LDAP lookup against AD with multiple domains

book

Article ID: 159433

calendar_today

Updated On:

Products

Data Loss Prevention Enforce

Issue/Introduction

If there is a top Level Domain and then multiple domains under it there IS a way for the LDAP to search through the Global catalog of people of an Active Directory (AD)  Usually the domains are segmented and hard to walk through the whole forest or you may run into issues with multiple result sets, which may as a result not return a single string but an array, thus will fail.

Please note: The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.

References:
http://technet.microsoft.com/en-us/library/cc728188%28WS.10%29.aspx ( What Is the Global Catalog? )
http://technet.microsoft.com/en-us/library/cc978012.aspx ( Global Catalog and LDAP Searches  )

Resolution

Rather than going to port 389 (standard) you would go to port 3268 which is for the Global Address book! 

For example the customer I am at has the following tree structure.

Top Company: corp.company.com

Domain 1: xzy.company.com

Domain 2: 123.company.com

Domain 3: abc.company.com

 

Then in the LDAP lookup set the following:

 

Port = 3268

Basedn =

 

Search criteria:

Attr.First\ Name = DC=corp,DC=company,DC=com: (mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)):mail