[Samba] How to join Windows server to domain using a Samba RODC / login only against RW DCs?

Rowland Penny rpenny at samba.org
Wed Jan 24 15:30:59 UTC 2024


On Wed, 24 Jan 2024 15:54:38 +0100
Jakob Curdes via samba <samba at lists.samba.org> wrote:

> Hello, we have set up a SAMBA4 RODC in our setup where we have two 
> existing RW Samba4 DCs.
> 
> The RODC is joined correctly and can preload user accounts etc. It
> also can resolve its own name and the name of other DC's, also the
> SRV records needed.
> We created our own site with a specific subnet for this RODC "area".
> 
> But we did not manage to get a join of a Windows server working
> without also opening the firewall to the RW DCs, and, what is
> worse, *even after the join, the domain logon only works as long as
> the firewall is open*, otherwise it will fail with an error about the
> computer account not being present, although after a manual
> replication, the computer account that was automatically created
> during the join (on an RW controller) was correctly replicated to the
> RODC. So some info is missing on the RODC, but which? Any experience
> here on the list with samba4 RODCs?
> 
> Regards, Jakob

There is a big hint in the name: RODC.
The 'RO' stands for 'Read Only', so any changes to AD (and joining a
computer to AD is a change) must be made on an RWDC and then replicated
to the RODC.
If a firewall is stopping replication, then you will not be able to
join anything.

Do you really need an RODC?

Rowland
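As an added illustration (not part of this thread, nor Samba's own tooling), a small script that lists the DCs the site-specific and domain-wide SRV records hand a client and tests whether a few of the TCP ports a join or logon needs are reachable from where it runs, so a firewall that blocks the RW DCs shows up before a join is attempted. DOMAIN, SITE and the port list are assumed placeholders, and the port list is a minimum, not the full set a join uses.

```shell
#!/bin/bash
# Added example: discover DCs via SRV records and probe reachability.
# DOMAIN, SITE and PORTS are placeholders (assumed values, adjust to your forest).
DOMAIN="${DOMAIN:-example.internal}"
SITE="${SITE:-Branch}"
# Kerberos, LDAP, SMB and RPC endpoint mapper: a minimal set, not the full list.
PORTS="88 389 445 135"

# parse_srv: read `dig +short SRV` lines ("prio weight port target.") on
# stdin and emit "host port" lines ordered by priority (lowest first).
# Lines that do not have exactly four fields (e.g. dig comments) are skipped.
parse_srv() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $1, $4, $3 }' \
        | sort -n \
        | awk '{ print $2, $3 }'
}

# dc_targets: resolve one SRV record name and parse the answer.
dc_targets() {
    dig +short SRV "$1" 2>/dev/null | parse_srv
}

# tcp_open: succeed if host:port accepts a TCP connection within 3 seconds.
tcp_open() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# check_site: show the DCs advertised for the client's site and for the
# whole domain, and which required ports each one exposes to this host.
check_site() {
    for rec in "_ldap._tcp.$SITE._sites.dc._msdcs.$DOMAIN" \
               "_ldap._tcp.dc._msdcs.$DOMAIN"; do
        echo "== $rec"
        dc_targets "$rec" | while read -r host ldap_port; do
            status=""
            for p in $PORTS; do
                if tcp_open "$host" "$p"; then status="$status $p:open"
                else status="$status $p:BLOCKED"; fi
            done
            echo "$host (ldap $ldap_port):$status"
        done
    done
}

# Only hit the network when invoked as: ./dc-reach.sh --run
if [ "${1:-}" = "--run" ]; then
    check_site
fi
```

A DC that appears only under the domain-wide record but shows BLOCKED ports is the one the join or logon will silently depend on and fail against.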


