Joining a Windows Server 2012 / 2012 R2 DC to a Samba AD
Revision as of 18:04, 17 May 2017
Introduction
Samba 4.5 introduces support for the directory schemas 56 (Windows Server 2012) and 67 (Windows Server 2012 R2). However, you cannot join the first Windows Server 2012 or 2012 R2 domain controller (DC) directly to a Samba Active Directory (AD), because the join uses the Windows Management Instrumentation (WMI) protocol for several tasks. As a workaround, you need a Windows Server 2008 or 2008 R2 DC in the domain to join the first 2012 or 2012 R2 DC. After the first DC with this Windows Server version is joined and the directory schema is updated, you can use this one as replication partner when you join other Windows Server 2012 or 2012 R2 DCs.
Windows Server 2012 and 2012 R2 as a DC, and the directory schemas 56 and 67, are experimental. If you encounter a bug, please report it at https://bugzilla.samba.org.
Warning
Joining a Windows Server 2012 or 2012 R2 DC to a Samba AD breaks the AD replication! Do not use this documentation until the problem is fixed! For more details, see Bug #12204.
Requirements and Known Limitations
- All Samba DCs must run 4.5.0 or later. For details about updating Samba, see Updating Samba.
- Windows Server 2012 and 2012 R2 require the Windows Management Instrumentation (WMI) protocol during the join and for the forest and domain preparation. Samba currently does not support this protocol. Thus you must have an existing Windows domain controller (DC) with WMI support in your domain. For example, you can use a Windows Server 2008 or 2008 R2 DC as replication partner during the join. For further information, see Joining a Windows Server 2008 / 2008 R2 DC to a Samba AD.
Network Configuration
- Click the "Start" button, search for "View network connections", and open the search entry.
- Right-click your network adapter and select "Properties".
- Configure the IP settings:
  - Assign a static IP address, and enter the subnet mask and the default gateway.
  - Enter the IP of a DNS server that is able to resolve the Active Directory (AD) DNS zone.
- Click "OK" to save the settings.
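The same network configuration done from an elevated PowerShell prompt, followed by a check that the chosen DNS server actually resolves the AD DNS zone (in an AD domain, the zone name itself resolves to the addresses of the DCs). This is an added example, not part of the Samba wiki page; the adapter name, addresses and domain name are assumptions, replace them with your own.

```powershell
# Added example (not from the Samba wiki): static IPv4 address, DNS server, and a
# check that the DNS server resolves the AD zone. All values are assumptions.
$InterfaceAlias = 'Ethernet'             # assumed adapter name, see Get-NetAdapter
$IPAddress      = '10.99.0.20'           # assumed static address of this server
$PrefixLength   = 24                     # 255.255.255.0
$Gateway        = '10.99.0.1'            # assumed default gateway
$DnsServer      = '10.99.0.10'           # assumed Samba DC that serves the AD zone
$AdDomain       = 'samdom.example.com'   # assumed AD DNS zone

# Disable DHCP on the adapter and drop any address or default route it assigned,
# otherwise New-NetIPAddress refuses to add a second default gateway.
Set-NetIPInterface -InterfaceAlias $InterfaceAlias -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Remove-NetRoute -InterfaceAlias $InterfaceAlias -DestinationPrefix '0.0.0.0/0' `
    -Confirm:$false -ErrorAction SilentlyContinue

New-NetIPAddress -InterfaceAlias $InterfaceAlias -IPAddress $IPAddress `
    -PrefixLength $PrefixLength -DefaultGateway $Gateway | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $DnsServer

function Test-AdZoneResolution {
    # Returns the DC addresses the DNS server hands out for the AD zone name;
    # an empty result means the server cannot resolve the zone and the join will fail.
    param([string]$Zone, [string]$Server)
    Resolve-DnsName -Name $Zone -Type A -Server $Server -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } |
        Select-Object -ExpandProperty IPAddress
}

$dcAddresses = Test-AdZoneResolution -Zone $AdDomain -Server $DnsServer
if (-not $dcAddresses) {
    throw "DNS server $DnsServer does not resolve the AD zone $AdDomain; fix DNS before joining."
}
"AD zone $AdDomain resolves to: $($dcAddresses -join ', ')"
```

Run it as a local administrator before the join; the final check is the cheapest way to catch a DNS server that serves only public zones and would make the join fail later with a vague error.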
Date and Time Settings
Active Directory uses Kerberos for authentication. Kerberos requires that the domain member and the domain controllers (DC) have synchronised clocks. If the difference exceeds 5 minutes (default), the client is not able to access domain resources for security reasons.
Before you join the domain, check the time configuration:
- Open the "Control Panel".
- Navigate to "Clock, Language and Region".
- Click "Date and Time".
- Verify the date, time, and time zone settings. Adjust the settings, if necessary.
- Click "OK" to save the changes.
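Instead of eyeballing the clock, you can measure the offset to an existing DC with the Windows Time service and compare it with the 5-minute Kerberos tolerance the section mentions. This is an added example, not part of the Samba wiki page; the DC name is an assumption, and the `w32tm /config` resync at the end is one way to correct a large offset on a not-yet-joined server.

```powershell
# Added example (not from the Samba wiki): measure the clock offset to a DC with
# w32tm and compare it with the Kerberos default tolerance of 5 minutes.
$Dc             = 'dc1.samdom.example.com'   # assumed FQDN of an existing DC
$MaxSkewSeconds = 300                        # Kerberos default: 5 minutes

function Get-ClockOffsetSeconds {
    # Averages a few w32tm samples. With /dataonly, each sample is printed as
    # "<time>, <offset>s", e.g. "18:04:01, +00.0123456s"; lines that are not
    # samples (headers, per-sample errors) do not match the pattern and are skipped.
    param([string]$Computer, [int]$Samples = 3)
    $lines = w32tm /stripchart /computer:$Computer /samples:$Samples /dataonly
    $offsets = foreach ($line in $lines) {
        if ($line -match '([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }
    }
    if (-not $offsets) { throw "w32tm returned no usable samples from $Computer" }
    ($offsets | Measure-Object -Average).Average
}

$offset = Get-ClockOffsetSeconds -Computer $Dc
"Clock offset to {0}: {1:N3} s (time zone: {2})" -f $Dc, $offset, (Get-TimeZone).Id

if ([math]::Abs($offset) -gt $MaxSkewSeconds) {
    Write-Warning "Offset exceeds $MaxSkewSeconds s; Kerberos authentication against the domain will fail."
    # Point the Windows Time service at the DC and force a resync (assumed fix; once the
    # server is a DC, the domain time hierarchy takes over this configuration).
    w32tm /config /syncfromflags:manual /manualpeerlist:$Dc /update
    w32tm /resync
}
```

A large offset together with a correct wall-clock time usually points at a wrong time zone rather than a wrong clock, which is why the script prints the zone next to the offset.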
FSMO Roles
When you join the first Windows Server 2012 or 2012 R2 host as a domain controller (DC) to an Active Directory (AD) forest, the directory schema and the domain are updated. This update must run on a Windows 2008 or 2008 R2 domain controller (DC). For updating the forest and directory schema, transfer the following two flexible single master operation (FSMO) roles to the Windows DC that is already a domain member:
- Schema Master
- Infrastructure Master
To transfer the two FSMO roles to a Windows Server 2008 or 2008 R2 DC, see Transferring and Seizing FSMO Roles.
If you successfully updated the schema during the first Windows Server 2012 or 2012 R2 join, you can later transfer the roles to a Samba DC again.
This is a necessary requirement, and the forest or domain preparation fails if a Samba DC holds one or both roles while the first Windows Server 2012 or 2012 R2 DC is being joined!
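To check this requirement before starting the join, list the current holders of the two roles together with their operating system, and move both roles to the Windows Server 2008 / 2008 R2 DC if anything else holds them. This is an added example, not part of the Samba wiki page; the target DC name is an assumption. The linked page on transferring and seizing FSMO roles remains the reference for the procedure, including the Samba side.

```powershell
# Added example (not from the Samba wiki): show the Schema Master and Infrastructure
# Master holders and move both roles to a Windows Server 2008 / 2008 R2 DC.
Import-Module ActiveDirectory

$TargetDc = 'win2008dc'   # assumed name of the Windows Server 2008 / 2008 R2 DC

function Get-PrepRoleHolders {
    # Returns one object per role: role name, holder host name, holder OS as stored in AD
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $roles = @(
        @('SchemaMaster',         $forest.SchemaMaster),
        @('InfrastructureMaster', $domain.InfrastructureMaster)
    )
    foreach ($pair in $roles) {
        $holder = Get-ADDomainController -Identity $pair[1]
        [pscustomobject]@{
            Role            = $pair[0]
            Holder          = $holder.HostName
            OperatingSystem = $holder.OperatingSystem
        }
    }
}

$before = Get-PrepRoleHolders
"Current role holders:"
$before | Format-Table -AutoSize

$targetHost = (Get-ADDomainController -Identity $TargetDc).HostName
$wrongHolder = $before | Where-Object { $_.Holder -ne $targetHost }
if ($wrongHolder) {
    # Any role not held by the 2008 / 2008 R2 DC makes the domain preparation fail,
    # so transfer both roles there before the first 2012 / 2012 R2 join.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc `
        -OperationMasterRole SchemaMaster, InfrastructureMaster -Confirm:$false
    "Role holders after the transfer:"
    Get-PrepRoleHolders | Format-Table -AutoSize
} else {
    "$targetHost already holds both roles."
}
```

Run it on a Windows machine with the AD PowerShell module as a member of Schema Admins and Domain Admins; after the first 2012 / 2012 R2 DC has joined and updated the schema, the same cmdlet can move the roles back to a Samba DC, as the text above allows.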
Installing the Active Directory Domain Services
- Start the "Server Manager".
- Click "Add roles and features".
- Select "Role-based or feature-based installation" and click "Next".
- Click "Select a server from the server pool" and select the local Windows Server from the list. Click "Next".
- Select "Active Directory Domain Services", including all dependencies. Click "Next".
- You do not need to select any additional features. Click "Next".
- Start the installation.
- Click "Close".
Joining the Windows Server to the Domain
- Log in to your Windows Server 2012 or 2012 R2 installation using the local administrator account.
- Start the "Server Manager".
- Click the notifier icon on the top navigation bar and click "Promote this server to a domain controller".
- Select "Add a domain controller to an existing domain", enter the Samba Active Directory (AD) domain name and credentials that are enabled to join a domain controller (DC) to the domain, like the domain administrator account. Click "Next".
- Select the options to enable on the new DC and enter the directory services restore mode (DSRM) password. It is required to boot the Windows DC in safe mode to restore or repair the AD in case of problems. Click "Next".
- If you enabled the "DNS server" option in the previous step, you may see a note that a delegation for this DNS server cannot be created. Click "Next".
- Samba currently does not support schema replication using the Windows Management Instrumentation (WMI) protocol. For this reason, select an existing Windows domain controller in the domain as replication source and click "Next".
- Set the folders for the AD database, log files, and the Sysvol folder. Click "Next".
- Click "Next" to confirm the operations Windows is going to perform.
- Verify your settings and click "Next" to start the prerequisite check.
- Windows runs some prerequisite checks. If any errors are displayed, fix them before you continue. Click "Install".
- The DC promotion begins.
- If this is the first Windows Server 2012 or 2012 R2 DC in your AD forest, the installation wizard is only able to run the AD forest preparation; the domain preparation step fails. This step breaks the AD directory replication! For more details, see Warning. To work around:
  - Log in using the domain administrator account to your existing Windows Server 2008 or 2008 R2 installation that owns the Schema Master and the Infrastructure Master flexible single master operation (FSMO) roles.
  - Insert the Windows Server 2012 or Windows 2012 R2 installation DVD.
  - Open a command line and change to the support\adprep folder on the installation DVD. For example, if your DVD drive is D:
      > D:
      > cd support\adprep\
  - Start the domain preparation:
      > adprep /domainprep
  - You see the following message if the preparation succeeds:
      Adprep successfully updated the domain-wide information.
  - Restart the Joining the Windows Server to the Domain process.
- If the wizard completes successfully, the Windows server is restarted automatically.
- Verify that all DC related DNS records have been created during the promotion. See Verifying and Creating a DC DNS Record.
Do not continue without checking the DNS records. They must exist for a working directory replication!
Verifying Directory Replication
See Displaying the Replication Statuses on a Windows DC.
To optimize replication latency and cost, the knowledge consistency checker (KCC) on Windows DCs does not create a fully-meshed replication topology between all DCs. For further details, see The Samba KCC.
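The two checks the previous steps ask for, the DC DNS records and the replication status, can be run from the new DC in one go. This is an added example, not part of the Samba wiki page; the DC name, domain name and DNS server are assumptions. It checks the SRV records clients and other DCs use to locate a DC and then lists every replication partner that reports a failure.

```powershell
# Added example (not from the Samba wiki): verify the new DC's SRV records and list
# replication partners with failures. Names below are assumptions.
Import-Module ActiveDirectory

$NewDc     = 'win2012dc'                # assumed short name of the DC just promoted
$AdDomain  = 'samdom.example.com'       # assumed AD DNS zone
$DnsServer = 'dc1.samdom.example.com'   # assumed DNS server to query

function Test-DcSrvRecords {
    # For each locator record, reports whether the new DC appears among its targets
    param([string]$DcName, [string]$Domain, [string]$Server)
    $fqdn  = "$DcName.$Domain"
    $names = @(
        "_ldap._tcp.dc._msdcs.$Domain",
        "_kerberos._tcp.dc._msdcs.$Domain",
        "_ldap._tcp.$Domain",
        "_kerberos._tcp.$Domain"
    )
    foreach ($n in $names) {
        $targets = Resolve-DnsName -Name $n -Type SRV -Server $Server -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'SRV' } |
            Select-Object -ExpandProperty NameTarget
        [pscustomobject]@{ Record = $n; Present = ($targets -contains $fqdn) }
    }
}

function Get-ReplicationProblems {
    # Returns inbound and outbound partner entries whose last attempt failed or
    # that have accumulated consecutive failures; an empty result is the goal.
    param([string]$DcName)
    Get-ADReplicationPartnerMetadata -Target $DcName -PartnerType Both |
        Where-Object { $_.LastReplicationResult -ne 0 -or $_.ConsecutiveReplicationFailures -gt 0 } |
        Select-Object Server, Partner, Partition, LastReplicationResult,
                      ConsecutiveReplicationFailures, LastReplicationSuccess
}

$srv = Test-DcSrvRecords -DcName $NewDc -Domain $AdDomain -Server $DnsServer
$srv | Format-Table -AutoSize
if ($srv.Present -contains $false) {
    Write-Warning "Some DC records for $NewDc are missing; replication will not work until they exist."
}

$problems = Get-ReplicationProblems -DcName $NewDc
if ($problems) { $problems | Format-Table -AutoSize } else { "No replication failures reported by $NewDc." }
# Equivalent command-line view of the replication state: repadmin /showrepl $NewDc
```

Because the KCC does not build a full mesh, a DC that is missing from one partner list is not necessarily a problem; a non-zero LastReplicationResult or growing ConsecutiveReplicationFailures on any listed partner is.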
During the join, Windows tries to replicate the Sysvol directory content from an existing domain controller (DC). Samba currently does not support the DFS-R protocol. For this reason, the new DC may not show a Sysvol share. To enable the share:
- Save the following content as plain text in a file named, for example, Win-Create-Sysvol-Share.reg:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
    "SysvolReady"=dword:00000001
  Use a text editor that stores the file in plain text, such as "Notepad" or "Editor".
- Log in using an account that is a member of the local Administrators group.
- Double-click the file to import it into the Windows registry.
- Reboot for the changes to take effect.
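The same registry change can be applied and verified from an elevated PowerShell prompt, which avoids the plain-text-editor pitfall of the .reg file. This is an added example, not part of the Samba wiki page; it sets exactly the key and value shown above and checks for the share afterwards.

```powershell
# Added example (not from the Samba wiki): set SysvolReady with PowerShell and
# verify that the SYSVOL share is present. Run as a local administrator.
$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$Name = 'SysvolReady'

function Set-SysvolReady {
    # Same key and REG_DWORD value as the .reg file above; Set-ItemProperty
    # creates the value when it does not exist yet. Returns the stored value.
    Set-ItemProperty -Path $Key -Name $Name -Value 1 -Type DWord
    (Get-ItemProperty -Path $Key -Name $Name).$Name
}

function Test-SysvolShare {
    # $true when the SMB server exports a share named SYSVOL
    $share = Get-SmbShare -Name 'SYSVOL' -ErrorAction SilentlyContinue
    [bool]$share
}

if (Test-SysvolShare) {
    "SYSVOL share is already present."
} elseif ((Set-SysvolReady) -eq 1) {
    "SysvolReady set to 1. Reboot, then run Test-SysvolShare again to confirm the share."
    # Restart-Computer   # uncomment to reboot immediately, as the steps above require
} else {
    Write-Warning "Could not set $Name under $Key; check that the prompt is elevated."
}
```

The value only tells Netlogon that Sysvol is ready to be shared; it does not replicate any content, so the synchronisation described in the next section is still needed.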
Sysvol replication
Samba currently does not support the DFS-R protocol required for Sysvol replication. Please manually synchronise the content between the DCs or use a workaround like Robocopy-based Sysvol Replication.