DSCT 1.3.X
This release of DSCT is somewhat experimental since it makes use of some pre-release technology from Microsoft. It can probably be considered polite to point out this fact before you actually download and install this release of DSCT.
I am more than interested to hear your feedback so feel free to leave a comment if you run into any issues or if it just works for you.
Active Directory auditing changes are logged on the domain controller where the modification was made. The only way to get the full picture of what happened to an object is to query every domain controller for relevant event log entries. Performing these queries in a sequential way is quite expensive and time consuming.
The new Active Directory auditing integration feature in DSCT makes use of Parallel Extensions (June CTP) for .NET to efficiently query multiple domain controllers in parallel. In techno babble lingo this means that the AD auditing part of DSCT will make use of however many cores you might have in your machine. Running DSCT on a dual core machine will result in 4 (2 per core) parallel queries to retrieve event log entries. The performance increase over a sequential approach is quite remarkable by itself. When you factor in the ease of making parts (where it makes sense) of DSCT multi-threaded with the help of Parallel Extensions it’s just mind blowing.
In closing I’d like to point out that the new auditing feature in DSCT is the only part that makes use of Parallel Extensions. All operations involving Active Directory (reading, comparing, restoring values) use vanilla .NET functionality.
With that out of the way let’s get down to the good stuff.
New features in 1.3.X
- Active Directory audit integration
Retrieve relevant AD audit event log entries for a specific object from all domain controllers in a domain. Filtering options allow you to find and inspect attribute specific event log entries. - Group membership restore
Display differences in group membership for a selected object (users, computers and groups). Allows for full or selective restore of group membership at any time.
Base features
- Display differences between objects in Active Directory and Active Directory Snapshots
- Restore attribute values from snapshots to Active Directory
- Reanimate deleted objects
Download
Requirements
- .NET 3.5 or higher
- MMC 3.0
- Data sources: Active Directory and a mounted Active Directory Snapshot on Windows Server 2008 or Windows Server 2008 R2
- Active Directory audit integration: domain controllers must be Windows Server 2008 (R2 supported). Active Directory auditing must be enabled. RODCs and domain controllers running on older operating systems will be ignored.
- DSCT does not have to be installed on a domain controller nor does it have to be installed on a domain joined machined. A functional DNS infrastructure is recommended.
Testing so far
- x86 and x64 versions installed and tested on Windows Server 2008 x64
- Active Directory and snapshots on Windows Server 2008 and Windows Server 2008 R2 tested as data sources
- Locally on a DC and on a separate (non domain joined) machine
- Restore attribute values has been tested on several attributes including ntSecurityDescriptor, multi-value attributes like member and more normal ones like givenName, sn, accountExpires, etc.
- Group membership restore has been tested on users, computers and groups
- Reanimation functionality has been tested on users, groups and organizationalUnits.
- Active Directory audit integration tested with 10 domain controllers and a total 1.2 million event log entries in the security event logs. 6 of these spread over several domain controllers were of interest. DSCT, running on a dual core machine, retrieved these in roughly 6 seconds.
Known issues in 1.3.X
- Due to a bug in the Windows Server 2008 snapshot feature recently created snapshots will appear to be more up to date than the Active Directory instance. DSCT has a workaround for this scenario. Read this post for further information. This issue does not affect Windows Server 2008 R2.
Fredrik,
Sounds like a great tool – actually it dont work here
The mmc error is
“Exception Type: System.InvalidOperationException
Exception Message: The calie fpr the property DirectorySynchronizationFlag cannot be set …”
Any suggestions?
Thank you very much,
Tom
Upps! Of course the error is: “The value for the property …”
Hi Tom,
thanks for giving DSCT a try. The 1.3.X release is somewhat experimental although I have not encountered the error you describe in my tests. From the error message you posted a first guess is that the user account you are using does not have the sufficient rights to perform DirSync queries. You can to grant the user Replicate Directory Changes rights in Active Directory. See this post for a how to on that: http://support.microsoft.com/kb/303972.
What type of user are you using when running DSCT? Normal user or a domain admin?
You can also try the previous release of DSCT which is version 1.2.1 and can be found on the bottom of http://lindstrom.nullsession.com/?page_id=11
Let me know how it turns out!
Hello Fredrik,
Thank you very much for your respone! I used the domain administror account, which should work, shouldn´t it?!
Maybe there is a problem, because we still have a “Windows Server 2003 forest fucntional level” (still have W2K3 DCs, too)? Is your tool only working in a pure W2K8 enviroment?
I will try the previous release as you suggest and tell you, how/if it works!
Running as domain admin is fine so we can probably exclude insufficient rights from the list.
I’ve done my tests with pure 2008 environments and mixed ones with both 2008 and 2008 R2. I have not tested against mixed 2003/2008 environments so you might be on to something there.
I will give this some thought and get back to you
Fredrik,
Just to explain a little bit more the “enviroment”, in which the problem occurs:
I start your tool (after mounting a snapshot on my DC) and fill out the “data source settings” with this data:
ds host: dc.domain.com
naming context: Default Naming Context
snapshot host: dc.domain.com
specify credentials: domain\admin
After I click on OK, the “USNBug” message appears, BUT (!) I only can see the message, NO options to choice from! As I saw a screenshot on the Daniel Petri webpage, I suppose that I have to click on the bottom of this window, which works, so I see the second USNBug window, where I can search a user and select this account for the write operation. If I click on Update, the third USNBug window appears, which shows me, that the “highestCommitedUSN successfully increases by 1″. After clicking OK, I get the mentioned MMC error …
Interesting, could you take a screenshot of that and email me? Are you running DSCT on the DC or on a client machine? If so, which OS?
Also, I sent you an email so check your inbox
[...] In this example I`ve used a great tool called Directory Service Comparison Tool made by Fredrik Lindström, you can see more info regarding the tool here. [...]
Hello Fredrik,
A great tool
just watch the video and just so easy to make it work.
regards,
Charles Haas
Thanks Charles, I’m glad you find it useful