3.1.1.2.2.3 Referential Integrity

Attributes with object reference syntaxes have special behavior, called referential integrity, as specified in section 3.1.1.1.6. The following are object reference syntaxes:

  • Object(Access-Point)

  • Object(DN-String)

  • Object(OR-Name)

  • Object(DN-Binary)

  • Object(DS-DN)

For the four syntaxes other than Object(DS-DN), referential integrity only applies to the object_DN portion of the value.

Active Directory imposes restrictions on which objects can be referenced by an attribute that has referential integrity. An attribute can reference any object in the same NC as the object on which that attribute is located. Additionally, attributes on an object in the domain NC, schema NC, or config NC can reference any object in any domain NC in the forest, any object in the schema NC or the config NC, or the root object of any application NC. For objects in application NCs, such attributes can reference any object in the config NC or the schema NC, or the root object of any application NC, in addition to any object in the same application NC as the object doing the referencing. All other references are disallowed by the server.

These restrictions are identical for AD DS and for AD LDS. Because AD LDS does not support domain NCs, the only cross-NC references in an AD LDS forest are from any NC to any object in the config and schema NCs or to the root of an application NC.
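The rules above can be stated compactly as a checker. The following Python is an added illustration, not part of the specification: it encodes the cross-NC reference rules of this section in `reference_allowed()`, and `object_dn_portion()` isolates the object_DN part of an Object(DN-Binary) or Object(DN-String) LDAP value (the only part that referential integrity tracks). The `NCType`/`ObjectLocation` names and the sample forest layout are constructed here for illustration.

```python
"""Added example: checks a proposed object reference against the cross-NC
rules of this section.  Class names and the sample forest are constructed
for illustration; they are not identifiers from the specification."""

from dataclasses import dataclass
from enum import Enum


class NCType(Enum):
    DOMAIN = "domain"
    SCHEMA = "schema"
    CONFIG = "config"
    APPLICATION = "application"


@dataclass(frozen=True)
class ObjectLocation:
    """Where an object lives: DN of its NC head, the NC kind, and whether the
    object is that NC's root (head) object."""
    nc_head: str
    nc_type: NCType
    is_nc_root: bool = False


def reference_allowed(source: ObjectLocation, target: ObjectLocation) -> bool:
    """True when an attribute with referential integrity on `source` may
    reference `target`, following the rules stated in this section."""
    # Any object may reference any object in its own NC.
    if source.nc_head == target.nc_head:
        return True
    # Every NC may reference any object in the config or schema NC ...
    if target.nc_type in (NCType.CONFIG, NCType.SCHEMA):
        return True
    # ... or the root object of any application NC.
    if target.nc_type == NCType.APPLICATION and target.is_nc_root:
        return True
    # Objects in a domain, schema, or config NC may additionally reference any
    # object in any domain NC of the forest; application NC objects may not.
    if (source.nc_type in (NCType.DOMAIN, NCType.SCHEMA, NCType.CONFIG)
            and target.nc_type == NCType.DOMAIN):
        return True
    # Everything else is rejected by the server.
    return False


def object_dn_portion(value: str) -> str:
    """Return the object_DN portion of an LDAP value in the
    "B:<count>:<hex>:<DN>" (DN-Binary) or "S:<count>:<string>:<DN>"
    (DN-String) form.  <count> is used to slice the data portion, so a ':'
    inside a DN-String value cannot mislead the parse.  A plain DS-DN value
    is returned unchanged."""
    if not (value.startswith("B:") or value.startswith("S:")):
        return value
    count_end = value.index(":", 2)
    count = int(value[2:count_end])
    data_start = count_end + 1
    data_end = data_start + count
    if data_end >= len(value) or value[data_end] != ":":
        raise ValueError("count does not match data length: %r" % value)
    return value[data_end + 1:]


# Constructed sample forest: a root domain, a child domain, the config and
# schema NCs, and two application NCs (with their root objects).
CORP = ObjectLocation("DC=corp,DC=example", NCType.DOMAIN)
CHILD = ObjectLocation("DC=child,DC=corp,DC=example", NCType.DOMAIN)
CONFIG = ObjectLocation("CN=Configuration,DC=corp,DC=example", NCType.CONFIG)
SCHEMA = ObjectLocation("CN=Schema,CN=Configuration,DC=corp,DC=example", NCType.SCHEMA)
APP1 = ObjectLocation("DC=app1,DC=corp,DC=example", NCType.APPLICATION)
APP1_ROOT = ObjectLocation("DC=app1,DC=corp,DC=example", NCType.APPLICATION, True)
APP2 = ObjectLocation("DC=app2,DC=corp,DC=example", NCType.APPLICATION)
APP2_ROOT = ObjectLocation("DC=app2,DC=corp,DC=example", NCType.APPLICATION, True)

if __name__ == "__main__":
    cases = [
        ("domain -> other domain NC object", CORP, CHILD),
        ("domain -> config NC object", CORP, CONFIG),
        ("domain -> application NC root", CORP, APP1_ROOT),
        ("domain -> application NC non-root", CORP, APP1),
        ("application -> other application NC root", APP1, APP2_ROOT),
        ("application -> other application NC non-root", APP1, APP2),
        ("application -> domain NC object", APP1, CORP),
    ]
    for label, src, tgt in cases:
        verdict = "allowed" if reference_allowed(src, tgt) else "disallowed"
        print(f"{label}: {verdict}")
    print(object_dn_portion("B:8:01000000:CN=x,DC=corp,DC=example"))
```

Running the block prints a verdict per case; the application-to-domain and non-root application cases are the ones the server rejects, which is also the AD LDS situation described above once the domain NC rows are removed.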