Technical posts about IT

Monthly archives for December, 2011

Powershell Script: Active Directory Database Integrity Check

Dec26
2011 1 Comment Written by Sean Metcalf

Here’s a quick Powershell script that will check your AD database (on Windows Server 2008 R2) for any errors and attempt to fix (some of) them. Running this before creating an IFM media set is highly recommended since it will identify AD database errors.

1
2
3
4
5
6
Write-Output "Checking the NTDS database for errors (semantic database analysis)  `r "
Stop-Service ntds -force
$NTDSdbChecker = ntdsutil "activate instance ntds"  "verbose on"  "semantic database analysis" "Go" q q
Start-Service ntds
Write-Output "Results of Active Directory database integrity check: `r "
$NTDSdbChecker

If you want the script to check the AD database and attempt to fix them, run this:

1
$NTDSdbChecker = ntdsutil "activate instance ntds" "verbose on" "semantic database analysis" "Go Fixup" q q

Note that replacing “Go” with “Go Fixup” runs the semantic check and will attempt to fix any errors.
Also, you can remove the “verbose on” part – I like to see what is happening.

Unlike the file management commands …, which test the integrity of the database with respect to the ESENT database semantics, the semantic analysis analyzes the data with respect to Active Directory semantics. It generates reports on the number of records present, including deleted and phantom records.

References:

Google+FacebookEmailPrintShare
Posted in Favorite, Microsoft Products, Powershell Code, Tech, Troubleshooting - Tagged , , , , , , ,

Microsoft Windows Communication Protocols

Dec21
2011 Leave a Comment Written by Sean Metcalf

About 4 years ago, Microsoft released information on core Windows protocols (among other info) on the web with no strings attached.

http://msdn.microsoft.com/en-us/library/cc216513.aspx

Google+FacebookEmailPrintShare
Posted in Deployment, Microsoft Products, Tech, Technical Reference

Microsoft Active Directory Design Guidance (IPDs)

Dec18
2011 Leave a Comment Written by Sean Metcalf

Not many people know that Microsoft provides a wealth of information useful for designing Active Directory structures. The so called Infrastructure Planning and Design (IPD) series is freely available on TechNet.

Here are a few of the Microsoft Products with IPDs:

Or, if you are feeling bold, download ALL of the IPDs!

The best thing about the IPD docs is the numbers used to determine how many servers to deploy.

For example, here is some extremely useful information for determining Active Directory Domain Controller numbers (from the AD IPD v2.1):

Task 1: Determine Number of Domain Controllers

For each domain in each location identified in Step B1, the minimum number of domain controllers required needs to be identified. The table below describes the minimum number of domain controllers required, based on number of users.

Table 4. Minimum Number of Domain Controllers

User per domain in a site Minimum number of domain controllers required per domain in a site
1–499 One – Single Processor
500–999 One – Dual Processors/Cores
1,000–2,999 Two – Dual Processors/Cores
3,000–10,000 Two – Quad Processors/Cores

For workloads greater than 10,000 users in a site, additional testing should be performed with user workloads to determine the need for additional hardware. Previous guidance stated an extra quad processor system for every additional 5,000 users. However, for authentication-only workloads, this will be overkill for most environments.

If only one domain controller per location exists, consideration should be made for the need to span the WAN to communicate with a domain controller for authentication and access to resources in the event of failure of the local domain controller.

All domain controllers within a domain must be fully aware of all information related to the domain. This is handled by replication of the AD DS database between domain controllers. This replication occurs within AD DS sites and across site boundaries. If the number of replication partners in a given site reaches 15 or more, an additional domain controller should be added to the site. Another domain controller should be added for each additional 15 replication partners.

Review all applications that rely on AD DS data. Some applications, such as Exchange Server, require additional domain controllers in order to function correctly. Evaluate the need for additional domain controllers based on the expected loads and requirements of the applications.

The IPD documents are valuable to the person tasked with design work.

Google+FacebookEmailPrintShare
Posted in Deployment, Favorite, Microsoft Products, Tech, Technical Reference - Tagged , , , , , , , , , , , , , , , , ,

Reference: DCDIAG – What it does

Dec11
2011 Leave a Comment Written by Sean Metcalf

Sure you have run DCDIAG before, but do you know what it actually does?

Here’s the DCDIAG syntax:

dcdiag /test:DNS [/DnsBasic | /DnsForwarders | /DnsDelegation |
 /DnsDynamicUpdate | /DnsRecordRegistration | /DnsResolveExtName [/DnsInternetName:<InternetName>] | 
/DnsAll] [/f:<LogFile>] [/x:<XMLLog.xml>] [/xsl:<XSLFile.xsl> or <XSLTFile.xslt>] [/s:<DomainController>] [/e] [/v]

I usually run DCDIAG with the following switches to check the health of a DC:

DCDIAG /c /v /f:c:\DCDIAG.Log

  • /v: Provides verbose logging displaying additional information on what is being tested and the result.
  • /c: Performs a comprehensive suite of tests.
  • /a: Test all DCs in the site. This is useful if your local Exchange team thinks something is going on with the DCs since Exchange is acting up.
  • /e: Tests ALL the DCs in the enterprise. Use with caution.

Here’s an excellent in-depth post on DCDIAG and what happens behind the scenes when running it:

Google+FacebookEmailPrintShare
Posted in Microsoft Products, Tech, Technical Reference, Troubleshooting - Tagged , , , , ,

How the Active Directory Installation Wizard Works

Dec07
2011 Leave a Comment Written by Sean Metcalf

I was looking for a reference like this before when posting the information on using PowerShell to dynamically create a DCPROMO answer file.

Here’s a technical explanation on How the Active Directory Installation Wizard Works.

Here are my posts involving DCPromo:

Google+FacebookEmailPrintShare
Posted in Deployment, Microsoft Products, Tech, Technical Reference - Tagged , , , ,

Posting Frequency Update

Dec03
2011 Leave a Comment Written by Sean Metcalf

Due to an increased workload and upcoming certification prep, I will only be posting about once a week instead of my stretch of daily posts.

Google+FacebookEmailPrintShare
Posted in Non-Tech

Tracking (Active Directory) Updates, Some of the Finer Points of AD Replication

Dec02
2011 Leave a Comment Written by Sean Metcalf

while digging deep into how Active Directory actually works, I discovered another great article on TechNet called Tracking Updates. It goes into great detail about how AD handles updates (including collisions) and replicates them.

Some of the key points in the article:

  • Every Domain Controller keeps its own incrementing update counter called Update Sequence Numbers (USN) that never goes backward.
  • The DC’s local USN increments with every local change to AD whether the change originated on that DC or was replicated to the DC.
  • Replicated objects replicate the originating DC’s USN of the changed object and receive the next USN from the local DC that received the change.
  • Repadmin provides insight into this information.
  • repadmin /showmeta < object_DN > displays the Local USN of a specific object.
  • repadmin /showmeta displays the originating USN.
  • The USNchanged attribute of an object holds the highest local USN of all attributes of that object.
  • “The high-watermark is a value that the destination domain controller maintains to keep track of the most recent change that it has received from a specific source domain controller for an object in a specific directory partition. The source domain controller uses this value to filter the objects that it considers for replication to the destination.”
  • repadmin /showreps /verbose displays the high-watermark - Look for lines that begin with “USNs:”. The high-watermark USN is the number that is followed by “/OU”.
  • “The up-to-dateness vector is a value that the destination domain controller maintains for tracking the originating updates that are received from all source domain controllers. The source domain controller uses this value to reduce the set of attributes that it sends to the destination domain controller.”
  • repadmin /showutpvec will display up-to-dateness vector information (at least on Windows 2008 R2).
  • When an object in Active Directory is deleted, most of the attributes are zeroed out (set to NULL), the boject is marked as a “tombstone”, the IsDeleted attribute is set to True, and the object is moved to the Deleted Objects OU. There are some attributes which retain their values. These include: objectGuid , objectSid , distinguishedName , nTSecurityDescriptor , and usnChanged (and sIDHistory on Windows 2003 SP1 DCs). This object will replicate as a deleted object in AD until after the Tombstone Lifetime is reached (60 days by default in most Windows 2000 & 2003 AD environments and 180 days in new Windows 2003 SP1/2008/2008R2 AD environments – as in the first DC installed is 2003 SP1 or newer).
  • When a tombstone object reaches the Tombstone Lifetime in AD, each DC’s Garbage Collection process (which runs every 12 hours by default) removes the tombstones older than the Tombstone Lifetime from its local AD database.
  • and much more…
Google+FacebookEmailPrintShare
Posted in Deployment, Favorite, Microsoft Products, Tech, Technical Reference - Tagged , , , , , , , ,

Vendors & Active Directory Integration

Dec01
2011 Leave a Comment Written by Sean Metcalf

I recently had a conversation with a gentleman who was deploying a software product from a company that typically makes hardware appliance type devices based on Linux (or similar) I won’t mention the vendor (begins with B and rhymes with Arcade) to protect the clueless. The conversation involved a request to increase the MaxPageSize size in the LDAP properties on a Domain Controller. This was to enable AD-integration so the Broc- I mean vendor’s software could gather a list of groups to display so the user can select one to be used as an admin group on the device. So, the *Nix-based device would use AD for authentication of its administrators. In order for this to be done, the uer has to select a group from a drop-down list; however, only 1,000 groups could be displayed due to, get this, a “limitation in Active Directory” (hint: there are more than 1,000 groups). I was pretty shocked since AD has been around for over 10 years now and the rest of the world doesn’t seem to have run into this “limitation” before when working with AD. Being the good consultant, I did some research before making a recommendation.

The background: Active Directory is an LDAP v3 compliant directory and as such supports the LDAP spec as defined in the relevant RFCs. One RFC, in particular, jumped out at me: RFC 2696 – LDAP Simple Paged Result Control (1999). This RFC defines how a server can page the results of a client search request. Active Directory and by extension, Domain Controllers, have a default page size of 1,000 objects. This means if you use an LDAP compliant client and request a list of all users, even if the results are greater than 1,000,  you will receive a list of 1,000. Assuming you are using an LDAP client that supports paging, the client will request page 2 after receiving the first 1,000, and then the next page, until the server lets the client know that all of the results were provided. Note the date on the RFC: 1999. That means it has been 12 years since the paging spec was an RFC and likely integrated into any LDAP directory soon after (certainly when AD was released in 2000 it had it).

Microsoft’s MSDN Library has an article on Paged Result Control and how Windows handles it. here’s an excerpt on the details:

The interaction between client and server is as follows.

The client sends the server a search request with the Simple Paged Results control with an empty previous Enumeration Key, also known as a cookie, and the initial page size. The server then returns the number of entries specified by the page size and also returns a cookie used on the next client request to get the next page of results. The client then issues a search with the cookie included (optionally resetting the page size) and the server then responds with up to that number of entries.

Paged results are indicated as a control on the ldap_search_ext function call. Use ldap_create_page_control to construct this control, and then call ldap_search_ext to add the control. This control structure must then be added to the list of server controls in the ldap_search_ext call. When the server returns the first page of results, it includes the resume cookie in the controls field of the SearchResultDone message. The client must then extract the cookie from the search result by retrieving the server controls by using ldap_parse_result and parsing the control with ldap_parse_page_control. The client then uses the cookie in the next call to LDAP_create_page_control to retrieve the next page of results.

So, Microsoft is following the LDAP spec which has a feature introduced in 1999 and in 2011 Broc- a vendor has a software product that doesn’t support the Search Paging feature and blames AD calling it a “limitation”. That’s pretty bad. Furthermore, requesting that AD be modified (technically this modification can be performed on a single DC  with ntdsutil to modify the MaxPageSize value in the LDAP Policy on that server following KB315071), instead of coding the software to leverage a 12 year old feature is even worse!

The crazy thing is that the software populates a drop-down list of groups in AD (remember 1,000 by default). This particular environment has THOUSANDS of groups. how long would it take to scroll through 15,000 groups (or more)…

KB315071 describes the setting:

MaxPageSize – This value controls the maximum number of objects that are returned in a single search result, independent of how large each returned object is. To perform a search where the result might exceed this number of objects, the client must specify the paged search control. This is to group the returned results in groups that are no larger than the MaxPageSize value. To summarize, MaxPageSize controls the number of objects that are returned in a single search result.

Default value: 1,000

The reason why the MaxPageSize is set to 1,000 is to limit the impact of queries on DCs that exceed 1,000 returned objects (happens often in a large enterprise). This is also why modifying this value is not a good idea. If your vendor wants you to modify this value to make it huge, (I’m looking at you IBM, 100,000… Really?) Just say no and request that they support the 1999 feature in the LDAP spec, Paged Result Control, in their LDAP client piece. Even better, don’t support result paging, just provide the ability to scope the query to a specific OU via the Disttinguished Name or how about this? Allow the user to type in the group name and query AD for that. Don’t give us a drop-down list of 15,000 groups!

Of course, if you are feeling nice, you could configure a DC (or RODC) in its own site with a different LDAP policy to support these large queries. Nothing like modifying infrastructure to support a single vendor when everyone else seems to be able to get it right. So, if you are a vendor with a product and you want to Active Directory integrate it, please do the integration the right way and make it enterprise ready. Especially if you are a vendor that is typically in large environments. And please, please, please don’t ask us to make a schema modification to make up for software inadequacies. That’s not the way to manage an enterprise AD structure.

Supposedly, the next version of the vendor’s software resolves this issue…

 

Google+FacebookEmailPrintShare
Posted in Deployment, Microsoft Products, Tech, Technical Reference, Troubleshooting - Tagged , , , , , , , ,
Content Disclaimer: This blog and its contents are provided "AS IS" with no warranties, and they confer no rights. Script samples are provided for informational purposes only and no guarantee is provided as to functionality or suitability. The views shared on this blog do not represent the views of Metcorp Consulting, LLC or its partners. Content Ownership: All content posted here is intellectual work and under the current law, the poster owns the copyright of the article. Terms of Use Copyright © 2011 - 2012