Samba4 joining a domain as a DC

As of Samba4 alpha11, Samba4 now has the ability to join an existing Active Directory domain as an additional domain controller. The process of joining a Samba4 server to an existing domain is a bit different to provisioning a new domain. This process is the equivalent of the 'dcpromo' command on Windows servers.

This HOWTO will assume you configured and installed Samba in the default location of /usr/local/samba. It assumes you are joining Samba to an existing domain called 'samba.example.com'.

Getting ready for joining Samba as a DC to an exiting domain

You need to build Samba4 as usual, but don't do the provision step. You should remove any existing smb.conf in /usr/local/samba/etc/smb.conf

You should have your Windows domain setup correctly as your default realm in /etc/krb5.conf, and you should have these options setup in /etc/krb5.conf:

[libdefaults]
 dns_lookup_realm = true
 dns_lookup_kdc = true
 default_realm = SAMBA.EXAMPLE.COM

You should then test to make sure that DNS and kerberos are setup correctly to point at your existing Windows DC. Test that it is all working by trying a kinit as a domain administration:

kinit administrator
Password: XXXXXXXX

Once all that is setup you can move on to the main domain join step

Joining the Windows domain as a DC

Run the following command as root:

bin/net vampire samba.example.com -Uadministrator --realm=samba.example.com

It should show a set of debug messages about replicating the domain contents, like this:

Partition[CN=Configuration,DC=sample,DC=example,DC=com] objects[1596] linked_values[1]

then it will show a message like this:

mark ROOTDSE with isSynchronized=TRUE
Vampired domain VSOFS8 (S-1-5-21-2848215498-2472035911-1947525656)

at this point you have joined your Samba4 server to the Windows domain.