Adding a Windows AD to your Samba Active Directory domain
This documentation is intended for system administrators that need an MS-AD domain controller in their Samba-AD domain for technical reasons (Azure-Sync, etc.).
Hint
Since version 4.12, Samba-AD manages a 2012R2 schema level but still with a functional level in 2008R2. It is therefore possible to join a Windows Server 2012R2 configured in 2008R2 functional level with a Samba-AD domain as an AD.
Warning
As of 2024-09-18, Samba-AD does not allow to join a MSAD 2016 or 2019.
Microsoft Active Directory 2012R2
Preparing your Samba-AD for the future junction
Backup the Samba-AD because irreversible changes will be made;
Upgrade Samba to its latest 4.12 version;
Install the required dependencies to join the Windows Server:
# RedHat8 and derived distributions yum install patch python36-markdown # Debian apt install patch python3-markdown
Then run the following commands, these will join the 2012R2 in your domain:
samba-tool domain schemaupgrade samba-tool domain functionalprep --function-level=2012_R2 --forest-prep --domain-prep
Check the directory database:
samba-tool dbcheck --cross-ncs --fix --yes
Hint
It is possible that errors appear when launching the command the first time, just run it a second time.
An attribute is missing in Samba that will generate error messages in the command dcdiag. To solve the problem, recreate two attributes
msDS-SDReferenceDomain in the ``cn=configurationpartition that point to therootDNof the Active Directory. To do this you can run the following script on the Samba-AD server:# -*- coding: utf-8 -*- from samba.auth import system_session from samba.credentials import Credentials from samba.samdb import SamDB import optparse import samba.getopt as options parser = optparse.OptionParser("/etc/samba/smb.conf") sambaopts = options.SambaOptions(parser) lp = sambaopts.get_loadparm() domaine = sambaopts._lp.get('realm').lower() creds = Credentials() creds.guess(lp) samdbloc = SamDB(session_info=system_session(),credentials=creds, lp=lp) listdn = list(samdbloc.search(base='cn=partitions,' + str(samdbloc.get_config_basedn()), expression=('(|(dnsroot=ForestDnsZones.%s)(dnsroot=DomainDnsZones.%s))' % (domaine,domaine) ))) for dn in listdn: if not 'msDS-SDReferenceDomain' in dn : ldif_data = u"""dn: %s changetype: modify replace: msDS-SDReferenceDomain msDS-SDReferenceDomain: %s""" % (dn['dn'],str(samdbloc.get_root_basedn())) print(ldif_data) samdbloc.modify_ldif(ldif_data)
Preparing and joining the Microsoft Active Directory 2012R2
Note
It is recommended to use an English version of Windows Server for infrastructure services. This allows you to have logs in English and feel less lonely when searching on the Internet.
If not already done, set the server to a fixed IP and configure the DNS redirector to point to the main AD;
Install the Active Directory components. In a PowerShell console run the following commands:
Install-WindowsFeature AD-Domain-Services Add-WindowsFeature RSAT-ADLDS Add-WindowsFeature RSAT-ADDS-Tools Add-WindowsFeature RSAT-DNS-Server Add-WindowsFeature RSAT-DFS-Mgmt-Con Add-WindowsFeature GPMC
Now that the role is installed, promote the server to AD and set it up;
Note
The following command will open a popup that will ask for the Domain Admins credentials to join the server (in graphical mode), then the credentials for the AD restore mode (in text mode).
Note
Of course modify the values Credential, DomainName, SiteName and ReplicationSourceDC.
There is a back quote (`) character at the end of each line. Do not remove it or PowerShell will interpret this command as multiple commands.
Install-ADDSDomainController ` -Credential (Get-Credential "MYDOMAIN\Administrator") ` -DomainName 'mydomain.lan' ` -SiteName 'Default-First-Site-Name' ` -ReplicationSourceDC srvads.mydomain.lan ` -CreateDnsDelegation:$false ` -DatabasePath 'C:\Windows\NTDS' ` -InstallDns:$true ` -LogPath 'C:\Windows\NTDS' ` -NoGlobalCatalog:$false ` -SysvolPath 'C:\Windows\SYSVOL' ` -NoRebootOnCompletion:$true ` -Force:$true
Note
At this stage, the Windows Active Directory is properly attached to the domain. However, some options need to be adjusted on the sysvol, DNS and NTP parts.
Force the activation of the Sysvol directory on the MS-AD:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name "SysvolReady" -Value "1"
Copy the contents of the
SYSVOLfrom the Samba-AD server. To do this, in a file explorer, type\\srvads\\sysvol, then go to the folder corresponding to your domain name (for example ad.mydomain.lan) and copyPoliciesandScriptsintoC:windowsSYSVOLdomain(but not the domain name). After the copy we will have these two directories:C:windowsSYSVOLdomainPolicies;C:windowsSYSVOLdomainScripts;
Note
There is a link from C:\windows\SYSVOL\sysvol\ad.mydomain.lan to C:\windows\SYSVOL\domain.
Restart the MS-AD server:
shutdown -r -t 0
Reverse DNS servers on the network card. The primary DNS server must be itself (
127.0.0.1), and the secondary DNS server is the Samba-AD server (Microsoft does the opposite when joining).In the DNS console, change the DNS redirector to the network recursor (by default Windows sets the first domain controller as the recursor when joining).
The change the NTP configuration in the MS-AD registry:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters" -Name "Type" -Value "NTP"
Then restart the NTP service with a command prompt on the MS-AD server:
net stop w32time net start w32time
Finally, update the DNS and Kerberos configuration of the Samba-AD server by updating the information about the new Windows server. To do this, modify the files
/etc/hosts,/etc/resolv.confand/etc/krb5.conf;
Warning
Samba does not support DFS-R or FRS protocols.
Therefore, it will be necessary to manually synchronize the SYSVOL directory each time a GPO is created or modified.
Windows 2016 and Windows 2019
Currently, Samba versions 4.12 and later do not support joining an Active Directory 2016 or 2019. It will be done partially with samba 4.20.