[Samba] Joining a new Samba AD DC

Mark Foley mfoley at novatec-inc.com
Sun Jul 23 19:40:59 UTC 2023


On Sun Jul 16 04:21:55 2023 Rowland Penny via samba <samba at lists.samba.org> wrote:

> On 16/07/2023 07:10, Mark Foley via samba wrote:
> > I am planning on upgrading my AD/DC from Samba version 4.8.2 to the most recent
> > version in my Slackware distro which is currently 4.15.13.
> > 
> > In previous threads in this maillist I was advised that the best route to
> > achieve this was to add a 2nd domain controller, then promote that one and
> > demote the original. I'm in the process of setting up a 2nd DC to that end.

> > 
> > 2) The next thing the wiki doc says to do is to provision the DC. Will doing so
> > on this 2nd DC interfere with the current/primary DC?
>
> I think you may be following the wrong instructions, the page you linked 
> to is for provisioning the first DC in a new domain.
> Have you read this wiki page:
>
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>
> It is only possible to provision one DC in a domain (you actually create 
> the domain and then automatically join the first DC during the process), 
> after that you join extra DCs to the domain.

Thanks, I'm now referencing your suggested wiki. 

Question 1: That wiki says:

  Configuring the /etc/resolv.conf

  Set the DNS server IP and AD DNS domain in your /etc/resolv.conf. For example:

  nameserver 10.99.0.1
  search samdom.example.com

Is the nameserver as shown supposed to be the primary/current AD/DC? Currently,
the AD/DC is 192.168.0.2 and in that host's resolv.conf the nameserver IP is set
to itself. In this joined DC, should the nameserver be the primary/current AD/DC
or itself (192.168.0.7)?

Question 2: After setting krb5.conf per the wiki, the test commands do not work:

# kinit Administrator
Password for Administrator@hprs.local: 
kinit: KDC reply did not match expectations while getting initial credentials

# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)

Does something have to be running first? Note that samba is installed, but not
running.

(I'm leaving the following question in this thread for the future as the join of
a DC to an existing AD domain does not mention it, but I still have questions.)

> > My current DC was provisioned with --dns-backend=BIND9_FLATFILE. The wiki doc
> > says "do NOT use BIND9_FLATFILE, it is not supported and will be removed in a
> > future Samba version." Given that this machine will be the AD/DC for a dozen
> > Windows 10/11 workstations, what would be the recommended alternative
> > dns-backend?
>
> You have a choice of two:
>
> You can use the Samba internal dns server, which will require little or 
> no extra setup, see here:
>
> https://wiki.samba.org/index.php/Samba_Internal_DNS_Back_End
>
> Or you can use Bind9, which requires setting up correctly, see here:
>
> https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End
>
> I cannot recommend using Bind9 with flatfiles, it wasn't ever really 
> supported (it was only meant for early versions of Bind9 that didn't 
> have bind_dlz, these are now EOL) and really should have been removed by 
> now. Using Bind9 with flatfiles was formally deprecated when 4.11.0 was 
> released in September 2019 and the 'rndc command' smb.conf parameter 
> that it relies on was removed when 4.12.0 was released in March 2020.
>
> Rowland
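As an added example, not part of this thread and not code from the Samba project: a POSIX shell script that sanity-checks the two files the join wiki page has you edit before running "samba-tool domain join". It uses the values from the thread as assumptions (existing DC 192.168.0.2, host being joined 192.168.0.7, AD DNS domain hprs.local) and derives the Kerberos realm HPRS.LOCAL as the uppercase form of that domain, which is the usual convention and an assumption here. The two checks it encodes are the ones a practitioner would want at this step: while joining, the new host is assumed to resolve DNS through an existing DC rather than through itself, since its own Samba (and hence its DNS) is not running yet; and default_realm in krb5.conf must match the realm the KDC uses exactly, because realm names are case-sensitive and a mismatch such as a lowercase realm is one well-known cause of "KDC reply did not match expectations". The sample resolv.conf and krb5.conf contents are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): pre-join checks for
# /etc/resolv.conf and /etc/krb5.conf on a host about to join an existing AD domain.
# Assumed values, taken from the thread: existing DC 192.168.0.2, joining host
# 192.168.0.7, AD DNS domain hprs.local. The realm is assumed to be the uppercase
# domain name; Kerberos realm names are case-sensitive.

EXISTING_DC_IP=192.168.0.2
SELF_IP=192.168.0.7
AD_DOMAIN=hprs.local
REALM=$(printf '%s' "$AD_DOMAIN" | tr '[:lower:]' '[:upper:]')

# check_resolv FILE
# Succeeds only if the first nameserver is the existing DC (not this host, which
# answers no DNS queries until Samba is running) and the search domain is the AD domain.
check_resolv() {
    ns=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    srch=$(awk '$1 == "search" { print $2; exit }' "$1")
    if [ "$ns" = "$SELF_IP" ]; then
        echo "$1: nameserver points at this host; use an existing DC during the join" >&2
        return 1
    fi
    if [ "$ns" != "$EXISTING_DC_IP" ]; then
        echo "$1: nameserver is '$ns', expected existing DC $EXISTING_DC_IP" >&2
        return 1
    fi
    if [ "$srch" != "$AD_DOMAIN" ]; then
        echo "$1: search domain is '$srch', expected $AD_DOMAIN" >&2
        return 1
    fi
    return 0
}

# krb5_value FILE KEY: print the value of "KEY = value" from the [libdefaults] section.
krb5_value() {
    awk -v key="$2" '
        $1 ~ /^\[/ { insec = ($1 == "[libdefaults]"); next }
        insec && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# check_krb5 FILE
# Succeeds only if default_realm is exactly the uppercase realm and the KDC is
# located through DNS SRV records (dns_lookup_kdc = true).
check_krb5() {
    realm=$(krb5_value "$1" default_realm)
    if [ "$realm" != "$REALM" ]; then
        echo "$1: default_realm is '$realm', expected $REALM (realm names are case-sensitive)" >&2
        return 1
    fi
    if [ "$(krb5_value "$1" dns_lookup_kdc)" != "true" ]; then
        echo "$1: dns_lookup_kdc must be true so the KDC is found via SRV records" >&2
        return 1
    fi
    return 0
}

# Constructed sample files: a wrong and a right version of each.
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
printf 'nameserver %s\nsearch %s\n' "$SELF_IP" "$AD_DOMAIN"        > "$SAMPLES/resolv.self"
printf 'nameserver %s\nsearch %s\n' "$EXISTING_DC_IP" "$AD_DOMAIN" > "$SAMPLES/resolv.dc"
printf '[libdefaults]\n\tdefault_realm = %s\n\tdns_lookup_realm = false\n\tdns_lookup_kdc = true\n' \
    "$AD_DOMAIN" > "$SAMPLES/krb5.lower"
printf '[libdefaults]\n\tdefault_realm = %s\n\tdns_lookup_realm = false\n\tdns_lookup_kdc = true\n' \
    "$REALM" > "$SAMPLES/krb5.upper"

for f in "$SAMPLES"/resolv.*; do
    if check_resolv "$f"; then echo "OK  $f"; else echo "BAD $f"; fi
done
for f in "$SAMPLES"/krb5.*; do
    if check_krb5 "$f"; then echo "OK  $f"; else echo "BAD $f"; fi
done
```

To use it on the real host, point check_resolv and check_krb5 at /etc/resolv.conf and /etc/krb5.conf instead of the constructed samples; the check of the nameserver against the joining host's own IP is the one that catches the "itself or the existing DC" question, and the realm comparison is the first thing to look at when kinit fails before Samba has even been started.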
