Hi,
These steps describe how to join an additional Domain Controller to the Active Directory built previously. First make sure a time server is running in your network; Kerberos depends on synchronized clocks. If there is none, I described how to install and configure ntp on Linux in this post. ntpd can run on the same machine as Samba.
Also configure a static IP address; in this example 192.168.254.7.
Base System is Linux Debian 9 stretch
Active Directory domain: franken.local
Install the packages. During installation krb5-config asks for the Kerberos settings: REALM FRANKEN.LOCAL (the domain name in upper case), Kerberos server and administration server frankendc1.franken.local. These Kerberos parameters will be overwritten later when krb5.conf is copied from the first DC.
```
root@debdev2:~# apt-get update && apt-get upgrade && apt-get -y install samba attr dnsutils net-tools smbclient krb5-user krb5-config winbind libpam-winbind libnss-winbind libpam-krb5
```
Disable the legacy Samba daemons (smbd, nmbd and winbind); on an AD DC they are started by the samba-ad-dc service instead.
```
root@debdev2:~# systemctl stop smbd nmbd winbind
root@debdev2:~# systemctl disable smbd nmbd winbind
```
Set your hostname and reboot
```
root@debdev2:~# hostnamectl set-hostname frankendc2
root@debdev2:~# reboot
```
Move or delete the default smb.conf file; samba-tool will write a new one during the join.
```
root@frankendc2:~# mv /etc/samba/smb.conf /etc/samba/smb.conf.org
```
Create a new /etc/resolv.conf with your Active Directory domain in the search list and the static IP of the first Domain Controller as DNS server:
```
search franken.local
nameserver 192.168.254.6
```
Check name resolution and connectivity to the first DC
```
root@frankendc2:~# nslookup franken.local
Server:         192.168.254.6
Address:        192.168.254.6#53

Name:   franken.local
Address: 192.168.254.6
Name:   franken.local
Address: 192.168.254.6

root@frankendc2:~# nslookup frankendc1.franken.local
Server:         192.168.254.6
Address:        192.168.254.6#53

Name:   frankendc1.franken.local
Address: 192.168.254.6
Name:   frankendc1.franken.local
Address: 192.168.254.6

root@frankendc2:~# ping frankendc1.franken.local
PING franken.local (192.168.254.6) 56(84) bytes of data.
64 bytes from 192.168.254.6 (192.168.254.6): icmp_seq=1 ttl=64 time=0.202 ms
```
Configure Kerberos to use the existing Active Directory by copying the krb5.conf from frankendc1:
```
root@frankendc2:~# scp root@frankendc1.franken.local:/etc/krb5.conf /etc
```
Then get a Kerberos ticket for the domain administrator:
```
root@frankendc2:~# kinit administrator@FRANKEN.LOCAL
Warning: Your password will expire in 41 days on Fri Nov 29 22:19:41 2018
```
Join the domain
Enable Samba
```
root@frankendc2:~# systemctl unmask samba-ad-dc
root@frankendc2:~# systemctl start samba-ad-dc
root@frankendc2:~# systemctl enable samba-ad-dc
```
Note: samba-tool uses the hostname of this machine as the DC name, so make sure it was set correctly above.
```
root@frankendc2:~# samba-tool domain join franken.local DC --dns-backend=SAMBA_INTERNAL
...
Partition[DC=ForestDnsZones,DC=franken,DC=local] objects[18/18] linked_values[0/0]
Committing SAM database
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain FRANKEN (SID S-1-5-21-2606902105-126693256-2254647617) as a DC
```
Check replication. The warning "No NC replicated for Connection!" can be ignored.
```
root@frankendc2:~# samba-tool drs showrepl
Default-First-Site-Name\FRANKENDC2
DSA Options: 0x00000001
DSA object GUID: 8114c3d2-42a9-4947-a632-2fed6e324fe1
DSA invocationId: 1b324895-a661-48ce-9095-30cbbeef8047

==== INBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=franken,DC=local
	Default-First-Site-Name\FRANKENDC1 via RPC
		DSA object GUID: 60393ae0-dd77-4f62-9e8c-46a9e467fbdf
		Last attempt @ Fri Oct 19 12:14:35 2018 CEST was successful
		0 consecutive failure(s).
		Last success @ Fri Oct 19 12:14:35 2018 CEST
.....
```
Compare the directory objects of the two Domain Controllers; every context should end with SUCCESS.
```
root@frankendc2:~# samba-tool ldapcmp ldap://frankendc1.franken.local ldap://frankendc2.franken.local

* Comparing [DOMAIN] context...

* Objects to be compared: 263

* Result for [DOMAIN]: SUCCESS

* Comparing [CONFIGURATION] context...

* Objects to be compared: 1615

* Result for [CONFIGURATION]: SUCCESS
....
```
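The showrepl output above is what you would watch from cron or a monitoring system once the second DC is in production. The following script is an added example, not part of the original post: it parses showrepl output in the format shown above, counts inbound neighbours with consecutive failures, and returns non-zero when replication is broken. The sample input is constructed (the failing partition is invented for the demonstration).

```shell
#!/bin/sh
# replcheck.sh: flag inbound neighbours of "samba-tool drs showrepl" that
# report consecutive replication failures. Added example, not from the post.

# parse_showrepl: stdin = showrepl output; stdout = one TAB-separated line per
# inbound neighbour: partition, source DSA, consecutive failure count.
parse_showrepl() {
    awk '
        /^==== INBOUND NEIGHBORS ====/ { section = "in"; next }
        /^==== /                        { section = "other"; next }
        section != "in"                 { next }
        /^(DC|CN)=/                     { partition = $0; next }
        / via /  { sub(/^[ \t]+/, ""); sub(/ via .*/, ""); source = $0; next }
        /consecutive failure/ { printf "%s\t%s\t%d\n", partition, source, $1 }
    '
}

# failed_neighbours: number of inbound neighbours whose failure count is > 0
failed_neighbours() {
    parse_showrepl | awk -F'\t' '$3 > 0 { n++ } END { print n + 0 }'
}

# replication_healthy: exit 0 when no inbound neighbour is failing
replication_healthy() {
    [ "$(failed_neighbours)" -eq 0 ]
}

# Constructed sample in showrepl format: first partition healthy, second failing.
SAMPLE=$(cat <<'EOF'
Default-First-Site-Name\FRANKENDC2
==== INBOUND NEIGHBORS ====
DC=ForestDnsZones,DC=franken,DC=local
    Default-First-Site-Name\FRANKENDC1 via RPC
        Last attempt @ Fri Oct 19 12:14:35 2018 CEST was successful
        0 consecutive failure(s).
        Last success @ Fri Oct 19 12:14:35 2018 CEST
DC=franken,DC=local
    Default-First-Site-Name\FRANKENDC1 via RPC
        Last attempt @ Fri Oct 19 12:20:01 2018 CEST failed, result 1722 (constructed)
        3 consecutive failure(s).
        Last success @ Fri Oct 19 11:50:12 2018 CEST
==== OUTBOUND NEIGHBORS ====
EOF
)

# Live use on a DC:  samba-tool drs showrepl | replication_healthy || <alert>
printf '%s\n' "$SAMPLE" | parse_showrepl
if printf '%s\n' "$SAMPLE" | replication_healthy; then
    echo "replication OK"
else
    echo "replication failing on $(printf '%s\n' "$SAMPLE" | failed_neighbours) neighbour(s)"
fi
```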
Configure SysVol replication (Samba does not implement it yet), using rsync. Log in to frankendc1 and install rsync:
```
root@frankendc1:~# apt-get install rsync
```
Create the file /etc/rsyncd.conf. Adjust the path to the sysvol folder (see /etc/samba/smb.conf). The module is read-only, so the other DCs can only pull; rsyncd also supports a `hosts allow` setting if you want to limit connections to the IP addresses of your DCs.
```
[SysVol]
path = /var/lib/samba/sysvol/
comment = Samba Sysvol Share
uid = root
gid = root
read only = yes
auth users = sysvol-replication
secrets file = /etc/samba/rsyncd-sysvol.secret
```
Then create the /etc/samba/rsyncd-sysvol.secret file with the user name sysvol-replication and its password, separated by a colon:
```
sysvol-replication:$y$VOls$ecretRepli
```
and set restrictive permissions (rsyncd refuses a secrets file that other users can read):
```
chmod 500 /etc/samba/rsyncd-sysvol.secret
```
Set RSYNC_ENABLE=true in /etc/default/rsync, then start rsyncd:
```
root@frankendc1:~# systemctl enable rsync
root@frankendc1:~# systemctl start rsync
```
Install rsync on the other DCs as well and create the /etc/samba/rsyncd-sysvol.secret file there with only the password in it. Give it the same restrictive permissions, because the rsync client refuses a password file that is readable by other users.
```
$y$VOls$ecretRepli
```
Then try to access the sysvol folder:
```
root@frankendc2:~# rsync rsync://sysvol-replication@frankendc1.franken.local:/SysVol
Password:
drwxrwx---          4,096 2018/10/18 23:17:21 .
drwxrwx---          4,096 2018/10/18 23:17:31 Policies
drwxrwx---          4,096 2018/10/18 22:19:24 franken.local
```
And try a dry run of fetching the whole sysvol:
```
root@frankendc2:~# rsync --dry-run -XAavz --delete-after --password-file=/etc/samba/rsyncd-sysvol.secret rsync://sysvol-replication@frankendc1.franken.local:/SysVol /var/lib/samba/sysvol/
receiving file list ... done
./
Policies/
Policies/PolicyDefinition/
Policies/PolicyDefinition/de-DE/
Policies/PolicyDefinition/en-US/
franken.local/
....
```
If that is successful, add a cronjob (without the --dry-run parameter) which pulls the sysvol folder every 5 minutes:
```
root@frankendc2:~# crontab -e
```
```
*/5 * * * * rsync -XAavz --delete-after --password-file=/etc/samba/rsyncd-sysvol.secret rsync://sysvol-replication@frankendc1.franken.local:/SysVol /var/lib/samba/sysvol/
```
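A plain rsync line in the crontab fails silently when the password file has the wrong permissions or when a slow transfer is still running at the next tick. The wrapper below is an added example, not part of the original post: it checks the password file, serialises runs with flock and logs the result to syslog. The lock file path and the logger tag are my own choice; host, module, user and directories are the ones used in this post.

```shell
#!/bin/sh
# sysvol-pull.sh: cron wrapper for the sysvol rsync pull. Added example, not
# from the original post. Cron entry (assumed install path):
#   */5 * * * * /usr/local/sbin/sysvol-pull.sh --run
set -u

SECRET=/etc/samba/rsyncd-sysvol.secret
SOURCE=rsync://sysvol-replication@frankendc1.franken.local:/SysVol
DEST=/var/lib/samba/sysvol/
LOCK=/run/lock/sysvol-pull.lock      # assumed path

# secret_file_ok FILE: true only if FILE exists and has no group/other
# permission bits. rsync itself refuses an other-accessible password file;
# checking first gives a clear log line instead of a silent cron failure.
secret_file_ok() {
    [ -f "$1" ] || return 1
    [ "$(stat -c %A "$1" | cut -c5-10)" = "------" ]
}

# sysvol_pull: one replication run. flock -n skips the run while a previous
# one still holds the lock, so slow transfers never overlap. -v is dropped
# compared with the interactive command; rsync's exit code and any error
# text go to syslog (tag sysvol-pull, assumed) instead of cron mail.
sysvol_pull() {
    if ! secret_file_ok "$SECRET"; then
        logger -t sysvol-pull "refusing to run: $SECRET missing or readable by others"
        return 1
    fi
    out=$(flock -n "$LOCK" rsync -XAaz --delete-after \
            --password-file="$SECRET" "$SOURCE" "$DEST" 2>&1)
    rc=$?
    if [ -n "$out" ]; then
        printf '%s\n' "$out" | logger -t sysvol-pull
    fi
    logger -t sysvol-pull "rsync finished with exit code $rc"
    return "$rc"
}

# Only run the pull when called with --run, so the file can be sourced for
# testing the helper without touching sysvol.
if [ "${1:-}" = "--run" ]; then
    sysvol_pull
fi
```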
Michael