
I have a custom role provider for an ASP.NET MVC site which is retrieving the roles for a user using a PrincipalContext as below.

This works fine, except there is a long delay between changing groups in Active Directory and it appearing in the PrincipalContext.

The administrator can update groups through the site and would expect that to be visible immediately.

How can I avoid this delay? Is there a cache somewhere? A couple of hours of googling hasn't thrown up any solutions.

I do think this may be an environmental thing, as my local machine does this immediately but the test server doesn't.

    using System.DirectoryServices.AccountManagement;

    // userName/_password bind to AD; username is the UPN of the user whose roles are needed
    using (var context = new PrincipalContext(ContextType.Domain, name, container, userName, _password))
    {
        var p = UserPrincipal.FindByIdentity(context, IdentityType.UserPrincipalName, username);
        var groups = p.GetAuthorizationGroups();
    }
big_tommy_7bb

1 Answer


Define 'long'!

Active Directory forests can be divided into sites (nothing to do with web sites, think of them as locations). Replication between servers within a site is carried out every few seconds. By default, replication between sites is 3 hours, whereas replication within sites is every 15 seconds. Like everything, it's actually more complicated than that but that'll do. So, if your server is in a different site and you're making changes on a local domain controller (DC), your changes could take a while to replicate to the DC being used by the server. (That 3 hours, btw, can be brought down to 15 minutes.) And if there's a site between your site and the server's site, and there are no direct links between them, which could be the case if your AD topology is large and complex, you could have to wait two replication intervals. Or more.

You need to talk to your AD admins to determine this.

You could connect to a DC on the server's site, to make the changes to group membership, and you'd see these more quickly. If you're using Active Directory Users & Computers, or some other UI, then this is quite reasonable. If you're writing an app to make the changes, be sure to use a robust method of picking the DC, so you don't lose the benefits of AD's multi-master topology.

Simon