CN changing with first 2016 DC in the domain

  • Last Post 07 June 2018
AlLilianstrom posted this 23 January 2018

We came across something unusual yesterday. One of our Linux admins is working on her PowerShell skills and came across an account where the cn was not what she expected. For us - we provision accounts such that cn is the same as samaccountname. In this case the cn had changed from the samaccountname into "First Last".

Looking at the timestamp of the change from repadmin /showobjmeta the change to cn occurred 2 minutes after the first 2016 DC in the domain started initializing on the 2016 DC. A check of the domain found another account where the same thing happened at the same time. (2 of 20K accounts changed)

I checked our test domains and saw that some accounts had changed there as well - ~2 minutes after the initialization process started on the first 2016 DC in the domain.

My Google-fu has not shown any results.

Has anyone come across this before?


Al Lilianstrom
Authentication Services

Fermi National Accelerator Laboratory

eccoleman posted this 23 January 2018

We have two Win2016 DCs (remaining 9 are still Win2012R2). We use the same mapping of CN=samAccountName, but I've not seen any CN changes like this out of our 460,000 IAM-controlled accounts. Hopefully that's a useful anecdote.

Erik Coleman
University of Illinois at Urbana-Champaign


AlLilianstrom posted this 06 February 2018


Thanks for the reply. I haven't been able to find any reason for this happening anywhere so I was hoping someone else had seen this. Looks like I'm alone on this one.


Al Lilianstrom
Authentication Services

Fermi National Accelerator Laboratory


PhilipElder posted this 06 February 2018

Off the top, compare a known good account with one of the ones that has changed using ADSIEdit. Perhaps there's a setting or sub-setting on the changed accounts that contributed to the bit being flipped?

Philip Elder MCTS
Microsoft High Availability MVP
E-mail: PhilipElder@xxxxxxxxxxxxxxxx
Phone: (780) 458-2028
Twitter: MPECSInc
Skype: MPECS Inc.
Cloud: Canadian Cloud Worx



MittlemanR posted this 07 June 2018

Did you resolve this mystery yet, Al?

I don't have a 2016 domain yet.

However, yes - I saw automatic CN changes whenever a user was added to Exchange. (Ever since NT4 and Exchange 5.)

CN automatically changed from samaccountname to display name. (Looks like the display name - could be some other name attribute(s))

So, could there be an Exchange connection?


chriss3 posted this 07 June 2018

This is not a mystery. The CN timestamp is always retrieved from the DC you query, hence it will be different depending on the DC you target.

If you run:

Repadmin /showreps DC1 CN=Administrator,DC=domain,DC=com


Repadmin /showreps DC2 CN=Administrator,DC=domain,DC=com

You will notice that the CN timestamp is different and always last modified at the DC being queried.
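
The check described in the first post and the per-DC comparison suggested in the last one, as an added example that is not part of any post in this thread: it lists accounts whose cn no longer equals sAMAccountName and reads the replication metadata for cn from every domain controller. It assumes the ActiveDirectory module (RSAT) is installed, the account running it can read the domain, and the provisioning rule is cn = sAMAccountName as the original poster describes.

```powershell
# Added example (not from the thread): audit cn vs sAMAccountName and
# compare the replication metadata of cn as seen from each DC.
# Assumption: ActiveDirectory module (RSAT) available, read access to the domain.
Import-Module ActiveDirectory

# Accounts that break the provisioning rule cn == sAMAccountName.
# -ne on strings is case-insensitive in PowerShell, matching AD's own comparison.
$mismatched = Get-ADUser -Filter * -Properties cn, displayName |
    Where-Object { $_.cn -ne $_.SamAccountName }

$dcs = Get-ADDomainController -Filter *

$report = foreach ($user in $mismatched) {
    foreach ($dc in $dcs) {
        try {
            # Same data repadmin /showobjmeta prints, limited to the naming attributes.
            $meta = Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName `
                        -Server $dc.HostName -Properties cn, name -ErrorAction Stop
        }
        catch {
            Write-Warning "No metadata for $($user.SamAccountName) from $($dc.HostName): $_"
            continue
        }
        foreach ($m in $meta) {
            [pscustomobject]@{
                Account         = $user.SamAccountName
                CurrentCN       = $user.cn
                DisplayName     = $user.displayName
                QueriedDC       = $dc.HostName
                Attribute       = $m.AttributeName
                Version         = $m.Version
                OriginatingTime = $m.LastOriginatingChangeTime
                OriginatingDC   = $m.LastOriginatingChangeDirectoryServerIdentity
                LocalUsn        = $m.LocalChangeUsn
            }
        }
    }
}

# One row per account, attribute and queried DC, so the columns can be
# compared side by side across DCs.
$report | Sort-Object Account, Attribute, QueriedDC | Format-Table -AutoSize
```

A Version greater than 1 on cn means the attribute was written again after the account was created, and the DisplayName column shows whether the new cn matches the display name, which is the Exchange-style behaviour mentioned earlier in the thread.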