Difference between revisions of "Joining a Windows Server 2012 / 2012 R2 DC to a Samba AD"

m (Fixed link)
(Updated guide to include latest steps and information.)
Line 1: Line 1:
 
= Introduction =
 
= Introduction =
  
Samba 4.5 introduces support for the directory schemas 56 (Windows Server 2012) and 67 (Windows Server 2012 R2). However, you cannot join the first Windows Server 2012 or 2012 R2 domain controller (DC) directly to a Samba Active Directory (AD), because it uses the Windows management instrumentation (WMI) protocol for several tasks during the process. To work around, you require a Windows Server 2008 or 2008 R2 DC in the domain to join the first 2012 or 2012 R2 DC. After the first DC with this Windows Server version is joined and the directory schema updated, you can this one as replication partner when you join other Windows 2012 or 2012 R2 DCs.
+
Samba supports Active Directory (AD) schema version 56 and 67. This enables you to join Windows Server 2012 and 2012 R2 to your Samba AD. However, you cannot join the first Windows Server 2012 or 2012 R2 domain controller (DC) directly, because the process uses the Windows management instrumentation (WMI) protocol for several tasks. To work around the problem, you require a Windows Server 2008 or 2008 R2 DC in the domain to join the first 2012 or 2012 R2 DC. After the first Windows Server 2012 or 2012 R2 DC was joined, you can this one as replication partner when joining further Windows DCs.
  
 
{{Imbox
 
{{Imbox
| type = note
+
| type = important
| text = Windows Server 2012 and 2012 R2 as a DC, and the directory schemas 56 and 67 are experimental.<br /> If you encounter a bug, please report at https://bugzilla.samba.org.
+
| text = The support for Windows Server 2012 and 2012 R2 DCs, including the directory schemas 56 and 67, is experimental. Please report bugs an incompatibilites. For details, see [[Bug Reporting]].
 
}}
 
}}
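Review bot: the rewritten introduction still lacks a verb in "you can this one as replication partner" (it should read "you can use this one as a replication partner"), and the new Imbox text has "report bugs an incompatibilites" where "report bugs and incompatibilities" is meant; both lines are worth correcting before the revision is published.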
  
Line 25: Line 25:
 
= Requirements and Known Limitations =
 
= Requirements and Known Limitations =
  
* All Samba DCs must run 4.5.0 or later. For details about updating Samba, see [[Updating_Samba|Updating Samba]].
+
* All Samba DCs must run 4.6 or later. For details about updating Samba, see [[Updating_Samba|Updating Samba]].
  
* Windows Server 2012 and 2012 R2 requires the Windows management instrumentation (WMI) protocol during the join, and for the forest and domain preparation. Samba currently does not support this protocol. Thus you must have an existing Windows domain controller (DC) with WMI support in your domain. For example, you can a Windows Server 2008 or 2008 R2 DC as replication partner during the join. For further information, see [[Joining_a_Windows_Server_2008_/_2008_R2_DC_to_a_Samba_AD|Joining a Windows Server 2008 / 2008 R2 DC to a Samba AD]].
+
* Windows Server 2012 and 2012 R2 requires the Windows management instrumentation (WMI) protocol during the join, and for the forest and domain preparation. Samba currently does not support this protocol. Therefore you must run a Windows domain controller (DC) with WMI support in your domain. For example, you can a Windows Server 2008 or 2008 R2 DC as replication partner during the join.
 +
 
 +
* The Windows Server 2008 or 2008 R2 host used for the initial replication must provide a <code>Sysvol</code> share. For details, see [[Enabling the Sysvol Share on a Windows DC]].
 +
: If the <code>Sysvol</code> share is missing, joining a Windows Server 2012 or 2012 R2 DC fails.
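Review bot: "you can a Windows Server 2008 or 2008 R2 DC as replication partner" is missing the verb "use", and the link to [[Joining_a_Windows_Server_2008_/_2008_R2_DC_to_a_Samba_AD|Joining a Windows Server 2008 / 2008 R2 DC to a Samba AD]] disappears from this bullet although readers still need that guide to set up the WMI-capable partner; keep the reference here or move it to the new Sysvol bullet.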
  
  
Line 75: Line 78:
 
* Schema Master
 
* Schema Master
 
* Infrastructure Master
 
* Infrastructure Master
 +
* PDC Emulator
  
 
For details about transfering FSMO roles, see [[Transferring_and_Seizing_FSMO_Roles#Windows_FSMO_Role_Management|Transferring and Seizing FSMO Roles]].
 
For details about transfering FSMO roles, see [[Transferring_and_Seizing_FSMO_Roles#Windows_FSMO_Role_Management|Transferring and Seizing FSMO Roles]].
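Review bot: "transfering" in the unchanged context line should read "transferring"; since the list is being extended with PDC Emulator in this hunk, the spelling fix belongs in the same edit.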
Line 82: Line 86:
 
{{Imbox
 
{{Imbox
 
| type = important
 
| type = important
| text = Forest and domain preparation fails if a Samba DC holds one or both of the previous mentioned roles when you join the first Windows Server 2012 or 2012 R2 DC.
+
| text = Forest and domain preparation fails if a Samba DC holds one to three of the previous mentioned roles when you join the first Windows Server 2012 or 2012 R2 DC.
 
}}
 
}}
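Review bot: "one to three of the previous mentioned roles" is awkward; "any of the three previously mentioned roles" states the same condition more clearly.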
  
Line 139: Line 143:
 
* Verify your settings and click <code>Next</code> to start the prerequisite check.
 
* Verify your settings and click <code>Next</code> to start the prerequisite check.
  
* Windows runs some prerequisites checks. If any errors are displayed, fix them before you continue. Click <code>Install</code>.
+
* Windows runs some prerequisites checks. If errors are displayed, fix them before you continue. Click <code>Install</code>.
  
* The DC promotions begins.
+
* Windows promotes the server to a DC. If it is the first Windows Server 2012 or 2012 R2 DC, the forest and domain schema is automatically updated.
 
 
: If this is the first Windows Server 2012 or 2012 R2 DC in your AD forest:
 
 
: {{Imbox
 
: {{Imbox
 
| type = warning
 
| type = warning
| text = This step breaks the AD directory replication! For more details, see [[#Warning|Warning]].
+
| text = This step breaks the AD directory replication! For details, see [[#Warning|Warning]].
 
}}
 
}}
: The installation wizard is only able to run the AD forest preparation. The domain preparation step fails. To work around:
 
 
:* Log in using the domain administrator account to your existing Windows Server 2008 or 2008 R2 installation that owns the <code>Schema Master</code> and the <code>Infrastructure Master</code> flexible single master operation (FSMO) role.
 
 
:* Insert the Windows Server 2012 or Windows 2012 R2 installation DVD.
 
 
:* Open a command line and change to the <code>support\adprep</code> folder on the installation DVD. For example, if you DVD drive is <code>D</code>:
 
 
> D:
 
> cd support\adprep\
 
 
:* Start the domain preparation:
 
 
> adprep /domainprep
 
 
:* You see the following message if the preparation succeeds:
 
 
Adprep successfully updated the domain-wide information.
 
 
:* Restart the [[#Joining_the_Windows_Server_to_the_Domain|Joining the Windows Server to the Domain]] process.
 
  
 
* If the wizard completes successfully, the Windows server is restarted automatically.
 
* If the wizard completes successfully, the Windows server is restarted automatically.
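Review bot: "Windows runs some prerequisites checks" should read "prerequisite checks", and in the new promotion line "the forest and domain schema is automatically updated" needs the plural "are"; both are in lines this hunk touches.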
Line 205: Line 187:
  
 
Samba currently does not support the DFS-R protocol required for Sysvol replication. Please manually synchronise the content between domain controllers (DC) or use a workaround such as [[Robocopy_based_SysVol_replication_workaround|Robocopy-based Sysvol Replication]].
 
Samba currently does not support the DFS-R protocol required for Sysvol replication. Please manually synchronise the content between domain controllers (DC) or use a workaround such as [[Robocopy_based_SysVol_replication_workaround|Robocopy-based Sysvol Replication]].
 +
 +
 +
 +
 +
 +
= Troubleshooting =
 +
 +
== Error: <code>This operation is only allowed for the Primary Domain Controller of the domain</code> ==
 +
 +
Windows displays this error if it fails to access the <code>Sysvol</code> on the Windows Server 2008 or 2008 R2 replication partner. For details, see [[Enabling the Sysvol Share on a Windows DC]].
  
  

Revision as of 15:21, 18 May 2017

Introduction

Samba supports Active Directory (AD) schema versions 56 and 67. This enables you to join Windows Server 2012 and 2012 R2 to your Samba AD. However, you cannot join the first Windows Server 2012 or 2012 R2 domain controller (DC) directly, because the process uses the Windows Management Instrumentation (WMI) protocol for several tasks. To work around the problem, you require a Windows Server 2008 or 2008 R2 DC in the domain to join the first 2012 or 2012 R2 DC. After the first Windows Server 2012 or 2012 R2 DC has been joined, you can use it as the replication partner when joining further Windows DCs.



Warning



Requirements and Known Limitations

  • All Samba DCs must run 4.6 or later. For details about updating Samba, see Updating Samba.
  • Windows Server 2012 and 2012 R2 require the Windows Management Instrumentation (WMI) protocol during the join, and for the forest and domain preparation. Samba currently does not support this protocol. Therefore you must run a Windows domain controller (DC) with WMI support in your domain. For example, you can use a Windows Server 2008 or 2008 R2 DC as the replication partner during the join.
  • The Windows Server 2008 or 2008 R2 host used for the initial replication must provide a Sysvol share. For details, see Enabling the Sysvol Share on a Windows DC.
    If the Sysvol share is missing, joining a Windows Server 2012 or 2012 R2 DC fails.



Network Configuration

  • Click the Start button, search for View network connections, and open the search entry.
  • Right-click your network adapter and select Properties.
  • Configure the IP settings:
    • Assign a static IP address, and enter the subnet mask and default gateway.
    • Enter the IP of a DNS server that is able to resolve the Active Directory (AD) DNS zone.
  • Click OK to save the settings.



Date and Time Settings

Active Directory uses Kerberos for authentication. Kerberos requires that the domain member and the domain controllers (DC) have synchronised clocks. If the difference exceeds 5 minutes (the default), the client is not able to access domain resources, for security reasons.

Before you join the domain, check the time configuration:

  • Open the Control Panel.
  • Navigate to Clock, Language and Region.
  • Click Date and Time.
  • Verify the date, time, and time zone settings. Adjust the settings, if necessary.
  • Click OK to save the changes.



FSMO Roles

When you join the first Windows Server 2012 or 2012 R2 host as a domain controller (DC) to an Active Directory (AD), the directory schema of the forest and domain is updated. You must run this process on an existing Windows 2008 or 2008 R2 domain controller (DC) that owns the following flexible single master operation (FSMO) roles:

  • Schema Master
  • Infrastructure Master
  • PDC Emulator

For details about transferring FSMO roles, see Transferring and Seizing FSMO Roles.

After the forest and domain schema have been updated, you can optionally transfer the FSMO roles back to a Samba DC.
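As an added example (not part of the Samba wiki page), the following PowerShell script checks the prerequisites from the sections above before you promote the server: DNS resolution of the AD zone, clock skew against the replication partner, placement of the three FSMO roles, and the partner's Sysvol share. The domain and partner names are placeholders to adjust, and the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example, not part of the Samba wiki page: pre-flight checks before joining the
# first Windows Server 2012 / 2012 R2 DC. Run it on the server you are about to promote.
# Assumes the RSAT ActiveDirectory module; $Domain and $Partner are placeholder values.
param(
    [string]$Domain  = 'samdom.example.com',    # placeholder: your AD DNS domain
    [string]$Partner = 'dc1.samdom.example.com' # placeholder: the Windows 2008 / 2008 R2 DC
)
Import-Module ActiveDirectory
$results = @()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $script:results += [pscustomobject]@{ Check = $Name; OK = $Ok; Detail = $Detail }
}

# 1. DNS: the configured resolver must return the DC locator SRV records of the AD zone.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object Type -eq 'SRV'
Add-Check 'DNS resolves AD zone' ($null -ne $srv) (($srv.NameTarget | Sort-Object -Unique) -join ', ')

# 2. Time: Kerberos rejects requests when clocks differ by more than 5 minutes (default).
#    w32tm prints one "hh:mm:ss, +dd.ddddddds" line per sample; an error line gives NaN below.
$sample = w32tm /stripchart /computer:$Partner /samples:1 /dataonly | Select-Object -Last 1
$skew = if ($sample -match '([+-]\d+\.\d+)s') { [math]::Abs([double]$Matches[1]) } else { [double]::NaN }
Add-Check 'Clock skew < 300 s' ($skew -lt 300) "offset to ${Partner}: $skew s"

# 3. FSMO: Schema Master, Infrastructure Master and PDC Emulator must be held by a
#    Windows 2008 / 2008 R2 DC, otherwise the forest and domain preparation fails.
$forest = Get-ADForest -Server $Partner
$domain = Get-ADDomain -Server $Partner
$roles = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
    'PDC Emulator'          = $domain.PDCEmulator
}
foreach ($role in $roles.Keys) {
    $holder = $roles[$role]
    # A Samba DC does not report a "Windows Server 2008" operatingSystem value, so it fails here.
    $os = (Get-ADDomainController -Identity $holder -Server $Partner).OperatingSystem
    Add-Check "$role on Windows 2008/R2" ($os -like 'Windows Server 2008*') "$holder ($os)"
}

# 4. Sysvol: the partner must expose its SYSVOL share, or the join fails with
#    "This operation is only allowed for the Primary Domain Controller of the domain".
Add-Check 'Partner SYSVOL share' (Test-Path "\\$Partner\SYSVOL") "\\$Partner\SYSVOL"

$results | Format-Table -AutoSize
if ($results.OK -contains $false) { Write-Warning 'Fix the failed checks before promoting this server.' }
```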



Installing the Active Directory Domain Services

  • Start the Server Manager.
  • Click Add roles and features.
  • Select Role-based or feature-based installation and click Next.
  • Click Select a server from the server pool and select the local Windows Server from the list. Click Next.
  • Select Active Directory Domain Services, including all dependencies. Click Next.
  • You do not need to select any additional features. Click Next.
  • Start the installation.
  • Click Close.



Joining the Windows Server to the Domain

  • Log in to your Windows Server 2012 or 2012 R2 installation using the local administrator account.
  • Start the Server Manager.
  • Click the notifier icon on the top navigation bar and click Promote this server to a domain controller.
  • Select Add a domain controller to an existing domain, enter the Samba Active Directory (AD) domain name and credentials that are allowed to join a domain controller (DC) to the domain, such as the domain administrator account. Click Next.
  • Select the options to enable on the new DC and enter the directory services restore mode (DSRM) password. This password is required to boot the Windows DC in safe mode to restore or repair the AD in case of problems. Click Next.
  • If you enabled the DNS server option in the previous step, you may see a note that a delegation for this DNS server cannot be created. Click Next.
  • Samba currently does not support schema replication using the Windows Management Instrumentation (WMI) protocol. For this reason, select an existing Windows domain controller in the domain as the replication source and click Next.
  • Set the folders for the AD database, the log files, and the Sysvol folder. Click Next.
  • Click Next to confirm the operations Windows is going to perform.
  • Verify your settings and click Next to start the prerequisite check.
  • Windows runs several prerequisite checks. If errors are displayed, fix them before you continue. Click Install.
  • Windows promotes the server to a DC. If it is the first Windows Server 2012 or 2012 R2 DC, the forest and domain schema are automatically updated.
  • If the wizard completes successfully, the Windows server is restarted automatically.



Verifying Directory Replication

See Displaying the Replication Statuses on a Windows DC.



The Sysvol Share

Enabling the Sysvol Share

If you used a Samba domain controller (DC) as the replication partner, the Sysvol share is not enabled. For details on how to verify and enable the share, see Enabling the Sysvol Share on a Windows DC.


Sysvol Replication

Samba currently does not support the DFS-R protocol required for Sysvol replication. Please manually synchronise the content between domain controllers (DC) or use a workaround such as Robocopy-based Sysvol Replication.



Troubleshooting

Error: This operation is only allowed for the Primary Domain Controller of the domain

Windows displays this error if it fails to access the Sysvol on the Windows Server 2008 or 2008 R2 replication partner. For details, see Enabling the Sysvol Share on a Windows DC.