Recipe 10.13 Modifying the Attributes Included with Ambiguous Name Resolution

10.13.1 Problem

You want to modify the attributes that are included as part of ANR.

10.13.2 Solution

For Windows 2000 Active Directory, you need to enable schema modifications before proceeding. See Recipe 10.2 for more information.

10.13.2.1 Using a graphical user interface
  1. The attribute must already be indexed before you can add it to ANR; ANR membership is only meaningful (and only accepted by the snap-in) on an indexed attribute.

  2. Open the Active Directory Schema snap-in.

  3. In the left pane, click on the Attributes folder.

  4. In the right pane, double-click the attribute you want to edit.

  5. Check the box beside ANR.

  6. Click OK.

10.13.2.2 Using a command-line interface

You can include an attribute as part of ANR by using the ldifde utility and an LDIF file that contains the following:

dn: cn=rallencorp-LanguagesSpoken,cn=schema,cn=configuration,<ForestRootDN>
changetype: modify
replace: searchFlags
searchFlags: 5
-

If the LDIF file were named add_anr_attr.ldf, you would run the following command (add -s <SchemaMasterDC> if the domain controller you connect to by default is not the schema master, because schema writes are accepted only there):

> ldifde -v -i -f add_anr_attr.ldf

10.13.2.3 Using VBScript
' This code will make an attribute part of the ANR set.
' ------ SCRIPT CONFIGURATION ------
' Set to the common name (not LDAP display name) of the attribute
strAttrName = "<AttrCommonName>"   ' e.g. rallencorp-LanguagesSpoken
' ------ END CONFIGURATION ---------

set objRootDSE = GetObject("LDAP://RootDSE")
set objAttr = GetObject("LDAP://cn=" & strAttrName & "," & _
                        objRootDSE.Get("schemaNamingContext"))
objAttr.Put "searchFlags", 5
objAttr.SetInfo
WScript.Echo "New ANR attribute: " & strAttrName

The CLI and VBScript solutions assume that searchFlags was not previously set and blindly overwrite whatever value is present. The value 5 is the indexed bit (1) plus the ANR bit (4), so writing it clears any other searchFlags bits the attribute already had, such as the confidential bit (128). See Recipe 4.12 for a better solution that reads the current value and enables only the bit you want without disturbing the others.
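The following PowerShell script is an added example, not code from the book, and implements what Recipe 4.12 recommends: it binds to the schema master, reads the current searchFlags, refuses to proceed if the attribute is not indexed, and ORs in the ANR bit so the other bits survive. It assumes the ActiveDirectory module (RSAT), Schema Admins membership, and a placeholder attribute common name.

```powershell
# Added example (not from the book). Requires the ActiveDirectory module (RSAT)
# and Schema Admins membership; the attribute name at the bottom is a placeholder.
Import-Module ActiveDirectory

function Enable-AnrAttribute {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Common name of the attribute, e.g. rallencorp-LanguagesSpoken (not the LDAP display name)
        [Parameter(Mandatory)][string]$AttributeCommonName
    )
    $INDEX_BIT = 1   # searchFlags: attribute is indexed
    $ANR_BIT   = 4   # searchFlags: attribute is part of the ANR set

    # Schema writes are only accepted by the schema master, so bind there.
    $schemaMaster = (Get-ADForest).SchemaMaster
    $schemaNC = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
    $dn = "cn=$AttributeCommonName,$schemaNC"

    $attr = Get-ADObject -Identity $dn -Server $schemaMaster -Properties lDAPDisplayName, searchFlags
    $current = [int]$attr.searchFlags
    $name = $attr.lDAPDisplayName

    if (($current -band $INDEX_BIT) -eq 0) {
        throw "$name is not indexed (searchFlags=$current); index it before adding it to ANR."
    }
    if (($current -band $ANR_BIT) -ne 0) {
        Write-Host "$name is already in the ANR set (searchFlags=$current); nothing to do."
        return $current
    }

    # OR in the ANR bit so any other flags (e.g. 128 = confidential) are preserved.
    $new = $current -bor $ANR_BIT
    if ($PSCmdlet.ShouldProcess($dn, "searchFlags $current -> $new")) {
        Set-ADObject -Identity $dn -Server $schemaMaster -Replace @{ searchFlags = $new }
        Write-Host "${name}: searchFlags $current -> $new"
    }
    return $new
}

# Dry run first, then for real once the output looks right.
Enable-AnrAttribute -AttributeCommonName 'rallencorp-LanguagesSpoken' -WhatIf
# Enable-AnrAttribute -AttributeCommonName 'rallencorp-LanguagesSpoken'
```

The change takes effect on each domain controller once its schema cache is reloaded, which happens automatically a few minutes after the write or immediately if you choose Reload the Schema in the Active Directory Schema snap-in.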

10.13.3 Discussion

ANR is an efficient search algorithm that allows for a complex search filter to be written using a single comparison. For example, a search for (anr=Jim Smith) would translate into the following query:

  • An OR filter with every attribute in the ANR set against Jim Smith*

  • A filter for givenName = Jim* and sn = Smith*

  • A filter for givenName = Smith* and sn = Jim*

These filters are ORed together and then processed by Active Directory. Since all default ANR attributes are also indexed, the results should come back quickly.

Here is a list of the default attributes that are included as part of ANR searches. The LDAP display name of the attribute is shown first with the common name in parentheses.

  • displayName (Display-Name)

  • givenName (Given-Name)

  • legacyExchangeDN (Legacy-Exchange-DN)

  • msDS-AdditionalSamAccountName (ms-DS-Additional-Sam-Account-Name)

  • physicalDeliveryOfficeName (Physical-Delivery-Office-Name)

  • name (RDN)

  • sAMAccountName (SAM-Account-Name)

  • sn (Surname)

msDS-AdditionalSamAccountName was added as an ANR attribute in Windows Server 2003.

It is important to make sure that any new ANR attributes are also indexed. ANR searches are intended to be very fast, and if a non-indexed attribute were added to the set, every ANR search would have to scan that attribute, which could dramatically degrade performance.

You can find which attributes are included in the ANR set by using the following search criteria. The filter uses the bitwise AND matching rule (OID 1.2.840.113556.1.4.803) to test whether the ANR bit (4) is set in searchFlags:

Base
cn=Schema,cn=Configuration,<ForestRootDN>
Filter
(&(objectcategory=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=4))
Scope
onelevel

Alternatively, to find attributes that aren't included in ANR, change the previous search filter to the following:

(&(objectcategory=attributeSchema)(!(searchFlags:1.2.840.113556.1.4.803:=4)))
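As an added example (not from the book), the PowerShell script below reads the current ANR set from the schema with the bitwise filter above, flagging any member that is not indexed, and builds the explicit OR filter that (anr=Jim Smith) is expanded to so the two can be compared against a live directory. It assumes the ActiveDirectory module; the default attribute list is the Windows Server 2003 set from the Discussion, and the sample name is constructed.

```powershell
# Added example (not from the book). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Escape the characters that have meaning inside an LDAP filter value.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

# List the attributes that currently carry the ANR bit (4) in searchFlags.
# 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND matching rule.
function Get-AnrAttribute {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
        -LDAPFilter '(&(objectCategory=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=4))' `
        -Properties lDAPDisplayName, searchFlags |
      ForEach-Object {
          # Indexed = $false marks an ANR member with no index (bit 1): the case
          # the Discussion warns will slow every ANR search down.
          [pscustomobject]@{
              lDAPDisplayName = $_.lDAPDisplayName
              searchFlags     = $_.searchFlags
              Indexed         = (($_.searchFlags -band 1) -ne 0)
          }
      }
}

# Build the explicit OR filter that (anr=<Text>) is expanded to: every ANR
# attribute matched against "<Text>*", plus the givenName/sn split in both
# orders when the text contains a space.
function ConvertTo-AnrEquivalentFilter {
    param(
        [Parameter(Mandatory)][string]$Text,
        # Default list: the Windows Server 2003 ANR set from the Discussion.
        # Pass (Get-AnrAttribute).lDAPDisplayName to use the live schema instead.
        [string[]]$AnrAttributes = @('displayName', 'givenName', 'legacyExchangeDN',
            'msDS-AdditionalSamAccountName', 'physicalDeliveryOfficeName',
            'name', 'sAMAccountName', 'sn')
    )
    $whole = ConvertTo-LdapFilterValue $Text.Trim()
    [string[]]$clauses = @(foreach ($attr in $AnrAttributes) { "($attr=$whole*)" })

    $parts = $Text.Trim() -split '\s+', 2
    if ($parts.Count -eq 2) {
        $first  = ConvertTo-LdapFilterValue $parts[0]
        $second = ConvertTo-LdapFilterValue $parts[1]
        $clauses += "(&(givenName=$first*)(sn=$second*))"
        $clauses += "(&(givenName=$second*)(sn=$first*))"
    }
    return "(|$($clauses -join ''))"
}

# Usage: print the current ANR set, then compare an ANR query with its expansion.
Get-AnrAttribute | Format-Table -AutoSize
$expanded = ConvertTo-AnrEquivalentFilter -Text 'Jim Smith'   # constructed sample name
Write-Host $expanded
$viaAnr      = @(Get-ADObject -LDAPFilter '(anr=Jim Smith)' -Properties displayName)
$viaExpanded = @(Get-ADObject -LDAPFilter $expanded          -Properties displayName)
Write-Host "anr: $($viaAnr.Count) objects; explicit expansion: $($viaExpanded.Count) objects"
```

Running the two queries side by side is the quickest way to confirm that a newly added ANR attribute is actually being consulted: if the counts differ after a schema change, the schema cache on the domain controller you queried has probably not been reloaded yet.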

10.13.4 See Also

Recipe 4.12 for modifying a bit-flag attribute, Recipe 10.7 for adding a new attribute, MS KB 243299 (Ambiguous Name Resolution for LDAP in Windows 2000), and MS KB 243311 (Setting an Attribute's searchFlags Property to Be Indexed for ANR)
