Friday Mail Sack: I Have No Idea What to Call This Edition


Hiya folks, Ned here with a slightly late Mail Sack coming your way. Today we discuss reading event logs, PowerShell, FSMO, DFSR, DFSN, GCs, virtualization, RDC, LDAP queries, DPM, SYSVOL migration, and Netmon.

Do it.

Question

Logparser.exe doesn’t seem to read the message body when run against Security event logs on Windows Server 2008 R2:

logparser -i:EVT -o:CSV -resolveSIDs:ON "SELECT * INTO goo.csv FROM security"

Security,97760,2011-03-09 07:57:23,2011-03-09 07:57:23,4689,8,Success Audit event,13313,The name for category 13313 in S
ource "Microsoft-Windows-Security-Auditing" cannot be found. The local computer may not have the necessary registry info
rmation or message DLL files to display messages from a remote computer,
Microsoft-Windows-Security-Auditing,S-1-5-21-336
6683618-1989269118-3947618792-500|administrator|CONTOSO|0x57e6f4|0x0|0xbc8|C:\Windows\System32\mmc.exe,2008r2-01-f.conto
so.com,,A process has exited. Subject: Security ID: S-1-5-21-3366683618-1989269118-3947618792-500 Account Name: administ
rator Account Domain: CONTOSO Logon ID: 0x57e6f4 Process Information: Process ID: 0xbc8 Process Name: C:\Windows\System3
2\mmc.exe Exit Status: 0x0 ,

Answer

I am able to reproduce this issue. I can also see LogParser failing to parse some other ‘modern’ events in other logs, like the Application event log. Considering the tool was written in 2005 and only lists its support as Win2003 and XP, this looks like expected behavior.

You can do pretty much everything LogParser is doing with the event logs using PowerShell 2 on the later OS though, so you may not care to run this all down:

Get-WinEvent
http://technet.microsoft.com/en-us/library/dd367894.aspx

It is crazy powerful and can do XPath, structured XML queries, and hash-table queries.

Even WEVTUTIL.EXE can do much of this, although not with as much output formatting control as PowerShell. Leave logparser to the older OSes.
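As an added example (not part of the original post): a PowerShell 2-compatible equivalent of the logparser query from the question, which flattens each 4689 event's named XML fields into CSV columns and resolves the subject SID. The sample XML is constructed from the values quoted in the question, and ConvertFrom-EventXml, Resolve-Sid and Export-ProcessExitEvent are hypothetical helper names.

```powershell
# Added example, not from the original post. Helper names are hypothetical.
# Constructed sample: XML of a 4689 event, built from the values quoted in the question.
$SampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4689</EventID>
    <TimeCreated SystemTime="2011-03-09T07:57:23.000000000Z" />
    <Computer>2008r2-01-f.contoso.com</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3366683618-1989269118-3947618792-500</Data>
    <Data Name="SubjectUserName">administrator</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x57e6f4</Data>
    <Data Name="Status">0x0</Data>
    <Data Name="ProcessId">0xbc8</Data>
    <Data Name="ProcessName">C:\Windows\System32\mmc.exe</Data>
  </EventData>
</Event>
'@

# Equivalent of -resolveSIDs:ON. Falls back to the raw SID when it cannot be translated.
function Resolve-Sid {
    param([string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

# Turn one event's XML into a flat object: one property per named <Data> element.
function ConvertFrom-EventXml {
    param([Parameter(Mandatory = $true)][string]$Xml)
    $evt = ([xml]$Xml).DocumentElement
    $sys = $evt['System']
    $row = New-Object PSObject
    $row | Add-Member NoteProperty TimeCreated $sys['TimeCreated'].GetAttribute('SystemTime')
    $row | Add-Member NoteProperty EventID     $sys['EventID'].InnerText
    $row | Add-Member NoteProperty Computer    $sys['Computer'].InnerText
    $data = $evt['EventData']
    if ($data -ne $null) {
        foreach ($d in $data.GetElementsByTagName('Data')) {
            $name = $d.GetAttribute('Name')      # unnamed <Data> elements are skipped
            if ($name) { $row | Add-Member NoteProperty $name $d.InnerText -Force }
        }
    }
    if ($row.SubjectUserSid) {
        $row | Add-Member NoteProperty SubjectAccount (Resolve-Sid $row.SubjectUserSid)
    }
    $row
}

# Live query. The XPath form of the same filter is:
#   Get-WinEvent -LogName Security -FilterXPath '*[System[EventID=4689]]'
function Export-ProcessExitEvent {
    param([string]$Path = 'goo.csv', [int]$MaxEvents = 1000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4689 } -MaxEvents $MaxEvents |
        ForEach-Object { ConvertFrom-EventXml $_.ToXml() } |
        Export-Csv -Path $Path -NoTypeInformation
}

ConvertFrom-EventXml $SampleXml | Format-List    # offline check against the sample
```

Reading the Security log requires an elevated session; run Export-ProcessExitEvent on the server itself to produce goo.csv.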

Question

We’re thinking about virtualizing DFSR and DFSN. Is it supported? Are a lot of customers virtualizing these workloads?

Answer

Totally supported. Like anything virtual though, expect a slight performance hit.

There is a huge amount of virtualization happening. Enough now that you can just assume anything Windows is being run virtualized a lot. Maybe not many by percentage, but when your OS install base is in the hundreds of millions…

The main concern we have in this scenario is one we see on physical a lot now also (Warren can attest to this): the use of el cheapo iSCSI solutions rather than fiber-channel and other beefier network fabrics, especially combined with cheap SANs that have poor to non-existent support. You absolutely get what you pay for in this environment. The other thing to keep in mind is that - like all multimaster database systems - you absolutely CANNOT use snapshots with it: http://support.microsoft.com/kb/2517913/ 

Question

Do cross-forest trusts figure into Infrastructure Master FSMO role placement? I.e. can the IM run on a GC if the other forest is not all GCs too? I have two single-domain forests with a cross-forest Kerberos trust.

Answer

  • In the single domain forest it doesn’t matter where it goes at all, as the IM has no work to do until you have multiple domains in that forest.
  • If that single domain forest ever adds a domain, each IM will need to run on a non-GC server unless all DCs in that individual domain are also GCs.
  • The IM doesn’t care about the other forest at all. The forest is a boundary of what the IM is tracking, it does not traverse Kerberos trusts to other forests.
  • One more bit of recent weirdness that we don’t mention often: Once you enable the AD Recycle Bin, the Infrastructure Master stops mattering as a FSMO role and each DC takes on the role of updating itself with regard to cross-domain object references (see http://msdn.microsoft.com/en-us/library/cc223753(PROT.13).aspx).

Question

When using DFSR and you rename a file does the whole file get replicated? What about if the same file exists in two different folders: will each one replicate when a user makes copies of files between different folders?

Answer

1. Nope: http://blogs.technet.com/b/askds/archive/2009/04/01/understanding-dfsr-debug-logging-part-9-file-is-renamed-on-windows-server-2003-r2.aspx

2. Not if using at least one server with Enterprise Edition in the replication partnership, so that cross-file similarity can be used:

http://blogs.technet.com/b/askds/archive/2010/08/20/friday-mail-sack-scooter-edition.aspx (see Question “The documentation on DFSR's cross-file RDC is pretty unclear – do I need two Enterprise Edition servers or just one? Also, can you provide a bit more detail on what cross-file RDC does?”)

Proof on this one (as I don’t have an article with debug log example):

Two files in two folders, both identically named, data’ed, secured. They have sequential UID version numbers. Below is the inbound debug log from the server replicating the files (heavily edited for clarity and brevity).

20110308 10:26:38.491 2264 INCO  3282 InConnection::ReceiveUpdates Received: uid:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 gvsn:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 fileName:samefile.exe session:8 connId:{07C54B74-C2FB-4417-8830-3488E368480B} csId:{C929D10A-601B-41D8-A620-2D161733473B} csName:badseed ← the first file starts replicating inbound

20110308 10:26:38.491 2592 MEET  1342 Meet::Install Retries:0 updateName:samefile.exe uid:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 gvsn:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 connId:{07C54B74-C2FB-4417-8830-3488E368480B} csName:badseed updateType:remote

20110308 10:26:38.491 2592 MEET  4228 Meet::ProcessUid Uid related not found. updateName:samefile.exe uid:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 gvsn:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 connId:{07C54B74-C2FB-4417-8830-3488E368480B} csName:badseed

20110308 10:26:38.491 2592 MEET  5692 Meet::FindNameRelated Access name conflicting file. updateName:samefile.exe uid:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 gvsn:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 connId:{07C54B74-C2FB-4417-8830-3488E368480B} csName:badseed

20110308 10:26:38.491 2592 MEET  4647 Meet::GetNameRelated Name related not found. updateName:samefile.exe uid:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 gvsn:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 connId:{07C54B74-C2FB-4417-8830-3488E368480B} csName:badseed

20110308 10:26:38.491 2592 MEET  3346 Meet::UidInheritEnabled UidInheritEnabled:0 updateName:samefile.exe uid:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 gvsn:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 connId:{07C54B74-C2FB-4417-8830-3488E368480B} csName:badseed

20110308 10:26:38.491 2592 MEET  1992 Meet::Download Start Download updateName:samefile.exe uid:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 gvsn:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 connId:{07C54B74-C2FB-4417-8830-3488E368480B} csName:badseed csId:{C929D10A-601B-41D8-A620-2D161733473B} ← file replicated starts replicating inbound.

20110308 10:26:38.913 2592 RDCX   769 Rdc::SeedFile::Initialize RDC signatureLevels:1, uid:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 gvsn:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 fileName:samefile.exe fileSize(approx):737280 csId:{C929D10A-601B-41D8-A620-2D161733473B} enableSim=1 ← added the file’s signature info to the cross-file RDC similarity table

20110308 10:26:39.131 2592 STAG  1215 Staging::LockedFiles::Lock Successfully locked file UID: {0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 GVSN: {0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 state: Downloading (refCount==1)

20110308 10:26:39.131 2592 STAG  4107 Staging::OpenForWrite name:samefile.exe uid:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 gvsn:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222

20110308 10:26:39.225 2592 INCO  6593 InConnection::LogTransferActivity Received RAWGET uid:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 gvsn:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 fileName:samefile.exe connId:{07C54B74-C2FB-4417-8830-3488E368480B} csId:{C929D10A-601B-41D8-A620-2D161733473B} stagedSize:361599 ← file was replicated WITHOUT RDC as we had never seen this file before and had no similar files anywhere

20110308 10:26:39.225 2592 MEET  2163 Meet::Download Done downloading content updateName:samefile.exe uid:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 gvsn:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 connId:{07C54B74-C2FB-4417-8830-3488E368480B} csName:badseed

20110308 10:26:39.241 2592 STAG  1215 Staging::LockedFiles::Lock Successfully locked file UID: {0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 GVSN: {0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 state: Downloaded (refCount==1)

20110308 10:26:39.241 2592 STAG  1263 Staging::LockedFiles::Unlock Unlocked file UID: {0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 GVSN: {0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 state: Downloading (refCount==0) ← done staging file

20110308 10:26:39.241 2592 MEET  2775 Meet::TransferToInstalling Transferring content from staging area into Installing updateName:samefile.exe uid:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 gvsn:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 connId:{07C54B74-C2FB-4417-8830-3488E368480B} csName:badseed

20110308 10:26:39.256 2592 MEET  2808 Meet::TransferToInstalling Obtaining fid of the newly installed file updateName:samefile.exe uid:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 gvsn:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 connId:{07C54B74-C2FB-4417-8830-3488E368480B} csName:badseed

20110308 10:26:39.256 2592 MEET  2821 Meet::TransferToInstalling Read 733988 bytes, wrote 733988 bytes updateName:samefile.exe uid:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 gvsn:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 connId:{07C54B74-C2FB-4417-8830-3488E368480B} csName:badseed ← expanded from staging into the Installing folder

20110308 10:26:39.256 2592 MEET  2225 Meet::Download Download Succeeded : true updateName:samefile.exe uid:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 gvsn:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 connId:{07C54B74-C2FB-4417-8830-3488E368480B} csName:badseed csId:{C929D10A-601B-41D8-A620-2D161733473B}

20110308 10:26:39.256 2592 MEET  4228 Meet::ProcessUid Uid related not found. updateName:samefile.exe uid:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 gvsn:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 connId:{07C54B74-C2FB-4417-8830-3488E368480B} csName:badseed

20110308 10:26:39.256 2592 MEET  5692 Meet::FindNameRelated Access name conflicting file. updateName:samefile.exe uid:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 gvsn:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 connId:{07C54B74-C2FB-4417-8830-3488E368480B} csName:badseed

20110308 10:26:39.256 2592 MEET  4647 Meet::GetNameRelated Name related not found. updateName:samefile.exe uid:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 gvsn:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 connId:{07C54B74-C2FB-4417-8830-3488E368480B} csName:badseed

20110308 10:26:39.256 2592 MEET  3346 Meet::UidInheritEnabled UidInheritEnabled:0 updateName:samefile.exe uid:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 gvsn:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 connId:{07C54B74-C2FB-4417-8830-3488E368480B} csName:badseed

20110308 10:26:39.256 2592 MEET  3013 Meet::InstallRename Moving contents from Installing to final destination. Attributes:0x20 updateName:samefile.exe uid:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 gvsn:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 connId:{07C54B74-C2FB-4417-8830-3488E368480B} csName:badseed

20110308 10:26:39.256 2592 MEET  3043 Meet::InstallRename File moved. rootVolume:{E6D66386-E6B2-11DF-845F-806E6F6E6963} parentFid:0x2AA00000000E2BD fidInInstalling:0x100000000E2C3 usn:0xb01ec28 updateName:samefile.exe uid:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 gvsn:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 connId:{07C54B74-C2FB-4417-8830-3488E368480B} csName:badseed

20110308 10:26:39.256 2592 MEET  3143 Meet::InstallRename Update database with new contents updateName:samefile.exe uid:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 gvsn:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 connId:{07C54B74-C2FB-4417-8830-3488E368480B} csName:badseed

20110308 10:26:39.256 2592 MEET  3234 Meet::InstallRename Updating database. updateName:samefile.exe uid:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 gvsn:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 connId:{07C54B74-C2FB-4417-8830-3488E368480B} csName:badseed

20110308 10:26:39.256 2592 MEET  3244 Meet::InstallRename -> DONE Install-rename completed updateName:samefile.exe uid:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 gvsn:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 connId:{07C54B74-C2FB-4417-8830-3488E368480B} csName:badseed csId:{C929D10A-601B-41D8-A620-2D161733473B} ← moved the file into the replicated folder, done replicating for all intents and purposes

20110308 10:26:39.256 2592 MEET  1804 Meet::InstallStep Done installing file updateName:samefile.exe uid:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 gvsn:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 connId:{07C54B74-C2FB-4417-8830-3488E368480B} csName:badseed

20110308 10:26:39.256 2592 STAG  1263 Staging::LockedFiles::Unlock Unlocked file UID: {0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 GVSN: {0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 state: Downloaded (refCount==0)

Now I copy the exact same file into another folder on the upstream server, with same security, attributes, data, and name. Just a different path.

 

20110308 10:26:56.497 2592 RDCX  1311 Rdc::SeedFile::UseSimilar similarrelated (SimMatches=16) uid:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12223 gvsn:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12223 fileName:samefile.exe csId:{C929D10A-601B-41D8-A620-2D161733473B} (related: uid:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 gvsn:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 fileName:samefile.exe csId:{C929D10A-601B-41D8-A620-2D161733473B}) ← the server recognizes that the new file it was told about has an identical copy already replicated to another folder.

20110308 10:26:56.497 2592 STAG  1215 Staging::LockedFiles::Lock Successfully locked file UID: {0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 GVSN: {0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 state: Downloaded (refCount==1)

20110308 10:26:56.497 2592 RDCX  1510 Rdc::SeedFile::UseRelated "SimilarityRelated" file already staged uid:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12223 gvsn:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12223 fileName:samefile.exe csId:{C929D10A-601B-41D8-A620-2D161733473B} (related: uid:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 gvsn:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 fileName:samefile.exe csId:{C929D10A-601B-41D8-A620-2D161733473B}) ← even better, the file is still staged, so we don’t have to go stage a copy

20110308 10:26:56.497 2592 RDCX  3742 Rdc::FrsSignatureIndexFile::Open Opening FrsSignatureIndexFile OK for write Levels=1..1 uid:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 gvsn:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222

20110308 10:26:56.497 2592 RDCX   467 StreamToIndex RDC generate begin: (0..1), uid:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 gvsn:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 fileName:samefile.exe csId:{C929D10A-601B-41D8-A620-2D161733473B}

20110308 10:26:56.513 2592 RDCX   509 StreamToIndex RDC generate end: (0..1), uid:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 gvsn:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 fileName:samefile.exe csId:{C929D10A-601B-41D8-A620-2D161733473B}

20110308 10:26:56.513 2592 RDCX  3742 Rdc::FrsSignatureIndexFile::Open Opening FrsSignatureIndexFile OK for read Levels=1..1 uid:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 gvsn:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222

20110308 10:26:56.513 2592 RDCX  2359 Rdc::SeedFile::OpenSeedSigDB Using seed file for uid:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12223 gvsn:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12223 fileName:samefile.exe csId:{C929D10A-601B-41D8-A620-2D161733473B} seed(type:SimilarityRelated uid:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 gvsn:{0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 fileName:samefile.exe depth=1) ← we then create a new copy of the file using the signature bytes from the old copy. The actual new file is not copied over the wire.

20110308 10:26:56.653 2592 STAG  1263 Staging::LockedFiles::Unlock Unlocked file UID: {0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 GVSN: {0F26D474-860E-4A5D-9466-19B11C468E26}-v12222 state: Downloaded (refCount==0)

← after this it will look just like the first file where it gets expanded to Installing, copied to real RF.

Question

Whenever I use LDIFDE or CSVDE to export just users, I also get computers. How do all these other LDAP apps do it? 


There should only be 14 users in this test domain but I get 33 entries that include computers.

Answer

There are a number of ways to skin this cat.

Give this LDAP filter a try:

ldifde -f foo.txt -r "(&(!(objectclass=computer))(objectclass=user))"


See the difference? It is including any objects that have a class of ‘user’ but excluding (with the “!”) any that are also class of ‘computer’. This is necessary because computers are users. :) See the first few lines of one of the computers returned by the original query:

dn: CN=XP-05,CN=Computers,DC=contoso,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: XP-05
distinguishedName: CN=XP-05,CN=Computers,DC=contoso,DC=com
instanceType: 4
whenCreated: 20101201143854.0Z
<snip>

A good alternative from the Comments: (&(objectCategory=person)(objectClass=user))

And another good one: (sAMAccountType=805306368)

(You guys think about this a lot don't you? :P) 
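As an added example (not part of the original post): a way to run the filters discussed above against your own domain and count how many computer objects each one lets through. It assumes a domain-joined machine, and Test-UserFilter is a hypothetical helper name.

```powershell
# Added example, not from the original post. Assumes a domain-joined machine; the
# searcher binds to the current domain with the caller's credentials.
$Filters = @(
    '(objectClass=user)',                               # also returns computer objects
    '(&(objectClass=user)(!(objectClass=computer)))',   # filter from the answer
    '(&(objectCategory=person)(objectClass=user))',     # alternative from the comments
    '(sAMAccountType=805306368)'                        # alternative from the comments
)

# Test-UserFilter is a hypothetical helper: runs one filter, counts what comes back.
function Test-UserFilter {
    param([Parameter(Mandatory = $true)][string]$Filter)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = $Filter
    $searcher.PageSize = 1000      # paged search, so large domains are not truncated
    [void]$searcher.PropertiesToLoad.Add('objectClass')

    $total = 0
    $computers = 0
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            $total++
            # objectClass is multi-valued: top, person, organizationalPerson, user, computer
            if ($r.Properties['objectclass'] -contains 'computer') { $computers++ }
        }
    } finally {
        $results.Dispose()         # SearchResultCollection holds unmanaged resources
    }

    New-Object PSObject -Property @{
        Filter    = $Filter
        Entries   = $total
        Computers = $computers
    }
}

$Filters | ForEach-Object { Test-UserFilter $_ } |
    Select-Object Entries, Computers, Filter |
    Format-Table -AutoSize
```

A non-zero Computers count on any row means that filter is still returning machine accounts.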

Question

Are DFSR and DPM compatible?

Answer

Yes, as long as your DFSR servers have the KB977381 version (or newer) of DFSR.EXE/DFSRS.EXE installed, they are compatible. The article doesn’t state it, but the filter driver I/O requests that DFSR didn’t understand were DPM’s.

Question

Is it ok to migrate SYSVOL to DFSR before you have all domains in the forest at a Windows Server 2008 domain functional level, or the whole forest at Windows Server 2008 forest functional level? Do I need to be concerned about site-based policies that might be accessed throughout the forest?

Answer

Per-domain is fine, the individual domains don’t matter to each other at all in regards to SYSVOL migration. GP is completely unaware of the replication type, so site-based policies don’t matter either. The main effect will be that once you have DFSR being used, you will hopefully have fewer GP problems due to replication latency and FRS’ general instability.

Regardless: make sure you are using our latest DFSRS, DFSRMIG and ROBOCOPY hotfixes.

KB972105 All files are conflicted on all domain controllers except the PDC Emulator when a DFSR migration of the SYSVOL share reaches the Redirected state in Windows Server 2008 or in Windows Server 2008 R2 - http://support.microsoft.com/default.aspx?scid=kb;EN-US;972105

KB968429  List of currently available hotfixes for Distributed File System (DFS) technologies in Windows Server 2008 and in Windows Server 2008 R2 - http://support.microsoft.com/default.aspx?scid=kb;EN-US;968429

Netmon Loot

If you use NetMon, make sure you check out all of the sweet experts and parsers that keep coming out of various teams. We don’t advertise these well, but there are some really useful ones these days:

- Ned “Tired” Pyle

  • For the question about ldifde, this filter (&(objectCategory=person)(objectClass=user)) would yield the same result and would also guarantee that an index is involved regardless of the OS the customer's DCs are running.

  • Good point Brian, thanks.

  • Ned,

    For virtualizing DFSR, you may want to also point out potential issues with virtualizing DFSR machines. The recently posted article at support.microsoft.com/.../en-us made me sit up in my chair and realize the potential issues with using system images or snapshots to rebuild a DFSR machine.

  • Eh, good point. Especially since I wrote that KB. :)

  • Ned,

    here's a user object filter that's even more effective:

    (sAMAccountType=805306368)

    Nils

  • Good one Nils.