What happens if two AD objects have the same RDN?

A. Every Active Directory (AD) object has a distinguished name (DN—e.g., CN=John Savill,CN=Users,DC=SavillTech,DC=Com) that uniquely identifies the object and its position in AD. The system also creates a relative distinguished name (RDN), which is a name relative to the container (e.g., CN=John Savill for the user).

Two objects with the same RDN can't exist in one container. For example, in the container CN=Users,DC=SavillTech, CN=John Savill and OU=John Savill are allowed because one is a user and the other is an organisational unit (OU), so their RDNs differ in attribute type. However, two objects both named CN=John Savill aren't allowed.

The only way you can have a duplicate RDN is if two objects are created on different domain controllers (DCs). But at the next replication cycle, the system will rename the older object.

To find objects that the system has renamed because of RDN collisions, use the search.vbs script in \support\tools\support.cab as follows:

cscript search.vbs "LDAP://<server>/dc=<domain>,dc=com" /C:"(CN=*\0ACNF:*)" /P:distinguishedName /S:SubTree

Any matches will display the RDN for the renamed objects.
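As an added example (not part of the original article), the following Python checks a list of DNs for the two situations described above: duplicate RDNs inside one container, and objects carrying the CNF: marker that the search.vbs filter looks for. The DNs and the GUID are constructed, and the conflict-name layout (original value, line feed, "CNF:", GUID) is assumed to match the (CN=*\0ACNF:*) filter shown.

```python
import re
from collections import defaultdict

# Constructed sample listing (not from the article). The third DN mimics the
# name AD gives the loser of a collision: the original RDN value, a line feed
# (0x0A), "CNF:" and the object's GUID, which is what the article's
# (CN=*\0ACNF:*) filter matches. The GUID is a placeholder.
SAMPLE_DNS = [
    "CN=John Savill,CN=Users,DC=SavillTech,DC=Com",
    "OU=John Savill,CN=Users,DC=SavillTech,DC=Com",
    "CN=John Savill\nCNF:00000000-0000-0000-0000-000000000000,CN=Users,DC=SavillTech,DC=Com",
    "CN=Jane Doe,OU=Staff,DC=SavillTech,DC=Com",
    "CN=jane doe,OU=Staff,DC=SavillTech,DC=Com",
]

CNF_MARKER = "\nCNF:"  # line feed followed by "CNF:", as in the LDAP filter


def rdn_and_parent(dn):
    """Return the leading RDN as (attr, value) and the parent container DN.
    Splits only on commas that are not backslash-escaped."""
    parts = re.split(r"(?<!\\),", dn)
    attr, value = parts[0].split("=", 1)
    return (attr, value), ",".join(parts[1:])


def find_rdn_collisions(dns):
    """Map each container to the RDNs that occur more than once inside it.
    AD compares names case-insensitively, and the RDN includes its attribute
    type, so CN=X and OU=X in the same container do not collide."""
    seen = defaultdict(lambda: defaultdict(int))
    for dn in dns:
        (attr, value), parent = rdn_and_parent(dn)
        seen[parent.lower()][(attr.lower(), value.lower())] += 1
    return {parent: [rdn for rdn, n in rdns.items() if n > 1]
            for parent, rdns in seen.items()
            if any(n > 1 for n in rdns.values())}


def find_conflict_renamed(dns):
    """Return (dn, original_value, guid) for objects renamed after a collision."""
    found = []
    for dn in dns:
        (_, value), _ = rdn_and_parent(dn)
        if CNF_MARKER in value:
            original, guid = value.split(CNF_MARKER, 1)
            found.append((dn, original, guid))
    return found


if __name__ == "__main__":
    print(find_rdn_collisions(SAMPLE_DNS))
    print(find_conflict_renamed(SAMPLE_DNS))
```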