Problems doing ldap query on a child domain with enterprise administrator access.
Posted on 2006-11-27
I have a problem between 2 domains. For simplicty, let's call the root domain ROOT.COM, and lets call the child of the root domain CHILD.ROOT.COM.
When I log in as ROOT\Administrator that is a part of the enterprise Administrators group to both ROOT.COM and CHILD.ROOT.COM I definitely have all the rights to all the objects in the root domain and the child domain. But, when I'm logged in as root\Administrator on the domain controller of child.root.com, and I run an application that does an ldap query of an object inside CHILD.ROOT.COM it fails.
For example: When I'm logged in as ROOT\Administrator (member of Enterprise Administrators), logged into the domain controller CHILD.DOMAIN.COM
strLDAPQuery = "<LDAP://DC=CHILD,DC=ROOT,DC=COM>;" & "(sAMAccountName=CHILD$);distinguishedName;" & "subtree"
As you can see, I'm trying to get the distinguishedName of the domain controller that I'm logged into. Why doesn't this work? When I log into the domain controller CHILD.DOMAIN.COM as CHILD/Administrator, the query works fine.
Some additional information and conditions:
-ROOT.COM is a Windows 2003 Domain running in mixed mode (and going to native is not an option, and not sure if it matters)
-I do not want to resort querying the root domain (ROOT.COM) to query objects in the child domains because of its inefficient nature, and the fact that the entire domain could have close to a million objects, and objects with identical sAMAccountNames in different domains.
-I do not want to specify a seperate username and password while making the query. I want the service to be able to make the query using its own credentials its running with.
The ultimate goal is to run a service on all domain controllers using a single service account, and this service account needs to be able to make ldap queries on all domains of this forest from the domain controller that is running this service.
I think I might have the answer already, which has something to do with changing the dsHeuristics value for each domain, but I do not like the implementation steps for it because of the number of domains we have, and the fact that it sounds like I'm opening up a bigger security hole than needed for what needs to get accomplished makes me wonder if there is a better way, or maybe I'm just overlooking something, or a better way to implement it? Thanks for your help!