Working with Read Only Domain Controllers (RODC).

Hemanth Thummala hemanth.thummala at gmail.com
Tue Jan 13 17:35:54 MST 2015


Hi,

We are currently using the samba 3.6.12 stack and use Windows Active Directory
for authentication.

While working with RODCs, we have learned that we need to perform some
manual steps in order to communicate with Read Only DCs consistently.

Basically we found that people start working with RODCs in two ways.

1) Join the domain using writable DC and wait for the sync to happen on
RODCs.
2) Perform manual steps which are required by join process.

Approach #1: Join the domain using Writable DC.

1) Perform domain join now using writable domain controller (net ads join -S
<writableDC>)
2) Allow this computer account credentials to be cached on RODC. On
writable DC (specified in webUI), run this command:
     net localgroup "Allowed RODC Password Replication Group" <Samba server
NetBios name>$ /add
3) On Writable DC, force the replication of computer account credentials to
RODC
        command: REPADMIN /RODCPWDREPL <RODC-HOSTNAME> <RWDC-HOSTNAME>
<FQDN of samba server>

At this point, RODC should have the computer account credentials. And
controller should be able to talk to RODC from now onwards.

Approach #2: Join the domain using RODC

1) On one of the Read-Write DCs perform the following operations:
     a. Pre-create the computer object and set the custom password for the
same.
       cmd: net computer \\<Samba server NetBios name> /add & net user
<Samba server NetBios name>$ <custom password>

     b. Allow this computer account credentials to be cached on RODC
        eg: net localgroup "Allowed RODC Password Replication Group" <Samba
server NetBios name>$ /add

     c. Force the replication of computer account credentials to RODC
        eg: REPADMIN /RODCPWDREPL <RODC> <RWDC> <FQDN of Samba server>

2) On CC, we need to set the CC account password to the same one provided at
pre-creation time (1a).
    cmd: net -f changesecretpw
    This will prompt for the password. Provide the same password given at
step 1a.


We have validated these steps internally and they work fine for us. I am not
sure if Samba has some official documentation related to RODC support.
Can someone point me to it if we have such documentation? If not, we would need
your comments on the same.

Most of these steps are taken from following blog:
https://jorgequestforknowledge.wordpress.com/2009/01/01/domain-join-through-an-rodc-instead-of-an-rwdc/

Thanks,
Hemanth.
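The writable-DC side of Approach #2 (steps 1a to 1c), written as an added PowerShell example that is not part of the original post; it assumes the ActiveDirectory module on a writable DC, uses New-ADComputer -AccountPassword in place of the post's "net computer /add" plus "net user" pair, and treats all host, OU and account names as placeholders. It ends with a check that the RODC has actually cached the secret, which the post's steps do not include.

```powershell
# Added example (not from the original post): Windows-side steps of Approach #2,
# run on a writable DC with the ActiveDirectory module available.
# Every name below is a placeholder; replace it for your environment.
Import-Module ActiveDirectory

$SambaName   = 'SAMBASRV'                       # Samba server NetBIOS name (placeholder)
$Rodc        = 'RODC01'                         # read-only DC (placeholder)
$Rwdc        = 'RWDC01'                         # writable DC used as replication source (placeholder)
$ComputersOu = 'OU=Servers,DC=example,DC=com'   # OU for the pre-created account (placeholder)
$PrpGroup    = 'Allowed RODC Password Replication Group'

# Step 1a: pre-create the computer object with a known password. Prompting keeps
# the password out of the shell history; the same value is later entered on the
# Samba host via "net -f changesecretpw".
$Password = Read-Host -AsSecureString "Password for $SambaName`$"
New-ADComputer -Name $SambaName -SamAccountName "$SambaName`$" -Path $ComputersOu `
    -AccountPassword $Password -Enabled $true

# Step 1b: allow the account's secret to be cached on RODCs.
Add-ADGroupMember -Identity $PrpGroup -Members "$SambaName`$"

# Step 1c: push the secret to the RODC now instead of waiting for a first logon.
# repadmin /rodcpwdrepl takes the account's distinguished name, so look it up.
$Dn = (Get-ADComputer -Identity "$SambaName`$").DistinguishedName
repadmin /rodcpwdrepl $Rodc $Rwdc $Dn
if ($LASTEXITCODE -ne 0) { throw "repadmin failed with exit code $LASTEXITCODE" }

# Check: confirm the RODC really holds the secret before touching the Samba host.
# If the account is missing here, authentication will keep being forwarded to a
# writable DC, and a membership in the Denied group overrides the Allowed group.
$Revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
if ($Revealed.SamAccountName -contains "$SambaName`$") {
    Write-Host "$SambaName`$ is cached on $Rodc"
} else {
    Write-Warning "$SambaName`$ is NOT cached on $Rodc; review the RODC password replication policy"
}
```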

