System.DirectoryServices PrincipalContext with read only domain controller


I have an application which has certain functionality secured by performing an Active Directory lookup via DirectoryServices.

I am in the midst of migrating this code from a web host in our old domain to a new domain. The code worked flawlessly on the old domain. However, errors occur when testing it against the new domain. We have a full trust between domains as our goal is to migrate off of the old domain. The new domain employs the use of read-only domain controllers within the domain, but restricted from the internal network via firewall rules. Only perimeter DMZ servers in the domain can reach the read-only domain controllers.

Here is the problematic line of code:

using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain,"mydc.local:389", null, ContextOptions.Negotiate))

When testing against the new domain, I am receiving this:

[COMException (0x8007203a): The server is not operational.]

and this:

[ActiveDirectoryServerDownException: The server is not operational.]

Along with the FQDN of the read-only domain controller.

Since I am specifying the name of the DC, then shouldn't my request go to that DC? Could this be a DNS routing issue in our LDAP SRV records? I have view-only access to DNS, and I discovered that the read-only DC is referenced in the internal site where the web host resides. Also, those SRV records do not have a priority set. They are all 0. The sys admins insist that there must be a programmatic method for pointing to the primary DC. I have attempted to do so by using roughly 6 variations of my call to PrincipalContext.

I would prefer to stick with the modern API and not resort to writing LDAP strings. On the sys admin side of things, what can be researched or inspected?

On the programmatic side of things, am I directing my request properly? Is there an alternative method or surefire way of avoiding the DC? Perhaps it is up to DNS, but at this point I am uncertain.

Troubleshooting: When I run netstat from the command line on the web host during an LDAP request, I see where an LDAP connection is requested to our two writeable DCs. Afterwards, a request is also sent to the read-only DC and the error is thrown.

Tags: c#, dns, ldap, directoryservices, principalcontext
asked on Stack Overflow Aug 13, 2015 by Gary • edited Aug 14, 2015 by Gary

0 Answers

Nobody has answered this question yet.
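Added example, not code from the question or from any answer on this page: it shows the two pieces the question is asking about in the same managed API the asker wants to keep. First, the AD locator (the same DsGetDcName machinery that consults the site's `_ldap._tcp` SRV records) is asked explicitly for a writable domain controller via `LocatorOptions.WriteableRequired`, which excludes read-only DCs regardless of what the site's SRV records list. Second, `PrincipalContext` is bound with `ContextOptions.ServerBind`, the flag the AccountManagement API documents for the case where the name you pass is a specific server rather than a domain; without it, the name is treated as a domain and the library runs its own DC discovery, which is consistent with the netstat observation of connections to several DCs. The domain name `mydc.local` is taken from the question; the account and group names, and the single retry with `ForceRediscovery` after a server-down error, are assumptions made for the example. Application-pool credentials are used (null user/password), as in the original call.

```csharp
// Added example (not from the original post): bind PrincipalContext to a
// writable domain controller chosen by the AD locator, instead of a name that
// the locator may resolve to a read-only DC behind a firewall.
// Assumptions: domain "mydc.local" (from the question); null credentials use
// the process identity; user/group names are hypothetical.
using System;
using System.DirectoryServices.AccountManagement;
using System.DirectoryServices.ActiveDirectory;

static class WritableDcBinder
{
    // Ask the DC locator for a writable DC in the caller's site.
    // WriteableRequired excludes RODCs; ForceRediscovery ignores the cached
    // result so a previously chosen, unreachable DC is not handed back again.
    public static string FindWritableDcName(string domainName, bool forceRediscovery)
    {
        var ctx = new DirectoryContext(DirectoryContextType.Domain, domainName);
        LocatorOptions flags = LocatorOptions.WriteableRequired;
        if (forceRediscovery)
            flags |= LocatorOptions.ForceRediscovery;

        using (DomainController dc = DomainController.FindOne(ctx, flags))
        {
            return dc.Name; // FQDN of the selected writable DC
        }
    }

    // Bind to exactly this server. ServerBind tells AccountManagement that the
    // name is a server, not a domain, so it does not run its own DC discovery;
    // the flag is only valid together with Negotiate.
    public static PrincipalContext OpenContext(string dcName)
    {
        return new PrincipalContext(
            ContextType.Domain,
            dcName,
            null,
            ContextOptions.Negotiate | ContextOptions.ServerBind);
    }

    // Membership check used to gate the application's secured functionality.
    public static bool IsMemberOf(string domainName, string samAccountName, string groupName)
    {
        string dcName = FindWritableDcName(domainName, forceRediscovery: false);
        try
        {
            return CheckMembership(dcName, samAccountName, groupName);
        }
        catch (Exception ex) when (ex is ActiveDirectoryServerDownException
                                || ex is PrincipalServerDownException)
        {
            // The cached DC could not be reached; make the locator choose again
            // and retry once (assumed policy for this example).
            dcName = FindWritableDcName(domainName, forceRediscovery: true);
            return CheckMembership(dcName, samAccountName, groupName);
        }
    }

    private static bool CheckMembership(string dcName, string samAccountName, string groupName)
    {
        using (PrincipalContext ctx = OpenContext(dcName))
        using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        using (GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, groupName))
        {
            if (user == null || group == null)
                return false;
            return user.IsMemberOf(group);
        }
    }

    static void Main()
    {
        // Hypothetical account and group names.
        bool allowed = IsMemberOf("mydc.local", "jdoe", "App-Admins");
        Console.WriteLine("DC used: " + FindWritableDcName("mydc.local", false));
        Console.WriteLine("jdoe in App-Admins: " + allowed);
    }
}
```

Two practical notes for whoever runs this. On the code side, the value passed to `PrincipalContext` should be a DC host name when `ServerBind` is set; a domain name (the `mydc.local` in the question looks like one) is what causes the locator, not the caller, to pick the server. On the admin side, the DC that the locator would hand to this web host can be checked with `nltest /dsgetdc:mydc.local /writable` on the host itself, and the per-site SRV records it consults live under `_ldap._tcp.<site>._sites.dc._msdcs.mydc.local`; a read-only DC registered in the web host's site with the same priority and weight as the writable ones is a legitimate candidate from the locator's point of view, which is why an application-level constraint such as `WriteableRequired` is the reliable way to avoid it.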


User contributions licensed under CC BY-SA 3.0