Ldap – Domain Controller returns LDAP Referral for its own domain

Tags: active-directory, domain-controller, ldap, windows-server-2008-r2

I have 2 domains, each with 2 Domain Controllers:

  • company.local
  • ad.company.com.au

Both domains are in the same forest and have a bi-directional trust set up. We're migrating to ad.company.com.au at present, but are having some issues with systems that need to query LDAP.

When doing an LDAP search against either Domain Controller in ad.company.com.au we get a referral to company.com.au which is NOT under AD control:

$ ldapsearch -x -h 172.xx.xx.11 -b DC=company,DC=com,DC=au -D "my.username@ad.company.com.au" -W
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <DC=company,DC=com,DC=au> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
# with manageDSAit control
#

# search result
search: 2
result: 10 Referral
text: 0000202B: RefErr: DSID-031007EF, data 0, 1 access points
    ref 1: 'company.
 com.au'

ref: ldap://company.com.au/DC=company,DC=com,DC=au

# numResponses: 1

Note the referral points to company.com.au which AD does NOT control — the domain is ad.company.com.au and it is delegated by the company.com.au nameservers to the 2 DCs.

Querying the Global Catalog on the same server gives us the results we expect.

So why would the Domain Controller for a domain not know about the domain in its LDAP, while the GC does know?

Best Answer

Because you are specifying company.com.au as the search base. If you want to query your domain local partition without getting a referral, use ad.company.com.au as your search base.
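An added example (not from the question or the answer) that checks the two things discussed here: the base DN a domain's DCs actually hold, derived from the DNS name, and whether an ldapsearch result is a referral to a host outside that domain, which matters because a client that chases referrals would send its bind to a server AD does not control. The sample LDIF is the output quoted in the question.

```python
import re

# LDIF quoted in the question above (not constructed); the indented lines are
# LDIF continuation lines that belong to the preceding "text:" value.
SAMPLE_LDIF = """# search result
search: 2
result: 10 Referral
text: 0000202B: RefErr: DSID-031007EF, data 0, 1 access points
    ref 1: 'company.
 com.au'

ref: ldap://company.com.au/DC=company,DC=com,DC=au

# numResponses: 1
"""


def dns_to_base_dn(dns_name: str) -> str:
    """Default naming context for a domain: ad.company.com.au -> DC=ad,DC=company,DC=com,DC=au.
    Searching a DC with any other base (e.g. the parent company.com.au) yields a referral."""
    labels = [l for l in dns_name.strip().strip(".").split(".") if l]
    if not labels:
        raise ValueError("empty DNS name")
    return ",".join(f"DC={l}" for l in labels)


def parse_ldif_referral(ldif_text: str):
    """Return (result code, [referral URLs]) from ldapsearch LDIF output.
    Folded lines (leading space) are re-joined first so values are matched whole."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF line folding: drop the fold space
        else:
            lines.append(raw)
    code, refs = None, []
    for line in lines:
        if m := re.match(r"result:\s+(\d+)", line):
            code = int(m.group(1))        # 10 = referral
        if m := re.match(r"ref:\s+(\S+)", line):
            refs.append(m.group(1))
    return code, refs


def referral_leaves_domain(refs, domain_dns: str) -> bool:
    """True if any referral host is neither the domain nor a host inside it;
    chasing such a referral would hand the bind to a server outside AD."""
    dom = domain_dns.lower()
    for url in refs:
        m = re.match(r"ldaps?://([^/:]+)", url)
        if not m:
            return True                   # unparseable target: treat as outside
        host = m.group(1).lower()
        if host != dom and not host.endswith("." + dom):
            return True
    return False
```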