This article describes the functionality of the crossRef object in Active Directory. It also describes how to create crossRef objects for a Domain Name System (DNS) namespace that is subordinate to an existing Active Directory forest.
Request for Comments (RFC) 2251 defines a referral mechanism that permits a Lightweight Directory Access Protocol (LDAP) server to answer a client's search request with a referral, an LDAP URL that names another LDAP server and the distinguished name (DN) at which to continue, instead of a result set. When a domain controller (DC) is presented with a DN to start a search from, it first queries the list of crossRef objects in the configuration container (CN=Partitions) to find the best match. For a crossRef object to qualify as a potential match for a DN, the nCName attribute of the crossRef object must match the trailing components of the DN exactly; in other words, the search base must be the NC itself or lie beneath it. A substring match anywhere in the DN is not enough (DC=mydomain,DC=com does not match a search base of DC=xmydomain,DC=com). From this list of potential crossRef object matches, the object with the longest nCName attribute is selected as the best match, so a search base inside the configuration container matches the configuration NC's crossRef rather than the forest root domain's.
The configuration container automatically holds references to all naming contexts (NCs) in the forest.
- If a matching crossRef object is found and it corresponds to an NC that the domain controller holds, the search is performed locally.
- If a matching crossRef object is found and it refers to an NC that is held elsewhere, the domain controller generates a referral based on the dnsRoot attribute of the crossRef object.
- If no matching crossRef object is found, the domain controller checks whether the crossRef object for the forest root domain carries a superiorDNSRoot attribute. If it does, the domain controller generates a referral to that location. If it does not, the domain controller tries to derive a DNS name from the DN by using the DC naming convention (the DC= components become DNS labels, so OU=Sales,DC=example,DC=org yields example.org) and refers the client there.
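The matching and decision rules above, as an added worked example that is not part of the article. The crossRef list, the NCs the local DC holds, and the names corp.mydomain.com, sub.mydomain.com and example.org are constructed for the example; mydomain.com is the forest name the article uses. The code shows why the match is a suffix match rather than a substring match, why the longest nCName wins, and what the DC does in each of the three cases.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CrossRef:
    """One crossRef object from CN=Partitions,CN=Configuration,... (constructed for this example)."""
    nc_name: str                             # nCName: DN of the naming context
    dns_root: str                            # dnsRoot: DNS name of the NC, or a server FQDN
    superior_dns_root: Optional[str] = None  # superiorDNSRoot: consulted on the forest root crossRef only


def rdns(dn: str) -> list:
    """Split a DN into normalised RDNs (case-insensitive). An escaped comma (\\,) does not separate RDNs."""
    return [r.strip().lower() for r in re.split(r"(?<!\\),", dn)]


def is_equal_or_subordinate(dn: str, nc_name: str) -> bool:
    """True when nc_name forms the trailing RDNs of dn: a suffix match, not a substring match."""
    d, n = rdns(dn), rdns(nc_name)
    return len(n) <= len(d) and d[len(d) - len(n):] == n


def best_crossref(dn: str, crossrefs) -> Optional[CrossRef]:
    """Candidates are crossRefs whose nCName is a suffix of dn; the one with the longest nCName wins."""
    candidates = [c for c in crossrefs if is_equal_or_subordinate(dn, c.nc_name)]
    return max(candidates, key=lambda c: len(rdns(c.nc_name))) if candidates else None


def dn_to_dns(dn: str) -> Optional[str]:
    """DC naming convention: the trailing DC= components become DNS labels (OU=x,DC=a,DC=com -> a.com)."""
    parts = rdns(dn)
    dc = [r[3:] for r in parts if r.startswith("dc=")]
    if not dc or not all(r.startswith("dc=") for r in parts[len(parts) - len(dc):]):
        return None  # no DC components, or DC components not contiguous at the end
    return ".".join(dc)


def resolve(dn: str, crossrefs, local_ncs, forest_root_nc: str):
    """What a DC does with a search base: ('local', nc), ('referral', dns) or ('no-referral', None)."""
    match = best_crossref(dn, crossrefs)
    if match is not None:
        if any(rdns(match.nc_name) == rdns(nc) for nc in local_ncs):
            return ("local", match.nc_name)          # NC held here: search locally
        return ("referral", match.dns_root)          # NC held elsewhere: refer via dnsRoot
    root = next(c for c in crossrefs if rdns(c.nc_name) == rdns(forest_root_nc))
    if root.superior_dns_root:
        return ("referral", root.superior_dns_root)  # nothing matched: refer to the superior namespace
    guess = dn_to_dns(dn)                            # last resort: derive a DNS name from the DN
    return ("referral", guess) if guess else ("no-referral", None)


# Constructed forest "A": root domain mydomain.com with a child domain corp.mydomain.com (assumed name).
# The DC modelled here holds the root domain, configuration and schema NCs, but not the child domain.
FOREST_ROOT = "DC=mydomain,DC=com"
FOREST_A = [
    CrossRef("DC=mydomain,DC=com", "mydomain.com"),
    CrossRef("CN=Configuration,DC=mydomain,DC=com", "mydomain.com"),
    CrossRef("CN=Schema,CN=Configuration,DC=mydomain,DC=com", "mydomain.com"),
    CrossRef("DC=corp,DC=mydomain,DC=com", "corp.mydomain.com"),
]
ROOT_DC_NCS = [c.nc_name for c in FOREST_A[:3]]

# Constructed forest "B": a separate forest whose DNS name sits beneath mydomain.com (assumed name).
FOREST_B_CROSSREF = CrossRef("DC=sub,DC=mydomain,DC=com", "sub.mydomain.com")

if __name__ == "__main__":
    for base in ["OU=Users,DC=mydomain,DC=com",
                 "CN=Partitions,CN=Configuration,DC=mydomain,DC=com",
                 "OU=Sales,DC=corp,DC=mydomain,DC=com",
                 "OU=x,DC=example,DC=org"]:
        print(base, "->", resolve(base, FOREST_A, ROOT_DC_NCS, FOREST_ROOT))
    base = "CN=Users,DC=sub,DC=mydomain,DC=com"
    print("forest B without crossRef:", resolve(base, FOREST_A, ROOT_DC_NCS, FOREST_ROOT))
    print("forest B with crossRef:   ", resolve(base, FOREST_A + [FOREST_B_CROSSREF], ROOT_DC_NCS, FOREST_ROOT))
```

The last two lines of the demo are the situation the rest of the article addresses: without a crossRef for forest B, a search base under DC=sub,DC=mydomain,DC=com is claimed by forest A's own root crossRef and searched locally (where nothing is found); once the crossRef exists, its longer nCName wins and the client is referred to sub.mydomain.com.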
Active Directory generates LDAP referrals automatically. However, if a namespace exists that is subordinate in the DNS hierarchy to an existing Active Directory forest, domain controllers in the superior forest do not generate referrals to NCs in the subordinate namespace. For example, assume the following forest structure:
In this example, domain controllers in forest A do not generate referrals for any domain in forest B, because a domain controller assumes that it has full knowledge of the namespace below any NC that it holds: a search base in forest B's namespace is matched by forest A's own crossRef, the search is performed locally, and the object is simply not found. Manually created crossRef objects are required if client referrals to forest B are needed.
If the subordinate namespace uses the DC naming convention, set the nCName attribute to the DN of the NC, and set the dnsRoot attribute to the DNS name of the NC.
In this example, the following crossRef object is created in the configuration container of the Mydomain.com forest:
This object has the following attributes:
If the external NC does not use the DC naming convention, no DNS name can be derived from its DN, so the dnsRoot attribute of the crossRef object must be set to the fully qualified domain name (FQDN) of a server that hosts the NC.
To Create a Cross-Reference to an External Domain
- Start ADSI Edit.
- Expand Configuration, and then expand CN=Configuration,DC=Domain,DC=com (substitute the DN of your forest root domain).
- Right-click CN=Partitions, point to New, and then click Object.
- In the Select a class box, click crossRef, and then click Next.
- In the Value box for Attribute: cn, type a meaningful name, and then click Next.
- In the Value box for Attribute: nCName, type the DN of the external NC, and then click Next.
- In the Value box for Attribute: dnsRoot, do one of the following (as appropriate to your situation), and then click Next:
- If the subordinate namespace uses the DC naming convention, type the DNS name of the root domain of the namespace.
- If the subordinate namespace does not use the DC naming convention, type the DNS name of a server that hosts the NC.
- Click Finish.
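The same object the ADSI Edit steps create, built as an LDIF record for scripted or repeatable deployment. This is an added example, not code from the article: it derives dnsRoot from the nCName when the NC uses the DC naming convention and otherwise insists on the FQDN of a hosting server, which is exactly the choice made in the dnsRoot step above. The forest name sub.mydomain.com, the NC O=Legacy,C=US and the server ldap1.legacy.example are constructed for the example.

```python
import re
from typing import Optional


def rdns(dn: str) -> list:
    """Split a DN into normalised RDNs; an escaped comma (\\,) is not a separator."""
    return [r.strip().lower() for r in re.split(r"(?<!\\),", dn)]


def dns_name_if_dc_named(nc_name: str) -> Optional[str]:
    """If every RDN of nc_name is a DC= component, return the DNS name it maps to; otherwise None."""
    parts = rdns(nc_name)
    if not parts or not all(r.startswith("dc=") for r in parts):
        return None
    return ".".join(r[3:] for r in parts)


def crossref_ldif(cn: str, nc_name: str, forest_root_nc: str,
                  hosting_server: Optional[str] = None) -> str:
    """
    LDIF 'add' record for a crossRef object in CN=Partitions of the forest whose root domain is
    forest_root_nc. dnsRoot is derived from nc_name when the NC uses the DC naming convention;
    otherwise hosting_server (FQDN of a server that holds the NC) is required and becomes dnsRoot.
    cn is used verbatim, so pick a value that needs no LDIF or DN escaping.
    """
    dns_root = dns_name_if_dc_named(nc_name)
    if dns_root is None:
        if not hosting_server:
            raise ValueError(f"{nc_name} does not use the DC naming convention; "
                             "pass the FQDN of a server that hosts it")
        dns_root = hosting_server
    partitions = f"CN=Partitions,CN=Configuration,{forest_root_nc}"
    record = [
        f"dn: CN={cn},{partitions}",
        "changetype: add",
        "objectClass: crossRef",
        f"cn: {cn}",
        f"nCName: {nc_name}",
        f"dnsRoot: {dns_root}",
    ]
    return "\n".join(record) + "\n"


if __name__ == "__main__":
    # Constructed case 1: a separate forest sub.mydomain.com beneath the mydomain.com forest (assumed name).
    print(crossref_ldif("sub.mydomain.com", "DC=sub,DC=mydomain,DC=com", "DC=mydomain,DC=com"))
    # Constructed case 2: an NC that is not DC-named, so a hosting server must be given (assumed names).
    print(crossref_ldif("legacy", "O=Legacy,C=US", "DC=mydomain,DC=com",
                        hosting_server="ldap1.legacy.example"))
```

Save the output as a .ldf file and import it on a domain controller of the superior forest with ldifde -i -f <file>. As with the ADSI Edit steps, this writes to the forest's configuration NC, so it needs write access to CN=Partitions (by default, Enterprise Admins) and the new crossRef replicates to every domain controller in the forest.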
For more information about RFC 2251, visit the following Internet Engineering Task Force (IETF) Web site:
For more information about the crossRef object and referrals in Active Directory, visit the following Microsoft Web site: