Provision your Active Directory on a new DC

These instructions provide a basic guide for provisioning your Active Directory using Samba. For more detailed explanations, please consult the official Samba wiki pages.

This guide provisions Samba as an AD DC using the internal DNS backend. RFC 2307 attributes (uidNumber, gidNumber, loginShell and friends) are part of the standard AD schema, so there is no need for '--use-rfc2307' while provisioning in order to use them, despite what you may find elsewhere.

The Domain Controller is named dc1.mad.caponato.es and has an IP address of 192.168.0.2.

The relevant software packages are already installed, and the hostname and hosts file have already been configured (see Preparing your server).

If you need to add a DC to an existing domain, refer to the additional DC section instead. This how-to is for the first DC of a new domain only and must never be used to install an additional DC: it wipes the local databases and creates a brand new domain.

Make sure Samba is stopped.

systemctl stop samba-ad-dc.service

Remove all old databases and config files (the -f keeps rm from aborting on paths that do not exist yet on a fresh install).

rm -f /run/samba/*.tdb \
/run/samba/*.ldb \
/var/lib/samba/*.tdb \
/var/lib/samba/*.ldb \
/var/cache/samba/*.tdb \
/var/cache/samba/*.ldb \
/var/lib/samba/private/*.tdb \
/var/lib/samba/private/*.ldb

mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
mv /etc/krb5.conf /etc/krb5.conf.bak

Configure the time service.

See Installing and configuring Chrony to work with a Samba DC.

Provision your Samba AD. In this example the DNS forwarders are 1.1.1.1 and 8.8.8.8, and Passw0rd stands in for a real Administrator password, which must satisfy the default complexity policy. A password passed with --adminpass ends up in your shell history and is visible in the process list while the command runs; either change it right after provisioning or leave --adminpass out, in which case samba-tool prompts for it.

samba-tool domain provision --server-role=dc --dns-backend=SAMBA_INTERNAL --realm=MAD.CAPONATO.ES --domain=MAD --adminpass=Passw0rd --option="dns forwarder=1.1.1.1 8.8.8.8"

I say again: do not use '--use-rfc2307'. Learn why you should not use --use-rfc2307 when provisioning even if you are using RFC 2307 attributes.

Once your AD has been provisioned, copy your newly generated Kerberos config file to /etc/.

cp /var/lib/samba/private/krb5.conf /etc/

Note that some people recommend keeping only the following lines in /etc/krb5.conf:

[libdefaults]
  dns_lookup_realm = false
  dns_lookup_kdc = true
  default_realm = MAD.CAPONATO.ES

Reconfigure your /etc/resolv.conf file.

Put your own address first, then a second server of your choice in case Samba fails; in this case, Google's 8.8.8.8. Be aware that the fallback server knows nothing about the AD zone, so whenever the resolver falls over to it, lookups of mad.caponato.es names fail rather than being answered. If systemd-resolved, NetworkManager or the DHCP client manages resolv.conf on this host, configure the same servers there, otherwise the file is overwritten on the next boot.

nameserver 192.168.0.2
nameserver 8.8.8.8
search mad.caponato.es

Unmask and enable the Samba AD DC service, mask the other Samba services, and reboot.

Samba, acting as an AD DC, starts the services it needs (smbd, winbind) on its own, so mask the standalone units to stop them from being started alongside it.

systemctl unmask samba-ad-dc && systemctl enable samba-ad-dc
systemctl mask smbd && systemctl mask nmbd && systemctl mask winbind
reboot

Verify DNS is working correctly. The SRV targets must be this DC's FQDN and the A record must be its address; anything else usually means the hostname or /etc/hosts were wrong at provisioning time.

host -t SRV _ldap._tcp.mad.caponato.es.
_ldap._tcp.mad.caponato.es has SRV record 0 100 389 dc1.mad.caponato.es.

host -t SRV _kerberos._udp.mad.caponato.es.
_kerberos._udp.mad.caponato.es has SRV record 0 100 88 dc1.mad.caponato.es.

host -t A dc1.mad.caponato.es.
dc1.mad.caponato.es has address 192.168.0.2

Create the DNS reverse zone for your network, and DC1's PTR record.

This step is not required but nice to have, and it can also be done from the DNS console in Windows's RSAT.

samba-tool dns zonecreate 192.168.0.2 0.168.192.in-addr.arpa -U "MAD\Administrator"
Password for [MAD\Administrator]:
Zone 0.168.192.in-addr.arpa created successfully

samba-tool dns add 192.168.0.2 0.168.192.in-addr.arpa 2 PTR dc1.mad.caponato.es -U "MAD\Administrator"
Password for [MAD\Administrator]:
Record added successfully

Test Kerberos. The expiry warning is normal: the domain's default password policy sets a maximum password age of 42 days.

kinit administrator
Password for administrator@MAD.CAPONATO.ES:
Warning: Your password will expire in 41 days on Tue 14 Aug 2023 07:06:17 PM CET

klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MAD.CAPONATO.ES
Valid starting       Expires              Service principal
09/16/2023 13:19:52  09/16/2023 23:19:52  krbtgt/MAD.CAPONATO.ES@MAD.CAPONATO.ES
        renew until 09/17/2023 13:19:49

Test Samba.

smbclient -L localhost -N
Anonymous login successful

Sharename       Type      Comment
---------       ----      -------
sysvol          Disk      
netlogon        Disk      
IPC$            IPC       IPC Service (Samba 4.18.6-Debian)
SMB1 disabled -- no workgroup available
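The steps above, gathered into one script as an added example (this is not code from the wiki page or from the Samba project). It keeps the page's values (MAD.CAPONATO.ES, dc1.mad.caponato.es, 192.168.0.2, forwarders 1.1.1.1 and 8.8.8.8) in variables, prompts for the Administrator password instead of passing it on the command line, and turns the DNS and smbclient checks into comparisons against the expected values rather than output to eyeball. It assumes POSIX sh, root on the DC, and the host, samba-tool and smbclient binaries; chrony and /etc/resolv.conf are still done by hand as described on the page.

```sh
#!/bin/sh
# Added example, not code from the wiki page: the provisioning steps above as
# one script with the page's values in variables, plus a DNS/SMB check that
# compares results instead of leaving them to eyeball. Time sync (chrony) and
# /etc/resolv.conf are still done by hand as described on the page.
set -eu

REALM="MAD.CAPONATO.ES"        # Kerberos realm (upper case)
DOMAIN="MAD"                   # NetBIOS domain name
DC_FQDN="dc1.mad.caponato.es"  # this DC's host name
DC_IP="192.168.0.2"            # this DC's address
FORWARDERS="1.1.1.1 8.8.8.8"   # resolvers for everything outside the AD zones

# 192.168.0.2 -> 0.168.192.in-addr.arpa (the /24 reverse zone) and -> 2 (PTR label)
reverse_zone() {
    set -- $(printf '%s' "$1" | tr . ' ')
    printf '%s.%s.%s.in-addr.arpa\n' "$3" "$2" "$1"
}
ptr_label() { printf '%s\n' "${1##*.}"; }

# Parse `host` output on stdin: SRV target (without the trailing dot) or A address.
# Error/NXDOMAIN lines produce no output, so a mismatch is caught in verify().
srv_target() { sed -n 's/.* has SRV record [0-9]* [0-9]* [0-9]* \(.*\)\.$/\1/p'; }
a_record()   { sed -n 's/.* has address \(.*\)$/\1/p'; }

provision() {
    systemctl stop samba-ad-dc.service || true
    rm -f /run/samba/*.tdb /run/samba/*.ldb \
          /var/lib/samba/*.tdb /var/lib/samba/*.ldb \
          /var/cache/samba/*.tdb /var/cache/samba/*.ldb \
          /var/lib/samba/private/*.tdb /var/lib/samba/private/*.ldb
    if [ -f /etc/samba/smb.conf ]; then mv /etc/samba/smb.conf /etc/samba/smb.conf.bak; fi
    if [ -f /etc/krb5.conf ]; then mv /etc/krb5.conf /etc/krb5.conf.bak; fi
    # No --adminpass: samba-tool prompts for it, so the Administrator password
    # stays out of shell history and `ps`. No --use-rfc2307 either.
    samba-tool domain provision --server-role=dc --dns-backend=SAMBA_INTERNAL \
        --realm="$REALM" --domain="$DOMAIN" --option="dns forwarder=$FORWARDERS"
    cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
    systemctl unmask samba-ad-dc
    systemctl enable samba-ad-dc
    systemctl mask smbd nmbd winbind
}

# Reverse zone and the DC's own PTR record (the optional step on the page).
reverse() {
    zone=$(reverse_zone "$DC_IP")
    samba-tool dns zonecreate "$DC_IP" "$zone" -U "${DOMAIN}\\Administrator"
    samba-tool dns add "$DC_IP" "$zone" "$(ptr_label "$DC_IP")" PTR "$DC_FQDN" -U "${DOMAIN}\\Administrator"
}

# Run after the reboot: the SRV records must list this DC's FQDN as a target,
# the A record must be its address, and sysvol/netlogon must be offered.
verify() {
    zone=${DC_FQDN#*.}
    for svc in _ldap._tcp _kerberos._tcp _kerberos._udp; do
        got=$(host -t SRV "$svc.$zone." | srv_target)
        printf '%s\n' "$got" | grep -qx "$DC_FQDN" \
            || { echo "$svc.$zone -> '$got', expected $DC_FQDN" >&2; return 1; }
    done
    got=$(host -t A "$DC_FQDN." | a_record)
    [ "$got" = "$DC_IP" ] || { echo "$DC_FQDN -> '$got', expected $DC_IP" >&2; return 1; }
    for share in sysvol netlogon; do
        smbclient -L localhost -N | grep -q "^[[:space:]]*$share[[:space:]]" \
            || { echo "share $share missing" >&2; return 1; }
    done
    echo "DC $DC_FQDN ($DC_IP): DNS and shares OK"
}

if [ $# -gt 0 ]; then
    case "$1" in
        provision) provision ;;
        reverse)   reverse ;;
        verify)    verify ;;
        *) echo "usage: $0 provision|reverse|verify" >&2; exit 2 ;;
    esac
fi
```

Run it as `sh provision-dc.sh provision`, reboot, then `sh provision-dc.sh verify` and, if you want the reverse zone, `sh provision-dc.sh reverse`. The parsing helpers take the host output on stdin so they can be checked against recorded output without a live DC, and the SRV check accepts additional targets, so it keeps working once a second DC has been joined.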

Congratulations: You have a working AD DC installation!

An AD is easier to manage with the RSAT tools for Windows. See installing Windows RSAT tools.

If you need to share files, set up a separate file server. Do not use a DC as a file server: Samba's documentation advises against it, ID mapping on a DC is more limited than on a domain member, and every extra share widens the attack surface of the host that holds the domain's credentials.

Remember to update your DNS servers in DHCP.

From now on, your network's DNS servers must be the DCs. Make this DC the first DNS server in your DHCP configuration.

Optional: Installing Microsoft's ADMX templates for your GPOs.

You do not need this if you configure GPO from a Windows workstation via RSAT.

If you plan on using Group Policy Objects (GPOs) in your Active Directory (AD), you will need to install the latest Microsoft ADMX templates on your first domain controller. They live in SysVol, so any other DC needs a copy too; note that Samba does not replicate SysVol on its own (there is no DFS-R implementation), so on a multi-DC setup you have to copy it to the other DCs yourself, for example with the rsync-based procedure described in the Samba wiki.

This process should be performed again if configuring a new item from the GPO tree that is not included in older ADMX definitions.

Download the latest here:

Administrative Templates files based on the operating system version

Currently, I am using the Administrative Templates (.admx) for the Windows 10 October 2022 Update (22H2). (I recommend using the English version.) Download this file onto your DC and rename it to templates.msi.

apt-get update && apt-get install msitools # If not installed.
msiextract templates.msi
samba-tool gpo admxload -U Administrator --admx-dir=/path/to/extracted/msi/Program\ Files/Microsoft\ Group\ Policy/Windows\ 10\ October\ 2022\ Update\ \(22H2\)/PolicyDefinitions/
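The same load as a small script, added here as an example (not code from the page or from Samba). It locates the PolicyDefinitions directory under the extracted MSI itself, so you do not have to retype the long path with its spaces and parentheses, and it refuses to proceed unless exactly one such directory with .admx files in it exists. It assumes msitools is installed and that templates.msi is the file downloaded above; the extraction directory is a temporary one unless you pass a second argument.

```sh
#!/bin/sh
# Added example, not from the wiki page: extract templates.msi and feed the
# PolicyDefinitions directory to `samba-tool gpo admxload` without retyping
# the long path with its spaces and parentheses. Assumes msitools is installed.
set -eu

# Print the single PolicyDefinitions directory below an extracted MSI tree.
# Exactly one is required (a stale second extraction would otherwise load
# the wrong set), and it must actually contain .admx files.
find_policydefs() {
    dirs=$(find "$1" -type d -name PolicyDefinitions)
    n=0
    if [ -n "$dirs" ]; then n=$(printf '%s\n' "$dirs" | wc -l | tr -d ' '); fi
    if [ "$n" -ne 1 ]; then
        echo "expected one PolicyDefinitions directory under $1, found $n" >&2
        return 1
    fi
    if ! find "$dirs" -maxdepth 1 -name '*.admx' | grep -q .; then
        echo "$dirs contains no .admx files" >&2
        return 1
    fi
    printf '%s\n' "$dirs"
}

# Usage: load_admx /path/to/templates.msi [extract-dir]
load_admx() {
    out=${2:-$(mktemp -d)}
    msiextract -C "$out" "$1"          # unpack the MSI's file tree into $out
    pd=$(find_policydefs "$out")
    samba-tool gpo admxload -U Administrator --admx-dir="$pd"
}

if [ $# -gt 0 ]; then load_admx "$@"; fi
```

Run it as `sh load-admx.sh templates.msi` from the directory holding the download; samba-tool prompts for the Administrator password. Re-run it the same way whenever you download a newer template set.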

Consider hardening the Samba server

See this article for some ideas.


samba/provision-dc.txt · Last modified: by caponato