If you are reading this, you already have a working Active Directory (AD) Domain Controller (DC) infrastructure in your network with at least one DC. For security reasons, it is now recommended to install an additional DC in your AD.
You have already installed necessary Samba binaries as per this guide.
This article demonstrates how to add a Domain Controller to an existing Samba Active Directory. The designated name for the new Domain Controller is dc2.mad.caponato.es with the IP address of 192.168.0.3. Its hostname and hosts file have already been configured (see preparing your server).
systemctl stop samba-ad-dc.service
rm /run/samba/*.tdb \
   /run/samba/*.ldb \
   /var/lib/samba/*.tdb \
   /var/lib/samba/*.ldb \
   /var/cache/samba/*.tdb \
   /var/cache/samba/*.ldb \
   /var/lib/samba/private/*.tdb \
   /var/lib/samba/private/*.ldb
mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
mv /etc/krb5.conf /etc/krb5.conf.bak
Use the address of a working DC (DC1, provisioned earlier, 192.168.0.2), then a second server of your choice as a fallback in case Samba fails. In this case, Google's 8.8.8.8.
nameserver 192.168.0.2
nameserver 8.8.8.8
search mad.caponato.es
rsync -a dc1:/etc/krb5.conf /etc/
Or else just use this:
[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = MAD.CAPONATO.ES
kinit administrator
Expected output:
Password for administrator@MAD.CAPONATO.ES:
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MAD.CAPONATO.ES

Valid starting       Expires              Service principal
09/16/2023 13:19:52  09/16/2023 23:19:52  krbtgt/MAD.CAPONATO.ES@MAD.CAPONATO.ES
	renew until 09/17/2023 13:19:49
See Installing and configuring Chrony to work with a Samba DC.
samba-tool domain join mad.caponato.es DC -U "MAD\Administrator" --option="dns forwarder=1.1.1.1 8.8.8.8"
Edit /etc/resolv.conf so that the first entry is this server and the second entry is the other DC.
nameserver 192.168.0.3
nameserver 192.168.0.2
search mad.caponato.es
You may also go ahead and modify /etc/resolv.conf on the other DCs in a similar fashion. Let each DC use its own IP address as the first DNS server.
systemctl unmask samba-ad-dc.service
systemctl enable samba-ad-dc.service
systemctl mask smbd
systemctl mask nmbd
systemctl mask winbind
reboot
host -t SRV _ldap._tcp.mad.caponato.es.
host -t SRV _kerberos._udp.mad.caponato.es.
host -t A dc2.mad.caponato.es.
Expected output:
_ldap._tcp.mad.caponato.es has SRV record 0 100 389 dc1.caponato.es.
_ldap._tcp.mad.caponato.es has SRV record 0 100 389 dc2.caponato.es.
_kerberos._udp.mad.caponato.es has SRV record 0 100 88 dc1.caponato.es.
_kerberos._udp.mad.caponato.es has SRV record 0 100 88 dc2.caponato.es.
dc2.mad.caponato.es has address 192.168.0.3
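As an added check that is not part of the original article, the script below parses the host(1) output shown above and confirms that every DC is advertised for both LDAP and Kerberos and that the new DC's A record resolves to 192.168.0.3. The sample output embedded in it is constructed; the DC list and realm are the article's values.

```shell
#!/bin/sh
# Added post-join verification helper (not from the original article).
# Parses `host -t SRV` / `host -t A` output and checks that every DC in DCS is
# advertised for LDAP and Kerberos and that the new DC's A record is correct.
REALM="mad.caponato.es"
DCS="dc1 dc2"            # DCs that must appear in the SRV records

# srv_has_dc SRV_OUTPUT SERVICE DC
# 0 if SRV_OUTPUT holds a record for SERVICE whose target starts with "DC."
srv_has_dc() {
    printf '%s\n' "$1" |
        grep -q "^${2}\.${REALM} has SRV record [0-9]* [0-9]* [0-9]* ${3}\."
}

# a_record_is A_OUTPUT FQDN IP : 0 if `host -t A` output maps FQDN to IP
a_record_is() {
    printf '%s\n' "$1" | grep -q "^${2} has address ${3}\$"
}

# verify_dcs LDAP_OUTPUT KRB_OUTPUT
# Reports each DC missing an LDAP or Kerberos SRV record; returns 1 if any is.
verify_dcs() {
    missing=0
    for dc in $DCS; do
        srv_has_dc "$1" "_ldap._tcp" "$dc" ||
            { echo "MISSING: $dc has no _ldap._tcp SRV record"; missing=1; }
        srv_has_dc "$2" "_kerberos._udp" "$dc" ||
            { echo "MISSING: $dc has no _kerberos._udp SRV record"; missing=1; }
    done
    return $missing
}

# Constructed sample in which dc2's Kerberos SRV record has not been
# registered yet; the check must report it rather than pass silently.
SAMPLE_LDAP="_ldap._tcp.$REALM has SRV record 0 100 389 dc1.$REALM.
_ldap._tcp.$REALM has SRV record 0 100 389 dc2.$REALM."
SAMPLE_KRB="_kerberos._udp.$REALM has SRV record 0 100 88 dc1.$REALM."
verify_dcs "$SAMPLE_LDAP" "$SAMPLE_KRB" || echo "sample check failed as expected"

# Live use on the new DC (replace the samples with real host(1) output):
#   verify_dcs "$(host -t SRV _ldap._tcp.$REALM.)" "$(host -t SRV _kerberos._udp.$REALM.)"
#   a_record_is "$(host -t A dc2.$REALM.)" "dc2.$REALM" 192.168.0.3 && echo "dc2 A record OK"
```

Run it on each DC after the join; a DC that is missing from either SRV set will not be found by clients for that service, which is what the article's manual host(1) checks are looking for.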
Note: the reverse zone was already created when the AD was provisioned. This step is optional and can also be done from RSAT's DNS tool in Windows.
samba-tool dns add 192.168.0.2 0.168.192.in-addr.arpa 3 PTR dc2.mad.caponato.es -U "MAD\Administrator"
Expected output:
Password for [MAD\Administrator]:
Record added successfully
smbclient -L localhost -N
Expected output:
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
	sysvol          Disk
	netlogon        Disk
	IPC$            IPC       IPC Service (Samba 4.18.6-Debian)
SMB1 disabled -- no workgroup available
See this article to sync Sysvol folders (and why this needs to be done on a regular basis).
See this article to sync idmap.ldb between DCs (and why this needs to be done on a regular basis).
This has already been done as per the “Sync idmap.ldb” procedure, above.
If you need to share files, set up a file server. Do not use a DC as a file server.
From now on, your network DNS servers must be the domain controller(s). Make sure you declare these DCs as the DNS servers in your DHCP server configuration.