[Samba] Joining a new Samba AD DC

Mark Foley mfoley at novatec-inc.com
Tue Jul 25 18:33:31 UTC 2023


On Jul 24 13:30:11 2023 Rowland Penny via samba <samba at lists.samba.org> wrote:

> > Did you also sync Sysvol ?
> > On a newly joined DC, there is very little in sysvol, it needs to be 
> > synced from a DC that holds all the GPOs.
>
> The wiki says, "You will now need to sync Sysvol to the new DC." I thought then
> sysvolreset was that. Is there a wiki/howto on how to sync Sysvol?

To "sync Sysvol to the new DC", can I just rsync from the current DC to the new
DC?

rsync -tvr /var/lib/samba/sysvol/ DC1://var/lib/samba/sysvol

or tar the old sysvol and untar on the new DC?

sysvol has ACLs and ATTRs that I don't think 
>
> > On 24/07/2023 17:46, Mark Foley via samba wrote:
> > > I removed the new computer from the domain and deleted the smb.conf file. I then
> > > did:
> > > 
> > > samba-tool domain join hprs.local DC --option='idmap_ldb:use rfc2307 = yes' -U Administrator
>
> [deleted]
>
> > It sounds like you now have a DC :-)
>
> > > Note that I did not specify any --dns-backend.  I hope that's OK as I
> > > provisioned with --dns-backend=BIND9_FLATFILE on the original/current DC.  I do
> > > have LAN members not part of the domain that need to have DNS service, so I may
> > > have to redo this later.
> >
> > If you didn't specify a dns backend, then the default internal dns 
> > server will be used.
> >
> > > Under "Verifying the DNS Entries" I did change the 1st IP in resolv.conf to be this new host's
> > > IP, but that didn't work -- couldn't see any other host, so I reverted back to
> > > the original DC's IP. However, that's not working either, even after a reboot. I
> > > switched back to the new DC's IP and rebooted. Again, not working. So, something
> > > is wrong with the DNS setup.
> >
> > The dns problem is probably because there are no records in AD, you need 
> > to either transfer the records from the flat files (you will probably 
> > have to create the reverse zone) or let your Windows computers create 
> > them in AD.
>
> OK, I'll look at that after the sync Sysvol. On the original DC, that machine
> was already the DNS w/o Samba with all the named.conf, zones, etc. configured.
> It was easy to adapt that to the then supported --dns-backend=BIND9_FLATFILE. I
> think I can research this a bit and sort it out.
>
> [deleted]
>
> > > Next I ran 'net cache flush' on the new DC; seemed to work (no error).
> > > 
> > > Next 'samba-tool ntacl sysvolreset', but I had a problem with that:
> > > 
> > > # samba-tool ntacl sysvolreset
> > > set_nt_acl_conn: init_files_struct failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
>
> [deleted]
>
> > > What did I do wrong? Note that samba is not yet running.
> >
> > Did you also sync Sysvol ?
> > On a newly joined DC, there is very little in sysvol, it needs to be 
> > synced from a DC that holds all the GPOs.
>
> The wiki says, "You will now need to sync Sysvol to the new DC." I thought then
> sysvolreset was that. Is there a wiki/howto on how to sync Sysvol?
>
> > ... it is just that Debian (and Debian based distros, 
> > Ubuntu for instance) has been the go-to distro for a Samba AD DC since 
> > Samba 4.0.0 and there is a lot of knowledge out there. I run two Samba 
> > AD DCs on Raspberry Pi OS (Debian based), so I can vouch that it works well.
> >
> > Rowland
>
> Wow, on a Raspberry pi, eh? That's impressive for a Raspberry! I may be the only
> one running this on Slackware. However, I don't really think the actual setup is
> much different by distro other than certainly what Samba version it supports.
> Slackware tends to lag, on purpose -- let others be the delta-tester. I hope this
> exercise doesn't prove me wrong.
>
> Thanks --Mark
>
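Added example, not from anyone in this thread: a sysvol copy that carries the POSIX ACLs and extended attributes which the "rsync -tvr" above would drop, followed by the sysvolreset step already discussed. The hostname DC1 and the sysvol path come from the post; the ssh step and the digest check are my assumptions.

```shell
#!/bin/sh
# Sync sysvol from the current DC to the new DC. -a keeps owner/perms/times,
# -A carries POSIX ACLs, -X carries xattrs (Samba keeps its NT ACL there),
# --delete-after removes policies that no longer exist on the source.
# Must run as root on both ends or the ACL/xattr data is silently skipped.
SRC_SYSVOL=/var/lib/samba/sysvol/          # trailing slash: copy contents
NEW_DC=DC1                                 # assumed: the new DC's hostname
DST_SYSVOL=/var/lib/samba/sysvol

# Print the rsync command so it can be reviewed before it is run.
sysvol_rsync_cmd() {
    printf 'rsync -aAXv --delete-after %s %s:%s\n' "$1" "$2" "$3"
}

# Do the copy, then let Samba recompute the NT ACLs on the new DC (the
# sysvolreset step from the thread; assumed to run over ssh as root).
sysvol_sync() {
    rsync -aAXv --delete-after "$SRC_SYSVOL" "$NEW_DC:$DST_SYSVOL" || return 1
    ssh "$NEW_DC" samba-tool ntacl sysvolreset
}

# Digest of the ACL and xattr dump of a sysvol tree, relative to its root.
# Run on both DCs; differing digests mean ACLs or attributes were lost.
sysvol_acl_digest() {
    ( cd "$1" || exit 1
      getfacl -R -p . 2>/dev/null || true
      getfattr -R -d -m - . 2>/dev/null || true ) | cksum | cut -d' ' -f1
}
```

Run sysvol_sync on the current DC, then compare "sysvol_acl_digest /var/lib/samba/sysvol" on both hosts.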