joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

4/14/2015

They said it couldn’t be done… NT4 in a 2012 R2 FFL6 Domain

by @ 6:09 pm. Filed under tech

I now have a Windows NT 4.0 Member Server joined and able to log into a 2012 R2 FFL6 Domain.

Don’t ask me why… If I told you I would have to kill you.

I will see about writing up how I worked through the WireShark traces to figure out what needed to be tweaked to get it to work or perhaps just the changes I needed to make to get it to work.

The most fun was getting NT4 running in 2012 R2 HyperV and not being able to use a mouse. Took me back a-ways (like almost 20 years) using all keyboard controls to whip around in NT4. But then most of my Enterprise (thousands of servers) NT4 work was done pre-RDP/TS days via remote command line through RCMD. You know remote command line management like they are pushing in PowerShell now like it is a new thing. 😉

It is just spectacular how fast NT4 runs in HyperV with no need for integration services… Oh and on a 1GB system disk that has 800MB free.

 

NT4in2012R2FFL6Forest

Rating 4.60 out of 5

4/13/2015

MaaS???

by @ 7:16 pm. Filed under general

Machine as a Service…

Skynet is coming… Security Guard Robot – only $6.95 an hour.

http://knightscope.com/order.html

image

Rating 3.00 out of 5

Well… If that doesn’t bring back some memories…

by @ 6:20 pm. Filed under general

NT4

Rating 4.50 out of 5

1500VA CyberPower UPS on sale at Amazon Save $50

by @ 2:44 pm. Filed under tech

Just wanted to give heads up, the 1500VA 900w CyberPower UPS is on sale at Amazon today for a daily deal. I have 4 of these in the house already and just ordered another 3 (max order limit).

It is Prime Eligible too if you are a Prime member and if you aren’t a Prime member… Why not?

http://www.amazon.com/gp/product/B000FBK3QK/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B000FBK3QK&linkCode=as2&tag=wwwjoewarenet-20&linkId=4HRLSHVEFDHIIVG5

EDIT: Oh it is more than just the CyberPower, other UPSes as well.

http://www.amazon.com/b/?_encoding=UTF8&camp=1789&creative=390957&linkCode=ur2&node=11266775011&rh=i%3Aelectronics%2Cn%3A11266775011&smid=ATVPDKIKX0DER&tag=wwwjoewarenet-20&linkId=5FSY3E34JRG6YY3V

Rating 4.50 out of 5

4/3/2015

OpenSource from Microsoft on CodePlex

by @ 7:33 am. Filed under tech

https://www.codeplex.com/site/users/view/Microsoft

Rating 3.00 out of 5

OpenSource from Microsoft on GitHub

by @ 7:25 am. Filed under tech

https://github.com/Microsoft

Rating 3.00 out of 5

4/2/2015

Darn, ClusterMaps Blew Up

by @ 8:25 pm. Filed under general

I just noticed this evening that my ClusterMaps Icon was messed up. When I went to check up on it I found out that one of their servers blew up and they for some reason can’t put humpty dumpty back together again so years of stats data is currently lost. Sad smile

http://blog.clustrmaps.com/2015/03/25/important-www4-servermap-news/

Oh well… Life goes on. Smile

    joe

Rating 3.00 out of 5

3/31/2015

AD Sites Without Domain Controllers Aren’t Inherently Bad

by @ 7:59 pm. Tags: ,
Filed under tech

I posted a quick post the other day about Third Party Active Directory Assessments raising issues that while not great, aren’t earth shattering issues. I wasn’t meaning to hang all Third Party companies out to dry, but to alert folks that they need to fully understand what the AD Assessments are really saying and don’t just depend on the verbiage provided. This stuff isn’t rocket science. You google a lot of these terms and you will get a variety of hits.

Anywho… One of the items I mentioned was Active Directory Logical Sites defined that don’t have Domain Controllers “in them”. The generally specified issue is that this configuration is against Microsoft Best Practice and causes extra unnecessary and inefficient authentication traffic.

When I see something like that in an assessment I want to slap my forehead and often do. It has really helped with my forehead wrinkles as I get up there in age and I won’t have a use for Botox for a while… Winking smile

Assuming the AD Sites, AD Site Links, and Subnets are correct and properly defined, the “closest” Domain Controllers for *EVERY* domain in the forest will register DNS records for that domain in that site. Any machines that resides on a subnet assigned to that site will use those Domain Controllers (assuming they work). The location of those DCs is all done through the normal DC Locator Process and isn’t less efficient than if there is an actual DC in that site. The machine doesn’t know if the DC is in the site or not when it gets the DNS records back – there is nothing in the record to indicate that, it just gets a list of DCs it is supposed to use and it tries to use them.

There are a multitude of solid valid reasons for creating AD Sites that don’t have Domain Controllers in them, AD Sites are there to define the logical if not physical structure of the network for location of a variety of resources; not just Domain Controllers for authentication and replication. If they were only for Domain Controllers and a Site without a Domain Controller wasn’t expected or bad I wouldn’t expect DCs to handle the situation so well and properly register records and the DC Locator to find them so easily. Heck I would expect it to go even further, there would be no reason for most people to even see Sites, Site Links, and Subnets in AD and they very likely could be locked down to Admins and Domain Controllers.

I was going to write up some detailed discussion around this to further emphasize my point but I really don’t need to, it is all laid out in the DC Locator Process documentation as it is quite detailed. Read the following links if you think I am confused.

Check out

Domain Controller Locator: https://technet.microsoft.com/en-us/library/cc961830.aspx

and

Domain Controller Location Process: https://technet.microsoft.com/en-us/library/cc978011.aspx

and

Finding a Domain Controller in the Closest Site: https://technet.microsoft.com/en-us/library/cc978016.aspx

and

Fooling the DC Locator: http://blogs.technet.com/b/ad/archive/2009/01/02/fooling-the-dc-locator.aspx

 

Here is a hopefully simple example…

I have a single domain forest with six domain controllers spread across two sites with a third “empty” site defined and by empty I mean that it doesn’t have a DC in it.

C:\>adfind -sites -f objectclass=site -dsq | adfind -s subtree -f objectclass=server -dn -db

AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015

Using server: DNSTEST-DC1.dnstest.loc:389
Directory: Windows Server 2012 R2

BaseDN: CN=Site1,CN=Sites,CN=Configuration,DC=dnstest,DC=loc
dn:CN=DNSTEST-DC1,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=dnstest,DC=loc
dn:CN=DNSTEST-DC2,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=dnstest,DC=loc

BaseDN: CN=Site2,CN=Sites,CN=Configuration,DC=dnstest,DC=loc
dn:CN=DNSTEST-DC3,CN=Servers,CN=Site2,CN=Sites,CN=Configuration,DC=dnstest,DC=loc
dn:CN=DNSTEST-DC4,CN=Servers,CN=Site2,CN=Sites,CN=Configuration,DC=dnstest,DC=loc
dn:CN=DNSTEST-DC5,CN=Servers,CN=Site2,CN=Sites,CN=Configuration,DC=dnstest,DC=loc
dn:CN=DNSTEST-DC6,CN=Servers,CN=Site2,CN=Sites,CN=Configuration,DC=dnstest,DC=loc

BaseDN: CN=EmptySite,CN=Sites,CN=Configuration,DC=dnstest,DC=loc

6 Objects returned

Or perhaps you prefer the more succinct

C:\>adfind -sites -f objectclass=site -dsq | adfind -s subtree -f objectclass=server -dn -db -stripdn

AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015

Using server: DNSTEST-DC1.dnstest.loc:389
Directory: Windows Server 2012 R2

BaseDN: CN=Site1,CN=Sites,CN=Configuration,DC=dnstest,DC=loc
dn:DNSTEST-DC1
dn:DNSTEST-DC2

BaseDN: CN=Site2,CN=Sites,CN=Configuration,DC=dnstest,DC=loc
dn:DNSTEST-DC3
dn:DNSTEST-DC4
dn:DNSTEST-DC5
dn:DNSTEST-DC6

BaseDN: CN=EmptySite,CN=Sites,CN=Configuration,DC=dnstest,DC=loc

6 Objects returned

Or if you prefer a pretty picture

image

 

The Site Links

C:\>adfind -sitelinks sitelist cost

AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015

Using server: DNSTEST-DC1.dnstest.loc:389
Directory: Windows Server 2012 R2
Base DN: CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=dnstest,DC=loc

dn:CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=dnstest,DC=loc

dn:CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=dnstest,DC=loc

dn:CN=Site2-EmptySite,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=dnstest,DC=loc
>cost: 10
>siteList: CN=EmptySite,CN=Sites,CN=Configuration,DC=dnstest,DC=loc
>siteList: CN=Site2,CN=Sites,CN=Configuration,DC=dnstest,DC=loc

dn:CN=Site1-EmptySite,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=dnstest,DC=loc
>cost: 80
>siteList: CN=EmptySite,CN=Sites,CN=Configuration,DC=dnstest,DC=loc
>siteList: CN=Site1,CN=Sites,CN=Configuration,DC=dnstest,DC=loc

dn:CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=dnstest,DC=loc
>cost: 100
>siteList: CN=Site2,CN=Sites,CN=Configuration,DC=dnstest,DC=loc
>siteList: CN=Site1,CN=Sites,CN=Configuration,DC=dnstest,DC=loc

dn:CN=SMTP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=dnstest,DC=loc

6 Objects returned

or

C:\>adfind -sitelinks sitelist cost -stripdn

AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015

Using server: DNSTEST-DC1.dnstest.loc:389
Directory: Windows Server 2012 R2
Base DN: CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=dnstest,DC=loc

dn:Inter-Site Transports

dn:IP

dn:Site2-EmptySite
>cost: 10
>siteList: EmptySite
>siteList: Site2

dn:Site1-EmptySite
>cost: 80
>siteList: EmptySite
>siteList: Site1

dn:DEFAULTIPSITELINK
>cost: 100
>siteList: Site2
>siteList: Site1

dn:SMTP

6 Objects returned

or

image

 

Some improperly informed consultants might think that any machine that “lives” in the subnets defined for EmptySite would randomly select a Domain Controller from all available Domain Controllers in the Domain. That is incorrect, once the client has determined what site it is in (which it will remember through reboots and update as necessary as you move around location to location) the DC Locator Process will pull the DNS entries for that site and will know EXACTLY what DCs to use. The DNS entries will come from ALL of the DCs looking at sites that aren’t covered by a DC in the site and calculate which, by virtue of the Site Link Topology, is closest and then register those DCs in that site. Again this happens for EVERY domain in the forest. So your little 5 user site down in some unheard of town in South Dakota will have DNS entries for the closest DC from the Asia Pacific Domain in the site’s DNS “zone”.  

An example of those DNS entries where the Site Links are configured such that Site 2 is “Closest” or “Lower Cost” to EmptySite:

C:\>nslookup -type=srv _ldap._tcp.emptysite._sites.dnstest.loc
Server:  localhost
Address:  127.0.0.1

_ldap._tcp.emptysite._sites.dnstest.loc SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dnstest-dc3.dnstest.loc
_ldap._tcp.emptysite._sites.dnstest.loc SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dnstest-dc5.dnstest.loc
_ldap._tcp.emptysite._sites.dnstest.loc SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dnstest-dc6.dnstest.loc
_ldap._tcp.emptysite._sites.dnstest.loc SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dnstest-dc4.dnstest.loc
dnstest-dc3.dnstest.loc internet address = 192.168.3.3
dnstest-dc5.dnstest.loc internet address = 192.168.3.5
dnstest-dc6.dnstest.loc internet address = 192.168.3.6
dnstest-dc4.dnstest.loc internet address = 192.168.3.4

 

The only cases where I am aware of machines using any random DC in a domain off the top of my head are

  1. Machine is on an IP Address that doesn’t align to any subnet objects defined in Active Directory
  2. An application requesting resolution of the domain name to an IP address outside of the Windows DNS resolution process (perhaps custom DNS lookups with non-MSFT API) and thereby bypassing the DC Locator process.

So to restate, an Active Directory Site without a Domain Controller is not a problem per se. It could be part of a problem if the Sites and Site Links aren’t intelligently configured so that the “closest” DCs properly register records in DNS for that site. However once you sort out the Site Links life should be good. If the “closest” DCs still aren’t close enough for quick-enough efficient-enough authentication, then you need to add Domain Controllers – not delete the logical AD Site.

     joe

Rating 4.67 out of 5

3/24/2015

AD Assessments

by @ 4:53 pm. Filed under tech

The AD Assessment reports that I regularly see lately from various “largish” “well known” Third Party Consulting companies seem to often be no more than bad opinions and sensationalism to try and make the customer feel good for over-paying for the AD “Consultants” to come in and look around.

Yes there are a lot of stupid things out there, stop making them out to be “end-of-the-world” class problems.

For example, a large number of empty groups is indeed silly and should be removed but it isn’t a substantial waste on your Active Directory causing excessive unnecessary replication nor is it going to massively slow down Active Directory or authentication. Plus there is always the possibility that the groups are used, just not populated except for certain times. For example, Schema Admins is generally empty in many orgs, should it be deleted? That is probably not the norm but telling a company to simply go delete 5,000 or 10,000 groups without any understanding of why they are there and if they are used at all is a bit shortsighted. It has been a long while since I tried to size out objects in AD But I seem to recall 10k empty groups with 60 character names was roughly 25MB. I am not going to haphazardly blow away groups that I am not sure about just to try and recoup 25MB. Heck even if I did that and then waited for the lifetime to expire on the tombstones I am not going to bother performing offline defrags to get that space back. If you are THAT tight on space in the world of the disks we have today, you have much greater issues my friend.

Another example, AD Sites that don’t have Domain Controllers… They aren’t the end of the world either and aren’t causing inefficiencies in user logons and extra authentication traffic. There are valid reasons for sites without Domain Controllers in an AD Topology for other applications and it is why it is handled so well by default with the closest DCs picking up those sites and registering DNS records for them.

Don’t get me wrong, I am a strong proponent of Object Life Cycle Management which is something many (probably most) companies screw up, but I am not a proponent of FUD Reports to justify stupidly highly paid outside consultants. So, when I get ahold of a report that has that FUD in it, don’t be surprised when I let the management know my opinion of the person who wrote it and their understanding of Active Directory.

    joe

Rating 4.67 out of 5

Security is like…

by @ 3:31 pm. Filed under general

Security is like high-school sex:

Everyone thinks everyone else is doing it.

Everyone wishes they were doing it.

Only a few are actually doing it.

And the few that are doing it, aren’t doing it well.

(stolen from the internet)

Rating 4.50 out of 5

[joeware – never stop exploring… :) is proudly powered by WordPress.]