[Samba] How to join Windows server to domain using a Samba RODC / login only against RW DCs?

Rowland Penny rpenny at samba.org
Wed Jan 24 20:57:59 UTC 2024


On Wed, 24 Jan 2024 21:21:03 +0100
Jakob Curdes via samba <samba at lists.samba.org> wrote:

> 
> > Jakob Curdes via samba<samba at lists.samba.org>  wrote:
> >
> >> Hello, we have set up a SAMBA4 RODC in our setup where we have two
> >> existing RW Samba4 DCs.
> >>
> >> The RODC is joined correctly and can preload user accounts etc. It
> >> also can resolve its own name and the names of other DCs, and also the
> >> SRV records needed.
> >> We created a site of our own with a specific subnet for this RODC "area".
> >>
> >> But we did not manage to get a join of a Windows server working
> >> without also opening the firewall to the RW DCs, and, what is
> >> worse, *even after the join, the domain logon only works as long as
> >> the firewall is open*, otherwise it will fail with an error about
> >> the computer account not being present, although after a manual
> >> replication, the computer account that was automatically created
> >> during the join (on an RW controller) was correctly replicated to
> >> the RODC. So some info is missing on the RODC, but which? Any
> >> experience here on the list with Samba4 RODCs?
> >>
> >> Regards, Jakob
> > There is a big hint in the name: RODC.
> > The 'RO' stands for 'Read Only', so any changes to AD (and joining a
> > computer to AD is a change) must be made on an RWDC and then
> > replicated to the RODC.
> > If a firewall is stopping replication, then you will not be able to
> > join anything.
> >
> > Do you really need an RODC?
> 
> Hi Rowland, yes we do, for a remote site where we need authorization.
> I know that e.g. the computer account during join cannot be created
> on an RODC, we circumvent that by temporarily opening the firewall so
> that the server can communicate with the RWDCs during join. We also
> created a separate site with the RODC, associated the local network
> with it, in the expectation that the computer then will use this DC
> after the join. But this part does not work. As there is a
> description for an RODC join on the samba wiki, I suppose there is a
> way to achieve what we want; I think we are missing a piece
> somewhere. (For Windows systems, there is a description somewhere how
> to join a computer to an RODC without write access to any DC, by
> pre-creating the computer account, but this is not easily
> translatable to the samba solution as far as I see).
> 
> So yes, we are aware of this restriction, but if we see the computer
> account on the RODC, this problem should be superseded, so why can we
> not complete a login using this DC?
> 

What you will not see is passwords (except for cached ones); they
cannot be created on an RODC, they must be created/changed on an RWDC
and then, if required, replicated to the RODC.

In my opinion, you have nothing missing.

Rowland
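
An added shell check, not part of the thread and not Samba's own tooling, that an administrator can run on the RODC to tell apart the two states Rowland distinguishes: the computer object having replicated to the RODC, and the RODC being allowed to cache that account's secrets. It reads only the object and its memberOf values from the local sam.ldb, never the secrets themselves. Assumptions (hypothetical defaults, adjust to your site): the standard sam.ldb path, the default name of the Allowed RODC Password Replication Group, that the RODC's password replication policy still points at that default group, and ldbsearch/samba-tool on the PATH. The sample LDIF records are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: on a Samba RODC, tell apart "the computer
# object has replicated here" from "this RODC is allowed to cache its secrets".
# Assumptions (hypothetical defaults, adjust to your site): the standard sam.ldb
# path, the default PRP allow group name, and ldbsearch/samba-tool on the PATH.

SAMDB=${SAMDB:-/var/lib/samba/private/sam.ldb}
ALLOWED_GROUP_CN=${ALLOWED_GROUP_CN:-"Allowed RODC Password Replication Group"}

# Join LDIF continuation lines (ldbsearch wraps long values onto lines that
# start with a single space) so that grep sees each attribute on one line.
ldif_unwrap() {
    printf '%s\n' "$1" | awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (NR > 1) print buf; buf = $0 }
        END { print buf }'
}

# ldif_has_attr LDIF ATTR: succeed if an "ATTR:" line is present.
ldif_has_attr() {
    printf '%s\n' "$1" | grep -qi "^$2:"
}

# ldif_member_of LDIF GROUP_CN: succeed if a memberOf value names that group.
ldif_member_of() {
    printf '%s\n' "$1" | grep -i '^memberOf:' | grep -qi "CN=$2,"
}

# classify_account LDIF: print one word for the account's state on this RODC.
#   absent        - no object yet (replication from an RW DC has not happened)
#   cacheable     - object present and the PRP allow group permits caching
#   not-cacheable - object present, but its secrets will not be revealed here
classify_account() {
    unwrapped=$(ldif_unwrap "$1")
    if ! ldif_has_attr "$unwrapped" dn; then
        echo absent
    elif ldif_member_of "$unwrapped" "$ALLOWED_GROUP_CN"; then
        echo cacheable
    else
        echo not-cacheable
    fi
}

# Live check: query the local sam.ldb for one account (e.g. "WINSRV01$") and
# print the next step. Only the object and its memberOf are read; no secrets.
check_rodc_account() {
    ldif=$(ldbsearch -H "$SAMDB" "(sAMAccountName=$1)" memberOf 2>/dev/null)
    state=$(classify_account "$ldif")
    echo "$1: $state"
    case "$state" in
        absent)
            echo "  object missing: samba-tool drs replicate <this-rodc> <rwdc> <domain-nc>" ;;
        cacheable)
            echo "  cache secrets while RW DCs are reachable: samba-tool rodc preload '$1' --server=<rwdc>" ;;
        not-cacheable)
            echo "  add '$1' to '$ALLOWED_GROUP_CN' on an RW DC, replicate, then preload" ;;
    esac
}

# Constructed sample records, as ldbsearch would print them (one value wrapped).
SAMPLE_ALLOWED='dn: CN=WINSRV01,CN=Computers,DC=samdom,DC=example,DC=com
sAMAccountName: WINSRV01$
memberOf: CN=Allowed RODC Password Replication Group,CN=Users,DC=samdom,DC=exam
 ple,DC=com'
SAMPLE_PLAIN='dn: CN=WINSRV02,CN=Computers,DC=samdom,DC=example,DC=com
sAMAccountName: WINSRV02$
memberOf: CN=Domain Computers,CN=Users,DC=samdom,DC=example,DC=com'

demo_allowed() { classify_account "$SAMPLE_ALLOWED"; }   # cacheable
demo_plain()   { classify_account "$SAMPLE_PLAIN"; }     # not-cacheable
demo_missing() { classify_account ""; }                  # absent

if [ $# -gt 0 ]; then
    check_rodc_account "$1"
else
    demo_allowed; demo_plain; demo_missing
fi
```

Run it on the RODC as root with the machine account quoted so the shell does not expand the trailing dollar sign, e.g. `sh rodc_check.sh 'WINSRV01$'`; with no argument it only classifies the constructed samples. The replicate and preload commands it prints are the two steps the thread separates: the object has to arrive from an RW DC first, and the secrets are only cached afterwards, while the RW DCs are still reachable.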
