Resolving Names in Directory Operations

When a client requests any directory operation, the domain controller that it contacts resolves names by using its "knowledge" of the entire directory to determine whether it can complete the operation itself or whether it must refer the client to another server for part or all of the operation.

LDAP finds an object in the directory according to the path that is specified in the object's distinguished name (also known as the "DN"). Every object is stored in the directory database according to its relative distinguished name (also known as the "RDN") and its parent identifier, not according to its distinguished name. A distinguished name is a series of relative distinguished names that lead from the object's own relative distinguished name up to the relative distinguished name at the top of the distinguished name hierarchy. Therefore, if you know the relative distinguished name of an object, you can always determine the full distinguished name by following the references to the parent objects and ultimately to the root object. For example, the distinguished name of a user object might be cn=UserName,ou=OrganizationalUnit,dc=DomainName,...,dc=DomainName, where the series of relative distinguished names denoted by dc=DomainName identifies the DNS domain of the object. This portion of the distinguished name can be matched against the tree of domain names that is formed by certain attribute values stored in cn=Partitions,cn=Configuration,dc=ForestRootDomain.

Note

The objects in cn=Partitions,cn=Configuration,dc=ForestRootDomain are cross-reference objects; they contain the information that Active Directory can use to construct the directory tree hierarchy.

Because every domain controller has information about all directory partitions in the forest, splitting a distinguished name into a suffix (which identifies the relative path within the domain) and a prefix (the dc= components that identify the domain itself) is always a local operation. If the local domain controller stores a copy of the domain in question, it can verify the prefix of the distinguished name and perform the requested operation. If it does not store a copy of that domain, it returns either a referral to another server or an error message that states that the object does not exist.
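The split described above, carried out in code as an added example (not code from this documentation or from Active Directory itself): the DN is cut into RDNs, the trailing dc= components are mapped to a DNS domain name, and that name is checked against a constructed table of forest partitions to decide between a local answer, a referral, and a no-such-object error. The domain names and the partition table are assumptions made up for the example.

```python
"""Split an LDAP DN into RDNs, derive its DNS domain from the dc= parts,
and decide whether a domain controller serves it locally or refers it."""

import re

# Split on commas that are not escaped with a backslash (RFC 4514), so an
# RDN such as cn=Smith\, John survives. A full parser would also handle
# the \\ escape; that is omitted here for brevity.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def split_dn(dn):
    """Return the RDNs of a DN, most specific first, whitespace trimmed."""
    return [rdn.strip() for rdn in _RDN_SPLIT.split(dn) if rdn.strip()]


def split_prefix_suffix(dn):
    """Return (domain part, relative path). The domain part is the run of
    trailing dc= RDNs (the 'prefix' in the text above); the relative path
    is everything in front of it (the 'suffix')."""
    rdns = split_dn(dn)
    i = len(rdns)
    while i > 0 and rdns[i - 1].lower().startswith("dc="):
        i -= 1
    return ",".join(rdns[i:]), ",".join(rdns[:i])


def dns_domain(domain_part):
    """Map dc=corp,dc=example,dc=com to corp.example.com (lower-cased)."""
    return ".".join(rdn.split("=", 1)[1].strip().lower()
                    for rdn in split_dn(domain_part))


# Constructed partition knowledge: every domain this DC knows exists in the
# forest (from cn=Partitions), and the subset it holds a writable copy of.
FOREST_DOMAINS = {"example.com", "corp.example.com", "lab.example.com"}
LOCALLY_STORED = {"corp.example.com"}


def resolve(dn):
    """'local' if this DC stores the object's domain, 'referral' if another
    DC in the forest does, 'noSuchObject' if the domain is not in the forest."""
    domain_part, _relative = split_prefix_suffix(dn)
    domain = dns_domain(domain_part)
    if domain in LOCALLY_STORED:
        return "local"
    if domain in FOREST_DOMAINS:
        return "referral"
    return "noSuchObject"
```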