Joining a Windows Server 2008 / 2008 R2 DC to a Samba AD

Revision as of 16:14, 22 December 2014 by Mmuehlfeld (talk | contribs) (Initial version of a "How to join Win 2008 as a DC to a Samba AD")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Introduction

For various reasons user may find themself in a situation, to add a Windows Server 2008 / 2008 R2 as a Domain Controller to their Samba based Active Directory. This process differs from simply joining a Windows Server as a Member Server.

This documentation is valid only for Microsoft Windows Server 2008 and 2008 R2!


Server information

This documentation uses the following configurations/settings:

Existing Samba DCs in the domain:
Domain Controllers:            DC1 (10.99.0.1), DC2 (10.99.0.2)
DCs act also as a DNS server:  yes

Domain information:
DNS Domain Name:               samdom.example.com
NT4 Domain Name (NETBIOS):     SAMDOM
DNS Servers:                   10.99.0.1, 10.99.0.2
Domain Administrator:          Administrator
Domain Administrator Password: passw0rd

Windows DC additionally joined to the domain:
Hostname:                      DC3
IP Address:                    10.99.0.3
Operating System:              Microsoft Windows Server 2008 R2



Installation / Preparation

General

  • Install Windows Server 2008 R2


Configure network

  • Search the Control Panel for „Network and Sharing Center“
  • Click „Change adapter settings“
  • Right-click to your network connection and choose „properties“
  • Configure the IP properties. Make sure, that you use a DNS server, that is authoritative for your AD DNS domain!
File:Join Win2008R2 IP Configuration.png


Date and time settings

Active Directory uses Kerberos for authentication, which relies on a fairly consistent time across the network. This makes it necessary, that, before you can join the server to the Domain, the time does not differ more than 5 minutes (default setting in an AD) to your other Domain Controllers.

  • Search the Control Panel for „Date and Time“
  • Check your date, time and time zone settings.



Joining the Domain

  • Click „Start“ / „Run“, enter „dcpromo.exe“ and click „OK“.
  • Windows Server checks if the necessary features are already installed. If not, they will.
Join Win2008R2 dcpromo install.png
  • Check the option „Use advanced mode installation“. This mode displays some additional options, that may be useful, like specifying an initial DC to replicate from. To continue click „Next“.
  • Read the „Operating System Compatibility“ information and click „Next“.
  • Choose „Existing forest“ / „Add a domain controller to an existing domain“ and click „Next“.
File:Join win2008R2 Deployment Configuration.png
  • Enter the domain name and credentials of an account that is allowed to join a Domain Controller to the Domain (e. g. Domain Administrator). Afterwards click „Next“.
File:Join Win2008R2 Network Credentials.png
  • If your forest contains multiple domains, the „Select a Domain“ window will list all domains and you have to choose the one, you want to join and then click „Next“.
File:Join Win2008R2 Select Domain.png
  • Select the AD Site for the new Domain Controller. If you haven't configured AD Sites, choose the default („Default-First-Site-Name“) and click „Next“.
File:Join Win2008R2 Select Site.png
  • Decite the options of the new Domain Controller and click „Next“. If you install the DNS server option, make sure, that there is at least one DNS server in your network configuration, that is authoritative for the DNS zone of this domain. An appropriate message is shown in the information box. We assume here, to install the new DC with „DNS server“ and „Global catalog“.
Join Win2008R2 DC Options.png
  • If you receive a message, that a delegation for this DNS server cannot be created, continue by clicking „Yes“.
Join Win2008R2 DNS Delegation Failed.png
  • In the „Install from Media“ window, choose to „replicate the data over the network from an existing Domain Controller“ and click „Next“.
File:Join win2008R2 Install From Media.png
  • Choose one of the existing DCs to replicate from or let the wizzard do. Then click „Next“.
File:Join Win2008R2 Choose DC For Replication.png
  • Define the folders for the AD database, logs and SysVol and click „Next“
File:Join win2008R2 Folder Locations.png
  • Set a Directory Service Restore Mode Administrator Passwort. The DSRM passwort is used to boot the Windows DC in a safe-mode, to restore or repair the AD. To continue click „Next“.
File:Join win2008R2 DSRM Password.png
  • A summery is displayed. Verify your settings and click „Next“ to start the Domain Controller promotion process.
  • The wizzard begins to install options, replicate the directory, etc. Depending on the size of your directory and your bandwitdh, this may take some time.
Join Win2008R2 Join Process.png
  • After the wizzard has completed, click „Finish“ and restart the new Domain Controller.
File:Join win2008R2 Join Completed.png
  • The Windows Server is now joined as a Domain Controller.



Directory replication

A few minutes after startup, connections with other DCs will be established automatically and replication begins. On a Samba DC, this can be verified by

# samba-tool drs showrepl
Default-First-Site-Name\DC1
DSA Options: 0x00000001
DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
DSA invocationId: 96bc0d6f-9cea-4011-b9a1-0e9971009b20

==== INBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=samdom,DC=example,DC=com
       Default-First-Site-Name\DC2 via RPC
               DSA object GUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48
               Last attempt @ Sat Dec 20 10:35:19 2014 CET was successful
               0 consecutive failure(s).
               Last success @ Sat Dec 20 10:35:19 2014 CET

DC=DomainDnsZones,DC=samdom,DC=example,DC=com
       Default-First-Site-Name\DC3 via RPC
               DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
               Last attempt @ NTTIME(0) was successful
               0 consecutive failure(s).
               Last success @ NTTIME(0)

DC=ForestDnsZones,DC=samdom,DC=example,DC=com
       Default-First-Site-Name\DC2 via RPC
               DSA object GUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48
               Last attempt @ Sat Dec 20 10:35:19 2014 CET was successful
               0 consecutive failure(s).
               Last success @ Sat Dec 20 10:35:19 2014 CET

DC=ForestDnsZones,DC=samdom,DC=example,DC=com
       Default-First-Site-Name\DC3 via RPC
               DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
               Last attempt @ NTTIME(0) was successful
               0 consecutive failure(s).
               Last success @ NTTIME(0)

DC=samdom,DC=example,DC=com
       Default-First-Site-Name\DC2 via RPC
               DSA object GUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48
               Last attempt @ Sat Dec 20 10:35:20 2014 CET was successful
               0 consecutive failure(s).
               Last success @ Sat Dec 20 10:35:20 2014 CET

DC=samdom,DC=example,DC=com
       Default-First-Site-Name\DC3 via RPC
               DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
               Last attempt @ Sat Dec 20 10:35:09 2014 CET was successful
               0 consecutive failure(s).
               Last success @ Sat Dec 20 10:35:09 2014 CET

CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
       Default-First-Site-Name\DC2 via RPC
               DSA object GUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48
               Last attempt @ Sat Dec 20 10:35:16 2014 CET was successful
               0 consecutive failure(s).
               Last success @ Sat Dec 20 10:35:16 2014 CET

CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
       Default-First-Site-Name\DC3 via RPC
               DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
               Last attempt @ Sat Dec 20 10:35:10 2014 CET was successful
               0 consecutive failure(s).
               Last success @ Sat Dec 20 10:35:10 2014 CET

CN=Configuration,DC=samdom,DC=example,DC=com
       Default-First-Site-Name\DC2 via RPC
               DSA object GUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48
               Last attempt @ Sat Dec 20 10:35:17 2014 CET was successful
               0 consecutive failure(s).
               Last success @ Sat Dec 20 10:35:17 2014 CET

CN=Configuration,DC=samdom,DC=example,DC=com
       Default-First-Site-Name\DC3 via RPC
               DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
               Last attempt @ Sat Dec 20 10:35:11 2014 CET was successful
               0 consecutive failure(s).
               Last success @ Sat Dec 20 10:35:11 2014 CET

==== OUTBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=samdom,DC=example,DC=com
       Default-First-Site-Name\DC3 via RPC
               DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
               Last attempt @ Sat Dec 20 10:35:17 2014 CET was successful
               0 consecutive failure(s).
               Last success @ Sat Dec 20 10:35:17 2014 CET

DC=DomainDnsZones,DC=samdom,DC=example,DC=com
       Default-First-Site-Name\DC2 via RPC
               DSA object GUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48
               Last attempt @ NTTIME(0) was successful
               0 consecutive failure(s).
               Last success @ NTTIME(0)

DC=ForestDnsZones,DC=samdom,DC=example,DC=com
       Default-First-Site-Name\DC3 via RPC
               DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
               Last attempt @ Sat Dec 20 10:35:17 2014 CET was successful
               0 consecutive failure(s).
               Last success @ Sat Dec 20 10:35:17 2014 CET

DC=ForestDnsZones,DC=samdom,DC=example,DC=com
       Default-First-Site-Name\DC2 via RPC
               DSA object GUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48
               Last attempt @ NTTIME(0) was successful
               0 consecutive failure(s).
               Last success @ NTTIME(0)

DC=samdom,DC=example,DC=com
       Default-First-Site-Name\DC3 via RPC
               DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
               Last attempt @ Sat Dec 20 10:34:26 2014 CET was successful
               0 consecutive failure(s).
               Last success @ Sat Dec 20 10:34:26 2014 CET

DC=samdom,DC=example,DC=com
       Default-First-Site-Name\DC2 via RPC
               DSA object GUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48
               Last attempt @ NTTIME(0) was successful
               0 consecutive failure(s).
               Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
       Default-First-Site-Name\DC3 via RPC
               DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
               Last attempt @ Sat Dec 20 10:34:26 2014 CET was successful
               0 consecutive failure(s).
               Last success @ Sat Dec 20 10:34:26 2014 CET

CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
       Default-First-Site-Name\DC2 via RPC
               DSA object GUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48
               Last attempt @ NTTIME(0) was successful
               0 consecutive failure(s).
               Last success @ NTTIME(0)

CN=Configuration,DC=samdom,DC=example,DC=com
       Default-First-Site-Name\DC3 via RPC
               DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
               Last attempt @ Sat Dec 20 10:34:21 2014 CET was successful
               0 consecutive failure(s).
               Last success @ Sat Dec 20 10:34:21 2014 CET

CN=Configuration,DC=samdom,DC=example,DC=com
       Default-First-Site-Name\DC2 via RPC
               DSA object GUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48
               Last attempt @ NTTIME(0) was successful
               0 consecutive failure(s).
               Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
       Connection name: 04baf417-eb41-4f31-a5f1-c739f0e92b1b
       Enabled        : TRUE
       Server DNS name : DC2.samdom.example.com
       Server DN name  : CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
               TransportType: RPC
               options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
       Connection name: f55bce90-d458-400a-a4ca-801c3e64bef3
       Enabled        : TRUE
       Server DNS name : DC3.samdom.example.com
       Server DN name  : CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
               TransportType: RPC
               options: 0x00000001
Warning: No NC replicated for Connection!

Depending on your replication settings - if defined - it may take a few minutes until all connections are established. So please be patient! On the long shot that the outbound connections aren't established automatically - even not after several minutes - you can force the replication (generally not necessary!). See samba-tool drs replicate.

Note about the„Warning: No NC replicated for Connection!“ line: It can be safely ignored. See FAQ: Message: Warning: No NC replicated for Connection!



SysVol share

During the join, Windows tries to retrieve the SysVol content from an other Domain Controller. But Samba currently doesn't support SysVol replication (FSR) yet. This causes, that the new Windows DC, doesn't share the SysVol folder.

The folder isn't shared like other folders in Windows. If there is no „SysVol“ share, when you enter \\Hostname („\\DC3“ in this example), change the registry value of „SysvolReady“ in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ to „1“. The share will be visible after the next refresh ([F5]).



SysVol replication

Currently replication of the SysVol share via FSR isn't implemented in Samba. If you make changes on that share, you have to keep them in sync on all your Domain Controllers, including ACLs! An example, how to achieve this, is provided in the SysVol replication between Samba and Windows documentation.



Testing directory replication

To check that replication is working correctly between your domain controllers, try adding/modifying e. g. a user on one DC using either the Samba command line tools or the Windows GUI admin tools. Then check that the changes shows up within a few seconds on the new Domain Controller.