Working with Read Only Domain Controllers(RODC).

Volker Lendecke Volker.Lendecke at SerNet.DE
Thu Jan 15 02:08:28 MST 2015

On Wed, Jan 14, 2015 at 10:47:21AM -0800, Hemanth Thummala wrote:
> Volker,
> I am not sure if I understood your question correctly.
> I believe we do not read(atleast in 3.6.12 version) the DC
> properties(read-only/writable) during net join. If we chose(with auto
> discovery) RODC during net join, it is going to be failed with
> STATUS_NOT_SUPPORTED error as we attempt create the computer(member server)
> object on rodc which is not permitted.

How does Windows handle this? Windows should be able to
transparently contact a writable DC at join time. Samba
should be able to do the same. This would most likely
involve code changes, that's why we have this thread. But it
does not sound magic.

> If we contact writable DC, we found that adding the computer account to
> "Allowed RODC password replication" group is mandatory. Without that
> winbindd trust secret checks were failing.

Here as well: Can Samba find out itself whether this
condition is fulfilled and if not, give an appropriate error
message? Or make winbind in that error condition choose a
writable DC?


SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen, mailto:kontakt at

More information about the samba-technical mailing list