Ldap 多个域的查询
[英]Ldap queries with multiple domains
问题描述
I have question about LDAP queries and DC in general (in Microsoft AD):
我对 LDAP 查询和一般 DC 有疑问(在 Microsoft AD 中):
- Does a DC can contain only one domain?一个 DC 是否只能包含一个域? or sub domain can be also on it?或子域名也可以吗?
- Does sub-domain reside in a separate DC?子域是否位于单独的 DC 中?
- if i want to get data from multiple domain/sub domains what are the ways to get all user, groups and relationship between them using LDAP queries (not using GC and without referrals)?如果我想从多个域/子域获取数据,使用 LDAP 查询(不使用 GC 且不使用推荐)获取所有用户、组和它们之间的关系的方法是什么? is the only way to do a separate LDAP query to every DC?是对每个 DC 进行单独的 LDAP 查询的唯一方法吗?
Thanks谢谢
waiting for your help等待你的帮助
1 个解决方案
解决方案1
0 2023-01-25 14:35:05
Domain controllers are in charge of a single domain and holds information only about this single domain.域控制器负责单个域并仅保存有关该单个域的信息。 Global Catalogs hold information about selected attributes of users and groups of all the forest (master domain and all its subdomains), so the easiest way is to run the query against a GC.全局目录包含有关所有林(主域及其所有子域)的用户和组的选定属性的信息,因此最简单的方法是针对 GC 运行查询。 Those never respond with referrals.那些从不回应推荐。
Every single domain controller can be configured to be a Global Catalog if needed.如果需要,每个域 controller 都可以配置为全局目录。 GC endpoint runs on port 3268 for LDAP and 3269 for LDAPS, so chances are that executing your regular LDAP(S) query against GC ports will result in what you wish. GC 端点在 LDAP 的端口 3268 和 LDAPS 的 3269 端口上运行,因此对 GC 端口执行常规 LDAP(S) 查询很可能会得到您想要的结果。 You can get the list of all GCs in the forest by querying DNS for SRV records, ie nslookup -type=SRV _gc._tcp.<forest name> .您可以通过查询 DNS 的 SRV 记录来获取森林中所有 GC 的列表,即nslookup -type=SRV _gc._tcp.<forest name> 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.