SUMMARY
Request for Comment (RFC) 2251 defines a referral that makes it possible for a Lightweight Directory Access Protocol (LDAP) server to send the distinguished name (also known as DN) of another LDAP server in response to a client's search request. When a domain controller is presented with a distinguished name on which to base a search, it first looks through the list of CrossRef objects in the configuration container to find the cross-reference with the most name parts in common with the base of the search. Note that the configuration container automatically holds references to all other naming contexts in the forest.
If a CrossRef object is found that matches the search base and the cross-reference corresponds to a naming context (NC) held locally on the domain controller, the search is performed locally. If the matching CrossRef object refers to an NC held elsewhere, the domain controller generates a referral to the server that the CrossRef object points to. If no CrossRef object matches the search base, the domain controller checks whether the CrossRef object for the forest root domain carries a superiorDNSRoot attribute; if it does, the domain controller generates a referral to that location. If it does not, the domain controller falls back to the domain controller naming convention to derive a DNS name from the search base and refers the client there.
Active Directory automatically generates LDAP referrals. However, when a server hosts an NC that does not use the domain controller naming convention, a CrossRef object must be created to override the default behavior. In this case, the nCName attribute should be set to the external NC and the dNSRoot attribute should be set to the FQDN of a server that hosts that NC.
Create a Cross-Reference to an External Domain
- Using the ADSIEdit snap-in in Microsoft Management Console (MMC), connect to the configuration naming context and locate the Partitions container.
- Create a new CrossRef object.
- For the cn attribute, type a meaningful name (for example, the domain name).
- For the nCName attribute, type the distinguished name of the external domain.
- For the dNSRoot attribute, type a real Domain Name System (DNS) name of the server that hosts the naming context.
For example, if you need cross-references to generate LDAP referrals for "mydomain.msft" (assuming that mydomain.msft is external to yourdomain.msft) to the "server1.mydomain.msft" server, set the following properties on the CrossRef object:
- cn=mydomain.msft
- nCName=DC=mydomain,DC=msft
- dNSRoot=server1.mydomain.msft (this name must be resolvable through DNS)
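The following Python model is an added illustration, not Microsoft code or anything from this article. It simulates the referral decision described in the Summary (longest-matching CrossRef, local search versus referral, the superiorDNSRoot fallback and the naming-convention fallback) and then shows what the external CrossRef from the procedure above changes for a search rooted under DC=mydomain,DC=msft. The forest layout, the child domain, the search bases and the ldap://host/DN referral form are constructed sample data; the matching rule (the CrossRef's nCName must be an ancestor of, or equal to, the search base) and the naming-convention fallback (joining the DC= components into a DNS name) are simplifying assumptions, not a specification of the domain controller's exact behaviour.

```python
"""Simplified model of Active Directory LDAP referral generation (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class CrossRef:
    """One crossRef object from the Partitions container (constructed data)."""
    cn: str
    nc_name: str                               # nCName: DN of the naming context
    dns_root: str                              # dNSRoot: DNS name of a hosting server
    superior_dns_root: Optional[str] = None    # superiorDNSRoot, forest root only


def dn_parts(dn: str) -> List[str]:
    """Split a DN into lower-cased RDNs, root first (assumes no escaped commas)."""
    return [p.strip().lower() for p in dn.split(",") if p.strip()][::-1]


def best_cross_ref(cross_refs: List[CrossRef], base_dn: str) -> Optional[CrossRef]:
    """Pick the crossRef whose nCName shares the most leading name parts with base_dn.

    Assumption: only crossRefs whose NC is an ancestor of (or equal to) the search
    base count as matches; the one with the most parts wins.
    """
    base = dn_parts(base_dn)
    best, best_len = None, 0
    for cr in cross_refs:
        parts = dn_parts(cr.nc_name)
        if len(parts) > len(base) or parts != base[:len(parts)]:
            continue
        if len(parts) > best_len:
            best, best_len = cr, len(parts)
    return best


def dns_name_from_dn(base_dn: str) -> str:
    """Domain controller naming convention, simplified: DC=a,DC=b -> a.b."""
    rdns = [p.strip() for p in base_dn.split(",")]
    return ".".join(p.split("=", 1)[1] for p in rdns if p.lower().startswith("dc="))


def resolve_search(cross_refs: List[CrossRef], local_ncs: List[str],
                   base_dn: str, forest_root_cn: str) -> Tuple[str, Optional[str]]:
    """Decide what the DC does with a search rooted at base_dn.

    Returns ("local", None) when the NC is held locally, otherwise
    ("referral", "ldap://<host>/<base_dn>") for the server the client is sent to.
    """
    local = {dn.lower() for dn in local_ncs}
    match = best_cross_ref(cross_refs, base_dn)
    if match is not None:
        if match.nc_name.lower() in local:
            return ("local", None)
        return ("referral", f"ldap://{match.dns_root}/{base_dn}")
    # No matching crossRef: look for superiorDNSRoot on the forest root's crossRef
    root = next((cr for cr in cross_refs if cr.cn.lower() == forest_root_cn.lower()), None)
    if root is not None and root.superior_dns_root:
        return ("referral", f"ldap://{root.superior_dns_root}/{base_dn}")
    # Last resort: derive a DNS name from the search base itself
    return ("referral", f"ldap://{dns_name_from_dn(base_dn)}/{base_dn}")


# Constructed sample forest: root domain yourdomain.msft plus one child domain.
FOREST_ROOT = "yourdomain.msft"
SAMPLE_CROSS_REFS = [
    CrossRef("yourdomain.msft", "DC=yourdomain,DC=msft", "yourdomain.msft"),
    CrossRef("child.yourdomain.msft", "DC=child,DC=yourdomain,DC=msft", "child.yourdomain.msft"),
    CrossRef("Enterprise Configuration", "CN=Configuration,DC=yourdomain,DC=msft", "yourdomain.msft"),
]
LOCAL_NCS = ["DC=yourdomain,DC=msft", "CN=Configuration,DC=yourdomain,DC=msft"]

# The external crossRef with the same values the article's example uses.
EXTERNAL = CrossRef("mydomain.msft", "DC=mydomain,DC=msft", "server1.mydomain.msft")


def demo() -> Tuple[Tuple[str, Optional[str]], Tuple[str, Optional[str]]]:
    """Referral for a search under the external domain, before and after adding EXTERNAL."""
    base = "OU=Sales,DC=mydomain,DC=msft"
    before = resolve_search(SAMPLE_CROSS_REFS, LOCAL_NCS, base, FOREST_ROOT)
    after = resolve_search(SAMPLE_CROSS_REFS + [EXTERNAL], LOCAL_NCS, base, FOREST_ROOT)
    return before, after


if __name__ == "__main__":
    for label, (kind, target) in zip(("before", "after"), demo()):
        print(f"{label}: {kind} {target or ''}")
```

Without the CrossRef, the model falls through to the naming-convention fallback and sends the client to a host named after the DN (mydomain.msft); with it, the referral targets server1.mydomain.msft, which is exactly the override the procedure exists for. The client still has to resolve that name and chase the referral itself.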
Note that this method allows the Active Directory-based server to generate referrals to external domains. The client that sends the request still needs to be able to chase referrals.