Active Directory (AD DS) has a concept of ‘read-only domain controllers’ (RODC). Probably for backward compatibility, the default is that read-only domain controllers are ignored: you have to specify explicitly that you allow connecting to a read-only domain controller.
In our C# code we see that at two places. One is when creating a new System.DirectoryServices.DirectoryEntry: there the problem is easily solved by setting the System.DirectoryServices.AuthenticationTypes.ReadonlyServer flag, which allows an RODC to be used.
My question is how to achieve the same thing for code like the following, which uses classes from the System.DirectoryServices.AccountManagement namespace:
using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain))
using (UserPrincipal userPrincipal = UserPrincipal.FindByIdentity(
ctx,
IdentityType.SamAccountName,
...))
{
// ...
}
since we observed that this code ignores any read-only domain controllers.
(Note that the above is exactly the same question as posted at the MSDN “Visual C# General” forum in a thread entitled “Issue connecting to read-only domain controller (RODC) from C# application through System.DirectoryServices.AccountManagement”.)
Most likely what happened was this was over looked as this functionality doesn’t exist. If it wasn’t over looked then it was intentional, as a RODC wouldn’t allow you to do many of the methods that exist on a
UserPrincipal(eg ChangePassword, Delete, etc). I would imagine that to solve this problem, Microsoft would have to create a newReadOnlyUserPrincipal. More importantly, why would it make sense to instantiate anything in theSystem.DirectoryServices.AccountManagementnamespace as read only as the namespace appears to be more than a read only service (for lack of a better term), unless a read-only version didn’t exist (which is the case). Hence, using a non-read only sevice and pointing it to a read only source doesn’t work.