7 Replies Latest reply: Apr 7, 2011 11:06 AM by 853690

    search in AD domain - subdomain setup returns inconsistent results Pls help

      Hi everyone,

      I am facing a very peculiar and confusing problem when I perform an LDAP search in an Active Directory environment with a main domain and its subdomain.

      domain: ohm-ad.novell.com
      subdomain: subdomain.ohm-ad.novell.com
      There are only 2 computers in the domain - the domain DC and the subdomain DC.
      Binding using userPrincipalName on port 389
      search base is dc=ohm-ad,dc=novell,dc=com
      I have set the Context.REFERRAL to "follow" to follow the referrals automatically.
      I have set the search scope to SUBTREE_SCOPE so that the child domains are also searched.
      My search filter is (objectClass=computer) because I want all the computers in the domain and the subdomain.
      The problem is that the same search() call returns different results at different instances.

      At one instance, I get both the domain DC computer and the subdomain DC computer in the search result as expected.
      At another instance, I get only the domain DC computer in the search result which is unexpected.

      Why am I getting inconsistent search results even though the same client code is executed every time?

      Also, if I bind to the global catalog port 3268 instead of 389 in the client code, I consistently get both the domain DC computer and subdomain DC computer in the search result. Also, if I perform the same search using the Microsoft-provided AD search tool called "ldp" with the same search parameters on port 389, I consistently get both the domain DC computer and subdomain DC computer in the search result.

      I am very confused and stuck up. Please help urgently. Any kind of help would be appreciated.


    import java.util.ArrayList;
    import java.util.Hashtable;
    import java.util.logging.Level;
    import javax.naming.Context;
    import javax.naming.NamingEnumeration;
    import javax.naming.directory.Attributes;
    import javax.naming.directory.SearchControls;
    import javax.naming.directory.SearchResult;
    import javax.naming.ldap.InitialLdapContext;
    import javax.naming.ldap.LdapContext;
    import javax.naming.ldap.StartTlsResponse;

    private static DCQueryResults getServersInternal(String domainController, int portDC, String certLocation, String certPass,
            String domainName, String loginName, String password, boolean walkThrough, boolean isSSL, boolean isTest) {
        DCQueryResults results = new DCQueryResults();
        ArrayList<String> svrList = new ArrayList<String>();
        Hashtable<String, String> envDC = new Hashtable<String, String>();
        LdapContext ctxDC = null;
        // Start TLS once the context is initialized (never set up in the posted code, so tls stays null).
        StartTlsResponse tls = null;
        try {
            /* use the AD "userPrincipalName" attribute, i.e. loginName@domainName, for the LDAP query
             * so that the user object can be located in any container in the AD tree */
            String adminName = loginName + "@" + domainName;
            String adminPassword = password;
            String urlDC = "ldap://" + domainController + ":" + portDC;
            if (isSSL) {
                System.setProperty("javax.net.ssl.trustStore", certLocation);
                System.setProperty("javax.net.ssl.trustStorePassword", certPass);
                // specify use of ssl
                envDC.put(Context.SECURITY_PROTOCOL, "ssl");
            }
            envDC.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            envDC.put(Context.PROVIDER_URL, urlDC);
            // set security credentials, note using simple cleartext authentication
            envDC.put(Context.SECURITY_AUTHENTICATION, "simple");
            envDC.put(Context.SECURITY_PRINCIPAL, adminName);
            envDC.put(Context.SECURITY_CREDENTIALS, adminPassword);
            // We need to chase referrals when retrieving attributes from the DC
            // as the object may be in a different domain
            envDC.put(Context.REFERRAL, "follow");
            ctxDC = new InitialLdapContext(envDC, null);
            // Create the search controls
            SearchControls searchCtls = new SearchControls();
            if (isTest) {
                searchCtls.setCountLimit(1); // If it is a test, one entry is sufficient.
            }
            // Specify the attributes to return
            String returnedAtts[] = {"dNSHostName", "cn", "networkAddress"};
            searchCtls.setReturningAttributes(returnedAtts);
            // Search the whole subtree so that the child domains are searched too
            searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            // specify the LDAP search filter
            String searchFilter = "(objectClass=computer)";
            // Specify the Base for the search
            String searchBase = makeSearchDomainBaseName(domainName);
            // initialize counter to total the results
            int totalResults = 0;
            NamingEnumeration<SearchResult> answer = ctxDC.search(searchBase, searchFilter, searchCtls);
            // Loop through the search results
            while (answer.hasMoreElements()) {
                SearchResult sr = answer.next();
                totalResults++;
                // Now retrieve attributes from the DC
                Attributes DCattrs = ctxDC.getAttributes(sr.getNameInNamespace());
                try {
                    logger.log(Level.FINEST, "   DNS-Name :" + " Common-Name :" + DCattrs.get("cn").get() + " Network-Name : ");
                    //logger.log(Level.FINEST, "   DNS-Name :" + DCattrs.get("name").get());
                } catch (NullPointerException e) {
                    logger.log(Level.SEVERE, "Problem listing attributes from Domain Controller: " + e);
                    throw e;
                }
                if (!walkThrough) {
                    // without walkThrough, skip entries that belong to a child domain of domainName
                    if (!isSubTreeEntry(makeServerName(sr.getNameInNamespace()), domainName))
                        svrList.add(makeServerName(sr.getNameInNamespace()));
                } else {
                    svrList.add(makeServerName(sr.getNameInNamespace()));
                }
            }
            logger.log(Level.FINEST, "Total results: " + totalResults);
        } catch (Exception e) {
            logger.log(Level.SEVERE, "Problem searching DomainController directory: " + e.toString());
            ExceptionHandler.handle(logger, e);
            svrList = null;
        } finally {
            try {
                if (isSSL && tls != null)
                    tls.close();
                if (ctxDC != null)
                    ctxDC.close();
            } catch (Exception e) {
                // Don't need to do anything other than logging.
                logger.log(Level.SEVERE, "Problem Closing the DomainController context references.: " + e.toString());
                ExceptionHandler.handle(logger, e);
            }
        }
        // as posted: svrList is built above but never copied into results
        return results;
    }
      Edited by: 809814 on Nov 11, 2010 2:52 AM

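One way to get the forest-wide computer list without the client silently chasing referrals, as an added example that is not the poster's code and not any project's own API: it binds to the Global Catalog over LDAPS (port 3269, the TLS counterpart of the 3268 port that gave the poster consistent results) and sets Context.REFERRAL to "throw", so the JNDI provider never re-sends the bind credentials to whatever host a referral names. The class name, the GC_URL and FOREST_BASE values (built from the domain in the post) and the referralsSeen parameter are assumptions, as is a JVM trust store that already trusts the DC certificate.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.*;

public class ForestComputerSearch {
    // Assumed values: the forest root named in the post, queried on the Global Catalog over LDAPS.
    static final String GC_URL = "ldaps://ohm-ad.novell.com:3269";
    static final String FOREST_BASE = "dc=ohm-ad,dc=novell,dc=com";
    /** dNSHostName (DN if absent) of every computer object the GC holds for the whole forest. */
    static List<String> listComputers(String upn, char[] password, List<String> referralsSeen)
            throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, GC_URL);               // ldaps: bind password is not sent in clear
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, upn);            // userPrincipalName, as in the post
        env.put(Context.SECURITY_CREDENTIALS, password);     // char[] so the caller can wipe it
        // "throw" instead of "follow": the provider never re-binds with these credentials to a
        // host named in a referral; a referral is surfaced to us and only recorded below.
        env.put(Context.REFERRAL, "throw");
        LdapContext ctx = new InitialLdapContext(env, null);
        List<String> hosts = new ArrayList<>();
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            // must be in the GC partial attribute set (dNSHostName is, by default)
            sc.setReturningAttributes(new String[] {"dNSHostName"});
            NamingEnumeration<SearchResult> answer =
                    ctx.search(FOREST_BASE, "(objectClass=computer)", sc);
            try {
                while (answer.hasMore()) {
                    SearchResult sr = answer.next();
                    Attribute dns = sr.getAttributes().get("dNSHostName");
                    hosts.add(dns == null ? sr.getNameInNamespace() : dns.get().toString());
                }
            } catch (ReferralException e) {
                // Not expected from a GC search (it holds every domain); if one appears, record it
                // and stop: the list is then partial, but no credentials went to a third host.
                referralsSeen.add(String.valueOf(e.getReferralInfo()));
            } catch (PartialResultException e) {
                // Continuation references left over after the entries; same handling as above.
                referralsSeen.add("continuation references dropped: " + e.getMessage());
            }
        } finally {
            ctx.close();
        }
        return hosts;
    }
}
```

If referralsSeen comes back non-empty, the returned list is incomplete and the recorded target tells you which host the directory wanted the client to re-authenticate against.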