After giving this some additional thought, I would like a second bite at the apple so to speak.

Considering the differences between Windows 2003 R2 and Windows 2008 R2 that could impact LDAP search returns in this manner.

1) The schema used by each DC.

The NIS (UNIX/LINUX POSIX) attributes and values were introduced as part of RFC 2307 support that was added in Windows Server 2003 R2 and have remained unchanged through new versions of AD on the Windows server platform.

2) The compatibility level configured for each DC.

This could have an impact, but is untested by me. Regardless, if both DCs are members of the same domain and unless there is an operational need for them to be different, best practice would have them be at the same compatibility level.

3) The size of your AD environment (the enumeration of objects and attributes).

There are two things that could cause this if your environment is very large (say, over 10,000 objects).

a) The SSSD "enumeration" directive.
If "enumeration = true" the daemon will attempt to cache everything it can read from the target directory to enhance local performance. However, if the target user store is large the load on the back end is increased and the local caching facilities will likely become overwhelmed and return inconsistent results. Setting "enumeration = false" basically puts the server into a cache-on-query mode, which is a better idea in nearly all use cases really.

That said, the SSSD config shown has "enumeration = false", so that seems to not be the case here. (It may be worthwhile to put the daemon in debug mode, add "debug_level=7" to the domain section of the sssd.conf file and check the log to verify the setting is in play).

b) LDAP paging constraints
There is a difference in the LDAP query policies between 2003/2008 R2. Basically 2003 R2 has no limits and 2008 R2 limits LDAP responses to 5000 attributes to prevent the DC from being overwhelmed.

Perhaps this is where the issue lies.

To test you could:

- Adjust/retest the SSSD daemon configuration and retest. The default daemon LDAP paging configuration directives are displayed below:

ldap_page_size has value 1000
ldap_disable_paging is FALSE

- Adjust/retest the LDAP query policy settings for your Windows 2008 R2 DC

- Use LDAP search base filter directives, objectClass filters or explicit SSSD access control directive filters to reduce the enumeration of objects and attributes returned in a search. The downside here being in large complex environments filtering becomes limiting from a system functionality and use case perspective pretty quickly. Hence my preference for the next option.

- Join the target box to the domain, configure SASL/GSSAPI authentication and allow them to perform searches using native/inband security and protocols that should mitigate most of the normal LDAP constraints.


-- lawrence
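Added example (not lawrence's code, and not from the thread's actual sssd.conf): a small checker that reads the [domain/...] section of an sssd.conf and applies the three checks from the reply above (enumeration against a large directory, paging disabled, debug_level too low to verify settings). The sample config, the 10,000-object threshold and the defaults used for absent directives are taken from the post; the domain name and URI are constructed placeholders.

```python
import configparser
from typing import Dict, List

# Constructed sssd.conf for illustration only; not the poster's real file.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://dc01.example.com
ldap_schema = rfc2307
enumeration = true
ldap_page_size = 1000
ldap_disable_paging = true
"""

# Values assumed when a directive is absent (the SSSD defaults quoted in the post).
DEFAULTS = {"enumeration": "false", "ldap_page_size": "1000",
            "ldap_disable_paging": "false", "debug_level": "0"}

LARGE_DIRECTORY_OBJECTS = 10000  # the post's threshold for a "very large" directory


def parse_domain_sections(text: str) -> Dict[str, Dict[str, str]]:
    """Return {domain_name: {directive: value}} for every [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None)  # no '%' interpolation in values
    cp.read_string(text)
    return {name.split("/", 1)[1]: dict(cp[name])
            for name in cp.sections() if name.startswith("domain/")}


def check_domain(opts: Dict[str, str], estimated_objects: int) -> List[str]:
    """Apply the post's checks; an empty list means nothing was flagged."""
    cfg = {**DEFAULTS, **opts}
    findings: List[str] = []
    if cfg["enumeration"].lower() == "true" and estimated_objects > LARGE_DIRECTORY_OBJECTS:
        findings.append("enumeration=true against a large directory: local cache may "
                        "return inconsistent results; set enumeration=false")
    if cfg["ldap_disable_paging"].lower() == "true":
        findings.append("ldap_disable_paging=true: unpaged searches run into the 2008 R2 "
                        "LDAP query policy limits; re-enable paging")
    if int(cfg["debug_level"]) < 7:
        findings.append("debug_level below 7: raise it temporarily and confirm in the "
                        "log which settings are actually in play")
    return findings


if __name__ == "__main__":
    for domain, opts in parse_domain_sections(SAMPLE_SSSD_CONF).items():
        print(domain, check_domain(opts, estimated_objects=50000))
```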