At work, we’re running a 2008R2 AD forest containing 5 sub-domains. now to query the LDAP can be a pity if you don’t know in which one of the overall 6 domains the queried object is located.
After months of helplessness and various (unsuccessful) experiments with meta-directories, ldap-proxies etc. we discovered that the problem is already solved. the solution is to use a different port, ActiveDirectory provides the so-called “global catalog” (containing all the information from the whole forest) on port 3268.
Assume, your username is “un321” and your account is located in the “it” subdomain of the “ads.forest.private” domain. To query for a user called “ab123” use the following ldapsearch-command:
ldapsearch -x -b “dc=ads,dc=forest,dc=private” -D ‘un321@it.ads.forest.private’ \\
-h ads.forest.private -p 3268 -W “(userPrincipalName=ab123*)”