Coming Soon: GET:IT Endpoint Management 1-Day Conference on September 28th at 9:30 AM ET Coming Soon: GET:IT Endpoint Management 1-Day Conference on September 28th at 9:30 AM ET
Exchange Server

Harnessing the Power of Ambiguous Name Resolution (ANR)

Harnessing the power of Ambiguous Name Resolution (ANR)

Understanding ANR

The computer industry loves acronyms. Acronyms save time, instead of having to utter long sentences and waste time; you can speak the latest buzzword in the form of an acronym and in addition to saving time you will also sound cool… The following article deals with such an acronym- ANR.

Since the overuse of acronyms one major issue with ANR as an acronym is that it may be interpreted in different ways. I personally have heard this acronym to be deciphered in the following forms:

Sponsored Content

Say Goodbye to Traditional PC Lifecycle Management

Traditional IT tools, including Microsoft SCCM, Ghost Solution Suite, and KACE, often require considerable custom configurations by T3 technicians (an expensive and often elusive IT resource) to enable management of a hybrid onsite + remote workforce. In many cases, even with the best resources, organizations are finding that these on-premise tools simply cannot support remote endpoints consistently and reliably due to infrastructure limitations.

  1. Ambiguous Name Resolution
  2. Automatic Name Resolution
  3. Address Name Resolution

The good news though is that the form in which you wish to interpret ANR is not important since when you say ANR to a person proficient in Exchange server you can mean only one thing…

Note: This article is published with permission from

What is the definition of ANR?!?!?!?

ANR is the ability of an Exchange/LDAP client to determine information based on partial data. Since we are mainly focused on Exchange server I will emphasize the Exchange related facets of this subject.

  1. When using an Exchange client such as Outlook, a user might enter partial data in the From, To, CC or Bcc fields.
  2. The client, with the help of the Exchange directory will try to match the partial data and provide the address of the matching object.
  3. If an exact match is found then the address representing the matching object will be auto completed.
  4. If an ambiguous match is found then all potential matches are displayed and the client is allowed to choose the object he or she want to use.

By whom and how can ANR be used?

Ambiguous Name Resolution (ANR) can be used by LDAP clients, which in turn makes the process of binding to objects in the directory simpler.

Exchange allows different clients to use the ANR feature – the two major clients to use the feature are Outlook and Outlook Web Access (OWA).

There are two modes of using ANR:

  1. Standard – The user enters a partial string that is matched both exactly and partially against specific attributes in the directory (according to the lists provided earlier for the different versions of Exchange). The results can be either exact or a list of possible matches.
  2. Specific Match– When the client needs the string he is searching for to be exactly matched he or she can submit the string preceded by the equal sign (=Jason).

Understanding ANR (Looking behind the scenes)

The current versions of Exchange (2000/2003) use the Active Directory as their directory service; as such ANR uses the Active Directory when scanning for possible matches. Once the user has entered a piece of partial data specific fields in the directory are scanned and if a match (full or partial is found) the client acts accordingly.

When ANR leaps into action (in a default configuration) it will search the following attribute fields of the Active Directory:

  1. First Name (GivenName)
  2. Last Name (Surname)
  3. Display Name (displayName)
  4. LegacyExchangeDN
  5. msExchMailNickname
  6. Relative Distinguished Name of the object (RDN)
  7. Office (physicalDeliveryOfficeName)
  8. E-mail address (proxyAddress)
  9. Security Account Manager account (sAMAccountName)

When ANR is used in conjunction with Exchange 5.5 it will try to match partial strings with the following attributes:

  1. Last Name (Surname)
  2. Display Name (Display-Name)
  3. Alias Name(Mail-nickname)
  4. Office (Physical-Delivery-Office-Name)
  5. E-mail Addresses (Proxy-Addresses)

Harnessing the power of ANR

In some cases it might be beneficial to include additional attributes to be matched using ANR. As an example a company might want to use a personal identifier when identifying its employees or they might want to include the Description field when ANR is employed.

The benefits are quite obvious, by adding additional attributes to be used by ANR a system manager provides his users with better means of identifying specific users when using Exchange server.

Adding additional attributes to be used by ANR (Exchange 2000/2003

As stated earlier in this document in the case of the current versions of Exchange (2000/2003) the directory service used by Exchange server is the Active directory. Since ANR is not a feature specific to Exchange server, but to the directory service used by Exchange, to add additional attributes to be used by ANR the Active Directory has to be changed.

The Active Directory holds its own mold and it calls it the Schema.

The Schema acts as a mold for the Active Directory since it holds the template for each and every object (and attribute) created inside the Active Directory.

In addition to being a mold for objects the Schema also controls three very important options for each and every attribute:

  1. Indexing – If checked the attribute will be indexed
  2. Ambiguous Name Resolution – If checked the attribute will be used by ANR
  3. Replication of the attribute to a Global Catalog – If checked the attribute will be replicated to all Global Catalogs in the forest.

To have ANR search an additional attribute use the following steps:

  1. Log on to the Domain Controller that serves as the Schema Master of the forest (see Determining FSMO Role Holders for additional info).

Note that you can also perform this operation from a different DC, or even from a workstation computer, as long as you have the ADMINPAK tools installed, and youve logged on as a member of the Schema Admins and Enterprise Admins groups. However, it is preferred to perform this operation on the Domain Controller that serves as the Schema Master of the forest.

  1. Register the Schmmgmt.dll file by running the following command from the Run command:
​regsvr32 schmmgmt.dll
  1. Open Start > Run > MMC.
  2. Open the Console menu and choose Add/Remove Snap-in.
  3. Click Add and choose the Active Directory Schema.
  4. Click Add.
  5. Click Close.
  6. Expand the Active Directory Schema.
  7. Choose the Attributes branch.
  8. Open the properties for the attribute that you want ANR to use.
  9. Check the following boxes
  • Index this attribute in the Active Directory
  • Replicate this attribute to the Global Catalog
  • Ambiguous Name Resolution (ANR)
  1. Click on OK.
  2. Close the management tool.

Warning: Keep in mind that since this procedure may add a new attribute to the Global Catalog it may cause a replication wave throughout your forest. You should plan this procedure to be executed at an idle time for the organization.

Warning: Also, make sure you understand the meaning of editing the Schema. By performing the wrong action or editing the wrong attribute you may very easily wreck your entire Active Directory forest, and will not be able to reverse this operation.

After completing the procedure (and the replication of the attribute) ANR should be able to use it.

Adding additional attributes to be used by ANR (Exchange 5.5)

  1. Start the Microsoft Exchange Server Administrator program in raw mode: <driveLetter>:\exchsrvr\bin\admin /r
  2. On the View menu, click Raw Directory. This adds the Schema container in the left pane.
  3. Double-click the Schema object, and then press the F5 key to refresh the display.
  4. Find the attribute in the list, and then open its properties.
  5. When a message box is displayed, click Yes to view the raw properties of the object.
  6. From the Object attributes list, click the Search-Flags attribute.
  7. In the Edit value box, type a value of either 1 or 2 and then click Set:
  • The value of 1 indexes the attribute
  • The value of 2 indexes the attribute and adds it to ANR
  1. Click OK to close the properties


It is my opinion that a system manager must look at his systems and find ways to improve the services he provides for the users. More then often system managers tend to focus only on the administrative benefits of a system yet system managers must remember that they provide a service to customers, which are the users that use the system. System managers should keep their customers happy by providing beneficial services but in most cases the customers dont know what to ask for.

By expanding the coverage of ANR and educating the users/customers about its benefits a system manager can provide a useful service that will raise the satisfaction of his customers…or in other words, it is there so why not try it?

Note: This article is published with permission from

Related Topics:


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (0)

Leave a Reply

Live Webinar: Active Directory Security: What Needs Immediate Priority!Live on Tuesday, October 12th at 1 PM ET

Attacks on Active Directory are at an all-time high. Companies that are not taking heed are being punished, both monetarily and with loss of production.

In this webinar, you will learn:

  • How to prioritize vulnerability management
  • What attackers are leveraging to breach organizations
  • Where Active Directory security needs immediate attention
  • Overall strategy to secure your environment and keep it secured

Sponsored by: