[cifs-protocol] joining readonly domain controller not documented in MS-WKST

Alexander Bokovoy ab at samba.org
Thu Oct 4 13:31:13 UTC 2018


(re-sending, I sent it originally to casemail rather than dochelp)

Reading through MS-WKST, I cannot find a reference to the
NETSETUP_JOIN_READONLY (0x00000800) flag as mentioned by


Join the target machine specified in lpServer parameter using a
pre-created account without requiring a writable domain controller.

This option provides the ability to join a machine to domain if an
account has already been provisioned and replicated to a read-only
domain controller. The target read-only domain controller is specified
as part of the lpDomain parameter, after the domain name delimited by a
‘\’ character. This provisioning must include the machine secret. The
machine account must be added via group membership into the allowed list
for password replication policy, and the account password must be
replicated to the read-only domain controller prior to the join
operation. For more information, see the information on Password
Replication Policy Administration.

Starting with Windows 7, an alternate mechanism is to use the offline
domain join mechanism. For more information, see the
NetProvisionComputerAccount and NetRequestOfflineDomainJoin functions.

Note: This flag is supported on Windows Vista and later.

Could you please clarify MS-WKST to mention how operations should be
performed to join read-only DCs?

/ Alexander Bokovoy
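As an added illustration, not part of Alexander's message or of the quoted NetJoinDomain documentation, the following shows how an administrator can verify (and, where missing, satisfy) the two preconditions the quoted text names before a NETSETUP_JOIN_READONLY join: the machine account must be in a group on the read-only DC's Allowed password replication policy list, and its secret must already be replicated to that RODC. It uses the ActiveDirectory PowerShell module and is run against a writable DC; the domain EXAMPLE, the hosts RODC01 and DC01, the computer account WS-RO-01 and the group RODC-Allowed-Workstations are placeholder names.

```powershell
# Added example (not from the original post): check the preconditions for a
# read-only domain join as described in the quoted NetJoinDomain text.
# Requires the ActiveDirectory module (RSAT) and rights to edit the RODC's
# password replication policy. All names below are placeholders.
Import-Module ActiveDirectory

$Rodc       = 'RODC01'                     # RODC the client names in lpDomain, e.g. "EXAMPLE\RODC01"
$WritableDc = 'DC01'                       # writable DC holding the authoritative machine secret
$Computer   = 'WS-RO-01'                   # pre-created machine account (sAMAccountName WS-RO-01$)
$AllowGroup = 'RODC-Allowed-Workstations'  # group placed on the RODC's Allowed list
$SamName    = "$Computer$"

# 1. The group must be on the RODC's Allowed password replication policy list.
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
if (-not ($allowed.SamAccountName -contains $AllowGroup)) {
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $AllowGroup
}

# 2. The machine account must be a member of that group.
$members = Get-ADGroupMember -Identity $AllowGroup -Recursive
if (-not ($members.SamAccountName -contains $SamName)) {
    Add-ADGroupMember -Identity $AllowGroup -Members $SamName
}

# 3. The account's password must already be revealed (replicated) to the RODC.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
if (-not ($revealed.SamAccountName -contains $SamName)) {
    # Pre-populate the secret on the RODC so the join needs no writable DC.
    $acct = Get-ADComputer -Identity $Computer
    Sync-ADObject -Object $acct -Source $WritableDc -Destination $Rodc -PasswordOnly
}

# Final check: is the account now revealed on the RODC?
$ready = (Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts).SamAccountName -contains $SamName
"{0} revealed on {1}: {2}" -f $SamName, $Rodc, $ready
```

Once the final check reports true, the client can call NetJoinDomain with lpDomain set to the domain name followed by a backslash and the RODC name (as the quoted text describes) and NETSETUP_JOIN_READONLY among the join flags; if any of the three steps is skipped, the RODC has no secret to authenticate the pre-created account against and the join fails regardless of the flag.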
