Cool Solution - Join Samba 4 to an AD
From Univention Wiki
In many environments a Microsoft Active Directory domain exists which is to be included in a new UCS domain. While the preferred way is to setup the UCS AD Connector, the number of clients or needed Trusts might make it necessary to keep the IDs or a number of Microsoft Active Directory domain controller. This article describes how to connect Samba 4 to an existing Microsoft Active Directory domain controller (AD DC) to extend its domain.
If until now UCS AD Connector was used to synchronize the AD domain with your UCS systems, additional steps have to be taken to ensure that the mapping is equal to the one used until now. The same applies, if you kept the same data in both systems manually until now.
If you have already have a working Samba 4 domain or have started setting up your installed UCS 3.0 domain controller Master (DC Master) without following this manual, you will need to reinstall your UCS DC Master to start with a clean LDAP directory.
The domain of the UCS domain controllers needs to be the same as the one of the Active Directory. If your primary domain is not the same as the AD's domain, additional steps have to be taken to rename the primary domain as well as the Kerberos realm. Both needs to be done before the installation of Samba 4.
Depending on the size of the environment we recommend 2-4 cores and 4-8 GB of RAM. Depending on the size of the environment you might as well want to consider using additional UCS DC Backup and UCS DC Slave servers for services such as Nagios or Mail and using the Master for the infrastructure management, including the Samba 4 connector only.
If you are already using multiple Microsoft Windows AD DCs, please ensure that all replication connections are working and that the RID master, the PDC emulator, the infrastructure master, the domain naming master and the schema master are online and reachable from the UCS domain controller. Also make sure that the DNS is functional on at least one DC.
Installation of a new UCS DC Master
If you are starting with a fresh UCS domain, please unselect Samba 4 from the software selection. Make sure that you have a working Internet connection to update the server after the installation. Please also make sure you update at least to UCS 3.0-1 errata 53.
Open the DNS management Console and navigate to your forward and reverse lookup zones. For each of the zones open the Properties menu and change the Replication to the Windows 2000 Compatible mode.
Installation of the needed Packages
Before starting the installation set
univention-config-registry set connector/s4/autostart=no
Then include the Cool Solutions repository. Afterwards install the univention-join-ad-domain package which will also install Samba 4 and the S4-Connector.
At the end of the installation the DNS backend will be switched to Samba 4 which will result in an error which can be ignored at the moment.
After the installation excecute the join script
It will ask you for the IP address of an AD DNS server as well as for an AD Administrator account and its password.
After the script is successfully executed, restart the server to clear its cache
shutdown -r now
When the system has booted again, the Well Known Groups have to be synchronized between AD and LDAP. This is especially important if you are using a non English Active Directory. Furthermore, the user for the S4 synchronisation and the Kerberos keys for DDNS will be added. These steps are combined in a second script:
It will again ask for an AD Administrator account and its password. If the S4 connector has not been assigned a RID yet, you might have to run the script twice.
Depending on the size of your Active Directory and your LDAP directory, the synchronization between the two might run for several hours before you are able to use all features.
If editing the Sysvol shares make sure you only do so on a Microsoft Windows Server. The UCS servers will synchronize them from the Microsoft Windows Servers. It will not work the other way around.
In case you deactivate the original joined Samba 4 server you will need to install the univention-join-ad-domain package with
and set the following variable
univention-config-registry set samba4/sysvolmaster=<Windows AD IP>
The same Variable needs to be changed if the Microsoft Windows Active Directory changes.
The setup only works if the system times are synchronized on all involved domain controllers. Therefore, it is advisable to set the time server to your UCS Master for your Microsoft Windows Systems as well as your UCS systems.
In some cases the DNS records might be deleted due to wrong DNS setups on the Microsoft Active Directory. To set the DNS keys ensure you have done the preparations steps within this article before executing the following script:
/usr/share/univention-samba4/scripts/setup-dns-in-ucsldap.sh --dc --gc