CN changing with first 2016 DC in the domain

AlLilianstrom posted this 4 weeks ago

We came across something unusual yesterday. One of our Linux admins is working on her PowerShell skills and came across an account where the cn was not what she expected. For us - we provision accounts such that cn is the same as samaccountname. In this case the cn had changed from the samaccountname into "First Last".

Looking at the timestamp of the change from repadmin /showobjmeta the change to cn occurred 2 minutes after the first 2016 DC in the domain started initializing on the 2016 DC. A check of the domain found another account where the same thing happened at the same time. (2 of 20K accounts changed)

I checked our test domains and saw that some accounts had changed there as well - ~2 minutes after the initialization process started on the first 2016 DC in the domain.

My Google-fu has not shown any results.

Has anyone come across this before?

al

--
Al Lilianstrom
Authentication Services

Fermi National Accelerator Laboratory
www.fnal.gov
lilstrom@xxxxxxxxxxxxxxxx

eccoleman posted this 4 weeks ago

We have two Win2016 DCs (remaining 9 are still Win2012R2). We use the same mapping of CN=samAccountName, but I've not seen any CN changes like this out of our 460,000 IAM-controlled accounts. Hopefully that's a useful anecdote.

--
Erik Coleman
University of Illinois at Urbana-Champaign


AlLilianstrom posted this 2 weeks ago

Erik,

Thanks for the reply. I haven't been able to find any reason for this happening anywhere so I was hoping someone else had seen this. Looks like I'm alone on this one.

al

--
Al Lilianstrom
Authentication Services

Fermi National Accelerator Laboratory
www.fnal.gov
lilstrom@xxxxxxxxxxxxxxxx


PhilipElder posted this 2 weeks ago

Off the top, compare a known good account with one of the ones that has changed using ADSIEdit. Perhaps there's a setting or sub-setting on the changed accounts that contributed to the bit being flipped?

Philip Elder MCTS
Microsoft High Availability MVP
E-mail: PhilipElder@xxxxxxxxxxxxxxxx
Phone: (780) 458-2028
www.mpecsinc.com
Blog Site
Twitter: MPECSInc
Skype: MPECS Inc.
Cloud: Canadian Cloud Worx


Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.
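The checks discussed in this thread (finding accounts whose cn no longer matches sAMAccountName, reading the change timestamp that `repadmin /showobjmeta` reports, and comparing a changed account against a known good one) can be scripted as below. This is an added example, not code from any poster; it assumes the RSAT ActiveDirectory module, and the server name, search base and known-good account are placeholders.

```powershell
# Added example: audit cn vs. sAMAccountName drift and show when/where cn was last written.
# Assumptions: ActiveDirectory module installed; the three values below are placeholders.
Import-Module ActiveDirectory

$Server     = 'dc01.example.test'             # placeholder: DC to query
$SearchBase = 'OU=People,DC=example,DC=test'  # placeholder: where provisioned accounts live
$KnownGood  = 'knowngooduser'                 # placeholder: an account whose cn did not change

# 1. Accounts where cn differs from sAMAccountName (-ne is case-insensitive).
$drifted = @(Get-ADUser -Filter * -SearchBase $SearchBase -Server $Server -Properties cn |
    Where-Object { $_.cn -ne $_.SamAccountName })
"{0} account(s) with cn <> sAMAccountName" -f $drifted.Count

# 2. Replication metadata for cn and name on each drifted account: the same data
#    repadmin /showobjmeta prints. cn is the RDN, so a rename touches both attributes.
$report = foreach ($u in $drifted) {
    Get-ADReplicationAttributeMetadata -Object $u.DistinguishedName -Server $Server -Properties cn, name |
        Select-Object @{ n = 'SamAccountName'; e = { $u.SamAccountName } },
                      AttributeName, AttributeValue, Version,
                      LastOriginatingChangeTime,
                      LastOriginatingChangeDirectoryServerIdentity
}
# Sorting by time makes a cluster of changes around one event (such as a DC promotion) visible.
$report | Sort-Object LastOriginatingChangeTime | Format-Table -AutoSize

# 3. Compare which attributes are populated on a known good account and on one
#    drifted account, the scripted form of a side-by-side look in ADSIEdit.
if ($drifted.Count -gt 0) {
    $good = Get-ADUser -Identity $KnownGood -Server $Server -Properties *
    $bad  = Get-ADUser -Identity $drifted[0].DistinguishedName -Server $Server -Properties *
    Compare-Object -ReferenceObject $good.PropertyNames -DifferenceObject $bad.PropertyNames |
        Select-Object @{ n = 'Attribute'; e = { $_.InputObject } },
                      @{ n = 'PresentOn'; e = { if ($_.SideIndicator -eq '<=') { 'known good only' } else { 'changed only' } } }
}
```

`LastOriginatingChangeDirectoryServerIdentity` identifies the DC where the write originated, which separates a change made on the new DC from one replicated in from elsewhere.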
