Active Directory Users and Computers Find

We have a mixture of 40 Win 2003/2008 DC's in our Domain and when trying to find a user in ADUC, some of the DC's are returning strange results.  Previously if i searched for a user account using find in ADUC by entering the firstname and surname, the result would return the one user i had searched for.  Now some of our DC's are returning multiple results as if it is searching the first and suname individually.  Example, searching John Doe would usually return the user John Doe, but on some DC's it now returns every user called John or any user with John somewhere in the name like Johnson for example.  If i do an LDAP query using custom search this returns the one user i am searching for correctly.  I know this may not seem like a major problem but i have a lot of admins who use the find feature and dont know how to do an LDAP query so need to resolve this.  
ExproChrisDillonAsked:
Who is Participating?
 
ExproChrisDillonConnect With a Mentor Author Commented:
We have managed to resolve this issue.  We have Quest Change Auditor Agent 5.1.72 installed which broke ANR searches.  Upgraded to version 5.1.85 and this issue is resolved.  I had no idea this agent could affect AD in such a way.  

Chris-Dent, thanks for your help.

Can someone tell me how to close this off?  Chris-Dent was able to establish which part was broken but Microsoft solved the overall problem, do i split the points?
0
 
ExproChrisDillonAuthor Commented:
this error is not specific to an operating system, it is happening on both win 2003 and 2008.
0
 
Krzysztof PytkoSenior Active Directory EngineerCommented:
That's normal. GUI uses for query these fields: First Name, Last Name and login
When you use custom search you have to specify searching criteria :)

Regards,
Krzysztof
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
Sikhumbuzo NtsadaSenior IT TechnicianCommented:
My gut feeling is the problem could be your functional levels please check if you are running 2008 domain controllers with 2003 functional level, if not the problem is caused by domain controllers not updating their records regularly
0
 
ExproChrisDillonAuthor Commented:
its not normal, otherwise it would be the same on all of my DC's.  
0
 
Chris DentPowerShell DeveloperCommented:
Hey :)

I did find out a little more since you last raised this issue, on each of the servers concerned can you run a custom search with this LDAP filter:

(anr=John Doe)

It should behave in the same way on each given that controls for it appear to be directory level. That said, it would be nice to see if it's producing ambiguous results because of this.

The documentation on Ambiguous Name Resolution, ANR, is pretty decent:

http://technet.microsoft.com/en-us/library/cc978014.aspx

Chris
0
 
ExproChrisDillonAuthor Commented:
Santais24 - i am at 2003 funtional level running 2008 DC's.  
0
 
ExproChrisDillonAuthor Commented:
Thanks Chris, will check this out and get back to you.
0
 
ExproChrisDillonAuthor Commented:
Chris-Dent - When i use ANR, it does produce the same results as the standard Find on each DC.
0
 
Chris DentPowerShell DeveloperCommented:

Well that's good, at least we know which bit is buggering up. Now we just have to figure out why it's different. Hmm, I need to look around.

Chris
0
 
ExproChrisDillonAuthor Commented:
Thanks!!
0
 
Chris DentPowerShell DeveloperCommented:

Hmm so can you run this and see if you get anything different depending on DC?

dsquery * "CN=schema,CN=configuration,DC=yourdomain,DC=com" -filter "(searchFlags:1.2.840.113556.1.4.803:=5)"

It should match across the forest as it's stored in the schema.

I'm having trouble locating anything to do with ANR that can be configured on individual DCs.

Chris
0
 
ExproChrisDillonAuthor Commented:
I get the same output on each DC.

Thanks
0
 
Chris DentPowerShell DeveloperCommented:
Good, otherwise would be very bad :)

Hmm so I'm still having a great deal of trouble finding any indication of Domain Controller specific ANR configuration (except by different service pack levels, etc).

I wonder if it would be worth trying to trace the actual LDAP query it expands anr= to, if I can find out how we might do that ;)

Chris
0
 
Chris DentPowerShell DeveloperCommented:
Just curious, had you considered calling Product Support Services over this one? It's a hell of an odd problem. I'm still failing to find any way of setting up how it behaves below forest-level, more registry entries to find though :)

Chris
0
 
ExproChrisDillonAuthor Commented:
that was going to be my next step because i am completely lost with it!!  :(
0
 
Chris DentPowerShell DeveloperCommented:
It'd be nice if I could come up with some relevant registry keys to check, doesn't seem like a particularly easy thing to check so I have trouble seeing how it ended up that way in the first place...

Chris
0
 
ExproChrisDillonAuthor Commented:
yeah its confusing the hell out of me!
0
 
Chris DentPowerShell DeveloperCommented:

Maybe you can browse through some of the registry entries here? :)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS

It'll be fun! :)

Chris
0
 
ExproChrisDillonAuthor Commented:
i have opened a case with Microsoft, will let you know the results.
0
 
ExproChrisDillonAuthor Commented:
Resolved by Microsoft.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.