Bizarre LDAP referral behavior in Windows 2003 AD




I will try to be brief with this message, but this is a very strange problem
I am seeing. I have a Microsoft 2003 Active Directory installation with about
12 DCs. All the DCs are GCs and all are part of the same domain. No child
domains. DNS is integrated into AD. Replication and DNS are working fine.

The strange behavior I am seeing is when we do an LDAP query from the top
level domain name, let's say dc=test,dc=net, using a non-Microsoft LDAP browser
or from our BEA WebLogic server running on Unix, we get a subordinate
referral to the following locations...

forestdnszones.test.net
domaindnszones.test.net
test.net

And we get back the expected results after running through all the
referrals.

The query is a simple user lookup for validation in a web application. The
query looks like this ...

Base Search DN= dc=test,dc=net
(&(sAMAccountName=joetest)(objectclass=user))

Yet if I change the base search DN to cn=users,dc=test,dc=net and run the
same query, I don't get any referrals at all, which I would expect, and the
query works perfectly. So why does the top level query do a referral?

I have had Microsoft look at this issue and they cannot give me a reasonable
explanation as to why it does this. If I use their LDP tool to do these
queries, I don't get any referrals at all no matter how I run the query.

The other reason this is a big deal is that when the three referral
sites I listed above are queried in DNS, any one of our 12 DCs can be chosen
for the referral, because they all have this same record name in DNS, and most of
them are connected across our wide area network. This slows down the user
authentication and creates unneeded WAN traffic. The query above is directed
at a local domain controller.

So if anyone has any ideas as to why we get these referrals, I am all ears.

Thank you in advance for any assistance.
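The behaviour described in the post can be modelled offline. The example below is an added illustration, not code from the original post or from any reply: it assumes the forest root domain test.net with the naming contexts a Windows 2003 DC holds when DNS is AD-integrated (the domain head, the DomainDnsZones and ForestDnsZones application partitions, and the Configuration partition, whose referral is published under the forest DNS name test.net), and it shows why a subtree search based at the domain head on port 389 returns subordinate referrals to exactly those three hostnames while a search based at cn=users,dc=test,dc=net, or any search on the global catalog port 3268, returns none. The partition table and the helper names are constructed for this example.

```python
"""Model of AD subordinate referrals (added example, not from the original post).

A DC returns a searchResultReference for every naming context whose head lies
strictly below the search base of a subtree search on port 389. The global
catalog port (3268) exposes a single forest-wide view and sends no such
referrals. The table below is constructed to match the post's forest.
"""
from urllib.parse import unquote, urlparse

# Constructed: naming contexts held by each DC in the post's forest, mapped to
# the DNS name under which that partition is published (every DC holding the
# partition registers the same name, which is why any of the 12 DCs may answer).
NAMING_CONTEXTS = {
    "DC=test,DC=net": "test.net",
    "DC=DomainDnsZones,DC=test,DC=net": "domaindnszones.test.net",
    "DC=ForestDnsZones,DC=test,DC=net": "forestdnszones.test.net",
    "CN=Configuration,DC=test,DC=net": "test.net",
}

GC_PORT = 3268


def _rdns(dn):
    """Split a DN into normalised RDNs, leaf first. Assumes no escaped commas."""
    return [part.strip().lower() for part in dn.split(",")]


def is_proper_descendant(dn, base):
    """True when dn sits strictly below base in the directory tree."""
    d, b = _rdns(dn), _rdns(base)
    return len(d) > len(b) and d[-len(b):] == b


def subordinate_referrals(base_dn, port=389, scope="subtree"):
    """Referral URLs a DC would append to the results of a search at base_dn.

    Base-scope searches never cross a partition boundary, and the GC port
    returns no subordinate referrals, so both yield an empty list.
    """
    if port == GC_PORT or scope == "base":
        return []
    return [
        f"ldap://{host}/{nc}"
        for nc, host in NAMING_CONTEXTS.items()
        if is_proper_descendant(nc, base_dn)
    ]


def parse_referral(url):
    """Return (host, port, dn) from an LDAP URL such as ldap://host/DC=x,DC=y."""
    parts = urlparse(url)
    return parts.hostname, parts.port or 389, unquote(parts.path.lstrip("/"))


def referral_hosts(base_dn, port=389):
    """Sorted, de-duplicated hostnames a referral-chasing client would contact."""
    hosts = {parse_referral(u)[0] for u in subordinate_referrals(base_dn, port)}
    return sorted(hosts)


if __name__ == "__main__":
    for base, port in [("dc=test,dc=net", 389),
                       ("cn=users,dc=test,dc=net", 389),
                       ("dc=test,dc=net", GC_PORT)]:
        print(f"base={base} port={port}: {referral_hosts(base, port) or 'no referrals'}")
```

Two practical consequences follow from the model: narrowing the base DN below the domain head, or querying port 3268, removes the referrals at the source, and a client that does not chase referrals (the WebLogic and LDAP browser settings for that vary by product) avoids the extra DNS lookups that can land on a remote DC.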





