So unfortunately I had to make a change that I very much try to avoid making with my utilities: I modified the core behavior of one of the shortcuts. Certainly this is much less painful than changing the core behavior of a switch, but it is still painful.
First… why do I avoid making core behavior changes to switches, et alii? Anyone who has written a script or batch file likely knows… The reason is that people have scripts and batch files written that depend on the tools, and if you change the default core behavior of the underlying tool, every one of those scripts has to be looked at again.
So what did I change and why… I changed the shortcut -sc adobjcnt. The change was absolutely required because the shortcut is actually broken for specific scenarios. Broken you say?? No way joe, I use it regularly, it works like a champ. And yes, I thought the same thing… Right up until I got a few emails from people who use their root domain in a multi-domain forest for more than an empty placeholder[1][2]… If they actually want to count the objects in the parent domain *and just* the parent domain then there is an issue. The issue being that I, in my infinite lack of omniscience, had set the -gc switch as one of the switches in the shortcut. I did it because I thought I was going to help people out. If you want to get a user count of, say, your Asia domain and you are sitting in Iowa, why not hit a Global Catalog that is 100 feet away instead of a Domain Controller on the other side of the world for that information? Much, much faster that way, and it doesn’t require the admin to have a full understanding of how the AD world works in order to be a little more (hopefully) productive.
Example 1: Single Domain Forest – not a problem with the current shortcut
F:\dev\cpp\>adfind -gc -root -s one -dn
AdFind V01.45.00cpp Joe Richards (joe@joeware.net) March 2011
Using server: DC1.dom1.loc:389
Directory: Windows Server 2008 R2
Base DN: DC=dom1,DC=loc
dn:CN=Builtin,DC=dom1,DC=loc
dn:CN=Computers,DC=dom1,DC=loc
dn:OU=Domain Controllers,DC=dom1,DC=loc
dn:CN=ForeignSecurityPrincipals,DC=dom1,DC=loc
dn:CN=Infrastructure,DC=dom1,DC=loc
dn:CN=LostAndFound,DC=dom1,DC=loc
dn:CN=Managed Service Accounts,DC=dom1,DC=loc
dn:CN=NTDS Quotas,DC=dom1,DC=loc
dn:CN=Program Data,DC=dom1,DC=loc
dn:CN=System,DC=dom1,DC=loc
dn:CN=Users,DC=dom1,DC=loc
11 Objects returned
Example 2: Non-standard Multi-Domain Forest – Multiple Domain Trees – not a problem with the current shortcut (NOT RECOMMENDED!!!!)
F:\dev\cpp\>adfind -gc -root -s one -dn
AdFind V01.45.00cpp Joe Richards (joe@joeware.net) March 2011
Using server: DC1.dom1.loc:389
Directory: Windows Server 2008 R2
Base DN: DC=dom1,DC=loc
dn:CN=Builtin,DC=dom1,DC=loc
dn:CN=Computers,DC=dom1,DC=loc
dn:OU=Domain Controllers,DC=dom1,DC=loc
dn:CN=ForeignSecurityPrincipals,DC=dom1,DC=loc
dn:CN=Infrastructure,DC=dom1,DC=loc
dn:CN=LostAndFound,DC=dom1,DC=loc
dn:CN=Managed Service Accounts,DC=dom1,DC=loc
dn:CN=NTDS Quotas,DC=dom1,DC=loc
dn:CN=Program Data,DC=dom1,DC=loc
dn:CN=System,DC=dom1,DC=loc
dn:CN=Users,DC=dom1,DC=loc
11 Objects returned
But if you back up a level…
F:\dev\cpp\>adfind -gc -b dc=loc -s one -dn
AdFind V01.45.00cpp Joe Richards (joe@joeware.net) March 2011
Using server: DC1.dom1.loc:389
Directory: Windows Server 2008 R2
dn:DC=dom1,DC=loc
dn:DC=dom2,DC=loc
dn:DC=dom3,DC=loc
3 Objects returned
Example 3: Standard Multi-Domain Forest – Single Domain Tree – this is a problem when non-empty root
F:\dev\cpp\>adfind -gc -root -s one -dn
AdFind V01.45.00cpp Joe Richards (joe@joeware.net) March 2011
Using server: DC1.dom1.loc:389
Directory: Windows Server 2008 R2
Base DN: DC=dom1,DC=loc
dn:CN=Builtin,DC=dom1,DC=loc
dn:DC=child1,DC=dom1,DC=loc
dn:DC=child2,DC=dom1,DC=loc
dn:DC=child3,DC=dom1,DC=loc
dn:CN=Computers,DC=dom1,DC=loc
dn:OU=Domain Controllers,DC=dom1,DC=loc
dn:CN=ForeignSecurityPrincipals,DC=dom1,DC=loc
dn:CN=Infrastructure,DC=dom1,DC=loc
dn:CN=LostAndFound,DC=dom1,DC=loc
dn:CN=Managed Service Accounts,DC=dom1,DC=loc
dn:CN=NTDS Quotas,DC=dom1,DC=loc
dn:CN=Program Data,DC=dom1,DC=loc
dn:CN=System,DC=dom1,DC=loc
dn:CN=Users,DC=dom1,DC=loc
14 Objects returned
The issue crops up, like I said, when you have a parent domain in a multi-domain forest. When you specify -gc, the naming contexts of the child domains are all present on the Global Catalog and appear as ordinary branches under the parent domain in the LDAP tree, so a subtree search returns every object matching the LDAP filter from those branches as well as from the part of the tree you really wanted.
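As an added example (not AdFind’s own code), here is the check a script can do if it still hits a GC on purpose: classify each returned DN by the naming context that owns it and count only the objects the parent domain itself owns. The NC list and the DN list are constructed here from Example 3 (the NCs are what a rootDSE namingContexts attribute would list); the hypothetical child objects are made up.

```python
# Added example, not AdFind's own code: given the DN list a Global Catalog
# subtree search returns for the parent domain, count only the objects the
# parent domain's naming context (NC) owns. Child NCs hang under it on a GC.

def split_dn(dn):
    """Split a DN into RDNs on unescaped commas (RFC 4514 backslash escaping)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep escaped pair intact
            cur.append(ch + dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return [p.lower() for p in parts]         # DN comparison is case-insensitive

def owning_nc(dn, naming_contexts):
    """Return the most specific NC (longest matching suffix) that contains dn."""
    comps, best, best_len = split_dn(dn), None, 0
    for nc in naming_contexts:
        nc_comps = split_dn(nc)
        n = len(nc_comps)
        if n > best_len and n <= len(comps) and comps[-n:] == nc_comps:
            best, best_len = nc, n
    return best

def count_in_nc(dns, base_nc, naming_contexts):
    """Count objects owned by base_nc itself, excluding any child NC under it."""
    return sum(1 for dn in dns if owning_nc(dn, naming_contexts) == base_nc)

# Constructed sample: the forest's NCs as rootDSE namingContexts would list
# them, the 14 DNs from Example 3, plus two made-up objects inside child1.
NAMING_CONTEXTS = ["DC=dom1,DC=loc", "DC=child1,DC=dom1,DC=loc",
                   "DC=child2,DC=dom1,DC=loc", "DC=child3,DC=dom1,DC=loc"]
GC_RESULT = ["CN=%s,DC=dom1,DC=loc" % cn for cn in (
    "Builtin", "Computers", "ForeignSecurityPrincipals", "Infrastructure",
    "LostAndFound", "Managed Service Accounts", "NTDS Quotas", "Program Data",
    "System", "Users")] + ["OU=Domain Controllers,DC=dom1,DC=loc"] + [
    "DC=child%d,DC=dom1,DC=loc" % i for i in (1, 2, 3)] + [
    "CN=Users,DC=child1,DC=dom1,DC=loc",
    "CN=Smith\\, John,CN=Users,DC=child1,DC=dom1,DC=loc"]
```

count_in_nc(GC_RESULT, "DC=dom1,DC=loc", NAMING_CONTEXTS) gives 11, the same figure a plain DC returns in Example 1, while the GC handed back 16 DNs.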
I have been working through this for a while now, trying to figure out the best way to fix it because, again, I didn’t want to make behavior changes. But none of the excuses I can come up with about what users could or should do when using the utility seem to allow me to NOT change it. I don’t mind making users do their work when using my utilities, but when they have to hop on one foot and balance a flaming can of gasoline I figure that is a bit extreme.
So it is with regret that I have to announce that the -sc adobjcnt shortcut will no longer specify the -gc switch for you. If you actually want to hit the GC then you will need to specify the -gc switch separately. I know, I know, not very painful, but I am sure someone somewhere won’t read this nor the release notes that will come out for V01.46.00 until after something bad has happened based on the new count values being returned, and I will get a nice nastygram about it. So be it; when you have done it, written me to complain, and read the link to this blog post I sent back, know that "I told you so!" ;) Anyway, if you have the -sc adobjcnt switch specified in some batch files, just do a nice find and replace of "-sc adobjcnt" with "-gc -sc adobjcnt" and that should take care of it nicely for you.
joe
[1] Wild but true, there are indeed people who have non-empty root multi-domain forests… When I see them I sometimes think "So you could argue the point about not having an empty root, but couldn’t go the step further and argue for just having a single domain forest model?"
[2] It will also have issues if you have grandchildren domains. But I don’t like to mention grandchildren domains because they make me itch. If you have grandchildren domains you almost certainly turned left at the wrong time along the AD design process. I can’t say I have ever, in my more than a decade of working on Active Directories around the world, walked into a facility and said either of "Oh you have (multiple domain trees | grandchildren domains)[3]!!! Great idea!"
[3] Perl regex expression there, means either string in parens.
“Oh you have (multiple domain trees | grandchildren domains)[3]!!! Great idea!”
Funny as hell!! Not only are your blog posts back and great in 2012… this is my first saved Joeware quote for the year.