
We are dealing with a chained provisioning request, the goal being to create successively an AD account and an AD LDS userProxy account associated with the just created AD account.

The AD account SID is retrieved just after creation and given in AD LDS userProxy account creation input. Unfortunately, the userProxy account creation fails given that the SID validity is checked against a different DC than the one referenced for AD account creation.

Is there any way to disable the validity check and force a (not yet known on AD LDS side) SID value in the userProxy creation?

If not, what is the preferred way to deal with this kind of problem? Without a clue about the DC being queried by the AD LDS for the SID check, waiting a certain time (for DC replication) does not seem very reliable (how much time?) and lengthens the process duration. Restricting the DC (if it is even possible) on which the AD LDS SID check is performed seems too restrictive for the AD LDS admin guys.

lledr
  • Can you force replication (in your script) between the two DCs after you create the account, but before the validity check? Seems like the easiest solution to me. – HopelessN00b Jun 24 '14 at 17:20
  • If I knew the DC used by AD LDS for check, I would rather create the AD account on this one. Is there a way to question the AD LDS for this info? – lledr Jun 25 '14 at 20:23
  • My AD LDS is weak - I know if it were "full" LDAP, it would be trivial to control or determine which DC these operations were run against, but I don't know what LDS supports with regards to specifying DCs. – HopelessN00b Jun 25 '14 at 20:29

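As an added example (not code from the asker or the commenters), this is the chained provisioning flow with the replication step suggested in the comments, in PowerShell with the ActiveDirectory module; the DC, AD LDS host:port, partition DN and account name are placeholders, and it assumes the module can reach both the domain and the AD LDS instance.

```powershell
# Added example: pin AD account creation to one DC, push the new object to the
# other DCs so the SID is known everywhere, then create the AD LDS userProxy.
Import-Module ActiveDirectory

$SourceDc  = 'dc01.corp.example'           # placeholder: DC used for the AD account
$LdsServer = 'ldshost.corp.example:50000'  # placeholder: AD LDS instance host:port
$LdsPath   = 'CN=Users,DC=app,DC=local'    # placeholder: AD LDS application partition
$Sam       = 'jdoe'                        # placeholder account name

# 1. Create the AD account on one known DC and read its SID back from that same DC,
#    so the value cannot come from a replica that does not have the object yet.
New-ADUser -Name $Sam -SamAccountName $Sam -Server $SourceDc -Enabled $false
$adUser = Get-ADUser -Identity $Sam -Server $SourceDc
$sid    = $adUser.SID    # System.Security.Principal.SecurityIdentifier

# 2. Replicate just this object to every other DC instead of waiting for the
#    scheduled replication interval (the commenters' suggestion).
Get-ADDomainController -Filter * |
    Where-Object { $_.HostName -ne $SourceDc } |
    ForEach-Object {
        Sync-ADObject -Object $adUser.DistinguishedName -Source $SourceDc -Destination $_.HostName
    }

# 3. userProxy stores objectSid as raw bytes, not the "S-1-5-..." string.
$sidBytes = New-Object byte[] $sid.BinaryLength
$sid.GetBinaryForm($sidBytes, 0)

# 4. Create the userProxy in AD LDS. Retry a few times: the DC that AD LDS
#    resolves the SID against is unknown, so the change may not have landed yet.
$attempt = 0
do {
    try {
        New-ADObject -Name $Sam -Type userProxy -Path $LdsPath -Server $LdsServer `
            -OtherAttributes @{ objectSid = $sidBytes } -ErrorAction Stop
        break
    } catch {
        if (++$attempt -ge 5) { throw }   # give up after 5 attempts (~1 minute)
        Start-Sleep -Seconds 15
    }
} while ($true)
```

Running the replication step needs replication rights on the target DCs, which is usually a domain admin or a delegated account rather than the provisioning service itself.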