David,

Not quite correct...

From a logical perspective, your tree has a root NC (DC=XYZ,DC=com) and that
NC contains a subordinate config NC (CN=Configuration,DC=XYZ,DC=com), which
itself contains a subordinate schema NC
(CN=Schema,CN=Configuration,DC=XYZ,DC=com).

When you search the root domain, and you don't use the
LDAP_SERVER_DOMAIN_SCOPE_OID (1.2.840.113556.1.4.1339) control, AD generates
referrals to the subordinate NCs that were included in the scope of your
search so that you can chase the referrals appropriately *even though there
is a replica of that NC on the DC you are searching*. In your case, you get
the referral to the only NC subordinate to the root: CN=Configuration. 

The GC is effectively a separate NC that includes the entire scope of the
forest, so there are no subordinate referrals to be had.

-gil

-----Original Message-----
From: Fugleberg, David A [mailto:david.fugleberg@;nwa.com] 
Sent: Tuesday, October 22, 2002 3:27 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDAP referral during subtree search


I noticed something while doing LDAP searches against AD that I'd like to
understand.  Take the example of a single-domain forest called xyz.com.
User objects are stored in various OUs, and the OUs exist directly under the
domain (OU=orgunit1,DC=xyz,DC=com,   OU=orgunit2,DC=xyz,DC=com,  etc.)

Let's say you want to look for a user object with CN=joeuser, and it might
be anywhere in the OU structure.  You try two different methods:

1. Bind to a Domain Controller on port 389. Issue a subtree search with a
base DN of DC=xyz,DC=com and a filter of (&(cn=joeuser)(objectclass=user)).

2. Bind to a Global Catalog server on port 3268. Issue a subtree search with
a base DN of DC=xyz,DC=com and a filter of
(&(cn=joeuser)(objectclass=user)).

If you do option 1, joeuser is found, and his full DN is returned.  The DC
also returns an LDAP referral to
ldap://xyz.com/CN=Configuration,Dc=xyz,DC=com.

If you do option 2, you still get the DN you wanted but no referral is
returned.

I'm thinking that this is because in option 1, the DC doesn't know whether a
user with CN=joeuser exists in some other domain so it refers you to the
configuration container which should know about other partitions.  The GC,
on the other hand, has full knowledge of the forest so does not need to
return a referral.

Am I on the right track here? Is there more to it than that? The reason
I care is that we have some Java application servers that currently
authenticate against our single-domain AD forest via LDAP.  At first, all
the relevant users were in the Users container, and the app server was
configured like option 1 (using port 389 on a DC) with the search base at
the CN=users level.  That worked fine. Now we have users in other OUs not
under the Users container, and they obviously are never found.  The app
server seems to choke when I make the search base DC=xyz,DC=com, but if I
use Option 2 (against the GC on 3268) it's happy.  The only difference I see
is the absence of that referral.

I think the right thing to do is go ahead and point them at the GC anyhow,
but I just wondered if I'm understanding this correctly. Comments?

Dave 
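The following is an added example, not code from gil, Dave or the list. It models the rule gil states above (a DC answering on port 389 returns a referral for each naming context whose head falls inside the search scope, even when it holds a replica of that NC, unless the LDAP_SERVER_DOMAIN_SCOPE_OID control is attached; the GC on 3268 spans the forest and emits none) and reproduces Dave's two options, plus the earlier CN=Users search base that "worked fine". It also BER-encodes the domain-scope control in the RFC 2251 Control syntax so it can be attached to a search request. Assumptions: the NC list `XYZ_NC_HEADS` is constructed for the single-domain xyz.com forest in the thread, DN parsing ignores escaped commas, and the control is assumed to carry no controlValue.

```python
"""Model of AD subordinate-referral generation and the domain-scope control.

Constructed example for the thread above; it is not an LDAP client and does
not talk to a directory. It encodes the rule gil describes and reproduces
Dave's observations from it.
"""
from typing import Dict, List, Sequence

DOMAIN_SCOPE_OID = "1.2.840.113556.1.4.1339"  # LDAP_SERVER_DOMAIN_SCOPE_OID, from the thread

# Constructed NC layout for the single-domain forest xyz.com discussed above.
XYZ_NC_HEADS = [
    "DC=xyz,DC=com",
    "CN=Configuration,DC=xyz,DC=com",
    "CN=Schema,CN=Configuration,DC=xyz,DC=com",
]


def dn_components(dn: str) -> List[str]:
    """Split a DN into normalised RDNs, most specific first.

    Assumption: no escaped commas inside RDN values.
    """
    return [c.strip().lower() for c in dn.split(",")]


def is_strict_subordinate(dn: str, base: str) -> bool:
    """True when dn lies strictly below base in the directory tree."""
    d, b = dn_components(dn), dn_components(base)
    return len(d) > len(b) and d[len(d) - len(b):] == b


def subordinate_referrals(search_base: str, scope: str, nc_heads: Sequence[str],
                          host: str, port: int = 389,
                          domain_scope: bool = False) -> List[str]:
    """Referral URLs a DC would emit for a search, per gil's rule.

    scope is "base", "onelevel" or "subtree". Port 3268 models the GC, which
    covers the whole forest and so has no subordinate NC to refer to. Setting
    domain_scope models attaching LDAP_SERVER_DOMAIN_SCOPE_OID to the request.
    """
    if port == 3268 or domain_scope or scope == "base":
        return []
    refs: List[str] = []
    for nc in nc_heads:
        if not is_strict_subordinate(nc, search_base):
            continue
        if scope == "onelevel" and len(dn_components(nc)) != len(dn_components(search_base)) + 1:
            continue
        # Only the nearest NC head below the base is referred; an NC nested
        # under it (Schema under Configuration) is reached by chasing that
        # referral, which is why Dave sees a single referral to Configuration.
        if any(other != nc and is_strict_subordinate(other, search_base)
               and is_strict_subordinate(nc, other) for other in nc_heads):
            continue
        refs.append(f"ldap://{host}/{nc}")
    return refs


def encode_domain_scope_control(critical: bool = False) -> bytes:
    """BER-encode Control { controlType LDAPOID, criticality BOOLEAN DEFAULT FALSE }.

    Assumption: the domain-scope control carries no controlValue. Lengths here
    are below 128, so short-form BER length octets are sufficient.
    """
    oid = DOMAIN_SCOPE_OID.encode("ascii")
    body = bytes([0x04, len(oid)]) + oid          # OCTET STRING holding the OID text
    if critical:
        body += b"\x01\x01\xff"                   # BOOLEAN TRUE; FALSE is the default and is omitted
    return bytes([0x30, len(body)]) + body        # SEQUENCE wrapper


def demo() -> Dict[str, List[str]]:
    """Reproduce the observations from the thread with the model above."""
    base = "DC=xyz,DC=com"
    return {
        "option1_dc_389": subordinate_referrals(base, "subtree", XYZ_NC_HEADS, "xyz.com"),
        "option2_gc_3268": subordinate_referrals(base, "subtree", XYZ_NC_HEADS, "xyz.com", port=3268),
        "dc_389_with_domain_scope": subordinate_referrals(base, "subtree", XYZ_NC_HEADS, "xyz.com",
                                                          domain_scope=True),
        # Dave's first setup: no NC head sits under CN=Users, hence no referral.
        "original_users_base": subordinate_referrals("CN=Users,DC=xyz,DC=com", "subtree",
                                                     XYZ_NC_HEADS, "xyz.com"),
        "config_base": subordinate_referrals("CN=Configuration,DC=xyz,DC=com", "subtree",
                                             XYZ_NC_HEADS, "xyz.com"),
    }


if __name__ == "__main__":
    for name, urls in demo().items():
        print(f"{name}: {urls or '(no referral)'}")
    print("domain-scope control:", encode_domain_scope_control().hex())
```

The model shows why the CN=Users search base never produced a referral and why moving the base to the domain root did: the Configuration NC head now sits inside the subtree scope. It also shows the three remedies consistent with the thread: chase the referral, search the GC on 3268, or attach the domain-scope control so the DC confines the result set to the domain NC and emits no referrals.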

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/