The Bit Bucket

Thursday, August 21, 2008

AD Find

AD Find is the second of the two tools I managed to find in the same week. This little tool weighs in at just 700K for the download and about 2MB for the actual file. This tool does exactly what it says: it finds things in Active Directory. The clever part about it is that it's possible to say exactly what you want to get back and the format it should be in.
As an example, a few weeks back I had the issue with Bindview not liking non-ASCII characters.

Now, the version of Bindview that's being used where I work is a very old NT4 only aware application which means it will update the SAMAccountName attribute but not the display name.

This isn't a problem as there is a workflow from an HR application which deals with all of that; all Bindview should be doing is delegated group permissions (and yes, I know it's much easier in AD but that's a war story for another time).

Anyway, I was curious to know how many SAMAccountNames didn't match up with display names so I used ADFind to display the CN, SAMAccountName, mail, firstname and lastname fields in a CSV format which could then be processed by a filter in Excel. Much quicker than messing around with the native Active Directory tools.


AD Explorer from Sysinternals

Sometimes it's possible to stumble upon a tool and wonder just how you would have gotten a task accomplished without it. Last week I had the good fortune to stumble upon two such applications right at the time when I needed them most. I did consider buying a lottery ticket that evening!

The first one is AD Explorer and it's from Sysinternals and it's exactly what it says, an explorer tool for Active Directory. It allows viewing, searching and editing of the AD in ways that are far superior to Active Directory Users and Computers. I suspect the only things that AD Users and Computers can do (or do better) that this tool cannot are password changes, logon hour restrictions and limiting logon IDs to specific computers.

One very nice feature this tool has is the ability to take a snapshot of an Active Directory and compare it to another snapshot. Doing this shows just how many changes occur in the AD in just a few days. It's also a great way to see how many differences accumulate between your production and test active directory environments.

Overall this is a fantastic tool and one I'll be using when the MS technotes require delving into some obscure key via ADSIEdit. I'll also be using it in place of tools like Softerra's LDAP browser unless I need to do something LDAP specific.


Sunday, July 13, 2008

Legacy Systems and a very handy SQL comparison Tool

On Friday, I had the "pleasure" of having to get a legacy system up and running.
This system was originally introduced to allow users in the business to manage group membership for projects they had ownership of. The idea was that it would cut down user calls to the service desk by about 10% and allow the project managers themselves to get a speedier turn around for new starters.
Sounds fine in theory and in the world of NT4 it wasn't a problem. Move on to the world of Active Directory and things are a little different. The legacy system (Bindview v4.6) has been superseded about 5 times over but we can't just install the latest version. Trust me on this, the latest version is fine but there are many design decisions and compromises as well as several rejections for upgrading the system from a few years back that have all combined to lead to the current problem.

The actual problem was an interesting one. The system was complaining whenever anyone tried to edit a group. A restore of the back end SQL database fixed the problem until the next domain sync occurred when the database would corrupt itself again.

Obviously, the sync was pulling something from the domain that it didn't like.
For the first attempt at a fix I fired up SQL Trace which records every single SQL statement that goes to a selected database. The neat thing about Trace is that it's possible to point the trace results to a SQL database itself and then filter it to get rid of stuff you know isn't going to help - such as SQL agent tasks and so on.
Trace left me with a multi-variable SQL script spanning over 4,000 lines and quite difficult to read or even test so I decided that the next best thing was to restore the working database to a new database name and then find a tool to compare every object on the Bindview user table to see what was different between the restore and the one that synced with the domain and promptly broke.

AdeptSQL was the third tool I tried and whilst it has a very simplistic point and click interface it's incredibly powerful for comparing two SQL databases. Once the comparison is done you get two side-by-side windows which represent the two databases. Changes are highlighted by colour - Red for deletions, Blue for new and black for no changes.
This left me with a 2,000 list of changes, deletions and amendments in the database.
AdeptSQL also lets you filter things out and by using these features I eventually tracked the problem down to the description field of two user accounts.
These accounts had spurious characters in them which Bindview, being rather old and totally ASCII, promptly fell over on. Removing these and waiting for a resync solved the problem.

Whilst AdeptSQL helped me solve that particular problem there is still the problem of this legacy system updating Active Directory whilst not being active directory aware which leads to some other fun and games with the display name versus the SAMAccount name but more on that in a later article.


Thursday, October 25, 2007

Centralised Logging

One of the essential features for even a small network is a centralised logging solution.
Having a centralised logging tool makes for much easier troubleshooting as it becomes possible to review logs and search for related events or even search for the same event on separate machines. Traditionally this has required quite expensive software such as HP OpenView in order to implement but a fairly new company might be about to put an end to that.

Enter Splunk, The 'Google of IT data'. This application will happily collect all sorts of different logs once configured and the configuration is not too difficult.

Splunk needs to be installed onto a Linux, Mac or Solaris environment although a Windows version is promised soon. As a workaround Splunk recommend that SNARE is installed on Windows servers. This software will convert event logs into syslog format and send them to a named server.

Putting Splunk in the center of your logging infrastructure as a syslog server, pointing all your syslog capable devices at it and then using SNARE to roll up event logs as syslogs which also get sent to Splunk is very easy to do. Within a few hours you have a surprising amount of data available to be searched by Splunk.

And the price for all this information?

SNARE is free, Splunk is free if the amount of data you send to the Splunk server is less than 500MB a day although some of the features are limited.

I will admit to being a fan of Splunk after playing with it in VMware. Over the next few weeks I'm going to describe how to configure a simple Splunk installation for Linux, Windows, NetApp filers and Cisco switches.


Tuesday, May 29, 2007

The power of the human mind........ to fail.

The human brain is an amazing computer. It can store almost infinite quantities of data, it has near instant recollection to enable you to recognise people, places and perform the essential day to day activities of breathing.

So why does it let us down in the middle of a crisis when you need to have that vital bit of information or when you remember seeing a tech note on the very problem you are fixing but can't recall the technical note's reference number?

The answer is simply to do with the way the human mind has evolved. Our technological prowess has evolved quicker than the brain's ability to deal with this new landscape. When we, as a species, were huddled in caves a crisis required the 'fight or flight' response and today when you have a crisis in the office that same reaction kicks in and all of a sudden you have trouble recalling technical details yet when the crisis passes you will be doing something else when the brain, still working on the problem in the background, will kick in.
The military actually have special training programmes to allow test pilots and others under extreme pressure to continue to think rationally. It is a very special SKILL.

So, why do we all have problems saying 'I don't know' and recording those oh so useful technical notes when we have the chance?

In the IS industry there seems to be a huge amount of pride in relying on one's memory to get people through a bad day. Checklists and procedures only seem to come into force for the day to day working practices - I have yet to see a company have an emergency procedures checklist.


Thursday, May 10, 2007

3,000 test users

Do you ever have need of a few hundred to a few thousand random names to populate your Active Directory in order to test something?

This is the requirement I had a few weeks back so I dug out about 3,000 random names from the 1901 census and threw them into a csv file that can be read by the addusers tool.

My names.csv file can be downloaded by clicking on the blog article link or by clicking here.

To get the users into Active Directory, copy both addusers.exe and names.csv to the root of your C: drive and then type in:

addusers /c c:\names.csv

addusers /? will give you a list of other options where you can set parameters for passwords and the like.


Wednesday, May 02, 2007

Tiddly Wikis

For a couple of projects I'm working on it's nice to have a 'scratchpad' type area where information can be quickly written and accessed. A wiki is perfect for this type of information because it can be easily uploaded and modified by people working on the project WITHOUT a need to purchase a horrendously expensive server and a copy of Groove or SharePoint.

GTDTiddly Wiki has some very nice features - It doesn't need to be installed as it's just an index.html file. Java is needed to add in the functionality but beyond that there is no server side configuration needed. I've not yet unleashed any of the three wikis I have created on a server.

GTDTiddly Wiki is a nice little applet. With the right configuration I don't see why it couldn't be used on a server and as such you can use it for all sorts of quick and dirty project/note keeping websites and these sites can be developed in next to no time.


Tuesday, March 13, 2007

Free Document Management System

One of the things that IT departments seem to be very good at is producing documentation, diagrams, PDFs and other assorted paperwork. Some of the material produced is actually very good but trying to keep track of it on today's huge sized hard drives is something of a challenge. What is needed is a good document management system.

One of the first document management systems I ever used was called soft solutions and it was by Novell. It integrated very easily into WordPerfect and made finding documents a very simple task. Since then I've been after something similar for personal usage. I have thousands of PDFs on various things along with thousands of documents and it's getting to the point where I'm bored of recreating the same document!

Microsoft and IBM both currently offer products to fit this market, Microsoft offer Sharepoint Portal Server and IBM has Document Manager. Both products will do the job but both are quite 'weighty' in terms of pre-requisites which is no surprise as both are designed to be used by enterprise sized companies.
What I was after was something lightweight. After some searching I found Knowledge Tree which comes in both a commercial and open source version. The open source copy is free for use.

In a future blog entry I will go through the process of setting up Knowledge Tree and importing documents.


Thursday, March 08, 2007

Migration of DHCP database

On my home 'production' network I have a single Active Directory server that runs DNS and DHCP. Whilst not fault tolerant it does the job and for a network that can afford the downtime should the domain controller die it's a workable solution.

Recently, this server has been running incredibly slowly. It's actually taking 8 minutes to boot.
As this server has been giving sterling service for a couple of years I decided it was probably time to replace the server with something a little faster and a lot cleaner.

Building the replacement domain controller was simple enough: an autobuild of Windows 2000 server then DCPROMO it to be a domain controller.
The FSMO roles transferred over with no problems, as did the DNS.

DHCP proved to be slightly more problematic.

All DHCP records are held in a database file under %systemroot%\system32\dhcp - Copying this database to the new server didn't work so it was time to hit Technet's knowledge base.

http://support.microsoft.com/?id=325473


The knowledge base pointed me in the direction of a tool called DHCPEXIM which despite the clunky interface is actually very easy to use. Just highlight the scope(s) you want to migrate and click on Export.

On your new DHCP server run DHCPEXIM, select import and point it to the file you just exported. It will display a list of the scopes it knows about and bring them all into your DHCP server.

Note that your DHCP server can already have scopes configured but if you try to import a scope and that scope already exists on your server then the import will fail.

This was tested out on Windows 2000 server to Windows 2000 server but the docs say it should work on NT4 and Windows 2003 as well.


Tuesday, January 30, 2007

Password Management Software

Passwords are a real (but necessary) pain in the neck. These days it seems that every site requires registration and if you are being good by being secure with different passwords at each site then it will very quickly become unworkable. What is needed is a good tool to manage all the passwords.

Like all software, there are many commercial password management systems out there but when I was looking for a password management tool I was looking for something simple, secure and free. What I found was Oubliette which fits the criteria perfectly. Unfortunately, the software is no longer under active development but the last released version has worked for me with no obvious issues or flaws. The only change I am in the process of making to the software is to convert the installation to MSI so that I can deploy the software via a GPO.


Friday, December 15, 2006

Working with TCP/IP Networks

In my previous blog article I gave a couple of troubleshooting tips on DHCP. I also mentioned that I would show a trick for working out TCP/IP subnets.

There are MANY subnet calculators out there and they are very useful for planning and designing a TCP/IP infrastructure but sometimes you may just want to know how to work out if two machines are on the same subnet.

Take the following IP Address and subnet mask:

172.17.1.15
255.255.0.0

From the above example it's nice and easy to see that the network the IP address lives on is 172.17.0.0 - The dividing line between network and host is obvious and clean.

Now try the same with the following:

172.17.14.12
255.255.252.0

Which network does the IP reside on?
The answer is 172.17.12.0

This can be worked out nice and simply by launching calc in scientific mode and performing an AND operation between the IP address and the subnet mask in the octet where the subnet mask is neither 255 nor 0. Here that is the third octet: 14 AND 252 = 12.

Take these three examples:

172.17.30.99/20
172.17.31.221/20
172.17.32.1/20

What's the subnet mask?
255.255.SOMETHING.0

As each 255 uses 8 bits of the subnet mask, the /20 covers 255.255 (16 bits) and leaves 4 bits for the SOMETHING octet. 11110000 equals 128+64+32+16 which is 240 so the subnet mask is:
255.255.240.0

Now perform the AND function on the 240 octet and you get:
30 AND 240 = 16
31 AND 240 = 16
32 AND 240 = 32

These show that the first two IP addresses are on the 172.17.16.0 network and that the last one is on the 172.17.32.0 network. The last IP address will need a gateway in order to talk back to the first two.

This tip is really meant for the sort of situations where you have problems with two machines talking to each other. It's a 'sanity check' that lets you see if both machines are on the same or different VLANs.
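
The AND check described above, as an added Python example (not code from the original post): it applies the mask octet by octet, accepts either a /prefix or a dotted mask, rejects non-contiguous masks, and groups hosts by network. The function names are illustrative, and the sample hosts are the addresses used in the post.

```python
# Added example; function names are illustrative, not from the post.
def parse_quad(text):
    """Dotted quad -> list of four ints, rejecting malformed input."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"not a dotted quad: {text!r}")
    return [int(p) for p in parts]

def mask_octets(mask):
    """Accept a prefix length ('20') or a dotted mask ('255.255.240.0')."""
    if "." in mask:
        octets = parse_quad(mask)
        inv = int.from_bytes(bytes(octets), "big") ^ 0xFFFFFFFF
        # A valid mask is 1s then 0s, so its inverse is 0s then 1s and
        # shares no bits with (inverse + 1).
        if inv & (inv + 1):
            raise ValueError(f"non-contiguous mask: {mask!r}")
        return octets
    prefix = int(mask)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {mask!r}")
    bits = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return list(bits.to_bytes(4, "big"))

def network_of(host, mask=None):
    """Return (network, mask) as dotted strings; host may be 'a.b.c.d/len'."""
    if mask is None:
        host, _, mask = host.partition("/")
    m = mask_octets(mask)
    net = [h & k for h, k in zip(parse_quad(host), m)]  # the calc AND step
    return ".".join(map(str, net)), ".".join(map(str, m))

def group_by_network(hosts):
    """Map each (network, mask) pair to the hosts that live on it."""
    groups = {}
    for h in hosts:
        groups.setdefault(network_of(h), []).append(h)
    return groups

def same_subnet(a, b):
    """True only when both the network and the mask match."""
    return network_of(a) == network_of(b)

# Constructed sample: the three /20 hosts used in the post.
HOSTS = ["172.17.30.99/20", "172.17.31.221/20", "172.17.32.1/20"]

if __name__ == "__main__":
    for (net, mask), members in group_by_network(HOSTS).items():
        print(f"{net} mask {mask}: {', '.join(members)}")
```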

If you want something that can give you a whole lot more then you can download a really nice free subnet calculator from SolarWinds.
