joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

7/11/2013

Running virtual DCs on Windows Server 2012 Hyper-V?

by @ 12:16 pm. Filed under tech

You really want to get this applied ASAP then…

Windows RT, Windows 8, and Windows Server 2012 update rollup: July 2013

http://support.microsoft.com/kb/2855336

Specifically for

Active Directory database becomes corrupted when a Windows Server 2012-based Hyper-V host server crashes

http://support.microsoft.com/kb/2853952


   joe


Application Partitions have FSMOs too…

by @ 11:51 am. Filed under tech

Just a quick reminder now that we seem to have a flood of folks moving from 2003 to 2008R2 and 2012 Active Directory… 

Your application partitions like the Domain and Forest DNS Zones also have an Infrastructure Master (IM) FSMO role attached to them that may cause certain things to break if you don’t keep them up to date.

So for example, if you try to run the ADPREP /RODCPREP and you start seeing errors like:

Adprep encountered an LDAP error. Error code: 0x0. Server extended error code: 0x0, Server error message: (null).

Then check the infrastructure object of the NC with AdFind or some other tool and look at the fSMORoleHolder attribute to make sure that the value is a correct and valid value.

For example something like this:

G:\adprep>adfind -domaindns -f name=infrastructure fSMORoleOwner

AdFind V01.47.00cpp Joe Richards (joe@joeware.net) October 2012

Using server: DC1.dev.wtf.corp.com:389
Directory: Windows Server 2008 R2
Base DN: DC=DomainDnsZones,DC=dev,DC=wtf,DC=corp,DC=com

dn:CN=Infrastructure,DC=DomainDnsZones,DC=dev,DC=wtf,DC=corp,DC=com
>fSMORoleOwner:
CN=NTDS Settings\0ADEL:036c1840-901a-405e-a9c9-57b2991bee0a,CN=DELETED_DC\0ADEL:a0f01247-6724-4c06-ab64-68fcd071a339,CN=Servers\0ADEL:33779907-a4cd-44e3-9831-2eed4ea43430,CN=Default-First-Site-Name\0ADEL:2b50ea91-cb6c-492d-9f3e-43b62954dad4,CN=Sites,CN=Configuration,DC=dev,DC=wtf,DC=corp,DC=com

1 Objects returned

is bad…

You can read more at

http://support.microsoft.com/kb/949257

and

http://blogs.technet.com/b/the_9z_by_chris_davis/archive/2011/12/20/forestdnszones-or-domaindnszones-fsmo-says-the-role-owner-attribute-could-not-be-read.aspx

Of course if you have AdMod, you don’t need to use the script to modify the value. You can simply do something like

admod -b <DN_of_IM_Object> fSMORoleOwner::<DN_of_NTDS_Settings_Object_of_Desired_DC>
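The same check and fix, written as a PowerShell script using the RSAT ActiveDirectory module. This is an added example, not code from the post or from the AdFind/AdMod tools: it walks every naming context the DC reports in its RootDSE (so the domain NC plus application partitions such as DomainDnsZones and ForestDnsZones), reads each Infrastructure object's fSMORoleOwner, flags owners whose DN carries the \0ADEL: tombstone marker like the one above, and a second function writes a live DC's NTDS Settings DN into the attribute, which is the same write the admod line performs. Server and DC names are hypothetical.

```powershell
# Added example, not code from the joeware post or from AdFind/AdMod.
# Requires the RSAT ActiveDirectory module; run as an account that can read AD
# (and, for the repair function, write fSMORoleOwner on the Infrastructure object).
Import-Module ActiveDirectory

function Test-InfrastructureMasterOwner {
    # Report the Infrastructure Master owner of every naming context held by $Server,
    # including application partitions such as DomainDnsZones and ForestDnsZones.
    param(
        [Parameter(Mandatory)] [string] $Server   # hypothetical, e.g. 'DC1.dev.wtf.corp.com'
    )

    $rootDse = Get-ADRootDSE -Server $Server

    foreach ($nc in $rootDse.namingContexts) {
        # Schema and Configuration carry the Schema Master and Domain Naming Master
        # rather than an Infrastructure object, so skip them.
        if ($nc -eq $rootDse.schemaNamingContext -or
            $nc -eq $rootDse.configurationNamingContext) { continue }

        # The Infrastructure object sits directly under the partition head.
        $infra = Get-ADObject -Server $Server -SearchBase $nc -SearchScope OneLevel `
                              -Filter 'name -eq "Infrastructure"' -Properties fSMORoleOwner
        if (-not $infra) { continue }

        $owner = [string]$infra.fSMORoleOwner

        # "\0ADEL:" in the owner DN means the referenced NTDS Settings object is a
        # tombstone: the DC was removed without the role being moved, which is the
        # bad value the AdFind output in the post shows.
        $isTombstone = $owner -match '\\0ADEL:'

        # For a non-tombstone owner, confirm the NTDS Settings object actually exists.
        # Get-ADObject -Identity throws on a missing object, so use try/catch.
        $ownerExists = $false
        if ($owner -and -not $isTombstone) {
            try {
                $null = Get-ADObject -Server $Server -Identity $owner -ErrorAction Stop
                $ownerExists = $true
            } catch { $ownerExists = $false }
        }

        if ($isTombstone)     { $status = 'STALE: owner is a deleted DC' }
        elseif ($ownerExists) { $status = 'OK' }
        else                  { $status = 'UNRESOLVABLE: owner DN not found' }

        [pscustomobject]@{
            NamingContext = $nc
            InfraObject   = $infra.DistinguishedName
            Owner         = $owner
            Status        = $status
        }
    }
}

function Repair-InfrastructureMasterOwner {
    # Point the Infrastructure object's fSMORoleOwner at a live DC's NTDS Settings
    # object; this is the attribute write the admod command in the post performs.
    # Supports -WhatIf so the change can be previewed before it is made.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Server,          # DC to write to (hypothetical name)
        [Parameter(Mandatory)] [string] $InfraObjectDN,   # CN=Infrastructure,<partition DN>
        [Parameter(Mandatory)] [string] $NewOwnerDC       # hostname of a live DC that hosts this partition
    )

    $ntdsDn = (Get-ADDomainController -Identity $NewOwnerDC -Server $Server).NTDSSettingsObjectDN
    if (-not $ntdsDn) { throw "Could not resolve the NTDS Settings object for $NewOwnerDC" }

    if ($PSCmdlet.ShouldProcess($InfraObjectDN, "set fSMORoleOwner to $ntdsDn")) {
        Set-ADObject -Server $Server -Identity $InfraObjectDN -Replace @{ fSMORoleOwner = $ntdsDn }
    }
}

# Usage (hypothetical names):
#   Test-InfrastructureMasterOwner -Server 'DC1.dev.wtf.corp.com' | Format-Table -AutoSize
#   Repair-InfrastructureMasterOwner -Server 'DC1.dev.wtf.corp.com' `
#       -InfraObjectDN 'CN=Infrastructure,DC=DomainDnsZones,DC=dev,DC=wtf,DC=corp,DC=com' `
#       -NewOwnerDC 'DC1' -WhatIf
```

The DC named in -NewOwnerDC must actually hold a replica of the partition being repaired; the role holder for DomainDnsZones, for example, has to be a DC that hosts that zone partition, otherwise the value is technically valid but still useless.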

    joe

P.S. Yes I agree that error from AdPrep sucks ass. :)  When someone says they received LDAP Error Code 0x00 I am happy for them since the command completed successfully as LDAP Error 0x00 is LDAP_SUCCESS aka Sucessful request (sic). See more LDAP error codes (and perhaps some typos) at http://support.microsoft.com/kb/218185. 🙂


7/9/2013

Windows Server 2012 April 2013 Rollup – Install it…

by @ 10:25 am. Filed under tech

In April 2013 Microsoft released an update rollup for Windows Server 2012 and Windows 8. There are some important updates in the rollup such that people should work to get the updates installed ASAP, especially if virtualizing a server OS.

http://support.microsoft.com/kb/2822241

Specifically for folks who manage AD and may get a call about this… There is a fix around an access denied issue when an object access audit policy is defined to domain members (I saw several posts on the inter-web on this in relation to VMware and drives that are configured as hot-plug).

http://support.microsoft.com/kb/2811670

    joe


6/17/2013

Please Vote!!!

by @ 1:17 pm. Filed under general

I have a personal request of everyone that reads this blog or knows someone who reads this blog or if you even just have a computer! My girlfriend Tracy Stefanides has been nominated for a customer service award called the ROSE award here in the Detroit Metro area. She is really good at what she does and really deserves this recognition. If you could go to this link

http://theroseawards.com/component/events/?view=vote&layout=listing&cid%5B0%5D=13&action=list_nominees&categories_id=4&category_name=Restaurants

and vote for her that would be great! If you can, vote from multiple devices and/or browsers. 🙂

Please vote by June 22nd!


    thanks, joe


6/9/2013

Utility Downloads Working Again

by @ 9:57 pm. Filed under general

I want to apologize to anyone who tried to download any utilities the last few days and were unable to.

I finally have the download CGI script working properly. The script has worked solid since 2010 for literally tens of thousands of downloads and suddenly, with no edits to it, no change in the time stamp, no change in permissions, no nothing, stops working. The hosting provider POWWEB (powweb.com) dragged their feet "troubleshooting" for a couple of days and finally came back to me and said everything is fine and the script is broke. They couldn’t explain to me why a script that has worked flawlessly for three years should suddenly break when no one has touched it.

So I spent 15 minutes and debugged the script line by line (yes the old print "I am here – 1!… print "I am here – 2!" game)  and found that the redirect line at the very end was failing and causing the web daemon to throw a 500 Internal Server error. When I pulled the line out all by itself in its own CGI script it failed again with the same error.

The redirect line outputs a pair of lines: a line with a 302 status message and a line that specifies the new location for the file, which forces the redirect. Removing the status line completely caused the script to start working properly again.

<rant>

So once again I have been reminded of how bad the POWWEB support team is and when I have an issue just try to sort it out myself. <sarcasm> Go team. </sarcasm>

If you are going to tell me that my issue is a script problem, I am not sure why it takes two days to get to that point – how fast can you test the web daemon and CGI module to validate that your server is functioning properly? And I say that as a high level escalation engineer for a very large IT service company, not as someone without a clue. I, someone who doesn’t deal with web scripts but once in a while, sorts out the issue in 15 minutes that the "professionals" couldn’t sort out in 2 days?

</rant>

So anyway, once again you can download utilities, my deepest apologies for the delay.


    joe


6/7/2013

Website Issues

by @ 2:13 pm. Filed under general

Folks trying to download joeware utilities may be encountering issues right now. I am working with the Hosting Provider to get it fixed.


  joe


5/28/2013

Role Based Access Control Products for Active Directory

by @ 9:33 pm. Filed under tech

This is an open call out to the AD Community asking for folks to comment (or email me) with a list of the Role Based Access Control Products that they are aware of. Specifically tools that do NOT use native AD ACLing but instead perform all access via proxy like can be done with Quest Active Roles Server.


      joe


5/16/2013

Everything you need to get started with Active Directory

by @ 2:45 pm. Filed under tech

I saw this link on my friend Bob’s blog (http://www.bobbobel.com/the-everything-active-directory-page) today…

Everything you need to get started with Active Directory

http://blogs.technet.com/b/ashleymcglone/archive/2012/01/03/everything-you-need-to-get-started-with-active-directory.aspx


I see a glaring omission but I will let it slide. 😉


   joe


5/13/2013

Virtual DC Poll Results

by @ 10:29 pm. Filed under tech

Once again, apologies for the slow turnaround time on this. It was a combination of being really busy with my real job along with the poor questions I asked and the way the poll plugin worked. I had to work out how to extract the raw data from the MySQL DB to make some real sense out of it. Also as mentioned, I am pretty sure we had some ballot box stuffing going on so I did some filter based on IP addresses. I am looking around for some better polling software. I likely will have to use something outside of WordPress based on what I have seen so far but hope to put together a better poll that is well suited to multi-question polling.

So this is NOT a scientific poll. I need better software, better questions, and a bigger sample set as well as a method to guarantee unique responses to get something I would call scientific. However it is still very interesting and enlightening, at least to me.

Overall I was pretty surprised to see the penetration of the virtual DCs in production environments. This is not even close to what I have been experiencing out in the field with the hundreds of customers I work with. 


So we start off with Lab environments. Good to see so many lab environments, it seems to be the first thing cut in many orgs when they don’t want to spend money thereby turning their production environment into their lab. I shouldn’t have to point out that that can be a bit dangerous. I was surprised there was a response of "No, we don’t need one."; I put that response in as sort of a trick response. The "No, we have a lab domain in the production forest" also kind of surprised me. That being said, I regularly see environments that have no lab environment. It sucks and I usually find out after something has hurt their production environment and I ask how the testing went in the lab and I am fed all sorts of excuses of why they don’t have one and why they don’t need one in the face of an actual outage that would have been exposed had it been tested in a lab environment.

image


Next up, RODCs. RODCs don’t seem very popular. This aligns with what I generally see out in the world. A lot of folks start with plans for RODCs but then run into the implementation details and decide they don’t want to do it or, for some reason, usually apps, can’t do it.

image


Of the folks using RODCs, a lot of them are being virtualized. I am absolutely behind that. In fact I have long thought Server Core Virtual RODCs was a really good branch office design.

image


This is the breakdown of the size of environments of folks that responded. Again I was surprised, this time by the number of responses from folks with what I generally consider smaller environments. I am really glad to see it though because it isn’t just the customers with 100,000 users that need to use efficient command line methods to effectively support their environment with minimal costs.

image


For environments under 25,000 users, virtualization is very heavy in the poll. If you are in this space I could see how people think "everyone" is virtualizing. I just recommend that you really follow the guidelines from MSFT. In smaller environments that I have run into outside of work that have virtualized DCs they usually aren’t following one or more of the guidelines, usually completely or nearly completely compromising their redundancy.

image


image


And the biggest surprise for me was the 25,000-or-more-users space. This is completely outside of what I see in my real work. It hasn’t penetrated as much as it has in the smaller environments but still, there is a lot of it out there.


image


image


5/10/2013

The Cloud…

by @ 8:08 pm. Filed under quotes


[joeware – never stop exploring… :) is proudly powered by WordPress.]