{"id":865,"date":"2012-02-28T13:24:56","date_gmt":"2012-02-28T12:24:56","guid":{"rendered":"http:\/\/web03.partners.extranet.chrisse.com\/?p=865"},"modified":"2012-02-28T13:24:56","modified_gmt":"2012-02-28T12:24:56","slug":"how-the-active-directory-data-store-really-works-inside-ntds-dit-code-1-3","status":"publish","type":"post","link":"https:\/\/blog.chrisse.se\/?p=865","title":{"rendered":"How the Active Directory – Data Store Really Works (Inside NTDS.dit) – Code [1-3]"},"content":{"rendered":"

So what is the “Code [1-3]” all about and where is Part 4 of the series that you might expect?
\nBefore I go ahead with Part 4 I thought it would be a good idea to sum up Part 1 to Part 3 with code (So that you know how we figured out all this stuff while we was coding on ESEDump) \u2013 Note: This most may be targeted for the developer audience more than the general Active Directory administrator.<\/p>\n

Disclaimer: <\/strong>The code samples provided here is code snippets that doesn’t represent any code actual code from the DSA and or any other Microsoft products and technologies, nor those they represent the complete source of ESEDump
\n<\/em><\/p>\n


\nESEHelper \u2013 A managed ESE wrapper around the ESE APIs
\n<\/strong><\/p>\n

We decided that we wanted to work with ESE in C# (and when we first started this project EseManaged from codeplex wasn’t around) and even if we could have used it later on \u2013 I guess we wanted full control and decided to stick with our own wrapper. So when you see references to “EseHelper” in the code snippets below \u2013 you know it’s just a wrapper around: Extensible Storage Engine Native APIs<\/a> \u2013 there is no secrets around this J<\/span><\/p>\n

JET_RETRIVECOLUMN structure custom methods
\n<\/strong><\/p>\n

We extended the JET_RETRIVECOLUMN<\/a> structure with some additional methods to retrieve data.<\/p>\n

Table\u00a00: JET_RETRIVECOLUMN structure
\n<\/span><\/p>\n

\n\n\n<\/colgroup>\n\n\n\n
\n

Code Snippet<\/span><\/p>\n<\/td>\n<\/tr>\n

\/\/ The custom methods in JET_RETRIEVECOLUMN allow us to quickly<\/span>\/\/ interpret each column’s data depending on its data type (string, integer, etc.)<\/span><\/p>\n

internal<\/span>
\nstruct<\/span>
\nJET_RETRIEVECOLUMN<\/span><\/span><\/p>\n

{<\/span><\/p>\n

public<\/span>
\nint<\/span> columnid;<\/span><\/p>\n

public<\/span> IntPtr pvData; \/\/ Pointer to the data block in memory<\/span><\/span><\/p>\n

public<\/span>
\nint<\/span> cbData; \/\/ Size of the allocated data block<\/span><\/span><\/p>\n

public<\/span>
\nint<\/span> cbActual; \/\/ Size of the actual\/used data<\/span><\/span><\/p>\n

public<\/span>
\nint<\/span> grbit;<\/span><\/p>\n

\/\/ Offset to the first byte to be retrieved from a column of type<\/span><\/p>\n

\/\/ JET_coltypLongBinary or JET_coltypLongText<\/span><\/p>\n

public<\/span>
\nint<\/span> ibLongValue;<\/span><\/p>\n

\/\/ Number of values in a multi-valued column<\/span><\/p>\n

\/\/ Can be used to retrive a specific value<\/span><\/p>\n

public<\/span>
\nint<\/span> itagSequence;<\/span><\/p>\n

\/\/ The columnid of the tagged, multi-valued, or sparse column<\/span><\/p>\n

\/\/ when all tagged columns are retrieved by passing 0<\/span><\/p>\n

\/\/ as the columnid to JetRetrieveColumn.”<\/span><\/p>\n

public<\/span>
\nint<\/span> columnidNextTagged;<\/span><\/p>\n

public<\/span>
\nint<\/span> err;<\/span><\/p>\n

public<\/span>
\nvoid<\/span> Initialize(ColumnInfo att)<\/span><\/p>\n

{<\/span><\/p>\n

this<\/span>.Initialize(att.ID, 0);<\/span><\/p>\n

}<\/span><\/p>\n

public<\/span>
\nvoid<\/span> Initialize(ColumnInfo att, int<\/span> cbData)<\/span><\/p>\n

{<\/span><\/p>\n

\/\/ Initialize with a data block of cbData size<\/span><\/p>\n

this<\/span>.Initialize(att.ID, cbData);<\/span><\/p>\n

}<\/span><\/p>\n

public<\/span>
\nvoid<\/span> Initialize(int<\/span> columnid)<\/span><\/p>\n

{<\/span><\/p>\n

\/\/ Initialize with an empty data block<\/span><\/p>\n

this<\/span>.Initialize(columnid, 0);<\/span><\/p>\n

}<\/span><\/p>\n

public<\/span>
\nvoid<\/span> Initialize(int<\/span> columnid, int<\/span> cbData)<\/span><\/p>\n

{<\/span><\/p>\n

\/\/ Reset the fields<\/span><\/p>\n

this<\/span>.cbActual = 0;<\/span><\/p>\n

this<\/span>.cbData = 0;<\/span><\/p>\n

this<\/span>.err = 0;<\/span><\/p>\n

\/\/ Make sure to free any previously used memory in this instance<\/span><\/p>\n

if<\/span> (this<\/span>.pvData != IntPtr.Zero)<\/span><\/p>\n

{<\/span><\/p>\n

Marshal.FreeHGlobal(this<\/span>.pvData);<\/span><\/p>\n

this<\/span>.pvData = IntPtr.Zero;<\/span><\/p>\n

}<\/span><\/p>\n

this<\/span>.columnid = columnid;<\/span><\/p>\n

this<\/span>.itagSequence = 1;<\/span><\/p>\n

\/\/ Allocate a new memory block if necessary (if > 0 bytes requested)<\/span><\/p>\n

this<\/span>.cbData = cbData;<\/span><\/p>\n

if<\/span> (this<\/span>.cbData > 0)<\/span><\/p>\n

this<\/span>.pvData = Marshal.AllocHGlobal(this<\/span>.cbData);<\/span><\/p>\n

}<\/span><\/p>\n

\/\/ Copies the current memory block into a byte array<\/span><\/p>\n

public<\/span>
\nbyte<\/span>[] GetData()<\/span><\/p>\n

{<\/span><\/p>\n

byte<\/span>[] output = new<\/span>
\nbyte<\/span>[this<\/span>.cbActual];<\/span><\/p>\n

Marshal.Copy(this<\/span>.pvData, output, 0, output.Length);<\/span><\/p>\n

return<\/span> output;<\/span><\/p>\n

}<\/span><\/p>\n

\/\/ Interpret the inner data as a GUID<\/span><\/p>\n

public<\/span> Guid GetGuid()<\/span><\/p>\n

{<\/span><\/p>\n

IntPtr pGuid = this<\/span>.pvData;<\/span><\/p>\n

byte<\/span>[] bGuid = new<\/span>
\nbyte<\/span>[16];<\/span><\/p>\n

Marshal.Copy(pGuid, bGuid, 0, bGuid.Length);<\/span><\/p>\n

return<\/span>
\nnew<\/span> Guid(bGuid);<\/span><\/p>\n

}<\/span><\/p>\n

\/\/ Interpret the inner data as a string (automatically checks ASCII or Unicode encoding)<\/span><\/p>\n

public<\/span>
\nstring<\/span> GetString()<\/span><\/p>\n

{<\/span><\/p>\n

byte<\/span>[] data = this<\/span>.GetData();<\/span><\/p>\n

if<\/span> (IsUnicode(data))<\/span><\/p>\n

return<\/span> Encoding.Unicode.GetString(data, 0, data.Length);<\/span><\/p>\n

else<\/span><\/p>\n

return<\/span> Encoding.ASCII.GetString(data, 0, data.Length);<\/span><\/p>\n

}<\/span><\/p>\n

\/\/ Interpret the inner data as a 32-bit integer<\/span><\/p>\n

public<\/span>
\nint<\/span> GetInteger()<\/span><\/p>\n

{<\/span><\/p>\n

return<\/span> BitConverter.ToInt32(this<\/span>.GetData(), 0);<\/span><\/p>\n

}<\/span><\/p>\n

\/\/ Interpret the inner data as a 64-bit integer<\/span><\/p>\n

public<\/span>
\nlong<\/span> GetLong()<\/span><\/p>\n

{<\/span><\/p>\n

return<\/span> BitConverter.ToInt64(this<\/span>.GetData(), 0);<\/span><\/p>\n

}<\/span><\/p>\n

\/\/ Interpret the inner data as a boolean (true\/false)<\/span><\/p>\n

public<\/span>
\nbool<\/span> GetBool()<\/span><\/p>\n

{<\/span><\/p>\n

return<\/span> Marshal.ReadByte(this<\/span>.pvData) == 1 ? true<\/span> : false<\/span>;<\/span><\/p>\n

}<\/span><\/p>\n

\/\/ Determines if a string in a data block is of Unicode or ASCII encoding<\/span><\/p>\n

\/\/ TODO: International 2-byte characters unsupported?<\/span><\/p>\n

private<\/span>
\nbool<\/span> IsUnicode(byte<\/span>[] data)<\/span><\/p>\n

{<\/span><\/p>\n

bool<\/span> isUnicode = false<\/span>;<\/span><\/p>\n

\/\/ Unicode strings’ data always have an even number of bytes<\/span><\/p>\n

if<\/span> (data.Length % 2 == 0)<\/span><\/p>\n

for<\/span> (int<\/span> i = 0; i < data.Length; i += 2)<\/span><\/p>\n

if<\/span> (data[i + 1] == ‘\\0’<\/span>)<\/span><\/p>\n

isUnicode |= true<\/span>;<\/span><\/p>\n

return<\/span> isUnicode;<\/span><\/p>\n

}<\/span><\/p>\n

}<\/span><\/p>\n

\/\/ ColumnInfo stores column metadata (ID, type, table owner)<\/span><\/p>\n

\/\/ Used when retrieving JET columns<\/span><\/p>\n

internal<\/span>
\nstruct<\/span>
\nColumnInfo<\/span><\/span><\/p>\n

{<\/span><\/p>\n

public<\/span>
\nint<\/span> ID;<\/span><\/p>\n

public<\/span>
\nstring<\/span> Name;<\/span><\/p>\n

public<\/span>
\nint<\/span> DataType;<\/span><\/p>\n

public<\/span>
\nstring<\/span> AltName; \/\/added for attribute name<\/span><\/span><\/p>\n

public<\/span>
\nint<\/span> AltId; \/\/ added for attribute id<\/span><\/span><\/p>\n

public<\/span> IntPtr TableId; \/\/ added for table support in caching<\/span><\/span><\/p>\n

public<\/span> ColumnInfo(int<\/span> id, string<\/span> name, int<\/span> type, string<\/span> altname, int<\/span> altid, IntPtr tableid)<\/span><\/p>\n

{<\/span><\/p>\n

this<\/span>.ID = id;<\/span><\/p>\n

this<\/span>.Name = name;<\/span><\/p>\n

this<\/span>.DataType = type;<\/span><\/p>\n

this<\/span>.AltName = altname; \/\/added for attribute name<\/span><\/span><\/p>\n

this<\/span>.AltId = altid;<\/span><\/p>\n

this<\/span>.TableId = tableid; \/\/added for table support in caching<\/span><\/span><\/p>\n

}<\/span><\/p>\n

}<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

 <\/p>\n

Perform Initialization and Attach to NTDS.dit
\n<\/strong><\/p>\n

First thing we had to figure out was how we attached to the database (NTDS.dit) using JetInit<\/a>, JetBeginSession<\/a>, JetAttachDatabase<\/a> and finally calling JetOpenDatabase<\/a> in addition to those callas we had to set several parameters with JetSetSystemParameter<\/a> for our usage, e.g there is things that need to be turned off as we attach\/open the DB as read-only due to the nature of our application.<\/p>\n

Table\u00a01: ESE Initialization
\n<\/span><\/p>\n

\n\n\n<\/colgroup>\n\n\n\n
\n

Code Snippet<\/span><\/p>\n<\/td>\n<\/tr>\n

\/\/ E.Check makes sure a JET API call is successful, i.e. JET_errSuccess (0)<\/span>\/\/ If the call fails, we throw an exception\/write to the Console<\/span><\/p>\n

\/\/ Initialize ESENT. Setting JetInit will inspect the logfiles to see if the last<\/span><\/p>\n

\/\/ shutdown was clean. If it wasn’t (e.g. the application crashed) recovery will be<\/span><\/p>\n

\/\/ run automatically bringing the database to a consistent state.<\/span><\/p>\n

err = E.Check(EseHelper.JetSetSystemParameter(ref<\/span> instance, EseHelper.JET_sesidNil, new<\/span>
\nIntPtr<\/span>(EseHelper.JET_paramDatabasePageSize), new<\/span>
\nIntPtr<\/span>(0x2000), null<\/span>));<\/span><\/p>\n

err = E.Check(EseHelper.JetCreateInstance(out<\/span> instance, “instance”<\/span>));<\/span><\/p>\n

\/\/ Set up the recovery option (off), the maximum number temporary tables (7) and temporary path<\/span><\/p>\n

err = E.Check(EseHelper.JetSetSystemParameter(ref<\/span> instance, EseHelper.JET_sesidNil, new<\/span>
\nIntPtr<\/span>(EseHelper.JET_paramRecovery), IntPtr<\/span>.Zero, “off”<\/span>));<\/span><\/p>\n

err = E.Check(EseHelper.JetSetSystemParameter(ref<\/span> instance, EseHelper.JET_sesidNil, new<\/span>
\nIntPtr<\/span>(EseHelper.JET_paramEnableOnlineDefrag), IntPtr<\/span>.Zero, null<\/span>));<\/span><\/p>\n

err = E.Check(EseHelper.JetSetSystemParameter(ref<\/span> instance, EseHelper.JET_sesidNil, new<\/span>
\nIntPtr<\/span>(0xa), IntPtr<\/span>.Zero, null<\/span>));<\/span><\/p>\n

err = E.Check(EseHelper.JetSetSystemParameter(ref<\/span> instance, EseHelper.JET_sesidNil, new<\/span>
\nIntPtr<\/span>(EseHelper.JET_paramMaxTemporaryTables), new<\/span>
\nIntPtr<\/span>(7), null<\/span>));<\/span><\/p>\n

err = E.Check(EseHelper.JetSetSystemParameter(ref<\/span> instance, EseHelper.JET_sesidNil, new<\/span>
\nIntPtr<\/span>(EseHelper.JET_paramTempPath), IntPtr<\/span>.Zero, System.IO.Path<\/span>.GetTempPath()));<\/span><\/p>\n

\/\/ Initialize ESE and begin a session<\/span><\/p>\n

err = E.Check(EseHelper.JetInit(ref<\/span> instance));<\/span><\/p>\n

err = E.Check(EseHelper.JetBeginSession(instance, out<\/span> sesid, null<\/span>, null<\/span>));<\/span><\/p>\n

\/\/ Attach a database<\/span><\/p>\n

err = E.Check(EseHelper.JetAttachDatabase(sesid, “NTDS.dit”<\/span>, 1));<\/span><\/p>\n

err = E.Check(EseHelper.JetOpenDatabase(sesid, “NTDS.dit”<\/span>, null<\/span>, out<\/span> dbid, 1));<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

 <\/p>\n

List the tables inside NTDS.dit
\n<\/strong><\/p>\n

We figured out that by statically opening the “MSysObjects” and positioning over the “RootObjects” index we could enumerate the tables inside the database using the following code snippet.<\/p>\n

Table\u00a02: ESE Enumerate tables inside the database
\n<\/span><\/p>\n

\n\n\n<\/colgroup>\n\n\n\n
\n

Code Snippet<\/span><\/p>\n<\/td>\n<\/tr>\n

\/\/ Simplified:<\/span>\/\/ Method to obtain a list of tables for a given JET database<\/span><\/p>\n

private<\/span>
\nstatic<\/span>
\nvoid<\/span> GetTableNames(IntPtr instance, IntPtr sesid, IntPtr dbid, ref<\/span> EseErrors err)<\/span><\/p>\n

{<\/span><\/p>\n

IntPtr tableid = IntPtr.Zero;<\/span><\/p>\n

List<string<\/span>> tables = new<\/span> List<string<\/span>>();<\/span><\/p>\n

\/\/ E.Check makes sure a JET API call is successful, i.e. JET_errSuccess (0)<\/span><\/p>\n

\/\/ If the call fails, we throw an exception\/write to the Console<\/span><\/p>\n

err = E.Check(EseHelper.JetOpenTable(sesid, dbid, “MSysObjects”<\/span>, IntPtr.Zero, 0, 0, out<\/span> tableid));<\/span><\/p>\n

\/\/ Select the first row in the RootObjects record set<\/span><\/p>\n

err = E.Check(EseHelper.JetSetCurrentIndex(sesid, tableid, “RootObjects”<\/span>));<\/span><\/p>\n

err = E.Check(EseHelper.JetMove(sesid, tableid, EseHelper.JET_MoveFirst, 0));<\/span><\/p>\n

\/\/ Allocate a column array of one element — we only need the name column<\/span><\/p>\n

EseHelper.JET_RETRIEVECOLUMN[] array = new<\/span> EseHelper.JET_RETRIEVECOLUMN[1];<\/span><\/p>\n

\/\/ Loop until we reach the end of the record set or an error occurs<\/span><\/p>\n

while<\/span> (err == 0)<\/span><\/p>\n

{<\/span><\/p>\n

\/\/ Allocate 0x41 bytes for this column’s value<\/span><\/p>\n

\/\/ 0x80 is the column ID (table name)<\/span><\/p>\n

array[0].Initialize(0x80, 0x41);<\/span><\/p>\n

err = E.Check(EseHelper.JetRetrieveColumns(sesid, tableid, Marshal.UnsafeAddrOfPinnedArrayElement(array, 0), array.Length));<\/span><\/p>\n

foreach<\/span> (EseHelper.JET_RETRIEVECOLUMN column in<\/span> array)<\/span><\/p>\n

{<\/span><\/p>\n

if<\/span> (column.cbData != 0x04)<\/span><\/p>\n

{<\/span><\/p>\n

string<\/span> table = column.GetString();<\/span><\/p>\n

\/\/ Print out the table<\/span><\/p>\n

Console.WriteLine(table);<\/span><\/p>\n

}<\/span><\/p>\n

}<\/span><\/p>\n

\/\/ Select the next record (table info row)<\/span><\/p>\n

err = E.Check(EseHelper.JetMove(sesid, tableid, EseHelper.JET_MoveNext, 0));<\/span><\/p>\n

}<\/span><\/p>\n

\/\/ Clean up<\/span><\/p>\n

err = E.Check(EseHelper.JetCloseTable(sesid, tableid));<\/span><\/p>\n

Console.WriteLine();<\/span><\/p>\n

}<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

 <\/p>\n

Retrieving the Ancestors_col
\n<\/strong><\/p>\n

In Part 3<\/a>, we’re discussing the usage of the “Ancestors_col” column and how it’s used to walk subtrees in the database, the DNTs are stored as bytes within the “Acenstors_col” and are read as in the code snippet below.<\/p>\n

Table\u00a03: Ancestors_col
\n<\/span><\/p>\n

\n\n\n<\/colgroup>\n\n\n\n
\n

Code Snippet<\/span><\/p>\n<\/td>\n<\/tr>\n

if<\/span> (column.err != EseErrors<\/span>.ColumnNull)
\n<\/span>{
\n<\/span><\/p>\n


\nstring<\/span> ancestory = null<\/span>;
\n<\/span><\/p>\n


\nchar<\/span>[] ancestor_separator = { ‘,’<\/span> };
\n<\/span><\/p>\n

 <\/p>\n


\n<\/span>\/\/ Walk through every ancestry record in the returned column data
\n<\/span><\/p>\n


\n<\/span>\/\/ Construct the ancestry string with the returned DNTs<\/span>
\n<\/span><\/p>\n


\nfor<\/span> (int<\/span> i = 0; i < column.GetData().Length; i += sizeof<\/span>(int<\/span>))
\n<\/span><\/p>\n

{
\n<\/span><\/p>\n


\nint<\/span> dnt = BitConverter<\/span>.ToInt32(column.GetData(), i);
\n<\/span><\/p>\n

ancestory = ancestory + dnt + “,”<\/span>;
\n<\/span><\/p>\n

}
\n<\/span><\/p>\n

 <\/p>\n


\n<\/span>\/\/ Remove any trailing “,” characters<\/span>
\n<\/span><\/p>\n

ancestory = ancestory.TrimEnd(ancestor_separator);
\n<\/span><\/p>\n

output = ancestory;
\n<\/span><\/p>\n

}<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

 <\/p>\n

Reading an object’s full distinguished name
\n<\/strong><\/p>\n

Note:<\/strong> This is our way to read an objects full distinguished name, given an object’s DNT (Distinguished Name Tag) \u2013 But this is not considered safe by the DSA as mentioned in Part 3<\/a> as the “Ancestors_col” is being processed by a background task and might not be in-sync all the times. (Safer would be to walk the tree up \u2013 by each PDNT until PDNT == 2)<\/p>\n

Table\u00a04: Get an objects distinguished name by its DNT
\n<\/span><\/p>\n

\n\n\n<\/colgroup>\n\n\n\n
\n

Code Snippet<\/span><\/p>\n<\/td>\n<\/tr>\n

internal<\/span>
\nstatic<\/span>
\nstring<\/span> DBGetDN(IntPtr<\/span> sesid, IntPtr<\/span> tableid, int<\/span> tag, ref<\/span>
\nEseErrors<\/span> err)
\n<\/span>{
\n<\/span><\/p>\n

\/\/ 0 (zero) means where already positioned at the obejct.
\n<\/span><\/p>\n

if<\/span> (tag != 0)
\n<\/span><\/p>\n

DBFindDNT(sesid, tableid, tag, ref<\/span> err);
\n<\/span><\/p>\n

 <\/p>\n

List<\/span><string<\/span>> DN = new<\/span>
\nList<\/span><string<\/span>>();
\n<\/span><\/p>\n

 <\/p>\n

EseHelper<\/span>.JET_RETRIEVECOLUMN<\/span>[] Ancestors = new<\/span>
\nEseHelper<\/span>.JET_RETRIEVECOLUMN<\/span>[1];
\n<\/span><\/p>\n

 <\/p>\n

Ancestors[0].Initialize(attid<\/span>.GetByDisplayName(“Ancestors_col”<\/span>, tableid), 256 * 6);
\n<\/span><\/p>\n

 <\/p>\n

err = E<\/span>.Check(EseHelper<\/span>.JetRetrieveColumns(sesid, tableid, Marshal<\/span>.UnsafeAddrOfPinnedArrayElement(Ancestors, 0), Ancestors.Length));
\n<\/span><\/p>\n

 <\/p>\n

\/\/ Ensure the “Ancestors_col” exist and contains data.
\n<\/span><\/p>\n

if<\/span> (Ancestors[0].err != EseErrors<\/span>.ColumnNull)
\n<\/span><\/p>\n

{
\n<\/span><\/p>\n


\n\/\/ Loop thru all ancestors.
\n<\/span><\/span><\/p>\n


\nfor<\/span> (int<\/span> i = 0; i < Ancestors[0].GetData().Length; i += sizeof<\/span>(int<\/span>))
\n<\/span><\/p>\n

{
\n<\/span><\/p>\n


\nint<\/span> dnt = BitConverter<\/span>.ToInt32(Ancestors[0].GetData(), i);
\n<\/span><\/p>\n


\nif<\/span> (dnt != 2) \/\/ “2” == $ROOT_OBJECT$ == We hit the top most DN Component.
\n<\/span><\/span><\/p>\n

{
\n<\/span><\/p>\n


\n\/\/ Move the cursor over the ancestor
\n<\/span><\/span><\/p>\n

DBFindDNT(sesid, tableid, dnt, ref<\/span> err);
\n<\/span><\/p>\n

 <\/p>\n


\n\/\/ Define a list of attributes we want to read off each ancestor (object)
\n<\/span><\/span><\/p>\n


\nEseHelper<\/span>.JET_RETRIEVECOLUMN<\/span>[] attrList = new<\/span>
\nEseHelper<\/span>.JET_RETRIEVECOLUMN<\/span>[2];
\n<\/span><\/p>\n

 <\/p>\n

attrList[0].Initialize(attid<\/span>.GetByDisplayName(“RDNtyp_col”<\/span>, tableid), 256 * 24);
\n<\/span><\/p>\n

attrList[1].Initialize(attid<\/span>.GetByDisplayName(“name”<\/span>, tableid), 256 * 24);
\n<\/span><\/p>\n

 <\/p>\n

err = E<\/span>.Check(EseHelper<\/span>.JetRetrieveColumns(sesid, tableid, Marshal<\/span>.UnsafeAddrOfPinnedArrayElement(attrList, 0), attrList.Length));
\n<\/span><\/p>\n

 <\/p>\n


\n\/\/ Make sure the object has both a RDNType and a Name
\n<\/span><\/span><\/p>\n


\nif<\/span> (attrList[0].err != EseErrors<\/span>.ColumnNull && attrList[1].err != EseErrors<\/span>.ColumnNull)
\n<\/span><\/p>\n

{
\n<\/span><\/p>\n


\nstring<\/span> RDNType = DBGetRDNType(tableid, attrList[0].GetInteger());
\n<\/span><\/p>\n


\nstring<\/span> Name = attrList[1].GetString();
\n<\/span><\/p>\n


\n\/\/ Construct this ancestors RDN.
\n<\/span><\/span><\/p>\n

DN.Add(RDNType + “=”<\/span> + Name);
\n<\/span><\/p>\n

}
\n<\/span><\/p>\n

}
\n<\/span><\/p>\n

}
\n<\/span><\/p>\n

DN.Reverse();
\n<\/span><\/p>\n


\nreturn<\/span>
\nstring<\/span>.Join(“,”<\/span>, DN.ToArray());
\n<\/span><\/p>\n

}
\n<\/span><\/p>\n

return<\/span>
\nnull<\/span>;
\n<\/span><\/p>\n

}<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

 <\/p>\n

Table\u00a05: Get an objects distinguished name (object is referenced by sAMAccountName: ADCH)
\n<\/span><\/p>\n

\n\n\n<\/colgroup>\n\n\n\n
\n

ESEDump<\/span><\/p>\n<\/td>\n<\/tr>\n

\"\"<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

So what is the “Code [1-3]” all about and where is Part 4 of the series that you might expect? Before I go ahead with Part 4 I thought it would be a good idea to sum up Part 1 to Part 3 with code (So that you know how we figured out all this … <\/p>\n

Continue reading “How the Active Directory – Data Store Really Works (Inside NTDS.dit) – Code [1-3]”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"footnotes":""},"categories":[1],"tags":[6,14,16],"class_list":["post-865","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-active-directory","tag-extensible-storage-engine-ese","tag-ntds-dit"],"_links":{"self":[{"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/posts\/865","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=865"}],"version-history":[{"count":0,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/posts\/865\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=865"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=865"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=865"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}