Reputation: 9769
Active Directory (AD DS) has a concept of 'read-only domain controllers' (RODC). Probably for backward compatibility, the default is that read-only domain controllers are ignored: you have to specify explicitly that you allow connecting to a read-only domain controller.
In our C# code we see that at two places. One is when creating a new System.DirectoryServices.DirectoryEntry: there the problem is easily solved by setting the System.DirectoryServices.AuthenticationTypes.ReadonlyServer flag, which allows an RODC to be used.
My question is how to achieve the same thing for code like the following, which uses classes from the System.DirectoryServices.AccountManagement namespace:
using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain))
using (UserPrincipal userPrincipal = UserPrincipal.FindByIdentity(
    ctx,
    IdentityType.SamAccountName,
    ...))
{
    // ...
}
since we observed that this code ignores any read-only domain controllers.
(Note that the above is exactly the same question as posted at the MSDN "Visual C# General" forum in a thread entitled "Issue connecting to read-only domain controller (RODC) from C# application through System.DirectoryServices.AccountManagement".)
Upvotes: 2
Views: 1676
Reputation: 54638
Most likely what happened was that this was overlooked, as this functionality doesn't exist. If it wasn't overlooked then it was intentional, as an RODC wouldn't allow you to do many of the methods that exist on a UserPrincipal (e.g. ChangePassword, Delete, etc.). I would imagine that to solve this problem, Microsoft would have to create a new ReadOnlyUserPrincipal. More importantly, why would it make sense to instantiate anything in the System.DirectoryServices.AccountManagement namespace as read-only, as the namespace appears to be more than a read-only service (for lack of a better term), unless a read-only version didn't exist (which is the case). Hence, using a non-read-only service and pointing it to a read-only source doesn't work.
Upvotes: 2