Re: Guessing root DNs for active directory
But make sure you qualify this as a "GUESS" or swag. As mentioned in my
previous response, the machine FQDN can be disjoint from the AD Domain. This
is fully supported by Microsoft (though occasionally their own apps screw it
up like MOM/SMS). I have seen it quite a few times out in corporate America,
especially in Fortune 5/10/50 level companies.
It is usually when there is a long standing preexisting DNS implementation
and the company had good UNIX DNS people and said, we aren't changing our
whole structure just for Microsoft... Or alternately they didn't want,
understandably, to have 100,000 hosts in a single zone called something like
company.com or northamerica.company.com because of scaling or difficulty
in delegation, etc. Doesn't matter why, could even be because the sky was
grey the day they designed the DNS hierarchy, the point is that it could be
that way so be aware.
What this means from an example standpoint is that the FQDN of the machine
could be machinename.annarbor.mi.company.com but it could be a member of the
domain northamerica.company.com or even northamerica.ad or
northamerica.company.local or even subcompany.parentcompany.com... If you
know the logical layout of DNS for a given company, then of course you might
be able to make the guess a bit more scientific, but in a truly generic "you
don't know what you are starting with" environment, you have to be very
careful with this.
While I am at it, something else I have seen people get wrong when trying to
guess AD structure: you also need to be careful about guessing the
hierarchy of the forest. AD allows for multiple domain trees, so if you see
northamerica.domain.com, there is no guarantee there is a domain.com, it may
in fact be someotherdomain.com that is the forest root. I.E. A structure
that looks like
(forest root aka rootDomainNamingContext)
someotherdomain.com ---------------------------- northamerica.domain.com
         |                                                  |
execs.someotherdomain.com                       hr.northamerica.domain.com
I have seen more than one script or utility that would run against a
hr.northamerica.domain.com machine and then just assume the root of the
forest was northamerica.domain.com or even domain.com and then screw up
wildly. This can be particularly painful if you need to search the entire
directory for something. You can't specify either someotherdomain.com or
northamerica.domain.com as a base and search everything. So you need to
execute a subtree query against the GC port of a global catalog with a null
search base. Alternately, you can execute a query against the normal LDAP
port of the same type against a global catalog and specify the phantom root
server side search control.
To wrap up though... the proper way on Windows to get a bootstrap DC is to
query the DsGetDCName API. The proper way on other OSes is going to vary.
joe
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
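Joe's point that the domain and forest root have to come from the DC itself rather than from the host's DNS name, as an added example that is not from anyone in this thread: the rootDSE values are constructed for the diagram above, while the attribute names, the `_ldap._tcp` / `_gc._tcp` SRV names, port 3268 and the search-options control OID are the standard AD ones.

```python
import re

# Constructed rootDSE attributes as a DC in the hr.northamerica.domain.com tree
# of joe's diagram would publish them (sample values, not from a real DC).
SAMPLE_ROOTDSE = {
    "dnsHostName": "hrdc01.annarbor.mi.company.com",
    "defaultNamingContext": "DC=hr,DC=northamerica,DC=domain,DC=com",
    "rootDomainNamingContext": "DC=someotherdomain,DC=com",
}

# Server-side control joe mentions for forest-wide searches on the normal port:
# LDAP_SERVER_SEARCH_OPTIONS_OID with the SERVER_SEARCH_FLAG_PHANTOM_ROOT bit.
LDAP_SERVER_SEARCH_OPTIONS_OID = "1.2.840.113556.1.4.1340"
SERVER_SEARCH_FLAG_PHANTOM_ROOT = 2


def dn_to_dns(dn):
    """Convert a domain naming context (DC=a,DC=b,...) to its DNS name a.b..."""
    labels = re.findall(r"(?i)DC=([^,]+)", dn)
    if not labels:
        raise ValueError(f"not a domain naming context: {dn!r}")
    return ".".join(label.strip().lower() for label in labels)


def fqdn_guesses(fqdn):
    """The walk-up guess from the quoted post: one SRV name per parent suffix
    of the host's FQDN, using the _ldap._tcp.<domain> record DCs register."""
    labels = fqdn.lower().rstrip(".").split(".")
    return [f"_ldap._tcp.{'.'.join(labels[i:])}" for i in range(1, len(labels) - 1)]


def forest_layout(rootdse):
    """Derive domain and forest root from what the DC publishes, and check
    whether the FQDN walk-up guess would even have found the real domain."""
    domain = dn_to_dns(rootdse["defaultNamingContext"])
    forest = dn_to_dns(rootdse["rootDomainNamingContext"])
    guessed = {g[len("_ldap._tcp."):] for g in fqdn_guesses(rootdse["dnsHostName"])}
    return {
        "domain": domain,
        "forest_root": forest,
        # The global catalog SRV record hangs off the forest root, not the domain.
        "gc_srv": f"_gc._tcp.{forest}",
        # Forest-wide search, joe's first option: GC port, null base, subtree.
        "forest_search_gc": {"port": 3268, "base": "", "scope": "subtree"},
        # His second option: normal LDAP port plus the phantom-root control.
        "forest_search_ldap": {"port": 389, "scope": "subtree",
                               "control": (LDAP_SERVER_SEARCH_OPTIONS_OID,
                                           SERVER_SEARCH_FLAG_PHANTOM_ROOT)},
        # True when the host's DNS name is disjoint from its AD domain.
        "fqdn_guess_would_fail": domain not in guessed,
    }
```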
-----Original Message-----
From: bounce-ldap-5210650@...
[mailto:bounce-ldap-5210650@...] On Behalf Of Justin Dearing
Sent: Monday, October 13, 2008 12:00 PM
To: ldap@...
Subject: [ldap] Re: Guessing root DNs for active directory
On Mon, Oct 13, 2008 at 11:36 AM, Mark H. Wood <mwood@...> wrote:
> There's a DNS way to probe for LDAP (and Kerberos) services.
><snip/>
>
> That is: if the machine is named "host.baz.bar.foo.xcorp.com" you
> would try to resolve:
>
> _tcp._ldap.baz.bar.foo.xcorp.com SRV
> _tcp._ldap.bar.foo.xcorp.com SRV
> _tcp._ldap.foo.xcorp.com SRV
> _tcp._ldap.xcorp.com SRV
>
> When any SRV RRs are returned, they should point to the DCs for that
> context.
That will be quite useful. Right now I have two "guesses" as to the ldap
server. I will add this DNS resolution as another guess.