Adding a Samba-AD in a Microsoft Active Directory domain

This documentation can be used to migrate an existing MS-AD domain to a Samba-AD domain.

Hint

Samba 4.12 supports MSAD 2012 schema but with a 2008R2 forest level. It is therefore necessary to downgrade the schema level if it is in 2012R2 level. The 2012R2 level includes silos, claims and FAST kerberos. If you are not using these advanced features, then there is no problem to downgrade to 2008R2 level.

Warning

Samba 4.12 does not support 2016 schema level at the moment.

• Show the current forest level;

  Get-ADDomain | fl Name,DomainMode
  Get-ADForest | fl Name,ForestMode
  

• If the functional level is 2012R2 it should be downgraded to 2008R2;

  Set-ADForestMode -Identity mydomain.lan -ForestMode Windows2008R2Forest
  Set-ADDomainMode -Identity mydomain.lan -ForestMode Windows2008R2Forest
  

• Then prepare the Samba virtual machine according to the following recommendations, then instantiate the domain controller as a secondary domain controller;

• After joining, check that the DNS entries of the new domain controller have been created;

  samba_dnsupdate --verbose
  

• Add the address of the Samba-AD controller to the network card of the Windows machine as a secondary DNS server;

• Check that the replications are running correctly on the Samba side with the following command line:

  samba-tool drs showrepl
  

• Check that the replications are running correctly on the Windows side with the following command line:

  repadmin /showrepl