Joining a Samba DC to an Existing Active Directory

From SambaWiki

Introduction

Besides joining an Active Directory as a Member Server, Samba can also join an existing domain as a Domain Controller.

The process of joining a Samba server to an existing domain is a bit different from provisioning a new domain. It is the equivalent of the 'dcpromo' command on Windows servers.

Please note that the following steps are the same - regardless of whether you are joining Samba to an existing Windows based domain or an existing Samba based domain.


Server information

This documentation uses the following configuration/settings:

Existing DC in the domain:
Hostname:                      DC1
IP:                            10.99.0.1
DC is also a DNS server:       yes

Domain information:
DNS Domain Name:               samdom.example.com
NT4 Domain Name (NETBIOS):     SAMDOM
Kerberos Realm:                SAMDOM.EXAMPLE.COM
Domain Administrator:          Administrator
Domain Administrator Password: passw0rd

DC additionally joined to the domain:
Hostname:                      DC2
IP Address:                    10.99.0.2
Installation Directory:        /usr/local/samba/


Versions

This HowTo is frequently updated to reflect the latest changes. Please see the Samba Release Planning for more specifics.

Please review the release notes for the version you have installed. They may contain important information not yet reflected in this HowTo.



Installation

Different ways to install

Always check the OS Requirements for dependencies and recommendations.

You have a few options to install Samba:

  • Install binary distribution packages. Make sure that you use a recent Samba installation with Active Directory Domain Controller capabilities!


Paths

Take care when running Samba commands if you also have a previous version of Samba installed! To avoid inadvertently running the wrong version of a program, consider putting the „/usr/local/samba/bin/“ and „/usr/local/samba/sbin/“ directories at the beginning of your $PATH variable.

You can see what version of Samba and client tools, if any, is in your „$PATH“ variable by running:

# samba -V
# smbclient -V



Preparing the host for the domain join

Local DNS server

By default, the first Domain Controller in a domain automatically acts as a DNS server for AD based zones. For failover reasons, it is recommended to have at least two DCs providing AD DNS services.

If you plan to join the additional Domain Controller with BIND as the DNS backend, you have to set up BIND as AD backend first. If you use the internal DNS server or no local DNS at all, no further steps are required.

Verify /etc/hosts

Verify that the local hostname isn't resolved to 127.0.0.1 in /etc/hosts. The hostname must appear only on the line with the host's real IP address:

127.0.0.1   localhost.localdomain    localhost
10.99.0.2   DC2.samdom.example.com   DC2

A line such as „127.0.0.1   localhost.localdomain    localhost   DC2.samdom.example.com   DC2“ is wrong: if the local hostname is resolved to 127.0.0.1, Samba would use this IP for the various DC DNS entries. This would prevent clients from reaching this Domain Controller!
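The following shell script is an added example, not part of the SambaWiki page, that checks an /etc/hosts-style file for exactly this mistake. It takes the file and the hostname (short or fully qualified) as arguments and fails when the name is listed on a loopback line or has no entry with a real address. The two sample files it creates are constructed to mirror the DC2 example above; they are not real system files, and the function name is my own.

```shell
#!/bin/sh
# Added example (not from the Samba wiki): check an /etc/hosts-style file for the
# misconfiguration described above, i.e. the DC's own hostname listed on a loopback line.
# Usage: check_hosts_file FILE HOSTNAME   (HOSTNAME may be short or fully qualified)
# Returns 0 when the hostname appears only with a real address, 1 otherwise.
check_hosts_file() {
    hosts_file="$1"
    name=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    short=${name%%.*}
    # Drop comments, lower-case everything, then count the lines that mention the host
    # (as short name or FQDN) by whether their address is a loopback address.
    result=$(sed 's/#.*//' "$hosts_file" | tr '[:upper:]' '[:lower:]' |
        awk -v name="$name" -v short="$short" '
        NF < 2 { next }
        {
            hit = 0
            for (i = 2; i <= NF; i++) {
                if ($i == name || $i == short || index($i, short ".") == 1) hit = 1
            }
            if (!hit) next
            if ($1 ~ /^127\./ || $1 == "::1") loop++; else real++
        }
        END { printf "%d %d\n", loop + 0, real + 0 }')
    loop=${result% *}
    real=${result#* }
    if [ "$loop" -gt 0 ]; then
        echo "ERROR: $2 is mapped to a loopback address in $hosts_file; Samba would register that IP in DNS" >&2
        return 1
    fi
    if [ "$real" -eq 0 ]; then
        echo "ERROR: $2 has no entry with its real IP address in $hosts_file" >&2
        return 1
    fi
    echo "OK: $2 resolves only to its real address in $hosts_file"
    return 0
}

# Constructed sample files mirroring the wiki's DC2 example: the first is the broken
# layout (hostname on the 127.0.0.1 line), the second is the correct one.
SAMPLE_DIR=$(mktemp -d)
BAD_HOSTS="$SAMPLE_DIR/hosts.bad"
GOOD_HOSTS="$SAMPLE_DIR/hosts.good"
cat > "$BAD_HOSTS" <<'EOF'
127.0.0.1   localhost.localdomain    localhost   DC2.samdom.example.com   DC2
10.99.0.2   DC2.samdom.example.com   DC2
EOF
cat > "$GOOD_HOSTS" <<'EOF'
127.0.0.1   localhost.localdomain    localhost
10.99.0.2   DC2.samdom.example.com   DC2
EOF

check_hosts_file "$BAD_HOSTS" DC2 || true      # prints the ERROR line
check_hosts_file "$GOOD_HOSTS" DC2.samdom.example.com
# On a real host, before the join: check_hosts_file /etc/hosts "$(hostname -f)"
```

The check is case-insensitive and treats any 127.x.x.x or ::1 address as loopback, so it also catches the variant where a distribution installer puts the hostname on a 127.0.1.1 line.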


DNS resolving

Configure the host you want to join as an additional Domain Controller to use a DNS server that is able to resolve zones from the Active Directory. On Linux and Unixes, this is typically done by adding a „nameserver“ and a „search domain“ entry to /etc/resolv.conf:

nameserver 10.99.0.1
search samdom.example.com

Consult your distribution's documentation for configuring the usage of a DNS server.

To verify that name resolution works, try resolving the hostname of one of your existing Domain Controllers:

# host -t A DC1.samdom.example.com
DC1.samdom.example.com has address 10.99.0.1

Kerberos

  • Add the following content to /etc/krb5.conf:
[libdefaults]
    dns_lookup_realm = true
    dns_lookup_kdc = true
    default_realm = SAMDOM.EXAMPLE.COM
  • Verify the correct Kerberos setup by obtaining a ticket:
# kinit administrator
Password for administrator@SAMDOM.EXAMPLE.COM:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@SAMDOM.EXAMPLE.COM

Valid starting       Expires              Service principal
09.11.2014 17:34:09  10.11.2014 03:34:09   krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
        renew until 10.11.2014 17:34:07



Join the existing domain as a Domain Controller

Before you start the joining, make yourself familiar with the parameters and options of „samba-tool domain join“:

# samba-tool domain join --help 

Especially the following two options are required if your future Domain Controller has multiple NICs. Because „samba-tool“ would auto-select one of the IPv4/IPv6 addresses if multiple were found, it might be necessary to bind Samba to the desired interfaces using

--option="interfaces=lo eth0" --option="bind interfaces only=yes"

Join the existing domain (parameter explanation below):

# samba-tool domain join samdom.example.com DC -Uadministrator --realm=samdom.example.com --dns-backend=BIND9_DLZ
Finding a writeable DC for domain 'samdom.example.com'
Found DC dc1.samdom.example.com
Password for [WORKGROUP\administrator]: passw0rd
workgroup is SAMDOM
realm is samdom.example.com
checking sAMAccountName
Adding CN=DC2,OU=Domain Controllers,DC=samdom,DC=example,DC=com
Adding CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
Adding CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
Adding SPNs to CN=DC2,OU=Domain Controllers,DC=samdom,DC=example,DC=com
Setting account password for DC2$
Enabling account
Adding DNS account CN=dns-DC2,CN=Users,DC=samdom,DC=example,DC=com with dns/ SPN
Setting account password for dns-DC2
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=samdom,DC=example,DC=com
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[402/1618] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[804/1618] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1206/1618] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1608/1618] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1618/1618] linked_values[28/0]
Replicating critical objects from the base DN of the domain
Partition[DC=samdom,DC=example,DC=com] objects[98/98] linked_values[23/0]
Partition[DC=samdom,DC=example,DC=com] objects[395/297] linked_values[23/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=samdom,DC=example,DC=com
Partition[DC=DomainDnsZones,DC=samdom,DC=example,DC=com] objects[41/41] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=samdom,DC=example,DC=com
Partition[DC=ForestDnsZones,DC=samdom,DC=example,DC=com] objects[19/19] linked_values[0/0]
Partition[DC=ForestDnsZones,DC=samdom,DC=example,DC=com] objects[38/19] linked_values[0/0]
Committing SAM database
Sending DsReplicateUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain SAMDOM (SID S-1-5-21-469703510-2364959079-1506205053) as a DC

Parameter explanations:

  • Domain: AD Domain Name
  • Server Role: „DC“ for Domain Controller
  • Username: Account that is allowed to join new Domain Controllers. Typically it is the Domain Administrator.
  • Realm: Kerberos Realm
  • DNS backend: You have to choose whether to use the Internal DNS server (SAMBA_INTERNAL), BIND9 (BIND9_DLZ) or no DNS backend (NONE). The Internal DNS is the default and the best choice for simple DNS requirements. It doesn't need any further action. For complex DNS requirements, BIND9_DLZ is recommended. Don't use BIND9_FLATFILE! It's not documented or supported! See DNS Backend BIND for further information about using BIND. The DNS backend choice made during the provisioning isn't permanent. It can be changed afterwards.
  • Site: If you have set up Active Directory Sites, it's possible to join a new DC directly into a specified AD site.

Check DNS entries

For a successful setup and for failover purposes, it is required that all important DNS records are added to the DNS zones. A bug can cause two records to be missing. Check Bug #10928 to see whether it is fixed in the version you're running.


Resolve the A record of the newly joined Domain Controller

# host -t A DC2.samdom.example.com.
DC2.samdom.example.com has address 10.99.0.2

If the record could not be resolved to its IP, you will receive the following output instead:

# host -t A DC2.samdom.example.com.
Host DC2.samdom.example.com. not found: 3(NXDOMAIN)

In this case, you have to add the record manually to the AD DNS zone:

# samba-tool dns add DC1 samdom.example.com DC2 A 10.99.0.2 -Uadministrator
Password for [SAMDOM\administrator]: passw0rd
Record added successfully

Re-check afterwards!


Resolve the objectGUID CNAME record of the newly joined Domain Controller

  • First, you have to find out the objectGUID of the newly joined Domain Controller:
# ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
# record 1
dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
objectGUID: df4bdd8c-abc7-4779-b01e-4dd4553ca3e9

# record 2
dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
objectGUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f

# returned 2 records
# 2 entries
# 0 referrals
  • Query the CNAME of the objectGUID in the _msdcs.samdom.example.com zone. It must be an alias for the hostname of the newly joined DC:
# host -t CNAME df4bdd8c-abc7-4779-b01e-4dd4553ca3e9._msdcs.samdom.example.com.
df4bdd8c-abc7-4779-b01e-4dd4553ca3e9._msdcs.samdom.example.com is an alias for DC2.samdom.example.com.
  • If the record could not be resolved, you will receive:
# host -t CNAME df4bdd8c-abc7-4779-b01e-4dd4553ca3e9._msdcs.samdom.example.com.
Host df4bdd8c-abc7-4779-b01e-4dd4553ca3e9._msdcs.samdom.example.com. not found: 3(NXDOMAIN)
  • In this case, you have to add the record manually to the AD DNS zone:
# samba-tool dns add DC1 _msdcs.samdom.example.com df4bdd8c-abc7-4779-b01e-4dd4553ca3e9 CNAME DC2.samdom.example.com -Uadministrator
Password for [SAMDOM\administrator]: passw0rd
Record added successfully
  • Re-check afterwards!
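As an added example (not from the SambaWiki page or the Samba project), the script below automates the checks of this section: it extracts the objectGUID of the new DC from the ldbsearch output, interprets the host output for the A and CNAME records, and, when a record is missing, adds it with the same samba-tool dns add commands shown above and re-checks afterwards. The parsing functions are exercised offline on sample text copied from the output above; the real ldbsearch, host and samba-tool calls are only made when RUN_DNS_CHECK=1 is set. SAM_LDB, DC1, DC2, the domain and the IP follow this page's example setup; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the Samba wiki). Automates the two checks of this section:
# the A record of the newly joined DC and the objectGUID CNAME in the _msdcs zone.
SAM_LDB=/usr/local/samba/private/sam.ldb    # path from the wiki's example setup

# Read `ldbsearch ... '(invocationId=*)' --cross-ncs objectguid` output on stdin and
# print the objectGUID of the NTDS Settings object of DC $1. Returns 1 if not listed.
guid_for_dc() {
    awk -v dc="$1" '
        /^dn: /                 { want = (index($0, "CN=NTDS Settings,CN=" dc ",") > 0) }
        /^objectGUID: / && want { print $2; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# Read `host -t A name` output on stdin; print the address or return 1 (e.g. NXDOMAIN).
a_record_ip() {
    awk '/ has address / { print $NF; found = 1 } END { exit found ? 0 : 1 }'
}

# Read `host -t CNAME name` output on stdin; print the alias target without the
# trailing dot, or return 1 if no alias was returned.
cname_target() {
    awk '/ is an alias for / { sub(/\.$/, "", $NF); print $NF; found = 1 }
         END { exit found ? 0 : 1 }'
}

# Ensure both records for DC $1 (IP $3) in domain $2 exist, using DC $4 for updates.
ensure_dc_dns_records() {
    new_dc="$1"; domain="$2"; ip="$3"; server="$4"
    if ! host -t A "$new_dc.$domain." | a_record_ip >/dev/null; then
        echo "A record for $new_dc.$domain missing, adding it"
        samba-tool dns add "$server" "$domain" "$new_dc" A "$ip" -Uadministrator || return 1
    fi
    guid=$(ldbsearch -H "$SAM_LDB" '(invocationId=*)' --cross-ncs objectguid | guid_for_dc "$new_dc") || {
        echo "no NTDS Settings object found for $new_dc in $SAM_LDB" >&2; return 1; }
    if ! host -t CNAME "$guid._msdcs.$domain." | cname_target >/dev/null; then
        echo "CNAME $guid._msdcs.$domain missing, adding it"
        samba-tool dns add "$server" "_msdcs.$domain" "$guid" CNAME "$new_dc.$domain" -Uadministrator || return 1
    fi
    # Re-check afterwards, as the page recommends
    host -t A "$new_dc.$domain." | a_record_ip >/dev/null &&
        host -t CNAME "$guid._msdcs.$domain." | cname_target >/dev/null
}

# Constructed sample input, copied from the wiki's ldbsearch and host output above.
SAMPLE_LDB='# record 1
dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
objectGUID: df4bdd8c-abc7-4779-b01e-4dd4553ca3e9

# record 2
dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
objectGUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
'
SAMPLE_CNAME_OK='df4bdd8c-abc7-4779-b01e-4dd4553ca3e9._msdcs.samdom.example.com is an alias for DC2.samdom.example.com.'
SAMPLE_NXDOMAIN='Host df4bdd8c-abc7-4779-b01e-4dd4553ca3e9._msdcs.samdom.example.com. not found: 3(NXDOMAIN)'

printf '%s\n' "$SAMPLE_LDB" | guid_for_dc DC2        # df4bdd8c-abc7-4779-b01e-4dd4553ca3e9
printf '%s\n' "$SAMPLE_CNAME_OK" | cname_target       # DC2.samdom.example.com
printf '%s\n' "$SAMPLE_NXDOMAIN" | cname_target || echo "CNAME missing, would add it"

# Live run on the new DC (prompts for the administrator password like the page does):
if [ "${RUN_DNS_CHECK:-0}" = 1 ]; then
    ensure_dc_dns_records DC2 samdom.example.com 10.99.0.2 DC1
fi
```

Run it with RUN_DNS_CHECK=1 on DC2 after the join; it only calls samba-tool dns add for a record that host cannot resolve, so running it repeatedly is harmless.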



Adaptations for the BIND DNS backend

This step can be skipped, if the DC was joined with SAMBA_INTERNAL or without DNS backend.


Workaround: Fix keytab permissions

This workaround is required, until Bug #10881 is solved for the version of Samba you're running!

Fix permissions on the 'dns.keytab' file, to allow BIND to read this file:

# chmod 640 /usr/local/samba/private/dns.keytab
# chgrp named /usr/local/samba/private/dns.keytab

Note: If you use Samba packages (from your distribution or from other sources), make sure that the account BIND runs as can reach the dns.keytab file. Some package installations set too restrictive permissions on the directories.

Otherwise, BIND will not be able to update your zone(s)! One of the results is that 'samba_dnsupdate' can't add e.g. the important DNS entries that clients use to locate the new DC. In case of a failure of your other DC, domain logons using your new DC wouldn't be possible!


Enable the BIND9_DLZ module, suitable to the BIND version

Make sure that the correct BIND9_DLZ module for your BIND version is enabled in /usr/local/samba/private/named.conf. Uncomment the module for your BIND version and comment out the other:

dlz "AD DNS Zone" {
    # For BIND 9.8.0
    database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";

    # For BIND 9.9.0
    # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";
};

The example above enables the module for BIND 9.8.x (default).



GID mappings of built-in groups

There are currently issues with GID mappings of built-in groups. The GIDs of groups owning files and directories in the sysvol folder may differ between Domain Controllers. Currently Samba doesn't replicate these GIDs.

Use the following workaround, if you encounter any problems:

  • Shut down Samba on the newly joined Domain Controller.
  • Create a hot-backup of idmap.ldb on the first Domain Controller:
# tdbbackup -s .bak /usr/local/samba/private/idmap.ldb
  • Move the backup file „/usr/local/samba/private/idmap.ldb.bak“ to „/usr/local/samba/private/“ on the newly joined Domain Controller and remove the .bak suffix; this replaces the original file.
  • Start Samba on the newly joined Domain Controller again.
  • Reset the ACLs on the local sysvol folder of the newly joined Domain Controller:
# samba-tool ntacl sysvolreset



Start Samba

To start the Samba Active Directory Domain Controller in „standard“ mode, which is suitable for production use, run

# samba

Samba doesn't yet have init scripts included. You can find examples on the Samba Init-Script page.




Directory replication

A few minutes after you have started Samba, connections to the other DCs will be established automatically.

# samba-tool drs showrepl
Default-First-Site-Name\DC2
DSA Options: 0x00000001
DSA object GUID: df4bdd8c-abc7-4779-b01e-4dd4553ca3e9
DSA invocationId: 8e30d69f-c20f-4744-9833-5b050e611375

==== INBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
                Last attempt @ Sun Nov  9 19:56:07 2014 CET was successful
                0 consecutive failure(s).
                Last success @ Sun Nov  9 19:56:07 2014 CET

DC=DomainDnsZones,DC=samdom,DC=example,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
                Last attempt @ Sun Nov  9 19:56:06 2014 CET was successful
                0 consecutive failure(s).
                Last success @ Sun Nov  9 19:56:06 2014 CET

CN=Configuration,DC=samdom,DC=example,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
                Last attempt @ Sun Nov  9 19:56:07 2014 CET was successful
                0 consecutive failure(s).
                Last success @ Sun Nov  9 19:56:07 2014 CET

DC=ForestDnsZones,DC=samdom,DC=example,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
                Last attempt @ Sun Nov  9 19:56:07 2014 CET was successful
                0 consecutive failure(s).
                Last success @ Sun Nov  9 19:56:07 2014 CET

DC=samdom,DC=example,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
                Last attempt @ Sun Nov  9 19:56:13 2014 CET was successful
                0 consecutive failure(s).
                Last success @ Sun Nov  9 19:56:13 2014 CET

==== OUTBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=DomainDnsZones,DC=samdom,DC=example,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Configuration,DC=samdom,DC=example,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=ForestDnsZones,DC=samdom,DC=example,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=samdom,DC=example,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
        Connection name: 5745d481-1d26-48f4-ab65-273263e28a45
        Enabled        : TRUE
        Server DNS name : DC1.samdom.example.com
        Server DN name  : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!

Depending on your replication settings - if defined - it may take a few minutes until all connections are established, so please be patient! In the unlikely case that the outbound connections aren't established automatically, not even after several minutes, you can force the replication (generally not necessary!). See samba-tool drs replicate.

Note about the „Warning: No NC replicated for Connection!“ line: it can be safely ignored. See FAQ: Message: Warning: No NC replicated for Connection!




Start BIND

Please check (samba-tool drs showrepl), that the DC=ForestDnsZones,DC=samdom,DC=example,DC=com and DC=DomainDnsZones,DC=samdom,DC=example,DC=com partitions are already replicated!

If so, and you are using the BIND9_DLZ backend, it's time to start BIND now.
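The following is an added example, not from the SambaWiki page, of turning this check into a script: it parses samba-tool drs showrepl output and reports a partition as ready only when an inbound neighbor shows a successful last attempt with 0 consecutive failures (the OUTBOUND and KCC sections are ignored, since their NTTIME(0) timestamps say nothing about what this DC has received). The sample output embedded in it is a trimmed copy of the output above, with the ForestDnsZones inbound entry altered to a constructed failure so that both outcomes are shown; on a real DC you would pipe the live command into bind_partitions_ready instead. Function names are my own.

```shell
#!/bin/sh
# Added example (not from the Samba wiki). Decide from `samba-tool drs showrepl` output
# whether the partitions BIND needs (DomainDnsZones, ForestDnsZones) have replicated in.

# Read showrepl output on stdin; print "<partition> ok|failed|missing" for each partition
# DN given as an argument, judging the INBOUND NEIGHBORS section only.
# Returns 0 only if every requested partition is ok.
inbound_partition_status() {
    awk -v wanted="$*" '
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) status[w[i]] = "missing" }
        /^==== INBOUND NEIGHBORS ====/ { inbound = 1; next }
        /^==== /                       { inbound = 0 }
        !inbound                       { next }
        /^(CN|DC)=/ {                  # partition header line, e.g. DC=DomainDnsZones,...
            part = $0; sub(/[ \t]+$/, "", part); succ = 0; next
        }
        /Last attempt @/ && (part in status) { succ = ($0 ~ /was successful/) }
        /consecutive failure/ && (part in status) {
            # one neighbor with a successful attempt and zero failures is enough
            if (succ && $1 == 0) status[part] = "ok"
            else if (status[part] != "ok") status[part] = "failed"
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                print w[i] " " status[w[i]]
                if (status[w[i]] != "ok") bad = 1
            }
            exit bad
        }'
}

# The two partitions whose absence would leave BIND9_DLZ without its zones.
REQUIRED_FOR_BIND="DC=DomainDnsZones,DC=samdom,DC=example,DC=com DC=ForestDnsZones,DC=samdom,DC=example,DC=com"

# stdin: showrepl output; returns 0 when it is safe to start BIND.
bind_partitions_ready() {
    inbound_partition_status $REQUIRED_FOR_BIND
}

# Constructed sample: a trimmed copy of the wiki's showrepl output, with the inbound
# ForestDnsZones entry changed to a failed attempt (the failure text is made up).
SAMPLE_SHOWREPL_FAILING='Default-First-Site-Name\DC2
DSA Options: 0x00000001
DSA object GUID: df4bdd8c-abc7-4779-b01e-4dd4553ca3e9

==== INBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=samdom,DC=example,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
                Last attempt @ Sun Nov  9 19:56:06 2014 CET was successful
                0 consecutive failure(s).
                Last success @ Sun Nov  9 19:56:06 2014 CET

DC=ForestDnsZones,DC=samdom,DC=example,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
                Last attempt @ Sun Nov  9 19:56:07 2014 CET failed (constructed sample)
                1 consecutive failure(s).
                Last success @ NTTIME(0)

==== OUTBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=samdom,DC=example,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====
'
# Same sample with the ForestDnsZones inbound entry healthy again.
SAMPLE_SHOWREPL_OK=$(printf '%s\n' "$SAMPLE_SHOWREPL_FAILING" |
    sed -e 's/failed (constructed sample)/was successful/' -e 's/1 consecutive/0 consecutive/')

printf '%s\n' "$SAMPLE_SHOWREPL_FAILING" | bind_partitions_ready || echo "do not start BIND yet"
printf '%s\n' "$SAMPLE_SHOWREPL_OK" | bind_partitions_ready && echo "safe to start BIND"
# Live use on the new DC:  samba-tool drs showrepl | bind_partitions_ready && systemctl start named
```

The awk program tracks state per inbound partition header, so additional neighbors (a third DC) are handled: the partition counts as ok as soon as any neighbor reports a successful, failure-free attempt.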



/etc/resolv.conf on the new Domain Controller

If the DNS on your new Domain Controller is working, you should think about adding it to /etc/resolv.conf.

As a best practice, you should never have just one nameserver entry in a Domain Controller's /etc/resolv.conf! If that server fails, the DC can no longer resolve AD zones, which causes several other services that rely on DNS, such as directory replication, to fail.

So always rely on at least two DNS servers that are able to resolve AD DNS zones:

nameserver 10.99.0.2
nameserver 10.99.0.1
search samdom.example.com
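Added example (not from the SambaWiki page): a small script that checks a resolv.conf-style file for the practice described here, at least two nameservers, and can optionally query each of them for the AD DC locator SRV record (_ldap._tcp.dc._msdcs.<domain>) with host to confirm that they really serve the AD zones. The sample files are constructed from the entries above; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the Samba wiki): verify that a DC's resolver configuration
# does not depend on a single DNS server, and that the servers listed serve AD zones.

# Print the nameserver addresses from resolv.conf-style file $1, one per line.
resolv_nameservers() {
    sed 's/#.*//' "$1" | awk '$1 == "nameserver" && NF >= 2 { print $2 }'
}

# Return 0 if file $1 lists at least two distinct nameservers, else 1.
has_redundant_nameservers() {
    count=$(resolv_nameservers "$1" | sort -u | wc -l | tr -d ' ')
    [ "$count" -ge 2 ]
}

# Query the DC locator SRV record of domain $2 against every nameserver in file $1.
# Returns 0 only if at least two of them answer it, so the loss of one is survivable.
# Needs network access to the DNS servers; not run offline in this example.
check_ad_resolvers() {
    file="$1"; domain="$2"; good=0
    for ns in $(resolv_nameservers "$file" | sort -u); do
        if host -t SRV "_ldap._tcp.dc._msdcs.$domain." "$ns" 2>/dev/null | grep -q 'has SRV record'; then
            echo "$ns: resolves AD DC locator records"
            good=$((good + 1))
        else
            echo "$ns: does NOT resolve AD DC locator records" >&2
        fi
    done
    [ "$good" -ge 2 ]
}

# Constructed sample files: the recommended layout from above, and a single-server one.
SAMPLE_DIR=$(mktemp -d)
GOOD_RESOLV="$SAMPLE_DIR/resolv.good"
SINGLE_RESOLV="$SAMPLE_DIR/resolv.single"
cat > "$GOOD_RESOLV" <<'EOF'
# constructed sample: the layout recommended on the wiki page
nameserver 10.99.0.2
nameserver 10.99.0.1
search samdom.example.com
EOF
cat > "$SINGLE_RESOLV" <<'EOF'
# constructed sample: one nameserver, a single point of failure for the DC
nameserver 10.99.0.1
search samdom.example.com
EOF

has_redundant_nameservers "$GOOD_RESOLV" && echo "resolv.good: at least two nameservers"
has_redundant_nameservers "$SINGLE_RESOLV" || echo "resolv.single: only one nameserver, add a second AD-aware one"
# Live check on the new DC:  check_ad_resolvers /etc/resolv.conf samdom.example.com
```

Listing the DC's own address first, as the page does, keeps lookups local while the second entry covers the case where the local Samba DNS or BIND is down.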



SysVol replication

Currently, replication of the SysVol share isn't implemented. If you make any changes on that share, you have to keep them in sync on all your Domain Controllers. An example of how to achieve this automatically is provided in the SysVol Replication documentation.



Testing directory replication

To check that replication is working correctly between your two Domain Controllers, try adding or modifying e.g. a user on one DC using either the Samba command line tools or the Windows GUI admin tools. Then check that the change shows up within a few seconds on the other Domain Controller.


ldapcmp

You may wish to use samba-tool ldapcmp to verify that the same data is being served from all Domain Controllers.