Before starting, a couple of things should be noted:

the network ip range, gateway and netmask
the ip addresses of the DNS servers
the domain name of the network
reserve a hostname (for AD and/or DNS)
you will need an AD administrator account
the ip adresses of the current domain controllers

in this example, the values used are:

172.20.0.0/16 (255.255.0.0), the gateway is at 172.20.254.254
Dns servers are at 172.20.1.1 and 172.20.1.2
domain name: domain.local. The email domain name is domain.public
admin account: administrator with password adminpass
dc's are located at: 172.20.1.1 and 172.20.1.2
the interface on the freebsd machine for the network will be em0
this host will be called fileserver1

Install a freebsd system as usual, with an extra user that is member of wheel.
No kernel source needed, but the ports have to be installed and updated!

package install

#pkg install perl
#cd /usr/ports/net/samba
#make install clean
-- select: LDAP, ADS, WINBIND, ACL_SUPPORT, SYSLOG, DNSUPDATE and POPT

rc.conf

#nano /etc/rc.conf

-- enter the lines below

ifconfig_em0="172.20.1.3/16"
hostname="fileserver1.domain.local"
defaultrouter="172.20.254.254"

sshd_enable="YES"
ntpdate_enable="YES"
ntpdate_hosts="172.20.1.1"   # sync time with dc's, NOT public
dumpdev="NO"
samba_enable="YES"
winbindd_enable="YES" # required to set yes seperate

resolv.conf

#nano /etc/resolv.conf

search domain.local
nameserver 172.20.1.1
nameserver 172.20.1.2

sysctl.conf

#nano /etc/sysctl.conf

kern.maxfiles=16384
kern.maxfilesperproc=16384

hosts

#nano /etc/hosts
-- add the line to this file:
127.0.0.1 localhost.domain.local localhost 172.20.1.3 fileserver1.domain.local fileserver1

To set the correct timezone, a symlink has to be made to a valid timezone file to /etc/localtime.
These files can be found in: /usr/share/zoneinfo. Here we use /usr/share/zoneinfo/Europe/Amsterdam

timezone

#ln -s /usr/local/share/zoneinfo/Europe/Amsterdam /etc/localtime
#ntpdate -4b 172.20.1.1

windows uses kerberos 5 for it's logins etc. so we have to set things up right for using it:

krb5.conf

#nano /etc/krb5.conf

[libdefaults]
default_realm=DOMAIN.LOCAL
[domain_realm]
.domain.local=DOMAIN.LOCAL
[realms]
ICTOPUSBV.COM = {
        kdc = dc1.domain.local
}
[logging]
default = SYSLOG:INFO:LOCAL7

once this file is made, we can test to see if we can login using the administrator account and verify kerberos working:

Testing kerberos

#kinit administrator
administrator@DOMAIN.LOCAL's Password: adminpass

#klist
Credentials cache: FILE:/tmp/krb5cc_1001
	Principal: administrator@DOMAIN.LOCAL
	
  Issued           Expires          Principal
Feb 12 09:57:57  Feb 12 19:57:57  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL

As seen with klist, the principal is the administartor account and we have a valid login.

First, let's make some storage folders. On what filesystem doesn't matter here. ZFS would be nice to have!

Storage

#mkdir -p /datastore/dfs
#mkdir -p /datastore/homes
#mkdir -p /datastore/backups
#mkdir -p /datastore/filestore

And then we make a samba config file:

samba.conf

#nano /usr/local/etc/samba.conf

[global]
 workgroup = DOMAIN
 realm = DOMAIN.LOCAL
 preferred master = No
 server string = fileserver1
 security = ADS
 encrypt passwords = yes
# log level = 3
# log file = /var/log/samba/%m
 max log size = 50
 winbind enum users =Yes
 winbind enum groups = Yes
 winbind use default domain = Yes
 winbind nested groups = Yes
 winbind separator = +
 idmap uid = 10000-20000
 idmap gid = 10000-20000
 template shell = /bin/bash
 template primary group = "Domain Users"
 load printers = No
 disable spoolss = Yes
# local master = No
 admin users = "@DOMAIN+Domain Admins"
 host msdfs = Yes

[dfs]
 path = /datastore/dfs
 msdfs root = Yes

[homes]
 comment = Home directories
 valid users = %S
 read only = No
 writeable = Yes
 browsable = No
 path = /datastore/homes/%S

[backups$]
	comment = Backups systeembeheer
  valid users = @DOMAIN+Administrators
  writable = Yes
  browseable = Yes
  path = /datastore/backups

[filestore]
	comment = All the files for users
	valid users = %S
	read only = No
	writeable = Yes
	browsable = Yes
	path = /datastore/filestore
	
-- store the file and start samba:
#service samba start
-- or use old style:
#/usr/local/etc/rc.d/samba start

Once samba is up and running with no errors, we add this server to the active directory:

active directory join

#net ads join -U administrator
Enter administrator's password: adminpass
Using short domain name -- DOMAIN
Joined 'fileserver1' to realm 'domain.local'

#net ads info
LDAP server: 172.20.1.1
LDAP server name: dc1.domain.local
REALM: DOMAIN.LOCAL
Bind Path: dc=DOMAIN,dc=LOCAL
LDAP port: 389
Server time: xxxxxxxxxx
KDC server: 172.20.1.1
server time offset: 0

If you receive the above, it means our server is joined in the active directory!
To verify this, login op either DC of the domain and go to the 'computers' folder in the root of AD. It should have the fileserver1 object.
From there, you can move it where you like according to your AD setup.

To verify that this user can 'see' the groups and users in the domain:

active directory join

#wbinfo -u
-- listing of all the found users in the domain is done. If not, something is wrong.

#wbinfo -g
-- listing of all the found groups in the domain. If not, something is wrong.

If something is wrong, check your logfiles, they probably will tell you why it can't find any groups or users.
Once all is working, it's time to tell the system how to use these users and groups by configuring nsswitch:

nsswitch.conf

#nano /etc/nsswitch.conf

group: files winbind
group_compat: nis
hosts: files dns wins
networks: files
shadow: files winbind
passwd: files winbind
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files winbind

Note: we still are using the groups and passwd files also! This way, whenever something is wrong with AD we can still login to the system using the local usernames and passwords, including root!
You can check if things are ok using:

nsswitch.conf

#getent passwd
-- list of the content of /etc/passwd
-- list of all the users of AD, starting at uid 10000 and gid 100006

#getent group
-- list of the content of /etc/groups
-- list of the groups in AD, starting at gid 10006

In general on freebsd you can assign permissions and ownership by using chown and chmod. This doesn't change but the usernames and groups are defined a little different:

ownership

#chown -R "administrator":"Domain admins" /datastore/backups

The use of CHMOD is the same as usual on a freebsd system.

In windows, there is a thing called DFS service, meaning a distributed filesystem. We can imitate this by creating special symlinks in a folder. We have made /datastore/dfs before and set this in the samba configuration as a DFS root.
First thing to do is to make sure that the shared folders which are targetted are available on the server(s). Then add dfs symlinks like so:

DFS symlinks

#cd /datastore/dfs
#ln -s 'msdfs:fileserver1:\backups' backups
#ln -s 'msdfs:DC1:\shared$' shared
#ln -s 'msdfs:fileserver1:\filestore,msdfs:fileserver2:\filestore1' filestore

As you can see on the last line, it is possible to reference 2 shares on 2 different servers. These folders have to be kept in sync and the clients will be loadbalanced over these 2 shares.
The syncing is a matter beyond the scope of this document, there are several ways to accomplish this.