?
Solved

ADfind - memberOf Not Returning from Subdomain when host is the parent domain

Posted on 2011-02-28
7
Medium Priority
?
1,611 Views
Last Modified: 2012-05-11
I am using ADfind to query a parent domain for user details (in specific the cn givenName sn sAMAccountName and memberOf fields).  When I point to the parent domain, it pulls all info for members of the parent domain, and everything but the memberOf list for the subdomain.  If I point it to the subdomain, it works fully.  Any ideas why?

This only returns member of if the username belongs to the parent domain
adfind.exe -b -h DOMAIN.NAME -gc -t 10 -f "sAMAccountName=USERNAME" cn givenName sn sAMAccountName memberOf

Open in new window


This works normally both for users in the sub and the parent domain
adfind.exe -b -h SUB.DOMAIN.NAME -gc -t 10 -f "sAMAccountName=USERNAME" cn givenName sn sAMAccountName memberOf

Open in new window

0
Comment
Question by:SaintRonin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 9

Expert Comment

by:Chev_PCN
ID: 35004306
This could be a permissions issue. Please check that the account you are using to run ADFind has the same rights in both the root and child domains.
0
 

Author Comment

by:SaintRonin
ID: 35007062
Which rights in specific would apply to this field?  

I am not in control of the test environment, but allegedly there is a lookup user for each domain, and when I forced ADfind to use a username/password combination I did not see any change.  It almost seems more like a communications issue than a permissions issue although I do not know how to explain it.

It returns back all/most of a user's attributes with the exception of the memberOf field.  What sort of behavior should be expected if their are some AD / certificate errors going on between the two domains talking?  By the way, each domain has multiple DCs.  I am simply pointing to the main domain and it is deciding which actual server to authenticate against.
0
 
LVL 9

Expert Comment

by:Chev_PCN
ID: 35029176
What is your domain functional level in each domain? How many 2003 / 2008 DC's do you have? Try specifying a 2008 DC, and a 2003 DC in the root domain and see if there is a difference.
0
 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

 

Author Comment

by:SaintRonin
ID: 35032238
All servers are 2003 R2 64-bit.  Since I am not the system admin, I do not know the details of how their infrastructure is configured.  The ADfind utility is really just being used to dump user data into a text file.  That is where my work really begins, but since I depend on reliable data from ADfind, I need it to work reliably.  

Is there any reason that memberOf data would not be shared bi-directionally between a root and sub domain?
0
 
LVL 9

Accepted Solution

by:
Chev_PCN earned 1500 total points
ID: 35034090
OK, I'm guessing now, but is is possible that the groups are not showing up because they are "Domain Local" type? Also make sure that if some of your DC's are not GC's, that you point AD to one that is.
0
 

Author Comment

by:SaintRonin
ID: 35039679
Chev,

Checking on that now.  It sounds plausible to me. :-)
0
 

Author Closing Comment

by:SaintRonin
ID: 35074452
I could not get a straight answer on the groups, and pointing it to the subdomain worked.  Personally, I think this was the most likely source of the issue, but I cannot confirm it.
0

Featured Post

Get real performance insights from real users

Key features:
- Total Pages Views and Load times
- Top Pages Viewed and Load Times
- Real Time Site Page Build Performance
- Users’ Browser and Platform Performance
- Geographic User Breakdown
- And more

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
In this blog post, we’ll look at how using thread_statistics can cause high memory usage.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
In this video, Percona Solution Engineer Rick Golba discuss how (and why) you implement high availability in a database environment. To discuss how Percona Consulting can help with your design and architecture needs for your database and infrastr…
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question