[cifs-protocol] [REG:118100419160002] joining readonly domain controller not documented in MS-WKST

Jeff McCashland jeffm at microsoft.com
Thu Oct 4 15:09:25 UTC 2018

[DocHelp to BCC, casemail on CC, SR ID on Subject]

Hello Alexander, 

Thank you for your question. We have created SR 118100419160002 to track this issue. One of our engineers will respond soon to assist you.

Best regards,
Jeff McCashland | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team 
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
We value your feedback.  My manager is Rama Ganesan (ramagane), +1 (425) 703-8712

-----Original Message-----
From: Alexander Bokovoy <ab at samba.org> 
Sent: Thursday, October 4, 2018 6:31 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol at lists.samba.org
Subject: joining readonly domain controller not documented in MS-WKST


(re-sending, I sent it originally to casemail rather than dochelp)

Reading through MS-WKST, I cannot find a reference to the NETSETUP_JOIN_READONLY (0x00000800) flag as mentioned by


Join the target machine specified in lpServer parameter using a pre-created account without requiring a writable domain controller.

This option provides the ability to join a machine to domain if an account has already been provisioned and replicated to a read-only domain controller. The target read-only domain controller is specified as part of the lpDomain parameter, after the domain name delimited by a '\' character. This provisioning must include the machine secret. The machine account must be added via group membership into the allowed list for password replication policy, and the account password must be replicated to the read-only domain controller prior to the join operation. For more information, see the information on Password Replication Policy Administration.

Starting with Windows 7, an alternate mechanism is to use the offline domain join mechanism. For more information, see the NetProvisionComputerAccount and NetRequestOfflineDomainJoin functions.

Note  This flag is supported on Windows Vista and later.

Could you please clarify MS-WKST to mention how operations should be performed to join read-only DCs?

/ Alexander Bokovoy
