DirectorySearcher couldn't find some newly created account

Kevin Zheng 1 Reputation point
2021-03-06T15:51:25.58+00:00

We use Windows Server as our domain controller, and for AD redundancy we set up about 4 controllers; we have around 250k accounts in our domain. Our developer team developed a plugin that uses .NET's DirectorySearcher to search user accounts in our domain. The code works fine in most cases.

But sometimes it couldn't find some newly created accounts (not all newly created accounts, and after about 1 day it could find them). Not sure what causes this problem.

This is the script we use to create new accounts.

Import-Module ActiveDirectory

# Enter the file path where your user CSV file is located
$NewUser = Import-Csv "C:\Users\sgodi3adm\desktop\UserID Creation\NewUser.csv"

foreach ($User in $NewUser)
{
    $EmployeeNumber = $User.EmployeeNumber
    $UserID         = $User.UserID
    $FirstName      = $User.FirstName
    $LastName       = $User.LastName
    $Description    = $User.Description
    $EmailAddress   = $User.EmailAddress
    $Telephone      = $User.Telephone
    $ExpirationDate = $User.ExpirationDate
    $JobTitle       = $User.JobTitle
    $RoomNumber     = $User.RoomNumber
    $Password       = $User.Password
    $Company        = $User.Company
    $Department     = $User.Department

    # This section checks to see if the user already exists:
    if (Get-ADUser -Filter "SamAccountName -eq '$UserID'")
    {
        Write-Warning "User $UserID already exists; bypassing"
    }
    else
    {
        # Account creation begins. Note that AccountExpirationDate must be in format MM/DD/YYYY in the csv sheet
        New-ADUser `
            -SamAccountName $UserID `
            -UserPrincipalName "$UserID@ad.uottawa.ca" `
            -Name "$FirstName $LastName" `
            -GivenName $FirstName `
            -Surname $LastName `
            -Enabled $True `
            -ChangePasswordAtLogon $False `
            -DisplayName "$FirstName $LastName" `
            -Department "$Department" `
            -Path "OU=Users,OU=Medicine,OU=Faculties,DC=uottawa,DC=ad,DC=uottawa,DC=ca" `
            -AccountPassword (ConvertTo-SecureString $Password -AsPlainText -Force) `
            -EmployeeID $EmployeeNumber `
            -Description $Description `
            -EmailAddress $EmailAddress `
            -OfficePhone $Telephone `
            -AccountExpirationDate $ExpirationDate `
            -Title $JobTitle `
            -Office $RoomNumber `
            -StreetAddress "451 Smyth Road" `
            -City "Ottawa" `
            -State "Ontario" `
            -PostalCode "K1H8M5" `
            -Country "CA" `
            -Company "Faculty of Medicine, University of Ottawa"

        Add-ADGroupMember -Identity "DFS Users" -Members $UserID
        Add-ADGroupMember -Identity "Medicine Users" -Members $UserID

        Write-Host -ForegroundColor Green "User $UserID has been created!"
    }
}

And this is the C# code we use to search accounts.

using System.DirectoryServices;

internal static SearchResultCollection GetADsObjects(string ADsFilter, string zone)
{
    Credentials credentials = null;   // stays null for an unknown zone, so the guard below actually applies
    string path = "";
    if (zone == "common")
    {
        credentials = GetCreds("AD_common_Z");
        credentials.username += "@uottawa.ad.uottawa.ca";
        path = "LDAP://uottawa.ad.uottawa.ca/";
    }
    else if (zone == "trusted")
    {
        credentials = GetCreds("AD_trust_Z");
        credentials.username += "@uottawa.o.univ";
        path = "LDAP://uottawa.o.univ/";
    }

    if (credentials != null)
    {
        // "LDAP://<domain>/" leaves the choice of domain controller to the DC locator.
        string rootDN;
        using (DirectoryEntry rootDSE = new DirectoryEntry(path + "rootDSE", credentials.username, credentials.password, AuthenticationTypes.Secure))
        {
            rootDN = (string)rootDSE.Properties["defaultNamingContext"].Value;
        }
        DirectoryEntry searchRoot = new DirectoryEntry(path + rootDN, credentials.username, credentials.password, AuthenticationTypes.Secure);
        DirectorySearcher searcher = new DirectorySearcher(searchRoot);
        searcher.SearchScope = SearchScope.Subtree;
        searcher.ReferralChasing = ReferralChasingOption.All;
        searcher.PropertiesToLoad.AddRange(new string[] { "sAMAccountName" });
        searcher.Filter = "(&(|(ObjectClass=User)(ObjectClass=Person))(" + ADsFilter + "))";
        searcher.Sort = new SortOption("CN", SortDirection.Descending);
        return searcher.FindAll();   // caller must Dispose() the returned collection
    }
    else
        return null;
}

Thanks for any kind of help.


2 answers

  1. Alberto Poblacion 1,556 Reputation points
    2021-03-06T18:47:13.827+00:00

    [...] sometimes it couldn't find some newly created accounts (not all newly created accounts, but after about 1 day it could find them)

    Most likely it is due to replication between your 4 domain controllers.
    When you create the account, it is created in one of the controllers, but then it takes some time until it is replicated to the others.
    When your program runs, it connects to one of the controllers, which sometimes will not be the one where the account is created. If it connects to a different controller but the account has not yet been replicated there, it will tell you that it does not exist.


  2. Fan Fan 15,306 Reputation points Microsoft Vendor
    2021-03-08T02:01:31.677+00:00

    Hi,
    As Alberto Poblacion mentioned, if it happens only sometimes, it may be caused by replication.
    You may try to check the result after checking the replication status.
    I would suggest forcing replication after the new user creation in your domain, and then checking the result with the code.
    Command: Repadmin /syncall /APeD

    Best Regards,
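As an added example (not code from the question or from either answer), a helper that pins each query to a single domain controller and reports on which of the domain's DCs the new account is already visible, which is the replication check both answers point to before trusting the searcher's result; it also escapes the caller-supplied value before placing it in the filter, which the question's concatenation of ADsFilter does not. The class and method names are mine, and domainFqdn, sam, user and pass are assumed to be supplied by the caller.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;

internal static class ReplicationCheck
{
    // RFC 4515 escaping, so a caller-supplied value cannot change the shape of the LDAP filter.
    // The backslash is replaced first so the escapes added afterwards are not re-escaped.
    internal static string EscapeFilterValue(string value) =>
        value.Replace("\\", @"\5c").Replace("*", @"\2a").Replace("(", @"\28").Replace(")", @"\29").Replace("\0", @"\00");

    // Queries every DC of the domain one by one and records whether the account is visible there.
    // A mix of true and false across DCs means replication of the new object is still in progress.
    internal static Dictionary<string, bool> FindOnEachDc(string domainFqdn, string sam, string user, string pass)
    {
        var seen = new Dictionary<string, bool>(StringComparer.OrdinalIgnoreCase);
        string filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" + EscapeFilterValue(sam) + "))";
        var ctx = new DirectoryContext(DirectoryContextType.Domain, domainFqdn, user, pass);
        using (Domain domain = Domain.GetDomain(ctx))
        {
            foreach (DomainController dc in domain.DomainControllers)
            {
                // "LDAP://<dc>/..." binds to this specific DC; "LDAP://<domain>/" lets the locator pick any DC.
                string path = "LDAP://" + dc.Name + "/";
                using (var rootDse = new DirectoryEntry(path + "rootDSE", user, pass, AuthenticationTypes.Secure))
                using (var root = new DirectoryEntry(path + rootDse.Properties["defaultNamingContext"].Value, user, pass, AuthenticationTypes.Secure))
                using (var searcher = new DirectorySearcher(root, filter, new[] { "sAMAccountName" }, SearchScope.Subtree))
                {
                    searcher.ReferralChasing = ReferralChasingOption.None; // never silently hop to another DC
                    seen[dc.Name] = searcher.FindOne() != null;
                }
            }
        }
        return seen;
    }
}
```

Run it right after New-ADUser: if the account shows up on only one DC, the plugin's "not found" comes from the locator handing it a DC that has not replicated yet, and a forced sync (or pinning the plugin to the DC used for creation) closes that window.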