Tuesday, October 18, 2011

Find Non Replicated Attributes in Active Directory

The quick hitter series is back and this entry was inspired by a colleague (thanks Funk!)

If you query AD for an attribute that is not replicated between all domain controllers, you may get inaccurate results. Two common attributes I see people having issues with are lastLogon and whenChanged. Suppose you query lastLogon on one DC and get a value. That value may not be accurate, because there may be a newer value on another DC. On a side note, for that particular problem lastLogonTimestamp is usually good enough for most folks...but I digress.

Is there a way to find which attributes are not replicated between DCs? Yes, and there are various methods to find this information. I once again turn to the great ADFIND tool from MVP Joe Richards. Joe was recently awarded the MVP for the 10th straight year, and that is well deserved.

Adfind has a ton of great shortcuts and one of them is to find non-replicated attributes.

adfind -sc norepl cn -nodn

I only output the cn of each object and didn't need the distinguished name, so I left that off with -nodn.

You can see part of the output below. Notice the whenChanged attribute that was mentioned earlier.

systemFlags contains a flag that defines whether an attribute is replicated. As you can see in the link, if bit value 1 is set in an attribute's systemFlags, that attribute will not be replicated. So you could also get fancy with adfind and do something like

adfind -schema -bit -f "(&(objectclass=attributeschema)(systemflags:AND:=1))" cn -nodn

That should give you the exact same result as the previous command. I'd personally always go with the shortcuts...they are there to make things easier...thanks Joe :)
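As an added example (not from the post and not part of adfind), here is the same idea in PowerShell with the ActiveDirectory module: the schema query spells out the bitwise-AND matching rule OID that adfind's -bit switch abbreviates as :AND:, and a second function shows why a non-replicated attribute such as lastLogon has to be read from every DC and compared. The account name 'jdoe' is a placeholder.

```powershell
# Added example, not from the post or the adfind tool. Needs the RSAT
# ActiveDirectory module and a session that can reach the domain.
Import-Module ActiveDirectory

# Bit 1 of systemFlags on an attributeSchema object marks it as not replicated
# (ADS_SYSTEMFLAG_ATTR_NOT_REPLICATED). The OID is LDAP_MATCHING_RULE_BIT_AND,
# which adfind's -bit switch lets you write as :AND:.
$NotReplicatedBit = 1
$BitAndRule = '1.2.840.113556.1.4.803'

function Get-NonReplicatedAttribute {
    # Same query as "adfind -sc norepl", run against the schema partition
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $filter = "(&(objectClass=attributeSchema)(systemFlags:${BitAndRule}:=$NotReplicatedBit))"
    Get-ADObject -SearchBase $schemaNC -LDAPFilter $filter -Properties lDAPDisplayName, systemFlags |
        Select-Object Name, lDAPDisplayName, systemFlags |
        Sort-Object lDAPDisplayName
}

function Get-AttributeFromEveryDC {
    # A non-replicated attribute has a separate value on every DC, so the only
    # reliable answer is to ask each DC and compare (for lastLogon: keep the newest).
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $Attribute = 'lastLogon'
    )
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $obj = Get-ADObject -Server $dc.HostName -LDAPFilter "(sAMAccountName=$SamAccountName)" -Properties $Attribute
            $raw = $obj.$Attribute
            # lastLogon is stored as a FILETIME; convert it when a value is present
            $asTime = if ($Attribute -eq 'lastLogon' -and $raw) { [DateTime]::FromFileTime($raw) } else { $null }
            [pscustomobject]@{ DC = $dc.HostName; Attribute = $Attribute; RawValue = $raw; AsTime = $asTime }
        } catch {
            Write-Warning "Could not query $($dc.HostName): $_"
        }
    }
}

# Usage ('jdoe' is a placeholder account name)
Get-NonReplicatedAttribute | Format-Table -AutoSize
Get-AttributeFromEveryDC -SamAccountName 'jdoe' | Sort-Object AsTime -Descending | Format-Table -AutoSize
```

The first row of the second command is the most recent lastLogon across all DCs, which is the value a single-DC query can silently miss.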

5 comments:

  1. Mike, that's a really good article and very helpful! Now it's easy to find out which attributes are not replicated between DCs and whose values cannot be relied on as the final output!

    Thank you for that, once again. I have now learnt a very easy way to find it out :) ... but of course I will do that using MS DS Tools ;)

    Regards,
    Krzysztof

  2. Come on Krzysztof, the DS tools don't have all the fun shortcuts :)

  3. You're right, Mike :) But I'm big fan of DS Tools and I can't imagine that I couldn't use them for that ;) I think that some day I would say "Good-bye" to them and will use PowerShell or EVEN adfind :P

    Anyway, it's good to have support from your side regarding AD stuff and the adfind tool with LDAP syntax :]

    I learn much from you! Thank you for that!

    Krzysztof

  4. Overall, a very good post! Thanks.

    FYI, you incorrectly mentioned in the first part of the article that attribute "whenCreated" wasn't replicated, when you correctly stated later that "whenChanged" wasn't a replicated attribute.

  5. Nice catch Anonymous, yeah, I meant whenchanged, which I had later in the blog post...updated the blog.
