[Samba] Joining a new Samba AD DC
Mark Foley
mfoley at novatec-inc.com
Sun Jul 23 19:40:59 UTC 2023
On Sun Jul 16 04:21:55 2023 Rowland Penny via samba <samba at lists.samba.org> wrote:
> On 16/07/2023 07:10, Mark Foley via samba wrote:
> > I am planning on upgrading my AD/DC from Samba version 4.8.2 to the most recent
> > version in my Slackware distro which is currently 4.15.13.
> >
> > In previous threads in this maillist I was advised that the best route to
> > achieve this was to add a 2nd domain controller, then promote that one and
> > demote the original. I'm in the process of setting up a 2nd DC to that end.
> >
> > 2) The next thing the wiki doc says to do is to provision the DC. Will doing so
> > on this 2nd DC interfere with the current/primary DC?
>
> I think you may be following the wrong instructions, the page you linked
> to is for provisioning the first DC in a new domain.
> Have you read this wiki page:
>
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>
> It is only possible to provision one DC in a domain (you actually create
> the domain and then automatically join the first DC during the process),
> after that you join extra DCs to the domain.
Thanks, I'm now referencing your suggested wiki.
Question 1: That wiki says:
Configuring the /etc/resolv.conf
Set the DNS server IP and AD DNS domain in your /etc/resolv.conf. For example:
nameserver 10.99.0.1
search samdom.example.com
Is the nameserver as shown supposed to be the primary/current AD/DC? Currently,
the AD/DC is 192.168.0.2 and in that host's resolv.conf the nameserver IP is set
to itself. In this joined DC, should the nameserver be the primary/current AD/DC
or itself (192.168.0.7)?
Question 2: After setting krb5.conf per the wiki, the test commands do not work:
# kinit Administrator
Password for Administrator at hprs.local:
kinit: KDC reply did not match expectations while getting initial credentials
# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
Does something have to be running first? Note that samba is installed, but not
running.
(I'm leaving the following question in this thread for the future as the join of
a DC to an existing AD domain does not mention it, but I still have questions.)
> > My current DC was provisioned with --dns-backend=BIND9_FLATFILE. The wiki doc
> > says "do NOT use BIND9_FLATFILE, it is not supported and will be removed in a
> > future Samba version." Given that this machine will be the AD/DC for a dozen
> > Windows 10/11 workstations, what would be the recommended alternative
> > dns-backend?
>
> You have a choice of two:
>
> You can use the Samba internal dns server, which will require little or
> no extra setup, see here:
>
> https://wiki.samba.org/index.php/Samba_Internal_DNS_Back_End
>
> Or you can use Bind9, which requires setting up correctly, see here:
>
> https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End
>
> I cannot recommend using Bind9 with flatfiles, it wasn't ever really
> supported (it was only meant for early versions of Bind9 that didn't
> have bind_dlz, these are now EOL) and really should have been removed by
> now. Using Bind9 with flatfiles was formally deprecated when 4.11.0 was
> released in September 2019 and the 'rndc command' smb.conf parameter
> that it relies on was removed when 4.12.0 was released in March 2020.
>
> Rowland
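A preflight check for the two files the wiki has you edit before the join (resolv.conf and the [libdefaults] section of krb5.conf), written as an added example for this thread rather than anything from the Samba project. It parses constructed sample files, not the poster's real ones, and flags the configuration mistakes that make an initial kinit fail: a realm that is not upper case, DNS KDC lookup disabled, no nameserver, or a search domain that does not match the realm.

```python
import re

# Constructed sample files, not taken from the thread: a krb5.conf in the wiki's
# layout but with a lower-case realm, and a resolv.conf aimed at the existing DC.
SAMPLE_KRB5 = "[libdefaults]\n    default_realm = hprs.local\n    dns_lookup_kdc = true\n"
SAMPLE_RESOLV = "nameserver 192.168.0.2\nsearch hprs.local\n"

def parse_krb5_libdefaults(text):
    # Minimal krb5.conf reader: collect key = value pairs under [libdefaults].
    section, values = None, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            values[k] = v
    return values

def parse_resolv(text):
    # Return (nameservers, search domains) from resolv.conf text.
    ns, search = [], []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "nameserver":
            ns.extend(parts[1:2])
        elif parts and parts[0] in ("search", "domain"):
            search.extend(parts[1:])
    return ns, search

def preflight(krb5_text, resolv_text):
    # Problems that make 'kinit Administrator' fail before the DC is joined.
    issues = []
    lib = parse_krb5_libdefaults(krb5_text)
    ns, search = parse_resolv(resolv_text)
    realm = lib.get("default_realm", "")
    if not realm:
        issues.append("krb5.conf: no default_realm in [libdefaults]")
    elif realm != realm.upper():
        # Kerberos realms are case-sensitive; an AD realm is the DNS name in upper case.
        issues.append(f"krb5.conf: default_realm '{realm}' must be upper case")
    if lib.get("dns_lookup_kdc", "").lower() != "true":
        issues.append("krb5.conf: set dns_lookup_kdc = true so the KDC is found via SRV records")
    if not ns:
        issues.append("resolv.conf: no nameserver; it must point at a DC serving the AD zone")
    if realm and not any(d.lower() == realm.lower() for d in search):
        issues.append("resolv.conf: search domain does not match the realm")
    return issues
```

Run it against the real files with `preflight(open("/etc/krb5.conf").read(), open("/etc/resolv.conf").read())`; an empty list means both files are consistent with the wiki's layout, which is worth confirming before retrying kinit.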