LDAP Query to Multiple Trusted Forests

    Question

  • Hi,

    I have a forest setup similar to the following (apologies for the poor diagram)

    I have been trying to query the entire forest structure using port 3268, pointing it at a global catalog on contoso.com, but it keeps failing with invalid-credentials or lookup-referral errors. Is what I am trying to do here even possible, or is there another best-practice method for doing this?

    Thanks in advance

    Regards

    Chris 

    Tuesday, February 12, 2013 8:59 PM

All replies

  • Use dsquery; you do not need to specify the port number for trusted-domain and trusting-domain queries.

    dsquery group "DC=contoso,DC=com" -name "group name" | dsget group -members -expand (When you run the query for a trusted domain from the trusting domain, you have to specify the domain DN.)

    You will find various dsquery commands at the link below.

    http://social.technet.microsoft.com/wiki/contents/articles/2195.dsquery-commands.aspx


    Regards
    Biswajit Biswas

    My Blogs|MCC |TNWiki Ninja

    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin



    Wednesday, February 13, 2013 5:01 AM
  • Hi,

    Thanks for the response. Is this not possible using standard LDAP lookups instead of dsquery? Our application uses LDAP to list user locations within AD and then populates the database with the users' bind details (cn=user,cn=users, etc.). Is using port 3268 just going to return the results for the forest and not the entire structure, including trusted forests?

    Regards

    Chris
    Wednesday, February 13, 2013 6:24 AM
  • Yes, you can. Connect to the trusted domain from ADUC (dsa.msc) and put in your advanced query. Let me know about any further query.

    Regards
    Biswajit Biswas



    Wednesday, February 13, 2013 7:18 AM
  • Hi,

    Thanks again for the response. I don't understand what you mean. I have gone into ADUC and given access to my LDAP lookup account. In my example, that means I have a user in contoso.net and have granted them delegate access to contoso.co.uk. When I try to use an LDAP browser, it keeps prompting for credentials.

    The other issue I have here is that I need a single point of reference for all the forests in my organization, so I can query all areas of any forest, and this should allow LDAP to work. The only idea I had was to pull all forest objects into one LDAP directory and query that. I may have to use a third-party tool to do this, though, unless it's possible in Windows 2008 R2?

    Regards

    Chris  

    Wednesday, February 13, 2013 7:23 PM
  • Yes; you can query all the trusted domains from ADUC, and you don't need any delegation for that; a normal user account is sufficient.

    Regards
    Biswajit Biswas




    Thursday, February 14, 2013 4:39 AM
  • OK, but how can this be done via a third-party LDAP browser/lookup tool? At the moment, the only thing I can think of that might make some sense is that simple bind only works for forest.local and not across forest trusts, but I'm having a hard time clarifying this.

    Regards

    Chris

    Thursday, February 14, 2013 6:19 AM
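As an added example (not code from anyone in this thread), one way to get a single query across the whole trust structure, given that a global catalog only holds objects from its own forest: enumerate the forest trusts and run the same search against each forest's own GC (port 3268, the GC:// ADSI provider) under the logged-on Windows credentials, rather than expecting one GC to answer for all forests. The filter, the attribute list and the assumption that the running account has read access in every trusted forest are illustrative.

```powershell
# Added example: query every forest this account can authenticate to, one GC per forest.
Add-Type -AssemblyName System.DirectoryServices

$Filter     = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=*))"   # illustrative
$Properties = @("distinguishedName", "sAMAccountName", "userPrincipalName")       # illustrative

$current = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# Start with the local forest, then add every forest trust our accounts can use.
# Outbound or Bidirectional means accounts from this forest can authenticate there;
# an Inbound-only trust lets them in, not us.
$forests = @($current.Name)
foreach ($trust in $current.GetAllTrustRelationships()) {
    if ($trust.TrustType -eq 'Forest' -and $trust.TrustDirection -ne 'Inbound') {
        $forests += $trust.TargetName
    }
}

$results = foreach ($forestName in $forests) {
    # GC:// binds to a global catalog of that forest (LDAP port 3268), located via DNS SRV records
    $root     = New-Object System.DirectoryServices.DirectoryEntry("GC://$forestName")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter, $Properties)
    $searcher.PageSize        = 500     # paged results, so the 1000-object server limit is not hit
    $searcher.ReferralChasing = 'None'  # the GC answers for its whole forest; do not follow referrals
    try {
        foreach ($r in $searcher.FindAll()) {
            # @(...)[0] yields $null instead of an error when an attribute is not set
            [pscustomobject]@{
                Forest = $forestName
                DN     = @($r.Properties['distinguishedname'])[0]
                Sam    = @($r.Properties['samaccountname'])[0]
                UPN    = @($r.Properties['userprincipalname'])[0]
            }
        }
    } catch {
        # Typically a forest whose trust does not permit this account, or no reachable GC
        Write-Warning "Query against $forestName failed: $($_.Exception.Message)"
    }
}

$results | Format-Table -AutoSize
```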