Difference between revisions of "Joining a Samba DC to an Existing Active Directory"

m (typofix Getting ready for joining Samba as a DC to an exiting domain)
m (/* added warning about dns server)
 
(153 intermediate revisions by 12 users not shown)
Line 1: Line 1:
= Samba4 joining a domain as a DC =
+
= Introduction =
  
As of Samba4 alpha11, Samba4 now has the ability to join an existing
+
Running one domain controller (DC) is sufficient for a working Active Directory (AD) forest. However, for failover and load balancing reasons, you should add further DCs to your AD forest. Joining an additional Samba DC to an existing AD differs from provisioning the first DC in a forest. If you set up a new AD forest, see [[Setting_up_Samba_as_an_Active_Directory_Domain_Controller|Setting up Samba as an Active Directory Domain Controller]].
Active Directory domain as an additional domain controller. The
 
process of joining a Samba4 server to an existing domain is a bit
 
different to provisioning a new domain. This process is the equivalent
 
of the 'dcpromo' command on Windows servers.
 
  
This HOWTO will assume you configured and installed Samba in the
+
{{Imbox
default location of /usr/local/samba. It assumes you are joining Samba
+
| type = warning
to an existing domain called 'samba.example.com'.
+
| text = Do not provision a Computer as a Samba AD DC, then try to join it to an existing AD domain. This will not work, you only need to run the <code>samba-tool domain join</code> command to join a Computer to the existing AD domain.  
 +
}}
  
Note that some of the features mentioned in this HOWTO are only
+
{{Imbox
available in versions of Samba4 later than alpha12, or using a git
+
| type = warning
checkout from February 26th 2010 or later.
+
| text = If you are joining a Samba as a DC to an existing Windows AD domain that was provisioned as a Windows 2003 (or earlier) DC, you must ensure that it is running a domain integrated DNS server. This dns server must be configured with 2008 behaviour.
 +
}}
  
Also note that the following steps are the same regardless of whether
+
{{Imbox
you are joining Samba to an existing Windows based domain or an
+
| type = note
existing Samba based domain.
+
| text = An NT4 domain uses only one Primary Domain Controller (PDC) and optionally additional Backup Domain Controllers (BDC). In an AD forest, there is no difference between DCs, beside the [[Flexible_Single-Master_Operations_(FSMO)_Roles|FSMO roles]]. Use only the term "domain controller" or "DC" when you talk about AD to avoid any possibility of confusion.
 +
}}
  
== Getting ready for joining Samba as a DC to an existing domain ==
 
  
You need to build Samba4 as usual, but don't do the provision step. You should remove any existing smb.conf in /usr/local/samba/etc/smb.conf
 
  
You should have your existing domain setup correctly as your default realm in /etc/krb5.conf, and you should have these options setup in /etc/krb5.conf:
+
 
 +
 
 +
= Preparing the Installation =
 +
 
 +
For details, see [[Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Preparing_the_Installation|Preparing the Installation]] in the [[Setting_up_Samba_as_an_Active_Directory_Domain_Controller|Setting up Samba as an Active Directory Domain Controller]] documentation.
 +
 
 +
 
 +
 
 +
 
 +
 
 +
= Installing Samba =
 +
 
 +
For details, see [[Installing_Samba|Installing Samba]].
 +
 
 +
{{Imbox
 +
| type = note
 +
| text = Install a maintained Samba version. For details, see [[Samba_Release_Planning|Samba Release Planning]].
 +
}}
 +
 
 +
 
 +
 
 +
 
 +
 
 +
= Preparing the Host for Joining the Domain =
 +
 
 +
== Local DNS server ==
 +
 
 +
By default, the first Domain Controller (DC) in a forest runs a DNS server for Active Directory (AD)-based zones. For failover reasons it is recommended to run multiple DCs acting as a DNS server in a network. If you consider providing a DNS service on the new DC:
 +
 
 +
* For the <code>BIND9_DLZ</code> back end, see [[BIND9_DLZ_DNS_Back_End|BIND9_DLZ DNS Back End]]. Finish this task before you start the Samba DC service.
 +
* For the internal DNS no further actions are required.
 +
 
 +
 
 +
 
 +
== Configuring DNS ==
 +
 
 +
For details, see [[Linux_and_Unix_DNS_Configuration|Linux and Unix DNS Configuration]].
 +
 
 +
{{Imbox
 +
| type = note
 +
| text = The 'nameserver' you set in '/etc/resolv.conf' must be an AD DC, otherwise the join will not be able to find the KDC.
 +
}}
 +
 
 +
 
 +
 
 +
== Kerberos ==
 +
 
 +
Set the following settings in your Kerberos client configuration file <code>/etc/krb5.conf</code>:
  
 
  [libdefaults]
 
  [libdefaults]
  dns_lookup_realm = true
+
    dns_lookup_realm = false
  dns_lookup_kdc = true
+
    dns_lookup_kdc = true
  default_realm = SAMBA.EXAMPLE.COM
+
    default_realm = SAMDOM.EXAMPLE.COM
 +
 
 +
To verify the settings use the <code>kinit</code> command to request a Kerberos ticket for the domain administrator:
 +
 
 +
# kinit administrator
 +
Password for administrator@SAMDOM.EXAMPLE.COM:
 +
 
 +
To list Kerberos tickets:
 +
 
 +
# klist
 +
Ticket cache: FILE:/tmp/krb5cc_0
 +
Default principal: administrator@SAMDOM.EXAMPLE.COM
 +
 +
Valid starting      Expires              Service principal
 +
24.09.2015 19:56:55  25.09.2015 05:56:55  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
 +
renew until 25.09.2015 19:56:53
 +
 
 +
 
 +
 
 +
 
 +
 
 +
= Joining the Active Directory as a Domain Controller =
 +
 
 +
To join the domain <code>samdom.example.com</code> as a domain controller (DC) that additionally acts as a DNS server using the Samba internal DNS:
 +
 
 +
There are three authentication methods you can use, Username & Password or two kerberos methods (the kerberos methods depend on running <code>kinit</code> as an admin user).
 +
 
 +
Username & Password:
 +
# samba-tool domain join samdom.example.com DC -U"SAMDOM\administrator"
 +
 
 +
Or:
 +
# samba-tool domain join samdom.example.com DC -k yes
 +
 
 +
Or:
 +
# samba-tool domain join samdom.example.com DC --krb5-ccache=/tmp/krb5cc_0
 +
 
 +
Using any of the above, should result in output similar to this:
 +
 
 +
Finding a writeable DC for domain 'samdom.example.com'
 +
Found DC dc1.samdom.example.com
 +
Password for [SAMDOM\administrator]:
 +
workgroup is SAMDOM
 +
realm is samdom.example.com
 +
Adding CN=DC2,OU=Domain Controllers,DC=samdom,DC=example,DC=com
 +
Adding CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
 +
Adding CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
 +
Adding SPNs to CN=DC2,OU=Domain Controllers,DC=samdom,DC=example,DC=com
 +
Setting account password for DC2$
 +
Enabling account
 +
Calling bare provision
 +
Looking up IPv4 addresses
 +
Looking up IPv6 addresses
 +
No IPv6 address will be assigned
 +
Setting up share.ldb
 +
Setting up secrets.ldb
 +
Setting up the registry
 +
Setting up the privileges database
 +
Setting up idmap db
 +
Setting up SAM db
 +
Setting up sam.ldb partitions and settings
 +
Setting up sam.ldb rootDSE
 +
Pre-loading the Samba 4 and AD schema
 +
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
 +
Provision OK for domain DN DC=samdom,DC=example,DC=com
 +
Starting replication
 +
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[402/1550] linked_values[0/0]
 +
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[804/1550] linked_values[0/0]
 +
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[1206/1550] linked_values[0/0]
 +
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[1550/1550] linked_values[0/0]
 +
Analyze and apply schema objects
 +
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[402/1618] linked_values[0/0]
 +
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[804/1618] linked_values[0/0]
 +
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1206/1618] linked_values[0/0]
 +
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1608/1618] linked_values[0/0]
 +
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1618/1618] linked_values[42/0]
 +
Replicating critical objects from the base DN of the domain
 +
Partition[DC=samdom,DC=example,DC=com] objects[100/100] linked_values[23/0]
 +
Partition[DC=samdom,DC=example,DC=com] objects[386/286] linked_values[23/0]
 +
Done with always replicated NC (base, config, schema)
 +
Replicating DC=DomainDnsZones,DC=samdom,DC=example,DC=com
 +
Partition[DC=DomainDnsZones,DC=samdom,DC=example,DC=com] objects[44/44] linked_values[0/0]
 +
Replicating DC=ForestDnsZones,DC=samdom,DC=example,DC=com
 +
Partition[DC=ForestDnsZones,DC=samdom,DC=example,DC=com] objects[19/19] linked_values[0/0]
 +
Committing SAM database
 +
Sending DsReplicaUpdateRefs for all the replicated partitions
 +
Setting isSynchronized and dsServiceName
 +
Setting up secrets database
 +
Joined domain SAMDOM (SID S-1-5-21-469703510-2364959079-1506205053) as a DC
 +
 
 +
See the <code>samba-tool domain join --help</code> command's output for further information.
 +
 
 +
Other parameters frequently used with the <code>samba-tool domain join</code> command:
 +
 
 +
* <code>--dns-backend=NAMESERVER-BACKEND</code>: Use the supplied DNS server backend. Valid options are <code>SAMBA_INTERNAL</code> or <code>BIND9_DLZ</code>, unless you want to use Bind9, there is no need to supply this option.
 +
:: If you use the internal DNS server, you will not be asked for a forwarder and the one in /etc/resolv.conf will not be obtained automatically. You must supply one with <code>--option="dns forwarder=forwarder_ipaddress"</code>.
 +
 +
* <code>--site=SITE</code>: Directly join the host as DC to a specific [[Active_Directory_Sites|Active Directory Site]].
 +
 
 +
* <code>--option="interfaces=lo eth0" --option="bind interfaces only=yes"</code>: If your server has multiple network interfaces, use these options to bind Samba to the specified interfaces. This enables the <code>samba-tool</code> command to register the correct LAN IP address in the directory during the join.
 +
 
 +
{{Imbox
 +
| type = note
 +
| text = If the other DCs are Samba DCs and were provisioned with <code>--use-rfc2307</code>, you Should add <code>--option='idmap_ldb:use rfc2307 = yes'</code> to the join command
 +
}}
 +
 
 +
 
 +
 
 +
 
 +
 
 +
= Verifying the DNS Entries =
 +
 
 +
If you join a Samba DC that runs Samba 4.7 and later, <code>samba-tool</code> created all required DNS entries automatically. To manually create the records on an earlier version, see [[Verifying_and_Creating_a_DC_DNS_Record|Verifying and Creating a DC DNS Record]].
 +
 
 +
 
 +
 
 +
 
 +
 
 +
= Configuring the BIND9_DLZ DNS Back End =
 +
 
 +
If you selected the <code>BIND9_DLZ</code> DNS back end during the domain join, set up the BIND configuration. For details, see [[BIND9_DLZ_DNS_Back_End|BIND9_DLZ DNS Back End]].
 +
 
 +
 
 +
 
 +
 
 +
 
 +
= Built-in User & Group ID Mappings =
 +
{{:SysVol replication (DFS-R)}}
 +
 
 +
 
 +
To use a Sysvol Replication workaround, all domain controllers (DC) must use the same ID mappings for built-in users and groups.
 +
 
 +
By default, a Samba DC stores the user & group IDs in 'xidNumber' attributes in 'idmap.ldb'. Because of the way 'idmap.ldb' works, you cannot guarantee that each DC will use the same ID for a given user or group. To ensure that you do use the same IDs, you must:
 +
 
 +
* Create a hot-backup of the <code>/usr/local/samba/private/idmap.ldb</code> file on the existing DC:
 +
 
 +
# tdbbackup -s .bak /usr/local/samba/private/idmap.ldb
 +
 
 +
: This creates a backup file <code>/usr/local/samba/private/idmap.ldb.bak</code>.
 +
 
 +
* Move the backup file to the <code>/usr/local/samba/private/</code> folder on the new joined DC and remove the <code>.bak</code> suffix to replace the existing file.
 +
 
 +
* Run <code>net cache flush</code> on the new DC.
 +
 
 +
* You will now need to sync Sysvol to the new DC.
 +
 
 +
* Reset the Sysvol folder's file system access control lists (ACL) on the new DC:
 +
 
 +
# samba-tool ntacl sysvolreset
 +
 
 +
 
 +
 
  
You should then test to make sure that DNS and kerberos are setup
 
correctly to point at your existing domain controller. Test that it is
 
all working by trying a kinit as a domain administration:
 
  
kinit administrator
+
= Starting the Samba Service =
Password: XXXXXXXX
 
  
Once all that is setup you can move on to the main domain join step
+
To start the <code>samba</code> Samba Active Directory (AD) domain controller (DC) service manually, enter:
  
== Joining the existing domain as a DC ==
+
# samba
  
Run the following command as root:
+
Samba does not provide System V init scripts, <code>systemd</code>, <code>upstart</code>, or other services configuration files.
 +
* If you installed Samba using packages, use the script or service configuration file included in the package to start Samba.
 +
* If you built Samba, see [[Managing_the_Samba_AD_DC_Service|Managing the Samba AD DC Service]].
  
bin/net vampire samba.example.com -Uadministrator --realm=samba.example.com
 
  
It should show a set of debug messages about replicating the domain contents, like this:
 
  
Partition[CN=Configuration,DC=sample,DC=example,DC=com] objects[1596] linked_values[1]
 
  
then it will show a message like this:
 
  
mark ROOTDSE with isSynchronized=TRUE
+
= Verifying Directory Replication =
Vampired domain VSOFS8 (S-1-5-21-2848215498-2472035911-1947525656)
 
  
at this point you have joined your Samba4 server to the existing domain, and you are ready to start your Samba domain controller.
+
After the domain controller (DC) has been started, the knowledge consistency checker (KCC) on the Samba DC creates replication agreements to other DCs in the Active Directory (AD) forest. It can take up to 15 minutes until the KCC creates the auto-generated replication connections.
  
== Starting Samba ==
+
For details about how to verify that the directory replication works correctly, see [[Verifying the Directory Replication Statuses]].
  
You start samba as a DC in the same way that you start it as a normal server, just run the command 'samba'
+
{{Imbox
from the sbin directory of your installation.
+
| type = note
 +
| text = To optimize replication latency and cost, the KCC in Samba 4.5 and later no longer creates a fully-meshed replication topology between all DCs. For further details, see [[The Samba KCC]].
 +
}}
  
When you first start Samba as a new DC in an existing Windows domain,
 
you may find errors messages like these in the samba log file:
 
  
UpdateRefs failed with WERR_DS_DRA_BAD_NC/NT code 0xc00020f8 for 5344d0a6-78a1-4758be69-66d933f1123._msdcs.samba.example.com CN=RID Manager$,CN=System,DC=samba,DC=example,DC=com
 
  
This is caused by the Windows domain controller not yet having run its
 
Knowledge Consistency Checker (KCC) which means it has not yer created
 
connections to the new Samba DC.
 
  
To fix this, you can either run "repadmin /kcc" on the Windows DC as
 
an administrator, or you can use the Samba net command to do the same
 
thing, like this:
 
  
bin/net drs kcc -Uadministrator windowsdc.samba.example.com
+
= Starting BIND =
  
You should then check that replication between the Windows DC and the
+
Before you start the BIND daemon, verify that the DNS directory partitions have been successfully replicated:
Samba DC is working correctly by using the net drs showrepl command:
 
  
  Default-First-Site-Name\Windows
+
  # samba-tool drs showrepl
DSA Options: 0x00000001
+
  ...
Site Options: (none)
 
DSA object GUID: 794640f3-18cf-40ee-a211-a93992b67a64
 
DSA invocationID: 794640f3-18cf-40ee-a211-a93992b67a64
 
   
 
 
  ==== INBOUND NEIGHBORS ====
 
  ==== INBOUND NEIGHBORS ====
 +
...
 +
DC=DomainDnsZones,DC=samdom,DC=example,DC=com
 +
Default-First-Site-Name\DC1 via RPC
 +
DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
 +
Last attempt @ Thu Sep 24 20:08:45 2015 CEST was successful
 +
0 consecutive failure(s).
 +
Last success @ Thu Sep 24 20:08:45 2015 CEST
 +
...
 +
DC=ForestDnsZones,DC=samdom,DC=example,DC=com
 +
Default-First-Site-Name\DC1 via RPC
 +
DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
 +
Last attempt @ Thu Sep 24 20:08:45 2015 CEST was successful
 +
0 consecutive failure(s).
 +
Last success @ Thu Sep 24 20:08:45 2015 CEST
 +
 +
If the replication works correctly, start the BIND service. See your distribution's documentation for information how to start a service.
 +
 +
 +
 +
 +
 +
= Testing your Samba AD DC =
 +
 +
== Verifying the File Server ==
 +
 +
For details, see [[Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Verifying_the_File_Server|Verifying the File Server]] in the [[Setting_up_Samba_as_an_Active_Directory_Domain_Controller|Setting up Samba as an Active Directory Domain Controller]] documentation.
 +
 +
 +
 +
== Testing the Local DNS Server ==
 +
 +
Skip this step if you selected <code>--dns-backend=NONE</code> during the join.
 +
 +
Query the local DNS server to resolve the domain name <code>samdom.example.com</code>:
 +
 +
# host -t A samdom.example.com localhost
 +
Using domain server:
 +
Name: localhost
 +
Address: 127.0.0.1#53
 +
Aliases:
 
   
 
   
  DC=samba,DC=example,DC=com
+
  samdom.example.com has address 10.99.0.1
        Default-First-Site-Name\SAMBA via RPC
+
samdom.example.com has address 10.99.0.2
                DSA object GUID: 5344d0a6-78a1-4758-be69-b66d933f1123
+
 
                Last attempt @ Fri Feb 26 17:25:41 2010 EST was successful.
+
The local DNS resolves the domain name to the IP addresses of all domain controllers (DC).
                0 consecutive failure(s).
+
 
                Last success @ Fri Feb 26 17:25:41 2010 EST
+
In case you receive no or a different result, review this documentation and check:
+
* the system log files,
CN=Configuration,DC=samba,DC=example,DC=com
+
* the Samba log files,
        Default-First-Site-Name\SAMBA via RPC
+
* the BIND log files, if the <code>BIND9_DLZ</code> is used.
                DSA object GUID: 5344d0a6-78a1-4758-be69-b66d933f1123
+
 
                Last attempt @ Fri Feb 26 17:25:41 2010 EST was successful.
+
 
                0 consecutive failure(s).
+
 
                Last success @ Fri Feb 26 17:25:41 2010 EST
+
== Verifying Kerberos ==
   
+
 
  CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com
+
For details, see [[Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Verifying_Kerberos|Verifying Kerberos]] in the [[Setting_up_Samba_as_an_Active_Directory_Domain_Controller|Setting up Samba as an Active Directory Domain Controller]] documentation.
        Default-First-Site-Name\SAMBA via RPC
+
 
                DSA object GUID: 5344d0a6-78a1-4758-be69-b66d933f1123
+
 
                Last attempt @ Fri Feb 26 17:25:41 2010 EST was successful.
+
 
                0 consecutive failure(s).
+
 
                Last success @ Fri Feb 26 17:25:41 2010 EST
+
 
 +
= DNS Configuration on Domain Controllers =
 +
 
 +
The DNS configuration on domain controllers (DC) is important, because if it is unable to locate other DCs the replication will fail.
 +
 
 +
Set the local IP of the DC as the primary name server. For example:
 +
 
 +
On the new joined DC, use the local <code>10.99.0.2</code> IP as primary <code>nameserver</code> entry:
 +
 
 +
  nameserver 10.99.0.2
 +
  search samdom.example.com
 +
 
 +
 
 +
 
 +
 
 +
 
 +
= Configuring Time Synchronisation =
 +
 
 +
Kerberos requires a synchronised time on all domain members. For further details and how to set up the <code>ntpd</code> service, see [[Time_Synchronisation|Time Synchronisation]].
 +
 
 +
 
 +
 
 +
 
 +
 
 +
= Configuring Winbindd on a Samba AD DC =
 +
 
 +
''Optional''. For details, see [[Configuring_Winbindd_on_a_Samba_AD_DC|Configuring Winbindd on a Samba AD DC]].
 +
 
 +
 
  
== Testing Replication ==
 
  
To check that replication is working correctly between your two domain
 
controllers, try adding a user on the Samba DC using either the Samba
 
command line tools, or the Windows GUI admin tools. Then check that
 
the user shows up within a few seconds on your Windows domain
 
controller.
 
  
Similarly, try modifying a user on the Windows domain controller and
+
= Using the Domain Controller as a File Server =
check that the modifies show up correctly on the Samba server
 
  
===ldapcmp===
+
For details, see [[Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server|Using the Domain Controller as a File Server]].
You may wish to use [[Samba4/ldapcmp|ldapcmp]] to verify that the same data is being served from all domain controllers.
 
  
== Report your success/failure! ==
 
  
Samba4 as a replicating domain controller is still developing rapidly,
 
and we like to hear from users about their successes and
 
failures. While Samba4 is still in alpha release we would encourage
 
you to report both your successes and failures to the samba-technical
 
mailing list on http://lists.samba.org
 
  
Please be aware that Samba4 is not complete, so you should deploy it
 
carefully until it is ready for a non-alpha release.
 
  
= A note on DNS updates =
 
  
As of Samba4 alpha12 Samba4 has the ability to automatically update a
+
= Sysvol Replication =
Windows or bind9 DNS server with the correct set of DNS entries when
 
it becomes a domain controller.
 
  
For this to work correctly between Samba and Windows you may find that
+
Samba currently does not automatically replicate Sysvol, you must use some other form of replication. For community supported workarounds, see [[SysVol_replication_(DFS-R)|Sysvol Replication]].
you need a set of 5 patches to bind9. Those patches are located in the
 
examples/bind9-patches directory of the Samba4 source tree. The
 
patches have been submitted to the bind9 developers and will be
 
incorporated in the future release of bind, but in the meantime you
 
should be able to build bind9 yourself from sources and apply the
 
patches.
 
  
The way the automatic DNS updates works is that Samba regularly (every
+
{{Imbox
10 minutes) calls out to the samba_dnsupdate script that is installed
+
| type = note
along with Samba. That script reads a template file of DNS names to
+
| text = If there are more than the default GPOs in Sysvol on the other DC(s), you must sync Sysvol to the new DC, <code>samba-tool ntacl sysvolreset</code> will throw an error if you do not.
update in the DNS zone from /usr/local/samba/private/dns_update_list.
+
}}
  
The contents of this file look like this:
 
  
A                                                        ${DNSDOMAIN} $IP
 
A                                                        ${HOSTNAME} $IP
 
CNAME ${NTDSGUID}._msdcs.${DNSDOMAIN}                    ${HOSTNAME}
 
SRV _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
 
SRV _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN}    ${HOSTNAME} 389
 
SRV _kerberos._tcp.dc.dc._msdcs.${DNSDOMAIN}            ${HOSTNAME} 88
 
SRV _ldap._tcp.dc.dc._msdcs.${DNSDOMAIN}                ${HOSTNAME} 389
 
SRV _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
 
SRV _ldap._tcp.${SITE}._sites.gc._msdcs.${DNSDOMAIN}    ${HOSTNAME} 3268
 
SRV _ldap._tcp.gc._msdcs.${DNSDOMAIN}                    ${HOSTNAME} 3268
 
SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN}                  ${HOSTNAME} 389
 
SRV _gc._tcp.${SITE}._sites.${DNSDOMAIN}                ${HOSTNAME} 3268
 
SRV _kerberos._tcp.${SITE}._sites.${DNSDOMAIN}          ${HOSTNAME} 88
 
SRV _ldap._tcp.${SITE}._sites.${DNSDOMAIN}         ${HOSTNAME} 389
 
SRV _gc._tcp.${DNSDOMAIN}                                ${HOSTNAME} 3268
 
SRV _kerberos._tcp.${DNSDOMAIN}                          ${HOSTNAME} 88
 
SRV _kpasswd._tcp.${DNSDOMAIN}                          ${HOSTNAME} 464
 
SRV _ldap._tcp.${DNSDOMAIN}                              ${HOSTNAME} 389
 
SRV _kerberos._udp.${DNSDOMAIN}                          ${HOSTNAME} 88
 
SRV _kpasswd._udp.${DNSDOMAIN}                          ${HOSTNAME} 464
 
  
at runtime, Samba will substitute the variables in this file, and call
 
out to the bind9 nsupdate command using the -g option to enable
 
TSIG-GSS DNS updates. It will only make updates for DNS names that it
 
detects are not currently correctly set.
 
  
You can add your own names to dns_update_list list if you want, and
 
Samba will add those on the DNS server. You may also choose not to use
 
TSIG-GSS and instead use a fixed DNS key setup in another bind9
 
server. To do that you will need to modify the 'nsupdate' command that
 
Samba runs, which is settable using the "nsupdate command" smb.conf
 
option. The default is "/usr/bin/nsupdate -g"
 
  
The $IP entries for A records are replaced with the IP interface addresses that Samba detects at runtime,
+
= Testing the Directory Replication =
based on the "interfaces=" smb.conf option.
 
  
 +
To test that the directory replication works correctly, add for example a user on an existing DC and verify that it shows up automatically on the newly joined DC.
  
= Samba4 joining a domain as a RODC (Status for a work in progress) =
+
Optionally use the <code>ldapcmp</code> utility to compare two directories. For details, see [[Samba-tool_ldapcmp|samba-tool ldapcmp]].
  
For the TODO list see [http://wiki.samba.org/index.php/Samba4_DRS_TODO_List#Support_RODC Support RODC TODO]
 
  
'''Main features implemented'''
 
  
* Joinining as a RODC to Windows DC
 
  
To do that one should do a net/vampire, the command line looks something like this:
 
  
sudo bin/net vampire -UAdministrator%password --target-dir=/home/ant/prefix.win/ --option="repl:rodc=true" win.dev
+
= Troubleshooting =
 
* Added support for RODC FAS
 
  
* Added support for unidirectional replication
+
For further details, see [[Samba_AD_DC_Troubleshooting|Samba AD DC Troubleshooting]].
  
* Added support for read-only database
 
  
'''Main features in the TODO list'''
 
  
* Support Administrator role separation
 
  
* Support Credential caching
 
  
* Join Windows as a RODC in Samba4 domain - blocked by kerberos tgt stuff.
+
----
 +
[[Category:Active Directory]]
 +
[[Category:Domain Control]]

Latest revision as of 09:35, 8 September 2019

Introduction

Running one domain controller (DC) is sufficient for a working Active Directory (AD) forest. However, for failover and load balancing reasons, you should add further DCs to your AD forest. Joining an additional Samba DC to an existing AD differs from provisioning the first DC in a forest. If you set up a new AD forest, see Setting up Samba as an Active Directory Domain Controller.



Preparing the Installation

For details, see Preparing the Installation in the Setting up Samba as an Active Directory Domain Controller documentation.



Installing Samba

For details, see Installing Samba.



Preparing the Host for Joining the Domain

Local DNS server

By default, the first Domain Controller (DC) in a forest runs a DNS server for Active Directory (AD)-based zones. For failover reasons it is recommended to run multiple DCs acting as a DNS server in a network. If you consider providing a DNS service on the new DC:

  • For the BIND9_DLZ back end, see BIND9_DLZ DNS Back End. Finish this task before you start the Samba DC service.
  • For the internal DNS no further actions are required.


Configuring DNS

For details, see Linux and Unix DNS Configuration.


Kerberos

Set the following settings in your Kerberos client configuration file /etc/krb5.conf:

[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = SAMDOM.EXAMPLE.COM

To verify the settings use the kinit command to request a Kerberos ticket for the domain administrator:

# kinit administrator
Password for administrator@SAMDOM.EXAMPLE.COM:

To list Kerberos tickets:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@SAMDOM.EXAMPLE.COM

Valid starting       Expires              Service principal
24.09.2015 19:56:55  25.09.2015 05:56:55  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
	renew until 25.09.2015 19:56:53



Joining the Active Directory as a Domain Controller

To join the domain samdom.example.com as a domain controller (DC) that additionally acts as a DNS server using the Samba internal DNS:

There are three authentication methods you can use, Username & Password or two kerberos methods (the kerberos methods depend on running kinit as an admin user).

Username & Password:

# samba-tool domain join samdom.example.com DC -U"SAMDOM\administrator"

Or:

# samba-tool domain join samdom.example.com DC -k yes

Or:

# samba-tool domain join samdom.example.com DC --krb5-ccache=/tmp/krb5cc_0

Using any of the above, should result in output similar to this:

Finding a writeable DC for domain 'samdom.example.com'
Found DC dc1.samdom.example.com
Password for [SAMDOM\administrator]:
workgroup is SAMDOM
realm is samdom.example.com
Adding CN=DC2,OU=Domain Controllers,DC=samdom,DC=example,DC=com
Adding CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
Adding CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
Adding SPNs to CN=DC2,OU=Domain Controllers,DC=samdom,DC=example,DC=com
Setting account password for DC2$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Provision OK for domain DN DC=samdom,DC=example,DC=com
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[402/1618] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[804/1618] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1206/1618] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1608/1618] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1618/1618] linked_values[42/0]
Replicating critical objects from the base DN of the domain
Partition[DC=samdom,DC=example,DC=com] objects[100/100] linked_values[23/0]
Partition[DC=samdom,DC=example,DC=com] objects[386/286] linked_values[23/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=samdom,DC=example,DC=com
Partition[DC=DomainDnsZones,DC=samdom,DC=example,DC=com] objects[44/44] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=samdom,DC=example,DC=com
Partition[DC=ForestDnsZones,DC=samdom,DC=example,DC=com] objects[19/19] linked_values[0/0]
Committing SAM database
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain SAMDOM (SID S-1-5-21-469703510-2364959079-1506205053) as a DC

See the samba-tool domain join --help command's output for further information.

Other parameters frequently used with the samba-tool domain join command:

  • --dns-backend=NAMESERVER-BACKEND: Use the supplied DNS server backend. Valid options are SAMBA_INTERNAL or BIND9_DLZ, unless you want to use Bind9, there is no need to supply this option.
If you use the internal DNS server, you will not be asked for a forwarder and the one in /etc/resolv.conf will not be obtained automatically. You must supply one with --option="dns forwarder=forwarder_ipaddress".
  • --option="interfaces=lo eth0" --option="bind interfaces only=yes": If your server has multiple network interfaces, use these options to bind Samba to the specified interfaces. This enables the samba-tool command to register the correct LAN IP address in the directory during the join.



Verifying the DNS Entries

If you join a Samba DC that runs Samba 4.7 and later, samba-tool created all required DNS entries automatically. To manually create the records on an earlier version, see Verifying and Creating a DC DNS Record.



Configuring the BIND9_DLZ DNS Back End

If you selected the BIND9_DLZ DNS back end during the domain join, set up the BIND configuration. For details, see BIND9_DLZ DNS Back End.



Built-in User & Group ID Mappings

Samba in its current state doesn't support SysVol replication via DFS-R (Distributed File System Replication) or the older FRS (File Replication Service) used in Windows Server 2000/2003 for Sysvol replication.

We Currently advise administrators to use one of the following workarounds:


To use a Sysvol Replication workaround, all domain controllers (DC) must use the same ID mappings for built-in users and groups.

By default, a Samba DC stores the user & group IDs in 'xidNumber' attributes in 'idmap.ldb'. Because of the way 'idmap.ldb' works, you cannot guarantee that each DC will use the same ID for a given user or group. To ensure that you do use the same IDs, you must:

  • Create a hot-backup of the /usr/local/samba/private/idmap.ldb file on the existing DC:
# tdbbackup -s .bak /usr/local/samba/private/idmap.ldb
This creates a backup file /usr/local/samba/private/idmap.ldb.bak.
  • Move the backup file to the /usr/local/samba/private/ folder on the new joined DC and remove the .bak suffix to replace the existing file.
  • Run net cache flush on the new DC.
  • You will now need to sync Sysvol to the new DC.
  • Reset the Sysvol folder's file system access control lists (ACL) on the new DC:
# samba-tool ntacl sysvolreset



Starting the Samba Service

To start the samba Samba Active Directory (AD) domain controller (DC) service manually, enter:

# samba

Samba does not provide System V init scripts, systemd, upstart, or other services configuration files.

  • If you installed Samba using packages, use the script or service configuration file included in the package to start Samba.
  • If you built Samba, see Managing the Samba AD DC Service.



Verifying Directory Replication

After the domain controller (DC) has been started, the knowledge consistency checker (KCC) on the Samba DC creates replication agreements to other DCs in the Active Directory (AD) forest. It can take up to 15 minutes until the KCC creates the auto-generated replication connections.

For details about how to verify that the directory replication works correctly, see Verifying the Directory Replication Statuses.



Starting BIND

Before you start the BIND daemon, verify that the DNS directory partitions have been successfully replicated:

# samba-tool drs showrepl
...
==== INBOUND NEIGHBORS ====
...
DC=DomainDnsZones,DC=samdom,DC=example,DC=com
	Default-First-Site-Name\DC1 via RPC
		DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
		Last attempt @ Thu Sep 24 20:08:45 2015 CEST was successful
		0 consecutive failure(s).
		Last success @ Thu Sep 24 20:08:45 2015 CEST
...
DC=ForestDnsZones,DC=samdom,DC=example,DC=com
	Default-First-Site-Name\DC1 via RPC
		DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
		Last attempt @ Thu Sep 24 20:08:45 2015 CEST was successful
		0 consecutive failure(s).
		Last success @ Thu Sep 24 20:08:45 2015 CEST

If the replication works correctly, start the BIND service. See your distribution's documentation for information how to start a service.



Testing your Samba AD DC

Verifying the File Server

For details, see Verifying the File Server in the Setting up Samba as an Active Directory Domain Controller documentation.


Testing the Local DNS Server

Skip this step if you selected --dns-backend=NONE during the join.

Query the local DNS server to resolve the domain name samdom.example.com:

# host -t A samdom.example.com localhost
Using domain server:
Name: localhost
Address: 127.0.0.1#53
Aliases:

samdom.example.com has address 10.99.0.1
samdom.example.com has address 10.99.0.2

The local DNS resolves the domain name to the IP addresses of all domain controllers (DC).

In case you receive no or a different result, review this documentation and check:

  • the system log files,
  • the Samba log files,
  • the BIND log files, if the BIND9_DLZ is used.


Verifying Kerberos

For details, see Verifying Kerberos in the Setting up Samba as an Active Directory Domain Controller documentation.



DNS Configuration on Domain Controllers

The DNS configuration on domain controllers (DC) is important, because if it is unable to locate other DCs the replication will fail.

Set the local IP of the DC as the primary name server. For example:

On the new joined DC, use the local 10.99.0.2 IP as primary nameserver entry:

nameserver 10.99.0.2
search samdom.example.com



Configuring Time Synchronisation

Kerberos requires a synchronised time on all domain members. For further details and how to set up the ntpd service, see Time Synchronisation.



Configuring Winbindd on a Samba AD DC

Optional. For details, see Configuring Winbindd on a Samba AD DC.



Using the Domain Controller as a File Server

For details, see Using the Domain Controller as a File Server.



Sysvol Replication

Samba currently does not automatically replicate Sysvol, you must use some other form of replication. For community supported workarounds, see Sysvol Replication.



Testing the Directory Replication

To test that the directory replication works correctly, add for example a user on an existing DC and verify that it shows up automatically on the newly joined DC.

Optionally use the ldapcmp utility to compare two directories. For details, see samba-tool ldapcmp.



Troubleshooting

For further details, see Samba AD DC Troubleshooting.