Sunday, 8 October 2017

Lubuntu 16.04 -- How to join a Microsoft AD domain using PowerBroker Identity Services Open Edition

In general, a Linux machine is joined to a Microsoft AD domain with the Samba packages, but that process involves a lot of steps. Is there an alternative package that does the same job?
The following walkthrough joins Lubuntu 16.04 to an Active Directory domain using PowerBroker Identity Services Open Edition (pbis-open).


AD Environment
*MS Windows Server 2016 Domain Name: corpnet.lab
*Domain admin username: administrator
*Domain user username: test1


Linux Environment
*Linux Platform: Lubuntu 16.04 x64
*Linux admin username: davidwa



[Pre-requisites]
**Update Lubuntu
$ sudo apt update
$ sudo apt dist-upgrade

To launch the PBIS GUI, the following package must be installed (see note # 1):
$ sudo apt install libglade2-0

The domain join also edits the SSH daemon configuration, so install it first (or disable the ssh module at join time, see note # 3):
$ sudo apt install ssh


[Install PBIS software]
Download the latest stable pbis-open installer for your platform from the GitHub releases page at https://github.com/BeyondTrust/pbis-open/releases. The installer is a self-extracting shell archive that runs as root, so take it only from that page.

In a terminal, change to the download directory with cd ~/Downloads and make the installer executable with sudo chmod +x pbis-open-***.linux.x86_64.deb.sh

Install the pbis-open package by running sudo ./pbis-open-***.linux.x86_64.deb.sh


[Use the PBIS-Open package to join the workstation to the Windows domain]
After installation a domain-join dialog pops up. If it does not, run sudo /opt/pbis/bin/domainjoin-gui to open the GUI domain join tool. (# 1)

When prompted for a password, supply the credentials of an account that is allowed to join computers to the domain.

A "SUCCESS" prompt appears when the join finishes, and the tool sets the machine's FQDN in /etc/hosts automatically. (# 2)


Alternatively, on Lubuntu/Ubuntu, change to the directory of the domain-join command-line utility and run it to join the current machine to the AD domain. (# 3)
$ cd /opt/pbis/bin/
$ sudo domainjoin-cli join "DomainFQDNName" "DomainAdminAccount"
or
$ sudo domainjoin-cli join "DomainFQDNName" "DomainAdminUPNAccount"

*where
"DomainFQDNName" = the FQDN of the Microsoft Active Directory domain, e.g. ad.com
"DomainAdminAccount" = a domain user with permission to join computers to the domain (it need not be a Domain Admin)
"DomainAdminUPNAccount" = domainuser@domainFQDNname


EXAMPLE:
$ sudo su
# domainjoin-cli join corpnet.lab administrator
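Before running the join, it is worth checking the things that most often make domainjoin-cli fail with an unhelpful error: a hostname AD will not accept as a computer name, DNS that cannot find the domain's DCs, and clock skew beyond the Kerberos limit. The script below is an added example for this post, not PBIS code or part of the original article. It assumes the corpnet.lab domain from the post, that dig (dnsutils), ldapsearch (ldap-utils) and GNU date are available, and the script name prejoin-check.sh is made up.

```shell
#!/usr/bin/env bash
# Added example for this post; it is not PBIS code or part of the original article.
# Pre-join checks for the three things that most often make domainjoin-cli fail:
# an unusable hostname, DNS that does not resolve the domain's DC records, and clock
# skew beyond what Kerberos tolerates. Assumptions: the domain corpnet.lab from the
# post; dig (dnsutils) and ldapsearch (ldap-utils) are installed; GNU date as on Lubuntu.

# Kerberos rejects requests once client and DC clocks differ by more than 5 minutes
# (the default for both AD and MIT Kerberos), and the join is a Kerberos operation.
MAX_SKEW=300

# skew_ok LOCAL_EPOCH DC_EPOCH -> succeeds when |LOCAL - DC| <= MAX_SKEW seconds
skew_ok() {
  d=$(( $1 - $2 ))
  [ "$d" -lt 0 ] && d=$(( 0 - d ))
  [ "$d" -le "$MAX_SKEW" ]
}

# ldap_srv_name DOMAIN -> the SRV record every DC in the domain registers in AD DNS
ldap_srv_name() { printf '_ldap._tcp.dc._msdcs.%s\n' "$1"; }

# srv_targets "<dig +short SRV output>" -> "host port" per line, lowest priority
# first and highest weight within a priority; trailing dots removed.
# dig +short prints one record per line as: "priority weight port target."
srv_targets() {
  printf '%s\n' "$1" \
    | awk 'NF == 4 { sub(/\.$/, "", $4); print $1, $2, $4, $3 }' \
    | sort -k1,1n -k2,2nr \
    | awk '{ print $3, $4 }'
}

# ad_time_to_epoch "20171008120000.0Z" -> seconds since the epoch.
# rootDSE currentTime is always UTC in that generalized-time form.
ad_time_to_epoch() {
  stamp=$(printf '%s' "$1" | sed -E 's/^(....)(..)(..)(..)(..)(..).*/\1-\2-\3 \4:\5:\6/')
  date -u -d "$stamp" +%s
}

# hostname_ok NAME -> succeeds when NAME is acceptable as an AD computer name:
# 1-15 characters, letters/digits/hyphens, not starting or ending with "-", not localhost.
hostname_ok() {
  case "$1" in localhost|"") return 1 ;; esac
  [ "${#1}" -le 15 ] || return 1
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# run_checks DOMAIN -> runs the live checks against DNS and the first DC found
run_checks() {
  domain="$1"
  short=$(hostname -s)
  hostname_ok "$short" \
    || { echo "FAIL: hostname '$short' is not usable as an AD computer name" >&2; return 1; }
  srv=$(dig +short SRV "$(ldap_srv_name "$domain")")
  [ -n "$srv" ] \
    || { echo "FAIL: no DC SRV records for $domain; /etc/resolv.conf must use the AD DNS servers" >&2; return 1; }
  dc=$(srv_targets "$srv" | head -n 1 | cut -d' ' -f1)
  # rootDSE is readable without binding; currentTime is the DC's own clock.
  adnow=$(ldapsearch -x -LLL -H "ldap://$dc" -b '' -s base currentTime | awk '/^currentTime:/ { print $2 }')
  [ -n "$adnow" ] \
    || { echo "FAIL: cannot read rootDSE from $dc (LDAP 389 blocked?)" >&2; return 1; }
  skew_ok "$(date -u +%s)" "$(ad_time_to_epoch "$adnow")" \
    || { echo "FAIL: clock skew against $dc exceeds ${MAX_SKEW}s; fix NTP before joining" >&2; return 1; }
  echo "OK: $short can be joined to $domain (DC $dc, skew within ${MAX_SKEW}s)"
}

# Usage: ./prejoin-check.sh --run corpnet.lab
case "${1:-}" in --run) run_checks "${2:-corpnet.lab}" ;; esac
```

The helpers skew_ok, srv_targets, ad_time_to_epoch and hostname_ok are pure and can be sourced and exercised on their own; ./prejoin-check.sh --run corpnet.lab performs the live checks against DNS and the first DC the SRV lookup returns. A skew failure here is the usual cause of a join that dies with a Kerberos "clock skew too great" error.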


[Set up the default configuration for domain users]
Set the PBIS environment for all domain users that will log on to the system.
$ sudo /opt/pbis/bin/config UserDomainPrefix LAB
$ sudo /opt/pbis/bin/config AssumeDefaultDomain true
$ sudo /opt/pbis/bin/config LoginShellTemplate /bin/bash
$ sudo /opt/pbis/bin/config HomeDirTemplate %H/%U
$ sudo /opt/pbis/bin/config RequireMembershipOf "LAB\\domain^users"
$ sudo /opt/pbis/bin/ad-cache --delete-all
$ sudo /opt/pbis/bin/update-dns

*where
LAB = the NetBIOS (short) domain name
domain^users = the Domain Users security group; PBIS writes the space in the group name as ^

With UserDomainPrefix and AssumeDefaultDomain set, users can log on as test1 instead of LAB\test1. RequireMembershipOf is the setting that actually restricts who may log on: Domain Users contains every account in the domain, so on anything but a lab machine name a narrower group here.

[Integrate with Samba]
To run a Samba server on this machine that uses the AD integration provided by PBIS:
$ sudo apt install samba

$ sudo /opt/pbis/bin/samba-interop-install --install


[Disable the local resolver]
Note that starting with Ubuntu 14.04, NetworkManager runs a local dnsmasq resolver, which needs to be disabled so that name resolution goes directly to the AD DNS servers.
$ sudo nano /etc/NetworkManager/NetworkManager.conf
Find the line that states the following:
dns=dnsmasq
Replace it with:
#dns=dnsmasq
Then restart NetworkManager (or reboot) so that /etc/resolv.conf lists the AD DNS servers instead of 127.0.1.1.


[Configure PAM authentication]
From a terminal:
$ sudo nano /etc/pam.d/common-session
Find the line that states the following:
session optional pam_lsass.so
Replace it with:
session [success=ok default=ignore] pam_lsass.so


$ sudo pam-auth-update --force

Enable "Create home directory on login" (pam_mkhomedir), so that a domain user's home directory is created on first login.


[Edit the lightdm configuration file]
For Ubuntu, edit the lightdm configuration file
$ sudo nano /usr/share/lightdm/lightdm.conf.d/50-unity-greeter.conf
and append the following lines:
allow-guest=false
greeter-show-manual-login=true


For Lubuntu, the lightdm configuration file is instead:
$ sudo nano /usr/share/lightdm/lightdm.conf.d/60-lightdm-gtk-greeter.conf
and append the following lines:
allow-guest=false
greeter-show-manual-login=true

allow-guest=false turns off the passwordless guest session; greeter-show-manual-login=true adds a login box where a domain account, which is not in the local user list, can be typed in. Files under /usr/share/lightdm/lightdm.conf.d belong to the packages and may be replaced on upgrade; the same settings in a [Seat:*] section of a file under /etc/lightdm/lightdm.conf.d/ survive upgrades.


[Add AD domain users to the sudoers file]
To give domain users sudo privileges, add the users and/or groups to the sudoers file.
From a terminal, edit /etc/sudoers (safer: sudo visudo, which checks the syntax before saving; a syntax error in sudoers locks everyone out of sudo)
$ sudo nano /etc/sudoers
and append lines of the form:
"DomainUserAccount" ALL=(ALL:ALL) ALL
%"DomainName"\\"Domain Users Security Group" ALL=(ALL) ALL
EXAMPLE:
test1 ALL=(ALL:ALL) ALL
%LAB\\domain^users ALL=(ALL) ALL

Note the doubled backslash (sudoers treats a single backslash as an escape) and the ^ that PBIS substitutes for the space in the group name. The group line grants every account in the domain full root on this machine; outside a lab, use a dedicated AD administrators group instead of Domain Users.

Restart the computer
$ sudo reboot
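Rather than hand-editing /etc/sudoers, the rule can be installed as a drop-in under /etc/sudoers.d and validated before it goes live. The script below is an added example, not PBIS code or part of the original article; it handles the escaping of the domain group name and refuses to install a rule that visudo cannot parse. It assumes the LAB NetBIOS domain from the post, PBIS's default name mapping (lower-case, spaces replaced by ^), and a hypothetical AD group named Linux Admins; the script name ad-sudoers.sh is made up.

```shell
#!/usr/bin/env bash
# Added example for this post; it is not PBIS code or part of the original article.
# Installs a sudo rule for an AD group as a drop-in under /etc/sudoers.d instead of
# editing /etc/sudoers by hand, and validates it with visudo before it goes live.
# Assumptions: NetBIOS domain LAB from the post; PBIS's default name mapping, where
# names are lower-cased and spaces become "^" (so "Domain Admins" shows up as
# domain^admins in id/getent output); "Linux Admins" is a hypothetical AD group.

# ad_name_for_sudo "Domain Admins" -> domain^admins, the form PBIS hands to NSS and sudo
ad_name_for_sudo() { printf '%s' "$1" | tr 'A-Z ' 'a-z^'; }

# sudoers_group_entry DOMAIN "GROUP NAME" -> one sudoers line for that AD group.
# The backslash must be doubled: sudoers treats "\" as an escape, so a line written
# as %LAB\domain^admins never matches the group LAB\domain^admins that PBIS reports.
sudoers_group_entry() {
  printf '%%%s\\\\%s ALL=(ALL) ALL\n' "$1" "$(ad_name_for_sudo "$2")"
}

# sudoers_user_entry DOMAIN user -> rule for one AD account, domain-qualified so it
# cannot be satisfied by a local account that happens to share the name.
sudoers_user_entry() {
  printf '%s\\\\%s ALL=(ALL:ALL) ALL\n' "$1" "$(ad_name_for_sudo "$2")"
}

# install_sudoers_dropin DOMAIN "GROUP NAME" [DIR] -> writes DIR/ad-<group>, mode 0440.
# A parse error in any file under /etc/sudoers.d makes sudo refuse every command, so the
# rule is first written under a name sudo ignores (sudoers skips files containing "."),
# checked with visudo -cf, and only then renamed into place. Prints the installed path.
install_sudoers_dropin() {
  dir="${3:-/etc/sudoers.d}"
  file="$dir/ad-$(printf '%s' "$2" | tr 'A-Z ' 'a-z-')"
  tmp=$(mktemp "$dir/.ad-XXXXXX") || return 1
  sudoers_group_entry "$1" "$2" > "$tmp"
  chmod 0440 "$tmp"   # sudo refuses drop-ins that are group/world writable
  # visudo also checks owner and mode, so the check only makes sense as root, which
  # is needed anyway to write into /etc/sudoers.d.
  if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1 && ! visudo -cqf "$tmp"; then
    rm -f "$tmp"
    echo "sudoers syntax error in the generated rule; nothing installed" >&2
    return 1
  fi
  mv "$tmp" "$file" && printf '%s\n' "$file"
}

# Usage (as root): ./ad-sudoers.sh LAB "Linux Admins"
if [ "$#" -eq 2 ]; then
  install_sudoers_dropin "$1" "$2"
fi
```

After installing, sudo -l -U test1 (for a member of the group) lists the rule if the group resolves through PBIS; if it does not, check id test1 first, because a group that NSS cannot resolve silently never matches.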


[Verify function]
**Log on as a domain user at the LightDM greeter

Then, in a terminal, check that the account and its group memberships resolve:
$ id "Domain Account"
or
$ id "Domain Name"\\"Domain Account"


**Log in as the local Linux account and switch to the domain account:
$ su - "Domain Account"


At this point we have confirmed that the Linux machine has successfully joined the AD domain.


Reference:
(# 1) If "libglade2-0" was not installed with sudo apt install libglade2-0, the pbis-open GUI cannot start and reports an error.

(# 2) To join a Linux computer to the domain without changing the /etc/hosts file, skip the hostname module:
$ sudo su
# /opt/pbis/bin/domainjoin-cli join --disable hostname "DomainFQDNName" "DomainAdminAccount"

(# 3) If the SSH daemon is not installed/enabled, the ssh module may need to be disabled when joining the AD domain:
$ sudo domainjoin-cli join --disable ssh "DomainFQDNName" "DomainAdminAccount"
or
$ sudo domainjoin-cli join --disable ssh "DomainFQDNName" "DomainAdminUPNAccount"

* For command usage, refer to http://manpages.ubuntu.com/manpages/precise/man8/domainjoin-cli.8.html


Saturday, 18 August 2012

Install Exchange Server 2010 in an organization without any existing Exchange system (part 1 of 3)

In an AD forest with no existing Exchange system (2000, 2003 or 2007) in production, we prepare a fresh environment for Exchange 2010. Before introducing the first Exchange 2010 server, a checklist of prerequisites must be completed.
What are they?
Three steps need to be performed:
         Prepare Schema
         Prepare AD
         Prepare Domain

Prepare Schema
Log on to a 64-bit DC hosting the Schema Master role (#1) and verify that the forest functional level (#2) is Windows Server 2003 or higher and that every DC runs Windows Server 2003 with Service Pack 1 or later (or a later OS such as Windows Server 2008).

Before running Setup /PrepareSchema, confirm which account will run it: that account must be a member of both the Schema Admins group and the Enterprise Admins group.

If the checks above pass, insert and mount the Exchange 2010 source image and prepare the AD schema. To see the AD replication status, use the repadmin.exe tool (#3) to display or trigger replication; run it both before and after preparing the schema.

After Prepare Schema finishes, new ms-Exch… objects exist in the Schema NC, and the rangeUpper attribute of the ms-Exch-Schema-Version-Pt object in the Schema NC is set to 14622 (Exchange 2010 RTM; service packs raise this number) when viewed on any DC with the ADSIEdit tool.
Prepare AD
Once the Exchange schema has replicated throughout the forest, run Setup /PrepareAD /OrganizationName:<NameOfYourChoice>. Because no Exchange system has ever existed in this forest, the name of the Exchange organization must be given with the /OrganizationName parameter.

After Prepare AD finishes, the related Exchange containers and objects exist (Microsoft Exchange Security Groups, Microsoft Exchange System Objects and so on) when viewed in the Domain NC or Configuration NC with ADSIEdit. It also sets the objectVersion attribute of the Organization container in the Configuration NC to 12640
and the objectVersion attribute of the Microsoft Exchange System Objects container in the Domain NC to 12639.
Prepare Domain
The final step prepares the domain(s) that will host Exchange 2010: run Setup /PrepareDomain for a specific domain, or Setup /PrepareAllDomains for all domains in the forest.
To run Setup /PrepareAllDomains, the account must be a member of the Enterprise Admins group.
To run Setup /PrepareDomain, the account must be a member of the Domain Admins group and the Exchange Organization Administrators group.

Until now, we have already finished configuring the AD Environment for Exchange Server 2010. In next article, we will continue to configure the Server for hosting Exchange Server 2010.

Comment (#1) How do you find which computer holds the Schema Master role?
By running dsquery server -hasfsmo schema from a command prompt.
Or by registering the Active Directory Schema snap-in with regsvr32 schmmgmt.dll, then opening the snap-in and selecting Operations Master.
(#2) How do you find the forest functional level?
By selecting Raise forest functional level in Active Directory Domains and Trusts, which shows the current forest level (Raise domain functional level shows the level of a single domain).
(#3) How do you use the repadmin.exe tool?
By executing repadmin /replsummary to summarize the replication state and health of the forest.
By executing repadmin /queue to display the tasks waiting in the replication queue.
By executing repadmin /showrepl /all to display all replication partners.


Sunday, 29 July 2012

Account Lockout (part 4 of 4)

In the earlier article, Account Lockout (part 1 of 4), I enabled Netlogon debug logging with the command "nltest /dbflag:0x2080ffff", so that Netlogon activity is recorded in C:\Windows\Debug\netlogon.log.
Alternatively, add the registry value DBFlag under "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters".
Now I will use the nlparse.exe utility to analyze netlogon.log.
Open nlparse.exe with Run as administrator. An error message appears, saying that the component 'comdlg32.ocx' or one of its dependencies is not correctly registered.
A web search for this error shows that the VB6 common control comdlg32.ocx can be downloaded directly from http://activex.microsoft.com/controls/vb6/comdlg32.CAB

After the download finishes, double-click comdlg32.CAB and copy comdlg32.ocx to C:\Windows\SysWOW64\. Open a command prompt with Run as Administrator and execute "regsvr32 c:\Windows\SysWOW64\comdlg32.ocx" to register the control. If that succeeds, run nlparse.exe again; the Netlogon-Parse GUI now shows up normally.
Click the Open button.
Expand the C:\Windows\debug folder, select the netlogon.log file and click Open.
Enable the 0xC000006A check box (bad password; nothing is recorded if the authentication was Kerberos) and the 0xC0000234 check box (account locked out), then click Open.
You will see the message "C:\Windows\debug\netlogon.log Done!"
Under C:\Windows\debug, two files are generated, one .txt and one .csv.
Now you can open these files to see which account was locked out and from which computer.
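The same summary that nlparse produces from those two check boxes can be obtained with awk on any machine, which avoids the comdlg32.ocx detour once netlogon.log has been copied off the DC. The script below is an added example, not nlparse.exe or any Microsoft code. The sample log lines it embeds are constructed to follow the Netlogon debug line shape and are not a real capture.

```shell
#!/usr/bin/env bash
# Added example for this post; it is not nlparse.exe or any Microsoft code.
# It summarises the same two Netlogon status codes that nlparse is used for above:
#   0xC000006A  STATUS_WRONG_PASSWORD      (bad password; Kerberos failures never reach netlogon.log)
#   0xC0000234  STATUS_ACCOUNT_LOCKED_OUT
# Assumed line shape (the parts of the Netlogon debug format this script relies on):
#   MM/DD HH:MM:SS [LOGON] [pid] DOMAIN: SamLogon: <type> logon of DOMAIN\user from CLIENT [(via SERVER)] Returns 0x...
# "from CLIENT" names the machine that submitted the credentials, which is the value
# you need when hunting down what keeps locking an account.

# Constructed sample lines (not a real capture). Real files are CRLF; handled below.
SAMPLE_LOG='06/28 13:38:01 [LOGON] [1476] CORPNET: SamLogon: Transitive Network logon of CORPNET\test1 from WKS01 (via DC01) Entered
06/28 13:38:01 [LOGON] [1476] CORPNET: SamLogon: Transitive Network logon of CORPNET\test1 from WKS01 (via DC01) Returns 0xC000006A
06/28 13:38:05 [LOGON] [1476] CORPNET: SamLogon: Transitive Network logon of CORPNET\test1 from WKS01 (via DC01) Returns 0xC000006A
06/28 13:38:09 [LOGON] [1476] CORPNET: SamLogon: Network logon of CORPNET\test1 from SRV-APP02 Returns 0xC000006A
06/28 13:38:12 [LOGON] [1476] CORPNET: SamLogon: Transitive Network logon of CORPNET\test1 from WKS01 (via DC01) Returns 0xC0000234
06/28 13:40:00 [LOGON] [1476] CORPNET: SamLogon: Transitive Network logon of CORPNET\davidwa from WKS07 (via DC01) Returns 0x0'

# nl_failures LOGFILE
# Prints "COUNT STATUS DOMAIN\user CLIENT" for every bad-password and lockout result,
# most frequent first. "Entered" lines and successful (0x0) results are skipped.
nl_failures() {
  awk '
    { sub(/\r$/, "") }                        # netlogon.log is CRLF; drop the CR
    / Returns 0xC000006A$/ || / Returns 0xC0000234$/ {
      user = ""; client = ""
      for (i = 1; i < NF; i++) {
        if ($i == "of")   user   = $(i + 1)   # token after "of"   = DOMAIN\user
        if ($i == "from") client = $(i + 1)   # token after "from" = submitting client
      }
      count[$NF " " user " " client]++
    }
    END { for (k in count) print count[k], k }
  ' "$1" | sort -k1,1nr -k2,2 -k3,3
}

# nl_lockouts LOGFILE
# Prints "MM/DD HH:MM:SS DOMAIN\user CLIENT" for each lockout, in log order, so the
# lockout can be lined up with the bad-password burst that preceded it.
nl_lockouts() {
  awk '
    { sub(/\r$/, "") }
    / Returns 0xC0000234$/ {
      user = ""; client = ""
      for (i = 1; i < NF; i++) {
        if ($i == "of")   user   = $(i + 1)
        if ($i == "from") client = $(i + 1)
      }
      print $1, $2, user, client
    }
  ' "$1"
}

# Run both reports against the constructed sample; point them at a copy of
# C:\Windows\debug\netlogon.log taken from the DC for the real thing.
demo_netlogon() {
  f=$(mktemp)
  printf '%s\n' "$SAMPLE_LOG" > "$f"
  echo "== failures (count status user client) =="; nl_failures "$f"
  echo "== lockouts (time user client) ==";          nl_lockouts "$f"
  rm -f "$f"
}
demo_netlogon
```

With the sample above the first report line is 2 0xC000006A CORPNET\test1 WKS01, and the lockout report names WKS01 at 13:38:12, so WKS01 is where to look for the stale credential. Run it on the DC that holds the PDC emulator role as well, since lockouts are forwarded there.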

Reference
(1). Support Statement for Visual Basic 6.0 on Windows Vista, Windows Server 2008, Windows 7, and Windows 8
(2). If the OS is 32-bit, copy comdlg32.ocx to C:\Windows\System32\ instead.
(3). When debugging is finished, remember to disable Netlogon logging with "nltest /dbflag:0x0" and restart the Netlogon service, so the log does not fill the disk.

Since 2010 Design by Davidwa
©Copyright Davidwa Inc. All rights reserved.