User Tools

Site Tools


join_samba4_as_additional_dc

Join Samba4 as additional Domain Controller

Samba4 has the ability to join an existing Active Directory domain as an additional domain controller. The process of joining a Samba4 server to an existing domain is a bit different to provisioning a new domain. This process is the equivalent of the 'dcpromo' command on Windows Servers.

This HOWTO will assume you had configured and installed Samba in the default location of '/usr/local/samba'. It assumes you are joining Samba to an existing domain called 'samdom.example.com'.

Please note that the following steps are the same regardless of whether you are joining Samba to an existing Windows based domain or an existing Samba based domain.

Before you install Samba4, follow the steps in Requeriments and then read the instrucctions in Install Samba4 wiki page. If you choose BIND as DNS backend, instead of the internal DNS, then you, of course, have to finish this before you continue. Depending on your needs, you can have different backends on each of your DC.

Prerequisites

  • The domain must be at least at forest functional level „2003 native“ (not interim!), to join a Samba DC.
  • The forests schema must be maximum at version 47 (Server 2008 R2). If your forest is Samba driven, the schema version is 47. Only if you have Windows DCs, this has to be checked, by running on a Windows DC:
dsquery * “CN=Schema,CN=Configuration,DC=Root-Domäne” -Scope Base -attr objectVersion

For the rest of this HowTo we assume that:

Installation Directory:           /usr/local/samba/ (per default, if you use SerNet pacakages isn't the same!)
Server Hostname (primary DC):     redtic-ad1
Server Hostname (additional DC):  redtic-ad2
DNS Domain Name:                  redtic.uclv.cu (This will also be your realm)
NT4 Domain Name:                  redtic
IP Address:                       10.12.112.85
Server Role:                      DC

Getting ready for joining Samba as a DC to an existing domain

You should remove any existing smb.conf in '/usr/local/samba/etc/' and the content in '/usr/local/samba/private/'. For Sernet Packages the locations are: '/etc/samba/smb.conf' and '/var/lib/samba/private'

Verify /etc/hosts

Verify that the local hostname isn't resolved to 127.0.0.1 in /etc/hosts:

127.0.0.1      localhost.localdomain       localhost
10.12.112.85   redtic-ad2.redtic.uclv.cu   redtic-ad2

If the local hostname is resolved to 127.0.0.1, Samba would use this IP for the various DC DNS entries. This would prevent clients from reaching this Domain Controller!

DNS resolving

Configure the host, you want to join as an additional Domain Controller, to use a DNS server that is able to resolve zones from the Active Directory. On Linux and Unixes, this is typically done by adding a „nameserver“ and „search domain“ entry to to /etc/resolv.conf:

domain redtic.uclv.cu
search redtic.uclv.cu
nameserver 10.12.112.84 #redtic-ad1's IP

Consult your distributions documentation for configuring the usage of a DNS server. To verify a correct name resolution, try resolving the hostname of one of your existing Domain Controllers:

# host -t A redtic-ad1.redtic.uclv.cu
redtic-ad1.redtic.uclv.cu has address 10.12.112.84

Kerberos

Be sure, that you have your setup your existing domain correctly as your default realm in /etc/krb5.conf with the following options:

 [libdefaults]
   dns_lookup_realm = false
   dns_lookup_kdc = true
   default_realm = REDTIC.UCLV.CU

You should then test to make sure that DNS and kerberos are setup correctly to point at your existing domain controller. Test that it is all working by trying a kinit as a domain administration:

 # kinit administrator
 # klist

Joining the existing domain as a DC

Before you start the joining, make yourself familiar with the parameters and options of „samba-tool domain join“:

# samba-tool domain join --help 

Expecially the following two options are required, if your future Domain Controllers have multiple NICs. Because „samba-tool“ would auto-choose one of the IPv4/IPv6 addresses, if multiple where found, it might be necessary to bind Samba to the desired interfaces using:

--option="interfaces=lo eth0" --option="bind interfaces only=yes"

To join run the following command as root:

 # samba-tool domain join redtic.uclv.cu DC -Uadministrator --realm=redtic.uclv.cu

Since Samba4 rc2 the internal DNS server is default. If you want to join this or a higher version with using BIND as DNS backend, use the following command:

 # samba-tool domain join redtic.uclv.cu DC -Uadministrator --realm=redtic.uclv.cu --dns-backend=BIND9_DLZ

At the end you can see a similar output:

 Joined domain REDTIC.UCLV.CU (SID S-1-5-21-3345338216-3359172960-946406909) as a DC

Now you have joined your Samba4 server to your existing domain.

Then add the following options to your smb.conf inside the [global] sections:

 # Log level
 log level = 3

 # Disable CUPS errors
 printing = bsd
 printcap name = /dev/null

 # DNS Forwarders, uncomment if you are using internal DNS
 # dns forwarder = YOUR-FORWARDER's-IP

Check required DNS entries of the new host

Before you start Samba, you should check, if the new DCs DNS entries are set correctly during joining. This doesn't currently work 100% and have to be done manually in that case, specially if you join Samba4 ad additional DC in Samba4 Domain.

From the new host, try to resolve its hostname:

 # host -t A redtic-ad2.redtic.uclv.cu.

If this fails, you have to add the A record by hand. Run on your existing DC:

 # samba-tool dns add IP-of-your-DNS-server redtic.uclv.cu DC2-name A IP-of-the-DC-you-had-joined -Uadministrator

Also you should check, if the objectGUID is resolvable to the new hostname. For that, run

 # ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid

For Sernet packages:

 # ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid

For example, '737506d0-bfe6-40c8-815d-08c3dff7a67f' is the objectGUID of the new DC, we'll query with the following command:

 # host -t CNAME 737506d0-bfe6-40c8-815d-08c3dff7a67f._msdcs.redtic.uclv.cu.

This should output you the alias (CNAME) of this entry pointing to your new DC name. If this record is also missing, you have to add it, too:

 # samba-tool dns add IP-of-your-DNS _msdcs.redtic.uclv.cu 737506d0-bfe6-40c8-815d-08c3dff7a67f CNAME redtic-ad2.redtic.uclv.cu -Uadministrator

Configure DNS Server

Follow the steps in configure DNS Server.

Now is time to put a “nameserver” entry of your new DC in your '/etc/resolv.conf'. Example:

 nameserver 10.12.112.85 #redtic-ad2's IP

Starting Samba

You start Samba as a DC in the same way that you start it as a normal server, just follow the instructions in Starting Samba in Samba4 Active Directory Domain Controller.

To save the output on a screen and a file log:

 # samba -i M single -d2 | tee ~/samba4.log

If you are using SerNet packages, you should create this directory before type the above command:

 mkdir -p /var/run/samba

Checking replication process

You should then check that replication between the Windows DC and the Samba DC is working correctly by using:

 # samba-tool drs showrepl

Another way to check that replication is working correctly between your two domain controllers, try adding a user on the Samba DC using either the Samba command line tools, or the Windows GUI admin tools. Then check that the user shows up within a few seconds on your Windows domain controller. Similarly, try modifying a user on the Windows domain controller and check that the modifies show up correctly on the Samba server

Checking DDNS updates are working

To check if DNS updates are working:

 # samba_dnsupdate --verbose --all-names

SysVol replication

Currently the replication of the SysVol share isn't implemented. If you make any changes on that share, you have to keep the shares on all your DCs in sync manually (e. g. with an rsync cronjob). An example way how to achieve this, you can find in the SysVol Replication Howto.

FSMO role transfer

You can transfer FSMO roles from an existing DC to a Samba AD DC, by seizing them from your Samba AD machine:

 # samba-tool fsmo seize --role=....

You can seize all five roles: rid, schema, naming, pdc and infrastructure (you can use “–role=all” to seize all at once).

Known issues and ways to fix/workaround


If after join Samba4 as second domain controllers you receive the following error in the second DC in the logs file o after running manually “samba_dnsupdate –verbose”:

/usr/sbin/samba_dnsupdate: update failed: NOTAUTH
/usr/sbin/samba_dnsupdate: update failed: NOTAUTH
/usr/sbin/samba_dnsupdate: update failed: NOTAUTH
/usr/sbin/samba_dnsupdate: update failed: NOTAUTH
/usr/sbin/samba_dnsupdate: update failed: NOTAUTH
/usr/sbin/samba_dnsupdate: update failed: NOTAUTH

To solve the above, in the second DC (recently joined) put like dns server the DC1's IP address, ie: /etc/resolv.conf

search yourdomain.com
nameserver ip-of-dc2
nameserver ip-of-dc1

Finally restart Samba o run:

# samba_dnsupdate --verbose

No you can see that all record are added successfully!!!

A note on DNS updates


Samba4 has the ability to automatically update a Windows or Bind9 DNS server with the correct set of DNS entries when it becomes a domain controller.

The way the automatic DNS updates works is that Samba regularly (every 10 minutes) calls out to the samba_dnsupdate script that is installed along with Samba. That script reads a template file of DNS names to update in the DNS zone from /usr/local/samba/private/dns_update_list.

The contents of this file look like this:

 A                                                        ${DNSDOMAIN} $IP
 A                                                        ${HOSTNAME} $IP
 CNAME ${NTDSGUID}._msdcs.${DNSDOMAIN}                    ${HOSTNAME}
 SRV _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
 SRV _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN}     ${HOSTNAME} 389
 SRV _kerberos._tcp.dc._msdcs.${DNSDOMAIN}                ${HOSTNAME} 88
 SRV _ldap._tcp.dc._msdcs.${DNSDOMAIN}                    ${HOSTNAME} 389
 SRV _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
 SRV _ldap._tcp.${SITE}._sites.gc._msdcs.${DNSDOMAIN}     ${HOSTNAME} 3268
 SRV _ldap._tcp.gc._msdcs.${DNSDOMAIN}                    ${HOSTNAME} 3268
 SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN}                   ${HOSTNAME} 389
 SRV _gc._tcp.${SITE}._sites.${DNSDOMAIN}                 ${HOSTNAME} 3268
 SRV _kerberos._tcp.${SITE}._sites.${DNSDOMAIN}           ${HOSTNAME} 88
 SRV _ldap._tcp.${SITE}._sites.${DNSDOMAIN}            ${HOSTNAME} 389
 SRV _gc._tcp.${DNSDOMAIN}                                ${HOSTNAME} 3268
 SRV _kerberos._tcp.${DNSDOMAIN}                          ${HOSTNAME} 88
 SRV _kpasswd._tcp.${DNSDOMAIN}                           ${HOSTNAME} 464
 SRV _ldap._tcp.${DNSDOMAIN}                              ${HOSTNAME} 389
 SRV _kerberos._udp.${DNSDOMAIN}                          ${HOSTNAME} 88
 SRV _kpasswd._udp.${DNSDOMAIN}                           ${HOSTNAME} 464

at runtime, Samba will substitute the variables in this file, and call out to the bind9 nsupdate command using the -g option to enable TSIG-GSS DNS updates. It will only make updates for DNS names that it detects are not currently correctly set.

You can add your own names to dns_update_list list if you want, and Samba will add those on the DNS server. You may also choose not to use TSIG-GSS and instead use a fixed DNS key setup in another bind9 server. To do that you will need to modify the 'nsupdate' command that Samba runs, which is settable using the “nsupdate command” smb.conf option. The default is “/usr/bin/nsupdate -g”

The $IP entries for A records are replaced with the IP interface addresses that Samba detects at runtime, based on the “interfaces=” smb.conf option.

FAQ


Message: “Failed to find our own NTDS Settings invocationId in the ldb!” during joining

Check if you have an existing smb.conf and remove it befor joining.

Message: Warning: No NC replicated for Connection!

When Samba registers for replication, there are a couple of flags that aren't correctly set. That's what the DRS command shows: They are not set. It's pretty harmless and you can ignore this warning.

join_samba4_as_additional_dc.txt · Last modified: 2020/04/10 17:38 (external edit)