Difference between revisions of "Samba4 Administration"
From Stadm
Revision as of 14:27, 24 October 2014
Managing Domain
- To manage the domain (add users, change settings, edit GPOs, view DNS entries, etc.), use a computer running Windows 7 or higher, or Server 2012 or higher
- Any computer on the domain can manage the domain controller (rumba), as long as you are an Administrator of the domain and have RSAT installed (see below)
- Because there are two domain controllers, make sure you are making your changes to rumba and not limbo
- Any GPO edits will have to be manually rsynced to limbo (you want to make your changes on rumba)
- This can and will be scripted; at the moment not enough testing has been done to ensure the script will not mess up the GPOs (basically the SYSVOL folder), which can lead to corruption and a huge headache if there are no recent backups
- How to rsync: run this command. It is a dry run; ensure those are the changes and files that you want to be rsynced over
- This is an IMPORTANT reminder: rsync --options SOURCE DESTINATION
- Do not mess up the SOURCE and DESTINATION addresses; this will cause corruption
- Last Note: RUN this command on LIMBO!! You want to pull your data, not push it
rsync --dry-run -XAavz --delete-after root@rumba:/usr/local/samba/var/locks/sysvol/ /usr/local/samba/var/locks/sysvol/
- That was the dry-run version; it only tells you which files would be written or overwritten if run without the --dry-run option. Once you have seen the dry-run output and want to copy those files, run:
rsync -XAavz --delete-after root@rumba:/usr/local/samba/var/locks/sysvol/ /usr/local/samba/var/locks/sysvol/
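The pull procedure above, wrapped so that it refuses to run anywhere but limbo and never reaches the real copy without a reviewed dry run. This is an added example, not the site's own script; the backup directory, the RSYNC override and the function names are assumptions.

```sh
#!/bin/sh
# Added example: guarded SYSVOL pull for limbo. Paths and host names are the
# page's; BACKUP_DIR and the RSYNC override are assumptions for this sketch.
SRC='root@rumba:/usr/local/samba/var/locks/sysvol/'
DST='/usr/local/samba/var/locks/sysvol/'
PULL_HOST='limbo'                    # the only DC allowed to run the pull
BACKUP_DIR='/root/sysvol-backups'    # assumption: any local directory with space
RSYNC="${RSYNC:-rsync}"              # overridable so the logic can be tested offline

# True only if the given host name (short or FQDN) is the pulling DC.
is_pull_host() {
    [ "${1%%.*}" = "$PULL_HOST" ]
}

# Run rsync with the page's options; $1 is "dry" or "real".
# SOURCE and DESTINATION are fixed here so a typo cannot swap them.
run_rsync() {
    if [ "$1" = dry ]; then set -- --dry-run; else set --; fi
    "$RSYNC" "$@" -XAavz --delete-after "$SRC" "$DST"
}

pull_sysvol() {
    here=$(hostname -s)
    if ! is_pull_host "$here"; then
        echo "refusing: this must run on $PULL_HOST, not $here" >&2
        return 1
    fi
    run_rsync dry || return 1        # show what would be written or deleted
    printf 'Apply these changes to %s? Type YES: ' "$DST"
    read -r answer
    if [ "$answer" != YES ]; then
        echo 'aborted, nothing copied'
        return 1
    fi
    # Snapshot the local SYSVOL before --delete-after can remove anything.
    mkdir -p "$BACKUP_DIR" || return 1
    cp -a "$DST" "$BACKUP_DIR/sysvol-$(date +%Y%m%d-%H%M%S)" || return 1
    run_rsync real
}

# Only act when explicitly asked: sh sysvol-pull.sh pull
case "${1:-}" in
    pull) pull_sysvol ;;
esac
```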
Creating Users
- Users can be created in two ways:
- through the GUI provided by RSAT (Remote Server Administration Tools), which adds users into Active Directory (AD)
- simply click new user in the appropriate OU (organizational unit) and enter the name, username and password
- User UID can be changed or specified using the modXid script on the AD server
- to create a user in AD from the terminal, use samba-tool
samba-tool user add USERNAME
- UID can be specified at creation using command line, use:
samba-tool user add USERNAME --uid-number=UIDNUMBER
Changing XID
- uid and gid for users in Samba are translated from the user's Windows SID using idmap
- idmap stores the mappings in a local database
- a script
GPO Office
- admx files must be downloaded for each version of Microsoft Office that clients use (Office 2007, 2010, etc.)
- run a "gpupdate /force" if you don't see them appear in the Group Policy editor
- once they are placed in PolicyDefinitions under sysvol, the GPO may be applied to that specific version of Office
- User Configuration->Administrative Templates->"Microsoft Office [version]"->Privacy->Trust Center
- enable the "Disable opt-in..", disable "Enable Customer Experience..." and "Automatically receive small.."
- must be done for every version of Office that clients are running (annoying pop-up messages when Office starts if this is not set)
GPO Windows Update
- locate a copy of wuau.adm and install into PolicyDefinitions
- Windows Update group policy should be set up on a per-machine basis (GPO applied to Machines, not Users)
- Computer Configuration->Policies->Administrative Templates->Windows Components->Windows Update
Configure Automatic Update: Enabled
Allow non-administrators to receive update notifications: enabled
Allow Automatic Updates Immediate installations: enabled
No auto-restart with logged in users: enabled
Reschedule Automatic Updates scheduled installation: enabled
GPO Network, Firewall, Remote Desktop Connections
- GPO for RDC are in two locations
- Computer Configuration->Policies->Administrative Templates->Network->Network Connections->Windows Firewall->Domain Profile
Windows Firewall: Allow inbound Remote Desktop connections
- limit to subnets of eri and vpn
Windows Firewall: Allow ICMP exceptions: Enabled
- check Allow inbound echo Request
- Computer Configuration->Policies->Administrative Templates->Windows Components->Remote Desktop Connection Host->Connections
Allow users to connect remotely using Remote Desktop Services: enabled
- to allow specific users/group login:
- Computer Configuration->Policies->Windows Settings->Security Settings->Restricted Groups
- create Remote Desktop Users group if not created, add users manually into group or add an entire group to allow Remote Desktop Connections
- DNS suffix search list
- Computer Configuration->Policies->Administrative Templates->Network->DNS client->DNS suffix search list
- Enabled: mydomain.edu, name.mydomain.edu
Profile Version for Windows Server 2012
- If you are using roaming profiles with any of the following operating systems, you must enable the .V3 extension on roaming profiles
- Operating systems: Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012
- Link: http://technet.microsoft.com/en-us/library/jj649079.aspx
- Basically you install an update from Microsoft and edit a registry key so that Windows Server 2012 will pick up the profile with the .V3 extension instead of .V2 which is used for Windows 7