Setting ACL permissions after creating user with DC replication lag possible?


I'm creating a user programmatically, which works just fine. Right after, I create the user's home directory and set the permissions for

domain\domain admins domain\newlycreateduser

I believe the problem I'm running into is

1) When I run the program from the headquarters building the user is being added to the correct DC but is then being read by a different DC.

2) There is replication lag and so the user cannot be found and I get an IdentityNotMappedException (since it can't find the user to translate)

I'm authenticating my DirectoryEntries as follows, using the same DC across all domains so that it will pick the right DC for Germany, the Netherlands, Austria, etc., depending on which DC I am creating the user on.

' Bind to one named writable DC; the server name and OU path are the ones used for every domain
Dim dirEntry As New DirectoryEntry()
dirEntry.Path = "LDAP://000DC01-XX.ad.company.com/OU=Users,DC=XX,DC=ad,DC=company,DC=com"
dirEntry.Username = XX & "\Domain-Admin"
dirEntry.Password = "password"

This works fine and I can create users and directories on all writable DCs I specify.

Then I try to set the ACL rules and create the directory (where Item is a ListViewDataItem):

Dim securityRules As DirectorySecurity = New DirectorySecurity()

' Rule 1: full control on the folder and subfolders (container inherit)
securityRules.AddAccessRule(New FileSystemAccessRule(XX & "\" & Item("SamAccountName").ToString, FileSystemRights.FullControl, InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow))

' Rule 2: full control on files below the folder (object inherit, inherit-only)
securityRules.AddAccessRule(New FileSystemAccessRule(XX & "\" & Item("SamAccountName").ToString, FileSystemRights.FullControl, InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly, AccessControlType.Allow))

I've tried, as suggested, reading the SID of the created user and using that instead of the account name but that didn't work, same translation error. Perhaps I did not do the translation correctly, I don't know... it did give me an SID when I queried the user but I read it as a string.

As a minor workaround, I can create the user on 000DC01 (the one I'm using for all directory entries) and also on 199DC01 (which is probably the one the DirectorySecurity is trying to read from); then I don't get an error and the ACL goes through like it should.

So if anyone has any ideas of what I can do to either properly avoid SID translation or somehow authenticate to a specific DC for the DirectorySecurity to look at, I would very much appreciate it. Please be aware that I consider myself a novice/intermediate programmer.

Thanks!

Update: so I have found that it takes about 10-15 minutes to replicate between two GC DCs.

Is there a way to keep everything confined to only 1 DC, regardless of which DC my computer is connected to?
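One way to sidestep the name-to-SID translation entirely, shown here as an added example and not the asker's code: read objectSid back from the same DC that created the user, wrap it in a SecurityIdentifier, and pass SecurityIdentifier objects (not NTAccount names) to FileSystemAccessRule. The file server stores the SID in the ACE as-is and never has to resolve it through a DC, so replication lag cannot produce IdentityNotMappedException at that step. The DC host, OU path, credentials, account name and the HOMESHARE server below are placeholders, not values from the question.

```vbnet
Imports System.DirectoryServices
Imports System.IO
Imports System.Security.AccessControl
Imports System.Security.Principal

' Added example (not the asker's code). The DC name, OU path, credentials,
' account name and the \\HOMESHARE file server are placeholders.
Module HomeDirectoryAcl

    ' Creates the user on ONE named DC and returns its objectSid as a
    ' SecurityIdentifier, read back from that same DC so no other DC is consulted.
    Function CreateUserAndReadSid(dcHost As String, ouPath As String,
                                  adminUser As String, adminPassword As String,
                                  samAccountName As String) As SecurityIdentifier
        Dim ou As New DirectoryEntry("LDAP://" & dcHost & "/" & ouPath, adminUser, adminPassword)
        Dim user As DirectoryEntry = ou.Children.Add("CN=" & samAccountName, "user")
        user.Properties("sAMAccountName").Value = samAccountName
        user.CommitChanges()

        ' objectSid is assigned by the DC on commit; RefreshCache pulls it back
        ' from the same DC we just wrote to, as a byte array rather than a string.
        user.RefreshCache(New String() {"objectSid"})
        Dim sidBytes As Byte() = CType(user.Properties("objectSid").Value, Byte())
        Return New SecurityIdentifier(sidBytes, 0)
    End Function

    ' Builds the home-directory ACL purely from SIDs. Nothing here asks any DC
    ' to translate a name, so the ACE can be written while replication is pending.
    Function BuildHomeDirectorySecurity(userSid As SecurityIdentifier,
                                        domainAdminsSid As SecurityIdentifier) As DirectorySecurity
        Dim security As New DirectorySecurity()
        ' Stop inheriting from the parent share so only the explicit rules below apply.
        security.SetAccessRuleProtection(True, False)

        ' Full control on the folder, subfolders and files (one rule covers both).
        security.AddAccessRule(New FileSystemAccessRule(userSid, FileSystemRights.FullControl,
            InheritanceFlags.ContainerInherit Or InheritanceFlags.ObjectInherit,
            PropagationFlags.None, AccessControlType.Allow))
        security.AddAccessRule(New FileSystemAccessRule(domainAdminsSid, FileSystemRights.FullControl,
            InheritanceFlags.ContainerInherit Or InheritanceFlags.ObjectInherit,
            PropagationFlags.None, AccessControlType.Allow))
        Return security
    End Function

    Sub Main()
        Dim userSid As SecurityIdentifier = CreateUserAndReadSid(
            "000DC01-XX.ad.company.com", "OU=Users,DC=XX,DC=ad,DC=company,DC=com",
            "XX\Domain-Admin", "password", "newlycreateduser")

        ' Domain Admins is a well-known RID under the domain SID, so it too can be
        ' built from the user's own SID without a name lookup against any DC.
        Dim domainSid As SecurityIdentifier = userSid.AccountDomainSid
        Dim domainAdminsSid As New SecurityIdentifier(WellKnownSidType.AccountDomainAdminsSid, domainSid)

        ' Create the home directory with the SID-based ACL applied atomically.
        Dim homePath As String = "\\HOMESHARE\home$\newlycreateduser"
        Directory.CreateDirectory(homePath, BuildHomeDirectorySecurity(userSid, domainAdminsSid))
    End Sub
End Module
```

Because the ACE carries only the SID, the folder's security tab may show the raw S-1-5-21-... value until the user has replicated to the DC that the file server's LSA queries; the permission itself is already effective. If you later need a display name, defer the NTAccount translation rather than the ACL write, and bind that lookup to the same DC that created the user.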
