Joining a Samba DC to an Existing Active Directory: Difference between revisions
Mmuehlfeld (talk | contribs) (Updated some section titles, linked two verifying steps from the "Setting up Samba as an Active Directory Domain Controller" documentation that makes sense to test on additional DCs as well)
m (typo)
(29 intermediate revisions by 2 users not shown)
Revision as of 11:01, 15 July 2022
Introduction
Running one domain controller (DC) is sufficient for a working Active Directory (AD) forest. However, for redundancy and load balancing reasons, you should add further DCs to your AD forest. Joining an additional Samba DC to an existing AD differs from provisioning the first DC in a forest. If you set up a new AD forest, see Setting up Samba as an Active Directory Domain Controller.
Do not provision a computer as a Samba AD DC and then try to join it to an existing AD domain. This will not work; to join a computer to the existing AD domain, you only need to run the samba-tool domain join command.
If you are joining Samba as a DC to an existing Windows AD domain that was provisioned on a Windows 2003 (or earlier) DC, you must ensure that the domain is running a domain-integrated DNS server. This DNS server must be configured with 2008 behaviour.
An NT4 domain uses only one Primary Domain Controller (PDC) and optionally additional Backup Domain Controllers (BDC). In an AD forest, there is no difference between DCs apart from the FSMO roles. Use only the term "domain controller" or "DC" when you talk about AD to avoid any possibility of confusion.
Preparing the Installation
For details, see Preparing the Installation in the Setting up Samba as an Active Directory Domain Controller documentation.
Installing Samba
For details, see Installing Samba.
Install a maintained Samba version. For details, see Samba Release Planning.
Preparing the Host for Joining the Domain
Local DNS server
By default, the first Domain Controller (DC) in a forest runs a DNS server for Active Directory (AD)-based zones. For redundancy reasons it is recommended to run multiple DCs acting as a DNS server in a network. If you consider providing a DNS service on the new DC:
- For the BIND9_DLZ back end, see BIND9_DLZ DNS Back End. Finish this task before you start the Samba DC service.
- For the internal DNS, no further actions are required.
Configuring DNS
For details, see Linux and Unix DNS Configuration.
The 'nameserver' you set in '/etc/resolv.conf' must be an AD DC, otherwise the join will not be able to find the KDC.
Kerberos
Set the following settings in your Kerberos client configuration file /etc/krb5.conf:

[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = SAMDOM.EXAMPLE.COM

To verify the settings, use the kinit command to request a Kerberos ticket for the domain administrator:

# kinit administrator
Password for administrator@SAMDOM.EXAMPLE.COM:

To list Kerberos tickets:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@SAMDOM.EXAMPLE.COM

Valid starting       Expires              Service principal
24.09.2015 19:56:55  25.09.2015 05:56:55  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
        renew until 25.09.2015 19:56:53
Configuring Time Synchronisation
Kerberos requires a synchronised time on all domain members. For further details and how to set up the ntpd service, see Time Synchronisation.
Joining the Active Directory as a Domain Controller
To join the domain samdom.example.com as a domain controller (DC) that additionally acts as a DNS server using the Samba internal DNS, use one of the following commands.

There are three authentication methods you can use: username and password, or one of two Kerberos methods (both Kerberos methods require that you first run kinit as an administrative user).
Username & Password:
# samba-tool domain join samdom.example.com DC -U"SAMDOM\administrator"
Or:
# samba-tool domain join samdom.example.com DC -k yes
Or:
# samba-tool domain join samdom.example.com DC --krb5-ccache=/tmp/krb5cc_0
Any of the above should result in output similar to this:

Finding a writeable DC for domain 'samdom.example.com'
Found DC dc1.samdom.example.com
Password for [SAMDOM\administrator]:
workgroup is SAMDOM
realm is samdom.example.com
Adding CN=DC2,OU=Domain Controllers,DC=samdom,DC=example,DC=com
Adding CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
Adding CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
Adding SPNs to CN=DC2,OU=Domain Controllers,DC=samdom,DC=example,DC=com
Setting account password for DC2$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Provision OK for domain DN DC=samdom,DC=example,DC=com
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[402/1618] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[804/1618] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1206/1618] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1608/1618] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1618/1618] linked_values[42/0]
Replicating critical objects from the base DN of the domain
Partition[DC=samdom,DC=example,DC=com] objects[100/100] linked_values[23/0]
Partition[DC=samdom,DC=example,DC=com] objects[386/286] linked_values[23/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=samdom,DC=example,DC=com
Partition[DC=DomainDnsZones,DC=samdom,DC=example,DC=com] objects[44/44] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=samdom,DC=example,DC=com
Partition[DC=ForestDnsZones,DC=samdom,DC=example,DC=com] objects[19/19] linked_values[0/0]
Committing SAM database
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain SAMDOM (SID S-1-5-21-469703510-2364959079-1506205053) as a DC
See the samba-tool domain join --help command's output for further information.
Other parameters frequently used with the samba-tool domain join command:

- --dns-backend=NAMESERVER-BACKEND: Use the supplied DNS server backend. Valid options are SAMBA_INTERNAL or BIND9_DLZ. Unless you want to use BIND9, there is no need to supply this option.
  - If you use the internal DNS server, you will not be asked for a forwarder and the one in /etc/resolv.conf will not be obtained automatically. You must supply one with --option="dns forwarder=forwarder_ipaddress".
- --site=SITE: Directly join the host as DC to a specific Active Directory Site.
- --option="interfaces=lo eth0" --option="bind interfaces only=yes": If your server has multiple network interfaces, use these options to bind Samba to the specified interfaces. This enables the samba-tool command to register the correct LAN IP address in the directory during the join.

If the other DCs are Samba DCs and were provisioned with --use-rfc2307, you should add --option='idmap_ldb:use rfc2307 = yes' to the join command.
Verifying the DNS Entries
If the joining DC runs Samba 4.7 or later, samba-tool creates all required DNS entries automatically. To manually create the records on an earlier version, see Verifying and Creating a DC DNS Record.
Configuring the BIND9_DLZ DNS Back End
If you selected the BIND9_DLZ DNS back end during the domain join, set up the BIND configuration. For details, see BIND9_DLZ DNS Back End.
Built-in User & Group ID Mappings
Samba in its current state does not support SysVol replication via DFS-R (Distributed File System Replication) or the older FRS (File Replication Service) used in Windows Server 2000/2003 for Sysvol replication.
We currently advise administrators to use one of the following workarounds:
- Rsync based SysVol replication workaround (Samba DCs only): Quick setup, easy to configure.
- Bidirectional Rsync/Unison based SysVol replication workaround (Samba DCs only): More complex, requires a third-party script; each DC requires a cron job against each other DC.
- Bidirectional Rsync/osync based SysVol replication workaround (Samba DCs only): More complex, requires a third-party script; each DC requires a cron job against each other DC.
- Robocopy based SysVol replication workaround (Samba DCs -> Windows DCs): Quick setup, easy to configure, uses MS robocopy.
You need to sync idmap.ldb from the DC holding the PDC Emulator FSMO role to all other DCs. This ensures that all DCs use the same IDs. If you do not sync idmap.ldb, you can and will get different IDs on each DC. You need to sync idmap.ldb when you first join a new DC and then regularly, to ensure the IDs remain constant. You do not need to sync idmap.ldb every time you sync SysVol, but, as stated on the mailing list, it should be done periodically.
To use a Sysvol Replication workaround, all domain controllers (DC) must use the same ID mappings for built-in users and groups.
By default, a Samba DC stores the user & group IDs in 'xidNumber' attributes in 'idmap.ldb'. Because of the way 'idmap.ldb' works, you cannot guarantee that each DC will use the same ID for a given user or group. To ensure that you do use the same IDs, you must:
- Create a hot-backup of the /usr/local/samba/private/idmap.ldb file on the existing DC:

  # tdbbackup -s .bak /usr/local/samba/private/idmap.ldb

  This creates a backup file /usr/local/samba/private/idmap.ldb.bak.
- Move the backup file to the /usr/local/samba/private/ folder on the newly joined DC and remove the .bak suffix to replace the existing file.
- Run net cache flush on the new DC.
- You will now need to sync Sysvol to the new DC.
- Reset the Sysvol folder's file system access control lists (ACL) on the new DC:

  # samba-tool ntacl sysvolreset
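A consistency check for this step, added here as an example and not part of the Samba documentation or of samba-tool itself: it parses the LDIF that ldbsearch -H /usr/local/samba/private/idmap.ldb prints on the PDC emulator and on the new DC (both samples below are constructed) and lists every SID whose xidNumber differs, which is exactly the drift the note above warns about.

```python
"""Compare the built-in ID mappings of two Samba DCs from ldbsearch exports.

Run 'ldbsearch -H /usr/local/samba/private/idmap.ldb' on the PDC emulator and
on the newly joined DC, feed both outputs to compare_idmaps(); any SID listed
means the two DCs disagree and idmap.ldb must be copied over again.
"""
from typing import Dict, List, Tuple

# Constructed LDIF samples in the shape ldbsearch prints (not captured from a
# real DC). The new DC allocated the IDs of BUILTIN\Users (S-1-5-32-545) and
# Domain Users (RID 513) in the opposite order: the classic idmap.ldb drift.
PDC_IDMAP = """\
# record 1
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

# record 2
dn: CN=S-1-5-32-545
cn: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000001

# record 3
dn: CN=S-1-5-21-469703510-2364959079-1506205053-513
cn: S-1-5-21-469703510-2364959079-1506205053-513
type: ID_TYPE_BOTH
xidNumber: 3000002

# returned 3 records
"""

NEW_DC_IDMAP = """\
# record 1
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

# record 2
dn: CN=S-1-5-21-469703510-2364959079-1506205053-513
cn: S-1-5-21-469703510-2364959079-1506205053-513
type: ID_TYPE_BOTH
xidNumber: 3000001

# record 3
dn: CN=S-1-5-32-545
cn: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000002

# returned 3 records
"""

Mapping = Dict[str, Tuple[str, int]]   # SID -> (type, xidNumber)


def parse_idmap_ldif(text: str) -> Mapping:
    """Parse ldbsearch LDIF output into SID -> (type, xidNumber).

    Records are separated by blank lines; '#' lines are ldbsearch comments and
    'attr:: value' marks a base64 value (not needed here, but tolerated).
    """
    mappings: Mapping = {}
    entry: Dict[str, str] = {}
    for line in text.splitlines() + [""]:        # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if "cn" in entry and "xidNumber" in entry:
                mappings[entry["cn"]] = (entry.get("type", "?"), int(entry["xidNumber"]))
            entry = {}
            continue
        key, _, value = line.partition(":")
        entry[key.strip()] = value.lstrip(": ").strip()
    return mappings


def compare_idmaps(reference: Mapping, candidate: Mapping) -> Dict[str, str]:
    """Return SID -> problem for every mapping on which the two DCs disagree.

    An empty result means the new DC uses the same IDs as the reference (the
    PDC emulator), so ownership on the synced Sysvol resolves identically.
    """
    problems: Dict[str, str] = {}
    for sid, (typ, xid) in reference.items():
        if sid not in candidate:
            problems[sid] = f"missing on new DC (reference xidNumber {xid})"
        elif candidate[sid][1] != xid:
            problems[sid] = f"xidNumber {candidate[sid][1]} on new DC, {xid} on reference"
        elif candidate[sid][0] != typ:
            problems[sid] = f"type {candidate[sid][0]} on new DC, {typ} on reference"
    for sid in candidate.keys() - reference.keys():
        problems[sid] = f"only on new DC (xidNumber {candidate[sid][1]})"
    return problems


def duplicate_xids(mapping: Mapping) -> Dict[int, List[str]]:
    """Return xidNumber -> [SIDs] for IDs assigned to more than one SID on one DC."""
    by_xid: Dict[int, List[str]] = {}
    for sid, (_, xid) in mapping.items():
        by_xid.setdefault(xid, []).append(sid)
    return {xid: sids for xid, sids in by_xid.items() if len(sids) > 1}


if __name__ == "__main__":
    # Without arguments the constructed samples are compared; pass two files
    # holding real ldbsearch output (PDC emulator first) to check live DCs.
    import sys
    if len(sys.argv) == 3:
        ref = parse_idmap_ldif(open(sys.argv[1]).read())
        new = parse_idmap_ldif(open(sys.argv[2]).read())
    else:
        ref, new = parse_idmap_ldif(PDC_IDMAP), parse_idmap_ldif(NEW_DC_IDMAP)
    for sid, problem in sorted(compare_idmaps(ref, new).items()):
        print(f"{sid}: {problem}")
```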
Starting the Samba Service
To start the Samba Active Directory (AD) domain controller (DC) service (samba) manually, enter:

# samba

Samba does not provide System V init scripts, systemd, upstart, or other service configuration files.

- If you installed Samba using packages, use the script or service configuration file included in the package to start Samba.
- If you built Samba, see Managing the Samba AD DC Service.
Verifying Directory Replication
After the domain controller (DC) has been started, the knowledge consistency checker (KCC) on the Samba DC creates replication agreements to other DCs in the Active Directory (AD) forest. It can take up to 15 minutes until the KCC creates the auto-generated replication connections.
For details about how to verify that the directory replication works correctly, see Verifying the Directory Replication Statuses.
To optimize replication latency and cost, the KCC in Samba 4.5 and later no longer creates a fully-meshed replication topology between all DCs. For further details, see The Samba KCC.
Starting BIND
Before you start the BIND daemon, verify that the DNS directory partitions have been successfully replicated:
# samba-tool drs showrepl
...
==== INBOUND NEIGHBORS ====
...
DC=DomainDnsZones,DC=samdom,DC=example,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
                Last attempt @ Thu Sep 24 20:08:45 2015 CEST was successful
                0 consecutive failure(s).
                Last success @ Thu Sep 24 20:08:45 2015 CEST
...
DC=ForestDnsZones,DC=samdom,DC=example,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
                Last attempt @ Thu Sep 24 20:08:45 2015 CEST was successful
                0 consecutive failure(s).
                Last success @ Thu Sep 24 20:08:45 2015 CEST

If the replication works correctly, start the BIND service. See your distribution's documentation for information on how to start a service.
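An added example (not from the Samba wiki or from samba-tool) that automates this check: it parses showrepl output in the format shown above (the sample is constructed, with the ForestDnsZones neighbour deliberately failing and a made-up result code) and refuses a BIND start until both DNS partitions report a successful last attempt with zero consecutive failures.

```python
"""Gate the BIND start on 'samba-tool drs showrepl' output.

BIND9_DLZ serves the DomainDnsZones and ForestDnsZones partitions straight out
of the directory, so both must have replicated to the new DC before named starts.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format of the showrepl output shown on this page
# (not captured from a real DC). The ForestDnsZones neighbour is made to fail;
# the result code and error name on that line are constructed for the example.
SAMPLE_SHOWREPL = """\
Default-First-Site-Name\\DC2
DSA Options: 0x00000001
DSA object GUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48

==== INBOUND NEIGHBORS ====

CN=Configuration,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\\DC1 via RPC
        DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
        Last attempt @ Thu Sep 24 20:08:46 2015 CEST was successful
        0 consecutive failure(s).
        Last success @ Thu Sep 24 20:08:46 2015 CEST

DC=DomainDnsZones,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\\DC1 via RPC
        DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
        Last attempt @ Thu Sep 24 20:08:45 2015 CEST was successful
        0 consecutive failure(s).
        Last success @ Thu Sep 24 20:08:45 2015 CEST

DC=ForestDnsZones,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\\DC1 via RPC
        DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
        Last attempt @ Thu Sep 24 20:09:01 2015 CEST failed, result 1256 (WERR_RPC_S_SERVER_UNAVAILABLE)
        3 consecutive failure(s).
        Last success @ NTTIME(0)

==== OUTBOUND NEIGHBORS ====
...
"""

SECTION_RE = re.compile(r"^==== (.+?) ====$")
SOURCE_RE = re.compile(r"^(?P<dc>\S+) via (?P<transport>\w+)$")
ATTEMPT_RE = re.compile(r"^Last attempt @ (?P<when>.+?) "
                        r"(?:(?P<ok>was successful)|failed, result (?P<code>\d+) \((?P<err>\w+)\))$")
FAILURES_RE = re.compile(r"^(?P<n>\d+) consecutive failure\(s\)\.$")
SUCCESS_RE = re.compile(r"^Last success @ (?P<when>.+)$")
DNS_PARTITION_PREFIXES = ("DC=DomainDnsZones,", "DC=ForestDnsZones,")


def parse_inbound(text: str) -> Dict[str, List[dict]]:
    """Return partition DN -> inbound neighbours from the INBOUND NEIGHBORS section."""
    partitions: Dict[str, List[dict]] = {}
    section: Optional[str] = None
    partition: Optional[str] = None
    current: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.strip()                      # indentation carries no information
        if (m := SECTION_RE.match(line)):
            section, partition, current = m.group(1), None, None
            continue
        if section != "INBOUND NEIGHBORS" or not line or line == "...":
            continue
        if line.startswith(("DC=", "CN=")):     # a partition (naming context) DN
            partition = line
            partitions.setdefault(partition, [])
            current = None
            continue
        if (m := SOURCE_RE.match(line)) and partition is not None:
            current = {"source": m["dc"], "transport": m["transport"], "ok": None,
                       "error": None, "failures": None, "last_success": None}
            partitions[partition].append(current)
            continue
        if current is None:
            continue
        if (m := ATTEMPT_RE.match(line)):
            current["ok"], current["error"] = m["ok"] is not None, m["err"]
        elif (m := FAILURES_RE.match(line)):
            current["failures"] = int(m["n"])
        elif (m := SUCCESS_RE.match(line)):
            current["last_success"] = m["when"]
    return partitions


def dns_partitions_ready(partitions: Dict[str, List[dict]]) -> Tuple[bool, List[str]]:
    """Ready only if each DNS partition has a neighbour whose last attempt
    succeeded with zero consecutive failures; otherwise list what is wrong."""
    problems: List[str] = []
    for prefix in DNS_PARTITION_PREFIXES:
        found = [dn for dn in partitions if dn.startswith(prefix)]
        if not found:
            problems.append(f"{prefix.rstrip(',')}: no inbound neighbour listed (KCC may not have run yet)")
            continue
        for dn in found:
            if any(n["ok"] and n["failures"] == 0 for n in partitions[dn]):
                continue
            detail = "; ".join(f"{n['source']}: {n['error'] or 'no successful attempt'}, "
                               f"{n['failures']} consecutive failure(s), last success {n['last_success']}"
                               for n in partitions[dn]) or "no neighbours"
            problems.append(f"{dn}: {detail}")
    return (not problems, problems)


if __name__ == "__main__":
    import subprocess, sys
    live = len(sys.argv) > 1 and sys.argv[1] == "--live"     # otherwise use the sample
    text = (subprocess.run(["samba-tool", "drs", "showrepl"], capture_output=True,
                           text=True, check=True).stdout if live else SAMPLE_SHOWREPL)
    ready, problems = dns_partitions_ready(parse_inbound(text))
    print("DNS partitions replicated, BIND can be started" if ready else "Do NOT start BIND yet:")
    for p in problems:
        print("  " + p)
    sys.exit(0 if ready else 1)
```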
Testing your Samba AD DC
Verifying the File Server
For details, see Verifying the File Server in the Setting up Samba as an Active Directory Domain Controller documentation.
Testing the Local DNS Server
Skip this step if you selected --dns-backend=NONE during the join.

Query the local DNS server to resolve the domain name samdom.example.com:

# host -t A samdom.example.com localhost
Using domain server:
Name: localhost
Address: 127.0.0.1#53
Aliases:

samdom.example.com has address 10.99.0.1
samdom.example.com has address 10.99.0.2
The local DNS resolves the domain name to the IP addresses of all domain controllers (DC).
In case you receive no or a different result, review this documentation and check:
- the system log files,
- the Samba log files,
- the BIND log files, if the BIND9_DLZ back end is used.
Verifying Kerberos
For details, see Verifying Kerberos in the Setting up Samba as an Active Directory Domain Controller documentation.
DNS Configuration on Domain Controllers
The DNS configuration on domain controllers (DC) is important: if a DC is unable to locate other DCs, replication will fail.

Set the local IP of the DC as the primary name server. For example, on the newly joined DC, use the local 10.99.0.2 IP as the primary nameserver entry:

nameserver 10.99.0.2
search samdom.example.com
Configuring Winbindd on a Samba AD DC
Optional. For details, see Configuring Winbindd on a Samba AD DC.
Using the Domain Controller as a File Server
For details, see Using the Domain Controller as a File Server.
Sysvol Replication
Samba currently does not automatically replicate Sysvol, you must use some other form of replication. For community supported workarounds, see Sysvol Replication.
If there are more than the default GPOs in Sysvol on the other DC(s), you must sync Sysvol to the new DC first; otherwise samba-tool ntacl sysvolreset will throw an error.
Testing the Directory Replication
To test that the directory replication works correctly, add for example a user on an existing DC and verify that it shows up automatically on the newly joined DC.
Optionally, use the ldapcmp utility to compare two directories. For details, see samba-tool ldapcmp.
Troubleshooting
For further details, see Samba AD DC Troubleshooting.