8.4 Other Security Considerations

  • If a request comes over LDAPI and the mechanism used is external, then passwords can be retrieved, provided the request comes from the local root user. This access is audited by eDirectory, and can be monitored for misuse.

  • To disable the Global Catalog search on a particular server, ensure that the LDAP server is not configured for ports 3268 or 3269.

    Although this disables Global Catalog search, it also impacts the functioning of the DSfW server.

  • If you use a name-mapped installation, you are installing DSfW in an existing tree. To ensure that the installation does not encounter errors, make sure you meet the prerequisites documented in Installation Prerequisites for a Name-Mapped Setup in the OES 11 SP3: Domain Services for Windows Administration Guide.

  • When a computer account in the DSfW domain is created with a password, the key version number attribute is set to 1 by default and is incremented by 1 each time the password is changed for this account.

  • The gidNumber attribute used by LUM and the primaryGroupID attribute used by Samba refer to the same object.

  • DSfW requires some DNS objects for smooth operation of the location service. For more details, see General DNS Settings in the OES 11 SP3: Domain Services for Windows Administration Guide.

  • When the DSfW server is provisioned, secure dynamic updates are enabled as part of the Update Service Configuration task. Dynamic updates enable DNS client computers to register and dynamically update their resource records with a DNS server whenever changes occur.
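
To verify the Global Catalog item above, the following added example (not part of the original guide) reports any TCP listener bound to port 3268 or 3269. It assumes the `ss` utility from iproute2 is available; the function names `gc_listeners` and `gc_disabled` and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect listeners on the Global Catalog ports (3268, 3269).
# Input is the output of `ss -ltn`:
#   State  Recv-Q  Send-Q  Local-Address:Port  Peer-Address:Port

# Constructed sample, not captured from a real server.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:389 0.0.0.0:*
LISTEN 0 128 0.0.0.0:636 0.0.0.0:*
LISTEN 0 128 [::]:3268 [::]:*
LISTEN 0 128 192.0.2.10:3269 0.0.0.0:*
LISTEN 0 128 127.0.0.1:13268 0.0.0.0:*'

# gc_listeners: read ss-style lines on stdin and print "port local-address"
# for every listening socket bound to exactly 3268 or 3269.
gc_listeners() {
    awk '$1 == "LISTEN" {
        n = split($4, part, ":")   # port is the text after the last colon,
        port = part[n]             # which also handles IPv6 such as [::]:3268
        if (port == "3268" || port == "3269") print port, $4
    }'
}

# gc_disabled: exit status 0 only when no Global Catalog listener is present.
gc_disabled() {
    [ -z "$(gc_listeners)" ]
}

# Demonstration on the constructed sample; on a live server use:
#   ss -ltn | gc_listeners
printf '%s\n' "$SAMPLE_SS" | gc_listeners
```

An empty result from `ss -ltn | gc_listeners` on the server indicates that nothing is listening on the Global Catalog ports.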