Platform SDK: Active Directory, ADSI, and Directory Services
Active Directory maintains referral information in crossRef objects stored in the partitions container (crossRefContainer) in the configuration container. Earlier in this chapter (the Where to Search section), referrals were discussed in the context of a domain within a domain tree and the generation of referrals to subordinate domains on a subtree search.
Active Directory automatically creates and maintains crossRef objects for all domains in the forest. In addition, there are crossRef objects for the configuration and schema containers. These crossRef objects are used to generate referrals in queries that request information about objects that are in the forest but not contained on the directory server handling the request. These are called internal cross references, because they refer to domains and to the schema and configuration containers within the forest itself. In the case of a subtree search, the directory server returns referrals to the subordinate domains that are direct descendants of the directory server's domain. It is up to the client to resolve the referrals by binding to the path specified by the referral and submitting a query. If referral chasing is turned on, the WLDAP32.DLL library takes care of chasing the referral. If referral chasing is turned off, the calling application receives the referral information and can then decide whether to chase the referral.
In addition to the dNSRoot (DNS name of the domain) and nCName (distinguished name of the domain's naming context) properties, the crossRef object also contains the nETBIOSName (NetBIOS name of the domain) and trustParent (distinguished name of the crossRef object representing the domain's direct parent domain) properties.
Active Directory can also have external cross references that refer to objects outside of the forest. External cross references must be added explicitly by an administrator. Note that the target server of the external cross reference must have a DNS root, that is, it must adhere to RFC 2247.
External cross references are used for the following purposes:
For example, suppose you have an object with the following distinguished name:
CN=SomeObject,OU=SomeOU,DC=Microsoft,DC=Com
You can add an external cross reference for an object with the name ChildOfSomeObject:
CN=ChildOfSomeObject,CN=SomeObject,OU=SomeOU,DC=Microsoft,DC=Com
A subtree search whose scope contains SomeObject will also return a referral to ChildOfSomeObject. Note that an LDAP server must actually exist at the address specified by the referral (one of the properties on the crossRef object) and that this LDAP server must serve the namespace identified by ChildOfSomeObject.
If referral chasing is turned on, the WLDAP32.DLL library will chase the referral by binding to the server specified by the dNSRoot property of the crossRef object and continue the search on the distinguished name specified by the nCName property or a specific object within the naming context specified by nCName. The credentials used to read the crossRef object are used to bind to the server specified by dNSRoot. Note that the search results from the referral will be returned as part of the results for the original search. This means the client application will see all the rows for both the original search and any referred searches as a single result set.
If referral chasing is turned off, the calling application receives the referral information and then it can decide whether to chase the referral. To chase the referral, the client application must submit another search request to the server, distinguished name, and query filter specified by the referral. Referrals resolved in this way will return separate result sets from the original search request.
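As an added example (not code from the SDK documentation), the decision a client with referral chasing turned off could make before following a referral: parse the referral URL, find the crossRef whose nCName covers the referred naming context, and chase only when the referral host matches that crossRef's dNSRoot and the cross reference is internal, since chasing sends the caller's credentials to whatever host the referral names. The crossRef sample and its internal/external labels are constructed by hand; only the Python standard library is used.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample of crossRef objects as a client might read them from the
# partitions container, limited to the attributes discussed in the text.
# The internal/external label is supplied by hand here (assumption: a real
# client would derive it from the crossRef object in the forest).
CROSSREFS = [
    {"nCName": "DC=Microsoft,DC=Com", "dNSRoot": "microsoft.com", "internal": True},
    {"nCName": "DC=Child,DC=Microsoft,DC=Com", "dNSRoot": "child.microsoft.com", "internal": True},
    {"nCName": "CN=ChildOfSomeObject,CN=SomeObject,OU=SomeOU,DC=Microsoft,DC=Com",
     "dNSRoot": "ldap.partner.example", "internal": False},  # external, admin-added
]

def normalize_dn(dn):
    """Case-fold and strip each RDN so DNs can be compared as strings."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_referral(url):
    """Split an LDAP referral URL (ldap://host[:port]/DN?attrs?scope?filter)
    into (host, base DN). Returns None for anything that is not an LDAP URL."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("ldap", "ldaps") or not parts.hostname:
        return None
    return parts.hostname.lower(), normalize_dn(unquote(parts.path.lstrip("/")))

def matching_crossref(base_dn):
    """Return the crossRef whose nCName is the longest suffix of base_dn,
    i.e. the naming context that actually holds the referred object."""
    best = None
    for cr in CROSSREFS:
        nc = normalize_dn(cr["nCName"])
        if base_dn == nc or base_dn.endswith("," + nc):
            if best is None or len(nc) > len(normalize_dn(best["nCName"])):
                best = cr
    return best

def referral_decision(url):
    """Return (action, reason): 'chase' only for an internal cross reference whose
    dNSRoot matches the referral host; 'review' for an external one; else 'reject'."""
    parsed = parse_referral(url)
    if parsed is None:
        return "reject", "not an LDAP URL"
    host, base_dn = parsed
    cr = matching_crossref(base_dn)
    if cr is None:
        return "reject", f"no crossRef covers {base_dn}"
    if host != cr["dNSRoot"].lower():
        return "reject", f"host {host} does not match dNSRoot {cr['dNSRoot']}"
    if not cr["internal"]:
        return "review", f"external cross reference to {cr['dNSRoot']}"
    return "chase", f"internal naming context {cr['nCName']}"
```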
Because crossRef objects are stored in the configuration container, every domain controller (DC) has a copy of all crossRef objects. Therefore, every DC contains information about every domain in the forest, including their superior/subordinate relationships. This gives every DC the ability to generate referrals to any domain in the forest, and, on a subtree search, referrals to the subordinate domain, schema, or configuration containers that the search has not yet explored.