Monday, June 9, 2008

Determining AD attribute replication

This post describes a command-line method of checking the schema to see whether an attribute is replicated in Active Directory, useful for determining whether any DC is authoritative for a particular attribute, or if you'll get different results for each DC.

This queries the attribute's definition in the schema partition (cn=schema,cn=configuration under the forest root domain) to read its System-Flags attribute and check whether the first bit is set. The first bit (value 1) of systemFlags is set if the attribute is NOT replicated.

For example:
  • dsquery * cn=pwd-last-set,cn=schema,cn=configuration,DC=forestRootDomain
  • dsquery * cn=pwd-last-set,cn=schema,cn=configuration,DC=forestRootDomain -filter "(!(systemFlags:1.2.840.113556.1.4.803:=1))"
  • dsquery * cn=last-logon,cn=schema,cn=configuration,DC=forestRootDomain -filter "(!(systemFlags:1.2.840.113556.1.4.803:=1))"
  • dsquery * cn=last-logon-timestamp,cn=schema,cn=configuration,DC=forestRootDomain -filter "(!(systemFlags:1.2.840.113556.1.4.803:=1))"

Explanation:

  1. The first query returns the attributes of the schema entry for the password-last-set attribute. Note that systemFlags is 16.
  2. The second query uses the bitwise AND matching rule (1.2.840.113556.1.4.803) to test systemFlags against 1, and the surrounding '!' negates the result. This returns a valid match because the pwd-last-set systemFlags value is 16 (10 in hex), so the first bit is not set, meaning the attribute is replicated.
  3. The third query returns nothing because the last-logon attribute is not replicated: its systemFlags value is 17, so the first bit is set and the '!' negates that match.
  4. The fourth query, run against a 2003 DC, checks last-logon-timestamp, a property new to 2003 that is replicated and so allows easy tracking of when a user logged on, regardless of which DC authenticated them.

To show all replicated attributes in the AD Schema (to list the attributes that aren't replicated instead, drop the '!' and its enclosing parentheses):

dsquery * cn=schema,cn=configuration,DC=forestRootDomain -filter "(&(objectClass=attributeSchema)(objectCategory=attributeSchema)(!(systemFlags:1.2.840.113556.1.4.803:=1)))" -limit 0
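The bit test behind the single-attribute queries above and the schema-wide query, worked through as an added example (not code from the original post): it models the bitwise AND matching rule the filters use, applies it to a constructed set of schema entries, and names the flag bits so that 16 and 17 are readable. The sample systemFlags values are constructed (the pwd-last-set and last-logon values are the ones quoted in the post; the last-logon-timestamp value is assumed), and the flag names are the documented systemFlags bits for attributeSchema objects.

```python
# LDAP_MATCHING_RULE_BIT_AND, the extensible-match rule the dsquery filters use.
BIT_AND_RULE_OID = "1.2.840.113556.1.4.803"

# Documented systemFlags bits on attributeSchema objects (bit 1 is the one the post tests).
SYSTEM_FLAGS = {
    0x01: "FLAG_ATTR_NOT_REPLICATED",   # set => attribute is NOT replicated between DCs
    0x02: "FLAG_ATTR_REQ_PARTIAL_SET",
    0x04: "FLAG_ATTR_IS_CONSTRUCTED",
    0x08: "FLAG_ATTR_IS_OPERATIONAL",
    0x10: "FLAG_SCHEMA_BASE_OBJECT",    # the 16 seen on pwd-last-set and last-logon
    0x20: "FLAG_ATTR_IS_RDN",
}
FLAG_ATTR_NOT_REPLICATED = 0x01

# Constructed sample of schema entries (cn -> systemFlags). The first two values are the
# ones quoted in the post; the last-logon-timestamp value is assumed for illustration.
SAMPLE_SCHEMA = {
    "pwd-last-set": 16,
    "last-logon": 17,
    "last-logon-timestamp": 16,
}

def bit_and_matches(value: int, mask: int) -> bool:
    """Semantics of rule 1.2.840.113556.1.4.803: match only if EVERY bit in mask is set."""
    return (value & mask) == mask

def evaluate_filter(system_flags: int, mask: int, negate: bool) -> bool:
    """Evaluate '(systemFlags:<BIT_AND_RULE_OID>:=mask)', wrapped in '(!...)' when negate is set."""
    hit = bit_and_matches(system_flags, mask)
    return not hit if negate else hit

def is_replicated(system_flags: int) -> bool:
    """Equivalent of the post's negated single-attribute query: True when bit 1 is clear."""
    return evaluate_filter(system_flags, FLAG_ATTR_NOT_REPLICATED, negate=True)

def query_schema(schema: dict, negate: bool = True) -> list:
    """Schema-wide form: negate=True lists replicated attributes, negate=False the rest."""
    return sorted(cn for cn, flags in schema.items()
                  if evaluate_filter(flags, FLAG_ATTR_NOT_REPLICATED, negate))

def decode_system_flags(system_flags: int) -> list:
    """Name each set bit, so 17 reads as NOT_REPLICATED + SCHEMA_BASE_OBJECT."""
    return [name for bit, name in sorted(SYSTEM_FLAGS.items()) if system_flags & bit]

if __name__ == "__main__":
    for cn, flags in SAMPLE_SCHEMA.items():
        print(f"{cn:22} systemFlags={flags:<3} (0x{flags:02X}) "
              f"replicated={is_replicated(flags)} {decode_system_flags(flags)}")
    print("replicated:    ", query_schema(SAMPLE_SCHEMA))
    print("not replicated:", query_schema(SAMPLE_SCHEMA, negate=False))
```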


References

System-Flags attribute:
http://msdn2.microsoft.com/en-us/library/ms680022.aspx

User Security Attributes:
http://msdn2.microsoft.com/en-gb/library/ms677943.aspx

Pwd-last-set attribute:
http://msdn2.microsoft.com/en-us/library/ms679430.aspx

How to query Active Directory by using a bitwise filter:
http://support.microsoft.com/kb/269181



Wayne's World of IT (WWoIT), Copyright 2008 Wayne Martin.
