[Samba] Joining a new Samba AD DC

Rowland Penny rpenny at samba.org
Sun Jul 16 08:21:08 UTC 2023



On 16/07/2023 07:10, Mark Foley via samba wrote:
> I am planning on upgrading my AD/DC from Samba version 4.8.2 to the most recent
> version in my Slackware distro which is currently 4.15.13.
> 
> In previous threads in this maillist I was advised that the best route to
> achieve this was to add a 2nd domain controller, then promote that one and
> demote the original. I'm in the process of setting up a 2nd DC to that end.

If you only have one DC, I strongly urge you to run at least two for 
safety's sake.

> 
> I thought I'd ask questions as I encounter issues, and I've got a couple right
> off.
> 
> 1) The howto doc https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Preparing_the_Installation,
> at the very beginning says,
> 
>    "Verify that the /etc/hosts file on the DC correctly resolves the
>    fully-qualified domain name (FQDN) and short host name to the LAN IP address of
>    the DC. For example:
> 
>    127.0.0.1     localhost
>    10.99.0.1     DC1.samdom.example.com     DC1
> 
>    The host name and FQDN must not resolve to the 127.0.0.1 IP address or any
>    other IP address than the one used on the LAN interface of the DC."
> 
> The current DC (hostname MAIL) has its /etc/hosts file set up as described above, but what
> about a 2nd DC? Right now, the machine I'm working on to be the 2nd DC (hostname
> DC1) uses dhcp and is statically assigned an IP by dhcpd running on MAIL.
> 
> Should the new secondary DC1 also have its IP statically assigned and not use DHCP?

On the wiki page you have linked to, just above the part you have 
posted, it says this:

Set a static IP address on the DC and make the associated reservation on 
your router. Important: The Samba domain controller will become your DNS 
resolver for all domain-joined workstations. As a result it may be 
required to assign this IP address outside of your DHCP pool.


It is recommended that all Samba AD DCs have a fixed IP address, you 
would not want the IP of a DC to possibly change.

> 
> 2) The next thing the wiki doc says to do is to provision the DC. Will doing so
> on this 2nd DC interfere with the current/primary DC?

I think you may be following the wrong instructions; the page you linked 
to is for provisioning the first DC in a new domain.
Have you read this wiki page:

https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory

It is only possible to provision one DC in a domain (you actually create 
the domain and then automatically join the first DC during the process), 
after that you join extra DCs to the domain.

> 
> My current DC was provisioned with --dns-backend=BIND9_FLATFILE. The wiki doc
> says "do NOT use BIND9_FLATFILE, it is not supported and will be removed in a
> future Samba version." Given that this machine will be the AD/DC for a dozen
> Windows 10/11 workstations, what would be the recommended alternative
> dns-backend?


You have a choice of two:

You can use the Samba internal dns server, which will require little or 
no extra setup, see here:

https://wiki.samba.org/index.php/Samba_Internal_DNS_Back_End

Or you can use Bind9, which requires setting up correctly, see here:

https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End

I cannot recommend using Bind9 with flatfiles, it wasn't ever really 
supported (it was only meant for early versions of Bind9 that didn't 
have bind_dlz, these are now EOL) and really should have been removed by 
now. Using Bind9 with flatfiles was formally deprecated when 4.11.0 was 
released in September 2019 and the 'rndc command' smb.conf parameter 
that it relies on was removed when 4.12.0 was released in March 2020.

Rowland
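The /etc/hosts requirement quoted from the wiki above (both the FQDN and the short name must map to the DC's LAN IP and to nothing else, never to 127.0.0.1) is easy to get wrong, because many distributions put the machine's own name on the loopback line by default. The following POSIX shell script is an added example written for this page, not code from the thread or from the Samba project: it parses a hosts file, collects every address each name maps to, and fails if a name is missing, maps to a loopback address, or maps to anything other than the expected LAN IP. The two sample hosts files are constructed here to mirror the wiki's good example and the loopback mistake; the names and the 10.99.0.1 address come from the wiki text quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a hosts file maps a DC's
# FQDN and short name only to its LAN IP, as the Samba wiki requires.
# Usage: check_dc_hosts <hosts-file> <fqdn> <short-name> <lan-ip>
# Returns 0 when the file is acceptable, 1 otherwise (reasons go to stderr).

# Print every address that FILE maps NAME to, one per line.
# Comments are stripped and the name comparison is case-insensitive,
# which matches how the resolver treats /etc/hosts entries.
hosts_ips_for() {
    # $1 = hosts file, $2 = name to look up
    awk -v name="$2" '
        { sub(/#.*/, "") }      # drop trailing comments
        NF < 2 { next }         # need an address plus at least one name
        {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(name)) { print $1; break }
        }' "$1"
}

check_dc_hosts() {
    file=$1; fqdn=$2; short=$3; lanip=$4
    rc=0
    for name in "$fqdn" "$short"; do
        ips=$(hosts_ips_for "$file" "$name")
        if [ -z "$ips" ]; then
            echo "FAIL: $name is not listed in $file" >&2
            rc=1
            continue
        fi
        for ip in $ips; do
            case $ip in
                127.*|::1)
                    echo "FAIL: $name resolves to loopback address $ip" >&2
                    rc=1 ;;
                "$lanip")
                    ;;          # the one mapping the wiki asks for
                *)
                    echo "FAIL: $name resolves to $ip, expected $lanip" >&2
                    rc=1 ;;
            esac
        done
    done
    [ "$rc" -eq 0 ] && echo "OK: $fqdn and $short resolve only to $lanip"
    return $rc
}

# Constructed sample files (not real hosts files from the thread).
GOOD_HOSTS=$(mktemp)
BAD_HOSTS=$(mktemp)
trap 'rm -f "$GOOD_HOSTS" "$BAD_HOSTS"' EXIT

# The layout the wiki recommends.
cat > "$GOOD_HOSTS" <<'EOF'
127.0.0.1     localhost
10.99.0.1     DC1.samdom.example.com     DC1
EOF

# A common distro default: the host's own names also sit on the loopback line.
cat > "$BAD_HOSTS" <<'EOF'
127.0.0.1     localhost DC1.samdom.example.com DC1   # distro default, wrong for a DC
10.99.0.1     DC1.samdom.example.com     DC1
EOF

# Demonstration against the samples. On a real DC you would run something like:
#   check_dc_hosts /etc/hosts "$(hostname -f)" "$(hostname -s)" 10.99.0.1
check_dc_hosts "$GOOD_HOSTS" DC1.samdom.example.com DC1 10.99.0.1 || true
check_dc_hosts "$BAD_HOSTS"  DC1.samdom.example.com DC1 10.99.0.1 || true
```

The check deliberately reports every offending line rather than stopping at the first, since the usual fix is to remove the DC's names from the 127.0.0.1 line while keeping the LAN line; it says nothing about DNS, so it complements rather than replaces `samba-tool dns` and `host` lookups once the DC is joined.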
