[cifs-protocol] What elements of the DIT are required for AD to operate?

Hongwei Sun hongweis at microsoft.com
Thu Jan 14 17:10:36 MST 2010


I just want to give you a quick update on this request. The product team is helping us review the list of minimum initial DIT we compiled from the documentation in the MS-ADTS. I will let you know once it is complete.



-----Original Message-----
From: Hongwei Sun 
Sent: Tuesday, December 22, 2009 12:43 PM
To: 'Andrew Bartlett'
Cc: pfif at tridgell.net; cifs-protocol at samba.org; Edgar Olougouna
Subject: RE: What elements of the DIT are required for AD to operate?


I have been actively working with the product team on your request. This one requires more effort than schema and display specifiers. Considering the holiday schedule of the product team and support team, including myself, progress will be delayed. I will be on vacation from tomorrow, returning January 4. Edgar will be my backup to monitor and work on this case. If you have any additional information, please let us know.

Happy Holidays!!


-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Monday, December 07, 2009 11:16 PM
To: Interoperability Documentation Help
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: What elements of the DIT are required for AD to operate?


In the last few months, we have had great success with joining a Windows 2008 R2 server into a Samba4 hosted domain. It was a great achievement, and the speed of development we achieved over this difficult area is a testament to the support we received at the plugfest. However, that success was only possible when we first joined Samba4 to an already operational Active Directory domain, and obtained the full database over DRS replication.

Samba aims for and requires a high standard of interoperability - a standard of 'either Samba or Windows must be able to provision/initialise the domain, without clients or other domain controllers seeing the difference'.

However, during the development last week we also found out (by painful experience and in discussion with your developers) that Windows performs very few checks on the incoming replicated data, and is not tolerant of deviations from the expected form. So, to achieve this interoperability, we need to know precisely what things a Windows domain controller needs across the directory replication channel, for it to become and operate correctly as a domain controller.

Put another way: what are the required DIT elements for a server to provision to be the initiator of an Active Directory forest?  

We do already have many of these elements implemented - things like the Display Specifiers and Schema we were very glad to obtain earlier - but it seems there is much more required. Much of this is in the documentation set - particularly MS-ADTS, but scattered in a way that makes for a great reference, but a poor source for implementation (because it is so easy to miss one).

My hope is that, like the schema and display specifiers, this information (effectively the minimum initial DIT) can also be made available to us in a similar, machine-readable fashion, for each supported functional level.


Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
