I have a situation where my application queries the Global Catalog over port 3269 to fetch a DN. It always expects a unique result for each user query and throws an exception if the result contains more than one CN for the same user (if the user is part of more than one AD group). I want to avoid this situation by querying only 2 domains out of the complete set of domains in the forest. Please guide me on whether I can achieve this with any filter on the Global Catalog query, or whether it is possible to query two domains at the same time. Thanks in advance.
1 Answer
It is not possible to only include results from specific domains in the forest when you are querying the Global Catalog.
There are a few attributes that contain the domain of the account, but none of them can be used in a query. The `distinguishedName`, of course, has the domain DN in it, but AD doesn't allow you to query a partial match on `distinguishedName` (for example, `(distinguishedName=*DC=domain,DC=com)` won't work).
There are also the attributes `msDS-PrincipalName` (the `DOMAIN\username` format) and `canonicalName` (the `domain.com/Users/TheUser` format), but those are both constructed attributes, which are calculated at the time you ask for them, so they cannot be used in queries.
You can do two things:
- Query the Global Catalog, then discard the results from the domains you don't want. You can do this by examining the domain portion of `distinguishedName`, `msDS-PrincipalName`, or `canonicalName` (since the last two are constructed attributes, you have to ask for them to be returned in the search, otherwise they won't be).
- Don't use the Global Catalog. Query the two domains separately.
Option 1 will probably be faster since you're only doing one search instead of two.
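The first option above, as an added example that is not part of the original answer: take the entries a Global Catalog search returns, keep only those whose `distinguishedName` sits in an allowed domain (derived from the `DC=` components), and enforce the "exactly one result" rule afterwards. The entry dictionaries and the sample results are constructed here; a real run would populate them from the search on port 3269.

```python
"""Post-filter Global Catalog results by the domain in distinguishedName."""
import re
from typing import Dict, Iterable, List

# Splits an RFC 4514 DN on unescaped commas, so a "\," inside a CN value
# (e.g. "CN=Doe\, John") is not mistaken for an RDN boundary.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def domain_of_dn(dn: str) -> str:
    """Return the DNS domain implied by the DC= components of a DN.

    'CN=Bob,OU=Users,DC=sales,DC=example,DC=com' -> 'sales.example.com'
    """
    labels = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().lower() == "dc":
            labels.append(value.strip().lower())
    return ".".join(labels)


def filter_by_domain(entries: Iterable[Dict[str, str]],
                     allowed_domains: Iterable[str]) -> List[Dict[str, str]]:
    """Keep only entries whose distinguishedName lives in an allowed domain."""
    allowed = {d.lower() for d in allowed_domains}
    return [e for e in entries
            if domain_of_dn(e["distinguishedName"]) in allowed]


def unique_dn(entries: Iterable[Dict[str, str]],
              allowed_domains: Iterable[str]) -> str:
    """Return the single DN left after filtering, or raise LookupError."""
    kept = filter_by_domain(entries, allowed_domains)
    if len(kept) != 1:
        raise LookupError(f"expected exactly one entry, got {len(kept)}")
    return kept[0]["distinguishedName"]


# Constructed sample results, as a GC search for one sAMAccountName might
# return them across a three-domain forest (assumed names, not real data).
GC_RESULTS = [
    {"distinguishedName": "CN=John Doe,OU=Staff,DC=corp,DC=example,DC=com"},
    {"distinguishedName": "CN=John Doe,OU=Users,DC=sales,DC=example,DC=com"},
    {"distinguishedName": "CN=Doe\\, John,OU=Lab,DC=research,DC=example,DC=com"},
]

if __name__ == "__main__":
    print(unique_dn(GC_RESULTS, ["corp.example.com"]))
```

If the account exists in both of the allowed domains, `unique_dn` still raises, which is the same ambiguity the question describes and is worth surfacing rather than silently picking one.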
