Joining a Windows Server 2008 / 2008 R2 DC to a Samba AD: Difference between revisions
Mmuehlfeld (talk | contribs) m (Fix sentence) |
Slowfranklin (talk | contribs) |
||
(22 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
= Warning = |
|||
{{Imbox |
|||
| type = warning |
|||
| text = There be dragons! Joining a Windows Server as DC to a Samba AD domain is generally not recommended. |
|||
}} |
|||
= Introduction = |
= Introduction = |
||
You can |
You can join Windows Server 2008 and 2008 R2 as an domain controller (DC) to a Samba Active Directory (AD). |
||
If you want to join a computer running a Windows Server operating system as a domain member, see [[Joining_a_Windows_Client_or_Server_to_a_Domain|Joining a Windows Client or Server to a Domain]]. |
If you want to join a computer running a Windows Server operating system as a domain member, see [[Joining_a_Windows_Client_or_Server_to_a_Domain|Joining a Windows Client or Server to a Domain]]. |
||
Line 11: | Line 18: | ||
= Network Configuration = |
= Network Configuration = |
||
* Click the |
* Click the <code>Start</code> button, search for <code>View network connections</code>, and open the search entry. |
||
* Right-click to your network adapter and select |
* Right-click to your network adapter and select <code>Properties</code>. |
||
* Configure the IP settings: |
* Configure the IP settings: |
||
Line 19: | Line 26: | ||
:* Enter the IP of a DNS server that is able to resolve the Active Directory (AD) DNS zone. |
:* Enter the IP of a DNS server that is able to resolve the Active Directory (AD) DNS zone. |
||
* Click |
* Click <code>OK</code> to save the settings. |
||
Line 31: | Line 38: | ||
Before you join the domain, check the time configuration: |
Before you join the domain, check the time configuration: |
||
* Open the |
* Open the <code>Control Panel</code>. |
||
* Navigrate to |
* Navigrate to <code>Clock, Language and Region</code>. |
||
* Click |
* Click <code>Date and Time</code>. |
||
* Verify the date, time, and time zone settings. Adjust the settings, if necessary. |
* Verify the date, time, and time zone settings. Adjust the settings, if necessary. |
||
* Click |
* Click <code>OK</code> to save the changes. |
||
Line 47: | Line 54: | ||
= Joining the Windows Server to the Domain = |
= Joining the Windows Server to the Domain = |
||
* Select |
* Select <code>Start</code> / <code>Run</code>, enter <code>dcpromo.exe</code> and click <code>OK</code>. |
||
* Windows Server automatically installs missing features, if necessary: |
* Windows Server automatically installs missing features, if necessary: |
||
Line 53: | Line 60: | ||
:[[Image:Join_Win2008R2_dcpromo_install.png]] |
:[[Image:Join_Win2008R2_dcpromo_install.png]] |
||
* Check |
* Check <code>Use advanced mode installation</code> to display additional options in later steps. Click <code>OK</code>. |
||
* Read the |
* Read the <code>Operating System Compatibility</code> information and click <code>Next</code>. |
||
* Select |
* Select <code>Existing forest</code> / <code>Add a domain controller to an existing domain</code>, and click <code>Next</code>. |
||
* Enter the Samba Active Directory (AD) domain name and credentials that are enabled to join a domain controller (DC) to the domain, |
* Enter the Samba Active Directory (AD) domain name and credentials that are enabled to join a domain controller (DC) to the domain, such as the domain administrator account. Click <code>Next</code>. |
||
* Select the domain to join and click |
* Select the domain to join and click <code>Next</code>. |
||
* If AD sites are configured, select the site to join. Otherwise continue using the |
* If AD sites are configured, select the site to join. Otherwise continue using the <code>Default-First-Site-Name</code> site. Click <code>Next</code>. |
||
* Select the options to enable on the new DC and click |
* Select the options to enable on the new DC and click <code>Next</code>. |
||
:[[Image:Join_Win2008R2_DC_Options.png]] |
:[[Image:Join_Win2008R2_DC_Options.png]] |
||
* If you enabled the |
* If you enabled the <code>DNS server</code> option in the previous step, you may see a note, that a delegation for this DNS server cannot be created. Click <code>Yes</code> to continue. |
||
:[[Image:Join_Win2008R2_DNS_Delegation_Failed.png]] |
:[[Image:Join_Win2008R2_DNS_Delegation_Failed.png]] |
||
* Select |
* Select <code>Replicate data over the network from an existing domain controller</code> and click <code>Next</code>. |
||
* Select a DC as source for the initial directory replication or let the installation |
* Select a DC as source for the initial directory replication or let the installation wizard choose an appropriate DC. Click <code>Next</code>. |
||
* Set the folders for the AD database, log files and the Sysvol folder. Click |
* Set the folders for the AD database, log files and the Sysvol folder. Click <code>Next</code>. |
||
* Set a Directory Service Restore Mode Administrator Password (DSRM). It is required to boot the Windows DC in safe-mode to restore or repair the AD. Click |
* Set a Directory Service Restore Mode Administrator Password (DSRM). It is required to boot the Windows DC in safe-mode to restore or repair the AD. Click <code>Next</code>. |
||
* Verify your settings and click |
* Verify your settings and click <code>Next</code> to start the DC promotion. |
||
* The |
* The wizard starts the installation, replicates the directory, and so on. |
||
:[[Image:Join_Win2008R2_Join_Process.png]] |
:[[Image:Join_Win2008R2_Join_Process.png]] |
||
* Verify that all DC related DNS records have been created during the promotion. See [[ |
* Verify that all DC related DNS records have been created during the promotion. See [[Verifying and Creating a DC DNS Record|Verifying and Creating a DC DNS Record]]. |
||
:{{Imbox |
|||
: '''Do not continue without checking the records. The records must exist for a working directory replication!''' |
|||
| type = important |
|||
| text = Do not continue without verifying the DNS records. They must exist for a working directory replication! |
|||
}} |
|||
* After the |
* After the wizard completed click <code>Finish</code>. |
||
* Restart the computer. |
* Restart the computer. |
||
Line 100: | Line 110: | ||
= Verifying |
= Verifying Directory Replication = |
||
See [[Verifying_the_Directory_Replication_Statuses#Displaying_the_Replication_Statuses_on_a_Windows_DC|Displaying the Replication Statuses on a Windows DC]]. |
|||
A few minutes after the domain controller (DC) started, the connections with all other DCs are automatically established and the replication begins. |
|||
{{Imbox |
|||
To verify the directory replication, run on a Samba DC: |
|||
| type = note |
|||
| text = To optimize replication latency and cost, the knowledge consistency checker (KCC) on Windows DCs do not create a fully-meshed replication topology between all DCs. For further details, see [[The Samba KCC]]. |
|||
}} |
|||
# samba-tool drs showrepl |
|||
Default-First-Site-Name\SAMBADC |
|||
DSA Options: 0x00000001 |
|||
DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f |
|||
DSA invocationId: 96bc0d6f-9cea-4011-b9a1-0e9971009b20 |
|||
==== INBOUND NEIGHBORS ==== |
|||
DC=DomainDnsZones,DC=samdom,DC=example,DC=com |
|||
Default-First-Site-Name\Win2008R2DC via RPC |
|||
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9 |
|||
Last attempt @ NTTIME(0) was successful |
|||
0 consecutive failure(s). |
|||
Last success @ NTTIME(0) |
|||
DC=ForestDnsZones,DC=samdom,DC=example,DC=com |
|||
Default-First-Site-Name\Win2008R2DC via RPC |
|||
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9 |
|||
Last attempt @ NTTIME(0) was successful |
|||
0 consecutive failure(s). |
|||
Last success @ NTTIME(0) |
|||
DC=samdom,DC=example,DC=com |
|||
Default-First-Site-Name\Win2008R2DC via RPC |
|||
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9 |
|||
Last attempt @ Sat Dec 20 10:35:09 2014 CET was successful |
|||
0 consecutive failure(s). |
|||
Last success @ Sat Dec 20 10:35:09 2014 CET |
|||
CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com |
|||
Default-First-Site-Name\Win2008R2DC via RPC |
|||
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9 |
|||
Last attempt @ Sat Dec 20 10:35:10 2014 CET was successful |
|||
0 consecutive failure(s). |
|||
Last success @ Sat Dec 20 10:35:10 2014 CET |
|||
CN=Configuration,DC=samdom,DC=example,DC=com |
|||
Default-First-Site-Name\Win2008R2DC via RPC |
|||
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9 |
|||
Last attempt @ Sat Dec 20 10:35:11 2014 CET was successful |
|||
0 consecutive failure(s). |
|||
Last success @ Sat Dec 20 10:35:11 2014 CET |
|||
==== OUTBOUND NEIGHBORS ==== |
|||
DC=DomainDnsZones,DC=samdom,DC=example,DC=com |
|||
Default-First-Site-Name\Win2008R2DC via RPC |
|||
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9 |
|||
Last attempt @ Sat Dec 20 10:35:17 2014 CET was successful |
|||
0 consecutive failure(s). |
|||
Last success @ Sat Dec 20 10:35:17 2014 CET |
|||
DC=ForestDnsZones,DC=samdom,DC=example,DC=com |
|||
Default-First-Site-Name\Win2008R2DC via RPC |
|||
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9 |
|||
Last attempt @ Sat Dec 20 10:35:17 2014 CET was successful |
|||
0 consecutive failure(s). |
|||
Last success @ Sat Dec 20 10:35:17 2014 CET |
|||
DC=samdom,DC=example,DC=com |
|||
Default-First-Site-Name\Win2008R2DC via RPC |
|||
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9 |
|||
Last attempt @ Sat Dec 20 10:34:26 2014 CET was successful |
|||
0 consecutive failure(s). |
|||
Last success @ Sat Dec 20 10:34:26 2014 CET |
|||
CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com |
|||
Default-First-Site-Name\Win2008R2DC via RPC |
|||
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9 |
|||
Last attempt @ Sat Dec 20 10:34:26 2014 CET was successful |
|||
0 consecutive failure(s). |
|||
Last success @ Sat Dec 20 10:34:26 2014 CET |
|||
CN=Configuration,DC=samdom,DC=example,DC=com |
|||
Default-First-Site-Name\Win2008R2DC via RPC |
|||
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9 |
|||
Last attempt @ Sat Dec 20 10:34:21 2014 CET was successful |
|||
0 consecutive failure(s). |
|||
Last success @ Sat Dec 20 10:34:21 2014 CET |
|||
==== KCC CONNECTION OBJECTS ==== |
|||
Connection -- |
|||
Connection name: f55bce90-d458-400a-a4ca-801c3e64bef3 |
|||
Enabled : TRUE |
|||
Server DNS name : Win2008R2DC.samdom.example.com |
|||
Server DN name : CN=NTDS Settings,CN=Win2008R2DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com |
|||
TransportType: RPC |
|||
options: 0x00000001 |
|||
Warning: No NC replicated for Connection! |
|||
It can take a several minutes until all connections are established. If the outgoing connections on existing Samba DCs to the Windows DC are not established after 15 minutes, start the replication manually. For details, see [[Samba-tool_drs_replicate|samba-tool drs replicate]]. |
|||
If you are seeing the warning "No NC replicated for Connection!", see [[FAQ#Message:_Warning:_No_NC_replicated_for_Connection.21|FAQ: Warning: No NC replicated for Connection!]]. |
|||
= The Sysvol Share = |
|||
== |
== Enabling the Sysvol Share == |
||
To test that the directory replication works correctly, add for example a user on an existing domain controller (DC) and verify that it shows up automatically on the new promoted Windows DC. |
|||
= The Sysvol Share = |
|||
If you used a Samba domain controller (DC) as replication partner, the <code>Sysvol</code> share is not enabled. For details how to verify and enable the share, see [[Enabling the Sysvol Share on a Windows DC]]. |
|||
* Save the following content to a plain text file named "Win-Create-Sysvol-Share.reg" using a text editor like "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.): |
|||
Windows Registry Editor Version 5.00 |
|||
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters] |
|||
"SysvolReady"=dword:00000001 |
|||
== Sysvol Replication == |
|||
* Log in using an account that is member of the local "Administrators" group. |
|||
Samba currently does not support the DFS-R protocol required for Sysvol replication. Please manually synchronise the content between domain controllers (DC) or use a workaround such as [[Robocopy_based_SysVol_replication_workaround|Robocopy-based Sysvol Replication]]. |
|||
* Double-click the file to import it to the Windows registry. |
|||
* Reboot to take the changes effect. |
|||
== Sysvol replication == |
|||
---- |
|||
Samba currently does not support the DFS-R protocol required for Sysvol replication. Please manually synchronise the content between domain controllers (DC) or use a workaround like [[Robocopy_based_SysVol_replication_workaround|Robocopy-based Sysvol Replication]]. |
|||
[[Category:Active Directory]] |
|||
[[Category:Domain Control]] |
Latest revision as of 15:47, 27 March 2023
Warning
There be dragons! Joining a Windows Server as DC to a Samba AD domain is generally not recommended. |
Introduction
You can join Windows Server 2008 and 2008 R2 as an domain controller (DC) to a Samba Active Directory (AD).
If you want to join a computer running a Windows Server operating system as a domain member, see Joining a Windows Client or Server to a Domain.
Network Configuration
- Click the
Start
button, search forView network connections
, and open the search entry.
- Right-click to your network adapter and select
Properties
.
- Configure the IP settings:
- Assign a static IP address, enter the subnet mask, and default gateway.
- Enter the IP of a DNS server that is able to resolve the Active Directory (AD) DNS zone.
- Click
OK
to save the settings.
Date and Time Settings
Active Directory uses Kerberos for authentication. Kerberos requires that the domain member and the domain controllers (DC) are having a synchronous time. If the difference exceeds 5 minutes (default), the client is not able to access domain resources for security reasons.
Before you join the domain, check the time configuration:
- Open the
Control Panel
.
- Navigrate to
Clock, Language and Region
.
- Click
Date and Time
.
- Verify the date, time, and time zone settings. Adjust the settings, if necessary.
- Click
OK
to save the changes.
Joining the Windows Server to the Domain
- Select
Start
/Run
, enterdcpromo.exe
and clickOK
.
- Windows Server automatically installs missing features, if necessary:
- Check
Use advanced mode installation
to display additional options in later steps. ClickOK
.
- Read the
Operating System Compatibility
information and clickNext
.
- Select
Existing forest
/Add a domain controller to an existing domain
, and clickNext
.
- Enter the Samba Active Directory (AD) domain name and credentials that are enabled to join a domain controller (DC) to the domain, such as the domain administrator account. Click
Next
.
- Select the domain to join and click
Next
.
- If AD sites are configured, select the site to join. Otherwise continue using the
Default-First-Site-Name
site. ClickNext
.
- Select the options to enable on the new DC and click
Next
.
- If you enabled the
DNS server
option in the previous step, you may see a note, that a delegation for this DNS server cannot be created. ClickYes
to continue.
- Select
Replicate data over the network from an existing domain controller
and clickNext
.
- Select a DC as source for the initial directory replication or let the installation wizard choose an appropriate DC. Click
Next
.
- Set the folders for the AD database, log files and the Sysvol folder. Click
Next
.
- Set a Directory Service Restore Mode Administrator Password (DSRM). It is required to boot the Windows DC in safe-mode to restore or repair the AD. Click
Next
.
- Verify your settings and click
Next
to start the DC promotion.
- The wizard starts the installation, replicates the directory, and so on.
- Verify that all DC related DNS records have been created during the promotion. See Verifying and Creating a DC DNS Record.
Do not continue without verifying the DNS records. They must exist for a working directory replication!
- After the wizard completed click
Finish
.
- Restart the computer.
The Windows server now acts as an AD DC.
Verifying Directory Replication
See Displaying the Replication Statuses on a Windows DC.
To optimize replication latency and cost, the knowledge consistency checker (KCC) on Windows DCs do not create a fully-meshed replication topology between all DCs. For further details, see The Samba KCC. |
If you used a Samba domain controller (DC) as replication partner, the Sysvol
share is not enabled. For details how to verify and enable the share, see Enabling the Sysvol Share on a Windows DC.
Sysvol Replication
Samba currently does not support the DFS-R protocol required for Sysvol replication. Please manually synchronise the content between domain controllers (DC) or use a workaround such as Robocopy-based Sysvol Replication.