Tuesday, October 18, 2011

Find Non Replicated Attributes in Active Directory

The quick hitter series is back and this entry was inspired by a colleague (thanks Funk!)

If you are querying AD, you may get inaccurate results if the attribute you are querying is not replicated between all domain controllers.  Two common attributes I see people having issues with are lastlogon and whenchanged.  Suppose you query for lastlogon and get a value.  That value may not be accurate, as there may be a newer value on another DC.  On a side note, for that issue lastlogontimestamp is usually good enough for most folks...but I digress.
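To make the lastlogon problem concrete, here is an added example (my own code, not part of the original post) that asks every DC in the domain for lastLogon and keeps the newest value, alongside the replicated lastLogonTimestamp for comparison.  It assumes the RSAT ActiveDirectory module is installed and that the caller can read user objects; the account name at the bottom is a placeholder.

```powershell
# Added example, not from the original post. lastLogon is not replicated, so each DC
# only knows about logons it handled itself; the only accurate answer is the newest
# value across all DCs. Requires the RSAT ActiveDirectory module and read access to
# the user object. The account name at the bottom is a placeholder.
Import-Module ActiveDirectory

function Get-AccurateLastLogon {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName
    )

    $perDc = foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $user = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                               -Properties lastLogon, lastLogonTimestamp
        } catch {
            # An unreachable DC contributes no value; say so rather than silently skipping it.
            Write-Warning "Skipping $($dc.HostName): $($_.Exception.Message)"
            continue
        }

        # Both attributes are FILETIME values (100 ns ticks since 1601-01-01 UTC).
        # 0 or empty means this DC has never authenticated the account.
        $lastLogon = $null
        if ($user.lastLogon) { $lastLogon = [DateTime]::FromFileTime($user.lastLogon) }
        $lastLogonTs = $null
        if ($user.lastLogonTimestamp) { $lastLogonTs = [DateTime]::FromFileTime($user.lastLogonTimestamp) }

        [pscustomobject]@{
            DC                 = $dc.HostName
            LastLogon          = $lastLogon
            LastLogonTimestamp = $lastLogonTs
        }
    }

    # lastLogon differs per DC: keep the newest. lastLogonTimestamp is replicated, so it
    # reads the same on every DC, but it is only refreshed when older than roughly two weeks.
    $newest = $perDc.LastLogon | Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1

    [pscustomobject]@{
        SamAccountName     = $SamAccountName
        NewestLastLogon    = $newest
        LastLogonTimestamp = ($perDc.LastLogonTimestamp | Where-Object { $_ } | Select-Object -First 1)
        DCsQueried         = @($perDc).Count
        PerDC              = $perDc
    }
}

$result = Get-AccurateLastLogon -SamAccountName 'jdoe'   # placeholder account name
$result.PerDC | Format-Table -AutoSize
$result | Select-Object SamAccountName, NewestLastLogon, LastLogonTimestamp, DCsQueried
```

The per-DC table is the interesting part: a DC that is down shows up as a warning instead of a silently missing value, and the lastLogon column will usually differ from DC to DC while lastLogonTimestamp is identical everywhere, which is exactly why a single-DC query can be wrong.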

Is there a way to find which attributes are not replicated between DCs?  The answer is yes, and there are various methods to find this information.  I once again go to the great ADFIND tool from MVP Joe Richards.  Joe was recently awarded the MVP for the 10th straight year, and that is well deserved.

Adfind has a ton of great shortcuts and one of them is to find non-replicated attributes.

adfind -sc norepl cn -nodn

I only output the cn of the object and didn't need the distinguished name, so I left that off with -nodn.

You can see part of the output below.  Notice the whenchanged attribute that was mentioned earlier.



systemFlags contains a flag that defines whether an attribute is replicated.  As the systemFlags documentation describes, if the bit with value 1 is set on an attribute, it will not be replicated.  So you could also get fancy with adfind and do something like

adfind -schema -bit -f "&(objectclass=attributeschema)(systemflags:AND:=1)" cn -nodn

That should give you exactly the same result as the previous command.  I'd personally always go with the shortcuts...they are there to make things easier...thanks Joe :)
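For those without adfind handy, here is an added example (my own code, not from the post or from adfind) that runs the same schema query with the ActiveDirectory module.  adfind's :AND: shortcut under -bit stands for the LDAP bitwise-AND matching rule OID 1.2.840.113556.1.4.803, which is what the filter below spells out.  It also adds the check I would actually want before writing a report: feed it the attributes you intend to query and it tells you which ones can differ from DC to DC.  It assumes the RSAT ActiveDirectory module; the function names are my own.

```powershell
# Added example, not from the original post. Same query as the adfind -bit command,
# written with the ActiveDirectory module. adfind's ":AND:" is the LDAP bitwise-AND
# matching rule 1.2.840.113556.1.4.803; systemFlags bit 0x1 marks an attribute as
# not replicated. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-NonReplicatedAttribute {
    param([string] $Server)   # optional DC to ask; default is the nearest DC

    $params = @{}
    if ($Server) { $params.Server = $Server }

    # -schema in adfind = base the search at the schema naming context
    $schemaNC = (Get-ADRootDSE @params).schemaNamingContext

    Get-ADObject @params -SearchBase $schemaNC `
        -LDAPFilter '(&(objectClass=attributeSchema)(systemFlags:1.2.840.113556.1.4.803:=1))' `
        -Properties lDAPDisplayName, systemFlags |
        Select-Object Name, lDAPDisplayName,
            @{ Name = 'systemFlags'; Expression = { '0x{0:X}' -f $_.systemFlags } }
}

# Check a list of attributes you plan to query and flag the ones whose value is
# DC-specific. Attribute names are compared case-insensitively by lDAPDisplayName.
function Test-AttributeReplicated {
    param([Parameter(Mandatory)] [string[]] $Attribute)

    $nonRepl = @{}
    Get-NonReplicatedAttribute | ForEach-Object { $nonRepl[$_.lDAPDisplayName.ToLower()] = $true }

    foreach ($a in $Attribute) {
        [pscustomobject]@{
            Attribute  = $a
            Replicated = -not $nonRepl.ContainsKey($a.ToLower())
        }
    }
}

# Full list, equivalent to "adfind -sc norepl cn -nodn" (cn is the Name column)
Get-NonReplicatedAttribute | Sort-Object lDAPDisplayName | Format-Table -AutoSize

# The two attributes from the post plus two replicated ones for contrast
Test-AttributeReplicated -Attribute lastLogon, whenChanged, lastLogonTimestamp, pwdLastSet
```

The second command is the useful habit: run your attribute list through Test-AttributeReplicated before trusting a single-DC query, and anything that comes back with Replicated set to False (lastLogon and whenChanged will, as the post describes) either needs to be collected from every DC or swapped for a replicated equivalent such as lastLogonTimestamp.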