Examined one of the new features in the 9.4.7 BETA:
- Added a new Active Directory console session type
But I can't really say that what happened is a bug. When you add the AD console session, you have to tell RDM what domain controller to use. When I click on the browse button next to the "Domain Controller" text box so that I can browse computer objects on the domain, it provides me a list of all computer objects on the domain (identical to what it looks like if I was performing an import from AD). I would think that it should only show me available domain controllers and not all computer objects.
But I'd like to also make a suggestion on this feature as well that may help here. I'm not entirely sure of the internal workings on how RDM is querying AD, but it seems to be a lengthy process (it took maybe 30 or 40 seconds after I clicked the browse button to display the list of computer objects). Question is whether you can leverage Microsoft's domain design to make this process easier for you and quicker for us. When you have a Windows AD domain, you can browse the FQDN and almost instantly an available domain controller is selected for you. I know some of how the process works in AD, but maybe that type of design can be integrated into RDM (why have to choose a DC at all)? If you create an AD console in RDM, why limit yourself to a single domain controller (because it may be unavailable or unreachable), then the console session won't work? So I wonder if RDM can use the same process that Windows uses to query a domain and have Windows provide RDM with an available DC to use.
Example - if I was Wile E. Coyote (Genius) and my domain FQDN was "acme.com", I could open Windows Explorer (or a command prompt, etc.) and browse to "\\acme.com" and it will instantly show me the shares available on the domain (i.e., NETLOGON, etc.), even though I never told Windows which DC to use. Anyway, the thing is, if one DC is down, Windows will quickly redirect my request to another available DC in the domain (if there is one). If that design could be integrated into RDM, a user of this feature wouldn't limit themselves to a single DC, and since they wouldn't need to choose a specific DC, it wouldn't take 30-40 seconds to load after clicking the browse button to list computer objects. As for performance, my speed is 1GB network cards, we have 8 (eight) domain controllers, and a few thousand computer objects in this domain. This one isn't a very large domain.
Anyway, might not be doable, or it might be too much for a single feature to implement, but just maybe something to consider.
As always, thanks and good work
edited by STGdb on 6/12/2014
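The lookup suggested in this post, sketched with the .NET `System.DirectoryServices.ActiveDirectory` classes, which ask the Windows DC locator for a domain controller from the domain FQDN alone. This is an added example, not code from the thread or from RDM; the class and method names are hypothetical, `acme.com` is the post's placeholder domain, and it assumes a machine that can reach the domain.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.ActiveDirectory; // reference System.DirectoryServices.dll

static class DcLocatorExample
{
    // Ask the DC locator for one writable DC; only the domain FQDN is supplied.
    // Pass forceRediscovery = true after a bind to the returned DC has failed,
    // so the locator drops its cached choice and looks for another DC.
    static string LocateWritableDc(string domainFqdn, bool forceRediscovery)
    {
        var context = new DirectoryContext(DirectoryContextType.Domain, domainFqdn);
        var options = LocatorOptions.WriteableRequired; // resets and unlocks are writes
        if (forceRediscovery)
            options |= LocatorOptions.ForceRediscovery;
        using (DomainController dc = DomainController.FindOne(context, options))
            return dc.Name;
    }

    // Entries for a "Domain Controller" picker: DCs only, not every computer object.
    static List<string> ListDomainControllers(string domainFqdn)
    {
        var context = new DirectoryContext(DirectoryContextType.Domain, domainFqdn);
        var names = new List<string>();
        using (Domain domain = Domain.GetDomain(context))
            foreach (DomainController dc in domain.FindAllDomainControllers())
                using (dc)
                    names.Add(dc.Name + " (site: " + dc.SiteName + ")");
        return names;
    }

    static void Main(string[] args)
    {
        // "acme.com" is the placeholder domain from the post; pass a real FQDN.
        string domainFqdn = args.Length > 0 ? args[0] : "acme.com";
        try
        {
            Console.WriteLine("Locator chose: " + LocateWritableDc(domainFqdn, false));
            foreach (string name in ListDomainControllers(domainFqdn))
                Console.WriteLine("  " + name);
        }
        catch (ActiveDirectoryObjectNotFoundException ex)
        {
            // Thrown when the domain cannot be contacted or no DC matches the options.
            Console.WriteLine("No domain controller found for " + domainFqdn + ": " + ex.Message);
        }
    }
}
```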
Hi,
Thank you very much for your feedback. We were not sure if people would find this feature useful but I see the potential. I have entered an improvement request to browse only for the domain controller.
For the other part, I will need to do some research but we use WMI to query the domain and I've never been able to get the results without specifying the domain controller.
http://www.codeproject.com/Tips/599697/Get-list-of-Active-Directory-users-in-Csharp
David Hervieux
Thanks. I understand completely, you all have added enough features in RDM (it is packed). Truth be told, I was actually kind of thinking ahead to another forum topic that I posted (AD sync) and I guess you may be about ready to tackle AD sync soon (I just didn't want to cross forum threads). If you're working on the AD sync stuff also, I was thinking the same process that I mentioned here (to query the domain for an available DC) would also be helpful with AD sync as well (and I think that feature will be more widely used by RDM users). If you can get it working now, it might benefit other RDM features later. If not, no worries.
Some possible links to check out:
MSDN
SO
Thanks and have a great weekend
I just tried out the AD synchronizer - works well, it picked up on all "servers" that I didn't have in my session list already. I see that you now have "My Domain" as an option now - thank you. So much quicker when doing AD queries, it works well.
But back to the AD Console - I just tried it and have a problem (BTW - nice feature to send an error report directly to Devolutions). That was something new also.
When I try an AD Console session and click on Reset Password, Unlock User, etc. (it keeps asking for my creds, even though it is set to "My Personal Credentials"). I'm trying to figure out the format for the credentials that RDM wants for the AD Console session. If I use <domain\username>, it tells me wrong username or password. If I use just my domain admin username, my error is:
NullReferenceException - Object reference not set to an instance of an object.
at Devolutions.RemoteDesktopManager.Frames.Embedded.FreEmbeddedActiveDirectoryConsole.GetActiveDirectoryUserSelected()
at Devolutions.RemoteDesktopManager.Frames.Embedded.FreEmbeddedActiveDirectoryConsole.butResetPassword_Click(Object sender, EventArgs e)
at System.Windows.Forms.Control.OnClick(EventArgs e)
at DevExpress.XtraEditors.BaseButton.OnClick(EventArgs e)
at DevExpress.XtraEditors.BaseButton.OnMouseUp(MouseEventArgs e)
at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
at System.Windows.Forms.Control.WndProc(Message& m)
at DevExpress.Utils.Controls.ControlBase.WndProc(Message& m)
at DevExpress.XtraEditors.BaseControl.WndProc(Message& msg)
at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)
at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
Thanks
Hi,
I will forward your issue to Olivier. He is currently working on improving the console and the sync. I suspect that the My credentials are not handled correctly. You should only have to send your Admin username / password in any format.
However I think that if you use My Domain we can't provide another user name/password. This might explain the issue you get.
David Hervieux
David:
The Active Directory console is a great idea. In the project I'm working on, I plan to use it to give AD operators quick and easy access to an easy-to-use tool to do routine tasks in the AD environment without needing to use the standard AD tools. Great