"ERROR_DS_NON_BASE_SEARCH" error when you run an LDAP query

Applies to: Windows Server 2019 (all versions), Windows Server 2016, Windows Server 2012 R2

Symptoms


Consider the following scenario:

  • You have an Active Directory Domain Services (AD DS) domain or Active Directory LDAP Directory Service (AD LDS) instance that has custom or third-party schema extensions.
  • Your domain controllers (DCs) or LDS servers have Windows Server 2012 R2 or a later version installed.

In this scenario, when you run Active Directory LDAP queries in tools or applications, you receive an error message that resembles the following: 

 

You may notice that the errors occur after you add Windows Server 2012 R2 or newer-based domain controllers or LDS servers, or after you install an application or update that modifies the Active Directory schema.

Cause


The LDAP query finds an object that has an attribute that matches the search criteria. However, that attribute has the fBASEONLY (0x00000800) search flag set. This flag causes the following behavior to occur:

Specifies that the attribute is not to be returned by search operations that are not scoped to a single object. Read operations that would otherwise return an attribute that has this search flag set instead fail with operationsError / ERROR_DS_NON_BASE_SEARCH. (See Search flags)

Searches that use other criteria return the expected results.

An application may search on such attributes for the following reasons:

  • The application reads the aggregate schema and explicitly asks for all known attributes on all queries.
  • The application requests all attributes that it has permission to read. Tools such as LDIFDE and LDP do this, and script runtimes such as ADSI and PowerShell also do this.

Resolution



To resolve this problem, follow these steps:

  1. Note the data value from the error message (in the example in the "Symptoms" section, this value is "-1634973829").
  2. Export the directory schema. To do this, open an administrative Command Prompt window, and then run the following command:
    Ldifde /d "#schemanamingcontext" /f forest-schema.txt
  3. Search the exported schema file for the data value. The value matches the msDS-IntId value that is associated with the attribute in the schema.
  4. Note the distinguished name (DN) of the attribute that has the target msDS-IntId value. For example:

    dn: CN=Contoso-Attr1,CN=Schema,CN=Configuration,DC=contoso,DC=com
    ...
    msDS-IntId: -1634973829

  5. You can resolve the problem by using one of the following methods:
    • Remove the flag from the attributes.

      Note This is the simplest resolution, as long as no other users or applications depend on the flag.
    • Modify the tools or applications that make failed LDAP queries so that their search criteria do not include the affected attributes.

      Note This resolution is more complex and may not be practical. Tools and applications tend to automatically query for and retrieve all readable attributes. This is especially true when they query for common object types.
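The following PowerShell script is an added example and is not part of the original article. It carries out steps 1 through 5 of the procedure with the ActiveDirectory RSAT module instead of a manual LDIFDE export: it looks up the attributeSchema object whose msDS-IntId equals the data value from the error message, reports whether fBASEONLY (0x800) is set in its searchFlags, and shows the two resolutions side by side (clearing only that bit on the schema master, and issuing a query whose attribute list excludes the affected attribute). The data value -1634973829 is the one from the article's example and must be replaced with the value from your own error; the schema master lookup, the -WhatIf guard and the sample user query are assumptions made for the example.

```powershell
# Added example (not Microsoft's code). Requires the ActiveDirectory module (RSAT)
# and, for the schema change, membership in Schema Admins.
Import-Module ActiveDirectory

$DataValue = -1634973829      # step 1: data value from the ERROR_DS_NON_BASE_SEARCH message
$fBASEONLY = 0x00000800       # search flag described in the "Cause" section

# Steps 2-4: instead of exporting the schema with LDIFDE and grepping the file,
# query the schema naming context directly for the matching msDS-IntId.
$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=attributeSchema)(msDS-IntId=$DataValue))" `
    -Properties lDAPDisplayName, searchFlags, 'msDS-IntId'

if (-not $attr) {
    throw "No attributeSchema object with msDS-IntId $DataValue was found in $schemaNC"
}

$flags = [int]$attr.searchFlags
$isBaseOnly = (($flags -band $fBASEONLY) -ne 0)
"{0} ({1}): searchFlags=0x{2:X8}, fBASEONLY set: {3}" -f `
    $attr.lDAPDisplayName, $attr.DistinguishedName, $flags, $isBaseOnly

# Step 5, method 1: remove the flag. Only the fBASEONLY bit is cleared so that the
# attribute's other search flags (indexing, confidentiality, RODC filtering, ...) are
# preserved. Schema writes go to the schema master; -WhatIf shows the change without
# applying it. Remove -WhatIf once you have confirmed nothing depends on the flag.
if ($isBaseOnly) {
    $schemaMaster = (Get-ADForest).SchemaMaster     # assumption: forest is reachable
    Set-ADObject -Identity $attr.DistinguishedName `
        -Server $schemaMaster `
        -Replace @{ searchFlags = ($flags -band (-bnot $fBASEONLY)) } `
        -WhatIf
}

# Step 5, method 2: keep the flag and change the query. A subtree search that asks for
# every readable attribute (-Properties *) pulls in the fBASEONLY attribute and fails;
# naming the attributes you actually need excludes it. The filter and attribute list
# here are illustrative.
$wanted = @('sAMAccountName', 'mail', 'whenCreated')     # assumed attribute list
if ($wanted -contains $attr.lDAPDisplayName) {
    Write-Warning ("Attribute {0} is fBASEONLY; remove it from the attribute list " +
                   "or read it with a base-scoped query against a single object.") -f $attr.lDAPDisplayName
}
Get-ADUser -Filter 'enabled -eq $true' -SearchBase $rootDse.defaultNamingContext `
    -SearchScope Subtree -Properties $wanted |
    Select-Object -First 5 -Property $wanted
```

The script prints the attribute's LDAP display name, DN and current searchFlags before touching anything, which is the same information steps 3 and 4 ask you to record. If the flag is needed by another application, leave the Set-ADObject call disabled and apply only the query change.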

References


For more information about the search flag values, see Search flags.