Active Directory LDAP Referrals

compdigit44 asked:
We have a Windows 2012 R2 domain with 8 DCs. We have a third-party app being set up with LDAP, and it needs to know whether referrals are enabled or not in the domain. From my understanding, referrals are enabled by default in AD and cannot be disabled. Is this correct?
Michael B. Smith, Managing Consultant, commented:
No, they can't be disabled.

Author commented:
So I was correct in stating this is on by default? The purpose of referrals is to reach out to other LDAP servers to find an object if it is not present on the current server because of replication. Is this correct?
Michael B. Smith, Managing Consultant, commented:
Yes, it is on by default.

If they want to NOT receive referrals, then tell them to connect to the GC (global catalog) port, not the LDAP port.

Author commented:
Why is that?
Michael B. Smith, Managing Consultant, commented:
The global catalog contains "all" the data it can contain on every server that is marked as a global catalog. That's why it's called a "global catalog" for a forest. :-)

Therefore it knows that issuing a referral will never allow a requestor to obtain additional information. So it doesn't issue referrals.

Now, you are almost certainly thinking, "why wouldn't everything use a global catalog?"

The answer is simple - GCs don't contain all information about objects. Only certain specific selected data is stored in the GC. An object returned from the GC query may only be a few percent in size when compared to the object returned from a normal LDAP query. The QUESTION becomes - does the GC query contain the required information?

Only you/your app-vendor can answer that question.
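The practical check behind that last answer is to run the same query against the LDAP port (389) and the global catalog port (3268) and compare what comes back. The script below is an added example, not code from the thread or from any vendor; it uses the built-in System.DirectoryServices.Protocols classes with referral chasing switched off on the client so that any referrals the server returns are surfaced instead of silently followed. The host name dc01.corp.example, the base DN and the sample user DN are placeholders to replace with your own values; it assumes the DC you point it at also holds the global catalog role and that you run it with domain credentials. Even in a single-domain forest, a subtree search from the domain root on port 389 typically returns referrals to the DomainDnsZones and ForestDnsZones application partitions, while the same search on 3268 returns none; the attribute comparison then shows which attributes your app would lose by switching to the GC.

```powershell
# Added example (not from the original thread). Placeholders: dc01.corp.example,
# DC=corp,DC=example and the sample user DN. Requires domain credentials.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Search-AdWithReferralInfo {
    param(
        [Parameter(Mandatory)][string]$Server,   # host:port, e.g. dc01.corp.example:389 or :3268
        [Parameter(Mandatory)][string]$BaseDN,
        [string]$Filter = '(objectClass=*)',
        [System.DirectoryServices.Protocols.SearchScope]$Scope = 'Subtree',
        [string[]]$Attributes = @('*')
    )
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    # Do not follow referrals automatically: we want to see them in the response
    $conn.SessionOptions.ReferralChasing = [System.DirectoryServices.Protocols.ReferralChasingOptions]::None
    $conn.Bind()   # binds with the current Windows credentials (Negotiate)

    $req  = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDN, $Filter, $Scope, $Attributes)
    $resp = $conn.SendRequest($req)

    [pscustomobject]@{
        Server    = $Server
        Entries   = $resp.Entries
        # SearchResultReference objects carry the LDAP URLs the server referred us to
        Referrals = @($resp.References | ForEach-Object { $_.Reference })
    }
}

function Compare-GcAttributeCoverage {
    # Reads one object on 389 and on 3268 and reports attributes missing from the GC copy
    param([Parameter(Mandatory)][string]$DcHost, [Parameter(Mandatory)][string]$ObjectDN)

    $full = Search-AdWithReferralInfo -Server "${DcHost}:389"  -BaseDN $ObjectDN -Scope Base
    $gc   = Search-AdWithReferralInfo -Server "${DcHost}:3268" -BaseDN $ObjectDN -Scope Base

    $fullNames = @($full.Entries[0].Attributes.AttributeNames)
    $gcNames   = @($gc.Entries[0].Attributes.AttributeNames)
    $missing   = $fullNames | Where-Object { $gcNames -notcontains $_ }

    [pscustomobject]@{
        ObjectDN          = $ObjectDN
        LdapAttributes    = $fullNames.Count
        GcAttributes      = $gcNames.Count
        MissingFromGc     = $missing   # attributes your app cannot get from the GC port
    }
}

# --- usage (placeholder values) ---
$dc     = 'dc01.corp.example'
$domain = 'DC=corp,DC=example'

# 1. Same subtree search on both ports: referrals appear on 389, not on 3268
foreach ($port in 389, 3268) {
    $r = Search-AdWithReferralInfo -Server "${dc}:${port}" -BaseDN $domain -Filter '(objectClass=domainDNS)'
    "{0}: {1} entries, {2} referrals" -f $r.Server, $r.Entries.Count, $r.Referrals.Count
    $r.Referrals | ForEach-Object { "    referral -> $_" }
}

# 2. Does the GC hold everything the app needs for this object?
Compare-GcAttributeCoverage -DcHost $dc -ObjectDN 'CN=Sample User,CN=Users,DC=corp,DC=example' |
    Format-List
```

If the MissingFromGc list is empty for every attribute the application reads, pointing it at port 3268 (or 3269 for LDAPS) avoids referrals without changing anything on the domain controllers; if it is not, the app has to stay on the LDAP port and either chase the referrals itself or scope its searches to a single naming context so none are issued.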
