Joining a Samba DC to an Existing Active Directory: Difference between revisions

From SambaWiki
m (→‎FAQ: UID/GID issue for built-in groups)
mNo edit summary
 
(125 intermediate revisions by 8 users not shown)
Line 1: Line 1:
= Introduction =
= Samba4 joining a domain as a DC =


Running one domain controller (DC) is sufficient for a working Active Directory (AD) forest. However, for redundancy and load balancing reasons, you should add further DCs to your AD forest. Joining an additional Samba DC to an existing AD differs from provisioning the first DC in a forest. If you set up a new AD forest, see [[Setting_up_Samba_as_an_Active_Directory_Domain_Controller|Setting up Samba as an Active Directory Domain Controller]].
As of Samba4 alpha11, Samba4 has the ability to join an existing Active Directory domain as an additional domain controller. The process of joining a Samba4 server to an existing domain is a bit different to provisioning a new domain. This process is the equivalent of the 'dcpromo' command on Windows servers.


{{Imbox
This HOWTO will assume you had configured and installed Samba in the default location of /usr/local/samba. It assumes you are joining Samba to an existing domain called 'samdom.example.com'.
| type = warning
| text = Do not provision a Computer as a Samba AD DC, then try to join it to an existing AD domain. This will not work, you only need to run the <code>samba-tool domain join</code> command to join a Computer to the existing AD domain.
}}


{{Imbox
Please note that the following steps are the same regardless of whether you are joining Samba to an existing Windows based domain or an existing Samba based domain.
| type = warning
| text = If you are joining a Samba as a DC to an existing Windows AD domain that was provisioned as a Windows 2003 (or earlier) DC, you must ensure that it is running a domain integrated DNS server. This dns server must be configured with 2008 behaviour.
}}


{{Imbox
| type = note
| text = An NT4 domain uses only one Primary Domain Controller (PDC) and optionally additional Backup Domain Controllers (BDC). In an AD forest, there is no difference between DCs, except for the [[Flexible_Single-Master_Operations_(FSMO)_Roles|FSMO roles]]. Use only the term "domain controller" or "DC" when you talk about AD to avoid any possibility of confusion.
}}




== Getting ready for joining Samba as a DC to an existing domain ==


* You need to install Samba as a DC, as described in the [[Samba_AD_DC_HOWTO|Samba AD DC HowTo]], but don't do the provision/classicupgrade step. If you choose [[DNS_Backend_BIND|BIND as DNS backend]], instead of the internal DNS, then you, of course, have to finish this before you continue. Depending on your needs, you can have different backends on each of your DC.


* You should remove any existing smb.conf in /usr/local/samba/etc/.


= Preparing the Installation =
* Be sure, that you have your setup your existing domain correctly as your default realm in /etc/krb5.conf with the following options:

For details, see [[Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Preparing_the_Installation|Preparing the Installation]] in the [[Setting_up_Samba_as_an_Active_Directory_Domain_Controller|Setting up Samba as an Active Directory Domain Controller]] documentation.





= Installing Samba =

For details, see [[Installing_Samba|Installing Samba]].

{{Imbox
| type = note
| text = Install a maintained Samba version. For details, see [[Samba_Release_Planning|Samba Release Planning]].
}}





= Preparing the Host for Joining the Domain =

== Local DNS server ==

By default, the first Domain Controller (DC) in a forest runs a DNS server for Active Directory (AD)-based zones. For redundancy reasons it is recommended to run multiple DCs acting as a DNS server in a network. If you consider providing a DNS service on the new DC:

* For the <code>BIND9_DLZ</code> back end, see [[BIND9_DLZ_DNS_Back_End|BIND9_DLZ DNS Back End]]. Finish this task before you start the Samba DC service.
* For the internal DNS no further actions are required.



== Configuring DNS ==

{{Imbox
| type = note
| text = The 'nameserver' you set in '/etc/resolv.conf' should be another AD DC, otherwise the join could have difficulty finding a KDC.
}}

{{Imbox
| type = note
| text = If you are joining a new DC the 'nameserver' you set in '/etc/resolv.conf' must be another AD DC, otherwise the join will not be work. Once the new join has succeeded, you need to change the 'nameserver' to the new DCs ipaddress, do not use '127.0.0.1' or any other IP.
}}


For details, see [[Linux_and_Unix_DNS_Configuration|Linux and Unix DNS Configuration]].





== Kerberos ==

Set the following settings in your Kerberos client configuration file <code>/etc/krb5.conf</code>:


[libdefaults]
[libdefaults]
dns_lookup_realm = true
dns_lookup_realm = false
dns_lookup_kdc = true
dns_lookup_kdc = true
default_realm = SAMDOM.EXAMPLE.COM
default_realm = SAMDOM.EXAMPLE.COM


To verify the settings use the <code>kinit</code> command to request a Kerberos ticket for the domain administrator:
* You should then test to make sure that DNS and kerberos are setup correctly to point at your existing domain controller. Test that it is all working by trying a kinit as a domain administration:


# kinit administrator
# kinit administrator
Password: XXXXXXXX
Password for administrator@SAMDOM.EXAMPLE.COM:


To list Kerberos tickets:
* klist should should give you an output like the following:


# klist
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@samdom.example.com
Default principal: administrator@SAMDOM.EXAMPLE.COM
Valid starting Expires Service principal
Valid starting Expires Service principal
11/11/12 17:29:51 11/12/12 03:29:51 krbtgt/samdom.example.com@samdom.example.com
24.09.2015 19:56:55 25.09.2015 05:56:55 krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
renew until 11/12/12 17:29:49
renew until 25.09.2015 19:56:53


* Once all that is setup you can move on to the join domain step.






== Joining the existing domain as a DC ==


= Configuring Time Synchronisation =
* Make sure, that your /etc/resolv.conf contains at least one „nameserver“ entry, pointing to a DNS, that can resolve your Samba AD zone(s). Example:


Kerberos requires a synchronised time on all domain members. For further details and how to set up the <code>ntpd</code> service, see [[Time_Synchronisation|Time Synchronisation]].
nameserver 10.99.0.1


* Run the following command as root:


# bin/samba-tool domain join samdom.example.com DC -Uadministrator --realm=samdom.example.com


:Since samba4 rc2 the internal DNS server is default. If you want to join this or a higher version with using [[DNS_Backend_BIND|BIND as DNS backend]], use the following command:


# bin/samba-tool domain join samdom.example.com DC -Uadministrator --realm=samdom.example.com --dns-backend=BIND9_DLZ


= Joining the Active Directory as a Domain Controller =
* During the join, you should see a set of debug messages about replicating the domains content, like this:


To join the domain <code>samdom.example.com</code> as a domain controller (DC) that additionally acts as a DNS server using the Samba internal DNS:
Partition[CN=Configuration,DC=samba,DC=example,DC=com] objects[1614/1614] linked_values[28/0]


There are three authentication methods you can use, Username & Password or two kerberos methods (the kerberos methods depend on running <code>kinit</code> as an admin user).
* At the end, you will see a message like this:


Username & Password:
Joined domain SAMBA (SID S-1-5-21-3565189888-2228146013-2029845409) as a DC
# samba-tool domain join samdom.example.com DC -U"SAMDOM\administrator"


Or:
* Now you have joined your Samba4 server to your existing domain.
# samba-tool domain join samdom.example.com DC -k yes


Or:
# samba-tool domain join samdom.example.com DC --use-krb5-ccache=/tmp/krb5cc_0


Using any of the above, should result in output similar to this:


Finding a writeable DC for domain 'samdom.example.com'
== Check required DNS entries of the new host ==
Found DC dc1.samdom.example.com
Password for [SAMDOM\administrator]:
workgroup is SAMDOM
realm is samdom.example.com
Adding CN=DC2,OU=Domain Controllers,DC=samdom,DC=example,DC=com
Adding CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
Adding CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
Adding SPNs to CN=DC2,OU=Domain Controllers,DC=samdom,DC=example,DC=com
Setting account password for DC2$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Provision OK for domain DN DC=samdom,DC=example,DC=com
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[402/1618] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[804/1618] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1206/1618] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1608/1618] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1618/1618] linked_values[42/0]
Replicating critical objects from the base DN of the domain
Partition[DC=samdom,DC=example,DC=com] objects[100/100] linked_values[23/0]
Partition[DC=samdom,DC=example,DC=com] objects[386/286] linked_values[23/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=samdom,DC=example,DC=com
Partition[DC=DomainDnsZones,DC=samdom,DC=example,DC=com] objects[44/44] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=samdom,DC=example,DC=com
Partition[DC=ForestDnsZones,DC=samdom,DC=example,DC=com] objects[19/19] linked_values[0/0]
Committing SAM database
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain SAMDOM (SID S-1-5-21-469703510-2364959079-1506205053) as a DC


See the <code>samba-tool domain join --help</code> command's output for further information.
* Before you start samba, you should check, if the new DCs DNS entries are set correctly during joining. This doesn't currently work 100% and have to be done manually in that case.


Other parameters frequently used with the <code>samba-tool domain join</code> command:
* From the new host, try to resolve its hostname:


* <code>--dns-backend=NAMESERVER-BACKEND</code>: Use the supplied DNS server backend. Valid options are <code>SAMBA_INTERNAL</code> or <code>BIND9_DLZ</code>, unless you want to use Bind9, there is no need to supply this option.
# host -t A dc2.samdom.example.com.
:: If you use the internal DNS server, you will not be asked for a forwarder and the one in /etc/resolv.conf will not be obtained automatically. You must supply one with <code>--option="dns forwarder=forwarder_ipaddress"</code>.
* <code>--site=SITE</code>: Directly join the host as DC to a specific [[Active_Directory_Sites|Active Directory Site]].


* <code>--option="interfaces=lo eth0" --option="bind interfaces only=yes"</code>: If your server has multiple network interfaces, use these options to bind Samba to the specified interfaces. This enables the <code>samba-tool</code> command to register the correct LAN IP address in the directory during the join.
:If this fails, you have to add the A record by hand. Run on your existing DC:


{{Imbox
# samba-tool dns add IP-of-your-DNS-server samdom.example.com DC2 A IP-of-the-DC-you-had-joined -Uadministrator
| type = note
| text = If the other DCs are Samba DCs and were provisioned with <code>--use-rfc2307</code>, you Should add <code>--option='idmap_ldb:use rfc2307 = yes'</code> to the join command
}}


* Also you should check, if the objectGUID is resolvable to the new hostname. For that, run


# ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid


:to find out the objectGUID of the new server. The command should give you an output like


# record 1
dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=example,DC=com
objectGUID: 737506d0-bfe6-40c8-815d-08c3dff7a67f
...


= Starting the Samba Service =
:In this case, 737506d0-bfe6-40c8-815d-08c3dff7a67f is the objectGUID of the new DC, we'll query with the following command:


To start the <code>samba</code> Samba Active Directory (AD) domain controller (DC) service manually, enter:
# host -t CNAME 737506d0-bfe6-40c8-815d-08c3dff7a67f._msdcs.samdom.example.com.


# samba
:This should output you the alias (CNAME) of this entry pointing to your new DC name.
:If this record is also missing, you have to add it, too:


Samba does not provide System V init scripts, <code>systemd</code>, <code>upstart</code>, or other services configuration files.
# samba-tool dns add IP-of-your-DNS _msdcs.samdom.example.com 737506d0-bfe6-40c8-815d-08c3dff7a67f CNAME DC2.samdom.example.com -Uadministrator
* If you installed Samba using packages, use the script or service configuration file included in the package to start Samba.
* If you built Samba, see [[Managing_the_Samba_AD_DC_Service|Managing the Samba AD DC Service]].


:If you are running BIND as DNS backend and still can't resolve the new added DNS entries, see [[DNS_Backend_BIND#New_added_DNS_entries_are_not_resolvable|BIND DNS backend: New added DNS entries are not resolvable]].


* Now it's time to put a „nameserver“ entry of your new DC in your /etc/resolv.conf (if you don't have joined the new DC with „--dns-backend=none“). Example:


nameserver 10.99.0.2


It should be noted that although DNS replication is active, additional DNS configurations such as forwarders are not copied. See [[Samba_AD_DC_HOWTO#Configure_DNS|Configure DNS]] for more details.


= Verifying the DNS Entries =
== Starting Samba ==


{{Imbox
You start samba as a DC in the same way that you start it as a normal
| type = note
server, just run the command 'samba' from the sbin directory of your
| text = Once the join has succeeded You should change the first nameserver in /etc/resolv.conf to the new DC's ipaddress. This will aid in the creation of the required dns records not created by the join.
installation.
}}


If you join a Samba DC that runs Samba 4.7.0 and later, <code>samba-tool</code> will create the required initial DNS entries automatically. To manually create these records on an earlier version, see [[Verifying_and_Creating_a_DC_DNS_Record|Verifying and Creating a DC DNS Record]]. Once Samba starts, the <code>samba_dnsupdate</code> script should create all the other required DNS entries.
When you first start Samba as a new DC in an existing Windows domain,
you may find errors messages like these in the samba log file:


UpdateRefs failed with WERR_DS_DRA_BAD_NC/NT code 0xc00020f8 for 5344d0a6-78a1-4758be69-66d933f1123._msdcs.samdom.example.com CN=RID Manager$,CN=System,DC=samba,DC=example,DC=com


This is caused by the Windows domain controller that haven't yet run its
Knowledge Consistency Checker (KCC), which means it has not yet created
connections to the new Samba DC.


To fix this, you can either run "repadmin /kcc" on the Windows DC as
an administrator, or you can use the samba-tool command to do the same
thing, like this:


# samba-tool drs kcc -Uadministrator windowsdc.samdom.example.com


= Configuring the BIND9_DLZ DNS Back End =
You should then check that replication between the Windows DC and the
Samba DC is working correctly by using:


If you selected the <code>BIND9_DLZ</code> DNS back end during the domain join, set up the BIND configuration. For details, see [[BIND9_DLZ_DNS_Back_End|BIND9_DLZ DNS Back End]].
# samba-tool drs showrepl
Default-First-Site-Name\DC2
DSA Options: 0x00000001
DSA object GUID: 737506d0-bfe6-40c8-815d-08c3dff7a67f
DSA invocationId: eb242434-ca7e-4da7-9b1d-b289ba1922e9
==== INBOUND NEIGHBORS ====
DC=samba,DC=example,DC=com
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 25e33532-42f2-4082-b9f4-072f9108b565
Last attempt @ Sun Nov 11 18:02:02 2012 CET was successful
0 consecutive failure(s).
Last success @ Sun Nov 11 18:02:02 2012 CET
CN=Configuration,DC=samba,DC=example,DC=com
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 25e33532-42f2-4082-b9f4-072f9108b565
Last attempt @ Sun Nov 11 18:02:02 2012 CET was successful
0 consecutive failure(s).
Last success @ Sun Nov 11 18:02:02 2012 CET
.....






== Testing Directory Replication ==


To check that replication is working correctly between your two domain
controllers, try adding a user on the Samba DC using either the Samba
command line tools, or the Windows GUI admin tools. Then check that
the user shows up within a few seconds on your Windows domain
controller.


= Built-in User & Group ID Mappings =
Similarly, try modifying a user on the Windows domain controller and
{{:SysVol replication (DFS-R)}}
check that the modifies show up correctly on the Samba server




To use a Sysvol Replication workaround, all domain controllers (DC) must use the same ID mappings for built-in users and groups.


By default, a Samba DC stores the user & group IDs in 'xidNumber' attributes in 'idmap.ldb'. Because of the way 'idmap.ldb' works, you cannot guarantee that each DC will use the same ID for a given user or group. To ensure that you do use the same IDs, you must:
===ldapcmp===


* Create a hot-backup of the <code>/usr/local/samba/private/idmap.ldb</code> file on the existing DC:
You may wish to use [[Samba4/ldapcmp|ldapcmp]] to verify that the same data
is being served from all domain controllers.


# tdbbackup -s .bak /usr/local/samba/private/idmap.ldb


: This creates a backup file <code>/usr/local/samba/private/idmap.ldb.bak</code>.


* Move the backup file to the <code>/usr/local/samba/private/</code> folder on the new joined DC and remove the <code>.bak</code> suffix to replace the existing file.
== A Note on SysVol replication ==


* Run <code>net cache flush</code> on the new DC.
Currently the replication of the SysVol share isn't implemented. If you make any changes
on that share, you have to keep the shares on all your DCs in sync manually (e. g. with an rsync cronjob).
An example way how to achieve this, you can find in the [[SysVol_Replication|SysVol Replication Howto]].


* You will now need to sync Sysvol to the new DC.
== Note if you AD DC is Samba ==


* Reset the Sysvol folder's file system access control lists (ACL) on the new DC:
There are UID/GID issue for the built-in Users/Groups on sysvol when our DC are Samba
As we have yet a method to replicate the UID/GID from the existing Samba DC.
Please try the following


# samba-tool ntacl sysvolreset
# Stop All Samba AD DC
# copy the /var/lib/samba/private/idmap.ldb to the new Samba AD DC
# restart Samba AD DC


== Report your success/failure! ==


Samba4 as a replicating domain controller is still developing rapidly,
and we like to hear from users about their successes and
failures. While Samba4 is still in rc state we would encourage
you to report both your successes and failures to the samba-technical
mailing list on http://lists.samba.org


Please be aware that Samba4 is not complete, so you should deploy it
carefully until it is ready for production.




= Verifying Directory Replication =


After the domain controller (DC) has been started, the knowledge consistency checker (KCC) on the Samba DC creates replication agreements to other DCs in the Active Directory (AD) forest. It can take up to 15 minutes until the KCC creates the auto-generated replication connections.


For details about how to verify that the directory replication works correctly, see [[Verifying the Directory Replication Statuses]].


{{Imbox
= FSMO role transfer =
| type = note
| text = To optimize replication latency and cost, the KCC in Samba 4.5 and later no longer creates a fully-meshed replication topology between all DCs. For further details, see [[The Samba KCC]].
}}


You can transfer FSMO roles from an existing DC to a [[Samba_AD_DC_HOWTO|Samba AD DC]], by seizing them from your Samba AD machine:


# samba-tool fsmo seize --role=....


You can seize all five roles: rid, schema, naming, pdc and infrastructure (you can use "--role=all" to seize all at once).


'''Note:''' The role seizing function was broken in the past ([https://bugzilla.samba.org/show_bug.cgi?id=9461 Bug report 9461]). This was fixed in 4.0.10/4.1.0. If you are running an affected version, you should consider upgrading first!


= Starting BIND =


Before you start the BIND daemon, verify that the DNS directory partitions have been successfully replicated:


# samba-tool drs showrepl
...
==== INBOUND NEIGHBORS ====
...
DC=DomainDnsZones,DC=samdom,DC=example,DC=com
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
Last attempt @ Thu Sep 24 20:08:45 2015 CEST was successful
0 consecutive failure(s).
Last success @ Thu Sep 24 20:08:45 2015 CEST
...
DC=ForestDnsZones,DC=samdom,DC=example,DC=com
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
Last attempt @ Thu Sep 24 20:08:45 2015 CEST was successful
0 consecutive failure(s).
Last success @ Thu Sep 24 20:08:45 2015 CEST


If the replication works correctly, start the BIND service. See your distribution's documentation for information how to start a service.


= A note on DNS updates =


As of Samba4 alpha12 Samba4 has the ability to automatically update a
Windows or bind9 DNS server with the correct set of DNS entries when
it becomes a domain controller.


For this to work correctly between Samba and Windows you may find that
you need a set of 5 patches to bind9. Those patches are located in the
examples/bind9-patches directory of the Samba4 source tree. The
patches have been submitted to the bind9 developers and will be
incorporated in the future release of bind, but in the meantime you
should be able to build bind9 yourself from sources and apply the
patches.


The way the automatic DNS updates works is that Samba regularly (every
10 minutes) calls out to the samba_dnsupdate script that is installed
along with Samba. That script reads a template file of DNS names to
update in the DNS zone from /usr/local/samba/private/dns_update_list.


= Testing your Samba AD DC =
The contents of this file look like this:


== Verifying the File Server ==
A ${DNSDOMAIN} $IP
A ${HOSTNAME} $IP
CNAME ${NTDSGUID}._msdcs.${DNSDOMAIN} ${HOSTNAME}
SRV _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
SRV _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
SRV _kerberos._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
SRV _ldap._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
SRV _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
SRV _ldap._tcp.${SITE}._sites.gc._msdcs.${DNSDOMAIN} ${HOSTNAME} 3268
SRV _ldap._tcp.gc._msdcs.${DNSDOMAIN} ${HOSTNAME} 3268
SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
SRV _gc._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 3268
SRV _kerberos._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 88
SRV _ldap._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 389
SRV _gc._tcp.${DNSDOMAIN} ${HOSTNAME} 3268
SRV _kerberos._tcp.${DNSDOMAIN} ${HOSTNAME} 88
SRV _kpasswd._tcp.${DNSDOMAIN} ${HOSTNAME} 464
SRV _ldap._tcp.${DNSDOMAIN} ${HOSTNAME} 389
SRV _kerberos._udp.${DNSDOMAIN} ${HOSTNAME} 88
SRV _kpasswd._udp.${DNSDOMAIN} ${HOSTNAME} 464


For details, see [[Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Verifying_the_File_Server|Verifying the File Server]] in the [[Setting_up_Samba_as_an_Active_Directory_Domain_Controller|Setting up Samba as an Active Directory Domain Controller]] documentation.
at runtime, Samba will substitute the variables in this file, and call
out to the bind9 nsupdate command using the -g option to enable
TSIG-GSS DNS updates. It will only make updates for DNS names that it
detects are not currently correctly set.


You can add your own names to dns_update_list list if you want, and
Samba will add those on the DNS server. You may also choose not to use
TSIG-GSS and instead use a fixed DNS key setup in another bind9
server. To do that you will need to modify the 'nsupdate' command that
Samba runs, which is settable using the "nsupdate command" smb.conf
option. The default is "/usr/bin/nsupdate -g"



The $IP entries for A records are replaced with the IP interface addresses that Samba detects at runtime,
== Testing the Local DNS Server ==
based on the "interfaces=" smb.conf option.

Skip this step if you selected <code>--dns-backend=NONE</code> during the join.

Query the local DNS server to resolve the domain name <code>samdom.example.com</code>:

# host -t A samdom.example.com localhost
Using domain server:
Name: localhost
Address: 127.0.0.1#53
Aliases:
samdom.example.com has address 10.99.0.1
samdom.example.com has address 10.99.0.2

The local DNS resolves the domain name to the IP addresses of all domain controllers (DC).

In case you receive no or a different result, review this documentation and check:
* the system log files,
* the Samba log files,
* the BIND log files, if the <code>BIND9_DLZ</code> is used.



== Verifying Kerberos ==

For details, see [[Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Verifying_Kerberos|Verifying Kerberos]] in the [[Setting_up_Samba_as_an_Active_Directory_Domain_Controller|Setting up Samba as an Active Directory Domain Controller]] documentation.





= DNS Configuration on Domain Controllers =

The DNS configuration on domain controllers (DC) is important, because if it is unable to locate other DCs the replication will fail.

Set the local IP of the DC as the primary name server. For example:

On the new joined DC, use the local <code>10.99.0.2</code> IP as primary <code>nameserver</code> entry:

nameserver 10.99.0.2
search samdom.example.com









= Configuring Winbindd on a Samba AD DC =


''Optional''. For details, see [[Configuring_Winbindd_on_a_Samba_AD_DC|Configuring Winbindd on a Samba AD DC]].
= Joining a domain as a RODC (Status for a work in progress) =


For the TODO list see [http://wiki.samba.org/index.php/Samba4_DRS_TODO_List#Support_RODC Support RODC TODO]


'''Main features implemented'''


* Joining as a RODC to Windows DC


To do that one should do a samba-tool join (or samba-tool domain join), something like this:


= Using the Domain Controller as a File Server =
sudo bin/samba-tool join win.dev RODC -U Administrator --password=%password --target-dir=/home/ant/prefix.win/


For details, see [[Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server|Using the Domain Controller as a File Server]].
or (for newer versions of Samba):


sudo bin/samba-tool domain join win.dev RODC -U Administrator --password=%password --targetdir=/home/ant/prefix.win/


* Preloading users for RODC


Users' passwords are not cached by default in a RODC environment.
To accomplish that, one should perform the following actions:


# Add desired users to the "Allowed RODC Password Replication Group"
# Add trusted sources to the "Password Replication Policy" under RODC properties
# You must preload users in your RODC with
sudo /bin/samba-tool rodc preload myuser --server=myserver.mydomain.com


= Sysvol Replication =
* Added support for RODC FAS


Samba currently does not automatically replicate Sysvol, you must use some other form of replication. For community supported workarounds, see [[SysVol_replication_(DFS-R)|Sysvol Replication]].
* Added support for unidirectional replication


{{Imbox
* Added support for read-only database
| type = note
| text = If there are more than the default GPOs in Sysvol on the other DC(s), you must sync Sysvol to the new DC, <code>samba-tool ntacl sysvolreset</code> will throw an error if you do not.
}}


'''Main features in the TODO list'''


* Support Administrator role separation


* Support Credential caching


* Join Windows as a RODC in Samba4 domain - blocked by kerberos tgt stuff.


= Testing the Directory Replication =


To test that the directory replication works correctly, add for example a user on an existing DC and verify that it shows up automatically on the newly joined DC.


Optionally use the <code>ldapcmp</code> utility to compare two directories. For details, see [[Samba-tool_ldapcmp|samba-tool ldapcmp]].




= FAQ =


== Message: "Failed to find our own NTDS Settings invocationId in the ldb!" during joining ==


Check if you have an existing <tt>smb.conf</tt> and remove it befor joining.


= Troubleshooting =


For further details, see [[Samba_AD_DC_Troubleshooting|Samba AD DC Troubleshooting]].


== Message: Warning: No NC replicated for Connection! ==


When Samba registers for replication, there are a couple of flags that aren't correctly set. That's what the DRS command shows: They are not set. It's pretty harmless and you can ignore this warning.




== Question: UID/GID mapping between DCs for the built-in users/groups are different, Why? ==


----
If both your DC are Samba, there are current issues with UID/GID mapping between DCs for the built-in groups who own files and directories under sysvol.<br>
[[Category:Active Directory]]
As we have no method at the moment to replicate the UID/GID from the existing Samba DCs, please try the following:
[[Category:Domain Control]]
#. Stop All Samba AD DC
#. Copy the /var/lib/samba/private/idmap.ldb to the new Samba AD DC
#. Restart Samba AD DC

Latest revision as of 10:26, 26 September 2023

Introduction

Running one domain controller (DC) is sufficient for a working Active Directory (AD) forest. However, for redundancy and load balancing reasons, you should add further DCs to your AD forest. Joining an additional Samba DC to an existing AD differs from provisioning the first DC in a forest. If you set up a new AD forest, see Setting up Samba as an Active Directory Domain Controller.



Preparing the Installation

For details, see Preparing the Installation in the Setting up Samba as an Active Directory Domain Controller documentation.



Installing Samba

For details, see Installing Samba.



Preparing the Host for Joining the Domain

Local DNS server

By default, the first Domain Controller (DC) in a forest runs a DNS server for Active Directory (AD)-based zones. For redundancy reasons it is recommended to run multiple DCs acting as a DNS server in a network. If you consider providing a DNS service on the new DC:

  • For the BIND9_DLZ back end, see BIND9_DLZ DNS Back End. Finish this task before you start the Samba DC service.
  • For the internal DNS no further actions are required.


Configuring DNS


For details, see Linux and Unix DNS Configuration.



Kerberos

Set the following settings in your Kerberos client configuration file /etc/krb5.conf: 

[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = SAMDOM.EXAMPLE.COM

To verify the settings use the kinit command to request a Kerberos ticket for the domain administrator: 

# kinit administrator
Password for administrator@SAMDOM.EXAMPLE.COM:

To list Kerberos tickets: 

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@SAMDOM.EXAMPLE.COM

Valid starting       Expires              Service principal
24.09.2015 19:56:55  25.09.2015 05:56:55  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
	renew until 25.09.2015 19:56:53



Configuring Time Synchronisation

Kerberos requires a synchronised time on all domain members. For further details and how to set up the ntpd service, see Time Synchronisation.



Joining the Active Directory as a Domain Controller

To join the domain samdom.example.com as a domain controller (DC) that additionally acts as a DNS server using the Samba internal DNS:

There are three authentication methods you can use, Username & Password or two kerberos methods (the kerberos methods depend on running kinit as an admin user).

Username & Password: 

# samba-tool domain join samdom.example.com DC -U"SAMDOM\administrator"

Or: 

# samba-tool domain join samdom.example.com DC -k yes

Or: 

# samba-tool domain join samdom.example.com DC --use-krb5-ccache=/tmp/krb5cc_0

Using any of the above, should result in output similar to this: 

Finding a writeable DC for domain 'samdom.example.com'
Found DC dc1.samdom.example.com
Password for [SAMDOM\administrator]:
workgroup is SAMDOM
realm is samdom.example.com
Adding CN=DC2,OU=Domain Controllers,DC=samdom,DC=example,DC=com
Adding CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
Adding CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
Adding SPNs to CN=DC2,OU=Domain Controllers,DC=samdom,DC=example,DC=com
Setting account password for DC2$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Provision OK for domain DN DC=samdom,DC=example,DC=com
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[402/1618] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[804/1618] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1206/1618] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1608/1618] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1618/1618] linked_values[42/0]
Replicating critical objects from the base DN of the domain
Partition[DC=samdom,DC=example,DC=com] objects[100/100] linked_values[23/0]
Partition[DC=samdom,DC=example,DC=com] objects[386/286] linked_values[23/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=samdom,DC=example,DC=com
Partition[DC=DomainDnsZones,DC=samdom,DC=example,DC=com] objects[44/44] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=samdom,DC=example,DC=com
Partition[DC=ForestDnsZones,DC=samdom,DC=example,DC=com] objects[19/19] linked_values[0/0]
Committing SAM database
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain SAMDOM (SID S-1-5-21-469703510-2364959079-1506205053) as a DC

See the samba-tool domain join --help command's output for further information.

Other parameters frequently used with the samba-tool domain join command:

  • --dns-backend=NAMESERVER-BACKEND: Use the supplied DNS server backend. Valid options are SAMBA_INTERNAL or BIND9_DLZ, unless you want to use Bind9, there is no need to supply this option.
If you use the internal DNS server, you will not be asked for a forwarder and the one in /etc/resolv.conf will not be obtained automatically. You must supply one with --option="dns forwarder=forwarder_ipaddress".
  • --option="interfaces=lo eth0" --option="bind interfaces only=yes": If your server has multiple network interfaces, use these options to bind Samba to the specified interfaces. This enables the samba-tool command to register the correct LAN IP address in the directory during the join.



Starting the Samba Service

To start the samba Samba Active Directory (AD) domain controller (DC) service manually, enter: 

# samba

Samba does not provide System V init scripts, systemd, upstart, or other services configuration files.

  • If you installed Samba using packages, use the script or service configuration file included in the package to start Samba.
  • If you built Samba, see Managing the Samba AD DC Service.



Verifying the DNS Entries

If you join a Samba DC that runs Samba 4.7.0 and later, samba-tool will create the required initial DNS entries automatically. To manually create these records on an earlier version, see Verifying and Creating a DC DNS Record. Once Samba starts, the samba_dnsupdate script should create all the other required DNS entries.



Configuring the BIND9_DLZ DNS Back End

If you selected the BIND9_DLZ DNS back end during the domain join, set up the BIND configuration. For details, see BIND9_DLZ DNS Back End.



Built-in User & Group ID Mappings

Samba in its current state doesn't support SysVol replication via DFS-R (Distributed File System Replication) or the older FRS (File Replication Service) used in Windows Server 2000/2003 for Sysvol replication.

We Currently advise administrators to use one of the following workarounds:



To use a Sysvol Replication workaround, all domain controllers (DC) must use the same ID mappings for built-in users and groups.

By default, a Samba DC stores the user & group IDs in 'xidNumber' attributes in 'idmap.ldb'. Because of the way 'idmap.ldb' works, you cannot guarantee that each DC will use the same ID for a given user or group. To ensure that you do use the same IDs, you must:

  • Create a hot-backup of the /usr/local/samba/private/idmap.ldb file on the existing DC:
# tdbbackup -s .bak /usr/local/samba/private/idmap.ldb
This creates a backup file /usr/local/samba/private/idmap.ldb.bak.
  • Move the backup file to the /usr/local/samba/private/ folder on the new joined DC and remove the .bak suffix to replace the existing file.
  • Run net cache flush on the new DC.
  • You will now need to sync Sysvol to the new DC.
  • Reset the Sysvol folder's file system access control lists (ACL) on the new DC:
# samba-tool ntacl sysvolreset



Verifying Directory Replication

After the domain controller (DC) has been started, the knowledge consistency checker (KCC) on the Samba DC creates replication agreements to other DCs in the Active Directory (AD) forest. It can take up to 15 minutes until the KCC creates the auto-generated replication connections.

For details about how to verify that the directory replication works correctly, see Verifying the Directory Replication Statuses.



Starting BIND

Before you start the BIND daemon, verify that the DNS directory partitions have been successfully replicated: 

# samba-tool drs showrepl
...
==== INBOUND NEIGHBORS ====
...
DC=DomainDnsZones,DC=samdom,DC=example,DC=com
	Default-First-Site-Name\DC1 via RPC
		DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
		Last attempt @ Thu Sep 24 20:08:45 2015 CEST was successful
		0 consecutive failure(s).
		Last success @ Thu Sep 24 20:08:45 2015 CEST
...
DC=ForestDnsZones,DC=samdom,DC=example,DC=com
	Default-First-Site-Name\DC1 via RPC
		DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
		Last attempt @ Thu Sep 24 20:08:45 2015 CEST was successful
		0 consecutive failure(s).
		Last success @ Thu Sep 24 20:08:45 2015 CEST

If the replication works correctly, start the BIND service. See your distribution's documentation for information how to start a service.



Testing your Samba AD DC

Verifying the File Server

For details, see Verifying the File Server in the Setting up Samba as an Active Directory Domain Controller documentation.


Testing the Local DNS Server

Skip this step if you selected --dns-backend=NONE during the join.

Query the local DNS server to resolve the domain name samdom.example.com: 

# host -t A samdom.example.com localhost
Using domain server:
Name: localhost
Address: 127.0.0.1#53
Aliases:

samdom.example.com has address 10.99.0.1
samdom.example.com has address 10.99.0.2

The local DNS resolves the domain name to the IP addresses of all domain controllers (DC).

In case you receive no or a different result, review this documentation and check:

  • the system log files,
  • the Samba log files,
  • the BIND log files, if the BIND9_DLZ is used.


Verifying Kerberos

For details, see Verifying Kerberos in the Setting up Samba as an Active Directory Domain Controller documentation.



DNS Configuration on Domain Controllers

The DNS configuration on domain controllers (DC) is important, because if it is unable to locate other DCs the replication will fail.

Set the local IP of the DC as the primary name server. For example:

On the new joined DC, use the local 10.99.0.2 IP as primary nameserver entry: 

nameserver 10.99.0.2
search samdom.example.com



Configuring Winbindd on a Samba AD DC

Optional. For details, see Configuring Winbindd on a Samba AD DC.



Using the Domain Controller as a File Server

For details, see Using the Domain Controller as a File Server.



Sysvol Replication

Samba currently does not automatically replicate Sysvol, you must use some other form of replication. For community supported workarounds, see Sysvol Replication.



Testing the Directory Replication

To test that the directory replication works correctly, add for example a user on an existing DC and verify that it shows up automatically on the newly joined DC.

Optionally use the ldapcmp utility to compare two directories. For details, see samba-tool ldapcmp.



Troubleshooting

For further details, see Samba AD DC Troubleshooting.



Retrieved from "https://wiki.samba.org/index.php?title=Joining_a_Samba_DC_to_an_Existing_Active_Directory&oldid=19079"