Difference between revisions of "Joining a Samba DC to an Existing Active Directory"

m (Join the existing domain as a Domain Controller)
m (/* moved time configuration up before the join command)
 
(106 intermediate revisions by 5 users not shown)
Line 1: Line 1:
 
= Introduction =
 
= Introduction =
  
As well as the ability to join an Active Directory as a [[Setup_a_Samba_AD_Member_Server|Member Server]], it is also possible to join as a Domain Controller.
+
Running one domain controller (DC) is sufficient for a working Active Directory (AD) forest. However, for redundacy and load balancing reasons, you should add further DCs to your AD forest. Joining an additional Samba DC to an existing AD differs from provisioning the first DC in a forest. If you set up a new AD forest, see [[Setting_up_Samba_as_an_Active_Directory_Domain_Controller|Setting up Samba as an Active Directory Domain Controller]].
  
The process of joining a Samba server to an existing domain is a bit different to [[Samba_AD_DC_HOWTO|provisioning a new domain]]. This process is the equivalent of the 'dcpromo' command on Windows servers.
+
{{Imbox
 +
| type = warning
 +
| text = Do not provision a Computer as a Samba AD DC, then try to join it to an existing AD domain. This will not work, you only need to run the <code>samba-tool domain join</code> command to join a Computer to the existing AD domain.  
 +
}}
  
Please note that the following steps are the same - regardless of whether you are joining Samba to an existing Windows based domain or an existing Samba based domain.
+
{{Imbox
 +
| type = warning
 +
| text = If you are joining a Samba as a DC to an existing Windows AD domain that was provisioned as a Windows 2003 (or earlier) DC, you must ensure that it is running a domain integrated DNS server. This dns server must be configured with 2008 behaviour.  
 +
}}
  
 +
{{Imbox
 +
| type = note
 +
| text = An NT4 domain uses only one Primary Domain Controller (PDC) and optionally additional Backup Domain Controllers (BDC). In an AD forest, there is no difference between DCs, beside the [[Flexible_Single-Master_Operations_(FSMO)_Roles|FSMO roles]]. Use only the term "domain controller" or "DC" when you talk about AD to avoid any possibility of confusion.
 +
}}
  
  
== Server information ==
 
  
This documentation uses the following configuration/settings:
 
  
'''Existing DC in the domain:'''
 
Hostname:                      DC1
 
IP:                            10.99.0.1
 
DC is also a DNS server:      yes
 
 
'''Domain information:'''
 
DNS Domain Name:              samdom.example.com
 
NT4 Domain Name (NETBIOS):    SAMDOM
 
Kerberos Realm:                SAMDOM.EXAMPLE.COM
 
Domain Administrator:          Administrator
 
Domain Administrator Password: passw0rd
 
 
'''DC additionally joined to the domain:'''
 
Hostname:                      DC2
 
IP Address:                    10.99.0.2
 
Installation Directory:        /usr/local/samba/
 
 
 
 
== Versions ==
 
 
This HowTo is frequently updated to reflect the latest changes. Please see the [[Samba_Release_Planning|Samba Release Planning]] for more specifics.
 
  
Please review the release notes for the version you have installed. It may contain important information, not yet reflected in this HowTo.
+
= Preparing the Installation =
  
 +
For details, see [[Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Preparing_the_Installation|Preparing the Installation]] in the [[Setting_up_Samba_as_an_Active_Directory_Domain_Controller|Setting up Samba as an Active Directory Domain Controller]] documentation.
  
  
  
  
= Installation =
 
  
== Different ways to install ==
+
= Installing Samba =
  
'''Always check the [[OS Requirements|OS Requirements]] for dependencies and recommendations.'''
+
For details, see [[Installing_Samba|Installing Samba]].
  
You have a few options to install Samba:
+
{{Imbox
 +
| type = note
 +
| text = Install a maintained Samba version. For details, see [[Samba_Release_Planning|Samba Release Planning]].
 +
}}
  
* [[Build_Samba|Build Samba]] yourself.
 
  
* Install [[Binary_Distribution_Packages|binary distribution packages]]. Make sure, that you use a recent Samba installation with Active Directory Domain Controller capabilities!
 
  
:* Install from [http://www.enterprisesamba.com/samba/ SerNet Enterprise Samba] package.
 
  
  
 
+
= Preparing the Host for Joining the Domain =
== Paths ==
 
 
 
Take care when running Samba commands, if you also have a previous version of Samba installed! To avoid inadvertently running the wrong version of a program, you should consider putting the „/usr/local/samba/bin/“ and „/usr/local/samba/sbin/“ directories at the <u>beginning of your $PATH variable</u>.
 
 
 
You can see what version of Samba and client tools, if any, is in your „$PATH“ variable by running:
 
 
 
# samba -V
 
# smbclient -V
 
 
 
 
 
 
 
 
 
= Preparing the host for the domain join =
 
  
 
== Local DNS server ==
 
== Local DNS server ==
  
By default, the first Domain Controller in a domain automatically acts as a DNS server for AD based zones. For failover reasons, it is recommended to have at least two DC's providing AD DNS services.
+
By default, the first Domain Controller (DC) in a forest runs a DNS server for Active Directory (AD)-based zones. For redundancy reasons it is recommended to run multiple DCs acting as a DNS server in a network. If you consider providing a DNS service on the new DC:
 
 
If you plan to join the additional Domain Controller with BIND as the DNS backend, you have to [[DNS_Backend_BIND|setup BIND as AD backend]] first. If you use the internal or use no local DNS, no further steps are required.
 
 
 
== Verify /etc/hosts ==
 
 
 
Verify that the local hostname isn't resolved to 127.0.0.1 in /etc/hosts:
 
 
 
127.0.0.1  localhost.localdomain    localhost  <strike>DC2.samdom.example.com  DC2</strike>
 
10.99.0.2  DC2.samdom.example.com  DC2
 
 
 
If the local hostname is resolved to 127.0.0.1, Samba would use this IP for the various DC DNS entries. This would prevent clients from reaching this Domain Controller!
 
  
 +
* For the <code>BIND9_DLZ</code> back end, see [[BIND9_DLZ_DNS_Back_End|BIND9_DLZ DNS Back End]]. Finish this task before you start the Samba DC service.
 +
* For the internal DNS no further actions are required.
  
  
== DNS resolving ==
 
  
Configure the host, you want to join as an additional Domain Controller, to use a DNS server that is able to resolve zones from the Active Directory. On Linux and Unixes, this is typically done by adding a „nameserver“ and „search domain“ entry to to /etc/resolv.conf:
+
== Configuring DNS ==
  
nameserver <u>10.99.0.1</u>
+
For details, see [[Linux_and_Unix_DNS_Configuration|Linux and Unix DNS Configuration]].
search samdom.example.com
 
  
Consult your distributions documentation for configuring the usage of a DNS server.
+
{{Imbox
 +
| type = note
 +
| text = The 'nameserver' you set in '/etc/resolv.conf' must be an AD DC, otherwise the join will not be able to find the KDC.  
 +
}}
  
To verify a correct name resolution, try resolving the hostname of one of your existing Domain Controllers:
 
  
# host -t A <u>DC1</u>.samdom.example.com
 
DC1.samdom.example.com has address 10.99.0.1
 
  
 
== Kerberos ==
 
== Kerberos ==
  
* Add the following content to /etc/krb5.conf:
+
Set the following settings in your Kerberos client configuration file <code>/etc/krb5.conf</code>:
  
 
  [libdefaults]
 
  [libdefaults]
     dns_lookup_realm = true
+
     dns_lookup_realm = false
 
     dns_lookup_kdc = true
 
     dns_lookup_kdc = true
 
     default_realm = SAMDOM.EXAMPLE.COM
 
     default_realm = SAMDOM.EXAMPLE.COM
  
* Verify the correct Kerberos setup by obtaining a ticket:
+
To verify the settings use the <code>kinit</code> command to request a Kerberos ticket for the domain administrator:
  
 
  # kinit administrator
 
  # kinit administrator
 
  Password for administrator@SAMDOM.EXAMPLE.COM:
 
  Password for administrator@SAMDOM.EXAMPLE.COM:
+
 
 +
To list Kerberos tickets:
 +
 
 
  # klist
 
  # klist
 
  Ticket cache: FILE:/tmp/krb5cc_0
 
  Ticket cache: FILE:/tmp/krb5cc_0
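Review bot: the added `renew until 25.09.2015 19:56:53` line near the end of the klist output has lost the leading whitespace that the line above it (`  24.09.2015 19:56:55 ... krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM`) and the line it replaces (`        renew until 10.11.2014 17:34:07`) carry, so it falls out of the preformatted block and renders as an ordinary paragraph; re-indent it to match. Two wording points in the new text of this hunk: "redundacy" in the introduction paragraph should read "redundancy", and the new warning box says "If you are joining a Samba as a DC" where "If you are joining Samba as a DC" is meant (the same box writes "dns server" while the rest of the page uses "DNS"). The change from `dns_lookup_realm = true` to `dns_lookup_realm = false` in the krb5.conf block is not mentioned in the edit summary; a brief reason in the text would help readers who still have the old setting.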
Line 122: Line 86:
 
   
 
   
 
  Valid starting      Expires              Service principal
 
  Valid starting      Expires              Service principal
  09.11.2014 17:34:09 10.11.2014 03:34:09  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
+
  24.09.2015 19:56:55 25.09.2015 05:56:55  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
        renew until 10.11.2014 17:34:07
+
renew until 25.09.2015 19:56:53
 +
 
 +
 
  
  
  
 +
= Configuring Time Synchronisation =
  
 +
Kerberos requires a synchronised time on all domain members. For further details and how to set up the <code>ntpd</code> service, see [[Time_Synchronisation|Time Synchronisation]].
  
= Join the existing domain as a Domain Controller =
 
  
Before you start the joining, make yourself familiar with the parameters and options of „samba-tool domain join“:
 
  
# samba-tool domain join --help
 
  
Expecially the following two options are required, if your future Domain Controllers have multiple NICs. Because „samba-tool“ would auto-choose one of the IPv4/IPv6 addresses, if multiple where found, it might be necessary to bind Samba to the desired interfaces using
 
  
--option="interfaces=lo eth0" --option="bind interfaces only=yes"
+
= Joining the Active Directory as a Domain Controller =
  
Join the existing domain (parameter explanation below):
+
To join the domain <code>samdom.example.com</code> as a domain controller (DC) that additionally acts as a DNS server using the Samba internal DNS:
 +
 
 +
There are three authentication methods you can use, Username & Password or two kerberos methods (the kerberos methods depend on running <code>kinit</code> as an admin user).
 +
 
 +
Username & Password:
 +
# samba-tool domain join samdom.example.com DC -U"SAMDOM\administrator"
 +
 
 +
Or:
 +
# samba-tool domain join samdom.example.com DC -k yes
 +
 
 +
Or:
 +
# samba-tool domain join samdom.example.com DC --krb5-ccache=/tmp/krb5cc_0
 +
 
 +
Using any of the above, should result in output similar to this:
  
# samba-tool domain join samdom.example.com DC -Uadministrator --realm=samdom.example.com --dns-backend=BIND9_DLZ
 
 
  Finding a writeable DC for domain 'samdom.example.com'
 
  Finding a writeable DC for domain 'samdom.example.com'
 
  Found DC dc1.samdom.example.com
 
  Found DC dc1.samdom.example.com
  Password for [WORKGROUP\administrator]: passw0rd
+
  Password for [SAMDOM\administrator]:
 
  workgroup is SAMDOM
 
  workgroup is SAMDOM
 
  realm is samdom.example.com
 
  realm is samdom.example.com
checking sAMAccountName
 
 
  Adding CN=DC2,OU=Domain Controllers,DC=samdom,DC=example,DC=com
 
  Adding CN=DC2,OU=Domain Controllers,DC=samdom,DC=example,DC=com
 
  Adding CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
 
  Adding CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
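Review bot: the sentence "Using any of the above, should result in output similar to this:" introduces sample output that contains `Password for [SAMDOM\administrator]:`, but that prompt only appears for the username-and-password variant; the `-k yes` and `--krb5-ccache=/tmp/krb5cc_0` variants reuse the ticket obtained with `kinit` earlier on the page and print no prompt. Either say that the prompt is absent for the Kerberos methods or drop "any of the above". Style: "Username & Password or two kerberos methods" needs a colon or "either ... or", "kerberos" is written "Kerberos" everywhere else on the page, and the comma in "Using any of the above, should" should go.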
Line 154: Line 129:
 
  Setting account password for DC2$
 
  Setting account password for DC2$
 
  Enabling account
 
  Enabling account
Adding DNS account CN=dns-DC2,CN=Users,DC=samdom,DC=example,DC=com with dns/ SPN
 
Setting account password for dns-DC2
 
 
  Calling bare provision
 
  Calling bare provision
 +
Looking up IPv4 addresses
 +
Looking up IPv6 addresses
 
  No IPv6 address will be assigned
 
  No IPv6 address will be assigned
 +
Setting up share.ldb
 +
Setting up secrets.ldb
 +
Setting up the registry
 +
Setting up the privileges database
 +
Setting up idmap db
 +
Setting up SAM db
 +
Setting up sam.ldb partitions and settings
 +
Setting up sam.ldb rootDSE
 +
Pre-loading the Samba 4 and AD schema
 +
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
 
  Provision OK for domain DN DC=samdom,DC=example,DC=com
 
  Provision OK for domain DN DC=samdom,DC=example,DC=com
 
  Starting replication
 
  Starting replication
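Review bot: the added output lines from `Looking up IPv4 addresses` through `A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf` have no leading space, while the unchanged lines around them (`  No IPv6 address will be assigned`, `  Provision OK for domain DN DC=samdom,DC=example,DC=com`) do; in MediaWiki the leading space is what keeps a line inside the preformatted block, so as written these lines split the command output into separate paragraphs. Indent them to match the surrounding lines.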
Line 169: Line 154:
 
  Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1206/1618] linked_values[0/0]
 
  Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1206/1618] linked_values[0/0]
 
  Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1608/1618] linked_values[0/0]
 
  Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1608/1618] linked_values[0/0]
  Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1618/1618] linked_values[28/0]
+
  Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1618/1618] linked_values[42/0]
 
  Replicating critical objects from the base DN of the domain
 
  Replicating critical objects from the base DN of the domain
  Partition[DC=samdom,DC=example,DC=com] objects[98/98] linked_values[23/0]
+
  Partition[DC=samdom,DC=example,DC=com] objects[100/100] linked_values[23/0]
  Partition[DC=samdom,DC=example,DC=com] objects[395/297] linked_values[23/0]
+
  Partition[DC=samdom,DC=example,DC=com] objects[386/286] linked_values[23/0]
 
  Done with always replicated NC (base, config, schema)
 
  Done with always replicated NC (base, config, schema)
 
  Replicating DC=DomainDnsZones,DC=samdom,DC=example,DC=com
 
  Replicating DC=DomainDnsZones,DC=samdom,DC=example,DC=com
  Partition[DC=DomainDnsZones,DC=samdom,DC=example,DC=com] objects[41/41] linked_values[0/0]
+
  Partition[DC=DomainDnsZones,DC=samdom,DC=example,DC=com] objects[44/44] linked_values[0/0]
 
  Replicating DC=ForestDnsZones,DC=samdom,DC=example,DC=com
 
  Replicating DC=ForestDnsZones,DC=samdom,DC=example,DC=com
 
  Partition[DC=ForestDnsZones,DC=samdom,DC=example,DC=com] objects[19/19] linked_values[0/0]
 
  Partition[DC=ForestDnsZones,DC=samdom,DC=example,DC=com] objects[19/19] linked_values[0/0]
Partition[DC=ForestDnsZones,DC=samdom,DC=example,DC=com] objects[38/19] linked_values[0/0]
 
 
  Committing SAM database
 
  Committing SAM database
  Sending DsReplicateUpdateRefs for all the replicated partitions
+
  Sending DsReplicaUpdateRefs for all the replicated partitions
 
  Setting isSynchronized and dsServiceName
 
  Setting isSynchronized and dsServiceName
 
  Setting up secrets database
 
  Setting up secrets database
 
  Joined domain SAMDOM (SID S-1-5-21-469703510-2364959079-1506205053) as a DC
 
  Joined domain SAMDOM (SID S-1-5-21-469703510-2364959079-1506205053) as a DC
  
<u>Parameter explanations:</u>
+
See the <code>samba-tool domain join --help</code> command's output for further information.
  
* Domain: AD Domain Name
+
Other parameters frequently used with the <code>samba-tool domain join</code> command:
  
* Server Role: „DC“ for Domain Controller
+
* <code>--dns-backend=NAMESERVER-BACKEND</code>: Use the supplied DNS server backend. Valid options are <code>SAMBA_INTERNAL</code> or <code>BIND9_DLZ</code>, unless you want to use Bind9, there is no need to supply this option.
 +
:: If you use the internal DNS server, you will not be asked for a forwarder and the one in /etc/resolv.conf will not be obtained automatically. You must supply one with <code>--option="dns forwarder=forwarder_ipaddress"</code>.
 +
 +
* <code>--site=SITE</code>: Directly join the host as DC to a specific [[Active_Directory_Sites|Active Directory Site]].
  
* Username: Account that is allowed to join new Domain Controllers. Typically it is the Domain Administrator.
+
* <code>--option="interfaces=lo eth0" --option="bind interfaces only=yes"</code>: If your server has multiple network interfaces, use these options to bind Samba to the specified interfaces. This enables the <code>samba-tool</code> command to register the correct LAN IP address in the directory during the join.
  
* Realm: Kerberos Realm
+
{{Imbox
 +
| type = note
 +
| text = If the other DCs are Samba DCs and were provisioned with <code>--use-rfc2307</code>, you Should add <code>--option='idmap_ldb:use rfc2307 = yes'</code> to the join command
 +
}}
  
* DNS backend: You have to choose whether to use the Internal DNS server (SAMBA_INTERNAL), BIND9 (BIND9_DLZ) or no DNS backend (NONE). The Internal DNS is the default and the best choice for simple DNS requirements. It doesn't need any further action. For complex DNS requirements, BIND9_DLZ is recommended. Don't use BIND9_FLATFILE! It's not documented or supported! See [[DNS_Backend_BIND|DNS Backend BIND]] for further information about using BIND. The DNS backend choice made during the provisioning isn't permanent. [[Changing_the_DNS_backend|It can be changed afterwards]].
 
  
* Site: If you have setup Active Directory Sites, it's possible, to directly join a new DC into a specified AD site.
 
  
= Check DNS entries =
 
  
For a successful setup and failover purposes, it is required, that all important DNS records are added to the DNS zones. A bug causes, that two records can be missing. Check [https://bugzilla.samba.org/show_bug.cgi?id=10928 Bug #10928], to see, if it's fixed in the meantime and in the version you're running.
 
  
 +
= Verifying the DNS Entries =
  
 +
If you join a Samba DC that runs Samba 4.7 and later, <code>samba-tool</code> created all required DNS entries automatically. To manually create the records on an earlier version, see [[Verifying_and_Creating_a_DC_DNS_Record|Verifying and Creating a DC DNS Record]].
  
== Resolve the A record of the new joined Domain Controller ==
 
  
# host -t A <u>DC2</u>.samdom.example.com.
 
<u>DC2</u>.samdom.example.com has address <u>10.99.0.2</u>
 
  
If the record could not be resolved to its IP, you will receive the following output instead:
 
  
# host -t A <u>DC2</u>.samdom.example.com.
 
Host DC2.samdom.example.com. not found: 3(NXDOMAIN)
 
  
In this case, you have to add the record manually to the AD DNS zone:
+
= Configuring the BIND9_DLZ DNS Back End =
  
# samba-tool dns add DC1 samdom.example.com <u>DC2</u> A <u>10.99.0.2</u> -Uadministrator
+
If you selected the <code>BIND9_DLZ</code> DNS back end during the domain join, set up the BIND configuration. For details, see [[BIND9_DLZ_DNS_Back_End|BIND9_DLZ DNS Back End]].
Password for [SAMDOM\administrator]: passw0rd
 
Record added successfully
 
  
Re-check afterwards again!
 
  
  
  
== Resolve the objectGUID CNAME record of the new joined Domain Controller ==
 
  
* First, you have to find out the objectGUID of the new joined Domain Controller:
+
= Built-in User & Group ID Mappings =
 +
{{:SysVol replication (DFS-R)}}
  
# ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
 
# record 1
 
dn: CN=NTDS Settings,CN=<u>DC2</u>,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
 
objectGUID: <u>df4bdd8c-abc7-4779-b01e-4dd4553ca3e9</u>
 
 
# record 2
 
dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
 
objectGUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
 
 
# returned 2 records
 
# 2 entries
 
# 0 referrals
 
  
* Query the CNAME of the objectGUID in the _msdcs.samdom.example.com zone. It must be an alias to the hostname of the new joined DC:
+
To use a Sysvol Replication workaround, all domain controllers (DC) must use the same ID mappings for built-in users and groups.
 +
 
 +
By default, a Samba DC stores the user & group IDs in 'xidNumber' attributes in 'idmap.ldb'. Because of the way 'idmap.ldb' works, you cannot guarantee that each DC will use the same ID for a given user or group. To ensure that you do use the same IDs, you must:
 +
 
 +
* Create a hot-backup of the <code>/usr/local/samba/private/idmap.ldb</code> file on the existing DC:
 +
 
 +
# tdbbackup -s .bak /usr/local/samba/private/idmap.ldb
 +
 
 +
: This creates a backup file <code>/usr/local/samba/private/idmap.ldb.bak</code>.
 +
 
 +
* Move the backup file to the <code>/usr/local/samba/private/</code> folder on the new joined DC and remove the <code>.bak</code> suffix to replace the existing file.
 +
 
 +
* Run <code>net cache flush</code> on the new DC.
  
# host -t CNAME <u>df4bdd8c-abc7-4779-b01e-4dd4553ca3e9</u>._msdcs.samdom.example.com.
+
* You will now need to sync Sysvol to the new DC.
df4bdd8c-abc7-4779-b01e-4dd4553ca3e9._msdcs.samdom.example.com is an alias for <u>DC2</u>.samdom.example.com.
 
  
:* If the record could not be resolved, you will receive:
+
* Reset the Sysvol folder's file system access control lists (ACL) on the new DC:
  
  # host -t CNAME <u>df4bdd8c-abc7-4779-b01e-4dd4553ca3e9</u>._msdcs.samdom.example.com.
+
  # samba-tool ntacl sysvolreset
Host df4bdd8c-abc7-4779-b01e-4dd4553ca3e9._msdcs.samdom.example.com. not found: 3(NXDOMAIN)
 
  
:* In this case, you have to add the record manually to the AD DNS zone:
 
  
# samba-tool dns add DC1 _msdcs.samdom.example.com <u>df4bdd8c-abc7-4779-b01e-4dd4553ca3e9</u> CNAME <u>DC2</u>.samdom.example.com -Uadministrator
 
Password for [SAMDOM\administrator]: passw0rd
 
Record added successfully
 
  
:* Re-check afterwards again!
 
  
  
 +
= Starting the Samba Service =
  
 +
To start the <code>samba</code> Samba Active Directory (AD) domain controller (DC) service manually, enter:
  
 +
# samba
  
= Adaptations for the BIND DNS backend =
+
Samba does not provide System V init scripts, <code>systemd</code>, <code>upstart</code>, or other services configuration files.
 +
* If you installed Samba using packages, use the script or service configuration file included in the package to start Samba.
 +
* If you built Samba, see [[Managing_the_Samba_AD_DC_Service|Managing the Samba AD DC Service]].
  
This step can be skipped, if the DC was joined with SAMBA_INTERNAL or without DNS backend.
 
  
  
  
== Workaround: Fix keytab permissions ==
 
  
This workaround is required, until [https://bugzilla.samba.org/show_bug.cgi?id=10881 Bug #10881] is solved for the version of Samba you're running!
+
= Verifying Directory Replication =
  
Fix permissions on the 'dns.keytab' file, to allow BIND to read this file:
+
After the domain controller (DC) has been started, the knowledge consistency checker (KCC) on the Samba DC creates replication agreements to other DCs in the Active Directory (AD) forest. It can take up to 15 minutes until the KCC creates the auto-generated replication connections.
  
# chmod 640 /usr/local/samba/private/dns.keytab
+
For details about how to verify that the directory replication works correctly, see [[Verifying the Directory Replication Statuses]].
# chgrp named /usr/local/samba/private/dns.keytab
 
  
''Note: If you use Samba packages (Distro or from other sources), make sure, that the account BIND uses, is able to reach the dns.keytab file. Some package installations set to strong permissions on the folders.''
+
{{Imbox
 +
| type = note
 +
| text = To optimize replication latency and cost, the KCC in Samba 4.5 and later no longer creates a fully-meshed replication topology between all DCs. For further details, see [[The Samba KCC]].
 +
}}
  
Otherwise, BIND will not able to update your zone(s)! One of the results is, that 'samba_dnsupdate' can't add e. g. the important DNS entries, that clients use, to locate the new DC. In case of an failure of your other DC, domain logons using your new DC wouldn't be possible!
 
  
  
  
== Enable the BIND9_DLZ module, suitable to the BIND version==
 
  
Make sure, that the correct BIND9_DLZ module for your BIND version is enabled in /usr/local/samba/private/named.conf. Uncomment the module for your BIND version and comment the other:
+
= Starting BIND =
  
dlz "AD DNS Zone" {
+
Before you start the BIND daemon, verify that the DNS directory partitions have been successfully replicated:
    # For BIND 9.8.0
 
    database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";
 
 
    # For BIND 9.9.0
 
    # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";
 
};
 
  
The example above enables the module for BIND 9.8.x (default).
+
# samba-tool drs showrepl
 +
...
 +
==== INBOUND NEIGHBORS ====
 +
...
 +
DC=DomainDnsZones,DC=samdom,DC=example,DC=com
 +
Default-First-Site-Name\DC1 via RPC
 +
DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
 +
Last attempt @ Thu Sep 24 20:08:45 2015 CEST was successful
 +
0 consecutive failure(s).
 +
Last success @ Thu Sep 24 20:08:45 2015 CEST
 +
...
 +
DC=ForestDnsZones,DC=samdom,DC=example,DC=com
 +
Default-First-Site-Name\DC1 via RPC
 +
DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
 +
Last attempt @ Thu Sep 24 20:08:45 2015 CEST was successful
 +
0 consecutive failure(s).
 +
Last success @ Thu Sep 24 20:08:45 2015 CEST
  
 +
If the replication works correctly, start the BIND service. See your distribution's documentation for information how to start a service.
  
  
  
  
= GID mappings of built-in groups =
 
  
There are current issues with GID mappings of built-in groups. The GIDs of groups owning files and directories on in the sysvol folder may differ between Domain Controllers. Currently Samba doesn't provide a replication of these GIDs.
+
= Testing your Samba AD DC =
  
Use the following workaround, if you encounter any problems:
+
== Verifying the File Server ==
  
* Shutdown Samba on the new joined Domain Controller.
+
For details, see [[Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Verifying_the_File_Server|Verifying the File Server]] in the [[Setting_up_Samba_as_an_Active_Directory_Domain_Controller|Setting up Samba as an Active Directory Domain Controller]] documentation.
  
* Create a hot-backup of idmap.ldb on the first Domain Controller:
 
  
# tdbbackup -s .bak /usr/local/samba/private/idmap.ldb
 
  
* Move the backup file „/usr/local/samba/private/idmap.ldb.bak“ to "/usr/local/samba/private" on the newly joined Domain Controller and remove the .bak suffix, this will replace the original file.
+
== Testing the Local DNS Server ==
  
* Start Samba on the new joined Domain Controller again.
+
Skip this step if you selected <code>--dns-backend=NONE</code> during the join.
  
* Reset the ACLs on the local sysvol folder of the new joined Domain Controller:
+
Query the local DNS server to resolve the domain name <code>samdom.example.com</code>:
  
  # samba-tool ntacl sysvolreset
+
  # host -t A samdom.example.com localhost
 +
Using domain server:
 +
Name: localhost
 +
Address: 127.0.0.1#53
 +
Aliases:
 +
 +
samdom.example.com has address 10.99.0.1
 +
samdom.example.com has address 10.99.0.2
  
 +
The local DNS resolves the domain name to the IP addresses of all domain controllers (DC).
  
 +
In case you receive no or a different result, review this documentation and check:
 +
* the system log files,
 +
* the Samba log files,
 +
* the BIND log files, if the <code>BIND9_DLZ</code> is used.
  
  
  
= Start Samba =
+
== Verifying Kerberos ==
  
To start the Samba Active Directory Domain Controller in „standard“ mode, which is suitable for production use, run
+
For details, see [[Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Verifying_Kerberos|Verifying Kerberos]] in the [[Setting_up_Samba_as_an_Active_Directory_Domain_Controller|Setting up Samba as an Active Directory Domain Controller]] documentation.
  
# samba
 
  
Samba doesn't yet have init scripts included. You can find examples on the [[Samba4/InitScript|Samba Init-Script]] page.
 
  
  
  
 +
= DNS Configuration on Domain Controllers =
  
 +
The DNS configuration on domain controllers (DC) is important, because if it is unable to locate other DCs the replication will fail.
  
 +
Set the local IP of the DC as the primary name server. For example:
  
= Directory replication =
+
On the new joined DC, use the local <code>10.99.0.2</code> IP as primary <code>nameserver</code> entry:
  
A few minutes after you have started Samba, connections with other DC will be established automatically.
+
nameserver 10.99.0.2
 +
search samdom.example.com
  
# samba-tool drs showrepl
 
Default-First-Site-Name\DC2
 
DSA Options: 0x00000001
 
DSA object GUID: df4bdd8c-abc7-4779-b01e-4dd4553ca3e9
 
DSA invocationId: 8e30d69f-c20f-4744-9833-5b050e611375
 
 
==== INBOUND NEIGHBORS ====
 
 
CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
 
        Default-First-Site-Name\DC1 via RPC
 
                DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
 
                Last attempt @ Sun Nov  9 19:56:07 2014 CET was successful
 
                0 consecutive failure(s).
 
                Last success @ Sun Nov  9 19:56:07 2014 CET
 
 
DC=DomainDnsZones,DC=samdom,DC=example,DC=com
 
        Default-First-Site-Name\DC1 via RPC
 
                DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
 
                Last attempt @ Sun Nov  9 19:56:06 2014 CET was successful
 
                0 consecutive failure(s).
 
                Last success @ Sun Nov  9 19:56:06 2014 CET
 
 
CN=Configuration,DC=samdom,DC=example,DC=com
 
        Default-First-Site-Name\DC1 via RPC
 
                DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
 
                Last attempt @ Sun Nov  9 19:56:07 2014 CET was successful
 
                0 consecutive failure(s).
 
                Last success @ Sun Nov  9 19:56:07 2014 CET
 
 
DC=ForestDnsZones,DC=samdom,DC=example,DC=com
 
        Default-First-Site-Name\DC1 via RPC
 
                DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
 
                Last attempt @ Sun Nov  9 19:56:07 2014 CET was successful
 
                0 consecutive failure(s).
 
                Last success @ Sun Nov  9 19:56:07 2014 CET
 
 
DC=samdom,DC=example,DC=com
 
          Default-First-Site-Name\DC1 via RPC
 
                DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
 
                Last attempt @ Sun Nov  9 19:56:13 2014 CET was successful
 
                0 consecutive failure(s).
 
                Last success @ Sun Nov  9 19:56:13 2014 CET
 
 
==== OUTBOUND NEIGHBORS ====
 
 
CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
 
        Default-First-Site-Name\DC1 via RPC
 
                DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
 
                Last attempt @ NTTIME(0) was successful
 
                0 consecutive failure(s).
 
                Last success @ NTTIME(0)
 
 
DC=DomainDnsZones,DC=samdom,DC=example,DC=com
 
        Default-First-Site-Name\DC1 via RPC
 
                DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
 
                Last attempt @ NTTIME(0) was successful
 
                0 consecutive failure(s).
 
                Last success @ NTTIME(0)
 
 
CN=Configuration,DC=samdom,DC=example,DC=com
 
        Default-First-Site-Name\DC1 via RPC
 
                DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
 
                Last attempt @ NTTIME(0) was successful
 
                0 consecutive failure(s).
 
                Last success @ NTTIME(0)
 
 
DC=ForestDnsZones,DC=samdom,DC=example,DC=com
 
        Default-First-Site-Name\DC1 via RPC
 
                DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
 
                Last attempt @ NTTIME(0) was successful
 
                0 consecutive failure(s).
 
                Last success @ NTTIME(0)
 
 
DC=samdom,DC=example,DC=com
 
        Default-First-Site-Name\DC1 via RPC
 
                DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
 
                Last attempt @ NTTIME(0) was successful
 
                0 consecutive failure(s).
 
                Last success @ NTTIME(0)
 
 
==== KCC CONNECTION OBJECTS ====
 
 
Connection --
 
        Connection name: 5745d481-1d26-48f4-ab65-273263e28a45
 
        Enabled        : TRUE
 
        Server DNS name : DC1.samdom.example.com
 
        Server DN name  : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
 
                TransportType: RPC
 
                options: 0x00000001
 
Warning: No NC replicated for Connection!
 
  
'''Depending on your replication settings - if defined - it may take a few minutes until all connections are established. So please be patient!''' On the long shot that the outbound connections aren't established automatically - even not after several minutes - you can force the replication (generally not necessary!). See [[Samba-tool_drs_replicate|samba-tool drs replicate]].
 
  
''Note about the„Warning: No NC replicated for Connection!“ line: It can be safely ignored. See [[FAQ#Message:_Warning:_No_NC_replicated_for_Connection.21|FAQ: Message: Warning: No NC replicated for Connection!]]''
 
  
  
 +
= Configuring Winbindd on a Samba AD DC =
  
 +
''Optional''. For details, see [[Configuring_Winbindd_on_a_Samba_AD_DC|Configuring Winbindd on a Samba AD DC]].
  
  
  
  
= Start BIND =
 
  
Please check (samba-tool drs showrepl), that the DC=ForestDnsZones,DC=samdom,DC=example,DC=com and  DC=DomainDnsZones,DC=samdom,DC=example,DC=com partitions are already replicated!
+
= Using the Domain Controller as a File Server =
  
If so, it's time to start BIND now, if you're having a BIND9_DLZ backend.
+
For details, see [[Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server|Using the Domain Controller as a File Server]].
  
  
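Review bot: dropping the old note that the "Warning: No NC replicated for Connection!" line in the KCC CONNECTION OBJECTS output can be ignored (with its FAQ link) and that outbound connections may take several minutes to appear leaves the rendered revision's "Verifying Directory Replication" section with only the 15-minute KCC statement; consider keeping the FAQ pointer there, because that warning is the first thing an administrator sees in showrepl right after the join and will otherwise be read as a fault. The precondition of the removed "Start BIND" step (both DNS partitions visible in samba-tool drs showrepl) does survive in the rendered "Starting BIND" section, so nothing is lost on that side.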
Line 455: Line 361:
  
  
= /etc/resolv.conf on the new Domain Controller =
+
= Sysvol Replication =
  
If the DNS on your new Domain Controller is working, you should think about adding it to /etc/resolv.conf.
+
Samba currently does not automatically replicate Sysvol, you must use some other form of replication. For community supported workarounds, see [[SysVol_replication_(DFS-R)|Sysvol Replication]].
  
As a best practice, you should never have just one nameserver entry in Domain Controllers /etc/resolv.conf! Because if it will fail, this DC isn't able to resolve AD zones any more. This would cause several other services, that rely on DNS like directory replication, to fail.
+
{{Imbox
 +
| type = note
 +
| text = If there are more than the default GPOs in Sysvol on the other DC(s), you must sync Sysvol to the new DC, <code>samba-tool ntacl sysvolreset</code> will throw an error if you do not.
 +
}}
  
So always rely on at least two DNS server, that are able to resolve AD DNS zones:
 
  
nameserver 10.99.0.2
 
nameserver 10.99.0.1
 
search samdom.example.com
 
  
  
  
 +
= Testing the Directory Replication =
  
 +
To test that the directory replication works correctly, add for example a user on an existing DC and verify that it shows up automatically on the newly joined DC.
  
= SysVol replication =
+
Optionally use the <code>ldapcmp</code> utility to compare two directories. For details, see [[Samba-tool_ldapcmp|samba-tool ldapcmp]].
  
Currently replication of the SysVol share isn't implemented. If you make any changes
 
on that share, you have to keep them in sync on all your Domain Controllers. An example, how to achieve this automatically, is provided in the [[SysVol_Replication|SysVol Replication]] documentation.
 
  
  
  
  
 +
= Troubleshooting =
  
= Testing directory replication =
+
For further details, see [[Samba_AD_DC_Troubleshooting|Samba AD DC Troubleshooting]].
  
To check that replication is working correctly between your two domain controllers, try adding/modifying e. g. a user on one DC using either the Samba command line tools or the Windows GUI admin tools. Then check that the changes shows up within a few seconds on the other Domain Controller.
 
  
  
  
== ldapcmp ==
 
  
You may wish to use [[Samba-tool_ldapcmp|samba-tool ldapcmp]] to verify that the same data
+
----
is being served from all Domain Controllers.
+
[[Category:Active Directory]]
 +
[[Category:Domain Control]]
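Review bot: replacing the old "/etc/resolv.conf on the new Domain Controller" section drops its advice to list at least two nameservers that can resolve the AD zones, while the rendered "DNS Configuration on Domain Controllers" section now shows only "nameserver 10.99.0.2"; since a DC that cannot resolve AD DNS names cannot find its replication partners, suggest adding the other DC (10.99.0.1 in the page's example) as a second nameserver entry in that section. The added Sysvol note (sync Sysvol before samba-tool ntacl sysvolreset) matches the step order of the "Built-in User & Group ID Mappings" section and reads fine.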

Latest revision as of 12:07, 12 February 2020

Introduction

Running one domain controller (DC) is sufficient for a working Active Directory (AD) forest. However, for redundancy and load balancing reasons, you should add further DCs to your AD forest. Joining an additional Samba DC to an existing AD differs from provisioning the first DC in a forest. If you set up a new AD forest, see Setting up Samba as an Active Directory Domain Controller.



Preparing the Installation

For details, see Preparing the Installation in the Setting up Samba as an Active Directory Domain Controller documentation.



Installing Samba

For details, see Installing Samba.



Preparing the Host for Joining the Domain

Local DNS server

By default, the first Domain Controller (DC) in a forest runs a DNS server for Active Directory (AD)-based zones. For redundancy reasons it is recommended to run multiple DCs acting as a DNS server in a network. If you consider providing a DNS service on the new DC:

  • For the BIND9_DLZ back end, see BIND9_DLZ DNS Back End. Finish this task before you start the Samba DC service.
  • For the internal DNS no further actions are required.


Configuring DNS

For details, see Linux and Unix DNS Configuration.


Kerberos

Set the following settings in your Kerberos client configuration file /etc/krb5.conf:

[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = SAMDOM.EXAMPLE.COM

To verify the settings use the kinit command to request a Kerberos ticket for the domain administrator:

# kinit administrator
Password for administrator@SAMDOM.EXAMPLE.COM:

To list Kerberos tickets:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@SAMDOM.EXAMPLE.COM

Valid starting       Expires              Service principal
24.09.2015 19:56:55  25.09.2015 05:56:55  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
	renew until 25.09.2015 19:56:53
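As an added example (not from the Samba wiki page or the Samba project), the following POSIX shell script checks the krb5.conf settings above before you run kinit. It goes slightly beyond this section by also checking /etc/resolv.conf, which the DNS configuration of the DC later relies on. It assumes only sh, awk and grep; the file paths, realm and DNS domain are parameters, so it can be run against copies of the files.

```sh
#!/bin/sh
# Pre-join checks for a host that is about to become an additional Samba DC.
# Added example, not part of the Samba wiki page. File paths, realm and DNS
# domain are arguments, so the checks can be run against copies of the files.

# krb5_setting FILE SECTION KEY
# Print the value of KEY inside [SECTION] of a krb5.conf-style file
# ("key = value" lines, '#' comments); print nothing if it is absent.
krb5_setting() {
    awk -v sect="$2" -v key="$3" '
        /^[ \t]*\[/ { in_sect = ($0 ~ ("^[ \t]*\\[" sect "\\]")); next }
        in_sect {
            line = $0; sub(/#.*/, "", line)
            eq = index(line, "=")
            if (eq == 0) next
            k = substr(line, 1, eq - 1); v = substr(line, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# check_krb5_conf FILE REALM
# Verify the three [libdefaults] settings the page asks for. Returns 0 when
# all match; otherwise prints each problem and returns 1.
check_krb5_conf() {
    rc=0
    [ "$(krb5_setting "$1" libdefaults dns_lookup_realm)" = false ] ||
        { echo "krb5: dns_lookup_realm must be false"; rc=1; }
    [ "$(krb5_setting "$1" libdefaults dns_lookup_kdc)" = true ] ||
        { echo "krb5: dns_lookup_kdc must be true (KDCs are located via DNS SRV records)"; rc=1; }
    [ "$(krb5_setting "$1" libdefaults default_realm)" = "$2" ] ||
        { echo "krb5: default_realm must be $2"; rc=1; }
    return $rc
}

# check_resolv_conf FILE DOMAIN
# Require at least one nameserver and DOMAIN in the search list. A single
# nameserver passes but is reported: if that server is down, the DC can no
# longer resolve the AD zones, and directory replication depends on that.
check_resolv_conf() {
    rc=0
    # grep -c exits 1 when the count is zero; "|| true" keeps "set -e" scripts alive
    n=$(grep -c '^[[:space:]]*nameserver[[:space:]]' "$1" || true)
    if [ "$n" -eq 0 ]; then
        echo "resolv: no nameserver entry"; rc=1
    elif [ "$n" -eq 1 ]; then
        echo "resolv: only one nameserver; a second DC as fallback avoids a single point of failure"
    fi
    awk -v dom="$2" '$1 == "search" { for (i = 2; i <= NF; i++) if ($i == dom) ok = 1 }
                     END { exit ok ? 0 : 1 }' "$1" ||
        { echo "resolv: search list does not contain $2"; rc=1; }
    return $rc
}

# run_prejoin_checks KRB5_CONF RESOLV_CONF REALM DOMAIN
# Run both checks; returns 0 only if both pass.
run_prejoin_checks() {
    ok=0
    check_krb5_conf "$1" "$3" || ok=1
    check_resolv_conf "$2" "$4" || ok=1
    return $ok
}
```

Typical use on the host to be joined is `run_prejoin_checks /etc/krb5.conf /etc/resolv.conf SAMDOM.EXAMPLE.COM samdom.example.com`, followed by the `kinit administrator` and `klist` steps shown above; a non-zero exit tells you which setting to fix before attempting the join.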



Configuring Time Synchronisation

Kerberos requires a synchronised time on all domain members. For further details and how to set up the ntpd service, see Time Synchronisation.



Joining the Active Directory as a Domain Controller

To join the domain samdom.example.com as a domain controller (DC) that additionally acts as a DNS server using the Samba internal DNS, run samba-tool domain join.

There are three ways to authenticate: with a username and password, or with one of two Kerberos methods (both Kerberos methods require that you have first run kinit as an administrative user).

Username & Password:

# samba-tool domain join samdom.example.com DC -U"SAMDOM\administrator"

Or:

# samba-tool domain join samdom.example.com DC -k yes

Or:

# samba-tool domain join samdom.example.com DC --krb5-ccache=/tmp/krb5cc_0

Using any of the above should result in output similar to this:

Finding a writeable DC for domain 'samdom.example.com'
Found DC dc1.samdom.example.com
Password for [SAMDOM\administrator]:
workgroup is SAMDOM
realm is samdom.example.com
Adding CN=DC2,OU=Domain Controllers,DC=samdom,DC=example,DC=com
Adding CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
Adding CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
Adding SPNs to CN=DC2,OU=Domain Controllers,DC=samdom,DC=example,DC=com
Setting account password for DC2$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Provision OK for domain DN DC=samdom,DC=example,DC=com
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[402/1618] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[804/1618] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1206/1618] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1608/1618] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1618/1618] linked_values[42/0]
Replicating critical objects from the base DN of the domain
Partition[DC=samdom,DC=example,DC=com] objects[100/100] linked_values[23/0]
Partition[DC=samdom,DC=example,DC=com] objects[386/286] linked_values[23/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=samdom,DC=example,DC=com
Partition[DC=DomainDnsZones,DC=samdom,DC=example,DC=com] objects[44/44] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=samdom,DC=example,DC=com
Partition[DC=ForestDnsZones,DC=samdom,DC=example,DC=com] objects[19/19] linked_values[0/0]
Committing SAM database
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain SAMDOM (SID S-1-5-21-469703510-2364959079-1506205053) as a DC

See the samba-tool domain join --help command's output for further information.

Other parameters frequently used with the samba-tool domain join command:

  • --dns-backend=NAMESERVER-BACKEND: Use the supplied DNS server back end. Valid options are SAMBA_INTERNAL or BIND9_DLZ. Unless you want to use BIND9, there is no need to supply this option.
    If you use the internal DNS server, you are not asked for a forwarder, and the forwarder in /etc/resolv.conf is not picked up automatically. You must supply one with --option="dns forwarder=forwarder_ipaddress".
  • --option="interfaces=lo eth0" --option="bind interfaces only=yes": If your server has multiple network interfaces, use these options to bind Samba to the specified interfaces. This enables the samba-tool command to register the correct LAN IP address in the directory during the join.



Verifying the DNS Entries

If the Samba DC you join runs Samba 4.7 or later, samba-tool creates all required DNS entries automatically during the join. To manually create the records on an earlier version, see Verifying and Creating a DC DNS Record.



Configuring the BIND9_DLZ DNS Back End

If you selected the BIND9_DLZ DNS back end during the domain join, set up the BIND configuration. For details, see BIND9_DLZ DNS Back End.



Built-in User & Group ID Mappings

Samba in its current state does not support Sysvol replication via DFS-R (Distributed File System Replication) or the older FRS (File Replication Service) used in Windows Server 2000/2003 for Sysvol replication.

We currently advise administrators to use one of the following workarounds:



To use a Sysvol Replication workaround, all domain controllers (DC) must use the same ID mappings for built-in users and groups.

By default, a Samba DC stores the user & group IDs in 'xidNumber' attributes in 'idmap.ldb'. Because of the way 'idmap.ldb' works, you cannot guarantee that each DC will use the same ID for a given user or group. To ensure that you do use the same IDs, you must:

  • Create a hot-backup of the /usr/local/samba/private/idmap.ldb file on the existing DC:
# tdbbackup -s .bak /usr/local/samba/private/idmap.ldb
This creates a backup file /usr/local/samba/private/idmap.ldb.bak.
  • Move the backup file to the /usr/local/samba/private/ folder on the newly joined DC and remove the .bak suffix so that it replaces the existing file.
  • Run net cache flush on the new DC.
  • You will now need to sync Sysvol to the new DC.
  • Reset the Sysvol folder's file system access control lists (ACL) on the new DC:
# samba-tool ntacl sysvolreset
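The five steps above, as an added shell example that is not part of the Samba wiki page. The tdbbackup, net and samba-tool commands are the ones the page gives; the function names and the idmap.ldb.orig copy of the new DC's own file are conventions chosen for this example. Run install_idmap_backup before the Samba service on the new DC is started, which is the order the page uses.

```sh
#!/bin/sh
# Copying idmap.ldb from an existing DC to a newly joined one, with checks.
# Added example, not part of the Samba wiki page. Paths follow the page's
# /usr/local/samba/private layout and are overridable through the arguments.

# stage_idmap_backup [PRIVATE_DIR]
# On the existing DC: make the hot backup the page describes and print the
# path of the .bak file once it has actually been written.
stage_idmap_backup() {
    dir=${1:-/usr/local/samba/private}
    tdbbackup -s .bak "$dir/idmap.ldb" || return 1
    [ -s "$dir/idmap.ldb.bak" ] || { echo "backup not written: $dir/idmap.ldb.bak" >&2; return 1; }
    echo "$dir/idmap.ldb.bak"
}

# install_idmap_backup BAK_FILE PRIVATE_DIR
# On the new DC: replace PRIVATE_DIR/idmap.ldb with BAK_FILE. The new DC's own
# idmap.ldb is kept as idmap.ldb.orig (a naming choice of this example, so the
# original IDs can be inspected later), and the copy is compared byte for byte
# before success is reported. Prints the path of the installed file.
install_idmap_backup() {
    bak=$1; dir=$2
    [ -s "$bak" ] || { echo "missing or empty backup: $bak" >&2; return 1; }
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    if [ -f "$dir/idmap.ldb" ]; then
        mv "$dir/idmap.ldb" "$dir/idmap.ldb.orig" || return 1
    fi
    cp "$bak" "$dir/idmap.ldb" || return 1
    cmp -s "$bak" "$dir/idmap.ldb" || { echo "copy verification failed" >&2; return 1; }
    echo "$dir/idmap.ldb"
}

# finish_new_dc
# The remaining steps of the page's procedure on the new DC, to be run only
# after Sysvol has been synced to it: flush the cache, then reset the Sysvol
# ACLs (sysvolreset fails if Sysvol is incomplete). Not called by this file.
finish_new_dc() {
    net cache flush &&
    samba-tool ntacl sysvolreset
}
```

On the existing DC run `stage_idmap_backup`, copy the printed file to the new DC (for example with scp), then on the new DC run `install_idmap_backup /usr/local/samba/private/idmap.ldb.bak /usr/local/samba/private`, sync Sysvol, and finally `finish_new_dc`.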



Starting the Samba Service

To start the Samba Active Directory (AD) domain controller (DC) service manually, enter:

# samba

Samba does not provide System V init scripts, systemd, upstart, or other service configuration files.

  • If you installed Samba using packages, use the script or service configuration file included in the package to start Samba.
  • If you built Samba, see Managing the Samba AD DC Service.



Verifying Directory Replication

After the domain controller (DC) has been started, the knowledge consistency checker (KCC) on the Samba DC creates replication agreements to other DCs in the Active Directory (AD) forest. It can take up to 15 minutes until the KCC creates the auto-generated replication connections.

For details about how to verify that the directory replication works correctly, see Verifying the Directory Replication Statuses.



Starting BIND

Before you start the BIND daemon, verify that the DNS directory partitions have been successfully replicated:

# samba-tool drs showrepl
...
==== INBOUND NEIGHBORS ====
...
DC=DomainDnsZones,DC=samdom,DC=example,DC=com
	Default-First-Site-Name\DC1 via RPC
		DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
		Last attempt @ Thu Sep 24 20:08:45 2015 CEST was successful
		0 consecutive failure(s).
		Last success @ Thu Sep 24 20:08:45 2015 CEST
...
DC=ForestDnsZones,DC=samdom,DC=example,DC=com
	Default-First-Site-Name\DC1 via RPC
		DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
		Last attempt @ Thu Sep 24 20:08:45 2015 CEST was successful
		0 consecutive failure(s).
		Last success @ Thu Sep 24 20:08:45 2015 CEST
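A scripted form of this check, added here as an example and not part of the Samba wiki page: it reads saved samba-tool drs showrepl output and only gives the go-ahead for BIND when both DNS partitions show an inbound neighbor whose last replication attempt succeeded. The sample outputs embedded in the block are constructed from the page's excerpts; treating a zero timestamp (NTTIME(0)) as "no success recorded yet" is an interpretation stated in a comment.

```sh
#!/bin/sh
# Gate for starting BIND on a newly joined DC: parse "samba-tool drs showrepl"
# output and confirm that both DNS partitions have an inbound neighbor whose
# last replication attempt succeeded. Added example, not part of the Samba
# wiki page; the output layout is the one the page shows.

# nc_replicated SHOWREPL_FILE PARTITION_DN
# Returns 0 if, under "INBOUND NEIGHBORS", PARTITION_DN has at least one
# neighbor with "Last attempt ... was successful", "0 consecutive failure(s)"
# and a real last-success time. NTTIME(0) is the zero timestamp, read here as
# "no successful replication recorded yet" (interpretation of this example).
nc_replicated() {
    awk -v dn="$2" '
        /^==== /  { inbound = ($0 ~ /INBOUND NEIGHBORS/); cur = ""; next }
        !inbound  { next }
        /^[^ \t]/ { cur = $0; next }                       # partition DN in column 1
        / via /   { ok_attempt = 0; ok_fail = 0; next }    # a new neighbor block starts
        cur != dn { next }
        /Last attempt @ .* was successful/ { ok_attempt = 1 }
        /^[ \t]*0 consecutive failure/     { ok_fail = 1 }
        /Last success @/ && !/NTTIME\(0\)/ && ok_attempt && ok_fail { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# dns_partitions_replicated SHOWREPL_FILE BASE_DN
# Check DomainDnsZones and ForestDnsZones under BASE_DN; 0 only if both are in.
dns_partitions_replicated() {
    rc=0
    for zone in DomainDnsZones ForestDnsZones; do
        if nc_replicated "$1" "DC=$zone,$2"; then
            echo "$zone: replicated"
        else
            echo "$zone: not replicated yet, do not start BIND"; rc=1
        fi
    done
    return $rc
}

# Constructed showrepl excerpts for trying the functions offline. The first
# follows the page's output; in the second, ForestDnsZones still shows the
# NTTIME(0) timestamps of a partition that has not replicated yet.
sample_showrepl_ok() {
cat <<'EOF'
==== INBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
        Last attempt @ Thu Sep 24 20:08:45 2015 CEST was successful
        0 consecutive failure(s).
        Last success @ Thu Sep 24 20:08:45 2015 CEST

DC=ForestDnsZones,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
        Last attempt @ Thu Sep 24 20:08:45 2015 CEST was successful
        0 consecutive failure(s).
        Last success @ Thu Sep 24 20:08:45 2015 CEST

==== OUTBOUND NEIGHBORS ====
EOF
}

sample_showrepl_pending() {
cat <<'EOF'
==== INBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
        Last attempt @ Thu Sep 24 20:08:45 2015 CEST was successful
        0 consecutive failure(s).
        Last success @ Thu Sep 24 20:08:45 2015 CEST

DC=ForestDnsZones,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====
EOF
}
```

On the new DC, save the real output first (`samba-tool drs showrepl > /tmp/showrepl.txt`) and then run `dns_partitions_replicated /tmp/showrepl.txt DC=samdom,DC=example,DC=com`; a non-zero exit means wait and repeat, since the KCC can take several minutes to establish the connections.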

If the replication works correctly, start the BIND service. See your distribution's documentation for information on how to start a service.



Testing your Samba AD DC

Verifying the File Server

For details, see Verifying the File Server in the Setting up Samba as an Active Directory Domain Controller documentation.


Testing the Local DNS Server

Skip this step if you selected --dns-backend=NONE during the join.

Query the local DNS server to resolve the domain name samdom.example.com:

# host -t A samdom.example.com localhost
Using domain server:
Name: localhost
Address: 127.0.0.1#53
Aliases:

samdom.example.com has address 10.99.0.1
samdom.example.com has address 10.99.0.2

The local DNS resolves the domain name to the IP addresses of all domain controllers (DC).

If you receive no result or a different one, review this documentation and check:

  • the system log files,
  • the Samba log files,
  • the BIND log files, if the BIND9_DLZ is used.


Verifying Kerberos

For details, see Verifying Kerberos in the Setting up Samba as an Active Directory Domain Controller documentation.



DNS Configuration on Domain Controllers

The DNS configuration on domain controllers (DC) is important, because if a DC is unable to locate other DCs, the replication will fail.

Set the local IP of the DC as the primary name server. For example, on the newly joined DC, use its local IP 10.99.0.2 as the primary nameserver entry:

nameserver 10.99.0.2
search samdom.example.com



Configuring Winbindd on a Samba AD DC

Optional. For details, see Configuring Winbindd on a Samba AD DC.



Using the Domain Controller as a File Server

For details, see Using the Domain Controller as a File Server.



Sysvol Replication

Samba currently does not automatically replicate Sysvol; you must use some other form of replication. For community supported workarounds, see Sysvol Replication.



Testing the Directory Replication

To test that the directory replication works correctly, add, for example, a user on an existing DC and verify that it shows up automatically on the newly joined DC.

Optionally use the ldapcmp utility to compare two directories. For details, see samba-tool ldapcmp.



Troubleshooting

For further details, see Samba AD DC Troubleshooting.