Solved

Active Directory Users and Computers Find

Posted on 2011-02-22
21
685 Views
Last Modified: 2012-05-11
We have a mixture of 40 Win 2003/2008 DCs in our domain, and when trying to find a user in ADUC, some of the DCs are returning strange results.  Previously, if I searched for a user account using Find in ADUC by entering the first name and surname, the result would return the one user I had searched for.  Now some of our DCs are returning multiple results, as if it is searching the first name and surname individually.  For example, searching John Doe would usually return the user John Doe, but on some DCs it now returns every user called John or any user with John somewhere in the name, like Johnson for example.  If I do an LDAP query using custom search, this returns the one user I am searching for correctly.  I know this may not seem like a major problem, but I have a lot of admins who use the Find feature and don't know how to do an LDAP query, so I need to resolve this.
0
Comment
Question by:ExproChrisDillon
21 Comments
 

Author Comment

by:ExproChrisDillon
ID: 34950093
This error is not specific to an operating system; it is happening on both Win 2003 and 2008.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34950162
That's normal. The GUI uses these fields for the query: First Name, Last Name and login.
When you use custom search you have to specify the search criteria :)

Regards,
Krzysztof
0
 
LVL 17

Expert Comment

by:Sikhumbuzo Ntsada
ID: 34950188
My gut feeling is the problem could be your functional levels. Please check if you are running 2008 domain controllers with 2003 functional level; if not, the problem is caused by domain controllers not updating their records regularly.
0
 

Author Comment

by:ExproChrisDillon
ID: 34950191
It's not normal, otherwise it would be the same on all of my DCs.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34950194
Hey :)

I did find out a little more since you last raised this issue, on each of the servers concerned can you run a custom search with this LDAP filter:

(anr=John Doe)

It should behave in the same way on each given that controls for it appear to be directory level. That said, it would be nice to see if it's producing ambiguous results because of this.

The documentation on Ambiguous Name Resolution, ANR, is pretty decent:

http://technet.microsoft.com/en-us/library/cc978014.aspx

Chris
0
 

Author Comment

by:ExproChrisDillon
ID: 34950198
Santais24 - I am at 2003 functional level running 2008 DCs.
0
 

Author Comment

by:ExproChrisDillon
ID: 34950209
Thanks Chris, will check this out and get back to you.
0
 

Author Comment

by:ExproChrisDillon
ID: 34950249
Chris-Dent - When I use ANR, it does produce the same results as the standard Find on each DC.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34950267

Well that's good, at least we know which bit is buggering up. Now we just have to figure out why it's different. Hmm, I need to look around.

Chris
0
 

Author Comment

by:ExproChrisDillon
ID: 34950331
Thanks!!
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34950702

Hmm so can you run this and see if you get anything different depending on DC?

dsquery * "CN=schema,CN=configuration,DC=yourdomain,DC=com" -filter "(searchFlags:1.2.840.113556.1.4.803:=5)"

It should match across the forest as it's stored in the schema.

I'm having trouble locating anything to do with ANR that can be configured on individual DCs.

Chris
0
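The two checks suggested in this thread, the (anr=...) custom search and the schema searchFlags query, can be run against every DC in one pass so the divergent controllers stand out. This is an added example, not part of the original thread; the exact-match filter is an assumption (the thread does not show the custom query used), and the script expects a first name and a surname.

```powershell
# Added example: run the thread's filters against every DC and flag outliers.
param([string]$Name = 'John Doe')   # sample name taken from the thread

function ConvertTo-LdapLiteral([string]$Text) {
    # Escape characters that are special inside an LDAP filter value (RFC 4515).
    [regex]::Replace($Text, '[\\*()\x00]', { param($m) '\{0:x2}' -f [int][char]$m.Value })
}

function Get-MatchCount([string]$Path, [string]$Filter) {
    $root     = New-Object System.DirectoryServices.DirectoryEntry($Path)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $searcher.PageSize = 500    # paged search so large result sets are counted in full
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $results = $searcher.FindAll()
    try { $results.Count } finally { $results.Dispose(); $root.Dispose() }
}

$first, $last = $Name.Trim() -split '\s+', 2
$anrFilter    = '(anr={0})' -f (ConvertTo-LdapLiteral $Name)
# Assumed exact-match filter; the thread does not show the custom query that was used.
$exactFilter  = '(&(objectCategory=person)(givenName={0})(sn={1}))' -f `
                (ConvertTo-LdapLiteral $first), (ConvertTo-LdapLiteral $last)
# Schema filter exactly as posted in the thread.
$schemaFilter = '(searchFlags:1.2.840.113556.1.4.803:=5)'

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$report = foreach ($dc in $domain.DomainControllers) {
    $row = New-Object PSObject -Property @{
        DC = $dc.Name; Anr = $null; Exact = $null; SchemaAttrs = $null; Error = $null
    }
    try {
        # Bind to this specific DC so each query is answered by that server.
        $rootDse   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($dc.Name)/RootDSE")
        $defaultNc = [string]$rootDse.Properties['defaultNamingContext'].Value
        $schemaNc  = [string]$rootDse.Properties['schemaNamingContext'].Value
        $row.Anr         = Get-MatchCount "LDAP://$($dc.Name)/$defaultNc" $anrFilter
        $row.Exact       = Get-MatchCount "LDAP://$($dc.Name)/$defaultNc" $exactFilter
        $row.SchemaAttrs = Get-MatchCount "LDAP://$($dc.Name)/$schemaNc"  $schemaFilter
    } catch { $row.Error = $_.Exception.Message }
    $row
}

# The most common ANR count is treated as the baseline; a DC that differs is suspect.
$baseline = ($report | Group-Object Anr | Sort-Object Count -Descending |
             Select-Object -First 1).Name
$report | Select-Object DC, Anr, Exact, SchemaAttrs,
              @{n = 'Outlier'; e = { [string]$_.Anr -ne $baseline }}, Error |
    Format-Table -AutoSize
```

If SchemaAttrs matches on every DC while Anr does not, the schema-level ANR configuration is consistent and the difference lies in something local to the outlier DCs.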
 

Author Comment

by:ExproChrisDillon
ID: 34950871
I get the same output on each DC.

Thanks
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34950942
Good, otherwise would be very bad :)

Hmm so I'm still having a great deal of trouble finding any indication of Domain Controller specific ANR configuration (except by different service pack levels, etc).

I wonder if it would be worth trying to trace the actual LDAP query it expands anr= to, if I can find out how we might do that ;)

Chris
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34951500
Just curious, had you considered calling Product Support Services over this one? It's a hell of an odd problem. I'm still failing to find any way of setting up how it behaves below forest-level, more registry entries to find though :)

Chris
0
 

Author Comment

by:ExproChrisDillon
ID: 34951527
That was going to be my next step because I am completely lost with it!!  :(
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34951550
It'd be nice if I could come up with some relevant registry keys to check, doesn't seem like a particularly easy thing to check so I have trouble seeing how it ended up that way in the first place...

Chris
0
 

Author Comment

by:ExproChrisDillon
ID: 34951580
Yeah, it's confusing the hell out of me!
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34951590

Maybe you can browse through some of the registry entries here? :)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS

It'll be fun! :)

Chris
0
 

Author Comment

by:ExproChrisDillon
ID: 34962066
I have opened a case with Microsoft, will let you know the results.
0
 

Accepted Solution

by:
ExproChrisDillon earned 0 total points
ID: 35015713
We have managed to resolve this issue.  We have Quest Change Auditor Agent 5.1.72 installed which broke ANR searches.  Upgraded to version 5.1.85 and this issue is resolved.  I had no idea this agent could affect AD in such a way.  

Chris-Dent, thanks for your help.

Can someone tell me how to close this off?  Chris-Dent was able to establish which part was broken but Microsoft solved the overall problem, do I split the points?
0
 

Author Closing Comment

by:ExproChrisDillon
ID: 35135760
Resolved by Microsoft.
0
