LDAP query to GC for group members returns nothing for remote Groups

[Moses M]

The "member" AD attribute is supposed to be replicated to GCs. When I query
a GC via LDAP port 3268, I cannot get the list of group members for groups
in remote domains. Am I missing something here? Because of low bandwidth, I
don't want to directly query GCs/DCs in remote domains, or use LDAP
referrals.

Thanks for any input.

-- Moses

 

[Herb Martin]

The "member" AD attribute is supposed to be replicated to GCs. When I query
a GC via LDAP port 3268, I cannot get the list of group members for groups
in remote domains. Am I missing something here? Because of low bandwidth, I
don't want to directly query GCs/DCs in remote domains, or use LDAP
referrals.

I could be wrong because I am basing it on simple
facts by extrapolation (not tested): GCs explicitly
hold Universal group membership for the entire
forest, but not domain local or global groups.

You would (likely) need to get those from the
domain partition.

 

[Moses M]

I was working on the assumption that all attributes that are flagged for
replication to the GC would be available on any GC for relevant objects.
Appears not so. Thanks for the input!
-- Moses

 

[Herb Martin]

I think the rule is that items which the GC would store
in it's Domain partition are not physically int it's
GC partition (but remember I am working by
extrapolation.)

 

[Joe Richards [MVP]]

The member attribute of groups is handled specially. Only Universal group member
attribute is actually replicated from GC to GC. You can query a GC of a specific
domain and get memberships of all groups of that one domain though...

Yes, it makes no sense. I agree.