Active Directory Cookbook Blog

Active Directory Turns 4 

I agree with a lot of Mark Minasi's observations about the need for AD to become more flexible, but I believe it has generally lived up to expectations (mine anyway). Let's keep in mind that W2K, and AD for that matter, were written from scratch. Pre-W2K, MS didn't have the best track record when it comes to v1 products. Fortunately, AD has been extremely stable and reliable. Don't get me wrong, I'm as disappointed as anyone about some of AD's inflexibility (e.g., no schema delete capability and minimal forest restructuring), but what AD provides is extremely powerful and far exceeds anything developed previously. Multi-master replication, integrated schema, group policy, integrated LDAP, Kerberos and DNS support, etc. were not available in any other directory service offering.

As far as AD being "hard" goes, I think that is largely in the eyes of the deployer. The reason why many people feel AD is hard is because it is so integrated with technologies such as LDAP, Kerberos and DNS. Administrators who could get away in the past w/o knowing DNS can't anymore. Microsoft toed the LDAP line pretty closely, so if you have experience with an LDAP directory previously, the learning curve isn't quite as steep, but if you don't, then that is something else you have to learn. Also, migrating away from something like NT4 to AD adds enormous complexity while you juggle multiple environments. Those that are building AD from the ground up w/o any legacy baggage find it much easier to deploy.

To sum up, I've been a happy AD customer (or I guess I wouldn't have written 3 books on the subject), but that doesn't mean I don't see room for improvement. I have a long list of new features or enhancements I'd like to see added, but compared to the alternatives out there, I'd take AD any day.

Solution Guide for Windows Security and Directory Services for UNIX 

I had an early look at this doc before it was released to the public. MS wrote it for both AD and UNIX admins to read, and anytime you have such a disparate audience you are bound to not cover everything both would like. But if you are looking to integrate AD with UNIX there isn't much documentation available, so this is better than what was available previously :-)

Sun to provide Microsoft ID management 

Finally Sun catches a clue and is looking to integrate their ID management system with Microsoft ID systems (such as Active Directory). I'll be interested to find out if it lives up to that promise.

NetPro Announces Change Auditing Solution for Active Directory 

NetPro announces their new ChangeAuditor product and it sounds really cool. It reportedly answers the five W's (who, what, when, why and where) of Active Directory object modification. I'm really curious how they get some of that, especially the "who". Identifying who modified an object in Active Directory has always been a challenge.

NetPro Announces Directory Experts Conference for Active Directory Europe 2004 

If you aren't able to make Directory Experts Conference Spring 2004 in Washington, D.C., you have another chance to get some of the same material at Directory Experts Conference Europe 2004. I'm speaking at the Washington, D.C. conference, but I'm not able to attend the one in Europe. NetPro has signed up a great crew of speakers for both conferences.

Eight-year-old boy passes MS Cert Test 

This is one of the reasons why I'm not a big fan of Microsoft Certifications. Now don't get me wrong, obviously the boy that passed the test is extremely bright and will probably go on to do great things, but I seriously doubt you'll find an eight-year-old boy that will pass the CCIE tests. The MS certifications are viewed by a lot of people (me included) as purely paper tests. You don't have to have a lick of operational experience, but you can still do well on the tests. I don't know if this boy has a lot of operational experience outside of his home, but my feeling is that computer certifications should require more than just book knowledge. That's why requiring labs, although more expensive, weeds out many that have memorized the test questions.

Army Begins Active Directory Rollout 

The US Army is rolling out Active Directory. That's pretty cool. I'd like to see their replication topology!

Virtual Server 2004 RTM Slips To Mid-2004  

Virtual Server or VMware? I've always been a big VMware fan, but unfortunately, Microsoft has never really supported it, especially in an Active Directory environment. I've run across issues in the past where LSASS would fail (presumably due to a VMware issue) and Microsoft wouldn't do much with it. It was a bizarre issue. Anyway, when Virtual Server comes out, I'll give it a shot.

Active Directory Performance Testing Tool (ADTest.exe) 

If you need to simulate load on your AD servers, check out ADTest.exe. It is a command-line tool that has a bunch of options and works well for basic performance testing.

Here is the syntax for the tool to give you an idea of what it can do:

C:\>adtest /?

Active Directory Performance Test
Release Version: 5.2.3790.1064 (3790)

Usage: adtest -r testname [options]

-adam Test ADAM
-apppart or -ap Adam Application Partition
-bindfrequency or -bf Bind Frequency
-bindperthread or -bt Use One Bind for each thread
-debug or -d Debug level (0-5)
-dmusers or -dm Directory Mark Users
-domain or - Domain to connect to
-encrypted or -e Enable Encryption
-fail or - fail on error
-file or -f File to read tests from
-h or -? Display command line help
-hats or - Display command line help for ATS
-interval or -i Report interval in seconds
-ldapfile or -lf Generate LDIF file
-userfile or -uf File Containing UserNames
-ldapinit or -li Use LDAP_INIT instead of LDAP_OPEN
-ldapver or -lv Set LDAP Version mode DEFAULT=3
-log or -o Filename of log file
-logerr or -oe Filename of error log file
-logrnd or -or Filename of random log file
-loop or -l Number of loops to run
-mms or - Metadirectory
-mult or -m Multiple root values
-nds or - Skip W2K domain discovery
-nobindperthread or -nobt Use One Bind for all threads
-nomult or -nom Single root for all threads
-noqb or - Skip initial Kerberos bind
-notad or - Make no assumptions about Server
-nounbind or - Skip unbind between binds
-password or - Password to bind with
-pause or -p Pause after initial setup
-port or - LDAP Port ( 389=LDAP, 3268=GC )
-quiet or -q Run in quiet mode
-quicktest or -qt Dump first thread; first action
-root or - Value for [ROOT]
-rootMin or - Smallest value for [ROOT]
-rootMax or - Largest value for [ROOT]
-run or -r Test to run
-sam or - Test SAM
-sequential or -seq Loop sequentially. Ignore ATS
-server or - Server to connect to
-set or -s Variable -set x=1:y=2 (exact case)
-showfail or -sf Dump failures to screen
-simple or -sb ldap_simple_bind
-signed or - Enable LDAP Signing
-threads or -t Number of threads to launch
-user or -u User account to bind
-verify or -v Verify level (0-5)
-noclear or -x Do not clear context

Please send bugs/comments/suggestions to adptool@microsoft.com

C:\>

myITforum.com : Book Review - Active Directory Cookbook 

Rod Trent over at myITforum.com posted a nice review of Active Directory Cookbook. Thanks for the feedback Rod! You might also be interested in Windows Server Cookbook, which should be out this summer.

New command-line tool to find inactive computer accounts in AD 

Joe does it again with a very cool command-line freeware tool called OLDCMP that helps identify old/inactive/unused computer accounts. Thanks Joe!

Here is the syntax and help info for the tool, which should give you an idea of just how powerful it is:

C:\>oldcmp /?

OldCmp V01.04.00cpp Joe Richards (joe@joeware.net) January 2004

Usage:
OldCmp [switches]

Switches: (designated by - or /)

-report Write report of objects
-disable Disable objects
-delete Delete objects
Delete will only work on disabled objects.
-stamp When used with delete w/ expire account as well
The idea being you can see the date it was done then.
-safety x How many objects to modify. (Default 10)
With this set, stops updating after x mods.
I did this because it is very easy to hurt yourself.
-unsafe Update ALL of the objects identified.
-forreal REALLY MAKE THE MODS, this is the final safety.

-h host Host to use. (Default is to autofind DC)
-s scope Scope of search. OneLevel, Subtree. (Default Subtree)
-b basedn RFC 1779 DN to start search at (Default domain root)
-f filter RFC 2254 LDAP filter (Default is confusing :)
-af addon RFC 2254 LDAP filter to add to builtin filter
-t xxx Timeout value in seconds. (Default 300 seconds)
-bit Bitwise operator filter conversion enable
:AND:= converts to :1.2.840.113556.1.4.803:=
:OR:= converts to :1.2.840.113556.1.4.804:=
-ps size Page size. (Default 100)
-nodc Exclude DCs from queries
-norefer No LDAP referrals

-onlydisabled Only disabled accounts (Default All)
-age x Min Days Old. (Default 90 days)
-maxage x Max Days Old. (Default Infinity)

-format x Report Format (Default HTML)
CSV - Delimited Text
HTML - Standard HTML
DHTML - Dynamic HTML (IE Only)
-sh Will autodisplay HTM/HTML/TXT files after run
-file x File to write to. (Default oldcmp-.htm
-append Append to file instead of overwrite
-delim x Delimiter for CSV. (Default ;)
Specify TAB for \t (tab character)
-nolc Do not normalize machine names to lc - RAW Case
-nohtmlheader Don't insert base HTML (title, body...)
-sort x Sort by various fields. (Default Password Age)
cn = name
pwage = password age
age = object age
OS = operating system version
Ex1:
oldcmp
Display this help

Ex2a:
oldcmp -report
Generate html report of all cmpaccs > 90 days old
Ex2a:
oldcmp -report -format dhtml -sh
Generate dhtml report of all cmpaccs > 90 days old
Open the report after generating it
Ex2c:
oldcmp -report -format csv
Generate csv report of all cmpaccs > 90 days old

Ex3a:
oldcmp -report -age 0
Generate html report of all cmpaccs
Ex3b:
oldcmp -report -age 0 -format csv -delim tab
Generate csv (tab delimited) report of all cmpaccs

Ex4:
oldcmp -report -age 0 -onlydisabled
Generate html report of all disabled cmpaccs

Ex5:
oldcmp -report -age 0 -onlydisabled -sort cn
Generate html report of all disabled cmpaccs, sort on name

Ex6:
oldcmp -delete -age 0 -onlydisabled
Generate html report of all disabled cmpaccs, sort on pwage
Will show you what it would try to delete. Only up to 10.

Ex7:
oldcmp -delete -age 0 -onlydisabled -safety 100
Generate html report of all disabled cmpaccs, sort on pwage
Will show you what it would try to delete. Only up to 100.

Ex8:
oldcmp -delete -age 0 -onlydisabled -unsafe
Generate html report of all disabled cmpaccs, sort on pwage
Will show you what it would try to delete. All cmpaccs.

Ex9:
oldcmp -delete -age 0 -onlydisabled -unsafe -forreal
Generate html report of all disabled cmpaccs, sort on pwage
Will REALLY DELETE all accounts identified.

Ex10:
oldcmp -disable -unsafe -forreal
Generate html report of all cmpaccs > 90 days, sort on pwage
Will REALLY DISABLE all accounts identified.

Ex11:
oldcmp -report -sort OS -age 0 -maxage 60
Generate html report of all cmpaccs still valid, sort on OS

Ex12:
oldcmp -report -af "(operatingsystem=Windows XP Professional)" -onlydisabled
-age 0
Generate html report of all disabled Windows XP machines

Ex13:
oldcmp -report -b ou=mycmps,dc=domain,dc=com
Generate html report of cmpaccs >90 days in specified OU

Note: This tool is VERY POWERFUL and could be VERY DANGEROUS!
I put a lot of safety locks in it ON PURPOSE!!!

This thing can be used for quite a bit of different computer
auditing if you know what you are doing.

Thanks to many of the members of the activedir.org listserv. Lots
of good feedback came in from them when they betatested this tool
for me. Special thanks to Ryan Durant and Bob Free for helping me
with the DHTML option. It wouldn't have made it this soon without
that needed assistance. Thanks everyone!

This software is Freeware. Use it as you wish at your own risk.
If you have improvement ideas, bugs, or just wish to say Hi, I
receive email 24x7 and read it in a semi-regular timeframe.
You can usually find me at joe@joeware.net
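As an added example (not part of the original post and not oldcmp's own code), the Python below models the selection rules the help text describes: it builds the server-side LDAP filter for stale computer accounts, including the :AND:= to 1.2.840.113556.1.4.803 rewrite that the -bit switch performs, applies the same age/disabled/DC criteria to a few constructed sample entries, and honours the -safety/-unsafe cap. It assumes the standard AD pwdLastSet (FILETIME) and userAccountControl flag semantics, and it never modifies anything; the list it returns is what you would review before deciding on -report, -disable or -delete.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # pwdLastSet is a FILETIME
BIT_AND_OID = "1.2.840.113556.1.4.803"  # what -bit expands :AND:= into
BIT_OR_OID = "1.2.840.113556.1.4.804"   # ... and :OR:=
UF_ACCOUNTDISABLE = 0x0002              # userAccountControl: account disabled
UF_SERVER_TRUST_ACCOUNT = 0x2000        # userAccountControl: domain controller

def to_filetime(dt):
    """UTC datetime -> 100-ns ticks since 1601-01-01, the format AD stores."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def expand_bit_rules(ldap_filter):
    """Rewrite oldcmp's :AND:= / :OR:= shorthand into the AD matching-rule OIDs."""
    return (ldap_filter.replace(":AND:=", f":{BIT_AND_OID}:=")
                       .replace(":OR:=", f":{BIT_OR_OID}:="))

def build_filter(now, age_days=90, only_disabled=False, no_dc=False, addon=""):
    """Server-side filter equivalent to -age / -onlydisabled / -nodc / -af."""
    cutoff = to_filetime(now - timedelta(days=age_days))
    parts = ["(objectCategory=computer)", f"(pwdLastSet<={cutoff})"]
    if only_disabled:
        parts.append(f"(userAccountControl:AND:={UF_ACCOUNTDISABLE})")
    if no_dc:
        parts.append(f"(!(userAccountControl:AND:={UF_SERVER_TRUST_ACCOUNT}))")
    return expand_bit_rules("(&" + "".join(parts) + addon + ")")

def select_candidates(entries, now, age_days=90, only_disabled=False,
                      no_dc=False, safety=10, unsafe=False):
    """Same rules applied client-side, honouring the -safety / -unsafe cap."""
    cutoff = to_filetime(now - timedelta(days=age_days))
    hits = []
    for e in entries:
        uac = e["userAccountControl"]
        stale = e["pwdLastSet"] <= cutoff
        disabled_ok = not only_disabled or bool(uac & UF_ACCOUNTDISABLE)
        dc_ok = not no_dc or not uac & UF_SERVER_TRUST_ACCOUNT
        if stale and disabled_ok and dc_ok:
            hits.append(e["cn"].lower())  # oldcmp lower-cases names by default
    return hits if unsafe else hits[:safety]

# Constructed sample entries (not real data); ages are days before NOW.
NOW = datetime(2004, 3, 1, tzinfo=timezone.utc)
def _entry(cn, days, uac):
    return {"cn": cn, "pwdLastSet": to_filetime(NOW - timedelta(days=days)),
            "userAccountControl": uac}
SAMPLE = [_entry("WS-OLD1", 200, 0x1000), _entry("WS-OLD2", 120, 0x1002),
          _entry("WS-NEW", 5, 0x1000), _entry("DC1", 400, 0x2000)]
```

The filter string from build_filter can be pasted into any LDAP query tool; the client-side pass exists only so the rules can be checked offline against known data.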
