Solved

ADfind - memberOf Not Returning from Subdomain when host is the parent domain

Posted on 2011-02-28
7
1,603 Views
Last Modified: 2012-05-11
I am using ADfind to query a parent domain for user details (in specific the cn givenName sn sAMAccountName and memberOf fields).  When I point to the parent domain, it pulls all info for members of the parent domain, and everything but the memberOf list for the subdomain.  If I point it to the subdomain, it works fully.  Any ideas why?

This only returns member of if the username belongs to the parent domain
adfind.exe -b -h DOMAIN.NAME -gc -t 10 -f "sAMAccountName=USERNAME" cn givenName sn sAMAccountName memberOf

Open in new window


This works normally both for users in the sub and the parent domain
adfind.exe -b -h SUB.DOMAIN.NAME -gc -t 10 -f "sAMAccountName=USERNAME" cn givenName sn sAMAccountName memberOf

Open in new window

0
Comment
Question by:SaintRonin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 9

Expert Comment

by:Chev_PCN
ID: 35004306
This could be a permissions issue. Please check that the account you are using to run ADFind has the same rights in both the root and child domains.
0
 

Author Comment

by:SaintRonin
ID: 35007062
Which rights in specific would apply to this field?  

I am not in control of the test environment, but allegedly there is a lookup user for each domain, and when I forced ADfind to use a username/password combination I did not see any change.  It almost seems more like a communications issue than a permissions issue although I do not know how to explain it.

It returns back all/most of a user's attributes with the exception of the memberOf field.  What sort of behavior should be expected if their are some AD / certificate errors going on between the two domains talking?  By the way, each domain has multiple DCs.  I am simply pointing to the main domain and it is deciding which actual server to authenticate against.
0
 
LVL 9

Expert Comment

by:Chev_PCN
ID: 35029176
What is your domain functional level in each domain? How many 2003 / 2008 DC's do you have? Try specifying a 2008 DC, and a 2003 DC in the root domain and see if there is a difference.
0
Revamp Your Training Process

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action.

 

Author Comment

by:SaintRonin
ID: 35032238
All servers are 2003 R2 64-bit.  Since I am not the system admin, I do not know the details of how their infrastructure is configured.  The ADfind utility is really just being used to dump user data into a text file.  That is where my work really begins, but since I depend on reliable data from ADfind, I need it to work reliably.  

Is there any reason that memberOf data would not be shared bi-directionally between a root and sub domain?
0
 
LVL 9

Accepted Solution

by:
Chev_PCN earned 500 total points
ID: 35034090
OK, I'm guessing now, but is is possible that the groups are not showing up because they are "Domain Local" type? Also make sure that if some of your DC's are not GC's, that you point AD to one that is.
0
 

Author Comment

by:SaintRonin
ID: 35039679
Chev,

Checking on that now.  It sounds plausible to me. :-)
0
 

Author Closing Comment

by:SaintRonin
ID: 35074452
I could not get a straight answer on the groups, and pointing it to the subdomain worked.  Personally, I think this was the most likely source of the issue, but I cannot confirm it.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In-place Upgrading Dirsync to Azure AD Connect
Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

731 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question