Difference between revisions of "Joining a Windows Server 2012 / 2012 R2 DC to a Samba AD"
m (→KNOWN LIMITATIONS)
|Line 13:||Line 13:|
== KNOWN LIMITATIONS ==
== KNOWN LIMITATIONS ==
* Samba is shipped with AD schema version 47 (Windows Server 2008 R2). To join a newer version as DC, this schema has to be updated to 56 (Windows Server 2012) or 69 (Windows Server 2012 R2). The Samba AD database backend currently doesn't support all changes
* Samba is shipped with AD schema version 47 (Windows Server 2008 R2). To join a newer version as DC, this schema has to be updated to 56 (Windows Server 2012) or 69 (Windows Server 2012 R2). The Samba AD database backend currently doesn't support all changes introduced by the new schemas. This would lead broken replication between Samba and Windows DCs for the affected directory partitions, be fixed at the moment! '''In simple words: A broken replication makes the AD inconsistent and destroy your AD!'''
== Server information ==
== Server information ==
Revision as of 18:22, 17 April 2015
- 1 Introduction
- 2 Installation / Preparation
- 3 Installation: Active Directory Domain Services
- 4 Updating the schema
- 5 Promote Windows Server 2012 / 2012 R2 to a Domain Controller
Samba based AD currently doesn't support joining a Microsoft Windows 2012/2012R2 Server as a Domain Controller to a Samba Active Directory! Joining as a Member Server works. Follow the respective documentation.
This documentation describes the necessary steps and workarounds required for this task. Because of the missing 2012/2012R2 AD schema support in Samba, the join will break your installation!
This documentation is for research and debugging only, until all problems and limitations are fixed!
Only use this documentation in labs for testing purposes and not in production, because this process will break replication and the AD database!!!
- Samba is shipped with AD schema version 47 (Windows Server 2008 R2). To join a newer version as DC, this schema has to be updated to 56 (Windows Server 2012) or 69 (Windows Server 2012 R2). The Samba AD database backend currently doesn't support all the changes introduced by the new schemas. This would lead to broken replication between Samba and Windows DCs for the affected directory partitions, this cannot be fixed at the moment! In simple words: A broken replication makes the AD inconsistent and will destroy your AD!
- At least one Windows Server 2008 / 2008R2 DC is required in the domain, because 2012 replicates the AD content via WMI (Windows Management Instrumentation) from the Schema Master, this isn't implemented yet in Samba. This Windows DC must also have an accessible SysVol share, as 2012 syncronizes its content via DFS-R protocol („SysVol Replication“), which also isn't implemented in Samba yet.
This documentation uses the following configuration/settings:
Existing Samba DCs in the domain: Domain Controllers: DC1 (10.99.0.1), DC2 (10.99.0.2) DCs act also as a DNS server: yes Existing Windows 2008R2 DC in the domain: Domain Controller: DC3 (10.99.0.3) Domain information: DNS Domain Name: samdom.example.com NT4 Domain Name (NETBIOS): SAMDOM DNS Servers: 10.99.0.1, 10.99.0.2 Domain Administrator: Administrator Domain Administrator Password: passw0rd DC additionally joined to the domain: Hostname: DC4 IP Address: 10.99.0.4 Operating System: Microsoft Windows Server 2012 R2
Installation / Preparation
- Install Windows Server 2012 / 2012 R2.
Date And Time Settings
Active Directory uses Kerberos for authentication, which relies on a fairly consistent time across the network. This makes it necessary, that, before you can join the client to the Domain, the time on the client does not differ more than 5 minutes (default setting in an AD) to your Domain Controller.
- Search for „Network and Sharing Center“
- Check your date, time and time zone settings.
- Search for „Network and Sharing Center“
- Click „Change adapter settings“
- Right-click to your network connection and choose „properties“
- Configure the IP properties. Make sure, that you use a DNS server, that is authoritative for your AD DNS domain!
As mentioned in the KNOWN LIMITATIONS section, joining a Windows Server 2012 / 2012 R2 requires an AD schema update. Because the Samba AD database backend doesn't support these changes yet, it's neccessary that the involed Schema Master (forest) and the Infrastructure Master (domain) FSMO role are hold by an already joined Windows 2008 / 2008 R2 DC. This allows the update to proceed, but will irrevocable break the replication with all Samba DCs! This is the main reason, why this documentation is not for usage in production environments!
Schema Master FSMO Role
This step is a workaround, because since Server 2012, the DC promotion process uses WMI (Windows Management Instrumentation), to retrieve data from the Schema Master.
See the documentation about Windows GUI tools, to transfer the Schema Master role.
Infrastructure Master FSMO Role
This workaround is required, because after updating the schema on the Schema Master of the forest, the Infrastructure Master is involved when preparing the domain for the new schema. Because after the schema update - what will break the replication with Samba DCs - it wouldn't be possible to do the preparation against a Samba DC any more.
See the documentation about Windows GUI tools, to transfer the Infrastructure Master role.
Installation: Active Directory Domain Services
The folling steps have to executed on the 2012 / 2012 R2 host, that should be joined as a DC later. Do this locally on this host or use RSAT on Windows 8 / 8.1 to execute the commands remotely.
- Open the Server Manager
- Click „Add roles and features“
- Choose „Role-based or feature-based installation“. Click „Next“.
- „Select a server from the server pool“ and choose the Windows Server out of the list, where to install the AD DC features. Click „Next“.
- Choose „Active Directory Domain Services“ from the list, including all dependencies. Click „Next“.
- Add additional features, if wanted. Click „Next“.
- Start the installation
- Click „Close“, after the installation is finished.
Updating the schema
WARNING: This steps will break your Samba AD! Only do this in a lab environment for testing purposes!
The following steps have to be executed on the Windows 2008/2008 R2 DC, that owns the Schema Master and Infrastructure Master role:
- Log into the existing 2008 / 2008 R2 DC, using an account, that is member of the universal groups „Schema Admins“ and „Enterprise Admins“.
- Insert the Windows 2012 / 2012 R2 Installation DVD
- Open a commandline and navigate into the following folder (assuming D: is your DVD drive with the 2012 / 2012 R2 installation DVD)
> D: > cd support/adprep
- Start the forest preparation (schema update on forest level) by executing
> adprep.exe /forestprep
- File:Join Win2012R2 Adprep Forestprep.png
- A successful run should end with the message
Adprep successfully updated the forest-wide information.
- After this step the replication between Windows and Samba DCs is broken!. On Samba DCs, this can be seen for all inbound connections from Windows DCs. Example:
# samba-tool drs showrepl ..... CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com Default-First-Site-Name\DC3 via RPC DSA object GUID: 691da691-4996-49a0-b5d8-347111d4aa5d Last attempt @ Sat Dec 20 18:20:14 2014 CET failed, result 1359 (WERR_INTERNAL_ERROR) 28 consecutive failure(s). Last success @ Sat Dec 20 18:15:14 2014 CET
- Continue executing the domain preparation. There should be no output and only a success message:
- This step will fail, if the Infrastructure Master role wasn't transfered to a Windows host, before updating the schema. In the domain preparation, the Infrastructure Master is involeved. And because of the broken replication after preparing the forest, the changes won't reached the Samba DCs. That's why the domainprep step can't be executed against a Samba DC any more!
Promote Windows Server 2012 / 2012 R2 to a Domain Controller
The following steps are executed on the 2012 / 2012 R2 host, that should be joined as a DC to the domain:
- In the Server Manager, click the notify icon, that indicates a outstanding „Post-deployment Configuration“ task and choose „Promote this server to a domain controller“.
- Select „Add a domain controller to an existing domain“, enter the domain name and credentials, that are allowed to join a DC to the domain. Afterwards click „Next“
- Set the Domain Controller capabilities, site information and the Directory Service Restore Mode password. The DSRM passwort is used to boot the Windows DC in a safe-mode, to restore or repair the AD. We assume here, to install the new DC with „DNS server“ and „Global catalog“. To continue, choose „Next“.
- If you receive a message, that a delegation for this DNS server cannot be created, ignore it and continue with „Next“.
- Choose a Windows (!) Domain Controller to replicate from. This is necessary, because the schema is replicated via WMI and the SysVol content via FRS. Both is not supported by Samba yet. Click „Next“ to continue.
- Adapt the folder locations, if desired. Click „Next“.
- Review your settings. Click „Next“.
- Windows executes some prerequisites checks. While warnings are Ok, any errors have to be solved, before you can continue. Click „Install“, to begin the DC promotion.
- Notice: During the join of the first 2012 / 2012 R2 DC in a forest, the schema is updated, if it wasn't done before. The automatic update during the join would fail in a Samba / Windows mixed envionment. That's why we had updated the schema before.
- The DC promotions begins. If the wizzard finishes its work successful, a message is shown for a short moment, before the new DC automatically reboots.
- After the reboot, you can log into the new joined Windows Server 2012 / 2012 R2 Domain Controller.