Nah, I think you missed what I was saying. When I said AD is a big bucket of nails, I was trying to say, it is an LDAP directory, it's in the owner's manual. Being an LDAP directory, the natural way of retrieving info out of it is with LDAP. You simply need to work out the format of the data, which is the same you do for any attribute, say pwdLastSet or whatever.

In terms of efficiency, if this is something that has to be done multiple times (almost always the case, very often you don't do something once unless it is a bulk update) then scripting the solution (especially in a way that doesn't require configuration changes that will be changed back each time) is going to end up being by far the more efficient and safe way.

I don't consider small perl scripts to be big guns of programming. I have some big gun perl scripts but they run thousands of lines just in logic, whereas most of this script was comment and formatting lines and it was only maybe 130 lines. Probably 50 lines without formatting/commenting and could have been even tighter had I specified where to start directly or not allowed it to be done on a domain by domain basis. Totally a difference of opinion in definition there, but I do A LOT of scripting as trying to use native tools is almost always too inflexible or slow for us. We write scripts and slowly tweak them as we need different things. The more scripting you do, the faster you get at it and the more powerful a tool it becomes for you.

As a rule I like to keep things within a single script, as that way it is easier to fully automate or make into a web page. Having multiple manual processes to accomplish something is usually difficult to get automated. The exception is when I am modifying things; at that point I tend to like to do the lookups and decision making in one script and the updates in another, as I like to slow myself down. As I get more comfortable with the changes and have done it lots of times manually then I will combine the scripts.

It's all fun.
-------------
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, March 30, 2004 9:30 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute?
lol. Cut once, pound to fit?

LDAP is a directory, as is DNS, both of which are optimized for fast reads. One is just specialized for one task that the other isn't. When either can work, I suppose it's often left to preference, but I hate to get out the big guns of programming when something is already done that can do the job with less effort. Seems inefficient to me.

Either way, the solution was found and you helped him out in a way he was happy with.
Al
From: joe [mailto:[EMAIL PROTECTED]
Sent: Monday, March 29, 2004 7:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute?
Active Directory is a big bucket of nails....

Using LDAP doesn't require making configuration changes that should go through a change control process and could be messed up by mistake. Also doesn't require Admin rights.
-------------
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, March 29, 2004 12:11 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute?
Not that I don't like LDAP, Joe, but when all of my solutions are a hammer, my problems begin to look like nails ;)

I think this is a problem with an easier solution than reading via LDAP. That's way overkill for what he's looking to do. He could just as easily change perms and allow himself to transfer the zone to his own workstation and pipe it to a text file. Lot simpler. He could also use a batch file and the dnscmd utility and be done already.
Al
From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, March 26, 2004 5:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute?
Interesting problem.

What specifically do you need out of the octet string, just the host name?

Anyone have a map of what exactly is in the octet string, or what data should be in it even if you don't know the format? I would assume probably serial number and some other info? It isn't in MSDN that I see.
dn:DC=0,DC=20.10.169.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=joehome,DC=com
>dnsRecord: 0B00 0C00 05F0 0000 0200 0000 0000 0E10 0000 0000 0000 0000 0901 0762 6F62 7465 7374 00
>dnsRecord: 0B00 0C00 05F0 0000 0200 0000 0000 0E10 0000 0000 0000 0000 0901 0762 6F62 7465 7374 00
dn:DC=1,DC=20.10.169.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=joehome,DC=com
>dnsRecord: 0C00 0C00 05F0 0000 0300 0000 0000 0E10 0000 0000 0000 0000 0A01 0862 6F62 7465 7374 3200
>dnsRecord: 0C00 0C00 05F0 0000 0300 0000 0000 0E10 0000 0000 0000 0000 0A01 0862 6F62 7465 7374 3200
From this it appears that the hostname starts at about the 13th dword. So above would be 0A01 0862 6F62 7465 7374 3200 and 0A01 0862 6F62 7465 7374 3200 for the names, which would resolve into bobtest and bobtest2. This could be done fairly painlessly with perl I think...

As for Al's question about why enumerate via LDAP? Because it's there baby, that is the beauty of using LDAP. If you aren't going to do LDAP queries, might as well be using a SQL Server or flat file or something.

Let me see what I can do with this. I just put the Disturbed CD in, feeling like doing some hacking.

BTW, if you didn't go to the Directory Experts Conference, you missed a good time. NetPro did a good job and there was a lot of good discussions. Plus some of the stuff Stuart was talking about was pretty darn cool.
-------------
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)
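The dnsRecord values quoted above decode as a fixed 24-byte header (data length, record type 0x000C = PTR, version, rank, flags, serial, a big-endian TTL, reserved, timestamp) followed by the record data, which for a PTR is a length byte, a label count, then length-prefixed labels ending in a NUL. The parser below is an added example, not code from the thread or from joeware; it walks the two quoted entries (plus a constructed DC=2 entry that repeats bobtest) and reports PTR names that appear under more than one reverse-zone object, which is the duplicate-registration check Yves asked about.

```python
import struct
from collections import defaultdict

DNS_TYPE_PTR = 0x000C
ZONE = "DC=20.10.169.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=joehome,DC=com"

# Constructed sample: the two LDIF entries quoted in the mail, plus a made-up
# DC=2 object that re-registers bobtest so the duplicate check has something to find.
SAMPLE_ENTRIES = {
    "DC=0," + ZONE: [
        "0B00 0C00 05F0 0000 0200 0000 0000 0E10 0000 0000 0000 0000 0901 0762 6F62 7465 7374 00",
        "0B00 0C00 05F0 0000 0200 0000 0000 0E10 0000 0000 0000 0000 0901 0762 6F62 7465 7374 00",
    ],
    "DC=1," + ZONE: [
        "0C00 0C00 05F0 0000 0300 0000 0000 0E10 0000 0000 0000 0000 0A01 0862 6F62 7465 7374 3200",
    ],
    "DC=2," + ZONE: [  # constructed duplicate of the DC=0 record
        "0B00 0C00 05F0 0000 0400 0000 0000 0E10 0000 0000 0000 0000 0901 0762 6F62 7465 7374 00",
    ],
}

def decode_count_name(data: bytes) -> str:
    """Decode the PTR data: skip Length and LabelCount, then read length-prefixed labels to the NUL."""
    labels, pos = [], 2
    while pos < len(data) and data[pos] != 0:
        n = data[pos]
        labels.append(data[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)

def parse_dns_record(raw: bytes) -> dict:
    """Decode the 24-byte DNS_RECORD header; for PTR records also decode the target name."""
    if len(raw) < 24:
        raise ValueError("dnsRecord shorter than the 24-byte header")
    data_len, rtype, version, rank, flags, serial = struct.unpack_from("<HHBBHI", raw, 0)
    ttl = struct.unpack_from(">I", raw, 12)[0]        # TTL is stored big-endian (0x00000E10 = 3600 s)
    timestamp = struct.unpack_from("<I", raw, 20)[0]  # aging timestamp; 0 means a static record
    rec = {"type": rtype, "version": version, "rank": rank, "flags": flags,
           "serial": serial, "ttl": ttl, "timestamp": timestamp}
    if rtype == DNS_TYPE_PTR:
        rec["name"] = decode_count_name(raw[24:24 + data_len])
    return rec

def find_duplicate_ptrs(entries: dict) -> dict:
    """Return {ptr_name: [dn, ...]} for names registered under more than one reverse-zone object."""
    seen = defaultdict(set)
    for dn, hexvals in entries.items():
        for hexval in hexvals:
            rec = parse_dns_record(bytes.fromhex(hexval.replace(" ", "")))
            if rec["type"] == DNS_TYPE_PTR:
                seen[rec["name"]].add(dn)
    return {name: sorted(dns) for name, dns in seen.items() if len(dns) > 1}
```

Feeding it a real export means pulling dnsRecord per object over LDAP and hex-encoding each value the same way; the header layout is the one documented for the DNS_RECORD structure, and only the PTR data format is decoded here.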
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, March 26, 2004 3:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute?
David,

I am sure it will work but my DNS has over 45000+ objects and it is running on a production network. It scares me a little to do that.

Y
From: Chianese, David P.
Sent: Fri 26/03/2004 2:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute?
As Al mentioned, why not convert the zone to Std. Primary and take a copy of the zone files that are written to disk. Then revert it back to ADI. I have done this before without incident to supply our BIND unix servers copies (or pieces) of our zone files. I have done this in the past for stale PTR records as well.

Regards,
Dave
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of AD
Sent: Friday, March 26, 2004 2:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute?

I am looking for duplicate registrations in the reverse lookup zone. I am hoping to export everything to a txt file (40000+ objects) so I can parse using Excel. I actually found the article you mention, but then I have to install the WMI provider on the DC. I am hoping to avoid this if I can. That's why I am hoping to use LDAP with some sort of OctetString converter.

Y
From: Mulnick, Al
Sent: Fri 26/03/2004 1:04 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute?

You mean like a zone transfer?

DNS.CMD could be useful, scripting could be useful such as this one http://www.microsoft.com/technet/community/scriptcenter/network/scnet163.mspx (note the requirements). DNSLINT might have some value for you as well. Heck, Nslookup in a loop might be useful but you'd have to know what you're going after.

Saying all of that, you could transfer the zone to a non-integrated instance and parse the zone file if you really wanted to.

I'd opt for the script, but that's me.

Al
From: AD [mailto:[EMAIL PROTECTED]
Sent: Friday, March 26, 2004 1:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute?

Hi Al,

Can you elaborate how I can export the entire zone via DNS.

Thanks
Yves
From: Mulnick, Al
Sent: Fri 26/03/2004 11:57 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute?

Why do you want to enumerate via LDAP? Why not via DNS?
From: AD [mailto:[EMAIL PROTECTED]
Sent: Friday, March 26, 2004 11:39 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Anyone ever convert dnsRecord attribute?

Help,

We have a DNS integrated zone and I have a need to enumerate all reverse lookup records. Unfortunately the computer name is saved in an octetstring format attribute called dnsRecord. Look up a record in the DC=xx.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=DomainName container and you will see what I am talking about. Has anyone ever written a function to convert this octetstring to something that is readable?

Thanks
Yves St-Cyr