[cifs-protocol] [Pfif] What elements of the DIT are required for AD to operate?

tridge at samba.org tridge at samba.org
Thu Jan 14 18:40:28 MST 2010

Hi Hongwei,

 >    I just want to give you a quick update on this request.  The
 >    product team is helping us review the list of minimum initial
 >    DIT we compiled from the documentation in the MS-ADTS.  I will
 >    let you know once it is complete.


I should also mention that while we'd like to get this answered, it is
no longer holding us up. Previously we were able to use dcpromo only
if the directory had been initially created on windows. If it was
created by Samba then dcpromo would fail. That is what led to this
request as we knew that something was wrong with our initialisation of
the directory, but we didn't know what.

Now we've got past that problem after we applied the schema fixes we
mentioned in another CAR.

We'd still like to see something saying what elements of the directory
are needed by windows DCs and clients, especially if you can tell us
what is needed for the different functional levels, but it is no
longer holding up our core development, so the urgency is a bit lower
than before.

Related to this, we've been puzzling a bit as to whether we should
create some of the groups that show up on some windows DCs, for
example the TelnetClients group, and the IIS_IUSRS groups. We suspect
we do need to create the ones that use fixed SIDs, and perhaps don't
need to create the ones that use dynamically allocated SIDs, as we
suspect the latter ones (like TelnetClients) is created when windows
components are installed, even if the directory was created by
Samba. It would be good to get this confirmed.

Similarly, we suspect some of the foreign security principles might
need to be pre-created when we create the directory.

Cheers, Tridge

More information about the cifs-protocol mailing list