不能连接到AD而不专门连接到直流 [英] can't connect to AD without specifically connecting to a DC

问题描述

我想绑定到Active Directory服务器在C＃中，但在现场我似乎有问题，在测试环境中不能再现。

I'm trying to bind to an Active Directory server in C# but on-site I seem to have issues not reproducible in the test environment.

我发现了一个异常

System.Runtime.InteropServices.COMException (0x8007203A): The server is not operational.
   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.RefreshCache()
   at System.DirectoryServices.DirectoryEntry.FillCache(String propertyName)
   at System.DirectoryServices.DirectoryEntry.get_NativeGuid()  

在code看起来像这样

the code looks like this

// domainStr = "LDAP://domainname/rootDSE
using (var de = new DirectoryEntry(domainStr, Username, Password))
{
    var guid = de.NativeGuid;
}

但是，如果我尝试连接的域控制器，而不是（ domainStr =LDAP：// domainController /的RootDSE或完全合格的 domainStr = LDAP：//domainController.DomainName）只是正常工作

however if I try to connect the the Domain Controller instead (domainStr = "LDAP://domainController/rootDSE" or fully qualified domainStr = "LDAP://domainController.DomainName") it works just fine.

我试过

var d = Domain.GetDomain(new DirectoryContext(
            DirectoryContextType.Domain,
            domainStr,
            Username,
            Password));

但我得到的时候这样做完全一样的异常。

but I get the exact same Exception when doing that.

我想知道如果我做错了什么，也许不同的LDAP URL会更好地工作，或者如果这是我在（即使谷歌搜索带来了这个问题的一个共同的问题，我还没有找到一个解决方案，对我的作品）

I'm wondering if I'm doing something wrong, maybe a different LDAP URL would work better or if that's a common problem I'm having (even though google searches bring up that problem I haven't found a solution that works for me)

此外，它可能是值得指出的是，该软件运行在服务器上没有任何Active Directory和我有我连接到（因此用户名和密码尝试连接时）广告列表

Also it might be worth pointing out that the server the software is running on is not in any Active Directory and I have a list of ADs that I connect to (hence the username and password when trying to connect)

推荐答案

这是因为DNS服务器没有域的A记录。 DNS服务器不知道IP地址，解决当你通过一个域名给它。通常情况下，你没有这个问题，因为默认情况下，MS Windows自带的DNS服务器，将增加这方面的一个记录你。然而，在大型企业，很多时候，他们没有使用MS Windows自带的DNS服务器。在许多情况下，人们只是不打扰到A记录添加到域名。

It's because the DNS server doesn't have an A record for the domain. The DNS server doesn't know what IP address to resolve to when you pass a domain name to it. Normally, you don't have this problem because by default the MS Windows built-in DNS server would add this A record for you. However, in large enterprise, very often, they are not using MS Windows built-in DNS server. In many cases, people just don't bother to add an A record to the domain name.

如果可能的话，你可以问你的客户一个A记录添加到DNS服务器。另外，问你的客户解决了C：\ WINDOWS \ SYSTEM32 \ DRIVERS \ ETC \ hosts文件。然后，有添加一条A记录。你可以只是使它指向域控制器中的任何一个。然而，这种方法不能扩展，因为用户在不同的地点都去解析域名，以相同的IP地址。对于一些远程站点的用户，他们可能会遇到缓慢的问题。

If possible, you can ask your customer to add an A record to the DNS server. Alternatively, ask you customer to fix up the c:\windows\system32\drivers\etc\hosts file. Then, add an A record there. You can just make it point to any one of the domain controller. However, this approach does not scale because user in different sites are all going to resolve the domain name to the same IP address. To some remote site users, they may experience slowness issue.

如果您也想解决可扩展性问题，可以考虑冒充合格的用户名密码进入的DirectoryEntry 的用户来代替。一旦您模拟域用户，您可以使用服务器少这样的 LDAP绑定：// RootDSE的

If you also want to solve the scalability issue, you can consider to impersonate the user instead of passing the username password into the DirectoryEntry. Once you impersonate a domain user, you can use server-less binding like this LDAP://RootDSE.

这篇关于不能连接到AD而不专门连接到直流的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！