Get-QADUser PasswordLastSet child domain vs global catalog mismatch

I was using some PowerShell code I found online to remind OWA users (that don't get a reminder from Windows when they log in) that their pwd was going to expire. I found this code to allow one script to serve for both parent and child domain accounts. But the value for PasswordLastSet doesn't match between the info at the child domain controller and the GC...

When I run Get-QADUser username -SearchRoot "DC=mydomain,DC=com" -UseGlobalCatalog | select SamAccountName, PasswordLastSet, Domain

I get

SamAccountName   PasswordLastSet   Domain
username         9/29/2011 ...     CHILD

When I run Get-QADUser username -Service "childdc.mydomain.com" | select SamAccountName, PasswordLastSet, Domain

I get the correct Pwd last set value

SamAccountName   PasswordLastSet   Domain
username         9/17/2012 ...     CHILD

What is wrong w/ my AD if the global catalog doesn't appear to be receiving the updated information? How do I fix it so the GC has the up-to-date info?
schraudog Asked:
 
Navdeep Commented:
Hi,

Run the following command. You need to install resource kit tools

repadmin /syncall

or alternatively use replmon and manually sync the DC/GC or use Active Directory Sites and Services to sync the info.

Regards,
ExchangeADTech [v-2nas]
 
schraudog Author Commented:
When I do repadmin /syncall, the command completes successfully:


C:\Users\Administrator.mydomain>repadmin /syncall
CALLBACK MESSAGE: The following replication is in progress:
    From: d56c4641-30c6-4667-95bc-cd416b4e4e93._msdcs.mydomain.com
    To  : 7e1e3ffa-71a9-4dee-847f-d6a741c041cd._msdcs.mydomain.com
CALLBACK MESSAGE: The following replication completed successfully:
    From: d56c4641-30c6-4667-95bc-cd416b4e4e93._msdcs.mydomain.com
    To  : 7e1e3ffa-71a9-4dee-847f-d6a741c041cd._msdcs.mydomain.com
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.

But that is syncing between GCs in the parent only. No mention of syncing w/ the child DC. We don't seem to have any problems that we know about other than this field PasswordLastSet. Perhaps we have issues we don't know about.
 
Navdeep Commented:
Hi,

Do you have 2 users with the same samaccountname in the parent and child domain?

regards,
Navdeep
 
Subsun Commented:
I couldn't find any details on the PasswordLastSet property returned by Get-QADUser. I presume Get-QADUser converts the value in the pwdLastSet attribute into a date. If so, the pwdLastSet attribute is not replicated/stored in the global catalog by default and this search cannot be performed across an entire forest.

Pwd-Last-Set attribute
http://technet.microsoft.com/en-us/subscriptions/ms679430%28v=vs.85%29.aspx
 
schraudog Author Commented:
In the end, we found there was a replication issue between the child domain and the parent. The child domain had a corrupt AD database that needed to be defragged offline using these directions.

http://technet.microsoft.com/en-us/library/cc794920(v=ws.10).aspx

Now when running:
Get-QADUser username -SearchRoot "DC=mydomain,DC=com" -UseGlobalCatalog
and running:
Get-QADUser username -Service "childdc.mydomain.com"
they both return the same PasswordLastSet. It is just that the command using the GlobalCatalog is a LOT faster.

I give v-2nas the points: although repadmin /syncall didn't answer my question, it did put me on the right track. Thanks.
Question has a verified solution.
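
The comparison discussed in this thread (the child DC's value against the global catalog's, plus whether pwdLastSet is published to the GC at all) can be scripted as below. This is an added example, not code from any participant; it assumes Microsoft's ActiveDirectory module (RSAT) rather than the Quest cmdlets, and the function name, account name and GC host name are hypothetical placeholders.

```powershell
# Added example: compare pwdLastSet on the child-domain DC with the global catalog's copy.
# Assumes the ActiveDirectory module (RSAT); names in the sample call are placeholders.
Import-Module ActiveDirectory

function Compare-PwdLastSet {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $ChildDC,        # DC in the user's own domain
        [Parameter(Mandatory)] [string] $GlobalCatalog   # any GC host in the forest
    )

    # 1. Is pwdLastSet flagged for the partial attribute set (i.e. replicated to GCs)?
    $schemaNC = (Get-ADRootDSE -Server $ChildDC).schemaNamingContext
    $attr = Get-ADObject -Server $ChildDC -SearchBase $schemaNC `
        -LDAPFilter '(lDAPDisplayName=pwdLastSet)' `
        -Properties isMemberOfPartialAttributeSet

    # 2. Read the attribute from a DC of the user's domain (full, writable replica).
    $fromDC = Get-ADUser -Server $ChildDC -Identity $SamAccountName -Properties pwdLastSet

    # 3. Read the same object, by DN, from the GC port (3268, partial replica).
    $fromGC = Get-ADObject -Server "${GlobalCatalog}:3268" `
        -Identity $fromDC.DistinguishedName -Properties pwdLastSet

    # pwdLastSet is a FILETIME; empty or 0 means "not present" / "must change at next logon".
    $toDate = { param($ft) if ($ft) { [datetime]::FromFileTimeUtc([long]$ft) } }

    [pscustomobject]@{
        User                  = $fromDC.DistinguishedName
        InPartialAttributeSet = [bool]$attr.isMemberOfPartialAttributeSet
        ChildDcValueUtc       = & $toDate $fromDC.pwdLastSet
        GcValueUtc            = & $toDate $fromGC.pwdLastSet
        Match                 = ($fromDC.pwdLastSet -eq $fromGC.pwdLastSet)
    }
}

# Sample call with placeholder names:
# Compare-PwdLastSet -SamAccountName username -ChildDC childdc.mydomain.com -GlobalCatalog gc.mydomain.com
```

An empty GcValueUtc together with InPartialAttributeSet = False means the GC simply does not hold the attribute; two different dates point at replication between the child domain and the GC.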
