Installing an additional Domain Controller

If you are reading this, you already have a functioning Active Directory (AD) Domain Controller (DC) infrastructure in your network with a minimum of one DC. For security reasons, it is now recommended to install an additional DC in your AD.

You have already installed the necessary Samba binaries as per this guide.

This article demonstrates how to add a Domain Controller to an existing Samba Active Directory. The designated name for the new Domain Controller is dc2.mad.caponato.es with the IP address of 192.168.0.3. Its hostname and hosts file have already been configured (see preparing your server).

Make sure Samba is stopped.

systemctl stop samba-ad-dc.service

Remove all old databases and config files.

rm /run/samba/*.tdb \
/run/samba/*.ldb \
/var/lib/samba/*.tdb \
/var/lib/samba/*.ldb \
/var/cache/samba/*.tdb \
/var/cache/samba/*.ldb \
/var/lib/samba/private/*.tdb \
/var/lib/samba/private/*.ldb
 
mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
mv /etc/krb5.conf /etc/krb5.conf.bak

Configure your /etc/resolv.conf file

Use the address of a working DC (DC1, provisioned earlier as 192.168.0.2), then a second server of your choice in case Samba fails. In this case, Google's 8.8.8.8.

nameserver 192.168.0.2
nameserver 8.8.8.8
search mad.caponato.es

Copy the configuration file /etc/krb5.conf from your other DC to /etc/.

rsync -a dc1:/etc/krb5.conf /etc/

Or else just use this minimal configuration:

[libdefaults]
  dns_lookup_realm = false
  dns_lookup_kdc = true
  default_realm = MAD.CAPONATO.ES

Test Kerberos.

kinit administrator

Expected output:

Password for administrator@MAD.CAPONATO.ES:

klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MAD.CAPONATO.ES
Valid starting       Expires              Service principal
09/16/2023 13:19:52  09/16/2023 23:19:52  krbtgt/MAD.CAPONATO.ES@MAD.CAPONATO.ES
renew until 09/17/2023 13:19:49

Configure the Time Service.

See Installing and configuring Chrony to work with a Samba DC.

Join the MAD domain:

samba-tool domain join mad.caponato.es DC -U "MAD\Administrator" --option="dns forwarder=1.1.1.1 8.8.8.8"

Modify /etc/resolv.conf

Edit /etc/resolv.conf so the first entry is this server, second entry is the other DC.

nameserver 192.168.0.3
nameserver 192.168.0.2
search mad.caponato.es

You may also go ahead and modify /etc/resolv.conf on the other DCs in a similar fashion. Let each DC have its own IP address as the first DNS server.

Unmask and enable the Samba AD DC service, mask the other Samba services, and reboot.

systemctl unmask samba-ad-dc.service
systemctl enable samba-ad-dc.service
systemctl mask smbd
systemctl mask nmbd
systemctl mask winbind
reboot

Verify DNS.

host -t SRV _ldap._tcp.mad.caponato.es.
host -t SRV _kerberos._udp.mad.caponato.es.
host -t A dc2.mad.caponato.es.

Expected output:

_ldap._tcp.mad.caponato.es has SRV record 0 100 389 dc1.caponato.es.
_ldap._tcp.mad.caponato.es has SRV record 0 100 389 dc2.caponato.es.

_kerberos._udp.mad.caponato.es has SRV record 0 100 88 dc1.caponato.es.
_kerberos._udp.mad.caponato.es has SRV record 0 100 88 dc2.caponato.es.

dc2.mad.caponato.es has address 192.168.0.3

Create your DC2's PTR record.

Note: the reverse zone was already created when the AD was provisioned. This step is not strictly needed and can also be done from RSAT's DNS tool in Windows.

samba-tool dns add 192.168.0.2 0.168.192.in-addr.arpa 3 PTR dc2.mad.caponato.es -U "MAD\Administrator"

Expected output:

Password for [MAD\Administrator]:
Record added successfully

Test Samba.

smbclient -L localhost -N

Expected output:

Anonymous login successful

Sharename       Type      Comment
---------       ----      -------
sysvol          Disk      
netlogon        Disk      
IPC$            IPC       IPC Service (Samba 4.18.6-Debian)
SMB1 disabled -- no workgroup available

Check AD replication.
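An added check that is not part of the original page: pipe the output of `samba-tool drs showrepl` (run on the new DC) through this function to flag any partition whose inbound or outbound neighbour reports consecutive replication failures. The sample outputs below are constructed for illustration and mimic the showrepl format; the real command is shown in the comment.

```shell
#!/bin/sh
# Added example: parse `samba-tool drs showrepl` output and flag links with
# failed replication attempts. Exit status 0 = all links healthy, 1 = failures.

# check_showrepl reads showrepl output on stdin and prints one FAIL line per
# neighbour whose "consecutive failure(s)" counter is non-zero.
check_showrepl() {
    awk '
        /^(DC|CN)=/            { partition = $0 }
        / via (RPC|SMTP)/      { neighbour = $0; sub(/^[ \t]+/, "", neighbour) }
        /Last attempt @/       { attempt = $0;   sub(/^[ \t]+/, "", attempt) }
        /consecutive failure\(s\)/ {
            n = $1 + 0
            if (n > 0) {
                bad++
                printf "FAIL %s <- %s: %d consecutive failure(s) (%s)\n",
                       partition, neighbour, n, attempt
            }
        }
        END { exit (bad > 0) ? 1 : 0 }
    '
}

# Constructed sample: healthy inbound link from DC1 for the domain partition.
SAMPLE_OK=$(cat <<'EOF'
Default-First-Site-Name\DC2
==== INBOUND NEIGHBORS ====
DC=mad,DC=caponato,DC=es
    Default-First-Site-Name\DC1 via RPC
        Last attempt @ Sat Sep 16 13:30:00 2023 CEST was successful
        0 consecutive failure(s).
        Last success @ Sat Sep 16 13:30:00 2023 CEST
EOF
)

# Constructed sample: the same link after three failed attempts (access denied).
SAMPLE_BAD=$(cat <<'EOF'
Default-First-Site-Name\DC2
==== INBOUND NEIGHBORS ====
DC=mad,DC=caponato,DC=es
    Default-First-Site-Name\DC1 via RPC
        Last attempt @ Sat Sep 16 13:45:00 2023 CEST failed, result 5 (WERR_ACCESS_DENIED)
        3 consecutive failure(s).
        Last success @ Sat Sep 16 13:30:00 2023 CEST
EOF
)

# Real use on the new DC (samba-tool is only present on the DC itself):
#   samba-tool drs showrepl | check_showrepl
```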

Sync Sysvol.

See this article to sync Sysvol folders (and why this needs to be done on a regular basis).

Sync idmap.ldb

See this article to sync idmap.ldb between DCs (and why this needs to be done on a regular basis).

Reset the Sysvol folder's file system access control lists (ACL) on the new DC.

This has already been done as per the “Sync idmap.ldb” procedure, above.

Congratulations! Your AD infrastructure is now robust, available and resilient.

If you need to share files, set up a file server. Do not use a DC as a file server.

Remember to update your DNS servers in DHCP.

From now on, your network DNS servers must be the domain controller(s). Make sure you declare these DCs in your DHCP server.

Consider hardening the Samba server.

See this article for some ideas.


samba/aditional-dc.txt · Last modified: by caponato