Platform SDK: Active Directory, ADSI, and Directory Services

Searching Domain Contents

Before discussing where to bind to begin a search for objects in domains, you need to know a little about how information is stored in Active Directory.

If you have a forest with more than one domain, Active Directory does not store all information about all objects (that is, all properties for every object) on a single domain controller — for performance, scalability, and reliability reasons. A domain controller holds all information about the domain that it is a member of (it has a full replica of the domain). But a domain controller does not hold complete information about any other domain.

So, if you bind to the domain object (with referral chasing turned off — see Referrals), you can search for any object in that domain (and only that domain). The search can retrieve any property and can use a query filter containing any property.

In a forest, domains are arranged hierarchically as domain trees. A domain tree can be just a single domain or a domain with one or more child domains. These child domains, in turn, can have child domains beneath them and so on. A domain tree is also a contiguous namespace. A contiguous namespace means that the child domains are a continuation of the naming hierarchy. For example, a domain microsoft.com (or DC=Microsoft,DC=COM) could have a child domain named mydivision (mydivision.microsoft.com or DC=mydivision,DC=Microsoft,DC=COM), which in turn could have a child domain named mydev (mydev.mydivision.microsoft.com or DC=mydev,DC=mydivision,DC=Microsoft,DC=COM).

So, if you bind to a domain object (with referral chasing turned on) for a domain within a domain tree, you will search that domain and the entire hierarchy below it. The search can retrieve any property and can use a query filter containing any property.

If a domain controller contains a full replica of only its own domain, how can you perform a subtree search on a domain tree? A domain holds references to its child domains. When a domain controller processes a subtree search request against its own domain, the domain controller searches that domain and then returns referrals to each of its child domains to the client. A referral is the way that a directory server communicates that it does not contain the information required to complete a request (such as a query) but has a reference to a server that may contain the required information. In the case of a subtree search of a domain tree, a referral is returned for each direct child domain so that the search can be continued at a domain controller in each child domain. If referral chasing is turned on, the LDAP client library (Wldap32.dll) uses those referrals to bind to a domain controller in each child domain and continue the search. If referral chasing is turned off, the LDAP client does not resolve the referrals and the search is complete. For more information, see Referral Chasing.

A subtree search on a domain tree with referral chasing turned on can be time-consuming if there is a slow connection to the domain controllers for the child domains. If you want to search only a single domain, you should turn referral chasing off to avoid having to search the child domains unnecessarily.
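The following is an added example, not part of this SDK topic, that runs the two searches contrasted above from PowerShell using the .NET System.DirectoryServices wrapper over ADSI (its ReferralChasing property corresponds to the ADS_SEARCHPREF_CHASE_REFERRALS search preference). It assumes a domain-joined machine, so RootDSE can supply the domain's distinguished name, and a caller with read access to the directory; the filter and property names are ordinary schema values, and the helper function name is made up for this example.

```powershell
# Added example: bind to the current domain object and run one subtree search twice:
# with referral chasing off (this domain only) and with subordinate referral chasing
# (this domain plus every child domain beneath it in the domain tree).
# Assumes a domain-joined machine; RootDSE supplies the domain DN, so nothing is hard-coded.
Add-Type -AssemblyName System.DirectoryServices

$rootDse   = [System.DirectoryServices.DirectoryEntry]'LDAP://RootDSE'
$domainDn  = $rootDse.Properties['defaultNamingContext'].Value
$domainObj = [System.DirectoryServices.DirectoryEntry]"LDAP://$domainDn"

function Search-DomainTree {   # hypothetical helper name for this example
    param(
        [System.DirectoryServices.DirectoryEntry] $Root,
        [string] $Filter,
        [System.DirectoryServices.ReferralChasingOption] $Chase
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($Root)
    $searcher.Filter          = $Filter
    $searcher.SearchScope     = [System.DirectoryServices.SearchScope]::Subtree
    $searcher.ReferralChasing = $Chase
    $searcher.PageSize        = 500                          # paged results for large domains
    $searcher.ServerTimeLimit = [TimeSpan]::FromSeconds(60)  # per-server search budget
    $searcher.ClientTimeout   = [TimeSpan]::FromMinutes(5)   # bounds slow links to child domains
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) { $r.Properties['distinguishedname'][0] }
    } finally {
        $results.Dispose()   # SearchResultCollection holds unmanaged resources
    }
}

# Any property may appear in the filter; this one is a hygiene check for user
# accounts with the DONT_EXPIRE_PASSWD bit (0x10000) set in userAccountControl.
$filter = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))'

$thisDomainOnly = @(Search-DomainTree -Root $domainObj -Filter $filter -Chase None)
$wholeTree      = @(Search-DomainTree -Root $domainObj -Filter $filter -Chase Subordinate)

Write-Output "Referral chasing off : $($thisDomainOnly.Count) matches in $domainDn only"
Write-Output "Subordinate chasing  : $($wholeTree.Count) matches across the domain tree"

# Group the tree-wide results by the domain-component suffix of each DN to see
# which domain (this one or a child) each object was returned from.
$wholeTree |
    Group-Object { ($_ -split ',(?=DC=)', 2)[1] } |
    Select-Object Name, Count
```

If the two counts are equal, the domain has no child domains (or the child domain controllers could not be reached before ClientTimeout), which is exactly the case where leaving referral chasing off saves the unnecessary cross-domain round trips.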