can't connect to AD without specifically connecting to a DC

一世执手 submitted on 2019-12-11 06:37:21

Question


I'm trying to bind to an Active Directory server in C# but on-site I seem to have issues not reproducible in the test environment.

I'm getting an Exception

System.Runtime.InteropServices.COMException (0x8007203A): The server is not operational.
   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.RefreshCache()
   at System.DirectoryServices.DirectoryEntry.FillCache(String propertyName)
   at System.DirectoryServices.DirectoryEntry.get_NativeGuid()  

The code looks like this:

// domainStr = "LDAP://domainname/rootDSE"
using (var de = new DirectoryEntry(domainStr, Username, Password))
{
    var guid = de.NativeGuid;
}

However, if I try to connect to the Domain Controller instead (domainStr = "LDAP://domainController/rootDSE" or fully qualified domainStr = "LDAP://domainController.DomainName") it works just fine.

I tried:

var d = Domain.GetDomain(new DirectoryContext(
            DirectoryContextType.Domain,
            domainStr,
            Username,
            Password));

but I get the exact same Exception when doing that.

I'm wondering if I'm doing something wrong, maybe a different LDAP URL would work better, or if that's a common problem I'm having (even though Google searches bring up that problem, I haven't found a solution that works for me).

Also, it might be worth pointing out that the server the software is running on is not in any Active Directory, and I have a list of ADs that I connect to (hence the username and password when trying to connect).


Answer 1:


It's because the DNS server doesn't have an A record for the domain. The DNS server doesn't know what IP address to resolve to when you pass a domain name to it. Normally, you don't have this problem because by default the MS Windows built-in DNS server would add this A record for you. However, in large enterprises they are very often not using the MS Windows built-in DNS server. In many cases, people just don't bother to add an A record for the domain name.

If possible, you can ask your customer to add an A record to the DNS server. Alternatively, ask your customer to fix up the c:\windows\system32\drivers\etc\hosts file and add an A record there. You can just make it point to any one of the domain controllers. However, this approach does not scale, because users in different sites are all going to resolve the domain name to the same IP address. Some remote site users may experience slowness issues.

If you also want to solve the scalability issue, you can consider impersonating the user instead of passing the username and password into the DirectoryEntry. Once you impersonate a domain user, you can use server-less binding like this: LDAP://RootDSE.
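An added example, not code from the question or the answer, showing how a non-domain-joined client can bind by domain name first and fall back to an explicit list of domain controllers when the domain name has no A record. The 0x8007203A HRESULT is the one from the stack trace above; the DC host list, username and password are assumed inputs, and the Secure | Sealing flags are used so the credentials and traffic are not sent in the clear.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Net;
using System.Net.Sockets;
using System.Runtime.InteropServices;

static class AdBind
{
    // HRESULT seen in the question's stack trace ("The server is not operational").
    const int ServerNotOperational = unchecked((int)0x8007203A);

    // Tries LDAP://<domain>/rootDSE first (works when DNS has an A record for the
    // domain), then each known DC. Returns the bound entry; caller disposes it.
    public static DirectoryEntry BindRootDse(string domain, string[] dcHosts,
                                             string user, string pass)
    {
        var candidates = new List<string> { domain };
        foreach (var dc in dcHosts)                       // assumed list of DC names
            candidates.Add(dc.Contains(".") ? dc : dc + "." + domain);

        foreach (var host in candidates)
        {
            var de = new DirectoryEntry("LDAP://" + host + "/rootDSE", user, pass,
                                        AuthenticationTypes.Secure | AuthenticationTypes.Sealing);
            try
            {
                de.RefreshCache();                        // forces the actual bind
                return de;
            }
            catch (COMException ex) when (ex.ErrorCode == ServerNotOperational)
            {
                de.Dispose();
                Console.WriteLine("{0}: {1}", host, Describe(host));
            }
        }
        throw new InvalidOperationException("No domain controller reachable for " + domain);
    }

    // Separates "name does not resolve" (the missing A record case from the answer)
    // from "resolves but LDAP bind still failed" (firewall, wrong host, etc.).
    static string Describe(string host)
    {
        try
        {
            var addrs = Dns.GetHostAddresses(host);
            return "resolves to " + string.Join(", ", Array.ConvertAll(addrs, a => a.ToString()))
                 + " but LDAP bind failed";
        }
        catch (SocketException)
        {
            return "does not resolve in DNS (no A record)";
        }
    }
}
```

The diagnostic output tells you whether to ask for the DNS fix the answer describes or to look at connectivity to the DC instead.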



Source: https://stackoverflow.com/questions/5374773/cant-connect-to-ad-without-specifically-connecting-to-a-dc
