Directory Services

Referrals

Active Directory maintains referral data in crossRef objects stored in the partitions container (crossRefContainer) in the configuration container. In the Deciding Where to Search topic, referrals are discussed in the context of a domain within a domain tree and the generation of referrals to subordinate domains on a subtree search.

Active Directory creates and maintains crossRef objects for all domains in the forest. In addition, there are crossRef objects for the configuration and schema containers. These crossRef objects are used to generate referrals in response to queries that request data about objects that exist in the forest, but not contained on the directory server handling the request. These are called internal cross references, because they refer to domains, schema, and configuration containers within the forest.

If referral chasing is not enabled and a subtree search is performed, the search will return all objects within the specified domain that meet the search criteria. The search will also return referrals to any subordinate domains that are direct descendants of the directory server domain. The client must resolve the referrals by binding to the path specified by the referral and submitting another query.

If referral chasing is turned on and a subtree search is performed, the underlying LDAP API will automatically bind to any referrals and add the search results to the result set. This causes the referral chasing to be transparent to the caller.

For more information about setting the referral chasing search preference, see Specifying Other Search Options.

In addition to the dnsRoot (DNS name of the domain) and nCName (distinguished name for the domain) properties, the crossRef object also contains the nETBIOSName (NetBIOS name of the domain) and trustParent (distinguished name for the crossRef object representing the domain's direct parent domain) properties.

Active Directory can also have external cross references that refer to objects outside of the forest. External cross references must be added explicitly by an administrator. Be aware that the target server of the external cross reference must have a DNS root; that is, it must adhere to RFC 2247.

To refer to a name that is unique to any name in the forest, the name can refer to another LDAP server on a network or on the Internet. For example, LDAP client applications used by your company may submit operations to your directory servers for Fabrikam.com. You create a crossRef object for Fabrikam.com. Now, instead of returning an object not found error, your directory servers can return a referral to Fabrikam.com and the clients can chase the referral. For example, if you have an object with the following distinguished name.

CN=SomeObject,OU=SomeOU,DC=Fabrikam,DC=Com
You can add an external cross reference for an object with the name ChildOfSomeObject.
CN=ChildOfSomeObject,CN=SomeObject,OU=SomeOU,DC=Fabrikam,DC=Com

A subtree search that contains SomeObject will also return a referral to ChildOfSomeObject. Be aware that there exists an LDAP server at the address specified by the referral (one of the properties on the crossRef object) and that this LDAP server serves the namespace identified by ChildOfSomeObject.

Because crossRef objects are stored in the configuration container, each domain controller (DC) has a copy of all crossRef objects. Therefore, every DC contains data about every domain in the forest as well as their superior/subordinate relationships. This enables each DC to generate referrals to any domain in the forest and referrals for unexplored subordinate domain, schema, or configuration containers on a subtree search.

For more information about referrals, see the following topics:

For more information and a code example that shows how to obtain the distinguished name of the partitions container, see Example Code for Locating the Partitions Container.