Determine if ldap attribute must be unique value across the entire Domain

  • Question

  • Hi,  

    There are attributes that must be unique (sAMAccountName, legacyExchangeDN, distinguishedName, objectGUID) in an Active Directory Domain.

    My question is, how do I know if an attribute must have only one single value in the Active Directory?

    I assume this is defined somewhere in the schema of the LDAP, because on the attribute itself you cannot determine it, but when trying to add 2 mailboxes with the same name, you get a duplication error - so it's probably on the server somewhere.

    Thanks

    Thursday, May 24, 2018 6:46 AM

All replies

  • Hello,

    As far as I know you can't view this information using the standard MMC, I think you will have to dive into the MSDN documentation.

    Below are 2 articles regarding this:

    https://blogs.msdn.microsoft.com/openspecification/2009/07/10/understanding-unique-attributes-in-active-directory/

    https://blogs.technet.microsoft.com/389thoughts/2017/02/03/uniqueness-requirements-for-attributes-and-objects-in-active-directory/

    Best Regards,

    Thursday, May 24, 2018 10:29 AM
  • The Schema does not define which attributes must be unique. In fact conflicts can happen.

    If you attempt to create an object with the same RDN (Relative Distinguished Name) as another object in the parent OU or container, the system (the domain controller processing the object creation) recognizes the conflict immediately before saving the new object and raises an error. Duplicate RDN would result in a duplicate distinguished name. But two people connected to different domain controllers can create objects with the same RDN at nearly the same time (before replication makes the conflict apparent). But as soon as replication reveals the duplicates, the name of one of the objects is mangled to correct the situation. The system, the domain controller, does this.

    Similarly, two objects with the same sAMAccountName can be created. They would be created while connected to different domain controllers before replication prevents saving the duplicate. In this case, a process runs periodically on the DC with the PDC Emulator FSMO role to find duplicate sAMAccountName values. In my tests it took about 30 minutes, but some people have experienced longer. When the process detects a duplicate, one of the sAMAccountName values is mangled to make it unique. Details (and links to references) in this Wiki:

    https://social.technet.microsoft.com/wiki/contents/articles/15435.active-directory-duplicate-object-name-resolution.aspx

    The process used to create objectGUID values when an object is created is designed to make it very unlikely that there would ever be duplicates. The odds of a duplicate are very small, but not zero. I have never heard of a duplicate, and I do not know if there would be any remediation.

    Also, objectSID values must be unique, but since each DC gets a unique pool of RID values from the DC with the RID Master role, I cannot envision a scenario where there would be duplicates. If a DC runs out of RIDs, and the RID Master is not available, new objects cannot be saved. If somehow a duplicate did occur, I have no idea how the system would react.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Thursday, May 24, 2018 12:31 PM
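As an added example (not part of the thread or of any Microsoft tooling), the following read-only PowerShell audit looks for the two outcomes Richard describes: RDNs mangled after a replication conflict, and sAMAccountName values mangled by the PDC Emulator's duplicate check, plus duplicates that have replicated but not yet been mangled. It assumes the RSAT ActiveDirectory module is installed and that the caller can read the domain; the "\0ACNF:" and "$DUPLICATE-" name forms are the documented mangling formats and are not quoted from this page.

```powershell
# Added example, not from the thread: audit one domain for duplicate-name
# resolution artifacts. Read-only; assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Query the PDC Emulator: it runs the duplicate-sAMAccountName check, so it
# holds the most current view of which objects have already been renamed.
$Domain = Get-ADDomain
$Dc     = $Domain.PDCEmulator
$Base   = $Domain.DistinguishedName

# 1. Objects already mangled by the system:
#    - RDN conflict: CN becomes "<name>" + 0x0A + "CNF:" + objectGUID
#      (the newline byte is written as \0A in LDAP filter syntax)
#    - duplicate sAMAccountName: value becomes "$DUPLICATE-<RID in hex>"
$Mangled = Get-ADObject -Server $Dc -SearchBase $Base `
    -LDAPFilter '(|(cn=*\0ACNF:*)(sAMAccountName=$DUPLICATE-*))' `
    -Properties sAMAccountName, objectGUID, whenChanged

# 2. Duplicate sAMAccountName values that replicated but have not yet been
#    mangled (the window Richard measured at roughly 30 minutes, sometimes more).
#    Group-Object compares case-insensitively by default, matching AD semantics.
$Dups = Get-ADObject -Server $Dc -SearchBase $Base `
    -LDAPFilter '(sAMAccountName=*)' -Properties sAMAccountName |
    Group-Object -Property sAMAccountName |
    Where-Object { $_.Count -gt 1 }

"== Objects renamed by conflict resolution (queried on $Dc) =="
$Mangled | Select-Object DistinguishedName, sAMAccountName, objectGUID, whenChanged |
    Format-Table -AutoSize

"== sAMAccountName values currently held by more than one object =="
foreach ($g in $Dups) {
    "{0}  ({1} objects)" -f $g.Name, $g.Count
    $g.Group | ForEach-Object { "    " + $_.DistinguishedName }
}
```

The mangled-name query uses the objectGUID and RID the system appended, so each hit can be traced back to the object that lost the conflict; objectGUID and objectSID themselves are not checked here because, as the answer notes, the generation process is designed to prevent duplicates.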