The SearchResultReference message is pretty clearly in RFC 4511 section 4.5.3 (https://www.rfc-editor.org/rfc/rfc4511#section-4.5.3) but I am wondering about more specific details of why AD seems to always return three SearchResultReferences with every LDAP search.

You can see this with a normal OpenLDAP client ldapsearch on anything in AD. You will notice you see the normal results returned with three lines beginning with "# refldap://". Assuming your AD domain is "corp.ad.com", and you do a search to a server named "server1.corp.ad.com", you will see the following searchResultReferences in the return message:

# refldap://DomainDnsZones.ad.corp.com/DC=DomainDnsZones,dc=ad,dc=corp,DC=com

# refldap://ForestDnsZones.ad.corp.com/DC=ForestDnsZones,dc=ad,dc=corp,DC=com

# refldap://ad.corp.com/CN=Configuration,dc=ad,dc=corp,DC=com

I can guess that these references are useful for AD but in what way? By what mechanism? For what specific purposes? Can anyone provide an example of how they would be useful or necessary?

Chris Paul
  • I think the reason is, roughly, that they are other places to look for stuff in AD, though it would be helpful to know more details if anyone knows, or knows some pointers. – Chris Paul Dec 31 '19 at 00:13

0 Answers