Posts Tagged ‘AD’

How to remove lingering objects from complex environment

Saturday, December 27th, 2014

Based on “Clean that Active Directory forest of lingering objects” article on Glenn LeCheminant’s weblog here is an extract of my own development:

Overview:

Lingering objects are not desired entities in AD. If one or more domain controllers are disconnected from environment and back after some period of time (called: tombstone), deleted objects can be reintroduced by them. Clearing of AD is serious challenge and requires complex solution in complex environment.

Microsoft prepared simple tool to perform proper removal. However using it depends on design of the environment. Because connections between all sites are not always fully meshed, lacks in “seeing” domain controllers each other is mitigated by simple trick: one domain controller in particular domains is chosen as reference server for its own domain partition and is used by any other domain controller with global catalog function from other domains as reference source. The best is PDC because it should be accessible at least from any domain controller in its own domain and in theory from other domains. However it’s not really manadatory and any DC can be used. In rare cases of communication issue there is needed additional step described below.

Practice:

Below procedure can be used for effective removal of lingering objects in entire forest. It bases on preparing reference domain controller with clean, writable domain partition, and using it as an authoritative source for any other domain controller holding write (DC) or read-only (GC) version of this partition.

Solution is covered by using following command:

repadmin.exe /removelingeringobjects <targetDC> <sourceDCGUID> <partitionDN> | /advisory_mode

Note:

sourceDCGUID can be found in several ways:

repadmin /showreps <myDC>
nslookup -q=CNAME _msdcs.<my>.<domain>
dsquery * "CN=NTDS Settings,CN=<myDC>,CN=Servers,CN=,CN=Sites,CN=Configuration,DC=<my>,DC=<domain>" -scope base -attr objectGuid

This procedure requires to finish three steps in every domain in entire forest:

Step 1: Cleaning up domain partition on reference DC

Series of commands run against one choosen DC allow to clean up its partition in reference to all other DCs in this domain:

repadmin /removelingeringobjects DC1 DC2guid DC=my,DC=domain
repadmin /removelingeringobjects DC1 DC3guid DC=my,DC=domain
...
repadmin /removelingeringobjects DC1 DCnguid DC=my,DC=domain

In case of communication issue (because of firewall restriction, etc.) finish clearing process of chosen DC with the rest of DCs and begin again Step 1 with failured ones:

linger1

Step 2: Cleaning up writable version of domain partition on remaining DCs

Series of commands run against all other DCs of affected domain allow to clean up their partitions in reference to DC choosen in Step 1:

repadmin /removelingeringobjects DC2 DC1guid DC=my,DC=domain
repadmin /removelingeringobjects DC3 DC1guid DC=my,DC=domain
...
repadmin /removelingeringobjects DCn DC1guid DC=my,DC=domain

In case of communication issue repeat Step 2 with failured DCs:

linger2

 

Step 3: Cleaning up read-only version of domain partition on all GCs in entire forest

Series of commands run against all GCs located in different domains allow to clean up their read-only version of affected domain partitions in reference to any DCs from Step 1 or Step 2.

repadmin /removelingeringobjects AB1 DC1guid DC=my,DC=domain
repadmin /removelingeringobjects CD2 DC1guid DC=my,DC=domain
...
repadmin /removelingeringobjects XYn DC1guid DC=my,DC=domain

In case of communication issue replace DC1guid with any other one from Step 1 or 2. If all DC guids don’t allow to establish proper communication between GC under clearing process and any DC which is owner of affected domain partition, use the nearest last GC which walked through Step 3 without failure, to re-host this partition:

repadmin /unhost <myGC> DC=root,DC=local
repadmin /rehost <myGC> DC=root,DC=local <clean GC>

linger3

 

Events:

The following events are logged during clearing lingering objects:

Events logged on DC without lingering objects:

1388: SRC is off, lingering objects appeared

1988: SRC is on, lingering objects blocked

2042: Too long since source replication

Events logged on DC with lingering objects during:

repadmin /removelingeringobjects … /advisory_mode

1938: Starting detection summary

1946: For each lingering object detected

1942: Final detection summary

Events logged on DC with lingering objects during:

repadmin /removelingeringobjects …

1937: Starting removal summary

1945: For each lingering object detected and removed

1939: Final removal summary

Reference articles:

Fixing Replication Lingering Object Problems (Event IDs 1388, 1988, 2042)

http://technet.microsoft.com/en-us/library/cc738018%28v=ws.10%29.aspx

Event ID 1388 or 1988: A lingering object is detected

http://technet.microsoft.com/en-us/library/cc780362%28v=ws.10%29.aspx

Lingering objects may remain after you bring an out-of-date global catalog server back online

http://support.microsoft.com/kb/314282

Outdated Active Directory objects generate event ID 1988 in Windows Server 2003

http://support.microsoft.com/kb/870695

How to find and remove lingering objects in Active Directory

http://sandeshdubey.wordpress.com/2011/10/09/how-to-find-and-remove-lingering-objects-in-active-directory/

Clean that Active Directory forest of lingering objects

http://blogs.technet.com/b/glennl/archive/2007/07/26/clean-that-active-directory-forest-of-lingering-objects.aspx

Repadmin for Experts

http://technet.microsoft.com/en-us/library/cc811549%28v=ws.10%29.aspx

Enable strict replication consistency

http://technet.microsoft.com/en-us/library/cc784245%28v=ws.10%29.aspx

 

VBS scripts to query everything

Wednesday, December 24th, 2014

There are a few simple scripts developed by me to automate somehow regular reporting against set of servers. Result is usually presented in csv file to use it quickly in Excel or similar calculation software.

Scripts to query WMI:

Script to report installed roles and features:

getRoles.zip

usage: cscript /nologo getRoles.vbs servers.txt

Example of input file: servers.txt

1
2
3
DC1
DC2
FS1

Example of output file: getRoles_26-09-2014_12-30-14.csv

1
2
3
4
5
6
Server;Role ID;Role Name
DC1;256;Role Administration Tools
DC1;257;Active Directory Domain Services Tools
DC1;299;Active Directory Domain Controller Tools
DC2;6;File Services
DC2;9;Active Directory Lightweight Directory Services

Script to report info about installed services:

getServices.zip

usage: cscript /nologo getServices.vbs servers.txt

Example of input file: servers.txt

1
2
3
DC1
DC2
FS1

Example of output file: getServices_19-11-2013_07-30-15.csv

1
2
3
4
Server;Display Name;Start Mode;State;Status;Path Name;Account
FS1;Disk Defragmenter;Manual;Stopped;OK;C:\Windows\system32\svchost.exe -k defragsvc;localSystem 
FS1;DHCP Client;Auto;Running;OK;C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted;NT Authority\LocalService 
FS1;DNS Client;Auto;Running;OK;C:\Windows\system32\svchost.exe -k NetworkService;NT AUTHORITY\NetworkService

Script to report information about capacity of local disks:

getCapacity.zip

usage: cscript /nologo getCapacity.vbs servers.txt

Example of input file: servers.txt

1
2
3
DC1
DC2
FS1

Example of output file: getCapacity_01-10-2013_13-01-51.csv

1
2
3
4
Hostname;Drive;Size (GB);Used (GB);Free space (GB);Percent of free space
DC1;C:;59,95;27,03;32,92;54,91% 
DC2;E:;350,00;6,49;343,50;98,15% 
FS1;C:;29,30;28,09;1,21;4,11%

Script to report activation status:

getActivationStatus.zip

usage: cscript /nologo getActivationStatus.vbs servers.txt

Example of input file: servers.txt

1
2
3
DC1
DC2
FileServer1

Example of output file: getActivationStatus_17-06-2013_10-12-18.csv

1
2
3
4
Hostname;Activated;Product 
DC1;Activated;Windows Server(R), ServerEnterprise edition 
DC2;Activated;Windows Server(R), ServerEnterprise edition 
FS1;Activated;Windows Server(R), ServerStandard edition

Script to report about sharings:

getSharings.zip

usage: cscript /nologo getSharings.vbs servers.txt

Example of input file: servers.txt

1
2
3
DC1
DC2
FS1

Example of output:

1
2
3
4
5
6
7
Hostname;Share;Type;Path;Trustee;Permissions
FS1;print$;Disk Drive;C:\Windows\system32\spool\drivers;Everyone;READ
FS1;print$;Disk Drive;C:\Windows\system32\spool\drivers;Administrators;FULL CONTROL
FS1;Users;Disk Drive;C:\Users;Administrators;FULL CONTROL
FS1;Users;Disk Drive;C:\Users;Everyone;FULL CONTROL
FS1;Xerox Phaser 6110MFP;Printer Queue;Xerox Phaser 6110MFP,LocalsplOnly;Everyone;FULL CONTROL
FS1;Xerox Phaser 6110MFP;Printer Queue;Xerox Phaser 6110MFP,LocalsplOnly;ALL APPLICATION PACKAGES;FULL CONTROL

Scripts to query registry:

Script to report installed software:

getSoftware.zip

usage: cscript /nologo getSoftware.vbs servers.txt

Example of input file: servers.txt

1
2
3
DC1
DC2
FS1

Example of output file: getSoftware_12-06-2013_13-51-58.csv

1
2
3
4
Server;Name;Version;Publisher;Installation Date;Install Location
DC1;Adobe Flash Player 10 ActiveX;10.0.32.18;Adobe Systems Incorporated;;
DC1;FileZilla Client 3.2.4.1;3.2.4.1;;;C:\Program Files\FileZilla FTP Client
DC1;Windows Internet Explorer 7;20070813.185237;Microsoft Corporation;20090819;

Script to report status of WSUS:

getWSUS.zip

usage: cscript /nologo getWSUS.vbs servers.txt

Example of input file: servers.txt

1
2
3
DC1
DC2
FS1

Example of output:

1
2
3
4
Server;AUOptions;Description;Scheduled Install Date;Next Detection Time 
DC1;1;Never check for updates (not recommended);2013-03-02 00:00:00;2013-03-01 14:07:17 
DC2;2;Check for updates but let me choose wheter to download and install them;;2013-03-02 03:04:51
FS1;4;Install updates automatically (recommended);2013-03-02 02:00:00;2013-03-01 17:28:32

Scripts to query LDAP:

Script to enumarate groups where user, specified in input file, belongs to directly (nesting level = 0) and indirectly (nesting level > 0):

getMemberOf.zip

usage: cscript /nologo getMemberOf.vbs users.txt

Example of input file: users.txt

1
2
3
Administrator
myUser
myNextUser

Example of output:

1
2
3
4
User;Group;Nesting level
Administrator;Administrators;0
Administrator;Schema Admins;0
Administrator;Denied RODC Password Replication Group;1

Feel free to use them.

 

Site links topology

Saturday, May 4th, 2013

Based on solution developed for Active Directory Topology Visualization part 1 purpose I’ve made very similar script to have nice picture of defined site links in AD.

I think it’s quite good to know if gap in replication is not caused by lack of site link, etc.

Details:

Nothing special was developed by me. I simply query via vbs script this DN:

CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=my,DC=domain

and result is presented in dot language formatted file.

Vbs code can be downloaded here and feel free to use it:

getSiteLinks.zip

usage:

cscript /nologo getSiteLinks.vbs

Gallery:

Result of above vbs script can look like as follow:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
GRAPH siteLinks {
 
    node [fontname=helvetica, image="site.png", labelloc=b, color=white];
 
    Site1 -- HQ;
    Site2 -- Site3;
    Site2 -- HQ;
    Site3 -- HQ;
    Test -- HQ;
    Site2 -- HQ;
    Site4 -- HQ;
    Site5 -- Site6;
    Site5 -- HQ;
    Site6 -- HQ;
    Site6 -- HQ;
    Site7 -- Site3;
    Site7 -- HQ;
    Site3 -- HQ;
    Site8 -- Site4;
    Site8 -- Site9;
    Site8 -- HQ;
    Site4 -- Site9;
    Site4 -- HQ;
    Site9 -- HQ;
    Backup -- HQ;
    Site7 -- Site10;
    Site7 -- HQ;
    Site10 -- HQ;
    Test -- HQ;
 
}

and based on it GraphViz can generate:

dot diagram layout (command: dot *.dot -Tjpg -odot.jpg):

dot3

fdp diagram layout (command: fdp *.dot -Tjpg -ofdp.jpg):

fdp3

sfdp diagram layout (command: sfdp *.dot -Tjpg -osfdp.jpg):

sfdp3

Example of site node picture:

site

There is possible to use any other picture to present site in diagram than above one. The most important is to put picture file of site (site.png in this case) in the same location where dot file is stored before compilation.

 

Active Directory Topology Visualization part 1

Saturday, May 4th, 2013

Overview:

Except of Microsoft Active Directory Topology Diagrammer, which requires licensed MS Visio installed, there is no easy way to show how physical topology of Active Directory looks like. As the Chinese proverb goes, “A picture is worth a thousand words”, result of 17 repadmin /replsum <DC> commands even prepared in MS Excel will not tell as much as below screen:

circo

Details:

GraphViz is open-source tool based on dot language dedicated for drawing diagrams. It allows to present any graph or network in simple static form with information like direction of flow between nodes or node specific details. It is perfect tool to show how Active Directory Domain Controllers replicate each other and allows to find bottleneck or critical paths in AD physical topology.

Usage is very simple and requires GraphViz package installed locally and own developed script to prepare input for this tool based on dot language.

1. Below code is dot language script topology.dot used as input for GraphViz package to generate nice diagram:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
DIGRAPH replicationTopologyLite {
 
    fontname=helvetica;
    node [fontname=helvetica, image="server.png", labelloc=t,color=white];
 
    SUBGRAPH cluster_AS {
    label = "AS"
 
    ASDC015;
 
    }
 
    SUBGRAPH cluster_US {
    label = "US"
 
    USDC014;
 
    }
 
    SUBGRAPH cluster_EU {
    label = "EU"
 
    EUDC014;
 
    }
 
    EUDC014 -> ASDC015;
    EUDC014 -> USDC014;
    ASDC015 -> EUDC014;
    USDC014 -> EUDC014;
 
}

note:

– AD Sites: EU, US and AS are specified as SUBGRAPH cluster_XX and are presented as rectangles in final diagram

– AD DCs: EUDC014, USDC014 and ASDC015 are simply nodes in diagram

– example of server picture to put into the same folder where topology.dot is located:

server

2. Command to generate picture of dot diagram layout:

dot topology.dot -Tjpg -O

 and result:

dot

3. Examples of commands to generate all kind of diagram layouts:

dot *.dot -Tjpg -odot.jpg
fdp *.dot -Tjpg -ofdp.jpg
sfdp *.dot -Tjpg -osfdp.jpg
circo *.dot -Tjpg -ocirco.jpg
neato *.dot -Tjpg -oneato.jpg
osage *.dot -Tjpg -oosage.jpg
twopi *.dot -Tjpg -otwopi.jpg

Practice:

Dot file can be prepared manually or a bit smarter. Below vbs is my own developed and many time used script which queries AD regarding to sites, domain controllers and connection objects and generates dot launguage file used later in GraphViz package.

Vbs script is available to download here and feel free to use it:

getReplicationTopologyLite.zip

usage:

cscript /nologo getReplicationTopologyLite.vbs DC

Gallery:

Below diagrams are examples of AD replication topology:

dot2

fdp1However more complex environments (>100 DCs) require a few tricks to make pictures more readable. I usually add dotted style for connections for example:

1
2
3
4
5
6
DIGRAPH replicationTopology {
 
    fontname=helvetica;
    node [fontname=helvetica, image="server.png", labelloc=b,color=white];
    edge [style=dotted];    ...

or trying to generate all kind of diagram layouts to choose the most suitable to study. In most cases huge networks need specific approach.

A few useful links:

1. Official GraphViz web site: http://www.graphviz.org

2. Dot guide: http://www.graphviz.org/pdf/dotguide.pdf

3. Wikipedia about GraphViz: http://en.wikipedia.org/wiki/Graphviz

4. Active Directory Topology Visualization part 2

Let the “more readable replication topology” be with you.