Samba: Join an additional Domain Controller to Samba Active Directory


These steps describe how to join an additional Domain Controller to the Active Directory you built previously. First make sure a time server is running in your network; if not, I described how to install and configure ntp on Linux in this post. ntpd can run on the same machine as Samba.

Also configure a static IP address. The setup used in this example:

Base system: Linux Debian 9 stretch

Active Directory domain: franken.local

Install the packages. When the installer asks for the Kerberos settings, use the REALM FRANKEN.LOCAL (the domain name in upper case) and frankendc1.franken.local as Kerberos server and administration server. These Kerberos parameters will be overwritten later.

root@debdev: ~ # apt-get update && apt-get upgrade && apt-get -y install samba attr dnsutils net-tools smbclient krb5-user krb5-config winbind libpam-winbind libnss-winbind libpam-krb5 

Disable the legacy Samba daemons

root@frankendc1: ~ # systemctl stop smbd nmbd winbind
root@frankendc1: ~ # systemctl disable smbd nmbd winbind

Set the hostname and reboot

root@debdev2: ~ # hostnamectl set-hostname frankendc2
root@debdev2: ~ # reboot

Move or delete the default smb.conf file

root@frankendc2: ~ # mv /etc/samba/smb.conf /etc/samba/

Create a new /etc/resolv.conf with your Active Directory domain in the search list and the static IP of the first Domain Controller as the DNS server:

search franken.local

Check name resolution and connectivity to the first DC

root@frankendc2: ~ # nslookup franken.local

Name:   franken.local
Name:   franken.local

root@frankendc2: ~ # nslookup frankendc1.franken.local

Name:   frankendc1.franken.local
Name:   frankendc1.franken.local

root@frankendc2: ~ # ping frankendc1.franken.local
PING franken.local ( 56(84) bytes of data.
64 bytes from ( icmp_seq=1 ttl=64 time=0.202 ms

Configure Kerberos to use the existing Active Directory by copying the krb5.conf from frankendc1:

root@frankendc2: ~# scp root@frankendc1.franken.local:/etc/krb5.conf /etc

Then obtain a Kerberos ticket for the domain administrator:

root@frankendc2: ~# kinit administrator@FRANKEN.LOCAL
Warning: Your password will expire in 41 days on Fri Nov 29 22:19:41 2018

Join the domain

Enable Samba

root@frankendc1: ~ # systemctl unmask samba-ad-dc
root@frankendc1: ~ # systemctl start samba-ad-dc
root@frankendc1: ~ # systemctl enable samba-ad-dc

Note: samba-tool uses the machine's hostname (frankendc2 here) as the name of the new DC

root@frankendc2: ~ # samba-tool domain join franken.local DC --dns-backend=SAMBA_INTERNAL
Partition[DC=ForestDnsZones,DC=franken,DC=local] objects[18/18] linked_values[0/0]
Committing SAM database
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain FRANKEN (SID S-1-5-21-2606902105-126693256-2254647617) as a DC

Check replication. The warning "No NC replicated for Connection!" can be ignored.

root@frankendc2:~# samba-tool drs showrepl
DSA Options: 0x00000001
DSA object GUID: 8114c3d2-42a9-4947-a632-2fed6e324fe1
DSA invocationId: 1b324895-a661-48ce-9095-30cbbeef8047


        Default-First-Site-Name\FRANKENDC1 via RPC
                DSA object GUID: 60393ae0-dd77-4f62-9e8c-46a9e467fbdf
                Last attempt @ Fri Oct 19 12:14:35 2018 CEST was successful
                0 consecutive failure(s).
                Last success @ Fri Oct 19 12:14:35 2018 CEST

Compare the directory objects between the two Domain Controllers

root@frankendc2:~# samba-tool ldapcmp ldap://frankendc1.franken.local ldap://frankendc2.franken.local 

* Comparing [DOMAIN] context...

* Objects to be compared: 263

* Result for [DOMAIN]: SUCCESS

* Comparing [CONFIGURATION] context...

* Objects to be compared: 1615
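The showrepl check above is a one-off; on a DC that stays in production it is worth running it regularly. As an added example (not from the original post and not part of Samba), this script parses the output of samba-tool drs showrepl and fails when any replication partner reports a last attempt that was not successful or a non-zero failure counter, so it can be scheduled from cron or called by a monitoring agent. The partner name and output layout are taken from the post; the logger tag drs-check and the --run switch are assumptions.

```shell
#!/bin/sh
# Replication health check for a Samba AD DC (added example, not from the
# post). Reads the output of "samba-tool drs showrepl" and reports every
# partner whose last attempt failed or whose failure counter is non-zero.

# showrepl_failures: reads showrepl output on stdin and prints one line per
# unhealthy partner. Each partner block looks like:
#   Default-First-Site-Name\FRANKENDC1 via RPC
#     DSA object GUID: ...
#     Last attempt @ <date> was successful      (or: failed, result <code>)
#     0 consecutive failure(s).
#     Last success @ <date>
showrepl_failures() {
    awk '
        /via RPC/             { partner = $1 }
        /Last attempt @/      { ok = /was successful/ }
        /consecutive failure/ { n = $1 + 0; if (!ok || n > 0) printf "%s: %d failure(s), last attempt %s\n", partner, n, (ok ? "ok" : "FAILED") }
    '
}

# check_replication: runs the real showrepl, returns 0 when every partner is
# healthy and 1 otherwise; unhealthy partners are logged to syslog.
check_replication() {
    bad=$(samba-tool drs showrepl | showrepl_failures)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | logger -t drs-check -p daemon.err
        return 1
    fi
    logger -t drs-check "all replication partners healthy"
}

# Only query samba-tool when invoked with --run (assumed cron usage:
# "*/15 * * * * /usr/local/sbin/drs-check.sh --run"); otherwise the file can
# be sourced so the parser can be tested with captured output.
if [ "${1:-}" = "--run" ]; then
    check_replication
fi
```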


Configure SysVol replication (not implemented by Samba yet) with rsync. Log in to frankendc1 and install rsync

root@frankendc1:~# apt-get install rsync

Create the file /etc/rsyncd.conf with a SysVol module (the module name must match the /SysVol part of the rsync URLs used below). Adjust the path to the sysvol folder (see /etc/samba/smb.conf)

[SysVol]
path = /var/lib/samba/sysvol/
comment = Samba Sysvol Share
uid = root
gid = root
read only = yes
auth users = sysvol-replication
secrets file = /etc/samba/rsyncd-sysvol.secret

Then create the /etc/samba/rsyncd-sysvol.secret file containing the user sysvol-replication and its password, separated by a colon


and set permissions

chmod 500 /etc/samba/rsyncd-sysvol.secret

Set RSYNC_ENABLE=true in /etc/default/rsync, then enable and start rsyncd

root@frankendc1:~# systemctl enable rsync
root@frankendc1:~# systemctl start rsync

Install rsync on the other DCs as well and create the /etc/samba/rsyncd-sysvol.secret file there, containing only the password


Then try to list the SysVol module from the new DC

root@frankendc2: ~# rsync  rsync://sysvol-replication@frankendc1.franken.local:/SysVol
drwxrwx---          4,096 2018/10/18 23:17:21 .
drwxrwx---          4,096 2018/10/18 23:17:31 Policies
drwxrwx---          4,096 2018/10/18 22:19:24 franken.local

And try to fetch the whole sysvol, as a dry run first

root@frankendc2: ~# rsync --dry-run -XAavz --delete-after --password-file=/etc/samba/rsyncd-sysvol.secret rsync://sysvol-replication@frankendc1.franken.local:/SysVol /var/lib/samba/sysvol/  
receiving file list ... done

If this succeeds, add a cron job (without the --dry-run parameter) that pulls the sysvol folder every 5 minutes

root@frankendc2: ~# crontab -e

*/5 * * * * rsync -XAavz --delete-after --password-file=/etc/samba/rsyncd-sysvol.secret rsync://sysvol-replication@frankendc1.franken.local:/SysVol /var/lib/samba/sysvol/
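Because the cron line runs rsync with --delete-after, an emptied or misconfigured source would be mirrored onto every replica and remove its Group Policy data. As an added example (not from the original post and not part of Samba), here is a wrapper for that cron job that takes a lock against overlapping runs and, using the dry run as a gate, counts how many entries rsync would delete and refuses the real pull above a threshold. The source URL, destination path, secret file and user are the ones from the post; MAX_DELETES, the lock file, the logger tag sysvol-pull and the --run switch are assumptions.

```shell
#!/bin/sh
# Gated SysVol pull for a Samba AD DC (added example, not from the post).
# Runs the rsync dry run first, counts the entries it would delete and only
# performs the real pull when that count is within MAX_DELETES.

SRC="rsync://sysvol-replication@frankendc1.franken.local:/SysVol"
DST="/var/lib/samba/sysvol/"
SECRET="/etc/samba/rsyncd-sysvol.secret"
MAX_DELETES="${MAX_DELETES:-20}"       # assumed threshold, tune for your domain
LOCK="/run/lock/sysvol-pull.lock"      # assumed lock file path

# count_deletions: reads "rsync --itemize-changes" output on stdin and prints
# the number of entries rsync would delete (lines starting with "*deleting").
count_deletions() {
    grep -c '^\*deleting ' || true
}

# deletions_allowed COUNT: returns 0 when COUNT is within MAX_DELETES, else 1.
deletions_allowed() {
    [ "$1" -le "$MAX_DELETES" ]
}

# sync_sysvol: dry run, gate, then the real pull. Returns rsync's exit status,
# or 2 when the gate refuses. -v is dropped from the post's flags because cron
# would mail the file list on every run.
sync_sysvol() {
    deletions=$(rsync --dry-run --itemize-changes -XAaz --delete-after \
        --password-file="$SECRET" "$SRC" "$DST" | count_deletions)
    if ! deletions_allowed "$deletions"; then
        logger -t sysvol-pull -p daemon.err \
            "refusing to sync: dry run would delete $deletions entries (limit $MAX_DELETES)"
        return 2
    fi
    rsync -XAaz --delete-after --password-file="$SECRET" "$SRC" "$DST" &&
        logger -t sysvol-pull "sysvol synced from frankendc1, $deletions entries deleted"
}

# Only touch rsync when invoked with --run (assumed cron line:
# "*/5 * * * * /usr/local/sbin/sysvol-pull.sh --run"), so the functions can be
# sourced and tested without a DC. flock (util-linux) skips overlapping runs.
if [ "${1:-}" = "--run" ]; then
    exec 9>"$LOCK"
    flock -n 9 || { logger -t sysvol-pull "previous run still active, skipping"; exit 0; }
    sync_sysvol
fi
```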


