Joining a Samba DC to an Existing Active Directory: Difference between revisions

From SambaWiki
(Being more concrete what to clean up before starting over.)
m (/* added warning about dns server)
(44 intermediate revisions by 2 users not shown)
Line 1: Line 1:
= Introduction =
= Introduction =


Running one domain controller (DC) is sufficient for a working Active Directory (AD) forest. However, for failover and load balancing reasons, you should add further DCs to your AD forest. Joining an additional Samba DC to an existing AD differs from provisioning the first DC in a forest. If you set up a new AD forest, see [[Setup_a_Samba_Active_Directory_Domain_Controller|Set up a Samba Active Directory Domain Controller]].
Running one domain controller (DC) is sufficient for a working Active Directory (AD) forest. However, for failover and load balancing reasons, you should add further DCs to your AD forest. Joining an additional Samba DC to an existing AD differs from provisioning the first DC in a forest. If you set up a new AD forest, see [[Setting_up_Samba_as_an_Active_Directory_Domain_Controller|Setting up Samba as an Active Directory Domain Controller]].


{{Imbox
{{Imbox
| type = note
| type = warning
| text = Do not provision a computer as a Samba AD DC and then try to join it to an existing AD domain. This will not work; to join a computer to an existing AD domain as a DC, you only need to run the <code>samba-tool domain join</code> command.
| text = An NT4 domain uses only one Primary Domain Controller (PDC) and optionally additional Backup Domain Controllers (BDC). In an AD forest, there are no differences between DCs, besides the [[Flexible_Single-Master_Operations_(FSMO)_Roles|FSMO roles]]. Use only the term "domain controller" or "DC" when you talk about AD to avoid any possibility of confusion.
}}
}}


{{Imbox
| type = warning
| text = If you are joining Samba as a DC to an existing Windows AD domain that was provisioned on a Windows 2003 (or earlier) DC, you must ensure that the domain runs a domain-integrated DNS server and that this DNS server is configured with Windows Server 2008 behaviour.
}}


{{Imbox
| type = note
| text = An NT4 domain uses only one Primary Domain Controller (PDC) and optionally additional Backup Domain Controllers (BDC). In an AD forest, there is no difference between DCs, besides the [[Flexible_Single-Master_Operations_(FSMO)_Roles|FSMO roles]]. Use only the term "domain controller" or "DC" when you talk about AD to avoid any possibility of confusion.
}}






= Preconditions =


* Use a static IP address.


= Preparing the Installation =
* Verify that the host name in <code>/etc/hosts</code> resolves to the network IP and not to <code>127.0.0.1</code> (localhost).


For details, see [[Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Preparing_the_Installation|Preparing the Installation]] in the [[Setting_up_Samba_as_an_Active_Directory_Domain_Controller|Setting up Samba as an Active Directory Domain Controller]] documentation.
127.0.0.1 localhost.localdomain localhost <s>DC2.samdom.example.com</s> <s>DC2</s>
10.99.0.2 DC2.samdom.example.com DC2


* If Samba was already configured on this host:
:* remove the existing <code>smb.conf</code> file. To list the path to the file:


# smbd -b | grep "CONFIGFILE"
CONFIGFILE: /usr/local/samba/etc/samba/smb.conf


:* all Samba databases, such as <code>*.tdb</code> and <code>*.ldb</code> files. To list the folders containing Samba databases:


# smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR"
LOCKDIR: /usr/local/samba/var/lock/
STATEDIR: /usr/local/samba/var/locks/
CACHEDIR: /usr/local/samba/var/cache/
PRIVATE_DIR: /usr/local/samba/private/
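
The cleanup above is easy to get wrong when Samba was built with non-default paths. The following script is an added example (not part of this wiki page or of Samba): it reads the <code>smbd -b</code> output, extracts <code>CONFIGFILE</code> and the database directories, and only lists the <code>*.tdb</code> and <code>*.ldb</code> files, so you review what will be removed before deleting anything. The <code>run</code> argument and the sample <code>smbd -b</code> text are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the Samba wiki or the Samba project: derive the files
# to remove before a re-join from the "smbd -b" output instead of guessing the
# build-time paths, and only list them so the operator can review the list first.
# Assumption: the Samba binaries are in $PATH; SAMPLE_SMBD_B is constructed text.

# Print the value of one "KEY: value" line from smbd -b output on stdin.
smbd_build_var() {
    awk -v key="$1:" '$1 == key { print $2; exit }'
}

# Print the directories that hold Samba databases, one per line, deduplicated.
samba_db_dirs() {
    awk '$1 ~ /^(LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR):$/ { print $2 }' | sort -u
}

# List every *.tdb and *.ldb file below the given directories (nothing is deleted).
list_samba_dbs() {
    for d in "$@"; do
        if [ -d "$d" ]; then
            find "$d" -type f \( -name '*.tdb' -o -name '*.ldb' \)
        fi
    done
}

# Constructed smbd -b output, matching the paths shown in the text above.
SAMPLE_SMBD_B='CONFIGFILE: /usr/local/samba/etc/samba/smb.conf
LOCKDIR: /usr/local/samba/var/lock/
STATEDIR: /usr/local/samba/var/locks/
CACHEDIR: /usr/local/samba/var/cache/
PRIVATE_DIR: /usr/local/samba/private/'

# Live use on the host that is being re-joined (sh samba_cleanup_list.sh run):
if [ "${1:-}" = "run" ]; then
    build="$(smbd -b)"
    conf="$(printf '%s\n' "$build" | smbd_build_var CONFIGFILE)"
    echo "smb.conf to remove: $conf"
    echo "database files to remove:"
    printf '%s\n' "$build" | samba_db_dirs | while IFS= read -r d; do
        list_samba_dbs "$d"
    done
    # After reviewing the list: rm -f "$conf" and the listed *.tdb / *.ldb files.
fi
```

Stale <code>secrets.tdb</code>, <code>sam.ldb</code> or <code>idmap.ldb</code> files from an earlier provision are exactly what makes a later join misbehave, which is why the list is reviewed rather than removed blindly.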


= Installing Samba =
* When joining a Windows Active Directory (AD), run the following tests on a Windows computer in the domain:


For details, see [[Installing_Samba|Installing Samba]].
:* Verify that the forest functional level meets the Samba requirements:


{{Imbox
> dsquery * "CN=Partitions,CN=Configuration,DC=samdom,DC=example,DC=com" -scope base -attr msDS-Behavior-Version
| type = note
msDS-Behavior-Version
| text = Install a maintained Samba version. For details, see [[Samba_Release_Planning|Samba Release Planning]].
4
}}

:: Minimum supported level: 2003 native (level 2)
:: Maximum supported level: 2008 R2 (level 4)

::* Downgrade the forest functional level to 2008 R2, if you are joining an AD with a higher level.

:* Verify that the directory schema meets the Samba requirements:

> dsquery * "CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com" -Scope Base -attr objectVersion
objectVersion
69

::Samba <= 4.4: Maximum supported forest schema: 47 (Server 2008 R2)
::Samba >= 4.5: Maximum supported forest schema: 69 (Server 2012 R2)
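
You can run the same two checks from the Linux host that will be joined, using <code>ldbsearch</code> (shipped with Samba) against an existing DC. The following script is an added example, not from this wiki page or from Samba; it assumes the existing DC is <code>dc1.samdom.example.com</code>, that the Samba version to be joined is given as <code>major.minor</code> of a 4.x release, and the LDIF samples are constructed to match the shape of <code>ldbsearch</code> output.

```shell
#!/bin/sh
# Added example (not from the Samba wiki): check the forest functional level and
# the schema version from the Linux host before joining, using ldbsearch against
# an existing DC instead of dsquery on Windows.
# Assumptions: existing DC dc1.samdom.example.com; Samba 4.x version passed as
# "major.minor" (e.g. 4.9); the LDIF samples below are constructed.

# Print a single attribute value from LDIF on stdin (attribute name case-insensitive).
ldif_attr() {
    awk -v a="$1" 'BEGIN { a = tolower(a) ":" } tolower($1) == a { print $2; exit }'
}

# Return 0 if the forest level and schema version are within Samba's supported
# range, 1 otherwise. $1 = msDS-Behavior-Version, $2 = schema objectVersion,
# $3 = Samba version (major.minor).
check_ad_levels() {
    level="$1"; schema="$2"; samba="$3"
    for v in "$level" "$schema"; do
        case "$v" in
            ''|*[!0-9]*) echo "non-numeric value '$v' read from the directory" >&2; return 1 ;;
        esac
    done
    minor="${samba#*.}"; minor="${minor%%.*}"
    # Forest functional level: 2003 native (2) up to 2008 R2 (4)
    if [ "$level" -lt 2 ] || [ "$level" -gt 4 ]; then
        echo "forest functional level $level unsupported (need 2..4)" >&2
        return 1
    fi
    # Schema: 47 (2008 R2) for Samba <= 4.4, 69 (2012 R2) for Samba >= 4.5
    if [ "$minor" -le 4 ]; then max_schema=47; else max_schema=69; fi
    if [ "$schema" -gt "$max_schema" ]; then
        echo "schema objectVersion $schema exceeds $max_schema for Samba $samba" >&2
        return 1
    fi
    return 0
}

# Constructed LDIF, shaped like ldbsearch output for the two base-scope queries.
SAMPLE_PARTITIONS='dn: CN=Partitions,CN=Configuration,DC=samdom,DC=example,DC=com
msDS-Behavior-Version: 4'
SAMPLE_SCHEMA='dn: CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
objectVersion: 69'

# Live queries (sh check_levels.sh run 4.9):
if [ "${1:-}" = "run" ]; then
    DC=dc1.samdom.example.com
    BASE='DC=samdom,DC=example,DC=com'
    level=$(ldbsearch -H "ldap://$DC" -U 'SAMDOM\administrator' \
        -b "CN=Partitions,CN=Configuration,$BASE" -s base '(objectClass=*)' \
        msDS-Behavior-Version | ldif_attr msDS-Behavior-Version)
    schema=$(ldbsearch -H "ldap://$DC" -U 'SAMDOM\administrator' \
        -b "CN=Schema,CN=Configuration,$BASE" -s base '(objectClass=*)' \
        objectVersion | ldif_attr objectVersion)
    check_ad_levels "$level" "$schema" "${2:?Samba version, e.g. 4.9}" \
        && echo "OK: forest level $level, schema $schema"
fi
```

Running this before the join saves a half-finished DC object in the directory: <code>samba-tool domain join</code> adds the computer and NTDS Settings objects early, and an unsupported schema aborts the join afterwards.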





= Installation =

To install Samba:

* [[Build_Samba_from_Source|Build Samba From Source]]

* [[Distribution-specific_Package_Installation|Distribution-specific Package Installation]]

:Not all distributions currently provide packages with Active Directory (AD) domain controller (DC) support. For example, some distributions, such as Red Hat Enterprise Linux and Fedora, are based on MIT Kerberos, which is currently not supported by Samba. In this situation, compile Samba yourself or use packages with AD DC support.

* SerNet [http://www.samba.plus Samba+] or [http://www.samba.plus/older-packages/ Enterprise] packages



== Paths ==

If you built Samba yourself using the default directories, add the directories at the beginning of your <code>$PATH</code> variable:

export PATH=/usr/local/samba/bin/:/usr/local/samba/sbin/:$PATH

For information on how to set the path variable permanently, see your distribution's documentation.




Line 93: Line 49:
By default, the first Domain Controller (DC) in a forest runs a DNS server for Active Directory (AD)-based zones. For failover reasons it is recommended to run multiple DCs acting as a DNS server in a network. If you consider providing a DNS service on the new DC:
By default, the first Domain Controller (DC) in a forest runs a DNS server for Active Directory (AD)-based zones. For failover reasons it is recommended to run multiple DCs acting as a DNS server in a network. If you consider providing a DNS service on the new DC:


* For the <code>BIND9_DLZ</code> back end, see [[Configuring_BIND9_DLZ_as_Back_End_for_Samba_AD|Configuring BIND9_DLZ as Back End for Samba AD]]. Finish this task before you start the Samba DC service.
* For the <code>BIND9_DLZ</code> back end, see [[BIND9_DLZ_DNS_Back_End|BIND9_DLZ DNS Back End]]. Finish this task before you start the Samba DC service.
* For the internal DNS no further actions are required.
* For the internal DNS no further actions are required.






== DNS Resolving ==
== Configuring DNS ==


For details, see [[Linux_and_Unix_DNS_Configuration|Linux and Unix DNS Configuration]].
AD relies on DNS for tasks such as locating other DCs and services. Therefore, configure your host to use a DNS server that can resolve the AD DNS zones.


{{Imbox
Set the DNS server IP and AD DNS domain in your <code>/etc/resolv.conf</code>. For example:
| type = note

| text = The 'nameserver' you set in '/etc/resolv.conf' must be an AD DC, otherwise the join will not be able to find the KDC.
nameserver 10.99.0.1
}}
search samdom.example.com

Some utilities, such as NetworkManager, can overwrite manual changes in that file. Consult your distribution's documentation for information on how to configure name resolution permanently.

To verify the DNS settings, try resolving the host name of one of your existing Domain Controllers. For example:

# host -t A DC1.samdom.example.com
DC1.samdom.example.com has address 10.99.0.1
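
Resolving one DC name proves that DNS answers, not that the configured nameserver is itself a DC able to publish the KDC records the join needs. The following script is an added example (not from this wiki page or from Samba) that reads the first <code>nameserver</code> from <code>/etc/resolv.conf</code>, asks that server for the <code>_kerberos._tcp</code> SRV records of the domain, resolves the DC names it returns, and fails unless the nameserver's own IP is among them. It assumes the <code>host</code> utility is installed; the <code>run</code> argument and the sample data are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Samba wiki): before the join, verify that the
# nameserver in /etc/resolv.conf is an AD DC that publishes the Kerberos SRV
# records, since otherwise samba-tool cannot locate the KDC.
# Assumes the "host" utility (bind-utils/dnsutils); the samples are constructed.

# First nameserver listed in resolv.conf-style text on stdin.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }'
}

# Target host names from "host -t SRV" output on stdin (trailing dot removed).
srv_targets() {
    awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF }' | sort -u
}

# Addresses from "host -t A" output on stdin.
a_addresses() {
    awk '/has address/ { print $NF }'
}

# Return 0 if $1 (an IP) appears in the newline-separated list on stdin.
ip_in_list() {
    grep -qxF "$1"
}

# Constructed samples in the format of resolv.conf and the host(1) utility.
SAMPLE_RESOLV='nameserver 10.99.0.1
search samdom.example.com'
SAMPLE_SRV='_kerberos._tcp.samdom.example.com has SRV record 0 100 88 dc1.samdom.example.com.
_kerberos._tcp.samdom.example.com has SRV record 0 100 88 dc3.samdom.example.com.'
SAMPLE_A='dc1.samdom.example.com has address 10.99.0.1'

# Live check (sh dns_preflight.sh run samdom.example.com):
if [ "${1:-}" = "run" ]; then
    realm="${2:?AD DNS domain, e.g. samdom.example.com}"
    ns="$(first_nameserver < /etc/resolv.conf)"
    # Ask the configured nameserver itself, not whatever the resolver library picks.
    dc_ips="$(host -t SRV "_kerberos._tcp.$realm" "$ns" | srv_targets | while IFS= read -r dc; do
                  host -t A "$dc" "$ns" | a_addresses
              done)"
    if printf '%s\n' "$dc_ips" | ip_in_list "$ns"; then
        echo "OK: $ns is a DC for $realm"
    else
        echo "FAIL: $ns is not an AD DC for $realm (DC IPs: $(echo $dc_ips))" >&2
        exit 1
    fi
fi
```

If the check fails, point <code>nameserver</code> at an existing DC for the duration of the join; the section on DNS configuration further down describes what to set once the new DC serves DNS itself.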




Line 148: Line 97:
To join the domain <code>samdom.example.com</code> as a domain controller (DC) that additionally acts as a DNS server using the Samba internal DNS:
To join the domain <code>samdom.example.com</code> as a domain controller (DC) that additionally acts as a DNS server using the Samba internal DNS:


There are three authentication methods you can use: username and password, or one of two Kerberos methods. Both Kerberos methods require that you first obtain a ticket with <code>kinit</code> as a user with administrative rights; <code>-k yes</code> uses the default credential cache, while <code>--krb5-ccache</code> points at a specific cache file.
# samba-tool domain join samdom.example.com DC -U"SAMDOM\administrator" --dns-backend=SAMBA_INTERNAL

Username & Password:
# samba-tool domain join samdom.example.com DC -U"SAMDOM\administrator"

Or:
# samba-tool domain join samdom.example.com DC -k yes

Or:
# samba-tool domain join samdom.example.com DC --krb5-ccache=/tmp/krb5cc_0

Using any of the above should result in output similar to this:

Finding a writeable DC for domain 'samdom.example.com'
Finding a writeable DC for domain 'samdom.example.com'
Found DC dc1.samdom.example.com
Found DC dc1.samdom.example.com
Line 202: Line 163:
See the <code>samba-tool domain join --help</code> command's output for further information.
See the <code>samba-tool domain join --help</code> command's output for further information.


Other frequently used parameters for the <code>samba-tool domain join</code> command:
Other parameters frequently used with the <code>samba-tool domain join</code> command:


* <code>--dns-backend=NAMESERVER-BACKEND</code>: Use the supplied DNS server back end. Valid options are <code>SAMBA_INTERNAL</code>, <code>BIND9_DLZ</code> and <code>NONE</code>. The default is <code>SAMBA_INTERNAL</code>, so you only need to supply this option if you want to use BIND9 (or no DNS server on this DC).
* <code>--site=SITE</code>: Directly join the host as DC to a specific [[Active_Directory_Sites|Active Directory Sites]].
:: If you use the internal DNS server, the join does not ask for a forwarder and does not take the one from <code>/etc/resolv.conf</code>. Supply it with <code>--option="dns forwarder=forwarder_ipaddress"</code>.
* <code>--site=SITE</code>: Directly join the host as DC to a specific [[Active_Directory_Sites|Active Directory Site]].


* <code>--option="interfaces=lo eth0" --option="bind interfaces only=yes"</code>: If your server has multiple network interfaces, use these options to bind Samba to the specified interfaces. This enables <code>samba-tool</code> to register the correct LAN IP address in the directory during the join.
* <code>--option="interfaces=lo eth0" --option="bind interfaces only=yes"</code>: If your server has multiple network interfaces, use these options to bind Samba to the specified interfaces. This enables the <code>samba-tool</code> command to register the correct LAN IP address in the directory during the join.


{{Imbox
| type = note
| text = If the other DCs are Samba DCs and were provisioned with <code>--use-rfc2307</code>, you should add <code>--option='idmap_ldb:use rfc2307 = yes'</code> to the join command.
}}








= Verify the DNS Entries =


= Verifying the DNS Entries =
See [[Verifying_and_Creating_a_DC_DNS_Record|Verifying and Creating a DC DNS Record]].


If the new DC runs Samba 4.7 or later, <code>samba-tool</code> creates all required DNS entries automatically during the join. On earlier versions, create the records manually; see [[Verifying_and_Creating_a_DC_DNS_Record|Verifying and Creating a DC DNS Record]].
{{Imbox
| type = important
| text = Do not skip this step. If the DNS entries are missing, the directory replication fails.
}}




Line 225: Line 189:




= BIND9_DLZ DNS Back End =
= Configuring the BIND9_DLZ DNS Back End =


If you selected the <code>BIND9_DLZ</code> DNS back end during the domain join, set up the BIND configuration. For details, see [[Configuring_BIND9_DLZ_as_Back_End_for_Samba_AD|Configure BIND as Back End for Samba AD]].
If you selected the <code>BIND9_DLZ</code> DNS back end during the domain join, set up the BIND configuration. For details, see [[BIND9_DLZ_DNS_Back_End|BIND9_DLZ DNS Back End]].




Line 233: Line 197:




= Built-in Groups GID Mappings =
= Built-in User & Group ID Mappings =
{{:SysVol replication (DFS-R)}}


Samba currently does not support Sysvol replication. If you plan to use a [[SysVol_replication_(DFS-R)|Sysvol Replication]] workaround, you have to ensure that all domain controllers (DC) use the same GID mappings for built-in groups:


To use a Sysvol Replication workaround, all domain controllers (DC) must use the same ID mappings for built-in users and groups.
* Create a hot-backup of the <code>/usr/local/samba/private/idmap.ldb</code> file on an existing DC:

By default, a Samba DC stores the user and group IDs in <code>xidNumber</code> attributes in <code>idmap.ldb</code>. Because each DC allocates these IDs locally in its own <code>idmap.ldb</code>, there is no guarantee that every DC uses the same ID for a given user or group. To ensure that all DCs use the same IDs, you must:

* Create a hot-backup of the <code>/usr/local/samba/private/idmap.ldb</code> file on the existing DC:


# tdbbackup -s .bak /usr/local/samba/private/idmap.ldb
# tdbbackup -s .bak /usr/local/samba/private/idmap.ldb
Line 244: Line 212:


* Move the backup file to the <code>/usr/local/samba/private/</code> folder on the newly joined DC and remove the <code>.bak</code> suffix to replace the existing file.
* Move the backup file to the <code>/usr/local/samba/private/</code> folder on the newly joined DC and remove the <code>.bak</code> suffix to replace the existing file.

* Run <code>net cache flush</code> on the new DC.

* You will now need to sync Sysvol to the new DC.


* Reset the Sysvol folder's file system access control lists (ACL) on the new DC:
* Reset the Sysvol folder's file system access control lists (ACL) on the new DC:
Line 253: Line 225:




= Start Samba =
= Starting the Samba Service =


To start the Samba domain controller (DC), run:
To start the Samba Active Directory (AD) domain controller (DC) service manually, run the <code>samba</code> binary:


# samba
# samba


Samba does not provide System V init scripts, <code>systemd</code>, <code>upstart</code>, or other service configuration files.
Samba does not include start scripts. For examples, see [[Samba4/InitScript|Samba Init-Script]].
* If you installed Samba using packages, use the script or service configuration file included in the package to start Samba.
* If you built Samba, see [[Managing_the_Samba_AD_DC_Service|Managing the Samba AD DC Service]].




Line 265: Line 239:




= Directory Replication =
= Verifying Directory Replication =


A few minutes after the domain controller (DC) has started, the connections with all other DCs are established automatically and the replication begins.
After the domain controller (DC) has been started, the knowledge consistency checker (KCC) on the Samba DC creates replication agreements to other DCs in the Active Directory (AD) forest. It can take up to 15 minutes until the KCC creates the auto-generated replication connections.


To verify the directory replication, run on a Samba DC:
For details about how to verify that the directory replication works correctly, see [[Verifying the Directory Replication Statuses]].


{{Imbox
# samba-tool drs showrepl
| type = note
Default-First-Site-Name\DC2
| text = To optimize replication latency and cost, the KCC in Samba 4.5 and later no longer creates a fully-meshed replication topology between all DCs. For further details, see [[The Samba KCC]].
DSA Options: 0x00000001
}}
DSA object GUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48
DSA invocationId: 7bdb135c-6868-4dd9-9460-33dea4b6b87b
==== INBOUND NEIGHBORS ====
CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
Last attempt @ Thu Sep 24 20:08:46 2015 CEST was successful
0 consecutive failure(s).
Last success @ Thu Sep 24 20:08:46 2015 CEST
DC=DomainDnsZones,DC=samdom,DC=example,DC=com
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
Last attempt @ Thu Sep 24 20:08:45 2015 CEST was successful
0 consecutive failure(s).
Last success @ Thu Sep 24 20:08:45 2015 CEST
CN=Configuration,DC=samdom,DC=example,DC=com
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
Last attempt @ Thu Sep 24 20:08:46 2015 CEST was successful
0 consecutive failure(s).
Last success @ Thu Sep 24 20:08:46 2015 CEST
DC=ForestDnsZones,DC=samdom,DC=example,DC=com
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
Last attempt @ Thu Sep 24 20:08:45 2015 CEST was successful
0 consecutive failure(s).
Last success @ Thu Sep 24 20:08:45 2015 CEST
DC=samdom,DC=example,DC=com
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
Last attempt @ Thu Sep 24 20:08:45 2015 CEST was successful
0 consecutive failure(s).
Last success @ Thu Sep 24 20:08:45 2015 CEST
==== OUTBOUND NEIGHBORS ====
CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=DomainDnsZones,DC=samdom,DC=example,DC=com
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
CN=Configuration,DC=samdom,DC=example,DC=com
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=ForestDnsZones,DC=samdom,DC=example,DC=com
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=samdom,DC=example,DC=com
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
==== KCC CONNECTION OBJECTS ====
Connection --
Connection name: fb03f58b-1654-4a02-8e11-f0ea120b60cc
Enabled : TRUE
Server DNS name : DC1.samdom.example.com
Server DN name : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!


It can take several minutes until all connections are established. If the connections on existing Samba DCs to the Windows DC are not established within 15 minutes, start the replication manually. For details, see [[Samba-tool_drs_replicate|samba-tool drs replicate]].


If you are seeing the warning "No NC replicated for Connection!", see [[FAQ#Message:_Warning:_No_NC_replicated_for_Connection.21|FAQ: Warning: No NC replicated for Connection!]].






= Starting BIND =


Before you start the BIND daemon, verify that the DNS directory partitions have been successfully replicated:

= Starting the BIND daemon =

Before you start the BIND daemon, verify that the DNS directory partitions have been replicated:


# samba-tool drs showrepl
# samba-tool drs showrepl
Line 392: Line 276:
Last success @ Thu Sep 24 20:08:45 2015 CEST
Last success @ Thu Sep 24 20:08:45 2015 CEST


If the replication is working, start the BIND daemon. See your distribution's documentation for information on how to start a service.
If the replication works correctly, start the BIND service. See your distribution's documentation for information on how to start a service.





= Testing your Samba AD DC =


== Verifying the File Server ==


For details, see [[Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Verifying_the_File_Server|Verifying the File Server]] in the [[Setting_up_Samba_as_an_Active_Directory_Domain_Controller|Setting up Samba as an Active Directory Domain Controller]] documentation.






= Testing the Local DNS =
== Testing the Local DNS Server ==


Skip this step if you selected <code>--dns-backend=NONE</code> during the join.
Skip this step if you selected <code>--dns-backend=NONE</code> during the join.
Line 413: Line 305:
samdom.example.com has address 10.99.0.2
samdom.example.com has address 10.99.0.2


The local DNS must answer with the IP addresses of all domain controllers (DC).
The local DNS resolves the domain name to the IP addresses of all domain controllers (DC).


If you receive no result or a different one, review this documentation and check:
If you receive no result or a different one, review this documentation and check:
Line 419: Line 311:
* the Samba log files,
* the Samba log files,
* the BIND log files, if the <code>BIND9_DLZ</code> is used.
* the BIND log files, if the <code>BIND9_DLZ</code> is used.



== Verifying Kerberos ==

For details, see [[Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Verifying_Kerberos|Verifying Kerberos]] in the [[Setting_up_Samba_as_an_Active_Directory_Domain_Controller|Setting up Samba as an Active Directory Domain Controller]] documentation.




Line 426: Line 324:
= DNS Configuration on Domain Controllers =
= DNS Configuration on Domain Controllers =


The DNS configuration on domain controllers (DC) is important, because if a DC is unable to locate the other DCs, replication fails. The following is a best practice for DNS configuration on domain controllers (DC):
The DNS configuration on domain controllers (DC) is important, because if a DC is unable to locate the other DCs, replication fails.


Set the local IP of a DC as secondary or tertiary <code>nameserver</code> entry in its <code>/etc/resolv.conf</code> file and use a different Active Directory (AD) DNS server IP from the forest as primary name server. For example:
Set the local IP of the DC as the primary name server. For example:


On the newly joined DC, use the <code>10.99.0.1</code> IP of the existing DC as primary and the local <code>10.99.0.2</code> IP as secondary <code>nameserver</code> entry:
On the newly joined DC, use the local <code>10.99.0.2</code> IP as primary <code>nameserver</code> entry:


nameserver 10.99.0.1
nameserver 10.99.0.2
nameserver 10.99.0.2 # IP of the new joined DC as secondary entry
search samdom.example.com
search samdom.example.com



If you run more than two DCs, you can configure the <code>nameserver</code> entries crosswise, so that each DC uses a different DC as its fallback.



= Configuring Time Synchronisation =

Kerberos requires a synchronised time on all domain members. For further details and how to set up the <code>ntpd</code> service, see [[Time_Synchronisation|Time Synchronisation]].





= Configuring Winbindd on a Samba AD DC =

''Optional''. For details, see [[Configuring_Winbindd_on_a_Samba_AD_DC|Configuring Winbindd on a Samba AD DC]].





= Using the Domain Controller as a File Server =

For details, see [[Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server|Using the Domain Controller as a File Server]].




Line 444: Line 363:
= Sysvol Replication =
= Sysvol Replication =


Samba currently does not support Sysvol replication. For unsupported workarounds, see [[SysVol_replication_(DFS-R)|Sysvol Replication]].
Samba currently does not replicate Sysvol automatically; you must use some other form of replication. For community-supported workarounds, see [[SysVol_replication_(DFS-R)|Sysvol Replication]].

{{Imbox
| type = note
| text = If there are more than the default GPOs in Sysvol on the other DC(s), you must sync Sysvol to the new DC, <code>samba-tool ntacl sysvolreset</code> will throw an error if you do not.
}}




Line 452: Line 376:
= Testing the Directory Replication =
= Testing the Directory Replication =


To test that the directory replication works correctly, add, for example, a user on an existing DC and verify that it shows up automatically on the newly joined DC.
To test that the directory replication works correctly, add, for example, a user on an existing DC and verify that it shows up automatically on the newly joined DC.


Optionally use the <code>ldapcmp</code> utility to compare two directories. For details, see [[Samba-tool_ldapcmp|samba-tool ldapcmp]].
Optionally use the <code>ldapcmp</code> utility to compare two directories. For details, see [[Samba-tool_ldapcmp|samba-tool ldapcmp]].
Line 462: Line 386:
= Troubleshooting =
= Troubleshooting =


For troubleshooting, see [[Samba_AD_DC_Troubleshooting|Samba AD DC Troubleshooting]].
For further details, see [[Samba_AD_DC_Troubleshooting|Samba AD DC Troubleshooting]].





----
[[Category:Active Directory]]
[[Category:Domain Control]]

Revision as of 09:35, 8 September 2019

Introduction

Running one domain controller (DC) is sufficient for a working Active Directory (AD) forest. However, for failover and load balancing reasons, you should add further DCs to your AD forest. Joining an additional Samba DC to an existing AD differs from provisioning the first DC in a forest. If you set up a new AD forest, see Setting up Samba as an Active Directory Domain Controller.



Preparing the Installation

For details, see Preparing the Installation in the Setting up Samba as an Active Directory Domain Controller documentation.



Installing Samba

For details, see Installing Samba.



Preparing the Host for Joining the Domain

Local DNS server

By default, the first Domain Controller (DC) in a forest runs a DNS server for Active Directory (AD)-based zones. For failover reasons it is recommended to run multiple DCs acting as a DNS server in a network. If you consider providing a DNS service on the new DC:

  • For the BIND9_DLZ back end, see BIND9_DLZ DNS Back End. Finish this task before you start the Samba DC service.
  • For the internal DNS no further actions are required.


Configuring DNS

For details, see Linux and Unix DNS Configuration.


Kerberos

Set the following options in your Kerberos client configuration file /etc/krb5.conf:

[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = SAMDOM.EXAMPLE.COM

To verify the settings use the kinit command to request a Kerberos ticket for the domain administrator:

# kinit administrator
Password for administrator@SAMDOM.EXAMPLE.COM:

To list Kerberos tickets:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@SAMDOM.EXAMPLE.COM

Valid starting       Expires              Service principal
24.09.2015 19:56:55  25.09.2015 05:56:55  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
	renew until 25.09.2015 19:56:53



Joining the Active Directory as a Domain Controller

To join the domain samdom.example.com as a domain controller (DC) that additionally acts as a DNS server using the Samba internal DNS:

There are three authentication methods you can use: username and password, or one of two Kerberos methods. Both Kerberos methods require that you first obtain a ticket with kinit as a user with administrative rights; -k yes uses the default credential cache, while --krb5-ccache points at a specific cache file.

Username & Password:

# samba-tool domain join samdom.example.com DC -U"SAMDOM\administrator"

Or:

# samba-tool domain join samdom.example.com DC -k yes

Or:

# samba-tool domain join samdom.example.com DC --krb5-ccache=/tmp/krb5cc_0

Using any of the above should result in output similar to this:

Finding a writeable DC for domain 'samdom.example.com'
Found DC dc1.samdom.example.com
Password for [SAMDOM\administrator]:
workgroup is SAMDOM
realm is samdom.example.com
Adding CN=DC2,OU=Domain Controllers,DC=samdom,DC=example,DC=com
Adding CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
Adding CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
Adding SPNs to CN=DC2,OU=Domain Controllers,DC=samdom,DC=example,DC=com
Setting account password for DC2$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Provision OK for domain DN DC=samdom,DC=example,DC=com
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[402/1618] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[804/1618] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1206/1618] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1608/1618] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1618/1618] linked_values[42/0]
Replicating critical objects from the base DN of the domain
Partition[DC=samdom,DC=example,DC=com] objects[100/100] linked_values[23/0]
Partition[DC=samdom,DC=example,DC=com] objects[386/286] linked_values[23/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=samdom,DC=example,DC=com
Partition[DC=DomainDnsZones,DC=samdom,DC=example,DC=com] objects[44/44] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=samdom,DC=example,DC=com
Partition[DC=ForestDnsZones,DC=samdom,DC=example,DC=com] objects[19/19] linked_values[0/0]
Committing SAM database
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain SAMDOM (SID S-1-5-21-469703510-2364959079-1506205053) as a DC

See the samba-tool domain join --help command's output for further information.

Other parameters frequently used with the samba-tool domain join command:

  • --dns-backend=NAMESERVER-BACKEND: Use the supplied DNS server back end. Valid options are SAMBA_INTERNAL, BIND9_DLZ and NONE. The default is SAMBA_INTERNAL, so you only need to supply this option if you want to use BIND9 (or no DNS server on this DC).
If you use the internal DNS server, the join does not ask for a forwarder and does not take the one from /etc/resolv.conf. Supply it with --option="dns forwarder=forwarder_ipaddress".
  • --option="interfaces=lo eth0" --option="bind interfaces only=yes": If your server has multiple network interfaces, use these options to bind Samba to the specified interfaces. This enables the samba-tool command to register the correct LAN IP address in the directory during the join.



Verifying the DNS Entries

If the new DC runs Samba 4.7 or later, samba-tool creates all required DNS entries automatically during the join. On earlier versions, create the records manually; see Verifying and Creating a DC DNS Record.



Configuring the BIND9_DLZ DNS Back End

If you selected the BIND9_DLZ DNS back end during the domain join, set up the BIND configuration. For details, see BIND9_DLZ DNS Back End.



Built-in User & Group ID Mappings

Samba in its current state doesn't support SysVol replication via DFS-R (Distributed File System Replication) or the older FRS (File Replication Service) used in Windows Server 2000/2003 for Sysvol replication.

We currently advise administrators to use one of the following workarounds:



To use a Sysvol Replication workaround, all domain controllers (DC) must use the same ID mappings for built-in users and groups.

By default, a Samba DC stores the user and group IDs in xidNumber attributes in idmap.ldb. Because each DC allocates these IDs locally in its own idmap.ldb, there is no guarantee that every DC uses the same ID for a given user or group. To ensure that all DCs use the same IDs, you must:

  • Create a hot-backup of the /usr/local/samba/private/idmap.ldb file on the existing DC:
# tdbbackup -s .bak /usr/local/samba/private/idmap.ldb
This creates a backup file /usr/local/samba/private/idmap.ldb.bak.
  • Move the backup file to the /usr/local/samba/private/ folder on the newly joined DC and remove the .bak suffix to replace the existing file.
  • Run net cache flush on the new DC.
  • You will now need to sync Sysvol to the new DC.
  • Reset the Sysvol folder's file system access control lists (ACL) on the new DC:
# samba-tool ntacl sysvolreset
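An added check, not part of the Samba project, for use after copying idmap.ldb: it parses the SID-to-xidNumber mappings dumped from two DCs with ldbsearch and lists every SID that the two DCs map to different IDs, which is exactly the mismatch that makes synced Sysvol ACLs refer to the wrong principals. The dumps below are constructed samples, and the S-1-5-21-111-222-333 domain SID is made up.

```python
# Constructed samples of 'ldbsearch -H /usr/local/samba/private/idmap.ldb "(objectClass=sidMap)"
# objectSid xidNumber' output from two DCs; the S-1-5-21-... domain SID is made up,
# S-1-5-32-544 is the well-known BUILTIN\Administrators SID.
DC1_DUMP = """\
# record 1
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
xidNumber: 3000000

# record 2
dn: CN=S-1-5-21-111-222-333-512
objectSid: S-1-5-21-111-222-333-512
xidNumber: 3000001

# returned 2 records
"""
# A DC that allocated IDs on its own: the same principals, but with the two numbers swapped.
DC2_DUMP = DC1_DUMP.replace("3000000", "TMP").replace("3000001", "3000000").replace("TMP", "3000001")


def parse_sid_map(ldif_text):
    """Return {objectSid: xidNumber} from ldbsearch LDIF output; a blank line ends a record."""
    mapping, sid, xid = {}, None, None
    for line in ldif_text.splitlines() + [""]:   # trailing "" commits the last record
        if line.startswith("#"):                 # ldbsearch comments: '# record 1', '# returned ...'
            continue
        if not line:                             # end of record: commit what was collected
            if sid is not None and xid is not None:
                mapping[sid] = xid
            sid, xid = None, None
        elif line.startswith("objectSid: "):
            sid = line.split(": ", 1)[1]
        elif line.startswith("xidNumber: "):
            xid = int(line.split(": ", 1)[1])
    return mapping


def idmap_differences(dump_a, dump_b):
    """SIDs present on both DCs but mapped to different IDs: {sid: (id_on_a, id_on_b)}."""
    a, b = parse_sid_map(dump_a), parse_sid_map(dump_b)
    return {sid: (a[sid], b[sid]) for sid in a.keys() & b.keys() if a[sid] != b[sid]}


if __name__ == "__main__":  # usage: python3 idmap_diff.py dc1.ldif dc2.ldif
    import sys
    with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
        for sid, (x1, x2) in sorted(idmap_differences(f1.read(), f2.read()).items()):
            print(f"{sid}: {x1} on first DC, {x2} on second DC")
```

After the copy and the net cache flush, the two dumps should produce no output from this script; any line it prints names a principal whose Sysvol ACL entries would be misattributed on one of the DCs.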



Starting the Samba Service

To start the Samba Active Directory (AD) domain controller (DC) service manually, enter:

# samba

Samba does not provide System V init scripts, systemd, upstart, or other service configuration files.

  • If you installed Samba using packages, use the script or service configuration file included in the package to start Samba.
  • If you built Samba, see Managing the Samba AD DC Service.



Verifying Directory Replication

After the domain controller (DC) has been started, the knowledge consistency checker (KCC) on the Samba DC creates replication agreements with the other DCs in the Active Directory (AD) forest. It can take up to 15 minutes before the KCC creates the auto-generated replication connections.

For details about how to verify that the directory replication works correctly, see Verifying the Directory Replication Statuses.



Starting BIND

Before you start the BIND daemon, verify that the DNS directory partitions have been successfully replicated:

# samba-tool drs showrepl
...
==== INBOUND NEIGHBORS ====
...
DC=DomainDnsZones,DC=samdom,DC=example,DC=com
	Default-First-Site-Name\DC1 via RPC
		DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
		Last attempt @ Thu Sep 24 20:08:45 2015 CEST was successful
		0 consecutive failure(s).
		Last success @ Thu Sep 24 20:08:45 2015 CEST
...
DC=ForestDnsZones,DC=samdom,DC=example,DC=com
	Default-First-Site-Name\DC1 via RPC
		DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
		Last attempt @ Thu Sep 24 20:08:45 2015 CEST was successful
		0 consecutive failure(s).
		Last success @ Thu Sep 24 20:08:45 2015 CEST

If the replication works correctly, start the BIND service. See your distribution's documentation for information on how to start a service.
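The check above can be scripted. The following is an added example, not code from the Samba project: it parses the INBOUND NEIGHBORS block of samba-tool drs showrepl and only reports the DNS partitions as ready when every inbound source reports a successful last attempt with 0 consecutive failures; a partition that is missing from the output also blocks the start. The sample output is constructed in the layout shown above, with one partition deliberately failing.

```python
import sys

# DNS application partitions that BIND9_DLZ serves; both must replicate inbound.
DNS_PARTITIONS = ("DC=DomainDnsZones,", "DC=ForestDnsZones,")

# Constructed sample in the layout 'samba-tool drs showrepl' prints; not captured from a real DC.
SAMPLE_SHOWREPL = """\
==== INBOUND NEIGHBORS ====
DC=DomainDnsZones,DC=samdom,DC=example,DC=com
\tDefault-First-Site-Name\\DC1 via RPC
\t\tLast attempt @ Thu Sep 24 20:08:45 2015 CEST was successful
\t\t0 consecutive failure(s).
DC=ForestDnsZones,DC=samdom,DC=example,DC=com
\tDefault-First-Site-Name\\DC1 via RPC
\t\tLast attempt @ Thu Sep 24 20:10:02 2015 CEST failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
\t\t3 consecutive failure(s).
"""

def inbound_status(showrepl_output):
    """Map each partition DN under INBOUND NEIGHBORS to its inbound sources and their state."""
    parts, inbound, dn = {}, False, None
    for raw in showrepl_output.splitlines():
        line = raw.strip()
        if line.startswith("===="):                 # section header: only INBOUND matters
            inbound = "INBOUND NEIGHBORS" in line
        elif not inbound or not line:
            continue
        elif raw[0] not in " \t":                   # unindented: a partition DN
            dn = line
            parts[dn] = []
        elif " via " in line:                       # one tab: the replication source
            parts[dn].append({"source": line.split(" via ")[0], "ok": False, "failures": None})
        elif line.startswith("Last attempt @"):     # two tabs: outcome of the last pull
            parts[dn][-1]["ok"] = line.endswith("was successful")
        elif line.endswith("consecutive failure(s)."):
            parts[dn][-1]["failures"] = int(line.split()[0])
    return parts

def dns_partitions_ready(showrepl_output):
    """Per DNS partition: True only if every inbound source succeeded last time with 0 failures."""
    return {dn: bool(srcs) and all(s["ok"] and s["failures"] == 0 for s in srcs)
            for dn, srcs in inbound_status(showrepl_output).items()
            if dn.startswith(DNS_PARTITIONS)}

def safe_to_start_bind(showrepl_output):  # both partitions must be listed and healthy
    ready = dns_partitions_ready(showrepl_output)
    return len(ready) == len(DNS_PARTITIONS) and all(ready.values())

if __name__ == "__main__":  # usage: samba-tool drs showrepl | python3 check_dns_repl.py
    raise SystemExit(0 if safe_to_start_bind(sys.stdin.read()) else 1)
```

A non-zero exit status means at least one DNS partition has not replicated yet, so BIND would start without complete zone data.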



Testing your Samba AD DC

Verifying the File Server

For details, see Verifying the File Server in the Setting up Samba as an Active Directory Domain Controller documentation.


Testing the Local DNS Server

Skip this step if you selected --dns-backend=NONE during the join.

Query the local DNS server to resolve the domain name samdom.example.com:

# host -t A samdom.example.com localhost
Using domain server:
Name: localhost
Address: 127.0.0.1#53
Aliases:

samdom.example.com has address 10.99.0.1
samdom.example.com has address 10.99.0.2

The local DNS server resolves the domain name to the IP addresses of all domain controllers (DCs).

If you receive no result or a different one, review this documentation and check:

  • the system log files,
  • the Samba log files,
  • the BIND log files, if the BIND9_DLZ is used.


Verifying Kerberos

For details, see Verifying Kerberos in the Setting up Samba as an Active Directory Domain Controller documentation.



DNS Configuration on Domain Controllers

The DNS configuration on domain controllers (DCs) is important, because if a DC is unable to locate the other DCs, replication fails.

Set the local IP address of the DC as the primary name server. For example:

On the newly joined DC, use the local 10.99.0.2 IP address as the primary nameserver entry:

nameserver 10.99.0.2
search samdom.example.com



Configuring Time Synchronisation

Kerberos requires a synchronised time on all domain members. For further details and how to set up the ntpd service, see Time Synchronisation.



Configuring Winbindd on a Samba AD DC

Optional. For details, see Configuring Winbindd on a Samba AD DC.



Using the Domain Controller as a File Server

For details, see Using the Domain Controller as a File Server.



Sysvol Replication

Samba currently does not replicate Sysvol automatically; you must use some other form of replication. For community-supported workarounds, see Sysvol Replication.



Testing the Directory Replication

To test that the directory replication works correctly, for example, add a user on an existing DC and verify that it appears automatically on the newly joined DC.

Optionally use the ldapcmp utility to compare two directories. For details, see samba-tool ldapcmp.



Troubleshooting

For further details, see Samba AD DC Troubleshooting.