Problem with group members : Directory object not found

    Question

  • Hello,

    I have a problem with some members of Groups in my Active Directory because they appear with a wrong DN.

    For example in the Group1, I add user1, who is in the DN test.dn.com/staff.

    But when I add him, he will be displayed in grey and with a DN "test.dn.com/External". (And if I click on him, I receive the message: Directory object not found).

    I only have problem with some users. And removing the user and adding him back to the group doesn't solve the problem.

    Thanks for your help


    Monday, September 20, 2010 10:29 AM

Answers

  • Sounds like either an Infrastructure Master or replication issue. I've seen this with either of these being not right.
    Active Directory, 4th Edition - www.briandesmond.com/ad4/ Blog - www.briandesmond.com
    Tuesday, September 21, 2010 2:58 AM
  • Hi,

    I also think this issue is related to the Infrastructure Master or Active Directory replication.

    Would you please let us know whether you changed any settings before the issue began? Please also check the Event Viewer for replication-related errors.

    As “Marcin Policht” mentioned, the infrastructure master and Global Catalog should not be configured on the same system. I would like to explain why this may possibly cause the issue you encountered:

    When an object on one domain controller references an object that is not on that domain controller, it represents that reference as a record containing the GUID, the SID (for references to security principals), and the distinguished name of the object being referenced. If the referenced object moves, its GUID does not change, its SID changes if the move is cross-domain, and its distinguished name always changes.

    The infrastructure master for a domain periodically examines the references, within its replica of the directory data, to objects not held on that domain controller. It queries a Global Catalog server for current information about the distinguished name and SID of each referenced object. If this information has changed, the infrastructure master makes the change in its local replica and also replicates the new values to other domain controllers within the domain.

    If the infrastructure master and Global Catalog are the same system, then the infrastructure master will not function (and it will post events in Event Viewer hourly stating so). If the infrastructure master and Global Catalog are on the same computer, the computer will never update any references because it does not contain any references to objects that it does not hold. That is because a Global Catalog server holds a partial replica of every object in the forest. If all of the domain controllers in a domain are Global Catalog servers, it does not matter which domain controller holds the infrastructure master role.

    If you do find some replication-related event errors, I would like to suggest you refer to the following links to troubleshoot them:

    http://technet.microsoft.com/en-us/library/bb727063.aspx

    http://technet.microsoft.com/en-us/library/bb727057.aspx

    Regards,


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Tuesday, September 21, 2010 7:33 AM
    Moderator
  • Are both domains in the same forest? If so, make sure that Infrastructure Master in the domain where the group resides does not reside on a DC designated as a Global Catalog. If not, verify trust relationship between domains. In both cases, make sure that relevant ports are open between domains by following http://support.microsoft.com/kb/179442

    hth
    Marcin

    Monday, September 20, 2010 5:32 PM
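The two conditions the answers above describe (Infrastructure Master placed on a Global Catalog in the group's domain, and a cross-domain member whose stored DN no longer resolves) can be checked from any machine with the RSAT ActiveDirectory module. The following script is an added example written for this thread; it is not code from any of the posters. It assumes the ActiveDirectory PowerShell module, an account that can read the group's `member` attribute, and placeholder names (`groupdomain.example`, `Group1`) that you replace with your own.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module and an
# account that can read the group's member attribute. Domain and group names are placeholders.
Import-Module ActiveDirectory

# Check 1: is the Infrastructure Master of a domain also a Global Catalog, and are
# all DCs of that domain GCs (in which case, as Arthur explains, placement does not matter)?
function Test-InfrastructureMasterPlacement {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $dom   = Get-ADDomain -Identity $Domain
    $im    = Get-ADDomainController -Identity $dom.InfrastructureMaster
    $dcs   = Get-ADDomainController -Filter * -Server $Domain
    $allGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0

    [pscustomobject]@{
        Domain               = $Domain
        InfrastructureMaster = $dom.InfrastructureMaster
        ImIsGlobalCatalog    = [bool]$im.IsGlobalCatalog
        AllDCsAreGC          = $allGc
        # Only "IM is a GC, but not every DC is a GC" means cross-domain references go stale.
        Misconfigured        = ([bool]$im.IsGlobalCatalog) -and (-not $allGc)
    }
}

# Check 2: for each DN stored in a group's member attribute, ask a Global Catalog (port 3268)
# whether an object with that DN still exists. A member whose stored DN no longer resolves
# is what ADUC shows greyed out with "Directory object not found".
function Test-GroupMemberReferences {
    param(
        [Parameter(Mandatory)][string]$GroupDN,
        [string]$GlobalCatalog = [string](Get-ADDomainController -Discover -Service GlobalCatalog).HostName
    )

    $group = Get-ADObject -Identity $GroupDN -Properties member
    foreach ($dn in $group.member) {
        try {
            $obj    = Get-ADObject -Identity $dn -Server "${GlobalCatalog}:3268"
            $status = 'OK'
        } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            $obj    = $null
            $status = 'STALE-REFERENCE'   # the GC has no object with this DN any more
        }
        [pscustomobject]@{
            MemberDN    = $dn
            Status      = $status
            ObjectClass = $obj.ObjectClass   # $null when the reference is stale
        }
    }
}

# Usage (placeholder names): run check 1 against the domain that holds the group, as Marcin's
# reply says, then check 2 against the group whose members are displayed incorrectly.
Test-InfrastructureMasterPlacement -Domain 'groupdomain.example' | Format-List
Test-GroupMemberReferences -GroupDN 'CN=Group1,OU=Groups,DC=groupdomain,DC=example' | Format-Table
```

`Misconfigured` is only true for the combination both answers warn about: the role holder is a GC while at least one other DC in that domain is not. Replication health itself, which Arthur's post asks you to verify in Event Viewer, is quicker to summarise with `repadmin /replsummary` on a DC.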

All replies

  • Where exactly are you getting the value of DN attribute (which format, btw. is in fact different from the one you provided)?

    Can you post the output of

    dsquery user domainroot -name username

    where username is the account name of the user in question?

    hth
    Marcin


    Monday, September 20, 2010 10:44 AM
  • Can you try browsing from ADUC and right click on the user, select properties, click on the "Member Of" tab, click add and add the group membership from here.  Does that work?  Otherwise can you post the following?

    adfind -f "(&(objectcategory=person)(samaccountname=samAccountName*))"

    Make sure to change the second samaccountname to the user in question.

    If you don't already have ADFind http://www.joeware.net/freetools/tools/adfind/index.htm

    http://www.joeware.net/freetools/tools/adfind/usage.htm


    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs

    Please no e-mails, any questions should be posted in the NewsGroup This
    posting is provided "AS IS" with no warranties, and confers no rights.

    Monday, September 20, 2010 12:11 PM
    Moderator
  • Hello,

    Thank you for your answer.

    I tried dsquery user domainroot -name user1 but I got nothing.

    I also saw that the problem does not appear in an MMC directly on the DC server.

    But it appears on the other servers and computers.


    @pbbergs: I did not see your answer. I will try it.

    Monday, September 20, 2010 1:08 PM
  • Where exactly are you getting the value of DN attribute that you listed?

    hth
    Marcin

    Monday, September 20, 2010 2:33 PM
  • It's in an MMC (Active Directory Users and Computers)
    Monday, September 20, 2010 4:42 PM
  • Describe steps you go through and list exactly what you see on the Object tab of the user account - and on the Members tab of a group you added that user to.

    hth
    Marcin

    Monday, September 20, 2010 4:50 PM
  • I checked with AdFind:

    The DN is CN=user1,OU=staff,DC=test,DC=dn,DC=com

    The group1 is not shown in memberof.

    I'm sorry I can't give the real output because of security.

    However, I don't have the problem if I add user1 to a group in the same domain as him. It's only when I add him to a group of another domain. (I should point out that other users are in the same situation but don't have the problem.)


    Monday, September 20, 2010 5:09 PM
  • Check the link below and verify that the membership you are attempting is supported with the group you are attempting to join it to.

    http://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx


    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs

    Please no e-mails, any questions should be posted in the NewsGroup This
    posting is provided "AS IS" with no warranties, and confers no rights.

    Tuesday, September 21, 2010 1:27 AM
    Moderator
  • Thank you Arthur for all these precisions.

    I will try it with my manager when he is back.


    Wednesday, September 22, 2010 9:09 AM