joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

9/22/2017

NETDOM bug for /namesuffixes switch

by @ 11:04 pm. Filed under tech

A bit of a bug there Microsoft…

[Fri 09/22/2017 22:50:53.57]
C:\>netdom trust k16tst.test.loc /namesuffixes:k16tst2.test.loc
   Name, Type, Status, Notes
1. *.hello.k16tst2.test.loc, Exclusion
2. *.k16tst2.test.loc, Name Suffix, Admin-Disabled
3. k16tst2.test.loc, Domain DNS name, Enabled
4. K16TST2, Domain NetBIOS name, Admin-Disabled, For k16tst2.test.loc
5. s-1-5-21-2034487785-2134286760-1379125265, Domain SID, Admin-Disabled, For k16tst2.test.loc

The command completed successfully.

VERSUS

[Fri 09/22/2017 22:26:24.74]+
E:\DEV\cpp\vs\AdFind>release\adfind -f objectclass=trusteddomain msds-trustforesttrustinfo -samdc

AdFind V01.51.00cpp (beta) Joe Richards (support@joeware.net) September 2017

Using server: K16TST-DC1.k16tst.test.loc:389
Directory: Windows Server 2016
Base DN: DC=k16tst,DC=test,DC=loc

dn:CN=k16tstchld.k16tst.test.loc,CN=System,DC=k16tst,DC=test,DC=loc

dn:CN=k16tst2.test.loc,CN=System,DC=k16tst,DC=test,DC=loc
> msDS-TrustForestTrustInfo: Version=1 Entries=3
> msDS-TrustForestTrustInfo: Record=0 Type=TLN_EXCL Flags=0 TopLevelName=hello.k16tst2.test.loc
> msDS-TrustForestTrustInfo: Record=1 Type=TLN_INCL Flags=2 TopLevelName=k16tst2.test.loc [TLN_DISABLED_ADMIN]
> msDS-TrustForestTrustInfo: Record=2 Type=DOMINF Flags=5 DNSName=k16tst2.test.loc NetBIOSName=K16TST2 [NB_DISABLED_ADMIN] SID=S-1-5-21-2034487785-2160680536-2915842031 [SID_DISABLED_ADMIN]

2 Objects returned

Where do you ask??

5. s-1-5-21-2034487785-2134286760-1379125265, Domain SID, Admin-Disabled, For k16tst2.test.loc

>msDS-TrustForestTrustInfo: Record=2 Type=DOMINF Flags=5 DNSName=k16tst2.test.loc NetBIOSName=K16TST2 [NB_DISABLED_ADMIN] SID=S-1-5-21-2034487785-2160680536-2915842031 [SID_DISABLED_ADMIN]

[Fri 09/22/2017 22:26:40.65]+
E:\DEV\cpp\vs\AdFind>sidtoname S-1-5-21-2034487785-2160680536-2915842031 k16tst.test.loc

SidToName V02.00.00cpp Joe Richards (joe@joeware.net) March 2003

[Domain]: K16TST2

The command completed successfully.
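When netdom and AdFind disagree like this, the thing to trust is the attribute itself. The following Python is an added example (not code from the post or from AdFind): it decodes msDS-TrustForestTrustInfo using the record layout given in MS-ADTS 6.1.6.9.3 and pulls the domain SID straight out of the DOMINF record, so a netdom listing can be checked against what the attribute actually holds. The blob it parses is constructed to mirror the three records AdFind decoded above; the flag names, and the assumption that RecordLen excludes its own four bytes, are taken from that spec.

```python
import struct
# Added example, not AdFind code: decode msDS-TrustForestTrustInfo (record layout as given
# in MS-ADTS 6.1.6.9.3) so the SID actually stored for a trust can be compared with netdom.
TYPES = {0: "TLN_INCL", 1: "TLN_EXCL", 2: "DOMINF"}
TLN_FLAGS = {0x1: "TLN_DISABLED_NEW", 0x2: "TLN_DISABLED_ADMIN", 0x4: "TLN_DISABLED_CONFLICT"}
DOM_FLAGS = {0x1: "SID_DISABLED_ADMIN", 0x2: "SID_DISABLED_CONFLICT",
             0x4: "NB_DISABLED_ADMIN", 0x8: "NB_DISABLED_CONFLICT"}

def sid_to_str(raw):
    """Binary SID -> 'S-1-5-...': revision, sub-auth count, 6-byte BE authority, LE sub-auths."""
    subs = struct.unpack_from("<%dI" % raw[1], raw, 8)
    return "S-%d-%d" % (raw[0], int.from_bytes(raw[2:8], "big")) + "".join("-%d" % s for s in subs)

def _field(buf, off):  # one length-prefixed field: 4-byte LE length, then that many bytes
    n = struct.unpack_from("<I", buf, off)[0]
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_forest_trust_info(blob):
    """Return one dict per record: type, raw flags, decoded flag names and payload."""
    version, count = struct.unpack_from("<II", blob, 0)
    if version != 1:
        raise ValueError("unsupported msDS-TrustForestTrustInfo version %d" % version)
    off, records = 8, []
    for _ in range(count):
        rlen = struct.unpack_from("<I", blob, off)[0]           # RecordLen excludes itself
        rec, off = blob[off + 4:off + 4 + rlen], off + 4 + rlen
        flags, _timestamp, rtype = struct.unpack_from("<IQB", rec, 0)
        entry, p = {"type": TYPES.get(rtype, rtype), "flags": flags}, 13
        if rtype in (0, 1):                                      # top-level name, included/excluded
            name, p = _field(rec, p)
            entry.update(name=name.decode("utf-8"), notes=[v for k, v in TLN_FLAGS.items() if flags & k])
        elif rtype == 2:                                         # domain info: SID, DNS name, NetBIOS name
            sid, p = _field(rec, p)
            dns, p = _field(rec, p)
            nb, p = _field(rec, p)
            entry.update(sid=sid_to_str(sid), dns=dns.decode("utf-8"), netbios=nb.decode("utf-8"),
                         notes=[v for k, v in DOM_FLAGS.items() if flags & k])
        records.append(entry)
    return records

def domain_sid(blob, dns_name):
    """SID stored in the DOMINF record for dns_name, or None; this is the value to check netdom against."""
    hits = [r["sid"] for r in parse_forest_trust_info(blob)
            if r["type"] == "DOMINF" and r["dns"].lower() == dns_name.lower()]
    return hits[0] if hits else None

# Encoder helpers, used only to build the constructed sample blob below (timestamps zeroed).
def _lv(data): return struct.pack("<I", len(data)) + data
def _record(rtype, flags, payload):
    body = struct.pack("<IQB", flags, 0, rtype) + payload       # Flags, Timestamp, RecordType
    return struct.pack("<I", len(body)) + body
SAMPLE_SID = bytes([1, 4]) + (5).to_bytes(6, "big") + struct.pack("<4I", 21, 2034487785, 2160680536, 2915842031)
SAMPLE = (struct.pack("<II", 1, 3) + _record(1, 0, _lv(b"hello.k16tst2.test.loc"))   # the three records above
          + _record(0, 2, _lv(b"k16tst2.test.loc"))
          + _record(2, 5, _lv(SAMPLE_SID) + _lv(b"k16tst2.test.loc") + _lv(b"K16TST2")))
```

Against a live directory, feed `parse_forest_trust_info` the raw bytes returned for msDS-TrustForestTrustInfo on the trustedDomain object and compare `domain_sid(...)` with the SID on netdom's line 5.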


There is a huge difference…

by @ 10:12 pm. Filed under quotes

There is a huge difference between software written by people who actually use it and people who just write it.

   – me


6/24/2017

Don’t build the Titanic when a paddle boat will do

by @ 1:01 pm. Filed under general

When poking around today I found a comment I made on a post two years ago. I thought I would share it here as it is just as true today.

…complexity kills. A lot of my work is around trying to figure out and fix stuff where people got too complex for the task at hand. Either they weren’t very good at what they did and made it complex accidentally, the environment grew beyond intents over time and was patched into complexity, or someone was trying to be fancy and thought a complex solution was sexier and made them look smarter or something (I call this consultant / vendor syndrome). For the record, the simplest, most elegant solutions are the most sexy. Those are the ones that have real life down the road and are more likely not to be ripped out and replaced. I personally am far more impressed and joyful at simple solutions than complex ones stacked up with all sorts of various interconnections. Don’t build the Titanic when a paddle boat will do.

This goes for fixing anything: you don’t always have to fix the entire problem in one fell swoop. Sometimes it not only makes sense, but makes infinitely more sense, to solve issues in small bite-size pieces that slowly work you back to how something should really be done. When I worked for HP Enterprise Services I regularly saw cases where they would try to fix something by building a whole new solution that was a massive undertaking, and would be paralyzed and unable to do anything until that was completed. Unfortunately, more times than not those massive solutions would end up getting killed before anything got done, and so we would never move off the dime and fix even small things, because people didn’t look at solving them at the micro level and wanted only to deal with them at the macro level. That is when I first started saying “don’t build the Titanic when a paddle boat will do”. I said it because I would visualize our many issues and problems as us floating down the river without so much as a stick to our name; someone would say let’s fix that, and the solution was to build the Titanic. Everyone would have great job and expectations, and two years later nothing was built and nothing was going to be built, and in the meanwhile we were still waterlogged in the river and could have been much better off if we had just built a paddleboat.

   joe


5/29/2017

We do it for the result, not the process.

by @ 11:34 am. Filed under general

Last Friday I wrote the email below and sent it to the Directory Services team (which I am the Technical Expert for). I have received some very positive feedback, so I thought I would share the verbiage here as well, because this really applies to every medium to senior level person in the business, and if you are a low level person in the business it is something you should keep in mind as well. Also, if you haven’t read the Amazon Letter to the Shareholders referenced, please do yourself a favor and read that as well.

==

From: Joe Richards
Sent: Friday, May 26, 2017 6:14 PM
Subject: We do it for the result, not the process.

I wanted to send out an email to the team calling out the signature I have had on my emails for a while.

This text came as a warning from the CEO of a competitor and it is very sage advice. It is important information for this team to keep at the top of our minds at all times. Even though this was only recently published by our competitor, this basic concept was taught to me in the late ’90s and has been a fundamental underlying mindset of nearly every team I have had any input into, and has worked very well.

Good process serves you so you can serve customers. But if you’re not watchful, the process can become the thing. This can happen very easily in large organizations. The process becomes the proxy for the result you want. You stop looking at outcomes and just make sure you’re doing the process right.[1]

We care about the outcomes, not whether or not we followed the process properly, because our deliverable isn’t the process; our deliverable is the result we are trying to achieve when we are following the process. What matters are the outcomes. This aligns with the old joke, “The operation was a success but the patient died”. We have and build processes to make it more likely we will get to successful, correct outcomes. We OWN the process; if we don’t get the right outcome, we OWN the resulting failure. When we fail, we take that failure and analyze it with an eye to fix the process to prevent future failure.

By now you have probably heard me say several times, “Does this step add value to the process?” or “Does this process add value to what we are doing?” as well as “Question everything.” If something isn’t adding value or worse, puts us in a position to fail, it must be questioned and, if not removed outright, corrected to make sure it gives us the needed value and allows a successful result.

This isn’t carte blanche to throw out all process, but it is a responsibility on each of our parts to question process and try to correct it in a feasible manner that leads us to the correct result. Even if we are in the middle of some process and we see a potential bad result coming, if we have time and/or the potential badness outweighs moving forward, we stop and figure it out or we get clarification before proceeding. Anytime something doesn’t feel right, question it.

We are professionals. We own a service and the processes around it. Process is only a tool to help guide us in the correct direction to do the right thing and we have to be aware enough of and understanding enough of what it is that we are doing and do everything with great purpose such that we can see when the process is failing us and correct it. If we have a failure, our answer should not be, “We followed the process.” It should be “Yes, we failed, we will correct things so it doesn’t happen again.” We are professionals.

    joe

[1] The whole letter to the Amazon shareholders from which this snippet was pulled can be found at https://www.amazon.com/p/feature/z6o9g6sysxur57t and is a great read.

Good process serves you so you can serve customers. But if you’re not watchful, the process can become the thing. This can happen very easily in large organizations. The process becomes the proxy for the result you want. You stop looking at outcomes and just make sure you’re doing the process right.


5/13/2017

Everything I Need to Know I Learned in Monty Python and the Holy Grail

by @ 6:35 pm. Filed under general

Be pragmatic: Everyone told the King of Swamp Castle that he was “daft to build a castle on a swamp,” and sure enough, his first attempt sank into the muck. “So I built a second one,” he says. “That sank into the swamp. So I built a third. That burned down, fell over, then sank into the swamp. But the fourth one stayed up.”

This is the kind of thinking that produces epic SAP implementation failures. The King and his melancholy son Alice … I mean, Herbert … could’ve spared themselves a lot of trouble if they had listened to trusted advisors and built on another site. Be pragmatic and be willing to shift your plan as events and conditions warrant. Oh, and no singing.

<SNIP>

https://msdn.microsoft.com/en-us/magazine/mt742864.aspx?f=255&MSPPError=-2147217396


5/11/2017

Getting the DN of the parent of an object

by @ 10:33 pm. Filed under general, tech

Do you remember how several years ago I added to AdFind the ability to display the parent of the object you searched for? Microsoft finally added that ability as well for any LDAP query as of Windows Server 2012 R2 and ADLDS for Windows 8.1/Windows Server 2012 R2.

The attribute is called msDS-parentdistname.

[Thu 05/11/2017  22:10:46.92]
E:\>adfind -e k16 -f name=unix* msDS-parentdistname -dpdn

AdFind V01.50.00cpp Joe Richards (support@joeware.net) May 2017

Using server: K16TST-DC1.k16tst.test.loc:389
Directory: Windows Server 2016
Base DN: DC=k16tst,DC=test,DC=loc

dn:OU=Unix,OU=TestOU,DC=k16tst,DC=test,DC=loc
>parentdn: OU=TestOU,DC=k16tst,DC=test,DC=loc
>msDS-parentdistname: OU=TestOU,DC=k16tst,DC=test,DC=loc

dn:CN=UnixCN,CN=TestContainer,DC=k16tst,DC=test,DC=loc
>parentdn: CN=TestContainer,DC=k16tst,DC=test,DC=loc
>msDS-parentdistname: CN=TestContainer,DC=k16tst,DC=test,DC=loc

dn:CN=unixCNgroup,CN=UnixCN,CN=TestContainer,DC=k16tst,DC=test,DC=loc
>parentdn: CN=UnixCN,CN=TestContainer,DC=k16tst,DC=test,DC=loc
>msDS-parentdistname: CN=UnixCN,CN=TestContainer,DC=k16tst,DC=test,DC=loc

dn:CN=unixgroup,OU=Unix,OU=TestOU,DC=k16tst,DC=test,DC=loc
>parentdn: OU=Unix,OU=TestOU,DC=k16tst,DC=test,DC=loc
>msDS-parentdistname: OU=Unix,OU=TestOU,DC=k16tst,DC=test,DC=loc

dn:CN=unixgroup2,OU=Unix,OU=TestOU,DC=k16tst,DC=test,DC=loc
>parentdn: OU=Unix,OU=TestOU,DC=k16tst,DC=test,DC=loc
>msDS-parentdistname: OU=Unix,OU=TestOU,DC=k16tst,DC=test,DC=loc

5 Objects returned

Now I could change AdFind to just use that attribute, but since I know for a fact that people are using AdFind against earlier Windows versions and non-Microsoft LDAP implementations, it will stay right where it is.

     joe
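For the servers where msDS-parentdistname does not exist, a client has to derive the parent from the DN it already has. Added example (not AdFind’s code): a small Python function that does this by splitting only at unescaped commas, so an RDN such as CN=Richards\, Joe is not cut in half; it is exercised on the DNs from the listing above plus one constructed escaped-comma case.

```python
# Added example, not AdFind code: compute an object's parent DN on the client, which is what
# a tool must do when msDS-parentdistname is unavailable (pre-2012 R2 AD, other LDAP servers).
def split_rdns(dn):
    """Split a DN into RDNs at unescaped commas, honouring RFC 4514 backslash escapes."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])      # keep the escape pair (e.g. '\,') intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    return rdns

def parent_dn(dn):
    """Parent DN of dn, or None when dn consists of a single RDN (nothing above it to name)."""
    rdns = split_rdns(dn)
    return ",".join(rdns[1:]) if len(rdns) > 1 else None
```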


5/10/2017

AdFind -sslinfo

by @ 9:06 pm. Filed under general, tech

One of the new switches I have added to AdFind V01.50.00 is the -sslinfo switch.

This is some functionality I have long wanted to have in AdFind, because getting info about the certs the Domain Controllers (or ADLDS) are presenting can be very useful, especially for troubleshooting. That being said, this switch should probably still have the BETA tag on it because it isn’t fully integrated into the rest of AdFind. That means you won’t be able to ask for just specific attributes that it outputs for the certs, or get the info in CSV format, or do ANY of the output manipulation that you can do with most things. You will also notice the normal server info header isn’t there either.

I do intend to fix it and make it work in the normal way. The reason it is done this way is that it was a last minute add because I needed it (which is why AdFind and 90% of its functionality was produced anyway), and it is outside the normal LDAP data stream flow, so it is outside of the space where I have all of the searching/formatting functionality.

If you haven’t checked it out though, it is pretty cool.

[Wed 05/10/2017 20:59:31.16]
E:\issues\OU_DC>adfind -hh k16tst-dc1.k16tst.test.loc -sslinfo

AdFind V01.50.00cpp Joe Richards (support@joeware.net) May 2017

dn:CN=Certificate Info,CN=k16tst-dc1.k16tst.test.loc
>ciEncodingType: X509_ASN_ENCODING (0x01)
>ciVersion: CERT_V3 (0x02)
>ciNotBefore: 2017/04/27-09:24:40 Eastern Daylight Time
>ciNotAfter: 2018/04/27-09:24:40 Eastern Daylight Time
>ciSignatureAlgorithm: 1.2.840.113549.1.1.13
>ciIssuer: CN=CA1,DC=k16tst,DC=test,DC=loc
>ciSubject: CN=K16TST-DC1.k16tst.test.loc
>ciAltNameDNSName: K16TST-DC1.k16tst.test.loc
>ciAltNameDNSName: k16tst.test.loc
>ciAltNameDNSName: K16TST

dn:CN=SSL Connection Information,CN=k16tst-dc1.k16tst.test.loc
>ciProtocol: Transport Layer Security 1.2 client-side (SP_PROT_TLS1_2_CLIENT)
>ciCipherAlgorithm: AES 256-bit encryption algorithm (CALG_AES_256)
>ciCipherStrength: 256 bits
>ciHashAlgorithm: 384 bit SHA hashing algorithm (CALG_SHA_384)
>ciHashStrength: 0 bits
>ciKeyExchAlgorithm: Ephemeral elliptic curve Diffie-Hellman key exchange (CALG_ECDH_EPHEM)
>ciKeyExchStrength: 255 bits

The command completed successfully

[Wed 05/10/2017 20:59:33.33]
E:\issues\OU_DC>adfind -hh k16tst-dc2.k16tst.test.loc -sslinfo

AdFind V01.50.00cpp Joe Richards (support@joeware.net) May 2017

dn:CN=Certificate Info,CN=k16tst-dc2.k16tst.test.loc
>ciEncodingType: X509_ASN_ENCODING (0x01)
>ciVersion: CERT_V3 (0x02)
>ciNotBefore: 2017/04/08-12:15:53 Eastern Daylight Time
>ciNotAfter: 2018/04/08-12:15:53 Eastern Daylight Time
>ciSignatureAlgorithm: 1.2.840.113549.1.1.13
>ciIssuer: CN=CA1,DC=k16tst,DC=test,DC=loc
>ciSubject: CN=K16TST-DC2.k16tst.test.loc
>ciAltNameDNSName: K16TST-DC2.k16tst.test.loc

dn:CN=SSL Connection Information,CN=k16tst-dc2.k16tst.test.loc
>ciProtocol: Transport Layer Security 1.2 client-side (SP_PROT_TLS1_2_CLIENT)
>ciCipherAlgorithm: AES 256-bit encryption algorithm (CALG_AES_256)
>ciCipherStrength: 256 bits
>ciHashAlgorithm: 384 bit SHA hashing algorithm (CALG_SHA_384)
>ciHashStrength: 0 bits
>ciKeyExchAlgorithm: Ephemeral elliptic curve Diffie-Hellman key exchange (CALG_ECDH_EPHEM)
>ciKeyExchStrength: 255 bits

The command completed successfully


5/4/2017

AdFind V01.50.00 Released

by @ 9:49 pm. Filed under general, tech, updates

May the Fourth be with you. :)

I have uploaded the release version of AdFind V01.50.00 to the www.joeware.net web site. You can find it at:

http://www.joeware.net/freetools/tools/adfind

I have mentioned previously some of the updates; the big change was switching from CodeGear (Embarcadero, previously Borland) C++ Builder to Visual Studio 2015 and then to Visual Studio 2017. That conversion alone results in a 20%+ improvement in performance.

I have to eat some dinner so I will try to write some more blog entries later on about some of the new features. Mostly at this point you all know what the tool does and this just does it a little better than before.

    joe 


5/2/2017

AdFind close to the finish line…

by @ 5:04 am. Filed under general, tech

I believe we will see AdFind released in the next few days. It seems to be very stable; I use it every single day for literally thousands of queries of a very large production Active Directory environment (millions of user accounts). The speed improvements are amazingly useful, especially for the Security Descriptors. I got most of what I wanted into it, though to be honest what I mostly wanted was a stable Visual Studio version with Windows 2016 decodes. I am working on updating the web page now. I had to go find the old web site source code as I switched laptops since the last time I released, and silly me didn’t put the web site code with the rest of my source code… When am I going to learn that web pages are like app code, if not actual app code, and need version control just like my cpp files?? I guess now. :)

BTW, sad day. I finally bit the bullet and switched it from reporting Active Directory Application Mode if the ADAM service is older than the 2003 era service. The reason being that the number of emails I was receiving saying “Hey it is calling my ADLDS server an Active Directory Application Mode Server, what is wrong with the tool??” has increased substantially, and I don’t have the time to explain to every admin who doesn’t understand the history. Overall, quick rant… The quality of admins (in general, not just AD) has been going down in the world, sadly, as well as those who understand the history. I am not the only one seeing this; I have had conversations with several well known (to me and the general AD public) MVPs and former MVPs who feel the same. Even though the product is in the C:\Windows\ADAM folder and has ADAM in the default installation path, a lot of people now no longer know what ADAM is… Congratulations Microsoft Marketing…

Long live ADAM!

adam


4/28/2017

Flash Back Friday

by @ 7:11 pm. Filed under general, tech

 

But the schema says description is multivalued…

http://blog.joeware.net/2006/01/21/222/

