Multiple domains AD/LDAP Auth?

Hi @mity-dave,

Sorry will provide the info tomorrow, but maybe the following is already enough:
This works only if all your domains are in one forest. All domains in a forest share a global catalog (GC), where part of the information about every object in every domain is replicated read-only. So the GC is part of Active Directory.

If you have multiple forests you will need to query all GCs of the required forests, but that’s an entirely different question and will not be answered here.

To contact your GC you need to know which server has this role (ask your AD guys!); let’s assume it’s gc.mydomain.local.
The GC uses special ports: 3268 for clear text or StartTLS, and 3269 for SSL/TLS.

So in xwiki your config should be like this (for clear text):

xwiki.authentication.ldap.server=gc.mydomain.local
xwiki.authentication.ldap.port=3268

# If all your domains end in .local, DC=local should work; even an empty base DN may work.
xwiki.authentication.ldap.base_DN=DC=local

# You have to use a proxy user as bind DN; AD does not allow anonymous bind!
xwiki.authentication.ldap.bind_DN=cn=ldapreader,ou=serviceusers,ou=users,dc=mydomain,dc=local
xwiki.authentication.ldap.bind_pass=secret123!

# I allow searching by username (e.g. jdoe) or userPrincipalName (e.g. jdoe@subdom.mydomain.local) to find the user DN.
xwiki.authentication.ldap.user_search_fmt=(|(sAMAccountName={0})(userPrincipalName={0}))

All other options are either default or according to your needs, but with this bare-minimum setup you should succeed.

Hope that helps.
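As an added example (not part of the post above and not XWiki's own code), the following Python reproduces what an LDAP client has to do with the user_search_fmt pattern before sending it to the Global Catalog: substitute the login for {0} with RFC 4515 escaping, so that a login such as `*` or `jdoe)(objectClass=*` cannot widen the search, and pick the right GC port for plain/StartTLS versus LDAPS. It also assembles the ldapsearch command a practitioner would run to verify the bind user and filter before editing xwiki.cfg. The hostnames, DNs and sample logins are assumptions for illustration only.

```python
"""Build and sanity-check a Global Catalog user lookup.

Added example, not XWiki's code. Hostnames, DNs and logins are assumptions.
"""
import shlex

# RFC 4515 section 3: these characters must be hex-escaped inside an assertion
# value, otherwise user-controlled input can change the filter structure.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Same pattern as the xwiki.authentication.ldap.user_search_fmt line above.
USER_SEARCH_FMT = "(|(sAMAccountName={0})(userPrincipalName={0}))"


def escape_filter_value(value: str) -> str:
    """Escape a single assertion value; each char is mapped once, so a
    backslash in the input becomes \\5c and is not re-processed."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(login: str, fmt: str = USER_SEARCH_FMT) -> str:
    """Substitute the escaped login for every {0} in the search pattern."""
    return fmt.replace("{0}", escape_filter_value(login))


def gc_url(host: str, ldaps: bool = False) -> str:
    """Global Catalog ports: 3268 for clear text / StartTLS, 3269 for LDAPS."""
    return f"ldaps://{host}:3269" if ldaps else f"ldap://{host}:3268"


def ldapsearch_command(host: str, bind_dn: str, base_dn: str,
                       login: str, ldaps: bool = False) -> list[str]:
    """Assemble the ldapsearch invocation used to test the setup by hand.
    -W prompts for the bind password so it never lands in shell history."""
    return [
        "ldapsearch", "-LLL", "-x",
        "-H", gc_url(host, ldaps),
        "-D", bind_dn, "-W",
        "-b", base_dn,
        build_user_filter(login),
        "dn", "sAMAccountName", "userPrincipalName",
    ]


if __name__ == "__main__":
    # Assumed values matching the config fragment in the post.
    host = "gc.mydomain.local"
    bind_dn = "cn=ldapreader,ou=serviceusers,ou=users,dc=mydomain,dc=local"
    base_dn = "DC=local"
    for login in ("jdoe", "jdoe@subdom.mydomain.local", "*", "jdoe)(objectClass=*"):
        print(build_user_filter(login))
    print(shlex.join(ldapsearch_command(host, bind_dn, base_dn, "jdoe")))
    print(shlex.join(ldapsearch_command(host, bind_dn, base_dn, "jdoe", ldaps=True)))
```

Run the printed ldapsearch line against the GC first: if the bind succeeds and exactly one DN comes back for a known login, the server, port, bind DN and filter are correct and XWiki only needs the same values. Note that the plain 3268 connection sends the bind password in clear text unless StartTLS is negotiated (`-ZZ` in ldapsearch), so prefer 3269 or StartTLS outside a lab.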