[Samba] RODC between samba v4 servers

Andreas Calvo flipy.bcn at gmail.com
Fri Jul 26 08:48:06 MDT 2013 

I've dug a little bit more on the RODC set up.

I've tried using BIND with DLZ and without as well as the internal DNS
server.

In both cases, I get an error when the RODC tries to register itself to gc._
msdcs.test.com.
Under DLZ, it fails for a non-secure transaction:
Jul 26 15:11:39 dc named[3341]: samba_dlz: disallowing update of
signer=RODC\$\@TEST.COM name=gc._msdcs.test.com type=A error=insufficient
access rights
When using the internal DNS server, it fails with the following output:
[2013/07/26 18:39:56,  0]
../source4/rpc_server/netlogon/dcerpc_netlogon.c:2574(netr_dnsupdate_RODC_callback)
  ../source4/rpc_server/netlogon/dcerpc_netlogon.c:2574: IRPC callback
failed NT_STATUS_IO_TIMEOUT

Also forced on the clients to use the Try Next Closes Site, but it gives an
error.

What is the behavior of an RODC?
It should have a copy of the AD without the passwords, and also it has a
copy of the DNS records?
Does it act like a proxy between one subnet and the main DC?
Should a new DNS entry be added to advertise the RODC as an available
KDC/AD?

Thanks


On Thu, Jul 25, 2013 at 4:33 PM, Andreas Calvo <flipy.bcn at gmail.com> wrote:

> I'm preparing a lab to test the scenario in which a remote office uses a
> RODC to cache all users/computers/GPOs from a DC.
> I've set up a environment with all requirements (two subnets, one with a
> DC and the other with a RODC).
> I've joined the domain with a windows machine to the RODC subnet with both
> DCs being up.
>
> Using the windows tools (DSA), I've placed a user account and the machine
> account inside the Allowed password replication group.
>
> I've switched off the master DC, and tried to login with the cached user
> in the cached computer, but it failed.
>
> I've preloaded (samba-tool rodc preload) both the user account and the
> machine account in the RODC, without luck.
>
> I've a couple of questions:
> - Does samba 4.0.7 supports caching passwords for users?
> - What is the preload command for? Caching of passwords?
>
> The following link (
> http://technet.microsoft.com/en-us/library/dd736918%28v=ws.10%29.aspx)
> talks about setting up the Next Closest DC in the network in the DC
> settings to allow RODCs to be trusted, should this be performed as well?
> Or is it enough to set it up as a GPO?
>



-- 
Atentamente,
Andreas Calvo

More information about the samba mailing list