ADfind - memberOf Not Returning from Subdomain when host is the parent domain

Posted on 2011-02-28
Last Modified: 2012-05-11
I am using ADfind to query a parent domain for user details (in specific the cn givenName sn sAMAccountName and memberOf fields).  When I point to the parent domain, it pulls all info for members of the parent domain, and everything but the memberOf list for the subdomain.  If I point it to the subdomain, it works fully.  Any ideas why?

This only returns member of if the username belongs to the parent domain
adfind.exe -b -h DOMAIN.NAME -gc -t 10 -f "sAMAccountName=USERNAME" cn givenName sn sAMAccountName memberOf

This works normally both for users in the sub and the parent domain
adfind.exe -b -h SUB.DOMAIN.NAME -gc -t 10 -f "sAMAccountName=USERNAME" cn givenName sn sAMAccountName memberOf

Question by:SaintRonin
LVL 9

Expert Comment

by:Chev_PCN
ID: 35004306
This could be a permissions issue. Please check that the account you are using to run ADFind has the same rights in both the root and child domains.
0
 

Author Comment

by:SaintRonin
ID: 35007062
Which rights in specific would apply to this field?  

I am not in control of the test environment, but allegedly there is a lookup user for each domain, and when I forced ADfind to use a username/password combination I did not see any change.  It almost seems more like a communications issue than a permissions issue although I do not know how to explain it.

It returns back all/most of a user's attributes with the exception of the memberOf field.  What sort of behavior should be expected if there are some AD / certificate errors going on between the two domains talking?  By the way, each domain has multiple DCs.  I am simply pointing to the main domain and it is deciding which actual server to authenticate against.
0
 
LVL 9

Expert Comment

by:Chev_PCN
ID: 35029176
What is your domain functional level in each domain? How many 2003 / 2008 DCs do you have? Try specifying a 2008 DC, and a 2003 DC in the root domain and see if there is a difference.
0

Author Comment

by:SaintRonin
ID: 35032238
All servers are 2003 R2 64-bit.  Since I am not the system admin, I do not know the details of how their infrastructure is configured.  The ADfind utility is really just being used to dump user data into a text file.  That is where my work really begins, but since I depend on reliable data from ADfind, I need it to work reliably.  

Is there any reason that memberOf data would not be shared bi-directionally between a root and sub domain?
0
 
LVL 9

Accepted Solution

by:
Chev_PCN earned 1500 total points
ID: 35034090
OK, I'm guessing now, but is it possible that the groups are not showing up because they are "Domain Local" type? Also make sure that if some of your DCs are not GCs, that you point AD to one that is.
0
 

Author Comment

by:SaintRonin
ID: 35039679
Chev,

Checking on that now.  It sounds plausible to me. :-)
0
 

Author Closing Comment

by:SaintRonin
ID: 35074452
I could not get a straight answer on the groups, and pointing it to the subdomain worked.  Personally, I think this was the most likely source of the issue, but I cannot confirm it.
0
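
One way to check the symptom described in this thread, as an added example that is not part of the original posts: parse two AdFind text dumps (one taken against the parent domain, one against the subdomain) and list the memberOf values that only the subdomain dump contains. The sample dumps and all domain, user and group names are constructed, and `parse_adfind`, `groups_by_account` and `missing_memberships` are hypothetical helper names.

```python
from collections import defaultdict

# Constructed sample dumps in AdFind's default "dn:" / ">attr: value" layout.
# Domain, user and group names are made up for this example.
PARENT_DUMP = """\
dn:CN=Jane Doe,OU=Staff,DC=sub,DC=example,DC=test
>cn: Jane Doe
>sAMAccountName: jdoe
>memberOf: CN=All Staff,OU=Groups,DC=example,DC=test

1 Objects returned
"""
SUB_DUMP = """\
dn:CN=Jane Doe,OU=Staff,DC=sub,DC=example,DC=test
>cn: Jane Doe
>sAMAccountName: jdoe
>memberOf: CN=All Staff,OU=Groups,DC=example,DC=test
>memberOf: CN=Sub File Readers,OU=Groups,DC=sub,DC=example,DC=test

1 Objects returned
"""

def parse_adfind(text):
    """Return {dn: {attr: [values]}}; banner and summary lines are skipped."""
    records, current = {}, None
    for line in text.splitlines():
        if line.startswith("dn:"):
            current = records.setdefault(line[3:].strip(), defaultdict(list))
        elif line.startswith(">") and current is not None:
            attr, sep, value = line[1:].partition(": ")
            if sep:  # multi-valued attributes repeat, one value per line
                current[attr].append(value)
    return records

def groups_by_account(records):
    """Map lowercased sAMAccountName -> set of lowercased memberOf DNs."""
    out = {}
    for attrs in records.values():
        for name in attrs.get("sAMAccountName", []):
            out[name.lower()] = {g.lower() for g in attrs.get("memberOf", [])}
    return out

def missing_memberships(partial_dump, full_dump):
    """Per account, groups listed in full_dump but absent from partial_dump."""
    partial = groups_by_account(parse_adfind(partial_dump))
    full = groups_by_account(parse_adfind(full_dump))
    gaps = {a: sorted(g - partial.get(a, set())) for a, g in full.items()}
    return {a: g for a, g in gaps.items() if g}

if __name__ == "__main__":
    print(missing_memberships(PARENT_DUMP, SUB_DUMP))
```

A non-empty result means the parent-domain dump under-reports group membership for those accounts and should not be used on its own for an access review.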
