Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

"ERROR_DS_NON_BASE_SEARCH" error when you run an LDAP query



Symptoms

Consider the following scenario:

  • You have an Active Directory Domain Services (AD DS) domain or Active Directory LDAP Directory Service (AD LDS) instance that has custom or third-party schema extensions.
  • Your domain controllers (DCs) or LDS servers have Windows Server 2012 R2 or a later version installed.

In this scenario, when you run Active Directory LDAP queries in tools or applications, you receive an error message that resembles the following: 

 

You may notice that the errors occur after you add Windows Server 2012 R2 or newer-based domain controllers or LDS servers, or after you install an application or update that modifies the Active Directory schema.


Cause

The LDAP query finds an object that has an attribute that matches the search criteria. However, that attribute has the fBASEONLY (0x00000800) search flag set. This flag causes the following behavior to occur:

Specifies that the attribute is not to be returned by search operations that are not scoped to a single object. Read operations that would otherwise return an attribute that has this search flag set instead fail with operationsError / ERROR_DS_NON_BASE_SEARCH. (See Search flags)

Searches that use other criteria return the expected results.

An application may search on such attributes for the following reasons:

  • The application reads the aggregate schema and explicitly asks for all known attributes on all queries.
  • The application requests all attributes that it has permission to read. Tools such as LDIFDE and LDP do this, and script runtimes such as ADSI and PowerShell also do this.


Resolution


To resolve this problem, follow these steps:

  1. Note the data value from the error message (in the example in the "Symptoms" section, this value is "-1634973829").
  2. Export the directory schema. To do this, open an administrative Command Prompt window, and then run the following command:
    Ldifde /d "#schemanamingcontext" /f forest-schema.txt
  3. Search the exported schema file for the data value. The value matches the msDS-IntId value that is associated with the attribute in the schema.
  4. Note the distinguished name (dn) of the attribute that has the target msDS-IntId value. For example:

    dn: CN=Contoso-Attr1,CN=Schema,CN=Configuration,DC=contoso,DC=com
    ...
    msDS-IntId: -1634973829

  5. You can resolve the problem by using one of the following methods:
    • Remove the flag from the attributes.

      Note This is the simplest resolution, as long as no other users or applications depend on the flag.
    • Modify the tools or applications that make failed LDAP queries so that their search criteria do not include the affected attributes.

      Note This resolution is more complex and may not be practical. Tools and applications tend to automatically query for and retrieve all readable attributes. This is especially true when they query for common object types.
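The steps above can be carried out against the live schema instead of an LDIFDE export. The following PowerShell script is an added example, not part of the KB article: it looks up the schema attribute whose msDS-IntId equals the data value from the error, reports whether fBASEONLY (0x00000800) is set in its searchFlags, and only clears the bit when -ClearFlag is passed. It assumes the ActiveDirectory module, Schema Admins rights, and a forest whose schema master is reachable; the -1634973829 value is the one quoted in the article.

```powershell
# Added example (not from the KB). Requires the ActiveDirectory module and
# Schema Admins membership; schema writes are directed at the schema master.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Data value from the error message, e.g. -1634973829 (value quoted in the KB)
    [Parameter(Mandatory = $true)]
    [int]$IntId,
    # Omit to only report; pass to remove fBASEONLY from searchFlags
    [switch]$ClearFlag
)

Import-Module ActiveDirectory
$fBASEONLY = 0x00000800   # searchFlags bit described in the Cause section

# Schema changes must be made on the schema master FSMO role holder
$schemaMaster = (Get-ADForest).SchemaMaster
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

# Steps 3 and 4 of the KB: find the attributeSchema object by msDS-IntId
$attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
            -LDAPFilter "(msDS-IntId=$IntId)" `
            -Properties lDAPDisplayName, searchFlags
if (-not $attr) { throw "No schema attribute has msDS-IntId $IntId" }

$flags      = [int]$attr.searchFlags
$isBaseOnly = ($flags -band $fBASEONLY) -ne 0
"{0} ({1}): searchFlags=0x{2:X8} fBASEONLY={3}" -f `
    $attr.lDAPDisplayName, $attr.DistinguishedName, $flags, $isBaseOnly

# Step 5, first method: clear only the fBASEONLY bit, leave other flags intact
if ($isBaseOnly -and $ClearFlag) {
    $newFlags = $flags -band (-bnot $fBASEONLY)
    $action   = "searchFlags 0x{0:X8} -> 0x{1:X8}" -f $flags, $newFlags
    if ($PSCmdlet.ShouldProcess($attr.DistinguishedName, $action)) {
        Set-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName `
            -Replace @{ searchFlags = $newFlags }
    }
}
```

Run it first without -ClearFlag (or with -WhatIf) to confirm that the attribute found is the one named in the exported schema before changing anything.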


References

For more information about the search flag values, see Search flags.


Keywords: LDAP query, LDAP search, schema extension

Article Info
Article ID : 4505437
Revision : 28
Created on : 6/3/2019
Published on : 6/3/2019
Exists online : False
Views : 955