Jakob Curdes
2024-Jan-24 14:54 UTC
[Samba] How to join Windows server to domain using a Samba RODC / login only against RW DCs?
Hello, we have set up a SAMBA4 RODC in our setup where we have two existing RW Samba4 DCs.

The RODC is joined correctly and can preload user accounts etc. It also can resolve its own name and the names of the other DCs, and also the SRV records needed. We created our own site with a specific subnet for this RODC "area".

But we did not manage to get a join of a Windows server working without also opening the firewall to the RW DCs, and, what is worse, *even after the join, the domain logon only works as long as the firewall is open*, otherwise it will fail with an error about the computer account not being present, although after a manual replication, the computer account that was automatically created during the join (on an RW controller) was correctly replicated to the RODC. So some info is missing on the RODC, but which? Any experience here on the list with Samba4 RODCs?

Regards, Jakob
Rowland Penny
2024-Jan-24 15:30 UTC
[Samba] How to join Windows server to domain using a Samba RODC / login only against RW DCs?
On Wed, 24 Jan 2024 15:54:38 +0100 Jakob Curdes via samba <samba at lists.samba.org> wrote:

> Hello, we have set up a SAMBA4 RODC in our setup where we have two
> existing RW Samba4 DCs.
>
> The RODC is joined correctly and can preload user accounts etc. It
> also can resolve its own name and the names of the other DCs, and also
> the SRV records needed.
> We created our own site with a specific subnet for this RODC "area".
>
> But we did not manage to get a join of a Windows server working
> without also opening the firewall to the RW DCs, and, what is
> worse, *even after the join, the domain logon only works as long as
> the firewall is open*, otherwise it will fail with an error about the
> computer account not being present, although after a manual
> replication, the computer account that was automatically created
> during the join (on an RW controller) was correctly replicated to the
> RODC. So some info is missing on the RODC, but which? Any experience
> here on the list with Samba4 RODCs?
>
> Regards, Jakob

There is a big hint in the name: RODC. The 'RO' stands for 'Read Only', so any changes to AD (and joining a computer to AD is a change) must be made on an RWDC and then replicated to the RODC. If a firewall is stopping replication, then you will not be able to join anything.

Do you really need an RODC?

Rowland
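The three things the thread turns on can be checked from the RODC host before opening any firewall port: whether the site-specific SRV records steer members in the RODC's site to the RODC, whether replication from the RWDCs is actually succeeding, and whether the joined computer account is visible on both the RODC and an RWDC. The script below is an added example written for this thread, not code from the Samba project or from either poster. The domain name example.com, the site name Branch, the host names rodc1/dc1 and the computer name WINSRV01 are assumptions; the `samba-tool drs showrepl` sample text is constructed for the offline parser check and is not real output from the poster's setup.

```shell
#!/bin/sh
# Added diagnostic helpers for an RODC behind a firewall (not Samba project code).
# Assumed values: domain example.com, site Branch, DCs rodc1/dc1, computer WINSRV01.
# samba-tool and dig are only invoked inside check_site_srv and run_checks.

# SRV names a domain member located in site "$2" of domain "$1" queries when it
# looks for a DC. If the site-specific names are absent or do not point at the
# RODC, the member will simply locate an RWDC through the generic record.
site_srv_names() {
    domain=$1
    site=$2
    printf '%s\n' \
        "_ldap._tcp.${site}._sites.dc._msdcs.${domain}" \
        "_kerberos._tcp.${site}._sites.dc._msdcs.${domain}" \
        "_ldap._tcp.dc._msdcs.${domain}"
}

# Resolve each SRV name with dig when it is installed and print the targets.
check_site_srv() {
    site_srv_names "$1" "$2" | while read -r name; do
        printf '%s -> ' "$name"
        if command -v dig >/dev/null 2>&1; then
            dig +short SRV "$name" | tr '\n' ' '
        fi
        echo
    done
}

# Count replication partners reporting failures in 'samba-tool drs showrepl'
# output read from stdin: every neighbour block ends with a line of the form
# "N consecutive failure(s)." and anything above zero means replication is
# not getting through (for example because a firewall blocks the RWDC).
count_failed_partners() {
    awk '/consecutive failure/ { if ($1 + 0 > 0) n++ } END { print n + 0 }'
}

# Constructed showrepl excerpt used for the offline self-check: one healthy
# partner (dc1) and one partner (dc2) that has failed three times in a row.
sample_showrepl() {
    cat <<'EOF'
==== INBOUND NEIGHBORS ====

DC=example,DC=com
	Default-First-Site-Name\DC1 via RPC
		Last attempt @ Wed Jan 24 15:00:00 2024 CET was successful
		0 consecutive failure(s).
	Default-First-Site-Name\DC2 via RPC
		Last attempt @ Wed Jan 24 15:00:00 2024 CET failed, result 58 (WERR_BAD_NET_RESP)
		3 consecutive failure(s).
EOF
}

# Full check, to be run as root on the RODC host (needs samba-tool).
# Usage: run_checks example.com Branch rodc1.example.com dc1.example.com WINSRV01
run_checks() {
    domain=$1; site=$2; rodc=$3; rwdc=$4; computer=$5
    echo "== SRV records for site $site =="
    check_site_srv "$domain" "$site"
    echo "== replication status as seen by this DC =="
    samba-tool drs showrepl | tee /tmp/showrepl.txt
    echo "partners with failures: $(count_failed_partners < /tmp/showrepl.txt)"
    echo "== computer account on RODC vs RWDC =="
    samba-tool computer show "$computer" -H "ldap://$rodc" || echo "missing on $rodc"
    samba-tool computer show "$computer" -H "ldap://$rwdc" || echo "missing on $rwdc"
}
```

If `count_failed_partners` reports a non-zero number for the RWDC partners while the firewall is closed, the join and logon failures in the thread are explained by blocked replication rather than by anything wrong on the RODC itself; the account visible after a manual replication confirms the data path works once the ports are open.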