerate framework versions but it was .NET code… Firstly I shouldn’t have to compile something to do this since again, it is allegedly so important to the OS (recall Windows Server 2003 had an initial name of Windows .NET Server and then Windows 2003 .NET Server). Second, most people can’t compile code period. Oh yeah thirdly, it shouldn’t have to be .NET code… What if I don’t have the right framework to run it?

This is still a simple example, I have no doubt that on Windows Server 2008 this is more complicated since yet another version is likely in place and we haven’t even looked at x86 versus x64 versions… How much more complicated will that make it?

 

Again this should be simple. Why isn’t it? At this point I will take a button on System Properties that tells me the .NET frameworks that are available on the system. I think at this point we have learned enough about things to know that knowing versions on a system could be useful info for people debugging things or looking at requirements for an application, etc. Arguably developers who write apps that run on this framework should have code that checks when it is installed to see if the pre-reqs are there, but let’s be realistic, I don’t even expect MSFT software to truly do that let alone third parties.

 

Another topic I am not even going to go deep into but was sent to me is version numbers in .NET and what they mean… I had some knowledgeable people who thought version number increases meant CLR changes… Not so says Scott – http://www.hanselman.com/blog/HowToSetAnIISApplicationOrAppPoolToUseASPNET35RatherThan20.aspx

Add features, rev the major version number??? To me that would be like changing AdFind’s major rev number for added features. I would be up on like Version 30-something for AdFind… V37.0.0… With the same core code… That just doesn’t sit with me right. I wonder what happens with the version number when the CLR does receive some changes? Call it something else entirely?

 

    joe

 

 

[1] God I hate that name, see how awkward that was to type and to read out loud – MSFT get off the model year methodology for naming OSes, at least for Servers, I don’t give a frack what you name your Client OSes… Servers should be something like Windows 7.x.x, Windows 8.x.x, Windows 9.x.x…

[2] Funny IM chat about this when my friend told me about it and I made an observation…

  • Me: lol, wmi* = “this isn’t fast”
  • Me: They were trying to get us ready for .NET
  • Friend: nod, ironic we’ve actually found something slower than what we’re trying to determine the version of
  • Me: hahahahaha

[3] As a side note I find it annoying that it doesn’t handle dir /? very nicely.

3/28/2008

PowerShell

by @ 6:54 pm. Filed under tech

I don’t use it, don’t really intend to use it unless absolutely forced kicking and screaming to. Will not write a provider for AdFind nor AdMod nor any of my tools for it.

 

     love joe

11/9/2007

Now this is stupid… Go Exchange Dev Team…

by @ 11:18 pm. Filed under tech

http://support.microsoft.com/?kbid=944332

 

User Creation via PowerShell Did Not Succeed When Using LoadGen on Exchange Server 2007

Cause

This error may occur if the user account running LoadGen is not a member of the Enterprise Administrators group. This is one of the requirements.
If you do not log on as the Enterprise Administrator (for example if you log on as the local administrator), Exchange Load Generator cannot create users in Active Directory. Exchange Load Generator must have sufficient rights to create users, organizational units, distribution groups, and query-based distribution groups. Exchange Load Generator must be running under an account that is a member of the Enterprise Administrators group.

 

Resolution

Use Active Directory Users and Computers (ADUC) to add the user to Enterprise Administrator Group.
To view the group membership of a user, double-click the user account name in the Active Directory Users and Computers snap-in, and then click Member Of. If you are logged on as a user who has the correct permissions, you can add a user to a security group. To add a user to a security group, double-click the group in the Active Directory Users and Computers snap-in, click Members, and then click Add.

I guess the person working on this tool hadn’t taken his Active Directory nor “Get a Security clue” classes yet.

I am amazed someone could publish that article without being completely embarrassed.

4/30/2007

She never mentions the word addiction

by @ 1:57 pm. Filed under general

    In certain company

        She’ll tell you she’s an orphan

               After you meet her family…

That is what I will remember as the last moments of the Directory Experts Conference 2007. Officially the conference ended the day before but that was the song playing on the radio as I zipped up my suitcase and rolled out of the hotel room to go jump onto the airport shuttle; putting a fork in yet another DEC in a sad way. Should have left the radio on jazz. :)

I have attended the last four US-based DECs. Those being

DEC 2007 Las Vegas, NV – Red Rock Casino Resort
DEC 2006 Las Vegas, NV – Green Valley Resort
DEC 2005 Vancouver, BC
DEC 2004 Reston, VA (Washington D.C)

They have all had their pluses and minuses, overall I have enjoyed each and I am happy to be what I consider a “DEC Family Member”. I may be pushing it a little because I really don’t have much to do with the setup or running of the event, I just attend and have fun and talk to people. I consider myself a family member because I have presented but even before I presented I think I was in the family based on how other attendees treated me. I think folks like coming up and chatting with me but every year it seems there are a few more folks who are a little more tentative to do so unless they have someone officially introduce us, possibly they are scared or uncomfortable, I am not sure. If I am standing there, I am fair game, come chat. If I am engrossed in a conversation, come up but get a feel for the conversation before diverting it. If I appear to be making for a lavatory, point me in the right direction and heaven forbid, please don’t stop me. ;)

This year was a bit interesting for me…. I had people who wanted to take a picture of me with them, I had people who would just stare for 5,10,20 minutes[1] before approaching me (yeah I noticed), I was hugged, I was pecked on the cheek(s) in European high style, I might have been kissed on the lips by Ulf but maybe that was just a dream of mine, I was even bowed to by a couple of different people – none of whom were of Asian descent which is when I would expect it. On top of that I had a lot of people who asked when the joe and Dean Show was going to be and what room it was in as they didn’t want to miss it. This made me feel pretty good. I had someone I worked with in the past[2] who told me I changed his life for the better due to my guidance and I guess inspiration and pushing him to learning perl which he then parlayed into PowerShell knowledge; that made me feel great. I can’t count the number of folks who were just thrilled with my work in the newsgroups and/or the joeware utilities. I heard stories of my utilities saving tens if not hundreds of thousands of hours for companies globally. Admins who because of what I have done made their jobs easier so they could sooner go home to their wives, kids, bags of peanut M&M’s, whatever, you name it. How can I not feel on top of the world after all of that?

 

So let’s get into the specifics…

The Resort

This year, for the second year in a row, DEC was held just outside of Las Vegas. Last year we were in Green Valley Resort, this year we were in Red Rock Casino Resort. I guess it is the same folks who run both but the Red Rock just smoked Green Valley. It was amazing, my nearest comparison would be a Yucatan Peninsula type resort. I mean it wasn’t the Aventura Spa Palace which will kill you with amazement, but it was trying awfully hard to be that good.

The resort is absolutely something I recommend. It had an amazing restaurant called TBones Chophouse which despite its unfortunate name was very very good. So good that Dean and I chose that place for our last meal at the resort. I admit, it was on the costly side. If costly isn’t your bag, they have an amazing $9.99 chicken fajita dinner right across the casino from TBones.

The casino itself was pretty nice, it got a little packed at times but it was nowhere near as bad or as, dare I say it, low class, as the casinos on the strip. Not that the strip is a bad place, it is just that it is an entirely different feel. If you want the “experience” of Vegas, you want the strip. If you want Vegas without that experience, you want Red Rock – though you could always take a shuttle down to the strip and get that experience on your terms. I do have to say though that you can get outstanding accommodations on the strip as well, the Venetian for instance has some amazing rooms if you upgrade a level or two. However, when you hit the casino, you will be inundated with the experience again.

The Red Rock Shuttle from the airport was a gorgeous drive… We left the airport and drove on some highway that appeared to have been built yesterday with a ton of other new development. I saw mountains… Mountains I say.

[Picture courtesy of our friend Sean Deuby]

I didn’t know there were Mountains around Vegas, I never saw them before when I was there. It was quite new to me and I just sat back and watched the view and thought… I can’t believe this is Vegas. Little did I know, but that was to be the theme of the entire time at Red Rock. While driving I was also thinking how I wish I had my Rubicon (Jeep Wrangler) here to drive into the mountains and see if I can find the real answer to the life the universe and everything… To a Michigan boy living in SE Michigan which was, long ago, a bog so it is very very flat – mountains, waterfalls, and other “big” natural areas like that that give the full experience of being big hit pretty hard and you start wondering if all of the answers are in those areas since they seem to be so powerful.

[My Wrangler Rubicon is the green truck. The grey one is my Power Wagon, about the size of a London Apartment]

So yes, Red Rock was definitely gorgeous, go out to their website, you will see how gorgeous. Here is another photo from our resident MVP shutter bug, Sean.

 

The People

Amazing people. You had the NetPro folks like Gil, Stella and of course Christine who makes you feel like the party couldn’t start without you. There was a new NetPro person I met this year who seemed to be helping Stella out quite a bit, the very lovely and talented Michelle Maloof. I saw Stella smiling considerably more this DEC than in previous years so hopefully Michelle will continue helping Stella out for the DEC 2008. :)   Admit it Stella, you love me while hating me at the same time. ;)

You also have the other “normal” attendees, many of whom have amazing stories and tell you of things that they have encountered that maybe you never saw yourself. I have learned a great deal just in casual conversations with folks. Both in terms of things that I haven’t ever seen but also in learning how others encounter and deal with issues and what kinds of issues they have. As I have said to many folks, the types of issues that I and folks like Dean run into tend to be quite different from the problems of most admins. I like understanding the problems most admins have. That helps me figure out what I can help with.

On top of that you have a whole metric ton of MVPs and folks who are MVPs in my own head who could have it any time they want they just haven’t taken the time to get off their butt and get the official award. The likes of Ulf, Jorge, Dean, Guido, Darren, Sean, Katherine, JoeK, Hunter, and Stuart Fuller, and even Laura Hunter and Mark Arnold the special Exchange MVP.

Finally but not leastly (definitely not) you have the MSFT contingent… When I think of this group the first person who always comes to mind is my friend Stuart Kwan of the Ottawa Kwan Clan. And every time I think of Stuart I think of the first time I saw him back in the Whistler RAP in like 2002 or so maybe??? I went out to Redmond with some Ford folks and Stuart walked up to the front of the room and apologized that he was at low ebb due to being sick and then proceeded to blow my socks off with energy from I don’t know where. If his hands moved any faster I was afraid he would fly through the ceiling. Since then it has been one good experience after another. Outside of Stuart we had more MSFT participation this year than any other DEC I can recall. The amount of DS Dev Team folks was absolutely great. I hope they found enough value themselves in being there to do it again next year. I don’t think the “normal” attendees really understood the number and quality of people they had there. They had PMs for every major portion of AD in attendance and they had the luck to have Dmitri Gavrilov there as well. I expect the number of people who knew who he was was very small in relation to the number of people there, but someone that makes the MVPs all stand at attention should be a sign to anyone watching how major a role someone plays. We also were lucky to have a member of the Live team with us to present on AD (they’ll let anyone talk about it…). Well that member happened to be part of the AD BackSeat Architecture group (they have a DL and everything) – you will know him as ~Eric or Eric Fleischman. Eric is pretty well known in the AD Circles (and to readers of my blog) because he seems to be everywhere participating in every possible public communication channel. Dmitri on the other hand is out there as well, but he tends to be a little more focused on what he gets involved in. 
We also had the likes of Nathan Muggli, Stephanie Cheung, Moon, and Uday as well which may all be names you have heard of. Some of whom I was able to sit down and talk to at great length and some of whom I wanted to sit down with but couldn’t get untied enough to do so so folks expect me to be emailing you, especially you Stephanie. :) The DS Platform team is really a very great team. Lots of very good people. I am proud to have some level of association with them. There were others there as well such as Brian Puhl, Robert DeLuca, Ulric, Nitin, and “Paul” Balarajan (Paul is quoted for inside joke) who were all great to chat with. I am not purposely trying to leave anyone out, my mind was shot by the time we got to Monday from lack of sleep.

 

 The Conference Facilities

Unfortunately I have to say I was less than thrilled here. I wasn’t too happy with the general layout, it was kind of spread out and too compressed all at the same time… Hard for me to explain it. Basically you had these semi-wide hallways that vendors tried to line up on the sides of with food/drinks in the middle and people had to sort of scoot past them. These hallways went off in different directions so either people gathered and it got to the point where no one could move or they went off into other areas. The big open hall in Vancouver and at Green Valley beat Red Rock here hands down. People could filter out of the sessions and mill around in the middle of the hall making many many magic conversation circles. They also had lots of sitting areas for people to sit around and chat if that is what they wanted too. There were also considerable issues with logistics in terms of what speakers were in what rooms and whether or not it made sense. Speakers with large crowds were stuck in smaller rooms, speakers with smaller crowds were in larger rooms. It was really quite frustrating. This hit the ultimate frustration when I went to go into the Stuart Kwan Keynote and instead of being in the big ballroom he was in a majorly reduced size room with a single entrance. I tried to get in but there were so many people already clustered around the doorway it just wasn’t going to happen. It was the only keynote I have missed from Stuart since attending DEC. I was extremely disappointed, especially as I look through the slide deck of his presentation and I see references to Dean and myself. I would love to have heard the context around that.

 

The Sunday Workshop

I have to say that this was rough. I showed up to check it out on Saturday afternoon and saw that there were “challenges”. On the positive side, there was hardware coming out of folks ears… A nice big HP SAN and a bunch of blades and memory enough to make a mainframe jealous. However the hotel power wasn’t quite up to the need initially and I distinctly recall one point where there was a lot of beeping from the SAN/Blade enclosure as someone ran a big heavy cart over the power lines and killed the power to the electronics. Yeah, not pretty. The MVPs working on the workshop guts kept a swinging though on through the night and stayed there the whole night trying to get things into place, knocking down one huge issue after another. Unfortunately, come the morning they still didn’t have it where they wanted so the session started out considerably less interactive than initially designed. That being said, I think the workshop as a whole was successful, I think a lot of people learned a lot of cool new stuff they didn’t know about before.

 

The Conference Overall

Dean and I mentioned a couple of years ago when we were in Vancouver that we thought that DEC *might* be getting too large. I am not positive but I think we have hit that now. I understand that it was necessarily going to grow, that means that acceptance of the technology is taking off more and more. However the conference has also expanded into MIIS, ADFS, RMS, etc. While I am sure there were some or even many that appreciated that, I spoke to many who didn’t. It was sort of like diluting food coloring by adding too much water or blowing up a red balloon until it was pink. The magic circles which I loved about previous DECs were not as frequent, or at least I didn’t run into them as frequently which further enticed me to stay “closer to home” and hang with my normal clique of people. The circles I did walk up to were discussing ADFS/RMS/MIIS and quite frankly, I don’t care about those technologies in the slightest. The closest out of those is MIIS and as I keep saying to folks inside of MSFT, until it runs on ESE I don’t see myself using it much. Too many other products that can do what I need that don’t require SQL Server. As for ADFS… once it does fat clients I will find it more sexy and spend some time on it, until then, I don’t care. Stuart is one of the big guys in that space so it hurts me to say that but I really don’t care too much about the web stuff, Sharepoint is a big pain in the ass and I don’t do Web App Dev – so why should I care about ADFS. RMS…. Bah don’t get me started there but I have some songs I downloaded from Urge that I paid for that I can’t copy between machines and use unless I burn to CD and then rip back to MP3. To me RMS means, give up control of your PC, I have no desire to do that. Even though MSFT has seen fit to brand all of these things as “Active Directory” for a marketing edge, it doesn’t, to me, mean they should be full tracks at DEC.

Possibly the conference facilities are the issue that caused the loss of the magic circles? Possibly it was the dilution of the true AD technology? Possibly it was the overall size? I don’t know, I just know that family feeling I liked so much about DEC in the past was not there for me this year. Quite a few people I spoke with felt the same way. There were lots of people that I wanted to see, expected to see, that I never ran into. Looking over the list of attendees I saw even more people I wanted to see that I hadn’t seen in years and didn’t see them either.

Since reducing the size of DEC likely isn’t an option, I am hoping that the next forum will not have the same impact on extra-sessional gathering. I think possibly getting more segregation between the tracks may assist in removing some of the dilution. I would be curious to know how much cross track attendance there really was. The only cross-track session I saw that had any interest for me was about ADAM and quite frankly, that should have been in the AD Tracks, not MIIS/ADFS or wherever it landed.

 

Conference Sessions

As a whole, these were very good. There was a serious focus on RODCs and I think that bothered some people but the coverage doesn’t surprise me as it is the biggest feature to hit AD since AD itself hit. I don’t think some companies realize HOW much this will change how they deploy DCs or at least how I visualize they will deploy DCs. The security exposure of AD goes down considerably with RODCs and I expect to see far greater DC deployments with RODCs. RODCs have been discussed by MSFT since at least DEC 2004 in Washington DC when Stuart first started asking folks what they thought of the idea. The initial idea was caching DCs like caching DNS servers which I adored but that was quickly squashed and RODCs became the goal.

There were several sessions I wanted to attend but the rooms were just overpacked so I ended up in other sessions or just hung out chatting with folks in the halls. My favorite session was done by ~Eric Fleischman where he talked about scaling Active Directory. It was a good session. I tried to submit a few DCRs in the session as innocent questions. Dean ended up outing me on one of them. Eric speaks well, I can’t recall now how long I have known him but it has been an enjoyable experience overall and I have met with him personally on several occasions now and what people saw in the session is who Eric is though he did try to pin him down to the level of the session more than he might do in a real life conversation. You can be talking to Eric and all of a sudden have your eyes glaze over as he hits some level of abstraction that is so abstract you no longer can see the original problem. You want an interesting discussion, sit down and talk to Eric about what AD looks like 10 years from now.

Actually Dean, myself, and a couple of other MVPs sat down and spoke with Nathan, Eric, and Dmitri the last day over lunch about the next 10 years. They have some very interesting ideas on where it is going and interestingly they seemed to fall in line with where I thought they should be going though I was looking at a completely different form of implementation than they were as I was basing things on what I see today or small advances from what I see today whereas they build this stuff, they can make it look like anything they want and their 10 year thoughts illustrate that. To state my basic opinion, I see Centralized IT as being dead for managing policy and process in the future. It just doesn’t make sense, IT doesn’t have the knowledge to make the decisions so don’t own the decisions nor the resources, why are they in the middle of everything? Because that is the cheapest/securest model at the moment, or that is what we seem to think. IT should be running systems and making sure they function, period. That is where we have to go in the x years.

 

Next Year

As always, there is always a next year. I hope it will bounce back from what it was this year. I have heard the “tentative” city, I am not sure if it is something I can share. However I can say that I hope the real city ends up being in Hawaii or the Yucatan peninsula. That would rock. I loved sitting around the pool discussing super high level tech stuff with really intelligent people and those are two places I would really like to do it. I also wouldn’t mind being flown down to Australia for it. While I recently saw a show that makes Australia as one of the most dangerous places in the world in terms of small critters that can kill you in painful ways, I have heard so much about it from so many people and how they all think I would fit in so well that I would really like to check it out. My one fear is that I would go and then decide to never return though.

Dean and I tentatively, yes TENTATIVELY, signed up for the “joe and Dean Show Part Deux”. The interest really did seem to be there for it. While I am not one who generally likes presenting, if we can figure out a way where we are all just chatting, that would be good. Dean and I discussed some ideas while sitting by the pool. Mostly I was thinking up humourous things that could be put into the slide deck, maybe I should leave tech entirely and just get into standup as I mostly just seem to want to make people laugh and smile. If you crack a joke poorly, the worst thing that can happen is they say you aren’t funny. But if you present something that isn’t right people can say you are an idiot. :) I like to think my mom didn’t raise no idiots, stacks of evidence to the contrary aside… =)

 

   joe

 

 

[1] I presume to see if I tore anyone’s head off and ate their entrails. Note that it is entirely a rumour that I am that mean; I really am a pretty nice guy for the most part. I just happen to not hold back opinions when I have one and that can unnerve people. Not that I am always right, but if I don’t think something is correct and my opinion or level of caring is high enough I will counter. Don’t agree with me, argue, debate, tell me what you think.

[2] I didn’t work directly with him, we both worked for the same company supporting the servers for another company. I was in the US and he was in England but what I did was generally global in nature and definitely had impact on nearly everyone supporting servers for that company.

4/26/2006

Monad becomes PowerShell?

by @ 8:09 am. Filed under tech

http://www.microsoft.com/windowsserver2003/technologies/management/powershell/default.mspx

Yep it’s true… Can’t say that the name PowerShell makes me quiver or anything. I recall how the first time I heard the Monad name I was like, hey pretty cool name, a science (chemistry) term. The name PowerShell makes me think of a MAC.

Oh well, it appears it will be released to web Q4 2006.

  joe
