So I am a little disappointed at the turnout of responses to the previous “So you think you know AD?” post.
Only M@ was willing to step up and post a public comment, and I received about 11 offline responses all saying about the same thing: basically not possible unless some network trickery is involved.
Well folks… it is possible, and not through any special network tricks; it is well within the power of Active Directory to do it. Well, Windows Server 2003 AD and ADAM, which is why I specifically mentioned a Windows Server 2003 Domain Controller.
In Windows Server 2003 AD (and ADAM) Microsoft exposed a new option value for the LDAP_SERVER_SEARCH_OPTIONS_OID control called SERVER_SEARCH_FLAG_PHANTOM_ROOT, aka Phantom Root. The description of this option is:
Instructs the server to search all NCs that are subordinate to the search base. This will cause the search to be executed over all NCs held on the DC that are subordinate to the search base. This also enables search bases like dc=com, which would cause the server to search all of the NCs that it holds.
So if you submit this control with your query, you can use a null search base, or any search base you choose (say DC=NET), against the LDAP port. This is the same functionality you get by default when you send the query to the GC port. It is also the mechanism you can use to “fake” GC functionality within an ADAM instance that has multiple application NCs, as mentioned in the ADAM chapter of my book.
So how do you use this? AdFind lets you submit the control with the -PR switch, but obviously any program that uses the LDAP API directly (instead of, say, ADSI) can also take advantage of it by submitting the proper control.
This can be useful when working in environments that are “filtered”, or if you want to reduce the number of connections your program opens to a given DC. For instance, if the new program I am working on detects that the server it is connected to is a GC running Windows Server 2003 or better, it simply uses the connection that is already open instead of opening another connection to the GC port and then managing both.
joe
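As an added example (not joe's code and not AdFind's), here is the control that the -PR switch sends, built by hand in Python so it runs offline with no LDAP library. Per MS-ADTS the control value is the BER encoding of SEQUENCE { flags INTEGER }, the OID is 1.2.840.113556.1.4.1340 and the Phantom Root flag is 0x2; the (oid, criticality, value) triple is the shape I assume ldap3's Connection.search(controls=...) accepts, and no server connection is made here.

```python
"""Build the LDAP_SERVER_SEARCH_OPTIONS_OID request control value by hand.

The value is BER: SEQUENCE { flags INTEGER }.  SERVER_SEARCH_FLAG_PHANTOM_ROOT
makes a DC search every NC it holds beneath the search base over plain LDAP
(port 389), which is what the post describes.  No LDAP library is needed.
"""
from typing import Tuple

LDAP_SERVER_SEARCH_OPTIONS_OID = "1.2.840.113556.1.4.1340"
SERVER_SEARCH_FLAG_DOMAIN_SCOPE = 0x1   # do not generate referrals
SERVER_SEARCH_FLAG_PHANTOM_ROOT = 0x2   # search all NCs under the base


def _ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_int(value: int) -> bytes:
    """BER INTEGER (tag 0x02) with minimal two's-complement content octets."""
    if value < 0:
        raise ValueError("flags are non-negative")
    # +8 instead of +7 reserves a leading 0x00 when the top bit is set
    length = max(1, (value.bit_length() + 8) // 8)
    content = value.to_bytes(length, "big", signed=True)
    return b"\x02" + _ber_len(len(content)) + content


def search_options_value(flags: int) -> bytes:
    """BER SEQUENCE (tag 0x30) wrapping the flags INTEGER."""
    inner = _ber_int(flags)
    return b"\x30" + _ber_len(len(inner)) + inner


def phantom_root_control(critical: bool = True) -> Tuple[str, bool, bytes]:
    """(oid, criticality, value) triple; assumed to match ldap3's controls= shape."""
    return (LDAP_SERVER_SEARCH_OPTIONS_OID, critical,
            search_options_value(SERVER_SEARCH_FLAG_PHANTOM_ROOT))


def decode_search_options_value(raw: bytes) -> int:
    """Parse SEQUENCE { INTEGER } back to flags (short-form lengths only)."""
    if len(raw) < 5 or raw[0] != 0x30 or raw[1] != len(raw) - 2 or raw[2] != 0x02:
        raise ValueError("not a SearchOptionsRequestValue")
    n = raw[3]
    if n == 0 or len(raw) != 4 + n:
        raise ValueError("bad INTEGER length")
    return int.from_bytes(raw[4:4 + n], "big", signed=True)
```

The Phantom Root value encodes to the five bytes 30 03 02 01 02, which is what you will see on the wire (or in a capture) when AdFind is run with -PR.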
Is that the type of question you would ask in an interview? I’d hate to be in that interview 🙂
Asking side questions about APIs is unfair interview material. Anyone who knows an API well can find nuances of said API that others do not know.
Yep, I agree with Eric here, you don’t generally want to dive into that type of detail unless of course someone is trying to tell you that they absolutely know everything about everything in Active Directory, and then swing away, because you will find all sorts of things the person doesn’t know. But then I have only had one bonehead who was willing to say they knew everything about AD.
If I have to interview someone, the questions will usually be quite generic and not specific to AD. I am more interested in general thought process than specific technical details that can be read.
Joe:
I am constantly surprised by how deep the rabbit hole goes with Active Directory. I really have to knuckle down and read your book! 🙂