joeware - never stop exploring... :)

On a regular basis I will say some tool or app or something requires DFL2 or DFL3 or FFL2 or something like that, I am amazed still how many people do not know what that means and I get a response of “huh? I don’t think I have that tool.” or “I typed in DFL2 and it says it is a bad command".”   

DFL stands for Domain Functional Level. It tells you quickly the minimum level that your Domain Controllers in a given domain must be. And FFL stands for Forest Functional Level. And you may surmise it tells you what the minimum level that your Domain Controllers must be across the entire forest. Here is a nice KB about it all http://support.microsoft.com/kb/322692.

These functional levels are important because certain types of functionality only become available once you hit certain functionality levels. A few “important” FL’s that I regularly mention:

• DFL2 – Windows Server 2003 Domain Functional Level. This DFL gets you the lastLogonTimeStamp attribute.
• FFL2 – Windows Server 2003 Forest Functional Level. This FFL gets you Linked Value Replication (LVR) which is a pretty substantial change in how your replication works. To most people that means that you don’t replicate entire group memberships when a single member changes, you replicate just the changed values. It means that you can avoid a particularly nasty replication error due to version store exhaustion you could hit with very large groups and it also means that you can have the opportunity to experience lingering backlinks.
• DFL3 – Windows Server 2008 Domain Functional Level. This gets you Fine Grained Password Policy.
• FFL4 – Windows Server 2008 R2 Forest Functional Level. This gets you to a state that you can enable the AD Recycle Bin.

 

You may ask… but why would they need to do this… Because when you are writing operating systems, you can’t always back port every function to every old version of the OS. This could be due to substantial changes in the new OS that just won’t allow the change to be ported backwards, or it could be more costly than it is worth, or it could be a desire to get people to upgrade to the new versions so you can stop supporting the old versions or say, make money on selling new versions of the OS.   So you have to set a minimum bar and the bar is set via the DFL and FFL requirements. You want the whole domain or the whole forest to be at that required level because you want consistency. Say you only have fine grained password policy working on 1/3 of your domain controllers, how much fun would that be for your users? Not much at all if I can hazard a guess. You would need to know what the OS of your DC is before you could know properly what kind of password you might be able to use or whether you will lock out or not for some given bad number of attempts. Or from a replication standpoint, if 1/4 of your DCs know about LVR but the other 3/4’s don’t, that would be a pain in the butt to deal with even if MSFT said, we will waste the time to write the code to make this work for you by sending the whole group membership to those 3/4 that don’t know LVR.

 

Here is a quick pair of tables to tell you the DFL/FFL numbers and their related OS level…

DFL Level	OS Version
0	Windows 2000
1	Windows Server 2003 (interim)
2	Windows Server 2003
3	Windows Server 2008
4	Windows Server 2008 R2

 

FFL Level	OS Version
0	Windows 2000
1	Windows Server 2003 (interim)
2	Windows Server 2003
3	Windows Server 2008
4	Windows Server 2008 R2

 

If you are looking at the values of “1” and thinking, “WTF is that?” Don’t worry about it. It is rare and unless you are a developer of AD software or actually dealing with a situation that requires you to be involved with a D/FFL1 environment, you don’t need to worry about it. I personally have never seen one in actual production, only in test labs. If you want to learn what it is, knock yourself out, I am not going to spend any more time on it here.

BTW, you can easily ascertain what functionality modes you are at with AdFind and querying the RootDSE of a DC.

Ex 1:

C:\>adfind -rootdse domaincontrollerfunctionality domainfunctionality forestfunctionality

AdFind V01.42.00cpp Joe Richards (joe@joeware.net) April 2010

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003

dn:
>domainFunctionality: 2 [Windows Server 2003 Domain Mode]
>forestFunctionality: 2 [Windows Server 2003 Forest Mode]
>domainControllerFunctionality: 2 [Windows Server 2003 Mode]

1 Objects returned

Ex 2:

C:\temp>adfind -rootdse domaincontrollerfunctionality domainfunctionality forestfunctionality

AdFind V01.42.00cpp Joe Richards (joe@joeware.net) April 2010

Using server: K8R2Dom-DC01.K8R2Dom.loc:389
Directory: Windows Server 2008 R2

dn:
>domainFunctionality: 4 [Windows Server 2008 R2 Domain Mode]
>forestFunctionality: 4 [Windows Server 2008 R2 Forest Mode]
>domainControllerFunctionality: 4 [Windows Server 2008 R2 Mode]

1 Objects returned

 

   joe

It has been almost 11 years since Windows 2000 and Active Directory hit the world and apps are still having issues. At this point I just want to look at vendors and say “Seriously??? Figure it out already.”.

So I am just going to start typing issues that I have encountered that by now shouldn’t really be issues IMO. Maybe by doing this, vendors will stumble upon it and make sure their apps don’t have these issues. This isn’t an all inclusive list, this is just me typing things that pop into my head as I sit here watching TV.

Simple Binds

The first thing that pops into my head is simple bind. If you are using simple bind you absolutely should be using LDAPS. Period. You have this important (at least it should be right?) application that needs to talk to AD so they give you an ID and you set a nice safe secure password to keep the ID and your application and any data it has access to safe and then you throw out there in the clear for the world to see.

Hard-coding DCs

Hard-coding DCs is probably one of the most frustrating things to hit Active Directory Admins around the world. Someone thinks their application is so important that, of course, the AD Admins, who have nothing else to worry about, will be constantly focused on the DC the application people decided to target and make sure it has 110% uptime. Ah yeah, not going to happen. Application vendors, developers, integrators, and support teams… the AD Support people have lots of things to do that have nothing to do with your application, they very likely don’t even remember talking to you about your app if they know you exist at all.

There are multiple ways to solve this issue but the most professional is to set things up like MSFT intended. Microsoft didn’t come up with the idea of publishing SRV records for the services so they could keep the DNS people in work, they did it so applications can locate DC resources as needed. I have seen teams in companies working on UNIX apps as long ago as 2002 writing their own DC Locator services. If these teams who work for companies whose focus in the world is something entirely different than writing software to integrate with AD can pull this off, how come vendors who write LDAP products that they sell can’t accomplish the same thing? Especially when they say their applications are Active Directory aware. I would propose that if an LDAP based application can’t locate the closest DCs via some sort of DC Locator functionality, they are NOT Active Directory aware and we should be pretty quick to tell them that. I haven’t looked in a while, but I expect JNDI still doesn’t work right for this[2]. That is pretty annoying because it is so ubiquitous out there, if they could fix that, lots of apps would be fixed.

Poor Handling of Multiple Domain / Complex Domain Configurations

What is an Active Directory forest supposed to look like? Default answer for most companies, including sometimes, even MSFT, one single domain in the forest. Reality though is much different. As much as many companies, especially now a days, would like to have a single domain forest for their corporate AD, they often have an AD forest that was built up from several geographically based NT4 domains that they had deployed before AD came along. Possibly even having more than one or two domains for a single geographic area. This could be for a variety of reasons but the most common I have encountered are 1) NT4 SAM DB size limitations  2) Corporate HQ gets its own domain and everyone else in the geographic region gets another 3) Business user domain versus manufacturing domains.

These domains are often combined in a variety of configurations. The most common I have experienced is the empty forest root with child domains for each of the geographic domains. This is so common for me that I am in shock if I don’t see it in larger multinational companies. You will have company.com, na.company.com (or am.company.com or americas.company.com or nam.company.com or northam.company.com or amer.company.com, etc), eu.company.com (or emea.company.com or ema.company.com or europe.company.com, etc), ap.company.com (or apj.company.com or apac.company.com) and possibly a few more depending on the company. But in general, you have americas, europe/middle east, and asia pacific rim all as children of the forest root. I have also encountered a case where someone actually used grandchildren domains which is, for me, unusual to see. You will also occasionally run into environments where different domain trees are deployed. Out of all of these, the different domain trees are probably the worst for normal MSFT based apps and scripts. Most scripts do not take this case into account and if you try to run generic scripts that make assumptions instead of properly checking the RootDSE for the namespace and therefore get confused and can’t find things they should be finding.

People writing tools for alternate LDAP directories that get “ported” to work on AD tend to make additional mistakes that hurt you even when you have a nice pretty namespace layout (as defined by having a nice clean domain hierarchy like parent and 3 children). That issue is that they have you point at a single DC (aka LDAP server) and expect to be able to see the whole LDAP hierarchy for the forest. That can work, but only if you point at a Global Catalog and specify the GC port… But wait, now you don’t have access to all of the attributes and if the tool writes to AD, that offers additional issues. Add in multiple domain trees and you can totally freak out those alternate directory tools.

Lack of Paging/Ranging Support

This one is another one of the “If your LDAP app can’t do this, your app really isn’t Active Directory Aware” items in my book. I hate when I see emails or forum posts or any mechanism of asking, hey, how do I change the page size or default range size in Active Directory because I have an app that doesn’t do paging/ranging. My response is usually of two parts, 1) “If you increase it now, what happens later when that isn’t enough? You raise it again? Will your app be smart enough to know it has hit the limit?”  2) Go beat on the vendor to fix their app.

If you have are a vendor and your app doesn’t page or range properly, you can be 100% sure that if one of your customers or your possible customers asks me about it and what I think I will say they need to run as fast as they can from your app because you do not know enough about Active Directory to be messing with it.

LDAP Signing/Sealing

LDAP Signing and Sealing is really cool, for security. It sucks for when you are trying to troubleshoot an application that doesn’t have good logging and you want to use a network sniffer to figure out what is happening. Application developers, yes use LDAP Signing and Sealing, but please give an easy to find and use method to disable it at least for short periods of time so when your application isn’t doing what is expected, we have a method to troubleshoot it that doesn’t entirely depend on what you foresaw you needed to do for logging. Hey if it only disables for 24 hours and then resets itself or maybe it resets itself between every launch of the app, whatever, that is fine.

LDAP Logging

This is one I fall down on myself, logging of LDAP transactions. Active Directory’s logging is traditionally pretty weak. Many LDAP Servers will log darn near everything you could possibly want from the requests the server will handle to a text file, Active Directory doesn’t. Now there is some stuff in the Event Tracing functionality that is more difficult than just saying, log this stuff to a text file, but I haven’t yet had time to dig into. You can learn more from Brandon (http://bsonposh.com/archives/347) and Tony (http://www.activedir.org/Articles/tabid/54/articleType/ArticleView/articleId/49/Default.aspx).

Inefficient and/or Incorrect Queries

This one really irks me when I see it from big time vendors. While paging and ranging and domain controller location and even complex forest structures take some decent knowledge to figure out, an ok filter really shouldn’t be that difficult. A vendor who doesn’t produce a decent query for AD really should invest some time and money into figuring it out. At the very least read the following document – http://msdn.microsoft.com/en-us/library/ms808539.aspx. It’s bad enough to find this in apps when looking at network traces (and yes even MSFT has screwed this up themselves) because you can maybe hope no one will go look and see what you screwed up, but when you actually publish this in a support document you publish on the web… sheesh. As a recent example, I had to go through the Google Apps Directory Sync for Postini Services document this last week, I ran into a couple of bad queries right off:

All users, but exclude disabled users:

(&(&(objectclass=user)(objectcategory=person))(!(userAccountControl=514)))

This isn’t inefficient, it is just incorrect. If you are checking for disabled users, you need to perform a bit-wise check of userAccountControl, not check it for a specific value.

Active Directory LDAP: All users
(objectClass=person)

Unless you have indexed objectClass or you have deployed Windows Server 2008, this will be inefficient. Also it will return more than users… such as contacts, trusts, etc.

Active Directory LDAP: All email users (alternate)
(&(objectclass=user)(objectcategory=person))

This one is incorrect for what they are looking for, it is an efficient query for all users… Regardless of email status. Will still get trusts btw.

If Google is looking for good AD people… contact me… ;o)

Inefficient ADSI Use

This last one may confuse people. Folks may think… “Hey it’s a Microsoft framework, doesn’t it just work efficiently automatically?” No. This impacts people using ADSI directly or the .NET stuff that thunks down to ADSI, i.e. the stuff under System.DirectoryServices (excluding S.DS.Protocols). My recommendation here is if you aren’t completely positive about what ADSI is doing with what you are telling it, get out a network sniffer and look at the traffic for your operations and see if you can clean it up[1]. Heck do it even if you think you know exactly what it is doing. You could very likely find parts of your app that are incredibly inefficient and slow and unnecessarily beating up the DCs. One quick one here is app developers not taking advantage of IADs:GetInfoEx to pull the actual individual attributes needed versus the whole object. When and why is this important? If you have an app running on one machine that is dealing with one off AD Objects occasionally then the importance goes down a little as it won’t be generating a lot of load on the DC or network though personally I think you should still only pull what you need. If it is an app running on hundreds of thousands of machines and you are pulling the whole object instead of just the attributes you need then you are pulling way too much data from the DC. Or if you have the app running on one machine but pulling lots of objects, again, you are pulling way too much data from the DC.

 

    joe

 

[1] I would love for the Microsoft Developers on the Exchange team to pay attention to this point because I was looking at an Exchange 2010 network trace the other day and the best thing that I had to say was that whatever I was looking at was an unnecessary network and AD utilization pig. Every object that it pulled it pulled twice. The first time to see if it existed with just the objectClass, the next time it pulled the whole object, for every object.

[2] UPDATE (2010-12-09): I was looking for something and I found what appears to look like good news for JNDI. It seems that in the JNDI 1.5 docs they discuss automatic discovery of LDAP Service. (http://download.oracle.com/javase/1.5.0/docs/guide/jndi/jndi-ldap.html)  It doesn’t look like they look at site specific records, but at least they are looking at LDAP SRV records which is further along than they were previously that I recall.

The other day I had an IM conversation that went sort of like:

AD Engineer [12:37 PM]:
I’ve got a puzzler here… you around?  I know it’s lunchtime
Richards, Joe (Active Directory) [12:37 PM]:
what up dog?
AD Engineer [12:38 PM]:
lol
k in ADUC, tool of champions, I see a count
Richards, Joe (Active Directory) [12:38 PM]:
What is this ADUC that you speak of?
AD Engineer [12:38 PM]:
COMPANY.COM\OU1\OU2 has contacts, sync’d from Lotus notes
so…
filter is set to 2000 objects by default
Richards, Joe (Active Directory) [12:39 PM]:
k
AD Engineer [12:39 PM]:
click the OU, and it shows 2000 of 15048
Richards, Joe (Active Directory) [12:39 PM]:
k
AD Engineer [12:39 PM]:
use adfind -b ou=OU2,ou=OU1,dc=company,dc=com -h dc01 -sc adobjcnt
and I get 8264

Raise your hand if you think AdFind has the right count.

Ok.

Raise your hand if you think ADUC has the right count.

Ok.

Anyone encounter this before?

Likely anyone who has more than 2000 objects in any container in their directory that they have looked at in ADUC has seen this situation whether they knew it or not.

Sometime after Windows 2000, Microsoft decided that there were containers with lots of objects in them and that GUIs likely needed to make decisions about how to best display the information based on the number of objects in the containers. For example, if you know a container has around 10 objects in it, there is no real performance hit to grab them all and display them. However, if the container has 10,000 objects in it, there could be a serious impact to performance and you could lock a GUI up waiting for the objects to get pulled across the network and populated. So Microsoft added a new attribute in Windows Server 2003 (and ADAM) to address this need.

The attribute is called msDS-Approx-Immed-Subordinates. The documentation on the attribute is here.The attribute is a constructed attribute built on the fly every time you ask for it. It is a rough order of magnitude hip shot SWAG for the number of child objects in a container. The value could be close or it could be pretty far off, the more objects, the more “off” it will likely be. The idea is to give you a rough order of magnitude so you can make some decisions on how you want to access and display the data.

Here are some examples:

[Wed 11/10/2010 22:38:43.00]
C:\>adfind -schema -s base msDS-Approx-Immed-Subordinates -list
2254

[Wed 11/10/2010 22:40:35.23]
C:\>adfind -schema -s one -c -list

3992 Objects returned

 

[Wed 11/10/2010 22:40:41.40]
C:\>adfind -default -s base msDS-Approx-Immed-Subordinates -list
186

[Wed 11/10/2010 22:41:39.81]
C:\>adfind -default -s one -c -list

39 Objects returned

 

[Wed 11/10/2010 22:41:49.01]
C:\>adfind -config -s base msDS-Approx-Immed-Subordinates -list
12

[Wed 11/10/2010 22:44:23.68]
C:\>adfind -config -s one -c -list

10 Objects returned

 

You will notice that the smaller the true number, the closer the SWAG is.

 

So now here is a nice side use of the attribute if you need to find any empty OU’s so you can clean up your environment (we all need a little bit of cleanup right?) quick and easy like…

adfind -default  msDS-Approx-Immed-Subordinates -f objectcategory=organizationalunit -csv  | findstr \"0\"

That will give you a listing of all OU’s that have no objects in them.

 

Cool?

 

   joe

For the longest time Gil’s book Active Directory Programming has been out of print and to buy it would cost you a couple of hundred dollars… That is pretty steep for the book although it is a good book. Well I just looked on Amazon today for someone else and found that there are several used copies of it up on Amazon now for less than $20… So go get that book. Then take it to TEC and have Gil sign it!!!

I actually bought myself another one just to have a spare. Not sure why, but it felt like the right thing to do. In fact, that is a great thing to do… So everyone out there should maybe buy a spare of my book too – Active Directory for Totally Cool People.  

 

   joe

http://www.engadget.com/2010/11/02/international-space-station-marks-ten-years-of-continuous-habita/

http://nexus.realtimepublishers.com/accwp.php?ref=dj4

The book does require registration, but there’s no corporate sponsor – so there’s no associated spamming

I think this could seriously rock.

 

http://www.appleinsider.com/articles/10/10/13/apples_anti_sexting_patent_generating_big_buzz.html

Apple patents are a dime a dozen but one discovered this week is grabbing the attention of even the largest media conglomerates because it appears as if it could be used by parents to prevent their children from participating in sexually-explicit text message conversations.