[PATCH] s4-drs: Set default RODC filtered attribute set

Fernando J V da Silva fernandojvsilva at yahoo.com.br
Fri Feb 26 12:33:48 MST 2010

Hi Tridge! Hi Anatoliy!

2010/2/24  <tridge at samba.org>:
> I think Anatoliy mentioned that he thinks that Windows modifies the
> schema attributes as part of the RODC join process. I think you need
> to check whether that is correct by trying a windows->windows RODC
> join, and looking at the schema attributes before and after the join.
> Once you work out how this works in Windows please post something and
> we can decide how we will do this in Samba.

I've done the test that Tridge recommended above. In summary, I looked
at the attributes that should be part of the RODC filtered set at
three moments: 1) on my DC, before I joined another RODC to its domain;
2) on my DC, after I joined another RODC; and 3) on the RODC after the
join. In both I got the same values for these attributes (it seems
that they haven't changed either on DC or RODC ...). That test was
done on W2K8 functional level, but I raised it to W2K8 R2 and the
attributes still haven't changed (would such a test be correct, or
should I do something else that I have possibly missed? ...).

The following schema attributes don't have the necessary flags to be
part of the RODC filtered set (it differs from the Microsoft
documentation which says that they should ...):


In MS documentation, there is also the ms-FVE-RecoveryInformation
object, which is a classSchema (instead of attributeSchema) and
doesn't seem to have a searchFlags attribute.

BTW, I also noticed on W2K8 that if you set the searchFlags of an
attributeSchema to make it part of the RODC filtered set (through
ldbmodify), and there are some objects already replicated on an RODC
which contain values for such an attribute, then the values of that
attribute are "deleted" from those objects stored in the RODC
(actually, it seems to make sense ...). I said "deleted" because I
suppose that it happens, as MS documentation says "RODC filtered
attributes aren't stored at RODC", but I'm not sure ... Would it be
possible that they are just kind of "hidden"? Does anybody know
anything else about that behavior? (Or is there anything that I could
do to ensure that those attributes' values are really deleted?). PS:
The opposite also happens (when you remove an attributeSchema from the
RODC filtered set, the objects which contain that attribute seem to
start replicating to RODCs).

So, it seems we also have to handle the above when we are a RODC and
there is an update on searchFlags of some attributeSchema, right?


Fernando J V da Silva
M Sc Computer Science Student
Institute of Computing, State University of Campinas
+55 15 8801-2165
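
The before/after comparison described in the message above, as an added example that is not part of the original post or of Samba's code: it reads two schema LDIF dumps and reports which attributes gained or lost the RODC filtered bit of searchFlags. The bit value 0x200 (fRODCFilteredAttribute) is taken from MS-ADTS; the function names, attribute names and DNs are constructed for illustration.

```python
"""Diff RODC filtered attribute set membership between two schema LDIF dumps."""

RODC_FILTERED = 0x200  # fRODCFilteredAttribute bit of searchFlags (MS-ADTS)

def parse_search_flags(ldif):
    """Return {lDAPDisplayName: searchFlags} for every record in an LDIF dump."""
    unfolded = ldif.replace("\n ", "")      # join LDIF continuation lines
    flags = {}
    for record in unfolded.split("\n\n"):   # records are blank-line separated
        attrs = {}
        for line in record.splitlines():
            if line.startswith("#") or ": " not in line:
                continue                    # skip comments and malformed lines
            key, value = line.split(": ", 1)
            attrs[key.lower()] = value.strip()
        if "ldapdisplayname" in attrs:
            # A record with no searchFlags attribute has no bits set.
            flags[attrs["ldapdisplayname"]] = int(attrs.get("searchflags", "0"))
    return flags

def filtered_set(ldif):
    """Names of attributes whose searchFlags carry the RODC filtered bit."""
    return {n for n, f in parse_search_flags(ldif).items() if f & RODC_FILTERED}

def diff_filtered_set(before, after):
    """Return (added, removed) attribute names between two snapshots."""
    b, a = filtered_set(before), filtered_set(after)
    return sorted(a - b), sorted(b - a)

# Constructed sample dumps (hypothetical attributes, not real schema entries).
# 640 = 0x280 (confidential + RODC filtered), 128 = 0x80 (confidential only).
BEFORE = """\
# snapshot taken on the DC before the RODC join
dn: CN=Example-Secret-A,CN=Schema,CN=Configuration,
 DC=example,DC=com
lDAPDisplayName: exampleSecretA
searchFlags: 640

dn: CN=Example-Secret-B,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: exampleSecretB
searchFlags: 128

dn: CN=Example-Plain,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: examplePlain
"""
AFTER = BEFORE.replace("searchFlags: 128", "searchFlags: 640")

if __name__ == "__main__":
    print(diff_filtered_set(BEFORE, AFTER))
```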
