Unable to get/retrieve membership info in a cross-domain scenario

brajkishor Singh 1 Reputation point
2021-10-17T04:10:41.847+00:00

Hello
We are experiencing an issue with membership info not being retrieved in a cross-domain environment.
Let me explain more about it:
For example, user1 resides in domain A and is a member of several security groups. When we try to search for the user from domain B, we are unable to get the complete membership info of user1; I can only see that the user is a member of Domain Users.

Note: a transitive (forest-wide) trust is already set up.
All groups are created in domain A and have the type Global / Security.
The issue is with only a few users; the rest of the users residing in the same OU are fine and we can see their membership info from domain B.


2 answers

  1. Gary Reynolds 9,376 Reputation points
    2021-10-17T08:13:09.12+00:00

    Hi @brajkishor Singh

    Yes, this is expected behaviour if you are viewing the user's membership with ADUC. The membership of a user is stored in the memberOf attribute as DNs based on domain A's naming context. When domain B tries to resolve the members, it will pass the DN to domain B to be resolved. However, while you have a trust, this doesn't provide an LDAP referral, so the domain B domain controllers will not be able to resolve the DN and will return the following error:

    Error: (0x0A) A referral was returned from the server, Server Error: 0000202B: RefErr: DSID-03100838, data 0, 1 access points
        ref 1: 'w2k12.local', Ext Error: (8235) A referral was returned from the server.

    Referral: ldap://w2k12.local/DC=w2k12,dc=local

    So the membership can't be displayed. The reason why Domain Users is displayed is that this is the primary group, which is stored in the primaryGroupID attribute as a RID (part of the SID), and this can be resolved by the SID-to-name API, as it will use the trust to resolve the name.

    Gary.

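To make the mechanism in the answer above concrete, here is an added example (not code from the thread or from either poster). It takes a user object as a domain-A DC would return it, checks which naming context each memberOf DN lives in versus the naming context of the DC being asked (domain B), and rebuilds the primary group SID from objectSid plus primaryGroupID. The user, group DNs, SIDs and the two domain names are constructed values; the well-known RID table stands in for what a SID-to-name lookup over the trust would return.

```python
from typing import Dict, List

# Constructed sample data (not from the thread): user1 as a domain-A DC returns it.
# The SID, DNs and domain names are made-up values for illustration.
USER1 = {
    "distinguishedName": "CN=user1,OU=Staff,DC=domaina,DC=local",
    "objectSid": "S-1-5-21-1004336348-1177238915-682003330-1106",
    "primaryGroupID": 513,
    "memberOf": [
        "CN=App Admins,OU=Groups,DC=domaina,DC=local",
        "CN=Singh\\, Braj Admins,OU=Groups,DC=domaina,DC=local",  # escaped comma in RDN
    ],
}

# Naming context of the DC answering the query (domain B in the thread).
DOMAIN_B_NC = "DC=domainb,DC=local"

# A few well-known RIDs; stand-in for what LookupAccountSid returns over the trust.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
                   515: "Domain Computers", 516: "Domain Controllers"}


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):      # keep the escape pair intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur).strip())
    return parts


def naming_context(dn: str) -> str:
    """The DC=... tail of a DN: the domain partition the object lives in."""
    return ",".join(p for p in split_dn(dn) if p.upper().startswith("DC="))


def classify_memberof(user: Dict, local_nc: str) -> Dict[str, str]:
    """For each memberOf DN, say whether the local DC holds it or would refer elsewhere."""
    result = {}
    for dn in user["memberOf"]:
        nc = naming_context(dn)
        result[dn] = "local" if nc.lower() == local_nc.lower() else f"referral:{nc}"
    return result


def primary_group_sid(object_sid: str, primary_group_id: int) -> str:
    """primaryGroupID is a bare RID; the group SID is the user's domain SID plus that RID."""
    domain_sid = object_sid.rsplit("-", 1)[0]
    return f"{domain_sid}-{primary_group_id}"


def membership_as_seen_from(user: Dict, local_nc: str) -> Dict:
    """What a tool reading memberOf + primaryGroupID against `local_nc` can show."""
    pg_sid = primary_group_sid(user["objectSid"], user["primaryGroupID"])
    rid = int(pg_sid.rsplit("-", 1)[1])
    groups = classify_memberof(user, local_nc)
    return {
        "primary_group_sid": pg_sid,
        "primary_group_name": WELL_KNOWN_RIDS.get(rid, "<resolve via trust>"),
        "displayable": [dn for dn, v in groups.items() if v == "local"],
        "unresolved": {dn: v for dn, v in groups.items() if v != "local"},
    }


if __name__ == "__main__":
    import json
    # Asked from domain B: only the primary group resolves, every memberOf DN is a referral.
    print(json.dumps(membership_as_seen_from(USER1, DOMAIN_B_NC), indent=2))
    # Asked from domain A: every memberOf DN is local and can be displayed.
    print(json.dumps(membership_as_seen_from(USER1, "DC=domaina,DC=local"), indent=2))
```

The DN splitter honours backslash-escaped commas, so a group named "Singh, Braj Admins" is not mistaken for two RDNs; a naive `split(",")` would compute the wrong naming context for such DNs and misclassify them.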

  2. Limitless Technology 39,301 Reputation points
    2021-10-19T09:09:59.533+00:00

    Hello BrajkishorSingh,

    Thank you for your question and reaching out.

    In order to retrieve all the groups a user belongs to, you have to query one Global Catalog in each domain of the entire forest for the user's membership (the user's tokenGroups attribute will return nested groups as well), then remove duplicate groups.

    Be aware that Active Directory cannot return more than 5K values of a single attribute in one query. If a user belongs to more than 10K groups, then AD will return only the first 5K. You have to use a technique called range retrieval to query for membership in that case.

    You won't be able to search for group members in a different forest by using the memberOf property, because it's just not set when you add a user to a domain local group that belongs to another forest.

    Instead, AD creates an object of type foreignSecurityPrincipal in the domain of the group, with the target user's SID as its CN. Then the DN of that object gets added to the group's members property.


    --If the reply is helpful, please Upvote and Accept as answer--