Adding a Windows 2019 DC to Your Samba Domain

zduygu

Duygu Ölmez

Posted on January 23, 2022

Adding a Windows 2019 DC to Your Samba Domain

Adding a Windows 2019 DC to Your Samba Domain

In this document MSAD 2016 or 2019 joins a Samba-AD with version 4.15.

This documentation is intended for system administrators that need an MS-AD domain controller in their Samba-AD domain for technical reasons (Azure-Sync, etc.).


Hint

Since version 4.12, Samba-AD manages a 2012R2 schema level but still with a functional level in 2008R2. It is therefore possible to join a Windows Server 2012R2 configured in 2008R2 functional level with a Samba-AD domain as an AD.



Important

Since version 4.12, Samba-AD manages a 2012R2 schema level but still with a functional level in 2008R2. It is therefore possible to join a Windows Server 2012R2 configured in 2008R2 functional level with a Samba-AD domain as an AD.


Microsoft Active Directory 2019

Preparing your Samba-AD for the future junction

  • Backup the Samba-AD because irreversible changes will be made;
  • Upgrade Samba to its latest 4.15 version;
  • Install the required dependencies to join the Windows Server:
# RedHat8 and derived distributions
yum install python3-markdown
# Debian
apt install python3-markdown
Enter fullscreen mode Exit fullscreen mode
  • Then run the following commands, these will join the MS Server 2019 in your domain:
samba-tool domain schemaupgrade
samba-tool domain functionalprep --function-level=2012_R2 --forest-prep --domain-prep
Enter fullscreen mode Exit fullscreen mode
  • Set schema version to 2019
priv=$(smbd -b | grep -i private_dir | cut -d : -f 2 | xargs)
defaultNamingContext=$(ldbsearch -H ldap://127.0.0.1 -s base -b "" defaultNamingContext | grep defaultNamingContext | cut -d : -f 2 | xargs)
schemaNamingContext=$(ldbsearch -H ldap://127.0.0.1 -s base -b "" schemaNamingContext | grep schema | cut -d : -f 2 | xargs)
ldbedit -e "sed -i 's/objectVersion:.*/objectVersion: 88/g'" -H $priv/sam.ldb '(objectClass=dMD)' -b $schemaNamingContext
Enter fullscreen mode Exit fullscreen mode
  • Check the directory database:
samba-tool dbcheck --cross-ncs --fix --yes  --reset-well-known-acls 
Enter fullscreen mode Exit fullscreen mode

☑️Note

It is possible that errors appear when launching the command the first time, just run it a second time.


  • Enable schema updates in Samba AD:
if grep -q "dsdb:schema update allowed" /etc/samba/smb.conf; then     
    sed -i '/dsdb:schema update allowed=true/d' /etc/samba/smb.conf
fi
sed -i '/global/a dsdb:schema update allowed=true' /etc/samba/smb.conf
systemctl restart samba-ad-dc
Enter fullscreen mode Exit fullscreen mode

Preparing and joining the Microsoft Active Directory 2019


☑️Note

It is recommended to use an English version of Windows Server for infrastructure services. This allows you to have logs in English and feel less lonely when searching on the Internet.


  • If not already done, set the server to a fixed IP and configure the DNS redirector to point to the main AD;

  • Force the activation of the Sysvol directory on the MS-AD:

  Set-ItemProperty -Path "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"  -Name "SysVolReady" -Value  0
  Restart-Computer
Enter fullscreen mode Exit fullscreen mode
  • Install the Active Directory components. In a PowerShell console run the following commands:
Install-WindowsFeature AD-Domain-Services
Add-WindowsFeature RSAT-ADLDS
Add-WindowsFeature RSAT-ADDS-Tools
Add-WindowsFeature RSAT-DNS-Server
Add-WindowsFeature RSAT-DFS-Mgmt-Con
Add-WindowsFeature GPMC
Enter fullscreen mode Exit fullscreen mode
  • Now that the role is installed, promote the server to AD and set it up;

☑️Note

The following command will open a popup that will ask for the Domain Admins credentials to join the server (in graphical mode), then the credentials for the AD restore mode (in text mode).



☑️Note

  • If not already done, synchronize the time between MS-AD domain controller in their Samba-AD domain with the following command:
w32tm /config /syncfromflags:manual /manualpeerlist:”NTP Server” /reliable:yes /update
w32tm /resync /force
Enter fullscreen mode Exit fullscreen mode


☑️Note

Of course modify the values Credential, DomainName, SiteName and ReplicationSourceDC.

There is a back quote character at the end of each line. Do not remove it or PowerShell will interpret this command as multiple commands.

Install-ADDSDomainController  `
   -Credential (Get-Credential "MIGRATE\Administrator") `
   -DomainName 'migrate.lab' `
   -SiteName 'Default-First-Site-Name' `
   -ReplicationSourceDC smb-adds01.migrate.lab `
   -CreateDnsDelegation:$false  `
   -DatabasePath 'C:\Windows\NTDS' `
   -InstallDns:$true  `
   -LogPath 'C:\Windows\NTDS' `
   -NoGlobalCatalog:$false `
   -SysvolPath 'C:\Windows\SYSVOL'  `
   -NoRebootOnCompletion:$true  `
   -Force:$true
Restart-Computer
Enter fullscreen mode Exit fullscreen mode

☑️Note

At this stage, the Windows Active Directory is properly attached to the domain. However, some options need to be adjusted on the sysvol, DNS and NTP parts.


  • Force the activation of the Sysvol directory on the MS-AD:
  Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name "SysvolReady" -Value "1"
Enter fullscreen mode Exit fullscreen mode
  • Copy the contents of the SYSVOL from the Samba-AD server. To do this, in a file explorer, type \\srvads\\sysvol, then go to the folder corresponding to your domain name (for example ad.mydomain.lan) and copy Policies and Scripts into C:windowsSYSVOLdomain (but not the domain name). After the copy we will have these two directories:

    • C:windowsSYSVOLdomainPolicies;
    • C:windowsSYSVOLdomainScripts;

⚠️Warning

Samba does not support DFS-R or FRS protocols.

Therefore, it will be necessary to manually synchronize the SYSVOL directory each time a GPO is created or modified.



☑️Note

There is a link from C:\windows\SYSVOL\sysvol\ad.mydomain.lan to C:\windows\SYSVOL\domain.


  • Restart the MS-AD server:
  shutdown -r -t 0
Enter fullscreen mode Exit fullscreen mode
  • Reverse DNS servers on the network card. The primary DNS server must be itself (127.0.0.1), and the secondary DNS server is the Samba-AD server (Microsoft does the opposite when joining)

  • In the DNS console, change the DNS redirector to the network recursor (by default Windows sets the first domain controller as the recursor when joining).

  • The change the NTP configuration in the MS-AD registry:

  Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters" -Name "Type" -Value  "NTP"
Enter fullscreen mode Exit fullscreen mode
  • Then restart the NTP service with a command prompt on the MS-AD server:
  net stop w32time
  net start w32time
Enter fullscreen mode Exit fullscreen mode
  • Finally, update the DNS and Kerberos configuration of the Samba-AD server by updating the information about the new Windows server. To do this, modify the files /etc/hosts, /etc/resolv.conf and /etc/krb5.conf;

Final Checks


  • Check the directory database in Samba-AD server:
samba-tool dbcheck --cross-ncs --fix --yes  --reset-well-known-acls 
Enter fullscreen mode Exit fullscreen mode

Image description
Image description

💖 💪 🙅 🚩
zduygu
Duygu Ölmez

Posted on January 23, 2022

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related