Zefferno

Reputation: 85

Cross forest LDAP query with one way trust

I have two forests of Active Directories: Forest A trusts Forest B (one way trust). Clients on forest A cannot talk directly to domain controllers on forest B since there is a firewall between them. Domain controllers in forests A and B are able to talk to each other (assume on all possible ports).

I want a client in forest A to be able to do a cross forest LDAP query on forest B, through a forest A Domain Controller. By using crossRef, it looks like the client needs direct access to the LDAP port of a forest B domain controller. Is there another way to achieve this? Can I make the call through a forest A domain controller instead?

Upvotes: 0

Views: 5787

Answers (1)

Gabriel Luci

Reputation: 40938

LDAP query on forest B, through forest A Domain Controller

That just isn't the way it works. Even if there was a two-way trust, any query in Forest B would happen on a Forest B domain controller (or Global Catalog - usually the same as a DC).

So regardless of how you authenticate, you will need a network path open to one of the LDAP ports:

  • 389 - default LDAP port
  • 636 - LDAP over SSL (LDAPS)
  • 3268 - Global Catalog, which returns results for all domains in the forest. Only useful if there is more than one domain in the forest.
  • 3269 - GC over SSL

If you don't specify any port, 389 is used. For any of the others, you need to specify a port.

The "trust" just means that you can use credentials from one domain to authenticate to the other domain. So in your case, since Forest A trusts Forest B, you can use credentials from Forest B to authenticate on a computer joined to Forest A.

Since Forest B does not trust Forest A, you will need to authenticate using an account on Forest B when you perform the search.

Upvotes: 1
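An added example, not code from the question or the answer above, showing what the answer implies in practice: the Forest A client opens its own LDAP session to a Forest B DC or GC on an explicitly chosen port, binds with a Forest B account, and checks the firewall path first. It uses System.DirectoryServices.Protocols and Test-NetConnection; the server name, base DN and account name are placeholders.

```powershell
# Added example: cross-forest LDAP search from a Forest A client straight to a
# Forest B DC/GC. Server, base DN and account below are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Invoke-CrossForestLdapSearch {
    param(
        [Parameter(Mandatory)] [string] $Server,          # Forest B DC or GC, e.g. gc.forestb.example
        [ValidateSet(389, 636, 3268, 3269)] [int] $Port = 3268,  # the four ports listed in the answer
        [Parameter(Mandatory)] [string] $BaseDn,          # e.g. 'DC=forestb,DC=example'
        [string] $Filter = '(objectClass=user)',
        [string[]] $Attributes = @('sAMAccountName', 'distinguishedName'),
        # One-way trust: Forest B does not accept Forest A accounts, so this must be a Forest B account.
        [Parameter(Mandatory)] [pscredential] $Credential
    )

    # The firewall, not the trust, decides whether this can work: probe the path first.
    $probe = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue
    if (-not $probe.TcpTestSucceeded) {
        throw "No network path to ${Server}:${Port}; open the port or pick another DC/GC."
    }

    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $Credential.GetNetworkCredential())
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.SessionOptions.ProtocolVersion = 3
    if ($Port -in 636, 3269) {
        $conn.SessionOptions.SecureSocketLayer = $true   # LDAPS / GC over SSL
    } else {
        $conn.SessionOptions.Signing = $true             # on the plain ports, sign and seal instead of cleartext
        $conn.SessionOptions.Sealing = $true
    }
    $conn.Bind()   # fails here if the account is not one Forest B accepts

    $scope = [System.DirectoryServices.Protocols.SearchScope]::Subtree
    $req   = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDn, $Filter, $scope, $Attributes)
    $resp  = $conn.SendRequest($req)
    foreach ($e in $resp.Entries) {
        [pscustomobject]@{
            sAMAccountName    = $e.Attributes['sAMAccountName'][0]
            distinguishedName = $e.DistinguishedName
        }
    }
    $conn.Dispose()
}

# Usage (placeholders): a Forest B read-only account, GC port 3268 for a forest-wide search.
# $cred = Get-Credential 'FORESTB\svc-ldap-reader'
# Invoke-CrossForestLdapSearch -Server 'gc.forestb.example' -Port 3268 -BaseDn 'DC=forestb,DC=example' -Credential $cred
```

Port 3268 only helps when Forest B has more than one domain; for a single-domain forest use 389 or 636 against a DC.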
