Author: BrianBrian
Date: May 18, 2008 18:40
I have a forest with two DCs and a child domain with an Exchange Server
and two DCs.
An application checks if a user has read/write privileges to the
Exchange Information Store and, if not, adds the security descriptor. If
I immediately recheck the security descriptor, the privilege is still
missing. After a minute or so it appears.
In order to locate the DC I use:

    // Locate a DC for the Exchange server's domain and take its domain name
    ::DsGetDcName(szExchangeServer, NULL, NULL, NULL, 0, &domainControllerInfo);
    strDomain = domainControllerInfo->DomainName;

I then bind to the rootDSE using: LDAP://"strDomain"/rootDSE
I read the configurationNamingContext, which I then use as the root of a
search with a filter of objectClass=msExchExchangeServer, returning
ADsPath.
I open ADsPath, get the nTSecurityDescriptor and add an ACE for the
user.
I reopen the ADsPath and check the nTSecurityDescriptor to find the
ACE is absent.