[Samba] recommendations for new AD with samba as backup DC

Mikel Pérez io at mikelpr.com
Thu Jan 25 22:36:16 UTC 2024


Hey Stefan :^)

well, I had moved a year ago from a previous samba deployment to Windows
Server 2019 because on the samba deploy GPOs wouldn't get applied and RDP
and some random things like compmgmt.msc wouldn't authenticate but I
decided to have faith in it again and they're working this time :D really
happy about it as taking care of a Linux install is much easier

I've found some oddities tho, like Local Policies doesn't show at all
under Computer Configuration -> Windows Settings -> Security Settings on
RSAT's Group Policy tool on Windows. In this case I was trying to set the
Ctrl+Alt+Del policy, I ended up adding it as a registry set
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD
but if there's a way to have everything available I'd love to know

Thanks for the suggestion!


On Sat, 20 Jan 2024 at 05:38, Stefan Kania via samba <samba at lists.samba.org>
wrote:
>
> Hi
>
> You don't need a Windows-DC; it's much better and easier if you set up
> both DCs with the same OS. 4.19 comes with FL 2016 (if you need it). The
> GPOs work absolutely the same as with a windows DC. You can use RSAT to
> do it.
>
> Stefan
>
> On 19.01.24 at 22:07, Mikel Pérez via samba wrote:
> > I'm about to deploy a new directory since I had only one Windows
> > Server 2019 DC and its storage died out (specifically, a block/page
> > where part of ntds.dit happened to be stored because I was able to
> > rescue everything else. amazing)
> >
> > Anyways, this time around I definitely need to have a backup DC. I
> > planned to have Windows be the primary DC and samba be the backup. I
> > wanted to know what precautions should I take,
> > - I saw that samba is still being prepared for functional level 2016
> > and schema 2019, is this still the case? should I instead provision
> > the domain as 2012R2 or 2008R2?
> > - should I instead have the samba one be the primary DC?
> >
> > I never got GPOs working on a domain with just one samba DC as primary
> > even with a heimdal build (and the MIT one had weird issues when
> > authenticating on other machines for RDP) so I do need a windows
> > server DC and I'm guessing it has to be the primary DC.
> >
> > I'd love to know before I spend time in vain setting up a new forest
> > based on bad decisions that I have to tear down and recreate after
> > finding out I made mistakes :')
> >
> > Thanks in advance <3
> >
>

