.. Reminder for header structure:
   Parts (H1)          : #################### with overline
   Chapters (H2)       : ******************** with overline
   Sections (H3)       : ====================
   Subsections (H4)    : --------------------
   Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
   Paragraphs (H6)     : """""""""""""""""""""

.. |date| date::

.. meta::
   :description: Adding a Samba-AD in a Microsoft Active Directory domain
   :keywords: Samba-AD, documentation, MSAD

.. _samba_add_samba_to_windows_active_directory:

########################################################
Adding a Samba-AD in a Microsoft Active Directory domain
########################################################

This documentation can be used to migrate an existing MS-AD domain to a Samba-AD domain.

.. hint::

   Samba 4.12 supports the MSAD 2012 schema, but only with a 2008R2 forest level.
   It is therefore necessary to downgrade the schema level if it is at the 2012R2 level.
   The 2012R2 level includes silos, claims and FAST Kerberos.
   If you are not using these advanced features, there is no problem downgrading to the 2008R2 level.

.. warning::

   Samba 4.12 does not support the 2016 schema level at the moment.

* Show the current forest level;

  .. code-block:: text

     Get-ADDomain | fl Name,DomainMode
     Get-ADForest | fl Name,ForestMode

* If the functional level is 2012R2, it should be downgraded to 2008R2;

  .. code-block:: text

     # Lower the forest level first, then the domain level
     Set-ADForestMode -Identity mydomain.lan -ForestMode Windows2008R2Forest
     Set-ADDomainMode -Identity mydomain.lan -DomainMode Windows2008R2Domain

* Then prepare the Samba virtual machine according to :ref:`the following recommendations `, then instantiate the domain controller as a :ref:`secondary domain controller `;

* After joining, check that the DNS entries of the new domain controller have been created;

  .. code-block:: bash

     samba_dnsupdate --verbose

* Add the address of the Samba-AD controller to the network card of the Windows machine as a secondary DNS server;

* Check that the replications are running correctly on the Samba side with the following command line:

  .. code-block:: bash

     samba-tool drs showrepl

* Check that the replications are running correctly on the Windows side with the following command line:

  .. code-block:: text

     repadmin /showrepl
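
The Samba-side replication check above can be scripted. The following is an added example, not part of the original documentation: a shell function that reads the text output of ``samba-tool drs showrepl`` and reports every link with consecutive failures. The function names and the sample output (host names ``SAMBADC`` and ``WINDC``, timestamps, error code) are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag failing links in `samba-tool drs showrepl` text output.

# Constructed sample output (host names and timestamps are made up).
sample_showrepl() {
cat <<'EOF'
Default-First-Site-Name\SAMBADC
DSA Options: 0x00000001

==== INBOUND NEIGHBORS ====

DC=mydomain,DC=lan
    Default-First-Site-Name\WINDC via RPC
        Last attempt @ Mon Jan  1 10:00:00 2024 UTC was successful
        0 consecutive failure(s).
        Last success @ Mon Jan  1 10:00:00 2024 UTC

CN=Configuration,DC=mydomain,DC=lan
    Default-First-Site-Name\WINDC via RPC
        Last attempt @ Mon Jan  1 10:00:00 2024 UTC failed, result 2 (WERR_BADFILE)
        3 consecutive failure(s).
        Last success @ NTTIME(0)
EOF
}

# Reads showrepl output on stdin. Exit status: 0 = all links healthy,
# 1 = at least one link has consecutive failures, 2 = no link found.
check_showrepl() {
    awk '
        /^==== .* ====$/ { section = $0; gsub(/^==== | ====$/, "", section); next }
        /^[A-Z][A-Za-z]*=/ { nc = $0; next }    # naming context, e.g. DC=mydomain,DC=lan
        / via RPC$/ { peer = $1; next }         # Site\DCNAME via RPC
        /Last attempt @ .* failed/ { reason = $0; sub(/^.*failed, */, "", reason) }
        /consecutive failure\(s\)/ {
            links++
            if ($1 + 0 > 0) {
                bad++
                printf "FAIL %s | %s | %s | failures=%d | %s\n", section, nc, peer, $1, reason
            }
            reason = ""
        }
        END {
            if (links == 0) { print "FAIL no replication link found"; exit 2 }
            printf "%d link(s) checked, %d failing\n", links, bad + 0
            exit (bad > 0)
        }
    '
}

# Demo on the constructed sample.
sample_showrepl | check_showrepl || echo "replication needs attention"
```

On the domain controller, run ``samba-tool drs showrepl | check_showrepl``; a non-zero exit status means at least one link is failing or no link was found.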