We help IT Professionals succeed at work.

dsquery can give wrong results?

if the AD database is not maintained right, we could have wrong result in the following scenario:

The server is still in the database. so dsquery brings it back, but in reality, that server was trashed last year..

what about the other way:
can a server be on the domain and not in the AD database and hence not reported by dsquery ?

I think the problem is dsquery  is not real time, right?
Watch Question

Senior Solutions Architect
DSQuery is run only on execution so essentially it is real time.
You server may be trashed but there could still be a computer account for that record
Run a search in ADUC console for the names returned in dsquery..

Is this a DC or just an ordinary server?
If the AD database is corrupt it will complain.
I've not seen an AD database giving me "false information" except in the scenario where a DC was forcibly removed and a proper cleanup was not performed.
This could easily happen if you just format server without deleting the computer account.


this is just a regular server.

in the other scenario,
if the server is good and working on the domain fine, will it be in the AD database guaranteed? (is there potential for human error/oversight that there may not be an entry for this  machine on the AD)
Leon FesterSenior Solutions Architect

Only machines that have been joined to your domain will exist in AD.
Linux and UNix server for example won't always appear in AD unless they've been added.
Normally they don't get added, but the possibility exists.


in other words, if the machine is working well  on a domain, will dsquery *always* catch it and bring it back in the result?
Leon FesterSenior Solutions Architect
dsquery only queries the AD database.
Yes it should return all "working well on a domain machines"

Remeber, AD is a database so Garbage in = Garbage out.
If the AD database is dirty then you can possibly find incorrect results.

Dirty database is usually created when machines are just formatted and re-installed as new, without deleting the computer accounts or in the case of DC's running DCPROMO.

Computers that no longer physically exist can safely be deleted from AD.
You have the following options.
1. Search for and delete the computer account in ADUC.
2. Search for and delete the computer account in adsiedit.msc
3. Search for and delete the domain controllers in ntdsutil.


ok, great.

Explore More ContentExplore courses, solutions, and other research materials related to this topic.