Friday Mail Sack: Gargamel Edition
Hi folks, Ned here again. This week we talk about 10 reasons not to use list object access dsheuristics, USMT trivia nuggets, poor man’s DFSDIAG, how to get network captures without installing a network capture tool, and some other random goo. Oh yeah, and friggin’ Smurfs.
- The downsides to List Object Access dsheuristics
- USMT differential scanning
- DFSN diagnostic tools for Win2003
- USMT hotfix KB2023591 OS compatibility
- Getting network captures without Netmon or Wireshark, on Win7/R2
- Other stuff
We’re thinking about using List Object Access dsheuristics mode to control people seeing data in Active Directory. Are there any downsides to this?
There are a few – here are at least ten in no particular order (thanks to PFE Matt Reynolds for some of these, although he may never realize it):
- This can greatly increase the number of access check calls that are made, and can have a significant negative effect on performance.
- This will require a huge amount of work and ongoing maintenance. You will need to create and look after – forever - selective “views” for admins, help desks, service accounts, etc.
- This was designed more for hosted “multi-tenant solutions” that are very specialized.
- Microsoft applications are not generally tested with this setting.
- If you can find a third party vendor that tests this, I will have a heart attack and die from shock. If you can then find a vendor that is willing to change their code if you run into problems, I will then rise from the grave and eat my own pants.
- It’s very difficult to test how well apps are handling this, as it’s designed to “omit data”. That could have all sorts of weird effects on apps expecting to see certain built-in or “always available” objects.
- Active Directory is a… directory. It’s designed to share info. Specific sensitive attributes can always be marked confidential (the CF bit in the attribute’s searchFlags), which hides just that data from everyone who isn’t explicitly granted the control access right to read it, and that’s probably really what you want here.
- Doing this is one of the least useful security measures in a whole litany of things that you probably haven’t implemented – encrypting your LDAP traffic, using IPSEC everywhere, using two-factor smart cards for all user access, encrypting all drives, preventing physical removal of computers. Or making sure your web servers don’t allow ancient SQL injection attacks. Focus!
- This makes you unique. You don’t want to be unique.
- Just because you can do something does not mean you should do something. We provide an option to format your hard drive as well.
Strangely, two people asked about this in the past few weeks.
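Two checks that go with the answer above, as an added example rather than code from the original post: first, whether List Object mode is actually switched on in your forest (dsHeuristics is a positional string and character 3, fDoListObject, controls it); second, the alternative the answer recommends, flagging one attribute confidential instead. It assumes the ActiveDirectory module from RSAT; the second part assumes Schema Admin rights and is pointed at the schema master, the only DC that accepts schema writes. The attribute name at the bottom is a hypothetical placeholder.

```powershell
# Added example, not code from the original post. Checks whether List
# Object mode is switched on in this forest and shows the alternative the
# answer recommends: flagging an attribute confidential. Needs the
# ActiveDirectory module (RSAT); the second part needs Schema Admin rights
# and is run against the schema master, the only DC that accepts schema writes.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$dsPath  = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"

function Test-ListObjectMode {
    # dsHeuristics is a positional string; character 3 (fDoListObject) set to
    # "1" turns List Object mode on. Absent or shorter than 3 means off.
    $h = (Get-ADObject -Identity $dsPath -Properties dsHeuristics).dsHeuristics
    if ([string]::IsNullOrEmpty($h) -or $h.Length -lt 3) { return $false }
    return ($h[2] -eq '1')
}

function Set-AttributeConfidential {
    param([Parameter(Mandatory=$true)][string]$LdapDisplayName)
    $CF          = 0x80   # searchFlags bit: attribute is confidential
    $BASE_SCHEMA = 0x10   # systemFlags bit: base (category 1) schema object
    $schemaMaster = (Get-ADForest).SchemaMaster
    $attr = Get-ADObject -Server $schemaMaster -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties searchFlags, systemFlags
    if (-not $attr) { throw "Attribute '$LdapDisplayName' not found in the schema" }
    # AD refuses the confidential bit on base-schema attributes; check first
    # instead of finding out from a failed Set-ADObject.
    if ($attr.systemFlags -band $BASE_SCHEMA) {
        throw "'$LdapDisplayName' is a base-schema attribute and cannot be made confidential"
    }
    if ($attr.searchFlags -band $CF) {
        Write-Host "'$LdapDisplayName' is already confidential"
        return
    }
    $newFlags = $attr.searchFlags -bor $CF
    Set-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName -Replace @{ searchFlags = $newFlags }
    Write-Host "Marked '$LdapDisplayName' confidential (searchFlags = $newFlags)"
}

if (Test-ListObjectMode) {
    Write-Warning 'List Object mode (dsHeuristics character 3) is ON in this forest'
} else {
    Write-Host 'List Object mode is off'
}

# 'contoso-EmployeeSSN' is a hypothetical extended attribute; substitute your own.
# Set-AttributeConfidential -LdapDisplayName 'contoso-EmployeeSSN'
```

Once an attribute is confidential, plain Read Property permission is no longer enough to see it; the reader also needs the control access right on the object (or to be an admin with full control), so grant that deliberately to the accounts and service principals that really need the data and leave everything else in the directory visible.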
Can USMT perform “incremental” or “differential” scans into a store? We have a lot of data to capture and it may take awhile, especially when going to a remote store. We’d like to do it in phases if possible.
Sorry, no. USMT completely deletes the destination store contents when you start a scanstate (this is why you have to specify /o if the store already exists). If you perform a hardlink migration, though, you are not copying data at all and it will scan much faster than a classic store; that only applies to a PC-refresh scenario, where the store lives on the same volume as the data and the same machine gets the loadstate.
If you have to use a remote compressed classic store and you’re worried about reliability, run your scanstate to a local store location on the disk, then copy that store folder to a network location afterwards. Make sure you calculate space estimations to ensure you are not going to run out of disk, naturally.
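The local-store-then-copy approach above, with the space estimate done first, as an added example that is not code from the original post. It assumes USMT 4.0 is unpacked in the folder named in $usmt, that the share path is yours to change, and that the estimate file has the <PreMigration><storeSize><size> layout documented for USMT 4.0’s /p option.

```powershell
# Added example, not code from the original post: estimate the store size,
# refuse to run when the local disk cannot hold it, capture to a local
# compressed store, then copy that store to the network afterwards.
# All paths are placeholders; USMT 4.0 is assumed unpacked in $usmt.
$usmt        = 'C:\USMT\amd64'
$localStore  = 'C:\MigStore'
$remoteStore = "\\fileserver\migstores\$env:COMPUTERNAME"
$migXml      = "/i:$usmt\migapp.xml", "/i:$usmt\miguser.xml"

function Get-ScanStateEstimateBytes {
    param([string]$EstimateFile = (Join-Path $env:TEMP 'usmt-estimate.xml'))
    # scanstate /p:<file> writes a space estimate and creates no store.
    # <storeSize><size> (bytes) is the layout documented for USMT 4.0.
    & "$usmt\scanstate.exe" $localStore $migXml /o /c "/p:$EstimateFile" "/l:$env:TEMP\usmt-estimate.log" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "scanstate /p failed with exit code $LASTEXITCODE" }
    [xml]$x = Get-Content $EstimateFile
    $node = $x.SelectSingleNode('/PreMigration/storeSize/size')
    if (-not $node) { throw "No storeSize/size element in $EstimateFile" }
    return [int64]$node.InnerText
}

function Invoke-LocalThenCopy {
    $needed = Get-ScanStateEstimateBytes
    $drive  = $localStore.Substring(0, 2)   # e.g. "C:"
    $free   = (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'").FreeSpace
    # Leave headroom: the estimate covers the store, not USMT's temp files.
    if ($free -lt ($needed * 1.2)) {
        throw ('Need ~{0:N0} MB on {1}, only {2:N0} MB free' -f ($needed / 1MB), $drive, ($free / 1MB))
    }
    # /o wipes any existing store: there is no incremental scanstate.
    # (For a PC refresh on the same box, /hardlink /nocompress would skip the copy entirely.)
    & "$usmt\scanstate.exe" $localStore $migXml /o /c /v:5 "/l:$env:TEMP\scanstate.log"
    if ($LASTEXITCODE -ne 0) { throw "scanstate failed with exit code $LASTEXITCODE; see scanstate.log" }
    # Restartable copy; robocopy exit codes 0-7 mean success, 8 and up mean failures.
    & robocopy.exe $localStore $remoteStore /E /Z /R:3 /W:5 /NP "/LOG:$env:TEMP\storecopy.log"
    if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures ($LASTEXITCODE); local store kept at $localStore" }
    Write-Host "Store captured locally and copied to $remoteStore"
}

Invoke-LocalThenCopy
```

The local store is deliberately left in place when the copy fails, so a flaky WAN link costs you a retry of robocopy rather than a rerun of scanstate.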
I don’t have any Win2008 servers – so I cannot use DFSDIAG.EXE – but I’d like to report on their DFS Namespace health. Are there other tools?
File Services Management Pack for System Center Operations Manager 2007 http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=14307
That will monitor health of Win2003 DFSN very well indeed. You can also use DFSDIAG via RSAT on Vista and Win7 clients; why do I suspect that you’re looking for a more… frugal… option, though? ;-P
The old DFSUTIL.EXE tool will stand in for DFSDIAG in a pinch, but it requires you to both run more commands and interpret the results carefully. It’s not going to spend much time explaining what’s wrong, so much as show you what it thinks is configured and let you decide if that’s wrong or not. Some of the more useful commands:
dfsutil.exe /root:<dfs name> /view /verbose
dfsutil.exe /server:<root server> /view
dfsutil.exe /domain:<domain> /view
dfsutil.exe /sitename:<root server or dc or target or client>
dfsutil.exe /root:<dfs name> /sitecosting /display
dfsutil.exe /root:<dfs name> /insite /display
dfsutil.exe /root:<dfs name> /targetfailback /display
dfsutil.exe /root:<dfs name> /targetpriority /server:<target> /display
dfsutil.exe /root:<dfs name> /checkblob
No complaining, we released DFSDIAG two OSes ago and you’re on a dying one. Plus we wrote it for a reason!
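Since DFSUTIL only shows you what it thinks is configured, the useful thing to do with it is snapshot that output on a schedule and diff it against the last snapshot, so a changed target, referral setting or broken blob stands out. Here is that as an added example, not code from the original post; the root name, root server and output folder are placeholders, and it is written for the PowerShell 2.0 that shipped with Win7/R2 clients.

```powershell
# Added example, not code from the original post: run the dfsutil commands
# above for one namespace root, save each command's output to a timestamped
# folder, and diff it against the previous snapshot. Placeholders below.
$root    = '\\contoso.com\Public'
$server  = 'dfsroot01'
$outRoot = 'C:\DFSReports'
$stamp   = Get-Date -Format 'yyyyMMdd-HHmm'
$current = Join-Path $outRoot $stamp

# Each entry is an argument array so dfsutil sees separate parameters.
$checks = @{
    'root-view'      = @("/root:$root", '/view', '/verbose')
    'server-view'    = @("/server:$server", '/view')
    'sitecosting'    = @("/root:$root", '/sitecosting', '/display')
    'insite'         = @("/root:$root", '/insite', '/display')
    'targetfailback' = @("/root:$root", '/targetfailback', '/display')
    'checkblob'      = @("/root:$root", '/checkblob')
}

function Save-DfsSnapshot {
    New-Item -ItemType Directory -Path $current -Force | Out-Null
    foreach ($name in $checks.Keys) {
        $file = Join-Path $current "$name.txt"
        # 2>&1 keeps dfsutil's own error text in the file, which is itself a finding.
        & dfsutil.exe $checks[$name] 2>&1 | Out-File -FilePath $file -Encoding ASCII
    }
}

function Compare-DfsSnapshot {
    $previous = Get-ChildItem $outRoot |
        Where-Object { $_.PSIsContainer -and $_.Name -ne $stamp } |
        Sort-Object Name | Select-Object -Last 1
    if (-not $previous) { Write-Host 'No earlier snapshot to compare against'; return }
    foreach ($name in $checks.Keys) {
        $oldFile = Join-Path $previous.FullName "$name.txt"
        if (-not (Test-Path $oldFile)) { continue }
        $diff = Compare-Object (Get-Content $oldFile) (Get-Content (Join-Path $current "$name.txt"))
        if ($diff) {
            Write-Warning "$name output changed since $($previous.Name):"
            $diff | Format-Table InputObject, SideIndicator -AutoSize | Out-String | Write-Host
        }
    }
}

Save-DfsSnapshot
Compare-DfsSnapshot
```

Run it from a scheduled task with a domain account that can read the namespace, and keep the report folder on a share you already back up; "<=" lines in the diff are what disappeared since last time, "=>" lines are what is new.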
The USMT hotfix KB2023591 only lists downloads for Windows 7/Windows Server 2008 R2.
Is there a version for older operating systems?
USMT 4.0 only cares that you run it against a client OS SKU, and that it be XP or later. The download is a CAB file and doesn’t have any OS checking for installation, only scanstate and loadstate enforce the OS. If you dig into the nugget of that main KB at the bottom you will see only:
The reason it lists the OS on the download page is it has to say something, and USMT is built from the Windows 7/R2 source tree. So there you go.
Awesome Technique for Win7/2008 R2 Network Captures
Not a question, but a cool method that is too small to rate a full blog post: if you need to get a network capture on a Windows 7 or Windows Server 2008 R2 computer and you do not have or want Netmon installed, you can use NETSH.EXE. From an elevated CMD prompt run:
netsh trace start capture=yes tracefile=c:\yourcapture.etl
Do whatever you needed to do
netsh trace stop
Boom – network capture, written in ETL format.
Open that file in Netmon 3.4 and you get all the usual capture info, plus other conversation and process info. AND other cool stuff – open the CAB file it created alongside the ETL and you find a bunch of useful files with IP info, firewall event logs, applied group policies, driver versions, and more. All the goo I gather manually when I am getting a capture. Sweet! One caveat: the ETL holds full packet payloads and the CAB holds the host’s configuration, so treat both files as sensitive and don’t leave them lying on a share.
Thanks to Tim “Mighty” Quinn for demoing this here.
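The same procedure wrapped so the capture is bounded in size, filtered to the one peer you care about, and checked after it stops, as an added example and not code from the original post. It assumes an elevated PowerShell prompt on Win7/R2; the peer address and file paths are placeholders. The maxSize, filemode, overwrite and report parameters and the IPv4.Address capture filter are all standard netsh trace options (netsh trace show capturefilterhelp lists the filters).

```powershell
# Added example, not code from the original post: netsh trace start/stop
# with a size cap, a capture filter, and a check that the ETL and CAB exist.
# Run from an elevated prompt; paths and the peer address are placeholders.
function Start-NetshCapture {
    param(
        [Parameter(Mandatory=$true)][string]$TraceFile,
        [string]$PeerIPv4,          # only traffic to/from this host
        [int]$MaxSizeMB = 250       # circular buffer, so a long repro can't fill the disk
    )
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = (New-Object Security.Principal.WindowsPrincipal($id)).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { throw 'netsh trace needs an elevated prompt' }

    New-Item -ItemType Directory -Path (Split-Path $TraceFile) -Force | Out-Null
    $netshArgs = @('trace', 'start', 'capture=yes', "tracefile=$TraceFile",
                   "maxSize=$MaxSizeMB", 'filemode=circular', 'overwrite=yes', 'report=yes')
    if ($PeerIPv4) { $netshArgs += "IPv4.Address=$PeerIPv4" }   # capture filter
    & netsh.exe $netshArgs
    if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed ($LASTEXITCODE)" }
}

function Stop-NetshCapture {
    param([Parameter(Mandatory=$true)][string]$TraceFile)
    & netsh.exe trace stop   # takes a while: this is when the CAB report is built
    # netsh writes <name>.etl plus <name>.cab (ipconfig, firewall logs, GP
    # results, drivers...). Both contain sensitive data; handle accordingly.
    $cab = [IO.Path]::ChangeExtension($TraceFile, '.cab')
    foreach ($f in @($TraceFile, $cab)) {
        if (Test-Path $f) { Write-Host ('{0}  {1:N0} bytes' -f $f, (Get-Item $f).Length) }
        else { Write-Warning "$f not found; check the netsh output above" }
    }
}

$trace = 'C:\captures\dc01-ldap.etl'
Start-NetshCapture -TraceFile $trace -PeerIPv4 '10.1.2.3'
Read-Host 'Reproduce the problem, then press Enter to stop the trace'
Stop-NetshCapture -TraceFile $trace
```

Leave the filter off if you are not yet sure which peer is involved; the circular buffer still keeps the file from growing past the cap, and you can always narrow the view later in Netmon.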
A few years ago TechNet Magazine stopped printing paper copy and switched to a web-only format. I lost track of them after that, but this weekend, I started going through their online versions from 2010 and 2011. It turns out there’s good stuff I’d been missing. Here are a few cherry picked articles; feel free to point out some other favorites in the Comments:
Windows Confidential: Testing, Testing (Raymond Chen) http://technet.microsoft.com/en-us/magazine/gg675933.aspx
An interesting explanation of what Beta used to mean, and what it means now, from a Principal SDE who has been developing Windows since the Tithonian age. Heck, his blog is ready to collect Social Security.
Troubleshooting 201: Ask the Right Questions (Stephanie Krieger)
How to be an effective troubleshooter. Don’t stop reading just because the author is an Office expert; it’s applicable across all aspects of IT. A truly excellent article that should be required reading for new admins.
Toolbox (Greg Steen)
Unlike me, these folks can recommend useful third party utilities. It’s a monthly column and some of these are pretty slick.
Windows PowerShell: HTML Reports in PowerShell (Don Jones) http://technet.microsoft.com/en-us/magazine/hh127059.aspx
An easy technique to take harsh text output and turn it into fluffy HTML. Perfect for punching up reporting to show your manager with zero extra effort, leaving more time for you to work on real issues. Or, you know, see your children grow up. Cat’s in the cradle and the silvaaaaah spoooon…
Using Kerberos for SharePoint Authentication (Pav Cherny) http://technet.microsoft.com/en-us/magazine/ee914605.aspx
Yes please! If you have a friend that admins SharePoint, share this with them. In fact, bribe them to follow it. Whatever it takes. NTLM is the Devil and SharePoint feeds him jalapenos.
The Daily Mail was granted a “rare and remarkable” interview with Bill Gates last week. It’s a very interesting read.
Remember when I said yesterday that it sucks to use the Internet in Australia and Canada? Well it sucks in other places too… The article isn’t what I’d call “complete” (it misses 98% of the world and doesn’t include my gigantic US ISP, Time Warner, for example – TW doesn’t care if I download 5 TB or 5KB, as fast and as often as I like, as long as I pay on time; I use Sprint for my phone for the very same reason – flat rate unlimited data without metering rules). A nifty piece – I recommend the comments.
Have a nice weekend folks.
- Ned “those dudes totally smurfed their smurf up” Pyle