This will depend on how the forests are setup in AD, but generally you should be able to query the top level domain using the global catalog port (generally 3268 or 3269 instead of the traditional 389). Using the GC port will allow you to follow continuation referrals (referrals that send you from ldap://example.com to ldap://na.example.com) In this case you should be able to use "ldap://EXAMPLE.COM:3268" with a base of "DC=EXAMPLE,DC=COM" which should allow you to return users and groups from all sub domains.
... View more
