
So this is my configuration (simplified for the sake of simplicity):

Setup:

I have two DCs (numbered list for reference):

  1. DC=one,DC=company,DC=com
  2. DC=two,DC=company,DC=com

In each of them I have a few groups:

  1. DC=one,DC=company,DC=com
    1. one.company.com\some\folder\group1
    2. one.company.com\some\other\folder\group2
    3. one.company.com\some\different\folder\here\group3
  2. DC=two,DC=company,DC=com
    1. two.company.com\some\folder\group4
    2. two.company.com\some\other\folder\group5

Then group1 is a member of:

  • one.company.com\some\other\folder\group2
  • one.company.com\some\different\folder\here\group3
  • two.company.com\some\folder\group4

So group1 exists in the one.company.com DC and is a member of groups that exist in both DCs: one.company.com and two.company.com.

Question

I'm trying to figure out how I can query AD for group1 and get all of the groups which it is a memberOf across all the DCs?

This is the result of various LDAP calls I've tried:

  • <LDAP://DC=one,DC=company,DC=com>;(&(objectCategory=group)(objectClass=group)(name=group1));name,memberOf;subtree - returns the 2 groups in one.company.com but not the group in two.company.com
  • <LDAP://DC=company,DC=com>;(&(objectCategory=group)(objectClass=group)(name=group1));name,memberOf;subtree - error (as expected)
  • <GC://DC=company,DC=com>;(&(objectCategory=group)(objectClass=group)(name=group1));name,memberOf;subtree - returns the 1 group in two.company.com but not the groups in one.company.com (but not sure why)
  • <GC://DC=corp,DC=company,DC=com>;(&(objectCategory=group)(objectClass=group)(name=group1));name,memberOf;subtree - returns the 1 group in two.company.com but not the groups in one.company.com (but not sure why)
IMTheNachoMan
  • I'm running into the exact same issue. Were you ever able to figure this out? – Mik Nov 18 '16 at 21:35
  • I didn't. I have to make two queries -- one to each DC. – IMTheNachoMan Nov 27 '16 at 05:06
  • I have 5 domains, and 60k groups. That's a lot of queries. I discovered that the attribute "members" is replicated, while "memberOf" is not. I need to know which groups have membership that meets certain criteria, so I crafted an LDAP query to only return objects that are members of a group and meet the criteria. Unfortunately, since memberOf isn't replicated, I need to instead pull the membership of every group recursively, and compare it against the criteria manually. It's slower, but I'm getting accurate results, at least. – Mik Dec 05 '16 at 05:20
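An added example in Python, not from the question or the comments, showing the approach Mik's comment points at: query the global catalog for groups whose replicated `member` attribute names group1 (instead of reading the non-replicated `memberOf`), and resolve the nesting transitively on the client. The DNs and OU layout are constructed assumptions; the matching-rule OID is Active Directory's LDAP_MATCHING_RULE_IN_CHAIN.

```python
"""Find every group that group1 belongs to, across domains, by searching the
replicated `member` attribute rather than the non-replicated `memberOf`."""

# RFC 4515 escaping for values placed inside an LDAP search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


# Active Directory's matching rule for transitive (chained) link evaluation.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def groups_containing_filter(member_dn: str, transitive: bool = False) -> str:
    """Filter to send to a global catalog (port 3268): groups whose `member`
    attribute (part of the GC partial attribute set) names member_dn.
    With transitive=True the GC walks nested membership server-side."""
    rule = f":{LDAP_MATCHING_RULE_IN_CHAIN}:" if transitive else ""
    return f"(&(objectCategory=group)(member{rule}={ldap_filter_escape(member_dn)}))"


def resolve_member_of(gc_snapshot: dict[str, list[str]], dn: str) -> set[str]:
    """Client-side equivalent of the chained query: walk `member` links upward
    from dn, collecting every containing group; `seen` guards against cycles."""
    seen: set[str] = set()
    stack = [dn]
    while stack:
        current = stack.pop()
        for group, members in gc_snapshot.items():
            if current in members and group not in seen:
                seen.add(group)
                stack.append(group)
    return seen


# Constructed GC snapshot (DNs and OUs are made up): group DN -> member DNs.
G1 = "CN=group1,OU=folder,OU=some,DC=one,DC=company,DC=com"
G2 = "CN=group2,OU=folder,OU=other,OU=some,DC=one,DC=company,DC=com"
G3 = "CN=group3,OU=here,OU=folder,OU=different,OU=some,DC=one,DC=company,DC=com"
G4 = "CN=group4,OU=folder,OU=some,DC=two,DC=company,DC=com"
G5 = "CN=group5,OU=folder,OU=other,OU=some,DC=two,DC=company,DC=com"
GC_SNAPSHOT = {G1: [], G2: [G1], G3: [G1], G4: [G1], G5: [G4]}

if __name__ == "__main__":
    print(groups_containing_filter(G1))
    print(sorted(resolve_member_of(GC_SNAPSHOT, G1)))  # group2..group5
```

Run the generated filter with a GC base (`GC://DC=company,DC=com`) so groups from both domains are in scope; the snapshot walk is the fallback when the chained rule is too slow on large forests.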

0 Answers