Help with ldap query referrals

  • Last Post 21 August 2018
tedosheroff posted this 16 August 2018

Hi everyone, I can't seem to get a definitive answer on this so I'll ask the group. In a single AD domain/forest, how do LDAP referrals work? Doesn't each Domain Controller (DC) have an entire copy of the directory and therefore have no need to send back a referral to an LDAP query? If the previous statement is true, why would a DC send back a referral to a client, which is what we are seeing?

The reason I'm asking is because we have some Linux hosts in AWS that use our LDAP services and they are having trouble chasing down referrals due to firewall rules. They initially contact a DC on an EC2 host in AWS via VPC peering between the VPC where the Linux hosts live and the VPC where the DC/DNS servers live. Why is the DC giving back referrals to the Linux hosts on their LDAP queries? Shouldn't the DCs have all the answers to the LDAP query since we only have one domain/forest? Or is there something going on here with the subnet database possibly not being fully updated with all the AWS subnets that we are using?

Thank you,
Ted O.

bdesmond posted this 16 August 2018

Have you looked at the search base the app is sending? Is it correct?

Brian Desmond
w – 312.625.1438 | c – 312.731.3132.

tedosheroff posted this 16 August 2018

Hi Brian,

Yes. It appears to be good. They are using the root of the directory.

barkills posted this 16 August 2018
tedosheroff posted this 17 August 2018

Hi Brian A.,

Every DC in this single domain/forest is a GC.

> [BA] …Some bind/search operations naturally fall outside the scope of the forest/domain's naming context, and an AD name suffix routing entry may result in a referral to another known directory server (a trusted domain/forest/Kerberos realm).

Thanks BA for the explanation, but I don't think I follow completely. Do you have an example of this?

I will get more details on the LDAP bind/query/base from these Linux hosts. I think they are mostly looking for group memberships and checking uids and gids on user and group objects.

Thank you,
Ted O.

barkills posted this 17 August 2018

If you ask for a userPrincipalName or a servicePrincipalName, then AD may need to issue a referral elsewhere depending on what value you ask for.

For example, if I connect to and then try to bind with user@xxxxxxxxxxxxxxxx, then will first check to see if an explicit UPN with that value is on any users in the forest. Then it will check its list of trusts for a name suffix routing for Assuming there is one, it'll issue a referral to a DC for Something similar happens for servicePrincipalName values, but those are not bind operations.

The data model for an AD group includes the possibility that the members are not all in the forest of the group. That normally shouldn't trigger a referral, but if you are trying to take action on the members, I suppose that might. How AD models that is by use of foreign service principals, a kind of shadow object that represents the object stored elsewhere, so it is a bit of a reach to imagine a referral happening in this scenario.

GuyTe posted this 21 August 2018

IIRC there was a change somewhere around W2K8R2 that changed the way referrals for app partitions (i.e. DNS app partitions) are returned for SLD domains. This broke a couple of Java apps back

Have you looked at the trace? What partitions are returned as referrals?
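The question above ("what partitions are returned as referrals?") is the one to answer before touching firewall rules, so here is an added example for triaging the answer; it is not code from the thread or from any poster. The point it illustrates: even in a single-domain forest, a subtree search rooted at the domain naming context (DC=example,DC=com) on port 389 returns search continuation references for the naming contexts that sit *beside* the domain NC rather than inside it (CN=Configuration, DC=DomainDnsZones, DC=ForestDnsZones), because those are separate partitions even though every DC holds them. A client that chases references then tries to resolve and connect to those hostnames, which is what tends to fail across VPC peering. The script parses the referral URLs (RFC 4516 form, the `# refldap://...` lines ldapsearch prints), classifies each by partition, and lists the host:port pairs a referral-chasing client would need. The forest name, DNs and the sample referral list are constructed assumptions for "example.com".

```python
"""Classify the search continuation references (LDAP referrals) an AD DC
returns, to separate intra-forest partition references from real
cross-forest referrals before changing firewall rules.

Added example, not code from the thread. Forest name, DNs and the
referral URLs below are constructed assumptions (forest "example.com").
"""
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

FOREST_ROOT_DN = "DC=example,DC=com"   # assumption

# Constructed sample: the shape of references a DC returns for a subtree
# search rooted at the domain NC (base DC=example,DC=com) on port 389.
SAMPLE_REFERRALS = [
    "ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com",
    "ldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com",
    "ldap://example.com/CN=Configuration,DC=example,DC=com",
]


@dataclass(frozen=True)
class Referral:
    url: str
    host: str
    port: int
    base_dn: str
    kind: str  # app_partition | configuration | child_domain | other


def classify_dn(base_dn: str, forest_root_dn: str = FOREST_ROOT_DN) -> str:
    """Name the naming context a referral DN points at, relative to the forest root DN."""
    first_rdn, _, parent = base_dn.partition(",")
    rdn_type, _, rdn_value = first_rdn.partition("=")
    rdn_type, rdn_value = rdn_type.strip().upper(), rdn_value.strip().lower()
    if parent.strip().lower() != forest_root_dn.lower():
        return "other"              # not directly below the forest root, e.g. a trusted forest
    if rdn_type == "DC" and rdn_value in ("domaindnszones", "forestdnszones"):
        return "app_partition"      # the DNS application partitions
    if rdn_type == "CN" and rdn_value == "configuration":
        return "configuration"
    if rdn_type == "DC":
        return "child_domain"       # a custom application partition looks identical here
    return "other"


def parse_referral(url: str) -> Referral:
    """Parse an RFC 4516 LDAP URL as carried in a searchResultReference."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url}")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    # urlsplit leaves "/<dn>" in .path and any "?attrs?scope?filter" tail in .query
    base_dn = unquote(parts.path.lstrip("/"))
    # .hostname is lower-cased by urlsplit; DNS names are case-insensitive anyway
    return Referral(url, parts.hostname, port, base_dn, classify_dn(base_dn))


def firewall_targets(urls) -> set:
    """(host, port) pairs a client that chases these references must be able to reach."""
    return {(r.host, r.port) for r in map(parse_referral, urls)}


def summarize(urls) -> dict:
    """Classify a trace's references and say whether they ever leave the forest."""
    refs = [parse_referral(u) for u in urls]
    intra = all(r.kind in ("app_partition", "configuration", "child_domain") for r in refs)
    if intra:
        advice = ("every reference is an intra-forest partition: query the GC port "
                  "(3268/3269), narrow the search base below the domain NC, or tell the "
                  "client not to chase references, rather than opening firewall holes")
    else:
        advice = "some references leave the forest: check name suffix routing on the trusts"
    return {
        "kinds": sorted({r.kind for r in refs}),
        "targets": sorted(firewall_targets(urls)),
        "all_intra_forest": intra,
        "advice": advice,
    }


if __name__ == "__main__":
    for r in map(parse_referral, SAMPLE_REFERRALS):
        print(f"{r.kind:14} {r.host}:{r.port}  {r.base_dn}")
    print(summarize(SAMPLE_REFERRALS))
```

Feed it the `refldap://` URLs from the actual trace instead of the constructed list. If everything classifies as app_partition/configuration, the fix belongs on the client side, not in the firewall: search the GC port (3268) where these subordinate references are not returned (check first that the attributes the hosts need, such as uidNumber and gidNumber, are in the partial attribute set), or point the search base at the OU the hosts actually care about, or disable chasing (OpenLDAP `REFERRALS off` in ldap.conf, SSSD `ldap_referrals = false`). A reference classified as "other" is the case barkills describes, a trusted domain or forest reached via name suffix routing, and that one really does need a reachable DC on the far side.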