
LDAP lookup against AD with multiple domains


Article ID: 159433




Data Loss Prevention Enforce


If there is a top-level domain with multiple domains under it, there is a way for the LDAP lookup to search the Global Catalog of an Active Directory (AD) forest. Usually the domains are segmented, which makes it hard to walk the whole forest, or you may run into issues with multiple result sets: the lookup then returns an array rather than a single string and therefore fails.

Please note: The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.

References: "What Is the Global Catalog?"; "Global Catalog and LDAP Searches"


Rather than going to port 389 (the standard per-domain LDAP port), point the lookup at port 3268, which is the Global Catalog port!

For example, the customer I am at has the following tree structure.

Top Company:

Domain 1:

Domain 2:

Domain 3:


Then in the LDAP lookup set the following:


Port = 3268

Basedn =


Search criteria (the Enforce lookup syntax is attr.<Name> = <search base>:<filter>:<attribute to return>; the filter below opens with the LDAP OR operator `(|` so that the three conditions are combined and the parentheses balance):

attr.First\ Name = DC=corp,DC=company,DC=com:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)):mail
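The following Python script is an added example; it is not part of the KB article and not Symantec's own code. It assembles a lookup line in the attr.<Name> = <base>:<filter>:<attribute> form shown above, substitutes the $sender-email$ / $file-owner$ / $endpoint-user-name$ variables with RFC 4515 escaping (so a value containing `(`, `)` or `*` cannot alter the filter), checks that the filter's parentheses balance, and reproduces the two failure modes the article names: more than one matching entry, and an attribute that comes back as an array rather than a single string. The port constants and the sample entries are constructed for the example; the function names are this example's own.

```python
"""Added example: build and sanity-check a DLP-style LDAP lookup against the
Global Catalog, and validate the shape of the result the lookup expects."""
import re

# Ports as the article describes them; 3269 is the standard LDAPS Global
# Catalog port (assumption, not stated on the page).
DOMAIN_LDAP_PORT = 389         # per-domain LDAP, subject to referrals
GLOBAL_CATALOG_PORT = 3268     # Global Catalog, whole forest, no referrals
GLOBAL_CATALOG_SSL_PORT = 3269 # Global Catalog over TLS

# RFC 4515 escaping for values substituted into a search filter.  Without this,
# a sender address such as "x)(objectClass=*" would rewrite the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape one attribute value for safe use inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template, variables):
    """Replace $name$ tokens (e.g. $sender-email$) with escaped values."""
    def substitute(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"no value supplied for ${name}$")
        return escape_filter_value(variables[name])
    return re.sub(r"\$([A-Za-z0-9-]+)\$", substitute, template)


def is_balanced(ldap_filter):
    """True when every '(' in the filter has a matching ')'."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def build_lookup_line(attr_name, base_dn, filter_template, result_attr):
    """Assemble the Enforce lookup syntax attr.<Name> = <base>:<filter>:<attribute>."""
    if not is_balanced(filter_template):
        raise ValueError(f"unbalanced parentheses in filter: {filter_template}")
    return f"attr.{attr_name} = {base_dn}:{filter_template}:{result_attr}"


def single_value(entries, attr):
    """Return the one string a lookup must yield; raise on the failure modes
    the article warns about (several entries, or a multi-valued attribute)."""
    if len(entries) != 1:
        raise LookupError(f"expected exactly one entry, got {len(entries)}")
    values = entries[0].get(attr, [])
    if len(values) != 1:
        raise LookupError(f"{attr} has {len(values)} values; lookup needs a single string")
    return values[0]


if __name__ == "__main__":
    # Constructed sample data standing in for a Global Catalog search result.
    template = ("(|(mail=$sender-email$)(sAMAccountName=$file-owner$)"
                "(sAMAccountName=$endpoint-user-name$))")
    print(build_lookup_line("First\\ Name", "DC=corp,DC=company,DC=com", template, "mail"))
    rendered = render_filter(template, {"sender-email": "jdoe@corp.company.com",
                                        "file-owner": "jdoe",
                                        "endpoint-user-name": "j)(cn=*"})
    print(f"port {GLOBAL_CATALOG_PORT}: {rendered}")
    print(single_value([{"mail": ["jdoe@corp.company.com"]}], "mail"))
```

The escaping step is the part to keep even if the rest is discarded: the three `$...$` variables are attacker-influenced (a sender address or a file owner name), so substituting them unescaped into the filter is an LDAP filter injection. The balance check catches the stray `))` that the original article's filter had before the `(|` was restored.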