Microsoft KB Archive/817872

= How to Create crossRef Objects for a DNS Namespace Subordinate of an Existing Active Directory Forest =

Article ID: 817872

Article Last Modified on 2/27/2007

APPLIES TO


 * Microsoft Windows Server 2003, 64-Bit Datacenter Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)


SUMMARY
This article describes the functionality of the crossRef object in Active Directory. It also describes how to create crossRef objects for a Domain Name Service (DNS) namespace that is subordinate to an existing Active Directory forest.



MORE INFORMATION
Request for Comments (RFC) 2251 defines a referral mechanism that permits a Lightweight Directory Access Protocol (LDAP) server to send the distinguished name (DN) of another LDAP server in response to a search request from a client. When a domain controller (DC) is presented with a DN to start a search from, it first queries the list of crossRef objects in the configuration container to find the best match. For a crossRef object to qualify as a potential match for a DN, the nCName attribute of the crossRef object must be an exact substring of the DN. From this list of potential crossRef object matches, the object with the longest nCName attribute is selected as the best match.

The configuration container automatically holds references to all naming contexts (NCs) in the forest.
 * If a crossRef object that matches the search criteria is found and the crossRef object corresponds to an NC that is on the domain controller, the search is performed locally.
 * If a crossRef object that matches the search criteria is found and it refers to an NC that is held elsewhere, the domain controller generates a referral based on the dnsRoot attribute of the crossRef object.
 * If a crossRef object that matches the search criteria is not found, the domain controller determines whether a superiorDNSRoot attribute exists for the crossRef object in the forest root domain. If it does exist, the domain controller generates a referral to that location. If it does not exist, the domain controller tries to use the DC naming convention to generate a DNS name for the client referral.

Active Directory automatically generates LDAP referrals. However, if a namespace exists that is subordinate in the DNS hierarchy to an existing Active Directory forest, domain controllers in the superior forest do not generate referrals to NCs in the subordinate namespace. For example, assume the following forest structure:

Forest A
 * mydomain.com (root)
 * child.mydomain.com

Forest B
 * rootb.mydomain.com (root)
 * childb.rootb.mydomain.com

In this example, domain controllers in forest A do not generate referrals for any domain in forest B because a domain controller assumes that it has full knowledge of the namespace below any NCs that it holds. CrossRef objects must be created if client referrals are required.

If the subordinate namespace uses the DC naming convention, set the nCName attribute to the DN of the NC, and set the dnsRoot attribute to the DNS name of the NC.

In this example, the following crossRef object is created in the configuration container of the mydomain.com forest:

CN=ROOTB,CN=Partitions,CN=Configuration,DC=mydomain,DC=com

This object has the following attributes:
 * '''nCName:''' DC=rootb,DC=mydomain,DC=com
 * '''dnsRoot:''' rootb.mydomain.com

If the external NC does not use the DC naming convention, the dnsRoot attribute of the crossRef object must be set to the fully qualified domain name (FQDN) of a server that hosts the NC.
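The following Python model is an added illustration, not Microsoft code, of the referral rules described above (longest matching nCName wins; local NC, dnsRoot referral, superiorDNSRoot, then the DC naming convention) and of what changes once the ROOTB crossRef from the example is added. The crossRef list, the set of locally held NCs and the CrossRef class are constructed for the example; the suffix check on RDN boundaries is an assumption about how "exact substring" is applied.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class CrossRef:
    """Constructed model of a crossRef object under CN=Partitions,CN=Configuration."""
    ncname: str                              # nCName: DN of the naming context (NC)
    dnsroot: str                             # dnsRoot: DNS name used to build referrals
    superior_dnsroot: Optional[str] = None   # superiorDNSRoot: forest-root crossRef only

def dn_parts(dn):
    """Split a DN into normalised RDNs (escaped commas are not modelled here)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def nc_covers(ncname, dn):
    """nCName qualifies when it is a suffix of the DN on whole-RDN boundaries.
    The article says 'exact substring'; checking boundaries stops
    DC=mydomain,DC=com from claiming DC=notmydomain,DC=com."""
    nc, target = dn_parts(ncname), dn_parts(dn)
    return len(nc) <= len(target) and target[-len(nc):] == nc

def resolve(dn, crossrefs, local_ncs):
    """Return 'local:<NC>' or 'referral:<dnsname>' following the article's three rules."""
    matches = [c for c in crossrefs if nc_covers(c.ncname, dn)]
    if matches:
        best = max(matches, key=lambda c: len(dn_parts(c.ncname)))  # longest nCName wins
        if best.ncname.lower() in {nc.lower() for nc in local_ncs}:
            return "local:" + best.ncname
        return "referral:" + best.dnsroot
    root = next((c for c in crossrefs if c.superior_dnsroot), None)
    if root is not None:
        return "referral:" + root.superior_dnsroot
    # No crossRef and no superiorDNSRoot: build a DNS name from the DC= components.
    return "referral:" + ".".join(p[3:] for p in dn_parts(dn) if p.startswith("dc="))

# Constructed forest A from the article; this DC holds only the root domain NC.
FOREST_A = [CrossRef("DC=mydomain,DC=com", "mydomain.com"),
            CrossRef("DC=child,DC=mydomain,DC=com", "child.mydomain.com")]
LOCAL_NCS = {"DC=mydomain,DC=com"}
# The crossRef the article has you add for forest B's root domain.
ROOTB = CrossRef("DC=rootb,DC=mydomain,DC=com", "rootb.mydomain.com")

def demo(dn="CN=Users,DC=childb,DC=rootb,DC=mydomain,DC=com"):
    """Without the crossRef the search is answered locally (no referral); with it, it is referred."""
    return {"before": resolve(dn, FOREST_A, LOCAL_NCS),
            "after": resolve(dn, FOREST_A + [ROOTB], LOCAL_NCS)}
```

Before the ROOTB crossRef exists, a search rooted in forest B falls under the local DC=mydomain,DC=com match and is answered locally with no referral, which is exactly the gap the article describes.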

To Create a Cross-Reference to an External Domain

 1. Start ADSI Edit.
 2. Expand Configuration, expand CN=Configuration, and then expand DC=, DC=com.
 3. Right-click CN=Partitions, point to New, and then click Object.
 4. In the Select a class box, click crossRef, and then click Next.
 5. In the Value box for Attribute: cn, type a meaningful name, and then click Next.
 6. In the Value box for Attribute: nCName, type the DN for the external domain, and then click Next.
 7. In the Value box for Attribute: dnsRoot, do one of the following (as appropriate to your situation), and then click Next:
    * If the subordinate namespace uses the DC naming convention, type the DNS name of the root domain of the namespace.
    * If the subordinate namespace does not use the DC naming convention, type the DNS name of a server that hosts the NC.
 8. Click Finish.

