Azure Storage Browser

May 16th, 2017

Although there is ready to use nice, free Microsoft Azure Storage Explorer, I’ve developed my own tool to browse Azure Storage:

It’s been created in Visual C# using the latest Microsoft Azure SDK for .NET – 3.0.

The core code is as follow:

with one trick to find if type of Storage Account uses Standard or Premium performance tier:

If connection to Storage Account is established properly, TreeView in the left panel is filled by blobs, files, tables and queues. Clicking any TreeView node allows to present details of its child objects in GridView in the right panel. We can asynchronously upload, download or delete selected objects.

Tool is still at an experimental stage and under development, so all unstable behaviors I fix in daily basis, if any. For now the best is to try it on test environment.

 

Download:

Installer: AzureStorageBrowser

Portable: AzureStorageBrowser

Solution: https://github.com/Grad1ent/AzureStorageBrowser

 

Reference articles:

Get started with Azure Blob storage using .NET

Get started with Azure Queue storage using .NET

Get started with Azure Table storage using .NET

Get started with Azure File storage on Windows

 

 

 

Active Directory quick queries via Powershell

October 6th, 2015

Here is reference to a few quick AD queries via Powershell’s “one command”.

Forest basic info:

Domains’ basic info from entire forest:

List of Domain Controllers:

DCs numbers per domains in whole forest:

Sites:

Subnets:

Site links:

Connection objects on <myDC>:

Replication queue on <myDC>:

Replication status on <myDC>:

Replication status in whole forest:

Active Directory quick queries

January 31st, 2015

Here is reference to a few quick AD queries.

Dump of AD:

List of Domain Controllers:

List of FSMO holders:

List of Global Catalog holders:

List of Sites:

Site where myDC belongs:

List of preffered bridgeheads:

Domain Controller which authenticated my:

All users:

Total number of users:

All active users:

Locked users:

Restricting Active Directory replication traffic to the fixed ports

January 28th, 2015

Overview:

Except of well known ports such 389 TCP/UDP, 636 TCP, 3268 TCP, etc. (full overview is here) Active Directory uses a few ones from dynamic pool for replicaton purposes. If we don’t have strict security policy where is allowed only explicity defined traffic in firewalls we can leave default configuration of communication between domain contollers:

1024  – 65535 TCP Dynamic RPC W2K/W2K3

49152 – 65535 TCP Dynamic RPC W2K8+

However if we would like to have more control over AD and SYSVOL replication we can limit above scope to our needs:

#1. Restricting Active Directory replication traffic to exemplary 5000 TCP port (0x1388):

#2a. Restricting SYSVOL FRS traffic to exemplary 5050 TCP port (0x13ba):

#2b. Restricting SYSVOL DFS-R traffic to exemplary 5050 TCP port:

#3. RPC dynamic port allocation to exemplary 6000 – 6050 TCP port pool:

Practice:

Common operation issues in complex environments, like Event 1722: “The RPC server is unavailable”, are sometimes caused by FW restrictions where are allowed traffics on fixed ports only instead of full RPC dynamic pool. For example just promoted domain controller with default configuration is trying to replicate with remote partner located behind FW via dynamically assigned 49157 TCP port where design of replication topology strictly defines 5000 TCP for example and it is implemented on all DCs and FWs.

To check what ports are used for replication purposes simply query 135 TCP enpoint mapper of each domain contoller. It looks like as follow using portqry.exe:

and in the result try to find section: MS NT Directory DRS Interface to check AD replication ports:

and: Frs2 Service to check DFS-R port:

To find out if above RPC ports are fixed or not simply query registry settings of this domain controller:

Restricted Active Directory replication traffic:

RPC dynamic port allocation:

 

Reference articles:

How to configure a firewall for domains and trusts

Active Directory Replication Over Firewalls

Restricting AD Replication Traffic between DCs to only a few ports

Service overview and network port requirements for Windows

Using PORTQRY for troubleshooting

 

Active Directory numbers

January 18th, 2015

Here is quick reference to find out several metadata of AD.

Schema version:

AD version objectVersion
Windows 2000 Server 13
Windows 2000 Server + Exchange 2000 17
Windows Server 2003 30
Windows Server 2003 R2 31
Windows Server 2008 44
Windows Server 2008 R2 47
Windows Server 8 – Developer Preview 51
Windows Server 8 – Beta 52
Windows Server 2012 56
Windows Server 2012 R2 69
Windows Server 10 Technical Preview 72

Schema revision: adprep /forestprep

AD version Revision
Windows Server 2008 2
Windows Server 2008 R2 5
Windows Server 2003 R2 9
Windows Server 2012 11
Windows Server 10 Technical Preview 15

Schema revision: adprep /domainprep

AD version Revision
Windows Server 2008 3
Windows Server 2008 R2 5
Windows Server 2003 R2 8
Windows Server 2012 9
Windows Server 10 Technical Preview 10

Schema revision: adprep /rodcprep

AD version Revision
Windows Server 2008 2
Windows Server 2012 2
Windows Server 10 Technical Preview 2

Forest Functional Level:

FFL msDS-Behavior-Version
2000 0
2003 Interim 1
2003 2
2008 3
2008 R2 4
2012 5
10 Technical Preview 5

Domain Functional Level:

DFL msDS-Behavior-Version ntMixedDomain
Windows 2000 Native domain Level 0 0
Windows 2000 Mixed domain Level 0 1
Windows 2003 Domain Level 2 0
Windows 2008 Domain Level 3 0
Windows 2008 R2 Domain Level 4 0
Windows 2012 Domain Level 5 0
Windows Server 10 Technical Preview 5 0

Exchange version:
#1 – Forest rangeUpper attribute of ms-Exch-Schema-Version-Pt

#2 – Forest objectVersion attribute of Organization container

#3 – Domain objectVersion attribute on Microsoft Exchange System Objects

Exchange Version #1 #2 #3
Exchange 2000 RTM 4397 - 4406
Exchange 2000 SP3 4406 - 4406
Exchange 2003 RTM 6870 6903 6936
Exchange 2003 SP1 6870 6903 6936
Exchange 2003 SP2 6870 6903 6936
Exchange 2007 RTM 10637 10666 10628
Exchange 2007 SP1 11116 11221 11221
Exchange 2007 SP2 14622 11222 11221
Exchange 2007 SP3 14625 11222 11221
Exchange 2010 RTM 14622 12640 12639
Exchange 2010 SP1 14726 13214 13040
Exchange 2010 SP2 14732 14247 13040
Exchange 2010 SP3 14734 14322 13040
Exchange 2013 RTM 15137 15449 13236
Exchange 2013 CU1 15254 15614 13236
Exchange 2013 CU2 15281 15688 13236
Exchange 2013 CU3 15283 15763 13236

 

Active Directory Topology Visualization part 2

January 11th, 2015

If you have a look closer into Active Directory Topology Visualization part 1 solution developed some time ago you will find that vbs script queries one domain controller to find replication topology. It is quick approach to have overview of AD replication ASAP. However it represents viewpoint only of this domain controller and sometimes it doesn’t have to be objective true.

If domain controllers replicate each other without any issues and there isn’t any modification in numbers of them (adding, removing, etc.) topology should look very the same on every DC and above solution is absolutely enough. But to have proper recognition of condition of AD environment during its modification there is needed something more comprehensive.

Here is my trial to find full overview of AD physical topology and condition of replication as a side effect of quering every particular domain controller in our environment. Below vbs script queries all DCs found in AD, formats information about sites, servers and connection objects into dot syntax and controls pictures of nodes (here: domain controllers) and labels of edges (here: connection objects) to report issues in topology: orphan or not accessible DCs or connection objects just generated and not seen by other DCs.

Practice:

Vbs script to query all DCs:

getReplicationTopology.zip

usage:

Example of dot code generated by above vbs script:

and diagram:

fdp4

Note:

Pictures of nodes used in diagrams:

server DC queried by vbs script

noaccessDC not queried by vbs script because of communication issue

orphanOrphan DC not fully removed from AD during decommission

Gallery:

dot5

fdp6

fdp7

 

Theory:

1. How Active Directory Replication Topology Works

2. KCC and Topology Generation

3. Active Directory Topology Visualization part 1

 

How to remove lingering objects from complex environment

December 27th, 2014

Based on “Clean that Active Directory forest of lingering objects” article on Glenn LeCheminant’s weblog here is an extract of my own development:

Overview:

Lingering objects are not desired entities in AD. If one or more domain controllers are disconnected from environment and back after some period of time (called: tombstone), deleted objects can be reintroduced by them. Clearing of AD is serious challenge and requires complex solution in complex environment.

Microsoft prepared simple tool to perform proper removal. However using it depends on design of the environment. Because connections between all sites are not always fully meshed, lacks in “seeing” domain controllers each other is mitigated by simple trick: one domain controller in particular domains is chosen as reference server for its own domain partition and is used by any other domain controller with global catalog function from other domains as reference source. The best is PDC because it should be accessible at least from any domain controller in its own domain and in theory from other domains. However it’s not really manadatory and any DC can be used. In rare cases of communication issue there is needed additional step described below.

Practice:

Below procedure can be used for effective removal of lingering objects in entire forest. It bases on preparing reference domain controller with clean, writable domain partition, and using it as an authoritative source for any other domain controller holding write (DC) or read-only (GC) version of this partition.

Solution is covered by using following command:

Note:

sourceDCGUID can be found in several ways:

This procedure requires to finish three steps in every domain in entire forest:

Step 1: Cleaning up domain partition on reference DC

Series of commands run against one choosen DC allow to clean up its partition in reference to all other DCs in this domain:

In case of communication issue (because of firewall restriction, etc.) finish clearing process of chosen DC with the rest of DCs and begin again Step 1 with failured ones:

linger1

Step 2: Cleaning up writable version of domain partition on remaining DCs

Series of commands run against all other DCs of affected domain allow to clean up their partitions in reference to DC choosen in Step 1:

In case of communication issue repeat Step 2 with failured DCs:

linger2

 

Step 3: Cleaning up read-only version of domain partition on all GCs in entire forest

Series of commands run against all GCs located in different domains allow to clean up their read-only version of affected domain partitions in reference to any DCs from Step 1 or Step 2.

In case of communication issue replace DC1guid with any other one from Step 1 or 2. If all DC guids don’t allow to establish proper communication between GC under clearing process and any DC which is owner of affected domain partition, use the nearest last GC which walked through Step 3 without failure, to re-host this partition:

linger3

 

Events:

The following events are logged during clearing lingering objects:

Events logged on DC without lingering objects:

1388: SRC is off, lingering objects appeared

1988: SRC is on, lingering objects blocked

2042: Too long since source replication

Events logged on DC with lingering objects during:

repadmin /removelingeringobjects … /advisory_mode

1938: Starting detection summary

1946: For each lingering object detected

1942: Final detection summary

Events logged on DC with lingering objects during:

repadmin /removelingeringobjects …

1937: Starting removal summary

1945: For each lingering object detected and removed

1939: Final removal summary

Reference articles:

Fixing Replication Lingering Object Problems (Event IDs 1388, 1988, 2042)

http://technet.microsoft.com/en-us/library/cc738018%28v=ws.10%29.aspx

Event ID 1388 or 1988: A lingering object is detected

http://technet.microsoft.com/en-us/library/cc780362%28v=ws.10%29.aspx

Lingering objects may remain after you bring an out-of-date global catalog server back online

http://support.microsoft.com/kb/314282

Outdated Active Directory objects generate event ID 1988 in Windows Server 2003

http://support.microsoft.com/kb/870695

How to find and remove lingering objects in Active Directory

http://sandeshdubey.wordpress.com/2011/10/09/how-to-find-and-remove-lingering-objects-in-active-directory/

Clean that Active Directory forest of lingering objects

http://blogs.technet.com/b/glennl/archive/2007/07/26/clean-that-active-directory-forest-of-lingering-objects.aspx

Repadmin for Experts

http://technet.microsoft.com/en-us/library/cc811549%28v=ws.10%29.aspx

Enable strict replication consistency

http://technet.microsoft.com/en-us/library/cc784245%28v=ws.10%29.aspx

 

VBS scripts to query everything

December 24th, 2014

There are a few simple scripts developed by me to automate somehow regular reporting against set of servers. Result is usually presented in csv file to use it quickly in Excel or similar calculation software.

Scripts to query WMI:

Script to report installed roles and features:

getRoles.zip

usage: cscript /nologo getRoles.vbs servers.txt

Example of input file: servers.txt

Example of output file: getRoles_26-09-2014_12-30-14.csv

Script to report info about installed services:

getServices.zip

usage: cscript /nologo getServices.vbs servers.txt

Example of input file: servers.txt

Example of output file: getServices_19-11-2013_07-30-15.csv

Script to report information about capacity of local disks:

getCapacity.zip

usage: cscript /nologo getCapacity.vbs servers.txt

Example of input file: servers.txt

Example of output file: getCapacity_01-10-2013_13-01-51.csv

Script to report activation status:

getActivationStatus.zip

usage: cscript /nologo getActivationStatus.vbs servers.txt

Example of input file: servers.txt

Example of output file: getActivationStatus_17-06-2013_10-12-18.csv

Script to report about sharings:

getSharings.zip

usage: cscript /nologo getSharings.vbs servers.txt

Example of input file: servers.txt

Example of output:

Scripts to query registry:

Script to report installed software:

getSoftware.zip

usage: cscript /nologo getSoftware.vbs servers.txt

Example of input file: servers.txt

Example of output file: getSoftware_12-06-2013_13-51-58.csv

Script to report status of WSUS:

getWSUS.zip

usage: cscript /nologo getWSUS.vbs servers.txt

Example of input file: servers.txt

Example of output:

Scripts to query LDAP:

Script to enumarate groups where user, specified in input file, belongs to directly (nesting level = 0) and indirectly (nesting level > 0):

getMemberOf.zip

usage: cscript /nologo getMemberOf.vbs users.txt

Example of input file: users.txt

Example of output:

Feel free to use them.

 

DFS resources

December 20th, 2014

Here is my trial of grouping DFS resources available to study and I’m sure I missed a lot useful web sites.

Microsoft Official Courses (MOC):

6419B: Configuring, Managing and Maintaining Windows Server 2008-based Servers

Module 4: Configuring and Managing Distributed File System:
– Lesson 1: Distributed File System Overview
– Lesson 2: Configuring DFS Namespaces
– Lesson 3: Configuring DFS Replication
Categorized as Level 200 by Microsoft

6421B: Configuring and Troubleshooting a Windows Server 2008 Network Infrastructure

Module 11: Optimizing Data Access for Branch Offices
– DFS Overview
– Overview of DFS Namespaces
– Configuring DFS Replication
Categorized as Level 200 by Microsoft

20411D: Administering Windows Server 2012

Module 9: Optimizing File Services:
– Overview of DFS
– Configuring DFS Namespaces
– Configuring and Troubleshooting DFS Replication
Categorized as Level 200 by Microsoft

20413C: Designing and Implementing a Server Infrastructure

Module 10: Planning and Implementing File Services:
– Planning and Implementing DFS
Categorized as Level 300 by Microsoft

20414B: Implementing an Advanced Server Infrastructure

Module 7: Planning and Implementing High Availability for File Services and Applications:
– Planning and Implementing DFS
Categorized as Level 300 by Microsoft

Internet:

Perfect repository of all significant resources available in Internet:

DFS Replication: Survival Guide

My own development:

Script to check replication status on all servers found in AD as DFS replication partners:

getDFSRStatus.zip

usage: cscript /nologo getDFSRStatus.vbs

Script to check replication status on one server specified as parameter:

getDFSRStatusLite.zip

usage: cscript /nologo getDFSRStatusLite.vbs <myDFSRServer>

Above scripts generate csv report with status of connection state, target folder state, backlog, etc. Here is an example of output file getDFSRStatus_06-11-2014_13-59-06.csv:

 

DFS-R topology

May 4th, 2013

Topology of DFS-R can be easily visualized by using GraphViz tool.

Based on Active Directory Topology Visualization part 1 solution I’ve developed next script to have clear picture how DFS replication looks like. Design of solution is very the same: vbs script queries AD regarding to DFS replication groups, folders, servers and connections and formats result into dot language file. Then dot file is used as input for GraphViz package to generate picture of DFS-R topology.

Vbs script can be downloaded here without any limitation of using:

getDFSRTopology.zip

usage:

Result:

Generated dot file can look like this:

and based on it here is the picture (command: fdp *.dot -Tjpg -O):

fdp4

Rectangles represent replication groups with replication partners. Opposite to Active Directory Topology Visualization part 1 or Site links topology solutions, where nodes occur only once, here is needed one trick to have the same server in various groups. In line 88 in vbs script I pin to node names additional counter to have group specific servers, however their labels stay the same. It allows to see the same server name in various groups but nodes are definitely different from dot language viewpoint.