Skrymsli

Reputation: 5313

Detect read-only domain controller with .NET?

I want to be able to determine whether a particular domain controller is read-only. I know I can do stuff like this to get a writeable DC:

using System.DirectoryServices.ActiveDirectory;

// Ask the DC locator for a writable DC in the named site.
using (Domain d = Domain.GetCurrentDomain())
{
    DomainController dc = d.FindDomainController(
        "mysitename", LocatorOptions.WriteableRequired);
}

But given a DomainController object is there a way to determine whether that DC is writeable?

The reason I'm asking is that I want to try to select a preferred domain controller that is (1) writeable, (2) in my site and (3) a global catalog. There doesn't seem to be a good way to find a server with all these attributes.

Upvotes: 1

Views: 3180

Answers (2)

Per Noalt

Reputation: 5102

One difference between Read-Only and Writable Domain Controllers is that all Read-Only Domain Controllers have the attribute primaryGroupID set to 521 (which is the RID for the "Read-only Domain Controllers" built-in group in Active Directory). Writable Domain Controllers have primaryGroupID set to 516 (the "Domain Controllers" group).

The primary group for a read-only domain controller cannot be easily changed (Active Directory won't allow it), so you should be safe to assume that all RODCs have that attribute set to 521.

Upvotes: 5

Reed Copsey

Reputation: 564641

It's not elegant, but...

If you have the DomainController object, you can do:

using System.DirectoryServices.ActiveDirectory;

bool isWritable = true;
try
{
    // A using statement needs a block here; a bare declaration is not
    // allowed as its embedded statement.
    using (Domain d = Domain.GetCurrentDomain())
    {
        DomainController dc = d.FindDomainController(
            theDomainController.Name, LocatorOptions.WriteableRequired);
        dc.Dispose();
    }
}
catch (ActiveDirectoryObjectNotFoundException)
{
    // The locator found no writable DC matching the request.
    isWritable = false;
}

This should determine whether a specific domain controller is writable.

Upvotes: 0
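The following is an added example, not code from the question or from either answer. It implements the primaryGroupID check that Per Noalt describes (521 means "Read-only Domain Controllers", 516 means "Domain Controllers") and then does the three-way selection the question asks for: a DC that is writable, in the local computer's site, and a global catalog. The class and method names (PreferredDcLocator, IsReadOnly, FindPreferredDc) are my own; the attribute names serverReference and primaryGroupID and the two RIDs are standard Active Directory values. One caveat on the second answer: the overload used there is FindDomainController(string siteName, LocatorOptions flag), so its first argument is a site name, not a DC name; the example below therefore inspects the DC's own computer account instead of asking the locator.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;

// Added example (not from the original question or answers).
// Classifies a DomainController as read-only or writable via the
// primaryGroupID of its computer account, then selects a DC that is
// writable, in the local computer's site, and a global catalog.
static class PreferredDcLocator
{
    // Well-known RIDs of the two built-in groups that hold DC accounts.
    const int DomainControllersRid = 516;         // writable DCs
    const int ReadOnlyDomainControllersRid = 521; // RODCs

    // True when the DC's computer account has its primary group set to
    // "Read-only Domain Controllers" (primaryGroupID == 521).
    public static bool IsReadOnly(DomainController dc)
    {
        // GetDirectoryEntry() returns the DC's server object in the
        // Configuration partition; its serverReference attribute holds the
        // DN of the matching computer account in the domain partition.
        using (DirectoryEntry server = dc.GetDirectoryEntry())
        {
            string computerDn = (string)server.Properties["serverReference"].Value;

            // Bind to that DC itself so the result does not depend on which
            // DC the locator would otherwise hand us.
            string path = "LDAP://" + dc.Name + "/" + computerDn;
            using (DirectoryEntry computer = new DirectoryEntry(path))
            {
                int primaryGroupId = (int)computer.Properties["primaryGroupID"].Value;
                switch (primaryGroupId)
                {
                    case ReadOnlyDomainControllersRid:
                        return true;
                    case DomainControllersRid:
                        return false;
                    default:
                        // A DC account whose primary group is neither 516 nor
                        // 521 is misconfigured or tampered with; do not guess.
                        throw new InvalidOperationException(
                            dc.Name + " has unexpected primaryGroupID " + primaryGroupId);
                }
            }
        }
    }

    // Returns the first DC in the local site that is writable and a global
    // catalog, or null when the site has none. The caller owns the result.
    public static DomainController FindPreferredDc()
    {
        string siteName = ActiveDirectorySite.GetComputerSite().Name;
        using (Domain domain = Domain.GetCurrentDomain())
        {
            foreach (DomainController dc in domain.FindAllDomainControllers(siteName))
            {
                if (dc.IsGlobalCatalog() && !IsReadOnly(dc))
                    return dc;
                dc.Dispose(); // not a candidate; release it
            }
        }
        return null;
    }

    static void Main()
    {
        using (DomainController dc = FindPreferredDc())
        {
            Console.WriteLine(dc == null
                ? "No writable global catalog in this site."
                : "Preferred DC: " + dc.Name);
        }
    }
}
```

The default branch is deliberate: a DC account with a primaryGroupID other than 516 or 521 is a configuration or tampering signal worth surfacing, not something to silently treat as writable. If you only need the server and not the classification, the locator can also be asked directly with Forest.GetCurrentForest().FindGlobalCatalog(siteName, LocatorOptions.WriteableRequired), which passes both the GC and writable requirements to DsGetDcName in one call.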
