Share via

GC | Why am I able to see members of the child domain global groups via Global Catalog?

Orange2021 1 Reputation point
2021-06-14T04:25:00.587+00:00

Hi Experts,

I was doing some research around Global Catalog and universal/global groups and all of the online posts on this topic state that a Global Catalog can only see/retrieve information about members of universal groups, however, I built the below setup in my lab environment and I found that I am able to retrieve the members of global groups without any issues, any ideas?

Root Domain root.local

Child domain ad.root.local

When I connect via LDAP to the Root Domain on GC port (3268), I am able to fetch global groups and their members which are located in the child domain, any idea how/why this works?

Note: The LDAP query filter contains objectclass=person and the memberOf attribute for a group that is located within the child domain

Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Windows for business | Windows Server | User experience | Other

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Anonymous
    2021-06-15T06:32:58.693+00:00

    Hello @Orange2021 ,

    Thank you so much for your reply.

    I am sorry, I know nothing above Linux shell.

    Would you please check the same thing via Windows Built-in ldp.exe tool? If the result is different.

    For example:

    1.On DC in the child domain and open LDP.exe.
    105684-ldp1.png

    2.Connect to root domain DC (change port to 3268 instead of 389).
    105638-ldp2.png

    3.Bind.
    105695-ldp3.png

    4.Search something.
    105639-ldp4.png

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Was this answer helpful?

    0 comments
  2. Orange2021 1 Reputation point
    2021-06-14T11:04:33.38+00:00

    Hi @Anonymous

    Thanks, I had a look at the LDAP query and I figured this out, I was pointing my LDAP (GC port) query towards the domain controller for the root domain and this is what happened

    1 - When searching for (memberof=cn=test_global_group,cn=users,dc=ad,dc=root,dc=local) where test_global_group is a global group on the child domain, I get no results back, but this works fine for universal groups which is what I was expecting to happen

    2 - I realized that my older query contained the attribute primarygroupid which I believe is an attribute that is replicated to GC, and my global group was set as a primary group for the users which is how I managed to retrieve the members of global groups via GC

    Answers to your questions:

    1.where did you connect via LDAP? Domain Controller in the root domain or Domain Controller in the child domain or one client in the root domain or any other machine in the root domain or child domain?

    I connected to the domain controller for the root domain.

    2.How did you connect via LDAP to the Root Domain on GC port (3268)? Please provide the detailed steps with screenshot if possible.

    From Linux shell, I used the following command

    ldapsearch -H ldap://x.x.x.x:3268 -x -b 'DC=root,DC=local' -D 'username@root.local' -w 'PASSWORD' -LLL '(&(objectclass=person)(|(primarygroupid=123)(memberof=cn=test_global_group,cn=users,dc=ad,dc=root,dc=local)))' member

    3.Based on "The LDAP query filter contains objectclass=person and the memberOf attribute for a group that is located within the child domain", Please provide the detailed steps with screenshot if possible.

    I think the above command covers this as well,

    Thanks,

    Was this answer helpful?

    0 comments
  3. Anonymous
    2021-06-14T06:01:47.153+00:00

    Hello @Orange2021 ,

    Thank you for posting here.

    To better understand the question, please confirm the following information at your convenience, so that I will check it in my lab.

    Based on the description "When I connect via LDAP to the Root Domain on GC port (3268)":

    1.where did you connect via LDAP? Domain Controller in the root domain or Domain Controller in the child domain or one client in the root domain or any other machine in the root domain or child domain?

    2.How did you connect via LDAP to the Root Domain on GC port (3268)? Please provide the detailed steps with screenshot if possible.

    3.Based on "The LDAP query filter contains objectclass=person and the memberOf attribute for a group that is located within the child domain", Please provide the detailed steps with screenshot if possible.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Was this answer helpful?

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.