Can an LDAP query on AD provide the netbios domain name for a single account when using the Global Catalog?
Solution 1:
I think I figured it out. Using ADSI Edit you can look at properties on an object (e.g., a user), but by default it was filtering out "constructed" attributes. Using the Filter button at the bottom right of the properties screen I was able to show these additional attributes.
The "msDS-PrincipalName" appears to have "[netbios domain name]\[sAMAccountName]" as its value.
If I go into AD Users and Computers and change the "User logon name" from "[email protected]" to "[email protected]" this affects the "userPrincipalName" attribute, but not the "msDS-PrincipalName" attribute. This is good in my case, because my other system (SharePoint) does not recognize this change either.
If I go into AD Users and Computers and change the "User logon name (pre-Windows 2000)" from "KIRKDEV\gwashington" to "KIRKDEV\g2washington" (note that I cannot change the first part), this does not affect the "userPrincipalName" attribute, but does affect the "msDS-PrincipalName" attribute. This is exactly what I want because my other system (SharePoint) does recognize this change.
Side Note: I said SharePoint does recognize the change, but that is only if the user has never logged into that SharePoint site collection before. Once the user has logged into the SharePoint site collection, the tp_Login field in the UserInfo table is set with the "msDS-PrincipalName" value and that does not seem to change. So, I may have to find a way to force that to be changed or just say that this scenario is not supported.
Solution 2:
To answer your last question you should be able to verify the NetBios name manually by checking the Configuration section and then Directory Partitions in ADSIEdit:
CN=MYNETBIOSNAME,CN=Partitions,CN=Configuration,DC=mydomain,DC=internal
This has both "name" and "netBIOSName" properties. Otherwise I think you'd have to get it from a fqdn/DN as squillman suggests.
Solution 3:
For an application? Microsoft makes this fairly straightforward in .NET. This should provide you with a list of domain Netbios names that you can use to create a list of custom objects with the domain DN/DNS/Netbios names, or cross-referencing dictionaries.
Also, what determines if an attribute is available in the Global Catalog is (yet another) attribute called isMemberOfPartialAttributeSet. Using Microsoft SysInternals AD Explorer, you can search the Schema container in a domain, and search for any object that has the isMemberOfPartialAttributeSet = true to see all the attributes that are available for a GC query.
    using System;
    using System.DirectoryServices;
    using System.DirectoryServices.ActiveDirectory;

    public class NetbiosNameLookup // wrapper class added so the methods compile
    {
        // Prints the NetBIOS name of every domain in the current forest.
        private void GetNetbiosNamesTest()
        {
            DomainCollection domains = Forest.GetCurrentForest().Domains;
            foreach (Domain domain in domains)
            {
                Console.WriteLine("Domain Netbios name: {0}", this.GetDomainNetBiosName(domain));
            }
        }

        // Finds the crossRef object under CN=Partitions whose dnsRoot matches the
        // domain and returns its nETBIOSName (empty string if none is found).
        private string GetDomainNetBiosName(Domain domain)
        {
            string netBiosName = String.Empty;
            using (DirectoryEntry forestRootDirectoryEntry = Forest.GetCurrentForest().RootDomain.GetDirectoryEntry())
            {
                string forestConfigurationBindPath = String.Format("LDAP://CN=Partitions,CN=Configuration,{0}", forestRootDirectoryEntry.Properties["distinguishedName"].Value);
                using (DirectoryEntry forestRootConfigurationDirectoryEntry = new DirectoryEntry(forestConfigurationBindPath))
                using (DirectorySearcher directorySearcher = new DirectorySearcher(forestRootConfigurationDirectoryEntry))
                {
                    directorySearcher.Filter = String.Format("(&(nETBIOSName=*)(dnsRoot={0}))", domain.Name);
                    directorySearcher.PropertiesToLoad.AddRange(new String[] { "dnsRoot", "nETBIOSName" });
                    var result = directorySearcher.FindOne();
                    if ((result != null) && (result.Properties.Contains("nETBIOSName")))
                    {
                        netBiosName = result.Properties["nETBIOSName"][0].ToString();
                    }
                }
            }
            return netBiosName;
        }
    }
Solution 4:
You'll have to parse it out of either the dn (distinguishedName) or the AdsDSPath attributes. Domain name entities are prefixed with "DC=" in these attributes. The leftmost DC= will contain your netbios domain name.
For example:
cn=myuser,ou=users,dc=mydomain,dc=mycompany,dc=com
mydomain is the netbios domain name.
EDIT:
As Brian Desmond points out, this is not necessarily the authoritative way to find the actual netbios name, it is merely coincidence that they usually correlate. See BoyMars' answer for the authoritative way.
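The gap between Solution 4's leftmost-DC parsing and the crossRef lookup from Solution 2, shown as an added example that is not part of any of the answers. PARTITIONS is constructed sample data standing in for the nCName and nETBIOSName attributes read from CN=Partitions, and the function names are hypothetical.

```python
# Added example: map a DN to its NetBIOS domain name using crossRef data.
# PARTITIONS is constructed sample data (assumption), shaped like the nCName /
# nETBIOSName attributes of crossRef objects under CN=Partitions,CN=Configuration.
PARTITIONS = [
    {"nCName": "DC=mydomain,DC=mycompany,DC=com", "nETBIOSName": "CORP"},
    {"nCName": "DC=emea,DC=mydomain,DC=mycompany,DC=com", "nETBIOSName": "EMEA"},
    # Non-domain partitions have a crossRef but no nETBIOSName.
    {"nCName": "CN=Configuration,DC=mydomain,DC=mycompany,DC=com", "nETBIOSName": None},
]


def split_dn(dn):
    """Split a DN into lower-cased RDNs, honouring backslash-escaped commas."""
    rdns, current, escaped = [], "", False
    for ch in dn:
        if escaped:
            current, escaped = current + ch, False
        elif ch == "\\":
            current, escaped = current + ch, True
        elif ch == ",":
            rdns.append(current.strip().lower())
            current = ""
        else:
            current += ch
    rdns.append(current.strip().lower())
    return rdns


def leftmost_dc(dn):
    """Heuristic from Solution 4: value of the first DC= component."""
    for rdn in split_dn(dn):
        if rdn.startswith("dc="):
            return rdn[3:]
    return None


def netbios_from_partitions(dn, partitions=PARTITIONS):
    """Authoritative lookup: nETBIOSName of the longest nCName that ends the DN."""
    target = split_dn(dn)
    best = None
    for part in partitions:
        nc = split_dn(part["nCName"])
        if len(nc) <= len(target) and target[-len(nc):] == nc:
            if best is None or len(nc) > best[0]:
                best = (len(nc), part["nETBIOSName"])
    return best[1] if best else None
```

With this sample data the DN from Solution 4 yields "mydomain" from the heuristic but "CORP" from the partition data, which is the mismatch the EDIT describes.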