[Samba] promote existing domain member to "backup" domain controller

Wed Dec 7 15:21:07 UTC 2022

Hi,

I have a domain with single DC "site-ad" (samba 4.16)  and one domain 
member "backup" (samba 4.15). "backup" currently act as files and vm 
backup server.

This is my config on "site-ad":

[global]
     netbios name = SITE-AD
     realm = SITE.SAMDOM.COM
     server role = active directory domain controller
     workgroup = SAMDOM
     idmap_ldb:use rfc2307 = yes

     dns forwarder = 10.21.0.1
     bind interfaces only = yes
     interfaces = lo ifsrv

     tls keyfile  = /etc/easy-rsa/pki/private/site-ad.samdom.com.key
     tls certfile = /etc/easy-rsa/pki/issued/site-ad.samdom.com.crt
     tls cafile   = /etc/easy-rsa/pki/ca.crt

[sysvol]
     path = /var/lib/samba/sysvol
     read only = No

[netlogon]
     path = /var/lib/samba/sysvol/site.samdom.com/scripts
     read only = No

And current config on "backup":

[global]
security = ADS
workgroup = SAMDOM
realm = SITE.SAMDOM.COM

log file = /var/log/samba/%m.log
log level = 1

winbind enum users = yes
winbind enum groups = yes

winbind refresh tickets = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

username map = /etc/samba/user.map

# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the SAMDOM domain
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-999999
idmap config SAMDOM:unix_nss_info = yes

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

# Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /home/%U

Currently on "backup" smbd and winbind services are runnning.

I would like to promote domain member "backup" to domain controller, I 
am using internal dns server on "site-ad" and I want to use internal one 
on "backup" too.
I do not want AD users to login to "backup", it should act only as a 
backup DC.

Just to be sure, I have to do following steps on "backup":

- Stop and disable smb, winbind services

- Follow 
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory, 
but instead of:

samba-tool domain join samdom.example.com DC -U"SAMDOM\administrator"

the first step should be:

samba-tool domain dcpromo DC --option='idmap_ldb:use rfc2307 = yes'

- Remove all  lines below "realm" from smb.conf configuration, and 
disable smb, winbind service

- Enable and start samba service and check replication and dns.

I did not found a similar tutorial, so I would be very grateful any 
hints or steps that are wrong or missing.

Thanks,
Łukasz