[Samba] setting up a RODC

Rowland Penny rpenny at samba.org
Tue Aug 7 17:29:21 UTC 2018

On Tue, 7 Aug 2018 18:58:26 +0200
Stefan Kania via samba <samba at lists.samba.org> wrote:

> Mhhhh,
> but as far as I know the Client searches via DNS for the services
> "kerberos", "ldap", "gc" to connect and authenticate. How will find a
> client the RODC if not via DNS? *Headscratching*

I know very little about RODC's but if you find the file
'dns_update_list' on your DC, it contains the DNS records that
samba_dnsupdate creates if they do not exist.

In that file there is this:

# RW domain controller
${IF_RWDC}A            ${DNSDOMAIN}                                          $IP
${IF_RWDC}AAAA         ${DNSDOMAIN}                                          $IP
${IF_RWDC}SRV          _ldap._tcp.${DNSDOMAIN}                               ${HOSTNAME} 389
${IF_RWDC}SRV          _ldap._tcp.dc._msdcs.${DNSDOMAIN}                     ${HOSTNAME} 389
${IF_RWDC}SRV          _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSFOREST}  ${HOSTNAME} 389
${IF_RWDC}SRV          _kerberos._tcp.${DNSDOMAIN}                           ${HOSTNAME} 88
${IF_RWDC}SRV          _kerberos._udp.${DNSDOMAIN}                           ${HOSTNAME} 88
${IF_RWDC}SRV          _kerberos._tcp.dc._msdcs.${DNSDOMAIN}                 ${HOSTNAME} 88
${IF_RWDC}SRV          _kpasswd._tcp.${DNSDOMAIN}                            ${HOSTNAME} 464
${IF_RWDC}SRV          _kpasswd._udp.${DNSDOMAIN}                            ${HOSTNAME} 464
# RW and RO domain controller
${IF_DC}CNAME          ${NTDSGUID}._msdcs.${DNSFOREST}                       ${HOSTNAME}
${IF_DC}SRV            _ldap._tcp.${SITE}._sites.${DNSDOMAIN}                ${HOSTNAME} 389
${IF_DC}SRV            _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN}      ${HOSTNAME} 389
${IF_DC}SRV            _kerberos._tcp.${SITE}._sites.${DNSDOMAIN}            ${HOSTNAME} 88
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88

So, as I am sure you can see, your RODC gets 'SITE' ldap records, but
it doesn't get standard ldap records.

Wiser heads than mine created that file ;-)


More information about the samba mailing list