====== Join Samba4 as additional Domain Controller ======

Samba4 has the ability to join an existing Active Directory domain as an additional domain controller. The process of joining a Samba4 server to an existing domain is a bit different from provisioning a new domain. This process is the equivalent of the 'dcpromo' command on Windows servers.

This HOWTO assumes you have configured and installed Samba in the default location '/usr/local/samba', and that you are joining Samba to an existing domain called 'samdom.example.com'. Please note that the following steps are the same regardless of whether you are joining Samba to an existing Windows based domain or an existing Samba based domain.

Before you install Samba4, follow the steps in [[requeriments|Requirements]] and then read the instructions in the [[install_samba4|Install Samba4]] wiki page. If you choose BIND as DNS backend instead of the internal DNS, you of course have to finish this before you continue. Depending on your needs, you can have different DNS backends on each of your DCs.

//For the rest of this HowTo we assume that://

  * Installation Directory: /usr/local/samba/ (the default; if you use SerNet packages the location is different!)
  * Server Hostname (primary DC): redtic-ad1
  * Server Hostname (additional DC): redtic-ad2
  * DNS Domain Name: redtic.uclv.cu (this will also be your realm)
  * NT4 Domain Name: redtic
  * IP Address: 10.12.112.85
  * Server Role: DC

===== Getting ready for joining Samba as a DC to an existing domain =====

  * You should remove any existing smb.conf in '/usr/local/samba/etc/' and the content of '/usr/local/samba/private/'.
    * For SerNet packages the locations are '/etc/samba/smb.conf' and '/var/lib/samba/private'.
  * Be sure that you have set up your existing domain correctly as your default realm in /etc/krb5.conf with the following options:
<code>
[libdefaults]
    dns_lookup_realm = true
    dns_lookup_kdc = true
    default_realm = REDTIC.UCLV.CU
</code>
  * Check that your DNS config (/etc/resolv.conf) is pointing to the DC you want to join:
<code>
domain redtic.uclv.cu
search redtic.uclv.cu
nameserver 10.12.112.84   #redtic-ad1's IP
</code>
  * You should then test to make sure that DNS and Kerberos are set up correctly to point at your existing domain controller. Test that it is all working by trying a kinit as a domain administrator:
<code>
# kinit administrator
# klist
</code>

===== Joining the existing domain as a DC =====

To join, run the following command as root:
<code>
# samba-tool domain join redtic.uclv.cu DC -Uadministrator --realm=redtic.uclv.cu
</code>
Since Samba4 rc2 the internal DNS server is the default. If you want to join with this or a higher version using BIND as DNS backend, use the following command instead:
<code>
# samba-tool domain join redtic.uclv.cu DC -Uadministrator --realm=redtic.uclv.cu --dns-backend=BIND9_DLZ
</code>
At the end you should see output similar to this:
<code>
Joined domain REDTIC.UCLV.CU (SID S-1-5-21-3345338216-3359172960-946406909) as a DC
</code>
Now you have joined your Samba4 server to your existing domain. Then add the following options to your smb.conf inside the [global] section:
<code>
# Log level
log level = 3
# Disable Printing
printing = bsd
# DNS Forwarders, if you are using internal DNS
dns forwarder = YOUR-FORWARDER's-IP
</code>
Finally create an empty file '/etc/printcap':
<code>
# touch /etc/printcap
</code>

===== Check required DNS entries of the new host =====

Before you start Samba, you should check whether the new DC's DNS entries were set correctly during joining. This does not always work, and in that case the records have to be added manually, especially if you join Samba4 as an additional DC to a Samba4 domain.
From the new host, try to resolve its hostname:
<code>
# host -t A redtic-ad2.redtic.uclv.cu.
</code>
If this fails, you have to add the A record by hand. Run on your existing DC:
<code>
# samba-tool dns add IP-of-your-DNS-server redtic.uclv.cu DC2-name A IP-of-the-DC-you-had-joined -Uadministrator
</code>
You should also check whether the objectGUID of the new DC is resolvable to its hostname. For that, run:
<code>
# ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
</code>
For SerNet packages:
<code>
# ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
</code>
The output contains one entry per DC; the entry for the new DC is the one whose DN starts with 'CN=NTDS Settings,CN=REDTIC-AD2,'. For example, if '737506d0-bfe6-40c8-815d-08c3dff7a67f' is the objectGUID of the new DC, we query it with the following command:
<code>
# host -t CNAME 737506d0-bfe6-40c8-815d-08c3dff7a67f._msdcs.redtic.uclv.cu.
</code>
This should output the alias (CNAME) of this entry pointing to your new DC name. If this record is also missing, you have to add it, too:
<code>
# samba-tool dns add IP-of-your-DNS _msdcs.redtic.uclv.cu 737506d0-bfe6-40c8-815d-08c3dff7a67f CNAME redtic-ad2.redtic.uclv.cu -Uadministrator
</code>
Now it is time to put a "nameserver" entry for your new DC in your '/etc/resolv.conf'. Example:
<code>
nameserver 10.12.112.85   #redtic-ad2's IP
</code>

===== Starting Samba =====

You start Samba as a DC in the same way that you start it as a normal server; just follow the instructions in [[samba4_as_ad_dc#starting_samba|Starting Samba]] in [[samba4_as_ad_dc|Samba4 Active Directory Domain Controller]].
To see the output on screen and save it to a log file at the same time:
<code>
# samba -i -M single -d2 | tee ~/samba4.log
</code>
If you are using SerNet packages, you should create this directory before typing the above command:
<code>
# mkdir -p /var/run/samba
</code>

==== Checking replication process ====

You should then check that replication between the Windows DC and the Samba DC is working correctly by using:
<code>
# samba-tool drs showrepl
</code>
Another way to check that replication is working correctly between your two domain controllers is to add a user on the Samba DC, using either the Samba command line tools or the Windows GUI admin tools. Then check that the user shows up within a few seconds on your Windows domain controller. Similarly, try modifying a user on the Windows domain controller and check that the modifications show up correctly on the Samba server.

==== Checking DDNS updates are working ====

To check if DNS updates are working:
<code>
# samba_dnsupdate --verbose --all-names
</code>

===== SysVol replication =====

Currently the replication of the SysVol share is not implemented. If you make any changes on that share, you have to keep the shares on all your DCs in sync manually (e.g. with an rsync cron job). An example of how to achieve this can be found in the [[Sysvol_replication|SysVol Replication Howto]].

===== FSMO role transfer =====

You can transfer FSMO roles from an existing DC to a Samba AD DC by seizing them from your Samba AD machine:
<code>
# samba-tool fsmo seize --role=....
</code>
You can seize all five roles: rid, schema, naming, pdc and infrastructure (you can use "--role=all" to seize all at once).

====== A note on DNS updates ======
----

Samba4 has the ability to automatically update a Windows or Bind9 DNS server with the correct set of DNS entries when it becomes a domain controller. The way the automatic DNS updates work is that Samba regularly (every 10 minutes) calls out to the samba_dnsupdate script that is installed along with Samba.
That script reads a template file of DNS names to update in the DNS zone from /usr/local/samba/private/dns_update_list. The contents of this file look like this:
<code>
A ${DNSDOMAIN} $IP
A ${HOSTNAME} $IP
CNAME ${NTDSGUID}._msdcs.${DNSDOMAIN} ${HOSTNAME}
SRV _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
SRV _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
SRV _kerberos._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
SRV _ldap._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
SRV _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
SRV _ldap._tcp.${SITE}._sites.gc._msdcs.${DNSDOMAIN} ${HOSTNAME} 3268
SRV _ldap._tcp.gc._msdcs.${DNSDOMAIN} ${HOSTNAME} 3268
SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
SRV _gc._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 3268
SRV _kerberos._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 88
SRV _ldap._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 389
SRV _gc._tcp.${DNSDOMAIN} ${HOSTNAME} 3268
SRV _kerberos._tcp.${DNSDOMAIN} ${HOSTNAME} 88
SRV _kpasswd._tcp.${DNSDOMAIN} ${HOSTNAME} 464
SRV _ldap._tcp.${DNSDOMAIN} ${HOSTNAME} 389
SRV _kerberos._udp.${DNSDOMAIN} ${HOSTNAME} 88
SRV _kpasswd._udp.${DNSDOMAIN} ${HOSTNAME} 464
</code>
At runtime, Samba substitutes the variables in this file and calls out to the bind9 nsupdate command using the -g option to enable TSIG-GSS DNS updates. It only makes updates for DNS names that it detects are not currently set correctly. You can add your own names to the dns_update_list file if you want, and Samba will add those on the DNS server.

You may also choose not to use TSIG-GSS and instead use a fixed DNS key set up in another bind9 server. To do that you will need to modify the 'nsupdate' command that Samba runs, which is settable using the "nsupdate command" smb.conf option. The default is "/usr/bin/nsupdate -g".

The $IP entries for A records are replaced with the IP interface addresses that Samba detects at runtime, based on the "interfaces=" smb.conf option.
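The following POSIX shell script is an added example, not part of this page or of Samba's own code. It ties the manual checks from the "Check required DNS entries of the new host" section to the dns_update_list template described above: it picks the new DC's NTDS Settings objectGUID out of ldbsearch output, expands the template variables the way samba_dnsupdate does, and, when given the IP of the DNS server as its only argument, checks each expanded A and CNAME record with host(1) and prints (without running) the samba-tool dns add command that would create a missing one. Assumptions not stated on the page: ${HOSTNAME} expands to the DC's fully qualified name, the site is Default-First-Site-Name, the DOMAINGUID is an all-zero placeholder, and the ldbsearch output is constructed (only the GUID of redtic-ad2 is the one from this page). All function names are hypothetical.

```shell
#!/bin/sh
# Added example: dry-run of the dns_update_list expansion and the DNS record
# checks from this HOWTO. Not Samba's code; function names are hypothetical.

DNSDOMAIN=redtic.uclv.cu
DC_FQDN=redtic-ad2.redtic.uclv.cu                 # ${HOSTNAME} assumed to be the FQDN
DC_IP=10.12.112.85
SITE=Default-First-Site-Name                      # assumed; the page does not name the site
DOMAINGUID=00000000-0000-0000-0000-000000000000   # placeholder; not on the page

# Constructed sample of 'ldbsearch ... (invocationid=*) --cross-ncs objectguid'
# output for a domain with two DCs. Only the redtic-ad2 GUID comes from the page.
sample_ldbsearch_output() {
  cat <<'EOF'
# record 1
dn: CN=NTDS Settings,CN=REDTIC-AD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redtic,DC=uclv,DC=cu
objectGUID: 11111111-2222-3333-4444-555555555555

# record 2
dn: CN=NTDS Settings,CN=REDTIC-AD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redtic,DC=uclv,DC=cu
objectGUID: 737506d0-bfe6-40c8-815d-08c3dff7a67f

# returned 2 records
EOF
}

# Print the NTDS Settings objectGUID of one DC from ldbsearch output on stdin.
# The DN carries the server name, so several DCs in the output are told apart.
# $1 = DC short hostname (any case).
ntds_guid_for_host() {
  host_uc=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
  awk -v host="$host_uc" '
    /^dn: /                 { want = (index($0, "CN=NTDS Settings,CN=" host ",") > 0) }
    want && /^objectGUID: / { print $2; exit }
  '
}

# The first lines of dns_update_list as shown on this page (the A and CNAME
# records plus two SRV records that use DOMAINGUID and SITE).
sample_template() {
  cat <<'EOF'
A ${DNSDOMAIN} $IP
A ${HOSTNAME} $IP
CNAME ${NTDSGUID}._msdcs.${DNSDOMAIN} ${HOSTNAME}
SRV _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
SRV _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
EOF
}

# Expand the template variables (stdin -> stdout). Note that $IP is written
# without braces in the template and always ends the line.
# $1 DNSDOMAIN, $2 HOSTNAME (FQDN), $3 IP, $4 NTDSGUID, $5 DOMAINGUID, $6 SITE
expand_dns_update_list() {
  sed -e "s|\${DNSDOMAIN}|$1|g"  -e "s|\${HOSTNAME}|$2|g" \
      -e "s|\$IP\$|$3|"          -e "s|\${NTDSGUID}|$4|g" \
      -e "s|\${DOMAINGUID}|$5|g" -e "s|\${SITE}|$6|g"
}

# Build (print only) the samba-tool command that creates one missing record, in
# the form this page uses. Names under _msdcs belong to the _msdcs.<domain> zone,
# everything else to the domain zone; '@' is samba-tool's name for the zone apex.
# $1 DNS server IP, $2 type, $3 owner FQDN, $4 target (IP or FQDN), $5 DNS domain
fix_cmd() {
  case "$3" in
    *._msdcs."$5") zone="_msdcs.$5" ;;
    *)             zone="$5" ;;
  esac
  name=${3%".$zone"}
  if [ "$name" = "$zone" ]; then name='@'; fi
  printf 'samba-tool dns add %s %s %s %s %s -Uadministrator\n' "$1" "$zone" "$name" "$2" "$4"
}

# Query the expanded A and CNAME records (stdin) with host(1), as the section
# above does by hand, and print a fix command for each one that is missing.
# SRV records are skipped; samba_dnsupdate registers them once Samba runs.
# $1 DNS server IP, $2 DNS domain
check_records() {
  while read -r type name target port; do
    case "$type" in
      A)     host -t A "$name." 2>/dev/null | grep -q 'has address' && continue ;;
      CNAME) host -t CNAME "$name." 2>/dev/null | grep -q 'is an alias for' && continue ;;
      *)     continue ;;
    esac
    fix_cmd "$1" "$type" "$name" "$target" "$2"
  done
}

# Demo on the constructed data: show the GUID picked for redtic-ad2 and the
# records samba_dnsupdate would register for it.
guid=$(sample_ldbsearch_output | ntds_guid_for_host redtic-ad2)
echo "NTDS Settings objectGUID of redtic-ad2: $guid"
sample_template | expand_dns_update_list "$DNSDOMAIN" "$DC_FQDN" "$DC_IP" "$guid" "$DOMAINGUID" "$SITE"

# With the joined DC's DNS server IP as the only argument, also run the live check.
if [ "$#" -eq 1 ]; then
  sample_template | expand_dns_update_list "$DNSDOMAIN" "$DC_FQDN" "$DC_IP" "$guid" "$DOMAINGUID" "$SITE" \
    | check_records "$1" "$DNSDOMAIN"
fi
```

Run without arguments to see the expanded records; run as `sh check-dc-dns.sh 10.12.112.84` on the new DC to query the existing DC's DNS and get ready-made samba-tool dns add lines for whatever is missing. The script deliberately never executes those commands itself, so you can review them before touching the zone.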
====== FAQ ======
----

**//Message: "Failed to find our own NTDS Settings invocationId in the ldb!" during joining//**

Check if you have an existing smb.conf and remove it before joining.

**//Message: Warning: No NC replicated for Connection!//**

When Samba registers for replication, there are a couple of flags that are not set correctly. That is what the DRS command shows: they are not set. It is pretty harmless and you can ignore this warning.