Enumerating Indirect Group Memberships

A colleague asked me yesterday if I knew how to get a list of all direct AND indirect group memberships that a user had. He wanted to use this to estimate the Kerberos token size for users with large numbers of group memberships as this can cause access problems if it exceeds set limits.

I vaguely remembered that I had something like this in a script I wrote to enumerate the members of a group both directly and indirectly. It uses the functionality of the Remote Server Administration Tools. There's also a hotfix to correct the output. I dug out the script and revised it to provide what he required.

In its simplest form, the command to run is:

dsget user <fulldn> -memberof -expand

For example:

dsget user "CN=testuser,OU=Staff,DC=company,DC=com" -memberof -expand

This will provide a list of group memberships in fulldn format. To simplify it to SAM group names you can pipe the output to another dsget command for the groups:

dsget user <fulldn> -memberof -expand | dsget group -samid

You can also simplify the input if you pipe in the dsquery command for the user:

dsquery user -samid <samid> | dsget user -memberof -expand | dsget group -samid

For example:

dsquery user -samid testuser | dsget user -memberof -expand | dsget group -samid 

Edit: You can use the same technique to list the members of a group:
dsquery group -samid <Groupname> | dsget group -members | dsget user -samid -fn -ln

Also, be wary of pasting one of these command strings in Outlook, as it has the tendency to automatically change hyphens to the longer "dash", which is an invalid character if you copy it out of Outlook and paste it to the command prompt.

DNS Suffix Search Order via DHCP

I was recently working on a new parallel domain with one of the members of my team and the issue of DNS Suffix Search Order came up. The search order had to be set to include the parallel domain, the primary domain and a number of other things.

I was adamant that the search order could be set by DHCP as well as by GPO, but I couldn't specifically remember the details. My engineer pointed me to this Microsoft Knowledge Base article that states:

The following methods of distribution are not available for pushing the domain suffix search list to DNS clients:

• Dynamic Host Configuration Protocol (DHCP). You cannot configure DHCP to send out a domain suffix search list. This is currently not supported by the Microsoft DHCP server.

Fortunately, an engineer from another department came to the rescue with DHCP Option 135. This can be added in Windows Server 2008 as follows (I believe this originated in a TechNet post):

1. On the 2008 Server running DHCP, open the DHCP MMC.
2. Expand DHCP and choose the DHCP server name.
3. Right click on IPv4
4. Choose "Set Predefined Options"
5. Click on Add.
6. Name: "Domain suffix search order"
Data Type: String
Code: "135" (without the quotation marks)
Description: "List of domain suffixes in order" (without the quotation marks)
String: enter your search suffixes separated by comma with no spaces
sample1.com.au,sample2.net,sample3.org

7. Click onto the OK to save changes .
8. Exit the DHCP MMC and restart the DHCP Server Service.
9. Open the DHCP MMC again and now scope option 135 is a listed option.

Reverse DNS

I recently had a guy ask me how he could fix a corrupt reverse DNS.

Simple enough, I thought and proceeded to instruct him how to change the AD Integrated DNS zone to a "Standard Primary" DNS zone, then take the DNS file, import it into Excel and manipulate the data however he wanted. He could then just put the file back and reload the DNS zone and that's that.

I also told him how he could use DNSCMD to export the DNS data from an AD Integrated zone.:
dnscmd /ZoneExport FQDN_of_zonename Zone_export_file

He then started telling me he had problems locating the reverse DNS information and it was at this point my techie sense started tingling. He may not even have a reverse DNS zone (it is completely optional, but can be quite useful), or may actually be referring to his DNS resolver cache. (I haven't determined the answer yet).

Reverse DNS operates just like regular DNS, but instead of looking up an IP address using a hostname, you look up the hostname from the IP address. This can be very useful in easily determining which host is the source or destination of traffic, instead of finding the port on the local switch.

Reverse DNS zones use the network address in reverse notation and the suffix in-addr.arpa. So if your network's IP Schema is based on subnets of the private range 172.16.0.0, you could have a reverse DNS zone of 16.172.in-addr.arpa, which could contain entries for all hosts within all subnets on your network. Of course, if you have an extremely large network, you probably want to break this down further, such as 10.16.172.in-addr.arpa, etc.

So, if your host server.company.com has an (A) record of 172.16.10.99, he can have a pointer DNS record type (PTR) in the reverse DNS zone of 99.10.16.172.in-addr.arpa pointing back to its designated hostname of server.company.com.

Reverse DNS zones for IPv6 use the special zone ip6.arpa and store their loooong IPv6 addresses as a sequence of nibbles in reverse order in much the same way as the IPv4 addresses are stored in reverse order. So an IPv6 address of 2001:0db8:85a3::62cd will be stored as a PTR record as d.c.2.6.0.0.0.0.3.a.5.8.8.b.d.0.1.0.0.2.ip6.arpa.

A DNS resolver cache on a caching name server will resolve a query, even though they are not authoritative for the result, by making a query to the authoritative server on behalf of the client. The caching name server will then store this record for it's Time-To-Live (TTL) in a local cache. This will result in quicker resolutions and reduced load on Internet name servers. A corrupted resolver cache can simply be cleared and it will rebuild itself with use.

Importing Autocomplete File into Outlook 2010

This is something I answered over at Experts Exchange and thought I'd post here as well.

The .NK2 file used by Outlook 2003 and Outlook 2007 and is used to suggest addresses when you start typing in the recipients field is no longer used by Outlook 2010.

This file can be imported by Outlook 2010 and the contacts placed in the "Suggested Contacts" folder in the mailbox.

Copy the .NK2 file to the "C:\Users\%username%\AppData\Roaming\Microsoft\Outlook" folder (assuming the client is Windows 7)

Rename the nk2-file to the name of your mail profile:

     In the Control Panel, type "mail" into the search box.
     Run the Mail applet.
     Click on the Show Profiles… button.
     By default, your profile is called “Outlook”. So in that case you would call your file “outlook.nk2”.

Start Outlook with the /importnk2 switch:

     outlook.exe /importnk2

Outlook will import the NK2 data into the Suggested Contacts folder.