Joining a Windows Client or Server to a Domain: Difference between revisions

From SambaWiki
(Add section 'Samba AD vs. MS AD compatibility' including 4 FAQs)
m (/* added Windows 2019 as domain member)
 
(27 intermediate revisions by 2 users not shown)
'''Previous revision''' (the Samba AD FAQ content replaced by the revisions listed above):

The questions and answers on this page have been extracted from the [http://lists.samba.org/archive/samba-technical/ Samba technical mailing list].

= General =

== Can I use Samba 4.0 as an AD DC on my production server right now? ==

We have now released Samba 4.0, and a number of users have it in use in a production environment. All the features from the Samba 3.6 series are now available, for example, the file server in the smbd binary.

Of course, normal Systems Administration caution is generally advised, as an AD Domain is the central hub for authentication on a network. We also advise participation on our mailing lists to discuss any issues that arise.

We do however encourage people to try Samba 4.0 as an AD DC, report bugs, and give feedback.

== When will Samba 4.0 releases be made? ==

For the current Samba 4.0 and 4.x release plans, please see [[Samba Release Planning]].

== How to do or fix ... in an outdated Samba version? ==

Often people ask for help/support for very outdated versions on the mailing lists or other places. You should really consider moving to a recent version (best would be the latest version of the current series). See the [[Samba_Release_Planning|Samba Release Planning page]] to get an overview of which versions are still maintained.

Every release of Samba improves its features, fixes many bugs and adds more compatibility. In many cases, upgrading fixes the problems people are having with their old versions. Often, not even the developers can say when the requested feature was added to Samba. If your problem turns out to be a bug, then it will only be fixed in maintained version trees. So please consider upgrading; you will have a much better chance of getting a response and help from other users and developers on the mailing lists, etc.

If you are required to run an outdated version that was shipped with your distribution and it is out of maintenance by Samba, you should contact your vendor (Red Hat, SuSE, etc.) for support.

If you were brought here by a response to one of your questions somewhere, please consider this as a first try to help.

== How do I update from Samba 3.x to 4.x? ==

See the [[Updating_Samba|Updating Samba HowTo]].

== Can I provision a member or a standalone server? ==

Whilst 'samba-tool domain provision --help' shows this as one of the options:

--server-role=ROLE The server role (domain controller | dc | member server | member | standalone). Default is dc.

the only server role that you can provision at the moment is 'domain controller', or 'dc' for short. The other options will not work yet, so if you require a member server, see the [[Setup_a_Samba_AD_Member_Server|Setup_a_Samba_AD_Member_Server]] HowTo.

= Samba AD vs. MS AD compatibility =

== Does Samba AD allow Windows Server 2008 / 2008 R2 to be joined as DC? ==

Yes. See [[Joining_a_Windows_Server_2008_/_2008_R2_DC_to_a_Samba_AD|Joining a Windows Server 2008 / 2008 R2 DC to a Samba AD]].

== Does Samba AD allow Windows Server 2008 / 2008 R2 to be joined as Member Server? ==

Yes. See [[Joining_a_Windows_Client_to_a_Domain|Joining a Windows Client to a Domain]]. The join is done like for Windows workstations.

== Does Samba AD allow Windows Server 2012 / 2012 R2 to be joined as DC? ==

No. See the FAQ [[#Does_Samba_support_MS_AD_schema_extensions.3F|Does Samba support MS AD schema extensions?]] for details.

== Does Samba AD allow Windows Server 2012 / 2012 R2 to be joined as Member Server? ==

Yes. See [[Joining_a_Windows_Client_to_a_Domain|Joining a Windows Client to a Domain]]. The join is done like for Windows workstations.

= Configuration Parameters =


== Can I turn off some of the 'server services' options? ==


The options of 'server services' are set during the Samba AD DC provisioning/join and are based on the choices made during this process. If 'server services' is not in your smb.conf, this only means that the parameter is at its default.


All of the parameters set are required. The only reasonable changes are:

* Disable spoolss:

server services = ... -spoolss

* [[Changing_the_DNS_backend#Changing_from_Samba_Internal_DNS_to_BIND_DLZ|Change DNS backend from Samba Internal to BIND9_DLZ]]:

server services = ... -dns

* [[Changing_the_DNS_backend#Changing_from_BIND_DLZ_to_Samba_Internal_DNS|Change DNS backend from BIND9_DLZ to Samba Internal]]:

server services = ... dns



== If all server services options are required for an AD DC, why is this parameter required at all? ==

It wasn't ever intended that the 'server services' parameter would be something that admins would even see, but a late change in development (the final merge of the file servers) caused this to gain much more prominence than was ever expected.

If you use the internal DNS, then you can remove the 'server services' parameter completely from your smb.conf. All AD required services are started by default automatically.

If you use BIND_DLZ, then the following short version is enough (all other services are started by default automatically):

server services = -dns



== I keep getting asked for username/password when trying to access a public share on the AD DC. ==

In a non-AD domain, you can use 'map to guest = bad user' in smb.conf to allow Windows machines that are not part of the domain to access public shares. This does not work in an AD domain: guest access to the domain needs to be based on the 'guest' account being enabled, but unfortunately this is not yet implemented.

= Replication =

== Is replication of Active Directory supported by a Samba AD DC? ==

Yes. Everything that is done inside the Active Directory (user/group management, ACL changes, etc.), is replicated to other DCs.



== Is SysVol share replication supported by a Samba AD DC? ==

It's currently not implemented, but as a workaround you can replicate changes, e.g. with rsync. Depending on the kind of workaround you choose, you may have to make changes on only one DC, if your tool doesn't support bi-directional replication. You can find a [[SysVol_Replication|HowTo for an rsync-based replication]] on the Wiki.



== Message: Warning: No NC replicated for Connection! ==

When Samba registers for replication, there are a couple of flags that aren't set correctly. That's what the DRS command shows: they are not set. It's pretty harmless and you can ignore this warning.



== Is it possible to replicate between Samba AD and an external LDAP server? ==

No. This is currently not supported and is not expected to be supported. The Active Directory LDAP has a different schema layout from the LDAP with which Samba 3.x was traditionally deployed; this is just one of the many serious issues.

== How do I get DNS failover in a Multi-DC environment? ==

* First set up your additional DC following the [[Samba_AD_DC_HOWTO|Samba AD DC HowTo]]. You just skip the provisioning/upgrading part.

* Then join your new DC to the domain. See [[Join_a_domain_as_a_DC|Join Samba as an additional DC]].

* In the output of "samba-tool drs showrepl", you should see that the DNS partition was successfully replicated.

* Finally you have to configure your clients to also use the DNS on the additional DC.



== Why does directory replication fail to Windows servers for git build Samba <= 4.1.13? ==

Please check:

# samba-tool testparm -v --suppress-prompt | grep samba_kcc
samba kcc command = /usr/local/samba/sbin/samba_kcc

If your result is as shown above, add the following line to your smb.conf:

kccsrv:samba_kcc = false

= Joining A Domain As Domain Controller =

== Error "UpdateRefs failed with WERR_DS_DRA_BAD_NC/NT" in Logfiles ==

When you start Samba for the first time as a new Domain Controller in an existing Windows domain, you may find error messages like the following in the Samba logfiles:

UpdateRefs failed with WERR_DS_DRA_BAD_NC/NT code 0xc00020f8 for 5344d0a6-78a1-4758be69-66d933f1123._msdcs.samdom.example.com CN=RID Manager$,CN=System,DC=samba,DC=example,DC=com

This is caused by the Knowledge Consistency Checker (KCC) not having been run by the Windows Domain Controller yet, which means it has not yet created connections to the new Samba DC.

To fix this, you can either run "repadmin /kcc" on the Windows DC as an Administrator, or use the samba-tool command to do the same thing, like this:

# samba-tool drs kcc -Uadministrator windowsdc.samdom.example.com



== Message: "Failed to find our own NTDS Settings invocationId in the ldb!" during joining ==

Check if you have an existing <tt>smb.conf</tt> and remove it before joining.





= DNS =

== Can the internal DNS have more than one forwarder? ==

No. If you require more than one host to forward foreign requests to, you must use BIND_DLZ.





= Trusts =

== Does Samba support trust relationship with AD? ==

Trust support is currently not completely implemented: Samba can be trusted, but can't trust yet.

But even this is unofficial and should not be relied on, because
"[https://lists.samba.org/archive/samba/2014-July/182830.html parts that appear to work are a partial development that just happen to be in our released versions]" (July 2014).



== Do trusts only fail in Samba-AD-only environments, and work fine in Samba AD/Windows environments? ==

No. The Samba DC just won't know much about the trust.






= Kerberos =

== How to disable des and rc4 in the AD DC? ==

'samba-tool domain exportkeytab' exports keytab files including arcfour-hmac-md5, des-cbc-md5 and des-cbc-crc. The 'allow_weak_keys = false' option (which is the default) in krb5.conf is the tool for controlling this. Currently this only disables DES, and only at runtime, not at the layer the keytab export uses.

When Heimdal is updated, this has to be done carefully, because arcfour-hmac-md5 has been declared weak, and disabling it will break Windows 2003 and Windows XP clients.

Additionally, until Samba 4.2, Samba defaulted to the Windows 2003 functional level, so it has not been storing the newer AES keys.





= GPO =

== Is it possible to set user-specific password policies in Samba4 (e.g. on an OU basis)? ==

Samba can't handle GPO restrictions. You have to use 'samba-tool domain passwordsettings' to change password policies. But this only applies on domain level.

Background: The password settings have to be used and validated by the server. Otherwise a modified Windows client or a Unix client (which doesn't handle GPOs) could bypass these settings. But Samba can't evaluate and apply GPO restrictions. It only serves GPOs via the SysVol share.



== Incompatible permissions of GPO objects and SysVol share ==

If you click on a GPO in GPMC, you get the message "The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. To change the SYSVOL permissions to those in Active Directory, click OK." Clicking OK won't fix the problem. Instead run

# samba-tool ntacl sysvolreset





= LDAP backend =

== Will Samba 4 have a built-in, full-fledged LDAP server? ==

Yes. While we certainly won't compare ourselves with the
standards-based products from other vendors (our aim is to please AD
clients first, and hopefully do so while complying with the standards),
it will include an LDAPv3 server.



== Why is the LDAP backend (used so successfully in classic Samba domains) not supported with the AD DC? ==

We certainly appreciate the bind that the LDAP server situation puts our administrators in. We went to great lengths to try and avoid this, but were unable to make it work, while also supporting features such as DRS replication, and many of the finer points of AD's LDAP server. The biggest killer for the feature was the need for runtime schema translation, or for the administrator to load the AD schema and layout on their external LDAP server (which rather defeats the purpose).

There are three ways out of this difficult situation:
* continue to use Samba as a 'classic' domain controller as-is using smbd/nmbd (this code remains and remains supported).
* Add schema extensions to our LDAP server (disabled by default, but supported), and cope with the AD-specified layout restrictions.
* Somehow sync Samba with an existing LDAP server.

There are major challenges with synchronisation of directories - but it certainly may be an option in some situations.

We certainly understand that it appears almost rude, on the face of it, to step up from being an equal partner in the unix-LDAP ecosystem supporting a number of different directory servers to demanding that everyone else use only our internal server. We do wish it didn't have to be this way, and we have left in (with tests) as much of the code we used for the [[Samba4/LDAP Backend|LDAP backend]] experiment as is possible, in case somehow someone builds a workable use case in the future.



== Is it planned to support OpenLDAP as backend again? ==

An LDAP backend to the AD DC is not a viable proposition
at this point in time, as even with the addition of massive extra
resources trying to revive it would create an incredible distraction.

The biggest issue is that a significant part of the complexity of the AD
DC turns out to be in our ldb modules. Creating a general-purpose,
OpenLDAP backed AD DC would involve rewriting many of these modules as
OpenLDAP overlays, outside the standard Samba programming environment.

Totally removing the LDAP listener would require rewriting even more code than that,
and would (based on the past experience of Luke Howard's XAD) require extensive patches to OpenLDAP.

Specific issues include the metadata required for both DRS replication
and dirsync, schema manipulation, transactions, Access Control Lists,
impersonation (if Samba still operated as an LDAP proxy) or authentication
(if OpenLDAP was the LDAP listener) and AD-specific matching
rules.

The components of LDAP that are left unaltered, after all this is done, are actually the easy bits, as is seen by the relative simplicity of ldb itself.

Finally, as mentioned in the previous question, even if this was all done, the schema would still be the AD
schema, which removes the advantage of doing all that work in the first
place.

The team has decided not to pursue this as a development avenue, and no viable approach to re-opening this functionality has been proposed, but where it does not compromise development, the technical doors for some special-case development here have been left open, with code and tests remaining in the tree.



== Are anonymous LDAP searches possible? ==

While there are many good reasons to do or not do this, Samba follows AD, including honouring the dsHeuristics flag for this: [http://support.microsoft.com/kb/326690 http://support.microsoft.com/kb/326690]

However, it is better to authenticate, and Kerberos, if used correctly, can make that transparent.





= Migration from a Samba NT4-style domain to Samba AD =

== User 'Administrator' in your existing directory has SID ..., expected it to be ...-500 ==

The error says what's wrong: in your NT4-style domain backend, the RID of the domain administrator account isn't 500, which it should be (see [http://support.microsoft.com/kb/243330/en Windows well-known security identifiers]). Change it to 500 and start over. You can also remove the account, as it will be created automatically during the AD provisioning.





= Schemas =

== Will it also be possible in the future to extend the server by loading user-defined schemas? ==

Yes, [[Samba_AD_Schema_Extenstions|user-defined schema]] may be loaded into the Samba AD DC. It is experimental, so you must set

dsdb:schema update allowed = yes

in the smb.conf to permit it.



== Does Samba support MS AD schema extensions? ==

Samba is shipped with AD schema version 47 (MS Windows Server 2008 R2). Schema updates, as they are required when adding a DC running Windows Server 2012 or newer, are currently not supported by the Samba backend. The schema update against a Samba DC will fail, and if done against a Windows 2008 R2 DC in the domain, it will break AD replication with all Samba DCs and make your AD inconsistent!
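An added PowerShell check, not part of the Samba wiki page, that reads the domain's schema version over LDAP before a Windows DC is added, so the unsupported schema update described above (and the replication breakage it causes) can be caught in advance. It assumes the host is domain-joined or that -Server names a DC; dc1.samdom.example.com is a sample value.

```powershell
# Reads the AD schema version via LDAP before a Windows DC is added to a Samba AD domain.
# Added example, not part of the Samba wiki page. Assumption: the host is joined to the
# domain, or -Server names a DC (dc1.samdom.example.com is a sample value), and the
# caller can read the Configuration partition.
param(
    [string]$Server = ""   # e.g. "dc1.samdom.example.com"; empty = locate a DC automatically
)

# Schema version Samba ships, as stated on this page: 47 = Windows Server 2008 R2.
$SambaSchemaVersion = 47

function Get-SchemaVersion {
    param([string]$Server)
    $prefix = if ($Server) { "LDAP://$Server/" } else { "LDAP://" }
    # RootDSE publishes the DN of the schema partition.
    $rootDse  = [ADSI]"${prefix}RootDSE"
    $schemaDn = $rootDse.schemaNamingContext.Value
    # objectVersion on the schema container is the schema version number.
    $schema = [ADSI]"$prefix$schemaDn"
    [pscustomobject]@{
        SchemaDn = $schemaDn
        Version  = [int]$schema.objectVersion.Value
    }
}

$info = Get-SchemaVersion -Server $Server
Write-Host "Schema partition : $($info.SchemaDn)"
Write-Host "Schema version   : $($info.Version)"

if ($info.Version -eq $SambaSchemaVersion) {
    Write-Host "Version $SambaSchemaVersion is the 2008 R2 schema that Samba ships."
    Write-Warning ("Adding a Windows Server 2012 or newer DC requires a schema update that " +
                   "Samba DCs do not support; doing it anyway breaks replication with them.")
} elseif ($info.Version -gt $SambaSchemaVersion) {
    Write-Warning "Schema version $($info.Version) is above $SambaSchemaVersion; Samba DCs cannot replicate this domain safely."
} else {
    Write-Warning "Schema version $($info.Version) is below $SambaSchemaVersion; unexpected for a Samba AD DC."
}
```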





= WINS =

== Why is Network Neighbourhood empty or does not show all machines in a Samba AD environment? ==

The master browser code in smbd does not collect names because the NetBIOS server in the AD DC does not have the browsing code in it. We would like to add that, but it is just a matter of a developer finding it to be a personal (or employer) priority. (Sadly, on the AD DC there isn't spare developer time just floating around.)

As a workaround, you can try Samba4Wins: [ftp://ftp.sernet.de/pub/samba4wins/ ftp://ftp.sernet.de/pub/samba4wins/]

Latest revision as of 11:53, 4 May 2020

= Introduction =

After setting up a [[Active_Directory_Domain_Controller|Samba Active Directory (AD)]] or a [[NT4_Domains|Samba NT4 domain]], you have to join machines to the domain. Only machines joined to the domain are enabled to use domain resources. During the join, a machine account is created in the domain to authenticate the computer as a member.

In case you are joining a Windows Server <u>as a domain controller (DC)</u> to an AD, see:
* [[Joining_a_Windows_Server_2008_/_2008_R2_DC_to_a_Samba_AD|Joining a Windows Server 2008 / 2008 R2 DC to a Samba AD]]
* [[Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD|Joining a Windows Server 2012 / 2012 R2 DC to a Samba AD]]

Use this documentation for joining a Windows client or server operating system to a Samba AD or Samba NT4 domain as a domain member.

= System Requirements =

== Supported Windows Versions ==

To join a domain, the Windows edition requires the corresponding capabilities. You can join the following Windows operating systems as a domain member:

<u>Workstation editions:</u>
* Windows 10: Pro, Enterprise, and Education
* Windows 8 and 8.1: Pro and Enterprise
* Windows 7: Professional, Ultimate, and Enterprise
* Windows Vista: Business, Ultimate, and Enterprise
* Windows XP: Professional
* Windows 2000: Professional
* Windows NT4 ''(only NT4 domain support)''

<u>Server (all editions):</u>
* Windows Server 2019
* Windows Server 2016
* Windows Server 2012 and 2012R2
* Windows Server 2008 and 2008R2
* Windows Server 2003 and 2003R2
* Windows Server 2000

== Permissions ==

To join a machine to a domain you require:
* local administrator permissions on the computer you want to join
* credentials of a domain account that is enabled to join machines to the domain. For example:
** the domain administrator account
** an account with [[Delegation/Joining_Machines_to_a_Domain|delegated permissions]] (AD only)
: Note that in an AD, authenticated user accounts are enabled to join up to 10 machines to the domain, if the administrator has not disabled the feature. See https://support.microsoft.com/kb/243327/en

== Required Settings for NT4 Domains ==

If you are joining the host to a Samba NT4 domain, some Windows operating systems require modifications. See [[Required_Settings_for_Samba_NT4_Domains|Required Settings for Samba NT4 domains]].

= DNS Settings (AD only) =

In an Active Directory (AD), a working DNS configuration is indispensable. AD uses DNS to locate domain controllers (DC), resolve host names, and for many other tasks. Ensure that the client has at least one DNS server configured that is able to resolve the AD DNS zone. For further information, see [[Windows_DNS_Configuration|DNS Configuration on Windows Hosts]].

= Date and Time Settings (AD only) =

Active Directory uses Kerberos for authentication. Kerberos requires that the domain member and the domain controllers (DC) have synchronised time. If the difference exceeds [http://technet.microsoft.com/en-us/library/cc779260%28v=ws.10%29.aspx 5 minutes] (default), the client is not able to access domain resources for security reasons.

Before you join the domain, check the time configuration:

* Open the <code>Control Panel</code>.
* Navigate to <code>Clock, Language and Region</code>.
* Click <code>Date and Time</code>.
* Verify the date, time, and time zone settings. Adjust the settings, if necessary.
* Click <code>OK</code> to save the changes.

= Joining a Windows Client or Server to a Domain =

* Open the <code>Control Panel</code>.
* Navigate to <code>System and Security</code> / <code>System</code>.
* Click <code>Change settings</code>, next to the computer name.
* On the <code>Computer Name</code> tab, click the <code>Change</code> button.
* Verify the computer name. If you rename the computer, reboot before joining the domain.
* Select <code>Domain</code>, enter the name of your domain, and click <code>OK</code>.
:[[Image:Join_Enter_Domain_Name.png]]
: Active Directory (AD) only: You can enter the NetBIOS name of the domain, if your client is able to resolve it. For example: <code>samdom</code> instead of <code>samdom.example.com</code>.
* Enter the credentials of an account that is able to join a computer to the domain. For example, the domain administrator account. Click <code>OK</code> to continue.
* Reboot the computer after the computer successfully joined the domain.

----
[[Category:Active Directory]]
[[Category:Domain Members]]
[[Category:NT4 Domains]]
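The checks this page asks for before the join (local administrator rights, DNS resolution of the AD zone, clock skew within the 5-minute Kerberos tolerance) followed by the join itself, as an added PowerShell example that is not part of the Samba wiki page. The domain samdom.example.com and the administrator account are assumed sample values, and the script assumes Windows 8 / Server 2012 or newer and DCs that answer NTP queries.

```powershell
# Pre-join checks for a Windows host joining a Samba AD domain, then the join itself.
# Added example, not part of the Samba wiki page. Assumptions: the domain is
# samdom.example.com (sample value), the script runs in an elevated PowerShell
# session on Windows 8 / Server 2012 or newer, and the DCs answer NTP queries.
param(
    [string]$Domain = "samdom.example.com",   # assumed sample domain name
    [int]$MaxSkewSeconds = 300                # Kerberos default tolerance: 5 minutes
)
$ErrorActionPreference = "Stop"

# 1. Local administrator rights are required to change the domain membership.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this script from an elevated (Administrator) PowerShell session."
}

# 2. DNS: the client must be able to resolve the AD zone. Windows locates DCs via the
#    _ldap._tcp.dc._msdcs.<domain> SRV record, so resolving it proves that the DNS
#    server configured on this host serves the AD zone.
$records = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV
$dcs = @($records | Where-Object { $_.Type -eq "SRV" } | ForEach-Object { $_.NameTarget })
if ($dcs.Count -eq 0) {
    throw "No DC SRV records for $Domain; check the DNS server settings of this host."
}
Write-Host "Domain controllers found via DNS: $($dcs -join ', ')"

# 3. Time: Kerberos rejects requests when client and DC clocks differ by more than
#    5 minutes. w32tm /stripchart prints the offset to the DC; take the last sample.
$dc = $dcs[0]
$output  = & w32tm /stripchart "/computer:$dc" /samples:3 /dataonly 2>&1
$offsets = @(foreach ($line in $output) {
    if ("$line" -match '([+-]\d+\.\d+)s') { [double]$Matches[1] }
})
if ($offsets.Count -eq 0) {
    Write-Warning "Could not measure the clock offset against $dc; verify the time settings manually."
} else {
    $skew = [math]::Abs($offsets[-1])
    if ($skew -gt $MaxSkewSeconds) {
        throw "Clock skew to $dc is $skew s (limit $MaxSkewSeconds s); fix the time settings before joining."
    }
    Write-Host ("Clock skew to {0}: {1:N3} s, within tolerance" -f $dc, $skew)
}

# 4. Join with an account that is allowed to join machines (the domain administrator
#    or an account with delegated permissions). Add-Computer asks for the password,
#    and -Restart performs the reboot the page requires after a successful join.
$cred = Get-Credential -UserName "administrator@$Domain" -Message "Account allowed to join machines"
Add-Computer -DomainName $Domain -Credential $cred -Force -Restart
```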