Adding a Windows 2019 DC to Your Samba Domain
This document describes joining a Microsoft Active Directory (Windows Server 2016 or 2019) domain controller to a Samba-AD domain running Samba 4.15.
This documentation is intended for system administrators who need an MS-AD domain controller in their Samba-AD domain for technical reasons (Azure AD sync, etc.).
❗Hint
Since version 4.12, Samba-AD supports a 2012R2 schema level while its functional level remains 2008R2. It is therefore possible to join a Windows Server 2012R2 domain controller, configured at the 2008R2 functional level, to a Samba-AD domain.
Microsoft Active Directory 2019
Preparing your Samba-AD for the join
- Back up the Samba-AD, because irreversible changes will be made;
- Upgrade Samba to the latest 4.15 release;
- Install the required dependency (python3-markdown is needed by samba-tool domain schemaupgrade):
# RedHat8 and derived distributions
yum install python3-markdown
# Debian
apt install python3-markdown
- Then run the following commands, which upgrade the schema and prepare the forest and domain for the 2012_R2 functional level (they do not join the Windows server yet; that happens on the Windows side below):
samba-tool domain schemaupgrade
samba-tool domain functionalprep --function-level=2012_R2 --forest-prep --domain-prep
- Set the schema version to that of Windows Server 2019 (objectVersion 88):
priv=$(smbd -b | grep -i private_dir | cut -d : -f 2 | xargs)
defaultNamingContext=$(ldbsearch -H ldap://127.0.0.1 -s base -b "" defaultNamingContext | grep defaultNamingContext | cut -d : -f 2 | xargs)
schemaNamingContext=$(ldbsearch -H ldap://127.0.0.1 -s base -b "" schemaNamingContext | grep schema | cut -d : -f 2 | xargs)
ldbedit -e "sed -i 's/objectVersion:.*/objectVersion: 88/g'" -H $priv/sam.ldb '(objectClass=dMD)' -b $schemaNamingContext
- Check the directory database:
samba-tool dbcheck --cross-ncs --fix --yes --reset-well-known-acls
☑️Note
Errors may appear the first time the command is run; just run it a second time.
- Enable schema updates in Samba-AD (any existing setting is removed first, whatever its spacing, so the option is not duplicated in [global]):
sed -i '/^[[:space:]]*dsdb:schema update allowed[[:space:]]*=/d' /etc/samba/smb.conf
sed -i '/^\[global\]/a dsdb:schema update allowed = true' /etc/samba/smb.conf
systemctl restart samba-ad-dc
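Before moving to the Windows side, it is worth reading back the values the steps above are supposed to have changed, rather than trusting that each command succeeded. The following script is an added example for this page (not code from the page or from the Samba project): check_prep takes LDIF text for the schema container, the domain root and CN=Partitions and reports whether the schema is at objectVersion 88 and both functional levels at 6 (2012_R2); live_check feeds it real ldbsearch output, locating sam.ldb the same way the page does. The names of the functions and the SAMBA_PREP_CHECK switch are this example's own.

```sh
#!/bin/sh
# Read-back check of the Samba-AD preparation steps above.
# Added example for this page; not code from the page or from the Samba project.
# It verifies the three values those steps change:
#   - the schema container's objectVersion must be 88 (Windows Server 2019 schema),
#   - msDS-Behavior-Version must be 6 (2012_R2) on the domain root (domain level)
#     and on CN=Partitions,CN=Configuration,... (forest level).
# check_prep takes LDIF text so it can run on constructed input; live_check
# feeds it real ldbsearch output from the DC's sam.ldb, as the page does.

# First value of attribute $1 in the LDIF read from stdin (empty if absent).
ldif_attr() {
  awk -v attr="$1" 'BEGIN { FS = ": " } $1 == attr { print $2; exit }'
}

# Names for the numeric levels (Microsoft's published values).
schema_name() {
  case "$1" in
    47) echo "Windows Server 2008 R2" ;;
    56) echo "Windows Server 2012" ;;
    69) echo "Windows Server 2012 R2" ;;
    87) echo "Windows Server 2016" ;;
    88) echo "Windows Server 2019" ;;
    *)  echo "unknown" ;;
  esac
}
level_name() {
  case "$1" in
    4) echo "2008_R2" ;;
    5) echo "2012" ;;
    6) echo "2012_R2" ;;
    7) echo "2016" ;;
    *) echo "unknown" ;;
  esac
}

# $1 = LDIF of the schema container, $2 = LDIF of the domain root,
# $3 = LDIF of CN=Partitions. Prints one line per value, then READY or
# NOT READY; returns 1 when the DC is not ready for a 2019 DC join.
check_prep() {
  sv=$(printf '%s\n' "$1" | ldif_attr objectVersion)
  dl=$(printf '%s\n' "$2" | ldif_attr msDS-Behavior-Version)
  fl=$(printf '%s\n' "$3" | ldif_attr msDS-Behavior-Version)
  rc=0
  printf 'schema objectVersion: %s (%s)\n' "${sv:-?}" "$(schema_name "$sv")"
  printf 'domain functional level: %s (%s)\n' "${dl:-?}" "$(level_name "$dl")"
  printf 'forest functional level: %s (%s)\n' "${fl:-?}" "$(level_name "$fl")"
  if [ "$sv" != 88 ]; then
    echo "FAIL: objectVersion must be 88; rerun the schemaupgrade and ldbedit steps"
    rc=1
  fi
  if [ "$dl" != 6 ] || [ "$fl" != 6 ]; then
    echo "FAIL: domain and forest level must be 6 (2012_R2); rerun functionalprep"
    rc=1
  fi
  if [ $rc -eq 0 ]; then echo READY; else echo "NOT READY"; fi
  return $rc
}

# Live run on the Samba DC: rootDSE over LDAP for the naming contexts (as the
# page does), then the three objects straight from sam.ldb.
live_check() {
  priv=$(smbd -b | grep -i private_dir | cut -d : -f 2 | xargs)
  db="$priv/sam.ldb"
  dnc=$(ldbsearch -H ldap://127.0.0.1 -s base -b "" defaultNamingContext | ldif_attr defaultNamingContext)
  snc=$(ldbsearch -H ldap://127.0.0.1 -s base -b "" schemaNamingContext | ldif_attr schemaNamingContext)
  cnc=$(ldbsearch -H ldap://127.0.0.1 -s base -b "" configurationNamingContext | ldif_attr configurationNamingContext)
  check_prep "$(ldbsearch -H "$db" -s base -b "$snc" objectVersion)" \
             "$(ldbsearch -H "$db" -s base -b "$dnc" msDS-Behavior-Version)" \
             "$(ldbsearch -H "$db" -s base -b "CN=Partitions,$cnc" msDS-Behavior-Version)"
}

# Run against the live DC only when asked: SAMBA_PREP_CHECK=1 sh prep-check.sh
if [ "${SAMBA_PREP_CHECK:-0}" = 1 ]; then
  live_check
fi
```

Run it as root on the Samba DC with SAMBA_PREP_CHECK=1; a NOT READY verdict before promoting the Windows server saves a failed Install-ADDSDomainController run, since the promotion checks exactly these levels.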
Preparing and joining the Microsoft Active Directory 2019
☑️Note
It is recommended to use an English version of Windows Server for infrastructure services: the logs are then in English, which makes searching the Internet for an error message far less lonely.
- If not already done, give the server a fixed IP address and set the DNS server of its network adapter to the Samba-AD domain controller;
- Before promotion, mark SYSVOL as not ready in the Netlogon parameters (it will be set back to 1 once SYSVOL has been copied from the Samba-AD server, see below):
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name "SysvolReady" -Value 0
Restart-Computer
- Install the Active Directory components. In a PowerShell console run the following commands:
Install-WindowsFeature AD-Domain-Services
Add-WindowsFeature RSAT-ADLDS
Add-WindowsFeature RSAT-ADDS-Tools
Add-WindowsFeature RSAT-DNS-Server
Add-WindowsFeature RSAT-DFS-Mgmt-Con
Add-WindowsFeature GPMC
- Now that the role is installed, promote the server to a domain controller and configure it;
☑️Note
The following command opens a dialog asking for Domain Admins credentials (graphical mode), then prompts for the Directory Services Restore Mode (DSRM) password (text mode).
☑️Note
- If not already done, synchronize the Windows server's clock with the same NTP source as the Samba-AD domain controller (Kerberos only tolerates a few minutes of clock skew between the two DCs), with the following commands:
w32tm /config /syncfromflags:manual /manualpeerlist:"NTP Server" /reliable:yes /update
w32tm /resync /force
☑️Note
Of course, adapt the values of Credential, DomainName, SiteName and ReplicationSourceDC; ReplicationSourceDC must be the Samba-AD domain controller.
There is a back quote character at the end of each line. Do not remove it or PowerShell will interpret this command as multiple commands.
Install-ADDSDomainController `
-Credential (Get-Credential "MIGRATE\Administrator") `
-DomainName 'migrate.lab' `
-SiteName 'Default-First-Site-Name' `
-ReplicationSourceDC smb-adds01.migrate.lab `
-CreateDnsDelegation:$false `
-DatabasePath 'C:\Windows\NTDS' `
-InstallDns:$true `
-LogPath 'C:\Windows\NTDS' `
-NoGlobalCatalog:$false `
-SysvolPath 'C:\Windows\SYSVOL' `
-NoRebootOnCompletion:$true `
-Force:$true
Restart-Computer
☑️Note
At this stage the Windows domain controller is properly joined to the domain. However, some settings still need to be adjusted for SYSVOL, DNS and NTP.
- Mark SYSVOL as ready on the MS-AD:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name "SysvolReady" -Value "1"
- Copy the contents of SYSVOL from the Samba-AD server. To do this, in a file explorer open \\srvads\sysvol (srvads being the Samba-AD server), go to the folder named after your domain (for example ad.mydomain.lan) and copy the Policies and Scripts folders into C:\Windows\SYSVOL\domain (not into a subfolder named after the domain). After the copy you will have these two directories:
- C:\Windows\SYSVOL\domain\Policies;
- C:\Windows\SYSVOL\domain\Scripts;
⚠️Warning
Samba does not support the DFS-R or FRS replication protocols. The SYSVOL directory therefore has to be synchronized manually each time a GPO is created or modified.
☑️Note
C:\Windows\SYSVOL\sysvol\ad.mydomain.lan is a junction pointing to C:\Windows\SYSVOL\domain, so the folders copied above are what the SYSVOL share exposes.
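Because nothing replicates SYSVOL between the two DCs, every manual copy should be followed by a check that both sides really hold the same files; otherwise clients receive different group policy depending on which DC answers them. The script below is an added example for this page (not code from the page or from the Samba project): it builds a SHA-256 manifest of each tree and lists files that are missing on one side or differ in content. The paths in SAMBA_SYSVOL and WIN_SYSVOL are assumptions (the Samba domain directory and a CIFS mount of the Windows DC's SYSVOL\domain folder) and the function names are this example's own.

```sh
#!/bin/sh
# SYSVOL drift check between the Samba-AD DC and the Windows DC.
# Added example for this page; not code from the page or from the Samba project.
# Samba does not replicate SYSVOL (no DFS-R/FRS), so after each manual copy of
# Policies/ and Scripts/ this proves both DCs serve the same bytes.
# Assumed paths (change them): SAMBA_SYSVOL is the domain directory on the
# Samba DC, WIN_SYSVOL a CIFS mount of the Windows DC's SYSVOL\domain folder.
SAMBA_SYSVOL="${SAMBA_SYSVOL:-/var/lib/samba/sysvol/ad.mydomain.lan}"
WIN_SYSVOL="${WIN_SYSVOL:-/mnt/win-dc-sysvol}"

# SHA-256 of one file (sha256sum on Linux, shasum elsewhere).
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d ' ' -f 1
  else
    shasum -a 256 "$1" | cut -d ' ' -f 1
  fi
}

# Manifest of a tree: one "<sha256><TAB><relative path>" line per regular
# file, sorted by path. A tab separator keeps GPO paths containing spaces
# (e.g. Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf) intact.
sysvol_manifest() {
  dir="$1"
  [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
  (cd "$dir" && find . -type f | sed 's|^\./||' | LC_ALL=C sort) |
  while IFS= read -r rel; do
    printf '%s\t%s\n' "$(hash_file "$dir/$rel")" "$rel"
  done
}

# Compare the Samba tree ($1) with the Windows tree ($2). Prints one line per
# drifted file: content-differs <path>, missing-on-windows <path> or
# missing-on-samba <path>. Returns 0 when identical, 1 when drift was found.
sysvol_diff() {
  samba_dir="$1"; win_dir="$2"
  ms=$(mktemp); mw=$(mktemp)
  sysvol_manifest "$samba_dir" > "$ms"
  sysvol_manifest "$win_dir" > "$mw"
  # Keyed by path: s[] from the first file, w[] from the second.
  drift=$(awk '
    BEGIN { FS = "\t" }
    FILENAME == ARGV[1] { s[$2] = $1; next }
    { w[$2] = $1 }
    END {
      for (p in s) if (!(p in w)) print "missing-on-windows " p
      for (p in w) if (!(p in s)) print "missing-on-samba " p
      for (p in s) if ((p in w) && s[p] != w[p]) print "content-differs " p
    }' "$ms" "$mw" | LC_ALL=C sort)
  rm -f "$ms" "$mw"
  [ -z "$drift" ] && return 0
  printf '%s\n' "$drift"
  return 1
}

# Live use on the Samba DC (Windows SYSVOL mounted at WIN_SYSVOL):
#   SYSVOL_CHECK_RUN=1 sh sysvol-drift.sh
if [ "${SYSVOL_CHECK_RUN:-0}" = 1 ]; then
  sysvol_diff "$SAMBA_SYSVOL" "$WIN_SYSVOL"
fi
```

A non-zero exit with a "content-differs" line on a GptTmpl.inf or GPT.INI is the case to watch for: it means the two DCs are handing out different security settings for the same GPO, and the copy step above has to be repeated.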
- Restart the MS-AD server:
shutdown -r -t 0
- Swap the DNS servers on the network adapter: the primary DNS server must be the server itself (127.0.0.1) and the secondary the Samba-AD server (the join wizard configures the opposite order);
- In the DNS console, change the forwarder to the network's recursive resolver (by default Windows sets the first domain controller as forwarder when joining);
- Then change the NTP configuration in the MS-AD registry:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters" -Name "Type" -Value "NTP"
- Then restart the NTP service with a command prompt on the MS-AD server:
net stop w32time
net start w32time
- Finally, update the DNS and Kerberos configuration of the Samba-AD server with the new Windows server's details, by editing /etc/hosts, /etc/resolv.conf and /etc/krb5.conf;
Final Checks
- Check the directory database on the Samba-AD server:
samba-tool dbcheck --cross-ncs --fix --yes --reset-well-known-acls