Should I bind to Active Directory using a domain name or domain controller name?

I am working on an application that talks to Active Directory through an LDAP provider, using both C# and C++. The application runs on Windows 2003, 2008 and 2008 R2. I use bind strings that look like this:

LDAP://mydomain.com/CN=Fred,DC=mydomain,DC=com
LDAP://server.mydomain.com/CN=Fred,DC=mydomain,DC=com

The application is responsible for both read and write operations in the directory. For example, in one scenario it creates a new organizational unit and then creates several users and groups in that new OU. In another scenario it presents a directory view to an interactive user and allows the user to create a new group or user account.

So far I have used domain binding (the first example bind string above), based on the MSDN recommendation:

In most cases, the binding should not be unnecessarily tied to a single server. Active Directory Domain Services supports serverless binding, which means that Active Directory can be bound to the default domain without specifying a domain controller name.

The problem occurs when there are several domain controllers in a domain; for the moment I will call them Lefty and Righty. If I bind to the directory using LDAP://mydomain.com/blah, I implicitly connect to either Lefty or Righty. Here is an example of what happens:

  1. Bind to the mydomain.com root. The Active Directory guts choose Lefty as the server to talk to.
  2. Create a new OU called Container. The OU is created on Lefty.
  3. Attempt to bind to the new OU. The Active Directory guts choose Righty as the server to talk to, so the bind fails because Righty doesn't know about the new OU yet.
  4. Wait 10-15 seconds and try again. The bind succeeds regardless of which server is chosen.

In step 3, rebinding is not strictly required, but in some scenarios two different executables are involved, so I cannot simply hold on to the IADs or DirectoryEntry object. Internally, I think the Active Directory guts use DsGetDcName to choose which server to talk to, and the docs for that function discuss how it selects a domain controller and how it caches this information. Unfortunately, as far as I can tell, this is not something the application can really control. In some cases I see applications consistently connecting to one domain controller or the other, but in other cases the applications seem to alternate between domain controllers (as described above), and everything falls apart.

So: is this just a fundamental limitation of domain binding? I think the problem would disappear if I bound directly to a specific domain controller, but that greatly complicates the application code, so I was hoping to avoid it.

2 answers

This is an inherent issue with LDAP server replication. I have never used the C# API; I have worked on eDirectory on Linux. Immediately after creating an object, if you intend to reference it, the best option is to stick with the same server/DC.

Why does this complicate the application? Write a function to pick the server. The function should do a DNS lookup for the domain (example.com); if you have several domain controllers, it will return all of their IP addresses. Pick the one that works (ping, LDAP RootDSE search) and return it to the caller.

Use this function only when you encounter the problem you mentioned above. Elsewhere, just stick to the domain.

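The pattern this answer describes, as an added example (not the asker's or the answerer's code): pick one writable domain controller up front, then pin every bind in the process to that DC's DNS name, so the OU created in step 2 is guaranteed to be visible in step 3. Instead of a hand-rolled DNS/ping/RootDSE probe, it uses System.DirectoryServices.ActiveDirectory's DomainController.FindOne (the managed wrapper around the same DC locator the question mentions) and simply keeps the result. The domain, OU and user names are assumed placeholders, and the code expects to run as an account that can create objects in the domain.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;

// Added example: pin all binds in this process to one writable DC so that an object
// created in one step is seen by the next step, instead of letting each serverless
// bind choose Lefty or Righty on its own.
public static class PinnedAdBinding
{
    // Resolve the domain to one writable DC once and return its DNS name,
    // e.g. "lefty.mydomain.com". This is the only call that goes through the locator.
    public static string PickWritableDomainController(string domainDnsName)
    {
        DirectoryContext ctx = new DirectoryContext(DirectoryContextType.Domain, domainDnsName);
        using (DomainController dc = DomainController.FindOne(ctx, LocatorOptions.WriteableRequired))
        {
            return dc.Name;
        }
    }

    // Server-bound ADsPath, e.g. "LDAP://lefty.mydomain.com/OU=Container,DC=mydomain,DC=com".
    public static string ServerBoundPath(string server, string distinguishedName)
    {
        return string.Format("LDAP://{0}/{1}", server, distinguishedName);
    }

    public static void Main()
    {
        // Assumed names; replace with your own domain and DNs.
        string domain = "mydomain.com";
        string domainDn = "DC=mydomain,DC=com";
        string ouDn = "OU=Container," + domainDn;

        // Pick the DC once. This plain string (not a DirectoryEntry) is what you hand
        // to any other executable that must see the objects created here.
        string dc = PickWritableDomainController(domain);
        Console.WriteLine("Using domain controller " + dc);

        // Step 1: create the OU on the pinned DC.
        using (DirectoryEntry root = new DirectoryEntry(ServerBoundPath(dc, domainDn)))
        using (DirectoryEntry ou = root.Children.Add("OU=Container", "organizationalUnit"))
        {
            ou.CommitChanges();
        }

        // Step 2: bind to the new OU on the same DC and create a user in it. A
        // serverless bind here could land on the other DC and fail until replication
        // catches up; the pinned path cannot.
        using (DirectoryEntry ou = new DirectoryEntry(ServerBoundPath(dc, ouDn)))
        using (DirectoryEntry user = ou.Children.Add("CN=Fred", "user"))
        {
            user.Properties["sAMAccountName"].Value = "fred";
            user.CommitChanges();
        }
    }
}
```

The trade-off is the one the MSDN note warns about: the process now depends on that single DC staying reachable, so a production version should catch the bind failure and call PickWritableDomainController again (LocatorOptions.ForceRediscovery skips the locator cache) rather than retrying the same server forever.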

First. I would say, like @Kalyan: write a method that selects a domain controller at the start of your work and stores it in a shared place, and then the whole EXE uses it.

Second. You can probably force replication from the domain controller on which you first created the OU, using the SyncReplicaFrom... methods of the DirectoryServer class in System.DirectoryServices.ActiveDirectory, or use interop with the DsReplicaSyncAll function. I am not sure whether this second way is a good one.

Note. From a pure LDAP point of view, there is perhaps a RootDSE attribute or something else that forces replication, in the way that schemaUpdateNow forces a schema reload.

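The second suggestion above, as an added example (not the answerer's code): after writing to one DC, pull the domain partition from that DC onto every other DC in the domain with DomainController.SyncReplicaFromServer, so that a later serverless bind can land anywhere and still see the new OU. The domain name and source DC name are assumed placeholders; the caller must hold replication rights on the destination DCs (domain admins do), and, as the answer says, this is a heavier hammer than pinning the bind.

```csharp
using System;
using System.DirectoryServices.ActiveDirectory;

// Added example: force the other DCs to replicate the domain partition from the DC
// that received the write, instead of waiting 10-15 seconds for normal replication.
public static class ForceReplication
{
    // Returns the number of destination DCs that completed the sync; failures are
    // reported and skipped so one unreachable DC does not block the others.
    public static int ReplicateDomainPartitionFrom(string domainDnsName, string sourceDcName)
    {
        DirectoryContext ctx = new DirectoryContext(DirectoryContextType.Domain, domainDnsName);
        int synced = 0;
        using (Domain domain = Domain.GetDomain(ctx))
        {
            // Naming context of the domain partition, e.g. "DC=mydomain,DC=com".
            string partition = domain.GetDirectoryEntry().Properties["distinguishedName"].Value.ToString();

            foreach (DomainController dest in domain.DomainControllers)
            {
                // The source already has the change; sync only the other DCs.
                if (string.Equals(dest.Name, sourceDcName, StringComparison.OrdinalIgnoreCase))
                    continue;
                try
                {
                    // Tell dest to pull the partition from the source DC now.
                    dest.SyncReplicaFromServer(partition, sourceDcName);
                    synced++;
                }
                catch (ActiveDirectoryOperationException ex)
                {
                    Console.Error.WriteLine("Sync to {0} failed: {1}", dest.Name, ex.Message);
                }
                catch (UnauthorizedAccessException ex)
                {
                    Console.Error.WriteLine("No replication rights on {0}: {1}", dest.Name, ex.Message);
                }
            }
        }
        return synced;
    }

    public static void Main()
    {
        // Assumed names: the domain, and the DC on which the OU was just created.
        int n = ReplicateDomainPartitionFrom("mydomain.com", "lefty.mydomain.com");
        Console.WriteLine("Replicated from lefty.mydomain.com to {0} other domain controller(s).", n);
    }
}
```

Call it right after the CommitChanges that created the OU, before handing off to the second executable. Note that it only pushes the domain partition; schema or configuration changes would need their own partition DN, and cross-site replication still follows the site link schedule unless the sync is forced like this.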
