Hi folks, Ned here again. I'm trying to get back into the swing of having a mail sack every week but they can be pretty time consuming to write (hey, all this wit comes at a price!) so I am experimenting with making them a little shorter. This week we talk AD PowerShell secrets, USMT and Profile scalability, a little ADUC and DFSR, and some other random awesomeness.
Question
Can you explain how the AD PowerShell cmdlet Get-ADComputer gets IP information? (ex: Get-ADComputer -filter * -Properties IPv4Address). Properties are always AD attributes, but I can not find that IPv4Address attribute on any computer object and even after I removed the A records from DNS I still get back the right IP address for each computer.
Answer
That's an excellent question and you were on the right track. This is what AD PowerShell refers to as an "extendedAttribute" internally, but what a human might call a "calculated value". AD PowerShell special-cases a few useful object properties that don't exist in AD by using other LDAP attributes that do exist, and then uses that known data to query for the rest. In this case, the dnsHostName attribute is looked up normally, then a DNS request is sent with that entry to get the IP address.
Even if you removed the A record and restarted DNS, you could still be returning the DNS entry from your own cache. Make sure you flush DNS locally where you are running PowerShell or it will continue to "work".
To demonstrate, here I run this the first time:
Which queries DNS right after the powershell.exe contacts the DC for the other info (all that buried under SSL here, naturally):
Then I run the identical command again - note that there is no DNS request or response this time as I'm using cached info.
It still tells me the IP address. Now I delete the A record and restart the DNS service, then flush the DNS cache locally where I am running PowerShell, and run the same PowerShell command:
Voila! I have broken it. :)
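The lookup described above can be reproduced by hand. This is an added example, not code from the original post: it reads dNSHostName from AD, resolves it through the local resolver, and shows the result beside the calculated IPv4Address, which makes it obvious that the address in a report is a DNS answer and not directory data. The function name Resolve-IPv4FromDns and the Status labels are assumptions made for the illustration.

```powershell
# Added example: rebuild the IPv4Address "calculated value" manually.
Import-Module ActiveDirectory

# Flush the local resolver cache first, otherwise a deleted A record still "works".
ipconfig.exe /flushdns | Out-Null

function Resolve-IPv4FromDns {
    # Hypothetical helper: first IPv4 address the local resolver returns, or $null.
    param([string]$HostName)
    if ([string]::IsNullOrEmpty($HostName)) { return $null }
    try {
        [System.Net.Dns]::GetHostAddresses($HostName) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            Select-Object -First 1 |
            ForEach-Object { $_.ToString() }
    } catch {
        $null   # name did not resolve (no A record, or DNS unreachable)
    }
}

Get-ADComputer -Filter * -Properties dNSHostName, IPv4Address | ForEach-Object {
    $resolved = Resolve-IPv4FromDns $_.dNSHostName

    # Classify each computer by where the lookup chain stops.
    $status = if (-not $_.dNSHostName) { 'NoDnsHostName' }
              elseif (-not $resolved)  { 'NoARecord' }
              else                     { 'Resolved' }

    New-Object PSObject -Property @{
        Name        = $_.Name
        DnsHostName = $_.dNSHostName
        IPv4Address = $_.IPv4Address   # calculated by AD PowerShell
        ResolvedNow = $resolved        # calculated here, same inputs
        Status      = $status
    }
} | Select-Object Name, DnsHostName, IPv4Address, ResolvedNow, Status |
    Format-Table -AutoSize
```

Rows marked NoARecord are computer objects whose dNSHostName no longer resolves, which is a quick way to spot stale objects or missing DNS registrations.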
Question
Is there a limit on the number of profiles that USMT 4.0 can migrate? 3.01 used to have problems with many (20+) profiles, regardless of their size.
Answer
No limit - the issues that caused 3.0 to be so slow and periodically unreliable have been resolved in 4.0. If possible you should use hardlink migration, as that is as fast as H... well, it's really fast.
To prove it (and to show erstwhile USMT admins a quick and dirty way to create some stress test profiles):
1. I create 100 test users:
2. I log them all on and create/load their profiles, using PSEXEC.EXE:
3. I copy 5.5MB of data into each profile's "Documents" folder just to make it interesting (they are already 4+MB on their own, so let's call them ~10MB apiece):
4. I run the harshest, slowest possible migration I can, where USMT writes to a compressed store on a remote file share, with AES_256 encryption, from an x86 Windows 7 computer with only 768MB of RAM, while cranking all logging to the max:
This (amazingly, if you ever used USMT 3.01) takes only 15 minutes and completes without errors.
5. I restore them all to another similarly configured computer:
This takes about 30 minutes and there are no issues...
6. I bask in the turbulence of my magnificence.
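One way to script steps 1 through 5, as an added example rather than the commands the post itself used. It assumes an elevated prompt on disposable test machines, PsExec on the path, and USMT 4.0 unpacked to C:\USMT\x86; the user names, password, sample data folder, store share and key are all placeholders.

```powershell
# Added example: build stress-test profiles, then migrate them with USMT 4.0.
# Every name, path, password and key below is a placeholder for a test lab.
$count    = 100
$password = 'Placeholder-Pw-1!'          # throwaway test accounts only
$sample   = 'C:\StressData'              # assumed folder holding ~5.5 MB of files
$store    = '\\server\share\usmtstore'   # assumed remote file share for the store
$key      = 'placeholder-store-key'      # assumed key string for the AES_256 store
$usmt     = 'C:\USMT\x86'                # assumed USMT 4.0 location

# Steps 1-3: create each local user, log it on once so the profile is
# created and loaded, then copy sample data into its Documents folder.
1..$count | ForEach-Object {
    $user = "usmttest$_"
    net.exe user $user $password /add | Out-Null

    # PsExec loads the account's profile unless -e is given.
    psexec.exe -accepteula -u "$env:COMPUTERNAME\$user" -p $password cmd.exe /c exit

    Copy-Item -Path "$sample\*" -Destination "C:\Users\$user\Documents" -Recurse
}

# Step 4 (source computer): compressed store (the default) on the remote
# share, AES_256 encryption, maximum logging verbosity.
& "$usmt\scanstate.exe" $store `
    "/i:$usmt\migdocs.xml" "/i:$usmt\migapp.xml" `
    /o /c /v:13 "/l:C:\scanstate.log" `
    /encrypt:AES_256 "/key:$key"

# Step 5 (destination computer): decrypt and restore. /lac and /lae create
# and enable the local test accounts that do not exist there yet.
& "$usmt\loadstate.exe" $store `
    "/i:$usmt\migdocs.xml" "/i:$usmt\migapp.xml" `
    /c /v:13 "/l:C:\loadstate.log" `
    /decrypt:AES_256 "/key:$key" `
    "/lac:$password" /lae
```

Wrapping each USMT call in Measure-Command gives timings to compare against the 15 and 30 minute figures above.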
Question
Is it possible in DSA.MSC to have the Find: Users, Contacts, and Groups default to finding computers or include computers with the user, contacts, and groups? Is there a better way to search for computers?
Answer
The Find tool does not provide for user customization - even starting it over without closing DSA.MSC loses your last setting. ADUC is a cruddy old tool, DSAC.EXE is the (much more flexible) replacement and it will do what you want for remembering settings.
There are a few zillion other ways to find computers also. Not knowing what you are trying to do, I can't recommend one over the other; but there's DSQUERY.EXE, CSVDE.EXE, many excellent and free 3rd parties, etc.
Question
If I delete or disable the outbound connection from a writable DFSR replicated folder, I get warning that the "topology is not fully connected". Which is good.
But if that outbound connection is for a read-only replica, no errors. Is this right?
Answer
It's an oversight on our part. While technically nothing bad will happen in this case (as read-only servers - of course - do not replicate outbound), you should get this message in all cases (There are also 6020 and 6022 DFSR warning events you can use to track this condition). A read-only can be converted to a read-write, and you will definitely want an outbound connection for that.
We're looking into this; in the meantime, just don't do it anywhere. :)
Other Things
- Cubs-Red Sox this weekend. This is their first meeting since 1918, and there is a lot of interesting history between the teams. The least we can do is help the Sox to a three game winning streak... >_<
Just to make myself feel better: "Little roller up along first. Behind the bag! It gets through Buckner!"
- If you have parents, siblings, children away at college, nephews, cousins, grandparents, or friends, we have the newest weapon in the war on:
- Malware
- Your time monopolized as free tech support
Yes, it's the all new, all web Microsoft Safety Scanner. It even has a gigantic button, so you know it's gotta be good. Make those noobs mash it and tell you if there are any problems while you go make a sandwich.
- Finally: thank goodness my wife hasn't caught this craze yet. She has never met a shoe she didn't buy.
Have a nice weekend folks.
Ned "86 years between championships? That's nothing... try 103, you big babies!" Pyle