Joining a Windows Server 2008 / 2008 R2 DC to a Samba AD: Difference between revisions
From SambaWiki
Mmuehlfeld (talk | contribs) m (Fix link) |
Mmuehlfeld (talk | contribs) (Rewrote guide: Restructured, removed unnecessary content, being more clear) |
||
| Line 1: | Line 1: | ||
= Introduction = |
= Introduction = |
||
You can successfully join Windows Server 2008 and 2008 R2 as an domain controller (DC) to a Samba Active Directory (AD). |
|||
If you want to join a computer running a Windows Server operating system as a domain member, see [[Joining_a_Windows_Client_or_Server_to_a_Domain|Joining a Windows Client or Server to a Domain]. |
|||
This documentation is valid only for Microsoft Windows Server 2008 and 2008 R2! |
|||
== Server information == |
|||
This documentation uses the following configurations/settings: |
|||
= Network Configuration = |
|||
'''Existing Samba DCs in the domain:''' |
|||
Domain Controllers: DC1 (10.99.0.1), DC2 (10.99.0.2) |
|||
DCs act also as a DNS server: yes |
|||
'''Domain information:''' |
|||
DNS Domain Name: samdom.example.com |
|||
NT4 Domain Name (NETBIOS): SAMDOM |
|||
DNS Servers: 10.99.0.1, 10.99.0.2 |
|||
Domain Administrator: Administrator |
|||
Domain Administrator Password: passw0rd |
|||
'''Windows DC additionally joined to the domain:''' |
|||
Hostname: DC3 |
|||
IP Address: 10.99.0.3 |
|||
Operating System: Microsoft Windows Server 2008 R2 |
|||
* Click the "Start" button, search for "View network connections", and open the search entry. |
|||
* Right-click to your network adapter and select "Properties". |
|||
* Configure the IP settings: |
|||
:* Assign a static IP address, enter the subnet mask, and default gateway. |
|||
:* Enter the IP of a DNS server that is able to resolve the Active Directory (AD) DNS zone. |
|||
* Click "OK" to save the settings. |
|||
= Installation / Preparation = |
|||
== General == |
|||
* Install Windows Server 2008 R2 |
|||
= Date and Time Settings = |
|||
Active Directory uses Kerberos for authentication. Kerberos requires that the domain member and the domain controllers (DC) are having a synchronous time. If the difference exceeds [http://technet.microsoft.com/en-us/library/cc779260%28v=ws.10%29.aspx 5 minutes] (default), the client is not able to access domain resources for security reasons. |
|||
== Configure network == |
|||
Before you join the domain, check the time configuration: |
|||
* Search the Control Panel for „Network and Sharing Center“ |
|||
* Open the "Control Panel". |
|||
* Click „Change adapter settings“ |
|||
* Navigrate to "Clock, Language and Region". |
|||
* Right-click to your network connection and choose „properties“ |
|||
* Click "Date and Time". |
|||
* Configure the IP properties. Make sure, that you use a DNS server, that is authoritative for your AD DNS domain! |
|||
* Verify the date, time, and time zone settings. Adjust the settings, if necessary. |
|||
:[[Image:Join_Win2008R2_IP_Configuration.png]] |
|||
* Click "OK" to save the changes. |
|||
== Date and time settings == |
|||
Active Directory uses Kerberos for authentication, which relies on a fairly consistent time across the network. This makes it necessary, that, before you can join the server to the Domain, the time does not differ more than [http://technet.microsoft.com/en-us/library/cc779260%28v=ws.10%29.aspx 5 minutes] (default setting in an AD) to your other Domain Controllers: |
|||
* Search the Control Panel for „Date and Time“ |
|||
= Joining the Windows Server to the Domain = |
|||
* Check your date, time and time zone settings. |
|||
* Select "Start" / "Run", enter "dcpromo.exe" and click "OK". |
|||
= Joining the Domain = |
|||
* Windows Server automatically installs missing features, if necessary: |
|||
* Click „Start“ / „Run“, enter „dcpromo.exe“ and click „OK“. |
|||
* Windows Server checks if the necessary features are already installed. If not, they will. |
|||
:[[Image:Join_Win2008R2_dcpromo_install.png]] |
:[[Image:Join_Win2008R2_dcpromo_install.png]] |
||
* Check |
* Check "Use advanced mode installation" to display additional options in later steps. Click "OK". |
||
* Read the „Operating System Compatibility“ information and click „Next“. |
|||
* Choose „Existing forest“ / „Add a domain controller to an existing domain“ and click „Next“. |
|||
:[[Image:Join_win2008R2_Deployment_Configuration.png]] |
|||
* Enter the domain name and credentials of an account that is allowed to join a Domain Controller to the Domain (e. g. Domain Administrator). Afterwards click „Next“. |
|||
* Read the "Operating System Compatibility" information and click "Next". |
|||
:[[Image:Join_Win2008R2_Network_Credentials.png]] |
|||
* Select "Existing forest" / "Add a domain controller to an existing domain", and click "Next". |
|||
* If your forest contains multiple domains, the „Select a Domain“ window will list all domains and you have to choose the one, you want to join and then click „Next“. |
|||
* Enter the Samba Active Directory (AD) domain name and credentials that are enabled to join a domain controller (DC) to the Domain, like the domain administrator account. Click "Next". |
|||
:[[Image:Join_Win2008R2_Select_Domain.png]] |
|||
* Select the domain to join and click "Next". |
|||
* Select the AD Site for the new Domain Controller. If you haven't configured AD Sites, choose the default („Default-First-Site-Name“) and click „Next“. |
|||
* If AD sites are configured, select the site to join. Otherwise continue using the "Default-First-Site-Name" site. Click "Next". |
|||
:[[Image:Join_Win2008R2_Select_Site.png]] |
|||
* Select the options to enable for the new DC and click "Next". |
|||
* Decite the options of the new Domain Controller and click „Next“. If you install the DNS server option, make sure, that there is at least one DNS server in your network configuration, that is authoritative for the DNS zone of this domain. An appropriate message is shown in the information box. We assume here, to install the new DC with „DNS server“ and „Global catalog“. |
|||
:[[Image:Join_Win2008R2_DC_Options.png]] |
:[[Image:Join_Win2008R2_DC_Options.png]] |
||
* If you receive a |
* If you enabled the "DNS server" option in the previous step, you may receive a note, that a delegation for this DNS server cannot be created. Click "Yes" to continue. |
||
:[[Image:Join_Win2008R2_DNS_Delegation_Failed.png]] |
:[[Image:Join_Win2008R2_DNS_Delegation_Failed.png]] |
||
* |
* Select "Replicate data over the network from an existing domain controller" and click "Next". |
||
* Select a DC as source for the initial directory replication or let the installation wizzard choose an appropriate DC. Click "Next". |
|||
:[[Image:Join_win2008R2_Install_From_Media.png]] |
|||
* Set the folders for the AD database, log files and the Sysvol. Click "Next". |
|||
* Choose one of the existing DCs to replicate from or let the wizzard do. Then click „Next“. |
|||
* Set a Directory Service Restore Mode Administrator Password (DSRM). It is required to boot the Windows DC in safe-mode to restore or repair the AD. Click "Next". |
|||
:[[Image:Join_Win2008R2_Choose_DC_For_Replication.png]] |
|||
* Verify your settings and click "Next" to start the DC promotion. |
|||
* Define the folders for the AD database, logs and SysVol and click „Next“ |
|||
* The wizzard starts the installation, replicats the directory, and so on. |
|||
:[[Image:Join_win2008R2_Folder_Locations.png]] |
|||
:[[Image:Join_Win2008R2_Join_Process.png]] |
|||
* Set a Directory Service Restore Mode Administrator Passwort. The DSRM passwort is used to boot the Windows DC in a safe-mode, to restore or repair the AD. To continue click „Next“. |
|||
* Verify that all DC related DNS records have been created during the promotion. See [[Check_and_fix_DNS_entries_on_DC_joins|Check and Fix DNS Entries on DC Joins]]. |
|||
:[[Image:Join_win2008R2_DSRM_Password.png]] |
|||
: '''Do not continue without checking. The records must exist for a working directory replication!''' |
|||
* After the wizzard completed click "Finish". |
|||
* A summery is displayed. Verify your settings and click „Next“ to start the Domain Controller promotion process. |
|||
* Restart the computer. |
|||
* The wizzard begins to install options, replicate the directory, etc. Depending on the size of your directory and your bandwitdh, this may take some time. |
|||
The Windows server now acts as an AD DC. |
|||
:[[Image:Join_Win2008R2_Join_Process.png]] |
|||
* [[Check_and_fix_DNS_entries_on_DC_joins|Check if all important DNS records exists]]. If not, [[Check_and_fix_DNS_entries_on_DC_joins|add them manually]]. '''It's an important step for a healthy and working replication!''' |
|||
* After the wizzard has completed, click „Finish“ and restart the new Domain Controller. |
|||
:[[Image:Join_win2008R2_Join_Completed.png]] |
|||
* The Windows Server is now joined as a Domain Controller. |
|||
= Verifying the Directory Replication = |
|||
A few minutes after the domain controller (DC) started, the connections with all other DCs are automatically established and the replication begins. |
|||
To verify the directory replication, run on a Samba DC: |
|||
# samba-tool drs showrepl |
|||
= Directory replication = |
|||
A few minutes after new Domain Controller has started, the connections with other DCs are established automatically and the replication process begins. On a Samba DC, this can be verified using the following command |
|||
'''# samba-tool drs showrepl''' |
|||
Default-First-Site-Name\DC1 |
Default-First-Site-Name\DC1 |
||
DSA Options: 0x00000001 |
DSA Options: 0x00000001 |
||
| Line 142: | Line 113: | ||
==== INBOUND NEIGHBORS ==== |
==== INBOUND NEIGHBORS ==== |
||
DC=DomainDnsZones,DC=samdom,DC=example,DC=com |
DC=DomainDnsZones,DC=samdom,DC=example,DC=com |
||
Default-First-Site-Name\ |
Default-First-Site-Name\Win2008R2DC via RPC |
||
DSA object GUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48 |
|||
Last attempt @ Sat Dec 20 10:35:19 2014 CET was successful |
|||
0 consecutive failure(s). |
|||
Last success @ Sat Dec 20 10:35:19 2014 CET |
|||
DC=DomainDnsZones,DC=samdom,DC=example,DC=com |
|||
Default-First-Site-Name\<u>DC3</u> via RPC |
|||
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9 |
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9 |
||
Last attempt @ NTTIME(0) was successful |
Last attempt @ NTTIME(0) was successful |
||
| Line 158: | Line 122: | ||
DC=ForestDnsZones,DC=samdom,DC=example,DC=com |
DC=ForestDnsZones,DC=samdom,DC=example,DC=com |
||
Default-First-Site-Name\ |
Default-First-Site-Name\Win2008R2DC via RPC |
||
DSA object GUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48 |
|||
Last attempt @ Sat Dec 20 10:35:19 2014 CET was successful |
|||
0 consecutive failure(s). |
|||
Last success @ Sat Dec 20 10:35:19 2014 CET |
|||
DC=ForestDnsZones,DC=samdom,DC=example,DC=com |
|||
Default-First-Site-Name\<u>DC3</u> via RPC |
|||
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9 |
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9 |
||
Last attempt @ NTTIME(0) was successful |
Last attempt @ NTTIME(0) was successful |
||
| Line 172: | Line 129: | ||
DC=samdom,DC=example,DC=com |
DC=samdom,DC=example,DC=com |
||
Default-First-Site-Name\ |
Default-First-Site-Name\Win2008R2DC via RPC |
||
DSA object GUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48 |
|||
Last attempt @ Sat Dec 20 10:35:20 2014 CET was successful |
|||
0 consecutive failure(s). |
|||
Last success @ Sat Dec 20 10:35:20 2014 CET |
|||
DC=samdom,DC=example,DC=com |
|||
Default-First-Site-Name\<u>DC3</u> via RPC |
|||
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9 |
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9 |
||
Last attempt @ Sat Dec 20 10:35:09 2014 CET was successful |
Last attempt @ Sat Dec 20 10:35:09 2014 CET was successful |
||
| Line 186: | Line 136: | ||
CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com |
CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com |
||
Default-First-Site-Name\ |
Default-First-Site-Name\Win2008R2DC via RPC |
||
DSA object GUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48 |
|||
Last attempt @ Sat Dec 20 10:35:16 2014 CET was successful |
|||
0 consecutive failure(s). |
|||
Last success @ Sat Dec 20 10:35:16 2014 CET |
|||
CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com |
|||
Default-First-Site-Name\<u>DC3</u> via RPC |
|||
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9 |
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9 |
||
Last attempt @ Sat Dec 20 10:35:10 2014 CET was successful |
Last attempt @ Sat Dec 20 10:35:10 2014 CET was successful |
||
0 consecutive failure(s). |
0 consecutive failure(s). |
||
Last success @ Sat Dec 20 10:35:10 2014 CET |
Last success @ Sat Dec 20 10:35:10 2014 CET |
||
CN=Configuration,DC=samdom,DC=example,DC=com |
|||
Default-First-Site-Name\DC2 via RPC |
|||
DSA object GUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48 |
|||
Last attempt @ Sat Dec 20 10:35:17 2014 CET was successful |
|||
0 consecutive failure(s). |
|||
Last success @ Sat Dec 20 10:35:17 2014 CET |
|||
CN=Configuration,DC=samdom,DC=example,DC=com |
CN=Configuration,DC=samdom,DC=example,DC=com |
||
Default-First-Site-Name\ |
Default-First-Site-Name\Win2008R2DC via RPC |
||
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9 |
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9 |
||
Last attempt @ Sat Dec 20 10:35:11 2014 CET was successful |
Last attempt @ Sat Dec 20 10:35:11 2014 CET was successful |
||
| Line 216: | Line 152: | ||
DC=DomainDnsZones,DC=samdom,DC=example,DC=com |
DC=DomainDnsZones,DC=samdom,DC=example,DC=com |
||
Default-First-Site-Name\ |
Default-First-Site-Name\Win2008R2DC via RPC |
||
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9 |
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9 |
||
Last attempt @ Sat Dec 20 10:35:17 2014 CET was successful |
Last attempt @ Sat Dec 20 10:35:17 2014 CET was successful |
||
0 consecutive failure(s). |
0 consecutive failure(s). |
||
Last success @ Sat Dec 20 10:35:17 2014 CET |
Last success @ Sat Dec 20 10:35:17 2014 CET |
||
DC=DomainDnsZones,DC=samdom,DC=example,DC=com |
|||
Default-First-Site-Name\DC2 via RPC |
|||
DSA object GUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48 |
|||
Last attempt @ NTTIME(0) was successful |
|||
0 consecutive failure(s). |
|||
Last success @ NTTIME(0) |
|||
DC=ForestDnsZones,DC=samdom,DC=example,DC=com |
DC=ForestDnsZones,DC=samdom,DC=example,DC=com |
||
Default-First-Site-Name\ |
Default-First-Site-Name\Win2008R2DC via RPC |
||
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9 |
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9 |
||
Last attempt @ Sat Dec 20 10:35:17 2014 CET was successful |
Last attempt @ Sat Dec 20 10:35:17 2014 CET was successful |
||
0 consecutive failure(s). |
0 consecutive failure(s). |
||
Last success @ Sat Dec 20 10:35:17 2014 CET |
Last success @ Sat Dec 20 10:35:17 2014 CET |
||
DC=ForestDnsZones,DC=samdom,DC=example,DC=com |
|||
Default-First-Site-Name\DC2 via RPC |
|||
DSA object GUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48 |
|||
Last attempt @ NTTIME(0) was successful |
|||
0 consecutive failure(s). |
|||
Last success @ NTTIME(0) |
|||
DC=samdom,DC=example,DC=com |
DC=samdom,DC=example,DC=com |
||
Default-First-Site-Name\ |
Default-First-Site-Name\Win2008R2DC via RPC |
||
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9 |
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9 |
||
Last attempt @ Sat Dec 20 10:34:26 2014 CET was successful |
Last attempt @ Sat Dec 20 10:34:26 2014 CET was successful |
||
0 consecutive failure(s). |
0 consecutive failure(s). |
||
Last success @ Sat Dec 20 10:34:26 2014 CET |
Last success @ Sat Dec 20 10:34:26 2014 CET |
||
DC=samdom,DC=example,DC=com |
|||
Default-First-Site-Name\DC2 via RPC |
|||
DSA object GUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48 |
|||
Last attempt @ NTTIME(0) was successful |
|||
0 consecutive failure(s). |
|||
Last success @ NTTIME(0) |
|||
CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com |
CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com |
||
Default-First-Site-Name\ |
Default-First-Site-Name\Win2008R2DC via RPC |
||
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9 |
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9 |
||
Last attempt @ Sat Dec 20 10:34:26 2014 CET was successful |
Last attempt @ Sat Dec 20 10:34:26 2014 CET was successful |
||
0 consecutive failure(s). |
0 consecutive failure(s). |
||
Last success @ Sat Dec 20 10:34:26 2014 CET |
Last success @ Sat Dec 20 10:34:26 2014 CET |
||
CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com |
|||
Default-First-Site-Name\DC2 via RPC |
|||
DSA object GUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48 |
|||
Last attempt @ NTTIME(0) was successful |
|||
0 consecutive failure(s). |
|||
Last success @ NTTIME(0) |
|||
CN=Configuration,DC=samdom,DC=example,DC=com |
CN=Configuration,DC=samdom,DC=example,DC=com |
||
Default-First-Site-Name\ |
Default-First-Site-Name\Win2008R2DC via RPC |
||
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9 |
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9 |
||
Last attempt @ Sat Dec 20 10:34:21 2014 CET was successful |
Last attempt @ Sat Dec 20 10:34:21 2014 CET was successful |
||
0 consecutive failure(s). |
0 consecutive failure(s). |
||
Last success @ Sat Dec 20 10:34:21 2014 CET |
Last success @ Sat Dec 20 10:34:21 2014 CET |
||
CN=Configuration,DC=samdom,DC=example,DC=com |
|||
Default-First-Site-Name\DC2 via RPC |
|||
DSA object GUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48 |
|||
Last attempt @ NTTIME(0) was successful |
|||
0 consecutive failure(s). |
|||
Last success @ NTTIME(0) |
|||
==== KCC CONNECTION OBJECTS ==== |
==== KCC CONNECTION OBJECTS ==== |
||
Connection -- |
|||
Connection name: 04baf417-eb41-4f31-a5f1-c739f0e92b1b |
|||
Enabled : TRUE |
|||
Server DNS name : DC2.samdom.example.com |
|||
Server DN name : CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com |
|||
TransportType: RPC |
|||
options: 0x00000001 |
|||
Warning: No NC replicated for Connection! |
|||
Connection -- |
|||
Connection name: f55bce90-d458-400a-a4ca-801c3e64bef3 |
Connection name: f55bce90-d458-400a-a4ca-801c3e64bef3 |
||
Enabled : TRUE |
Enabled : TRUE |
||
Server DNS name : |
Server DNS name : Win2008R2DC.samdom.example.com |
||
Server DN name : CN=NTDS Settings,CN= |
Server DN name : CN=NTDS Settings,CN=Win2008R2DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com |
||
TransportType: RPC |
TransportType: RPC |
||
options: 0x00000001 |
options: 0x00000001 |
||
Warning: No NC replicated for Connection! |
Warning: No NC replicated for Connection! |
||
It can take a several minutes until all connections are established. If the outgoing connections on existing Samba DCs to the Windows DC are not established after 15 minutes, start the replication manually. For details, see [[Samba-tool_drs_replicate|samba-tool drs replicate]]. |
|||
If you are seeing the warning "No NC replicated for Connection!", see [[FAQ#Message:_Warning:_No_NC_replicated_for_Connection.21|FAQ: Warning: No NC replicated for Connection!]]. |
|||
== Testing the Directory Replication == |
|||
To test that the directory replication works correctly, add for example a user on an existing domain controller (DC) and verify that it shows up automatically on the new promoted Windows DC. |
|||
= SysVol share = |
|||
During the join, Windows tries to retrieve the SysVol content from an other Domain Controller. But Samba currently doesn't support SysVol replication (DFS-R) yet. This causes, that the new Windows DC, doesn't share the SysVol folder. |
|||
The folder isn't shared like other folders in Windows. If there is no „SysVol“ share, when you enter \\Hostname („\\DC3“ in this example), change the registry value of „SysvolReady“ in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ |
|||
to „1“. The share will be visible after the next refresh ([F5]). |
|||
= The Sysvol Share = |
|||
During the join, Windows tries to replicate the Sysvol directory content from an existing domain controller (DC). Samba currently does not support the DFS-R protocol. For this reason, the new DC may not show a "Sysvol" share. To enable the share: |
|||
* Save the following content to a plain text file named "Win-Create-Sysvol-Share.reg" using a text editor like "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.): |
|||
= SysVol replication = |
|||
Windows Registry Editor Version 5.00 |
|||
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters] |
|||
"SysvolReady"=dword:00000001 |
|||
* Log in using an account that is member of the local "Administrators" group. |
|||
Currently replication of the SysVol share via DFS-R isn't implemented in Samba. If you make changes on that share, you have to keep them in sync on all your Domain Controllers, including ACLs! An example, how to achieve this, is provided in the [[SysVol_Replication_between_Samba_and_Windows|SysVol replication between Samba and Windows]] documentation. |
|||
* Double-click the file to import it to the Windows registry. |
|||
* Reboot to take the changes effect. |
|||
= |
== Sysvol replication == |
||
Samba currently does not support the DFS-R protocol required for Sysvol replication. Please manually synchronise the content between domain controllers (DC) or use a workaround like [[Robocopy_based_SysVol_replication_workaround|Robocopy-based Sysvol Replication]]. |
|||
To check that replication is working correctly between your domain controllers, try adding/modifying e. g. a user on one DC using either the Samba command line tools or the Windows GUI admin tools. Then check that the changes shows up within a few seconds on the new Domain Controller. |
|||
Revision as of 17:05, 31 August 2016
Introduction
You can successfully join Windows Server 2008 and 2008 R2 as an domain controller (DC) to a Samba Active Directory (AD).
If you want to join a computer running a Windows Server operating system as a domain member, see [[Joining_a_Windows_Client_or_Server_to_a_Domain|Joining a Windows Client or Server to a Domain].
Network Configuration
- Click the "Start" button, search for "View network connections", and open the search entry.
- Right-click to your network adapter and select "Properties".
- Configure the IP settings:
- Assign a static IP address, enter the subnet mask, and default gateway.
- Enter the IP of a DNS server that is able to resolve the Active Directory (AD) DNS zone.
- Click "OK" to save the settings.
Date and Time Settings
Active Directory uses Kerberos for authentication. Kerberos requires that the domain member and the domain controllers (DC) are having a synchronous time. If the difference exceeds 5 minutes (default), the client is not able to access domain resources for security reasons.
Before you join the domain, check the time configuration:
- Open the "Control Panel".
- Navigrate to "Clock, Language and Region".
- Click "Date and Time".
- Verify the date, time, and time zone settings. Adjust the settings, if necessary.
- Click "OK" to save the changes.
Joining the Windows Server to the Domain
- Select "Start" / "Run", enter "dcpromo.exe" and click "OK".
- Windows Server automatically installs missing features, if necessary:
- Check "Use advanced mode installation" to display additional options in later steps. Click "OK".
- Read the "Operating System Compatibility" information and click "Next".
- Select "Existing forest" / "Add a domain controller to an existing domain", and click "Next".
- Enter the Samba Active Directory (AD) domain name and credentials that are enabled to join a domain controller (DC) to the Domain, like the domain administrator account. Click "Next".
- Select the domain to join and click "Next".
- If AD sites are configured, select the site to join. Otherwise continue using the "Default-First-Site-Name" site. Click "Next".
- Select the options to enable for the new DC and click "Next".
- If you enabled the "DNS server" option in the previous step, you may receive a note, that a delegation for this DNS server cannot be created. Click "Yes" to continue.
- Select "Replicate data over the network from an existing domain controller" and click "Next".
- Select a DC as source for the initial directory replication or let the installation wizzard choose an appropriate DC. Click "Next".
- Set the folders for the AD database, log files and the Sysvol. Click "Next".
- Set a Directory Service Restore Mode Administrator Password (DSRM). It is required to boot the Windows DC in safe-mode to restore or repair the AD. Click "Next".
- Verify your settings and click "Next" to start the DC promotion.
- The wizzard starts the installation, replicats the directory, and so on.
- Verify that all DC related DNS records have been created during the promotion. See Check and Fix DNS Entries on DC Joins.
- Do not continue without checking. The records must exist for a working directory replication!
- After the wizzard completed click "Finish".
- Restart the computer.
The Windows server now acts as an AD DC.
Verifying the Directory Replication
A few minutes after the domain controller (DC) started, the connections with all other DCs are automatically established and the replication begins.
To verify the directory replication, run on a Samba DC:
# samba-tool drs showrepl
Default-First-Site-Name\DC1
DSA Options: 0x00000001
DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
DSA invocationId: 96bc0d6f-9cea-4011-b9a1-0e9971009b20
==== INBOUND NEIGHBORS ====
DC=DomainDnsZones,DC=samdom,DC=example,DC=com
Default-First-Site-Name\Win2008R2DC via RPC
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=ForestDnsZones,DC=samdom,DC=example,DC=com
Default-First-Site-Name\Win2008R2DC via RPC
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=samdom,DC=example,DC=com
Default-First-Site-Name\Win2008R2DC via RPC
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
Last attempt @ Sat Dec 20 10:35:09 2014 CET was successful
0 consecutive failure(s).
Last success @ Sat Dec 20 10:35:09 2014 CET
CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
Default-First-Site-Name\Win2008R2DC via RPC
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
Last attempt @ Sat Dec 20 10:35:10 2014 CET was successful
0 consecutive failure(s).
Last success @ Sat Dec 20 10:35:10 2014 CET
CN=Configuration,DC=samdom,DC=example,DC=com
Default-First-Site-Name\Win2008R2DC via RPC
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
Last attempt @ Sat Dec 20 10:35:11 2014 CET was successful
0 consecutive failure(s).
Last success @ Sat Dec 20 10:35:11 2014 CET
==== OUTBOUND NEIGHBORS ====
DC=DomainDnsZones,DC=samdom,DC=example,DC=com
Default-First-Site-Name\Win2008R2DC via RPC
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
Last attempt @ Sat Dec 20 10:35:17 2014 CET was successful
0 consecutive failure(s).
Last success @ Sat Dec 20 10:35:17 2014 CET
DC=ForestDnsZones,DC=samdom,DC=example,DC=com
Default-First-Site-Name\Win2008R2DC via RPC
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
Last attempt @ Sat Dec 20 10:35:17 2014 CET was successful
0 consecutive failure(s).
Last success @ Sat Dec 20 10:35:17 2014 CET
DC=samdom,DC=example,DC=com
Default-First-Site-Name\Win2008R2DC via RPC
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
Last attempt @ Sat Dec 20 10:34:26 2014 CET was successful
0 consecutive failure(s).
Last success @ Sat Dec 20 10:34:26 2014 CET
CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
Default-First-Site-Name\Win2008R2DC via RPC
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
Last attempt @ Sat Dec 20 10:34:26 2014 CET was successful
0 consecutive failure(s).
Last success @ Sat Dec 20 10:34:26 2014 CET
CN=Configuration,DC=samdom,DC=example,DC=com
Default-First-Site-Name\Win2008R2DC via RPC
DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
Last attempt @ Sat Dec 20 10:34:21 2014 CET was successful
0 consecutive failure(s).
Last success @ Sat Dec 20 10:34:21 2014 CET
==== KCC CONNECTION OBJECTS ====
Connection --
Connection name: f55bce90-d458-400a-a4ca-801c3e64bef3
Enabled : TRUE
Server DNS name : Win2008R2DC.samdom.example.com
Server DN name : CN=NTDS Settings,CN=Win2008R2DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
It can take a several minutes until all connections are established. If the outgoing connections on existing Samba DCs to the Windows DC are not established after 15 minutes, start the replication manually. For details, see samba-tool drs replicate.
If you are seeing the warning "No NC replicated for Connection!", see FAQ: Warning: No NC replicated for Connection!.
Testing the Directory Replication
To test that the directory replication works correctly, add for example a user on an existing domain controller (DC) and verify that it shows up automatically on the new promoted Windows DC.
During the join, Windows tries to replicate the Sysvol directory content from an existing domain controller (DC). Samba currently does not support the DFS-R protocol. For this reason, the new DC may not show a "Sysvol" share. To enable the share:
- Save the following content to a plain text file named "Win-Create-Sysvol-Share.reg" using a text editor like "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.):
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters] "SysvolReady"=dword:00000001
- Log in using an account that is member of the local "Administrators" group.
- Double-click the file to import it to the Windows registry.
- Reboot to take the changes effect.
Sysvol replication
Samba currently does not support the DFS-R protocol required for Sysvol replication. Please manually synchronise the content between domain controllers (DC) or use a workaround like Robocopy-based Sysvol Replication.