
Active Directory forest root domain does not return referrals when querying on port 3268/3269


An Active Directory forest root domain generally returns referrals when queried directly, but as soon as we provide port 3268/3269 to the same domain, it provides results instead of referrals. For example, consider the following 2 queries with ldapsearch:

ldapsearch -H ldaps://company-abcd.com -x -D "test\testuser" -W -b "DC=company-abcd,DC=com" "sAMAccountName=testuser" memberOf

ldapsearch -H ldaps://company-abcd.com:3269 -x -D "test\testuser" -W -b "DC=company-abcd,DC=com" "sAMAccountName=testuser" memberOf

What is the reason for the above behaviour? Does querying on a port mean we are querying one particular domain controller instead of a global catalog?


Solution

  • When you don't specify the port, the default port is used. The default port for LDAPS is 636. So your first request is connecting to port 636.

    The LDAP or LDAPS ports (389 and 636) only return results for the domain of the server you are connecting to. So if the object you are asking for is on a different (but trusted) domain, then it is normal and expected that you will get a referral.

    When you connect to port 3268 or 3269, you are asking for results from the global catalog, which will return results for every domain in the AD forest. So if the object you are looking for is on one of the domains in the forest, it will give you the result without a referral.
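The two behaviours described in the answer, as an added example that is not part of the question or the answer above: a small Python script that classifies an LDAP URL by the port it will actually hit (applying the 389/636 defaults when none is given) and splits OpenLDAP ldapsearch output into result entries and search references, so a script consuming the output can tell "the DC does not hold this object, ask elsewhere" apart from "no such object". The two ldapsearch outputs embedded below are constructed for illustration; company-abcd.com, the child domain test.company-abcd.com, the user testuser and the group "App Owners" are assumed names, not data from the original post.

```python
"""Classify an LDAP URL by target port and separate referrals from results
in OpenLDAP ldapsearch output. Added example; all host, user and group
names are constructed."""
from urllib.parse import unquote, urlsplit

GC_PORTS = {3268, 3269}      # global catalog, LDAP / LDAPS: forest-wide answers
DOMAIN_PORTS = {389, 636}    # one domain's naming context, LDAP / LDAPS


def query_scope(url: str) -> str:
    """Return 'global-catalog', 'domain' or 'other' for an LDAP URL.

    With no explicit port, ldap:// defaults to 389 and ldaps:// to 636, so
    ldaps://company-abcd.com is a domain-scoped query while
    ldaps://company-abcd.com:3269 asks the global catalog.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    if port in GC_PORTS:
        return "global-catalog"
    if port in DOMAIN_PORTS:
        return "domain"
    return "other"


def unfold(output: str) -> list:
    """Join LDIF continuation lines (a leading space) onto the previous line."""
    lines = []
    for line in output.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_ldapsearch(output: str) -> dict:
    """Split ldapsearch LDIF output into entries (dn: blocks) and referrals.

    ldapsearch prints each search reference as a '# search reference'
    comment followed by a 'ref:' line; comment lines carry no data.
    """
    entries, referrals, entry = [], [], None
    for line in unfold(output):
        if not line:                          # blank line ends the block
            entry = None
        elif line.startswith("#"):
            continue
        elif line.startswith("ref: "):
            referrals.append(line[len("ref: "):])
        elif line.startswith("dn: "):
            entry = {"dn": line[len("dn: "):]}
            entries.append(entry)
        elif entry is not None and ": " in line:
            attr, value = line.split(": ", 1)
            entry.setdefault(attr, []).append(value)
    return {"entries": entries, "referrals": referrals}


def referral_targets(referrals: list) -> list:
    """(host, base DN) pairs from 'ref:' URLs: which DC to ask on 389/636
    for the full object. Note urlsplit lowercases the host name."""
    return [(urlsplit(r).hostname, unquote(urlsplit(r).path.lstrip("/")))
            for r in referrals]


# Constructed output of the port-636 query: the DC answers only for its own
# naming context and refers the caller to the other partitions it knows of,
# including the child domain that actually holds the user.
DOMAIN_PORT_OUTPUT = """\
# base <DC=company-abcd,DC=com> with scope subtree
# filter: sAMAccountName=testuser
# requesting: memberOf

# search reference
ref: ldap://ForestDnsZones.company-abcd.com/DC=ForestDnsZones,DC=company-abcd,
 DC=com

# search reference
ref: ldap://test.company-abcd.com/DC=test,DC=company-abcd,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 3
# numReferences: 2
"""

# Constructed output of the same search on port 3269: the global catalog
# holds a replica of every domain's objects, so the entry comes back directly.
GC_PORT_OUTPUT = """\
# testuser, Users, test.company-abcd.com
dn: CN=testuser,CN=Users,DC=test,DC=company-abcd,DC=com
memberOf: CN=App Owners,CN=Users,DC=company-abcd,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

if __name__ == "__main__":
    for url, output in (("ldaps://company-abcd.com", DOMAIN_PORT_OUTPUT),
                        ("ldaps://company-abcd.com:3269", GC_PORT_OUTPUT)):
        parsed = parse_ldapsearch(output)
        print(url, query_scope(url), len(parsed["entries"]), "entries,",
              len(parsed["referrals"]), "referrals")
        for host, base in referral_targets(parsed["referrals"]):
            print("  follow to", host, "base", base)
```

Two practical caveats. The global catalog stores only the partial attribute set of each object, so an attribute that is not replicated to the GC comes back empty on 3268/3269 even though the entry is found; the host and base DN extracted from the `ref:` lines are exactly what you need to re-run the query against the owning domain's DC on 389/636 for the full object. And ldapsearch folds long LDIF lines by default, which is why the parser unfolds them first; passing `-o ldif-wrap=no` to ldapsearch avoids the folding altogether.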