So in the last week I have received two email questions about an interesting issue with the Active Directory description attribute.
To paraphrase both of the questions:
It says in the schema that description is multivalued, but every time I try to use admod to add a second value to the description it fails and admod outputs an error. Why can’t admod add multiple values to an attribute like the help says it can…
The quick answer is, this isn’t a problem with admod my friends… It is a problem with the object and attribute that you chose to add a second value to. I know what the problem is, do you? Yes I know some of you do, but for those that don’t, and because I feel like having a decent length tech blog entry today while I chill to the Barenaked Ladies Rock Spectacular album, I will dive into it a bit.
So….
I will agree that yes, description is listed as multivalued in the schema, look my own tools say it is…
C:\>adfind -sc s:description issinglevalued
AdFind V01.29.00cpp Joe Richards (joe@joeware.net) December 2005
Using server: 2k3dc01.joe.com:389
Directory: Windows Server 2003
Base DN: CN=Schema,CN=Configuration,DC=joe,DC=com
dn:CN=Description,CN=Schema,CN=Configuration,DC=joe,DC=com
>isSingleValued: FALSE
1 Objects returned
So hmmmm, if it is NOT isSingleValued that means it *is* multivalued. Good.
So let’s take an object with no current description
C:\>adfind -default -f name=someuser description
AdFind V01.29.00cpp Joe Richards (joe@joeware.net) December 2005
Using server: 2k3dc01.joe.com:389
Directory: Windows Server 2003
Base DN: DC=joe,DC=com
dn:CN=someuser,CN=Users,DC=joe,DC=com
1 Objects returned
and try to add two values to it…
C:\>admod -b CN=someuser,CN=Users,DC=joe,DC=com "description:++:Description 1;Description 2" -exterr
AdMod V01.06.00cpp Joe Richards (joe@joeware.net) June 2005
DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
DN: CN=someuser,CN=Users,DC=joe,DC=com...: [2k3dc01.joe.com] Error 0x14 (20) - Attribute Or Value Exists
Extended Error: 00002081: AtrErr: DSID-030F10D6, #1:
0: 00002081: DSID-030F10D6, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att d (description)
ERROR: Too many errors encountered, terminating...
The command did not complete successfully
Hmm that didn’t fare so well… I got an error. ATT_OR_VALUE_EXISTS… how odd, I know the value doesn’t exist, I have full control over that account and don’t see a description so I am confident it doesn’t have one. PLUS…. it is multivalued (or more accurately it is *not* isSingleValued).
Let’s try to do this one value at a time…
Value 1:
C:\>admod -b CN=someuser,CN=Users,DC=joe,DC=com "description:+:Description 1" -exterr
AdMod V01.06.00cpp Joe Richards (joe@joeware.net) June 2005
DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
DN: CN=someuser,CN=Users,DC=joe,DC=com...
The command completed successfully
Yep that worked, now the second value
C:\>admod -b CN=someuser,CN=Users,DC=joe,DC=com "description:+:Description 2" -exterr
AdMod V01.06.00cpp Joe Richards (joe@joeware.net) June 2005
DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
DN: CN=someuser,CN=Users,DC=joe,DC=com...: [2k3dc01.joe.com] Error 0x14 (20) - Attribute Or Value Exists
Extended Error: 00002081: AtrErr: DSID-030F10D6, #1:
0: 00002081: DSID-030F10D6, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att d (description)
ERROR: Too many errors encountered, terminating...
The command did not complete successfully
Hmm this joeware stuff is flakey, maybe I need two plus signs instead of one…
C:\>admod -b CN=someuser,CN=Users,DC=joe,DC=com "description:++:Description 2" -exterr
AdMod V01.06.00cpp Joe Richards (joe@joeware.net) June 2005
DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
DN: CN=someuser,CN=Users,DC=joe,DC=com...: [2k3dc01.joe.com] Error 0x14 (20) - Attribute Or Value Exists
Extended Error: 00002081: AtrErr: DSID-030F10D6, #1:
0: 00002081: DSID-030F10D6, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att d (description)
ERROR: Too many errors encountered, terminating...
The command did not complete successfully
Errr no I guess not.
Editor Note: The two plus signs are only needed when sending in multiple values AT ONCE in one command; it tells admod to look for delimiters within the attribute value string so it can chop them up and send them in separately. With a single plus sign the value string is sent as-is, delimiters and all. If I didn’t make you specify it explicitly I would be trying to guess, which could be troublesome, as while I can generally guess what I may do in a given situation, I certainly can’t do it for the tens (or dare I say hundreds) of thousands of fine folks downloading my utilities. However I was nice enough to make it so you only had to type one more character. Or maybe it was so I only had to type one more character, I am quite lazy. Either way, I think it is a pretty good design, I spent a long time thinking how to properly handle that. Command line parameterization is not the easiest thing to do well I think. I think so because I think about it a lot.
So where were we… Why yes, ok, can’t add multiple values to a multiple value attribute, specifically description. I wonder if my object is “corrupted” (da da DAAAAAAAA – cut to commercial for feminine hygiene products followed by a cat litter commercial with those crazy dancing cats (how come my cat doesn’t dance like that, does she need tap lessons or is it that brand of litter (note to self, buy cat litter brand xyz to test for dancing ability in cat)?)… and we’re back…).
People like to think that, if something doesn’t work the way that they think it should work, the darn thing must be corrupted because there can be no other explanation. If I followed in the footsteps of that brain trust I would now start deleting the objects I couldn’t set multiple values on and recreating them and ending up with exactly the same problem plus a few dozen more when the user can’t access any of the stuff they could before.
In all of my years of working on NT (Ok so maybe it is only about 10 or so years, not the 25 years that statement seems to imply) I have not once, let me make that stronger, not once, encountered in the hundreds (yes hundreds) of thousands of IDs I have managed a single case of a corrupted ID. Now let me be careful and say I am not saying this isn’t possible, just that I as a thinking person will not immediately jump to the idea that a user ID is corrupted simply because I have always found some other explanation which ended up being more logical and actually correct.
Well what the heck, let’s just try another object for grins… We will try this on the parent of the someuser ID.
C:\>admod -b CN=Users,DC=joe,DC=com "description:++:Description 1;Description 2" -exterr
AdMod V01.06.00cpp Joe Richards (joe@joeware.net) June 2005
DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
DN: CN=Users,DC=joe,DC=com...
The command completed successfully
Hey… did that…. actually…. work?
C:\>adfind -s base -b CN=Users,DC=joe,DC=com -f objectclass=* description
AdFind V01.29.00cpp Joe Richards (joe@joeware.net) December 2005
Using server: 2k3dc01.joe.com:389
Directory: Windows Server 2003
dn:CN=Users,DC=joe,DC=com
>description: Description 2
>description: Description 1
>description: Default container for upgraded user accounts
1 Objects returned
Why yes it did! And not only that, it actually has three values now because it had one already…
I could use that as proof to show that indeed, my someuser object is corrupted. It wouldn’t be valid proof but I could convince others who like to believe in corrupt as a quick answer to things too. Another option is that the parent already had a value so AD was nice enough to let me add more. I could see people saying that too. That is a sellable explanation…
I wonder what is different between these two objects…
o They both have the description attribute, and there is only one description attribute in the schema, so that can’t be it…
o They are both in the same AD.
o They are both objects that can contain other objects.
Editors note: SAY WHAT!!! They can both contain other objects? What’s in that glass of water you are drinking son? A user in AD is represented by the user class which is indeed a container type class. I know ADUC doesn’t usually show you users that way but they are indeed containers and can be the parents of other objects.
o So wait a minute, maybe that editor is on to something… What is this class thing… The someuser ID is of class user and the parent is of class container (Editor again: Though they can both contain objects). That is a difference, could it be that different classes are handled differently for the description attribute?
NO! The schema is the end all be all rule source and if it says something there then it has to be so!
<EndSarcasm>
Ok, as this is getting long in the tooth I will spill it…
Yes, the schema is the end all be all of rules but exceptions make the rule (you forgot that rule huh!). There are times where Microsoft found itself in a tight spot, this is often around the whole idea of legacy support. You know legacy support, that is when you want something new but you also don’t want your old stuff to break? This is the thing that Apple has had such issues with over the years when they come out with a completely different way of doing things and breaking everything old and then asking “how come everyone isn’t thrilled???”. This legacy support is tough but unfortunately necessary in many cases.
The property or attribute called description of a user or group in NT4 had a specific meaning and format. It was single valued. However, why shouldn’t it be multivalued in AD where we have better capacity for storing info because ESE just blows the crap out of the registry as a storage container. Ah… but darn, description can’t be multivalued because, well, it isn’t in NT4. But why should we be limited by NT4, this isn’t the 90’s!!!?!!! That is asinine!!! But we can’t break everything built before. Well maybe the people should fix their Shite! But we have to be good to the people. But Brett has crazy hair!! But if we break things we will end up having to figure out how to fix them later when someone in the Air Force bitches at Bill! And so on and so on.
So the idea, allow for advancement, but not on the items that can’t be handled that way. Users and groups can have their descriptions read and modified both through LDAP which allows for multiple values and through the NET API which is a LEGACY (YES LEGACY PEOPLE!!! This includes you folks using the WinNT ADSI provider for AD – LEGACY say it with me LEEEEEGGGGGGAAAAAAACCCCCYYYYYYY) mechanism. That means that they will have to have tighter rules for the description attribute than say objects that didn’t exist in the NT4 directory, like objectclasses container, organizationalunit, o, l, etc… Allowing multiple values on objects that can be read by the legacy API will surely confuse that API as well as any code depending on it. MS could fix that for their own stuff but what about the hundreds of thousands of other programs and scripts that couldn’t handle it. If you have multiple values for description, which one would you send back through the legacy API? There is no concept of order in the multivalued attributes. Order is as order does on those babies, deal with it. So all description value entries being equal which do you display, which do you update if a legacy API wants to change something? Do you slap the values all together? That certainly isn’t the way it used to work. And again, what order should that new single string take? Lots of questions. Easier to just lock off those objects from having multiple values for that attribute. Of course, it would be nice to have a switch or mode where we could turn off that legacy support when we know that our own environment will work fine without the legacy support.
So now you are saying, wow, where is this documented? Well here of course. Where else? I don’t know, I never saw it officially documented anywhere. Is this the only thing that works like this? Heck no. There are other things; if you see something weird that doesn’t follow the schema rules, try checking the same thing against a non SAM-type object/attribute. The SAM – Security Accounts Manager – still has to carry lots of legacy support, so anything that existed in and for NT4 still works. Note too that the check is enforced on the DC, not in the tool: the ATT_OR_VALUE_EXISTS above came back from 2k3dc01, so any LDAP client that tries to add a second description value to a user or group gets the same answer. So what are all of the things? I don’t know, I find them just like you find them. Just try to recognize them as such and don’t jump to the conclusion of object corruption.
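As an added example, not code from the original post or from the joeware tools, the following PowerShell reproduces both points above over raw LDAP with System.DirectoryServices.Protocols. ConvertFrom-AdModSpec models the admod spec syntax from the editor’s note (a single + sends the value string whole, ++ splits it on the ; delimiter; the - and -- delete forms are my assumption by analogy and are not shown on this page), and Send-AdModSpec sends the resulting modification to a DC and returns the LDAP result code together with the server’s extended error text, the same “AtrErr” text admod -exterr prints. That lets you compare a user (SAM-managed) object against a container without guessing at corruption. The function names are mine; the server name and DNs are placeholders for your own domain; the bind uses your current Windows credentials with signing and sealing turned on so the modify is not sent in the clear.

```powershell
# Added example, not from the original post or the joeware tools.
# Models the admod "attr:op:value" spec and sends it as a raw LDAP Modify so
# the DC's own verdict (result code + extended error) is what you see.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function ConvertFrom-AdModSpec {
    # attr:+:value       -> add ONE value; a ';' inside the value is kept
    # attr:++:v1;v2;v3   -> add several values, split on ';'
    # attr:-:value and attr:--:v1;v2 -> the matching delete forms (assumed by
    # analogy with the add forms; the post only shows '+' and '++')
    param([Parameter(Mandatory)][string] $Spec)

    # Split on the first two ':' only, so a value may itself contain ':'
    $attr, $op, $raw = $Spec -split ':', 3
    if ($null -eq $raw -or $op -notin '+', '++', '-', '--') {
        throw "Spec '$Spec' is not of the form attr:(+|++|-|--):value"
    }

    # Two characters means "look for delimiters inside the value string"
    $values = if ($op.Length -eq 2) { $raw -split ';' } else { @($raw) }

    $mod = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $mod.Name = $attr
    $mod.Operation = if ($op.StartsWith('+')) {
        [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Add
    } else {
        [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete
    }
    foreach ($v in $values) { [void]$mod.Add($v) }
    # Unary comma keeps PowerShell from unrolling the modification (it is a
    # collection) into its individual string values on output
    ,$mod
}

function Send-AdModSpec {
    param(
        [Parameter(Mandatory)][string] $Server,             # placeholder DC name
        [Parameter(Mandatory)][string] $DistinguishedName,  # placeholder DN
        [Parameter(Mandatory)][string] $Spec
    )
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.Signing = $true    # integrity-protect and
    $conn.SessionOptions.Sealing = $true    # encrypt the session
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Bind()                            # current Windows credentials

    $req = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $req.DistinguishedName = $DistinguishedName
    [void]$req.Modifications.Add((ConvertFrom-AdModSpec $Spec))

    try {
        $resp = $conn.SendRequest($req)
        $code = $resp.ResultCode
        $err  = $null
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        # Any non-success LDAP result surfaces here; Response.ErrorMessage
        # carries the DC's extended error (the "0000xxxx: AtrErr: ..." text)
        $code = $_.Exception.Response.ResultCode
        $err  = $_.Exception.Response.ErrorMessage
    } finally {
        $conn.Dispose()
    }
    [pscustomobject]@{
        DN            = $DistinguishedName
        Spec          = $Spec
        ResultCode    = $code   # a ResultCode enum value, e.g. AttributeOrValueExists is 20
        ExtendedError = $err
    }
}

# Offline check of the '+' versus '++' rule: Count is the number of values that
# would be sent, 1 (with the ';' kept inside it) versus 2
ConvertFrom-AdModSpec 'description:+:Description 1;Description 2'  | Select-Object Name, Operation, Count
ConvertFrom-AdModSpec 'description:++:Description 1;Description 2' | Select-Object Name, Operation, Count

# Against a DC (placeholder names): the same three steps as the transcript above,
# a second value on the user, then two values at once on its container
# Send-AdModSpec -Server 'dc01.example.com' -DistinguishedName 'CN=someuser,CN=Users,DC=example,DC=com' -Spec 'description:+:Description 1'
# Send-AdModSpec -Server 'dc01.example.com' -DistinguishedName 'CN=someuser,CN=Users,DC=example,DC=com' -Spec 'description:+:Description 2'
# Send-AdModSpec -Server 'dc01.example.com' -DistinguishedName 'CN=Users,DC=example,DC=com' -Spec 'description:++:Description 1;Description 2'
```

The transcript above tells you what those three DC calls look like in joe’s lab: the first add on the user succeeds, the second comes back AttributeOrValueExists (0x14) with the AtrErr / problem 1006 text in ExtendedError, and the ++ add on CN=Users succeeds and leaves the container with three values. Because the verdict is the DC’s, the same probe works for any other attribute you suspect of being SAM-constrained: run it against a user or group and then against an OU or container and compare the two results before anyone says the word “corrupted”.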
Maybe that legacy type stuff will go away but today isn’t looking good, neither is tomorrow.
joe
great article… missing white space here! 😉
Cheers,
“Whore-hey”
Thanks joe. Good stuff! Will also check out XYZ cat litter…