CN changing with first 2016 DC in the domain

  • Last Post 06 February 2018
AlLilianstrom posted this 23 January 2018

We came across something unusual yesterday. One of our Linux admins is working on her PowerShell skills and came across an account where the cn was not what she expected. For us - we provision accounts such that cn is the same as samaccountname. In this case the cn had changed from the samaccountname into "First Last".

Looking at the timestamp of the change from repadmin /showobjmeta the change to cn occurred 2 minutes after the first 2016 DC in the domain started initializing on the 2016 DC. A check of the domain found another account where the same thing happened at the same time. (2 of 20K accounts changed)

I checked our test domains and saw that some accounts had changed there as well - ~2 minutes after the initialization process started on the first 2016 DC in the domain.

My Google-fu has not shown any results.

Has anyone come across this before?

al

--
Al Lilianstrom
Authentication Services

Fermi National Accelerator Laboratory
www.fnal.gov
lilstrom@xxxxxxxxxxxxxxxx
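
The check described in this post can be run domain-wide. The following is an added example, not code from the original poster: it lists accounts whose cn differs from sAMAccountName and pulls the same replication metadata that repadmin /showobjmeta reports for the naming attributes. It assumes the ActiveDirectory (RSAT) module is installed; the variable names and the choice of the PDC emulator as the query target are assumptions.

```powershell
# Added example: requires the ActiveDirectory (RSAT) module and read access to the domain.
Import-Module ActiveDirectory

# Assumption: query the PDC emulator. Any reachable DC works, but the
# metadata is reported from that DC's point of view.
$Server = (Get-ADDomain).PDCEmulator

# Accounts whose cn no longer equals sAMAccountName.
# PowerShell's -ne is case-insensitive for strings, which matches AD naming semantics.
$drifted = Get-ADUser -Filter * -Properties cn -Server $Server |
    Where-Object { $_.cn -ne $_.SamAccountName }

$report = foreach ($user in $drifted) {
    # Per-attribute replication metadata, limited to the naming attributes.
    $meta = Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName -Server $Server |
        Where-Object { $_.AttributeName -in 'cn', 'name' }

    foreach ($m in $meta) {
        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            CN             = $user.cn
            Attribute      = $m.AttributeName
            Version        = $m.Version
            ChangedAt      = $m.LastOriginatingChangeTime
            OriginatingDC  = $m.LastOriginatingChangeDirectoryServerIdentity
        }
    }
}

# Full listing, oldest change first.
$report | Sort-Object ChangedAt | Format-Table -AutoSize

# Changes bucketed per minute: a cluster of renames in one bucket points at a
# single event (for example a DC promotion window) rather than manual edits.
$report |
    Group-Object { $_.ChangedAt.ToString('yyyy-MM-dd HH:mm') } |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

A Version greater than 1 on cn or name means the attribute was written after the account was created, and OriginatingDC identifies the domain controller where that write originated.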


eccoleman posted this 23 January 2018

We have two Win2016 DCs (remaining 9 are still Win2012R2). We use the same mapping of CN=samAccountName, but I've not seen any CN changes like this out of our 460,000 IAM-controlled accounts. Hopefully that's a useful anecdote.

--
Erik Coleman
University of Illinois at Urbana-Champaign


AlLilianstrom posted this 06 February 2018

Erik,

Thanks for the reply. I haven't been able to find any reason for this happening anywhere so I was hoping someone else had seen this. Looks like I'm alone on this one.

al

--
Al Lilianstrom
Authentication Services

Fermi National Accelerator Laboratory
www.fnal.gov
lilstrom@xxxxxxxxxxxxxxxx


PhilipElder posted this 06 February 2018

Off the top, compare a known good account with one of the ones that has changed using ADSIEdit. Perhaps there's a setting or sub-setting on the changed accounts that contributed to the bit being flipped?

Philip Elder MCTS
Microsoft High Availability MVP
E-mail: PhilipElder@xxxxxxxxxxxxxxxx
Phone: (780) 458-2028
www.mpecsinc.com
Blog Site
Twitter: MPECSInc
Skype: MPECS Inc.
Cloud: Canadian Cloud Worx


Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.
