
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1621

ADfind - memberOf Not Returning from Subdomain when host is the parent domain

I am using ADfind to query a parent domain for user details (specifically the cn, givenName, sn, sAMAccountName and memberOf fields).  When I point to the parent domain, it pulls all info for members of the parent domain, and everything but the memberOf list for the subdomain.  If I point it to the subdomain, it works fully.  Any ideas why?

This only returns memberOf if the user belongs to the parent domain:
adfind.exe -b -h DOMAIN.NAME -gc -t 10 -f "sAMAccountName=USERNAME" cn givenName sn sAMAccountName memberOf



This works normally for users in both the sub and the parent domain:
adfind.exe -b -h SUB.DOMAIN.NAME -gc -t 10 -f "sAMAccountName=USERNAME" cn givenName sn sAMAccountName memberOf


Asked by: SaintRonin
1 Solution
 
Chev_PCN commented:
This could be a permissions issue. Please check that the account you are using to run ADFind has the same rights in both the root and child domains.
 
SaintRonin (Author) commented:
Which rights specifically would apply to this field?

I am not in control of the test environment, but allegedly there is a lookup user for each domain, and when I forced ADfind to use a username/password combination I did not see any change.  It almost seems more like a communications issue than a permissions issue although I do not know how to explain it.

It returns all/most of a user's attributes with the exception of the memberOf field.  What sort of behavior should be expected if there are some AD / certificate errors going on between the two domains talking?  By the way, each domain has multiple DCs.  I am simply pointing to the main domain and it is deciding which actual server to authenticate against.
 
Chev_PCN commented:
What is your domain functional level in each domain? How many 2003 / 2008 DCs do you have? Try specifying a 2008 DC, and a 2003 DC in the root domain and see if there is a difference.
 
SaintRonin (Author) commented:
All servers are 2003 R2 64-bit.  Since I am not the system admin, I do not know the details of how their infrastructure is configured.  The ADfind utility is really just being used to dump user data into a text file.  That is where my work really begins, but since I depend on reliable data from ADfind, I need it to work reliably.  

Is there any reason that memberOf data would not be shared bi-directionally between a root and sub domain?
 
Chev_PCN commented:
OK, I'm guessing now, but is it possible that the groups are not showing up because they are "Domain Local" type? Also make sure that if some of your DCs are not GCs, that you point ADfind to one that is.
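The thread ends with a workaround (point ADfind at the child domain) rather than an explanation, so here is the mechanism and a way to check it. memberOf is not stored on the user object; each DC computes it from the member attribute of the group objects it holds. A global catalog (what -gc talks to, on port 3268) keeps a full replica of its own domain but only the partial attribute set for every other domain, and member is replicated to the GC only for universal groups. A root-domain GC therefore reports, for a child-domain user, root-domain groups and universal groups but not the child domain's global or domain-local groups, which matches the gap above and explains why a host in the child domain (full replica of its own groups) returns the complete list. The PowerShell below is an added example, not code from the thread or from the ADfind tool: it reads the user through the GC the way adfind -gc does, then asks each domain's own DCs (port 389) for groups whose member attribute names the user's DN, and decodes groupType so that Domain Local groups (Chev_PCN's guess) are visible in the output. It assumes a domain-joined Windows host, an account that can read member on the groups in every domain (the permission point raised above still applies), and a placeholder sAMAccountName.

```powershell
# Added example, not part of the original thread. Assumes a domain-joined host,
# an account able to read 'member' on groups in every domain, and a placeholder
# sAMAccountName passed on the command line.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName
)

Add-Type -AssemblyName System.DirectoryServices

function Get-UserViaGc {
    # Locate the user through the global catalog ("GC://" = port 3268), the
    # same path 'adfind -gc' uses. The memberOf returned here is computed
    # only from the 'member' links this GC replicates: full for its own
    # domain, universal groups only for other domains.
    param([string]$Sam)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("GC://")
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$Sam))"
    [void]$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'memberOf'))
    $searcher.FindOne()
}

function ConvertTo-GroupScope {
    # groupType flag bits: 0x2 global, 0x4 domain local, 0x8 universal.
    param([int]$GroupType)
    switch ($GroupType -band 0xE) {
        2       { 'Global' }
        4       { 'DomainLocal' }
        8       { 'Universal' }
        default { 'Unknown' }
    }
}

function Get-GroupsFromForwardLinks {
    # Ask every domain in the forest directly (LDAP://, port 389) for groups
    # whose 'member' attribute contains the user's DN. A domain's own DCs hold
    # the full replica, so global and domain-local groups appear here even
    # though a foreign GC never sees their 'member' values.
    param([string]$UserDn)
    $groups = @()
    # RFC 4515 escaping of the DN before it goes into the filter.
    $escaped = $UserDn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($domain in $forest.Domains) {
        $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($domain.Name)")
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
        $searcher.Filter = "(&(objectClass=group)(member=$escaped))"
        $searcher.PageSize = 500
        [void]$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'groupType'))
        foreach ($r in $searcher.FindAll()) {
            $groups += [pscustomobject]@{
                Domain = $domain.Name
                Scope  = ConvertTo-GroupScope -GroupType ([int]$r.Properties['grouptype'][0])
                Group  = [string]$r.Properties['distinguishedname'][0]
            }
        }
    }
    $groups
}

$user = Get-UserViaGc -Sam $SamAccountName
if (-not $user) { throw "No object with sAMAccountName=$SamAccountName found via GC" }

$dn         = [string]$user.Properties['distinguishedname'][0]
$viaGc      = @($user.Properties['memberof'] | ForEach-Object { [string]$_ })
$viaDomains = @(Get-GroupsFromForwardLinks -UserDn $dn)

"User DN: $dn"
""
"memberOf as returned through the GC ($($viaGc.Count)):"
$viaGc | Sort-Object
""
"Groups found via member= on each domain's own DCs ($($viaDomains.Count)):"
$viaDomains | Sort-Object Domain, Group | Format-Table Domain, Scope, Group -AutoSize
""
"Groups missing from the GC view (expect child-domain Global / DomainLocal here):"
$viaDomains | Where-Object { $viaGc -notcontains $_.Group } | Sort-Object Domain, Group | Format-Table Domain, Scope, Group -AutoSize
```

Run it as `.\Compare-MemberOf.ps1 -SamAccountName USERNAME` (script name is a placeholder) from a host in either domain; the last table is the set of groups the GC query above could never return. Only direct membership is collected here; the LDAP_MATCHING_RULE_IN_CHAIN rule (`member:1.2.840.113556.1.4.1941:=`) would also walk nested groups, but it requires Windows Server 2003 SP2 or later on the DC being queried, which the thread does not confirm for this environment.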
 
SaintRonin (Author) commented:
Chev,

Checking on that now.  It sounds plausible to me. :-)
 
SaintRonin (Author) commented:
I could not get a straight answer on the groups, and pointing it to the subdomain worked.  Personally, I think this was the most likely source of the issue, but I cannot confirm it.