[cifs-protocol] [REG:110081752971983] RE: How to RODCs get their membership of the ENTERPRISE_RODCs group
hongweis at microsoft.com
Mon Aug 23 17:37:26 MDT 2010
I have been testing and debugging the Windows behavior related to tokenGroups rootDSE attribute in RODC. It seems that I cannot duplicate what you have observed. I have a RODC joined to a domain that has two more RWDCs. I got the following output for the rootDSE in RODC object and RootDSE when I did a base search to the RODC from another DC in the same domain. They don't include RID 498.
ldap_search_s(ld, "CN=RODC01,OU=Domain Controllers,DC=contoso,DC=com", 0, "(objectclass=*)", attrList, 0, &msg)
Getting 1 entries:
Dn: CN=RODC01,OU=Domain Controllers,DC=contoso,DC=com
tokenGroups (2): S-1-5-21-3071076805-1052773752-2226054901-572; S-1-5-21-3071076805-1052773752-2226054901-521;
I am wondering what the difference is between your environment and my repro. Andrew mentioned that "However, it does show up in the tokenGroups in the rootDSE, if we connect *as* the RODC". Does that mean Samba DC is connected as a RODC ?
From: tridge at samba.org [mailto:tridge at samba.org]
Sent: Tuesday, August 17, 2010 7:30 PM
To: Hongwei Sun
Cc: Andrew Bartlett; cifs-protocol at samba.org; MSSolve Case Email
Subject: [REG:110081752971983] RE: How to RODCs get their membership of the ENTERPRISE_RODCs group
> You mentioned that all the documentation talks about RODCs being
> a member of the enterprise read only domain controller group,
> which has a RID of 498. What part of the document do you refer
> to ?
See for example [MS-DRSR] 126.96.36.199.12 which has this:
* 1. Caller is an RODC. An RODC will always be a member of
* "Enterprise Read-Only Domain Controllers" (RID 498)
> Should I take the question as why tokenGroups of rootDSE has 498
> but the tokenGroups of RODC account doesn't have it ?
that is one way to look at it.
We can see via tokenGroups that RODCs are a member of both the group
with RID 498 and the group with RID 521.
Normally a user becomes a member of a group in one of three ways.
1) via it being the primaryGroupID of the user
2) via a member attribute on a group (or equivalently via a memberOf
3) via some "special handling" that adds things like anonymous or
world or other special groups
We suspect that RODCs being a member of 498 is due to something in the
"special handling" category, but we'd like to know what the nature of
that special handling is.
For example, is it something as simple as "when constructing the token
for a user, always add RID 498 if they have RID 521 in their token
from the same domain". Where things may get tricky is in the
inter-domain (eg. forest) handling. We'd like to make sure we get this
right, or at least understand how we're getting it wrong :-)
More information about the cifs-protocol