Solved

Active Directory Users and Computers Find

Posted on 2011-02-22
21
690 Views
Last Modified: 2012-05-11
We have a mixture of 40 Win 2003/2008 DC's in our Domain and when trying to find a user in ADUC, some of the DC's are returning strange results.  Previously if i searched for a user account using find in ADUC by entering the firstname and surname, the result would return the one user i had searched for.  Now some of our DC's are returning multiple results as if it is searching the first and suname individually.  Example, searching John Doe would usually return the user John Doe, but on some DC's it now returns every user called John or any user with John somewhere in the name like Johnson for example.  If i do an LDAP query using custom search this returns the one user i am searching for correctly.  I know this may not seem like a major problem but i have a lot of admins who use the find feature and dont know how to do an LDAP query so need to resolve this.  
0
Comment
Question by:ExproChrisDillon
21 Comments
 

Author Comment

by:ExproChrisDillon
ID: 34950093
this error is not specific to an operating system, it is happening on both win 2003 and 2008.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34950162
That's normal. GUI uses for query these fields: First Name, Last Name and login
When you use custom search you have to specify searching criteria :)

Regards,
Krzysztof
0
 
LVL 17

Expert Comment

by:Sikhumbuzo Ntsada
ID: 34950188
My gut feeling is the problem could be your functional levels please check if you are running 2008 domain controllers with 2003 functional level, if not the problem is caused by domain controllers not updating their records regularly
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 

Author Comment

by:ExproChrisDillon
ID: 34950191
its not normal, otherwise it would be the same on all of my DC's.  
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34950194
Hey :)

I did find out a little more since you last raised this issue, on each of the servers concerned can you run a custom search with this LDAP filter:

(anr=John Doe)

It should behave in the same way on each given that controls for it appear to be directory level. That said, it would be nice to see if it's producing ambiguous results because of this.

The documentation on Ambiguous Name Resolution, ANR, is pretty decent:

http://technet.microsoft.com/en-us/library/cc978014.aspx

Chris
0
 

Author Comment

by:ExproChrisDillon
ID: 34950198
Santais24 - i am at 2003 funtional level running 2008 DC's.  
0
 

Author Comment

by:ExproChrisDillon
ID: 34950209
Thanks Chris, will check this out and get back to you.
0
 

Author Comment

by:ExproChrisDillon
ID: 34950249
Chris-Dent - When i use ANR, it does produce the same results as the standard Find on each DC.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34950267

Well that's good, at least we know which bit is buggering up. Now we just have to figure out why it's different. Hmm, I need to look around.

Chris
0
 

Author Comment

by:ExproChrisDillon
ID: 34950331
Thanks!!
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34950702

Hmm so can you run this and see if you get anything different depending on DC?

dsquery * "CN=schema,CN=configuration,DC=yourdomain,DC=com" -filter "(searchFlags:1.2.840.113556.1.4.803:=5)"

It should match across the forest as it's stored in the schema.

I'm having trouble locating anything to do with ANR that can be configured on individual DCs.

Chris
0
 

Author Comment

by:ExproChrisDillon
ID: 34950871
I get the same output on each DC.

Thanks
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34950942
Good, otherwise would be very bad :)

Hmm so I'm still having a great deal of trouble finding any indication of Domain Controller specific ANR configuration (except by different service pack levels, etc).

I wonder if it would be worth trying to trace the actual LDAP query it expands anr= to, if I can find out how we might do that ;)

Chris
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34951500
Just curious, had you considered calling Product Support Services over this one? It's a hell of an odd problem. I'm still failing to find any way of setting up how it behaves below forest-level, more registry entries to find though :)

Chris
0
 

Author Comment

by:ExproChrisDillon
ID: 34951527
that was going to be my next step because i am completely lost with it!!  :(
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34951550
It'd be nice if I could come up with some relevant registry keys to check, doesn't seem like a particularly easy thing to check so I have trouble seeing how it ended up that way in the first place...

Chris
0
 

Author Comment

by:ExproChrisDillon
ID: 34951580
yeah its confusing the hell out of me!
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34951590

Maybe you can browse through some of the registry entries here? :)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS

It'll be fun! :)

Chris
0
 

Author Comment

by:ExproChrisDillon
ID: 34962066
i have opened a case with Microsoft, will let you know the results.
0
 

Accepted Solution

by:
ExproChrisDillon earned 0 total points
ID: 35015713
We have managed to resolve this issue.  We have Quest Change Auditor Agent 5.1.72 installed which broke ANR searches.  Upgraded to version 5.1.85 and this issue is resolved.  I had no idea this agent could affect AD in such a way.  

Chris-Dent, thanks for your help.

Can someone tell me how to close this off?  Chris-Dent was able to establish which part was broken but Microsoft solved the overall problem, do i split the points?
0
 

Author Closing Comment

by:ExproChrisDillon
ID: 35135760
Resolved by Microsoft.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Synchronize a new Active Directory domain with an existing Office 365 tenant
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

778 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question