Manage Samba4 Active Directory Infrastructure from Windows10 via RSAT – Part 3

In this part of the Samba4 AD DC infrastructure series we will discuss how to join a Windows 10 machine to a Samba4 realm and how to administer the domain from a Windows 10 workstation.

Once a Windows 10 system has been joined to the Samba4 AD DC, we can create, remove or disable domain users and groups, create new Organizational Units, create, edit and manage domain policy, and manage the Samba4 domain DNS service.

All of the above functions, and other complex domain administration tasks, can be performed from any modern Windows platform with the help of RSAT (Microsoft Remote Server Administration Tools).

Requirements

  1. Create an AD Infrastructure with Samba4 on Ubuntu 16.04 – Part 1
  2. Manage Samba4 AD Infrastructure from Linux Command Line – Part 2
  3. Manage Samba4 AD Domain Controller DNS and Group Policy from Windows – Part 4

Step 1: Configure Domain Time Synchronization

1. Before starting to administer the Samba4 AD DC from Windows 10 with the RSAT tools, we need to take care of a crucial service that Active Directory depends on: accurate time synchronization.

Time synchronization is provided by the NTP daemon on most Linux distributions. The maximum clock discrepancy an AD can tolerate by default is about 5 minutes (the Kerberos clock-skew limit).

If the time divergence is greater than 5 minutes you will start experiencing various errors, most importantly concerning AD users, joined machines and share access.

To install the Network Time Protocol daemon and the NTP client utility on Ubuntu, execute the command below.

$ sudo apt-get install ntp ntpdate
Screenshot: Install NTP on Ubuntu

2. Next, open the NTP configuration file for editing and replace the default NTP pool server list with a new list of NTP servers that are geographically close to your equipment.

The list of NTP servers can be obtained from the official NTP Pool Project web page at http://www.pool.ntp.org/en/.

$ sudo nano /etc/ntp.conf

Comment out the default server list by adding a # in front of each pool line, then add the pool lines below with your chosen NTP servers, as illustrated in the screenshot.

pool 0.ro.pool.ntp.org iburst
pool 1.ro.pool.ntp.org iburst
pool 2.ro.pool.ntp.org iburst

# Fallback pool server.
pool 3.ro.pool.ntp.org
Screenshot: Configure NTP Server in Ubuntu

3. Don't close the file yet. Move to the top of the file and add the line below after the driftfile statement. This setting allows domain clients to query the server using AD-signed NTP requests.

ntpsigndsocket /var/lib/samba/ntp_signd/
Screenshot: Sync AD with NTP

4. Finally, move to the bottom of the file and add the line below, as illustrated in the screenshot. The nomodify flag allows network clients only to query the time, not to change the server's configuration, and the mssntp flag enables the MS-SNTP signed replies that domain members expect.

restrict default kod nomodify notrap nopeer mssntp
Screenshot: Query Clients to NTP Server

5. When finished, save and close the NTP configuration file and grant the NTP service the permissions it needs to read the ntp_signd directory.

This is the system path where the Samba NTP socket is located. Afterwards, restart the NTP daemon to apply the changes and verify that NTP has open sockets in your system's network table using the netstat command combined with a grep filter.

$ sudo chown root:ntp /var/lib/samba/ntp_signd/
$ sudo chmod 750 /var/lib/samba/ntp_signd/
$ sudo systemctl restart ntp
$ sudo netstat -tulpn | grep ntp
Screenshot: Grant Permission to NTP

Use the ntpq command line utility with the -p flag to monitor the NTP daemon and print a summary of the peers' state.

$ ntpq -p
Screenshot: Monitor NTP Server Pool

Step 2: Troubleshoot NTP Time Issues

6. Sometimes the NTP daemon gets stuck while trying to synchronize time with an upstream NTP peer, resulting in the following error message when you try to force time synchronization manually by running the ntpdate utility on a client:

# ntpdate -qu adc1
ntpdate[4472]: no server suitable for synchronization found
Screenshot: NTP Time Synchronization Error

Or, when using the ntpdate command with the -d flag:

# ntpdate -d adc1.tecmint.lan
Server dropped: Leap not in sync
Screenshot: NTP Server Dropped Leap Not in Sync

7. To work around this issue, stop the NTP service on the server and use the ntpdate client utility to force time synchronization with an external peer using the -b flag, as shown below:

# systemctl stop ntp.service
# ntpdate -b 2.ro.pool.ntp.org  [your_ntp_peer]
# systemctl start ntp.service
# systemctl status ntp.service
Screenshot: Force NTP Time Synchronization

8. After the time has been accurately synchronized and the NTP daemon has been started again on the server, verify from the client side that the service is ready to serve time to local clients by issuing the following command:

# ntpdate -du adc1.tecmint.lan    [your_adc_server]
Screenshot: Verify NTP Time Synchronization

By now, the NTP server should work as expected.
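The following script is an added example, not part of the original article: it checks the ntp.conf directives from Step 1, the ownership and mode set on the signing socket directory in Step 5, and parses ntpq -p output to detect the two failure modes behind Step 2 (no selected peer, or an offset beyond the 5-minute window AD tolerates). The ntpq sample is constructed; with --live it runs against the real /etc/ntp.conf and ntpq.

```shell
#!/usr/bin/env bash
# Added example (not from the article): verify the Samba4 NTP setup.
set -u

MAX_OFFSET_MS=300000   # 5 minutes: the default AD/Kerberos clock-skew limit

# check_conf FILE -> "ok" or "missing:<directives the tutorial requires>"
check_conf() {
    local conf=$1 missing=""
    grep -Eq '^ntpsigndsocket[[:space:]]+/var/lib/samba/ntp_signd/?' "$conf" || missing="$missing ntpsigndsocket"
    grep -Eq '^restrict[[:space:]]+default.*nomodify' "$conf" || missing="$missing restrict-nomodify"
    grep -Eq '^restrict[[:space:]]+default.*mssntp' "$conf"   || missing="$missing restrict-mssntp"
    grep -Eq '^(pool|server)[[:space:]]' "$conf"              || missing="$missing upstream-peer"
    [ -z "$missing" ] && echo ok || echo "missing:$missing"
}

# check_signd_dir DIR -> "ok" when owned root:ntp with mode 750 (Step 5)
check_signd_dir() {
    local dir=$1 st
    st=$(stat -c '%U:%G %a' "$dir" 2>/dev/null) || { echo absent; return; }
    [ "$st" = "root:ntp 750" ] && echo ok || echo "wrong:$st"
}

# selected_peer_offset_ms NTPQ_OUTPUT -> offset (ms) of the '*' system peer,
# or "none" when ntpd has not selected any peer (the "Leap not in sync" state)
selected_peer_offset_ms() {
    printf '%s\n' "$1" | awk '$1 ~ /^\*/ { print $9; found=1 } END { if (!found) print "none" }'
}

# time_ok NTPQ_OUTPUT -> "ok" | "unsynced" | "skew:<abs offset ms>"
time_ok() {
    local off
    off=$(selected_peer_offset_ms "$1")
    if [ "$off" = none ]; then echo unsynced; return; fi
    awk -v o="$off" -v m="$MAX_OFFSET_MS" \
        'BEGIN { a = o + 0; if (a < 0) a = -a; r = (a <= m) ? "ok" : ("skew:" a); print r }'
}

# Constructed sample of `ntpq -p` output (not captured from a real server).
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*0.ro.pool.ntp.o 193.226.12.70    2 u   34   64  377    6.123   -1.204   0.811
+1.ro.pool.ntp.o 194.102.255.1    2 u   40   64  377    7.001    0.455   0.902'

if [ "${1:-}" = "--live" ]; then
    check_conf /etc/ntp.conf
    check_signd_dir /var/lib/samba/ntp_signd
    time_ok "$(ntpq -pn)"
fi
```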

Step 3: Join Windows 10 into Realm

9. As we saw in the previous tutorial, Samba4 Active Directory can be managed from the command line with the samba-tool utility, either directly from the server's VTY console or remotely over SSH.

Another, more intuitive and flexible alternative is to manage our Samba4 AD Domain Controller via Microsoft Remote Server Administration Tools (RSAT) from a Windows workstation integrated into the domain. These tools are available for almost all modern Windows systems.

The process of joining Windows 10, or older versions of Microsoft Windows, to a Samba4 AD DC is very simple. First, make sure that your Windows 10 workstation has the correct Samba4 DNS IP address configured so that it queries the proper realm resolver.

Open Control Panel -> Network and Internet -> Network and Sharing Center -> Ethernet card -> Properties -> IPv4 -> Properties -> Use the following DNS server addresses and manually enter the Samba4 AD IP address for the network interface, as illustrated in the screenshots below.

Screenshot: Join Windows to Samba4 AD
Screenshot: Add DNS and Samba4 AD IP Address

Here, 192.168.1.254 is the IP address of the Samba4 AD Domain Controller responsible for DNS resolution. Replace the IP address accordingly.

10. Next, apply the network settings by clicking the OK button, open a Command Prompt and ping the domain name and the Samba4 host FQDN to test whether the realm is reachable through DNS resolution.

ping tecmint.lan
ping adc1.tecmint.lan
Screenshot: Check Network Connectivity Between Windows and Samba4 AD

11. If the resolver correctly answers the Windows client's DNS queries, you next need to ensure that the time is accurately synchronized with the realm.

Open Control Panel -> Clock, Language and Region -> Set Time and Date -> Internet Time tab -> Change Settings and enter your domain name in the Synchronize with an Internet time server field.

Click the Update Now button to force time synchronization with the realm and click OK to close the window.

Screenshot: Synchronize Time with Internet Server

12. Finally, join the domain by opening System Properties -> Change -> Member of Domain, enter your domain name, click OK, enter your domain administrative account credentials and click OK again.

A new pop-up window should open informing you that the machine is now a member of the domain. Click OK to close the pop-up window and reboot the machine to apply the domain changes.

The screenshots below illustrate these steps.

Screenshot: Join Windows Domain to Samba4 AD
Screenshot: Enter Domain Administration Login
Screenshot: Domain Joined to Samba4 AD Confirmation
Screenshot: Restart Windows for Changes

13. After the restart, click Other user and log on to Windows with a Samba4 domain account that has administrative privileges. You should then be ready to move to the next step.

Screenshot: Login to Windows Using Samba4 AD Account
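Pinging the realm name and the DC's FQDN (step 10) proves basic resolution, but a domain join also locates the DC through SRV records that Samba provisions in the realm zone. The script below is an added example, not from the original article: run from the DC or any Linux host with the `host` utility (bind9-host/dnsutils), it queries the Samba4 DNS for the A and SRV records a Windows client needs before you attempt the join. It defaults to the tutorial's tecmint.lan, adc1.tecmint.lan and 192.168.1.254, overridable via the REALM, DC_FQDN and DNS_IP environment variables.

```shell
#!/usr/bin/env bash
# Added example (not from the article): pre-join DNS check for a Samba4 realm.
set -u
REALM=${REALM:-tecmint.lan}
DC_FQDN=${DC_FQDN:-adc1.tecmint.lan}
DNS_IP=${DNS_IP:-192.168.1.254}

# Records a Windows client resolves while locating a DC and joining the realm.
required_records() {
    printf '%s\n' \
      "A $REALM" \
      "A $DC_FQDN" \
      "SRV _ldap._tcp.$REALM" \
      "SRV _kerberos._tcp.$REALM" \
      "SRV _ldap._tcp.dc._msdcs.$REALM" \
      "SRV _kerberos._udp.$REALM"
}

# lookup TYPE NAME -> raw `host` output for that record, asked directly at DNS_IP
lookup() { host -t "$1" "$2" "$DNS_IP" 2>&1; }

# record_present TYPE NAME OUTPUT -> 0 when OUTPUT holds an answer of that type
record_present() {
    local type=$1 name=$2 out=$3
    case "$type" in
        A)   printf '%s\n' "$out" | grep -Eq "^$name has address [0-9.]+$" ;;
        SRV) printf '%s\n' "$out" | grep -Eq "^$name has SRV record [0-9]+ [0-9]+ [0-9]+ [^ ]+$" ;;
        *)   return 1 ;;
    esac
}

# missing_records -> prints "TYPE NAME" for each required record the DNS did not answer
missing_records() {
    local type name
    required_records | while read -r type name; do
        record_present "$type" "$name" "$(lookup "$type" "$name")" || echo "$type $name"
    done
}

if [ "${1:-}" = "--live" ]; then
    m=$(missing_records)
    [ -z "$m" ] && echo "all required records answered by $DNS_IP" || printf 'missing:\n%s\n' "$m"
fi
```

A missing _msdcs SRV record usually means the client is not pointed at the Samba4 DC for DNS, which is the situation behind "Ping request could not find host" errors on the FQDN.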

Step 4: Administer Samba4 AD DC with RSAT

14. Microsoft Remote Server Administration Tools (RSAT), which will be further used to administer Samba4 Active Directory, can be downloaded from the following links, depending on your Windows version:

  1. Windows 10: https://www.microsoft.com/en-us/download/details.aspx?id=45520
  2. Windows 8.1: http://www.microsoft.com/en-us/download/details.aspx?id=39296
  3. Windows 8: http://www.microsoft.com/en-us/download/details.aspx?id=28972
  4. Windows 7: http://www.microsoft.com/en-us/download/details.aspx?id=7887

Once the standalone update installer package for Windows 10 has been downloaded, run the installer, wait for the installation to finish and restart the machine to apply all updates.

After reboot, open Control Panel -> Programs (Uninstall a Program) -> Turn Windows features on or off and check all Remote Server Administration Tools.

Click OK to start the installation and after the installation process finishes, restart the system.

Screenshot: Administer Samba4 AD from Windows

15. To access RSAT tools go to Control Panel -> System and Security -> Administrative Tools.

The tools can also be found in the Administrative Tools folder of the Start menu. Alternatively, you can open the Windows MMC and add snap-ins using the File -> Add/Remove Snap-in menu.

Screenshot: Access Remote Server Administration Tools

The most used tools, such as AD UC (Active Directory Users and Computers), DNS and Group Policy Management, can be launched directly from the Desktop by creating shortcuts with the Send to -> Desktop option of the context menu.

16. You can verify that RSAT works by opening AD UC and listing the domain Computers (the newly joined Windows machine should appear in the list), or by creating a new Organizational Unit, user or group.

Verify that the users or groups have been properly created by issuing the wbinfo command on the Samba4 server.

Screenshot: Active Directory Users and Computers
Screenshot: Create Organizational Units and New Users
Screenshot: Confirm Samba4 AD Users

That's it! In the next part of this series we will cover other important aspects of a Samba4 Active Directory that can be administered via RSAT, such as how to manage the DNS server, add DNS records and create a reverse DNS lookup zone, how to manage and apply domain policy, and how to create an interactive logon banner for your domain users.


Matei Cezar
I'm a computer-addicted guy, a fan of open source and Linux-based system software, with about 4 years of experience with Linux distributions on desktops and servers and with bash scripting.


17 Comments

  1. Hello,

    I’m stuck on Step 10. When I run ping, I get these errors:

    C:\Users\Juston Griggs> ping relic.goneoweb.lan
    Ping request could not find host relic.goneoweb.lan. Please check the name and try again.

    C:\Users\Juston Griggs>ping goneoweb.lan
    Ping request could not find host goneoweb.lan. Please check the name and try again.

    but I can successfully ping just “relic”

    C:\Users\Juston Griggs>ping relic

    Pinging relic [10.16.24.16] with 32 bytes of data:
    Reply from 10.16.24.16: bytes=32 time<1ms TTL=64
    Reply from 10.16.24.16: bytes=32 time<1ms TTL=64
    Reply from 10.16.24.16: bytes=32 time<1ms TTL=64
    Reply from 10.16.24.16: bytes=32 time<1ms TTL=64
    

    Ping statistics for 10.16.24.16:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

    So I’m stuck on what might have gone wrong. Any suggestions?

    Thanks!

  2. Hello,

    I tried to make the Samba traffic encrypted by putting smb encrypt = required in the GLOBAL section. Everything is fine except when I try to launch RSAT: the request can't be completed and fails with an error.

  3. Hello,

    My friend and I have exactly the same problem. When we try to join the domain we get this error: "The join operation was not successful. This could be because an existing computer account having name "XXX" was previously created using a different set of credentials.

    Use a different computer name or contact your administrator to remove any stale conflicting account. The error was: Access is denied". Can you help us with that? I tried to reinstall about 5 times and always get the same error.

    Cheers

  4. How can I make Windows clients access their home folder automatically when they log in from another computer?

    Thank you (^_^)

  5. Somehow DNS queries do not resolve on the client. nslookup returns a result, but when pinging or browsing, no website is resolving.

    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation. All rights reserved.

    C:\>nslookup gmail.com
    50.56.168.192.in-addr.arpa
            primary name server = nobody.invalid
            responsible mail addr = nobody.invalid
            serial  = 1
            refresh = 3600 (1 hour)
            retry   = 1200 (20 mins)
            expire  = 604800 (7 days)
            default TTL = 10800 (3 hours)
    explanation.invalid     text =
    
            "Blocking is mandated by standards, see references on https://www.iana.o
    rg/assignments/locally-served-dns-zones/locally-served-dns-zones.xhtml"
    (root)  ??? unknown type 41 ???
    Server:  UnKnown
    Address:  192.168.56.50
    
    Non-authoritative answer:
    Name:    gmail.com
    Addresses:  2404:6800:4003:c02::53
              74.125.130.17
              74.125.130.18
              74.125.130.19
              74.125.130.83
    
    
    C:\>ping gmail.com
    

    Ping request could not find host gmail.com. Please check the name and try again.

  6. Hi, it's a very good tutorial; you have done such a great job.

    I have an issue joining my Samba AD DC on Active Directory. I can log into my Windows computer joined to the domain with my administrator user and password, but I have nothing in my Active Directory: "username and password not correct" error. Can anyone help me?

  7. Just a heads-up, but for Windows 10 October Update RSAT is no longer a separate download, but part of the “Manage optional features” in Windows Settings.

  8. Thank you for your outstanding tutorial.

    I have Windows 10 Pro build 1709. After I installed the RSAT package and rebooted, I opened Control Panel -> Programs (Uninstall a Program) -> Turn Windows features on or off. But Remote Server Administration Tools was not listed. What does this mean?

    Thank you.

  9. Hi there, I have the same problem with Windows 10. RSAT can read the domain users, policies, etc. and can make some changes to them, but I cannot create new users, groups, etc. When I try to issue New > User for example, it does nothing and does not print any errors…

  10. I have a problem with an Active Directory domain controller on CentOS 7 with Samba.

    I did the provisioning of the domain and all steps completed without error. I can join one Windows 10 user as Administrator. I installed RSAT for Windows 10 and can load the domain configuration but cannot manage the domain. If I want to add a new user or administrative unit, it does not do it. It is as if the user does not have privileges to perform the task. Any idea about the issue?

  11. Hi Cezar,

    Thank you for the reply. I have tried many times and found that the Windows machine is communicating with the LDAP server using ping and SSH from PuTTY, but when I try to join the Windows Enterprise/Professional edition I get an error indicating that the server is not able to communicate.

    Any idea how to resolve this?

  12. Hi,

    It is working fine for a single subnet, but when I try to work on multiple subnets the Windows systems are not able to contact the PDC server.

    My testing network is 192.168.1.0/24 and working environment is 192.168.2.0/24 and 192.168.4.0/24.

    I am able to connect to the machine in the 192.168.1.0/24 network but I am unable to connect from 192.168.2.0 & 192.168.4.0.

    How do I resolve this? Can anyone help me?

    • It has no importance in what network your servers are located as long as they are reachable. Make sure the routers have no blocking policies enabled and all domain traffic is allowed to pass through them. Check that the domain ports pass through the routers. Can you at least ping the domain from the other networks? Does DNS resolution work as well?

  13. Hello,

    I have a problem when trying to join the domain; it shows the message "The network resource or device specified is no longer available".

