Hi everyone, I can't seem to get a definitive answer on this so I'll ask the group. In a single AD domain/forest, how do LDAP referrals work? Doesn't each Domain Controller (DC) have an entire copy of the directory and therefore have no need to send back a referral to an LDAP query? If the previous statement is true, why would a DC send back a referral to a client, which is what we are seeing?

The reason I'm asking is because we have some Linux hosts in AWS that use our LDAP services, and they are having trouble chasing down referrals due to firewall rules. They initially contact a DC on an EC2 host in AWS via VPC peering between the VPC where the Linux hosts live and the VPC where the DC/DNS servers live. Why is the DC giving back referrals to the Linux hosts on their LDAP queries? Shouldn't the DCs have all the answers to the LDAP query since we only have one domain/forest? Or is there something going on here with the subnet database possibly not being fully updated with all the AWS subnets that we are using?

Thank you,
Ted O.