[cifs-protocol] What elements of the DIT are required for AD to operate?

Hongwei Sun hongweis at microsoft.com
Thu Jan 21 16:20:16 MST 2010


   I attached the file with the list  initially required DIT elements for Windows 2008R2 function level.   All the required DIT elements should be all documented in section 7 of MS-ADTS.  Therefore , we manually reviewed the LDIF dump of a DC and compared with MS-ADTS to decide which elements should be kept.   Please review it and give us feedback.  



-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Monday, December 07, 2009 11:16 PM
To: Interoperability Documentation Help
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: What elements of the DIT are required for AD to operate?


In the last few months, we have had great success with joining a Window
2008 R2 server into a Samba4 hosted domain.  It was a great achievement, and the speed of development we achieved over this difficult area is a testament to the support we received at the plugfest.  However, that success was only possible when we have first joined Samba4 to an already operational Active Directory domain, and obtained the full database over DRS replication. 

Samba aims for and requires a high standard of interoperability - a standard of 'either Samba or Windows must be able provision/initialise the domain, without clients or other domain controllers seeing the difference'.  

However, during the development last week we also found out (by painful experience and in discussion with your developers) that Windows performs very few checks on the incoming replicated data, and is not tolerant of deviations from the expected form.  So, to achieve this interoperability, we need to know precisely what things a windows domain controller needs across the directory replication channel, for it to become and operate correctly as a domain controller. 

Put another way: what are the required DIT elements for a server to provision to be the initiator of an Active Directory forest?  

We do already have many of these elements implemented - things like the Display Specifiers and Schema we were very glad to obtain earlier - but it seem there is much more required.  Much of this is in the documentation set - particularly MS-ADTS, but scattered in a way that makes for a great reference, but a poor source for implementation (because it is so easy to miss one). 

My hope is that like the schema and display specifiers, that this information (effectively the minimum initial DIT) can also be made available to us in a similar, machine-readable fashion, for each supported functional level. 


Andrew Bartlett
Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Windows2008R2_Minimum_DIT_Consolidated.txt
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20100121/7b295003/attachment-0001.txt>

More information about the cifs-protocol mailing list