Finding something that’s not there

Posted by BPuhl on January 11, 2008

Active Directory is good for a lot of things. Administration, publishing, etc… and so long as you take a bit of care (insert objectClass v. objectCategory argument here) then it does a pretty damn good job with processing queries as well. Considering it’s a directory, I sure as heck hope so, right!

Anyway, recently we’ve been having some issues with the dogfood deployment, and I was asked to find something which “wasn’t there”. Specifically, the request was: Can you query AD to find all of the machine accounts which do not have their HOST/<FQDN> SPN registered?

hmmm…lemme think about that for half a second…ummm…nope, sorry.

Instead, how do you do this? Well, how I did it was to hack out a quick VBScript that connected to AD, ran a paged query for all computer accounts in the default OU returning their SPNs, and looped through each computer account: build the string that would be that machine’s HOST/<FQDN> SPN, then loop through the array of the servicePrincipalName attribute (it’s multivalued, so ADSI returns it as an array) and string-compare to see whether the SPN was there or not. Spit it out to a file if it’s not there.
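The same walk written in PowerShell against ADSI, as an added example rather than the VBScript from the post: a paged query over computer accounts that builds each machine’s expected HOST/<dNSHostName> value and reports the accounts where it is absent (a host with no HOST SPN cannot be issued a Kerberos service ticket, so clients either fail or fall back to NTLM, which is why the gap is worth finding). It assumes a domain-joined host, read access as a domain user, and a placeholder output path; unlike the post, it walks the whole domain rather than only the default Computers container.

```powershell
# Added example (not the post's VBScript): a paged ADSI query that reports
# computer accounts missing their HOST/<dNSHostName> SPN.
# Assumptions: run as a domain user on a domain-joined machine; the output
# path below is a placeholder. Unlike the post, this walks the whole domain
# rather than only the default Computers container.
$OutFile = 'C:\Temp\missing-host-spn.txt'   # placeholder path

$dnc      = ([ADSI]'LDAP://RootDSE').defaultNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$dnc")
$searcher.Filter   = '(objectCategory=computer)'
$searcher.PageSize = 1000          # server-side paging, same approach as the post
[void]$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'dNSHostName', 'servicePrincipalName'))

$missing = New-Object System.Collections.Generic.List[string]
$checked = 0
$results = $searcher.FindAll()
try {
    foreach ($r in $results) {
        $checked++
        $sam = [string]$r.Properties['samaccountname'][0]
        # A computer with no dNSHostName cannot have a valid HOST/<FQDN> SPN at all,
        # so report it instead of building an empty name.
        if ($r.Properties['dnshostname'].Count -eq 0) {
            $missing.Add("$sam`t<no dNSHostName>")
            continue
        }
        $fqdn     = [string]$r.Properties['dnshostname'][0]
        $expected = "HOST/$fqdn"
        # servicePrincipalName is multivalued; @() keeps it an array even when empty.
        $spns = @($r.Properties['serviceprincipalname'])
        # Kerberos treats SPNs case-insensitively, and PowerShell's -eq is
        # case-insensitive for strings, so this is the right comparison.
        if (-not ($spns | Where-Object { $_ -eq $expected })) {
            $missing.Add("$sam`t$fqdn")
        }
    }
}
finally {
    $results.Dispose()   # SearchResultCollection holds unmanaged handles
}

$missing | Set-Content -Path $OutFile
"Checked $checked computer accounts; $($missing.Count) lack HOST/<FQDN> (see $OutFile)"
```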

Not the most elegant, nor the most efficient way. Even running the script on a 64-bit DC that’s been online for a while (which presumes the cache is built up some), it still took about 10 minutes to walk through 200,000 machines.

So if you’re ever in the position of needing to find something which isn’t there, then at least you know that this is how I did it.

And if anyone has the, “Hey, you should’a just done this” comment – please type it below for the rest of us.
