joeware - never stop exploring... :)

Recently there was a post on AD Org that spawned a discussion on the history of Active Directory. My friend ~Eric who is about as pragmatic as they come (though he can’t seem to get the hang of posting regular blog posts[1]) said well heck if we want the history of AD, lets all stop guessing about it and loop in the guy who is responsible for a huge portion of it. The Mr. AD himself, Don Hacherl, the guy I think of as being a 9/10 in AD when someone asks me to rate myself in AD technology and I say about a 5/6 while listening to some MCTs and other annoying folks declaring themselves a 9 when they haven’t even ever run a production AD.

Don is extremely intelligent, writes well, and was there with AD from the beginning. When he says something my initial response is always just to say “Oh ok” and accept whatever he says as authoritative and I don’t do that with many people, I often like to debate points. I can’t think of a single thing  I have read that he has written that I later changed my mind on and thought he was wrong about. I am sure there must something somewhere, but I haven’t hit it or at least don’t recall hitting it. I look forward to one day being lucky enough to meet him in person and shake his hand and say thanks for making such a cool product.

But anyway, Don took the time to respond to the AD Org list with his view on the history of AD which is great. Here are snippets of the conversation (not all emails and not all parts of the emails) below for your enjoyment and so we never lose it.

—

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of John Christie
Sent: Wednesday, August 06, 2008 4:17 PM
To: activedir
Subject: [ActiveDir] History of AD…

My colleague has made the following statements:

* Novell directory services was previously called Novell Active Directory

* Microsoft licensed/purchased a cut down version of Novell Directory Services and then developed it.

As far as I’m aware, Novell eDirectory has only ever been marketed as Novell NDS. He’s not the type to do windups so does anyone have any knowledge which can confirm or deny his claims?

—

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
Sent: Wednesday, August 06, 2008 8:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] History of AD…

What I heard about AD History is that Jim Allchin who was formerly an architect of the Banyan Vines OS and StreetTalk Directory Service joined Microsoft around 1990 and played a fundamental role in the Cairo project which developed, among many other things, the X500 foundation for Active Directory.

So I may assume AD might come – in a certain way from – StreetTalk as I was also said that Microsoft closely partnered with Banyan whose engineers played a fundamental role in building some AD parts.

But this is the first time I heard AD comes from NDS!!!

Gabriele

—

—–Original Message—–
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Tom Kern
Sent: Wednesday, August 06, 2008 8:30 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] History of AD…

AD history=exchange 5.5

—

This is where ~Eric looped in Don with a BCC… Great job ~Eric; I take back some of the bad things I have said about you in the past.

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Eric Fleischman
Sent: Thursday, August 07, 2008 12:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] History of AD…

Replying to the thread again as there is probably someone that can help tell the tale of how AD started…he can tell it from the perspective of someone who was there….

—

From me…

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Thursday, August 07, 2008 1:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] History of AD…

Oh that gave me a pretty good chuckle.

eDirectory if I recall was released in November 99 which was about the time Windows 2000 went RTM (I recall that being Dec 99 and RC3 was Nov 99, Beta started sometime in 1997).

Having spent hundreds of hours looking around the Windows Source code, specifically the AD Source I can say I have yet to have seen a single Novell reference for anything in any of the core areas of the DS other than maybe a mention in a comment to not futz with something because it could impact Netware.

The closest that can claim parentage over AD would be Exchange and I think even that is a bit of a stretch as from what I have heard, things were substantially changed to make it work properly as a solid generic LDAP directory service.

   joe

—

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of neil.ruston@barclayswealth.com
Sent: Thursday, August 07, 2008 9:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] History of AD…

eDir is the latest version of what was named NDS. NDS hit the streets in 1993, when Netware 4 was released.

Before that, Novell installed a SAM equivalent on each Netware server (called a Bindery), all of which were isolated from each other.

Novell may have re-badged their product when w2k/AD was shipped, but in truth, they had a fully fledged directory product years previous anyway.

I think the last place you’ll find MS ‘acquiring’ code, is from Novell J [go read the bashing both vendors performed back in 99/00 and you’ll realise there was no love lost!]

neil

—

—–Original Message—–
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Tomasz Onyszko
Sent: Thursday, August 07, 2008 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] History of AD…

Beside exchange I wonder if anything from Site Server or parts of MCIS has also influenced AD :). At the end site server delivered LDAP directory.

—

And finally Don’s response… I have to say when I saw Don Hacherl in the From Column when I looked at my AD Org folder I was like Holy Schnikey!!! I expect I wasn’t the only one who did that and judging from responses from some of the other MVPs both on and offlist I am confident that is true. Don used to post in the newsgroups back years ago. His posts were always quite awesome. I learned a lot from them.

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Don Hacherl
Sent: Thursday, August 07, 2008 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] History of AD…

Thanks for tipping me off to this thread, Eric.  I’ll see if I can clear up the pre-history.

The oldest traceable part of AD started life at 3Com in 1988 or 1989.  This was an (incomplete!) X.500-ish directory with custom communication protocols, built on top of a C-Tree database, running under 16-bit OS/2.  By 1990 3Com had abandoned its network software efforts and the directory code moved to Microsoft as part of some complicated deal.  The LanMan group planned to include the directory service in LanMan 3.0 and immediately started porting it to the JET Blue ISAM and building an RPC front end compliant with the X/Open XDS API.

At this point (in early 1991) Jim Allchin, who had recently taken over the LanMan group, cancelled LanMan 3.0 and scrapped its directory service project.  In its place he created the Cairo project, which included a completely non-X.500 like directory service that lived as part of OFS, the Cairo file system.

The email group at Microsoft picked up two pieces out of the wreckage of LanMan 3.0: the DS and an X.400 MTA.  We (this is when I became dev lead of the DS) ported the DS to Windows NT, finished the JET and XDS work, and added a MAPI RPC interface, a query engine, the KCC, a modifiable schema, the link table, and much, much more.  This version of the DSA (plus the MTA and a custom message store) shipped in Exchange 4.0 in 1996.  By this point there’s very little of the original code left, although some elderly data structures live on, at least in name.

Around late 1995 Cairo, and its attendant directory service, were cancelled.  This left the OS team with an urgent need for a DS (for Windows 2000) but no plans to build one.  To fill the hole, the week after Exchange 4.0 shipped two of us from the Exchange DS dev team made a copy of the DS sources and moved to the Windows group, where we got re-christened Active Directory, and the rest is history.

In summary:

• AD has no relation to Novell NDS/eDirectory.  Novell was a competitor (the competitor), not a licensee/licensor.
• AD has no relation to Banyan StreetTalk.  Although both Jim Allchin and one member of the AD dev team were former Banyan employees, there was no license or co-work between Microsoft and Banyan.
• AD has no relation to Cairo, except the relation that mammals have to dinosaurs.
• AD did not inherit code or functionality from Site Server or MCIS.  It did inherit their customers.
• AD is a direct descendant of the DSA in Exchange 4.0  (Note that LDAP support got added separately to the two branches of the directory in Exchange 5.something and Windows 2000.  Anything that important is clearly worth doing twice.)

Don

—

Then the followups begin…

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of AFidel@ddrc.com
Sent: Thursday, August 07, 2008 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] History of AD…

Was there code sharing between the Exchange 5.x and AD LDAP layers, or were the two efforts silo’d?
Thanks,
Andrew

—

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Don Hacherl
Sent: Thursday, August 07, 2008 12:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] History of AD…

The two LDAP efforts were mostly separate.  Exchange went first and AD followed.  As I recall we didn’t borrow any code, but we did borrow one of the developers for a month or two.  That let us benefit from their experience without code porting difficulties.  (The addition of per-attribute access controls in AD made lots of AD code diverge from the Exchange DS very rapidly.)

Don

—

Some info more on Exchange than AD, written by a bunch of Hewett-Packard guys…

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Tony Murray
Sent: Thursday, August 07, 2008 1:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] History of AD…

Yeah, not the full story perhaps, but a lot of the history is here:

http://windowsitpro.com/Common/adforceimages/Decade_of_exchange.pdf

Tony

—

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
Sent: Thursday, August 07, 2008 5:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] History of AD…

Great stuff! What a fascinating thread!

Before reading Don’s piece, I was trying to google-find some more historical details about AD, but did not find any really interesting and when compared to Don’s they appear misleading.

1) Dead-End Road to Cairo (http://business2-cnet.com.com/2009-1017-857509.html)

“October 1998: Microsoft says it will rename Windows NT 5.0 to be called Windows 2000. The operating system will include Active Directory, technology originally slated for Cairo”.

2) Banyan VINES (http://en.wikipedia.org/wiki/Banyan_VINES, as the header tells it requires improvement)

“…Banyan was sharing their technological advantages with a much larger competitor. Using that information, Microsoft soon began work on its own implementation of a directory services model to be called Active Directory and rolled out with its OS 5.0, Windows 2000. Even while hiring away James Allchin, known as the “Father of StreetTalk,” Microsoft ran into technical difficulties, particularly in world-wide synchronization of Active Directory across time zones. Not afraid to use outside expertise, Microsoft actually partnered with Banyan in one of Banyan’s last strategic and, many would argue, ultimately fatal partnerships, as Banyan sent a team of its most experienced StreetTalk engineers to Redmond to “fix Active Directory.“

3) Cairo (http://en.wikipedia.org/wiki/Cairo_(operating_system)

Although Cairo never emerged as a shipping product, its main features were shipped as parts of other Microsoft operating systems…… DCE/RPC shipped in Windows NT 3.1. X.500 shipped as part of Active Directory in Windows 2000.

Don, I think that it would be greatly valuable for the entire DS community if you gave your contribution by correcting the misleading infos at Wikipedia (e.g. clarifying the Cairo or StreetTalk supposed dependency).

Finally I think that an “AD History” piece would be a must-have among ActiveDir.org articles, what do you think Tony? 😉

Thank you very much – Gabriele.

—

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Don Hacherl
Sent: Friday, August 08, 2008 12:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] History of AD…

I fixed the Cairo page.  The Vines article really requires a major chunk to be thrown out, even to acheive Wikipedia’s “neutral point of view” standard.  I’ll see what I can do.

—

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Don Hacherl
Sent: Friday, August 08, 2008 12:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] History of AD…

I fixed the two Wikipedia articles.

The CNet article is really just the standard corporate marketing form of historical revisionism that I used to complain about but long ago learned to tune out.  I can almost hear a marketeer telling me “We always intended to include directory services in Cairo.  ‘Active Directory’ is the marketing label we put on a directory service technology as we brought it to market.  Therefore, had we brought Cairo to market it would have contained directory service technology that would have been labelled ‘Active Directory’.  The fact that the underlying technology of ‘Active Directory’ in that hypothetical Cairo universe is different than the underlying technology of ‘Active Directory’ in this universe is interesting, but fundamentally unimportant, and drawing fine distinctions like that would just muddy the message we’re trying to get through to customers.”  Then I’d roll my eyes and go back to my office, thankful that I was in development.

Don

—

 

Hope some of you find that interesting. 🙂

 

   joe

 

 

[1] I think he is mad at me still for telling him to buy a lawn mower for his house a few years ago indicating that it was fun to mow your lawn as a homeowner. For me it, for ~Eric, it has been less so. If you live in Redmond and you run into him, be sure to ask him about his lawn mowing adventures as he is happy to regale you with those stories along with the person who has caused him so much pain and misery regarding it. I have one thing to say… His wife told him to hire a lawn service… I told him to buy a lawn mower. He listened to me… He absolutely hates mowing… Is that karma or what? 🙂

More from the mailbag….

I just downloaded and tried your memberof utility, but I think I’m missing something.

What I want to do is – in the Windows logon script – determine if the logged on user is in a particular group so I can take a specific action.  The easy part has been to figure out this information, but the impossible part has been communicating that result back to the logon script in a way that it can handle.

Anyway, I saw this utility and thought it might have a way to do what I want.  So I downloaded it and ran it from the command prompt to check out what it does, and when I typed memberof and hit enter, I got a list which includes my name and all of the groups I belong to.  Then I tried memberof –group domainname\groupname to see if, by specifying the group, I could get a simple yea/nay that I’m in it or not.  I also tried the same command with a group I’m not in – and got the same results.  All I get back in every case is these two lines.

Security Principal: [GROUP] domainname\groupname

Group Memberships:

Of course, where is say “domainname” and “groupname” I specified the actual ones.  Also, I know I should be able to do this as a normal user, but I have domain admin rights and this is still what I get.

Am I just mistaken about what the tool does or am I missing some obvious syntax?  Any help is appreciated.

 

 

My response…

 

The -group and -computer switches are for if you want to specify looking at the memberof attribute of a specific group or computer, not to check for existence of that group or computer in the user’s memberof attribute.

You could pipe memberof’s output to findstr and then check that way, something like

[Thu 08/07/2008  9:33:29.70]
G:\new1\Dev\CPP\MemberOf>memberof

MemberOf V02.03.00cpp Joe Richards (joe@joeware.net) June 2006

Security Principal: [USER] TEST\$joe
Group Memberships:
  [Local Security] [Administrators] CN=Administrators,CN=Builtin,DC=test,DC=loc
  [Local Security] [DnsAdmins] CN=DnsAdmins,CN=Users,DC=test,DC=loc
  [Global Security] [Domain Admins] CN=Domain Admins,CN=Users,DC=test,DC=loc
  [Global Security] [Domain Users] CN=Domain Users,CN=Users,DC=test,DC=loc
  [Universal Security] [Enterprise Admins] CN=Enterprise Admins,CN=Users,DC=test,DC=loc
  [Universal Security] [Schema Admins] CN=Schema Admins,CN=Users,DC=test,DC=loc
  [Local Security] [Users] CN=Users,CN=Builtin,DC=test,DC=loc

[Thu 08/07/2008  9:34:21.31]
G:\new1\Dev\CPP\MemberOf>memberof |findstr /i “CN=Users,CN=Builtin,DC=test,DC=loc”

MemberOf V02.03.00cpp Joe Richards (joe@joeware.net) June 2006

  [Local Security] [Users] CN=Users,CN=Builtin,DC=test,DC=loc

[Thu 08/07/2008  9:34:30.29]
G:\new1\Dev\CPP\MemberOf>echo %errorlevel%
0

[Thu 08/07/2008  9:34:33.12]
G:\new1\Dev\CPP\MemberOf>memberof |findstr /i “CN=Users2,CN=Builtin,DC=test,DC=loc”

MemberOf V02.03.00cpp Joe Richards (joe@joeware.net) June 2006

[Thu 08/07/2008  9:34:38.90]
G:\new1\Dev\CPP\MemberOf>echo %errorlevel%
1

  joe

http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html

Another one from the mailbag…

adfind -b cn=ZZZ,ou=Users,ou=AAA,ou=XXX,ou=ad,DC=YYY,DC=com dn msexchmailboxsecuritydescriptor publicDelegates publicDelegatesBL -f “(&(objectcategory=person)(objectclass=user))” -sddc++ -resolvesids >> C:\textfile.txt

what an i missing to pull permissions off a mailbox that they user has applied on the client. Say I have an account reviewer to my contacts in my mailbox

Thanks for any help

 

This one needed a bit of a long winded answer, here is part of what I responded with…

Unfortunately for your question you are running into the crapissions that Exchange uses and calls the Exchange permissioning system. Off the top of my head there are five separate and distinct ways in which permissions are applied in Exchange. Its been a bit since I looked at these but let me regurgitate what I recall…

First off this is Exchange 2000/2003, I haven’t played with 2007 but I expect it hasn’t changed.

The first set of permissions are applied in the configuration “partition/naming context/container” on the Exchange objects at the ORG level and below on the nTSecurityDescriptor attribute. These are worked with with any AD Permissions tool. These permissions are used for Exchange for managing the config stuff but also in the case of “Send As / Receive As” are also translated to Full Mailbox permissions on the mailboxes. I.E. If you want to give someone full mailbox control over all mailboxes in a DB, SG, Server, AG, or the Org you give them “Send As / Receive As” over that level of the objects in the configuration container and they will show up as “inherited” permissions on the mailbox itself and will be reflected in the second set of permissions – the msExchMailboxSecurityDescriptor.

The second set of permissions are in the normal domain partition or at least reflected there in the msExchMailboxSecurityDescriptor attribute. This attribute is only authoritative (and can be set) for a mailbox until the mailbox has been instantiated in the store, once that occurs, this attribute *may* reflect a copy of the permissions in the store. I have seen cases where this attribute does not properly reflect what is in the store for the mailboxes. Usually though it seems right. Anything that shows as inherited is coming from the config NC as mentioned above, anything explicit was applied directly to the user. You cannot inherit permissions to this through the domain NC OU structures. You can work with these permissions via CDOEXM with info from the following link – http://support.microsoft.com/kb/310866

The third set of permissions are maintained in the normal domain partition on the nTSecurityDescriptor. This is where you would add Send As / Receive As when you want it to work actually as Send As / Receive As instead of being a full mailbox control. These can be inherited down through the OU structure. Not sure why MSFT even did this but they did. Seemed like an unnecessary complication on a system that was already too complicated. If you have Send As you can send as the person. These are worked with with any AD Permissions tool.

The fourth set of permissions are maintained in specific attributes such as the publicDelegates. This allows you to send mail on behalf of the person. You get no permissions over the mailbox folders unless specifically granted. The GUI in Outlook can really confuse people on this. This is also very special in that there is the AD component and the Store component and they are separate and can get out of sync. This was a common problem (more common than people may realize) for folks with multi-domain forests when their outlook client connected to a GC that wasn’t a DC for the domain the user was in. One side of that permission (in the store) could be set up or removed, but not the AD side. This can cause all sorts of funky issues with your public delegates. This was the reason I fought for and eventually got the change to DSACCESS to have it try to give you a GC that is a DC for the domain your user account was in.

The fifth and important to you set of permissions aren’t really permissions so much as they are MAPI properties inside the mailbox on the folders, etc that reside there. This information is NOT in any way shape or form mapped back into AD. The only way to get that info is to contact the mailbox and enumerate the folders via CDO. Take a look at
http://support.microsoft.com/kb/295558

 

Hope this helps.

   joe

This was part of a message in my inbox, it was about using OldCmp and this was one of the questions.

We want to move all the users into the appropriate OU based on the first two digits of their username. Can we move users into an OU?

Something like: -move –b ou=Carlisle, dc=domain, dc=com –af “(name=ca*)”

My response

Do you want to move any users with that prefix or do you want to do it based on their age?

If you just want to move them regardless, use adfind output piped to admod to do it… Something like

adfind -b ou=blah,dc=domain,dc=com -f “name=ca*” -dsq | admod -move ou=newparent,dc=domain,dc=com -upto xxx

where xxx is the max number you want to move at once. If you don’t know how many there are but want to move them all, you can use -unsafe instead of -upto.

Now if you do want to do it based on age as well, then you will want to use oldcmp and would look something like

oldcmp -move -users -age XX -newparent ou=newparent,dc=domain,dc=com -f “(name=ca*)”

  joe

http://www.tgdaily.com/content/view/38817/108/

Brian wrote up a great little article on the steps he took in troubleshooting a service that was crashing, I highly recommend this article.

 

http://briandesmond.com/blog/archive/2008/08/05/msdtc-exits-on-pdce-transfer.aspx

Got this question in the mailbag today, thought I would share as it is common question

I’m looking for a reference or some lead on how I can comprehensively report the date of the last time all user accounts passwords in AD were reset.  I was wondering if you could point to something out there.

My response

You can dump when accounts had their password changed, but that includes password changes as well as password resets… i.e. if someone changed a password by supplying the old password or if there was an administrative action. There is no way outside of the audit log to determine when accounts were reset only.

If you just need to know when all passwords were last changed, you can do something like

adfind -b dc=domain,dc=com -f “&(objectcategory=person)(objectclass=user)” pwdlastset -tdcs