ExproChrisDillon
asked on
Active Directory Users and Computers Find
We have a mixture of 40 Win 2003/2008 DC's in our Domain and when trying to find a user in ADUC, some of the DC's are returning strange results. Previously if i searched for a user account using find in ADUC by entering the firstname and surname, the result would return the one user i had searched for. Now some of our DC's are returning multiple results as if it is searching the first and suname individually. Example, searching John Doe would usually return the user John Doe, but on some DC's it now returns every user called John or any user with John somewhere in the name like Johnson for example. If i do an LDAP query using custom search this returns the one user i am searching for correctly. I know this may not seem like a major problem but i have a lot of admins who use the find feature and dont know how to do an LDAP query so need to resolve this.
That's normal. GUI uses for query these fields: First Name, Last Name and login
When you use custom search you have to specify searching criteria :)
Regards,
Krzysztof
When you use custom search you have to specify searching criteria :)
Regards,
Krzysztof
My gut feeling is the problem could be your functional levels please check if you are running 2008 domain controllers with 2003 functional level, if not the problem is caused by domain controllers not updating their records regularly
ASKER
its not normal, otherwise it would be the same on all of my DC's.
Hey :)
I did find out a little more since you last raised this issue, on each of the servers concerned can you run a custom search with this LDAP filter:
(anr=John Doe)
It should behave in the same way on each given that controls for it appear to be directory level. That said, it would be nice to see if it's producing ambiguous results because of this.
The documentation on Ambiguous Name Resolution, ANR, is pretty decent:
http://technet.microsoft.com/en-us/library/cc978014.aspx
Chris
I did find out a little more since you last raised this issue, on each of the servers concerned can you run a custom search with this LDAP filter:
(anr=John Doe)
It should behave in the same way on each given that controls for it appear to be directory level. That said, it would be nice to see if it's producing ambiguous results because of this.
The documentation on Ambiguous Name Resolution, ANR, is pretty decent:
http://technet.microsoft.com/en-us/library/cc978014.aspx
Chris
ASKER
Santais24 - i am at 2003 funtional level running 2008 DC's.
ASKER
Thanks Chris, will check this out and get back to you.
ASKER
Chris-Dent - When i use ANR, it does produce the same results as the standard Find on each DC.
Well that's good, at least we know which bit is buggering up. Now we just have to figure out why it's different. Hmm, I need to look around.
Chris
ASKER
Thanks!!
Hmm so can you run this and see if you get anything different depending on DC?
dsquery * "CN=schema,CN=configuratio
It should match across the forest as it's stored in the schema.
I'm having trouble locating anything to do with ANR that can be configured on individual DCs.
Chris
ASKER
I get the same output on each DC.
Thanks
Thanks
Good, otherwise would be very bad :)
Hmm so I'm still having a great deal of trouble finding any indication of Domain Controller specific ANR configuration (except by different service pack levels, etc).
I wonder if it would be worth trying to trace the actual LDAP query it expands anr= to, if I can find out how we might do that ;)
Chris
Hmm so I'm still having a great deal of trouble finding any indication of Domain Controller specific ANR configuration (except by different service pack levels, etc).
I wonder if it would be worth trying to trace the actual LDAP query it expands anr= to, if I can find out how we might do that ;)
Chris
Just curious, had you considered calling Product Support Services over this one? It's a hell of an odd problem. I'm still failing to find any way of setting up how it behaves below forest-level, more registry entries to find though :)
Chris
Chris
ASKER
that was going to be my next step because i am completely lost with it!! :(
It'd be nice if I could come up with some relevant registry keys to check, doesn't seem like a particularly easy thing to check so I have trouble seeing how it ended up that way in the first place...
Chris
Chris
ASKER
yeah its confusing the hell out of me!
Maybe you can browse through some of the registry entries here? :)
HKEY_LOCAL_MACHINE\SYSTEM\
It'll be fun! :)
Chris
ASKER
i have opened a case with Microsoft, will let you know the results.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Resolved by Microsoft.
ASKER