How to search for users in Global Catalog within AD forest with multiple trees
Question
I have the following AD forest with two trees:
- Domain1. Has two child domains, Domain2 and Domain3.
- Domain4. Has no child domains.
DNS name of the Domain1 is domain1.local. DNS name of the Domain4 is domain4.local.
In each domain there is a domain controller with Global Catalog enabled.
I'm trying to get UserPrincipal for the user from Domain 4 by its SID. The program runs from a machine in Domain2.
I use the following code:
using System.DirectoryServices.AccountManagement;

// Running on some machine from Domain2
PrincipalContext context = new PrincipalContext(
    ContextType.Domain,
    "dc2.domain2.domain1.local:3268", // Using Global Catalog port and local domain controller
    "DC=domain1, DC=local",           // I guess the problem is here
    "domain1\\super-admin",           // User has all necessary rights across all domains
    "password");
UserPrincipal principal = UserPrincipal.FindByIdentity(context, "SID-OF-A-USER-FROM-DOMAIN-4");
In my case principal is null (the user was not found).
Searching within one tree (domain1 and its children) works fine with the code snippet above, but I have no idea how to modify the container parameter of the PrincipalContext constructor to really enable forest-wide searches.
Initially I thought that "DC=domain1, DC=local" points to the forest root, but it seems I have a misunderstanding here.
And I know that if I change the container path to "DC=domain4, DC=local" then the search will work, but only for users in domain4.
But I really need such a container path that will point to the entire forest, so I could search for users from any domain within a forest using the same PrincipalContext.
Any help is appreciated, especially if anyone could clarify if my requirements are achievable.
Accepted answer
We could not find any other solution except switching to DirectorySearcher. So it appears that the PrincipalContext class doesn't fully support searching in the whole forest.
I cannot say this solution is ideal. I guess it can be tuned for better performance. But we are really disappointed it could not be done using PrincipalContext.
Here is the rough idea of how our code works now:
...
// Namespaces the snippet depends on
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;

// Here is a list of SIDs of users we want to find (initialized somewhere above)
List<string> userSids;
// List of sample results.
List<string> loadedUsers = new List<string>();
// GC:// binds to the Global Catalog (port 3268), so one search covers every domain in the forest
using (DirectorySearcher searcher = new DirectorySearcher(new DirectoryEntry("GC://dc2.domain2.domain1.local")))
{
    StringBuilder filterStringBuilder = new StringBuilder();
    // Just create a single LDAP query for all user SIDs
    filterStringBuilder.Append("(&(objectClass=user)(|");
    foreach (string userSid in userSids)
    {
        filterStringBuilder.AppendFormat("({0}={1})", "objectSid", userSid);
    }
    filterStringBuilder.Append("))");
    searcher.PageSize = 1000; // Very important to have it here. Otherwise you'll get only 1000 at all. Please refer to DirectorySearcher documentation
    searcher.Filter = filterStringBuilder.ToString();
    // We do not want to go beyond GC
    searcher.ReferralChasing = ReferralChasingOption.None;
    searcher.PropertiesToLoad.AddRange(
        new[] { "DistinguishedName" });
    // Dispose the result collection to release the underlying ADSI handles
    using (SearchResultCollection results = searcher.FindAll())
    {
        foreach (SearchResult searchResult in results)
        {
            string distinguishedName = searchResult.Properties["DistinguishedName"][0].ToString();
            loadedUsers.Add(distinguishedName);
        }
    }
}
...
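An added example, not the asker's or answerer's code, that tightens the approach in the answer above: each SID is validated through System.Security.Principal.SecurityIdentifier and placed in the filter as RFC 4515 escaped bytes, so a malformed or untrusted string cannot change the filter's structure, and the DN returned by the Global Catalog is mapped to the domain a PrincipalContext would have to target to load that user's UserPrincipal. The sample SID is constructed; the GC host is the one from the answer.

```csharp
using System;
using System.DirectoryServices;
using System.Linq;
using System.Security.Principal;
using System.Text;

static class GcLookup
{
    // RFC 4515 escaped bytes (\01\05\00...); SecurityIdentifier rejects anything that is
    // not a well-formed SID, so caller-supplied input cannot alter the filter's structure.
    public static string SidToLdapFilterValue(string sddl)
    {
        var sid = new SecurityIdentifier(sddl);
        var raw = new byte[sid.BinaryLength];
        sid.GetBinaryForm(raw, 0);
        var sb = new StringBuilder(raw.Length * 3);
        foreach (byte b in raw) sb.Append('\\').Append(b.ToString("x2"));
        return sb.ToString();
    }

    // (&(objectClass=user)(|(objectSid=\01\05...)(objectSid=...))) covering every SID given.
    public static string BuildSidFilter(params string[] sids)
    {
        var sb = new StringBuilder("(&(objectClass=user)(|");
        foreach (string s in sids) sb.Append("(objectSid=").Append(SidToLdapFilterValue(s)).Append(')');
        return sb.Append("))").ToString();
    }

    // "CN=Bob,OU=Staff,DC=domain4,DC=local" -> "domain4.local": only DC= components are kept,
    // which is the domain name a PrincipalContext needs to resolve this user.
    public static string DomainFromDn(string dn) =>
        string.Join(".", dn.Split(',').Select(p => p.Trim())
            .Where(p => p.StartsWith("DC=", StringComparison.OrdinalIgnoreCase))
            .Select(p => p.Substring(3)));

    public static void Main()
    {
        // Constructed sample SID; the GC host below is the one used in the answer.
        string filter = BuildSidFilter("S-1-5-21-1111111111-2222222222-3333333333-1104");
        using (var gc = new DirectoryEntry("GC://dc2.domain2.domain1.local"))
        using (var searcher = new DirectorySearcher(gc, filter, new[] { "distinguishedName" }))
        {
            searcher.PageSize = 1000;                              // page past the 1000-entry limit
            searcher.ReferralChasing = ReferralChasingOption.None; // stay inside the GC partition
            using (SearchResultCollection results = searcher.FindAll())
                foreach (SearchResult r in results)
                {
                    string dn = (string)r.Properties["distinguishedName"][0];
                    Console.WriteLine($"{dn} -> domain {DomainFromDn(dn)}");
                }
        }
    }
}
```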