Sep 15, 2014

powershell: converting int64 datetime to something legible

i find that i’m constantly converting AD datetime fields from something that looks like 130552642641560221 to something that looks like 9/15/2014 10:17:44 AM. i don’t know which you prefer, but to me, the second output is the one that most people won’t complain about when i give it to them.

over on i found this post that wraps it up pretty nicely. so, let’s say you want to look at the lastlogontimestamp attribute of a user named marcus. here’s a typical command that would show you the output:

get-aduser marcus -properties lastlogontimestamp | select lastlogontimestamp

bam. you get the int64 value. personally, i get lost counting nanoseconds* after i exhaust what i can count on both hands. if you’re like me, you can convert this handily to a readable datetime format like this:

get-aduser marcus -properties lastlogontimestamp | select @{ n='llts'; e={[datetime]::fromfiletime($_.lastlogontimestamp)} }

we’re just creating an expression in the hash table to format lastlogontimestamp to the way we want to read it -- like humans. now, the quest powershell modules will do this automatically. of course, no one uses those anymore, right? :)


* and if you were curious, this is the definition of the int64 format -- contains a 64-bit value representing the number of 100-nanosecond intervals since january 1, 1601 (utc).
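
an added example, not from the original post: a wrapper around the same conversion that also handles the values that are not real dates. an attribute that is unset or 0 turns into a date in 1601 when passed to fromfiletime, and the max int64 value (9223372036854775807, which ad uses for "never" in accountexpires) makes fromfiletime throw. Convert-AdFileTime is a hypothetical helper name, and the sample values are constructed except for the one quoted in the post.

```powershell
# added example; Convert-AdFileTime is a hypothetical helper name
function Convert-AdFileTime {
    param(
        [Parameter(ValueFromPipeline = $true)]
        [AllowNull()]
        [Nullable[long]]$FileTime,
        [switch]$Local    # local time like fromfiletime(); default is utc
    )
    process {
        # unset, 0 and [long]::MaxValue are "no date" markers, not timestamps
        if ($null -eq $FileTime -or $FileTime -le 0 -or $FileTime -eq [long]::MaxValue) {
            return $null
        }
        try {
            if ($Local) { [datetime]::FromFileTime($FileTime) }
            else        { [datetime]::FromFileTimeUtc($FileTime) }
        }
        catch {
            $null   # value is outside the range datetime can represent
        }
    }
}

# constructed sample values (the first is the one quoted in the post)
$samples = [ordered]@{
    'value from the post'       = 130552642641560221
    'never logged on (0)'       = 0
    'never expires (max int64)' = 9223372036854775807
}
foreach ($name in $samples.Keys) {
    [pscustomobject]@{
        Case = $name
        Raw  = $samples[$name]
        Utc  = Convert-AdFileTime -FileTime $samples[$name]
    }
}

# with the command from the post (needs the activedirectory module):
# get-aduser marcus -properties lastlogontimestamp |
#     select name, @{ n='llts'; e={ Convert-AdFileTime -FileTime $_.lastlogontimestamp -Local } }
```

the helper returns utc unless -Local is given, so values from different machines line up when you compare them.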

Sep 2, 2014

enabling deduplication on unnamed volumes (and other stuff)

it dawned on me the other day that while i had enabled deduplication on my office computers, i never did enable it at home. back when ssd was very expensive, i had managed to get a very small drive (64gb.) well, it proved to be too small to be useful.

i ended up replacing the optical drive with a secondary hdd. it runs out of the optical chassis so it spins slower. it did its job though – which was to provide more space for not often accessed things. cool. i ran into a couple of things while toying around.

in case you didn’t know you could, windows 8.1 will support deduplication. you just have to get the binaries on to the os. once you install it and enable the features, you need to get into powershell to turn stuff on.

so, here’s a primer on getting all the deduplication commands:

gcm *dedup*
gcm -module deduplication

(either command works)

CommandType     Name                            ModuleName  
-----------     ----                            ----------  
Function        Disable-DedupVolume             Deduplication
Function        Enable-DedupVolume              Deduplication
Function        Expand-DedupFile                Deduplication
Function        Get-DedupJob                    Deduplication
Function        Get-DedupMetadata               Deduplication
Function        Get-DedupSchedule               Deduplication
Function        Get-DedupStatus                 Deduplication
Function        Get-DedupVolume                 Deduplication
Function        Measure-DedupFileMetadata       Deduplication
Function        New-DedupSchedule               Deduplication
Function        Remove-DedupSchedule            Deduplication
Function        Set-DedupSchedule               Deduplication
Function        Set-DedupVolume                 Deduplication
Function        Start-DedupJob                  Deduplication
Function        Stop-DedupJob                   Deduplication
Function        Update-DedupStatus              Deduplication


first problem i ran into happened when i went to enable the c: drive and received the following error:

enable-dedupvolume -Volume c:
enable-dedupvolume : MSFT_DedupVolume.Volume='c:' - HRESULT 0x8056530b, The specified volume type is not supported. Deduplication is supported on fixed, write-enabled NTFS data volumes and CSV backed by NTFS data volumes.

unfortunately searching for the error code did not yield any results. however, if we look at the error message, it speaks about the volume type. according to technet, this is what is supported:

  • Must not be a system or boot volume. Deduplication is not supported on operating system volumes.
  • Can be partitioned as a master boot record (MBR) or a GUID Partition Table (GPT), and must be formatted using the NTFS file system.
  • Can reside on shared storage, such as storage that uses a Fibre Channel or an SAS array, or when an iSCSI SAN and Windows Failover Clustering is fully supported.
  • Do not rely on Cluster Shared Volumes (CSVs). You can access data if a deduplication-enabled volume is converted to a CSV, but you cannot continue to process files for deduplication.
  • Do not rely on the Microsoft Resilient File System (ReFS).
  • Can’t be larger than 64 TB in size.
  • Must be exposed to the operating system as non-removable drives. Remotely-mapped drives are not supported.

the requirements fell apart on the first bullet for me. oh well, i still have the secondary hdd i can optimize. ran into a small snag, realizing that i had created a mount point so the secondary hdd isn’t an actual volume i can specify by drive letter.

not too big of a deal as long as i know the path where it’s mounted such as:

enable-dedupvolume -Volume c:\data


if the directory is unknown, you could also use the objectid, which you can get from get-volume. the following command would attempt to enable deduplication on all available volumes. obviously, this is not something you want to try on your desktop:

get-volume | % { enable-dedupvolume -volume $_.ObjectId }
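
an added example, not from the original post: instead of piping every volume into enable-dedupvolume, list only the volumes that pass the checks from the technet list above that get-volume and get-partition can answer (fixed drive, ntfs, not a system or boot volume, 64 tb or smaller). it assumes the storage module that ships with windows 8 / server 2012 and later, and it only prints the candidates.

```powershell
# added example: show which volumes are candidates for deduplication
# without enabling anything. run from an elevated prompt.
$maxSize = 64TB

# objectids of the volumes that sit on system or boot partitions
$osVolumeIds = @(
    Get-Partition |
        Where-Object { $_.IsBoot -or $_.IsSystem } |
        Get-Volume -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty ObjectId
)

$candidates = Get-Volume | Where-Object {
    $_.DriveType  -eq 'Fixed' -and          # no removable or mapped drives
    $_.FileSystem -eq 'NTFS'  -and          # refs and fat are not supported
    $_.Size       -le $maxSize -and         # 64 tb limit
    $osVolumeIds  -notcontains $_.ObjectId  # not a system or boot volume
}

# mount-point volumes have no drive letter, so show the objectid as well
$candidates | Select-Object DriveLetter, FileSystemLabel, Size, ObjectId

# after reviewing the list:
# $candidates | % { enable-dedupvolume -volume $_.ObjectId }
```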

Aug 18, 2014

dns resolver behavior

i had an occasion to have to look up windows client behavior when it came to dns. specifically, i wanted to know how the client behaves when the primary name server is offline. before i had to fire up packet trace and check for myself, i stumbled on a couple of useful articles that spell it out.

UPDATE: had a conversation with a talented linux dns guy and discovered a few more useful things to note.

dns client resolver behavior
dns client resolution timeouts
dns forwarders and conditional forwarders resolution timeouts

in summary, it works as follows:

  • dns query sent to preferred
  • if no response within 1 second, dns query sent to alternate
  • if no response within 1 second, dns query sent to preferred again
  • if no response within 2 seconds, dns query sent to preferred and alternate
  • if no response within 4 seconds, dns query sent to preferred and alternate again
  • if no response within 7 seconds, process times out


something to note for linux systems, these appear to be default values:

  • timeout:n
    sets the amount of time the resolver will wait for a response from a remote name server before retrying the query via a different name server.  Measured in seconds, the default is RES_TIMEOUT (currently 5, see <resolv.h>).  The value for this option is silently capped to 30.
  • attempts:n
    sets the number of times the resolver will send a query to its name servers before giving up and returning an error to the calling application.  The default is RES_DFLRETRY (currently 2, see <resolv.h>).  The value for this option is silently capped to 5.
  • rotate
    sets RES_ROTATE in _res.options, which causes round-robin selection of name servers from among those listed.  This has the effect of spreading the query load among all listed servers, rather than having all clients try the first listed server first every time.
  • search
    Resolver queries having fewer than ndots dots (default is 1) in them will be attempted using each component of the search path in turn until a match is found.
  • ndots:n
    sets a threshold for the number of dots which must appear in a name given to res_query(3) (see resolver(3)) before an initial absolute query will be made.  The default for n is 1, meaning that if there are any dots in a name, the name will be tried first as an absolute name before any search list elements are appended to it.  The value for this option is silently capped to 15.

in summary, the timeout value indicates how long the client will wait until it tries the next server in the search list. the number of queries attempted per server is dependent on how ndots is configured. once the server list is exhausted, the attempts value indicates if the client should try the list again.

additional settings can be found here:

Aug 12, 2014

troubleshooting wmi…

this exhaustive series on troubleshooting wmi from the ask the performance team blog is too good to pass up. use of wmi is pervasive, guaranteeing that just about all of us have run into wmi issues at some point or another. if you haven’t yet, it’s only a matter of time. might as well do your homework.

here are the topics the series will be covering:

  • WMI: Common Symptoms and Errors
  • WMI: Repository Corruption, or Not?
  • WMI: Missing or Failing WMI Providers or Invalid WMI Class
  • WMI: High Memory Usage by WMI Service or Wmiprvse.exe
  • WMI: How to troubleshoot High CPU Usage by WMI Components
  • WMI: How to Troubleshoot WMI High Handle Count


i’ve blogged a few times about wmi myself:

Jul 24, 2014

misc: flying with cortana

if you’re a windows phone 8.1 user, you’re probably in love with cortana already. she is a fantastic organizer! despite all that, sometimes, she fails to understand your flight itinerary, especially on multi-leg flights. she might capture just one leg of the flight. so how do you fix it?

i looked for a way to do this but wasn’t able to find any well-documented procedures, so here’s my shot at it.

  • have cortana search for the flight information. in my test, i’m using aa1947 as an example.
  • click the Show AA 1947 updates link. this will add it to your itinerary.


if the date isn’t right, don’t worry. you can change it.

  • switch over to the interests section.
  • under travel, you should be able to find your flight information. click on it.


  • under the Flight date section, simply choose which date you’re interested in.

now cortana will track that flight for you.