Installing RSAT: Difference between revisions

From SambaWiki
m (moved Samba AD management from windows to Installing RSAT on Windows for AD Management: Renaming the page, because it's just about installing RSAT and not providing usefull content about managing AD (this will be described in a different HowTo)
(Complete re-write of the HowTo)
Line 1: Line 1:
= Introduction =
= Samba AD management from Windows =


The easiest way to administrate a Samba Domain and Active Directory is using Microsofts RSAT (Remote Server Administration Tools) on a Windows workstation.
We need install Windows 2003 Adminpak into Windows XP in order to use
GUI tools to manage the domain. Before you begin, make sure that the domain
administrators have administrative rights to control your computer.(To
give any user administrative rights in Windows XP Pro, right click My
Computer, select Manage-> choose Groups-> double click Administrators
and add members from domain into the member list. When you add
members from Active Directory, it will prompt you to enter an
Active Directory username and password).


„samba-tool“ already contains many features for common administration jobs, but compared with the RSAT, it is still missing possibilities. Another advantage is, that using these tools, increases the available documentation (books, online, etc.), because it's the same way, than Windows administrators are doing the tasks.
== Step 1: Installing Windows Remote Administration Tools onto Windows ==


=== Windows Vista/7/8 ===


#Download the Windows Remote Server Administration Tools (RSAT) from:
#* http://www.microsoft.com/downloads/details.aspx?FamilyId=9FF6E897-23CE-4A36-B7FC-D52065DE9960&displaylang=en (Vista)
#* http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en (Windows 7)
#* http://www.microsoft.com/download/details.aspx?id=28972 (Windows 8)
#* http://www.microsoft.com/en-us/download/details.aspx?id=39296 (Windows 8.1)
#Follow the "Install RSAT" instructions
*Note: After installing, you have to enable the features in "Turn Windows features on or off" in "Programs" of the Control Panel!)''.


=== Windows XP Pro ===


==== Administration Tools Pack & Support Tools ====
# Download adminpak and supporttools from:
#* http://www.microsoft.com/downloads/en/details.aspx?FamilyID=86b71a4f-4122-44af-be79-3f101e533d95
#* http://download.microsoft.com/download/3/e/4/3e438f5e-24ef-4637-abd1-981341d349c7/WindowsServer2003-KB892777-SupportTools-x86-ENU.exe
#:If you installed an older version of the adminpak, you'll notice the dial-in tab is missing from property pages. Just follow the link above to get SP2 which does not have this issue.
# Run through the installation.
# Press start->run, type 'dsa.msc', if a window 'active directory users and computers' prompt up, it mean you had install adminpak it successfully. You can also find this at Start>Programs>Administrative Tools, which should have a lot more items now.
# Go to c:\Program Files\Support Tools to check whether the support tools were installed correctly; if yes, then your XP workstation is ready to manage the Samba 4 Active Directory.


= Download =
==== Group Policy Management Console ====
# You may also find the Group Policy Management Console useful. You can download it from
#* http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en
#:This is primarily useful when you have larger installs and are managing many machines. You may need to download the .NET Framework first.


* Windows 8.1: http://www.microsoft.com/en-us/download/details.aspx?id=39296
== Step 2: Viewing Samba Active Directory Content ==


* Windows 8: http://www.microsoft.com/download/details.aspx?id=28972
# When logged on as a Domain Administrator, start the Active Directory Users and Computers Snap-In, either by clicking Start -> Programs\Administrative Tools\Active Directory Users and Computers, or by clicking Start -> Run 'dsa.msc'
# Expand the samdom.example.com tree to see existing objects in the domain.
#:[[Image:Samba4dsa.msc.jpg]]


* Windows 7: http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en
*Note: You can also manage users using the normal Windows AD user management tools.


* Windows Vista: http://www.microsoft.com/downloads/details.aspx?FamilyId=9FF6E897-23CE-4A36-B7FC-D52065DE9960&displaylang=en
= Setting Up Roaming Profiles =


See the [[Samba_%26_Windows_Profiles|Samba & Windows Profiles HowTo]].


= Adding Organization Units (OU) Into a Samba Domain =


The Organizational Unit (OU) is a powerful feature in Active
Directory. This is a type of container which allows you to drag & drop
users and/or computers into it.


We can link several types of group policies to an OU, and the settings
will push out to all users/computers that sit under the OU. Within a single domain,
you can have as many OUs and sub-OUs as you'd like. The result is that
it can greatly reduce administrative overhead since you are able to
manage everything via an OU. The implementation of Group Policy will
be discussed in the next chapter.


= Installation =
Before we create an OU, we must know what one looks like. By default
we can see a sample OU called 'Domain Controllers', which uses a different
icon in the Windows management tools than the 'users' and 'computers'
containers. We can deploy Group Policy to the users or the computers container.


* Install RSAT using the downloaded installer.
# To create an OU as the Domain Administrator, click Start -> Run -> dsa.msc
# Right click your domain.
# Select New -> Organizational Unit
# Type 'OU Demo'
# You will see a new OU appear, with the name 'OU Demo'.
# You can drag the user 'demo' into the new OU (Don't move other users! Unless you want to get stuck!).
# Right click 'OU Demo', A sub-OU can be created with New -> Organizational Unit.


* Open „Programs and Features“ (use the startmenu/metro search to locate the tool).
Normally OUs are created according to the department setup of your
organization. Be careful not to confuse Groups and OUs. Groups are
used to control permissions, OUs are used for deploying settings to
all users/computers within the OU.


* Click to „Turn Windows features on or off“.
= Implementing Group Policies (GPO) in A Samba Domain =


: Depending on the administrative tasks you want to perform and Samba supports, you can choose which features to install.
Samba Active Directory has support for Group Policies, and can create
the Group Policy on the fly. The basic idea of Group Policies is:-


:Typically administrators install at least the following options (some are required to active additional tabs e. g. in ADUC):
# Group Policies have two kinds of settings: computers and users.
# Computer settings apply to computers, while user settings apply to users.
# We link the group policy to a particular OU, and the group policy will effect all computers/users under the OU.
# To add a group policy, right click 'OU Demo' OU->properties.
# Choose group policy.
# Press new, and name it as 'GP Demo'.
# Press edit to modify the policy.
# Here will demonstrate how to block users from access to the control panel. Open the tree 'User Configuration'->'Administrative Templates'->'Control Panel'.
# Double click on 'Prohibit access to the Control Panel'.
# Press enabled and then press OK. Now the all users under 'OU Demo' won't able to access to the control panel.
# Make sure that the user 'demo' is inside the 'OU Demo' (You can drag and drop it).
# Logout and login as user 'demo'.
# You'll find user demo is not able to access control panel.


:[[Image:Turn_Windows_features_on_or_off_RSAT.png]]
== Notes ==
:User configuration will take effect once you logout and login.
:Computer configuration will take effect when you restart the computer.
:GPO Password Policies are not read by Samba when assigning passwords, to change the policy that Samba uses you must use '''samba-tool domain passwordsettings'''


* After clicking „OK“, the features are getting activated and can be found in the „Administrative tools“ menu.
To learn more about managing and implementing organizational units, group policies, and Active Directory, try a web search for Google in Windows 2003 Active Directory implementation.





= Enabling the „Advanced Features“ view =

Most of the RSAT tools hide content and menu options in their default setting. To enable all features and display the whole content in each program, go to the „View“ menu and activate „Advanced Features“. Typically this option is only visible, when you've marked the root of the tree view. E. g. in ADUC, you see the option in the „View“ menu only when you have clicked to the „Active Directory Users and Computers“ node.

:[[Image:ADUC_enabling_Advanced_Features.png]]





= Reporting incompatibilities and problems =

If you encounter any problems using the Microsoft tools for administrating your Active Directory, please [[Bug_Reporting|report a bug]]

Byside the problem description, please attach a level 10 debug log and if possible a network capture. A great help it is also, if you could provide a network capture against a Microsoft Server, to compare.

Revision as of 20:10, 4 May 2014

Introduction

The easiest way to administrate a Samba Domain and Active Directory is using Microsofts RSAT (Remote Server Administration Tools) on a Windows workstation.

„samba-tool“ already contains many features for common administration jobs, but compared with the RSAT, it is still missing possibilities. Another advantage is, that using these tools, increases the available documentation (books, online, etc.), because it's the same way, than Windows administrators are doing the tasks.



Download



Installation

  • Install RSAT using the downloaded installer.
  • Open „Programs and Features“ (use the startmenu/metro search to locate the tool).
  • Click to „Turn Windows features on or off“.
Depending on the administrative tasks you want to perform and Samba supports, you can choose which features to install.
Typically administrators install at least the following options (some are required to active additional tabs e. g. in ADUC):
File:Turn Windows features on or off RSAT.png
  • After clicking „OK“, the features are getting activated and can be found in the „Administrative tools“ menu.



Enabling the „Advanced Features“ view

Most of the RSAT tools hide content and menu options in their default setting. To enable all features and display the whole content in each program, go to the „View“ menu and activate „Advanced Features“. Typically this option is only visible, when you've marked the root of the tree view. E. g. in ADUC, you see the option in the „View“ menu only when you have clicked to the „Active Directory Users and Computers“ node.

File:ADUC enabling Advanced Features.png



Reporting incompatibilities and problems

If you encounter any problems using the Microsoft tools for administrating your Active Directory, please report a bug

Byside the problem description, please attach a level 10 debug log and if possible a network capture. A great help it is also, if you could provide a network capture against a Microsoft Server, to compare.