Difference between revisions of "Joining a Samba DC to an Existing Active Directory"

From SambaWiki
(Complete rewrite and refresh of the 'Join as DC' documentation. It contains now more details, missing information, etc.)
= Introduction =
= Samba4 joining a domain as a DC =

Besides the ability to join an Active Directory as a [[Setup_a_Samba_AD_Member_Server|Member Server]], it is possible to join as a Domain Controller, too.

The process of joining a Samba server to an existing domain is a bit different to [[Samba_AD_DC_HOWTO|provisioning a new domain]]. This process is the equivalent of the 'dcpromo' command on Windows servers.

As of Samba4 alpha11, Samba4 has the ability to join an existing Active Directory domain as an additional domain controller. The process of joining a Samba4 server to an existing domain is a bit different to provisioning a new domain. This process is the equivalent of the 'dcpromo' command on Windows servers.

This HOWTO assumes you have configured and installed Samba in the default location of /usr/local/samba. It assumes you are joining Samba to an existing domain called 'samdom.example.com'.
 
   
Please note that the following steps are the same regardless of whether you are joining Samba to an existing Windows based domain or an existing Samba based domain.

== Getting ready for joining Samba as a DC to an existing domain ==

* You need to install Samba as a DC, as described in the [[Samba_AD_DC_HOWTO|Samba AD DC HowTo]], but don't do the provision/classicupgrade step. If you choose [[DNS_Backend_BIND|BIND as DNS backend]], instead of the internal DNS, then you, of course, have to install BIND before you continue. Depending on your needs, you can have different backends on each of your DCs.

== Server information ==

This documentation uses the following configuration/settings:
 
   

'''Existing DC in the domain:'''
Hostname: DC1
IP: 10.99.0.1
DC is also a DNS server: yes

'''Domain information:'''
DNS Domain Name: samdom.example.com
NT4 Domain Name (NETBIOS): SAMDOM
Kerberos Realm: SAMDOM.EXAMPLE.COM
Domain Administrator: Administrator
Domain Administrator Password: passw0rd

'''DC additionally joined to the domain:'''
Hostname: DC2
IP Address: 10.99.0.2
Installation Directory: /usr/local/samba/

* You should remove any existing smb.conf in /usr/local/samba/etc/.

* Be sure that you have set up your existing domain correctly as your default realm in /etc/krb5.conf with the following options:

[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
default_realm = SAMDOM.EXAMPLE.COM
 
   

* You should then test to make sure that DNS and Kerberos are set up correctly to point at your existing domain controller. Test that it is all working by trying a kinit as a domain administrator:

# kinit administrator
Password: XXXXXXXX

* klist should give you an output like the following:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@samdom.example.com

Valid starting Expires Service principal
11/11/12 17:29:51 11/12/12 03:29:51 krbtgt/samdom.example.com@samdom.example.com
renew until 11/12/12 17:29:49

* Once all that is set up, you can move on to the join domain step.

== Versions ==

This HowTo is frequently updated to reflect the latest changes. Please see the [[Samba_Release_Planning|Samba Release Planning]] for more specifics.

Please review the release notes for the version you have installed. It may contain important information not yet reflected in this HowTo.
 
   
   
   

= Installation =

== Different ways to install ==

'''Always check the [[OS Requirements|OS Requirements]] for dependencies and recommendations.'''

You have a few options to install Samba:

* [[Build_Samba|Build Samba]] by yourself.
* Install [[Binary_Distribution_Packages|binary distribution packages]]. Make sure that you use a recent Samba installation with Active Directory Domain Controller capabilities!
:* Install from [http://www.enterprisesamba.com/samba/ SerNet Enterprise Samba] package.

== Paths ==

Take care when running Samba commands if you also have a previous version of Samba installed! To avoid inadvertently running the wrong version of a program, you should consider putting the „/usr/local/samba/bin/“ and „/usr/local/samba/sbin/“ directories at the <u>beginning of your $PATH variable</u>.

You can see what version of Samba and client tools, if any, is in your „$PATH“ variable by running:

# samba -V
# smbclient -V

== Joining the existing domain as a DC ==

* Make sure that your /etc/resolv.conf contains at least one „nameserver“ entry pointing to a DNS server that can resolve your Samba AD zone(s). Example:

nameserver 10.99.0.1

* Run the following command as root:

# bin/samba-tool domain join samdom.example.com DC -Uadministrator --realm=samdom.example.com

:Since samba4 rc2 the internal DNS server is the default. If you want to join this or a higher version using [[DNS_Backend_BIND|BIND as DNS backend]], use the following command:

# bin/samba-tool domain join samdom.example.com DC -Uadministrator --realm=samdom.example.com --dns-backend=BIND9_DLZ

* During the join, you should see a set of debug messages about replicating the domain's content, like this:

Partition[CN=Configuration,DC=samba,DC=example,DC=com] objects[1614/1614] linked_values[28/0]

* At the end, you will see a message like this:

Joined domain SAMBA (SID S-1-5-21-3565189888-2228146013-2029845409) as a DC

* Now you have joined your Samba4 server to your existing domain.
   
   
== Check required DNS entries of the new host ==

* Before you start Samba, you should check whether the new DC's DNS entries were set correctly during the join. This does not currently work reliably, and in that case the entries have to be added manually.

* From the new host, try to resolve its hostname:

# host -t A dc2.samdom.example.com.

:If this fails, you have to add the A record by hand. Run on your existing DC:

# samba-tool dns add IP-of-your-DNS-server samdom.example.com DC2 A IP-of-the-DC-you-had-joined -Uadministrator

* You should also check whether the objectGUID is resolvable to the new hostname. For that, run

# ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid

:to find out the objectGUID of the new server. The command should give you an output like

# record 1
dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=example,DC=com
objectGUID: 737506d0-bfe6-40c8-815d-08c3dff7a67f
...

:In this case, 737506d0-bfe6-40c8-815d-08c3dff7a67f is the objectGUID of the new DC, which we'll query with the following command:

# host -t CNAME 737506d0-bfe6-40c8-815d-08c3dff7a67f._msdcs.samdom.example.com.

:This should output the alias (CNAME) of this entry pointing to your new DC name.

:If this record is also missing, you have to add it, too:

# samba-tool dns add IP-of-your-DNS _msdcs.samdom.example.com 737506d0-bfe6-40c8-815d-08c3dff7a67f CNAME DC2.samdom.example.com -Uadministrator

:If you are running BIND as DNS backend and still can't resolve the newly added DNS entries, see [[DNS_Backend_BIND#New_added_DNS_entries_are_not_resolvable|BIND DNS backend: New added DNS entries are not resolvable]].

* Now it's time to put a „nameserver“ entry of your new DC in your /etc/resolv.conf (if you didn't join the domain with „--dns-backend=none“). Example:

nameserver 10.99.0.2

= Preparing the host for the domain join =

== Local DNS server ==

Per default, the first Domain Controller in a domain automatically acts as a DNS server for AD based zones. For failover reasons, it is recommended to have at least two DCs providing AD DNS services.

If you plan to join the additional Domain Controller with BIND as DNS backend, you have to [[DNS_Backend_BIND|setup BIND as AD backend]] first. For setups using the internal or no local DNS, no further steps have to be done.

== DNS resolving ==

Configure the host you want to join as an additional Domain Controller to use a DNS server that is able to resolve zones from the Active Directory. On Linux and Unixes, this is typically done by adding a „nameserver“ and „search domain“ entry to /etc/resolv.conf:

nameserver <u>10.99.0.1</u>
search samdom.example.com

Consult your distribution's documentation for configuring the usage of a DNS server.

To verify correct name resolution, try resolving the hostname of one of your existing Domain Controllers:

# host -t A <u>DC1</u>.samdom.example.com
DC1.samdom.example.com has address 10.99.0.1

== Kerberos ==
 
   

* Add the following content to /etc/krb5.conf:

[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
default_realm = SAMDOM.EXAMPLE.COM

* Verify the correct Kerberos setup by obtaining a ticket:

# kinit administrator
Password for administrator@SAMDOM.EXAMPLE.COM:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@SAMDOM.EXAMPLE.COM

Valid starting Expires Service principal
09.11.2014 17:34:09 10.11.2014 03:34:09 krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
renew until 10.11.2014 17:34:07

It should be noted that although DNS replication is active, additional DNS configurations such as forwarders are not copied. See [[Samba_AD_DC_HOWTO#Configure_DNS|Configure DNS]] for more details.

== Workaround: Fix Keytab permissions for BIND_DLZ ==

This workaround is required until [https://bugzilla.samba.org/show_bug.cgi?id=10881 Bug #10881] is solved for the version of Samba you're running!

If you had provisioned your new DC with --dns-backend=BIND9_DLZ, you have to ensure that BIND is able to read the 'dns.keytab' file:

# chmod 640 /usr/local/samba/private/dns.keytab
# chgrp named /usr/local/samba/private/dns.keytab

Otherwise, BIND will not be able to update your zone(s)! One of the results is that 'samba_dnsupdate' can't add e.g. the important DNS entries that clients use to locate the DC. In case of a failure of your existing DC, domain logons using your new DC are not possible!

== Starting Samba ==

You start samba as a DC in the same way that you start it as a normal server, just run the command 'samba' from the sbin directory of your installation.

When you first start Samba as a new DC in an existing Windows domain, you may find error messages like these in the samba log file:

UpdateRefs failed with WERR_DS_DRA_BAD_NC/NT code 0xc00020f8 for 5344d0a6-78a1-4758be69-66d933f1123._msdcs.samdom.example.com CN=RID Manager$,CN=System,DC=samba,DC=example,DC=com

This is caused by the Windows domain controller not yet having run its Knowledge Consistency Checker (KCC), which means it has not yet created connections to the new Samba DC.

To fix this, you can either run "repadmin /kcc" on the Windows DC as an administrator, or you can use the samba-tool command to do the same thing, like this:

# samba-tool drs kcc -Uadministrator windowsdc.samdom.example.com

You should then check that replication between the Windows DC and the Samba DC is working correctly by using:

# samba-tool drs showrepl
Default-First-Site-Name\DC2
DSA Options: 0x00000001
DSA object GUID: 737506d0-bfe6-40c8-815d-08c3dff7a67f
DSA invocationId: eb242434-ca7e-4da7-9b1d-b289ba1922e9

==== INBOUND NEIGHBORS ====

DC=samba,DC=example,DC=com
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 25e33532-42f2-4082-b9f4-072f9108b565
Last attempt @ Sun Nov 11 18:02:02 2012 CET was successful
0 consecutive failure(s).
Last success @ Sun Nov 11 18:02:02 2012 CET

CN=Configuration,DC=samba,DC=example,DC=com
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 25e33532-42f2-4082-b9f4-072f9108b565
Last attempt @ Sun Nov 11 18:02:02 2012 CET was successful
0 consecutive failure(s).
Last success @ Sun Nov 11 18:02:02 2012 CET
.....

= Join the existing domain as a Domain Controller =

Before you start the joining, make yourself familiar with the parameters and options of „samba-tool domain join“:

# samba-tool domain join --help

Especially the following two options are required if your future Domain Controllers have multiple NICs. Because „samba-tool“ would auto-choose one of the IPv4/IPv6 addresses if multiple were found, it might be necessary to bind Samba to the desired interfaces using

--option="interfaces=lo eth0" --option="bind interfaces only=yes"

Join the existing domain (parameter explanation below):

# samba-tool domain join samdom.example.com DC -Uadministrator --realm=samdom.example.com --dns-backend=BIND9_DLZ
Finding a writeable DC for domain 'samdom.example.com'
Found DC dc1.samdom.example.com
Password for [WORKGROUP\administrator]: passw0rd
workgroup is SAMDOM
realm is samdom.example.com
checking sAMAccountName
Adding CN=DC2,OU=Domain Controllers,DC=samdom,DC=example,DC=com
Adding CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
Adding CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
Adding SPNs to CN=DC2,OU=Domain Controllers,DC=samdom,DC=example,DC=com
Setting account password for DC2$
Enabling account
Adding DNS account CN=dns-DC2,CN=Users,DC=samdom,DC=example,DC=com with dns/ SPN
Setting account password for dns-DC2
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=samdom,DC=example,DC=com
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[402/1618] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[804/1618] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1206/1618] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1608/1618] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1618/1618] linked_values[28/0]
Replicating critical objects from the base DN of the domain
Partition[DC=samdom,DC=example,DC=com] objects[98/98] linked_values[23/0]
Partition[DC=samdom,DC=example,DC=com] objects[395/297] linked_values[23/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=samdom,DC=example,DC=com
Partition[DC=DomainDnsZones,DC=samdom,DC=example,DC=com] objects[41/41] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=samdom,DC=example,DC=com
Partition[DC=ForestDnsZones,DC=samdom,DC=example,DC=com] objects[19/19] linked_values[0/0]
Partition[DC=ForestDnsZones,DC=samdom,DC=example,DC=com] objects[38/19] linked_values[0/0]
Committing SAM database
Sending DsReplicateUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain SAMDOM (SID S-1-5-21-469703510-2364959079-1506205053) as a DC

<u>Parameter explanations:</u>

* Domain: AD Domain Name
* Server Role: „DC“ for Domain Controller
* Username: Account that is allowed to join new Domain Controllers. Typically this is, among others, the Domain Administrator.
* Realm: Kerberos Realm
* DNS backend: You have to decide whether to use the internal DNS server (SAMBA_INTERNAL), BIND9 (BIND9_DLZ) or no DNS backend (NONE). The internal DNS is the default and the best choice for simple DNS requirements; it doesn't need any further actions. For complex DNS requirements, BIND9_DLZ is recommended. Don't use BIND9_FLATFILE! It's not documented and not supported! See [[DNS_Backend_BIND|DNS Backend BIND]] for further information about using BIND. The DNS backend choice made during the provisioning isn't permanent. [[Changing_the_DNS_backend|It can be changed afterwards]].
* Site: If you have set up Active Directory Sites, it's possible to directly join a new DC into a specified AD site.

= Check DNS entries =

For a successful setup and for failover purposes, it is required that all important DNS records are added to the DNS zones. Due to a bug, two records can be missing. Check [https://bugzilla.samba.org/show_bug.cgi?id=10928 Bug #10928] to see if it has been fixed in the meantime and in the version you're running.

== Resolve the A record of the new joined Domain Controller ==

# host -t A <u>DC2</u>.samdom.example.com.
<u>DC2</u>.samdom.example.com has address <u>10.99.0.2</u>

If the record could not be resolved to its IP, you will receive the following output instead:

# host -t A <u>DC2</u>.samdom.example.com.
Host DC2.samdom.example.com. not found: 3(NXDOMAIN)

In this case, you have to add the record manually to the AD DNS zone:

# samba-tool dns add DC1 samdom.example.com <u>DC2</u> A <u>10.99.0.2</u> -Uadministrator
Password for [SAMDOM\administrator]: passw0rd
Record added successfully

Re-check afterwards again!

== Resolve the objectGUID CNAME record of the new joined Domain Controller ==

* First, you have to find out the objectGUID of the new joined Domain Controller:

# ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
# record 1
dn: CN=NTDS Settings,CN=<u>DC2</u>,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
objectGUID: <u>df4bdd8c-abc7-4779-b01e-4dd4553ca3e9</u>

# record 2
dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
objectGUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f

# returned 2 records
# 2 entries
# 0 referrals

* Query the CNAME of the objectGUID in the _msdcs.samdom.example.com zone. It must be an alias to the hostname of the new joined DC:

# host -t CNAME <u>df4bdd8c-abc7-4779-b01e-4dd4553ca3e9</u>._msdcs.samdom.example.com.
df4bdd8c-abc7-4779-b01e-4dd4553ca3e9._msdcs.samdom.example.com is an alias for <u>DC2</u>.samdom.example.com.

:* If the record could not be resolved, you will receive:

# host -t CNAME <u>df4bdd8c-abc7-4779-b01e-4dd4553ca3e9</u>._msdcs.samdom.example.com.
Host df4bdd8c-abc7-4779-b01e-4dd4553ca3e9._msdcs.samdom.example.com. not found: 3(NXDOMAIN)

:* In this case, you have to add the record manually to the AD DNS zone:

# samba-tool dns add DC1 _msdcs.samdom.example.com <u>df4bdd8c-abc7-4779-b01e-4dd4553ca3e9</u> CNAME <u>DC2</u>.samdom.example.com -Uadministrator
Password for [SAMDOM\administrator]: passw0rd
Record added successfully

:* Re-check afterwards again!

== Testing Directory Replication ==

To check that replication is working correctly between your two domain controllers, try adding a user on the Samba DC using either the Samba command line tools or the Windows GUI admin tools. Then check that the user shows up within a few seconds on your Windows domain controller.

Similarly, try modifying a user on the Windows domain controller and check that the modifications show up correctly on the Samba server.
   
===ldapcmp===
 
   
You may wish to use [[Samba4/ldapcmp|ldapcmp]] to verify that the same data
 
is being served from all domain controllers.
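The A record and objectGUID CNAME checks from the "Check DNS entries" sections above can be scripted so that the new DC is verified the same way every time. The following is an added example, not part of this wiki page or of Samba itself: it parses the ldbsearch output shown above to find the new DC's objectGUID, compares the two expected records against a resolver (a constructed lookup table stands in for `host -t A` / `host -t CNAME`), and prints the `samba-tool dns add` lines for whatever is missing. Hostnames, IPs and GUIDs are the page's sample values; the function names (`check_new_dc` and the helpers) are mine.

```python
"""Check the two DNS records a newly joined Samba DC needs (its A record and
the objectGUID CNAME in _msdcs) and build the samba-tool commands for the
missing ones. Added example; not part of the wiki page or of Samba itself."""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample of what the page's ldbsearch command printed (hostnames
# and GUIDs are the page's example values).
LDBSEARCH_OUTPUT = """\
# record 1
dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
objectGUID: df4bdd8c-abc7-4779-b01e-4dd4553ca3e9

# record 2
dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
objectGUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f

# returned 2 records
# 2 entries
# 0 referrals
"""

NTDS_DN_RE = re.compile(r"^dn:\s*CN=NTDS Settings,CN=([^,]+),CN=Servers,", re.IGNORECASE)


def parse_ntds_guids(ldif: str) -> Dict[str, str]:
    """Map each DC hostname (upper-cased) to the objectGUID of its NTDS Settings object."""
    guids: Dict[str, str] = {}
    current: Optional[str] = None
    for line in ldif.splitlines():
        m = NTDS_DN_RE.match(line)
        if m:
            current = m.group(1).upper()
        elif current and line.lower().startswith("objectguid:"):
            guids[current] = line.split(":", 1)[1].strip().lower()
            current = None
    return guids


Record = Tuple[str, str, str, str]  # (zone, name, type, data) as samba-tool dns add takes them


def expected_records(dc: str, ip: str, domain: str, guid: str) -> List[Record]:
    """The two records the page says can be left missing after the join."""
    return [
        (domain, dc, "A", ip),
        ("_msdcs." + domain, guid, "CNAME", f"{dc}.{domain}"),
    ]


def missing_records(expected: List[Record],
                    resolve: Callable[[str, str], Optional[str]]) -> List[Record]:
    """Keep the records whose lookup of (fqdn, type) does not return the expected data."""
    missing: List[Record] = []
    for zone, name, rtype, data in expected:
        answer = resolve(f"{name}.{zone}", rtype)
        if answer is None or answer.rstrip(".").lower() != data.rstrip(".").lower():
            missing.append((zone, name, rtype, data))
    return missing


def samba_tool_commands(missing: List[Record], dns_server: str,
                        user: str = "administrator") -> List[str]:
    """One command per missing record, in the form the page uses."""
    return [f"samba-tool dns add {dns_server} {zone} {name} {rtype} {data} -U{user}"
            for zone, name, rtype, data in missing]


# Constructed stand-in for `host -t A` / `host -t CNAME` on a DNS server where
# the A record of DC2 exists but its objectGUID CNAME is still missing.
FAKE_DNS = {
    ("dc1.samdom.example.com", "A"): "10.99.0.1",
    ("dc2.samdom.example.com", "A"): "10.99.0.2",
}


def constructed_resolver(fqdn: str, rtype: str) -> Optional[str]:
    return FAKE_DNS.get((fqdn.lower(), rtype))


def check_new_dc(dc: str = "DC2", ip: str = "10.99.0.2", domain: str = "samdom.example.com",
                 dns_server: str = "DC1", ldif: str = LDBSEARCH_OUTPUT,
                 resolve: Callable[[str, str], Optional[str]] = constructed_resolver) -> List[str]:
    """Return the samba-tool dns add commands still needed for the new DC."""
    guid = parse_ntds_guids(ldif)[dc.upper()]
    wanted = expected_records(dc, ip, domain, guid)
    return samba_tool_commands(missing_records(wanted, resolve), dns_server)


if __name__ == "__main__":
    for cmd in check_new_dc():
        print(cmd)
```

To use it against a real DC, feed the output of the ldbsearch command into `check_new_dc(ldif=...)` and pass a `resolve` function that runs `host -t <type> <name>` and returns the answer; the commands it prints are exactly the ones the sections above tell you to run by hand, and a second run after adding the records should print nothing.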
 
   
   
   

= Adaptations for the BIND DNS backend =

This step can be skipped if the DC was joined with SAMBA_INTERNAL or without DNS backend.

== Workaround: Fix keytab permissions ==

This workaround is required until [https://bugzilla.samba.org/show_bug.cgi?id=10881 Bug #10881] is solved for the version of Samba you're running!

Fix the permissions on the 'dns.keytab' file to allow BIND to read it:

# chmod 640 /usr/local/samba/private/dns.keytab
# chgrp named /usr/local/samba/private/dns.keytab

Otherwise, BIND will not be able to update your zone(s)! One of the results is that 'samba_dnsupdate' can't add e.g. the important DNS entries that clients use to locate the new DC. In case of a failure of your other DC, domain logons using your new DC wouldn't be possible!

== A Note on SysVol replication ==

Currently the replication of the SysVol share isn't implemented. If you make any changes on that share, you have to keep the shares on all your DCs in sync manually (e.g. with an rsync cronjob). An example of how to achieve this can be found in the [[SysVol_Replication|SysVol Replication Howto]].

== If you have any existing AD DC which is Samba ==

There are current issues with UID/GID mapping between DCs for the built-in groups who own files and directories under sysvol.<br>
As we have no method at the moment to replicate the UID/GID from the existing Samba DCs, please try the following:

# Stop all Samba AD DCs
# Copy the /var/lib/samba/private/idmap.ldb to the new Samba AD DC
# Restart the Samba AD DCs

== Report your success/failure! ==

Samba4 as a replicating domain controller is still developing rapidly, and we like to hear from users about their successes and failures. While Samba4 is still in rc state we would encourage you to report both your successes and failures to the samba-technical mailing list on http://lists.samba.org

Please be aware that Samba4 is not complete, so you should deploy it carefully until it is ready for production.
   

== Enable the BIND9_DLZ module, suitable to the BIND version ==

Make sure that the correct BIND9_DLZ module for your BIND version is enabled in /usr/local/samba/private/named.conf. Uncomment the module for your BIND version and comment the other:

dlz "AD DNS Zone" {
    # For BIND 9.8.0
    database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";

    # For BIND 9.9.0
    # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";
};

The example above enables the module for BIND 9.8.x (default).

= FSMO role transfer =

You can transfer FSMO roles from an existing DC to a [[Samba_AD_DC_HOWTO|Samba AD DC]] by seizing them from your Samba AD machine:

# samba-tool fsmo seize --role=....

You can seize all five roles: rid, schema, naming, pdc and infrastructure (you can use "--role=all" to seize all at once).

'''Note:''' The role seizing function was broken in the past ([https://bugzilla.samba.org/show_bug.cgi?id=9461 Bug report 9461]). This was fixed in 4.0.10/4.1.0. If you are running an affected version, you should consider upgrading first!


= Start Samba =

To start the Samba Active Directory Domain Controller in „standard“ mode, which is suitable for production use, run

# samba

Samba doesn't yet have init scripts included. You can find examples on the [[Samba4/InitScript|Samba Init-Script]] page.

= A note on DNS updates =

As of Samba4 alpha12 Samba4 has the ability to automatically update a Windows or bind9 DNS server with the correct set of DNS entries when it becomes a domain controller.

For this to work correctly between Samba and Windows you may find that you need a set of 5 patches to bind9. Those patches are located in the examples/bind9-patches directory of the Samba4 source tree. The patches have been submitted to the bind9 developers and will be incorporated in a future release of bind, but in the meantime you should be able to build bind9 yourself from sources and apply the patches.

The way the automatic DNS updates work is that Samba regularly (every 10 minutes) calls out to the samba_dnsupdate script that is installed along with Samba. That script reads a template file of DNS names to update in the DNS zone from /usr/local/samba/private/dns_update_list.

The contents of this file look like this:

   
A ${DNSDOMAIN} $IP
A ${HOSTNAME} $IP
CNAME ${NTDSGUID}._msdcs.${DNSDOMAIN} ${HOSTNAME}
SRV _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
SRV _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
SRV _kerberos._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
SRV _ldap._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
SRV _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
SRV _ldap._tcp.${SITE}._sites.gc._msdcs.${DNSDOMAIN} ${HOSTNAME} 3268
SRV _ldap._tcp.gc._msdcs.${DNSDOMAIN} ${HOSTNAME} 3268
SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
SRV _gc._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 3268
SRV _kerberos._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 88
SRV _ldap._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 389
SRV _gc._tcp.${DNSDOMAIN} ${HOSTNAME} 3268
SRV _kerberos._tcp.${DNSDOMAIN} ${HOSTNAME} 88
SRV _kpasswd._tcp.${DNSDOMAIN} ${HOSTNAME} 464
SRV _ldap._tcp.${DNSDOMAIN} ${HOSTNAME} 389
SRV _kerberos._udp.${DNSDOMAIN} ${HOSTNAME} 88
SRV _kpasswd._udp.${DNSDOMAIN} ${HOSTNAME} 464

At runtime, Samba will substitute the variables in this file and call out to the bind9 nsupdate command using the -g option to enable TSIG-GSS DNS updates. It will only make updates for DNS names that it detects are not currently correctly set.
 
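To make the substitution step concrete, here is an added example (written for this page, not Samba's own samba_dnsupdate script) of how such a template is expanded: it substitutes the variables in the first lines of the dns_update_list shown above, drops records that a constructed zone snapshot already holds correctly, and renders the remainder as the batch that would be piped into `nsupdate -g`. Assumptions: HOSTNAME is the DC's FQDN, SRV records get priority 0 and weight 100, the TTL is 900 seconds, and the DOMAINGUID is a placeholder rather than a value from the page.

```python
"""Expand a Samba dns_update_list template into the nsupdate batch that the
samba_dnsupdate script would send, keeping only records the zone does not hold
yet. Added example, not code from the Samba project."""
from string import Template
from typing import Dict, List, Set, Tuple

# Constructed: the first lines of the dns_update_list shown on the page.
DNS_UPDATE_LIST = """\
A ${DNSDOMAIN} $IP
A ${HOSTNAME} $IP
CNAME ${NTDSGUID}._msdcs.${DNSDOMAIN} ${HOSTNAME}
SRV _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
SRV _ldap._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
SRV _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
"""

# Constructed variable values for DC2 from the page's setup. HOSTNAME being the
# DC's FQDN is an assumption; the DOMAINGUID is a placeholder, not a page value.
VARS = {
    "DNSDOMAIN": "samdom.example.com",
    "HOSTNAME": "dc2.samdom.example.com",
    "NTDSGUID": "df4bdd8c-abc7-4779-b01e-4dd4553ca3e9",
    "DOMAINGUID": "00000000-0000-0000-0000-000000000000",
    "SITE": "Default-First-Site-Name",
}
IPS = ["10.99.0.2"]  # what $IP stands for: the interface addresses Samba detected

Record = Tuple[str, str, str]  # (owner name, type, rdata as nsupdate expects it)


def expand_update_list(template: str, variables: Dict[str, str], ips: List[str]) -> List[Record]:
    """Substitute ${VAR}/$VAR in each line and turn it into one record
    (A lines with $IP give one record per address)."""
    def sub(field: str) -> str:
        return Template(field).substitute(variables)

    records: List[Record] = []
    for raw in template.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        rtype = fields[0].upper()
        if rtype == "A":
            targets = ips if fields[2] == "$IP" else [sub(fields[2])]
            records.extend((sub(fields[1]), "A", ip) for ip in targets)
        elif rtype == "CNAME":
            records.append((sub(fields[1]), "CNAME", sub(fields[2])))
        elif rtype == "SRV":
            # priority 0 and weight 100 are assumed; the port comes from the template line
            records.append((sub(fields[1]), "SRV", f"0 100 {int(fields[3])} {sub(fields[2])}"))
        else:
            raise ValueError(f"unsupported record type in dns_update_list: {rtype}")
    return records


def needed_updates(wanted: List[Record], current: Dict[Tuple[str, str], Set[str]]) -> List[Record]:
    """Drop records the server already holds with the right data (the page:
    Samba only updates names that are not currently correctly set)."""
    return [r for r in wanted if r[2] not in current.get((r[0].lower(), r[1]), set())]


def nsupdate_batch(records: List[Record], ttl: int = 900) -> str:
    """Render the records as the stdin batch for `nsupdate -g` (TTL assumed)."""
    lines = [f"update add {name} {ttl} {rtype} {rdata}" for name, rtype, rdata in records]
    return "\n".join(lines + ["send"]) + "\n"


# Constructed zone snapshot: the domain A records and DC2's own A record exist.
CURRENT_ZONE: Dict[Tuple[str, str], Set[str]] = {
    ("samdom.example.com", "A"): {"10.99.0.1", "10.99.0.2"},
    ("dc2.samdom.example.com", "A"): {"10.99.0.2"},
}


def plan(template: str = DNS_UPDATE_LIST, variables: Dict[str, str] = VARS,
         ips: List[str] = IPS, current: Dict[Tuple[str, str], Set[str]] = CURRENT_ZONE) -> List[Record]:
    """Records that still have to be sent for this DC."""
    return needed_updates(expand_update_list(template, variables, ips), current)


if __name__ == "__main__":
    print(nsupdate_batch(plan()), end="")
```

Running it prints four `update add` lines (the CNAME and the three SRV records) followed by `send`; the two A records are skipped because the snapshot already has them. Replacing `CURRENT_ZONE` with real lookups is what turns this into the "only update what is wrong" behaviour the text describes.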
   

You can add your own names to the dns_update_list if you want, and Samba will add those on the DNS server. You may also choose not to use TSIG-GSS and instead use a fixed DNS key set up in another bind9 server. To do that you will need to modify the 'nsupdate' command that Samba runs, which is settable using the "nsupdate command" smb.conf option. The default is "/usr/bin/nsupdate -g".

The $IP entries for A records are replaced with the IP interface addresses that Samba detects at runtime, based on the "interfaces=" smb.conf option.

= Directory replication =

A few minutes after you have started Samba, connections with the other DCs will be established automatically.

 
   
  +
# samba-tool drs showrepl
Default-First-Site-Name\DC2
DSA Options: 0x00000001
DSA object GUID: df4bdd8c-abc7-4779-b01e-4dd4553ca3e9
DSA invocationId: 8e30d69f-c20f-4744-9833-5b050e611375

==== INBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
Last attempt @ Sun Nov 9 19:56:07 2014 CET was successful
0 consecutive failure(s).
Last success @ Sun Nov 9 19:56:07 2014 CET

DC=DomainDnsZones,DC=samdom,DC=example,DC=com
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
Last attempt @ Sun Nov 9 19:56:06 2014 CET was successful
0 consecutive failure(s).
Last success @ Sun Nov 9 19:56:06 2014 CET

CN=Configuration,DC=samdom,DC=example,DC=com
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
Last attempt @ Sun Nov 9 19:56:07 2014 CET was successful
0 consecutive failure(s).
Last success @ Sun Nov 9 19:56:07 2014 CET

DC=ForestDnsZones,DC=samdom,DC=example,DC=com
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
Last attempt @ Sun Nov 9 19:56:07 2014 CET was successful
0 consecutive failure(s).
Last success @ Sun Nov 9 19:56:07 2014 CET

DC=samdom,DC=example,DC=com
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
Last attempt @ Sun Nov 9 19:56:13 2014 CET was successful
0 consecutive failure(s).
Last success @ Sun Nov 9 19:56:13 2014 CET

==== OUTBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

DC=DomainDnsZones,DC=samdom,DC=example,DC=com
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

CN=Configuration,DC=samdom,DC=example,DC=com
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

DC=ForestDnsZones,DC=samdom,DC=example,DC=com
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

DC=samdom,DC=example,DC=com
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
Connection name: 5745d481-1d26-48f4-ab65-273263e28a45
Enabled : TRUE
Server DNS name : DC1.samdom.example.com
Server DN name : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
   

'''Depending on your replication settings - if defined - it may take a few minutes until all connections are established. So please be patient!''' In the unlikely case that the outbound connections aren't established automatically, even after several minutes, you can force the replication (generally not necessary!). See [[Samba-tool_drs_replicate|samba-tool drs replicate]].

''Note about the „Warning: No NC replicated for Connection!“ line: It can be safely ignored. See [[FAQ#Message:_Warning:_No_NC_replicated_for_Connection.21|FAQ: Message: Warning: No NC replicated for Connection!]]''
   
   
= Joining a domain as a RODC (Status for a work in progress) =
 
   
For the TODO list see [http://wiki.samba.org/index.php/Samba4_DRS_TODO_List#Support_RODC Support RODC TODO]
 
   
'''Main features implemented'''
 
   
* Joining as a RODC to Windows DC
 
   
To do that one should do a samba-tool join (or samba-tool domain join), something like this:
 
   
sudo bin/samba-tool join win.dev RODC -U Administrator --password=%password --target-dir=/home/ant/prefix.win/

= Start BIND =

Please check (samba-tool drs showrepl) that the DC=ForestDnsZones,DC=samdom,DC=example,DC=com and DC=DomainDnsZones,DC=samdom,DC=example,DC=com partitions are already replicated!

If so, it's time to start BIND now, if you're using the BIND9_DLZ backend.

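The showrepl check above (and the earlier look at the full showrepl output in the "Directory replication" section) can be automated rather than read by eye. What follows is an added example, not Samba's own code: it parses `samba-tool drs showrepl` output into per-partition neighbor entries and reports the DNS partitions that have no successful inbound replication yet. The sample input is a constructed, shortened copy of the output shown on this page with one failing inbound entry added for ForestDnsZones; the wording of that "failed, result ..." line and all function names are assumptions.

```python
"""Parse `samba-tool drs showrepl` output and report DNS partitions that have
not replicated inbound yet, the check the page asks for before starting BIND.
Added example; not Samba's own code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed, shortened from the showrepl output on this page, plus one failing
# inbound entry for ForestDnsZones (its 'failed, result ...' wording is assumed).
SHOWREPL_OUTPUT = """\
Default-First-Site-Name\\DC2
DSA object GUID: df4bdd8c-abc7-4779-b01e-4dd4553ca3e9

==== INBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=samdom,DC=example,DC=com
\tDefault-First-Site-Name\\DC1 via RPC
\t\tLast attempt @ Sun Nov  9 19:56:06 2014 CET was successful
\t\t0 consecutive failure(s).
\t\tLast success @ Sun Nov  9 19:56:06 2014 CET

DC=ForestDnsZones,DC=samdom,DC=example,DC=com
\tDefault-First-Site-Name\\DC1 via RPC
\t\tLast attempt @ Sun Nov  9 19:56:07 2014 CET failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
\t\t3 consecutive failure(s).
\t\tLast success @ NTTIME(0)

==== OUTBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=samdom,DC=example,DC=com
\tDefault-First-Site-Name\\DC1 via RPC
\t\tLast attempt @ NTTIME(0) was successful
\t\t0 consecutive failure(s).
\t\tLast success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
\t\tWarning: No NC replicated for Connection!
"""


@dataclass
class Neighbor:
    partition: str
    direction: str            # "inbound" or "outbound"
    source: str               # e.g. Default-First-Site-Name\DC1
    last_attempt_ok: bool
    consecutive_failures: int
    last_success: str         # raw timestamp; "NTTIME(0)" means never


SECTION_RE = re.compile(r"^==== (INBOUND|OUTBOUND) NEIGHBORS ====$")
PARTITION_RE = re.compile(r"^(?:CN|DC)=.*,DC=[^,]+$")  # an unindented naming-context DN


def parse_showrepl(text: str) -> List[Neighbor]:
    """Collect one Neighbor per (partition, source) under the two neighbor sections."""
    neighbors: List[Neighbor] = []
    direction: Optional[str] = None
    partition: Optional[str] = None
    cur: Dict[str, object] = {}

    def flush() -> None:
        if "source" in cur:
            neighbors.append(Neighbor(partition or "", direction or "", str(cur["source"]),
                                      bool(cur.get("ok", False)), int(cur.get("failures", 0)),
                                      str(cur.get("last_success", "NTTIME(0)"))))
        cur.clear()

    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            flush(); direction = m.group(1).lower(); partition = None
        elif line.startswith("===="):            # KCC section or anything else: stop collecting
            flush(); direction = None
        elif direction is None or not line:
            continue
        elif PARTITION_RE.match(line):
            flush(); partition = line
        elif " via " in line:
            flush(); cur["source"] = line.split(" via ")[0]
        elif line.startswith("Last attempt @"):
            cur["ok"] = line.endswith("was successful")
        elif line.endswith("consecutive failure(s)."):
            cur["failures"] = int(line.split()[0])
        elif line.startswith("Last success @"):
            cur["last_success"] = line.split("@", 1)[1].strip()
    flush()
    return neighbors


DNS_PARTITIONS = ("DC=DomainDnsZones,", "DC=ForestDnsZones,")


def unreplicated_dns_partitions(neighbors: List[Neighbor]) -> List[str]:
    """DNS partitions lacking an inbound neighbor whose last attempt succeeded,
    with zero consecutive failures and a real (not NTTIME(0)) last-success time."""
    bad: List[str] = []
    for prefix in DNS_PARTITIONS:
        ok = [n for n in neighbors
              if n.direction == "inbound" and n.partition.startswith(prefix)
              and n.last_attempt_ok and n.consecutive_failures == 0
              and n.last_success != "NTTIME(0)"]
        if not ok:
            bad.append(prefix.rstrip(","))
    return bad


def ready_to_start_bind(text: str = SHOWREPL_OUTPUT) -> bool:
    """True when both DNS partitions show healthy inbound replication."""
    return not unreplicated_dns_partitions(parse_showrepl(text))


if __name__ == "__main__":
    print("ready" if ready_to_start_bind() else
          "not replicated yet: " + ", ".join(unreplicated_dns_partitions(parse_showrepl(SHOWREPL_OUTPUT))))
```

Only the inbound side is judged, because the page's own output shows outbound entries sitting at NTTIME(0) for a while after the join and explains that this is expected; pipe real `samba-tool drs showrepl` output into `parse_showrepl` to use it on a live DC.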
= /etc/resolv.conf on the new Domain Controller =

If the DNS on your new Domain Controller is working, you should think about adding it to /etc/resolv.conf.

As a best practice, you should never have just one nameserver entry in a Domain Controller's /etc/resolv.conf! If that server fails, this DC isn't able to resolve AD zones any more. This would cause several other services that rely on DNS, like directory replication, to fail.

So always rely on at least two DNS servers that are able to resolve AD DNS zones:

nameserver 10.99.0.2
nameserver 10.99.0.1
search samdom.example.com

   
or (for newer versions of Samba):
 
   
sudo bin/samba-tool domain join win.dev RODC -U Administrator --password=%password --targetdir=/home/ant/prefix.win/
 
   
  +
= SysVol replication =
* Preloading users for RODC
 
   
  +
Currently replication of the SysVol share isn't implemented. If you make any changes
Users' passwords are not cached by default in a RODC environment.
 
  +
on that share, you have to keep them in sync on all your Domain Controllers. An example, how to achieve this automatically, is provided in the [[SysVol_Replication|SysVol Replication]] documentation.
To accomplish that, one should perform the following actions:
 
   
# Add desired users to the "Allowed RODC Password Replication Group"
 
# Add trusted sources to the "Password Replication Policy" under RODC properties
 
# You must preload users in your RODC with
 
sudo /bin/samba-tool rodc preload myuser --server=myserver.mydomain.com
 
   
* Added support for RODC FAS
 
   
  +
== GID mappings of built-in groups ==
* Added support for unidirectional replication
 
   
  +
There are current issues with GID mappings of built-in groups. The GIDs of groups owning files and directories on in the sysvol folder may differ between Domain Controllers. Currently Samba doesn't provide a replication of these GIDs.
* Added support for read-only database
 
   
  +
Use the following workaround, if you encounter any problems:
'''Main features in the TODO list'''
 
   
  +
* Shutdown Samba on the new joined Domain Controller.
* Support Administrator role separation
 
   
  +
* Create a hot-backup of idmap.ldb on the Domain Controller, that was already there, before joining the new one:
* Support Credential caching
 
   
  +
# tdbbackup -s .bak /usr/local/samba/private/idmap.ldb
* Join Windows as a RODC in Samba4 domain - blocked by kerberos tgt stuff.
 
   
  +
* Move the backup file „/usr/local/samba/private/idmap.ldb.bak“ to the new joined Domain Controller and remove the .bak suffix.
   
  +
* Start Samba on the new joined Domain Controller again.
   
  +
* Reset the ACLs on the local sysvol folder of the new joined Domain Controller:
   
  +
# samba-tool ntacl sysvolreset
   
= FAQ =
 
   
== Message: "Failed to find our own NTDS Settings invocationId in the ldb!" during joining ==
 
   
Check if you have an existing <tt>smb.conf</tt> and remove it befor joining.
 
   
   
  +
= Testing directory replication =
   
  +
To check that replication is working correctly between your two domain controllers, try adding/modifying e. g. a user on one DC using either the Samba command line tools or the Windows GUI admin tools. Then check that the changes shows up within a few seconds on the other Domain Controller.
== Message: Warning: No NC replicated for Connection! ==
 
   
When Samba registers for replication, there are a couple of flags that aren't correctly set. That's what the DRS command shows: They are not set. It's pretty harmless and you can ignore this warning.
 
   
   
  +
== ldapcmp ==
== Question: UID/GID mapping between DCs for the built-in users/groups are different, Why? ==
 
   
  +
You may wish to use [[Samba-tool_ldapcmp|samba-tool ldapcmp]] to verify that the same data
If both your DC are Samba, there are current issues with UID/GID mapping between DCs for the built-in groups who own files and directories under sysvol.<br>
 
  +
is being served from all Domain Controllers.
As we have no method at the moment to replicate the UID/GID from the existing Samba DCs, please try the following:
 
#. Stop All Samba AD DC
 
#. Copy the /var/lib/samba/private/idmap.ldb to the new Samba AD DC
 
#. Restart Samba AD DC
 

Revision as of 23:39, 9 November 2014

Introduction

Besides the ability to join an Active Directory as a Member Server, it is also possible to join as a Domain Controller.

The process of joining a Samba server to an existing domain differs slightly from provisioning a new domain. It is the equivalent of the 'dcpromo' command on Windows servers.

The following steps are the same regardless of whether you are joining Samba to an existing Windows based domain or an existing Samba based domain.


Server information

This documentation uses the following configuration/settings:

Existing DC in the domain:
Hostname:                      DC1
IP:                            10.99.0.1
DC is also a DNS server:       yes

Domain information:
DNS Domain Name:               samdom.example.com
NT4 Domain Name (NETBIOS):     SAMDOM
Kerberos Realm:                SAMDOM.EXAMPLE.COM
Domain Administrator:          Administrator
Domain Administrator Password: passw0rd

DC additionally joined to the domain:
Hostname:                      DC2
IP Address:                    10.99.0.2
Installation Directory:        /usr/local/samba/


Versions

This HowTo is frequently updated to reflect the latest changes. Please see the Samba Release Planning for more specifics.

Please review the release notes for the version you have installed. They may contain important information not yet reflected in this HowTo.



Installation

Different ways to install

Always check the OS Requirements for dependencies and recommendations.

You have a few options to install Samba:

  • Install binary distribution packages. Make sure that you use a recent Samba installation with Active Directory Domain Controller capabilities!


Paths

Take care when running Samba commands if you also have a previous version of Samba installed! To avoid inadvertently running the wrong version of a program, you should consider putting the „/usr/local/samba/bin/“ and „/usr/local/samba/sbin/“ directories at the beginning of your $PATH variable.

You can see which version of Samba and of the client tools, if any, is found in your „$PATH“ by running:

# samba -V
# smbclient -V



Preparing the host for the domain join

Local DNS server

By default, the first Domain Controller in a domain automatically acts as a DNS server for AD based zones. For failover reasons, it is recommended to have at least two DCs providing AD DNS services.

If you plan to join the additional Domain Controller with BIND as DNS backend, you have to set up BIND as AD backend first. For setups using the internal DNS or no local DNS, no further steps are required.


DNS resolving

Configure the host you want to join as an additional Domain Controller to use a DNS server that is able to resolve the zones of the Active Directory. On Linux and Unixes, this is typically done by adding a „nameserver“ and a „search“ domain entry to /etc/resolv.conf:

nameserver 10.99.0.1
search samdom.example.com

Consult your distribution's documentation for configuring the use of a DNS server.

To verify that name resolution works, try resolving the hostname of one of your existing Domain Controllers:

# host -t A DC1.samdom.example.com
DC1.samdom.example.com has address 10.99.0.1


Kerberos

  • Add the following content to /etc/krb5.conf:
[libdefaults]
    dns_lookup_realm = true
    dns_lookup_kdc = true
    default_realm = SAMDOM.EXAMPLE.COM
  • Verify the correct Kerberos setup by obtaining a ticket:
# kinit administrator
Password for administrator@SAMDOM.EXAMPLE.COM:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@SAMDOM.EXAMPLE.COM

Valid starting       Expires              Service principal
09.11.2014 17:34:09  10.11.2014 03:34:09   krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
        renew until 10.11.2014 17:34:07



Join the existing domain as a Domain Controller

Before you start the joining, make yourself familiar with the parameters and options of „samba-tool domain join“:

# samba-tool domain join --help 

The following two options are especially important if your future Domain Controller has multiple NICs. Because „samba-tool“ would otherwise auto-choose one of the IPv4/IPv6 addresses it finds, it may be necessary to bind Samba to the desired interfaces using

--option="interfaces=lo eth0" --option="bind interfaces only=yes"

Join the existing domain (parameter explanation below):

# samba-tool domain join samdom.example.com DC -Uadministrator --realm=samdom.example.com --dns-backend=BIND9_DLZ
Finding a writeable DC for domain 'samdom.example.com'
Found DC dc1.samdom.example.com
Password for [WORKGROUP\administrator]: passw0rd
workgroup is SAMDOM
realm is samdom.example.com
checking sAMAccountName
Adding CN=DC2,OU=Domain Controllers,DC=samdom,DC=example,DC=com
Adding CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
Adding CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
Adding SPNs to CN=DC2,OU=Domain Controllers,DC=samdom,DC=example,DC=com
Setting account password for DC2$
Enabling account
Adding DNS account CN=dns-DC2,CN=Users,DC=samdom,DC=example,DC=com with dns/ SPN
Setting account password for dns-DC2
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=samdom,DC=example,DC=com
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[402/1618] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[804/1618] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1206/1618] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1608/1618] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1618/1618] linked_values[28/0]
Replicating critical objects from the base DN of the domain
Partition[DC=samdom,DC=example,DC=com] objects[98/98] linked_values[23/0]
Partition[DC=samdom,DC=example,DC=com] objects[395/297] linked_values[23/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=samdom,DC=example,DC=com
Partition[DC=DomainDnsZones,DC=samdom,DC=example,DC=com] objects[41/41] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=samdom,DC=example,DC=com
Partition[DC=ForestDnsZones,DC=samdom,DC=example,DC=com] objects[19/19] linked_values[0/0]
Partition[DC=ForestDnsZones,DC=samdom,DC=example,DC=com] objects[38/19] linked_values[0/0]
Committing SAM database
Sending DsReplicateUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain SAMDOM (SID S-1-5-21-469703510-2364959079-1506205053) as a DC

Parameter explanations:

  • Domain: AD Domain Name
  • Server Role: „DC“ for Domain Controller
  • Username: Account that is allowed to join new Domain Controllers. Typically this is, among others, the Domain Administrator.
  • Realm: Kerberos Realm
  • DNS backend: You have to decide whether to use the Internal DNS server (SAMBA_INTERNAL), BIND9 (BIND9_DLZ) or no DNS backend (NONE). The Internal DNS is the default and the best choice for simple DNS requirements; it doesn't need any further actions. For complex DNS requirements, BIND9_DLZ is recommended. Don't use BIND9_FLATFILE! It's not documented and not supported! See DNS Backend BIND for further information about using BIND. The DNS backend choice made during the join isn't permanent; it can be changed afterwards.
  • Site: If you have set up Active Directory Sites, it's possible to join a new DC directly into a specified AD site.



Check DNS entries

For a successful setup and for failover purposes, it is required that all important DNS records are added to the DNS zones. A bug can cause two of these records to be missing. Check Bug #10928 to see whether it has been fixed in the meantime and in the version you're running.


Resolve the A record of the new joined Domain Controller

# host -t A DC2.samdom.example.com.
DC2.samdom.example.com has address 10.99.0.2

If the record could not be resolved to its IP, you will receive the following output instead:

# host -t A DC2.samdom.example.com.
Host DC2.samdom.example.com. not found: 3(NXDOMAIN)

In this case, you have to add the record manually to the AD DNS zone:

# samba-tool dns add DC1 samdom.example.com DC2 A 10.99.0.2 -Uadministrator
Password for [SAMDOM\administrator]: passw0rd
Record added successfully

Re-check afterwards!


Resolve the objectGUID CNAME record of the new joined Domain Controller

  • First, you have to find out the objectGUID of the newly joined Domain Controller:
# ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
# record 1
dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
objectGUID: df4bdd8c-abc7-4779-b01e-4dd4553ca3e9

# record 2
dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
objectGUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f

# returned 2 records
# 2 entries
# 0 referrals
  • Query the CNAME of the objectGUID in the _msdcs.samdom.example.com zone. It must be an alias to the hostname of the newly joined DC:
# host -t CNAME df4bdd8c-abc7-4779-b01e-4dd4553ca3e9._msdcs.samdom.example.com.
df4bdd8c-abc7-4779-b01e-4dd4553ca3e9._msdcs.samdom.example.com is an alias for DC2.samdom.example.com.
  • If the record could not be resolved, you will receive:
# host -t CNAME df4bdd8c-abc7-4779-b01e-4dd4553ca3e9._msdcs.samdom.example.com.
Host df4bdd8c-abc7-4779-b01e-4dd4553ca3e9._msdcs.samdom.example.com. not found: 3(NXDOMAIN)
  • In this case, you have to add the record manually to the AD DNS zone:
# samba-tool dns add DC1 _msdcs.samdom.example.com df4bdd8c-abc7-4779-b01e-4dd4553ca3e9 CNAME DC2.samdom.example.com -Uadministrator
Password for [SAMDOM\administrator]: passw0rd
Record added successfully
  • Re-check afterwards!
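As an added example (not part of this wiki page), the following POSIX shell script automates the two checks above: it resolves the A record of the new DC, reads its objectGUID from sam.ldb with the ldbsearch query shown, and verifies that the _msdcs CNAME points at the new DC. It assumes host, ldbsearch and samba-tool are in $PATH, sam.ldb is under /usr/local/samba/private, and the existing DC is DC1; the embedded ldbsearch output is a constructed sample used only for self-testing.

```shell
#!/bin/sh
# Added example, not from the Samba wiki: check the A and objectGUID CNAME
# records of a newly joined DC. Assumes host(1), ldbsearch and samba-tool are
# in $PATH; paths and DC names below are the ones used in this HowTo.
SAM_LDB=${SAM_LDB:-/usr/local/samba/private/sam.ldb}
EXISTING_DC=${EXISTING_DC:-DC1}   # DC that receives a 'samba-tool dns add' fix

# Print the objectGUID of a DC's NTDS Settings object, reading the output of
# 'ldbsearch -H sam.ldb (invocationId=*) --cross-ncs objectguid' from stdin.
# Only the start of the dn line is matched, so LDIF line folding is harmless.
guid_for_dc() {
    awk -v dc="$1" '
        /^dn: / { want = ($0 ~ ("^dn: CN=NTDS Settings,CN=" dc ",")) }
        want && /^objectGUID: / { print $2; exit }'
}

# Reduce host(1) output to "ok <address-or-target>" or "missing".
host_status() {
    awk '
        /has address /     { print "ok " $NF; exit }
        /is an alias for / { t = $NF; sub(/\.$/, "", t); print "ok " t; exit }
        /NXDOMAIN/         { print "missing"; exit }'
}

# check_new_dc <hostname> <dns domain> <expected ip>: report both records,
# print the samba-tool command that repairs a missing one, return 1 on problems.
check_new_dc() {
    newdc=$1; domain=$2; ip=$3; rc=0
    fqdn=$newdc.$domain

    a=$(host -t A "$fqdn." | host_status)
    case $a in
        "ok $ip") echo "A     ok       $fqdn -> $ip" ;;
        ok*)      echo "A     WRONG    $fqdn -> ${a#ok } (expected $ip)"; rc=1 ;;
        *)        echo "A     MISSING  fix: samba-tool dns add $EXISTING_DC $domain $newdc A $ip -Uadministrator"; rc=1 ;;
    esac

    guid=$(ldbsearch -H "$SAM_LDB" '(invocationId=*)' --cross-ncs objectguid | guid_for_dc "$newdc")
    if [ -z "$guid" ]; then
        echo "GUID  MISSING  no NTDS Settings object for $newdc in $SAM_LDB"
        return 1
    fi

    c=$(host -t CNAME "$guid._msdcs.$domain." | host_status)
    case $c in
        "ok $fqdn") echo "CNAME ok       $guid._msdcs.$domain -> $fqdn" ;;
        ok*)        echo "CNAME WRONG    -> ${c#ok } (expected $fqdn)"; rc=1 ;;
        *)          echo "CNAME MISSING  fix: samba-tool dns add $EXISTING_DC _msdcs.$domain $guid CNAME $fqdn -Uadministrator"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample of the ldbsearch output shown in this HowTo, for self-tests.
SAMPLE_LDB='# record 1
dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
objectGUID: df4bdd8c-abc7-4779-b01e-4dd4553ca3e9

# record 2
dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
objectGUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f

# returned 2 records'

# Usage: sh check_dc_dns.sh check DC2 samdom.example.com 10.99.0.2
if [ "${1:-}" = check ]; then shift; check_new_dc "$@"; fi
```

A record that resolves but points at the wrong address or host is reported as WRONG rather than silently accepted, since clients use these records to locate the DC.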



Adaptations for the BIND DNS backend

This step can be skipped if the DC was joined with SAMBA_INTERNAL or without a DNS backend.


Workaround: Fix keytab permissions

This workaround is required until Bug #10881 is solved in the version of Samba you're running!

Fix the permissions of the 'dns.keytab' file to allow BIND to read it:

# chmod 640 /usr/local/samba/private/dns.keytab
# chgrp named /usr/local/samba/private/dns.keytab

Otherwise, BIND will not be able to update your zone(s)! One consequence is that 'samba_dnsupdate' can't add e. g. the important DNS entries that clients use to locate the new DC. In case of a failure of your other DC, domain logons using your new DC wouldn't be possible!


Enable the BIND9_DLZ module, suitable to the BIND version

Make sure that the correct BIND9_DLZ module for your BIND version is enabled in /usr/local/samba/private/named.conf. Uncomment the module for your BIND version and comment out the other:

dlz "AD DNS Zone" {
    # For BIND 9.8.0
    database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";

    # For BIND 9.9.0
    # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";
};

The example above enables the module for BIND 9.8.x (default).



Start Samba

To start the Samba Active Directory Domain Controller in „standard“ mode, which is suitable for production use, run

# samba

Samba doesn't yet have init scripts included. You can find examples on the Samba Init-Script page.




Directory replication

A few minutes after you have started Samba, connections with the other DCs will be established automatically.

# samba-tool drs showrepl
Default-First-Site-Name\DC2
DSA Options: 0x00000001
DSA object GUID: df4bdd8c-abc7-4779-b01e-4dd4553ca3e9
DSA invocationId: 8e30d69f-c20f-4744-9833-5b050e611375

==== INBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
                Last attempt @ Sun Nov  9 19:56:07 2014 CET was successful
                0 consecutive failure(s).
                Last success @ Sun Nov  9 19:56:07 2014 CET

DC=DomainDnsZones,DC=samdom,DC=example,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
                Last attempt @ Sun Nov  9 19:56:06 2014 CET was successful
                0 consecutive failure(s).
                Last success @ Sun Nov  9 19:56:06 2014 CET

CN=Configuration,DC=samdom,DC=example,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
                Last attempt @ Sun Nov  9 19:56:07 2014 CET was successful
                0 consecutive failure(s).
                Last success @ Sun Nov  9 19:56:07 2014 CET

DC=ForestDnsZones,DC=samdom,DC=example,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
                Last attempt @ Sun Nov  9 19:56:07 2014 CET was successful
                0 consecutive failure(s).
                Last success @ Sun Nov  9 19:56:07 2014 CET

DC=samdom,DC=example,DC=com
         Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
                Last attempt @ Sun Nov  9 19:56:13 2014 CET was successful
                0 consecutive failure(s).
                Last success @ Sun Nov  9 19:56:13 2014 CET

==== OUTBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=DomainDnsZones,DC=samdom,DC=example,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Configuration,DC=samdom,DC=example,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=ForestDnsZones,DC=samdom,DC=example,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=samdom,DC=example,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
        Connection name: 5745d481-1d26-48f4-ab65-273263e28a45
        Enabled        : TRUE
        Server DNS name : DC1.samdom.example.com
        Server DN name  : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!

Depending on your replication settings - if defined - it may take a few minutes until all connections are established. So please be patient! In the unlikely case that the outbound connections aren't established automatically, even after several minutes, you can force the replication (generally not necessary!). See samba-tool drs replicate.

Note about the „Warning: No NC replicated for Connection!“ line: It can be safely ignored. See FAQ: Message: Warning: No NC replicated for Connection!




Start BIND

Check with samba-tool drs showrepl that the DC=ForestDnsZones,DC=samdom,DC=example,DC=com and DC=DomainDnsZones,DC=samdom,DC=example,DC=com partitions have already been replicated!

If so, start BIND now if you are using the BIND9_DLZ backend.
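The replication status check from the "Directory replication" section and the precondition of this "Start BIND" step, as an added POSIX shell example that is not part of this wiki page: it parses the INBOUND NEIGHBORS section of samba-tool drs showrepl output and reports which of the required partitions are not yet replicated or are failing. It assumes samba-tool is in $PATH; the embedded showrepl output is a shortened, constructed sample (with one partition deliberately failing) used for self-testing.

```shell
#!/bin/sh
# Added example, not from the Samba wiki: decide from 'samba-tool drs showrepl'
# output whether the partitions BIND9_DLZ needs have replicated inbound
# without failures. Assumes samba-tool is in $PATH.

# Summarise the INBOUND NEIGHBORS section (stdin): one line per partition,
# "<partition DN> <consecutive failures>".
inbound_failures() {
    awk '
        /^==== INBOUND NEIGHBORS ====/   { inbound = 1; next }
        /^==== /                         { inbound = 0; next }
        inbound && /^(CN|DC)=/           { nc = $0; next }
        inbound && /consecutive failure/ { print nc, $1 }'
}

# partitions_replicated <showrepl output> <partition DN>...
# Return 0 when every named partition has an inbound neighbour with zero
# consecutive failures; otherwise print what is wrong and return 1.
partitions_replicated() {
    summary=$(printf '%s\n' "$1" | inbound_failures); shift
    rc=0
    for nc in "$@"; do
        failures=$(printf '%s\n' "$summary" | awk -v nc="$nc" '$1 == nc { print $2; exit }')
        if [ -z "$failures" ]; then
            echo "NOT REPLICATED  $nc (no inbound neighbour yet, keep waiting)"; rc=1
        elif [ "$failures" -ne 0 ]; then
            echo "FAILING         $nc ($failures consecutive failure(s), check the logs before starting BIND)"; rc=1
        else
            echo "ok              $nc"
        fi
    done
    return $rc
}

# bind_ready <domain DN>: the precondition of the 'Start BIND' step.
bind_ready() {
    partitions_replicated "$(samba-tool drs showrepl)" \
        "DC=DomainDnsZones,$1" "DC=ForestDnsZones,$1"
}

# Constructed, shortened sample of the showrepl output shown in this HowTo.
# The domain partition is made to fail on purpose so the check reports it.
SAMPLE_SHOWREPL='Default-First-Site-Name\DC2
DSA Options: 0x00000001

==== INBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=samdom,DC=example,DC=com
        Default-First-Site-Name\DC1 via RPC
                Last attempt @ Sun Nov  9 19:56:06 2014 CET was successful
                0 consecutive failure(s).

DC=ForestDnsZones,DC=samdom,DC=example,DC=com
        Default-First-Site-Name\DC1 via RPC
                Last attempt @ Sun Nov  9 19:56:07 2014 CET was successful
                0 consecutive failure(s).

DC=samdom,DC=example,DC=com
        Default-First-Site-Name\DC1 via RPC
                Last attempt @ Sun Nov  9 19:58:13 2014 CET failed
                3 consecutive failure(s).

==== OUTBOUND NEIGHBORS ====

DC=samdom,DC=example,DC=com
        Default-First-Site-Name\DC1 via RPC
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).

==== KCC CONNECTION OBJECTS ===='

# Usage: sh bind_ready.sh DC=samdom,DC=example,DC=com
if [ -n "${1:-}" ]; then bind_ready "$1"; fi
```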



/etc/resolv.conf on the new Domain Controller

If the DNS on your new Domain Controller is working, you should think about adding it to /etc/resolv.conf.

As a best practice, you should never have just one nameserver entry in a Domain Controller's /etc/resolv.conf! If that server fails, this DC isn't able to resolve AD zones any more, which would cause several other services that rely on DNS, like directory replication, to fail.

So always rely on at least two DNS servers that are able to resolve AD DNS zones:

nameserver 10.99.0.2
nameserver 10.99.0.1
search samdom.example.com



SysVol replication

Currently replication of the SysVol share isn't implemented. If you make any changes on that share, you have to keep them in sync on all your Domain Controllers. An example of how to achieve this automatically is provided in the SysVol Replication documentation.


GID mappings of built-in groups

There are current issues with GID mappings of built-in groups. The GIDs of groups owning files and directories in the sysvol folder may differ between Domain Controllers. Currently Samba doesn't provide a replication of these GIDs.

Use the following workaround if you encounter any problems:

  • Shut down Samba on the newly joined Domain Controller.
  • Create a hot-backup of idmap.ldb on the Domain Controller that was already there before joining the new one:
# tdbbackup -s .bak /usr/local/samba/private/idmap.ldb
  • Move the backup file „/usr/local/samba/private/idmap.ldb.bak“ to the newly joined Domain Controller and remove the .bak suffix.
  • Start Samba on the newly joined Domain Controller again.
  • Reset the ACLs on the local sysvol folder of the newly joined Domain Controller:
# samba-tool ntacl sysvolreset



Testing directory replication

To check that replication is working correctly between your two domain controllers, try adding/modifying e. g. a user on one DC using either the Samba command line tools or the Windows GUI admin tools. Then check that the changes show up within a few seconds on the other Domain Controller.


ldapcmp

You may wish to use samba-tool ldapcmp to verify that the same data is being served from all Domain Controllers.