Solved

ADfind - memberOf Not Returning from Subdomain when host is the parent domain

Posted on 2011-02-28
7
1,588 Views
Last Modified: 2012-05-11
I am using ADfind to query a parent domain for user details (in specific the cn givenName sn sAMAccountName and memberOf fields).  When I point to the parent domain, it pulls all info for members of the parent domain, and everything but the memberOf list for the subdomain.  If I point it to the subdomain, it works fully.  Any ideas why?

This only returns member of if the username belongs to the parent domain
adfind.exe -b -h DOMAIN.NAME -gc -t 10 -f "sAMAccountName=USERNAME" cn givenName sn sAMAccountName memberOf

Open in new window


This works normally both for users in the sub and the parent domain
adfind.exe -b -h SUB.DOMAIN.NAME -gc -t 10 -f "sAMAccountName=USERNAME" cn givenName sn sAMAccountName memberOf

Open in new window

0
Comment
Question by:SaintRonin
  • 4
  • 3
7 Comments
 
LVL 9

Expert Comment

by:Chev_PCN
ID: 35004306
This could be a permissions issue. Please check that the account you are using to run ADFind has the same rights in both the root and child domains.
0
 

Author Comment

by:SaintRonin
ID: 35007062
Which rights in specific would apply to this field?  

I am not in control of the test environment, but allegedly there is a lookup user for each domain, and when I forced ADfind to use a username/password combination I did not see any change.  It almost seems more like a communications issue than a permissions issue although I do not know how to explain it.

It returns back all/most of a user's attributes with the exception of the memberOf field.  What sort of behavior should be expected if their are some AD / certificate errors going on between the two domains talking?  By the way, each domain has multiple DCs.  I am simply pointing to the main domain and it is deciding which actual server to authenticate against.
0
 
LVL 9

Expert Comment

by:Chev_PCN
ID: 35029176
What is your domain functional level in each domain? How many 2003 / 2008 DC's do you have? Try specifying a 2008 DC, and a 2003 DC in the root domain and see if there is a difference.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:SaintRonin
ID: 35032238
All servers are 2003 R2 64-bit.  Since I am not the system admin, I do not know the details of how their infrastructure is configured.  The ADfind utility is really just being used to dump user data into a text file.  That is where my work really begins, but since I depend on reliable data from ADfind, I need it to work reliably.  

Is there any reason that memberOf data would not be shared bi-directionally between a root and sub domain?
0
 
LVL 9

Accepted Solution

by:
Chev_PCN earned 500 total points
ID: 35034090
OK, I'm guessing now, but is is possible that the groups are not showing up because they are "Domain Local" type? Also make sure that if some of your DC's are not GC's, that you point AD to one that is.
0
 

Author Comment

by:SaintRonin
ID: 35039679
Chev,

Checking on that now.  It sounds plausible to me. :-)
0
 

Author Closing Comment

by:SaintRonin
ID: 35074452
I could not get a straight answer on the groups, and pointing it to the subdomain worked.  Personally, I think this was the most likely source of the issue, but I cannot confirm it.
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As technology users and professionals, we’re always learning. Our universal interest in advancing our knowledge of the trade is unmatched by most industries. It’s a curiosity that makes sense, given the climate of change. Within that, there lies a…
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question