Issue connecting to read-only domain controller (RODC) from C# application through System.DirectoryServices.AccountManagement

Question

  • I have an issue when connecting to Active Directory. In my organization there are two LDAP servers: one at the central location, which is a writable domain controller, and the other located near the client, which is a read-only domain controller (RODC). The RODC is an exact replica of the central LDAP.

    When my application logs in, it is supposed to connect to the RODC, which is nearby. But unfortunately it is connecting to the central one, and this is causing the login delay.

    While logging in, my C# application does the following operations.
    1. Validate the credentials using LogonUser (native function)
    2. Get the UPN of the user using the following code

    using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain, domainName))
    {
        using (var up = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, userName))
        {
            // FindByIdentity returns null when no account with that sAMAccountName exists.
            if (up != null)
            {
                return up.UserPrincipalName;
            }
            else
            {
                return null;
            }
        }
    }

    3. Get the user's groups using the following code to assign privileges

    List<string> userGroups = new List<string>();
    using (var ctx = new PrincipalContext(ContextType.Domain, domain))
    {
        using (var up = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, userName))
        {
            // Guard against an unknown account; the original code would throw a NullReferenceException here.
            if (up == null)
            {
                return userGroups;
            }

            // GetGroups returns a PrincipalSearchResult, which holds directory resources and should be disposed.
            using (var memberOf = up.GetGroups())
            {
                foreach (var group in memberOf)
                {
                    // Groups from other domains may come back without a sAMAccountName; skip them.
                    if (group.SamAccountName == null)
                    {
                        continue;
                    }

                    userGroups.Add(group.SamAccountName);
                }
            }
        }
    }
    

    How can I change the application so that it connects to the RODC instead of the central location?
    If you ask how we know it is connecting to the central one: my administrator is using some tool (not sure, it may be the firewall) to find out which location my application is connecting to.

    Thanks in advance for helping me

    Thanks & Regards

    Friday, March 30, 2012 3:43 AM

Answers

  • Found the solution with the help of Microsoft support.

    Use server binding with the machine name:

    string serverName = "machineName";
    string containerInfo = "DC=domain,DC=com";
    // ServerBind binds to exactly this server instead of letting the locator pick any DC in the domain.
    using (var ctx = new PrincipalContext(ContextType.Domain, serverName, containerInfo, ContextOptions.ServerBind | ContextOptions.Negotiate))
    {
        using (var up = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, userName))
        {
            // Work with the user principal here.
        }
    }


    More:

    DsGetDcName will return the DC in your local site.
    DsGetDcName function
    Link: http://msdn.microsoft.com/en-us/library/windows/desktop/ms675983(v=vs.85).aspx

    With the local DC name, use the ContextOptions in PrincipalContext with ServerBind to bind to that DC.
    PrincipalContext Class
    Link: http://msdn.microsoft.com/en-us/library/system.directoryservices.accountmanagement.principalcontext.aspx
    ContextOptions Enumeration
    Link: http://msdn.microsoft.com/en-us/library/system.directoryservices.accountmanagement.contextoptions.aspx

    Thanks & Regards

    • Marked as answer by ArunSurendran Wednesday, September 12, 2012 3:42 PM
    Wednesday, September 12, 2012 3:42 PM
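The accepted answer names the two pieces (locate the local-site DC with DsGetDcName, then ServerBind to it) but does not show them joined up, and the question's two lookups (UPN, then groups) each open a fresh, locator-chosen context. The following is an added example, not code from this thread or from Microsoft: it P/Invokes DsGetDcName for the client's own site, reports whether the returned DC is writable or an RODC, strips the leading backslashes from the returned name (PrincipalContext expects a bare host name), and then performs both lookups over one server-bound context. The domain and user names are placeholders; the flag and struct definitions are taken from dsgetdc.h.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Runtime.InteropServices;

// Added example: locate the DC for this client's AD site and bind only to it.
static class SiteAwareDirectory
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct DOMAIN_CONTROLLER_INFO
    {
        public string DomainControllerName;     // e.g. "\\dc01.corp.example.com" (leading backslashes included)
        public string DomainControllerAddress;
        public uint DomainControllerAddressType;
        public Guid DomainGuid;
        public string DomainName;
        public string DnsForestName;
        public uint Flags;                      // DS_*_FLAG bits describing the returned DC
        public string DcSiteName;               // site the DC belongs to
        public string ClientSiteName;           // site this client was placed in
    }

    [DllImport("netapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern int DsGetDcName(string computerName, string domainName, IntPtr domainGuid,
                                  string siteName, uint flags, out IntPtr domainControllerInfo);

    [DllImport("netapi32.dll")]
    static extern int NetApiBufferFree(IntPtr buffer);

    // Request flags (dsgetdc.h).
    const uint DS_FORCE_REDISCOVERY          = 0x00000001; // ignore the cached DC
    const uint DS_DIRECTORY_SERVICE_REQUIRED = 0x00000010; // must be an AD DC
    const uint DS_TRY_NEXTCLOSEST_SITE       = 0x00040000; // prefer the next-closest site over any site
    const uint DS_RETURN_DNS_NAME            = 0x40000000; // return the DNS host name
    // Result flags found in DOMAIN_CONTROLLER_INFO.Flags.
    const uint DS_CLOSEST_FLAG  = 0x00000080;              // DC is in the closest site
    const uint DS_WRITABLE_FLAG = 0x00000100;              // clear on an RODC

    public sealed class DcLocation
    {
        public string DomainController; public string DcSite; public string ClientSite;
        public bool IsWritable; public bool IsClosest;
    }

    public static DcLocation LocateLocalSiteDc(string domainName, bool forceRediscovery = false)
    {
        uint flags = DS_DIRECTORY_SERVICE_REQUIRED | DS_RETURN_DNS_NAME | DS_TRY_NEXTCLOSEST_SITE;
        if (forceRediscovery) flags |= DS_FORCE_REDISCOVERY;

        IntPtr buffer;
        int rc = DsGetDcName(null, domainName, IntPtr.Zero, null, flags, out buffer);
        if (rc != 0)
            throw new InvalidOperationException("DsGetDcName failed with Win32 error " + rc);
        try
        {
            var info = (DOMAIN_CONTROLLER_INFO)Marshal.PtrToStructure(buffer, typeof(DOMAIN_CONTROLLER_INFO));
            return new DcLocation
            {
                DomainController = info.DomainControllerName.TrimStart('\\'), // bare host name for PrincipalContext
                DcSite = info.DcSiteName,
                ClientSite = info.ClientSiteName,
                IsWritable = (info.Flags & DS_WRITABLE_FLAG) != 0,
                IsClosest = (info.Flags & DS_CLOSEST_FLAG) != 0
            };
        }
        finally { NetApiBufferFree(buffer); }
    }

    // Resolves the UPN and group sAMAccountNames over a single context bound to the located DC.
    public static KeyValuePair<string, List<string>> ResolveUser(string domainName, string userName)
    {
        DcLocation dc = LocateLocalSiteDc(domainName);
        // Surface it when the locator left our site; that is the symptom the question describes.
        if (!dc.IsClosest || !string.Equals(dc.DcSite, dc.ClientSite, StringComparison.OrdinalIgnoreCase))
            Console.Error.WriteLine("Bound to {0} (site {1}, writable={2}); client site is {3}",
                                    dc.DomainController, dc.DcSite, dc.IsWritable, dc.ClientSite);

        string container = "DC=" + domainName.Replace(".", ",DC="); // corp.example.com -> DC=corp,DC=example,DC=com
        var groups = new List<string>();
        // ServerBind pins the connection; Signing|Sealing protect the LDAP session on the wire.
        using (var ctx = new PrincipalContext(ContextType.Domain, dc.DomainController, container,
                   ContextOptions.ServerBind | ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing))
        using (var up = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, userName))
        {
            if (up == null) return new KeyValuePair<string, List<string>>(null, groups);
            using (var memberOf = up.GetGroups())
            {
                foreach (var g in memberOf)
                    using (g) { if (g.SamAccountName != null) groups.Add(g.SamAccountName); }
            }
            return new KeyValuePair<string, List<string>>(up.UserPrincipalName, groups);
        }
    }

    static void Main()
    {
        var result = ResolveUser("corp.example.com", "jdoe"); // placeholder domain and account
        Console.WriteLine("UPN: {0}, groups: {1}", result.Key, string.Join(", ", result.Value));
    }
}
```

Two things to watch when adapting this: an RODC only answers authoritatively for the accounts whose secrets it is allowed to cache, so a lookup for a non-cached account is forwarded by the RODC to a writable DC regardless of how the client binds; and if the locator keeps returning the central DC, the client's subnet is most likely not mapped to the branch site in Active Directory Sites and Services, which no client-side code can fix.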

All replies

  • Hi Me Arun,

      I strongly recommend that you read the following articles published by CodeProject:

      Storer.ActiveDirectory - Active Directory User/Group Encapsulation Classes

      http://www.codeproject.com/Articles/18266/Storer-ActiveDirectory-Active-Directory-User-Group

      Wrapper API for using Microsoft Active Directory Services

      http://www.codeproject.com/KB/system/Wrapper_API.aspx?q=UserPrincipalName

      Hope it helps you.

    Sincerely,

    Jason Wang


    Jason Wang [MSFT]
    MSDN Community Support | Feedback to us

    Monday, April 02, 2012 6:05 AM
  • Thanks for the reply.

    I read both articles and tried with the DirectorySearcher, but it is still reaching the writable central domain controller rather than the nearer one (which is the read-only domain controller). Any thoughts would be appreciated.

    Thanks & Regards

    Thursday, April 12, 2012 12:28 PM
  • Someone from Microsoft told me to recompile with

    AuthenticationTypes.ReadonlyServer

    But for the PrincipalContext I am not sure how I can do that. Can someone help me?

    Thanks & Regards

    Monday, April 23, 2012 7:42 AM
  • Hello Arun

    I am in the same situation and tried your solution... But in my case I am getting an "LDAP server could not be found" error... Any help would be appreciated.

    Saturday, January 05, 2013 3:30 AM