Joining a Windows Server 2012 / 2012 R2 DC to a Samba AD: Difference between revisions

From SambaWiki
m (Fix link)
m (→Warning: Remove fixed bug from warning)
 
(22 intermediate revisions by 5 users not shown)
Previous revision (the old side of the diff; the current revision is rendered in full under "Latest revision" below)

= Introduction =

== WARNING ==

'''Samba based AD currently doesn't support joining a Microsoft Windows 2012/2012R2 Server <u>as a Domain Controller</u> to a Samba Active Directory! Joining as a Member Server works. Follow the [[Joining_a_Windows_Client_or_Server_to_a_Domain|respective documentation]].'''

'''This documentation describes the necessary steps and workarounds required for this task. Because of the missing 2012/2012R2 AD schema support in Samba, the join will break your installation!'''

'''This documentation is for research and debugging only, until all problems and limitations are fixed!'''

'''Only use this documentation <u>in labs for testing purposes and not in production</u>, because this process will break replication and the AD database!'''

== KNOWN LIMITATIONS ==

* Samba is shipped with AD schema version 47 (Windows Server 2008 R2). To join a newer version as DC, this schema has to be updated to 56 (Windows Server 2012) or 69 (Windows Server 2012 R2). The Samba AD database backend currently doesn't support all the changes introduced by the new schemas. This leads to broken replication between Samba and Windows DCs for the affected directory partitions, which cannot be fixed at the moment. '''In simple words: broken replication makes the AD inconsistent and will destroy your AD!'''

* At least one [[Joining_a_Windows_Server_2008_/_2008_R2_DC_to_a_Samba_AD|Windows Server 2008 / 2008R2 DC]] is required in the domain, because a 2012 DC replicates the AD content via WMI (Windows Management Instrumentation) from the Schema Master, which isn't implemented in Samba yet. This Windows DC must also have an accessible SysVol share, because the 2012 DC synchronizes its content via the FRS or DFS-R protocol („SysVol Replication“), neither of which is implemented in Samba yet.

== Server information ==

This documentation uses the following configuration/settings:

 '''Existing Samba DCs in the domain:'''
 Domain Controllers: DC1 (10.99.0.1), DC2 (10.99.0.2)
 DCs act also as a DNS server: yes
 '''Existing Windows 2008R2 DC in the domain:'''
 Domain Controller: DC3 (10.99.0.3)
 '''Domain information:'''
 DNS Domain Name: samdom.example.com
 NT4 Domain Name (NETBIOS): SAMDOM
 DNS Servers: 10.99.0.1, 10.99.0.2
 Domain Administrator: Administrator
 Domain Administrator Password: passw0rd
 '''DC additionally joined to the domain:'''
 Hostname: DC4
 IP Address: 10.99.0.4
 Operating System: Microsoft Windows Server 2012 R2

= Installation / Preparation =

== General ==

* Install Windows Server 2012 / 2012 R2.

== Date And Time Settings ==

Active Directory uses Kerberos for authentication, which relies on a consistent time across the network. Before you can join the client to the domain, the time on the client must not differ by more than [http://technet.microsoft.com/en-us/library/cc779260%28v=ws.10%29.aspx 5 minutes] (default setting in an AD) from your Domain Controller.

* Search for „Date and time settings“

:[[Image:Join_Win2012R2_Search_Date_and_time_settings.png]]

* Check your date, time and time zone settings.

== Configure Network ==

* Search for „Network and Sharing Center“

:[[Image:Join_Win2012R2_Search_Network_Sharing_Center.png]]

* Click „Change adapter settings“

* Right-click your network connection and choose „Properties“

* Configure the IP properties. Make sure that you use a DNS server that is authoritative for your AD DNS domain!

:[[Image:Join_Win2012R2_IP_Configuration.png]]

== FSMO Roles ==

As mentioned in the [[#KNOWN_LIMITATIONS|KNOWN LIMITATIONS]] section, joining a Windows Server 2012 / 2012 R2 requires an AD schema update. Because the Samba AD database backend doesn't support these changes yet, it is necessary that the Schema Master (forest) and the Infrastructure Master (domain) FSMO roles are held by an already joined Windows 2008 / 2008 R2 DC. This allows the update to proceed, but will irrevocably break the replication with all Samba DCs! <u>This is the main reason why this documentation is not for use in production environments!</u>

=== Schema Master FSMO Role ===

This step is a workaround, because since Server 2012 the DC promotion process uses WMI (Windows Management Instrumentation) to retrieve data from the Schema Master.

See the documentation about [[Transfering_and_Seizing_FSMO_Roles#Windows_FSMO_Role_Management|Windows GUI tools, to transfer the Schema Master role]].

=== Infrastructure Master FSMO Role ===

This workaround is required because, after updating the schema on the Schema Master of the forest, the Infrastructure Master is involved when preparing the domain for the new schema. Because the schema update breaks the replication with Samba DCs, it is no longer possible to do the domain preparation against a Samba DC afterwards.

See the documentation about [[Flexible_Single-Master_Operations_(FSMO)_roles#FSMO_role_management_using_the_Windows_GUI|Windows GUI tools, to transfer the Infrastructure Master role]].

= Installation: Active Directory Domain Services =

The following steps have to be executed on the 2012 / 2012 R2 host that should be joined as a DC later. Do this locally on this host or use RSAT on Windows 8 / 8.1 to execute the commands remotely.

* Open the Server Manager

* Click „Add roles and features“

:[[Image:Join_Win2012R2_Server_Manager.png]]

* Choose „Role-based or feature-based installation“. Click „Next“.

* „Select a server from the server pool“ and choose the Windows Server from the list on which to install the AD DC features. Click „Next“.

* Choose „Active Directory Domain Services“ from the list, including all dependencies. Click „Next“.

* Add additional features, if wanted. Click „Next“.

* Start the installation

* Click „Close“ after the installation is finished.

= Updating the schema =

'''WARNING: These steps will break your Samba AD! Only do this in a lab environment for testing purposes!'''

The following steps have to be executed on the Windows 2008/2008 R2 DC that owns the Schema Master and Infrastructure Master roles:

* Log into the existing 2008 / 2008 R2 DC using an account that is a member of the universal groups „Schema Admins“ and „Enterprise Admins“.

* Insert the Windows 2012 / 2012 R2 Installation DVD

* Open a command line and navigate into the following folder (assuming D: is your DVD drive with the 2012 / 2012 R2 installation DVD)

 > D:
 > cd support/adprep

:[[Image:Join_Win2012R2_Adprep_DVD.png]]

* Start the forest preparation (schema update on forest level) by executing

 > adprep.exe /forestprep

:[[Image:Join_Win2012R2_Adprep_Forestprep.png]]
:A successful run should end with the message

 Adprep successfully updated the forest-wide information.

:'''After this step the replication between Windows and Samba DCs is broken!''' On Samba DCs, this can be seen for all inbound connections from Windows DCs. Example:

 # samba-tool drs showrepl
 .....
 CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
 Default-First-Site-Name\DC3 via RPC
 DSA object GUID: 691da691-4996-49a0-b5d8-347111d4aa5d
 Last attempt @ Sat Dec 20 18:20:14 2014 CET <u>failed, result 1359 (WERR_INTERNAL_ERROR)</u>
 28 consecutive failure(s).
 Last success @ Sat Dec 20 18:15:14 2014 CET

* Continue with the domain preparation (<code>adprep.exe /domainprep</code>). There should be no output except a success message:

:[[Image:Join_Win2012R2_Adprep_Domainprep.png]]

:This step will fail if the Infrastructure Master role wasn't transferred to a Windows host <u>before</u> updating the schema. The Infrastructure Master is involved in the domain preparation, and because of the broken replication after preparing the forest, the changes won't reach the Samba DCs. That's why the domainprep step can't be executed against a Samba DC any more.

= Promote Windows Server 2012 / 2012 R2 to a Domain Controller =

The following steps are executed on the 2012 / 2012 R2 host that should be joined as a DC to the domain:

* In the Server Manager, click the notification icon that indicates an outstanding „Post-deployment Configuration“ task and choose „Promote this server to a domain controller“.

:[[Image:Join_Win2012R2_Server_Manager_Post_Deployment.png]]

* Select „Add a domain controller to an existing domain“, enter the domain name and credentials that are allowed to join a DC to the domain. Afterwards click „Next“.

:[[Image:Join_Win2012R2_DS_Wizzard_Page1.png]]

* Set the Domain Controller capabilities, site information and the Directory Services Restore Mode password. The DSRM password is used to boot the Windows DC in a safe mode to restore or repair the AD. We assume here that the new DC is installed with „DNS server“ and „Global catalog“. To continue, choose „Next“.

:[[Image:Join_Win2012R2_DS_Wizzard_Page2.png]]

* If you receive a message that a delegation for this DNS server cannot be created, ignore it and continue with „Next“.

* Choose a Windows (!) Domain Controller to replicate from. This is necessary because the schema is replicated via WMI and the SysVol content via FRS or DFS-R. Neither is supported by Samba yet. Click „Next“ to continue.

:[[Image:Join_Win2012R2_DS_Wizzard_Page3.png]]

* Adapt the folder locations, if desired. Click „Next“.

:[[Image:Join_Win2012R2_DS_Wizzard_Page4.png]]

* Review your settings. Click „Next“.

* Windows executes some prerequisite checks. While warnings are OK, any errors have to be solved before you can continue. Click „Install“ to begin the DC promotion.

:[[Image:Join_Win2012R2_DS_Wizzard_Page5.png]]

:Notice: During the join of the first 2012 / 2012 R2 DC in a forest, the schema is updated if it wasn't done [[#Updating_the_schema|before]]. The automatic update during the join would fail in a Samba / Windows mixed environment. That's why we [[#Updating_the_schema|updated the schema before]].

* The DC promotion begins. If the wizard finishes its work successfully, a message is shown for a short moment before the new DC automatically reboots.

:[[Image:Join_Win2012R2_DS_Wizzard_Page6.png]]

* After the reboot, you can log into the newly joined Windows Server 2012 / 2012 R2 Domain Controller.

----
[[Category:Active Directory]]
[[Category:Domain Control]]
Latest revision as of 08:27, 19 July 2023

Warning

There be dragons! Joining a Windows Server as DC to a Samba AD domain is generally not recommended.

Introduction

Samba supports Active Directory (AD) schema versions 47, 56 and 69. This enables you to join Windows Server 2012 and 2012 R2 to your Samba AD.

For Samba 4.11 and later, schema 69 support is no longer experimental, but support for Windows Server 2012 and 2012 R2 DCs possibly still is. Please report bugs and incompatibilities. For details, see Bug Reporting.

Warning

Joining a Windows Server 2012 or 2012 R2 DC to a Samba AD with 2012R2 functional level breaks the AD replication! Do not use this documentation until the problem is fixed! For more details, see Bug #13618 (https://bugzilla.samba.org/show_bug.cgi?id=13618). Windows 2012 can join a down-level (2008/2008R2) domain, just not at Functional Level 2012/2012R2, provided the schema is updated, which Samba can do.

Requirements and Known Limitations

  • All Samba DCs must run 4.6 or later. For details about updating Samba, see Updating Samba.
  • The Windows Server 2008 or 2008 R2 host used for the initial replication must provide a Sysvol share. For details, see Enabling the Sysvol Share on a Windows DC. If the Sysvol share is missing, joining a Windows Server 2012 or 2012 R2 DC fails.

Network Configuration

  • Click the Start button, search for View network connections, and open the search entry.
  • Right-click your network adapter and select Properties.
  • Configure the IP settings:
      • Assign a static IP address, enter the subnet mask, and default gateway.
      • Enter the IP of a DNS server that is able to resolve the Active Directory (AD) DNS zone.
  • Click OK to save the settings.



Date and Time Settings

Active Directory uses Kerberos for authentication. Kerberos requires that the domain member and the domain controllers (DC) have synchronized clocks. If the difference exceeds 5 minutes (default), the DCs reject the client's Kerberos requests and it cannot access domain resources.

Before you join the domain, check the time configuration:

  • Open the Control Panel.
  • Navigate to Clock, Language and Region.
  • Click Date and Time.
  • Verify the date, time, and time zone settings. Adjust the settings, if necessary.
  • Click OK to save the changes.



FSMO Roles

When you join the first Windows Server 2012 or 2012 R2 host as a domain controller (DC) to an Active Directory (AD), the directory schema of the forest and domain is updated. You must run this process on an existing Windows 2008 or 2008 R2 domain controller (DC) that owns the following flexible single master operation (FSMO) roles:

  • Schema Master
  • Infrastructure Master
  • PDC Emulator

For details about transferring FSMO roles, see Transferring and Seizing FSMO Roles.

Forest and domain preparation fails if a Samba DC holds any of the roles mentioned above when you join the first Windows Server 2012 or 2012 R2 DC.

After the forest and domain schema have been updated, you can optionally transfer the FSMO roles back to a Samba DC.
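As an added example (not part of the Samba wiki or of samba-tool itself), the following POSIX shell snippet checks the precondition above from a Samba DC before the first 2012 / 2012 R2 DC is promoted: it parses the output of `samba-tool fsmo show` and reports which of the Schema Master, Infrastructure Master and PDC Emulator roles are not yet held by the Windows 2008 / 2008 R2 DC. The role names and the "Role owner: <NTDS Settings DN>" line format are assumed to match what `samba-tool fsmo show` prints; verify them against your Samba version. The `FSMO_OUTPUT` value is a constructed sample for the lab on this page (DC1/DC2 Samba, DC3 Windows 2008 R2) in which the Schema Master was left on DC1.

```shell
#!/bin/sh
# Added example, not from the Samba wiki: verify that the FSMO roles this page
# requires on a Windows 2008/2008 R2 DC are really held by that DC.
#
# FSMO_OUTPUT holds the captured output of `samba-tool fsmo show`. On a real
# Samba DC replace the sample with:
#   FSMO_OUTPUT=$(samba-tool fsmo show)
# The value below is a CONSTRUCTED sample (role names/format assumed to match
# samba-tool) for the page's lab, with the Schema Master wrongly still on DC1.
FSMO_OUTPUT='SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com'

# fsmo_owner ROLE: print the short DC name owning ROLE (e.g. SchemaMaster),
# i.e. the CN that follows "CN=NTDS Settings," in the owner DN.
fsmo_owner() {
    printf '%s\n' "$FSMO_OUTPUT" | awk -v role="$1" '
        $1 == (role "Role") {
            sub(/.*CN=NTDS Settings,CN=/, "")
            sub(/,.*/, "")
            print
            exit
        }'
}

# fsmo_roles_not_on WINDOWS_DC: list the roles the page requires on the
# Windows 2008/2008 R2 DC (Schema Master, Infrastructure Master, PDC Emulator)
# that are NOT owned by WINDOWS_DC, one per line. Empty output = precondition met.
fsmo_roles_not_on() {
    for role in SchemaMaster InfrastructureMaster PdcEmulationMaster; do
        owner=$(fsmo_owner "$role")
        [ "$owner" = "$1" ] || printf '%s held by %s\n' "$role" "${owner:-<none>}"
    done
}

# fsmo_precheck WINDOWS_DC: return 0 if all three roles are on WINDOWS_DC,
# 1 otherwise (offending roles on stderr). Do not start the join while this
# fails: forest/domain preparation would run against a Samba role holder.
fsmo_precheck() {
    missing=$(fsmo_roles_not_on "$1")
    if [ -n "$missing" ]; then
        printf 'Transfer these roles to %s first (Windows GUI or ntdsutil):\n%s\n' "$1" "$missing" >&2
        return 1
    fi
    printf 'All required FSMO roles are on %s\n' "$1"
}

fsmo_precheck DC3 || true   # with the sample: "SchemaMaster held by DC1"
```

Run it on a Samba DC with `FSMO_OUTPUT=$(samba-tool fsmo show)` and the Windows DC's short name as the argument; only start the promotion when `fsmo_precheck` succeeds. Once the schema update is through and you want the roles back on Samba, `samba-tool fsmo transfer --role=schema` (and `--role=infrastructure`, `--role=pdc`) run on the target Samba DC does the transfer in the other direction.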



Installing the Active Directory Domain Services

  • Start the Server Manager.
  • Click Add roles and features.
  • Select Role-based or feature-based installation and click Next.
  • Click Select a server from the server pool and select the local Windows Server from the list. Click Next.
  • Select Active Directory Domain Services, including all dependencies. Click Next.
  • You do not need to select any additional features. Click Next.
  • Start the installation.
  • Click Close.



Joining the Windows Server to the Domain

  • Log in to your Windows Server 2012 or 2012 R2 installation using the local administrator account.
  • Start the Server Manager.
  • Click the notifier icon on the top navigation bar and click Promote this server to a domain controller.
    [Image: Join Win2012R2 Server Manager Post Deployment.png]
  • Select Add a domain controller to an existing domain, enter the Samba Active Directory (AD) domain name and credentials that are permitted to join a domain controller (DC) to the domain, such as the domain administrator account. Click Next.
  • Select the options to enable on the new DC and enter the directory services restore mode (DSRM) password. The DSRM password is required to boot the Windows DC in safe mode to restore or repair the AD in case of problems. Click Next.
    [Image: Join Win2012R2 DS Wizzard Page2.png]
  • If you enabled the DNS server option in the previous step, you may see a note that a delegation for this DNS server cannot be created. Click Next.
  • Samba currently does not support schema replication using the Windows Management Instrumentation (WMI) protocol. For this reason, select an existing Windows domain controller in the domain as the replication source and click Next.
    [Image: Join Win2012R2 DS Wizzard Page3.png]
  • Set the folders for the AD database, log files and the Sysvol folder. Click Next.
  • Click Next to confirm the operations Windows is going to perform.
  • Verify your settings and click Next to start the prerequisite check.
  • Windows runs some prerequisite checks. If errors are displayed, fix them before you continue. Click Install.
  • Windows promotes the server to a DC. If it is the first Windows Server 2012 or 2012 R2 DC, the forest and domain schema is automatically updated. Warning: this step breaks the AD directory replication! For details, see the Warning section.
  • If the wizard completes successfully, the Windows server is restarted automatically.
  • Verify that all DC related DNS records have been created during the promotion. See Verifying and Creating a DC DNS Record. Do not continue without checking the DNS records. They must exist for a working directory replication!



Verifying Directory Replication

See Displaying the Replication Statuses on a Windows DC.
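On the Samba side the same check is `samba-tool drs showrepl`. Because the replication breakage this page warns about shows up there as failing inbound connections (the page's own excerpt shows "failed, result 1359 (WERR_INTERNAL_ERROR)" and "28 consecutive failure(s)" for the schema partition from DC3), the following added example (not Samba code) parses that output and turns it into an exit status you can script against. `SAMPLE_SHOWREPL` is a constructed sample modelled on the page's excerpt; the DSA GUIDs for DC1 and DC2, the success wording and the exact indentation are assumptions about the samba-tool output format.

```shell
#!/bin/sh
# Added example, not from the Samba wiki: flag failing inbound replication
# connections in `samba-tool drs showrepl` output. Real use on a Samba DC:
#   samba-tool drs showrepl | repl_check
#
# CONSTRUCTED sample modelled on the page's excerpt (schema partition from the
# Windows DC DC3 failing with WERR_INTERNAL_ERROR, domain partition from DC2
# healthy; the outbound failure below must be ignored by the inbound check).
SAMPLE_SHOWREPL='Default-First-Site-Name\DC1
DSA Options: 0x00000001
DSA object GUID: 1f2c1a20-0000-4000-8000-000000000001
DSA invocationId: 1f2c1a20-0000-4000-8000-000000000002

==== INBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC3 via RPC
        DSA object GUID: 691da691-4996-49a0-b5d8-347111d4aa5d
        Last attempt @ Sat Dec 20 18:20:14 2014 CET failed, result 1359 (WERR_INTERNAL_ERROR)
        28 consecutive failure(s).
        Last success @ Sat Dec 20 18:15:14 2014 CET

DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 3a6d2c7e-0000-4000-8000-000000000003
        Last attempt @ Sat Dec 20 18:21:02 2014 CET was successful
        0 consecutive failure(s).
        Last success @ Sat Dec 20 18:21:02 2014 CET

==== OUTBOUND NEIGHBORS ====

DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC3 via RPC
        DSA object GUID: 691da691-4996-49a0-b5d8-347111d4aa5d
        Last attempt @ Sat Dec 20 18:20:30 2014 CET failed, result 1359 (WERR_INTERNAL_ERROR)
        5 consecutive failure(s).
        Last success @ Sat Dec 20 18:15:14 2014 CET
'

# repl_failures: read showrepl output on stdin; print one tab-separated line
# "<source DC> <partition> <n> failures <result>" per inbound connection whose
# consecutive-failure counter is above zero. Only the INBOUND NEIGHBORS section
# is considered; unindented lines there are partition DNs.
repl_failures() {
    awk '
        /^==== INBOUND NEIGHBORS ====/ { inbound = 1; next }
        /^==== /                       { inbound = 0; next }
        !inbound                       { next }
        { line = $0; sub(/^[ \t]+/, "", line) }
        line == ""                     { next }
        $0 !~ /^[ \t]/                 { partition = line; next }
        line ~ / via /                 { source = line; sub(/ via .*/, "", source); result = ""; next }
        line ~ /^Last attempt/ && line ~ /failed/ { result = line; sub(/.*failed, /, "", result); next }
        line ~ /consecutive failure/   { n = line + 0
                                         if (n > 0) printf "%s\t%s\t%d failures\t%s\n", source, partition, n, result }
    '
}

# repl_check: return 0 when no inbound connection is failing, 1 otherwise
# (offending connections on stderr). Suitable for cron/monitoring.
repl_check() {
    failures=$(repl_failures)
    if [ -n "$failures" ]; then
        printf 'Inbound replication failures:\n%s\n' "$failures" >&2
        return 1
    fi
    printf 'Inbound replication OK\n'
}

printf '%s\n' "$SAMPLE_SHOWREPL" | repl_check || true   # sample: reports DC3 / CN=Schema
```

Run `repl_check` on every Samba DC after the Windows DC has rebooted and its DNS records exist; a non-zero exit immediately after the promotion is the replication breakage described in the Warning section, not a transient KCC delay, when the counter keeps growing and the partition is the schema or configuration partition.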



The Sysvol Share

Enabling the Sysvol Share

If you used a Samba domain controller (DC) as replication partner, the Sysvol share is not enabled. For details how to verify and enable the share, see Enabling the Sysvol Share on a Windows DC.


Sysvol Replication

Samba currently does not support the DFS-R protocol required for Sysvol replication. Please manually synchronise the content between domain controllers (DC) or use a workaround such as Robocopy-based Sysvol Replication.



Troubleshooting

Error: This operation is only allowed for the Primary Domain Controller of the domain

Windows displays this error if it fails to access the Sysvol on the Windows Server 2008 or 2008 R2 replication partner. For details, see Enabling the Sysvol Share on a Windows DC.