Request for Comments (RFC) 2251 defines a referral mechanism that permits a Lightweight Directory Access Protocol (LDAP) server to send the distinguished name (DN) of another LDAP server in response to a search request from a client. When a domain controller (DC) is presented with a DN to start a search from, it first queries the list of crossRef objects in the configuration container to find the best match. For a crossRef object to qualify as a potential match for a DN, the nCName attribute of the crossRef object must be an exact substring of the DN. From this list of potential crossRef object matches, the object with the longest nCName attribute is selected as the best match.
The configuration container automatically holds references to all naming contexts (NCs) in the forest.
- If a crossRef object that matches the search criteria is found and the crossRef object corresponds to an NC that is on the domain controller, the search is performed locally.
- If a crossRef object that matches the search criteria is found and it refers to an NC that is held elsewhere, the domain controller generates a referral based on the dnsRoot attribute of the crossRef object.
- If a crossRef object that matches the search criteria is not found, the domain controller determines whether a superiorDNSRoot attribute exists for the crossRef object in the forest root domain. If it does exist, the domain controller generates a referral to that location. If it does not exist, the domain controller tries to use the DC naming convention to generate a DNS name for the client referral.
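The following is an added example, not code from the original article, that simulates the selection rules above: it finds every crossRef whose nCName is a trailing part of the search base DN, picks the one with the longest nCName, and then decides between a local search, a referral built from dnsRoot, a referral to a superiorDNSRoot, and the DC-naming-convention fallback. The forest layout, the DC's local NCs and the ldap:// referral URL shape are constructed for illustration.

```python
"""Simulate crossRef lookup and referral generation on a domain controller.

Added illustration; the crossRef list, the local NC set and the
superiorDNSRoot value are constructed sample data, not read from a directory.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class CrossRef:
    cn: str        # cn of the crossRef object under CN=Partitions
    nc_name: str   # nCName: DN of the naming context (NC)
    dns_root: str  # dnsRoot: DNS name of the NC, or FQDN of a server hosting it


def _rdns(dn: str) -> list[str]:
    # Split a DN into normalized RDNs. AD DNs are case-insensitive; this simple
    # split does not handle escaped commas (a simplification for the example).
    return [part.strip().lower() for part in dn.split(",") if part.strip()]


def nc_contains(nc_name: str, dn: str) -> bool:
    # The nCName qualifies when its RDNs form the tail of the search DN, i.e.
    # the "exact substring" rule, compared RDN by RDN rather than by characters.
    nc, target = _rdns(nc_name), _rdns(dn)
    return 0 < len(nc) <= len(target) and target[-len(nc):] == nc


def best_crossref(search_base: str, crossrefs: Iterable[CrossRef]) -> Optional[CrossRef]:
    # Collect every potential match, then prefer the longest nCName (most RDNs).
    matches = [c for c in crossrefs if nc_contains(c.nc_name, search_base)]
    if not matches:
        return None
    return max(matches, key=lambda c: len(_rdns(c.nc_name)))


def dn_to_dns(dn: str) -> str:
    # DC naming convention: DC=rootb,DC=mydomain,DC=com -> rootb.mydomain.com
    labels = [r.split("=", 1)[1] for r in _rdns(dn) if r.startswith("dc=")]
    if not labels:
        raise ValueError(f"no DC= components in {dn!r}")
    return ".".join(labels)


def resolve(search_base: str,
            crossrefs: Iterable[CrossRef],
            local_ncs: Iterable[str],
            superior_dns_root: Optional[str] = None) -> Tuple[str, str]:
    """Return ("local", nc_name) or ("referral", ldap_url) for a search base."""
    local = {n.lower() for n in local_ncs}
    cr = best_crossref(search_base, crossrefs)
    if cr is not None:
        if cr.nc_name.lower() in local:
            return ("local", cr.nc_name)          # NC is held on this DC
        return ("referral", f"ldap://{cr.dns_root}/{cr.nc_name}")
    if superior_dns_root:                         # superiorDNSRoot on forest root
        return ("referral", f"ldap://{superior_dns_root}/{search_base}")
    # Last resort: derive a DNS name from the DN's DC= components.
    return ("referral", f"ldap://{dn_to_dns(search_base)}/{search_base}")


# Constructed sample: forest A (mydomain.com, child.mydomain.com) plus a
# manually created crossRef for forest B's root, as described in the article.
FOREST_A_ONLY = [
    CrossRef("MYDOMAIN", "DC=mydomain,DC=com", "mydomain.com"),
    CrossRef("CHILD", "DC=child,DC=mydomain,DC=com", "child.mydomain.com"),
]
WITH_ROOTB = FOREST_A_ONLY + [
    CrossRef("ROOTB", "DC=rootb,DC=mydomain,DC=com", "rootb.mydomain.com"),
]
ROOT_DC_NCS = ["DC=mydomain,DC=com"]  # a DC in the forest root domain


if __name__ == "__main__":
    base = "OU=Sales,DC=rootb,DC=mydomain,DC=com"
    # Without the crossRef, the forest-root NC is the best match and the DC
    # searches locally instead of referring the client to forest B.
    print(resolve(base, FOREST_A_ONLY, ROOT_DC_NCS))
    # With the crossRef, the longer nCName wins and a referral is generated.
    print(resolve(base, WITH_ROOTB, ROOT_DC_NCS))
```

The first call shows the situation the article warns about: with no crossRef for rootb.mydomain.com, the DC treats the DN as part of its own namespace. The second call shows the added crossRef winning the longest-nCName comparison and producing the referral.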
Active Directory automatically generates LDAP referrals. However, if a namespace exists that is subordinate in the DNS hierarchy to an existing Active Directory forest, domain controllers in the superior forest do not generate referrals to NCs in the subordinate namespace. For example, assume the following forest structure:
Forest A
    mydomain.com (root)
        child.mydomain.com
Forest B
    rootb.mydomain.com (root)
        childb.rootb.mydomain.com
In this example, domain controllers in forest A do not generate referrals for any domain in forest B because a domain controller assumes that it has full knowledge of the namespace below any NCs that it holds.
CrossRef objects must be created if client referrals are required.

If the subordinate namespace uses the DC naming convention, set the nCName attribute to the DN of the NC, and set the dnsRoot attribute to the DNS name of the NC.

In this example, the following crossRef object is created in the configuration container of the Mydomain.com forest:

CN=ROOTB,CN=Partitions,CN=Configuration,DC=mydomain,DC=com

This object has the following attributes:

nCName: DC=rootb,DC=mydomain,DC=com
dnsRoot: rootb.mydomain.com

If the external NC does not use the DC naming convention, the dnsRoot attribute of the crossRef object must be set to the fully qualified domain name (FQDN) of a server that hosts the NC.
To Create a Cross-Reference to an External Domain
- Start ADSI Edit.
- Expand Configuration, expand CN=Configuration, and then expand DC=Domain, DC=com.
- Right-click CN=Partitions, point to New, and then click Object.
- In the Select a class box, click crossRef, and then click Next.
- In the Value box for Attribute: cn, type a meaningful name, and then click Next.
- In the Value box for Attribute: nCName, type the DN for the external domain, and then click Next.
- In the Value box for Attribute: dnsRoot, do one of the following (as appropriate to your situation), and then click Next:
    - If the subordinate namespace uses the DC naming convention, type the DNS name of the root domain of the namespace.
    - If the subordinate namespace does not use the DC naming convention, type the DNS name of a server that hosts the NC.
- Click Finish.
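As an added example (not from the article, and not a Microsoft tool), the following Python script produces the same crossRef object that the ADSI Edit steps above create, but as an LDIF add record that can be imported with ldifde. It applies the dnsRoot rule from the steps: when the NC follows the DC naming convention, dnsRoot is the DNS name of the NC; otherwise a hosting server's FQDN must be supplied. The ROOTB values are the ones given in the article; the non-DC-naming sample (an O=/C= style NC and its host) is constructed.

```python
"""Build an LDIF 'add' record for a crossRef object under CN=Partitions.

Added illustration. ROOTB values come from the article; the external
O=ExtOrg,C=US naming context and ldap1.extorg.example host are constructed.
"""
from __future__ import annotations

import re
from typing import Optional


def dns_to_dn(dns_name: str) -> str:
    # DC naming convention: rootb.mydomain.com -> DC=rootb,DC=mydomain,DC=com
    labels = [l for l in dns_name.strip().rstrip(".").split(".") if l]
    if not labels:
        raise ValueError(f"empty DNS name: {dns_name!r}")
    return ",".join(f"DC={l}" for l in labels)


def follows_dc_naming(nc_name: str, dns_name: str) -> bool:
    # True when the NC's DN is exactly the DC= form of its DNS name.
    normalized = ",".join(p.strip() for p in nc_name.split(","))
    return normalized.lower() == dns_to_dn(dns_name).lower()


def choose_dns_root(nc_name: str, nc_dns_name: str,
                    hosting_server: Optional[str] = None) -> str:
    # Mirrors the two choices in the dnsRoot step: NC DNS name for
    # DC-naming-convention namespaces, otherwise the FQDN of a hosting server.
    if follows_dc_naming(nc_name, nc_dns_name):
        return nc_dns_name
    if not hosting_server:
        raise ValueError("NC does not use the DC naming convention; "
                         "dnsRoot must be the FQDN of a server hosting it")
    return hosting_server


def crossref_ldif(cn: str, nc_name: str, dns_root: str, forest_root_dn: str) -> str:
    # cn becomes an RDN, so restrict it to characters that need no escaping.
    if not re.fullmatch(r"[A-Za-z0-9_-]+", cn):
        raise ValueError(f"cn must be alphanumeric/_/-: {cn!r}")
    dn = f"CN={cn},CN=Partitions,CN=Configuration,{forest_root_dn}"
    return "\n".join([
        f"dn: {dn}",
        "changetype: add",
        "objectClass: crossRef",
        f"cn: {cn}",
        f"nCName: {nc_name}",
        f"dnsRoot: {dns_root}",
        "",
    ])


def build_rootb_example() -> str:
    # The article's crossRef for forest B's root, created in the mydomain.com forest.
    nc = "DC=rootb,DC=mydomain,DC=com"
    return crossref_ldif("ROOTB", nc, choose_dns_root(nc, "rootb.mydomain.com"),
                         "DC=mydomain,DC=com")


def build_external_example() -> str:
    # Constructed: an NC outside the DC naming convention, so a server FQDN is required.
    nc = "O=ExtOrg,C=US"
    return crossref_ldif("EXTORG", nc,
                         choose_dns_root(nc, "extorg.example", "ldap1.extorg.example"),
                         "DC=mydomain,DC=com")


if __name__ == "__main__":
    print(build_rootb_example())
    print(build_external_example())
```

Save the output as a .ldf file and import it on a DC with `ldifde -i -f crossref.ldf` (run as an account allowed to create objects under CN=Partitions); the resulting object carries the same cn, nCName and dnsRoot values the ADSI Edit procedure asks for.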