joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

3/31/2015

AD Sites Without Domain Controllers Aren’t Inherently Bad

by @ 7:59 pm. Filed under tech

I posted a quick post the other day about Third Party Active Directory Assessments raising issues that, while not great, aren’t earth shattering issues. I wasn’t meaning to hang all Third Party companies out to dry, but to alert folks that they need to fully understand what the AD Assessments are really saying and not just depend on the verbiage provided. This stuff isn’t rocket science. Google a lot of these terms and you will get a variety of hits.

Anywho… One of the items I mentioned was Active Directory Logical Sites that are defined but don’t have Domain Controllers “in them”. The generally specified issue is that this configuration is against Microsoft Best Practice and causes extra, unnecessary, and inefficient authentication traffic.

When I see something like that in an assessment I want to slap my forehead, and often do. It has really helped with my forehead wrinkles as I get up there in age and I won’t have a use for Botox for a while… ;)

Assuming the AD Sites, AD Site Links, and Subnets are correct and properly defined, the “closest” Domain Controllers for *EVERY* domain in the forest will register DNS records for that domain in that site. Any machine that resides on a subnet assigned to that site will use those Domain Controllers (assuming they work). Locating those DCs is all done through the normal DC Locator Process and isn’t less efficient than if there were an actual DC in that site. The machine doesn’t know whether the DC is in the site or not when it gets the DNS records back – there is nothing in the record to indicate that; it just gets a list of DCs it is supposed to use and it tries to use them.

There are a multitude of solid, valid reasons for creating AD Sites that don’t have Domain Controllers in them. AD Sites are there to define the logical (if not physical) structure of the network for locating a variety of resources, not just Domain Controllers for authentication and replication. If they were only for Domain Controllers, and a Site without a Domain Controller were unexpected or bad, I wouldn’t expect DCs to handle the situation so well and properly register records, nor the DC Locator to find them so easily. Heck, I would expect it to go even further: there would be no reason for most people to even see Sites, Site Links, and Subnets in AD, and they very likely could be locked down to Admins and Domain Controllers.

I was going to write up some detailed discussion around this to further emphasize my point, but I really don’t need to; it is all laid out in the DC Locator Process documentation, which is quite detailed. Read the following links if you think I am confused.

Check out

Domain Controller Locator: https://technet.microsoft.com/en-us/library/cc961830.aspx

and

Domain Controller Location Process: https://technet.microsoft.com/en-us/library/cc978011.aspx

and

Finding a Domain Controller in the Closest Site: https://technet.microsoft.com/en-us/library/cc978016.aspx

and

Fooling the DC Locator: http://blogs.technet.com/b/ad/archive/2009/01/02/fooling-the-dc-locator.aspx

Here is a hopefully simple example…

I have a single domain forest with six domain controllers spread across two sites, with a third “empty” site defined; by empty I mean that it doesn’t have a DC in it.

C:\>adfind -sites -f objectclass=site -dsq | adfind -s subtree -f objectclass=server -dn -db

AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015

Using server: DNSTEST-DC1.dnstest.loc:389
Directory: Windows Server 2012 R2

BaseDN: CN=Site1,CN=Sites,CN=Configuration,DC=dnstest,DC=loc
dn:CN=DNSTEST-DC1,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=dnstest,DC=loc
dn:CN=DNSTEST-DC2,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=dnstest,DC=loc

BaseDN: CN=Site2,CN=Sites,CN=Configuration,DC=dnstest,DC=loc
dn:CN=DNSTEST-DC3,CN=Servers,CN=Site2,CN=Sites,CN=Configuration,DC=dnstest,DC=loc
dn:CN=DNSTEST-DC4,CN=Servers,CN=Site2,CN=Sites,CN=Configuration,DC=dnstest,DC=loc
dn:CN=DNSTEST-DC5,CN=Servers,CN=Site2,CN=Sites,CN=Configuration,DC=dnstest,DC=loc
dn:CN=DNSTEST-DC6,CN=Servers,CN=Site2,CN=Sites,CN=Configuration,DC=dnstest,DC=loc

BaseDN: CN=EmptySite,CN=Sites,CN=Configuration,DC=dnstest,DC=loc

6 Objects returned

Or perhaps you prefer the more succinct

C:\>adfind -sites -f objectclass=site -dsq | adfind -s subtree -f objectclass=server -dn -db -stripdn

AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015

Using server: DNSTEST-DC1.dnstest.loc:389
Directory: Windows Server 2012 R2

BaseDN: CN=Site1,CN=Sites,CN=Configuration,DC=dnstest,DC=loc
dn:DNSTEST-DC1
dn:DNSTEST-DC2

BaseDN: CN=Site2,CN=Sites,CN=Configuration,DC=dnstest,DC=loc
dn:DNSTEST-DC3
dn:DNSTEST-DC4
dn:DNSTEST-DC5
dn:DNSTEST-DC6

BaseDN: CN=EmptySite,CN=Sites,CN=Configuration,DC=dnstest,DC=loc

6 Objects returned

The Site Links

C:\>adfind -sitelinks sitelist cost

AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015

Using server: DNSTEST-DC1.dnstest.loc:389
Directory: Windows Server 2012 R2
Base DN: CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=dnstest,DC=loc

dn:CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=dnstest,DC=loc

dn:CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=dnstest,DC=loc

dn:CN=Site2-EmptySite,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=dnstest,DC=loc
>cost: 10
>siteList: CN=EmptySite,CN=Sites,CN=Configuration,DC=dnstest,DC=loc
>siteList: CN=Site2,CN=Sites,CN=Configuration,DC=dnstest,DC=loc

dn:CN=Site1-EmptySite,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=dnstest,DC=loc
>cost: 80
>siteList: CN=EmptySite,CN=Sites,CN=Configuration,DC=dnstest,DC=loc
>siteList: CN=Site1,CN=Sites,CN=Configuration,DC=dnstest,DC=loc

dn:CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=dnstest,DC=loc
>cost: 100
>siteList: CN=Site2,CN=Sites,CN=Configuration,DC=dnstest,DC=loc
>siteList: CN=Site1,CN=Sites,CN=Configuration,DC=dnstest,DC=loc

dn:CN=SMTP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=dnstest,DC=loc

6 Objects returned

or

C:\>adfind -sitelinks sitelist cost -stripdn

AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015

Using server: DNSTEST-DC1.dnstest.loc:389
Directory: Windows Server 2012 R2
Base DN: CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=dnstest,DC=loc

dn:Inter-Site Transports

dn:IP

dn:Site2-EmptySite
>cost: 10
>siteList: EmptySite
>siteList: Site2

dn:Site1-EmptySite
>cost: 80
>siteList: EmptySite
>siteList: Site1

dn:DEFAULTIPSITELINK
>cost: 100
>siteList: Site2
>siteList: Site1

dn:SMTP

6 Objects returned

Some improperly informed consultants might think that any machine that “lives” in the subnets defined for EmptySite would randomly select a Domain Controller from all available Domain Controllers in the Domain. That is incorrect. Once the client has determined what site it is in (which it will remember through reboots and update as necessary as you move from location to location), the DC Locator Process will pull the DNS entries for that site and will know EXACTLY what DCs to use. Those DNS entries come from the DCs themselves: ALL of the DCs look at sites that aren’t covered by a DC in the site, calculate which site is closest by virtue of the Site Link Topology, and the DCs in that closest site then register their records for the uncovered site. Again, this happens for EVERY domain in the forest. So your little 5 user site down in some unheard of town in South Dakota will have DNS entries for the closest DC from the Asia Pacific Domain in the site’s DNS “zone”.

An example of those DNS entries, where the Site Links are configured such that Site2 is “closest” (lower cost) to EmptySite:

C:\>nslookup -type=srv _ldap._tcp.emptysite._sites.dnstest.loc
Server:  localhost
Address:  127.0.0.1

_ldap._tcp.emptysite._sites.dnstest.loc SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dnstest-dc3.dnstest.loc
_ldap._tcp.emptysite._sites.dnstest.loc SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dnstest-dc5.dnstest.loc
_ldap._tcp.emptysite._sites.dnstest.loc SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dnstest-dc6.dnstest.loc
_ldap._tcp.emptysite._sites.dnstest.loc SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dnstest-dc4.dnstest.loc
dnstest-dc3.dnstest.loc internet address = 192.168.3.3
dnstest-dc5.dnstest.loc internet address = 192.168.3.5
dnstest-dc6.dnstest.loc internet address = 192.168.3.6
dnstest-dc4.dnstest.loc internet address = 192.168.3.4
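The “closest site” coverage described above, worked through as an added Python example (not from the post or from AdFind): the topology from the AdFind output is embedded as data, the site links are walked the way automatic site coverage does, and the result is the DC list that should appear in each site’s _ldap SRV records. Tie-breaking follows the documented coverage order (lowest cost, then most DCs, then alphabetical site name).

```python
import heapq
from collections import defaultdict

# Topology constructed from the AdFind output above: the DCs in each site and
# the IP site links with their costs. EmptySite has no DC of its own.
SITES = {
    "Site1": ["DNSTEST-DC1", "DNSTEST-DC2"],
    "Site2": ["DNSTEST-DC3", "DNSTEST-DC4", "DNSTEST-DC5", "DNSTEST-DC6"],
    "EmptySite": [],
}
SITE_LINKS = {
    "Site2-EmptySite": (10, ["EmptySite", "Site2"]),
    "Site1-EmptySite": (80, ["EmptySite", "Site1"]),
    "DEFAULTIPSITELINK": (100, ["Site2", "Site1"]),
}


def build_graph(site_links):
    """Adjacency map: every pair of sites on a link is reachable at that link's
    cost. Site link bridging (the default) makes paths across links additive."""
    graph = defaultdict(dict)
    for cost, sites in site_links.values():
        for a in sites:
            for b in sites:
                if a != b and cost < graph[a].get(b, float("inf")):
                    graph[a][b] = cost
    return graph


def link_costs_from(graph, start):
    """Dijkstra: cheapest total link cost from `start` to every reachable site."""
    dist = {start: 0}
    heap = [(0, start)]
    while heap:
        cost, site = heapq.heappop(heap)
        if cost > dist[site]:
            continue
        for nxt, link_cost in graph[site].items():
            new_cost = cost + link_cost
            if new_cost < dist.get(nxt, float("inf")):
                dist[nxt] = new_cost
                heapq.heappush(heap, (new_cost, nxt))
    return dist


def covering_site(sites, site_links, target):
    """The DC-holding site whose DCs register records for `target`. Tie-break
    order as documented for automatic site coverage: lowest cost, then most
    DCs, then alphabetical site name. None if no DC-holding site reaches it."""
    if sites[target]:
        return target  # the site has its own DCs, nothing to cover
    dist = link_costs_from(build_graph(site_links), target)
    candidates = [(dist[s], -len(sites[s]), s) for s in sites if sites[s] and s in dist]
    return min(candidates)[2] if candidates else None


def expected_srv_records(sites, site_links, domain):
    """Site-specific _ldap SRV owner name -> DC hostnames that should be
    registered under it, for every site, covered or not."""
    records = {}
    for site in sites:
        cover = covering_site(sites, site_links, site)
        if cover is None:
            continue  # unreachable site: no site records, clients end up on the domain-wide ones
        owner = f"_ldap._tcp.{site.lower()}._sites.{domain}"
        records[owner] = sorted(f"{dc.lower()}.{domain}" for dc in sites[cover])
    return records


if __name__ == "__main__":
    for owner, dcs in expected_srv_records(SITES, SITE_LINKS, "dnstest.loc").items():
        print(owner, "->", ", ".join(dcs))
```

Raise the Site2-EmptySite cost above 80 and the expected records move to DC1/DC2; remove both EmptySite links and covering_site returns None, which is the misconfiguration an assessment should actually be flagging.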


The only cases I am aware of, off the top of my head, where machines use any random DC in a domain are

  1. The machine is on an IP address that doesn’t fall within any subnet object defined in Active Directory.
  2. An application requests resolution of the domain name to an IP address outside of the Windows DNS resolution process (perhaps custom DNS lookups with a non-MSFT API), thereby bypassing the DC Locator process.

So to restate, an Active Directory Site without a Domain Controller is not a problem per se. It could be part of a problem if the Sites and Site Links aren’t intelligently configured so that the “closest” DCs properly register records in DNS for that site. However once you sort out the Site Links life should be good. If the “closest” DCs still aren’t close enough for quick-enough efficient-enough authentication, then you need to add Domain Controllers – not delete the logical AD Site.

     joe

3/24/2015

AD Assessments

by @ 4:53 pm. Filed under tech

The AD Assessment reports that I regularly see lately from various “largish” “well known” Third Party Consulting companies seem to often be no more than bad opinions and sensationalism to try and make the customer feel good for over-paying for the AD “Consultants” to come in and look around.

Yes, there are a lot of stupid things out there; stop making them out to be “end-of-the-world” class problems.

For example, a large number of empty groups is indeed silly and they should be removed, but it isn’t a substantial waste on your Active Directory causing excessive unnecessary replication, nor is it going to massively slow down Active Directory or authentication. Plus there is always the possibility that the groups are used, just not populated except at certain times. For example, Schema Admins is generally empty in many orgs; should it be deleted? That is probably not the norm, but telling a company to simply go delete 5,000 or 10,000 groups without any understanding of why they are there and whether they are used at all is a bit shortsighted. It has been a long while since I tried to size out objects in AD, but I seem to recall 10k empty groups with 60 character names was roughly 25MB. I am not going to haphazardly blow away groups that I am not sure about just to try and recoup 25MB. Heck, even if I did that and then waited for the lifetime to expire on the tombstones, I am not going to bother performing offline defrags to get that space back. If you are THAT tight on space in the world of the disks we have today, you have much greater issues my friend.

Another example: AD Sites that don’t have Domain Controllers… They aren’t the end of the world either, and aren’t causing inefficiencies in user logons or extra authentication traffic. There are valid reasons for sites without Domain Controllers in an AD topology for other applications, which is why it is handled so well by default, with the closest DCs picking up those sites and registering DNS records for them.

Don’t get me wrong, I am a strong proponent of Object Life Cycle Management which is something many (probably most) companies screw up, but I am not a proponent of FUD Reports to justify stupidly highly paid outside consultants. So, when I get ahold of a report that has that FUD in it, don’t be surprised when I let the management know my opinion of the person who wrote it and their understanding of Active Directory.

    joe

Security is like…

by @ 3:31 pm. Filed under general

Security is like high-school sex:

Everyone thinks everyone else is doing it.

Everyone wishes they were doing it.

Only a few are actually doing it.

And the few that are doing it, aren’t doing it well.

(stolen from the internet)

3/19/2015

30 Second Admin – Default Domain Password Policies for Entire Forest

by @ 6:16 pm. Filed under tech

Your boss walks into your cube with a harried look on her face… Hey ADMIN dude or dudette… The Security people are asking for the Default Domain Password Policies for all of the domains in the forest for an audit and I need it in the next 30 seconds because I am already late…

Ok…

[Thu 03/12/2015 15:34:06.57]
C:\>for /f %i in ('adfind -sc domainlist') do @adfind -hh %i -sc dompol -dloid

AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015

Using server: server1.americas.company.net:389
Directory: Windows Server 2012
Base DN: DC=americas,DC=company,DC=net

dn:DC=americas,DC=company,DC=net
>forceLogoff: -9223372036854775808 [undefined/never/forever]
>lockoutDuration: -18000000000 [-30.00 minutes(s)]
>lockOutObservationWindow: -9000000000 [-15.00 minutes(s)]
>lockoutThreshold: 6
>maxPwdAge: -77760000000000 [-90.00 day(s)]
>minPwdAge: -864000000000 [-1.00 day(s)]
>minPwdLength: 8
>pwdProperties: 1 [DOMAIN_PASSWORD_COMPLEX(1)]
>pwdHistoryLength: 6
>ms-DS-MachineAccountQuota: 0

1 Objects returned

AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015

Using server: server2.asiapacific.company.net:389
Directory: Windows Server 2008 R2
Base DN: DC=asiapacific,DC=company,DC=net

dn:DC=asiapacific,DC=company,DC=net
>forceLogoff: -9223372036854775808 [undefined/never/forever]
>lockoutDuration: -18000000000 [-30.00 minutes(s)]
>lockOutObservationWindow: -9000000000 [-15.00 minutes(s)]
>lockoutThreshold: 6
>maxPwdAge: -77760000000000 [-90.00 day(s)]
>minPwdAge: -864000000000 [-1.00 day(s)]
>minPwdLength: 8
>pwdProperties: 1 [DOMAIN_PASSWORD_COMPLEX(1)]
>pwdHistoryLength: 6
>ms-DS-MachineAccountQuota: 0

1 Objects returned

AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015

Using server: server0.company.net:389
Directory: Windows Server 2008 R2
Base DN: DC=company,DC=net

dn:DC=company,DC=net
>forceLogoff: -9223372036854775808 [undefined/never/forever]
>lockoutDuration: -18000000000 [-30.00 minutes(s)]
>lockOutObservationWindow: -9000000000 [-15.00 minutes(s)]
>lockoutThreshold: 6
>maxPwdAge: -77760000000000 [-90.00 day(s)]
>minPwdAge: -864000000000 [-1.00 day(s)]
>minPwdLength: 8
>pwdProperties: 1 [DOMAIN_PASSWORD_COMPLEX(1)]
>pwdHistoryLength: 6
>ms-DS-MachineAccountQuota: 0

1 Objects returned

AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015

Using server: server3.emea.company.net:389
Directory: Windows Server 2008 R2
Base DN: DC=emea,DC=company,DC=net

dn:DC=emea,DC=company,DC=net
>forceLogoff: -9223372036854775808 [undefined/never/forever]
>lockoutDuration: -18000000000 [-30.00 minutes(s)]
>lockOutObservationWindow: -9000000000 [-15.00 minutes(s)]
>lockoutThreshold: 6
>maxPwdAge: -77760000000000 [-90.00 day(s)]
>minPwdAge: -864000000000 [-1.00 day(s)]
>minPwdLength: 8
>pwdProperties: 1 [DOMAIN_PASSWORD_COMPLEX(1)]
>pwdHistoryLength: 6
>ms-DS-MachineAccountQuota: 0

1 Objects returned

[Thu 03/12/2015 15:34:21.62]

Highlight in command prompt window, copy, CTL-V paste into notepad. CTL-P ALT-P. Tell her to go to the printer.

If you have an LPT defined in the command prompt it is even faster.

[Thu 03/12/2015 15:35:53.67]
C:\>for /f %i in ('adfind -sc domainlist') do @adfind -hh %i -sc dompol > LPT1

[Thu 03/12/2015 15:36:08.56]

She wasn’t really thinking you could do it in 30 seconds, she was trying to give you a sense of urgency… But you were able to do it anyway. Great job! :)

If you have a single domain forest this can be reduced further to simply

[Thu 03/12/2015 15:37:04.26]
C:\>adfind -sc dompol -dloid

AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015

Using server: server1.americas.company.net:389
Directory: Windows Server 2012
Base DN: DC=americas,DC=company,DC=net

dn:DC=americas,DC=company,DC=net
>forceLogoff: -9223372036854775808 [undefined/never/forever]
>lockoutDuration: -18000000000 [-30.00 minutes(s)]
>lockOutObservationWindow: -9000000000 [-15.00 minutes(s)]
>lockoutThreshold: 6
>maxPwdAge: -77760000000000 [-90.00 day(s)]
>minPwdAge: -864000000000 [-1.00 day(s)]
>minPwdLength: 8
>pwdProperties: 1 [DOMAIN_PASSWORD_COMPLEX(1)]
>pwdHistoryLength: 6
>ms-DS-MachineAccountQuota: 0

1 Objects returned

[Thu 03/12/2015 15:37:10.74]

You don’t need the -dloid switch but it does make it faster when you know for a fact that you don’t have to decode any special attributes. That switch disables a dynamic search of the Schema to find time/sid/guid type attributes for intelligent decoding. Since the attributes used for this are long time known attributes they are actually hard coded into some tables in AdFind for decoding.
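As an added Python example (not AdFind code), here is a parser for the dompol output above that decodes the raw interval and flag values itself and flags settings an auditor would question. The SAMPLE text is constructed from the values shown above, and the audit thresholds are this example’s own, not anything the post prescribes.

```python
import re

# Constructed sample in AdFind's output format, using the values shown above.
SAMPLE = """\
dn:DC=americas,DC=company,DC=net
>forceLogoff: -9223372036854775808 [undefined/never/forever]
>lockoutDuration: -18000000000 [-30.00 minutes(s)]
>lockOutObservationWindow: -9000000000 [-15.00 minutes(s)]
>lockoutThreshold: 6
>maxPwdAge: -77760000000000 [-90.00 day(s)]
>minPwdAge: -864000000000 [-1.00 day(s)]
>minPwdLength: 8
>pwdProperties: 1 [DOMAIN_PASSWORD_COMPLEX(1)]
>pwdHistoryLength: 6
>ms-DS-MachineAccountQuota: 0
"""

NEVER = -(2 ** 63)             # 0x8000000000000000 means "never" for interval attributes
TICKS_PER_SECOND = 10_000_000  # interval attributes are negative counts of 100ns ticks

PWD_PROPERTY_FLAGS = {         # pwdProperties bit flags
    0x01: "DOMAIN_PASSWORD_COMPLEX",
    0x02: "DOMAIN_PASSWORD_NO_ANON_CHANGE",
    0x04: "DOMAIN_PASSWORD_NO_CLEAR_CHANGE",
    0x08: "DOMAIN_LOCKOUT_ADMINS",
    0x10: "DOMAIN_PASSWORD_STORE_CLEARTEXT",
    0x20: "DOMAIN_REFUSE_PASSWORD_CHANGE",
}

def parse_adfind(text):
    """Parse 'dn:' / '>attr: value [decode]' lines into {dn: {attr: raw value}}.
    AdFind's bracketed decode is dropped; the raw value is decoded below."""
    objects, current = {}, None
    for line in text.splitlines():
        if line.startswith("dn:"):
            current = line[3:].strip()
            objects[current] = {}
        elif line.startswith(">") and current is not None:
            attr, _, value = line[1:].partition(":")
            objects[current][attr.strip()] = re.sub(r"\s*\[.*\]$", "", value.strip())
    return objects

def interval_seconds(raw):
    """Negative 100ns interval -> positive whole seconds; None means 'never'."""
    value = int(raw)
    return None if value == NEVER else abs(value) // TICKS_PER_SECOND

def decode_pwd_properties(raw):
    value = int(raw)
    return [name for bit, name in PWD_PROPERTY_FLAGS.items() if value & bit]

def check_policy(attrs):
    """Findings an auditor would raise. The thresholds are this example's own,
    not anything the post prescribes; adjust them to your baseline."""
    findings = []
    if interval_seconds(attrs["maxPwdAge"]) is None:
        findings.append("maxPwdAge never: passwords do not expire")
    if int(attrs["minPwdLength"]) < 12:
        findings.append(f"minPwdLength {attrs['minPwdLength']} is below 12")
    if int(attrs["pwdHistoryLength"]) < 24:
        findings.append(f"pwdHistoryLength {attrs['pwdHistoryLength']} is below 24")
    if int(attrs["lockoutThreshold"]) == 0:
        findings.append("lockoutThreshold 0: no account lockout")
    flags = decode_pwd_properties(attrs["pwdProperties"])
    if "DOMAIN_PASSWORD_COMPLEX" not in flags:
        findings.append("password complexity not enforced")
    if "DOMAIN_PASSWORD_STORE_CLEARTEXT" in flags:
        findings.append("reversible encryption enabled domain-wide")
    if int(attrs.get("ms-DS-MachineAccountQuota", "10")) > 0:  # AD default is 10
        findings.append("ms-DS-MachineAccountQuota > 0: non-admins can join computers")
    return findings

def audit(text):
    """{dn: [findings]} for every domain head in a pasted AdFind dompol dump."""
    return {dn: check_policy(attrs) for dn, attrs in parse_adfind(text).items()}

if __name__ == "__main__":
    for dn, findings in audit(SAMPLE).items():
        print(dn, findings or "no findings")
```

Paste the whole output of the for loop above into SAMPLE and every domain head in the forest is checked in one pass.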

    joe

P.S. All of these commands were run as a normal userid, not an admin ID. In most AD Forests much if not most information is readily available to normal users so if you are simply querying, you may only need to be a normal user. So yes, your manager could have gotten the information herself, not to mention those Security people could have gotten it as well…

3/9/2015

AdFind For The Win! :)

by @ 6:53 pm. Filed under general

Even the folks at Microsoft know which command line Active Directory LDAP Query tool is the best for professionals… :)

https://technet.microsoft.com/en-us/library/dn535775.aspx#BKMK_LDAPQuery

2/28/2015

AdFind V01.49.00 Released

by @ 4:45 pm. Filed under updates

I found a bug in -dloid functionality, so I have corrected the bug and re-released AdFind with a new version number – V01.49.00.

http://www.joeware.net/freetools/tools/adfind/

If you are unfamiliar with -dloid, it tells AdFind to NOT download a partial schema to get the OID/Type info for attributes to decode special attributes such as GUIDs and SIDs etc. There are some hardcoded attributes that I will still decode, but anything dynamically added won’t be in there. This can cut a second or two off of the run time of the tool, which doesn’t matter all that much when you run the command directly, but if you have a script that calls adfind over and over again it can be a significant savings.

Note that one fix in V01.48.00 was for AdFind to automatically enable this for non-MSFT directories. That is how I broke the actual switch when specified. My bad. :)

   joe

2/26/2015

Never….

by @ 8:41 am. Filed under quotes

Never attribute to malice that which is adequately explained by stupidity.

  – Robert J Hanlon

2/19/2015

…who in the AD world doesn’t use ADFIND…

by @ 12:57 pm. Filed under general

I love getting emails that contain stuff like this from Microsoft Employees:

Second, who in the AD world doesn’t use ADFIND? I know lots of people dump native MS tools for your tool :). BTW, I owned Active Directory 4th and 5th editions and I wanted to tell you that you did an awesome job on those books.

1/27/2015

Princess you are killing me…

by @ 12:18 am. Filed under general

Princess (https://jorgequestforknowledge.wordpress.com/) you are killing me. You keep posting these "Finding Attributes…" posts and in every one you are specifying the long way with AdFind with no mention of the shortcuts. I keep adding comments that remain un-moderated. Please start specifying the shortcuts too. Thanks!

Anyone that sees this post and knows Princess please let him know. Thanks! :)

    joe

1/17/2015

AdFind V01.48.00 Released

by @ 1:11 pm. Filed under tech, updates

It has been over two years since V01.47.00 was released but finally AdFind V01.48.00 has been released. I have no excuses other than allowing my day job to completely overrun my personal life. I would love to spend my days working on building and releasing tools but financially it just isn’t feasible at this time. :) I do apologize for the extended period of inactivity. I do intend to do things differently this year and have some exciting thoughts around some tools. This is the year I tackle ESE coding and going directly into the AD Database tables. I have been looking to do that for some time as I have been intrigued by ESE coding from long conversations with Brett Shirley (one of the few ESE Devs at Microsoft and someone I am proud to have as a friend).

Anyway… I started updating the code base almost exactly a year ago and fixed bugs and added features in bursts throughout the year when I found time. At the very least you will find a bunch of new decodes built in for Windows Server 2012, Windows Server 2012 R2, and Windows Server Threshold but hopefully you will find the bug fixes and new features useful as well.

So without further ado… Here is the general list of changes:

Added many Windows Server 2012, Windows Server 2012 R2, and Windows Server Threshold Decodes

Added "mode decodes" for versions > Threshold as Windows Server Threshold+. I kept finding it annoying that newer OS mode versions that weren’t decoded yet defaulted to the most recent decoded version. I.E. Windows Server Threshold will decode as Windows Server 2012 in V01.47.00, whereas the version after Threshold will decode as Windows Server Threshold+ in V01.48.00. I intend to get out a quick update to change the decodes from Windows Server Threshold to whatever it formally becomes when it becomes it. ;)

Added a bunch more decodes for various attributes. New values that have been added, additional attributes, etc.

Tweaked a bunch of shortcuts so they are more intelligent with base selection, GC use, and enabling -dloid to speed up queries when possible, etc.

Added new features and modifiers for several shortcuts.

In one of the previous versions I changed how AdFind handled what happens when you specify the same attribute multiple times and had it normalize down to a single attribute so that the output was consistent between CSV and non-CSV output. Non-CSV output will always only show the attribute once, CSV output would populate two fields with the attribute. Apparently some folks used that functionality so I changed it back so that you can specify a single attribute multiple times and it will show up in the CSV output.

I ran into some cases where I needed to specify IPv6 IP addresses and the -h option got confused by that (it was parsing the string on colons to retrieve the port) so I updated the code so that it can handle IPv6 format addresses. I.E. [2001:0:5ef5:79fb:45:32c6:94fa:def9]:389.

To better support non-Microsoft LDAP Directories I have set AdFind up to auto-detect whether a Directory is paging-capable and, if not, it will disable its use of paged queries.

To give more options for cmd piping scenarios I have changed the -b switch and STDIN stream reading to allow for SIDs, GUIDs, and IIDs. The code will detect the base type in the background and then properly wrap the string in the appropriate formatting. For example, SIDs will be changed from S-1-x-xxx-xxx-xxx to <SID=S-1-x-xxx-xxx-xxx>, GUIDs will be changed from 9AF9CD11-9AB3-44DF-B014-8673F3C562C6 or {9AF9CD11-9AB3-44DF-B014-8673F3C562C6} to <GUID=9AF9CD11-9AB3-44DF-B014-8673F3C562C6>. IIDs which are objectGUIDs that are BASE64 encoded and used in AzureAD are converted from BASE64 and then encoded as a GUID. Note that these queries may be a little slower than using a normal base because of the overhead AD has in locating the objects.

I have added several more constants for -replacedn

Added :dnwdata:= matching rule for -bit in filters.

Added BASE64 for -binenc.

Added HEX/BASE64 options for -guidbinout and -sidbinout. For example:

[Tue 01/13/2015 23:02:09.22]
F:\Dev\cpp\AdFind\Release>adfind -hh thr-dc1 -s base -b {9AF9CD11-9AB3-44DF-B014-8673F3C562C6} objectguid -guidbinout base64

AdFind V01.48.00.00cpp Joe Richards (joe@joeware.net) January 2015

Using server: THR-DC1.threshold.loc:389
Directory: Windows Server Threshold

dn:DC=threshold,DC=loc
>objectGUID: Ec35mrOa30SwFIZz88Vixg==

1 Objects returned

And you may realize… Voila that is the IID for that object. Which, in review you could also do the following then

[Tue 01/13/2015 23:07:28.41]
F:\Dev\cpp\_old\OLD\AdFind\Release>adfind -hh thr-dc1 -s base -b Ec35mrOa30SwFIZz88Vixg== objectguid

AdFind V01.48.00.00cpp Joe Richards (joe@joeware.net) January 2015

Using server: THR-DC1.threshold.loc:389
Directory: Windows Server Threshold

dn:DC=threshold,DC=loc
>objectGUID: {9AF9CD11-9AB3-44DF-B014-8673F3C562C6}

1 Objects returned

Added several special bases: -sitelinks, -legacydns, -quotas.

Added two new shortcuts: -sc sitelinkdmp and -sc sitelinkdmpl. You specify the site short name with the shortcut and it will dump the links for that site, ex: -sc sitelinkdmp:site2

Several new switches:

-exclrepl : For some reason MSFT didn’t think to not return some of the AD Replication Metadata in the star (*) default attribute set so in larger environments you can literally get screens of output when just dumping the NC Head object that you pretty much won’t care about. This switch is like a shortcut switch in that it simply adds several attributes to the -excl switch in the background.

-ametal/-vmetal: Versions of -ameta and -vmeta with -list enabled too.

-encguidtoiid: Encode a GUID to an IID. Doesn’t need to talk to AD to do this.

-deciidtoguid: Decode an IID to a GUID. Doesn’t need to talk to AD to do this.
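The GUID/IID relationship behind the -b base-type detection above and the -encguidtoiid / -deciidtoguid switches, as an added Python example (not AdFind’s code): an IID is simply the 16 bytes AD stores for objectGUID, base64 encoded, and the page’s own pair {9AF9CD11-9AB3-44DF-B014-8673F3C562C6} / Ec35mrOa30SwFIZz88Vixg== round-trips through it. The SID value used is constructed, and the detection rules are my reading of what the post describes.

```python
import base64
import re
import uuid

# Patterns for the base types the post says -b now detects. A GUID may be bare
# or brace-wrapped; an IID is 16 bytes of objectGUID as base64 (24 chars, "==").
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
GUID_RE = re.compile(r"^\{?[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$")
IID_RE = re.compile(r"^[A-Za-z0-9+/]{22}==$")


def guid_to_iid(guid_text):
    """Mirror of -encguidtoiid: the 16 bytes AD stores for objectGUID (first
    three fields little-endian, which is what bytes_le gives) as base64."""
    return base64.b64encode(uuid.UUID(guid_text.strip("{}")).bytes_le).decode("ascii")


def iid_to_guid(iid):
    """Mirror of -deciidtoguid: base64 -> 16 bytes -> brace-wrapped GUID string."""
    raw = base64.b64decode(iid, validate=True)
    if len(raw) != 16:
        raise ValueError("an IID must decode to exactly 16 bytes")
    return "{" + str(uuid.UUID(bytes_le=raw)).upper() + "}"


def wrap_base(value):
    """Turn a -b argument into the base AD understands: SIDs become <SID=...>,
    GUIDs (either spelling) and IIDs become <GUID=...>, anything else is
    passed through untouched as a DN."""
    value = value.strip()
    if SID_RE.match(value):
        return f"<SID={value}>"
    if GUID_RE.match(value):
        return f"<GUID={value.strip('{}').upper()}>"
    if IID_RE.match(value):
        return f"<GUID={iid_to_guid(value).strip('{}')}>"
    return value


if __name__ == "__main__":
    # The GUID/IID pair is the one from the post; the SID is a constructed value.
    for arg in ("{9AF9CD11-9AB3-44DF-B014-8673F3C562C6}", "Ec35mrOa30SwFIZz88Vixg==",
                "S-1-5-21-1-2-3-500", "CN=Users,DC=threshold,DC=loc"):
        print(arg, "->", wrap_base(arg))
```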

-objcnterrlevel: This one is an often requested switch… Dear joe, please output the returned object count in the errorlevel attribute… Well since I already populate the errorlevel attribute for status of the execution I had to think long and hard about doing this. I finally decided to add the switch. Note I didn’t perform comprehensive tests for this one. As always, if you see issues, please let me know.

-stripdn: This was a customer request as well, it simply strips DNs down to the most relevant RDN for all normal DN type attributes (based on attribute syntax)… For example:

[Tue 01/13/2015 23:24:30.34]
F:\Dev\cpp\AdFind\Release>adfind -hh thr-dc1 -default -s one -dn -stripdn

AdFind V01.48.00.00cpp Joe Richards (joe@joeware.net) January 2015

Using server: THR-DC1.threshold.loc:389
Directory: Windows Server Threshold
Base DN: DC=threshold,DC=loc

dn:Builtin
dn:Computers
dn:Domain Controllers
dn:ForeignSecurityPrincipals
dn:Infrastructure
dn:LostAndFound
dn:Managed Service Accounts
dn:NTDS Quotas
dn:Program Data
dn:System
dn:TPM Devices
dn:Users

12 Objects returned

That may not look interesting but this may look more interesting:

[Tue 01/13/2015 23:28:51.19]
F:\Dev\cpp\AdFind\Release>adfind -hh thr-dc1 -config -f objectclass=sitelink sitelist -stripdn -list
Site3
Site2
Default-First-Site-Name

-fdnx: This allows DN Expansion for some common base DNs within a filter. This is so you can come up with a general query command that could work in multiple environments or so you can type less. It is actually put into place to help with the two new shortcuts.

[Tue 01/13/2015 23:33:29.74]
F:\Dev\cpp\AdFind\Release>adfind -hh thr-dc1 -sc sitelinkdmpl:site3 -po
Selected Switches
    -alldc
    -arecex
    -config
    -f (&(objectclass=sitelink)(sitelist=CN=site3,CN=Sites,[CONFIG]))
    -fdnx
    -flagdc
    -h thr-dc1
    -hh thr-dc1
    -list
    -po
    -rb CN=Inter-Site Transports,CN=Sites
    -rootdsedc
    -s subtree
    -samdc
    -sc sitelinkdmpl:site3
    -schdc
    -sitelinks
    -sitenamedc
    -sites
    -tdcas
    -utc

Selected Attributes
    name

DEFAULTIPSITELINK

Note the filter "-f (&(objectclass=sitelink)(sitelist=CN=site3,CN=Sites,[CONFIG]))"

I usually release a new version of AdMod with AdFind but I didn’t want to hold AdFind back any longer so AdMod will be released at some later date.

You can find AdFind V01.48.00 at http://www.joeware.net/freetools/tools/adfind. Feel free to check out the sponsored link when you are there. :)

   joe