How to search for users in Global Catalog within AD forest with multiple trees

Problem description

I have the following AD forest with two trees:

  1. Domain1. It has two child domains, Domain2 and Domain3.
  2. Domain4. It has no child domains.

DNS name of the Domain1 is domain1.local. DNS name of the Domain4 is domain4.local.

In each domain there is a domain controller with Global Catalog enabled.

I'm trying to get UserPrincipal for the user from Domain 4 by its SID. The program runs from a machine in Domain2.

I am using the following code:

using System.DirectoryServices.AccountManagement;

// Running on some machine from Domain2
PrincipalContext context = new PrincipalContext(
    ContextType.Domain,
    "dc2.domain2.domain1.local:3268", // Using Global Catalog port and local domain controller
    "DC=domain1, DC=local", // I guess the problem is here
    @"domain1\super-admin", // User has all necessary rights across all domains (verbatim string so the backslash is not treated as an escape)
    "password");

UserPrincipal principal = UserPrincipal.FindByIdentity(context, "SID-OF-A-USER-FROM-DOMAIN-4");

In my case principal is null (the user was not found).

Searching within one tree (domain1 and its children) works fine with the code snippet above, but I have no idea how to modify the container parameter of the PrincipalContext constructor to really enable forest-wide searches.

Initially I thought that "DC=domain1, DC=local" points to the forest root, but it seems I have misunderstanding here.

And I know that if I change the container path to "DC=domain4, DC=local" then the search will work, but only for users in domain4.

But I really need such a container path that will point to the entire forest, so I could search for users from any domain within a forest using the same PrincipalContext.

Any help is appreciated, especially if anyone could clarify if my requirements are achievable.

Recommended answer

We could not find any other solution except switching to DirectorySearcher. So it appears that PrincipalContext class doesn't fully support searching in the whole forest.

I cannot say this solution is ideal. I guess it can be tuned for better performance. But we are really disappointed it could not be done using PrincipalContext.

Here is the rough idea how our code works now:

...

using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;

// Here is a list of SIDs of users we want to find (initialized somewhere above)
List<string> userSids;

// List of sample results.
List<string> loadedUsers = new List<string>();

using (DirectorySearcher searcher = new DirectorySearcher(new DirectoryEntry("GC://dc2.domain2.domain1.local")))
{
    StringBuilder filterStringBuilder = new StringBuilder();

    // Just create a single LDAP query for all user SIDs
    filterStringBuilder.Append("(&(objectClass=user)(|");
    foreach (string userSid in userSids)
    {
        filterStringBuilder.AppendFormat("({0}={1})", "objectSid", userSid);
    }

    filterStringBuilder.Append("))");

    searcher.PageSize = 1000; // Very important to have it here. Otherwise you'll get only 1000 at all. Please refer to DirectorySearcher documentation

    searcher.Filter = filterStringBuilder.ToString();

    // We do not want to go beyond GC
    searcher.ReferralChasing = ReferralChasingOption.None;

    searcher.PropertiesToLoad.AddRange(
        new[] { "DistinguishedName" });

    // SearchResultCollection holds unmanaged resources, so dispose it when done
    using (SearchResultCollection results = searcher.FindAll())
    {
        foreach (SearchResult searchResult in results)
        {
            string distinguishedName = searchResult.Properties["DistinguishedName"][0].ToString();
            loadedUsers.Add(distinguishedName);
        }
    }
}

...
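Added example (not the answer's code and not part of the original post) showing the same forest-wide Global Catalog search, but with each SID parsed and emitted in its escaped binary form so a malformed SID string raises an exception instead of altering the LDAP filter, and with the GC root (no container DN) used explicitly. It assumes a domain-joined Windows machine with System.DirectoryServices available; the GC host name and SID strings passed to it are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

static class GcSidLookup
{
    // Build one LDAP filter matching any of the given SIDs. Each SID string is
    // parsed into its binary form and emitted as RFC 4515 "\xx" escapes, so a
    // malformed or untrusted string throws instead of changing the filter structure.
    public static string BuildFilter(IEnumerable<string> sidStrings)
    {
        var sb = new StringBuilder("(&(objectClass=user)(|");
        foreach (string sidString in sidStrings)
        {
            var sid = new SecurityIdentifier(sidString);   // ArgumentException on bad input
            var bytes = new byte[sid.BinaryLength];
            sid.GetBinaryForm(bytes, 0);
            sb.Append("(objectSid=");
            foreach (byte b in bytes) sb.AppendFormat("\\{0:x2}", b);
            sb.Append(')');
        }
        return sb.Append("))").ToString();
    }

    // Query the Global Catalog root (no container DN, i.e. the whole forest) and
    // return a map of SID string -> distinguishedName for every user found.
    public static Dictionary<string, string> FindBySid(string gcHost, IEnumerable<string> sidStrings)
    {
        var found = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        string[] attrs = { "objectSid", "distinguishedName" };
        using (var root = new DirectoryEntry("GC://" + gcHost))   // placeholder host supplied by caller
        using (var searcher = new DirectorySearcher(root, BuildFilter(sidStrings), attrs))
        {
            searcher.PageSize = 1000;                                // paged results, no 1000-entry cap
            searcher.ReferralChasing = ReferralChasingOption.None;   // stay on the GC, never chase referrals
            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult r in results)
                {
                    var sid = new SecurityIdentifier((byte[])r.Properties["objectSid"][0], 0);
                    found[sid.Value] = (string)r.Properties["distinguishedName"][0];
                }
            }
        }
        return found;
    }
}
```

Call `GcSidLookup.FindBySid` with the GC host name and the SID strings to resolve; because the Global Catalog only replicates the partial attribute set, any attribute not returned here must be read by binding `LDAP://<distinguishedName>` in the user's own domain.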
