Friday Mail Sack: Gargamel Edition


Hi folks, Ned here again. This week we talk about 10 reasons not to use list object access dsheuristics, USMT trivia nuggets, poor man’s DFSDIAG, how to get network captures without installing a network capture tool, and some other random goo. Oh yeah, and friggin’ Smurfs.

Question

We’re thinking about using List Object Access dsheuristics mode to control people seeing data in Active Directory. Are there any downsides to this?

Answer

There are a few. Here are at least ten, in no particular order (thanks to PFE Matt Reynolds for some of these, although he may never realize it):

  1. This can greatly increase the number of access checks the DCs perform, because every child object has to be checked individually during enumeration, and that can have a significant negative effect on performance.
  2. This will require a huge amount of work and ongoing maintenance. You will need to create and look after, forever, selective "views" for admins, help desks, service accounts, etc.
  3. This was designed more for hosted "multi-tenant solutions" that are very specialized.
  4. Microsoft applications are not generally tested with this setting.
  5. If you can find a third party vendor that tests this, I will have a heart attack and die from shock. If you can then find a vendor that is willing to change their code if you run into problems, I will then rise from the grave and eat my own pants.
  6. It's very difficult to test how well apps are handling this, as it's designed to "omit data". That could have all sorts of weird effects on apps expecting to see certain built-in or "always available" objects.
  7. Active Directory is a... directory. It's designed to share info. Specific sensitive attributes can always be marked confidential (the 0x80 bit in the attribute's searchFlags), and that's probably really what you want here.
  8. Doing this is one of the least useful security measures in a whole litany of things that you probably haven't implemented: encrypting your LDAP traffic, using IPsec everywhere, using two-factor smart cards for all user access, encrypting all drives, preventing physical removal of computers. Or making sure your web servers don't allow ancient SQL injection attacks. Focus!
  9. This makes you unique. You don't want to be unique.
  10. Just because you can do something does not mean you should do something. We provide an option to format your hard drive as well.

Strangely, two people asked about this in the past few weeks.
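As an added example (not from the original post), here is the check I would run before touching any of this: it reads dSHeuristics to report whether List Object mode is already on, lists the attributes that are already marked confidential, and shows the targeted alternative from point 7, setting the confidential bit on one attribute. It assumes the ActiveDirectory PowerShell module (RSAT) and, for the last function, Schema Admins rights; the attribute name passed to it is a placeholder.

```powershell
# Added example, not code from the original post.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined account that can read the
# Configuration and Schema partitions; Set-ConfidentialAttribute also needs Schema Admins.
Import-Module ActiveDirectory

function Get-ListObjectModeState {
    $rootDse = Get-ADRootDSE
    $dsDn = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $ds = Get-ADObject -Identity $dsDn -Properties dSHeuristics
    $h = [string]$ds.dSHeuristics
    # The third character of dSHeuristics (fDoListObject) is '1' when List Object mode is enabled.
    # An empty or shorter value means the default, i.e. List Object mode is off.
    $enabled = ($h.Length -ge 3) -and ($h[2] -eq '1')
    [pscustomobject]@{ dSHeuristics = $h; ListObjectMode = $enabled }
}

function Get-ConfidentialAttribute {
    # searchFlags bit 0x80 (128) marks an attribute as confidential: reading it then requires
    # CONTROL_ACCESS on the attribute in addition to a generic read. The LDAP matching rule
    # 1.2.840.113556.1.4.803 is a bitwise AND.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=128))' `
        -Properties lDAPDisplayName, searchFlags |
        Select-Object lDAPDisplayName, searchFlags |
        Sort-Object lDAPDisplayName
}

function Set-ConfidentialAttribute {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $LdapDisplayName)
    # Schema writes must go to the schema master. Note that attributes in the base schema
    # (systemFlags category 1) cannot be made confidential; pick your own or extended attributes.
    $schemaMaster = (Get-ADForest).SchemaMaster
    $schemaNc = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
    $attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNc `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties searchFlags
    if (-not $attr) { throw "Attribute '$LdapDisplayName' not found in the schema" }
    $newFlags = [int]$attr.searchFlags -bor 0x80
    if ($PSCmdlet.ShouldProcess($LdapDisplayName, "set searchFlags $($attr.searchFlags) -> $newFlags")) {
        Set-ADObject -Server $schemaMaster -Identity $attr -Replace @{ searchFlags = $newFlags }
    }
}

# Usage: report first, change nothing.
Get-ListObjectModeState
Get-ConfidentialAttribute
# Dry run against a placeholder attribute name; drop -WhatIf to apply.
Set-ConfidentialAttribute -LdapDisplayName 'contosoStudentId' -WhatIf
```

Marking one attribute confidential costs nothing on enumeration, which is the point of item 1 above: the expensive part of List Object mode is the per-object check on every listing, not the protection of the attribute data itself.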

Question

Can USMT perform "incremental" or "differential" scans into a store? We have a lot of data to capture and it may take a while, especially when going to a remote store. We'd like to do it in phases if possible.

Answer

Sorry, no. ScanState completely deletes the destination store contents when it starts (this is why you must specify /o to overwrite a store that already exists). If you perform a hard-link migration (/hardlink), though, you are not copying data at all, so it scans much faster than a classic store. The catch is that a hard-link store only works for an in-place refresh on the same computer; it cannot be moved to another machine.

If you have to use a remote compressed classic store and you're worried about reliability, run your ScanState to a local store location on the disk, then copy that store folder to a network location afterwards. Make sure you calculate space estimates first (ScanState's /p switch generates one) to ensure you are not going to run out of disk, naturally.

Question

I don’t have any Win2008 servers – so I cannot use DFSDIAG.EXE – but I’d like to report on their DFS Namespace health. Are there other tools?

Answer

File Services Management Pack for System Center Operations Manager 2007
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=14307

That will monitor the health of Win2003 DFSN very well indeed. You can also run DFSDIAG from RSAT on Vista and Win7 clients against your Win2003 namespaces; why do I suspect that you're looking for a more... frugal... option, though? ;-P

The old DFSUTIL.EXE tool (from the Windows Server 2003 Support Tools) will stand in for DFSDIAG in a pinch, but it requires you to both run more commands and interpret the results carefully. It's not going to spend much time explaining what's wrong, so much as show you what it thinks is configured and let you decide if that's wrong or not. Some of the more useful commands:

Show the root, all of its links and all of their targets, with state:
dfsutil.exe /root:<dfs name> /view /verbose

Show the roots hosted by one root server:
dfsutil.exe /server:<root server> /view

Show the domain-based roots in a domain:
dfsutil.exe /domain:<domain> /view

Show which AD site DFS thinks a given computer is in (handy when referral ordering looks wrong):
dfsutil /sitename:<root server or dc or target or client>

Show whether site-costed referrals are enabled on the root:
dfsutil /root:<dfs name> /sitecosting /display

Show whether clients are restricted to targets in their own site:
dfsutil /root:<dfs name> /insite /display

Show whether client failback to preferred targets is enabled:
dfsutil /root:<dfs name> /targetfailback /display

Show the priority class and rank of one target:
dfsutil /root:<dfs name> /targetpriority /server:<target> /display

Validate the namespace metadata blob stored in AD for a domain-based root:
dfsutil.exe /root:<dfs name> /checkblob

List the DFS reparse points (link folders) on a volume:
dfsutil /viewdfsdirs:<volume name>


No complaining, we released DFSDIAG two OSes ago and you’re on a dying one. Plus we wrote it for a reason!
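As an added example (not from the original post), here is a small PowerShell wrapper that runs the DFSUTIL checks above against one root and keeps the raw output as a dated report, which is about as close to a poor man's DFSDIAG as DFSUTIL gets. The root, server and domain names are placeholders; it assumes dfsutil.exe (Windows Server 2003 Support Tools) is on the path, and it merely flags a non-zero exit code or an "error"/"fail" line as something for you to look at, because DFSUTIL will not interpret the results for you.

```powershell
# Added example, not code from the original post. Runs the DFSUTIL checks listed above
# and saves the raw output so you can diff reports over time. Assumes dfsutil.exe is on
# the PATH; the /targetpriority check is skipped unless a target server is given.
function Invoke-DfsUtilReport {
    param(
        [Parameter(Mandatory)] [string] $Root,         # placeholder, e.g. \\contoso.com\Public
        [Parameter(Mandatory)] [string] $RootServer,   # placeholder, e.g. fs01
        [Parameter(Mandatory)] [string] $Domain,       # placeholder, e.g. contoso.com
        [string] $TargetServer = '',                   # optional link target for /targetpriority
        [string] $ReportPath = ".\dfsutil-report-$(Get-Date -Format yyyyMMdd-HHmmss).txt"
    )

    # Each entry is one argument list for dfsutil.exe, in the same order as the post.
    $checks = @(
        @("/root:$Root", '/view', '/verbose'),
        @("/server:$RootServer", '/view'),
        @("/domain:$Domain", '/view'),
        @("/sitename:$RootServer"),
        @("/root:$Root", '/sitecosting', '/display'),
        @("/root:$Root", '/insite', '/display'),
        @("/root:$Root", '/targetfailback', '/display'),
        @("/root:$Root", '/checkblob')
    )
    if ($TargetServer) {
        $checks += ,@("/root:$Root", '/targetpriority', "/server:$TargetServer", '/display')
    }

    $results = foreach ($argv in $checks) {
        # 2>&1 keeps DFSUTIL's error text in the report instead of losing it to the console.
        $output = (& dfsutil.exe @argv 2>&1 | Out-String)
        $exit = $LASTEXITCODE
        Add-Content -Path $ReportPath -Value ("=== dfsutil " + ($argv -join ' ') + " (exit $exit) ==="), $output
        [pscustomobject]@{
            Command  = ($argv -join ' ')
            ExitCode = $exit
            # Assumption: DFSUTIL prints "error"/"fail" wording on problems; it does not
            # reliably signal them through the exit code, so both are checked.
            Suspect  = ($exit -ne 0) -or ($output -match '(?i)error|fail')
        }
    }
    $results
}

# Usage (placeholder names): run everything, then show only the checks worth a second look.
$report = Invoke-DfsUtilReport -Root '\\contoso.com\Public' -RootServer 'fs01' -Domain 'contoso.com'
$report | Where-Object Suspect | Format-Table Command, ExitCode -AutoSize
```

Keep the report files from a known-good day; most DFSN problems on Win2003 are configuration drift (a target that quietly went offline, site costing turned off on one root), and a diff against a good report finds that faster than reading DFSUTIL output cold.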

Question

The USMT hotfix KB2023591 only lists downloads for Windows 7/Windows Server 2008 R2.


Is there a version for older operating systems?

Answer

USMT 4.0 only cares that you run it against a client OS SKU, and that it be XP or later. The download is a CAB file and has no OS check at installation time; only ScanState and LoadState enforce the OS. If you dig into the fine print at the bottom of that KB, you will see only the brief applies-to note (the screenshot is not reproduced here).

The download page lists an OS because it has to say something, and USMT 4.0 is built from the Windows 7/2008 R2 source tree. So there you go.

Awesome Technique for Win7/2008 R2 Network Captures

Not a question, but a cool method that is too small to rate a full blog post: if you need to get a network capture on a Windows 7 or Windows Server 2008 R2 computer and you do not have (or want) Netmon installed, you can use NETSH.EXE. From an elevated CMD prompt, run:

netsh trace start capture=yes tracefile=c:\yourcapture.etl

(do whatever you needed to do to reproduce the problem)

netsh trace stop

Boom – network capture, written in ETL format.

Open that file in Netmon 3.4 and you get all the usual capture info, plus conversation and process info. AND other cool stuff: open the CAB file it created next to the ETL and you find a bunch of useful files with IP config, firewall event logs, applied group policies, driver versions, and more. All the goo I gather manually when I am getting a capture. Sweet! One caveat: that CAB is a fairly complete picture of the machine, and the ETL contains full packet payloads, so treat both as sensitive data, move them over a protected channel, and don't leave them sitting on a share when you're done.


Thanks to Tim “Mighty” Quinn for demoing this here.
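The same procedure wrapped in PowerShell, as an added example that is not part of the original post: it bounds the capture with a ring buffer so a long-running trace cannot fill the disk, overwrites the previous file, optionally narrows the capture with a netsh capture filter, and after the stop unpacks the diagnostic CAB so you can read what it collected. The path, size and filter are placeholder assumptions; run it from an elevated prompt on Windows 7 / 2008 R2.

```powershell
# Added example, not code from the original post. Requires an elevated prompt.
# Paths, sizes and the sample filter are placeholders.
function Start-NetshCapture {
    param(
        [string] $TraceFile = 'C:\captures\yourcapture.etl',
        [int] $MaxSizeMB = 256,          # ring-buffer cap: old frames are dropped once this is hit
        [string] $CaptureFilter = ''     # e.g. 'IPv4.Address=192.0.2.10'; empty captures everything
    )
    New-Item -ItemType Directory -Path (Split-Path $TraceFile) -Force | Out-Null
    $parts = @('trace', 'start', 'capture=yes', "tracefile=$TraceFile",
               "maxsize=$MaxSizeMB", 'overwrite=yes')
    if ($CaptureFilter) { $parts += $CaptureFilter }
    & netsh.exe @parts
    # Confirms the trace session is running and where it is writing.
    & netsh.exe trace show status
}

function Stop-NetshCapture {
    param([string] $TraceFile = 'C:\captures\yourcapture.etl')
    # Stopping takes a while: netsh flushes the ETL and then gathers the diagnostic CAB
    # (ipconfig, firewall logs, group policy results, driver info, ...) next to it.
    & netsh.exe trace stop
    $cab = [System.IO.Path]::ChangeExtension($TraceFile, '.cab')
    if (-not (Test-Path $cab)) {
        Write-Warning "No CAB found next to $TraceFile; only the ETL was written."
        return
    }
    $extractDir = Join-Path (Split-Path $TraceFile) 'cab-contents'
    New-Item -ItemType Directory -Path $extractDir -Force | Out-Null
    # expand.exe is in-box; -F:* extracts every file in the cabinet.
    & expand.exe -F:* $cab $extractDir | Out-Null
    Get-ChildItem -Path $extractDir -Recurse -File | Select-Object Name, Length
}

# Usage: start, reproduce the problem, stop. Both the ETL and the CAB are sensitive.
Start-NetshCapture -CaptureFilter 'IPv4.Address=192.0.2.10'
# ... reproduce the issue ...
Stop-NetshCapture
```

Filters are worth using on a busy server: a ring buffer of a few hundred MB fills in minutes on a file server, and the frames you needed are the first ones overwritten.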

Other Stuff

A few years ago TechNet Magazine stopped printing paper copy and switched to a web-only format. I lost track of them after that, but this weekend, I started going through their online versions from 2010 and 2011. It turns out there’s good stuff I’d been missing. Here are a few cherry picked articles; feel free to point out some other favorites in the Comments:

Windows Confidential: Testing, Testing (Raymond Chen)
http://technet.microsoft.com/en-us/magazine/gg675933.aspx

An interesting explanation of what Beta used to mean, and what it means now, from a Principal SDE who has been developing Windows since the Tithonian age. Heck, his blog is ready to collect Social Security.

Troubleshooting 201: Ask the Right Questions (Stephanie Krieger)
http://technet.microsoft.com/en-us/magazine/ff955771.aspx

How to be an effective troubleshooter. Don’t stop reading just because the author is an Office expert; it’s applicable across all aspects of IT. A truly excellent article that should be required reading for new admins.

Toolbox (Greg Steen)
http://technet.microsoft.com/en-us/magazine/ff628337.aspx?sdmr=toolbox&sdmi=columns

Unlike me, these folks can recommend useful third party utilities. It’s a monthly column and some of these are pretty slick.

Windows PowerShell: HTML Reports in PowerShell (Don Jones)
http://technet.microsoft.com/en-us/magazine/hh127059.aspx

An easy technique to take harsh text output and turn it into fluffy HTML. Perfect for punching up reporting to show your manager with zero extra effort, leaving more time for you to work on real issues. Or, you know, see your children grow up. Cat’s in the cradle and the silvaaaaah spoooon…

Using Kerberos for SharePoint Authentication (Pav Cherny)
http://technet.microsoft.com/en-us/magazine/ee914605.aspx

Yes please! If you have a friend that admins SharePoint, share this with them. In fact, bribe them to follow it. Whatever it takes. NTLM is the Devil and SharePoint feeds him jalapeños.


The Daily Mail was granted a “rare and remarkable” interview with Bill Gates last week. It’s a very interesting read.

Remember when I said yesterday that it sucks to use the Internet in Australia and Canada? Well it sucks in other places too… The article isn’t what I’d call “complete” (it misses 98% of the world and doesn’t include my gigantic US ISP, Time Warner, for example – TW doesn’t care if I download 5 TB or 5KB, as fast and as often as I like, as long as I pay on time; I use Sprint for my phone for the very same reason – flat rate unlimited data without metering rules). A nifty piece – I recommend the comments.

Why, Andalusia? Whyyyyyyyyyyy!?!?!?!?! I mean, I expect this from Belgium… Maybe Platformas knows.

Have a nice weekend folks.

- Ned “those dudes totally smurfed their smurf up” Pyle

  • List Object mode tends to come up with Education customers in particular as they are subject to FERPA. Think of FERPA as Congress dictating how you run your AD. The definitions in it are broad and depending on how counsel at the customer interprets it, you may need to make AD accounts disappear for users who have "opted out". There are obviously multiple ways to do this but List Object mode is one I know some customers have implemented.

  • Thanks for the real world example Brian. It sounds a bit like SOX, where there's an industry of compliance people out there to interpret vague laws and turn it into cold hard cash with big expensive projects. The same folks that say Sarbanes absolutely *requires* object access auditing be enabled. ;-) Ah well, everyone's gotta eat.

    I'm curious how a user object being visible is bad though, since you can use confidential attributes or security to block access to the actual attribute data - the part that really matters since it conceivably has PII. And those don't have the performance implications. That's the big problem - you are making everything slower and bashing the DCs to pieces to prevent seeing the (typically valueless) CN of a user.

  • The MS Exchange team tells you to set the domain in List Object Mode if you want to segregate the address lists in Exchange 2007.

    technet.microsoft.com/.../bb936719(EXCHG.80).aspx

    I tested this in a lab, and the result was that if I browsed, e.g., a user object with ADUC, I just saw it as an "unknown" object (but the name was visible) and I was unable to open it. For the address list part it had no effect at all.

  • Oops - so you mean that the steps on that TechNet site didn't work? If so I can see about getting it fixed.

  • Well, address list segregation is exactly what the hosting (multi-tenancy) scenario is all about. It doesn't assume seriously hiding from ADUC because hosting customers are never supposed to use ADUC. Customer admins should use some kind of hosting control panel. And end users should obviously use OWA or Outlook.

    After all, that doesn't make sense any more since Exchange 2010 has a completely different multi-tenancy model.

  • At least I didn't see any difference in the Exch2007 address lists. They were hidden even if I turned on List Object Mode vs List Child Mode in AD (following the other steps in the article). I had a little "chat" with you Ned back then, and you meant LDAP searches would go slower in List Object mode, for one thing.

    If you use Microsoft Provisioning System you might have a fair chance to do the maintenance required in List Object mode. If not, forget about it (was my conclusion) :)

    This only applied to Exch2007 like Pronichkin said.