Do you read the TechTarget emails? I look at them occasionally when something catches my eye, as of late the things that catch my eye end up being written by Derek Melber. Sadly, the articles usually are pretty bad. I say sadly because at one point, Derek was a Directory Services MVP. I am not entirely sure how he got that rating but I can’t say I am upset to see him not on the awardee listing anymore, interesting though that he still lists himself as one in his bio in the article mentioned below.
I once had to review a chapter he wrote for a Security book, unfortunately that chapter was also about AD. That chapter was marked up pretty bad when I was done. There were things that no one had ever heard of about AD in that chapter, well except maybe anyone who had read something by that author before. Unfortunately when I say no one, I mean no one, no one at MS, no one who wrote any part of the product, no one who had a clue how to use the product. I am not sure if it was an attempt at learning how to write the next Harry Potter novel or just sheer if I write it it is so chutzpah. It really sucks because the rest of that book was outstanding, I had the fewest comments and modifications for the main author of any book I have ever reviewed. Had I the time, I would have rewritten the entire chapter for free because I thought it was that far off base.
If you were at the Directory Experts Conference last year you will recall Derek practically being heckled off the stage as he set about saying many incorrect things, the highlights being that your NTLM creds (or was it the password, I don’t remember, I tried hard to forget) are sent along in Kerberos packets as a backup in case Kerberos isn’t working, and that the time zone of a DC can impact its replication, so don’t spread DCs across multiple time zones, and he knew this because he had helped a customer recover from it…. “insert scared smiley”
Anyway… You know it is bad when you are up on the stage talking about security of Microsoft Active Directory and the Microsoft Active Directory Security PM starts telling you you are wrong from the audience.
So…. what is it this time?
Techtarget / SearchWinIT.com article that came out today (2006-03-07)…
Subject: CLEANING UP ORPHANED DOMAIN CONTROLLERS IN ACTIVE DIRECTORY
First paragraph[1]
Computers that join an Active Directory domain create a trust relationship between one another, which allows the computer and domain controllers to communicate securely. There are times when Active Directory can get a bit confused and lose connections with computers that have joined the domain.
err ok…
Second paragraph
When a domain controller joins an Active Directory domain, it not only creates a secure relationship with the Active Directory database, it is also responsible for housing a copy of the database and authenticating computers and users as they send credentials at logon. If a domain controller loses its connection with the Active Directory database, it is considered to be an orphaned domain controller and needs to be cleaned up.
errrrrrrrrrrrrr. What do you mean loses its connection? Like it can’t read the DIT? It can’t establish a secure channel with other DCs? The time is wrong? No network connectivity? Replication is broken? The whozinitz isn’t inserting properly into the fleeglefarq? What?
Third paragraph
Cleaning up Active Directory Users and Computers
Even though a domain controller is orphaned and fails to authenticate objects to Active Directory, it does not mean that it won’t still show up in Active Directory Users and Computers. When this occurs, you can simply go into Active Directory Users and Computers and remove the icon for the domain controller. However, this will not complete your cleanup; you must still make sure that the object is deleted within the Active Directory database.
Even though a domain controller is orphaned and fails to authenticate objects to Active Directory (again, what does he mean by orphan?)
Remove the “icon” for the domain controller… (I didn’t know you could change let alone delete the icons without hacking the resource file, he must mean the Domain Controller computer object)
you must still make sure that the object is deleted within the Active Directory database… (err, here I think he might be talking about other objects in the directory that refer to the domain controller computer object, but that is a guess)
Fourth paragraph
Cleaning up Active Directory database
After deleting the computer object in the Active Directory Users and Computers, you now need to remove the Active Directory object from the Active Directory database within the domain controllers section. Use the ntdsutil utility. Just run ntdsutil from a command prompt to get into the interface for the utility. Then, enter the Metadata Cleanup menu. There, you will need to make connections to the correct domain and site where the domain controller resides. After you make these connections, you will be able to remove the server object successfully.
After deleting the computer object (Ah he did mean the computer object… Sort of reminds you of those instructions for how to build a model or a kite or whatever and it says, “glue this to that and hold together tightly” and then you turn the page to read “but first”…)
you now need to remove the Active Directory object from the Active Directory database within the domain controllers section (I haven’t the foggiest clue what he means here, that is probably because I only have 6 or so years of experience with AD)
Just run ntdsutil from a command prompt to get into the interface for the utility. (errr – how about “Run NTDSUTIL”)
Metadata Cleanup menu (Oh he meant that! Interesting way of putting it all)
Fifth paragraph
Cleaning up Active Directory sites
The interface for Active Directory sites does not always sync with the Active Directory database, so you need to ensure that the replication links are removed within the Active Directory Sites and Services interface. This involves simply going into the interface, finding the domain controller under the correct site and removing all replication links, including the domain controller object. You must remove all links referring to the orphaned domain controller referenced under the replication partners within the interface too.
The interface for Active Directory sites does not always sync with the Active Directory database (HUH?)
Argh!
I can’t take any more… I can’t say I have read a single article with his byline in the last year in TechTarget where I didn’t screw up my face and say, well, I guess you could kind of say he means this or that, but with this article there is no tracking what he is talking about. If someone described the process to me like this in an interview they would be ushered towards the door so fast you would hear a sonic boom.
He should have saved himself and others a whole bunch of pain and just linked to a Microsoft KB article that actually explains what needs to be cleaned up.
See http://support.microsoft.com/kb/216498
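Before touching ntdsutil it helps to know which of the objects that KB article covers are actually still around. The script below is an added example, not code from this post, the quoted article or the KB; it assumes the RSAT ActiveDirectory module and uses a constructed dead DC name (OLDDC01) as a placeholder. It only reports; the removal itself is still the ntdsutil metadata cleanup and Sites and Services work the KB describes.

```powershell
# Added example: list the leftover metadata of a DC that is gone for good.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined admin session.
Import-Module ActiveDirectory

function Find-StaleDcMetadata {
    param([Parameter(Mandatory)][string]$DeadDc)   # hostname only, e.g. OLDDC01

    $root     = Get-ADRootDSE
    $configNC = $root.configurationNamingContext
    $domainNC = $root.defaultNamingContext
    $findings = @()
    $ntds     = $null

    # 1. The computer object in Domain Controllers (what ADUC lets you delete).
    $comp = Get-ADComputer -Filter "Name -eq '$DeadDc'" -ErrorAction SilentlyContinue
    if ($comp) { $findings += "Computer object still present: $($comp.DistinguishedName)" }

    # 2. The server object and its NTDS Settings (nTDSDSA) object under CN=Sites.
    #    This pair is what ntdsutil's 'metadata cleanup' / 'remove selected server' removes.
    $server = Get-ADObject -LDAPFilter "(&(objectClass=server)(cn=$DeadDc))" `
                           -SearchBase "CN=Sites,$configNC"
    if ($server) {
        $findings += "Server object still present: $($server.DistinguishedName)"
        $ntds = Get-ADObject -LDAPFilter "(objectClass=nTDSDSA)" `
                             -SearchBase $server.DistinguishedName -SearchScope OneLevel
        if ($ntds) { $findings += "NTDS Settings still present: $($ntds.DistinguishedName)" }
    }

    # 3. Inbound replication links on OTHER DCs whose fromServer still points at the dead one
    #    (the 'replication partners' the article tells you to clean up in Sites and Services).
    if ($ntds) {
        $links = Get-ADObject -LDAPFilter "(&(objectClass=nTDSConnection)(fromServer=$($ntds.DistinguishedName)))" `
                              -SearchBase "CN=Sites,$configNC"
        foreach ($l in $links) { $findings += "Replication link still references it: $($l.DistinguishedName)" }
    }

    # 4. SYSVOL replication membership: FRS member (or DFSR member on newer domains).
    $sysvol = Get-ADObject -LDAPFilter "(&(|(objectClass=nTFRSMember)(objectClass=msDFSR-Member))(cn=$DeadDc))" `
                           -SearchBase "CN=System,$domainNC"
    foreach ($m in $sysvol) { $findings += "SYSVOL replication member still present: $($m.DistinguishedName)" }

    return $findings
}

# Constructed placeholder name; replace with the real dead DC before running.
$result = Find-StaleDcMetadata -DeadDc 'OLDDC01'
if ($result.Count -eq 0) { 'No stale metadata found.' } else { $result }
```

Run it again after the ntdsutil cleanup; an empty result means the directory no longer refers to the dead DC (DNS records are a separate check).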
I have another friend that writes for TechTarget, the articles this person writes are also about AD and aren’t too awful. 😉 I mentioned once before to this person that Derek probably shouldn’t be writing something that is read by people who won’t know better. I mention this again. I would like to simply blame it on the fact that he is a bad writer, unfortunately that isn’t the entire issue. If only… I can deal with bad writing.
joe
[1] I apologize if I wasn’t supposed to quote the newsletter here. Don’t worry it isn’t an attempt to steal the material or claim it as my own in any way shape nor form, I want no association to it whatsoever. In fact, feel free to say I said I couldn’t possibly have written it because it is the dead honest truth.
Is he going to be at DEC 2006?? I have a weak girly arm and I’m thinking that some practise shots with rotten tomatoes could be just the thing to help me reach my lifetime goal of becoming a professional heckler.
I hope he does not get paid for it. The crappy translation of a KB article.
>>>If a domain controller loses its connection with the Active Directory database, it is considered to be an orphaned domain controller and needs to be cleaned up.
I guess he means the AD service in Longhorn… I think the service is not running.. 😉
About the time zone thing…. I remember him saying something like: “don’t configure the PDC FSMO of the forest root domain with an external time source on the internet (or where ever) that is in ANOTHER timezone” –> my brain went: huh?
I was sitting in the front… When he said those things I raised my arm to ask a question of what he meant. I also looked back to check if someone else had questions about it….It scared the sh*t out of me as everyone in the room raised their hands. I thought : “he’s in deep… well you know what”
If you would have written this, I would think you must have been smoking something really bad. I think chances don’t even exist you could have written this. After I read this the first thing I thought was: “how does he make these things up”
I think I know why “some english dude you and I know” “likes” him so much! I think he just got another US fan. 😉
Cheers and see you at DEC,
jorge
Kat,
I do not know if he will be at DEC as an attender. I can say with strong confidence though that he isn’t presenting at DEC, ever again.
I am sure we can still find someone to throw tomatoes at though. Jorge would be a good target, we can see if we can get him to stop speaking in English. I guess you could always toss them at Dean and I as well, but watch out, Dean will throw back (and won’t stop speaking in English), I will simply ask for lettuce, bacon bits, and a little bit of Ranch salad dressing.
In fact, I would be interested to see the results of someone heckling Dean, I think he looks forward to people doing that. He gets heckled by some really good MS Internal folks when training them and keeps going back, I expect he has some great responses.
joe
Jorge,
Actually I knew about Derek before our Englishman did. I actually warned him and a few others. When I walked into the presentation I had promised myself and the Limey to not say a word and actually sat on my hands and bit my tongue and sat in the very back so as not to be enticed no matter what. Within the first 10 minutes Dean was ready to jump onto his seat and when Sanjay (then AD Security PM) started speaking up (entirely out of character for Sanjay who is extremely nice and quiet) I knew that my opinion wasn’t wrong. When most of the crowd started heckling I figured I had been wrong, I hadn’t been strong enough in what I had said.
I don’t fault him as a presenter, I don’t know if he was a good presenter or not, he started with flawed material. I don’t expect I am a good presenter either and will find out for sure this year. I know Dean is a great presenter and I expect to let him do all the hard work.
I just found an email address to send comments to TechTarget
kbull@techtarget.com
From: http://searchsecurity.techtarget.com/home/0,289692,sid1,00.html
Katherine Bull
Tell me how we can improve the site Write me at kbull@techtarget.com
joe
Gosh, who is this guy?? I have an idea – if you all at DEC will be there after your sessions you should organize some kind of ‘AD charity’ and gather spare AD related books from the attendees (I’m sure some of the people will have such with them at DEC). Then you can send them to this guy with “happy learning” wishes.
BTW: do you know if there will be some web interface for throwing tomatoes on-line for people who are not at DEC?:)
Y’all are welcome to take aim at me – but now that I’m forewarned, I will be packing my tennis racket, so it could get messy…
*grin*
Pamela
T:
I do not know the status of an eTomato capability for DEC, I would recommend a note to Gil at NetPro as he would be in charge of that.
P:
A tennis racket would be handy for dicing up a cheese block to put on the salad….
I was there at DEC and OMG was Derek out to lunch. It appears from the article that he is a strong adherent of the “Cargo-Cult” School of AD administration. See my favorite Eric Lippert blog entry – http://blogs.msdn.com/ericlippert/archive/2004/03/01/82168.aspx
True story about http://support.microsoft.com/kb/216498
I was once at an interview and the guy asked me what I would do if a DC crashed and was never recoverable. Pretend there was a fire.
I had seen you all and others quote that article so many times and I had read it so many times that I quoted the technet article number. I told him lookup 216498 and perform a metadata cleanup. This guy was so impressed and I was offered the job there.
I thought it was a softball question… I can’t imagine what an interview with Joe or Jorge must be like.
A job interview with me???…. To give you an idea, until now I have sent everyone home after the interview that I have talked with. The fastest one right after 15 minutes. Am I proud of it? In a certain way.. NO!
An interview with me normally takes about 2 hours. Within those 2 hours I walk through the CV and ask a lot of (technical) details.
Instead of being honest and saying “sorry, I don’t know that” (which I prefer), people start talking about all kinds of b*llsh*t. And after a while I go like… WHAT!?
The best one ever until now… (and I’m not making this up!) A guy that had a job interview for an Active Directory specialist within our company. In his CV he said something like worked with AD a lot. So, “stupid me” felt like asking what “AD” meant. He did not know the answer. He put it in his own CV. Duhhh! I first thought he was kidding me, but he really did not know what AD meant.
Simply said: I hate it when people start talking crap just not to let you know they don’t know something.
An interview with Joe… I wonder if I would survive that!
I am not all that bad actually. And more actually, I don’t do much interviewing, the most I did was several years ago and the folks stopped asking me to step into the interviews because I don’t much believe in the standard interviewing process.
In that I mean that I don’t get into the “what kind of questions should you ask about AD” nor the Microsoft mechanism of asking some off the wall question and seeing how you handle it. I am more of a conversational interviewer, talk to me, tell me about yourself and what you things you like. Then questions pop up in my mind as we go along. I don’t like the direct what do you know about this specific tech questions because they are too immediate and you can study for it. I don’t like the MS questions because I think they are silly and I have met a lot of people that have passed those tests that I would never consider for a technical position.
I recall that had I been interviewed by the strict proper questions technique I wouldn’t have gotten my first job when I got back into IT. The position was for supporting OS/2 servers with OS/2 and Win31 clients on Token Ring. I had no experience with any of it. Instead the panel interview (6-8 managers if I recall) sat and chatted with me about what I like, etc. In the end they said they absolutely wanted me and asked me which of the three positions that were open I wanted, to which I responded I don’t know anything about any of the three positions and I trusted their judgement on which I would be best for. Within six months I was bumped up from support to planning and architecture helping lead the new direction on where they should go. Had they asked me the almost obligatory “someone can’t print to a network printer” question I wouldn’t have had a clue and would have been jettisoned out the door. They had listened to me and figured out that I was a person who fit their culture and liked the stuff so it really didn’t matter what I knew walking in the door, they were confident I would fit and make a difference and I ended up doing so.
So I like tackling the problem the same way. Nowadays, folks will send me a resume (CV) to look over and give comments on what may be accurate and what may be fabricated and what areas they should press on if any. Especially if some of the experience listed is from a company I have done work with in the past. It is quite funny what people will put on a resume when they think it can’t be verified.
Some of the best folks I have worked with have had experience that wouldn’t have seemed to have made them very good in IT. One was a TV/VCR salesman at Montgomery Wards (I did that too for several years), one was a fighter pilot, another worked at his dad’s liquor store as a stock boy, another was a printer toner replacement / printer repair guy for Digital Equipment, one was a person whose secret fantasy was to be a buyer for Saks Fifth Avenue, one was a stay at home mom, and one of the people with the most potential of doing amazing out of the ordinary completely new thinking and problem solving was an exotic dancer.
So I guess I don’t look to see how much you know about AD, anyone can learn stuff about AD or any tech for an interview, it is more about your depth of knowledge, the glint in your eye which shows if you like this stuff or not, and how fast you seem to give up on things.
joe
Joe (regarding eTomato): I think it is too late for this edition of DEC but I will try to suggest it to Gil for the next edition :).
Regarding interviews:
When I worked for HP in Poland in the Managed Services division I was often asked by my friend (who by accident was also my manager) to participate in interviews with candidates for AD related positions. It always took 1 hour or 1.5 hours with such a guy to talk through a chain of questions – I started with some general questions and then drilled down to “what if” or “how will you do that” or “how is this working” \ “what do you mean by that” \ “how do you check that” …. + some design questions. My friend asked me to do this because of my little adhesive attitude and in most cases it led to a “no thank you” situation.
In fact I was in most cases astonished at how these guys were performing their duties in their present job with such a lack of knowledge. But probably it was because the good guys didn’t want to work in Managed Services :).