When I lookup a user in AD, can the user have 2 entries across 2 controllers which are different? If lookup #1 returns an entry and a reference, do I need to follow the reference in order to gain additional information regarding the user? Or will the reference have the same information and hence can be ignored?
How do you look up the user entry? What kind of information are you trying to retrieve? If you have some code, it will be easier to understand what you are trying to do and what you are asking. – Harvey Kwok Jul 14 '12 at 04:33
Harvey - I am using LDAP to find user entries (keying off of userPrincipalName). The result comes back with the entry, but there are also some references. I don't understand why the AD controller sent the references with the entry. The user entry seems complete. Should I follow the references? – No One in Particular Jul 14 '12 at 04:42
1 Answer
userPrincipalName uniqueness is not enforced by Active Directory. It's the applications which create the user object or modify the userPrincipalName that are responsible for making sure it's unique across the forest. If Active Directory detects there is more than one user object with the same userPrincipalName assigned, the user will be unable to log on using that userPrincipalName. Check out this Microsoft KB for details.
There are a lot of reasons that you can receive an LDAP reference result. One common reason is that there are some child domains under a parent domain and you are trying to do a subtree search starting from the parent domain.
The domain controller from the parent domain cannot provide a complete answer to your query because some of the directory partitions are being taken care of by the domain controllers of the child domains. Therefore, it returns you some Subordinate References. It hints the client to follow the reference and get the complete result. For a complete list of reference results, you can check here.
If I understand your question correctly, you run an LDAP query based on the userPrincipalName and already got one entry back from the parent domain. You are asking whether you should stop the query or you should follow the reference and continue the query. I would say you should always follow the reference and continue the query. If you find more than one user object with the same userPrincipalName, you probably want to handle the case properly. For example, like what Windows does, stop the user from logging on or give a warning message somewhere.

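The referral-chasing behaviour the answer recommends, as an added example that is not part of the original answer. It uses a constructed in-memory stand-in for two domain controllers (`FAKE_DIRECTORY`, `fake_search`) instead of a live LDAP connection; the DNs, hostnames and UPNs are invented.

```python
from urllib.parse import urlparse

# Constructed stand-in for two domain controllers: the parent DC returns one
# matching entry plus a subordinate referral to the child domain, which holds
# a second object with the same UPN (the situation the answer warns about).
FAKE_DIRECTORY = {
    "DC=corp,DC=example": (
        [{"dn": "CN=Alice,OU=Users,DC=corp,DC=example",
          "userPrincipalName": "alice@corp.example"}],
        ["ldap://child.corp.example/DC=child,DC=corp,DC=example"],
    ),
    "DC=child,DC=corp,DC=example": (
        [{"dn": "CN=Alice Old,OU=Users,DC=child,DC=corp,DC=example",
          "userPrincipalName": "alice@corp.example"}],
        [],
    ),
}

def fake_search(base_dn, upn):
    """Stand-in for one subtree search (userPrincipalName=upn) against base_dn."""
    entries, refs = FAKE_DIRECTORY.get(base_dn, ([], []))
    return [e for e in entries if e["userPrincipalName"].lower() == upn.lower()], refs

def find_by_upn(upn, base_dn, search=fake_search, max_hops=10):
    """Collect every entry matching upn, chasing subordinate referrals.
    Each base DN is searched once (loop-safe); max_hops bounds total work."""
    pending, seen, found = [base_dn], set(), []
    while pending and len(seen) < max_hops:
        base = pending.pop(0)
        if base in seen:
            continue
        seen.add(base)
        entries, refs = search(base, upn)   # (entries, referral_uris)
        found.extend(entries)
        for uri in refs:
            # The path of an LDAP referral URL is the base DN of the partition.
            ref_dn = urlparse(uri).path.lstrip("/")
            if ref_dn and ref_dn not in seen:
                pending.append(ref_dn)
    return found

def resolve_unique_upn(upn, base_dn, search=fake_search):
    """Refuse an ambiguous UPN, as the answer says Windows does at logon."""
    matches = find_by_upn(upn, base_dn, search)
    if len(matches) != 1:
        raise LookupError(f"{upn}: expected 1 object, found {len(matches)}")
    return matches[0]
```

Stopping after the first entry from the parent domain would have silently returned the first object and missed the duplicate in the child partition.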
Harvey - great answer. I have come to the conclusion that the AD setup is messed up. The referral link you pointed to says (first sentence of the 2nd paragraph) that a referral is the controller's way of saying it doesn't have the requested entry, but thinks it knows where it is. In my case, it does have the entry and it gives me a referral. This seems to contradict the article. The dual update case is not applicable to this specific instance, but I will have to keep it in mind. Thanks! – No One in Particular Jul 14 '12 at 11:53