Adding a Windows AD to your Samba Active Directory domain

This documentation is intended for system administrators that need an MS-AD domain controller in their Samba-AD domain for technical reasons (Azure-Sync, etc.).

Hint

Since version 4.12, Samba-AD manages a 2012R2 schema level but still with a functional level in 2008R2. It is therefore possible to join a Windows Server 2012R2 configured in 2008R2 functional level with a Samba-AD domain as an AD.

Warning

As of 2024-12-18, Samba-AD does not allow to join a MSAD 2016 or 2019.

Microsoft Active Directory 2012R2

Preparing your Samba-AD for the future junction

  • Backup the Samba-AD because irreversible changes will be made;

  • Upgrade Samba to its latest 4.12 version;

  • Install the required dependencies to join the Windows Server:

    # RedHat8 and derived distributions
    yum install patch python36-markdown
    # Debian
    apt install patch python3-markdown
    
  • Then run the following commands, these will join the 2012R2 in your domain:

    samba-tool domain schemaupgrade
    samba-tool domain functionalprep --function-level=2012_R2 --forest-prep --domain-prep
    
  • Check the directory database:

    samba-tool dbcheck --cross-ncs --fix --yes
    

Hint

It is possible that errors appear when launching the command the first time, just run it a second time.

  • An attribute is missing in Samba that will generate error messages in the command dcdiag. To solve the problem, recreate two attributes msDS-SDReferenceDomain in the ``cn=configuration partition that point to the rootDN of the Active Directory. To do this you can run the following script on the Samba-AD server:

    # -*- coding: utf-8 -*-
    from samba.auth import system_session
    from samba.credentials import Credentials
    from samba.samdb import SamDB
    import optparse
    import samba.getopt as options
    
    parser = optparse.OptionParser("/etc/samba/smb.conf")
    sambaopts = options.SambaOptions(parser)
    
    lp = sambaopts.get_loadparm()
    domaine = sambaopts._lp.get('realm').lower()
    
    creds = Credentials()
    creds.guess(lp)
    
    samdbloc = SamDB(session_info=system_session(),credentials=creds, lp=lp)
    listdn = list(samdbloc.search(base='cn=partitions,' + str(samdbloc.get_config_basedn()), expression=('(|(dnsroot=ForestDnsZones.%s)(dnsroot=DomainDnsZones.%s))' % (domaine,domaine) )))
    
    for dn in listdn:
        if not 'msDS-SDReferenceDomain' in dn :
            ldif_data = u"""dn: %s
    changetype: modify
    replace: msDS-SDReferenceDomain
    msDS-SDReferenceDomain: %s""" % (dn['dn'],str(samdbloc.get_root_basedn()))
            print(ldif_data)
            samdbloc.modify_ldif(ldif_data)
    

Preparing and joining the Microsoft Active Directory 2012R2

Note

It is recommended to use an English version of Windows Server for infrastructure services. This allows you to have logs in English and feel less lonely when searching on the Internet.

  • If not already done, set the server to a fixed IP and configure the DNS redirector to point to the main AD;

  • Install the Active Directory components. In a PowerShell console run the following commands:

    Install-WindowsFeature AD-Domain-Services
    Add-WindowsFeature RSAT-ADLDS
    Add-WindowsFeature RSAT-ADDS-Tools
    Add-WindowsFeature RSAT-DNS-Server
    Add-WindowsFeature RSAT-DFS-Mgmt-Con
    Add-WindowsFeature GPMC
    
  • Now that the role is installed, promote the server to AD and set it up;

    Note

    The following command will open a popup that will ask for the Domain Admins credentials to join the server (in graphical mode), then the credentials for the AD restore mode (in text mode).

    Note

    Of course modify the values Credential, DomainName, SiteName and ReplicationSourceDC.

    There is a back quote (`) character at the end of each line. Do not remove it or PowerShell will interpret this command as multiple commands.

    Install-ADDSDomainController  `
      -Credential (Get-Credential "MYDOMAIN\Administrator") `
      -DomainName 'mydomain.lan' `
      -SiteName 'Default-First-Site-Name' `
      -ReplicationSourceDC srvads.mydomain.lan `
      -CreateDnsDelegation:$false  `
      -DatabasePath 'C:\Windows\NTDS' `
      -InstallDns:$true  `
      -LogPath 'C:\Windows\NTDS' `
      -NoGlobalCatalog:$false `
      -SysvolPath 'C:\Windows\SYSVOL'  `
      -NoRebootOnCompletion:$true  `
      -Force:$true
    

    Note

    At this stage, the Windows Active Directory is properly attached to the domain. However, some options need to be adjusted on the sysvol, DNS and NTP parts.

  • Force the activation of the Sysvol directory on the MS-AD:

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name "SysvolReady" -Value "1"
    
  • Copy the contents of the SYSVOL from the Samba-AD server. To do this, in a file explorer, type \\srvads\\sysvol, then go to the folder corresponding to your domain name (for example ad.mydomain.lan) and copy Policies and Scripts into C:windowsSYSVOLdomain (but not the domain name). After the copy we will have these two directories:

    • C:windowsSYSVOLdomainPolicies;

    • C:windowsSYSVOLdomainScripts;

Note

There is a link from C:\windows\SYSVOL\sysvol\ad.mydomain.lan to C:\windows\SYSVOL\domain.

  • Restart the MS-AD server:

    shutdown -r -t 0
    
  • Reverse DNS servers on the network card. The primary DNS server must be itself (127.0.0.1), and the secondary DNS server is the Samba-AD server (Microsoft does the opposite when joining).

  • In the DNS console, change the DNS redirector to the network recursor (by default Windows sets the first domain controller as the recursor when joining).

  • The change the NTP configuration in the MS-AD registry:

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters" -Name "Type" -Value  "NTP"
    
  • Then restart the NTP service with a command prompt on the MS-AD server:

    net stop w32time
    net start w32time
    
  • Finally, update the DNS and Kerberos configuration of the Samba-AD server by updating the information about the new Windows server. To do this, modify the files /etc/hosts, /etc/resolv.conf and /etc/krb5.conf;

Warning

Samba does not support DFS-R or FRS protocols.

Therefore, it will be necessary to manually synchronize the SYSVOL directory each time a GPO is created or modified.

Windows 2016 and Windows 2019

Currently, Samba versions 4.12 and later do not support joining an Active Directory 2016 or 2019. It will be done partially with samba 4.20.