[Samba] How to join Windows server to domain using a Samba RODC / login only against RW DCs?

Jakob Curdes jc at info-systems.de
Wed Jan 24 20:21:03 UTC 2024


> Jakob Curdes via samba <samba at lists.samba.org> wrote:
>
>> Hello, we have set up a SAMBA4 RODC in our setup where we have two
>> existing RW Samba4 DCs.
>>
>> The RODC is joined correctly and can preload user accounts etc. It
>> also can resolve its own name and the name of other DC's, also the
>> SRV records needed.
>> We created an own site with specific subnet for this RODC "area".
>>
>> But we did not manage to get a join of a Windows server working
>> without also opening the firewall to the RW DCs, and, what is
>> worse, *even after the join, the domain logon only works as long as
>> the firewall is open*, otherwise it will fail with an error about the
>> computer account not being present, although after a manual
>> replication, the computer account that was automatically created
>> during the join (on an RW controller) was correctly replicated to the
>> RODC. So some info is missing on the RODC, but which? Any experience
>> here on the list with samba4 RODCs?
>>
>> Regards, Jakob
> There is a big hint in the name: RODC.
> The 'RO' stands for 'Read Only', so any changes to AD (and joining a
> computer to AD is a change) must be made on an RWDC and then replicated
> to the RODC.
> If a firewall is stopping replication, then you will not be able to
> join anything.
>
> Do you really need an RODC ?

Hi Rowland, yes we do, for a remote site where we need authorization. I 
know that e.g. the computer account during join cannot be created on an 
RODC, we circumvent that by temporarily opening the firewall so that the 
server can communicate with the RWDCs during join. We also created a 
separate site with the RODC, associated the local network with it, in 
the expectation that the computer then will use this DC after the join. 
But this part does not work. As there is a description for an RODC join 
on the samba wiki, I suppose there is a way to achieve what we want; I 
think we are missing a piece somewhere. (For Windows systems, there is a 
description somewhere how to join a computer to an RODC without write 
access to any DC, by pre-creating the computer account, but this is not 
easily translatable to the samba solution as far as I see).

So yes, we are aware of this restriction, but if we see the computer 
account on the RODC, this problem should be superseded, so why can we 
not complete a login using this DC?

Best regards, Jakob Curdes
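Added example, not part of the thread and not Samba project code: a POSIX shell checklist for the branch-RODC situation described above. It binds the remote subnet to its own site, caches the computer account's secret on the RODC with `samba-tool rodc preload` (the computer object replicating is not the same as its secret being cached; a logon through the RODC needs both), and then reads back `msDS-RevealedUsers` on the RODC's computer object to confirm the account is listed. The site name, subnet, RODC DN, computer name, sam.ldb path and the DN-binary prefix in the constructed `SAMPLE_OUTPUT` are all assumptions or placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project). Every name below is
# a placeholder; replace it with the values of your own domain.
SITE="BranchSite"                                            # assumed site name
SUBNET="10.20.0.0/24"                                        # assumed branch subnet
RODC_DN="CN=RODC1,OU=Domain Controllers,DC=example,DC=com"  # assumed RODC object
ACCOUNT="WINSRV01"                                           # assumed computer name
SAM_LDB="/var/lib/samba/private/sam.ldb"                     # assumed sam.ldb path

# 1. Give the branch network its own site so the DC locator prefers the RODC.
#    Run on an RWDC with domain admin rights.
configure_site() {
    samba-tool sites create "$SITE"
    samba-tool subnet create "$SUBNET" "$SITE"
}

# 2. Cache the computer account's secret on the RODC. The password replication
#    policy must allow the account; run this on the RODC while an RWDC is still
#    reachable (sAMAccountName of a computer ends in '$').
preload_secret() {
    samba-tool rodc preload "${ACCOUNT}\$"
}

# 3. Read back which accounts the RODC has revealed (cached) secrets for.
#    msDS-RevealedUsers lives on the RODC's own computer object.
dump_revealed() {
    ldbsearch -H "$SAM_LDB" -b "$RODC_DN" -s base msDS-RevealedUsers
}

# Decide from ldbsearch output whether an account is cached on the RODC.
# $1 = account CN, $2 = ldbsearch output. Returns 0 if cached, 1 otherwise.
account_cached() {
    printf '%s\n' "$2" | grep -i 'msDS-RevealedUsers' | grep -qi "CN=$1,"
}

# Constructed sample of what dump_revealed returns; the "B:8:...:" DN-binary
# prefix is an assumption about Samba's on-disk encoding, the DNs are made up.
SAMPLE_OUTPUT='# record 1
dn: CN=RODC1,OU=Domain Controllers,DC=example,DC=com
msDS-RevealedUsers: B:8:01000000:CN=WINSRV01,CN=Computers,DC=example,DC=com
msDS-RevealedUsers: B:8:01000000:CN=jdoe,CN=Users,DC=example,DC=com

# returned 1 records
# 1 entries
# 0 referrals'

# Usage on the live DCs (not executed here):
#   configure_site            # on an RWDC
#   preload_secret            # on the RODC, firewall to the RWDCs open
#   if account_cached "$ACCOUNT" "$(dump_revealed)"; then
#       echo "$ACCOUNT secret cached on RODC"
#   else
#       echo "$ACCOUNT NOT cached: logon through the RODC will need an RWDC"
#   fi
```

If the account does not show up in `msDS-RevealedUsers` after the preload, check that it is a member of a group allowed by the RODC's password replication policy (and not denied by it) before opening the firewall again; an account whose object replicates but whose secret is never revealed will keep failing logons the moment the RWDCs are unreachable.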

