[Samba] Setting up Backup AD DC

Norbert Hanke norbert.hanke at gmx.ch
Fri Oct 30 14:21:57 UTC 2020

On 29.10.2020 18:27, Tom Diehl via samba wrote:
> On Thu, 29 Oct 2020, Rowland penny via samba wrote:
>> On 29/10/2020 14:43, Marco Shmerykowsky via samba wrote:
>>>  I want to setup a backup AD DC and have a few quick
>>>  (possibly dumb) questions:
>> No, you just want to add another DC
>>>  1) Is this link the best reference to the procedure to
>>>     create the backup AD DC?
>>>  ->
>>>  https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>> It is a good start, then ask any questions here.
>>>  2) What is considered the best samba option of
>>>     the 3 listed for Sysvol Replication under the Subsection
>>>     titled "Built-in User & Group ID Mappings" in the
>>>     link provided above?
>> This is very subjective, if you ask 100 Samba users 'which is best',
>> you will probably get about 150 different answers :-D
>>>  3) Does the backup and the primary need to run the
>>>     same version of samba?
>> I think you mean 'Does the DC with all the FSMO roles and any other
>> DC need to run the same version of Samba' , to which the answer would
>> be:
>> Ideally yes, but different versions will work together, just don't
>> try to use something like 4.1.x and 4.12.x together, it may work, but
>> I would bet there will be problems.
> Maybe I am missing something, but what is the secure way to run an
> automated
> backup on recent versions of samba? Can samba-tool domain backup be
> made to use
> kerberos so I do not need to store an admin password in an unencrypted
> file?
> Regards,
With Kerberos you need to have an [unencrypted] keytab file. Of course
that is better than a password in a file, but it's not fundamentally
different. The keytab content is just harder to spell than a password.


More information about the samba mailing list