[cifs-protocol] [REG:110081752971983] RE: How to RODCs get their membership of the ENTERPRISE_RODCs group

Hongwei Sun hongweis at microsoft.com
Tue Aug 17 17:24:44 MDT 2010 

Andrew,

   You mentioned that all the documentation talks about RODCs being a member of the enterprise read only domain controller group, which has a RID of 498.  What part of the document do you refer to ?   

  In MS-ADTS 7.1.1.3.2 "Read-Only Domain Controller Object", there is the following statement:

	PrimaryGroupID:  Contains the value 521.

	This attribute is populated during creation of the RODC corresponding to the RODC object. The primary group of an RODC object is the domain 	relative well-known RODCs security group. So the primaryGroupID attribute of an RODC object equals the RID of the RODCs security group, 521.

  It looks like that this is an expected behavior based on this statement.

  Should I take the question as why tokenGroups of  rootDSE has 498 but the tokenGroups of RODC account doesn't have it ?

Thanks!

Hongwei


-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Tuesday, August 17, 2010 12:22 AM
To: Interoperability Documentation Help
Cc: tridge at samba.org; cifs-protocol at samba.org
Subject: How to RODCs get their membership of the ENTERPRISE_RODCs group

We are working on having Samba support having Win2k8 servers as read only domain controller in the Samba4 domain. 

We noticed that RODCs are given primaryGroupID of 521 - the RODC group for the local domain.  This happens when they join over LDAP (we can't find the documentation for this either, but it's clear from our testing). 

However, all the documentation talks about RODCs being a member of the enterprise read only domain controller group - which has a RID of 498. 

How is the 498 implied from the 521?  There isn't a member link between the groups for example.  Is it simply linked during token construction somehow?  It also does not appear in the tokenGroups of the RODC account over LDAP (as found in a base search on the RODC object).

tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-572
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-521

However, it does show up in the tokenGroups in the rootDSE, if we connect *as* the RODC

tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-1116
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-521
tokenGroups: S-1-1-0
tokenGroups: S-1-5-32-554
tokenGroups: S-1-5-32-545
tokenGroups: S-1-5-2
tokenGroups: S-1-5-11
tokenGroups: S-1-5-15
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-498
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-572
tokenGroups: S-1-5-64-10

Can you please explain how we are meant to get from one to the other?

Thanks, 

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.

More information about the cifs-protocol mailing list