Solved

Problems doing ldap query on a child domain with enterprise administrator access.

Posted on 2006-11-27
2
2,127 Views
Last Modified: 2008-01-09
I have a problem between 2 domains.  For simplicty, let's call the root domain ROOT.COM, and lets call the child of the root domain CHILD.ROOT.COM.

When I log in as ROOT\Administrator that is a part of the enterprise Administrators group to both ROOT.COM and CHILD.ROOT.COM I definitely have all the rights to all the objects in the root domain and the child domain.  But, when I'm logged in as root\Administrator on the domain controller of child.root.com, and I run an application that does an ldap query of an object inside CHILD.ROOT.COM it fails.

For example: When I'm logged in as ROOT\Administrator (member of Enterprise Administrators), logged into the domain controller CHILD.DOMAIN.COM

        strLDAPQuery = "<LDAP://DC=CHILD,DC=ROOT,DC=COM>;" & "(sAMAccountName=CHILD$);distinguishedName;" & "subtree"

As you can see, I'm trying to get the distinguishedName of the domain controller that I'm logged into.  Why doesn't this work?  When I log into the domain controller CHILD.DOMAIN.COM as CHILD/Administrator, the query works fine.

Some additional information and conditions:
-ROOT.COM is a Windows 2003 Domain running in mixed mode (and going to native is not an option, and not sure if it matters)
-I do not want to resort querying the root domain (ROOT.COM) to query objects in the child domains because of its inefficient nature, and the fact that the entire domain could have close to a million objects, and objects with identical sAMAccountNames in different domains.
-I do not want to specify a seperate username and password while making the query.  I want the service to be able to make the query using its own credentials its running with.

The ultimate goal is to run a service on all domain controllers using a single service account, and this service account needs to be able to make ldap queries on all domains of this forest from the domain controller that is running this service.

I think I might have the answer already, which has something to do with changing the dsHeuristics value for each domain, but I do not like the implementation steps for it because of the number of domains we have, and the fact that it sounds like I'm opening up a bigger security hole than needed for what needs to get accomplished makes me wonder if there is a better way, or maybe I'm just overlooking something, or a better way to implement it?  Thanks for your help!
0
Comment
Question by:LFMIKE
2 Comments
 
LVL 51

Accepted Solution

by:
Netman66 earned 500 total points
ID: 18024058
Is the zone _msdcs.domain.com AND _msdcs.child.domain.com on the Child's DNS server?

Are those zones at the top level with the child.domain.com zone?

Does that query run from ADUC Saved Queries?

0
 

Author Comment

by:LFMIKE
ID: 18025162
Netman66,
The Child does not have a DNS server. Maybe that would have helped the problem, but I found a solution that doesn't require any changes to the dns.

Just want to share the solution with people that find this that might be interested.  I personally wasn't aware, but if you run a ldap getrootdse and get defaultnamingcontext, you are not getting the defaultnamingcontext of the domain controller you're logged onto, you are getting the defaultnamingcontext of the user you're logged on as.  with or without the dns server, (i have to mention i have not done any tests outside of what is stated) it looks like you can query any parent or child domain from at least the domain controller, logged in as any domain administrator to any domain in the tree.  but you must specify the right domain name, and then the right base string.

For example: logged in as ROOT\Administrator or CHILD\Administrator
These were successful
<LDAP:\\root.com\dc=root,dc=com>
<LDAP:\\child.root.com\dc=child,dc=root,dc=com>
You can also specify FQDN of the server to hit a specific server for the query.

These were NOT successful
<LDAP:\\root.com\dc=child,dc=root,dc=com>
<LDAP:\\child.root.com\dc=root,dc=com>

Here is the interesting part
<LDAP:\\dc=child,dc=root,dc=com> did not work while logged in as ROOT\Administrator on the CHILD.ROOT.COM domain controller, but it worked while logged in as CHILD\Administrator.

The bottom line, always specify the fqdn of the domain or domain controller you're querying, and make sure your base DN corresponds to the domain the domain controller is running.
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cannot uninstall a windows update on server 2003 4 68
Window 2003 R2 unable to allocate a relative identifier 16 37
Event ID: 1202 / Source: SceCli 6 84
DHCP server 6 47
So you have two Windows Servers and you have a directory/folder/files on one that you'd like to mirror to the other?  You don't really want to deal with DFS or a 3rd party solution like Doubletake. You can use Robocopy from the Windows Server 200…
Many of us need to configure DHCP server(s) in their environment. We can do that simply via DHCP console on server or using MMC snap-in on each computer with Administrative Tools installed in a network. But what if we have to configure many DHCP ser…
A company’s greatest vulnerability is their email. CEO fraud, ransomware and spear phishing attacks are the no1 threat to a company’s security. Cybercrime is responsible for the largest loss of money to companies today with losses projected to r…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now