I have two domain controllers configured with non-contiguous namespaces. There is a two-way forest trust and crossRef objects set up between domains. I can successfully execute an LDAP search for any particular object in either domain. However, I would like to be able to execute a single LDAP search for all User objects in both directories pointed against a single baseDN.
Is this possible?
I don't think any LDAP client tools will automatically perform the same query over two servers (unless the first server returns a referral to the second).
You could set up an LDAP proxy, using OpenLDAP's meta backend, which acts as a proxy to integrate several naming contexts from several different servers in one single tree. I have successfully used it to do just this on several Windows 2003 domains. Add the rewrite overlay and you can represent both domains under one LDAP tree.

For example, if you have several AD domains named COMPANYONE.COM and COMPANYTWO.NET, you would end up with the following LDAP tree:

Thus, you could base searches on the base DN o=all-companies, which would return entries from both servers.

Check out OpenLDAP's back-meta man page.
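The layout described in this answer as a slapd.conf fragment, added here as an example that is neither from the original answer nor from OpenLDAP's own documentation; the DC host names, proxy account DNs, schema paths and rootdn are assumptions.

```conf
# Added example (not from the original post): slapd.conf for an OpenLDAP
# back-meta proxy that presents two AD domains under one suffix.
# Host names, bind DNs and passwords are placeholders, not values from the post.

# Attribute types the proxy cannot resolve in its schema are dropped from
# results, so load (or define) the schema for the AD attributes you need.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema

moduleload      back_meta.la

database        meta
suffix          "o=all-companies"
rootdn          "cn=proxyadmin,o=all-companies"
# Placeholder; store a hashed value (slappasswd) rather than cleartext.
rootpw          CHANGEME
# AD answers with referrals for its other partitions; do not follow them.
chase-referrals no

# Target 1: COMPANYONE.COM
# The URI's naming context is the VIRTUAL DN under o=all-companies;
# suffixmassage maps that virtual DN to the real naming context on the DC.
uri             "ldap://dc1.companyone.com/dc=companyone,o=all-companies"
suffixmassage   "dc=companyone,o=all-companies" "dc=companyone,dc=com"
# AD rejects anonymous searches by default, so the proxy binds with a
# low-privilege read-only account on the client's behalf (mode=none).
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,cn=Users,dc=companyone,dc=com"
                credentials="CHANGEME"
                mode=none

# Target 2: COMPANYTWO.NET
uri             "ldap://dc1.companytwo.net/dc=companytwo,o=all-companies"
suffixmassage   "dc=companytwo,o=all-companies" "dc=companytwo,dc=net"
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,cn=Users,dc=companytwo,dc=net"
                credentials="CHANGEME"
                mode=none

# A single search against the proxy then fans out to both DCs:
#   ldapsearch -x -H ldap://proxy.example/ -b o=all-companies \
#       "(&(objectCategory=person)(objectClass=user))" sAMAccountName
```

Keep the proxy account read-only and restrict who may reach the proxy, since every client search is executed under that account's identity on both DCs.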
In my opinion, setting up OpenLDAP is probably going to be more work than you want to go through for the convenience of running one LDAP query.
I would create a VBScript / PowerShell script to take a supplied query, execute it against both domains, and return the results to you.
This would be a fairly simple script to write. If I get some time later tonight and you haven't found a suitable solution (and you're interested), I'll try to cook one up.