Appendix D: Workarounds for Windows 11

The main goal of this document is to provide a workaround so Windows 11 machines can join to a Zentyal 7.0 domain controller. At this moment it is not possible due to the current bug reported in Samba, which can be found here [1].

Warning

Finally, Samba has fixed the bug in the current version as this [2] link indicates. So, it is no longer necessary to use the below workarounds, just keep your Zentyal server up-to-date.

There are two available workarounds, the choice must be done by the system administrator who manages the server. The workarounds are:

  1. Upgrade Samba to 4.16 from a third-party repository.
  2. Configure an additional server Ubuntu Server 22.10 as an additional domain controller.
[1]Samba bug: https://bugzilla.samba.org/show_bug.cgi?id=15197
[2]Fix de Samba: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1993934

Workaround 1 - Upgrade Samba

This option upgrades Samba from 4.13.16 to 4.16.6 from a third-party repository. More information about this workaround is here [3].

[3]Workaround information: https://lists.samba.org/archive/samba/2022-October/242377.html

Considerations

Below you have some considerations you must be aware of before choosing this option.

  1. The repository is not ours, so we do not have any control over it with the risks it implies.
  2. We did several tests on the domain controller module and all modules that depend on it to confirm the workaround stability, however, we cannot warranty 100% of the module stability and its dependencies.

Recommendations

Before implementing this workaround, there are a few high recommendations:

  1. The servers’ packages must be up-to-date.
  2. The server must be stable.
  3. If you have a testing environment, implement and test it there first.
  4. Do a backup of the server before implementing the workaround such as a snapshot in case the server is virtualized.
  5. Do several tests to confirm the stability of the domain after the workaround implementation.

Upgrade of Samba

Below are the actions we must do to implement this workaround.

  1. Download the repository GPG key:

    sudo gpg --keyserver keyring.debian.org --recv-key 6EE195D1886E8FFB810D4324457CE0A0804465C5
    sudo gpg --export 6EE195D1886E8FFB810D4324457CE0A0804465C5 | sudo tee /etc/apt/trusted.gpg.d/samba-mjt.key
    
  2. Create the repository configuration file /etc/apt/sources.list.d/samba.list with the following content:

    ## Third party repository
    ## http://www.corpit.ru/mjt/packages/samba
    ## https://lists.samba.org/archive/samba/2022-October/242377.html
    
    deb [signed-by=/etc/apt/trusted.gpg.d/samba-mjt.key] http://www.corpit.ru/mjt/packages/samba ubuntu-20.04-focal/samba-4.16/
    deb-src [signed-by=/etc/apt/trusted.gpg.d/samba-mjt.key] http://www.corpit.ru/mjt/packages/samba ubuntu-20.04-focal/samba-4.16/
    
  3. Check that we can get the information of the new repository:

    sudo apt update
    
  4. Increase the priority of the new repository, to do it, create a configuration file /etc/apt/preferences.d/samba-repository and add the following content:

    Package: *
    Pin: release o=mjt
    Pin-Priority: 900
    
  5. Check if the new version of Samba is available:

    sudo apt policy samba
    
       ## Example of its output
       samba:
          Instalados: 2:4.13.17~dfsg-0ubuntu1.20.04.1
          Candidato:  2:4.16.6+dfsg-3~focal
          Tabla de versión:
             2:4.16.6+dfsg-3~focal 900
                900 http://www.corpit.ru/mjt/packages/samba ubuntu-20.04-focal/samba-4.16/ Packages
          *** 2:4.13.17~dfsg-0ubuntu1.20.04.1 500
                500 http://es.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
                500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
                100 /var/lib/dpkg/status
             2:4.11.6+dfsg-0ubuntu1 500
                500 http://es.archive.ubuntu.com/ubuntu focal/main amd64 Packages
    
  6. From the Zentyal administration interface, go to Software management -> System updates, update the list of packages, and update them.

    Upgrade of Samba packages

    Upgrade of Samba packages

  7. Remove the parameter –debug-stderr from the configuration file /usr/share/perl5/EBox/LDAP.pm:

    sudo sed -i 's#--debug-stderr##g' /usr/share/perl5/EBox/Ldap.pm
    
  8. Restart the domain controller module:

    sudo zs samba restart
    
  9. Once Samba is updated, check that all the modules are up and running and also, the following logs do not have any errors:

    • /var/log/zentyal/zentyal.log
    • /var/log/syslog
  10. Do several tests to confirm the stability of the domain controller module.

  11. Finally, try to join a Windows 11 computer to the domain controller so we can confirm the bug is fixed.

Workaround 2 - Additional domain controller

This option requires installing an additional server Ubuntu Server 22.10, configuring it as an additional domain controller, and finally, configure the network of the Windows 11 computers.

This option is safer than the other, however, it is more complex to implement. Furthermore, it requires a system administrator who has at least, minimum knowledge of Linux servers, especially Ubuntu.

Considerations

Be aware of the following considerations before doing any action:

  • All the Windows 11 machines must connect only with this Ubuntu 22.10 server, otherwise, the bug will affect them.

  • The GPOs sync must be configured manually between the domain controllers, here [4] is the workaround available from Samba.

  • A Windows 11 domain user can access their personal folder or a shared resource, however, it will need to use the FQDN of the Zentyal server, below are two examples:

    ## Her personal folder
    \\zentyal.zentyal-domain.lan\maria
    
    ## A shared resource
    \\zentyal.zentyal-domain.lan\devops
    
  • By default, the domain computers that use Ubuntu as a DNS server will not be able to reach the Internet because the firewall is not configured. This [5] link explains how to solve this behavior.

  • The ACL option must be enabled in the hard drives. A configuration example for the main disk in the /etc/fstab:

    /dev/disk/by-id/dm-uuid-LVM-WN6CO4cWWNIvzQffRXzBcyzSxkwcIiNJi3AaagcZkKMyz0SNwdIisJ65vFdIQFeT / ext4 defaults,usrquota,grpquota,acl 0 1
    
[4]GPO workaround: https://wiki.samba.org/index.php/Rsync_based_SysVol_replication_workaround
[5]Ubuntu as a router: https://kifarunix.com/configure-ubuntu-20-04-as-linux-router/

Recommendations

Our recommendations for this setup are:

  • Use Zentyal to manage the domain objects such as users, groups, etc.
  • Use this Ubuntu server only for Windows 11 machines.

Requirements

Below are the requirements you must fulfill before proceeding with this guide:

  1. The module Domain Controller must be installed and configured in Zentyal.
  2. The DNS domain must have the following records for Ubuntu Server:
  • A record of type A for the hostname of Ubuntu.
  • A record of type A for the IP address of Ubuntu in the domain.
  • A record of type NS for the domain that points to the Ubuntu hostname.

Environment

Below is the information that we will use in this document.

  • Ubuntu hostname: adc
  • Ubuntu IP: 192.168.170.200
  • Zentyal hostname: zentyal
  • Zentyal IP: 192.168.170.1
  • Domain: entyal-domain.lan
  • Domain administrator: admindc
  • Domain testing user: maria

Configuration of Ubuntu 22.10

  1. Download Ubuntu Server 22.10 ISO from here [16] .

  2. Install Ubuntu Server 22.10.

  3. Set the hostname:

    sudo hostnamectl set-hostname adc.zentyal-domain.lan
    
  4. Modify the configuration file /etc/hosts:

    127.0.0.1 localhost
    192.168.170.200 adc.zentyal-domain.lan adc
    
    # The following lines are desirable for IPv6 capable hosts
    ::1     ip6-localhost ip6-loopback
    fe00::0 ip6-localnet
    ff00::0 ip6-mcastprefix
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters
    
  5. Ensure Samba is not installed and also, the Kerberos configuration file does not exist, here [17] we have more details:

    sudo dpkg -l | egrep -i samba
    sudo rm -f /etc/krb5.conf
    
  6. Install the required packages for Samba:

    sudo apt update
    sudo apt install \
      acl \
      attr \
      samba \
      samba-dsdb-modules \
      samba-vfs-modules \
      winbind \
      libpam-winbind \
      libnss-winbind \
      dnsutils \
      ldb-tools \
      libgssapi3-heimdal \
      libsasl2-modules-gssapi-heimdal \
      heimdal-clients
    

The answers to the questions are:

  • Default Kerberos version 5 realm: ZENTYAL-DOMAIN.LAN
  • Kerberos servers for your realm: adc.zentyal-domain.lan
  • Administrative server for your Kerberos realm: adc
  1. Install Bind9 as a DNS backend service as this [18] link explains:

    sudo apt install bind9 bind9utils
    
  2. Modify the configuration file /etc/default/named so the DNS service only listens for IPv4:

    OPTIONS="-u bind -4"
    
  3. Modify the Bind9 global configuration located at /etc/bind/named.conf.options:

    // Managing acls
    acl internals {
      127.0.0.0/8;
      192.168.170.0/24;
    };
    
    options {
      directory "/var/cache/bind";
      version "Go Away 0.0.7";
    
      notify no;
      empty-zones-enable no;
      auth-nxdomain yes;
    
      forwarders {
        8.8.8.8;
        8.8.4.4;
      };
    
      // If you only use IPv4.
      listen-on-v6 { none; };
      // listen on these ipnumbers.
      listen-on port 53 {
        192.168.170.200;
        127.0.0.1;
      };
    
      // Added Per Debian buster Bind9.
      // Due to : resolutionr: info: resolutionr priming query complete messages in the logs.
      // See: https://gitlab.isc.org/isc-projects/bind9/commit/4a827494618e776a78b413d863bc23badd14ea42
      minimal-responses yes;
    
      //  Add any subnets or hosts you want to allow to use this DNS server
      allow-query { "internals";  };
      allow-query-cache { "internals"; };
    
      allow-transfer { none; };
    
      //  Add any subnets or hosts you want to allow to use recursive queries
      recursion yes;
      allow-recursion {
        "internals";
      };
    
      // https://wiki.samba.org/index.php/Dns-backend_bind
      // DNS dynamic updates via Kerberos (optional, but recommended)
      tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
    };
    
  4. Check the configuration file syntax:

    sudo named-checkconf
    
  5. Enable the service and start it:

    sudo systemctl enable named
    sudo systemctl start named
    
  6. Do a DNS query to the localhost zone to confirm that the DNS service is working:

    ## Forward zone
    host -t A localhost 127.0.0.1
    
      ## An example of its output:
      Using domain server:
      Name: 127.0.0.1
      Address: 127.0.0.1#53
      Aliases:
    
      localhost has address 127.0.0.1
    
    ## Reverse zone
    host -t PTR 127.0.0.1 127.0.0.1
    
      ## An example of its output:
      Using domain server:
      Name: 127.0.0.1
      Address: 127.0.0.1#53
      Aliases:
    
      1.0.0.127.in-addr.arpa domain name pointer localhost.
    
  7. Add the following code in the configuration file /etc/bind/named.conf.local at the bottom:

    // Custom configuration for Samba DC
    //dlz "AD DNS Zone" {
    //  database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_18.so";
    //};
    
  8. Check the syntax again:

    sudo named-checkconf
    
  9. Modify the content of the configuration file /etc/krb5.conf as follows:

    [libdefaults]
      default_realm = ZENTYAL-DOMAIN.LAN
      dns_lookup_kdc = true
      dns_lookup_realm = false
      rdns = no
    
  10. Verify that we can get a Kerberos ticket:

    ## Get the ticket
    sudo kinit admindc
    
    ## List the ticket
    sudo klist
    
      ## An example of its output:
      Credentials cache: FILE:/tmp/krb5cc_0
            Principal: admindc@ZENTYAL-DOMAIN.LAN
    
      Issued                Expires               Principal
      Oct 26 10:24:51 2022  Oct 26 20:24:51 2022  krbtgt/ZENTYAL-DOMAIN.LAN@ZENTYAL-DOMAIN.LAN
    
  11. Install the NTP time service:

    sudo apt install ntp ntpdate
    
  12. Configure the NTP service by modifying the configuration file /etc/ntp.conf:

    # Local clock. Note that is not the "localhost" address!
    server 127.127.1.0
    fudge  127.127.1.0 stratum 10
    
    # Where to retrieve the time from
    server zentyal.zentyal-domain.lan     iburst prefer
    server adc.zentyal-domain.lan     iburst
    
    driftfile /var/lib/ntp/ntp.drift
    logfile   /var/log/ntp
    
    # Access control
    # Default restriction: Disallow everything
    restrict default ignore
    
    # No restrictions for "localhost"
    restrict 127.0.0.1
    
    # Enable the time sources only to only provide time to this host
    restrict zentyal.zentyal-domain.lan   mask 255.255.255.255    nomodify notrap nopeer noquery
    restrict adc.zentyal-domain.lan   mask 255.255.255.255    nomodify notrap nopeer noquery
    
    ## NOTE: This parameter is only for virtual machines only
    tinker panic 0
    
  13. Restart the NTP service to apply the changes:

    sudo systemctl restart ntp
    
  14. Set the timezone:

    sudo timedatectl set-timezone Europe/Madrid
    
  15. In the main Samba configuration file /etc/samba/smb.conf modify its content for the following:

    [global]
       workgroup = zentyal-domain
       realm = ZENTYAL-DOMAIN.LAN
       netbios name = adc
       server string = Ubuntu 22
       server role = dc
       server role check:inhibit = yes
       server services = -dns
       server signing = auto
       dsdb:schema update allowed = yes
       ldap server require strong auth = no
       drs:max object sync = 1200
    
       idmap_ldb:use rfc2307 = yes
    
       winbind enum users = yes
       winbind enum groups = yes
       template shell = /usr/bin/bash
       template homedir = /home/%U
    
       rpc server dynamic port range = 49152-65535
    
       interfaces = lo,enp0s9
       bind interfaces only = yes
    
       map to guest = Bad User
    
       log level = 3
       log file = /var/log/samba/samba.log
       max log size = 100000
    
    [netlogon]
       path = /var/lib/samba/sysvol/zentyal-domain.lan/scripts
       browseable = no
       read only = yes
    
    [sysvol]
       path = /var/lib/samba/sysvol
       read only = no
    
  16. Before joining the server, we must ensure that we can reach Zentyal:

    ping zentyal.zentyal-domain.lan
    
  17. Also, we must ensure that Zentyal’s firewall allows Ubuntu to use the Samba service. Below is an example:

Zentyal object for Ubuntu 22.10

Zentyal object for Ubuntu 22.10

Zentyal firewall for Ubuntu 22.10

Zentyal firewall for Ubuntu 22.10

  1. Now, we can join the Ubuntu Server 22.10 to the Zentyal domain controller:

    sudo samba-tool domain \
            join \
            zentyal-domain.lan \
            DC \
            --username='admindc' \
            --dns-backend=BIND9_DLZ \
            --workgroup='zentyal-domain' \
            --server='192.168.170.1'
    
    ## The latest message of the join process in case everything was successful
    
    INFO 2022-10-27 10:59:06,310 pid:1046 /usr/lib/python3/dist-packages/samba/join.py #1544: Joined domain ZENTYAL-DOMAIN (SID S-1-5-21-3507753539-3088741907-912681098) as a DC
    

Warning

In case of error, read the message carefully.

  1. After joining the Ubuntu Server 22.10, we need to do the following checks explained here [19]

    ## FQDN
    host -t A adc.zentyal-domain.lan
    
    ## An example of its output:
    adc.zentyal-domain.lan has address 192.168.170.200
    
    ## Get the objectGUID
    sudo ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
    
    ## An example of its output:
    # record 1
    dn: CN=NTDS Settings,CN=ZENTYAL,CN=Servers,CN=Default-First-Site-Name,  CN=Sites,CN=Configuration,DC=zentyal-domain,DC=lan
    objectGUID: f57dbf3e-c50c-45ff-8c1b-9bfe1c0c7607
    
    # record 2
    dn: CN=NTDS Settings,CN=ADC,CN=Servers,CN=Default-First-Site-Name,CN=Sites, CN=Configuration,DC=zentyal-domain,DC=lan
    objectGUID: 1593056e-3ded-469b-bcca-2358da389bb2
    
    # returned 2 records
    # 2 entries
    # 0 referrals
    
    ## Verify each objectGUID
    host -t CNAME 1593056e-3ded-469b-bcca-2358da389bb2._msdcs.zentyal-domain.lan
    
    ## An example of its output:
    1593056e-3ded-469b-bcca-2358da389bb2._msdcs.zentyal-domain.lan is an alias for ADC.zentyal-domain.lan.
    
    host -t CNAME f57dbf3e-c50c-45ff-8c1b-9bfe1c0c7607._msdcs.zentyal-domain.lan
    
    ## An example of its output:
    f57dbf3e-c50c-45ff-8c1b-9bfe1c0c7607._msdcs.zentyal-domain.lan is an alias for zentyal.zentyal-domain.lan.
    

Warning

The subdomain _msdcs is required in the objectGUID verification.

  1. Uncomment in the configuration file /etc/bind/named.conf.local the following lines:

    // Custom configuration for Samba DC
    dlz "AD DNS Zone" {
       database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_18.so";
    };
    
  2. Restart the DNS service:

    sudo systemctl restart named
    sudo systemctl status named
    
  3. Once the DNS service is up and running, we need to disable certain Samba services and active the correct ones:

    sudo systemctl stop smbd nmbd winbind
    sudo systemctl mask smbd nmbd winbind
    sudo systemctl disable smbd nmbd winbind
    
    sudo systemctl unmask samba-ad-dc
    sudo systemctl start samba-ad-dc
    sudo systemctl status samba-ad-dc
    
  4. Finally, it is recommended to do some replications checks in order to confirm the stability of the new additional domain controller:

  • Get the domain users and groups:

    sudo samba-tool user list
    sudo samba-tool group list
    
  • Get the replication status as this [20] explains:

    sudo samba-tool drs showrepl
    
       ## An example of its output:
       ==== INBOUND NEIGHBORS ====
    
       DC=DomainDnsZones,DC=zentyal-domain,DC=lan
       Default-First-Site-Name\ZENTYAL via RPC
          DSA object GUID: f57dbf3e-c50c-45ff-8c1b-9bfe1c0c7607
          Last attempt @ Thu Oct 27 11:07:35 2022 CEST was successful
          0 consecutive failure(s).
          Last success @ Thu Oct 27 11:07:35 2022 CEST
    
       CN=Schema,CN=Configuration,DC=zentyal-domain,DC=lan
       Default-First-Site-Name\ZENTYAL via RPC
          DSA object GUID: f57dbf3e-c50c-45ff-8c1b-9bfe1c0c7607
          Last attempt @ Thu Oct 27 11:07:35 2022 CEST was successful
          0 consecutive failure(s).
          Last success @ Thu Oct 27 11:07:35 2022 CEST
    
       DC=zentyal-domain,DC=lan
       Default-First-Site-Name\ZENTYAL via RPC
          DSA object GUID: f57dbf3e-c50c-45ff-8c1b-9bfe1c0c7607
          Last attempt @ Thu Oct 27 11:07:35 2022 CEST was successful
          0 consecutive failure(s).
          Last success @ Thu Oct 27 11:07:35 2022 CEST
    
       CN=Configuration,DC=zentyal-domain,DC=lan
       Default-First-Site-Name\ZENTYAL via RPC
          DSA object GUID: f57dbf3e-c50c-45ff-8c1b-9bfe1c0c7607
          Last attempt @ Thu Oct 27 11:07:35 2022 CEST was successful
          0 consecutive failure(s).
          Last success @ Thu Oct 27 11:07:35 2022 CEST
    
       DC=ForestDnsZones,DC=zentyal-domain,DC=lan
       Default-First-Site-Name\ZENTYAL via RPC
          DSA object GUID: f57dbf3e-c50c-45ff-8c1b-9bfe1c0c7607
          Last attempt @ Thu Oct 27 11:07:35 2022 CEST was successful
          0 consecutive failure(s).
          Last success @ Thu Oct 27 11:07:35 2022 CEST
    
       ==== OUTBOUND NEIGHBORS ====
    
       CN=Schema,CN=Configuration,DC=zentyal-domain,DC=lan
       Default-First-Site-Name\ZENTYAL via RPC
          DSA object GUID: f57dbf3e-c50c-45ff-8c1b-9bfe1c0c7607
          Last attempt @ NTTIME(0) was successful
          0 consecutive failure(s).
          Last success @ NTTIME(0)
    
       DC=zentyal-domain,DC=lan
       Default-First-Site-Name\ZENTYAL via RPC
          DSA object GUID: f57dbf3e-c50c-45ff-8c1b-9bfe1c0c7607
          Last attempt @ NTTIME(0) was successful
          0 consecutive failure(s).
          Last success @ NTTIME(0)
    
       CN=Configuration,DC=zentyal-domain,DC=lan
       Default-First-Site-Name\ZENTYAL via RPC
          DSA object GUID: f57dbf3e-c50c-45ff-8c1b-9bfe1c0c7607
          Last attempt @ NTTIME(0) was successful
          0 consecutive failure(s).
          Last success @ NTTIME(0)
    
       DC=ForestDnsZones,DC=zentyal-domain,DC=lan
       Default-First-Site-Name\ZENTYAL via RPC
          DSA object GUID: f57dbf3e-c50c-45ff-8c1b-9bfe1c0c7607
          Last attempt @ Thu Oct 27 11:07:25 2022 CEST was successful
          0 consecutive failure(s).
          Last success @ Thu Oct 27 11:07:25 2022 CEST
    
       ==== KCC CONNECTION OBJECTS ====
    
       Connection --
       Connection name: 79849241-81e9-4e1b-bad3-741533dcd6f1
       Enabled        : TRUE
       Server DNS name : zentyal.zentyal-domain.lan
       Server DN name  : CN=NTDS Settings,CN=ZENTYAL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zentyal-domain,DC=lan
          TransportType: RPC
          options: 0x00000001
       Warning: No NC replicated for Connection!
    
  • Create a test object such as a domain user in Zentyal and wait a minute to see if it was replicated. Below is an example of the crucial records of the log file /var/log/samba/samba.log related to the sync from Zentyal:

    ## Log file: /var/log/samba/samba.log
    [2022/10/27 11:12:44.473403,  3] ../../source4/dsdb/repl/drepl_service.c:207(_drepl_schedule_replication)
    _drepl_schedule_replication: forcing sync of partition (063be8a2-398b-498d-99d9-112be2bace60, DC=zentyal-domain,DC=lan, f57dbf3e-c50c-45ff-8c1b-9bfe1c0c7607._msdcs.zentyal-domain.lan)
    
    [2022/10/27 11:12:44.527349,  2] ../../source4/dsdb/repl/replicated_objects.c:1058(dsdb_replicated_objects_commit)
    Replicated 1 objects (0 linked attributes) for DC=zentyal-domain,DC=lan
    
  • Ensure that in the log file /var/log/syslog there are no errors related to Samba or DNS service on both servers.

[16]ISO Ubuntu Server 22.10: https://releases.ubuntu.com/22.10/ubuntu-22.10-live-server-amd64.iso
[17]Samba requirements: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Only_Applicable_if_Samba_was_Previously_Installed
[18]DNS configuration: https://wiki.samba.org/index.php/Setting_up_a_BIND_DNS_Server#Installing_.26_Configuring_BIND_on_Debian_based_distros
[19]Verification of the critical DNS records: https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record
[20]Replication statuses: https://wiki.samba.org/index.php/Verifying_the_Directory_Replication_Statuses

Configuration of Windows 11

This section is going to show an example of how to join a Windows 11 computer to the domain and how to access any shared.

  1. The first and most important action to do is to configure the network.
Windows 11 network configuration

Windows 11 network configuration

Warning

Remember that the DNS server must be Ubuntu 22.10, so it can get Kerberos’ ticket, otherwise, it will fail because the Samba installed in Zentyal cannot provide that ticket due to the current bug.

  1. Then, we must ensure that the domain can be resolutiond through Ubuntu.
Windows 11 domain resolution

Windows 11 domain resolution

  1. After that, we can join the computer to the domain.
Windows 11 domain join

Windows 11 domain join

  1. Once the computer is joined to the domain, we will be able to log in with a domain user, just remember that the main DNS server must be Ubuntu.
Windows 11 login

Windows 11 login

  1. In case we want to access any shared folder such as the personal folder or some shared resource, we will need to use the Zentyal FQDN. Below is an example:
Windows 11 shares

Windows 11 shares

Troubleshooting

Below are the links that will help us in case of an issue during any of the above steps:

  • Main troubleshooting article [21].
  • DNS [22].
  • DNS DLZ [23].
  • ObejectGUID objects [24].
[21]Main troubleshooting article: https://wiki.samba.org/index.php/Samba_AD_DC_Troubleshooting
[22]DNS: https://wiki.samba.org/index.php/Linux_and_Unix_DNS_Configuration
[23]DNS DLZ: https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Troubleshooting
[24]ObejectGUID objects: https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record