How to join Linux server into Active Directory on SBS 2008 network

Here is the setup that I have currently on my network.

• Microsoft Small Business Server 2008 Premium- main Domain Controller
• Few Microsoft Windows Server 2008 Standard and Microsoft Windows Server 2003 SP2
• 3 Linux servers (Red Hat Enterprise Server 4 and 5 – one of them is already in AD) and GNU Linux Debian 6

Note: Red Hat Enterprise Server 5 is already joined to the domain but it was done the hard way by making a lot of modifications on SBS as well as on RH ES5 and playing with Kerberos setups = not fun 🙁

Main goal is to join my new server the GNU Linux Debian 6 to the domain and become a member server so users can use SSO (Single Sign On) across the domain without hassle.

What will we need to accomplish this goal?

• on the Debian box you will need to make few changes in these 3 main files in order to complete successful join into domain

1. /etc/hosts
2. /etc/resolv.conf
3. /etc/nsswitch.conf

• you will need to download recently updated likewise-open 6 file from Beyondtrust

Here are the steps how to join now the Linux Debian 6 or any LINUX server into Active Directory domain on Microsoft Windows Small Business server 2008 Premium network:

• AD domain name: mybusiness.local
• DC IP Address: 10.0.4.2
• Linux server name: linux3
• now log on to your Linux server and change to root
• make these changes in hosts, resolv.conf and nsswitch.conf files as you see bellow

#your hosts file should have
127.0.0.1 localhost
127.0.0.1 linux3
127.0.0.1 linux3.mybusiness.local

#your resolv.conf file should have
nameserver 10.0.4.2
domain mybusiness.local

#your nsswitch.conf should have
(scrolldown)
hosts: dns files

To make sure you are ready and can connect/join domain run these commands:

root@linux3#$ host mybusiness.local
You should get: mybusiness.local has address 10.0.4.2

root@linux3#$ nslookup mybusiness.local
You should get:
Server: 10.0.4.2
Address: 10.0.4.2#53
Name: mybusiness.local
Address: 10.0.4.2

root@linux3#$ ping mybusiness.local
you should be able to ping the server successfully

Once you have made all the changes and you get replies and domain is resolving, download the LikeWiseOpen–6 tool from the Beyondtrust site, you will need to create an account if you do not have it – hey, it is FREE They have few packages .deb, .rpm or tarball based on your distribution. Since my is Debian, I have grabbed the proper .deb file and once downloaded I had to change permissions so I could install it on the box.

•  in my case I have downloaded = LikeWiseOpen-6.0.0.8398.i386.deb to my Download folder
• before you can install it you have to change permissions
• once done just execute and follow up the steps — few times type in yes to agree and it will be done

     root@linux3#$ cd Downloads
     root@linux3#$ chmod a+x LikeWiseOpen-6.0.0.8398.i386.deb.sh
     root@linux3#$ sh LikeWiseOpen-6.0.0.8398.i386.deb.sh

If all is good once you run this command ( I preferred the command line instead of GUI ) you should see the message that your server has successfully joined your domain and you are required to reboot the server to apply the changes and get sync with the Active Directory domain.

if you have used GUI:

if you used CLI as I did:

root@linux3# cd /opt/likewise/bin
root#linux3# domainjoin-cli join --assumeDefaultDomain yes mybusiness.local Administrator
Joining to AD domain: mybusiness.local
With Computer DNS name: linux3.mybusiness.local
Administrator@mybusiness.local's password:********************
SUCCESS

First time I have logged back as the local user and run these commands to confirm that the GNU Debian Linux 6 server is now member of domain and I can use the domain credentials for users. All the tools are in /opt/likewise/bin provided by LikeWiseOpen.

lw-get-status
pwd
whoa
lw-get-dc-name mybusiness.local

You will see the confirmation that you are indeed now using Active Directory credentials.

In case you are getting this error message:

20111006152006:ERROR:Lsass Error [ERROR_BAD_NET_NAME]
Network name not found.. Failure to lookup a domain name ending in “.local” may be the result of configuring the local system’s hostname resolution (or equivalent) to use Multi-cast DNS.

Please refer to the Likewise manual at http://www.likewise.com/resources/documentation_library/manuals/open/likewise-open-guide.html#ConfigNsswitch for more information.
Stack Trace:
/builder/src-buildserver/BT-Platform-6.0/src/linux/domainjoin/domainjoin-cli/src/main.c:981
/builder/src-buildserver/BT-Platform-6.0/src/linux/domainjoin/domainjoin-cli/src/main.c:514
/builder/src-buildserver/BT-Platform-6.0/src/linux/domainjoin/libdomainjoin/src/djmodule.c:332
/builder/src-buildserver/BT-Platform-6.0/src/linux/domainjoin/libdomainjoin/src/djauthinfo.c:860
/builder/src-buildserver/BT-Platform-6.0/src/linux/domainjoin/libdomainjoin/src/djauthinfo.c:1309

You will need to fix this by:

• deleting all mybusiness.local  reference from hosts file
• and make sure you comment out the original hosts: line in etc/nsswitch.conf and replace with hosts: dns
• now rerun the domainjoin-cli command and you should be successful 🙂

If you are interested in other options, there are few different ways to do this – very similar to LikeWiseOpen.

• Manual setup and configuration on Windows server and Linux – kerberos (too much work)
• using LikeWiseOpen tool
• using Centrify Suite tool
• using Quest Identity and Access Management tool

Good luck with your servers and I hope this helped you one way or another. In case you have any questions or suggestions, drop a line in the comments bellow.