3.1.1.1.12 Cross-NC Object References

Section 3.1.1.1.6 specifies the referential integrity behavior of attributes with object reference syntaxes. That section only specifies the case of references within a single NC. This section specifies the differences for the case of object references that cross an NC boundary.

Suppose src and dst are objects in different NCs, src has an attribute a with an object reference syntax, and dc is a DC hosting a writable replica of src's NC.

  • When an LDAP Add or Modify creates an object reference within attribute src.a, the server uses the DN (or SID or GUID) specified in the Add or Modify to locate an existing object dst. The behavior is identical to the single NC case, with two exceptions:

    1. Locating the object dst can fail if dc does not host a replica of dst and if dc fails to communicate with a server that hosts a dst replica; the response is error unavailable / <unrestricted>.

    2. Certain cross-NC references are not allowed; the specific references that are not allowed are specified in section 3.1.1.2.2.3. If the reference is not allowed, the response is error constraintViolation / ERROR_DS_NAME_REFERENCE_INVALID.

  • After the assignment, the referential integrity behavior is the same as if the reference did not cross an NC boundary, except that reference src.a reflects the state of object dst at some time t in the past, not at the current time. If the distributed system of DCs in the forest is functioning normally, the difference between the current time and the time t is bounded by an administrator-configurable amount of time. (During this period, between t and the current time, the cross-NC reference can refer to the object by its previous name or at its previous location, or it can refer to the object after the object has been deleted.) The phrase "functioning normally" as used here means that the DCs are running and communicating as needed, with only transient failures.

The mechanism the system uses for restoring the integrity of object references is specified in section 3.1.1.6.
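The staleness window described above can be audited by comparing what src.a shows on a DC hosting src's NC with the state of dst on a DC hosting dst's NC. The following is an added example, not part of the specification: the function names, NC roots, DNs and GUID labels are constructed, and DN comparison is simplified to a case-insensitive match on RDN strings.

```python
# Added illustration: every DN, GUID label and function name here is constructed.
NC_ROOTS = ["DC=corp,DC=example", "DC=emea,DC=corp,DC=example",
            "CN=Configuration,DC=corp,DC=example"]

def split_dn(dn):
    """Split a DN into lowercased RDNs, honoring backslash-escaped commas."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped or ch != ",":
            cur.append(ch)
            escaped = ch == "\\" and not escaped
        else:
            parts.append("".join(cur).strip().lower())
            cur = []
    parts.append("".join(cur).strip().lower())
    return parts

def nc_of(dn, nc_roots=NC_ROOTS):
    """Return the NC root that is the longest RDN-wise suffix of dn, else None."""
    rdns = split_dn(dn)
    hits = [r for r in nc_roots if rdns[-len(split_dn(r)):] == split_dn(r)]
    return max(hits, key=lambda r: len(split_dn(r)), default=None)

def classify(src_dn, stored_dn, dst_state):
    """stored_dn: DN shown in src.a on the DC hosting src's NC. dst_state:
    (current_dn, is_deleted) from a DC hosting dst's NC, or None if unreachable."""
    if nc_of(src_dn) == nc_of(stored_dn):
        return "same-nc"  # single-NC behavior applies, outside this audit
    if dst_state is None:
        return "unverified"
    current_dn, is_deleted = dst_state
    if is_deleted:
        return "stale-deleted"
    if split_dn(current_dn) != split_dn(stored_dn):
        return "stale-renamed-or-moved"
    return "current"

def audit(src_dn, refs, dst_view):
    """refs: {guid: stored_dn}; dst_view: {guid: (current_dn, is_deleted)}."""
    return {g: classify(src_dn, dn, dst_view.get(g)) for g, dn in refs.items()}

# Constructed sample: a group in the root domain NC referencing child-domain users.
EMEA = "DC=emea,DC=corp,DC=example"
SRC = "CN=Admins,OU=Groups,DC=corp,DC=example"
REFS = {"g-alice": "CN=Alice,OU=Staff," + EMEA, "g-bob": "CN=Bob,OU=Staff," + EMEA,
        "g-carol": "CN=Carol,OU=Staff," + EMEA,
        "g-dave": "CN=Dave,OU=Groups,DC=corp,DC=example"}
DST_VIEW = {"g-alice": ("cn=alice,ou=staff," + EMEA, False),
            "g-bob": ("CN=Bob,OU=Leavers," + EMEA, False),
            "g-carol": ("CN=Carol,CN=Deleted Objects," + EMEA, True)}
```

References reported as stale for longer than the administrator-configured bound indicate that the DCs are not "functioning normally" in the sense used above and that replication health needs checking.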