[cifs-protocol] What elements of the DIT are required for AD to operate? (SRX091208600025)
billwe at microsoft.com
Tue Dec 8 06:28:34 MST 2009
Good morning Andrew - thanks for your question - I have created the below case for us to track our efforts regarding that. One of my colleagues will take ownership and contact you shortly.
SRX091208600025 : [MS-ADTS] required DIT elements for Active Directory forest
MCSE, MCTS / Senior Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL: +1(980) 776-8200
CELL: +1(704) 661-5438
FAX: +1(704) 665-9606
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Tuesday, December 08, 2009 12:16 AM
To: Interoperability Documentation Help
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: What elements of the DIT are required for AD to operate?
In the last few months, we have had great success with joining a Window
2008 R2 server into a Samba4 hosted domain. It was a great achievement, and the speed of development we achieved over this difficult area is a testament to the support we received at the plugfest. However, that success was only possible when we have first joined Samba4 to an already operational Active Directory domain, and obtained the full database over DRS replication.
Samba aims for and requires a high standard of interoperability - a standard of 'either Samba or Windows must be able provision/initialise the domain, without clients or other domain controllers seeing the difference'.
However, during the development last week we also found out (by painful experience and in discussion with your developers) that Windows performs very few checks on the incoming replicated data, and is not tolerant of deviations from the expected form. So, to achieve this interoperability, we need to know precisely what things a windows domain controller needs across the directory replication channel, for it to become and operate correctly as a domain controller.
Put another way: what are the required DIT elements for a server to provision to be the initiator of an Active Directory forest?
We do already have many of these elements implemented - things like the Display Specifiers and Schema we were very glad to obtain earlier - but it seem there is much more required. Much of this is in the documentation set - particularly MS-ADTS, but scattered in a way that makes for a great reference, but a poor source for implementation (because it is so easy to miss one).
My hope is that like the schema and display specifiers, that this information (effectively the minimum initial DIT) can also be made available to us in a similar, machine-readable fashion, for each supported functional level.
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
More information about the cifs-protocol