Joining a Windows Server 2012 / 2012 R2 DC to a Samba AD: Difference between revisions

From SambaWiki
m (fix link)
(20 intermediate revisions by one other user not shown)
Line 1: Line 1:
= Introduction =
= Introduction =


Samba supports Active Directory (AD) schema version 56 and 67. This enables you to join Windows Server 2012 and 2012 R2 to your Samba AD. However, you cannot join the first Windows Server 2012 or 2012 R2 domain controller (DC) directly, because the process uses the Windows management instrumentation (WMI) protocol for several tasks. To work around the problem, you require a Windows Server 2008 or 2008 R2 DC in the domain to join the first 2012 or 2012 R2 DC. After the first Windows Server 2012 or 2012 R2 DC was joined, you can this one as replication partner when joining further Windows DCs.
== WARNING ==


{{Imbox
'''Samba based AD currently doesn't support joining a Microsoft Windows 2012/2012R2 Server <u>as a Domain Controller</u> to a Samba Active Directory! Joining as a Member Server works. Follow the [[Joining_a_Windows_client_to_a_domain|respective documentation]].'''
| type = important
| text = The support for Windows Server 2012 and 2012 R2 DCs, including the directory schemas 56 and 67, is experimental. Please report bugs an incompatibilites. For details, see [[Bug Reporting]].
}}


'''This documentation describes the necessary steps and workarounds required for this task. Because of the missing 2012/2012R2 AD schema support in Samba, the join will break your installation!'''


'''This documentation is for research and debugging only, until all problems and limitations are fixed!'''


'''Only use this documentation <u>in labs for testing purposes and not in production</u>, because this process will break replication and the AD database!!!'''


== KNOWN LIMITATIONS ==


= Warning =
* Samba is shipped with AD schema version 47 (Windows Server 2008 R2). To join a newer version as DC, this schema has to be updated to 56 (Windows Server 2012) or 69 (Windows Server 2012 R2). The Samba AD database backend currently doesn't support all the changes introduced by the new schemas. This would lead to broken replication between Samba and Windows DCs for the affected directory partitions, this cannot be fixed at the moment! '''In simple words: A broken replication makes the AD inconsistent and will destroy your AD!'''


{{Imbox
* At least one [[Joining_a_Windows_Server_2008_/_2008_R2_DC_to_a_Samba_AD|Windows Server 2008 / 2008R2 DC]] is required in the domain, because 2012 replicates the AD content via WMI (Windows Management Instrumentation) from the Schema Master, this isn't implemented yet in Samba. This Windows DC must also have an accessible SysVol share, as 2012 syncronizes its content via DFS-R protocol („SysVol Replication“), which also isn't implemented in Samba yet.
| type = warning
| text = Joining a Windows Server 2012 or 2012 R2 DC to a Samba AD breaks the AD replication! Do not use this documentation until the problem is fixed!<br />For more details, see [https://bugzilla.samba.org/show_bug.cgi?id=13618 Bug #13618] and [https://bugzilla.samba.org/show_bug.cgi?id=13619 Bug #13619].
}}


= Requirements and Known Limitations =
== Server information ==


* All Samba DCs must run 4.6 or later. For details about updating Samba, see [[Updating_Samba|Updating Samba]].
This documentation uses the following configuration/settings:


* Windows Server 2012 and 2012 R2 requires the Windows management instrumentation (WMI) protocol during the join, and for the forest and domain preparation. Samba currently does not support this protocol. Therefore you must run a Windows domain controller (DC) with WMI support in your domain. For example, you can a Windows Server 2008 or 2008 R2 DC as replication partner during the join.
'''Existing Samba DCs in the domain:'''
Domain Controllers: DC1 (10.99.0.1), DC2 (10.99.0.2)
DCs act also as a DNS server: yes
'''Existing Windows 2008R2 DC in the domain:'''
Domain Controller: DC3 (10.99.0.3)
'''Domain information:'''
DNS Domain Name: samdom.example.com
NT4 Domain Name (NETBIOS): SAMDOM
DNS Servers: 10.99.0.1, 10.99.0.2
Domain Administrator: Administrator
Domain Administrator Password: passw0rd
'''DC additionally joined to the domain:'''
Hostname: DC4
IP Address: 10.99.0.4
Operating System: Microsoft Windows Server 2012 R2


* The Windows Server 2008 or 2008 R2 host used for the initial replication must provide a <code>Sysvol</code> share. For details, see [[Enabling the Sysvol Share on a Windows DC]].
: If the <code>Sysvol</code> share is missing, joining a Windows Server 2012 or 2012 R2 DC fails.








= Installation / Preparation =


= Network Configuration =
== General ==


* Click the <code>Start</code> button, search for <code>View network connections</code>, and open the search entry.
* Install Windows Server 2012 / 2012 R2.


* Right-click to your network adapter and select <code>Properties</code>.


* Configure the IP settings:
:* Assign a static IP address, enter the subnet mask, and default gateway.
:* Enter the IP of a DNS server that is able to resolve the Active Directory (AD) DNS zone.


* Click <code>OK</code> to save the settings.
== Date And Time Settings ==


Active Directory uses Kerberos for authentication, which relies on a fairly consistent time across the network. This makes it necessary, that, before you can join the client to the Domain, the time on the client does not differ more than [http://technet.microsoft.com/en-us/library/cc779260%28v=ws.10%29.aspx 5 minutes] (default setting in an AD) to your Domain Controller.


* Search for „Network and Sharing Center“


:[[Image:Join_Win2012R2_Search_Date_and_time_settings.png]]


* Check your date, time and time zone settings.


= Date and Time Settings =


Active Directory uses Kerberos for authentication. Kerberos requires that the domain member and the domain controllers (DC) are having a synchronous time. If the difference exceeds [http://technet.microsoft.com/en-us/library/cc779260%28v=ws.10%29.aspx 5 minutes] (default), the client is not able to access domain resources for security reasons.


Before you join the domain, check the time configuration:
== Configure Network ==


* Open the <code>Control Panel</code>.
* Search for „Network and Sharing Center“


* Navigate to <code>Clock, Language and Region</code>.
:[[Image:Join_Win2012R2_Search_Network_Sharing_Center.png]]


* Click „Change adapter settings“
* Click <code>Date and Time</code>.


* Verify the date, time, and time zone settings. Adjust the settings, if necessary.
* Right-click to your network connection and choose „properties“


* Click <code>OK</code> to save the changes.
* Configure the IP properties. Make sure, that you use a DNS server, that is authoritative for your AD DNS domain!


:[[Image:Join_Win2012R2_IP_Configuration.png]]








= FSMO Roles =


When you join the first Windows Server 2012 or 2012 R2 host as a domain controller (DC) to an Active Directory (AD), the directory schema of the forest and domain is updated. You must run this process on an existing Windows 2008 or 2008 R2 domain controller (DC) that owns the following flexible single master operation (FSMO) roles:
== FSMO Roles ==


* Schema Master
As mentioned in the [[#KNOWN_LIMITATIONS|KNOWN LIMITATIONS]] section, joining a Windows Server 2012 / 2012 R2 requires an AD schema update. Because the Samba AD database backend doesn't support these changes yet, it's neccessary that the involed Schema Master (forest) and the Infrastructure Master (domain) FSMO role are hold by an already joined Windows 2008 / 2008 R2 DC. This allows the update to proceed, but will irrevocable break the replication with all Samba DCs! <u>This is the main reason, why this documentation is not for usage in production environments!</u>
* Infrastructure Master
* PDC Emulator


For details about transfering FSMO roles, see [[Transferring_and_Seizing_FSMO_Roles#Windows_FSMO_Role_Management|Transferring and Seizing FSMO Roles]].


After the forest and domain schema was updated, you can optionally transfer the FSMO roles back to a Samba DC.


{{Imbox
=== Schema Master FSMO Role ===
| type = important
| text = Forest and domain preparation fails if a Samba DC holds one to three of the previous mentioned roles when you join the first Windows Server 2012 or 2012 R2 DC.
}}


This step is a workaround, because since Server 2012, the DC promotion process uses WMI (Windows Management Instrumentation), to retrieve data from the Schema Master.


See the documentation about [[Flexible_Single-Master_Operations_(FSMO)_roles#FSMO_role_management_using_the_Windows_GUI|Windows GUI tools, to transfer the Schema Master role]].






= Installing the Active Directory Domain Services =
=== Infrastructure Master FSMO Role ===


* Start the <code>Server Manager</code>.
This workaround is required, because after updating the schema on the Schema Master of the forest, the Infrastructure Master is involved when preparing the domain for the new schema. Because after the schema update - what will break the replication with Samba DCs - it wouldn't be possible to do the preparation against a Samba DC any more.


* Click <code>Add roles and features</code>.
See the documentation about [[Flexible_Single-Master_Operations_(FSMO)_roles#FSMO_role_management_using_the_Windows_GUI|Windows GUI tools, to transfer the Infrastructure Master role]].


* Select <code>Role-based or feature-based installation</code> and click <code>Next</code>.


* Click <code>Select a server from the server pool</code> and select the local Windows Server from the list. Click <code>Next</code>.


* Select <code>Active Directory Domain Services</code>, including all dependencies. Click <code>Next</code>.


* You do not need to select any additional features. Click <code>Next</code>.
= Installation: Active Directory Domain Services =


* Start the installation.
The folling steps have to executed on the 2012 / 2012 R2 host, that should be joined as a DC later. Do this locally on this host or use RSAT on Windows 8 / 8.1 to execute the commands remotely.


* Click <code>Close</code>.
* Open the Server Manager


* Click „Add roles and features“


:[[Image:Join_Win2012R2_Server_Manager.png]]


* Choose „Role-based or feature-based installation“. Click „Next“.


* „Select a server from the server pool“ and choose the Windows Server out of the list, where to install the AD DC features. Click „Next“.


= Joining the Windows Server to the Domain =
* Choose „Active Directory Domain Services“ from the list, including all dependencies. Click „Next“.


* Log in to your Windows Server 2012 or 2012 installation using the local administrator account.
* Add additional features, if wanted. Click „Next“.


* Start the installation
* Start the <code>Server Manager</code>.


* Click the notifier icon on the top navigation bar and click <code>Promote this server to a domain controller</code>.
* Click „Close“, after the installation is finished.


:[[Image:Join_Win2012R2_Server_Manager_Post_Deployment.png]]


* Select <code>Add a domain controller to an existing domain</code>, enter the Samba Active Directory (AD) domain name and credentials that are enabled to join a domain controller (DC) to the domain, like the domain administrator account. Click <code>Next</code>.


* Select the options to enable on the new DC and enter the directory services restore mode (DSRM) password. It is required to boot the Windows DC in safe-mode to restore or repair the AD in case of problems. Click <code>Next</code>.


:[[Image:Join_Win2012R2_DS_Wizzard_Page2.png]]


* If you enabled the <code>DNS server</code> option in the previous step, you may see a note, that a delegation for this DNS server cannot be created. Click <code>Next</code>.
= Updating the schema =


* Samba currently does not support schema replication using the Windows management instrumentation (WMI) protocol. For this reason, select an existing Windows Domain Controller in the domain as replication source and click <code>Next</code>.
'''WARNING: This steps will break your Samba AD! Only do this in a lab environment for testing purposes!'''


:[[Image:Join_Win2012R2_DS_Wizzard_Page3.png]]
The following steps have to be executed on the Windows 2008/2008 R2 DC, that owns the Schema Master and Infrastructure Master role:


* Set the folders for the AD database, log files and the Sysvol folder. Click <code>Next</code>.
* Log into the existing 2008 / 2008 R2 DC, using an account, that is member of the universal groups „Schema Admins“ and „Enterprise Admins“.


* Click <code>Next</code> to confirm the operations, Windows is going to perform.
* Insert the Windows 2012 / 2012 R2 Installation DVD


* Verify your settings and click <code>Next</code> to start the prerequisite check.
* Open a commandline and navigate into the following folder (assuming D: is your DVD drive with the 2012 / 2012 R2 installation DVD)


* Windows runs some prerequisites checks. If errors are displayed, fix them before you continue. Click <code>Install</code>.
> D:
> cd support/adprep


* Windows promotes the server to a DC. If it is the first Windows Server 2012 or 2012 R2 DC, the forest and domain schema is automatically updated.
:[[Image:Join_Win2012R2_Adprep_DVD.png]]
: {{Imbox
| type = warning
| text = This step breaks the AD directory replication! For details, see [[#Warning|Warning]].
}}


* If the wizard completes successfully, the Windows server is restarted automatically.
* Start the forest preparation (schema update on forest level) by executing


* Verify that all DC related DNS records have been created during the promotion. See [[Verifying and Creating a DC DNS Record|Verifying and Creating a DC DNS Record]].
> adprep.exe /forestprep
:{{Imbox
| type = important
| text = Do not continue without checking the DNS records. They must exist for a working directory replication!
}}


:[[Image:Join_Win2012R2_Adprep_Forestprep.png]]
:A successful run should end with the message


Adprep successfully updated the forest-wide information.


:'''After this step the replication between Windows and Samba DCs is broken!'''. On Samba DCs, this can be seen for all inbound connections from Windows DCs. Example:


# samba-tool drs showrepl
.....
CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
Default-First-Site-Name\DC3 via RPC
DSA object GUID: 691da691-4996-49a0-b5d8-347111d4aa5d
Last attempt @ Sat Dec 20 18:20:14 2014 CET <u>failed, result 1359 (WERR_INTERNAL_ERROR)</u>
28 consecutive failure(s).
Last success @ Sat Dec 20 18:15:14 2014 CET


= Verifying Directory Replication =
* Continue executing the domain preparation. There should be no output and only a success message:


See [[Verifying_the_Directory_Replication_Statuses#Displaying_the_Replication_Statuses_on_a_Windows_DC|Displaying the Replication Statuses on a Windows DC]].
:[[Image:Join_Win2012R2_Adprep_Domainprep.png]]


{{Imbox
:This step will fail, if the Infrastructure Master role wasn't transfered to a Windows host, <u>before</u> updating the schema. In the domain preparation, the Infrastructure Master is involeved. And because of the broken replication after preparing the forest, the changes won't reached the Samba DCs. That's why the domainprep step can't be executed against a Samba DC any more!
| type = note
| text = To optimize replication latency and cost, the knowledge consistency checker (KCC) on Windows DCs do not create a fully-meshed replication topology between all DCs. For further details, see [[The Samba KCC]].
}}




Line 178: Line 172:




= The Sysvol Share =
= Promote Windows Server 2012 / 2012 R2 to a Domain Controller =


== Enabling the Sysvol Share ==
The following steps are executed on the 2012 / 2012 R2 host, that should be joined as a DC to the domain:


If you used a Samba domain controller (DC) as replication partner, the <code>Sysvol</code> share is not enabled. For details how to verify and enable the share, see [[Enabling the Sysvol Share on a Windows DC]].
* In the Server Manager, click the notify icon, that indicates a outstanding „Post-deployment Configuration“ task and choose „Promote this server to a domain controller“.


:[[Image:Join_Win2012R2_Server_Manager_Post_Deployment.png]]


* Select „Add a domain controller to an existing domain“, enter the domain name and credentials, that are allowed to join a DC to the domain. Afterwards click „Next“


== Sysvol Replication ==
:[[Image:Join_Win2012R2_DS_Wizzard_Page1.png]]


Samba currently does not support the DFS-R protocol required for Sysvol replication. Please manually synchronise the content between domain controllers (DC) or use a workaround such as [[Robocopy_based_SysVol_replication_workaround|Robocopy-based Sysvol Replication]].
* Set the Domain Controller capabilities, site information and the Directory Service Restore Mode password. The DSRM passwort is used to boot the Windows DC in a safe-mode, to restore or repair the AD. We assume here, to install the new DC with „DNS server“ and „Global catalog“. To continue, choose „Next“.


:[[Image:Join_Win2012R2_DS_Wizzard_Page2.png]]


* If you receive a message, that a delegation for this DNS server cannot be created, ignore it and continue with „Next“.


* Choose a Windows (!) Domain Controller to replicate from. This is necessary, because the schema is replicated via WMI and the SysVol content via FRS. Both is not supported by Samba yet. Click „Next“ to continue.

:[[Image:Join_Win2012R2_DS_Wizzard_Page3.png]]


* Adapt the folder locations, if desired. Click „Next“.


= Troubleshooting =
:[[Image:Join_Win2012R2_DS_Wizzard_Page4.png]]


== Error: <code>This operation is only allowed for the Primary Domain Controller of the domain</code> ==
* Review your settings. Click „Next“.


Windows displays this error if it fails to access the <code>Sysvol</code> on the Windows Server 2008 or 2008 R2 replication partner. For details, see [[Enabling the Sysvol Share on a Windows DC]].
* Windows executes some prerequisites checks. While warnings are Ok, any errors have to be solved, before you can continue. Click „Install“, to begin the DC promotion.


:[[Image:Join_Win2012R2_DS_Wizzard_Page5.png]]


:Notice: During the join of the first 2012 / 2012 R2 DC in a forest, the schema is updated, if it wasn't done [[#Updating_the_schema|before]]. The automatic update during the join would fail in a Samba / Windows mixed envionment. That's why we [[#Updating_the_schema|had updated the schema before]].


* The DC promotions begins. If the wizzard finishes its work successful, a message is shown for a short moment, before the new DC automatically reboots.


:[[Image:Join_Win2012R2_DS_Wizzard_Page6.png]]


----
* After the reboot, you can log into the new joined Windows Server 2012 / 2012 R2 Domain Controller.
[[Category:Active Directory]]
[[Category:Domain Control]]

Revision as of 15:42, 14 September 2018

Introduction

Samba supports Active Directory (AD) schema version 56 and 67. This enables you to join Windows Server 2012 and 2012 R2 to your Samba AD. However, you cannot join the first Windows Server 2012 or 2012 R2 domain controller (DC) directly, because the process uses the Windows management instrumentation (WMI) protocol for several tasks. To work around the problem, you require a Windows Server 2008 or 2008 R2 DC in the domain to join the first 2012 or 2012 R2 DC. After the first Windows Server 2012 or 2012 R2 DC was joined, you can this one as replication partner when joining further Windows DCs.



Warning

Requirements and Known Limitations

  • All Samba DCs must run 4.6 or later. For details about updating Samba, see Updating Samba.
  • Windows Server 2012 and 2012 R2 requires the Windows management instrumentation (WMI) protocol during the join, and for the forest and domain preparation. Samba currently does not support this protocol. Therefore you must run a Windows domain controller (DC) with WMI support in your domain. For example, you can a Windows Server 2008 or 2008 R2 DC as replication partner during the join.
If the Sysvol share is missing, joining a Windows Server 2012 or 2012 R2 DC fails.



Network Configuration

  • Click the Start button, search for View network connections, and open the search entry.
  • Right-click to your network adapter and select Properties.
  • Configure the IP settings:
  • Assign a static IP address, enter the subnet mask, and default gateway.
  • Enter the IP of a DNS server that is able to resolve the Active Directory (AD) DNS zone.
  • Click OK to save the settings.



Date and Time Settings

Active Directory uses Kerberos for authentication. Kerberos requires that the domain member and the domain controllers (DC) are having a synchronous time. If the difference exceeds 5 minutes (default), the client is not able to access domain resources for security reasons.

Before you join the domain, check the time configuration:

  • Open the Control Panel.
  • Navigate to Clock, Language and Region.
  • Click Date and Time.
  • Verify the date, time, and time zone settings. Adjust the settings, if necessary.
  • Click OK to save the changes.



FSMO Roles

When you join the first Windows Server 2012 or 2012 R2 host as a domain controller (DC) to an Active Directory (AD), the directory schema of the forest and domain is updated. You must run this process on an existing Windows 2008 or 2008 R2 domain controller (DC) that owns the following flexible single master operation (FSMO) roles:

  • Schema Master
  • Infrastructure Master
  • PDC Emulator

For details about transfering FSMO roles, see Transferring and Seizing FSMO Roles.

After the forest and domain schema was updated, you can optionally transfer the FSMO roles back to a Samba DC.



Installing the Active Directory Domain Services

  • Start the Server Manager.
  • Click Add roles and features.
  • Select Role-based or feature-based installation and click Next.
  • Click Select a server from the server pool and select the local Windows Server from the list. Click Next.
  • Select Active Directory Domain Services, including all dependencies. Click Next.
  • You do not need to select any additional features. Click Next.
  • Start the installation.
  • Click Close.



Joining the Windows Server to the Domain

  • Log in to your Windows Server 2012 or 2012 installation using the local administrator account.
  • Start the Server Manager.
  • Click the notifier icon on the top navigation bar and click Promote this server to a domain controller.
Join Win2012R2 Server Manager Post Deployment.png
  • Select Add a domain controller to an existing domain, enter the Samba Active Directory (AD) domain name and credentials that are enabled to join a domain controller (DC) to the domain, like the domain administrator account. Click Next.
  • Select the options to enable on the new DC and enter the directory services restore mode (DSRM) password. It is required to boot the Windows DC in safe-mode to restore or repair the AD in case of problems. Click Next.
Join Win2012R2 DS Wizzard Page2.png
  • If you enabled the DNS server option in the previous step, you may see a note, that a delegation for this DNS server cannot be created. Click Next.
  • Samba currently does not support schema replication using the Windows management instrumentation (WMI) protocol. For this reason, select an existing Windows Domain Controller in the domain as replication source and click Next.
Join Win2012R2 DS Wizzard Page3.png
  • Set the folders for the AD database, log files and the Sysvol folder. Click Next.
  • Click Next to confirm the operations, Windows is going to perform.
  • Verify your settings and click Next to start the prerequisite check.
  • Windows runs some prerequisites checks. If errors are displayed, fix them before you continue. Click Install.
  • Windows promotes the server to a DC. If it is the first Windows Server 2012 or 2012 R2 DC, the forest and domain schema is automatically updated.
  • If the wizard completes successfully, the Windows server is restarted automatically.



Verifying Directory Replication

See Displaying the Replication Statuses on a Windows DC.



The Sysvol Share

Enabling the Sysvol Share

If you used a Samba domain controller (DC) as replication partner, the Sysvol share is not enabled. For details how to verify and enable the share, see Enabling the Sysvol Share on a Windows DC.


Sysvol Replication

Samba currently does not support the DFS-R protocol required for Sysvol replication. Please manually synchronise the content between domain controllers (DC) or use a workaround such as Robocopy-based Sysvol Replication.



Troubleshooting

Error: This operation is only allowed for the Primary Domain Controller of the domain

Windows displays this error if it fails to access the Sysvol on the Windows Server 2008 or 2008 R2 replication partner. For details, see Enabling the Sysvol Share on a Windows DC.