Active Directory LDAP 连接使用 System.DirectoryServices - 服务器无法运行

Question

I'm working on an application that uses some kind of single sign on with Active Directory.

On my side, I'm trying to get some groups to see if the user is member of them.

Sometimes, I get the following error:

The server is not operational

The DirectoryEntry object is created like this:

using(DirectoryEntry ldapConnection = new DirectoryEntry(ldapDomain))
{ Path = ldapPath, AuthenticationType = AuthenticationTypes.Secure }

where ldapDomain is xycorp and the ldapPath is

LDAP://OU=someAppId,OU=someGroupName,OU=someClusterName,OU=someResourceName,DC=x,DC=y,DC=corp 

After some analysis with the AD team we find out that the controller was removed from the xycorp domain but for some reason the Domain Controller is still redirecting to it but the server is down. This generates the error message shown above.

My questions are:

• is there any possible retry mechanism or error handling on my side? (The exception is indeed catch now but is thrown further)
• is there a way to tell the domain controller to not use the server anymore from backend code?
• is there a problem with the construction of the DirectoryEntry ? Is it possible to request the "DC" parameters one at a time and to redirect outside the domain...?
• is there any cache on my side for domain controllers?

Thank you!

Answer 1

This is something your administrators need to fix. It sounds like DNS is still advertising the DC that is down. You can confirm this by typing this in the command line:

nslookup x.y.corp

The DNS lookup will show several IPs in a different order each time you do the lookup. Whichever one shows up first is the one that will be used.

If the IP address of the decommissioned DC still shows up in the list, then they need to fix that. Anything you do in code will just be a hack to get around something that shouldn't be happening in the first place.