Joining a Samba DC to an Existing Active Directory

From SambaWiki
Revision as of 06:38, 26 February 2010

Samba4 joining a domain as a DC

As of Samba4 alpha11, Samba4 has the ability to join an existing Active Directory domain as an additional domain controller. The process of joining a Samba4 server to an existing domain is a bit different from provisioning a new domain. This process is the equivalent of running 'dcpromo' on a Windows server.

This HOWTO will assume you configured and installed Samba in the default location of /usr/local/samba. It assumes you are joining Samba to an existing domain called 'samba.example.com'.

Getting ready for joining Samba as a DC to an existing domain

You need to build Samba4 as usual, but don't do the provision step. You should remove any existing smb.conf at /usr/local/samba/etc/smb.conf before joining.

You should have your Windows domain set up correctly as your default realm in /etc/krb5.conf, and you should have these options set in /etc/krb5.conf:

[libdefaults]
 dns_lookup_realm = true
 dns_lookup_kdc = true
 default_realm = SAMBA.EXAMPLE.COM

You should then test that DNS and Kerberos are set up correctly to point at your existing Windows DC. Test that it is all working by trying a kinit as a domain administrator:

kinit administrator
Password: XXXXXXXX

Once all that is set up you can move on to the main domain join step.
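The three preparation steps above (krb5.conf settings, DNS pointing at the Windows DC, a working kinit) can be checked in one go. The script below is an added example, not part of the Samba project or this HOWTO. It assumes the realm SAMBA.EXAMPLE.COM, the standard AD SRV record names (_kerberos._tcp, _kpasswd._tcp and _ldap._tcp.dc._msdcs), and the "host" tool from bind-utils for the DNS lookups; the krb5.conf parser only reads the [libdefaults] section. Run it with --live to touch the network; without arguments it only defines the functions.

```shell
#!/bin/sh
# Pre-join checks: confirm /etc/krb5.conf carries the three [libdefaults]
# settings, that the AD SRV records resolve, and that "kinit administrator"
# works. Added example, not Samba project code. Assumptions: realm
# SAMBA.EXAMPLE.COM, the "host" tool from bind-utils, and the standard AD
# SRV record names (_kerberos, _kpasswd, _ldap/_msdcs).

# Kerberos realm -> DNS domain (in AD the realm is the upper-cased domain).
realm_to_domain() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z'
}

# The SRV records a joining DC must be able to resolve, one per line.
srv_names() {
    d=$(realm_to_domain "$1")
    printf '%s\n' "_kerberos._tcp.$d" "_kpasswd._tcp.$d" "_ldap._tcp.dc._msdcs.$d"
}

# Value of one key in the [libdefaults] section of a krb5.conf file.
# Prints nothing if the key is absent; "#" and ";" comment lines are skipped.
krb5_libdefault() {   # $1 = file, $2 = key
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { insect = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        insect && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Compare a krb5.conf against what this HOWTO requires. Prints each
# problem found; returns 0 only when all three settings are correct.
check_krb5_conf() {   # $1 = file, $2 = expected realm
    rc=0
    if [ "$(krb5_libdefault "$1" default_realm)" != "$2" ]; then
        echo "default_realm is not $2"; rc=1
    fi
    for k in dns_lookup_realm dns_lookup_kdc; do
        if [ "$(krb5_libdefault "$1" "$k")" != "true" ]; then
            echo "$k is not true"; rc=1
        fi
    done
    return $rc
}

# Network-touching checks; only run when invoked with --live so the file
# can be sourced for its functions offline.
live_checks() {   # $1 = realm
    check_krb5_conf /etc/krb5.conf "$1" || return 1
    for n in $(srv_names "$1"); do
        if ! host -t SRV "$n" >/dev/null 2>&1; then
            echo "no SRV record for $n"; return 1
        fi
    done
    # A TGT for the domain administrator proves DNS, the KDC and the clock agree.
    kinit administrator && klist
}

if [ "${1:-}" = "--live" ]; then
    live_checks "${2:-SAMBA.EXAMPLE.COM}"
fi
```

A failing SRV lookup here usually means the Samba host is not using the Windows DC as its resolver, which is the single most common reason the join step that follows fails.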

Joining the Windows domain as a DC

Run the following command as root:

bin/net vampire samba.example.com -Uadministrator --realm=samba.example.com

It should show a set of debug messages about replicating the domain contents, one per partition, like this:

Partition[CN=Configuration,DC=samba,DC=example,DC=com] objects[1596] linked_values[1]

then it will show a message like this:

mark ROOTDSE with isSynchronized=TRUE
Vampired domain VSOFS8 (S-1-5-21-2848215498-2472035911-1947525656)

At this point you have joined your Samba4 server to the Windows domain, and you are ready to start your Samba domain controller.

Starting Samba

You start samba as a DC in the same way that you start it as a normal server, just run the command 'samba' from the sbin directory of your installation.

When you first start Samba as a new DC in a Windows domain, you may find error messages like these in the Samba log file:

UpdateRefs failed with WERR_DS_DRA_BAD_NC/NT code 0xc00020f8 for 5344d0a6-78a1-4758-be69-b66d933f1123._msdcs.samba.example.com CN=RID Manager$,CN=System,DC=samba,DC=example,DC=com

This is caused by the Windows domain controller not yet having run its Knowledge Consistency Checker (KCC), which means it has not yet created replication connections to the new Samba DC, so the Samba DC's requests to update its replication references are rejected.

To fix this, you can either run "repadmin /kcc" on the Windows DC as an administrator, or you can use the Samba net command to do the same thing, like this:

bin/net drs kcc -Uadministrator windowsdc.samba.example.com

You should then check that replication between the Windows DC and the Samba DC is working correctly by using the net drs showrepl command. Each partition should show a successful last attempt and zero consecutive failures, like this:

Default-First-Site-Name\Windows
DSA Options: 0x00000001
Site Options: (none)
DSA object GUID: 794640f3-18cf-40ee-a211-a93992b67a64
DSA invocationID: 794640f3-18cf-40ee-a211-a93992b67a64

==== INBOUND NEIGHBORS ====

DC=samba,DC=example,DC=com
       Default-First-Site-Name\SAMBA via RPC
               DSA object GUID: 5344d0a6-78a1-4758-be69-b66d933f1123
               Last attempt @ Fri Feb 26 17:25:41 2010 EST was successful.
               0 consecutive failure(s).
               Last success @ Fri Feb 26 17:25:41 2010 EST

CN=Configuration,DC=samba,DC=example,DC=com
       Default-First-Site-Name\SAMBA via RPC
               DSA object GUID: 5344d0a6-78a1-4758-be69-b66d933f1123
               Last attempt @ Fri Feb 26 17:25:41 2010 EST was successful.
               0 consecutive failure(s).
               Last success @ Fri Feb 26 17:25:41 2010 EST

CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com
       Default-First-Site-Name\SAMBA via RPC
               DSA object GUID: 5344d0a6-78a1-4758-be69-b66d933f1123
               Last attempt @ Fri Feb 26 17:25:41 2010 EST was successful.
               0 consecutive failure(s).
               Last success @ Fri Feb 26 17:25:41 2010 EST
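Rather than reading the showrepl output by eye after every KCC run, it can be checked by a script. The one below is an added example, not Samba project code. It assumes the output layout shown above (a partition DN line, a "site\DC via RPC" line, a "Last attempt" line and an "N consecutive failure(s)" line per neighbour), and it assumes net drs showrepl takes the DC name the same way the net drs kcc command above does. The second neighbour in the embedded SAMPLE is constructed to show a failure; the first is the page's own output.

```shell
#!/bin/sh
# Check "net drs showrepl" output for partitions whose last replication
# attempt failed or that carry consecutive failures. Added example, not
# Samba project code. Assumes the output layout shown above. The failing
# neighbour in SAMPLE is constructed for the demo; the first is the page's.

SAMPLE='Default-First-Site-Name\Windows
DSA Options: 0x00000001
==== INBOUND NEIGHBORS ====

DC=samba,DC=example,DC=com
       Default-First-Site-Name\SAMBA via RPC
               DSA object GUID: 5344d0a6-78a1-4758-be69-b66d933f1123
               Last attempt @ Fri Feb 26 17:25:41 2010 EST was successful.
               0 consecutive failure(s).
               Last success @ Fri Feb 26 17:25:41 2010 EST

CN=Configuration,DC=samba,DC=example,DC=com
       Default-First-Site-Name\SAMBA via RPC
               DSA object GUID: 5344d0a6-78a1-4758-be69-b66d933f1123
               Last attempt @ Fri Feb 26 17:31:02 2010 EST failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
               3 consecutive failure(s).
               Last success @ NTTIME(0)
'

# One line per neighbour on stdout, reading showrepl text from stdin:
#   direction|partition|peer|ok-or-failed|consecutive-failures
summarise_showrepl() {
    awk '
        /INBOUND NEIGHBORS/   { dir = "inbound" }
        /OUTBOUND NEIGHBORS/  { dir = "outbound" }
        /^(DC=|CN=)/          { part = $0 }
        /via RPC/             { peer = $1 }
        /Last attempt/        { status = ($0 ~ /was successful/) ? "ok" : "failed" }
        /consecutive failure/ { print dir "|" part "|" peer "|" status "|" $1 }
    '
}

# Exit 0 when every neighbour is healthy; otherwise list the offenders and
# exit 1, so this can gate a post-join script or a periodic check.
check_showrepl() {
    bad=$(summarise_showrepl | awk -F'|' '$4 != "ok" || $5 != 0')
    if [ -n "$bad" ]; then
        printf 'replication problems:\n%s\n' "$bad"
        return 1
    fi
    echo "all neighbours healthy"
}

# --demo checks the constructed sample; --stdin reads real output, e.g.
#   bin/net drs showrepl -Uadministrator windowsdc.samba.example.com | sh check_repl.sh --stdin
case "${1:-}" in
    --demo)  printf '%s' "$SAMPLE" | check_showrepl ;;
    --stdin) check_showrepl ;;
esac
```

Run it against both DCs: the Windows DC's inbound neighbours show whether it pulls from Samba, and the Samba DC's show the reverse, and the KCC problem described above only clears once both directions report success.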

Testing Replication

To check that replication is working correctly between your two domain controllers, try adding a user on the Samba DC using either the Samba command line tools, or the Windows GUI admin tools. Then check that the user shows up within a few seconds on your Windows domain controller.

Similarly, try modifying a user on the Windows domain controller and check that the changes show up correctly on the Samba server.
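The "add a user, watch it appear on the other DC" test above can be scripted so it also reports how long replication took. The script below is an added example, not Samba project code or a tool from this HOWTO. It assumes ldbsearch is installed at /usr/local/samba/bin/ldbsearch, that it can authenticate with the ticket from "kinit administrator" when given "-k yes" (the Kerberos switch of Samba4 of this vintage; an assumption), and that its output ends with a "# returned N records" summary line. Create the user on the Samba DC with whichever tool you use, then run the script with --watch against the Windows DC.

```shell
#!/bin/sh
# Replication smoke test: after creating a user on one DC, poll the other
# DC over LDAP until the object shows up, and report how long it took.
# Added example, not Samba project code. Assumptions: ldbsearch in
# /usr/local/samba/bin, "-k yes" for Kerberos, and a trailing
# "# returned N records" summary line in its output.

# DNS domain -> base DN, e.g. samba.example.com -> DC=samba,DC=example,DC=com
domain_to_basedn() {
    printf '%s\n' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sDC=%s", (i > 1 ? "," : ""), $i
        print ""
    }'
}

# Number of records in ldbsearch output read from stdin (0 if the summary
# line is missing, so callers always get a number to compare).
count_returned() {
    awk '/^# returned [0-9]+ records/ { n = $3 } END { print n + 0 }'
}

# Look one sAMAccountName up on one DC; prints the match count.
ldap_lookup() {   # $1 = DC host, $2 = base DN, $3 = sAMAccountName
    /usr/local/samba/bin/ldbsearch -H "ldap://$1" -k yes -b "$2" \
        "(sAMAccountName=$3)" dn 2>/dev/null | count_returned
}

# Poll a lookup function (passed by name, so it can be swapped for a stub)
# once a second until it returns a count above 0 or the timeout passes.
# Prints the seconds waited; returns 1 on timeout.
wait_for_object() {   # $1 = lookup function, $2 = timeout seconds, rest = lookup args
    lookup=$1; timeout=$2; shift 2
    waited=0
    while :; do
        if [ "$("$lookup" "$@")" -gt 0 ]; then
            echo "$waited"; return 0
        fi
        if [ "$waited" -ge "$timeout" ]; then
            echo "$waited"; return 1
        fi
        sleep 1; waited=$((waited + 1))
    done
}

# Usage, after creating testuser on the Samba DC:
#   sh repl_test.sh --watch windowsdc.samba.example.com testuser samba.example.com
if [ "${1:-}" = "--watch" ]; then
    base=$(domain_to_basedn "${4:-samba.example.com}")
    if t=$(wait_for_object ldap_lookup 60 "$2" "$base" "$3"); then
        echo "$3 replicated to $2 after ${t}s"
    else
        echo "$3 still missing on $2 after ${t}s"; exit 1
    fi
fi
```

Running the same watch in the other direction (user created on the Windows DC, ldbsearch pointed at the Samba DC) covers the second half of the test, and a timeout in either direction is the cue to go back to net drs showrepl.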

Report your success/failure!

Samba4 as a replicating domain controller is still developing rapidly, and we would like to hear from users about their successes and failures. While Samba4 is still in alpha release we would encourage you to report both your successes and failures to the samba-technical mailing list on http://lists.samba.org

Please be aware that Samba4 is not complete, so you should deploy it carefully until it is ready for a non-alpha release.