2

Active Directory (AD DS) has a concept of 'read-only domain controllers' (RODC). Probably for backward compatibility, the default is that read-only domain controllers are ignored: you have to specify explicitly that you allow connecting to a read-only domain controller.

In our C# code we see that at two places. One is when creating a new System.DirectoryServices.DirectoryEntry: there the problem is easily solved by setting the System.DirectoryServices.AuthenticationTypes.ReadonlyServer flag, which allows an RODC to be used.

My question is how to achieve the same thing for code like the following, which uses classes from the System.DirectoryServices.AccountManagement namespace:

using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain))
using (UserPrincipal userPrincipal = UserPrincipal.FindByIdentity(
                                                      ctx,
                                                      IdentityType.SamAccountName,
                                                      ...))
{
    // ...
}

since we observed that this code ignores any read-only domain controllers.

(Note that the above is exactly the same question as posted at the MSDN "Visual C# General" forum in a thread entitled "Issue connecting to read-only domain controller (RODC) from C# application through System.DirectoryServices.AccountManagement".)

MarnixKlooster ReinstateMonica
  • 9,640
  • 14
  • 54
  • 108

1 Answers1

2

Most likely what happened was this was over looked as this functionality doesn't exist. If it wasn't over looked then it was intentional, as a RODC wouldn't allow you to do many of the methods that exist on a UserPrincipal (eg ChangePassword, Delete, etc). I would imagine that to solve this problem, Microsoft would have to create a new ReadOnlyUserPrincipal. More importantly, why would it make sense to instantiate anything in the System.DirectoryServices.AccountManagement namespace as read only as the namespace appears to be more than a read only service (for lack of a better term), unless a read-only version didn't exist (which is the case). Hence, using a non-read only sevice and pointing it to a read only source doesn't work.

Erik Philips
  • 53,428
  • 11
  • 128
  • 150
  • OK, thanks for this "it's not possible" answer. All we're trying to do in this specific code is to get the UPN given a user's sAMAccountName, which does not require write access. I'm assuming this means we should be doing that through a `DirectoryEntry` instead? That is what I'm going to try, anyway. – MarnixKlooster ReinstateMonica Jun 07 '12 at 15:04