Solved

Active Directory Users and Computers Find

Posted on 2011-02-22
21
692 Views
Last Modified: 2012-05-11
We have a mixture of 40 Win 2003/2008 DC's in our Domain and when trying to find a user in ADUC, some of the DC's are returning strange results.  Previously if i searched for a user account using find in ADUC by entering the firstname and surname, the result would return the one user i had searched for.  Now some of our DC's are returning multiple results as if it is searching the first and suname individually.  Example, searching John Doe would usually return the user John Doe, but on some DC's it now returns every user called John or any user with John somewhere in the name like Johnson for example.  If i do an LDAP query using custom search this returns the one user i am searching for correctly.  I know this may not seem like a major problem but i have a lot of admins who use the find feature and dont know how to do an LDAP query so need to resolve this.  
0
Comment
Question by:ExproChrisDillon
21 Comments
 

Author Comment

by:ExproChrisDillon
ID: 34950093
this error is not specific to an operating system, it is happening on both win 2003 and 2008.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34950162
That's normal. GUI uses for query these fields: First Name, Last Name and login
When you use custom search you have to specify searching criteria :)

Regards,
Krzysztof
0
 
LVL 17

Expert Comment

by:Sikhumbuzo Ntsada
ID: 34950188
My gut feeling is the problem could be your functional levels please check if you are running 2008 domain controllers with 2003 functional level, if not the problem is caused by domain controllers not updating their records regularly
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:ExproChrisDillon
ID: 34950191
its not normal, otherwise it would be the same on all of my DC's.  
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34950194
Hey :)

I did find out a little more since you last raised this issue, on each of the servers concerned can you run a custom search with this LDAP filter:

(anr=John Doe)

It should behave in the same way on each given that controls for it appear to be directory level. That said, it would be nice to see if it's producing ambiguous results because of this.

The documentation on Ambiguous Name Resolution, ANR, is pretty decent:

http://technet.microsoft.com/en-us/library/cc978014.aspx

Chris
0
 

Author Comment

by:ExproChrisDillon
ID: 34950198
Santais24 - i am at 2003 funtional level running 2008 DC's.  
0
 

Author Comment

by:ExproChrisDillon
ID: 34950209
Thanks Chris, will check this out and get back to you.
0
 

Author Comment

by:ExproChrisDillon
ID: 34950249
Chris-Dent - When i use ANR, it does produce the same results as the standard Find on each DC.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34950267

Well that's good, at least we know which bit is buggering up. Now we just have to figure out why it's different. Hmm, I need to look around.

Chris
0
 

Author Comment

by:ExproChrisDillon
ID: 34950331
Thanks!!
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34950702

Hmm so can you run this and see if you get anything different depending on DC?

dsquery * "CN=schema,CN=configuration,DC=yourdomain,DC=com" -filter "(searchFlags:1.2.840.113556.1.4.803:=5)"

It should match across the forest as it's stored in the schema.

I'm having trouble locating anything to do with ANR that can be configured on individual DCs.

Chris
0
 

Author Comment

by:ExproChrisDillon
ID: 34950871
I get the same output on each DC.

Thanks
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34950942
Good, otherwise would be very bad :)

Hmm so I'm still having a great deal of trouble finding any indication of Domain Controller specific ANR configuration (except by different service pack levels, etc).

I wonder if it would be worth trying to trace the actual LDAP query it expands anr= to, if I can find out how we might do that ;)

Chris
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34951500
Just curious, had you considered calling Product Support Services over this one? It's a hell of an odd problem. I'm still failing to find any way of setting up how it behaves below forest-level, more registry entries to find though :)

Chris
0
 

Author Comment

by:ExproChrisDillon
ID: 34951527
that was going to be my next step because i am completely lost with it!!  :(
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34951550
It'd be nice if I could come up with some relevant registry keys to check, doesn't seem like a particularly easy thing to check so I have trouble seeing how it ended up that way in the first place...

Chris
0
 

Author Comment

by:ExproChrisDillon
ID: 34951580
yeah its confusing the hell out of me!
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34951590

Maybe you can browse through some of the registry entries here? :)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS

It'll be fun! :)

Chris
0
 

Author Comment

by:ExproChrisDillon
ID: 34962066
i have opened a case with Microsoft, will let you know the results.
0
 

Accepted Solution

by:
ExproChrisDillon earned 0 total points
ID: 35015713
We have managed to resolve this issue.  We have Quest Change Auditor Agent 5.1.72 installed which broke ANR searches.  Upgraded to version 5.1.85 and this issue is resolved.  I had no idea this agent could affect AD in such a way.  

Chris-Dent, thanks for your help.

Can someone tell me how to close this off?  Chris-Dent was able to establish which part was broken but Microsoft solved the overall problem, do i split the points?
0
 

Author Closing Comment

by:ExproChrisDillon
ID: 35135760
Resolved by Microsoft.
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question