HOW TO: Create a Cross-Reference to an External Domain in Active Directory

Request for Comment (RFC) 2251 defines a referral that makes it possible for a Lightweight Directory Access Protocol (LDAP) server to send the distinguished name (also known as DN) of another LDAP server in response to a client's search request. When a domain controller is presented with a distinguished name on which to base a search, it first looks through the list of CrossRef objects in the configuration container to find the cross-reference with the most name parts in common with the base of the search. Note that the configuration container automatically holds references to all other naming contexts in the forest.

If a CrossRef object is found that matches the search base and the cross-reference corresponds to a naming context (NC) held locally on the domain controller, the search is performed locally. If the matching CrossRef object refers to an NC held elsewhere, the domain controller generates a referral to the server that is pointed to by the CrossRef object. If no CrossRef object is found that matches the search base, the domain controller checks whether there is a superiorDNSRoot attribute on the CrossRef object for the forest root domain, and if there is, the domain controller generates a referral to that location. If there is not, it tries to use the domain controller naming convention to generate a DNS name to refer the client to.

Active Directory automatically generates LDAP referrals. However, in the case where a server hosts an NC that does not use the domain controller naming convention, a CrossRef object must be created to override the default behavior. In this case, the nCName attribute should be set to the external NC and the dNSRoot attribute should be set to the FQDN of a server that hosts that NC.

Create a Cross-Reference to an External Domain

1. Using the ADSIEdit snap-in in Microsoft Management Console (MMC), connect to the configuration naming context and locate the partitions container.
2. Create a new CrossRef object.
3. For the cn attribute, type a meaningful name (for example, the domain name).
4. For the ncName attribute, type the distinguished name for the external domain.
5. For the dnsRoot attribute, type a real Domain Name System (DNS) name for the server that hosts the naming context.

For example, if you need cross-references to generate LDAP referrals for "mydomain.msft" (assuming that mydomain.msft is external to yourdomain.msft) to the "server1.mydomain.msft" server, set the following properties for the CrossRef object:

• cn=mydomain.msft
• NcName=DC=mydomain,DC=msft
• DnsRoot=server1.mydomain.msft (this name needs to be resolved by using DNS)

Note that this method allows the Active Directory-based server to generate referrals to external domains. The client that sends the request still needs to be able to chase referrals.