
SPN

The SPN option is used to search for Service Principal Names in the AD.  The format of the search string entered in the SPN field is service\host name, e.g. cifs/dc01. Wildcards can be used, e.g. mssqlsvc/* to get all the SQL SPNs in the domain.  Avoid using wildcards for the host name with service names that are included in the sPNMappings attribute, as this will cause the details of all the computer objects to be returned.

The option uses the sPNMappings settings to search for alternative service names against the host name.  These are the service names that are associated with the host service name in the sPNMappings attribute - alerter, appmgmt, cisvc, clipsrv, browser, dhcp, dnscache, replicator, eventlog, eventsystem, policyagent, oakley, dmserver, dns, mcsvc, fax, msiserver, ias, messenger, netlogon, netman, netdde, netddedsm, nmagent, plugplay, protectedstorage, rasman, rpclocator, rpc, rpcss, remoteaccess, rsvp, samss, scardsvr, scesrv, seclogon, scm, dcom, cifs, spooler, snmp, schedule, tapisrv, trksvr, trkwks, ups, time, wins, www, http, w3svc, iisadmin, msdtc.

The Requested SPN Only option limits the items displayed from the found SPNs to those matching the requested service name; if this option is deselected, all the SPN entries assigned to the account are displayed.
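The following is an added example, not NetTools code: it expands an SPN search using the sPNMappings aliases described above, flags the wildcard-host pitfall, and applies the Requested SPN Only display rule to a constructed result set. The sPNMappings value and the directory contents are constructed for the example (alias list shortened).

```python
# Added example, not NetTools code: expand an SPN search using the sPNMappings
# aliases, flag the wildcard-host pitfall, and apply "Requested SPN Only".
from fnmatch import fnmatchcase

# Constructed value in the format of the AD sPNMappings attribute (alias list shortened).
SPN_MAPPINGS = "host=alerter,appmgmt,cifs,dns,http,www,netlogon,spooler,time,wins"

def parse_spn_mappings(value):
    """Return {alias: canonical}, e.g. {'cifs': 'host', ...}."""
    canonical, aliases = value.split("=", 1)
    return {a.strip().lower(): canonical.strip().lower() for a in aliases.split(",")}

def service_names(requested, mappings):
    """The requested service name plus its sPNMappings alternative, if any."""
    service = requested.split("/", 1)[0].lower()
    return sorted({service, mappings.get(service, service)})

def build_spn_filter(requested, mappings):
    """LDAP filter that finds the requested SPN and its mapped alternative."""
    host = requested.split("/", 1)[1]
    terms = "".join(f"(servicePrincipalName={s}/{host})" for s in service_names(requested, mappings))
    return f"(|{terms})" if terms.count("(servicePrincipalName=") > 1 else terms

def is_wildcard_host_risky(requested, mappings):
    """True for e.g. cifs/*: the expanded host/* term matches every computer object."""
    service, host = requested.split("/", 1)
    return "*" in host and service.lower() in mappings

def filter_results(entries, requested, mappings, requested_only=True):
    """entries: {account: [spn, ...]}. Return {account: spns to display} for matching accounts."""
    host = requested.split("/", 1)[1].lower()
    patterns = [f"{s}/{host}" for s in service_names(requested, mappings)]
    shown = {}
    for account, spns in entries.items():
        matched = [s for s in spns if any(fnmatchcase(s.lower(), p) for p in patterns)]
        if matched:
            # Requested SPN Only shows just the matches; otherwise every SPN on the account.
            shown[account] = matched if requested_only else list(spns)
    return shown

# Constructed directory contents: servicePrincipalName values per account.
SAMPLE_ENTRIES = {
    "DC01$": ["HOST/dc01", "HOST/dc01.corp.example", "ldap/dc01.corp.example"],
    "sqlsvc": ["MSSQLSvc/sql01.corp.example:1433", "MSSQLSvc/sql01:1433"],
}
```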

LDAP Ping

This option uses low level packet injection to simulate the function of the DsGetDcName API, which allows options to be disabled that are not available through the API.  The primary reason for this option was to test CLDAP with the NeutralizeNT feature of NT\Windows hybrid mode.  Since NT4 has pretty much disappeared, there is no longer a requirement for this option.  However, it still works with Windows 2000+ AD servers.

To use the function, you have to specify both the server and domain name.

HowTo: Find what Schema updates have been performed

The AD schema can be extended by installing additional schema extensions, which add classes and\or attributes to the AD.  There is no built-in method to determine which schema extensions have been installed.  NetTools, however, does have an option to display the schema updates that have been added to the AD.

The Schema History option uses the WhenCreated attribute to determine when changes were made to the AD, and then uses its internal database to try to retrieve the name of the update based on which attributes or classes were added.

See Schema History List

HowTo: Find which DCs have the FSMO roles

You don't have to work with AD for very long before you need to find out which domain controller is hosting a certain FSMO role, e.g. for schema updates or troubleshooting password issues.  Luckily NetTools is able to display all the FSMO roles with just two clicks.

The Site DC List option in NetTools will display the FSMO roles for all the domain controllers in the forest.

Key for the Roles:

G - Global Catalog
D - Domain Master
I - Infrastructure Master
P - PDC Master
R - RID Master
S - Schema Master

DsGetDcName

The DsGetDcName API is one of the most important APIs in an Active Directory environment; it is responsible for finding domain controllers in the forest\domain.  The API is implemented in the netlogon service and is used by most AD APIs\functions when trying to find a domain controller, see this Microsoft blog for more information.

The API supports a number of options to define the features or functionality the returned domain controller should support. See the Microsoft article on the API for the definition of the options that are available here.

NetTools calls the DsGetDcName API directly and indirectly to find domain controllers and global catalogs in the domain.  The Server and Domain fields on the various options in NetTools map to the Server and Domain inputs of the DsGetDcName API.  If you receive an LDAP error 0x51 (connection failed) when connecting to a server, use this option to confirm that netlogon and DNS are working correctly, and then use DC Resolution to confirm that the server is up and functioning.

Overlapping Subnets

This function will scan all the IP address ranges defined in the forest and display any IP address ranges that overlap another IP address range. Back in the early days of AD overlapping subnets were considered bad, but now it's common practice to define a catch-all IP address range and assign it to the site that contains the default domain controllers, and then define more precise or smaller IP address ranges for sites to control which domain controllers are used for authentication.

When the test is run the output will display all the IP address ranges that overlap and the sites they are assigned to: if the overlaps are for different sites, a yellow indicator is shown; if the overlaps are for the same site, a green indicator is displayed.  The lights are not designed to represent good or bad configuration, but just to make it easier to spot where overlapping IP address ranges are assigned to different sites.
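An added example, not NetTools code, of the overlap check described above: it compares every pair of site subnets, colours an overlap yellow for different sites and green for the same site, and shows which site an address resolves to when a catch-all range coexists with smaller ranges. The subnet list is constructed for the example.

```python
# Added example, not NetTools code: detect overlapping AD site subnets and
# classify each overlap (different sites -> yellow, same site -> green).
import ipaddress
from itertools import combinations

# Constructed sample of (subnet, site) pairs, as read from the cn and siteObject
# attributes of the objects under CN=Subnets,CN=Sites,CN=Configuration,...
SUBNETS = [
    ("10.0.0.0/8", "Default-First-Site-Name"),   # catch-all range
    ("10.1.0.0/16", "London"),
    ("10.1.5.0/24", "London"),
    ("10.2.0.0/16", "Paris"),
    ("192.168.1.0/24", "Paris"),
]

def find_overlaps(subnets):
    """Return [(subnet_a, site_a, subnet_b, site_b, colour)] for every overlapping pair."""
    parsed = [(ipaddress.ip_network(cidr, strict=False), site) for cidr, site in subnets]
    results = []
    for (net_a, site_a), (net_b, site_b) in combinations(parsed, 2):
        if net_a.version != net_b.version or not net_a.overlaps(net_b):
            continue
        colour = "green" if site_a == site_b else "yellow"
        results.append((str(net_a), site_a, str(net_b), site_b, colour))
    return results

def most_specific_site(ip, subnets):
    """Site a client in ip is associated with: the longest-prefix subnet containing it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr.version != net.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, site)
    return best[1] if best else None

if __name__ == "__main__":
    for a, sa, b, sb, colour in find_overlaps(SUBNETS):
        print(f"{colour:6} {a} ({sa}) overlaps {b} ({sb})")
```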


Locked Accounts

This option will display all the locked accounts in the domain; additional details are also displayed for the accounts, including when the user's password was last changed, the lockout time and the last bad password time.

The details returned are the values of the attributes stored on the specified server; some attributes are not replicated between Domain Controllers, so these are the local values on the specified server and may not represent the most up to date value.  To retrieve the most up to date value from all the Domain Controllers you should use the Last Logon option, which is a linked option from the right click context menu that will automatically display the details for the selected item. See Last Logon

The Unlock button can be used to unlock the selected accounts; this can be a single account or multiple accounts.
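An added example, not NetTools code, of the point made above about per-DC values: it converts the AD timestamp attributes shown by Locked Accounts and keeps the newest value across domain controllers, as the Last Logon option does for attributes that are not replicated. The per-DC values are constructed for the example.

```python
# Added example, not NetTools code: convert AD timestamp attributes and pick the
# newest value across domain controllers for attributes that are not replicated.
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF

def filetime_to_datetime(value):
    """AD large-integer timestamp (100 ns ticks since 1601-01-01 UTC) to datetime; 0/never -> None."""
    value = int(value)
    if value <= 0 or value == NEVER:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)

# Constructed sample: one account as read from two DCs. badPasswordTime and
# lastLogon are not replicated, so each DC reports only what it has seen itself.
PER_DC = {
    "dc01": {"pwdLastSet": 133500000000000000, "lockoutTime": 133520000000000000,
             "badPasswordTime": 133520000000000000, "badPwdCount": 3},
    "dc02": {"pwdLastSet": 133500000000000000, "lockoutTime": 133520000000000000,
             "badPasswordTime": 133521000000000000, "badPwdCount": 5},
}

def merge_latest(per_dc, attrs=("pwdLastSet", "lockoutTime", "badPasswordTime")):
    """Per attribute, (datetime, dc) of the newest value across DCs, or None if never set."""
    merged = {}
    for attr in attrs:
        best = None
        for dc, values in per_dc.items():
            ts = filetime_to_datetime(values.get(attr, 0))
            if ts is not None and (best is None or ts > best[0]):
                best = (ts, dc)
        merged[attr] = best
    return merged

def is_locked(per_dc, lockout_duration_minutes, now_filetime):
    """Locked when lockoutTime is set and the lockout window (None = until unlocked) has not expired."""
    newest = merge_latest(per_dc, ("lockoutTime",))["lockoutTime"]
    if newest is None:
        return False
    if lockout_duration_minutes is None:
        return True
    expires = newest[0] + timedelta(minutes=lockout_duration_minutes)
    return filetime_to_datetime(now_filetime) < expires
```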

HowTo: Find the DN of an object

In Active Directory every object has a unique identifier, a DN or Distinguished Name, which is used by a number of different tools and services to reference the object, so being able to find the DN of an object is a basic task required when managing Active Directory.

In NetTools there are numerous options to find or display the DN of objects. Here are a few of them:

User Search - will return a number of common attributes for the items found, including the DN in the distinguishedName column.  The DN can be copied using the right click context menu.

ACL Browser - you are able to browse the directory and display the structure in the left hand pane; the right click context menu has an option to copy the DN of the selected object.

GPO Explorer - you are also able to browse the directory, and the Contents tab will show the objects in the selected OU or container.  There is a DN column in the table of the Contents tab which has the DN of the objects.

Output Tables - the table outputs for a number of options include the DN of the objects returned; the column is normally called DN, and this can be copied using the right click context menu.

AD Properties - is a context menu item available throughout NetTools.  The AD Properties dialog has a similar format to the properties dialog in the AD Users & Computers management console; there is a tab called Object which has the DN of the object.

AD Attributes - is another context menu item that is available; this dialog will display all the attributes on an object, and the distinguishedName attribute is also displayed.

Group Manager

Group Manager provides the ability to bulk update the membership of groups. Lists of users or groups can be used to update the membership of the selected group.  The group to be managed is specified as either its SamAccountName or DN; when the Refresh button is pressed the current membership of the group is displayed in the left hand pane.   The right hand pane is used to paste the list of users and groups that are to be added to or removed from the group. The list that is pasted into the right pane can contain SamAccountNames, UPNs, email addresses, DNs or SIDs, or any combination of these.

Once the list has been imported, clicking on the Report button will display which objects in the list are members of the group.

To add or remove objects from the group, tick the objects you wish to change, then click on the Add or Remove button.  There are right click context menus that help with selecting and deselecting objects.

In the above screenshot the list of 5 users has been added to the group.  This shows that an error was returned by AD for the first users as they were already members of the group, and the remaining three users were added successfully to the group.  Once the Add is complete the left hand pane is updated to the current list of members.

The Include Cross Forest Lookup option allows the details of objects in different domains in the same forest to be displayed.  This option is not selected by default, to improve performance in a multi-domain environment.
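An added example, not NetTools code, of resolving a pasted list of the mixed identifier types Group Manager accepts (SamAccountName, UPN, email, DN or SID): each line is classified and turned into an LDAP filter, with filter metacharacters escaped so pasted text cannot change the query. The rule that a line starting with CN=, OU= or DC= is a DN, and the sample identifiers, are assumptions of the example.

```python
# Added example, not NetTools code: classify each pasted identifier and build the
# LDAP filter that resolves it. A value with '@' may be a UPN or an email
# address, so both attributes are searched.
import re

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$", re.IGNORECASE)
DN_RE = re.compile(r"^(?:CN|OU|DC)=", re.IGNORECASE)   # assumption: SamAccountNames never start this way

def escape_filter_value(value):
    """Escape LDAP filter metacharacters (RFC 4515) so pasted text cannot alter the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)

def classify(identifier):
    """One of 'sid', 'dn', 'upn_or_mail', 'sam'."""
    ident = identifier.strip()
    if SID_RE.match(ident):
        return "sid"
    if DN_RE.match(ident):
        return "dn"
    if "@" in ident:
        return "upn_or_mail"
    return "sam"

def filter_for(identifier):
    """Single-object LDAP filter for one pasted identifier."""
    kind = classify(identifier)
    v = escape_filter_value(identifier.strip())
    if kind == "sid":
        return f"(objectSid={v})"   # AD accepts the S-1-... string form in a filter
    if kind == "dn":
        return f"(distinguishedName={v})"
    if kind == "upn_or_mail":
        return f"(|(userPrincipalName={v})(mail={v}))"
    return f"(sAMAccountName={v})"

def batch_filter(pasted_text):
    """One filter resolving every non-blank, de-duplicated line; None if the list is empty."""
    seen, terms = set(), []
    for line in pasted_text.splitlines():
        ident = line.strip()
        if not ident or ident.lower() in seen:
            continue
        seen.add(ident.lower())
        terms.append(filter_for(ident))
    if not terms:
        return None
    return f"(&(|(objectClass=user)(objectClass=group))(|{''.join(terms)}))"
```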

SID History Bulk

The SID History (Bulk) option is used to add SID History to objects, which is used to support domain migrations.  This function is based on the DsAddSidHistory API; this API has a list of requirements that must be in place before it can update the SID History attribute on the target objects. Details of the requirements can be found here.  The function has to successfully complete a validation of the details before the file import and run options are enabled.

Definitions
Source Domain: this is the domain that has the source objects
Target Domain: this is the domain where the SID from the source object, will be added to the SID History attribute of the target object.

NetTools needs to be run on a domain controller in the target domain.  Enter the validation details and then click the Validate button.


This is the output of the validation test for a successful validation; if there are any issues, the details will be displayed.  The validation test doesn't check the audit requirements, but they will be reported as an error when you try to execute the change.  Check the Microsoft article above for details of the audit requirements.

Validating Source Domain Information
Uplevel Domain
Source Domain: TARGET
Source DC: dc03.target.net
Source domain local group exists
Source Domain Validation Complete
Validating Target Domain Information
Uplevel Domain
Target Domain: NETTOOLS
Target DC: dc01.nettools.net
Target Domain Validation Complete
Validating Target Domain SPN Bind
Bound to target DC
Validation complete

Once the validation is complete the Import File and Execute buttons are enabled.  The input file is a semicolon-separated list of source and target object names; the object names need to be the SamAccountName.  Once the file has been imported the source and target object pairs are displayed in the import pane.  When the Execute button is pressed, the results of the changes are displayed in the Status column.

Side Note:  I have completed numerous domain migrations, with and without SID history, and while SID history does make the initial phase of the migration simpler, it does mean you move the remediation of permissions and the removal of SID History to the end of the migration\project. Usually this means that there is limited time or appetite to complete this work, and as a result SID History never gets removed.  This does have the side effect of increasing the size of the user's access token, and while the introduction of Windows 2012, with its larger access token buffers, can reduce this impact, it can still cause intermittent authentication issues, especially with IIS.  My advice is not to use SID History and to complete the remediation of the permissions before migrating the users, as this will ensure that you can identify and resolve issues earlier in the project timeline, which then removes the possibility of SID History issues waiting to bite you in the future.