Adamsync support for multiple domains

  • Question

  • I’m using AD LDS to consolidate multiple domains and forests into a single LDAP engine; I also use the Bind Redirect feature to get the password from the original AD DCs.

    I have multiple domains in multiple forests

    DomainA
    DomainB
    DomainC

    From my application I want to be able to search the AD LDS instance created, and get the user information from the three domains, even if I have a user with the same sAMAccountName in different forests.

    So my idea was to create one container in AD LDS for each domain and then synchronize each AD DC to each container in Ad LDS.

    Unfortunately, in the XML configuration file for each domain I can’t specify any <target-dn> that isn’t the root application directory partition that I created for my AD LDS instance. If I choose, for example, “cn=domainA,dc=domain,dc=com” when I specified at AD LDS instance creation that the application directory partition was “dc=domain,dc=com”, I get an error in ADAMSync saying “The Target partition given was not the head of a partition. Adamsync cannot continue".

    Is there any workaround for this problem?


    Thank you,

    Paulo

    Thursday, November 4, 2010 11:24 PM

Answers

  • I'm not the expert here either, but this works for me :-)

    Create four partitions (of type domainDNS) as follows:

    • DC=contoso,DC=com
    • DC=ForestA,DC=contoso,DC=com
    • DC=ForestB,DC=contoso,DC=com
    • DC=ForestC,DC=contoso,DC=com

    Create some user objects in the partitions ForestA, ForestB and ForestC.

    Change the search options in LDP.EXE to enable “chase referrals”.

    Search for your users (e.g. with a filter of “(objectClass=User)”) using a base DN of DC=contoso,DC=com with Subtree search enabled. This should find all users in all four partitions. In other words, you don’t need to manually create any crossRef objects or create DNS records for this to work.

    Obviously, this will only work if your LDAP client (application) is capable of chasing referrals.

    Alexei

    • Marked as answer by Bruce-Liu Friday, December 3, 2010 12:12 PM
    Wednesday, November 10, 2010 2:23 AM
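The accepted answer depends on the application being able to chase referrals. The following PowerShell script is an added example, not code from the thread, that searches the AD LDS instance from the head partition with System.DirectoryServices, lets the client follow subordinate referrals into the per-forest partitions from Alexei's answer, and tags each result with the partition it came from so that two users sharing a sAMAccountName in different forests stay distinguishable. The host name, port, bind identity and credential are placeholders; the four partition DNs are the ones from the answer.

```powershell
# Added example, not code from the thread. Searches an AD LDS instance from the head
# partition and lets the client follow subordinate referrals into the per-forest
# partitions from Alexei's answer. Host, port, bind DN and credential are placeholders.
Add-Type -AssemblyName System.DirectoryServices

$ldsHost = 'adlds01.contoso.com'      # placeholder: AD LDS server
$ldsPort = 50636                      # placeholder: SSL port of the instance
$headDn  = 'DC=contoso,DC=com'        # the partition the search starts from
$forestPartitions = @(                # the subordinate partitions from the answer
    'DC=ForestA,DC=contoso,DC=com',
    'DC=ForestB,DC=contoso,DC=com',
    'DC=ForestC,DC=contoso,DC=com'
)

# Bind over SSL: bind redirection (userProxy objects) relies on a simple bind,
# so the password must not travel in clear text.
$cred = Get-Credential -Message 'AD LDS bind identity (e.g. a userProxy DN)'
$root = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://${ldsHost}:${ldsPort}/${headDn}",
    $cred.UserName,
    $cred.GetNetworkCredential().Password,
    [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer
)

$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter      = '(objectClass=user)'
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
$searcher.PageSize    = 500
# Subordinate: follow referrals only into naming contexts below the search base.
# 'All' would also let the client follow referrals to other hosts.
$searcher.ReferralChasing = [System.DirectoryServices.ReferralChasingOption]::Subordinate
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'distinguishedName'))

$results = foreach ($entry in $searcher.FindAll()) {
    $dn = ($entry.Properties['distinguishedname'] -join '')
    # Attribute each hit to its partition so duplicate sAMAccountNames across
    # forests remain distinguishable to the calling application.
    $partition = $forestPartitions |
        Where-Object { $dn.EndsWith($_, [System.StringComparison]::OrdinalIgnoreCase) } |
        Select-Object -First 1
    if (-not $partition) { $partition = $headDn }
    [pscustomobject]@{
        Partition      = $partition
        sAMAccountName = ($entry.Properties['samaccountname'] -join '')
        DN             = $dn
    }
}

$results | Sort-Object Partition, sAMAccountName | Format-Table -AutoSize

# Users that share a sAMAccountName in more than one forest appear once per partition:
$results | Group-Object sAMAccountName | Where-Object Count -gt 1 |
    ForEach-Object { '{0} exists in: {1}' -f $_.Name, (($_.Group.Partition | Sort-Object -Unique) -join ', ') }
```

Two design choices matter here. ReferralChasingOption.Subordinate is used instead of All so the client only follows referrals into partitions beneath the search base, not to whatever external host a referral might name. And because the thread's setup uses bind redirection, the bind is a simple bind, which is why the connection is made with SecureSocketsLayer against the instance's SSL port rather than the plain LDAP port.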

All replies

  • Hi Paulo

    This appears to be a limitation introduced in 2008:

    If you are preparing to synchronize an AD LDS instance on a computer running Windows Server 2008, you must specify a naming context head as the value for <target-dn>. If you do not specify a naming context head as the distinguished name of the target AD LDS instance in the configuration file, the following error message appears when you attempt to run adamsync in the next step: "The target partition given was not the head of a partition. AdamSync cannot continue."

    http://technet.microsoft.com/en-us/library/cc794836(WS.10).aspx

    The only workaround I can think of is to create a separate partition within the ADLDS instance for each source forest.

    Alexei


    Friday, November 5, 2010 1:05 AM
  • Well... the issue that I see with that solution is the fact that we will not be able to do an LDAP search against all the partitions... or am I wrong?

    Thank you,

    Paulo

    Friday, November 5, 2010 4:30 PM
  • Hi Paulo

    ADLDS supports LDAP referrals, so this approach should be possible.

    http://technet.microsoft.com/en-us/library/cc786123(WS.10).aspx

    Alexei

    Friday, November 5, 2010 6:41 PM
  • Hi Alexei,

    As you can see, I'm just starting in the AD LDS world... I did some research and the only place where I can create a crossRef object was in CN=Configurations,CN=Partitions...

    How can I create referrals in my AD LDS structure? Can you give me some links with examples?

    Thank you,

    Paulo

    Tuesday, November 9, 2010 4:48 PM
  • Hi,

    I am new to AD LDS and just want to know if I understood your answer.

    I have a single multidomain forest (parent domain with child domains). I need to synchronize all forest users to an AD LDS server. Should I create an AD LDS instance for each domain, or can all users be synchronized to a single partition?

    Thanks,

    Yassine

    Tuesday, December 14, 2010 4:22 PM
  • It's simple to fix. Just unpack and replace the original adamsync.exe file with the version from Windows 2003.
    • Proposed as answer by Fredless Tuesday, October 15, 2013 6:12 AM
    Tuesday, September 25, 2012 4:23 AM