Samba4 has the ability to join an existing Active Directory domain as an additional domain controller. Joining a Samba4 server to an existing domain is a slightly different process from provisioning a new domain; it is the equivalent of the 'dcpromo' command on Windows Servers.
This HOWTO assumes you have configured and installed Samba in the default location '/usr/local/samba', and that you are joining Samba to an existing domain called 'samdom.example.com'.
Please note that the following steps are the same regardless of whether you are joining Samba to an existing Windows based domain or an existing Samba based domain.
Before you install Samba4, follow the steps in Requirements and then read the instructions on the Install Samba4 wiki page. If you choose BIND as the DNS backend instead of the internal DNS, you of course have to finish that before you continue. Depending on your needs, you can use different DNS backends on each of your DCs.
To check the schema version of the existing forest, run the following on a Windows DC (replace DC=Root-Domäne with the DN of your forest root domain):
dsquery * "CN=Schema,CN=Configuration,DC=Root-Domäne" -Scope Base -attr objectVersion
For the rest of this HowTo we assume that:
Installation Directory: /usr/local/samba/ (the default; if you use SerNet packages it is different!)
Server Hostname (primary DC): redtic-ad1
Server Hostname (additional DC): redtic-ad2
DNS Domain Name: redtic.uclv.cu (this will also be your realm)
NT4 Domain Name: redtic
IP Address: 10.12.112.85
Server Role: DC
You should remove any existing smb.conf in '/usr/local/samba/etc/' and the content of '/usr/local/samba/private/'. For SerNet packages the locations are '/etc/samba/smb.conf' and '/var/lib/samba/private'.
Verify that the local hostname isn't resolved to 127.0.0.1 in /etc/hosts:
127.0.0.1 localhost.localdomain localhost
10.12.112.85 redtic-ad2.redtic.uclv.cu redtic-ad2
If the local hostname is resolved to 127.0.0.1, Samba would use this IP for the various DC DNS entries. This would prevent clients from reaching this Domain Controller!
Configure the host you want to join as an additional Domain Controller to use a DNS server that is able to resolve the zones of the Active Directory. On Linux and Unix this is typically done by adding a "nameserver" and a "search domain" entry to /etc/resolv.conf:
domain redtic.uclv.cu
search redtic.uclv.cu
nameserver 10.12.112.84 #redtic-ad1's IP
Consult your distribution's documentation for configuring the use of a DNS server. To verify that name resolution works, try resolving the hostname of one of your existing Domain Controllers:
# host -t A redtic-ad1.redtic.uclv.cu
redtic-ad1.redtic.uclv.cu has address 10.12.112.84
Make sure that your existing domain is set up correctly as the default realm in /etc/krb5.conf with the following options:
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = true
default_realm = REDTIC.UCLV.CU
You should then test that DNS and Kerberos are set up correctly to point at your existing domain controller. Check that everything works by trying a kinit as a domain administrator:
# kinit administrator
# klist
Before you start the join, make yourself familiar with the parameters and options of "samba-tool domain join":
# samba-tool domain join --help
Especially the following two options are required if your future Domain Controller has multiple NICs. Because "samba-tool" would auto-choose one of the IPv4/IPv6 addresses if multiple were found, it might be necessary to bind Samba to the desired interfaces using:
--option="interfaces=lo eth0" --option="bind interfaces only=yes"
To join run the following command as root:
# samba-tool domain join redtic.uclv.cu DC -Uadministrator --realm=redtic.uclv.cu
Since Samba4 rc2 the internal DNS server is the default. If you are joining with this or a later version and want to use BIND as the DNS backend, use the following command instead:
# samba-tool domain join redtic.uclv.cu DC -Uadministrator --realm=redtic.uclv.cu --dns-backend=BIND9_DLZ
At the end you should see output similar to:
Joined domain REDTIC.UCLV.CU (SID S-1-5-21-3345338216-3359172960-946406909) as a DC
Now you have joined your Samba4 server to your existing domain.
Then add the following options to your smb.conf inside the [global] section:
# Log level
log level = 3
# Disable CUPS errors
printing = bsd
printcap name = /dev/null
# DNS forwarder, uncomment if you are using the internal DNS
# dns forwarder = YOUR-FORWARDER's-IP
Before you start Samba, check whether the new DC's DNS entries were set correctly during the join. This currently doesn't work 100% reliably and then has to be done manually, especially if you join Samba4 as an additional DC to a Samba4 domain.
From the new host, try to resolve its hostname:
# host -t A redtic-ad2.redtic.uclv.cu.
If this fails, you have to add the A record by hand. Run on your existing DC:
# samba-tool dns add IP-of-your-DNS-server redtic.uclv.cu DC2-name A IP-of-the-DC-you-had-joined -Uadministrator
You should also check whether the objectGUID of the new DC resolves to its hostname. To find the objectGUID, run:
# ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
For Sernet packages:
# ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
For example, if '737506d0-bfe6-40c8-815d-08c3dff7a67f' is the objectGUID of the new DC, query it with the following command:
# host -t CNAME 737506d0-bfe6-40c8-815d-08c3dff7a67f._msdcs.redtic.uclv.cu.
This should return the alias (CNAME) of this entry, pointing to the name of your new DC. If this record is also missing, you have to add it too:
# samba-tool dns add IP-of-your-DNS _msdcs.redtic.uclv.cu 737506d0-bfe6-40c8-815d-08c3dff7a67f CNAME redtic-ad2.redtic.uclv.cu -Uadministrator
Follow the steps in configure DNS Server.
Now it is time to add a "nameserver" entry for your new DC to '/etc/resolv.conf'. Example:
nameserver 10.12.112.85 #redtic-ad2's IP
You start Samba as a DC in the same way that you start it as a normal server, just follow the instructions in Starting Samba in Samba4 Active Directory Domain Controller.
To see the output on screen and save it to a log file at the same time:
# samba -i -M single -d2 | tee ~/samba4.log
If you are using SerNet packages, you should create this directory before typing the above command:
mkdir -p /var/run/samba
You should then check that replication between the Windows DC and the Samba DC is working correctly by using:
# samba-tool drs showrepl
Another way to check that replication is working correctly between your two domain controllers is to add a user on the Samba DC using either the Samba command line tools or the Windows GUI admin tools, and then check that the user shows up within a few seconds on your Windows domain controller. Similarly, try modifying a user on the Windows domain controller and check that the modifications show up correctly on the Samba server.
To check if DNS updates are working:
# samba_dnsupdate --verbose --all-names
Currently the replication of the SysVol share isn't implemented. If you make any changes on that share, you have to keep the shares on all your DCs in sync manually (e.g. with an rsync cronjob). An example of how to achieve this can be found in the SysVol Replication HOWTO.
You can transfer FSMO roles from an existing DC to a Samba AD DC by seizing them from your Samba AD machine:
# samba-tool fsmo seize --role=....
You can seize all five roles: rid, schema, naming, pdc and infrastructure (use "--role=all" to seize all of them at once).
If, after joining Samba4 as a second domain controller, you see the following error on the second DC in the log file or after manually running "samba_dnsupdate --verbose":
/usr/sbin/samba_dnsupdate: update failed: NOTAUTH
/usr/sbin/samba_dnsupdate: update failed: NOTAUTH
/usr/sbin/samba_dnsupdate: update failed: NOTAUTH
/usr/sbin/samba_dnsupdate: update failed: NOTAUTH
/usr/sbin/samba_dnsupdate: update failed: NOTAUTH
/usr/sbin/samba_dnsupdate: update failed: NOTAUTH
To solve this, on the second (recently joined) DC add DC1's IP address as a DNS server in /etc/resolv.conf:
search yourdomain.com
nameserver ip-of-dc2
nameserver ip-of-dc1
Finally, restart Samba or run:
# samba_dnsupdate --verbose
Now you should see that all records are added successfully!
Samba4 has the ability to automatically update a Windows or Bind9 DNS server with the correct set of DNS entries when it becomes a domain controller.
The way automatic DNS updates work is that Samba regularly (every 10 minutes) calls out to the samba_dnsupdate script that is installed along with Samba. That script reads a template file of DNS names to update in the DNS zone from /usr/local/samba/private/dns_update_list.
The contents of this file look like this:
A ${DNSDOMAIN} $IP
A ${HOSTNAME} $IP
CNAME ${NTDSGUID}._msdcs.${DNSDOMAIN} ${HOSTNAME}
SRV _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
SRV _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
SRV _kerberos._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
SRV _ldap._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
SRV _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
SRV _ldap._tcp.${SITE}._sites.gc._msdcs.${DNSDOMAIN} ${HOSTNAME} 3268
SRV _ldap._tcp.gc._msdcs.${DNSDOMAIN} ${HOSTNAME} 3268
SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
SRV _gc._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 3268
SRV _kerberos._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 88
SRV _ldap._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 389
SRV _gc._tcp.${DNSDOMAIN} ${HOSTNAME} 3268
SRV _kerberos._tcp.${DNSDOMAIN} ${HOSTNAME} 88
SRV _kpasswd._tcp.${DNSDOMAIN} ${HOSTNAME} 464
SRV _ldap._tcp.${DNSDOMAIN} ${HOSTNAME} 389
SRV _kerberos._udp.${DNSDOMAIN} ${HOSTNAME} 88
SRV _kpasswd._udp.${DNSDOMAIN} ${HOSTNAME} 464
At runtime, Samba substitutes the variables in this file and calls out to the bind9 nsupdate command with the -g option to enable TSIG-GSS DNS updates. It only makes updates for DNS names that it detects are not currently set correctly.
You can add your own names to dns_update_list if you want, and Samba will add those on the DNS server. You may also choose not to use TSIG-GSS and instead use a fixed DNS key set up on another bind9 server. To do that you will need to modify the 'nsupdate' command that Samba runs, which is settable using the "nsupdate command" smb.conf option. The default is "/usr/bin/nsupdate -g".
The $IP entries for A records are replaced with the IP interface addresses that Samba detects at runtime, based on the “interfaces=” smb.conf option.
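The following added example (not part of the original HOWTO or of Samba) mirrors what samba_dnsupdate does with this template and what the manual DNS check earlier in this HOWTO does by hand: it expands a shortened copy of dns_update_list with the new DC's values, compares the result against a constructed snapshot of what DNS currently answers, and renders the HOWTO's `samba-tool dns add` fix for each missing record. The DNS snapshot is constructed; the SRV data format 'target port priority weight' and '@' for the zone apex are samba-tool conventions.

```python
import re

# Shortened copy of Samba's dns_update_list template (the full list is on the page).
DNS_UPDATE_LIST = """\
A ${DNSDOMAIN} $IP
A ${HOSTNAME} $IP
CNAME ${NTDSGUID}._msdcs.${DNSDOMAIN} ${HOSTNAME}
SRV _kerberos._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
SRV _ldap._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
SRV _kerberos._tcp.${DNSDOMAIN} ${HOSTNAME} 88
SRV _ldap._tcp.${DNSDOMAIN} ${HOSTNAME} 389
"""
# Values of the new DC taken from the HOWTO (objectGUID as found with ldbsearch).
VARS = {"DNSDOMAIN": "redtic.uclv.cu", "HOSTNAME": "redtic-ad2.redtic.uclv.cu",
        "IP": "10.12.112.85", "NTDSGUID": "737506d0-bfe6-40c8-815d-08c3dff7a67f"}
# Constructed snapshot of what DNS answers right now: the join created the A record
# but none of the new DC's CNAME/SRV records (the failure mode the HOWTO describes).
CURRENT_DNS = {
    ("A", "redtic.uclv.cu"): {("10.12.112.84", None), ("10.12.112.85", None)},
    ("A", "redtic-ad2.redtic.uclv.cu"): {("10.12.112.85", None)},
    ("SRV", "_ldap._tcp.redtic.uclv.cu"): {("redtic-ad1.redtic.uclv.cu", 389)},
}

def expand_records(template, variables):
    """Substitute ${VAR}/$VAR as samba_dnsupdate does; return (type, name, target, port)."""
    records = []
    for line in template.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = re.sub(r"\$\{?(\w+)\}?", lambda m: variables[m.group(1)], line).split()
        port = int(parts[3]) if parts[0] == "SRV" else None  # A/CNAME carry no port
        records.append((parts[0], parts[1].lower(), parts[2].lower(), port))
    return records

def missing_records(expected, current):
    """Records samba_dnsupdate would still register: expected but absent from DNS."""
    return [r for r in expected if (r[2], r[3]) not in current.get((r[0], r[1]), set())]

def fix_commands(missing, dns_server, dnsdomain):
    """Render the HOWTO's manual `samba-tool dns add` fix for each gap. Names under
    _msdcs live in their own zone, '@' is the zone apex, SRV data is
    'target port priority weight' (Samba's defaults are priority 0, weight 100)."""
    cmds = []
    for rtype, name, target, port in missing:
        zone = f"_msdcs.{dnsdomain}" if name.endswith(f"._msdcs.{dnsdomain}") else dnsdomain
        rel = name[: -len(zone) - 1] or "@"  # record name relative to its zone
        data = target if port is None else f"'{target} {port} 0 100'"
        cmds.append(f"samba-tool dns add {dns_server} {zone} {rel} {rtype} {data} -Uadministrator")
    return cmds
```

Calling fix_commands(missing_records(expand_records(DNS_UPDATE_LIST, VARS), CURRENT_DNS), "10.12.112.84", "redtic.uclv.cu") prints the CNAME command from this HOWTO for the objectGUID alias plus one SRV command per missing service record, run against redtic-ad1 as the DNS server.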
Message: “Failed to find our own NTDS Settings invocationId in the ldb!” during joining
Check whether you have an existing smb.conf and remove it before joining.
Message: Warning: No NC replicated for Connection!
When Samba registers for replication, there are a couple of flags that aren't correctly set. That's what the DRS command shows: They are not set. It's pretty harmless and you can ignore this warning.