[cifs-protocol] RE: Can an AD server have more than one domain?

Sebastian Canevari Sebastian.Canevari at microsoft.com
Wed May 20 15:43:54 GMT 2009


Hi Andrew,

Someone from our team will be contacting you shortly.

Thanks,

Sebastian Canevari
Senior Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
7100 N Hwy 161, Irving, TX - 75039
"Las Colinas - LC2"
Tel: +1 469 775 7849
e-mail: sebastc at microsoft.com



-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Wednesday, May 20, 2009 2:03 AM
To: Interoperability Documentation Help
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: Can an AD server have more than one domain?

Documents like MS-SAMR describe protocols that manipulate and open 'domains' in the AD server.  Examples include:

3.1.5.11.1 SamrLookupDomainInSamServer (Opnum 5)

This operation seems to describe the ability to look up different domains by name.  Presumably multiple domains can be looked up, and 3.1.5.1.5 SamrOpenDomain (Opnum 7) can open any domain by SID.

Other protocols in the AD suite of protocols appear to similarly be able to handle multiple domains.  It appears designed with this generality in mind, but not implemented in Microsoft's products.  

However, as I look at other protocols, it becomes clear that there is a strict notion of a single 'primary domain' of a particular server.  The DSSETUP call dssetup_DsRoleGetPrimaryDomainInformation and some LSA calls clearly only call out a single domain as supported.

Anyway, the reason I ask is that I'm working to rip out extra code in Samba that is lovely and general, but is also unwieldy and unnecessary.
(But of course to improve support for multiple domains via trusts).  

I just want to check I do not misunderstand, before I wield the axe.

Would you agree with the statement:

While early calls in NT provided for a very high degree of generality in supporting the concept of multiple domains being hosted on a single server, it was not implemented, and in AD numerous technical barriers and later design choices mean that each AD server must host only a single domain (not even other domains in a local AD tree).  Access to other domains is via trusts in the tree, forest and between forests.

Thanks,

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

