Joining a Windows Server 2012 / 2012 R2 DC to a Samba AD

From SambaWiki
Revision as of 13:09, 10 April 2016 by Mmuehlfeld (talk | contribs) (Fix link, reformat page)

Introduction

WARNING

Samba based AD currently doesn't support joining a Microsoft Windows 2012/2012R2 Server as a Domain Controller to a Samba Active Directory! Joining as a Member Server works. Follow the respective documentation.

This documentation describes the necessary steps and workarounds required for this task. Because of the missing 2012/2012R2 AD schema support in Samba, the join will break your installation!

This documentation is for research and debugging only, until all problems and limitations are fixed!

Only use this documentation in labs for testing purposes and not in production, because this process will break replication and the AD database!!!


KNOWN LIMITATIONS

  • Samba is shipped with AD schema version 47 (Windows Server 2008 R2). To join a newer version as a DC, this schema has to be updated to 56 (Windows Server 2012) or 69 (Windows Server 2012 R2). The Samba AD database backend currently doesn't support all the changes introduced by the new schemas. This leads to broken replication between Samba and Windows DCs for the affected directory partitions, which cannot be fixed at the moment. In simple words: broken replication makes the AD inconsistent and will destroy your AD!
  • At least one Windows Server 2008 / 2008 R2 DC is required in the domain, because a 2012 DC being promoted retrieves AD content via WMI (Windows Management Instrumentation) from the Schema Master, which isn't implemented yet in Samba. This Windows DC must also have an accessible SysVol share, as 2012 synchronizes its content via FRS / DFS-R („SysVol Replication“), neither of which is implemented in Samba yet.


Server information

This documentation uses the following configuration/settings:

Existing Samba DCs in the domain:
Domain Controllers:            DC1 (10.99.0.1), DC2 (10.99.0.2)
DCs act also as a DNS server:  yes

Existing Windows 2008R2 DC in the domain:
Domain Controller:             DC3 (10.99.0.3)

Domain information:
DNS Domain Name:               samdom.example.com
NT4 Domain Name (NETBIOS):     SAMDOM
DNS Servers:                   10.99.0.1, 10.99.0.2
Domain Administrator:          Administrator
Domain Administrator Password: passw0rd

DC additionally joined to the domain:
Hostname:                      DC4
IP Address:                    10.99.0.4
Operating System:              Microsoft Windows Server 2012 R2



Installation / Preparation

General

  • Install Windows Server 2012 / 2012 R2.


Date And Time Settings

Active Directory uses Kerberos for authentication, which relies on reasonably consistent time across the network. Before you can join the host to the domain, its clock must not differ by more than 5 minutes (the default maximum tolerance in an AD) from the Domain Controllers.

  • Search for „Date and time settings“
Join Win2012R2 Search Date and time settings.png
  • Check your date, time and time zone settings.


Configure Network

  • Search for „Network and Sharing Center“
Join Win2012R2 Search Network Sharing Center.png
  • Click „Change adapter settings“
  • Right-click your network connection and choose „Properties“
  • Configure the IP properties. Make sure that you use a DNS server that is authoritative for your AD DNS domain!
Join Win2012R2 IP Configuration.png
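The two preparation steps above (time within the Kerberos tolerance, DNS servers that are authoritative for the AD domain) can be verified before the join instead of discovering a failure in the promotion wizard. The following is an added example, not part of the SambaWiki page, to be run in an elevated PowerShell on the future DC4. It assumes the domain name, DNS server addresses and DC names from the "Server information" section; the 300 second limit is the AD default tolerance quoted above.

```powershell
# Added example (not from the SambaWiki page): pre-join checks on the 2012 / 2012 R2 host.
# Assumed values: domain, DNS servers and DC names from the "Server information" section.
$Domain     = 'samdom.example.com'
$DnsServers = @('10.99.0.1', '10.99.0.2')
$Dcs        = @('dc1', 'dc2', 'dc3') | ForEach-Object { "$_.$Domain" }
$MaxSkewSec = 300   # Kerberos default: 5 minutes

# 1. Every configured DNS server must answer the DC locator SRV query for the
#    AD domain. A resolver that is not authoritative for the zone (e.g. the ISP's)
#    makes the join fail with "domain not found" even though the DCs are reachable.
foreach ($dns in $DnsServers) {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $dns -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) { throw "DNS server $dns returned no DC locator SRV record; it is not authoritative for $Domain" }
    Write-Host ("DNS {0} advertises DCs: {1}" -f $dns, (($srv | ForEach-Object { $_.NameTarget }) -join ', '))
}

# 2. Clock skew against each DC. With /dataonly, w32tm prints one line per sample
#    such as "18:20:14, +00.0123456s"; the signed seconds value is the offset of
#    this host relative to the queried DC.
$measured = 0
foreach ($dc in $Dcs) {
    $out = (w32tm /stripchart "/computer:$dc" /samples:1 /dataonly 2>&1) -join "`n"
    $m = [regex]::Match($out, ',\s*([+-]\d+\.\d+)s')
    if (-not $m.Success) { Write-Warning "No NTP answer from ${dc}: $out"; continue }
    $skew = [math]::Abs([double]$m.Groups[1].Value)
    $measured++
    if ($skew -gt $MaxSkewSec) {
        throw ("Clock skew of {0:N3} s to {1} exceeds the Kerberos limit of {2} s; fix the time before joining" -f $skew, $dc, $MaxSkewSec)
    }
    Write-Host ("Clock skew to {0}: {1:N3} s (ok)" -f $dc, $skew)
}
if ($measured -eq 0) { throw 'Could not measure the time offset against any DC; fix NTP before joining' }
```

A Samba DC only answers the w32tm probe if it runs an NTP server, so an unreachable DC is reported as a warning rather than an error; the join is blocked only when a measured offset exceeds the limit or no DC could be measured at all.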



FSMO Roles

As mentioned in the KNOWN LIMITATIONS section, joining a Windows Server 2012 / 2012 R2 DC requires an AD schema update. Because the Samba AD database backend doesn't support these changes yet, the Schema Master (forest) and Infrastructure Master (domain) FSMO roles must be held by an already joined Windows 2008 / 2008 R2 DC. This allows the update to proceed, but it will irrevocably break replication with all Samba DCs! This is the main reason why this documentation is not for use in production environments!


Schema Master FSMO Role

This step is a workaround, because since Server 2012 the DC promotion process uses WMI (Windows Management Instrumentation) to retrieve data from the Schema Master.

See the documentation about Windows GUI tools, to transfer the Schema Master role.


Infrastructure Master FSMO Role

This workaround is required because, after the schema has been updated on the forest's Schema Master, the Infrastructure Master is involved in preparing the domain for the new schema. Since the schema update breaks replication with the Samba DCs, the domain preparation could no longer be run against a Samba DC.

See the documentation about Windows GUI tools, to transfer the Infrastructure Master role.
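The two role transfers above can also be done from PowerShell instead of the GUI tools. The following is an added example, not part of the SambaWiki page, run on DC3 (or on a host with RSAT-AD-PowerShell) with an account that is a member of Schema Admins, Enterprise Admins and Domain Admins; the DC names are those from the "Server information" section. One caveat a practitioner should know: the ActiveDirectory module's cmdlets talk to a DC through Active Directory Web Services (ADWS), which Samba does not provide, so -Server has to point at the Windows DC.

```powershell
# Added example (not from the SambaWiki page): transfer the Schema Master and
# Infrastructure Master roles to the Windows 2008 R2 DC DC3 before adprep is run.
# Assumptions: run on DC3 with RSAT-AD-PowerShell; names from "Server information".
Import-Module ActiveDirectory

$WindowsDc = 'DC3'
$Server    = 'dc3.samdom.example.com'   # must be a Windows DC: these cmdlets need ADWS, Samba has none

# Current owners (Samba DCs in this setup).
"Before: Schema Master = {0}, Infrastructure Master = {1}" -f `
    (Get-ADForest -Server $Server).SchemaMaster, (Get-ADDomain -Server $Server).InfrastructureMaster

# Transfer, not seize: without -Force the current owner must be online and agree
# to the handover. A seizure (-Force) is only for a dead role owner; against a
# live Samba DC it would leave two DCs believing they own the role.
Move-ADDirectoryServerOperationMasterRole -Identity $WindowsDc -Server $Server `
    -OperationMasterRole SchemaMaster, InfrastructureMaster -Confirm:$false

# Verify from the Windows side ...
$forest = Get-ADForest -Server $Server
$domain = Get-ADDomain -Server $Server
if ($forest.SchemaMaster -notlike "$WindowsDc.*" -or $domain.InfrastructureMaster -notlike "$WindowsDc.*") {
    throw "FSMO transfer did not take effect: Schema=$($forest.SchemaMaster) Infra=$($domain.InfrastructureMaster)"
}
"After:  Schema Master = {0}, Infrastructure Master = {1}" -f $forest.SchemaMaster, $domain.InfrastructureMaster

# ... and with the classic tool, which locates the role owners via the domain
# rather than a single DC.
netdom query fsmo
```

On the Samba side the result is visible with `samba-tool fsmo show`, which should list DC3 for the SchemaMasterRole and InfrastructureMasterRole entries once replication of the role change has arrived.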



Installation: Active Directory Domain Services

The following steps have to be executed on the 2012 / 2012 R2 host that should be joined as a DC later. Do this locally on this host or use RSAT on Windows 8 / 8.1 to execute the commands remotely.

  • Open the Server Manager
  • Click „Add roles and features“
File:Join Win2012R2 Server Manager.png
  • Choose „Role-based or feature-based installation“. Click „Next“.
  • Choose „Select a server from the server pool“ and pick the Windows Server from the list on which the AD DC features should be installed. Click „Next“.
  • Choose „Active Directory Domain Services“ from the list, including all dependencies. Click „Next“.
  • Add additional features, if wanted. Click „Next“.
  • Start the installation
  • Click „Close“, after the installation is finished.



Updating the schema

WARNING: This steps will break your Samba AD! Only do this in a lab environment for testing purposes!

The following steps have to be executed on the Windows 2008 / 2008 R2 DC that owns the Schema Master and Infrastructure Master roles:

  • Log into the existing 2008 / 2008 R2 DC using an account that is a member of the universal groups „Schema Admins“ and „Enterprise Admins“.
  • Insert the Windows 2012 / 2012 R2 Installation DVD
  • Open a command line and change into the following folder (assuming D: is your DVD drive with the 2012 / 2012 R2 installation DVD)
> D:
> cd support\adprep
File:Join Win2012R2 Adprep DVD.png
  • Start the forest preparation (schema update on forest level) by executing
> adprep.exe /forestprep
File:Join Win2012R2 Adprep Forestprep.png
A successful run should end with the message
Adprep successfully updated the forest-wide information.
After this step the replication between Windows and Samba DCs is broken! On Samba DCs this can be seen for all inbound connections from Windows DCs. Example:
# samba-tool drs showrepl
.....
CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
        Default-First-Site-Name\DC3 via RPC
                DSA object GUID: 691da691-4996-49a0-b5d8-347111d4aa5d
                Last attempt @ Sat Dec 20 18:20:14 2014 CET failed, result 1359 (WERR_INTERNAL_ERROR)
                28 consecutive failure(s).
                Last success @ Sat Dec 20 18:15:14 2014 CET
  • Continue with the domain preparation. There should be no output apart from a success message:
> adprep.exe /domainprep
File:Join Win2012R2 Adprep Domainprep.png
This step fails if the Infrastructure Master role wasn't transferred to a Windows host before the schema update. The domain preparation involves the Infrastructure Master, and because replication is broken after the forest preparation, the changes would never reach the Samba DCs. That's why the domainprep step can't be executed against a Samba DC any more.
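The `samba-tool drs showrepl` output above shows the failure from the Samba side; the underlying divergence can be made visible directly by comparing the schema version each DC reports. The following is an added example, not part of the SambaWiki page. It deliberately avoids the ActiveDirectory module (its cmdlets need ADWS, which Samba DCs do not provide) and reads the schema partition's objectVersion over plain LDAP via System.DirectoryServices, which works against Samba and Windows DCs alike. It assumes the DC names from the "Server information" section and can be run as a normal domain user on any domain-joined Windows host; the version-to-OS map is the one given in the KNOWN LIMITATIONS section.

```powershell
# Added example (not from the SambaWiki page): compare the schema objectVersion
# reported by every DC over plain LDAP. Assumptions: DC names from "Server information".
$Dcs = @('dc1.samdom.example.com', 'dc2.samdom.example.com', 'dc3.samdom.example.com')
$SchemaVersions = @{ 47 = 'Windows Server 2008 R2'; 56 = 'Windows Server 2012'; 69 = 'Windows Server 2012 R2' }

function Get-SchemaVersion([string]$Dc) {
    # Read the schema NC DN from the DC's own RootDSE, then the objectVersion
    # attribute of the schema container itself. [ADSI] is System.DirectoryServices
    # and speaks LDAP, so no ADWS is required on the target.
    $rootDse  = [ADSI]"LDAP://$Dc/RootDSE"
    $schemaDn = $rootDse.Properties['schemaNamingContext'].Value
    $schema   = [ADSI]"LDAP://$Dc/$schemaDn"
    [int]$schema.Properties['objectVersion'].Value
}

$results = foreach ($dc in $Dcs) {
    try {
        $v = Get-SchemaVersion $dc
        [pscustomobject]@{ DC = $dc; objectVersion = $v; SchemaOf = $SchemaVersions[$v] }
    } catch {
        [pscustomobject]@{ DC = $dc; objectVersion = $null; SchemaOf = "query failed: $($_.Exception.Message)" }
    }
}
$results | Format-Table -AutoSize

# After "adprep /forestprep" the Windows DC reports 56 or 69 while the Samba DCs
# stay at 47: that split is the visible symptom of the broken schema replication
# that showrepl reports as WERR_INTERNAL_ERROR.
$distinct = @($results | Where-Object { $_.objectVersion } |
              Select-Object -ExpandProperty objectVersion | Sort-Object -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "Schema objectVersion differs between DCs ($($distinct -join ', ')): schema replication is not consistent"
}
```

Run it once before `adprep /forestprep` (all DCs should report 47) and once after: the Windows DC then reports the new version while the Samba DCs do not follow, which is exactly the state the warnings on this page describe.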



Promote Windows Server 2012 / 2012 R2 to a Domain Controller

The following steps are executed on the 2012 / 2012 R2 host, that should be joined as a DC to the domain:

  • In the Server Manager, click the notification icon that indicates an outstanding „Post-deployment Configuration“ task and choose „Promote this server to a domain controller“.
Join Win2012R2 Server Manager Post Deployment.png
  • Select „Add a domain controller to an existing domain“, enter the domain name and credentials that are allowed to join a DC to the domain. Afterwards click „Next“
File:Join Win2012R2 DS Wizzard Page1.png
  • Set the Domain Controller capabilities, site information and the Directory Services Restore Mode password. The DSRM password is used to boot the Windows DC in a safe mode to restore or repair the AD. This documentation assumes the new DC is installed with „DNS server“ and „Global catalog“. To continue, choose „Next“.
Join Win2012R2 DS Wizzard Page2.png
  • If you receive a message that a delegation for this DNS server cannot be created, ignore it and continue with „Next“.
  • Choose a Windows (!) Domain Controller to replicate from. This is necessary because the schema is retrieved via WMI and the SysVol content via FRS / DFS-R; neither is supported by Samba yet. Click „Next“ to continue.
Join Win2012R2 DS Wizzard Page3.png
  • Adapt the folder locations, if desired. Click „Next“.
File:Join Win2012R2 DS Wizzard Page4.png
  • Review your settings. Click „Next“.
  • Windows executes some prerequisite checks. While warnings are OK, any errors have to be solved before you can continue. Click „Install“ to begin the DC promotion.
File:Join Win2012R2 DS Wizzard Page5.png
Notice: During the join of the first 2012 / 2012 R2 DC in a forest, the schema is updated if it wasn't done before. This automatic update during the join would fail in a mixed Samba / Windows environment. That is why the schema was updated beforehand.
  • The DC promotion begins. If the wizard finishes its work successfully, a message is shown for a short moment before the new DC automatically reboots.
File:Join Win2012R2 DS Wizzard Page6.png
  • After the reboot, you can log into the newly joined Windows Server 2012 / 2012 R2 Domain Controller.
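The role installation from „Installation: Active Directory Domain Services“ and the promotion wizard above can be run as one unattended PowerShell session on DC4, which also makes the choice of the Windows replication source explicit instead of relying on a wizard drop-down. The following is an added example, not part of the SambaWiki page, using the ADDSDeployment and ServerManager cmdlets shipped with Windows Server 2012 / 2012 R2. It assumes the names and addresses from the "Server information" section; the credential and DSRM password are prompted for rather than embedded.

```powershell
# Added example (not from the SambaWiki page): AD DS role installation and DC
# promotion of DC4 from PowerShell. Assumptions: names from "Server information";
# DC3 is the only Windows DC and therefore the only valid replication source.
$Domain   = 'samdom.example.com'
$SourceDc = 'dc3.samdom.example.com'   # must be the Windows DC (WMI schema retrieval, SYSVOL replication)
$SiteName = 'Default-First-Site-Name'
$Cred     = Get-Credential -UserName 'SAMDOM\Administrator' -Message 'Account allowed to add a DC to the domain'
$DsrmPass = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# 1. Install the AD DS binaries and management tools; nothing is configured yet.
$feature = Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
if (-not $feature.Success) { throw "AD DS role installation failed (exit code $($feature.ExitCode))" }

# 2. Same settings the wizard walkthrough uses: DNS server, global catalog,
#    replicate from the Windows DC, default folder locations.
$params = @{
    DomainName                    = $Domain
    Credential                    = $Cred
    SafeModeAdministratorPassword = $DsrmPass
    ReplicationSourceDC           = $SourceDc
    SiteName                      = $SiteName
    InstallDns                    = $true
    CreateDnsDelegation           = $false   # the delegation warning from the wizard is expected; skip it
    NoGlobalCatalog               = $false   # i.e. install a GC
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
}

# 3. Run the wizard's prerequisite checks first. Warnings are acceptable, errors are not.
$check = Test-ADDSDomainControllerInstallation @params
$check.Message | Where-Object { $_ } | ForEach-Object { Write-Host $_ }
if ($check.Status -ne 'Success') { throw "Prerequisite check did not succeed: $($check.Status)" }

# 4. Promote. -Force only suppresses the confirmation prompt; the host reboots
#    on completion unless -NoRebootOnCompletion is added.
Install-ADDSDomainController @params -Force
```

Because the promotion is driven by parameters rather than clicks, a mistake in `ReplicationSourceDC` (pointing at DC1 or DC2) fails at the prerequisite check instead of halfway through the promotion, which is the failure mode the wizard step „Choose a Windows (!) Domain Controller to replicate from“ warns about.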