The Bit Bucket

Thursday, August 21, 2008

AD Find

AD Find is the second of the two tools I managed to find in the same week. This little tool weighs in at just 700K for the download and about 2MB for the actual file. This tool does exactly what it says: it finds things in Active Directory. The clever part about it is that it's possible to say exactly what you want to get back and the format it should be in.
As an example, a few weeks back I had the issue with Bindview not liking non-ASCII characters.

Now, the version of Bindview that's being used where I work is a very old NT4 only aware application which means it will update the SAMAccountName attribute but not the display name.

This isn't a problem as there is a workflow from an HR application which deals with all of that; all Bindview should be doing is delegated group permissions (and yes, I know it's much easier in AD but that's a war story for another time).

Anyway, I was curious to know how many SAMAccountNames didn't match up with display names so I used ADFind to display the CN, SAMAccountName, mail, firstname and lastname fields in a CSV format which could then be processed by a filter in Excel. Much quicker than messing around with the native Active Directory tools.


AD Explorer from Sysinternals

Sometimes it's possible to stumble upon a tool and wonder just how you would have gotten a task accomplished without it. Last week I had the good fortune to stumble upon two such applications right at the time when I needed them most. I did consider buying a lottery ticket that evening!

The first one is AD Explorer and it's from Sysinternals and it's exactly what it says, an explorer tool for Active Directory. It allows viewing, searching and editing of the AD in ways that are far superior to Active Directory Users and Computers. I suspect the only things that AD Users and Computers can do (or do better) that this tool cannot are password changes, logon hour restrictions and limiting logon IDs to specific computers.

One very nice feature this tool has is the ability to take a snapshot of an Active Directory and compare it to another snapshot. Doing this shows just how many changes occur in the AD in just a few days. It's also a great way to see how many differences accumulate between your production and test Active Directory environments.

Overall this is a fantastic tool and one I'll be using when the MS technotes require delving into some obscure key via ADSIEdit. I'll also be using it in place of tools like Softerra's LDAP browser unless I need to do something LDAP specific.


Friday, August 01, 2008

Why Total Cost of Ownership is a fallacy

If I have one more potential supplier try and sell me something on the lie that it will "reduce TCO" I will not only scream but I will beat them to death with a CAT 5 cable.

Total Cost of Ownership (TCO) is one of those almost unmeasurable values that seems to have pride of place in the salesperson's portfolio. How do they KNOW a new system (with its associated equipment, licensing and training costs) will work out cheaper than the old one?
The idea is that newer systems have better support so rather than training someone in an older system and maybe having to buy in more expensive skills for more legacy systems it works out cheaper to upgrade or replace with the latest model.

I don't disagree that for some systems which are truly legacy, such as the old DOS or OS/2 application, it may well work out cheaper in the long run, but the one thing that will truly reduce TCO?

  • Understand your systems.

  • Take time to test and document the fixes.

  • Use your call logging system as a knowledge base.


These three tips alone will truly reduce TCO.


Tuesday, July 15, 2008

VMWare course

For much of this week I'm on a VMWare course for the second half of my VMWare training. This part of the course is titled Deploy, Secure and Analyse. The course itself is to prepare me for a server consolidation project that the company I work for is kicking off.
The project involves several VMWare clusters, a Hitachi SAN and blades. Lots of flashing lights and new technology to break support.


Sunday, July 13, 2008

Legacy Systems and a very handy SQL comparison Tool

On Friday, I had the "pleasure" of having to get a legacy system up and running.
This system was originally introduced to allow users in the business to manage group membership for projects they had ownership of. The idea was that it would cut down user calls to the service desk by about 10% and allow the project managers themselves to get a speedier turn around for new starters.
Sounds fine in theory and in the world of NT4 it wasn't a problem. Move on to the world of Active Directory and things are a little different. The legacy system (Bindview v4.6) has been superseded about 5 times over but we can't just install the latest version. Trust me on this, the latest version is fine but there are many design decisions and compromises as well as several rejections for upgrading the system from a few years back that have all combined to lead to the current problem.

The actual problem was an interesting one. The system was complaining whenever anyone tried to edit a group. A restore of the back end SQL database fixed the problem until the next domain sync occurred when the database would corrupt itself again.

Obviously, the sync was pulling something from the domain that it didn't like.
For the first attempt at a fix I fired up SQL Trace which records every single SQL statement that goes to a selected database. The neat thing about Trace is that it's possible to point the trace results to a SQL database itself and then filter it to get rid of stuff you know isn't going to help - such as SQL agent tasks and so on.
Trace left me with a multi-variable SQL script spanning over 4,000 lines and quite difficult to read or even test so I decided that the next best thing was to restore the working database to a new database name and then find a tool to compare every object on the Bindview user table to see what was different between the restore and the one that synced with the domain and promptly broke.

AdeptSQL was the third tool I tried and whilst it has a very simplistic point and click interface it's incredibly powerful for comparing two SQL databases. Once the comparison is done you get two side-by-side windows which represent the two databases. Changes are highlighted by colour - Red for deletions, Blue for new and black for no changes.
This left me with a list of 2,000 changes, deletions and amendments in the database.
AdeptSQL also lets you filter things out and by using these features I eventually tracked the problem down to the description field of two user accounts.
These accounts had spurious characters in them which Bindview, being rather old and totally ASCII, promptly fell over on. Removing these and waiting for a resync solved the problem.

Whilst AdeptSQL helped me solve that particular problem there is still the problem of this legacy system updating Active Directory whilst not being Active Directory aware which leads to some other fun and games with the display name versus the SAMAccount name but more on that in a later article.
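The root cause above (spurious characters in the description field of two accounts) can be caught before the next sync by scanning a CSV export of the directory, such as the ADFind export described in the AD Find post. The following is an added example, not code from the original post or from either tool; the sample rows are constructed and the column layout (quoted CSV with a header row of attribute names) is an assumption.

```python
import csv
import io
import unicodedata

# Constructed sample rows; the header/column layout is an assumption.
SAMPLE_EXPORT = '''"dn","cn","sAMAccountName","description"
"CN=Ann Lee,OU=Staff,DC=example,DC=test","Ann Lee","alee","Project manager"
"CN=Zo\u00eb Roy,OU=Staff,DC=example,DC=test","Zo\u00eb Roy","zroy","Contractor \u2013 Site B"
"CN=Bob Ray,OU=Staff,DC=example,DC=test","Bob Ray","bray","Finance\x07 team"
'''


def suspicious_chars(value):
    """Return (index, char) pairs that fall outside printable ASCII (0x20-0x7E)."""
    return [(i, ch) for i, ch in enumerate(value) if not 0x20 <= ord(ch) <= 0x7E]


def describe(ch):
    """Render a character as its code point plus Unicode name (controls have none)."""
    return "U+%04X %s" % (ord(ch), unicodedata.name(ch, "<control or unnamed>"))


def scan_export(text, attributes):
    """Scan the chosen attribute columns of a CSV export and list every
    character an ASCII-only consumer could choke on."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        for attr in attributes:
            # A missing column or empty cell is treated as an empty string.
            for index, ch in suspicious_chars(row.get(attr) or ""):
                findings.append({
                    "account": row.get("sAMAccountName", ""),
                    "attribute": attr,
                    "index": index,
                    "char": describe(ch),
                })
    return findings


if __name__ == "__main__":
    for f in scan_export(SAMPLE_EXPORT, ["cn", "description"]):
        print("%(account)s: %(attribute)s[%(index)d] contains %(char)s" % f)
```

Control characters are flagged as well as non-ASCII ones, since either can trip an application that expects plain printable ASCII.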


Monday, June 30, 2008

Build your own NAS

Things have really moved on in terms of storage. Not so long ago the largest hard drive you could buy for a home PC was a 200GB IDE. Today, 1TB SATA hard drives are available for less than £100 from my favourite hardware website AUT Direct.

I'll admit that I couldn't resist for long and as I've got a tower PC with 6 IDE hard disks in which are not doing anything at present it was just too much of a lure and I've ordered up 4 1TB disks.
The plan is to replace four of the IDE disks with these 1TB SATA drives and I've bought the necessary SATA drive bays to make swapping them out easier if needed.

As the motherboard is quite old I also purchased two SATA cards which will be able to handle the SATA disks.

The tower also has two IDE disks on an IDE expansion card. This was originally for the OS but I'm going to pull that and put one of the SATA cards in its place. The IDE disks are small (either 10 or 20GB) which I'm going to bin and replace with two 250GB IDE disks.

In total the box will have about 4.5TB raw storage capability. I need to configure the 4 SATA drives as RAID 5 in case of a failure. I also want to configure the two 250GB IDEs as RAID1 for the same reason but testing it in VMWare showed it wasn't quite that easy.

The operating system of choice will be OpenFiler. This OS supports all sorts of storage options including CIFS, NFS and iSCSI. It's free and actually supports more than some hardware solutions such as the Buffalo TeraStation I recently bought!

Even so, when finished and configured with the RAID arrays the box should be able to support an impressive 3.2 or so TB of usable storage.

A fun little project......!

Sunday, June 29, 2008

Issues upgrading Domain Schema to 2003

So I'm probably a little behind in upgrading my home network's domain schema to support Windows 2003 but better late than never!
The process itself was smooth enough once I'd corrected some problems on the machine but the upgrade logs were not the most helpful troubleshooting aid I've come across.
One particular error had me stumped for a few days:

"Error code: 0x57 Error message: The parameter is incorrect.."

No indication of which parameter it was but as it occurred when checking security descriptors and many blog articles refer to missing security ACLs on GPOs I had a look at those and sure enough, Enterprise Admins was missing some rights so I fixed those up and....... the same problem. At this point I'd admit to a lot of head scratching. The event logs didn't shed much light until I realised that the security event logs were not accessible. Sure enough, somehow the ACLs on the security event logs had lost all their rights. Resetting these and then rebooting allowed the process to complete perfectly.
