Question

When I lookup a user in AD, can the user have 2 entries across 2 controllers which are different? If lookup #1 returns an entry and a reference, do I need to follow the reference in order to gain additional information regarding the user? Or will the reference have the same information and hence can be ignored?


The solution

userPrincipalName uniqueness is not enforced by Active Directory. It's the applications which create the user object or modify the userPrincipalName that are responsible for making sure it's unique across the forest. If Active Directory detects there is more than one user object with the same userPrincipalName assigned, the user will be unable to logon using that userPrincipalName. Check out this Microsoft KB for details.

There are a lot of reasons that you can receive an LDAP reference result. One common reason is that there are some child domains under a parent domain and you are trying to do a subtree search starting from a parent domain.

The domain controller from the parent domain cannot provide a complete answer to your query because some of the directory partitions are being taken care of by the domain controllers of the child domains. Therefore, it returns you some Subordinate References. It hints the client to follow the reference and get the complete result. For a complete list of reference results, you can check here.

If I understand your question correctly, you run an LDAP query based on the userPrincipalName and already got one entry back from the parent domain. You are asking whether you should stop the query or you should follow the reference and continue the query. I would say you should always follow the reference and continue the query. If you find more than one user object with the same userPrincipalName, you probably want to handle the case properly. For example, like what Windows did, stop the user from logging on or give a warning message somewhere.
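The procedure the answer recommends (follow every subordinate reference, merge the entries from all partitions, then check whether the userPrincipalName maps to more than one object) as an added worked example; this is not code from the original answer. It uses no LDAP library: the forest (a parent domain and one child domain), the referral URLs, the DNs and the `fake_search` function are all constructed in memory so the logic runs offline, and UPNs are compared case-insensitively, which is an assumption made for the example.

```python
"""Follow LDAP subordinate references and flag duplicate userPrincipalName values.

Added example (not from the original answer). The 'forest' below is a constructed
in-memory stand-in for two domain controllers; a real client would issue the
searches over LDAP instead of calling fake_search().
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Union


@dataclass
class Entry:
    """A user object returned as a search result entry."""
    dn: str
    upn: str


@dataclass
class Referral:
    """A subordinate reference: 'the rest of this subtree lives on this server'."""
    url: str


SearchResult = Union[Entry, Referral]
SearchFn = Callable[[str, str], List[SearchResult]]


def search_following_referrals(search: SearchFn, base_url: str, upn: str,
                               max_hops: int = 10) -> List[Entry]:
    """Run the search at base_url, follow every referral it (or a referred
    server) returns, and return the union of entries from all partitions.

    Visited URLs are tracked so a referral loop cannot recurse forever, and
    max_hops bounds the number of servers contacted for one lookup."""
    entries: List[Entry] = []
    visited = set()
    pending = [base_url]
    while pending:
        url = pending.pop()
        if url in visited:
            continue
        if len(visited) >= max_hops:
            raise RuntimeError("referral chase exceeded %d servers" % max_hops)
        visited.add(url)
        for result in search(url, upn):
            if isinstance(result, Entry):
                entries.append(result)
            elif isinstance(result, Referral):
                pending.append(result.url)   # keep chasing until no references remain
    return entries


def find_duplicate_upns(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map each userPrincipalName that occurs on more than one object to the DNs
    carrying it. Assumption for this example: UPNs compare case-insensitively."""
    by_upn: Dict[str, List[str]] = {}
    for e in entries:
        by_upn.setdefault(e.upn.lower(), []).append(e.dn)
    return {upn: dns for upn, dns in by_upn.items() if len(dns) > 1}


# Constructed forest: a parent domain whose DC answers for its own partition and
# hands back a subordinate reference for the child domain's partition.
PARENT = "ldap://dc1.example.com/DC=example,DC=com"
CHILD = "ldap://dc1.child.example.com/DC=child,DC=example,DC=com"
FOREST: Dict[str, List[SearchResult]] = {
    PARENT: [
        Entry("CN=Alice,OU=Users,DC=example,DC=com", "alice@example.com"),
        Entry("CN=Bob,OU=Users,DC=example,DC=com", "bob@example.com"),
        Referral(CHILD),
    ],
    CHILD: [
        # Same UPN assigned again by some provisioning tool: AD does not stop this.
        Entry("CN=Alice Two,OU=Users,DC=child,DC=example,DC=com", "Alice@example.com"),
        Entry("CN=Carol,OU=Users,DC=child,DC=example,DC=com", "carol@child.example.com"),
    ],
}


def fake_search(url: str, upn: str) -> List[SearchResult]:
    """Stand-in for a subtree search filtered on userPrincipalName. A DC returns
    its matching entries plus every subordinate reference, regardless of filter."""
    return [r for r in FOREST.get(url, [])
            if isinstance(r, Referral) or r.upn.lower() == upn.lower()]


def lookup(upn: str):
    """Full lookup as the answer recommends: chase references, then check duplicates."""
    entries = search_following_referrals(fake_search, PARENT, upn)
    return entries, find_duplicate_upns(entries)


if __name__ == "__main__":
    for upn in ("alice@example.com", "carol@child.example.com", "nobody@example.com"):
        found, dups = lookup(upn)
        print(upn, "->", [e.dn for e in found], "DUPLICATE" if dups else "")
```

Stopping after the first entry from the parent DC would have reported exactly one Alice; only after following the reference into the child partition does the collision become visible, which is the point at which an application should refuse the logon or raise a warning, as the answer suggests.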

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow