Difference between revisions of "Cool Solution - Join Samba 4 to an AD"

From Univention Wiki

 
(3 intermediate revisions by 3 users not shown)
Line 1: Line 1:
{{Cool Solutions Disclaimer|Repository=no|UCS=3.0}}
+
{{Version|UCS=4.1}}
 +
{{#seo:
 +
|title={{#replace:{{#replace:{{#replace:{{#replace:{{FULLPAGENAME}}|'|'}}|&|&}}|"|"}}|Cool Solution - |}} - {{SITENAME}}
 +
<!--|description=-->
 +
}}
  
In many environments a Microsoft Active Directory domain exists which is to be included in a new UCS domain. While the preferred way is to setup the UCS AD Connector, the number of clients or needed Trusts might make it necessary to keep the IDs or a number of Microsoft Active Directory domain controller. This article describes how to connect Samba 4 to an existing Microsoft Active Directory domain controller (AD DC) to extend its domain.
+
With UCS 4.0 AD Member Mode is now a default product feature, which is fully implemented in our Univention Management Console (UMC). From now on there is a configuration assistant in the UMC.
  
== Important Notice ==
 
  
{{Logo Samba}}
+
You can find the step by step documentation here:
  
If until now UCS AD Connector was used to synchronize the AD domain with your UCS systems, additional steps have to be taken to ensure that the mapping is equal to the one used until now. The same applies, if you kept the same data in both systems manually until now.
+
[http://docs.univention.de/manual-4.0.html#ad-connector:ad-member-einrichtung UCS as a member of an Active Directory domain (UCS 4)]
  
If you have already have a working Samba 4 domain or have started setting up your installed UCS 3.0 domain controller Master (DC Master) without following this manual, you will need to reinstall your UCS DC Master to start with a clean LDAP directory.
+
[http://docs.univention.de/manual-3.2.html#ad-connector:ad-member-einrichtung UCS as a member of an Active Directory domain (UCS 3.2)]
 
 
The domain of the UCS domain controllers needs to be the same as the one of the Active Directory. If your primary domain is not the same as the AD's domain, additional steps have to be taken to rename the primary domain as well as the Kerberos realm. Both needs to be done before the installation of Samba 4.
 
 
 
== Prerequisites ==
 
 
 
Depending on the size of the environment we recommend 2-4 cores and 4-8 GB of RAM. Depending on the size of the environment you might as well want to consider using additional UCS DC Backup and UCS DC Slave servers for services such as Nagios or Mail and using the Master for the infrastructure management, including the Samba 4 connector only.
 
 
 
If you are already using multiple Microsoft Windows AD DCs, please ensure that all replication connections are working and that the RID master, the PDC emulator, the infrastructure master, the domain naming master and the schema master are online and reachable from the UCS domain controller. Also make sure that the DNS is functional on at least one DC.
 
 
 
== Preparations ==
 
 
 
=== Installation of a new UCS DC Master ===
 
 
 
If you are starting with a fresh UCS domain, please unselect Samba 4 from the software selection. Make sure that you have a working Internet connection to update the server after the installation. Please also make sure you update at least to UCS 3.0-1 errata 53.
 
 
 
=== Microsoft DNS ===
 
 
 
Open the DNS management Console and navigate to your forward and reverse lookup zones. For each of the zones open the Properties menu and change the Replication to the Windows 2000 Compatible mode.
 
 
 
== Installation of the needed Packages ==
 
 
 
Before starting the installation set
 
 
 
univention-config-registry set connector/s4/autostart=no
 
 
 
Then include the Cool Solutions repository. Afterwards install the <tt>univention-join-ad-domain</tt> package which will also install Samba 4 and the S4-Connector.
 
 
 
univention-install univention-join-ad-domain
 
 
 
At the end of the installation the DNS backend will be switched to Samba 4 which will result in an error which can be ignored at the moment.
 
 
 
After the installation excecute the join script
 
 
 
/usr/lib/univention-join-ad-domain/bin/univention-join-ad-domain
 
 
 
It will ask you for the IP address of an AD DNS server as well as for an AD Administrator account and its password.
 
 
 
After the script is successfully executed, restart the server to clear its cache
 
 
 
shutdown -r now
 
 
 
When the system has booted again, the Well Known Groups have to be synchronized between AD and LDAP. This is especially important if you are using a non English Active Directory. Furthermore, the user for the S4 synchronisation and the Kerberos keys for DDNS will be added. These steps are combined in a second script:
 
 
 
/usr/lib/univention-join-ad-domain/bin/univention-join-ad-domain-sync-ldap
 
 
 
It will again ask for an AD Administrator account and its password. If the S4 connector has not been assigned a RID yet, you might have to run the script twice.
 
 
 
Depending on the size of your Active Directory and your LDAP directory, the synchronization between the two might run for several hours before you are able to use all features.
 
 
 
== Known Issues ==
 
 
 
=== Sysvol shares ===
 
 
 
If editing the Sysvol shares make sure you only do so on a Microsoft Windows Server. The UCS servers will synchronize them from the Microsoft Windows Servers. It will not work the other way around.
 
 
 
In case you deactivate the original joined Samba 4 server you will need to install the univention-join-ad-domain package with
 
 
 
univention-install univention-join-ad-domain
 
 
 
and set the following variable
 
 
 
univention-config-registry set samba4/sysvolmaster=<Windows AD IP>
 
 
 
The same Variable needs to be changed if the Microsoft Windows Active Directory changes.
 
 
 
=== System Time ===
 
 
 
The setup only works if the system times are synchronized on all involved domain controllers. Therefore, it is advisable to set the time server to your UCS Master for your Microsoft Windows Systems as well as your UCS systems.
 
 
 
=== DNS Setup ===
 
 
 
In some cases the DNS records might be deleted due to wrong DNS setups on the Microsoft Active Directory. To set the DNS keys ensure you have done the preparations steps within this article before executing the following script:
 
/usr/share/univention-samba4/scripts/setup-dns-in-ucsldap.sh --dc --gc
 
  
 
[[Category:Samba 4 Howtos]]
 
[[Category:Samba 4 Howtos]]
 
[[Category:EN]]
 
[[Category:EN]]
 +
[[Category:Cool Solutions]]
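Review bot: the version markers in this hunk disagree with each other: `{{Version|UCS=4.1}}` replaces the UCS=3.0 disclaimer, but the new body text says "With UCS 4.0 AD Member Mode is now a default product feature" and the first link targets manual-4.0; pick one version (e.g. "since UCS 4.0" in the text, with the template set to the release the page was actually verified against). Worth a second look as well: the removed text carried three operational caveats that the replacement does not mention and does not claim the linked manual covers, namely that an existing UCS AD Connector mapping must be preserved when switching, that system time must be synchronized on all involved domain controllers, and that Sysvol may only be edited on the Windows side; a one-line pointer to the manual sections that cover these would keep that guidance reachable. Minor: in the `{{#seo:` block `|description=` stays commented out, and the nested `#replace` calls as shown replace `'`, `&` and `"` with themselves, so they do nothing as written.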

Latest revision as of 14:00, 8 September 2017

Product logo: UCS Version 4.1

With UCS 4.0 AD Member Mode is now a default product feature, which is fully implemented in our Univention Management Console (UMC). From now on there is a configuration assistant in the UMC.


You can find the step by step documentation here:

UCS as a member of an Active Directory domain (UCS 4)

UCS as a member of an Active Directory domain (UCS 3.2)
