Send LDAP query to forest, the query results located in domain inside the forest

  • Question

  • Hi all,

    I have a configuration of 1 forest and 1 domain (total 2 domains, one is the forest and one is the domain, and 2 DCs, one for each).

    The domain is inside the forest - There is Tree root trust between them.


    On the domain I have exchange 2013, The forest contain the security groups.

    So there are two DCs, one for the forest (the forest is also a domain as I understand) and one for the domain.

    I am trying to run LDAP query:

    The query is targeted for the Forest.

    The query is querying a user that is located on the domain.

    I don't get a response because of this; since the forest does not contain the user, it returns an empty list. The question is:

    Is it possible to query the forest and receive results (Can the forest forward the query to the domains?) from the domain ?

    I cannot change the configuration to query the domain and not the forest, since this is legacy code I maintain.

    Thanks

    Wednesday, March 21, 2018 8:39 AM

All replies

  • LDAP query will perform a search according to the criteria you specify.

    If these criteria target a specific domain, you need to change them in order to target a different domain.

    Specifics would depend on the actual query - you might want to provide it if you are looking for a more specific answer.

    Details at

    https://technet.microsoft.com/en-us/library/aa996205(v=exchg.65).aspx

    https://social.technet.microsoft.com/Forums/office/en-US/77e5d1e4-ed3f-429f-8b0b-0c89055bbdaa/ldap-search-base-string?forum=winservergen

    hth
    Marcin

    Wednesday, March 21, 2018 9:48 AM
  • All of your DCs should also be GCs (Global Catalogs). If your query targets the GC port, you will be able to retrieve information on all objects in the forest. The GC is a read only database of all objects in the forest, but only a partial set of the attributes (not all attributes). If what you need is in the partial set, it will work for you. The base of the query would use GC:// instead of LDAP://. See this for reference:

    https://msdn.microsoft.com/en-us/library/ms677936%28v=vs.85%29.aspx

    https://msdn.microsoft.com/en-us/library/ms675564(v=vs.85).aspx


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Wednesday, March 21, 2018 10:07 AM
    Thank you Richard for the detailed explanation, I have done some homework, let's continue.
    I have performed this GlobalCatalogs query:
    PS C:\Users\Administrator> Get-ADForest LH159A.COM | FL GlobalCatalogs
    GlobalCatalogs : {LH159-DC1.LH159.com, LH159A-DC1.LH159A.com}
    PS C:\Users\Administrator> Get-ADForest LH159.COM | FL GlobalCatalogs
    GlobalCatalogs : {LH159-DC1.LH159.com, LH159A-DC1.LH159A.com}

    Also, I have parsed the query I send, the attribute list is:
    msexchimmutableid - replicated
    proxyAddresses - replicated
    userprincipalname - replicated
    msexchmailboxguid - replicated
    legacyexchangedn - replicated
    msexchrecipienttypedetails - replicated
    anr - NOT REPLICATED
    distinguishedname - replicated
    objectguid - replicated

    anr is not an attribute so I assume it should not be replicated..

    My question is, are the global catalogs synced across DCs? I assume they are if the domains are in trust.

    Wednesday, March 21, 2018 12:45 PM
  • First, anr is short for Ambiguous Name Resolution. LDAP converts the filter clause into one that queries several "name" attributes, like displayName, cn, mail, sAMAccountName, givenName and sn, etc. It is designed so you can find people when you know their name, but not which attribute has the name.

    Second, the GC is replicated to all DC's in the forest that also have the GC role. But only attributes in the Partial Attribute Set (PAS) are replicated to the GC's. I doubt that all of the attributes you list are in the PAS. Also, attributes can be added to the set. You can check in your environment by running the following at a command prompt:

    dsquery * "cn=Schema,cn=Configuration,dc=mydomain,dc=com" -Filter "(isMemberOfPartialAttributeSet=TRUE)" -Attr lDAPDisplayName
    

    Substitute your domain for mydomain.com. This outputs the lDAPDisplayName of all attributes in the PAS. But it looks like targeting the GC will not help you in this case, if you need all of those attributes.

    Reference for ANR:

    http://social.technet.microsoft.com/wiki/contents/articles/22653.active-directory-ambiguous-name-resolution.aspx

    Reference for PAS:

    https://social.technet.microsoft.com/wiki/contents/articles/23097.active-directory-attributes-in-the-partial-attribute-set.aspx


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    • Marked as answer by ilan.sch Thursday, March 22, 2018 7:38 AM
    Wednesday, March 21, 2018 1:05 PM
  • Hi Richard, I am having progress. Thanks for your help !

    Remember, LH159 is the forest, LH159A is the Domain

    First of all, I went to the forest, opened Active Directory Sites and Services, browsed to Sites->Default-First-Site-Name->Servers and saw both DCs have Global Catalog enabled.
    Then I opened mmc.exe, snapped in the Active Directory Schema, went over all the query attributes and made sure they have "Replicate this attribute to the Global Catalog" enabled.

    Next I ran the following test: query a user that exists inside the Domain, from a machine that is inside the domain, but the query destination is the Forest.
    This means:
    Opened LDP.exe from a machine in the Domain (LH159A), connected to the forest machine LH159 on port 3268, selected as Base DN: DC=LH159A,DC=com
    Then I executed my query and received a response.
    This means that the GC search is valid.
    See photo attached. So I assume I need to see via the C++ code (wrapper for winldap.h) how to force it to query the GC.



    • Edited by ilan.sch Wednesday, March 21, 2018 2:12 PM
    • Marked as answer by ilan.sch Thursday, March 22, 2018 7:38 AM
    Wednesday, March 21, 2018 2:11 PM
  • Good work so far. I think you just need to specify the GC port, which is 3268 (instead of the normal port 389). It could be something like base DN "GC://DC=LH159A,DC=com", or "LH159A.com:3268".

    Edit: Does this help?

    https://msdn.microsoft.com/en-us/library/aa366938(v=vs.85).aspx


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)



    Wednesday, March 21, 2018 9:47 PM
  • Hi,

    I finally solved it. The problem was in the baseDN (in the code, the base DN is not part of the filter, it's a property; in ldp.exe I set it manually). The baseDN was set to the forest, and the data and query are targeting the domain, so I need to set the baseDN to be on the domain also.


    Thanks a lot for the assistance, I have learned a lot in the past day.


    • Edited by ilan.sch Thursday, March 22, 2018 7:38 AM
    Thursday, March 22, 2018 7:37 AM
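One way to put the two points of this thread into practice, the PAS check from Richard's dsquery answer and the GC-port search with the child domain as base DN from the final posts, as an added PowerShell example that is not code from the thread. It assumes the RSAT ActiveDirectory module; the DC host name LH159-DC1.LH159.com and base DN DC=LH159A,DC=com are taken from the thread, the user name jdoe is a placeholder.

```powershell
Import-Module ActiveDirectory
function ConvertTo-LdapFilterValue([string]$Value) {
    # Escape the RFC 4515 special characters so a supplied name cannot change the filter.
    foreach ($pair in @(@('\','\5c'), @('*','\2a'), @('(','\28'), @(')','\29'), @("`0",'\00'))) {
        $Value = $Value.Replace($pair[0], $pair[1])
    }
    $Value
}

# Which of the attributes the legacy query asks for are in the Partial Attribute Set?
# Anything outside the PAS is absent from the GC, so a GC search can neither filter
# on it nor return it.
function Get-PasCoverage {
    param([string[]]$Attributes, [string]$Server = 'LH159-DC1.LH159.com')  # forest-root DC from the thread
    $schemaNc = (Get-ADRootDSE -Server $Server).schemaNamingContext
    $pas = Get-ADObject -Server $Server -SearchBase $schemaNc `
        -LDAPFilter '(isMemberOfPartialAttributeSet=TRUE)' -Properties lDAPDisplayName |
        Select-Object -ExpandProperty lDAPDisplayName
    foreach ($attr in $Attributes) {
        [pscustomobject]@{
            Attribute = $attr
            # 'anr' is a filter keyword resolved against name attributes, not a schema attribute
            InPAS     = ($attr -eq 'anr') -or ($pas -contains $attr)
        }
    }
}

# Search the GC (port 3268, GC:// provider) but with the child domain as base DN:
# the forest-root GC holds a read-only copy of every object in the forest, yet the
# base DN must still name the partition that owns the user or the result set is empty.
function Search-UserViaGC {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [string]$GcHost = 'LH159-DC1.LH159.com',   # GC on the forest root, from the thread
        [string]$BaseDn = 'DC=LH159A,DC=com'       # child domain, as in the thread
    )
    $root     = New-Object System.DirectoryServices.DirectoryEntry("GC://$GcHost/$BaseDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.SearchScope = 'Subtree'
    $searcher.Filter = "(&(objectCategory=person)(anr=$(ConvertTo-LdapFilterValue $UserName)))"
    foreach ($a in 'userPrincipalName','proxyAddresses','msExchMailboxGuid','legacyExchangeDN') {
        [void]$searcher.PropertiesToLoad.Add($a)
    }
    $searcher.FindAll()
}

Get-PasCoverage -Attributes 'msExchImmutableId','proxyAddresses','userPrincipalName',
    'msExchMailboxGuid','legacyExchangeDN','msExchRecipientTypeDetails','anr','objectGUID' |
    Format-Table -AutoSize
Search-UserViaGC -UserName 'jdoe' | ForEach-Object { $_.Properties['userprincipalname'] }
```

If Get-PasCoverage reports an attribute as not in the PAS, the GC search will return the user but silently omit that attribute; either add it to the PAS via the schema snap-in as described in the thread, or query that domain's DC on port 389 for it.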