I've dug a little bit more on the RODC set up. I've tried using BIND with DLZ and without as well as the internal DNS server.
In both cases, I get an error when the RODC tries to register itself to gc._msdcs.test.com.

Under DLZ, it fails for a non-secure transaction:

    Jul 26 15:11:39 dc named[3341]: samba_dlz: disallowing update of signer=RODC$@TEST.COM name=gc._msdcs.test.com type=A error=insufficient access rights

When using the internal DNS server, it fails with the following output:

    [2013/07/26 18:39:56, 0] ../source4/rpc_server/netlogon/dcerpc_netlogon.c:2574(netr_dnsupdate_RODC_callback)
    ../source4/rpc_server/netlogon/dcerpc_netlogon.c:2574: IRPC callback failed NT_STATUS_IO_TIMEOUT

I also forced the clients to use Try Next Closest Site, but it gives an error.

What is the behavior of an RODC? It should have a copy of the AD without the passwords, and does it also have a copy of the DNS records? Does it act like a proxy between one subnet and the main DC? Should a new DNS entry be added to advertise the RODC as an available KDC/AD?

Thanks

On Thu, Jul 25, 2013 at 4:33 PM, Andreas Calvo <flipy....@gmail.com> wrote:
> I'm preparing a lab to test the scenario in which a remote office uses a
> RODC to cache all users/computers/GPOs from a DC.
> I've set up an environment with all requirements (two subnets, one with a
> DC and the other with a RODC).
> I've joined the domain with a windows machine to the RODC subnet with both
> DCs being up.
>
> Using the windows tools (DSA), I've placed a user account and the machine
> account inside the Allowed password replication group.
>
> I've switched off the master DC, and tried to login with the cached user
> in the cached computer, but it failed.
>
> I've preloaded (samba-tool rodc preload) both the user account and the
> machine account in the RODC, without luck.
>
> I've a couple of questions:
> - Does samba 4.0.7 support caching passwords for users?
> - What is the preload command for? Caching of passwords?
>
> The following link (
> http://technet.microsoft.com/en-us/library/dd736918%28v=ws.10%29.aspx)
> talks about setting up the Next Closest DC in the network in the DC
> settings to allow RODCs to be trusted, should this be performed as well?
> Or is it enough to set it up as a GPO?
> --
> Sincerely,
> Andreas Calvo
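Added example, not from this thread or from Samba: a small Python parser that pulls refused dynamic DNS updates out of samba_dlz log lines of the form quoted above, so an administrator can see which account was denied which record (the _msdcs names being the DC locator records a domain controller must be able to register). The sample log is constructed; only its first line matches the one in the mail.

```python
import re
from collections import Counter

# Constructed sample log. The first line is modelled on the samba_dlz message
# quoted in the mail; the remaining lines are made up for illustration.
SAMPLE_LOG = """\
Jul 26 15:11:39 dc named[3341]: samba_dlz: disallowing update of signer=RODC$@TEST.COM name=gc._msdcs.test.com type=A error=insufficient access rights
Jul 26 15:11:40 dc named[3341]: samba_dlz: disallowing update of signer=RODC$@TEST.COM name=_ldap._tcp.gc._msdcs.test.com type=SRV error=insufficient access rights
Jul 26 15:12:02 dc named[3341]: samba_dlz: allowing update of signer=DC$@TEST.COM name=dc.test.com type=A
Jul 26 15:12:30 dc named[3341]: samba_dlz: disallowing update of signer=WS01$@TEST.COM name=ws01.test.com type=A error=insufficient access rights
"""

# Fields as they appear in the log line: signer=<principal> name=<record>
# type=<rrtype> error=<free text to end of line>
DENY_RE = re.compile(
    r"samba_dlz: disallowing update of signer=(?P<signer>\S+) "
    r"name=(?P<name>\S+) type=(?P<rrtype>\S+) error=(?P<error>.+)$"
)


def parse_denied_updates(log_text):
    """Return one dict (signer, name, rrtype, error) per refused update."""
    denied = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            denied.append(m.groupdict())
    return denied


def denials_by_signer(denied):
    """Count refused updates per signing principal; a DC or RODC account being
    refused repeatedly usually points at a rights or configuration problem."""
    return Counter(d["signer"] for d in denied)


def msdcs_records_denied(denied):
    """Sorted names under _msdcs that some signer was not allowed to write."""
    return sorted({d["name"] for d in denied if "_msdcs." in d["name"]})


if __name__ == "__main__":
    hits = parse_denied_updates(SAMPLE_LOG)
    for signer, n in denials_by_signer(hits).items():
        print(f"{signer}: {n} refused update(s)")
    print("denied _msdcs records:", msdcs_records_denied(hits))
```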