I have a Forest with two DCs and a child domain with an Exchange Server
and two DCs.
An application checks if a user has read/write privileges to the
Exchange Information Store and if not adds the security descriptor. If
I immediately recheck the security descriptor the privilege is still
missing. After a minute or so it appears.
In order to locate the DC I use:
::DsGetDcName(szExchangeServer, NULL, NULL, NULL, 0, &domainControllerInfo);
strDomain = domainControllerInfo->DomainName;
I then bind to the rootDSE using: LDAP://"strDomain"/rootDSE
Read the configurationNamingContext which I then use as the root of a
search with a filter of objectClass=m***chExchangeServer, returning
ADsPath.
I open ADsPath get the nTSecurityDescriptor and add an ACE for the
user.
I reopen the ADsPath and check the nTSecurityDescriptor to find the
ACE is absent.
Looking at a Wireshark trace I can see that I am talking to the child
domain DC, which is what was returned in
domainControllerInfo->DomainName, but when the LDAP command to save the
new security descriptor is sent the DC replies with a referral to the
Forest DC and the command is resubmitted - this is all "under the hood".
Consequently the child DC doesn't know about the update until the
Forest DC replicates.
This is a long-winded way of asking how I can determine which DC will
receive the referral from the child DC so that I can conduct my dialog
with it from the outset, thus eliminating the delay waiting for
replication.
Brian