[cifs-protocol] What elements of the DIT are required for AD to operate?

Andrew Bartlett abartlet at samba.org
Mon Dec 7 22:15:55 MST 2009


In the last few months, we have had great success with joining a Windows
2008 R2 server into a Samba4 hosted domain.  It was a great achievement,
and the speed of development we achieved over this difficult area is a
testament to the support we received at the plugfest.  However, that
success was only possible when we had first joined Samba4 to an already
operational Active Directory domain, and obtained the full database over
DRS replication.

Samba aims for and requires a high standard of interoperability - a
standard of 'either Samba or Windows must be able to provision/initialise
the domain, without clients or other domain controllers seeing the

However, during the development last week we also found out (by painful
experience and in discussion with your developers) that Windows performs
very few checks on the incoming replicated data, and is not tolerant of
deviations from the expected form.  So, to achieve this
interoperability, we need to know precisely what things a Windows domain
controller needs across the directory replication channel, for it to
become and operate correctly as a domain controller.

Put another way: what are the required DIT elements for a server to
provision to be the initiator of an Active Directory forest?  

We do already have many of these elements implemented - things like the
Display Specifiers and Schema we were very glad to obtain earlier - but
it seems there is much more required.  Much of this is in the
documentation set - particularly MS-ADTS, but scattered in a way that
makes for a great reference, but a poor source for implementation
(because it is so easy to miss one).

My hope is that, like the schema and display specifiers, this
information (effectively the minimum initial DIT) can also be made
available to us in a similar, machine-readable fashion, for each
supported functional level.


Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.