libnet_join

[Brad Henry]

Andrew Bartlett wrote:

>BTW, do you now join as a DC only if we asked for a BDC join?  (Compared
>with a member server join).
>
>Andrew Bartlett
>
>  
>
Yep, it's implemented as a test at the end of libnet_JoinDomain(). While 
testing that functionality this morning I found a problem with the 
current logic.

If a host performs a BDC join following a member join, the server dn 
stuff gets created,  but the machine account remains under OU=Computers. 
Would preferred behaviour be to fail (not perform any changes, report 
back an error condition), or promote the existing account to become a 
BDC? How about the other way around?

My thoughts would be that it's sensible to allow the changing of 
accounts between BDC and member server varieties in both directions. 
Having to delete and recreate machine accounts is ugly and changes 
SID's, which probably don't want. At the very least, 'dcpromo.exe' 
allows this behavior on 2k3, so it would make sense to follow this 
convention.

The question that arises from this is: Would we want that behaviour 
automated within the libnet_join code, or would it be better to have 
explicit 'demote' and 'promote'  functions in libnet provided as net 
commands, for example? The automated behaviour would be nice, but 
accidentally demoting a dc because you were ssh'd into the wrong host 
and typed 'net join <domain> member' would not. :)


Thanks,
Brad