Firefly Anniversary on Science Channel November 11.
joeware - never stop exploring... :)
Information about joeware mixed with wild and crazy opinions...
11/1/2012
10/31/2012
AdFind V01.47.00 Released.
I just released AdFind V01.47.00 this evening. It is the Jack Skellington release. 😉
http://www.joeware.net/freetools/tools/adfind
It is a small batch of changes with one fairly important change that is in beta.
- Fixed bugs with -this,-ameta,-vmeta (and general metadata output).
- Changed Win8 decodes strings to Windows 2012.
- Added switch -nopaging.
- Added shortcut -sc ridpool.
The main reason I opened up the code to make changes was to change the Windows 8 references to Windows Server 2012. I also added some new decodes including a supportedCapabilities value that didn’t exist in the beta that I pinged the DS Team about and got them to add ">supportedCapabilities: 1.2.840.113556.1.4.2237 [LDAP_CAP_ACTIVE_DIRECTORY_W8_OID]", that OID name is straight from the MSDN docs.
Especially note the new BETA -nopaging switch. By default, from the very beginning, AdFind has used the LDAP Paging control so it could return any number of entries. Over the years I have had a few people ask for a switch to turn paging off. This is usually related to them trying to query some non-AD LDAP Directory that doesn’t support Paging or because of a bug in AD that messes with Index selection on paged queries (LDAP queries are executed more slowly than expected in the AD or LDS/ADAM directory service and Event ID 1644 may be logged).
I have wanted to add the -nopaging capability for some time but didn’t previously see a way, sort of like what happened with CSV output years ago all of a sudden something clicked and I realized how I could do it so here it is. It is beta because I have found a few oddities that I had to fix and it is possible there could be more as the main loop of the engine just wasn’t built with non-paged queries in mind.
There is also a fix for metadata output, specifically -vmeta for when there is a large number of value metadata entries. For whatever reason when I first set it up I didn’t set it up to properly decode the binary value when value ranging kicked in for the metadata attribute. If it screwed up, it was very obvious, the output would look something like:
dn:CN=group,CN=users,DC=test,DC=loc,DC=adam
>msDS-ReplValueMetaData;binary: X
>msDS-ReplValueMetaData;binary: X
>msDS-ReplValueMetaData;binary: X
>msDS-ReplValueMetaData;binary: X
>msDS-ReplValueMetaData;binary: X
>msDS-ReplValueMetaData;binary: X
>msDS-ReplValueMetaData;binary: X
>msDS-ReplValueMetaData;binary: X
<SNIP>
This isn’t a required upgrade but if you use AdFind to output metadata or work with Windows Server 2012 DCs I would recommend upgrading.
joe
Writing changes to only one ADAM/ADLDS instance
Since ADAM first came out I have received a similar question from several admins and developers (at least double digit but definitely not triple digit numbers) asking how they could make it so changes could only be written to a single ADAM instance so they could control the flow of replication better or always know they had at least one place they could always go for the absolute latest info like, for example, with the PDC and user account passwords in Windows Active Directory Domains. That way if an auth failure occurs, they can manually implement a PDC Chain like functionality. But this could be for other needs as well when you MUST know the absolute current answer to a given question and can’t trust that replication has occurred since the last change.
I wanted to go back to those folks to see how many actually implemented the process I described and if so, what issues they may have encountered with it and possibly what changes they made to the basic model to make it work more efficiently for them. I started searching my email and was not able to track any of them down which is certainly a failure on my part to properly archive my emails all in a nice clean single location (some day that may be the case…) combined with the destruction of I don’t know how many desktop and laptop machines since ADAM came out.
Anyway, I am hoping that one or more of those people may see this blog post and respond to me with feedback on the method. Basically that method involves using local IDs on a single ADAM instance machine.
So if anyone is using this method, please send me feedback (email or comment is good) on how it is working out. If I told you about it either through direct email or responding to a post in a newsgroup, please indicate that, if you got that solution from someone else (I am curious how many people invented this same solution) please indicate that as well. Or if you are just interested in hearing about how to set this up, please let me know that as well.
thanks!
joe
10/29/2012
Running AdFind in an iterative script
If you find that you are running AdFind in an iterative script, say digging up some given attribute for some large list of objects, try using the -DLOID switch. This tells AdFind NOT to download parts of the schema to help with decoding various attributes. You should notice a pretty decent speed increase since you will have less work and less traffic between the DC and the client. Of course if what you are doing depends on that decode. Well then you get to live with it. 🙂
10/18/2012
Forcing replication of SYSVOL via NTFRS
I have been asked this question something like four or five times by different people in the last three days who say they can’t seem to google the answer so here it is…
ntfrsutl.exe forcerepl DestinationDC /r "Domain System Volume (SYSVOL share)" /p SourceDC.domain.com
So if I have a PDC of JoePDC.joe.com and I have a DC named DC1.joe.com and I want to force replication of sysvol from the PDC to the DC, the command would be
ntfrsutl.exe forcerepl DC1 /r "Domain System Volume (SYSVOL share)" /p JoePDC.joe.com
or
ntfrsutl.exe forcerepl DC1.joe.com /r "Domain System Volume (SYSVOL share)" /p JoePDC.joe.com
That is all…
joe
10/5/2012
1AM – 6AM AD Support Call Handling 101: I will find you and I will kill you…
A friend sent me a humourous email today, I felt I should share…
From: SomeADDude
Sent: Friday, October 05, 2012 12:01 PM
To: joe
Subject: Was it wrong of me to answer an AD support call last night like this?I don’t know who you are. I don’t know what you want. If you are looking for a local member server change, I can tell you I don’t have the permissions to do that. But what I do have are a very particular set of skills; skills I have acquired over a very long career. Skills that make me a nightmare for people like you. If you withdraw your ticket now, that’ll be the end of it. I will not look for you, I will not pursue you. But if you don’t, I will look for you, I will find you, and I will kill you.
10/3/2012
AD Wiki RFC
Require registered user ids to add/edit content or no?
Try it anonymous first and see if it goes pear shaped and then lock down if necessary?
Comments or emails is fine, you know the drill. 🙂
joe
9/29/2012
Chardonnay…
Stuart: Hmm. Nice not to drink alone.
Raj: Amen to that. Sometimes I pour a little chardonnay into my dog’s water bowl.
Stuart: You’re kidding.
Raj: She’s kind of a mean drunk, but what are you gonna do?
Stuart: Cheers.
Raj: Cheers.
– Big Bang Theory
In the beginning…
The story so far:
In the beginning the Universe was created.
This has made a lot of people very angry and been widely regarded as a bad move.
– Douglas Adams
[joeware – never stop exploring… :) is proudly powered by WordPress.]
