• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 696
  • Last Modified:

Active Directory Users and Computers Find

We have a mixture of 40 Win 2003/2008 DC's in our Domain and when trying to find a user in ADUC, some of the DC's are returning strange results.  Previously if i searched for a user account using find in ADUC by entering the firstname and surname, the result would return the one user i had searched for.  Now some of our DC's are returning multiple results as if it is searching the first and suname individually.  Example, searching John Doe would usually return the user John Doe, but on some DC's it now returns every user called John or any user with John somewhere in the name like Johnson for example.  If i do an LDAP query using custom search this returns the one user i am searching for correctly.  I know this may not seem like a major problem but i have a lot of admins who use the find feature and dont know how to do an LDAP query so need to resolve this.  
0
ExproChrisDillon
Asked:
ExproChrisDillon
1 Solution
 
ExproChrisDillonAuthor Commented:
this error is not specific to an operating system, it is happening on both win 2003 and 2008.
0
 
Krzysztof PytkoActive Directory EngineerCommented:
That's normal. GUI uses for query these fields: First Name, Last Name and login
When you use custom search you have to specify searching criteria :)

Regards,
Krzysztof
0
 
Sikhumbuzo NtsadaCommented:
My gut feeling is the problem could be your functional levels please check if you are running 2008 domain controllers with 2003 functional level, if not the problem is caused by domain controllers not updating their records regularly
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 
ExproChrisDillonAuthor Commented:
its not normal, otherwise it would be the same on all of my DC's.  
0
 
Chris DentPowerShell DeveloperCommented:
Hey :)

I did find out a little more since you last raised this issue, on each of the servers concerned can you run a custom search with this LDAP filter:

(anr=John Doe)

It should behave in the same way on each given that controls for it appear to be directory level. That said, it would be nice to see if it's producing ambiguous results because of this.

The documentation on Ambiguous Name Resolution, ANR, is pretty decent:

http://technet.microsoft.com/en-us/library/cc978014.aspx

Chris
0
 
ExproChrisDillonAuthor Commented:
Santais24 - i am at 2003 funtional level running 2008 DC's.  
0
 
ExproChrisDillonAuthor Commented:
Thanks Chris, will check this out and get back to you.
0
 
ExproChrisDillonAuthor Commented:
Chris-Dent - When i use ANR, it does produce the same results as the standard Find on each DC.
0
 
Chris DentPowerShell DeveloperCommented:

Well that's good, at least we know which bit is buggering up. Now we just have to figure out why it's different. Hmm, I need to look around.

Chris
0
 
ExproChrisDillonAuthor Commented:
Thanks!!
0
 
Chris DentPowerShell DeveloperCommented:

Hmm so can you run this and see if you get anything different depending on DC?

dsquery * "CN=schema,CN=configuration,DC=yourdomain,DC=com" -filter "(searchFlags:1.2.840.113556.1.4.803:=5)"

It should match across the forest as it's stored in the schema.

I'm having trouble locating anything to do with ANR that can be configured on individual DCs.

Chris
0
 
ExproChrisDillonAuthor Commented:
I get the same output on each DC.

Thanks
0
 
Chris DentPowerShell DeveloperCommented:
Good, otherwise would be very bad :)

Hmm so I'm still having a great deal of trouble finding any indication of Domain Controller specific ANR configuration (except by different service pack levels, etc).

I wonder if it would be worth trying to trace the actual LDAP query it expands anr= to, if I can find out how we might do that ;)

Chris
0
 
Chris DentPowerShell DeveloperCommented:
Just curious, had you considered calling Product Support Services over this one? It's a hell of an odd problem. I'm still failing to find any way of setting up how it behaves below forest-level, more registry entries to find though :)

Chris
0
 
ExproChrisDillonAuthor Commented:
that was going to be my next step because i am completely lost with it!!  :(
0
 
Chris DentPowerShell DeveloperCommented:
It'd be nice if I could come up with some relevant registry keys to check, doesn't seem like a particularly easy thing to check so I have trouble seeing how it ended up that way in the first place...

Chris
0
 
ExproChrisDillonAuthor Commented:
yeah its confusing the hell out of me!
0
 
Chris DentPowerShell DeveloperCommented:

Maybe you can browse through some of the registry entries here? :)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS

It'll be fun! :)

Chris
0
 
ExproChrisDillonAuthor Commented:
i have opened a case with Microsoft, will let you know the results.
0
 
ExproChrisDillonAuthor Commented:
We have managed to resolve this issue.  We have Quest Change Auditor Agent 5.1.72 installed which broke ANR searches.  Upgraded to version 5.1.85 and this issue is resolved.  I had no idea this agent could affect AD in such a way.  

Chris-Dent, thanks for your help.

Can someone tell me how to close this off?  Chris-Dent was able to establish which part was broken but Microsoft solved the overall problem, do i split the points?
0
 
ExproChrisDillonAuthor Commented:
Resolved by Microsoft.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now