joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

1/5/2012

So we watched Food, Inc…

by @ 7:59 pm. Filed under rants

So after several years of many people saying "You have got to watch Food, Inc." Tracy, Ashley, and I sat down and watched it last night through my brand spanking new Roku XS via streaming from Amazon (totally free because I am an Amazon Prime member).

Food, Inc Streaming on Amazon oh and here is the Roku XS


Quite frankly, and sadly, there wasn’t a lot in there that surprised me. Much of it I knew of through news reports or had made educated assumptions about based on the news reports or my own occasional investigations into food in the stores. My mind doesn’t just try to work out issues around Active Directory, Windows or even just computers, anytime I hear any kind of issue my brain goes off on its own and tries to work out how the issue could have occurred and what could have been done to prevent it.

However, I was completely shocked by the statistic that in the 70s the FDA performed on the order of 50,000 inspections of meat facilities but by the 90’s that had reduced to somewhere south of 10,000 with the idea that the companies could be "self-policing". Poppycock. Doveryai, no proveryai. The other big shock was over the part about the patenting of Soy Bean seeds and how one company pretty much owns all soy beans grown now. That not only shocked me but was outright ridiculous. Just plain stupid in fact. Then on top of it laws that prevent citizens from actually speaking their opinion on foods in states like Colorado? Hello? People bitching all over about what our current president is doing yet no major focus on issues we have had for years that have far more dire and direct consequence?

The piece on Kevin’s law which would give the FDA the right to shut a facility down that actively needs to be shut down and the fact that it keeps getting introduced in congress and never gets out of committee really pissed me off. Again, this doesn’t surprise me, I think government is one of the main sources of scoundrels and corrupt human beings but hearing of this absolutely common sense item being blocked for so long is insane. The fact that I can tell you the movie stars who got divorced this last month and who is going to what bowl games but had no clue this important legislation was being blocked for so long tells you how bad our "news and media" is in terms of reporting what is actually important. The whole country is being slowly poisoned by our food supply and we are more worried (or at least told by the press that we are more worried) about some nitwit nobody person who is famous for being famous marrying some noodle head basketball player who is now famous for being married and divorced from the person who is famous for being famous. Sigh.

Back to the soybeans… Monsanto was just doing what it could do to try and make money and get ahead in its business, you can’t fault them for that unless you feel that companies should be looking out for the welfare of our population which if that is the case, what color is the sky in your world because that certainly isn’t the world we live in. No, it was our government’s job to look out for our welfare and to stop the BS that Monsanto pulled off on the farmers. The government failed on a massive scale. Crap like that is the kind of thing that could get me to one day choose to run for office and try to find a way to stop the stupid stuff that gets through. In order to do it, it would require fixing how congress works at a fundamental level.

Now don’t think I am all "crazy" against everything the movie said I should be against. I didn’t agree with all of the points stated either.

The first thing I didn’t agree with was that they seemed to imply at one point that if this very low income family would simply switch from the crap fast food to eating "good food" then the husband/father’s Type 2 diabetes would magically clear up, all would be good, and they wouldn’t have to spend a couple of hundred dollars a month on medicine. This is a chicken and egg problem though. The family, with their current level of knowledge, can’t just switch and spend the money on the good food and hope dad makes it through the "getting healthy" period alive, or at least not blind, without his meds. I also didn’t agree that fast food was always the cheapest food. Is it cheaper than the processed foods in the stores? Almost certainly. But you can get unprocessed staple items for a lot cheaper than the special pears they were trying to compare the fast food to. Obviously one of the complaints was that they didn’t have enough time to cook good food as well… That excuse doesn’t work for me; if you don’t work on eating better you won’t have any time for anything – you will likely be dead or in a hospital.

The next thing I didn’t agree with was the implication that if everyone just stopped buying the "bad food" and only bought from local organic farmers everything would be magically fixed. This is completely unreasonable from two viewpoints in my mind. The first being simple economics and the second being scale of operations.

First the economics… Have you looked at the cost of organic food? I looked up the yogurt mentioned in the show, Yobaby yogurt. That yogurt on Amazon (Walmart doesn’t carry it within 50 miles of my house) was $19.14 + $13.41 shipping and handling for six 4 oz containers. We eat a lot of yogurt, eat it daily, in fact I am eating a nice Yoplait Mountain Blueberry yogurt as I write this. I can tell you, I couldn’t fit that organic yogurt cost into my weekly or even monthly food budget with all the other stuff I am paying for (like my old house that I couldn’t sell in this market for anywhere near what I owe if my life depended on it thanks to the lack of real oversight by the government into the banks making crappy loans) and I make pretty good money – while I’m not in the "infamous" 1% I am not anywhere near the bottom either. If that were the cost of the only yogurt ever available again I wouldn’t have another bite of yogurt again which means some other possibly less healthy snack choice.

Another economic issue is with the CSAs (Community Supported Agriculture). I took the time to look at a CSA farm that is about 15 miles from my house this morning. They want you to pay a subscription every year for 16-18 weeks of vegetables during the summer. The cheapest membership that gives you vegetables (and vegetables only) on a weekly basis was $600.00. Note that there is no guarantee of quality or quantity or that you will ever get ANY product at all; you as a member assume all risk. You pay the money, they try to produce something, and whatever, if anything, they harvest you get a portion of if you come pick it up. I happen to have had the foresight and capital to buy a house in a relatively rural area so I have several local farms around me that I use extensively in the summer, and I can tell you that even shopping at them multiple times a week I don’t even come close to spending $600. A more realistic amount is likely $360-$400 for GUARANTEED quality and quantity, as I pick out exactly what I want before I pay for it and I get the type and quantity of the items that I want. Perhaps this week I want a bunch of radishes and corn but no peppers. Next week the opposite. I do not understand how anyone can think that CSA makes sense other than the people collecting the money. Sorry, that model will not ever work in any significant way at those types of prices with the risk being solely assumed by the consumers.

The other reason everyone switching to local organic isn’t going to work is sheer scale. The movie actually stated the problem but failed to recognize it and question the guy who was stating that buying local organic was the answer to everything. The problem is that farmers cannot scale to the volume required without themselves becoming the giant farms that the movie was pointing at as the bad guys. It was stated that a classic farmer could feed a number of people in the single or low teen digits. Certainly that is higher with machinery, but I do not believe for a moment that they are going to reach the volume the "big farms" can attain, measured in the hundreds of people, without the same shortcuts and pesticides, etc. Ditto all of that for local organic meat suppliers. Just thinking about the feeding of the cows alone, the amount of land it would require to expand the farms out so that the cows could constantly get fresh grass is unrealistic.

There was more but I am done typing. If you haven’t seen the movie I do recommend it. It is likely to be extremely eye opening to many people. Perhaps if enough people watched it and responded to it the bitching about the government would be about things we could fix by removing the corruption versus the talking points politicians choose to throw out there as topics they want to talk about.

   joe


1/4/2012

sAMAccountName is always unique in a Windows domain… or is it?

by @ 7:33 pm. Filed under tech

So while chatting with an admin this week he mentioned that his company synced data from their single domain forest into an external database with a primary key of sAMAccountName. This was a topic of interest for him because they had just learned it was possible to have two different objects in Active Directory with the same sAMAccountName value. They learned this little known but important piece of information through direct experience, as it actually happened to them. When something like that happens, it messes with any external systems that are using sAMAccountName as a unique key, causing varying levels of chaos and disaster, and it isn’t all that great for the AD admins either because it is likely to cause some level of authentication issues for whoever is duplicated.

I know what you are thinking, "but joe… while SAM Names aren’t unique within a multi-domain forest, they are supposed to be unique within a domain!!!" And that is absolutely correct, they are *supposed* to be unique in a domain[1]. That is, however, a far cry from being guaranteed to be unique. What’s the difference you ask? The difference is this… If something is supposed to be unique, some decent but reasonable amount of work will be put into play to produce a method that will be used to try to reach a state where you are generally going to have a unique value. If something is guaranteed to be unique, whatever amount of work is necessary to assure that there is no way you can duplicate values no matter what you do is used instead. The sAMAccountName attribute falls squarely into the *supposed* to be unique category. Microsoft gives it the old college try to work towards uniqueness but doesn’t go whole hog and absolutely make sure it isn’t possible.

Those of us who have been around since the NT4 days or perhaps those who do a lot of work with the SAM DB on non-domain controllers (member servers, standalone servers, and client machines) are quite used to and expectant of the ability to have unique sAMAccountNames. Since you have but a single SAM DB (aka a portion of the registry) that can be updated at any given moment, that SAM DB is going to be able to enforce uniqueness. Once we moved into the world of Active Directory and a loosely consistent multi-master replication model things changed and the lines blurred a little.

Creating objects with duplicate sAMAccountName attributes method 1 – loosely consistent multi-master replication

The first method to produce objects with duplicate sAMAccountNames that cropped up, a side effect really of the new cool "loosely consistent" replication engine coupled with the multi-master approach to directories, appeared the day Windows 2000 was released. As soon as you have more than one domain controller for a given domain, you have the ability to create objects that break the uniqueness rule for sAMAccountName. It is quite simple to accomplish: you simply create an object on two different domain controllers inside of the replication convergence period for those DCs. If the DCs are in the same site, that means you have seconds or possibly minutes for convergence; if the DCs are in different sites then you could have hours or days to accomplish the task.

For example, you take a simple script like

admod -hh joeware-dc1 -add -b cn=testcase1,ou=usersample,dc=joeware,dc=local objectclass::user samaccountname::testcase1
admod -hh joeware-dc2 -add -b cn=testcase1,ou=test,dc=joeware,dc=local objectclass::user samaccountname::testcase1

and run it and it is pretty likely you will generate two different user objects with the same sAMAccountName after replication convergence. Like so:

C:\temp>adfind -default -f name=testcase1

AdFind V01.45.00cpp Joe Richards (joe@joeware.net) March 2011

Using server: JOEWARE-DC1.joeware.local:389
Directory: Windows Server 2003
Base DN: DC=joeware,DC=local

dn:CN=testcase1,OU=usersample,DC=joeware,DC=local
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>cn: testcase1
>distinguishedName: CN=testcase1,OU=usersample,DC=joeware,DC=local
>instanceType: 4
>whenCreated: 20120103220701.0Z
>whenChanged: 20120103220701.0Z
>uSNCreated: 1011021
>uSNChanged: 1011022
>name: testcase1
>objectGUID: {85FF63EE-EF50-4EDB-8414-445ECEBB320A}
>userAccountControl: 546
>badPwdCount: 0
>codePage: 0
>countryCode: 0
>badPasswordTime: 0
>lastLogoff: 0
>lastLogon: 0
>pwdLastSet: 0
>primaryGroupID: 513
>objectSid: S-1-5-21-3641047700-3957557241-2644433309-7689
>accountExpires: 9223372036854775807
>logonCount: 0
>sAMAccountName: testcase1
>sAMAccountType: 805306368
>objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=joeware,DC=local

dn:CN=testcase1,OU=test,DC=joeware,DC=local
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>cn: testcase1
>distinguishedName: CN=testcase1,OU=test,DC=joeware,DC=local
>instanceType: 4
>whenCreated: 20120103220702.0Z
>whenChanged: 20120103220717.0Z
>uSNCreated: 1011023
>uSNChanged: 1011023
>name: testcase1
>objectGUID: {8C815AFB-42E1-4A0F-84AD-D0ABC0228F88}
>userAccountControl: 546
>codePage: 0
>countryCode: 0
>pwdLastSet: 0
>primaryGroupID: 513
>objectSid: S-1-5-21-3641047700-3957557241-2644433309-8111
>accountExpires: 9223372036854775807
>sAMAccountName: testcase1
>sAMAccountType: 805306368
>objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=joeware,DC=local

2 Objects returned


"but joe… what about the collision detection logic?"

admod -hh joeware-dc1 -add -b cn=testcase3,ou=usersample,dc=joeware,dc=local objectclass::user samaccountname::testcase3
admod -hh joeware-dc2 -add -b cn=testcase3,ou=usersample,dc=joeware,dc=local objectclass::user samaccountname::testcase3

C:\temp>adfind -default -f name=testcase3*

AdFind V01.45.00cpp Joe Richards (joe@joeware.net) March 2011

Using server: JOEWARE-DC1.joeware.local:389
Directory: Windows Server 2003
Base DN: DC=joeware,DC=local

dn:CN=testcase3,OU=usersample,DC=joeware,DC=local
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>cn: testcase3
>distinguishedName: CN=testcase3,OU=usersample,DC=joeware,DC=local
>instanceType: 4
>whenCreated: 20120103221530.0Z
>whenChanged: 20120103221530.0Z
>uSNCreated: 1011039
>uSNChanged: 1011040
>name: testcase3
>objectGUID: {DFA20362-6899-41F6-94F2-3B7D5924FB41}
>userAccountControl: 546
>badPwdCount: 0
>codePage: 0
>countryCode: 0
>badPasswordTime: 0
>lastLogoff: 0
>lastLogon: 0
>pwdLastSet: 0
>primaryGroupID: 513
>objectSid: S-1-5-21-3641047700-3957557241-2644433309-7691
>accountExpires: 9223372036854775807
>logonCount: 0
>sAMAccountName: testcase3
>sAMAccountType: 805306368
>objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=joeware,DC=local

dn:CN=testcase3\0ACNF:c928020b-f156-4e08-8e87-314eb8817a2a,OU=usersample,DC=joeware,DC=local
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>cn: testcase3\0ACNF:c928020b-f156-4e08-8e87-314eb8817a2a
>distinguishedName: CN=testcase3\0ACNF:c928020b-f156-4e08-8e87-314eb8817a2a,OU=usersample,DC=joeware,DC=local
>instanceType: 4
>whenCreated: 20120103221530.0Z
>whenChanged: 20120103221546.0Z
>uSNCreated: 1011041
>uSNChanged: 1011041
>name: testcase3\0ACNF:c928020b-f156-4e08-8e87-314eb8817a2a
>objectGUID: {C928020B-F156-4E08-8E87-314EB8817A2A}
>userAccountControl: 546
>codePage: 0
>countryCode: 0
>pwdLastSet: 0
>primaryGroupID: 513
>objectSid: S-1-5-21-3641047700-3957557241-2644433309-8113
>accountExpires: 9223372036854775807
>sAMAccountName: testcase3
>sAMAccountType: 805306368
>objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=joeware,DC=local

2 Objects returned

As you can clearly see, collision logic absolutely works for duplicated RDNs… but there is nothing around checking for duplication of sAMAccountName when replicating in objects from another DC. The only check in place for duplicate sAMAccountName attributes is on object instantiation when the SAM Rules code is called to validate the attribute settings for a given object.


Creating objects with duplicate sAMAccountName attributes method 2 – tombstone reanimation

The second method for creating objects with duplicate sAMAccountName attributes surfaced, again as a side effect, in Windows Server 2003 with the release of the new tombstone reanimation functionality. This is the functionality that gave you a basic object "undelete" capability in Active Directory. Prior to 2003 if you deleted something and needed it back, well you better have functioning backups. With Windows Server 2003 the AD team gave us the ability to recover the tombstones so they could be used again (YEAH![2]). This functionality is not all that well known and even some of the people who know about it don’t really know how to accomplish it so in most shops this method for duplicating the sAMAccountName attribute is not as likely[3].

So for example, here I will create a user object, delete it, create another user object with the same SAM Name and then recover the original user object’s tombstone.

C:\>admod -b CN=testcase5,CN=Users,DC=k8r2dom,DC=loc -add objectclass::user samaccountname::testcase5

AdMod V01.16.00cpp Joe Richards (joe@joeware.net) March 2011

DN Count: 1
Using server: K8R2Dom-DC1.k8r2dom.loc:389
Directory: Windows Server 2008 R2

Adding specified objects…
   DN: CN=testcase5,CN=Users,DC=k8r2dom,DC=loc…

The command completed successfully

C:\>adfind -showdel -default -f name=testcase5* samaccountname

AdFind V01.45.00cpp Joe Richards (joe@joeware.net) March 2011

Using server: K8R2Dom-DC1.k8r2dom.loc:389
Directory: Windows Server 2008 R2
Base DN: DC=k8r2dom,DC=loc

dn:CN=testcase5,CN=Users,DC=k8r2dom,DC=loc
>sAMAccountName: testcase5

1 Objects returned

C:\>adfind -default -f name=testcase5* -dsq | admod -del

AdMod V01.16.00cpp Joe Richards (joe@joeware.net) March 2011

DN Count: 1
Using server: K8R2Dom-DC1.k8r2dom.loc:389
Directory: Windows Server 2008 R2

Deleting specified objects…
   DN: CN=testcase5,CN=Users,DC=k8r2dom,DC=loc…

The command completed successfully

C:\>admod -b CN=testcase5,ou=testou,DC=k8r2dom,DC=loc -add objectclass::user samaccountname::testcase5

AdMod V01.16.00cpp Joe Richards (joe@joeware.net) March 2011

DN Count: 1
Using server: K8R2Dom-DC1.k8r2dom.loc:389
Directory: Windows Server 2008 R2

Adding specified objects…
   DN: CN=testcase5,ou=testou,DC=k8r2dom,DC=loc…

The command completed successfully

C:\>adfind -showdel -default -f name=testcase5* samaccountname

AdFind V01.45.00cpp Joe Richards (joe@joeware.net) March 2011

Using server: K8R2Dom-DC1.k8r2dom.loc:389
Directory: Windows Server 2008 R2
Base DN: DC=k8r2dom,DC=loc

dn:CN=testcase5,OU=testOU,DC=k8r2dom,DC=loc
>sAMAccountName: testcase5

dn:CN=testcase5\0ADEL:9a4e0a1f-4498-4ef3-aa1e-76bf0c69c61e,CN=Deleted Objects,DC=k8r2dom,DC=loc
>sAMAccountName: testcase5

2 Objects returned

C:\>adfind -showdel -default -rb "cn=deleted objects" -f name=testcase5* -dsq | admod -undel

AdMod V01.16.00cpp Joe Richards (joe@joeware.net) March 2011

DN Count: 1
Using server: K8R2Dom-DC1.k8r2dom.loc:389
Directory: Windows Server 2008 R2

Undeleting specified objects…
   DN: CN=testcase5\0ADEL:9a4e0a1f-4498-4ef3-aa1e-76bf0c69c61e,CN=Deleted Objects,DC=k8r2dom,DC=loc…

The command completed successfully

C:\>adfind -showdel -default -f name=testcase5

AdFind V01.45.00cpp Joe Richards (joe@joeware.net) March 2011

Using server: K8R2Dom-DC1.k8r2dom.loc:389
Directory: Windows Server 2008 R2
Base DN: DC=k8r2dom,DC=loc

dn:CN=testcase5,CN=Users,DC=k8r2dom,DC=loc
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>cn: testcase5
>distinguishedName: CN=testcase5,CN=Users,DC=k8r2dom,DC=loc
>instanceType: 4
>whenCreated: 20120104214547.0Z
>whenChanged: 20120104214802.0Z
>uSNCreated: 498225
>uSNChanged: 498257
>name: testcase5
>objectGUID: {9A4E0A1F-4498-4EF3-AA1E-76BF0C69C61E}
>userAccountControl: 546
>badPwdCount: 0
>codePage: 0
>countryCode: 0
>badPasswordTime: 0
>lastLogoff: 0
>lastLogon: 0
>pwdLastSet: 0
>primaryGroupID: 513
>operatorCount: 0
>objectSid: S-1-5-21-1767008341-141532995-3086693677-62124
>adminCount: 0
>accountExpires: 0
>logonCount: 0
>sAMAccountName: testcase5
>sAMAccountType: 805306368
>lastKnownParent: CN=Users,DC=k8r2dom,DC=loc
>objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=k8r2dom,DC=loc
>dSCorePropagationData: 20120104214802.0Z
>dSCorePropagationData: 16010101000000.0Z

dn:CN=testcase5,OU=testOU,DC=k8r2dom,DC=loc
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>cn: testcase5
>distinguishedName: CN=testcase5,OU=testOU,DC=k8r2dom,DC=loc
>instanceType: 4
>whenCreated: 20120104214650.0Z
>whenChanged: 20120104214650.0Z
>uSNCreated: 498237
>uSNChanged: 498238
>name: testcase5
>objectGUID: {05C87B3D-DFED-4740-9E6E-7F82BC499F82}
>userAccountControl: 546
>badPwdCount: 0
>codePage: 0
>countryCode: 0
>badPasswordTime: 0
>lastLogoff: 0
>lastLogon: 0
>pwdLastSet: 0
>primaryGroupID: 513
>objectSid: S-1-5-21-1767008341-141532995-3086693677-62125
>accountExpires: 9223372036854775807
>logonCount: 0
>sAMAccountName: testcase5
>sAMAccountType: 805306368
>objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=k8r2dom,DC=loc
>dSCorePropagationData: 16010101000000.0Z

2 Objects returned

C:\>

As you can see, we once again have two user objects in the same domain with the same sAMAccountName attribute values. A good argument could be put together that perhaps a validation of the SAM Name should be made in this case but like with replication, it just wasn’t something they wanted to put the extra work into as, again like replication, it is a pretty small edge case.


$DUPLICATE-<hexchars> for sAMAccountName???

"Ok joe… so while I don’t like it, it makes sense, but I swear I have seen $DUPLICATE-<hexchars> for a user or (more likely) computer objects in AD before so I thought that there was conflict resolution to handle these things for sAMAccountName like RDNs and (effectively) DNs???"

Yes, it is definitely possible you saw this, but that conflict resolution did not occur during either of the processes above. It occurred later, when someone tried to create yet another new object with the duplicated name or when someone tried to authenticate using the duplicated SAM Name.

Example 1 – creating a new object with the same duplicated SAM Name

C:\>admod -b CN=testcase5,cn=computers,DC=k8r2dom,DC=loc -add objectclass::user samaccountname::testcase5

AdMod V01.16.00cpp Joe Richards (joe@joeware.net) March 2011

DN Count: 1
Using server: K8R2Dom-DC1.k8r2dom.loc:389
Directory: Windows Server 2008 R2

Adding specified objects…
   DN: CN=testcase5,cn=computers,DC=k8r2dom,DC=loc…: [K8R2Dom-DC1.k8r2dom.loc] Error 0x44 (68) – Already Exists

ERROR: Too many errors encountered, terminating…

The command did not complete successfully

C:\>adfind -showdel -default -f name=testcase5 samaccountname

AdFind V01.45.00cpp Joe Richards (joe@joeware.net) March 2011

Using server: K8R2Dom-DC1.k8r2dom.loc:389
Directory: Windows Server 2008 R2
Base DN: DC=k8r2dom,DC=loc

dn:CN=testcase5,CN=Users,DC=k8r2dom,DC=loc
>sAMAccountName: $DUPLICATE-f2ac

dn:CN=testcase5,OU=testOU,DC=k8r2dom,DC=loc
>sAMAccountName: testcase5

2 Objects returned


Example 2 – trying to authenticate to the duplicated SAM Name

C:\>adfind -showdel -default -f name=testcase1 samaccountname

AdFind V01.45.00cpp Joe Richards (joe@joeware.net) March 2011

Using server: K8R2Dom-DC1.k8r2dom.loc:389
Directory: Windows Server 2008 R2
Base DN: DC=k8r2dom,DC=loc

dn:CN=testcase1,CN=Users,DC=k8r2dom,DC=loc
>sAMAccountName: testcase1

dn:CN=testcase1,OU=testOU,DC=k8r2dom,DC=loc
>sAMAccountName: testcase1

2 Objects returned

C:\>adfind -default -s base -dn -u k8r2dom\testcase1 -p password -exterr

AdFind V01.45.00cpp Joe Richards (joe@joeware.net) March 2011

LDAP_BIND: [] Error 0x31 (49) – Invalid Credentials
Extended Error: No extended error info available.
Terminating program.

C:\>adfind -showdel -default -f name=testcase1 samaccountname

AdFind V01.45.00cpp Joe Richards (joe@joeware.net) March 2011

Using server: K8R2Dom-DC1.k8r2dom.loc:389
Directory: Windows Server 2008 R2
Base DN: DC=k8r2dom,DC=loc

dn:CN=testcase1,CN=Users,DC=k8r2dom,DC=loc
>sAMAccountName: $DUPLICATE-f2aa

dn:CN=testcase1,OU=testOU,DC=k8r2dom,DC=loc
>sAMAccountName: testcase1

2 Objects returned
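A detection-side complement to the above, as an added example (my code, not joe’s and not part of AdFind): it parses AdFind output in the format shown throughout this post and reports the situations described here, live duplicates, tombstones that would become duplicates again if reanimated, names the DC has already rewritten to $DUPLICATE-<hex>, and \0ACNF: conflict objects. It assumes the output came from `adfind -showdel -default -f "samaccountname=*" samaccountname` (the `samaccountname=*` filter is my assumption), and the embedded sample is constructed to mirror the testcase1/3/5 results, not captured from a real domain.

```python
"""Audit AdFind output for duplicate sAMAccountName values.

Added example, not AdFind's or the blog's own code. It parses the format
AdFind prints on this page ("dn:" line, ">attr: value" lines, blank line
between records) and reports live duplicates, latent ones (a tombstone
sharing a name with a live object, which reanimation would bring back),
names the DC already rewrote to $DUPLICATE-<hex>, and \\0ACNF: conflicts.
"""
from collections import defaultdict

# Constructed sample modelled on the post's testcase1/3/5 results, as if
# produced by: adfind -showdel -default -f "samaccountname=*" samaccountname
SAMPLE_OUTPUT = """\
AdFind V01.45.00cpp Joe Richards (joe@joeware.net) March 2011

dn:CN=testcase1,CN=Users,DC=k8r2dom,DC=loc
>sAMAccountName: testcase1

dn:CN=testcase1,OU=testOU,DC=k8r2dom,DC=loc
>sAMAccountName: TestCase1

dn:CN=testcase3,OU=usersample,DC=k8r2dom,DC=loc
>sAMAccountName: testcase3

dn:CN=testcase3\\0ACNF:c928020b-f156-4e08-8e87-314eb8817a2a,OU=usersample,DC=k8r2dom,DC=loc
>sAMAccountName: testcase3

dn:CN=testcase5,CN=Users,DC=k8r2dom,DC=loc
>sAMAccountName: $DUPLICATE-f2ac

dn:CN=testcase5,OU=testOU,DC=k8r2dom,DC=loc
>sAMAccountName: testcase5

dn:CN=testcase5\\0ADEL:9a4e0a1f-4498-4ef3-aa1e-76bf0c69c61e,CN=Deleted Objects,DC=k8r2dom,DC=loc
>sAMAccountName: testcase5

7 Objects returned
"""

def parse_adfind(text):
    """Return [(dn, {attr_lowercase: [values]})], one tuple per record."""
    records, dn, attrs = [], None, None
    for line in text.splitlines():
        if line.startswith("dn:"):
            if dn is not None:                      # previous record not blank-terminated
                records.append((dn, dict(attrs)))
            dn, attrs = line[3:].strip(), defaultdict(list)
        elif line.startswith(">") and dn is not None:
            name, _, value = line[1:].partition(":")
            attrs[name.strip().lower()].append(value.strip())
        elif not line.strip() and dn is not None:   # blank line closes the record
            records.append((dn, dict(attrs)))
            dn, attrs = None, None
    if dn is not None:
        records.append((dn, dict(attrs)))
    return records

def is_deleted(dn):
    """True for a tombstone: AD rewrites its RDN to <name>\\0ADEL:<guid>."""
    return "\\0ADEL:" in dn

def find_sam_duplicates(records, include_deleted=False):
    """Map lower-cased SAM name -> DNs held by more than one object (the SAM
    matches names case-insensitively); tombstones skipped unless asked for."""
    by_name = defaultdict(list)
    for dn, attrs in records:
        if is_deleted(dn) and not include_deleted:
            continue
        for sam in attrs.get("samaccountname", []):
            by_name[sam.lower()].append(dn)
    return {name: dns for name, dns in by_name.items() if len(dns) > 1}

def find_resolved_collisions(records):
    """DNs whose SAM name the DC already renamed to $DUPLICATE-<hex>."""
    return [dn for dn, attrs in records if any(
        v.upper().startswith("$DUPLICATE-") for v in attrs.get("samaccountname", []))]

def find_conflict_objects(records):
    """DNs replication flagged as RDN collisions (\\0ACNF:<guid> in the RDN)."""
    return [dn for dn, _ in records if "\\0ACNF:" in dn]

def report(text):
    """Summarise one run: what a sync job keyed on sAMAccountName should check."""
    records = parse_adfind(text)
    live = find_sam_duplicates(records)
    with_deleted = find_sam_duplicates(records, include_deleted=True)
    return {
        "objects": len(records),
        "live_duplicates": live,
        "latent_duplicates": {n: d for n, d in with_deleted.items() if n not in live},
        "resolved_collisions": find_resolved_collisions(records),
        "conflict_objects": find_conflict_objects(records),
    }

if __name__ == "__main__":
    for key, value in report(SAMPLE_OUTPUT).items():
        print(f"{key}: {value}")
```

Feed it real output by piping the AdFind command into a file and calling `report()` on the file contents; anything in `live_duplicates` or `latent_duplicates` is a row that will collide in a database keyed on sAMAccountName.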


This concludes this blog post. I hope that it was informative and I hope to bring a lot more like this to the blog again this year. Once again I apologize for my relative absence last year. 🙂


   joe


[1] This is obviously about Active Directory Domain Services, ADAM or ADLDS can have duplicate sAMAccountName attributes all day assuming you have sAMAccountName defined in the schema. There is absolutely NOTHING in place to assure or guarantee anything for it.

[2] Anything that helps me avoid authoritative restores is a YEAH! type of thing. 🙂

[3] The main reason for the lack of knowing is likely that Microsoft never produced any kind of "reanimate" GUI interface, which effectively prevented some 90% of the Windows admins out there from ever knowing about it and probably even more from using it. A second "strike", if you will, was that a tombstone object didn’t normally have all of the attributes that were populated on the object prior to deletion, so even if you knew how to perform the reanimation, you may end up performing a restore of the object anyway to get all of the info for the object. Now if you knew about the functionality and you knew how to take advantage of it, it likely was very useful for you when absolutely needed and you didn’t want to fuss around with an authoritative restore (again [2]). Of course now we have recycle bin so we are many steps beyond tombstone reanimation now (or have the capability to be…) but in terms of this blog post, tombstone reanimation gave us a new method to duplicate a sAMAccountName.


12/28/2011

Default Tombstone Lifetime yet again… Alternate working title: TechNet why do you hate tombstoneLifetime and correct information?

by @ 10:15 am. Filed under tech

Many moons ago I wrote a post about how a TechNet article on the default tombstone lifetime was wrong. That TechNet article eventually ended up getting corrected at some point though it doesn’t seem to be properly linked anymore to the GUID URL that I had for it – so much for theory of never losing TechNet articles again because they were "unique" GUID links… Regardless, it has been brought to my attention that once again a TechNet article has screwed this simple topic up when updating it for PowerShell[1].

http://technet.microsoft.com/en-us/library/dd392260(WS.10).aspx

Both here

By default, tombstoneLifetime is set to null. When tombstoneLifetime is set to null, the tombstone lifetime defaults to 180 days (hard-coded in the system)

and

In Windows Server 2003 with Service Pack 1 (SP1), Windows Server 2003 with Service Pack 2 (SP2), Windows Server 2008, or Windows Server 2008 R2 operating systems, when tombstoneLifetime is set to null its value defaults to 180 days.

So for now and all eternity, please link to, copy and paste, recite, or whatever you do around this topic from this blog post.

The tombstoneLifetime attribute is very simple. Don’t worry about the operating system as it exists now, don’t worry about the operating system as it existed when the Active Directory was initially built, it is all moot. The one and only way to know what the tombstoneLifetime value for a forest is is to look at it.

  1. If the value of tombstoneLifetime is NULL or <NOT SET>, the value *IS* 60 days.
  2. If the value of tombstoneLifetime is > 0, the value *IS* the integer specified, measured in days.

You can easily ascertain the value by using the following command: [2]

adfind -config -f objectclass=ntdsservice tombstonelifetime

Which will look like

C:\>adfind -config -f objectclass=ntdsservice tombstonelifetime

AdFind V01.45.00cpp Joe Richards (joe@joeware.net) March 2011

Using server: K8R2Dom-DC1.k8r2dom.loc:389
Directory: Windows Server 2008 R2
Base DN: CN=Configuration,DC=k8r2dom,DC=loc

dn:CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=k8r2dom,DC=loc
>tombstoneLifetime: 180

1 Objects returned

Or if you really want to make this simple, use the following:

adfind -config -f objectclass=ntdsservice tombstonelifetime -oao 60

which will display the integer value no matter what through some AdFind "magic". That magic being that the -oao switch when specified with a value will populate that value in any empty attributes. So if the value isn’t populated in AD, it will still look like it is when the output is displayed.

For example, same command with one non-existent attribute to help illustrate the point:

C:\>adfind -config -f objectclass=ntdsservice tombstonelifetime hardcodedWindowsADTombstoneLifetimeValue -oao 60

AdFind V01.45.00cpp Joe Richards (joe@joeware.net) March 2011

Using server: K8R2Dom-DC1.k8r2dom.loc:389
Directory: Windows Server 2008 R2
Base DN: CN=Configuration,DC=k8r2dom,DC=loc

dn:CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=k8r2dom,DC=loc
>tombstoneLifetime: 180
>hardcodedWindowsADTombstoneLifetimeValue: 60

1 Objects returned

You can do the same with CSV

adfind -config -f objectclass=ntdsservice tombstonelifetime -nodn -csv 60

which could look something like:

C:\>adfind -config -f objectclass=ntdsservice tombstonelifetime hardcodedWindowsADTombstoneLifetimeValue -csv 60 -nodn
"tombstonelifetime","hardcodedWindowsADTombstoneLifetimeValue"
"180","60"

Simple?

In 2017, when this gets screwed up again in TechNet while they are describing how to figure it out with whatever new fancy tool they have switched to by then, the above information will STILL be correct and that AdFind command will still work just fine.


     joe


[1] Further proof that PowerShell isn’t doing anything new, it is simply redoing what was done before with more verbose commands… 😉

[2] Or… even shorter  "adfind -b -pr -f objectclass=ntdsservice tombstonelifetime". That can be an exercise for the class to figure out what is happening there. 


12/22/2011

Happy Winter Solstice. :)

by @ 3:02 pm. Filed under general

To all… Have safe and restive celebrations. Apologies for not getting much done in this space this last year, I will endeavor to perform better in the coming year. 🙂


And so as to not insult (real or imagined) anyone out there, a purely scientific salutation!


HappyWinterSolstice


12/17/2011

O’Reilly Updating eBooks…

by @ 12:16 pm. Filed under general

http://briandesmond.com/blog/active-directory-4th-edition-updates/


This seems kind of weird to me… So now we need version numbers on books.

Person1: Active Directory 4th Edition says xxx and yyy.

Person2: No it doesn’t, it says aaa and bbb.


12/14/2011

Updated WordPress Version…

by @ 9:09 pm. Filed under general

I have updated the WordPress software, if you run into issues, let me know. 🙂


     joe


12/12/2011

Two-Factor Authentication for AD as a best-practice or standard?

by @ 6:09 pm. Filed under tech

Is anyone out there using 2FA for AD as a best practice or their standard? I am not asking about things like VPN, I am simply meaning basic AD auth once you are already on the internal network.

    joe


12/8/2011

Calling all techno-nerds/geeks…

by @ 8:40 pm. Filed under tech

If you haven’t noticed, Radio Shack is making an honest attempt at wrangling in all the geeks/nerds that used to go hang out there back in the 80’s. Check out this DIY website they have set up, lots of cool Arduino projects.

http://www.radioshackdiy.com/

If there were only more time in the days for me… I am interested in playing with far too many things. 🙂


    joe


12/6/2011

Another alternative energy source

by @ 8:44 pm. Filed under alternatives

This is pretty cool, based on a Stirling Engine which was originally conceived in the early 1800’s!


http://www.whispergen.com


http://en.wikipedia.org/wiki/Stirling_engine


11/22/2011

Panning for Gold…

by @ 2:33 pm. Filed under quotes

Using scripts to process data is more like panning for gold than transmuting lead into gold. So if there is gold in the garbage, the scripts can find it, consolidate it, and output it in a shiny pretty form. If there isn’t any gold, then you will just get some finely sorted and polished garbage.

      – me

