
ldapsearch for entire AD forest

In my AD forest I have one primary domain and three child domains.

Is there any way to query the forest to search all domain controllers to check if a user is memberOf a group?

I already tried LDAP bind + search, but using this method I need to query each domain individually.

I also tried LDAP bind + search against the global catalog, but the global catalog doesn't get all the information from the child domains, especially group members.

So is there any way to search the entire forest without needing to contact each domain controller?

If it is not possible with ldapsearch, can someone guide me to the correct way?

Thanks in advance

André Bolinhas

You could try ldapsearch against the Global Catalog.

A Global Catalog server is a Domain Controller that stores Global Catalog information; its database stores rows for every object in the AD Forest instead of rows for only the objects in one AD DOMAIN.

Characteristics of Global Catalog

  • Global Catalogs are also Domain Controllers
  • Global Catalog servers store information about all objects of all domains of the entire forest.
  • Global Catalog servers do not store the complete set of attributes for these objects.
  • Global Catalog servers replicate the data with all other Global Catalogs in the forest.
  • Global Catalog function increases replication load on the server in question.
  • Global Catalog access over LDAP is done as a normal LDAP connection over TCP port 3268 (or 3269 for LDAP over SSL).
  • Global Catalog requests are Read Only.
  • Global Catalog Domain Controllers have a DNS SRV record created in DNS.

There are also several dsquery commands that might work.
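As an added example (not code from the question or the answer above), this shell snippet builds a single ldapsearch against the Global Catalog on TCP 3268 with the forest-root base DN, then checks the returned LDIF for a group DN, unfolding LDIF continuation lines on the way. The GC host, bind user, forest name, user and group names are placeholders, and GC_LDIF is a constructed sample result; since the GC holds only universal group membership across domains, a miss for a global or domain local group still has to be confirmed against the user's own domain.

```shell
# forest.example.com -> DC=forest,DC=example,DC=com
dns_to_dn() {
  printf '%s' "$1" | awk -F. '{ for (i = 1; i <= NF; i++) printf "%sDC=%s", (i > 1 ? "," : ""), $i }'
}

# Print the ldapsearch command for one forest-wide memberOf lookup.
# Port 3268 selects the GC; the forest-root base DN covers the child domains too.
gc_search_cmd() {
  printf "ldapsearch -LLL -x -H ldap://%s:3268 -D '%s' -W -b '%s' '(&(objectClass=user)(sAMAccountName=%s))' memberOf\n" \
    "$1" "$2" "$(dns_to_dn "$3")" "$4"
}

# Unfold LDIF (a line starting with a space continues the previous line)
# and print the memberOf values, one per line.
ldif_memberof() {
  awk '
    /^ / { buf = buf substr($0, 2); next }
    { if (buf != "") print buf; buf = $0 }
    END { if (buf != "") print buf }
  ' | sed -n 's/^memberOf: //p'
}

# Exit 0 if the group DN is among the user's memberOf values, 1 otherwise.
# Only universal groups are complete in the GC; re-check other group types
# against the user's own domain controller before treating a miss as final.
user_in_group() {
  printf '%s\n' "$1" | ldif_memberof | grep -Fxq -- "$2"
}

# Constructed sample, shaped like "ldapsearch -LLL" output, with one folded line.
GC_LDIF='dn: CN=Jane Doe,OU=Users,DC=child1,DC=forest,DC=example,DC=com
memberOf: CN=Universal Admins,OU=Groups,DC=forest,DC=example,DC=com
memberOf: CN=Long Group Name For Folding Test,OU=Groups,DC=child1,DC=forest,DC=exam
 ple,DC=com
'

# Stand-alone demo: the query you would run, then the check on the sample result.
gc_search_cmd gc1.forest.example.com svc@forest.example.com forest.example.com jdoe
user_in_group "$GC_LDIF" 'CN=Universal Admins,OU=Groups,DC=forest,DC=example,DC=com' && echo "jdoe is a member"
```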
