Joining a Windows Server 2012 / 2012 R2 DC to a Samba AD: Difference between revisions

From SambaWiki
(Rewrote Windows Server 2012/2012 R2 DC to a Samba AD)
m (Added text and put notes/warnings/importants into imbox admonitions)
Line 3: Line 3:
Samba 4.5 introduces support for the directory schemas 56 (Windows Server 2012) and 67 (Windows Server 2012 R2). However, you cannot join the first Windows Server 2012 or 2012 R2 domain controller (DC) directly to a Samba Active Directory (AD), because it uses the Windows management instrumentation (WMI) protocol for several tasks during the process. To work around, you require a Windows Server 2008 or 2008 R2 DC in the domain to join the first 2012 or 2012 R2 DC. After the first DC with this Windows Server version is joined and the directory schema updated, you can this one as replication partner when you join other Windows 2012 or 2012 R2 DCs.
Samba 4.5 introduces support for the directory schemas 56 (Windows Server 2012) and 67 (Windows Server 2012 R2). However, you cannot join the first Windows Server 2012 or 2012 R2 domain controller (DC) directly to a Samba Active Directory (AD), because it uses the Windows management instrumentation (WMI) protocol for several tasks during the process. To work around, you require a Windows Server 2008 or 2008 R2 DC in the domain to join the first 2012 or 2012 R2 DC. After the first DC with this Windows Server version is joined and the directory schema updated, you can this one as replication partner when you join other Windows 2012 or 2012 R2 DCs.


{{Imbox
'''Windows Server 2012 and 2012 R2 as a DC, and the directory schemas 56 and 67 are experimental.''' If you encounter a bug, please report at https://bugzilla.samba.org.
| type = note
| text = Windows Server 2012 and 2012 R2 as a DC, and the directory schemas 56 and 67 are experimental.<br /> If you encounter a bug, please report at https://bugzilla.samba.org.
}}




Line 11: Line 14:
= Warning =
= Warning =


{{Imbox
'''Joining a Windows Server 2012 or 2012 R2 DC to a Samba AD breaks the AD replication! Do not use this documentation until the problem is fixed!'''
| type = warning
For more details, see [https://bugzilla.samba.org/show_bug.cgi?id=12204 Bug #12204].
| text = Joining a Windows Server 2012 or 2012 R2 DC to a Samba AD breaks the AD replication! Do not use this documentation until the problem is fixed!<br />For more details, see [https://bugzilla.samba.org/show_bug.cgi?id=12204 Bug #12204].
}}




Line 30: Line 35:
= Network Configuration =
= Network Configuration =


* Click the "Start" button, search for "View network connections", and open the search entry.
* Click the <code>Start</code> button, search for <code>View network connections</code>, and open the search entry.


* Right-click to your network adapter and select "Properties".
* Right-click to your network adapter and select <code>Properties</code>.


* Configure the IP settings:
* Configure the IP settings:
Line 38: Line 43:
:* Enter the IP of a DNS server that is able to resolve the Active Directory (AD) DNS zone.
:* Enter the IP of a DNS server that is able to resolve the Active Directory (AD) DNS zone.


* Click "OK" to save the settings.
* Click <code>OK</code> to save the settings.




Line 50: Line 55:
Before you join the domain, check the time configuration:
Before you join the domain, check the time configuration:


* Open the "Control Panel".
* Open the <code>Control Panel</code>.


* Navigrate to "Clock, Language and Region".
* Navigrate to <code>Clock, Language and Region</code>.


* Click "Date and Time".
* Click <code>Date and Time</code>.


* Verify the date, time, and time zone settings. Adjust the settings, if necessary.
* Verify the date, time, and time zone settings. Adjust the settings, if necessary.


* Click "OK" to save the changes.
* Click <code>OK</code> to save the changes.




Line 75: Line 80:
If you successfully updated the schema during the first Windows Server 2012 or 2012 R2 join, you can later transfer the roles to a Samba DC again.
If you successfully updated the schema during the first Windows Server 2012 or 2012 R2 join, you can later transfer the roles to a Samba DC again.


{{Imbox
'''Note that this is a necesary requirement and the forest or domain preparation fails if a Samba DC holds one or both roles during the first Windows Server 2012 or 2012 R2 DC is joined!'''
| type = important

| text = This is a necesary requirement and the forest or domain preparation fails if a Samba DC holds one or both roles during the first Windows Server 2012 or 2012 R2 DC is joined!

}}




Line 85: Line 91:
= Installing the Active Directory Domain Services =
= Installing the Active Directory Domain Services =


* Start the "Server Manager".
* Start the <code>Server Manager</code>.


* Click "Add roles and features".
* Click <code>Add roles and features</code>.


* Select "Role-based or feature-based installation" and click "Next".
* Select <code>Role-based or feature-based installation</code> and click <code>Next</code>.


* Click "Select a server from the server pool" and select the local Windows Server from the list. Click "Next".
* Click <code>Select a server from the server pool</code> and select the local Windows Server from the list. Click <code>Next</code>.


* Select "Active Directory Domain Services", including all dependencies. Click "Next".
* Select <code>Active Directory Domain Services</code>, including all dependencies. Click <code>Next</code>.


* You do not need to select any additional features. Click "Next".
* You do not need to select any additional features. Click <code>Next</code>.


* Start the installation.
* Start the installation.


* Click "Close".
* Click <code>Close</code>.




Line 109: Line 115:
* Log in to your Windows Server 2012 or 2012 installation using the local administrator account.
* Log in to your Windows Server 2012 or 2012 installation using the local administrator account.


* Start the "Server Manager".
* Start the <code>Server Manager</code>.


* Click the notifier icon on the top navigation bar and click "Promote this server to a domain controller".
* Click the notifier icon on the top navigation bar and click <code>Promote this server to a domain controller</code>.


:[[Image:Join_Win2012R2_Server_Manager_Post_Deployment.png]]
:[[Image:Join_Win2012R2_Server_Manager_Post_Deployment.png]]


* Select "Add a domain controller to an existing domain", enter the Samba Active Directory (AD) domain name and credentials that are enabled to join a domain controller (DC) to the domain, like the domain administrator account. Click "Next".
* Select <code>Add a domain controller to an existing domain</code>, enter the Samba Active Directory (AD) domain name and credentials that are enabled to join a domain controller (DC) to the domain, like the domain administrator account. Click <code>Next</code>.


* Select the options to enable on the new DC and enter the directory services restore mode (DSRM) password. It is required to boot the Windows DC in safe-mode to restore or repair the AD in case of problems. Click "Next".
* Select the options to enable on the new DC and enter the directory services restore mode (DSRM) password. It is required to boot the Windows DC in safe-mode to restore or repair the AD in case of problems. Click <code>Next</code>.


:[[Image:Join_Win2012R2_DS_Wizzard_Page2.png]]
:[[Image:Join_Win2012R2_DS_Wizzard_Page2.png]]


* If you enabled the "DNS server" option in the previous step, you may see a note, that a delegation for this DNS server cannot be created. Click "Next".
* If you enabled the <code>DNS server</code> option in the previous step, you may see a note, that a delegation for this DNS server cannot be created. Click <code>Next</code>.


* Samba currently does not support schema replication using the Windows management instrumentation (WMI) protocol. For this reason, select an existing Windows Domain Controller in the domain as replication source and click "Next".
* Samba currently does not support schema replication using the Windows management instrumentation (WMI) protocol. For this reason, select an existing Windows Domain Controller in the domain as replication source and click <code>Next</code>.


:[[Image:Join_Win2012R2_DS_Wizzard_Page3.png]]
:[[Image:Join_Win2012R2_DS_Wizzard_Page3.png]]


* Set the folders for the AD database, log files and the Sysvol folder. Click "Next".
* Set the folders for the AD database, log files and the Sysvol folder. Click <code>Next</code>.


* Click "Next" to confirm the operations, Windows is going to perform.
* Click <code>Next</code> to confirm the operations, Windows is going to perform.


* Verify your settings and click "Next" to start the prerequisite check.
* Verify your settings and click <code>Next</code> to start the prerequisite check.


* Windows runs some prerequisites checks. If any errors are displayed, fix them before you continue. Click "Install".
* Windows runs some prerequisites checks. If any errors are displayed, fix them before you continue. Click <code>Install</code>.


* The DC promotions begins.
* The DC promotions begins.


: If this is the first Windows Server 2012 or 2012 R2 DC in your AD forest:
: If this is the first Windows Server 2012 or 2012 R2 DC in your AD forest:
: {{Imbox
: '''Warning: This step breaks the AD directory replication!''' For more details, see [[#Warning|Warning]].
| type = warning
| text = This step breaks the AD directory replication! For more details, see [[#Warning|Warning]].
}}
: The installation wizzard is only able to run the AD forest preparation. The domain preparation step fails. To work around:
: The installation wizzard is only able to run the AD forest preparation. The domain preparation step fails. To work around:


:* Log in using the domain administrator account to your existing Windows Server 2008 or 2008 R2 installation that owns the "Schema Master" and the "Infrastructure Master" flexible single master operation (FSMO) role.
:* Log in using the domain administrator account to your existing Windows Server 2008 or 2008 R2 installation that owns the pSchema Master" and the "Infrastructure Master" flexible single master operation (FSMO) role.


:* Insert the Windows Server 2012 or Windows 2012 R2 installation DVD.
:* Insert the Windows Server 2012 or Windows 2012 R2 installation DVD.


:* Open a command line and change to the "support\adprep" folder on the installation DVD. For example, if you DVD drive is "D":
:* Open a command line and change to the <code>support\adprep</code> folder on the installation DVD. For example, if you DVD drive is <code>D</code>:


> D:
> D:
Line 163: Line 172:


* Verify that all DC related DNS records have been created during the promotion. See [[Verifying and Creating a DC DNS Record|Verifying and Creating a DC DNS Record]].
* Verify that all DC related DNS records have been created during the promotion. See [[Verifying and Creating a DC DNS Record|Verifying and Creating a DC DNS Record]].
:{{Imbox
: '''Do not continue without checking the DNS records. They must exist for a working directory replication!'''
| type = important
| text = Do not continue without checking the DNS records. They must exist for a working directory replication!
}}




Line 346: Line 358:
It can take several minutes until all connections are established. If the connections on existing Samba DCs to the Windows DC are not established within 15 minutes, start the replication manually. For details, see [[Samba-tool_drs_replicate|samba-tool drs replicate]].
It can take several minutes until all connections are established. If the connections on existing Samba DCs to the Windows DC are not established within 15 minutes, start the replication manually. For details, see [[Samba-tool_drs_replicate|samba-tool drs replicate]].


If you are seeing the warning "No NC replicated for Connection!", see [[FAQ#Message:_Warning:_No_NC_replicated_for_Connection.21|FAQ: Warning: No NC replicated for Connection!]].
If you are seeing the warning <code>No NC replicated for Connection!</code>, see [[FAQ#Message:_Warning:_No_NC_replicated_for_Connection.21|FAQ: Warning: No NC replicated for Connection!]].




Line 360: Line 372:
= The Sysvol Share =
= The Sysvol Share =


During the join, Windows tries to replicate the Sysvol directory content from an existing domain controller (DC). Samba currently does not support the DFS-R protocol. For this reason, the new DC may not show a "Sysvol" share. To enable the share:
During the join, Windows tries to replicate the Sysvol directory content from an existing domain controller (DC). Samba currently does not support the DFS-R protocol. For this reason, the new DC may not show a <code>Sysvol</code> share. To enable the share:


* Save the following content to a plain text file named "Win-Create-Sysvol-Share.reg" using a text editor like "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.):
* Save the following content to a plain text file named <code>Win-Create-Sysvol-Share.reg</code> using a text editor like "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.):


Windows Registry Editor Version 5.00
Windows Registry Editor Version 5.00
Line 370: Line 382:
"SysvolReady"=dword:00000001
"SysvolReady"=dword:00000001


* Log in using an account that is member of the local "Administrators" group.
* Log in using an account that is member of the local <code>Administrators</code> group.


* Double-click the file to import it to the Windows registry.
* Double-click the file to import it to the Windows registry.

Revision as of 20:37, 9 October 2016

Introduction

Samba 4.5 introduces support for the directory schemas 56 (Windows Server 2012) and 67 (Windows Server 2012 R2). However, you cannot join the first Windows Server 2012 or 2012 R2 domain controller (DC) directly to a Samba Active Directory (AD), because it uses the Windows management instrumentation (WMI) protocol for several tasks during the process. To work around, you require a Windows Server 2008 or 2008 R2 DC in the domain to join the first 2012 or 2012 R2 DC. After the first DC with this Windows Server version is joined and the directory schema updated, you can this one as replication partner when you join other Windows 2012 or 2012 R2 DCs.



Warning



Requirements and Known Limitations

  • All Samba DCs must run 4.5.0 or later. For information about updating, see Updating Samba.
  • Windows Server 2012 and 2012 R2 requires the Windows management instrumentation (WMI) protocol during the join, and for the forest and domain preparation. Samba currently does not support this protocol. Thus you must have an existing Windows domain controller (DC) with WMI support in your domain. For example, you can a Windows Server 2008 or 2008 R2 DC as replication partner during the join. For further information, see Joining a Windows Server 2008 / 2008 R2 DC to a Samba AD.



Network Configuration

  • Click the Start button, search for View network connections, and open the search entry.
  • Right-click to your network adapter and select Properties.
  • Configure the IP settings:
  • Assign a static IP address, enter the subnet mask, and default gateway.
  • Enter the IP of a DNS server that is able to resolve the Active Directory (AD) DNS zone.
  • Click OK to save the settings.



Date and Time Settings

Active Directory uses Kerberos for authentication. Kerberos requires that the domain member and the domain controllers (DC) are having a synchronous time. If the difference exceeds 5 minutes (default), the client is not able to access domain resources for security reasons.

Before you join the domain, check the time configuration:

  • Open the Control Panel.
  • Navigrate to Clock, Language and Region.
  • Click Date and Time.
  • Verify the date, time, and time zone settings. Adjust the settings, if necessary.
  • Click OK to save the changes.



FSMO Roles

When you join the first Windows Server 2012 or 2012 R2 host as a domain controller (DC) to an Active Directory (AD) forest, the directory schema and the domain are updated. This update must run on a Windows 2008 or 2008 R2 domain controller (DC). For updating the forest and directory schema, transfer the following two flexible single master operation (FSMO) roles to the Windows DC that is already a domain member:

  • Schema Master
  • Infrastructure Master

To transfer the two FSMO roles to a Windows Server 2008 or 2008 R2 DC, see Transfering and Seizing FSMO_Roles.

If you successfully updated the schema during the first Windows Server 2012 or 2012 R2 join, you can later transfer the roles to a Samba DC again.



Installing the Active Directory Domain Services

  • Start the Server Manager.
  • Click Add roles and features.
  • Select Role-based or feature-based installation and click Next.
  • Click Select a server from the server pool and select the local Windows Server from the list. Click Next.
  • Select Active Directory Domain Services, including all dependencies. Click Next.
  • You do not need to select any additional features. Click Next.
  • Start the installation.
  • Click Close.



Joining the Windows Server to the Domain

  • Log in to your Windows Server 2012 or 2012 installation using the local administrator account.
  • Start the Server Manager.
  • Click the notifier icon on the top navigation bar and click Promote this server to a domain controller.
Join Win2012R2 Server Manager Post Deployment.png
  • Select Add a domain controller to an existing domain, enter the Samba Active Directory (AD) domain name and credentials that are enabled to join a domain controller (DC) to the domain, like the domain administrator account. Click Next.
  • Select the options to enable on the new DC and enter the directory services restore mode (DSRM) password. It is required to boot the Windows DC in safe-mode to restore or repair the AD in case of problems. Click Next.
Join Win2012R2 DS Wizzard Page2.png
  • If you enabled the DNS server option in the previous step, you may see a note, that a delegation for this DNS server cannot be created. Click Next.
  • Samba currently does not support schema replication using the Windows management instrumentation (WMI) protocol. For this reason, select an existing Windows Domain Controller in the domain as replication source and click Next.
Join Win2012R2 DS Wizzard Page3.png
  • Set the folders for the AD database, log files and the Sysvol folder. Click Next.
  • Click Next to confirm the operations, Windows is going to perform.
  • Verify your settings and click Next to start the prerequisite check.
  • Windows runs some prerequisites checks. If any errors are displayed, fix them before you continue. Click Install.
  • The DC promotions begins.
If this is the first Windows Server 2012 or 2012 R2 DC in your AD forest:
The installation wizzard is only able to run the AD forest preparation. The domain preparation step fails. To work around:
  • Log in using the domain administrator account to your existing Windows Server 2008 or 2008 R2 installation that owns the pSchema Master" and the "Infrastructure Master" flexible single master operation (FSMO) role.
  • Insert the Windows Server 2012 or Windows 2012 R2 installation DVD.
  • Open a command line and change to the support\adprep folder on the installation DVD. For example, if you DVD drive is D:
> D:
> cd support\adprep\
  • Start the domain preparation:
> adprep /domainprep
  • You see the following message if the preparation succeeds:
Adprep successfully updated the domain-wide information.
  • If the wizzard completes successfully, the Windows server is restarted automatically.



Verifying the Directory Replication

A few minutes after the domain controller (DC) started, the connections with all other DCs are automatically established and the replication begins.

To verify the directory replication, run on a Samba DC:

# samba-tool drs showrepl
Default-First-Site-Name\SAMBADC
DSA Options: 0x00000001
DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
DSA invocationId: 96bc0d6f-9cea-4011-b9a1-0e9971009b20

==== INBOUND NEIGHBORS ====
 
DC=DomainDnsZones,DC=samdom,DC=example,DC=com
       Default-First-Site-Name\Win2008R2DC via RPC
               DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
               Last attempt @ NTTIME(0) was successful
               0 consecutive failure(s).
               Last success @ NTTIME(0)

DC=DomainDnsZones,DC=samdom,DC=example,DC=com
       Default-First-Site-Name\Win2012R2DC via RPC
               DSA object GUID: fb03f58b-1654-4a02-8e11-f0ea120b60cc
               Last attempt @ NTTIME(0) was successful
               0 consecutive failure(s).
               Last success @ NTTIME(0)

DC=ForestDnsZones,DC=samdom,DC=example,DC=com
       Default-First-Site-Name\Win2008R2DC via RPC
               DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
               Last attempt @ NTTIME(0) was successful
               0 consecutive failure(s).
               Last success @ NTTIME(0)

DC=ForestDnsZones,DC=samdom,DC=example,DC=com
       Default-First-Site-Name\Win2012R2DC via RPC
               DSA object GUID: fb03f58b-1654-4a02-8e11-f0ea120b60cc
               Last attempt @ NTTIME(0) was successful
               0 consecutive failure(s).
               Last success @ NTTIME(0)

DC=samdom,DC=example,DC=com
       Default-First-Site-Name\Win2008R2DC via RPC
               DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
               Last attempt @ Sat Dec 20 10:35:09 2014 CET was successful
               0 consecutive failure(s).
               Last success @ Sat Dec 20 10:35:09 2014 CET

DC=samdom,DC=example,DC=com
       Default-First-Site-Name\Win2012R2DC via RPC
               DSA object GUID: fb03f58b-1654-4a02-8e11-f0ea120b60cc
               Last attempt @ Sat Dec 20 10:35:09 2014 CET was successful
               0 consecutive failure(s).
               Last success @ Sat Dec 20 10:35:09 2014 CET

CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
       Default-First-Site-Name\Win2008R2DC via RPC
               DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
               Last attempt @ Sat Dec 20 10:35:10 2014 CET was successful
               0 consecutive failure(s).
               Last success @ Sat Dec 20 10:35:10 2014 CET

CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
       Default-First-Site-Name\Win2012R2DC via RPC
               DSA object GUID: fb03f58b-1654-4a02-8e11-f0ea120b60cc
               Last attempt @ Sat Dec 20 10:35:10 2014 CET was successful
               0 consecutive failure(s).
               Last success @ Sat Dec 20 10:35:10 2014 CET

CN=Configuration,DC=samdom,DC=example,DC=com
       Default-First-Site-Name\Win2008R2DC via RPC
               DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
               Last attempt @ Sat Dec 20 10:35:11 2014 CET was successful
               0 consecutive failure(s).
               Last success @ Sat Dec 20 10:35:11 2014 CET

CN=Configuration,DC=samdom,DC=example,DC=com
       Default-First-Site-Name\Win2012R2DC via RPC
               DSA object GUID: fb03f58b-1654-4a02-8e11-f0ea120b60cc
               Last attempt @ Sat Dec 20 10:35:11 2014 CET was successful
               0 consecutive failure(s).
               Last success @ Sat Dec 20 10:35:11 2014 CET

==== OUTBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=samdom,DC=example,DC=com
       Default-First-Site-Name\Win2008R2DC via RPC
               DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
               Last attempt @ Sat Dec 20 10:35:17 2014 CET was successful
               0 consecutive failure(s).
               Last success @ Sat Dec 20 10:35:17 2014 CET

DC=DomainDnsZones,DC=samdom,DC=example,DC=com
       Default-First-Site-Name\Win2012R2DC via RPC
               DSA object GUID: fb03f58b-1654-4a02-8e11-f0ea120b60cc
               Last attempt @ Sat Dec 20 10:35:17 2014 CET was successful
               0 consecutive failure(s).
               Last success @ Sat Dec 20 10:35:17 2014 CET
 
DC=ForestDnsZones,DC=samdom,DC=example,DC=com
       Default-First-Site-Name\Win2008R2DC via RPC
               DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
               Last attempt @ Sat Dec 20 10:35:17 2014 CET was successful
               0 consecutive failure(s).
               Last success @ Sat Dec 20 10:35:17 2014 CET

DC=ForestDnsZones,DC=samdom,DC=example,DC=com
       Default-First-Site-Name\Win2012R2DC via RPC
               DSA object GUID: fb03f58b-1654-4a02-8e11-f0ea120b60cc
               Last attempt @ Sat Dec 20 10:35:17 2014 CET was successful
               0 consecutive failure(s).
               Last success @ Sat Dec 20 10:35:17 2014 CET

DC=samdom,DC=example,DC=com
       Default-First-Site-Name\Win2008R2DC via RPC
               DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
               Last attempt @ Sat Dec 20 10:34:26 2014 CET was successful
               0 consecutive failure(s).
               Last success @ Sat Dec 20 10:34:26 2014 CET

DC=samdom,DC=example,DC=com
       Default-First-Site-Name\Win2012R2DC via RPC
               DSA object GUID: fb03f58b-1654-4a02-8e11-f0ea120b60cc
               Last attempt @ Sat Dec 20 10:34:26 2014 CET was successful
               0 consecutive failure(s).
               Last success @ Sat Dec 20 10:34:26 2014 CET
 
CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
       Default-First-Site-Name\Win2008R2DC via RPC
               DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
               Last attempt @ Sat Dec 20 10:34:26 2014 CET was successful
               0 consecutive failure(s).
               Last success @ Sat Dec 20 10:34:26 2014 CET

CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
       Default-First-Site-Name\Win2012R2DC via RPC
               DSA object GUID: fb03f58b-1654-4a02-8e11-f0ea120b60cc
               Last attempt @ Sat Dec 20 10:34:26 2014 CET was successful
               0 consecutive failure(s).
               Last success @ Sat Dec 20 10:34:26 2014 CET

CN=Configuration,DC=samdom,DC=example,DC=com
       Default-First-Site-Name\Win2008R2DC via RPC
               DSA object GUID: dfaec3fb-7546-4153-ba01-605e5efa27f9
               Last attempt @ Sat Dec 20 10:34:21 2014 CET was successful
               0 consecutive failure(s).
               Last success @ Sat Dec 20 10:34:21 2014 CET

CN=Configuration,DC=samdom,DC=example,DC=com
       Default-First-Site-Name\Win2012R2DC via RPC
               DSA object GUID: fb03f58b-1654-4a02-8e11-f0ea120b60cc
               Last attempt @ Sat Dec 20 10:34:21 2014 CET was successful
               0 consecutive failure(s).
               Last success @ Sat Dec 20 10:34:21 2014 CET

==== KCC CONNECTION OBJECTS ====

Connection --
       Connection name: f55bce90-d458-400a-a4ca-801c3e64bef3
       Enabled        : TRUE
       Server DNS name : Win2008R2DC.samdom.example.com
       Server DN name  : CN=NTDS Settings,CN=Win2008R2DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
               TransportType: RPC
               options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
	Connection name: fb03f58b-1654-4a02-8e11-f0ea120b60cc
	Enabled        : TRUE
	Server DNS name : Win2012R2DC.samdom.example.com
	Server DN name  : CN=NTDS Settings,CN=Win2012R2DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
		TransportType: RPC
		options: 0x00000001
Warning: No NC replicated for Connection!

It can take several minutes until all connections are established. If the connections on existing Samba DCs to the Windows DC are not established within 15 minutes, start the replication manually. For details, see samba-tool drs replicate.

If you are seeing the warning No NC replicated for Connection!, see FAQ: Warning: No NC replicated for Connection!.


Testing the Directory Replication

To test that the directory replication works correctly, add for example a user on an existing DC and verify that it shows up automatically on the new promoted Windows DC.



The Sysvol Share

During the join, Windows tries to replicate the Sysvol directory content from an existing domain controller (DC). Samba currently does not support the DFS-R protocol. For this reason, the new DC may not show a Sysvol share. To enable the share:

  • Save the following content to a plain text file named Win-Create-Sysvol-Share.reg using a text editor like "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.):
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]

"SysvolReady"=dword:00000001
  • Log in using an account that is member of the local Administrators group.
  • Double-click the file to import it to the Windows registry.
  • Reboot to take the changes effect.


Sysvol replication

Samba currently does not support the DFS-R protocol required for Sysvol replication. Please manually synchronise the content between DC or use a workaround like Robocopy-based Sysvol Replication.