Cross Domain Authentication Issue

Guest

Kinda complicated question for those who would like to show off their chops...

Background:
4 Domains of Windows 2003 DCs in a forest running in Windows 2000 native.
All domains are running Windows 2000 native. 1 root domain, 1 child domain
and 2 grandchild domains. There is an application making LDAP queries of
each domain in the context of an account I'll call LDAPAcct that lives in the
child domain without using the fully qualified name of the account. The
application will not accept the FQDN of the account when making the LDAP
query.

Issue:
When the application runs the LDAP query against either grandchild domain
the grandchild DC doesn't find the account in the local domain DB, so it
prepends another domain name to the username in the request and sends it to
that domain for authentication. The issue is that one grandchild domain
prepends the root domain name (rootdomain\LDAPAcct) and the other grandchild
domain prepends the correct child domain name (childdomain\LDAPAcct). Since
the account lives in the child domain, when the root domain is prepended the
query fails.

Question:
Is there anyone who understands the mechanism that a DC will use in a
situation like this when referring an unqualified account name to another
domain for authentication? If so can you give me some guidance?

Thanks for any insight
Mark
 
Guest

Mark

Split your zones over DNS servers, i.e. have secondary zones on the child
domain DNS server for your grandchild domains, and update your suffixes to
include the grandchild zones. That will do the trick :)
 
