Security groups, ntfs access lists and active directory synchroniz

Hello,

our windows service has to create an OU for teams, a sub OU for _groups and
create default security groups within this _groups OU for user and management.

Next step is to create a few directories on a file server and assign some
rights to these directories to the mentioned user-group.

This works fine, if the %logonserver% is the same as the domain controller
which was used to create the groups in active directory or if there was
enough time for active directory replication between group creation and ntfs
acl assignment.
Otherwise a wellknown error will break the workflow:

Some or all identity references could not be translated

The question is, how can I force the windows service to use the same domain
controller to resolve names to SID in order to use them with ACLs, as I used
to create the group?

We have location based domain controllers, so we need to directly connect
the domain controller which is responsible for a given region, but the
windows service is always located at the same location - lets say Berlin. The
machine in Berlin is allways connected to a domain controller in Berlin, but
if we need to create a security group in Munich, we would create them there.
But it takes some time before the group can be used in Berlin in order to
create the File Access Rights.

Any ideas how to solve this without being forced to install the same service
at each location?

Best regards
Michael

Always use the SecurityIdentifier version of the IdentityReference when
setting the ACLs on the file server. The ACL code is failing because it
cannot convert the NTName to a SID, so if you just start with the SID you
avoid this problem (and get better perf).

You can get the SID of the security principal from AD by reading the
objectSid attribute via LDAP and converting that to a byte[] (which you then
pass to the SecurityIdentifier constructor).

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Michael Mueller" <MichaelMueller (AT) discussions (DOT) microsoft.com> wrote in
message news8CC4F5B-E40E-4D7B-BA71-763178D599C0 (AT) microsoft (DOT) com...

Quote:

Hello,

our windows service has to create an OU for teams, a sub OU for _groups
and
create default security groups within this _groups OU for user and
management.

Next step is to create a few directories on a file server and assign some
rights to these directories to the mentioned user-group.

This works fine, if the %logonserver% is the same as the domain controller
which was used to create the groups in active directory or if there was
enough time for active directory replication between group creation and
ntfs
acl assignment.
Otherwise a wellknown error will break the workflow:

Some or all identity references could not be translated

The question is, how can I force the windows service to use the same
domain
controller to resolve names to SID in order to use them with ACLs, as I
used
to create the group?

We have location based domain controllers, so we need to directly connect
the domain controller which is responsible for a given region, but the
windows service is always located at the same location - lets say Berlin.
The
machine in Berlin is allways connected to a domain controller in Berlin,
but
if we need to create a security group in Munich, we would create them
there.
But it takes some time before the group can be used in Berlin in order to
create the File Access Rights.

Any ideas how to solve this without being forced to install the same
service
at each location?

Best regards
Michael

This sounds like a good solution for my problem. It will take a few weeks
until I come back to this project, but I am going to implement it that way.

Thank you

Michael

"Joe Kaplan" wrote:

Quote:

Always use the SecurityIdentifier version of the IdentityReference when
setting the ACLs on the file server. The ACL code is failing because it
cannot convert the NTName to a SID, so if you just start with the SID you
avoid this problem (and get better perf).

You can get the SID of the security principal from AD by reading the
objectSid attribute via LDAP and converting that to a byte[] (which you then
pass to the SecurityIdentifier constructor).

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Michael Mueller" <MichaelMueller (AT) discussions (DOT) microsoft.com> wrote in
message news8CC4F5B-E40E-4D7B-BA71-763178D599C0 (AT) microsoft (DOT) com...
Hello,

our windows service has to create an OU for teams, a sub OU for _groups
and
create default security groups within this _groups OU for user and
management.

Next step is to create a few directories on a file server and assign some
rights to these directories to the mentioned user-group.

This works fine, if the %logonserver% is the same as the domain controller
which was used to create the groups in active directory or if there was
enough time for active directory replication between group creation and
ntfs
acl assignment.
Otherwise a wellknown error will break the workflow:

Some or all identity references could not be translated

The question is, how can I force the windows service to use the same
domain
controller to resolve names to SID in order to use them with ACLs, as I
used
to create the group?

We have location based domain controllers, so we need to directly connect
the domain controller which is responsible for a given region, but the
windows service is always located at the same location - lets say Berlin.
The
machine in Berlin is allways connected to a domain controller in Berlin,
but
if we need to create a security group in Munich, we would create them
there.
But it takes some time before the group can be used in Berlin in order to
create the File Access Rights.

Any ideas how to solve this without being forced to install the same
service
at each location?

Best regards
Michael