Implementing Active Directory Change Notifications in .NET

Question

I am trying to get change notifications from active directory, so that I can update data in database if anythinghanges in my AD. I searched and found a good example by Ryan Dunn.

I tried implementing his code. The application starts without any errors but it is not generating me any notification. Can someone help me out?

My domain is corp.am2k8vm.com on win 2008 server machine and i have few users on active directory for testing purposes.

using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.DirectoryServices;
namespace ChangeNotifications
{
    class Program
    {
        static void Main(string[] args)
        {
            using (LdapConnection connect = CreateConnection("192.168.182.209"))                //can also use localhost
            {
                using (ChangeNotifier notifier = new ChangeNotifier(connect))
                {
                    //register some objects for notifications (limit 5)
                    notifier.Register("dc=am2k8vm,dc=com", SearchScope.OneLevel);                     //not sure if the parameters are correct here as i am new to active directory stuff
                    notifier.Register("cn=Andy Main,ou=users,dc=am2k8vm,dc=com", SearchScope.Base); //not sure if the parameters are correct here as i am new to active directory stuff
                    notifier.ObjectChanged += new EventHandler<ObjectChangedEventArgs>(notifier_ObjectChanged);
                    Console.WriteLine("Waiting for changes...");
                    Console.WriteLine();
                    Console.ReadLine();
                }
            }
        }
        static void notifier_ObjectChanged(object sender, ObjectChangedEventArgs e)
        {
            Console.WriteLine(e.Result.DistinguishedName);
            foreach (string attrib in e.Result.Attributes.AttributeNames)
            {
                foreach (var item in e.Result.Attributes[attrib].GetValues(typeof(string)))
                {
                    Console.WriteLine("\t{0}: {1}", attrib, item);
                }
            }
            Console.WriteLine();
            Console.WriteLine("====================");
            Console.WriteLine();
        }
        static private LdapConnection CreateConnection(string server)
        {
            LdapConnection connect = new LdapConnection(server);
            connect.SessionOptions.ProtocolVersion = 3;
            connect.AuthType = AuthType.Negotiate;  //use my current credentials
            return connect;
        }
    }
    public class ChangeNotifier : IDisposable
    {
        LdapConnection _connection;
        HashSet<IAsyncResult> _results = new HashSet<IAsyncResult>();

        public ChangeNotifier(LdapConnection connection)
        {
            _connection = connection;
            _connection.AutoBind = true;
        }
        public void Register(string dn, SearchScope scope)
        {
            SearchRequest request = new SearchRequest(
                dn, //root the search here
                "(objectClass=*)", //very inclusive
                scope, //any scope works
                null //we are interested in all attributes
                );
            //register our search
            request.Controls.Add(new DirectoryNotificationControl());
            //we will send this async and register our callback
            //note how we would like to have partial results
            IAsyncResult result = _connection.BeginSendRequest(
                request,
                TimeSpan.FromDays(1), //set timeout to a day...
                PartialResultProcessing.ReturnPartialResultsAndNotifyCallback,
                Notify,
                request
                );
            //store the hash for disposal later
            _results.Add(result);
        }
        private void Notify(IAsyncResult result)
        {
            //since our search is long running, we don't want to use EndSendRequest
            PartialResultsCollection prc = _connection.GetPartialResults(result);
            foreach (SearchResultEntry entry in prc)
            {
                OnObjectChanged(new ObjectChangedEventArgs(entry));
            }
        }
        private void OnObjectChanged(ObjectChangedEventArgs args)
        {
            if (ObjectChanged != null)
            {
                ObjectChanged(this, args);
            }
        }
        public event EventHandler<ObjectChangedEventArgs> ObjectChanged;
        #region IDisposable Members
        public void Dispose()
        {
            foreach (var result in _results)
            {
                //end each async search
                _connection.Abort(result);
            }
        }
        #endregion
    }
    public class ObjectChangedEventArgs : EventArgs
    {
        public ObjectChangedEventArgs(SearchResultEntry entry)
        {
            Result = entry;
        }
        public SearchResultEntry Result { get; set;}
    }
}

Answer 1

I'm going to push you to consider a different path altogether, even though I know nothing about your app.

Change notifications are all well and good, but there are some downsides. AD doesn't scale to huge numbers of them. If you are offline for a while you miss some changes. Etc.

There is another mechanism I would encourage you to consider named DirSync. Think of DirSync as a "raw expose" of the AD internal replication protocol, given to you over LDAP. The idea of DirSync is that you can issue a query and say "what's changed?" and AD will answer. In with the answer is an opaque cookie. When you issue the query again next time, you provide the cookie again and it will tell you what has changed since the last cookie was issued.

Lots of nice elements of this:

• DirSync has a nice scale story. You can ask for changes to 1 object or 1 million and we know DirSync will scale to your needs.
• DirSync has a clean story for being offline for a period of time. You can be disconnected for a second or a week, come back and catch up with all that you missed.
• DirSync queries are super fast. Issuing one every minute or something like that should be a-ok.
• DirSync has a clean multi-DC story. You can use the cookie across DCs and it will (mostly) just work for you. (I say mostly as you might get dup changes, but that's about it).
• Perhaps most of all, DirSync has a very clean consistency story. I push clients who use DirSync to do the efficient DirSync query in most calls, but every now and then (daily? weekly? monthly? Depends upon the app...) you can just throw the cookie away and full sync. This essentially forces you to really design a clean e2e solution that always ensures you have a nice, safe way to get your offline db to align with the truth in AD and also be efficient 99%+ of the time. And the "oh something went wrong" code path is super well tested as it is a mainline code path! And it happens to be the same as the normal code path.

You would need to defensively code assuming you get dup changes, but that's a reasonable assumption for most apps.

Hope this helps.