samba - Jul 2013 - RODC between samba v4 servers

I'm preparing a lab to test the scenario in which a remote office uses a
RODC to cache all users/computers/GPOs from a DC.
I've set up a environment with all requirements (two subnets, one with a DC
and the other with a RODC).
I've joined the domain with a windows machine to the RODC subnet with both
DCs being up.

Using the windows tools (DSA), I've placed a user account and the machine
account inside the Allowed password replication group.

I've switched off the master DC, and tried to login with the cached user in
the cached computer, but it failed.

I've preloaded (samba-tool rodc preload) both the user account and the
machine account in the RODC, without luck.

I've a couple of questions:
- Does samba 4.0.7 supports caching passwords for users?
- What is the preload command for? Caching of passwords?

The following link (
http://technet.microsoft.com/en-us/library/dd736918%28v=ws.10%29.aspx)
talks about setting up the Next Closest DC in the network in the DC
settings to allow RODCs to be trusted, should this be performed as well?
Or is it enough to set it up as a GPO?

I've dug a little bit more on the RODC set up.

I've tried using BIND with DLZ and without as well as the internal DNS
server.

In both cases, I get an error when the RODC tries to register itself to gc._
msdcs.test.com.
Under DLZ, it fails for a non-secure transaction:
Jul 26 15:11:39 dc named[3341]: samba_dlz: disallowing update of
signer=RODC\$\@TEST.COM name=gc._msdcs.test.com type=A error=insufficient
access rights
When using the internal DNS server, it fails with the following output:
[2013/07/26 18:39:56,  0]
../source4/rpc_server/netlogon/dcerpc_netlogon.c:2574(netr_dnsupdate_RODC_callback)
  ../source4/rpc_server/netlogon/dcerpc_netlogon.c:2574: IRPC callback
failed NT_STATUS_IO_TIMEOUT

Also forced on the clients to use the Try Next Closes Site, but it gives an
error.

What is the behavior of an RODC?
It should have a copy of the AD without the passwords, and also it has a
copy of the DNS records?
Does it act like a proxy between one subnet and the main DC?
Should a new DNS entry be added to advertise the RODC as an available
KDC/AD?

Thanks


On Thu, Jul 25, 2013 at 4:33 PM, Andreas Calvo <flipy.bcn at gmail.com>
wrote:
> I'm preparing a lab to test the scenario in which a remote office uses
a
> RODC to cache all users/computers/GPOs from a DC.
> I've set up a environment with all requirements (two subnets, one with
a
> DC and the other with a RODC).
> I've joined the domain with a windows machine to the RODC subnet with
both
> DCs being up.
>
> Using the windows tools (DSA), I've placed a user account and the
machine
> account inside the Allowed password replication group.
>
> I've switched off the master DC, and tried to login with the cached
user
> in the cached computer, but it failed.
>
> I've preloaded (samba-tool rodc preload) both the user account and the
> machine account in the RODC, without luck.
>
> I've a couple of questions:
> - Does samba 4.0.7 supports caching passwords for users?
> - What is the preload command for? Caching of passwords?
>
> The following link (
> http://technet.microsoft.com/en-us/library/dd736918%28v=ws.10%29.aspx)
> talks about setting up the Next Closest DC in the network in the DC
> settings to allow RODCs to be trusted, should this be performed as well?
> Or is it enough to set it up as a GPO?
>


-- 
Atentamente,
Andreas Calvo