[cifs-protocol] RE: Can an AD server have more than one domain?

Andrew Bartlett abartlet at samba.org
Thu May 21 04:18:00 GMT 2009


On Wed, 2009-05-20 at 08:43 -0700, Sebastian Canevari wrote:
> Hi Andrew,
> 
> Someone from our team will be contacting you shortly.

As a followup (and to make my point particularly clear):

Will 3.1.5.2.1 SamrEnumerateDomainsInSamServer (Opnum 6) ever return
more than 'BUILTIN' and either the netbios domain name of the server, or
(for standalone servers) the netbios name of the server?

Thanks,

Andrew Bartlett

> -----Original Message-----
> From: Andrew Bartlett [mailto:abartlet at samba.org] 
> Sent: Wednesday, May 20, 2009 2:03 AM
> To: Interoperability Documentation Help
> Cc: pfif at tridgell.net; cifs-protocol at samba.org
> Subject: Can an AD server have more than one domain?
> 
> Documents like MS-SAMR describe protocols that manipulate and open 'domains' in the AD server.  Examples include:
> 
> 3.1.5.11.1 SamrLookupDomainInSamServer (Opnum 5)
> 
> This operation seems to describe the ability to look up different domains by name.  Presumably multiple domains can be looked up, and 3.1.5.1.5 SamrOpenDomain (Opnum 7) can open any domain by SID.
> 
> Other protocols in the AD suite of protocols appear to similarly be able to handle multiple domains.  It appears designed with this generality in mind, but not implemented in Microsoft's products.  
> 
> However, as I look at other protocols, it becomes clear that there is a strict notion of a single 'primary domain' of a particular server.  The DSSETUP call dssetup_DsRoleGetPrimaryDomainInformation and some LSA calls clearly only call out a single domain as supported.
> 
> Anyway, the reason I ask is that I'm working to rip out extra code in Samba that is lovely and general, but is also unwieldy and unnecessary.
> (But of course to improve support for multiple domains via trusts).  
> 
> I just want to check I do not misunderstand, before I wield the axe.
> 
> Would you agree with the statement:
> 
> While early calls in NT provided for a very high degree of generality in supporting the concept of multiple domains being hosted on a single server, it was not implemented, and in AD numerous technical barriers and later design choices mean that each AD server must host only a single domain (not even other domains in a local AD tree).  Access to other domains is via trusts in the tree, forest and between forests.
> 
> Thanks,
> 
> Andrew Bartlett
> 
> --
> Andrew Bartlett
> http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> Samba Developer, Red Hat Inc.
> 
-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
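The question above is really about what a SAM server's domain list may contain. The following is an added example, not code from this thread, from Samba or from Microsoft: it encodes the expectation Andrew states (exactly 'BUILTIN' plus either the server's NetBIOS domain name or, for a standalone server, the server's own NetBIOS name) as a check over the names returned by SamrEnumerateDomainsInSamServer, and includes an optional live helper built on impacket (the `samr.hSamrConnect`, `samr.hSamrEnumerateDomainsInSamServer` and `samr.hSamrCloseHandle` helper names and the `resp["Buffer"]["Buffer"]` result layout are assumptions about impacket's API, not something the thread documents). The sample responses are constructed, not captured from a real server.

```python
"""Sanity-check the domain list returned by SamrEnumerateDomainsInSamServer.

Added example (not from the mailing-list thread, Samba or Microsoft). The
expectation it encodes is the one stated in the thread: the call returns
exactly 'BUILTIN' plus either the NetBIOS domain name of the server or, for a
standalone server, the server's own NetBIOS name.
"""
from typing import Iterable, List

BUILTIN = "BUILTIN"


def classify_domains(names: Iterable[str], netbios_domain: str, server_name: str) -> dict:
    """Compare an enumerated domain-name list against the expected shape.

    SAM domain names are case-insensitive, so everything is compared upper-cased.
    Returns a dict with:
      role    - 'domain' if the account domain is netbios_domain,
                'standalone' if it is server_name, 'unknown' otherwise
      account - the non-BUILTIN domain name(s) seen, sorted
      extra   - names that neither BUILTIN nor the two expected names explain
      ok      - True only when the list is exactly {BUILTIN, one account domain}
    """
    seen = {n.upper() for n in names}
    account = sorted(seen - {BUILTIN})
    expected_domain = netbios_domain.upper()
    expected_server = server_name.upper()
    if account == [expected_domain]:
        role = "domain"
    elif account == [expected_server]:
        role = "standalone"
    else:
        role = "unknown"
    extra = [n for n in account if n not in (expected_domain, expected_server)]
    return {
        "role": role,
        "account": account,
        "extra": extra,
        "ok": BUILTIN in seen and role != "unknown" and len(account) == 1,
    }


def enumerate_domains_live(target: str, username: str, password: str, domain: str = "") -> List[str]:
    """SamrConnect + SamrEnumerateDomainsInSamServer over \\pipe\\samr via impacket.

    Assumption: impacket is installed and exposes the helper names used here;
    it is imported lazily so the offline check above works without it.
    """
    from impacket.dcerpc.v5 import samr, transport  # optional dependency (assumed API)

    rpctransport = transport.DCERPCTransportFactory(rf"ncacn_np:{target}[\pipe\samr]")
    rpctransport.set_credentials(username, password, domain)
    dce = rpctransport.get_dce_rpc()
    dce.connect()
    dce.bind(samr.MSRPC_UUID_SAMR)
    server_handle = samr.hSamrConnect(dce)["ServerHandle"]
    resp = samr.hSamrEnumerateDomainsInSamServer(dce, server_handle)
    # Assumed impacket result layout: a list of RPC_UNICODE_STRING entries under Buffer.Buffer
    names = [entry["Name"] for entry in resp["Buffer"]["Buffer"]]
    samr.hSamrCloseHandle(dce, server_handle)
    dce.disconnect()
    return names


# Constructed sample responses (not captured from a real server).
SAMPLE_DC = ["BUILTIN", "EXAMPLE"]                   # DC for NetBIOS domain EXAMPLE
SAMPLE_STANDALONE = ["BUILTIN", "FILESRV01"]         # standalone server named FILESRV01
SAMPLE_UNEXPECTED = ["BUILTIN", "EXAMPLE", "CHILD"]  # shape a multi-domain SAM would have

if __name__ == "__main__":
    for sample in (SAMPLE_DC, SAMPLE_STANDALONE, SAMPLE_UNEXPECTED):
        print(sample, "->", classify_domains(sample, "EXAMPLE", "FILESRV01"))
```

The offline part is the useful one for answering the thread's question against a real server: feed whatever `enumerate_domains_live` (or any other SAMR client) returns into `classify_domains`; a non-empty `extra` or `role == "unknown"` is exactly the multi-domain case the thread asks whether Windows can ever produce.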