Is Active Directory transaction-aware?

2

17

Simple question but I can't find the answer anywhere: is Active Directory transaction-aware?

In other words, will the following change be rolled back (since I didn't call scope.Complete()):

using (var scope = new TransactionScope())
{
    DirectoryEntry entry = ...;
    entry.Properties["givenName"].Value = "New Given Name";
    entry.CommitChanges();
}

If not, is it possible to enable this somehow? Right now I have code that performs database updates and corresponding AD updates and I have compensating logic for the AD updates if they somehow fail. This solution is far from optimal.

Kind regards, Ronald Wildenberg

Roberson answered 7/8, 2009 at 14:19 Comment(2)
Why can't you test it yourself? I cannot find any clear docs on whether or not AD is transaction-aware - I would think (and hope!) so! LDAP in general appears to be transaction-aware, at least. - Romaine
At the moment I'm working on a machine that is not joined to a domain... That should be fixed today, so then I'll perform some tests. It's strange, however, that there doesn't seem to be any documentation on this topic. - Roberson
11

Short answer is - no. ActiveDirectory is essentially an LDAP implementation (with some fancy extensions but at its core it is still LDAP). Neither the LDAP protocols nor the specs have the concept of transactions so this really isn't possible.

It would be possible to emulate transactions on the client side but you'd have to do that yourself or use Spring which, I believe, will do that for you - obviously this is not as safe as server side transactions that you'd expect from a DB. A note on Spring - I'm not completely sure that Spring.NET supports 'transactions' for LDAP yet but they have something like that in the Java implementation of Spring. It might be worth a look.

From reading the docs on the CommitChanges method it just says that it sends your changes to the server - if it doesn't make a point of saying that they are transaction safe I would assume that they're not.

Some random thoughts - I guess it would be possible that Microsoft could add something like this onto ActiveDirectory (as it is more than just LDAP) but they probably won't if they haven't yet.

Sherilyn answered 10/8, 2009 at 15:50 Comment(2)
I finally had the time and opportunity to do a small test and AD is not transactional. However, I can't find any documentation on Spring offering transaction support for LDAP resources. Are you sure they implement this? When the underlying resource (Active Directory for instance) is not transaction-aware, the only option you're left with is to wrap the (entire) API of the resource with a transaction-aware API and respond correctly to commits and rollback yourself. It doesn't really matter whether it's Java (JNDI) or C# (System.DirectoryServices) but this is the only way I know of. - Roberson
Have a look at this: springsource.org/ldap I've not used it myself but that is what I was talking about. It says 'Spring LDAP provides transaction support' but my impression is that it is, as you say, a wrapper over the whole LDAP API that keeps track of failures etc and tries to rollback, replay etc. - Sherilyn
1

No. LDAP doesn't directly support transactions; however, it is possible to 'roll your own' solution by writing an enlistment class that implements the IEnlistmentNotification interface. IEnlistmentNotification works with both explicit and implicit transactions in the System.Transactions namespace.

You can find more documentation (and an example) here: https://msdn.microsoft.com/en-us/library/system.transactions.ienlistmentnotification(v=vs.110).aspx

Pontefract answered 7/1, 2017 at 18:16 Comment(0)
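
The enlistment approach described in this answer, as an added example that is not part of the original post or the linked MSDN sample. `CompensatingEnlistment` and `SetAttribute` are hypothetical names, and an in-memory dictionary stands in for the `DirectoryEntry` so the code runs without a domain.

```csharp
using System;
using System.Collections.Generic;
using System.Transactions;

// Hypothetical helper: runs an undo action if the ambient transaction rolls back.
sealed class CompensatingEnlistment : IEnlistmentNotification
{
    private readonly Action _undo;
    public CompensatingEnlistment(Action undo) { _undo = undo; }
    // Nothing to prepare: the directory write has already been sent.
    public void Prepare(PreparingEnlistment e) { e.Prepared(); }
    public void Commit(Enlistment e) { e.Done(); }
    public void InDoubt(Enlistment e) { e.Done(); }

    public void Rollback(Enlistment e)
    {
        // Best effort: the compensating write can itself fail, so surface it.
        try { _undo(); }
        catch (Exception ex) { Console.Error.WriteLine("Compensation failed: " + ex.Message); }
        finally { e.Done(); }
    }
}

static class Demo
{
    // Constructed stand-in for a DirectoryEntry's attributes.
    static readonly Dictionary<string, string> Entry = new Dictionary<string, string> { ["givenName"] = "Old Given Name" };

    static void SetAttribute(string name, string value)
    {
        string previous = Entry[name];
        // Enlist before writing so a rollback restores the previous value.
        // With no ambient transaction (Current is null) this is a plain write.
        Transaction.Current?.EnlistVolatile(
            new CompensatingEnlistment(() => Entry[name] = previous),
            EnlistmentOptions.None);
        Entry[name] = value;   // with AD: set the property, then CommitChanges()
    }

    static void Main()
    {
        using (var scope = new TransactionScope())
        {
            SetAttribute("givenName", "New Given Name");
            Console.WriteLine("inside scope: " + Entry["givenName"]);
            // scope.Complete() is not called, so Rollback runs on dispose.
        }
        Console.WriteLine("after scope:  " + Entry["givenName"]);
    }
}
```

This is compensation, not isolation: other directory clients can read the new value before the rollback runs, and the undo write can fail, so failed compensations need to be logged and reconciled.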
