Joining a Windows Server 2008 / 2008 R2 DC to a Samba AD

From SambaWiki
= Introduction =


You can join a Windows Server 2008 or 2008 R2 host as a domain controller (DC) to a Samba Active Directory (AD). This process differs from joining a Windows server as a [[Joining_a_Windows_Client_or_Server_to_a_Domain|member server]]: a writable DC receives a complete replica of the directory, including all account secrets, so the new host, the credentials used for the join and the DSRM password deserve the same protection as the existing DCs.


If you want to join a computer running a Windows Server operating system as a domain member instead, see [[Joining_a_Windows_Client_or_Server_to_a_Domain|Joining a Windows Client or Server to a Domain]].


This documentation is valid only for Microsoft Windows Server 2008 and 2008 R2.






== Server information ==


This documentation uses the following configuration:


'''Existing Samba DCs in the domain:'''
 Domain Controllers: DC1 (10.99.0.1), DC2 (10.99.0.2)
 DCs also act as DNS servers: yes
'''Domain information:'''
 DNS Domain Name: samdom.example.com
 NT4 Domain Name (NetBIOS): SAMDOM
 DNS Servers: 10.99.0.1, 10.99.0.2
 Domain Administrator: Administrator
 Domain Administrator Password: passw0rd
'''Windows DC additionally joined to the domain:'''
 Hostname: DC3
 IP Address: 10.99.0.3
 Operating System: Microsoft Windows Server 2008 R2




= Network Configuration =


* Click the <code>Start</code> button, search for <code>View network connections</code>, and open the search entry.


* Right-click your network adapter and select <code>Properties</code>.


* Configure the IP settings:
:* Assign a static IP address, and enter the subnet mask and the default gateway.
:* Enter the IP of a DNS server that is authoritative for the AD DNS zone, such as one of the existing Samba DCs (<code>10.99.0.1</code> or <code>10.99.0.2</code> in this example). The join locates the existing DCs through the SRV records in that zone, so a DNS server that cannot resolve them makes the promotion fail.


* Click <code>OK</code> to save the settings.


= Date and Time Settings =


Active Directory uses Kerberos for authentication. Kerberos requires that the domain member and the domain controllers (DC) have synchronised clocks. If the difference exceeds [http://technet.microsoft.com/en-us/library/cc779260%28v=ws.10%29.aspx 5 minutes] (the default maximum tolerance for clock skew), Kerberos rejects the tickets and the client cannot access domain resources. The DC promotion authenticates against the existing DCs with Kerberos as well, so an out-of-sync clock makes the join itself fail.


Before you join the domain, check the time configuration:


* Open the <code>Control Panel</code>.


* Navigate to <code>Clock, Language and Region</code>.


* Click <code>Date and Time</code>.


* Verify the date, time, and time zone settings. Adjust the settings, if necessary.


* Click <code>OK</code> to save the changes.


= Joining the Windows Server to the Domain =
* Select <code>Start</code> / <code>Run</code>, enter <code>dcpromo.exe</code> and click <code>OK</code>.


* Windows Server checks whether the required features are already installed and installs them automatically, if necessary:


:[[Image:Join_Win2008R2_dcpromo_install.png]]


* Check <code>Use advanced mode installation</code>. This mode displays additional options in later steps, such as selecting the DC to replicate from. Click <code>Next</code>.


* Read the <code>Operating System Compatibility</code> information and click <code>Next</code>.


* Select <code>Existing forest</code> / <code>Add a domain controller to an existing domain</code>, and click <code>Next</code>.


:[[Image:Join_win2008R2_Deployment_Configuration.png]]


* Enter the Samba AD domain name and the credentials of an account that is allowed to join a DC to the domain, such as the domain administrator account. Click <code>Next</code>.


:[[Image:Join_Win2008R2_Network_Credentials.png]]


* If the forest contains multiple domains, the <code>Select a Domain</code> window lists all of them. Select the domain to join and click <code>Next</code>.


:[[Image:Join_Win2008R2_Select_Domain.png]]


* If AD sites are configured, select the site for the new DC. Otherwise continue using the <code>Default-First-Site-Name</code> site. Click <code>Next</code>.


:[[Image:Join_Win2008R2_Select_Site.png]]


* Select the options to enable on the new DC and click <code>Next</code>. This documentation assumes that the new DC is installed with the <code>DNS server</code> and <code>Global catalog</code> options. If you enable the <code>DNS server</code> option, make sure that the network configuration of the server lists at least one DNS server that is authoritative for the DNS zone of this domain; the wizard shows a corresponding message in the information box.


:[[Image:Join_Win2008R2_DC_Options.png]]


* If you enabled the <code>DNS server</code> option in the previous step, you may see a note that a delegation for this DNS server cannot be created. Click <code>Yes</code> to continue.


:[[Image:Join_Win2008R2_DNS_Delegation_Failed.png]]


* In the <code>Install from Media</code> window, select <code>Replicate data over the network from an existing domain controller</code> and click <code>Next</code>.


:[[Image:Join_win2008R2_Install_From_Media.png]]


* Select a DC as the source for the initial directory replication, or let the installation wizard choose an appropriate DC. Click <code>Next</code>.


:[[Image:Join_Win2008R2_Choose_DC_For_Replication.png]]


* Set the folders for the AD database, the log files and the Sysvol folder. Click <code>Next</code>.


:[[Image:Join_win2008R2_Folder_Locations.png]]


* Set a Directory Services Restore Mode (DSRM) administrator password. It is required to boot the Windows DC into safe mode to restore or repair the AD. Anyone who knows this password and has console access to the DC can read the directory database offline, so choose it with the same care as the domain administrator password and store it securely. Click <code>Next</code>.


:[[Image:Join_win2008R2_DSRM_Password.png]]


* A summary is displayed. Verify your settings and click <code>Next</code> to start the DC promotion.


* The wizard installs the selected options, replicates the directory, and so on. Depending on the size of your directory and the available bandwidth, this may take some time.


:[[Image:Join_Win2008R2_Join_Process.png]]


* Verify that all DC-related DNS records have been created during the promotion. See [[Verifying and Creating a DC DNS Record|Verifying and Creating a DC DNS Record]]. If records are missing, add them manually.
:{{Imbox
| type = important
| text = Do not continue without verifying the DNS records. They must exist for a working directory replication!
}}


* After the wizard has completed, click <code>Finish</code>.


:[[Image:Join_win2008R2_Join_Completed.png]]


* Restart the computer.


The Windows server now acts as an AD DC.
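The record check above is easy to do once by hand and easy to forget on the next join. The following is an added example for a Samba DC, not code from the Samba wiki or the Samba project: it enumerates the records the new DC must own and queries each of them. It assumes the <code>host</code> utility from bind-utils and the values of this page: domain <code>samdom.example.com</code>, site <code>Default-First-Site-Name</code>, host <code>DC3</code> with address <code>10.99.0.3</code>, and the DSA object GUID <code>dfaec3fb-7546-4153-ba01-605e5efa27f9</code> that <code>samba-tool drs showrepl</code> reports for DC3 further below. The record set is my assumption of what an AD DC registers and is deliberately a subset: it omits <code>_ldap._tcp.pdc._msdcs</code> (PDC emulator only) and the record below <code>domains._msdcs</code>, which needs the domain GUID. Compare it with the linked page.

```bash
#!/usr/bin/env bash
# Added example, not part of the Samba wiki page: list the DNS records a newly
# promoted DC must own and query each of them on one of the Samba DCs. Assumes
# the `host` utility (bind-utils) and the values used on this page. The record
# set is the one AD DCs normally register and is an assumption of this example;
# it omits _ldap._tcp.pdc._msdcs (PDC emulator only) and the record below
# domains._msdcs, which needs the domain GUID.
set -u

# Print "TYPE NAME" for every record the DC must own. The GC records are only
# expected when the DC was promoted with the Global catalog option (gc=yes).
expected_dc_records() {
    local domain="$1" site="$2" host="$3" guid="$4" gc="${5:-yes}" svc
    printf 'A %s.%s\n' "$host" "$domain"
    printf 'CNAME %s._msdcs.%s\n' "$guid" "$domain"        # DSA object GUID
    for svc in _ldap._tcp _kerberos._tcp; do
        printf 'SRV %s.%s\n' "$svc" "$domain"
        printf 'SRV %s.%s._sites.%s\n' "$svc" "$site" "$domain"
        printf 'SRV %s.dc._msdcs.%s\n' "$svc" "$domain"
        printf 'SRV %s.%s._sites.dc._msdcs.%s\n' "$svc" "$site" "$domain"
    done
    printf 'SRV _kerberos._udp.%s\n' "$domain"
    printf 'SRV _kpasswd._tcp.%s\n' "$domain"
    printf 'SRV _kpasswd._udp.%s\n' "$domain"
    if [ "$gc" = yes ]; then
        printf 'SRV _gc._tcp.%s\n' "$domain"
        printf 'SRV _gc._tcp.%s._sites.%s\n' "$site" "$domain"
        printf 'SRV _ldap._tcp.gc._msdcs.%s\n' "$domain"
        printf 'SRV _ldap._tcp.%s._sites.gc._msdcs.%s\n' "$site" "$domain"
    fi
}

# True when the answer for NAME on SERVER mentions EXPECT (the DC's address for
# the A record, its FQDN for the CNAME target and the SRV targets).
record_present() {
    local type="$1" name="$2" server="$3" expect="$4"
    host -t "$type" "$name" "$server" 2>/dev/null | grep -qiF -- "$expect"
}

# Query every expected record against one DNS server and print OK/MISSING per
# record. Exit status 1 when at least one record is missing.
check_dc_records() {
    local domain="$1" site="$2" host="$3" guid="$4" ip="$5" server="$6" gc="${7:-yes}"
    expected_dc_records "$domain" "$site" "$host" "$guid" "$gc" |
    while read -r type name; do
        if [ "$type" = A ]; then expect="$ip"; else expect="$host.$domain"; fi
        if record_present "$type" "$name" "$server" "$expect"; then
            printf 'OK      %s %s\n' "$type" "$name"
        else
            printf 'MISSING %s %s\n' "$type" "$name"
        fi
    done | awk '{ print } /^MISSING/ { n++ } END { exit (n > 0) }'
}

# Usage on a Samba DC with the values of this page (queries the DNS server on DC1):
#   check_dc_records samdom.example.com Default-First-Site-Name DC3 \
#       dfaec3fb-7546-4153-ba01-605e5efa27f9 10.99.0.3 10.99.0.1
```

Every <code>MISSING</code> line is a record to create on the Samba DNS, for example with <code>samba-tool dns add</code>; run the check again afterwards and only continue when it exits with status 0.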


= Directory Replication =


A few minutes after the new DC has started, the connections to the other DCs are established automatically and the replication begins. On a Samba DC, you can verify this with the following command. The new Windows DC (<u>DC3</u>) must show up as an inbound and as an outbound neighbor for every naming context, with <code>0 consecutive failure(s)</code>:


'''# samba-tool drs showrepl'''
Default-First-Site-Name\DC1
DSA Options: 0x00000001
DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
DSA invocationId: 96bc0d6f-9cea-4011-b9a1-0e9971009b20
==== INBOUND NEIGHBORS ====
DC=DomainDnsZones,DC=samdom,DC=example,DC=com
Default-First-Site-Name\DC2 via RPC
DSA object GUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48
Last attempt @ Sat Dec 20 10:35:19 2014 CET was successful
0 consecutive failure(s).
Last success @ Sat Dec 20 10:35:19 2014 CET
DC=DomainDnsZones,DC=samdom,DC=example,DC=com
Default-First-Site-Name\<u>DC3</u> via RPC
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=ForestDnsZones,DC=samdom,DC=example,DC=com
Default-First-Site-Name\DC2 via RPC
DSA object GUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48
Last attempt @ Sat Dec 20 10:35:19 2014 CET was successful
0 consecutive failure(s).
Last success @ Sat Dec 20 10:35:19 2014 CET
DC=ForestDnsZones,DC=samdom,DC=example,DC=com
Default-First-Site-Name\<u>DC3</u> via RPC
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=samdom,DC=example,DC=com
Default-First-Site-Name\DC2 via RPC
DSA object GUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48
Last attempt @ Sat Dec 20 10:35:20 2014 CET was successful
0 consecutive failure(s).
Last success @ Sat Dec 20 10:35:20 2014 CET
DC=samdom,DC=example,DC=com
Default-First-Site-Name\<u>DC3</u> via RPC
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
Last attempt @ Sat Dec 20 10:35:09 2014 CET was successful
0 consecutive failure(s).
Last success @ Sat Dec 20 10:35:09 2014 CET
CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
Default-First-Site-Name\DC2 via RPC
DSA object GUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48
Last attempt @ Sat Dec 20 10:35:16 2014 CET was successful
0 consecutive failure(s).
Last success @ Sat Dec 20 10:35:16 2014 CET
CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
Default-First-Site-Name\<u>DC3</u> via RPC
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
Last attempt @ Sat Dec 20 10:35:10 2014 CET was successful
0 consecutive failure(s).
Last success @ Sat Dec 20 10:35:10 2014 CET
CN=Configuration,DC=samdom,DC=example,DC=com
Default-First-Site-Name\DC2 via RPC
DSA object GUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48
Last attempt @ Sat Dec 20 10:35:17 2014 CET was successful
0 consecutive failure(s).
Last success @ Sat Dec 20 10:35:17 2014 CET
CN=Configuration,DC=samdom,DC=example,DC=com
Default-First-Site-Name\<u>DC3</u> via RPC
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
Last attempt @ Sat Dec 20 10:35:11 2014 CET was successful
0 consecutive failure(s).
Last success @ Sat Dec 20 10:35:11 2014 CET
==== OUTBOUND NEIGHBORS ====
DC=DomainDnsZones,DC=samdom,DC=example,DC=com
Default-First-Site-Name\<u>DC3</u> via RPC
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
Last attempt @ Sat Dec 20 10:35:17 2014 CET was successful
0 consecutive failure(s).
Last success @ Sat Dec 20 10:35:17 2014 CET
DC=DomainDnsZones,DC=samdom,DC=example,DC=com
Default-First-Site-Name\DC2 via RPC
DSA object GUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=ForestDnsZones,DC=samdom,DC=example,DC=com
Default-First-Site-Name\<u>DC3</u> via RPC
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
Last attempt @ Sat Dec 20 10:35:17 2014 CET was successful
0 consecutive failure(s).
Last success @ Sat Dec 20 10:35:17 2014 CET
DC=ForestDnsZones,DC=samdom,DC=example,DC=com
Default-First-Site-Name\DC2 via RPC
DSA object GUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=samdom,DC=example,DC=com
Default-First-Site-Name\<u>DC3</u> via RPC
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
Last attempt @ Sat Dec 20 10:34:26 2014 CET was successful
0 consecutive failure(s).
Last success @ Sat Dec 20 10:34:26 2014 CET
DC=samdom,DC=example,DC=com
Default-First-Site-Name\DC2 via RPC
DSA object GUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
Default-First-Site-Name\<u>DC3</u> via RPC
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
Last attempt @ Sat Dec 20 10:34:26 2014 CET was successful
0 consecutive failure(s).
Last success @ Sat Dec 20 10:34:26 2014 CET
CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
Default-First-Site-Name\DC2 via RPC
DSA object GUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
CN=Configuration,DC=samdom,DC=example,DC=com
Default-First-Site-Name\<u>DC3</u> via RPC
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
Last attempt @ Sat Dec 20 10:34:21 2014 CET was successful
0 consecutive failure(s).
Last success @ Sat Dec 20 10:34:21 2014 CET
CN=Configuration,DC=samdom,DC=example,DC=com
Default-First-Site-Name\DC2 via RPC
DSA object GUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
==== KCC CONNECTION OBJECTS ====
Connection --
Connection name: 04baf417-eb41-4f31-a5f1-c739f0e92b1b
Enabled : TRUE
Server DNS name : DC2.samdom.example.com
Server DN name : CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
Connection name: f55bce90-d458-400a-a4ca-801c3e64bef3
Enabled : TRUE
Server DNS name : <u>DC3</u>.samdom.example.com
Server DN name : CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!


'''Depending on your replication settings, it may take a few minutes until all connections are established, so be patient.''' A neighbor whose last success is still <code>NTTIME(0)</code> has simply not replicated yet; a growing number of consecutive failures indicates a real problem. If the outbound connections are not established automatically, even after several minutes, you can force the replication (generally not necessary). See [[Samba-tool_drs_replicate|samba-tool drs replicate]].


''Note about the „Warning: No NC replicated for Connection!“ line: It can be safely ignored. See [[FAQ#Message:_Warning:_No_NC_replicated_for_Connection.21|FAQ: Message: Warning: No NC replicated for Connection!]]''


= Verifying Directory Replication =


To display the replication status on the Windows DC, see [[Verifying_the_Directory_Replication_Statuses#Displaying_the_Replication_Statuses_on_a_Windows_DC|Displaying the Replication Statuses on a Windows DC]].


{{Imbox
| type = note
| text = To optimize replication latency and cost, the knowledge consistency checker (KCC) on Windows DCs does not create a fully-meshed replication topology between all DCs. For further details, see [[The Samba KCC]].
}}
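What matters in the long <code>showrepl</code> output above is small: the consecutive-failure counter of every neighbor, and whether a neighbor has ever replicated at all. The following added example, not code from the Samba wiki or the Samba project, filters <code>samba-tool drs showrepl</code> down to exactly those neighbors so it can be run from cron or a monitoring check on a Samba DC. The embedded sample output is constructed for this example in the layout shown above, with the new DC made to fail for one partition; the wording of the <code>failed, result ...</code> line is an assumption about Samba's output format and is not what the filter keys on.

```bash
#!/usr/bin/env bash
# Added example, not part of the Samba wiki page: filter `samba-tool drs showrepl`
# output down to the replication neighbors that need attention. Healthy
# neighbors are not printed, so an empty result means every partition replicates.
set -u

# Report line format: "<direction> <naming context> <partner> <state>", where
# state is FAILING(n) for n consecutive failures or NEVER when the partner has
# not replicated yet (last success NTTIME(0)). KCC connection objects are ignored.
showrepl_problems() {
    awk '
        /^==== INBOUND NEIGHBORS/  { dir = "inbound";  next }
        /^==== OUTBOUND NEIGHBORS/ { dir = "outbound"; next }
        /^==== KCC CONNECTION/     { dir = "";         next }
        dir == ""                  { next }
        /^(DC|CN)=/                { nc = $0; next }
        / via /                    { sub(/^[ \t]+/, ""); partner = $1; next }
        /consecutive failure/      { sub(/^[ \t]+/, ""); fails = $1 + 0; next }
        /Last success @/ {
            if (fails > 0)
                printf "%s %s %s FAILING(%d)\n", dir, nc, partner, fails
            else if ($0 ~ /NTTIME\(0\)/)
                printf "%s %s %s NEVER\n", dir, nc, partner
        }
    '
}

# Exit 0 when no neighbor is reported, 1 otherwise (for use in monitoring).
showrepl_healthy() {
    [ "$(showrepl_problems | wc -l)" -eq 0 ]
}

# Constructed sample in the layout shown above (not real output): DC2 is healthy,
# the new DC3 fails inbound for the domain partition, and one outbound neighbor
# has not replicated yet. The "failed, result ..." wording follows Samba's format
# and is an assumption of this example.
SAMPLE_SHOWREPL='Default-First-Site-Name\DC1
DSA Options: 0x00000001
DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
DSA invocationId: 96bc0d6f-9cea-4011-b9a1-0e9971009b20

==== INBOUND NEIGHBORS ====

DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48
        Last attempt @ Sat Dec 20 10:35:20 2014 CET was successful
        0 consecutive failure(s).
        Last success @ Sat Dec 20 10:35:20 2014 CET

DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC3 via RPC
        DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
        Last attempt @ Sat Dec 20 10:35:09 2014 CET failed, result 1722 (WERR_RPC_S_SERVER_UNAVAILABLE)
        3 consecutive failure(s).
        Last success @ Sat Dec 20 09:12:41 2014 CET

==== OUTBOUND NEIGHBORS ====

CN=Configuration,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
    Connection name: 04baf417-eb41-4f31-a5f1-c739f0e92b1b
    Enabled        : TRUE
    Server DNS name : DC2.samdom.example.com
    Warning: No NC replicated for Connection!'

# Live use on a Samba DC:
#   samba-tool drs showrepl | showrepl_problems
# Expected report for the sample:
#   inbound DC=samdom,DC=example,DC=com Default-First-Site-Name\DC3 FAILING(3)
#   outbound CN=Configuration,DC=samdom,DC=example,DC=com Default-First-Site-Name\DC2 NEVER
printf '%s\n' "$SAMPLE_SHOWREPL" | showrepl_problems
```

A <code>NEVER</code> line right after the join is expected and clears on its own; a <code>NEVER</code> that persists or any <code>FAILING</code> line is the point where you check the DNS records and clocks of both partners before forcing a replication.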




= The Sysvol Share =


== Enabling the Sysvol Share ==


During the join, Windows tries to retrieve the Sysvol content from another DC using DFS-R. Samba does not support DFS-R, so when a Samba DC was the replication partner, the content never arrives and Windows does not enable the <code>Sysvol</code> share on the new DC. Clients that select DC3 for Group Policy processing then cannot read the policies from it.

To verify, enter <code>\\DC3</code> (the hostname of the new DC) in Windows Explorer. If the <code>Sysvol</code> share is not listed, set the registry value <code>SysvolReady</code> under <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\</code> to <code>1</code>. The share appears after the next refresh ([F5]). Enabling the share does not fill it: copy the Sysvol content from an existing DC first (see the next section). For details, see [[Enabling the Sysvol Share on a Windows DC]].


== Sysvol Replication ==


Samba currently does not support the DFS-R protocol required for Sysvol replication. If you make changes to the Sysvol share, for example by editing a Group Policy, you have to keep the content in sync on all your DCs manually, including the ACLs, or use a workaround such as [[Robocopy_based_SysVol_replication_workaround|Robocopy-based Sysvol Replication]]. An example of how to achieve this is provided in [[SysVol_Replication_between_Samba_and_Windows|SysVol replication between Samba and Windows]].
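Because nothing replicates Sysvol for you, the practical question after every policy change is whether all DCs still serve the same policy files. The following added example, not code from the Samba wiki or the Samba project, builds a sorted SHA-256 manifest of a Sysvol tree and compares two manifests, so drift between two DCs, including a file that exists on only one of them, is reported file by file. It runs on a Samba DC; the manifest of the Windows DC is assumed to be taken from a copy of its Sysvol fetched with the Robocopy workaround or any other transfer. It compares content only, so the ACLs the section above mentions still have to be checked separately, and file names containing spaces are not handled. The sample trees in the demonstration, the Default Domain Policy GUID used as the sample GPO and the file contents are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example, not part of the Samba wiki page: detect Sysvol drift between
# DCs. Samba does not replicate Sysvol, so a GPO edited on one DC silently
# differs from the copies on the other DCs; comparing content manifests of the
# Sysvol trees shows file by file which ones diverged. Content only: ACLs must
# be compared separately. File names containing spaces are not supported.
set -u
export LC_ALL=C   # consistent byte-wise ordering for sort and join

# Print "sha256  ./relative/path" for every regular file below a Sysvol root,
# sorted by path. Run it on each DC (or on a fetched copy of its Sysvol).
sysvol_manifest() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum )
}

# Compare two manifests. Prints one line per divergence:
#   ONLY-A path   file exists only in manifest A
#   ONLY-B path   file exists only in manifest B
#   CHANGED path  file exists in both with different content
# Returns 0 when the trees are identical, 1 otherwise.
sysvol_diff() {
    local a="$1" b="$2" tmp rc
    tmp=$(mktemp -d)
    awk '{print $2 "|" $1}' "$a" | sort -t '|' -k1,1 > "$tmp/a"
    awk '{print $2 "|" $1}' "$b" | sort -t '|' -k1,1 > "$tmp/b"
    join -t '|' -a1 -a2 -e '-' -o '0,1.2,2.2' "$tmp/a" "$tmp/b" |
    awk -F '|' '
        $2 == "-" { print "ONLY-B " $1; n++; next }
        $3 == "-" { print "ONLY-A " $1; n++; next }
        $2 != $3  { print "CHANGED " $1; n++ }
        END { exit (n > 0) }
    '
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Demonstration on two constructed Sysvol trees (sample data, not a real
# domain): the Default Domain Policy as it would look on DC1 and on DC3 after
# the GPO was edited on DC3 only, plus a startup script that exists only on DC3.
demo_sysvol_drift() {
    local base gpo='{31B2F340-016D-11D2-945F-00C04FB984F9}' dc rc
    base=$(mktemp -d)
    for dc in dc1 dc3; do
        mkdir -p "$base/$dc/Policies/$gpo/Machine"
        printf 'same registry settings\n' > "$base/$dc/Policies/$gpo/Machine/Registry.pol"
    done
    printf '[General]\nVersion=1\n' > "$base/dc1/Policies/$gpo/GPT.INI"
    printf '[General]\nVersion=2\n' > "$base/dc3/Policies/$gpo/GPT.INI"
    mkdir -p "$base/dc3/scripts"
    printf '@echo off\n' > "$base/dc3/scripts/startup.cmd"

    sysvol_manifest "$base/dc1" > "$base/dc1.manifest"
    sysvol_manifest "$base/dc3" > "$base/dc3.manifest"
    sysvol_diff "$base/dc1.manifest" "$base/dc3.manifest"
    rc=$?
    rm -rf "$base"
    return "$rc"
}

# Expected report for the demonstration:
#   CHANGED ./Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
#   ONLY-B ./scripts/startup.cmd
if demo_sysvol_drift; then
    echo 'Sysvol trees are identical'
else
    echo 'Sysvol drift detected, see the lines above'
fi
```

In production, generate the manifest on each DC (for the Windows DC from the fetched copy), transfer the small manifest files to one host and run <code>sysvol_diff</code> there; a non-zero exit status after a sync run means the sync did not cover everything, and a <code>CHANGED</code> on a <code>GPT.INI</code> is the typical sign of a GPO edited on one DC only.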








= Testing Directory Replication =


To check that replication works correctly between your DCs, add or modify an object, for example a user, on one DC using either the Samba command line tools or the Windows GUI admin tools. Then check that the change shows up within a few seconds on the new DC. Repeat the test in the other direction, with a change made on the Windows DC, so that both the inbound and the outbound connections are covered.

----
[[Category:Active Directory]]
[[Category:Domain Control]]

Revision as of 14:07, 18 May 2017
