User account automation: account is created in site1 OK, but when creating the folders/permissions on


Marlon Brown

An external vendor that is deploying a system to automate account creation
using ADSI claims that the script is failing when accounts he just created
on our main site are used to set up permissions on folders that are on remote
sites (replication to remote sites = 30 minutes).

Therefore he tries to set up folder permissions on file servers that are on
remote sites and at that time the account is not found (replication not
completed) and it fails. If he waits 30 minutes and runs his function to
set up the folder permissions, it works.

What would be the best way to solve this?

I'd say putting a delay of 40 minutes before starting the folder permission
function could be a simple way to avoid problems.
Any other idea? Binding to specific domain controllers that are on the main
site should also do it, right?

Let me know if you can point me to an article about binding to specific DC's
(VB).
 
Your consultant is right.

Creating an account at a specific AD in the remote site would definitely make your
script work in the timeframe of intersite AD replication. To bind to a
specific DC, you need to use notation in the form of

LDAP://servername/ou=...,dc=....

Just put servername in front.

--
Regards

Matjaz Ladava
MVP Windows Server - Directory Services
(e-mail address removed), (e-mail address removed)
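
An added example, not part of the original thread and not the vendor's script: it uses the `LDAP://servername/...` notation from the reply above to create the account on one named DC, then polls a second named DC until the account is visible there, instead of waiting a fixed 40 minutes. The DC names, OU and user name are constructed placeholders.

```vbscript
Option Explicit
' Constructed placeholder names (assumptions, not values from the thread).
Const CREATE_DC  = "dc1.site1.example.com"   ' DC in the main site
Const REMOTE_DC  = "dc1.site3.example.com"   ' DC the permission step will query
Const OU_DN      = "OU=Staff,DC=example,DC=com"
Const USER_CN    = "CN=test1"
Const TIMEOUT_S  = 2400                      ' stop waiting after 40 minutes
Const INTERVAL_S = 60                        ' poll once a minute

' Server-bound ADSI path: LDAP://servername/distinguishedName
Function ServerPath(server, dn)
    ServerPath = "LDAP://" & server & "/" & dn
End Function

' True when the object can be bound on the named DC. Any bind error,
' including an unreachable DC, is treated as "not there yet".
Function ExistsOnDc(server, dn)
    Dim obj
    On Error Resume Next
    Set obj = GetObject(ServerPath(server, dn))
    ExistsOnDc = (Err.Number = 0)
    Err.Clear
    On Error GoTo 0
End Function

' Poll the named DC until the object has replicated or the timeout expires.
Function WaitForReplication(server, dn, timeoutSec, intervalSec)
    Dim waited, found
    waited = 0
    found = ExistsOnDc(server, dn)
    Do While Not found And waited < timeoutSec
        WScript.Sleep intervalSec * 1000
        waited = waited + intervalSec
        found = ExistsOnDc(server, dn)
    Loop
    WaitForReplication = found
End Function

' Create the account on one explicitly named DC (created disabled, no password).
Dim ou, usr
Set ou = GetObject(ServerPath(CREATE_DC, OU_DN))
Set usr = ou.Create("user", USER_CN)
usr.Put "sAMAccountName", "test1"
usr.SetInfo
If WaitForReplication(REMOTE_DC, USER_CN & "," & OU_DN, TIMEOUT_S, INTERVAL_S) Then
    WScript.Echo "Account visible on " & REMOTE_DC & "; set folder permissions now."
Else
    WScript.Echo "Account not visible on " & REMOTE_DC & " within the timeout."
    WScript.Quit 1
End If
```

Run it with `cscript` from a domain-joined machine under an account allowed to create users in the target OU.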
 
Hey, but wait a minute:

Imagine I create a test1 account on site1-DC1. Then I go to
\\removefileserver-that-authenticates-to-dcsite3\c$\home and attempt to
grant permissions to the test1 user there. That works right away, because
the %logonserver% I authenticate to is still the DC1-Site1.

Then, after going to the ServerWhereContractorRunsScript, I see that I did
not specify the Subnet of that server in AD Sites & Services.
Now I assigned that specific server's subnet to authenticate only to Site1
and in theory that should work as long as he always runs the script from that
one server. Does that make sense?
 
If the server is not in any subnets described in AD sites, then other sites
will cover authentication for that server; otherwise the server will locate
its nearest DC. Generally speaking, you should always maintain your sites
configuration aligned with your physical config. What about running the script
remotely? Scripts have this possibility.

--
Regards

Matjaz Ladava
MVP Windows Server - Directory Services
(e-mail address removed), (e-mail address removed)
 
Thanks. I made sure the subnet where the server scripts are executed
authenticates only to my main site - from there scripts are working
accordingly now.
 