Working with Read Only Domain Controllers (RODC).

Richard Sharpe realrichardsharpe at gmail.com
Wed Jan 14 21:58:48 MST 2015


On Wed, Jan 14, 2015 at 10:47 AM, Hemanth Thummala
<hemanth.thummala at gmail.com> wrote:
> Volker,
>
> I am not sure if I understood your question correctly.
>
> I believe we do not read (at least in the 3.6.12 version) the DC
> properties (read-only/writable) during net join. If we choose (with auto
> discovery) an RODC during net join, it is going to fail with a
> STATUS_NOT_SUPPORTED error, as we attempt to create the computer (member server)
> object on the RODC, which is not permitted.
>
> If we contact a writable DC, we found that adding the computer account to
> the "Allowed RODC password replication" group is mandatory. Without that,
> winbindd trust secret checks were failing.

Do you have some patches for this?

> Thanks,
> Hemanth.
>
> On Tue, Jan 13, 2015 at 11:29 PM, Volker Lendecke <Volker.Lendecke at sernet.de> wrote:
>
>> On Tue, Jan 13, 2015 at 04:35:54PM -0800, Hemanth Thummala wrote:
>> > Hi,
>> >
>> > We are currently using the samba 3.6.12 stack and use Windows Active
>> > Directory for authentication.
>> >
>> > While working with RODCs, we have learned that we need to perform some
>> > manual steps in order to communicate with Read Only DCs consistently.
>> >
>> > Basically we found people start working with RODCs in two ways.
>>
>> Thanks for that intro!
>>
>> My question would be: Can't we make this transparent in net
>> join?
>>
>> Volker
>>
>> --
>> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
>> phone: +49-551-370000-0, fax: +49-551-370000-9
>> AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
>> http://www.sernet.de, mailto:kontakt at sernet.de
>>



-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
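The manual step Hemanth describes (join against a writable DC, then put the member server's computer account into the allowed password replication group so the RODC may cache its machine secret) can be checked and applied with the ActiveDirectory PowerShell module. The script below is an added example, not code from this thread or from Samba. It assumes the RSAT ActiveDirectory module on a domain-joined Windows host with rights to edit group membership, and uses SAMBAFS01 as a placeholder for the member server's computer account name; the two group names are the built-in defaults created when the domain is prepared for RODCs.

```powershell
# Added example (not from the thread or from Samba): verify and fix the RODC
# password replication policy for a Samba member server's computer account.
# Assumes the ActiveDirectory module (RSAT) and rights to edit group membership.
# Placeholder: SAMBAFS01 is the member server's computer account name.

Import-Module ActiveDirectory

$MemberServer = 'SAMBAFS01'                                # placeholder account name
$AllowGroup   = 'Allowed RODC Password Replication Group'  # built-in default group
$DenyGroup    = 'Denied RODC Password Replication Group'   # built-in default group

# 1. Do every write against a writable DC. An RODC rejects writes, which is
#    the same reason a net join that lands on an RODC fails.
$WritableDC = (Get-ADDomainController -Discover -Writable).HostName
Write-Host "Using writable DC: $WritableDC"

$computer = Get-ADComputer -Identity $MemberServer -Server $WritableDC

# Returns $true when the account is a (possibly nested) member of the group.
function Test-GroupMember {
    param(
        [string]$Group,
        [Microsoft.ActiveDirectory.Management.ADComputer]$Account
    )
    $members = Get-ADGroupMember -Identity $Group -Server $WritableDC -Recursive
    return [bool]($members |
        Where-Object { $_.distinguishedName -eq $Account.DistinguishedName })
}

# 2. The Denied group always wins over the Allowed group, so a denied entry
#    would silently defeat the fix below; report it rather than remove it.
if (Test-GroupMember -Group $DenyGroup -Account $computer) {
    Write-Warning "$MemberServer is in '$DenyGroup'; its secret will never be cached on an RODC."
}

# 3. Add the computer account to the Allowed group if it is not already there.
if (Test-GroupMember -Group $AllowGroup -Account $computer) {
    Write-Host "$MemberServer is already in '$AllowGroup'."
} else {
    Add-ADGroupMember -Identity $AllowGroup -Members $computer -Server $WritableDC
    Write-Host "Added $MemberServer to '$AllowGroup'."
}

# 4. Show the effective allowed list on each RODC so the change can be
#    confirmed once it has replicated from the writable DC.
Get-ADDomainController -Filter { IsReadOnly -eq $true } -Server $WritableDC |
    ForEach-Object {
        $rodc = $_.Name
        $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
        $present = [bool]($allowed |
            Where-Object { $_.distinguishedName -eq $computer.DistinguishedName })
        Write-Host ("{0}: {1} in allowed list" -f $rodc, $(if ($present) { 'present' } else { 'MISSING' }))
    }
```

The membership change is made on the writable DC and only reaches the RODC after normal replication, so the final loop may report MISSING for a short while after the add. The RODC caches the machine password the first time it forwards an authentication for that account to a writable DC; until then, winbindd's trust secret check against the RODC can still fail even though the policy is now correct.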