
    Tuesday, February 18, 2014

    How to configure Samba 4 as Secondary Domain Controller

    I started reading the Samba4 "Join a DC" article believing that it describes the steps required to configure a backup domain controller for our PDC in Samba 4. (Please correct me if I am wrong.)

    But when I studied it in depth I came to the conclusion that it guides you to create a secondary domain controller, not a backup DC.

    Still, I tried to configure it using the steps given in that article and, as I suspected, I ended up with a secondary DC rather than a backup DC.

    NOTE: This article guides you through configuring a secondary domain controller, not a primary domain controller.

    Still, I would like to show the steps I followed and the fixes for the errors I faced along the way.
    Primary DC: 192.168.1.6
    Hostname: test.example.com

    Secondary DC: 192.168.1.5
    Hostname: test1.example.com

    So let me assume that you already have a working primary DC. It can be Samba 4 or Windows Server 2008 AD.

    Before you start, always make sure to check the prerequisites.

    On the primary domain controller (test.example.com)
    Verify that the Kerberos config file on your PDC has the entries shown below:
    [root@test ~]# cat /etc/krb5.conf
    [libdefaults]
            default_realm = EXAMPLE.COM
            dns_lookup_realm = true
            dns_lookup_kdc = true

    Update your resolv.conf with the address of your DNS server, which should be your PDC, as in my case:
    [root@test ~]# cat /etc/resolv.conf
    search example.com
    nameserver 192.168.1.6

    On the secondary domain controller (test1.example.com)
    Update your resolv.conf with the same DNS server as used on your PDC (Primary Domain Controller):
    [root@test1 ~]# cat /etc/resolv.conf
    search example.com
    nameserver 192.168.1.6

    To prepare an SDC (Secondary Domain Controller) you will have to build and configure Samba 4.1 on this server as well. You can follow the article below for configuring Samba 4.1; these are the steps you need to do:
    Samba 4.1 as Active Directory
    1. Download Samba 4.1
    2. Configure
    3. make && make install
    4. Remove /usr/local/samba/etc/smb.conf file
    IMPORTANT NOTE:
    Do not run the provision step for Samba 4.1
    Run the below command as root
    [root@test1 samba-4.1.4]# samba-tool domain join example.com DC -Uadministrator --realm=example.com
    Finding a writeable DC for domain 'example.com'
    Found DC test.example.com
    Password for [EXAMPLE\administrator]: [Give your PDC password]
    NO DNS zone information found in source domain, not replicating DNS
    workgroup is EXAMPLE
    realm is example.com
    checking sAMAccountName
    Adding CN=TEST1,OU=Domain Controllers,DC=example,DC=com
    Adding CN=TEST1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
    Adding CN=NTDS Settings,CN=TEST1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
    Adding SPNs to CN=TEST1,OU=Domain Controllers,DC=example,DC=com
    Setting account password for TEST1$
    Enabling account
    Calling bare provision
    No IPv6 address will be assigned
    ldb: module schema_load initialization failed : No such object
    ldb: module rootdse initialization failed : No such object
    ldb: module samba_dsdb initialization failed : No such object
    ldb: Unable to load modules for /usr/local/samba/private/sam.ldb: (null)
    samdb_connect failed
    VFS connect failed!
    Join failed - cleaning up
    checking sAMAccountName
    Deleted CN=TEST1,OU=Domain Controllers,DC=example,DC=com
    Deleted CN=NTDS Settings,CN=TEST1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
    Deleted CN=TEST1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
    ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -ProvisioningError: Your filesystem or build does not support posix ACLs, which s3fs requires.  Try the mounting the filesystem with the 'acl' option.
    File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
    File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/domain.py", line 552, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
    File "/usr/local/samba/lib/python2.6/site-packages/samba/join.py", line 1172, in join_DC
    ctx.do_join()
    File "/usr/local/samba/lib/python2.6/site-packages/samba/join.py", line 1076, in do_join
    ctx.join_provision()
    File "/usr/local/samba/lib/python2.6/site-packages/samba/join.py", line 727, in join_provision
    use_ntvfs=ctx.use_ntvfs, dns_backend=ctx.dns_backend)
    File "/usr/local/samba/lib/python2.6/site-packages/samba/provision/__init__.py", line 2052, in provision
    raise ProvisioningError("Your filesystem or build does not support posix ACLs, which s3fs requires.  Try the mounting the filesystem with the 'acl' option.")
    On the first attempt I got the above error:
    Error:
    Your filesystem or build does not support posix ACLs, which s3fs requires.  Try the mounting the filesystem with the 'acl' option.
    There are two solutions for this.

    Solution 1:
    Your filesystem does not support ACLs, so you will have to remount your filesystem with the acl and user_xattr options.

    Make sure these two RPMs are installed on your server:
    [root@test ~]# rpm -qa|grep libattr
    libattr-2.4.44-7.el6.i686
    libattr-devel-2.4.44-7.el6.i686

    [root@test ~]# rpm -qa|grep libacl
    libacl-2.2.49-6.el6.i686
    libacl-devel-2.2.49-6.el6.i686

    Secondly, remount your filesystem (for me the root partition is /dev/mapper/VolGroup-root; make the necessary changes for your partition):
    # mount -o remount,acl,user_xattr /dev/mapper/VolGroup-root
    To make the change permanent, update your fstab file:
    # cat /etc/fstab
    /dev/mapper/VolGroup-root     /      ext4    defaults,acl,user_xattr     1 1

    NOTE: Since this is a change at the kernel level, the kernel has to boot for the change to take effect. Reboot your system and try again.
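A pre-flight check for Solution 1, added here as an example (it is not from the original post): it reads /proc/mounts-style text to report whether acl and user_xattr are active on a mount point, and adds them to an fstab entry without duplicating options. The mount table below is constructed; the fstab line is the post's own.

```python
"""Check the mount options behind the 'posix ACLs' error and patch fstab.
Added example (not from the post). PROC_MOUNTS_SAMPLE is constructed."""

REQUIRED = ("acl", "user_xattr")

# Constructed /proc/mounts content: root lacks the options, /boot has them.
PROC_MOUNTS_SAMPLE = """\
/dev/mapper/VolGroup-root / ext4 rw,relatime,barrier=1,data=ordered 0 0
proc /proc proc rw,relatime 0 0
/dev/sda1 /boot ext4 rw,relatime,acl,user_xattr,barrier=1 0 0
"""

# The fstab entry from the post, before the fix.
FSTAB_SAMPLE = "/dev/mapper/VolGroup-root     /      ext4    defaults     1 1"


def mount_options(proc_mounts_text, mountpoint):
    """Set of active options for `mountpoint`, or None if it is not mounted."""
    for line in proc_mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == mountpoint:
            return set(fields[3].split(","))
    return None


def missing_options(proc_mounts_text, mountpoint):
    """Which of acl / user_xattr are not active on the mounted filesystem.
    Caveat: on kernels where ext4 enables acl by default the option is not
    listed in /proc/mounts, so a non-empty result is a hint, not proof;
    setfacl on a scratch file is the definitive test."""
    opts = mount_options(proc_mounts_text, mountpoint)
    if opts is None:
        raise ValueError("mountpoint %s not found" % mountpoint)
    return [o for o in REQUIRED if o not in opts]


def add_fstab_options(fstab_line, extra=REQUIRED):
    """Append the missing options to the 4th (options) field of an fstab
    entry, idempotently, so the change survives a reboot."""
    fields = fstab_line.split()
    if len(fields) < 4 or fields[0].startswith("#"):
        raise ValueError("not an fstab entry: %r" % fstab_line)
    opts = fields[3].split(",")
    for o in extra:
        if o not in opts:
            opts.append(o)
    fields[3] = ",".join(opts)
    return "  ".join(fields)
```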

    Solution 2:
    Use the extra parameter --use-ntvfs to skip the above work, for example on a production server where you will not be allowed to reboot.
    [root@test1 ~]# samba-tool domain join example.com DC -Uadministrator --realm=example.com --use-ntvfs
    Finding a writeable DC for domain 'example.com'
    Found DC test.example.com
    Password for [EXAMPLE\administrator]: [Give your PDC password]
    NO DNS zone information found in source domain, not replicating DNS
    workgroup is EXAMPLE
    realm is example.com
    checking sAMAccountName
    Adding CN=TEST1,OU=Domain Controllers,DC=example,DC=com
    Adding CN=TEST1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
    Adding CN=NTDS Settings,CN=TEST1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
    Adding SPNs to CN=TEST1,OU=Domain Controllers,DC=example,DC=com
    Setting account password for TEST1$
    Enabling account
    Calling bare provision
    No IPv6 address will be assigned
    Provision OK for domain DN DC=example,DC=com
    Starting replication
    Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[402/1550] linked_values[0/0]
    Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[804/1550] linked_values[0/0]
    Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[1206/1550] linked_values[0/0]
    Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[1550/1550] linked_values[0/0]
    Analyze and apply schema objects
    Partition[CN=Configuration,DC=example,DC=com] objects[402/1653] linked_values[0/0]
    Partition[CN=Configuration,DC=example,DC=com] objects[804/1653] linked_values[0/0]
    Partition[CN=Configuration,DC=example,DC=com] objects[1206/1653] linked_values[0/0]
    Partition[CN=Configuration,DC=example,DC=com] objects[1608/1653] linked_values[0/0]
    Partition[CN=Configuration,DC=example,DC=com] objects[1653/1653] linked_values[20/0]
    Replicating critical objects from the base DN of the domain
    Partition[DC=example,DC=com] objects[98/98] linked_values[23/0]
    Partition[DC=example,DC=com] objects[394/296] linked_values[23/0]
    Done with always replicated NC (base, config, schema)
    Committing SAM database
    Sending DsReplicateUpdateRefs for all the replicated partitions
    Setting isSynchronized and dsServiceName
    Setting up secrets database
    Joined domain EXAMPLE (SID S-1-5-21-2036099725-333104617-2937475635) as a DC
    As you see above, we have successfully joined test1 to the domain as an SDC.

    The next step is to make sure that the hostname of your SDC is resolvable in DNS.

    On the DNS server (192.168.1.6)
    [root@test ~]# nslookup test1.example.con
    Server:         192.168.1.6
    Address:        192.168.1.6#53

    ** server can't find test1.example.con: NXDOMAIN

    As you see, the hostname of our SDC is currently not resolvable, so let's add an entry for it on your Samba 4 DNS server:
    [root@test ~]# vi /usr/local/samba/private/dns/example.com.zone
    (Add the entry at the last line)
    test1           IN A    192.168.1.5
    Save and exit

    Restart the named service:
    [root@test ~]# service named restart
    Stopping named: .                                          
    [  OK  ]
    Starting named:                                            [  OK  ]

    Now retry resolving the hostname:
    [root@test1 ~]# nslookup test1.example.com
    Server:         192.168.1.6
    Address:        192.168.1.6#53

    Name:   test1.example.com
    Address: 192.168.1.5

    So we are good to move to the next step.

    Verify that the objectGUID is resolvable to the new hostname. Run the below command:
    [root@test1 ~]# ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
    # record 1
    dn: CN=NTDS Settings,CN=TEST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
    objectGUID: 74b975bc-c25c-4ce7-9773-fe3f6eb1b903

    record 2
    dn: CN=NTDS Settings,CN=TEST1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
    objectGUID: 607bc2dc-0754-49e3-aa37-9be403d0cc33
    Here my objectGUID for test1.example.com is record 2, which is 607bc2dc-0754-49e3-aa37-9be403d0cc33.

    Now this objectGUID should resolve using the below command:
    [root@test ~]# host -t CNAME 607bc2dc-0754-49e3-aa37-9be403d0cc33._msdcs.example.com.
    Host 607bc2dc-0754-49e3-aa37-9be403d0cc33._msdcs.example.com. not found: 3(NXDOMAIN)

    But since there is no DNS entry for it, it does not resolve.

    You can update your DNS record using the below command:
    # samba-tool dns add IP-of-your-DNS _msdcs.samdom.example.com 607bc2dc-0754-49e3-aa37-9be403d0cc33 CNAME test1.example.com -Uadministrator
    But for me, unfortunately, the above command was throwing an error, so I had to update the DNS CNAME record manually.

    So in case you are also facing the same issue, follow the below steps to manually update your zone file in DNS:
    [root@test ~]# vi /usr/local/samba/private/dns/example.com.zone
    Add a new entry at the last line of the file:
    607bc2dc-0754-49e3-aa37-9be403d0cc33._msdcs.example.com. IN CNAME test1

    [root@test ~]# service named restart
    Stopping named: .                                         
     [  OK  ]
    Starting named:                                            [  OK  ]

    Now retry the below command:
    [root@test ~]# host -t CNAME 607bc2dc-0754-49e3-aa37-9be403d0cc33._msdcs.example.com.
    607bc2dc-0754-49e3-aa37-9be403d0cc33._msdcs.example.com is an alias for test1.example.com.
    Well, that fixed one of our problems, so moving on to the next step.
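The record derivation above, as an added example in Python (not from the post or from Samba): it parses the ldbsearch output for the NTDS Settings objects and, for each DC, emits the A record and the <objectGUID>._msdcs CNAME zone lines in the form the post adds by hand, plus the samba-tool equivalent. The DC-to-address map is an assumption taken from the post's lab.

```python
"""Derive the DNS entries each DC needs from ldbsearch output (added example,
not from the post). LDBSEARCH_SAMPLE is built from the post's two records;
DC_ADDRESSES is assumed from the post's lab."""
import re

LDBSEARCH_SAMPLE = """\
# record 1
dn: CN=NTDS Settings,CN=TEST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
objectGUID: 74b975bc-c25c-4ce7-9773-fe3f6eb1b903

# record 2
dn: CN=NTDS Settings,CN=TEST1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
objectGUID: 607bc2dc-0754-49e3-aa37-9be403d0cc33
"""

DC_ADDRESSES = {"test": "192.168.1.6", "test1": "192.168.1.5"}   # assumed lab values

GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")
NTDS_RE = re.compile(r"^CN=NTDS Settings,CN=([^,]+),CN=Servers,")


def parse_ntds_records(text):
    """(dc_short_name, objectGUID) pairs from the LDIF-style ldbsearch output."""
    records, dn = [], None
    for line in text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("objectGUID: ") and dn:
            guid = line[len("objectGUID: "):].strip().lower()
            m = NTDS_RE.match(dn)
            if m and GUID_RE.match(guid):
                records.append((m.group(1).lower(), guid))
            dn = None
    return records


def zone_entries(records, realm, addresses):
    """Zone-file lines for the BIND flat-file backend used in the post: an A
    record plus the <objectGUID>._msdcs CNAME for every DC. Refuses to emit a
    CNAME for a DC whose address is unknown, since the alias would dangle."""
    lines = []
    for name, guid in records:
        if name not in addresses:
            raise KeyError("no address for DC %s" % name)
        lines.append("%-15s IN A     %s" % (name, addresses[name]))
        lines.append("%s._msdcs.%s. IN CNAME %s" % (guid, realm, name))
    return lines


def samba_tool_commands(records, realm, dns_server):
    """The samba-tool form the post quotes, with the zone taken from the realm
    rather than the wiki's samdom.example.com placeholder."""
    return ["samba-tool dns add %s _msdcs.%s %s CNAME %s.%s -Uadministrator"
            % (dns_server, realm, guid, name, realm) for name, guid in records]
```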

    Finally, add the IP of your SDC (192.168.1.5 in our case) to the resolv.conf of the SDC itself:
    [root@test1 ~]# cat /etc/resolv.conf
    search example.com
    nameserver 192.168.1.6
    nameserver 192.168.1.5


    Starting Samba

    Start Samba the same way as you did on the PDC:
    # samba

    [root@test1 ~]# ps -ef | grep samba
    root      2957     1  0 11:06 ?        00:00:00 samba
    root      2958  2957  0 11:06 ?        00:00:00 samba
    root      2959  2957  0 11:06 ?        00:00:03 samba
    root      2960  2957  0 11:06 ?        00:00:00 samba
    root      2961  2957  0 11:06 ?        00:00:00 samba
    root      2962  2957  0 11:06 ?        00:00:01 samba
    root      2963  2957  0 11:06 ?        00:00:00 samba
    root      2964  2957  0 11:06 ?        00:00:00 samba
    root      2965  2958  0 11:06 ?        00:00:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
    root      2966  2957  0 11:06 ?        00:00:00 samba
    root      2967  2957  0 11:06 ?        00:00:00 samba
    root      2968  2957  0 11:06 ?        00:00:00 samba
    root      2969  2957  0 11:06 ?        00:00:00 samba
    root      2970  2957  0 11:06 ?        00:00:00 samba
    root      2973  2965  0 11:06 ?        00:00:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
    root      3524  2703  0 11:18 pts/0    00:00:00 grep samba

    # kinit administrator@EXAMPLE.COM
    Password for administrator@EXAMPLE.COM:
    [Give password for Administrator]
    Warning: Your password will expire in 41 days on Mon Mar 31 13:44:36 2014

    Now it is time to see whether replication is working between both domain controllers, so that any change made on one DC is reflected on the other.

    To verify this, run the below command:
    [root@test1 ~]# samba-tool drs showrepl
    Failed to connect host 192.168.1.5 on port 135 - NT_STATUS_CONNECTION_REFUSED
    Failed to connect host 192.168.1.5 (test1.example.com) on port 135 - NT_STATUS_CONNECTION_REFUSED.
    ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to test1.example.com failed - drsException: DRS connection to test1.example.com failed: (-1073741258, 'The connection was refused')
      File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/drs.py", line 39, in drsuapi_connect
        (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
      File "/usr/local/samba/lib/python2.6/site-packages/samba/drs_utils.py", line 54, in drsuapi_connect
        raise drsException("DRS connection to %s failed: %s" % (server, e))

    The first time I ran this command I got the above error, so I dug around a little for the possible reason:
    [root@test1 ~]# cat /var/log/messages | grep 135

    Feb 17 15:15:58 test samba[1207]:
    Failed to connect host 192.168.1.6 on port 135 - NT_STATUS_CONNECTION_REFUSED
    Feb 17 15:15:58 test samba[1207]: Failed to connect host 192.168.1.6 (74b975bc-c25c-4ce7-9773-fe3f6eb1b903._msdcs.example.com) on port 135 - NT_STATUS_CONNECTION_REFUSED.

    Then, just to be sure:
    [root@test1 ~]# telnet localhost 135
    Trying ::1...
    telnet: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    telnet: connect to address 127.0.0.1:
    Connection refused

    Then I checked my SELinux configuration, which was in enforcing mode:
    [root@test1 ~]# cat /etc/selinux/config

    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #     enforcing - SELinux security policy is enforced.
    #     permissive - SELinux prints warnings instead of enforcing.
    #     disabled - No SELinux policy is loaded.
    SELINUX=disabled
    # SELINUXTYPE= can take one of these two values:
    #     targeted - Targeted processes are protected,
    #     mls - Multi Level Security protection.
    SELINUXTYPE=targeted

    Change it to the disabled state and reboot the system.
    Now retry the same:
    [root@test1 ~]# telnet localhost 135
    Trying ::1...
    telnet: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.

    Escape character is '^]'.
    ^]
    telnet> quit
    Connection closed.
    So port 135 is now in listening state.

    Also check the below link to configure iptables rules for your Samba 4.1

    Again I ran the below command:
    [root@test1 ~]# samba-tool drs showrepl
    Default-First-Site-Name\TEST1
    DSA Options: 0x00000001
    DSA object GUID: 607bc2dc-0754-49e3-aa37-9be403d0cc33
    DSA invocationId: 7899d780-9c0c-4cfc-adae-ba8c63790cf0

    ==== INBOUND NEIGHBORS ====

    ERROR(runtime): DsReplicaGetInfo of type 0 failed - (-1073610723, 'NT_STATUS_RPC_PROTOCOL_ERROR')
    The next time I got the above error:

    Error:
    NT_STATUS_RPC_PROTOCOL_ERROR

    Solution:
    When I checked the running processes it looked like my Samba services had not started properly. So I restarted my Samba services and everything worked fine after that:
    [root@test1 ~]# samba-tool drs showrepl
    Default-First-Site-Name\TEST1
    DSA Options: 0x00000001
    DSA object GUID: 607bc2dc-0754-49e3-aa37-9be403d0cc33
    DSA invocationId: 7899d780-9c0c-4cfc-adae-ba8c63790cf0
    
    ==== INBOUND NEIGHBORS ====
    
    DC=example,DC=com
    Default-First-Site-Name\TEST via RPC
    DSA object GUID: 74b975bc-c25c-4ce7-9773-fe3f6eb1b903
    Last attempt @ Tue Feb 18 10:59:58 2014 IST failed, result 2 (WERR_BADFILE)
    1 consecutive failure(s).
    Last success @ Tue Feb 18 10:35:58 2014 IST
    
    CN=Configuration,DC=example,DC=com
    Default-First-Site-Name\TEST via RPC
    DSA object GUID: 74b975bc-c25c-4ce7-9773-fe3f6eb1b903
    Last attempt @ Tue Feb 18 10:59:58 2014 IST failed, result 2 (WERR_BADFILE)
    1 consecutive failure(s).
    Last success @ Tue Feb 18 10:35:57 2014 IST
    
    CN=Schema,CN=Configuration,DC=example,DC=com
    Default-First-Site-Name\TEST via RPC
    DSA object GUID: 74b975bc-c25c-4ce7-9773-fe3f6eb1b903
    Last attempt @ Tue Feb 18 10:59:58 2014 IST failed, result 2 (WERR_BADFILE)
    1 consecutive failure(s).
    Last success @ Tue Feb 18 10:35:53 2014 IST
    
    ==== OUTBOUND NEIGHBORS ====
    
    ==== KCC CONNECTION OBJECTS ====
    
    Connection --
    Connection name: 77f4ad2e-ddca-4584-8d8c-7efbd1f7d93c
    Enabled        : TRUE
    Server DNS name : test.example.com
    Server DN name  : CN=NTDS Settings,CN=TEST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
    TransportType: RPC
    options: 0x00000001
    So all looks good; let us verify our configuration.
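A parser for the showrepl output above, added as an example (not the post's or Samba's code): it extracts each inbound neighbour's last-attempt result and failure count so the WERR_BADFILE state above, or the earlier NT_STATUS_RPC_PROTOCOL_ERROR, can be flagged by a monitoring job instead of read by eye. The sample text is built from the post's output with one partition changed to the successful form.

```python
"""Health check over `samba-tool drs showrepl` output (added example, not the
post's or Samba's code). The sample is built from the post's output; the
second partition was changed to the 'was successful' form so both outcomes
are exercised, and the RPC error case is the post's first, failing run."""
import re

INBOUND = "==== INBOUND NEIGHBORS ===="
OUTBOUND = "==== OUTBOUND NEIGHBORS ===="

SHOWREPL_SAMPLE = r"""Default-First-Site-Name\TEST1
DSA Options: 0x00000001
DSA object GUID: 607bc2dc-0754-49e3-aa37-9be403d0cc33
DSA invocationId: 7899d780-9c0c-4cfc-adae-ba8c63790cf0

==== INBOUND NEIGHBORS ====

DC=example,DC=com
    Default-First-Site-Name\TEST via RPC
        DSA object GUID: 74b975bc-c25c-4ce7-9773-fe3f6eb1b903
        Last attempt @ Tue Feb 18 10:59:58 2014 IST failed, result 2 (WERR_BADFILE)
        1 consecutive failure(s).
        Last success @ Tue Feb 18 10:35:58 2014 IST

CN=Configuration,DC=example,DC=com
    Default-First-Site-Name\TEST via RPC
        DSA object GUID: 74b975bc-c25c-4ce7-9773-fe3f6eb1b903
        Last attempt @ Tue Feb 18 10:59:58 2014 IST was successful
        0 consecutive failure(s).
        Last success @ Tue Feb 18 10:59:58 2014 IST

==== OUTBOUND NEIGHBORS ====
"""

SHOWREPL_RPC_ERROR = """==== INBOUND NEIGHBORS ====

ERROR(runtime): DsReplicaGetInfo of type 0 failed - (-1073610723, 'NT_STATUS_RPC_PROTOCOL_ERROR')
"""


def parse_inbound(text):
    """One dict per inbound neighbour block; RuntimeError if the section holds
    an ERROR line instead (the DsReplicaGetInfo failure seen in the post)."""
    if INBOUND not in text:
        raise ValueError("no inbound neighbours section in showrepl output")
    section = text.split(INBOUND, 1)[1].split(OUTBOUND, 1)[0]
    neighbours, current = [], None
    for raw in section.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("ERROR"):
            raise RuntimeError(line)
        if not raw[:1].isspace():        # unindented line: a naming context DN
            current = {"partition": line, "ok": None, "error": None, "failures": 0}
            neighbours.append(current)
        elif current is None:
            continue
        elif " via " in line:            # "<site>\<dc> via RPC"
            current["source"], current["transport"] = line.split(" via ", 1)
        elif line.startswith("Last attempt @ "):
            m = re.search(r"failed, result (\d+) \((\w+)\)$", line)
            current["ok"] = m is None    # the other form ends in "was successful"
            current["error"] = m.group(2) if m else None
        elif line.endswith("consecutive failure(s)."):
            current["failures"] = int(line.split()[0])
        elif line.startswith("Last success @ "):
            current["last_success"] = line[len("Last success @ "):]
    return neighbours


def replication_status(text, max_failures=0):
    """Summary a monitoring job can alert on: the RPC-level error, if any, and
    the partitions whose last pull failed or exceeded max_failures."""
    try:
        neighbours = parse_inbound(text)
    except RuntimeError as e:
        return {"rpc_error": str(e), "unhealthy": [], "neighbours": []}
    bad = [n["partition"] for n in neighbours
           if n["ok"] is False or n["failures"] > max_failures]
    return {"rpc_error": None, "unhealthy": bad, "neighbours": neighbours}
```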

    On a Windows client machine

    Open the Active Directory Users and Computers console.

    You should be connected to the domain example.com.
    Click on Action and select "Change Domain Controller" as shown below.

    Here you should be able to see your available domain controllers and their status; as shown below, in my case both DCs are online.

    You can switch to either DC using these steps.

    Now I tried to add a user on the SDC (test1.example.com) using the CLI:
    [root@test1 ~]# samba-tool user add test
    New Password:
    Retype Password:
    User 'test' created successfully

    [root@test1 ~]# samba-tool user list
    Administrator
    dns-test
    krbtgt
    Guest
    test

    On the PDC (test.example.com)
    [root@test ~]# samba-tool user list
    Administrator
    dns-test
    krbtgt
    Guest
    test
    The same user appeared on my PDC as well, so our replication is working. You can test the same from either domain controller.

    But again, as I said at the beginning of this article, this is NOT a backup domain controller; it is a secondary domain controller. I am waiting for the Samba 4 developers to come up with a backup domain controller option as well.

    Please let me know your success and failures.

    27 comments:

    1. Hello,
      Getting an error while adding the SDC:

      root@srv-03:~# /usr/local/samba/bin/samba-tool domain join syed.local DC -UAdministrator --realm=syed.local
      Finding a writeable DC for domain 'syed.local'
      Found DC SRV-01.syed.local
      Password for [WORKGROUP\Administrator]:
      Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
      Failed to connect to 'ldap://SRV-01.syed.local' with backend 'ldap': (null)
      ERROR(ldb): uncaught exception - None

      Replies
      1. Hello Syed,

        It would be hard to guess the right place to look for. But you can start with checking all the pre-requisites, time sync between server/client, kerberos setting etc

        Thanks
        Deepak

    2. Can you please explain the difference between a back-up and a secondary domain controller?

      Replies
      1. A BDC can be pushed to become a PDC in case any failure occurs on the latter. But in the above case the SDC is using the DNS server of the primary domain server and in case of failure the DNS will stop working making it unable to connect the PDC.

        An SDC like this can be used for reducing high loads where multiple users are simultaneously accessing the PDC but not as a backup domain controller.

      2. Great, I want to reduce network traffic over a WAN link;
        the PDC is always available but on a slow connection.

      3. In that case the speed depends on the WAN link speed and also on many other factors as no. of concurrent connections, usage etc.

        You can configure an SDC at the remote location with the users/groups as per the office branch, so that the logon authentication requests can be taken care of locally instead of routing the traffic over the WAN.

      4. Hi there,

        When the PDC is down and not working anymore you can seize all the fsmo roles to the SDC to make it primary. On both servers bind must be running.

        https://wiki.samba.org/index.php/Flexible_Single-Master_Operations_(FSMO)_roles

        Cheers from switzerland

      5. Hi there,

        I had the same problem as you. Since I have transferred all the FSMO roles to the SDC and then back to the PDC (while both were running), I can now do the tasks which are not affected by the FSMO roles (like creating a new user and logging in with it) while the PDC is not running.

        cheers

      6. Well that brought a smile on my face early morning, Let me give it a try and will update my results on a new article if everything goes fine

        Thanks a ton mate.

        Cheers

      7. There is an additional step:

        For every SRV record in your DNS which points to your PDC, i.e. dc1..., you have to manually create an additional one for your SDC, i.e. dc2... This can be done through the DNS console, available in the Windows RSAT tools.

        Hope this helps you..

        Cheers

      8. Well, the SDC worked fine with transferring of FSMO roles, but the DNS part is confusing: as you see, I have configured my PDC with BIND and not SAMBA_INTERNAL, so in case my PDC goes down the DNS would also not work anymore.

        How are we going to overcome that?

      9. I also use BIND on both DCs. In "/etc/bind/named.conf" add "/var/lib/samba/private/named.conf;" on both servers. Maybe you have another samba path. I use the current debian distribution with sernet samba.

        You can download my documentation here (I will remove it in 20 days):
        https://www.dropbox.com/s/2ucqf6a65ibaq0u/Linux-HA-AD-Domain.pdf?dl=0

        You can also create the SRV records with the samba-tool:
        https://wiki.samba.org/index.php/DNS_Administration

      10. Yeah that makes more sense, ultimately even I had tried the same way using both the DC with BIND. I thought using Samba Internal might work differently but any how we will need DNS on the SDC as well.

        samba-tool can only be used to update the records if you are using SAMBA_INTERNAL; if we are using BIND as the backend DNS then we need to manually update the records in the config file.

        So seems like basically we will have to create a replica of DNS as on PDC for the SDC to properly function

        There are still few things for me to do R&D, will surely go through your doc.

        Thanks

      11. Hello, I have made a short movie.. In my environment the replication of the dns is working.
        https://www.dropbox.com/s/aevs1kgyy2phb0u/24-11-_2014_22-38-32.mp4?dl=0

      12. Hey, I'm really sorry, I have been running a little busy lately so I couldn't get time to go through your document. BTW, thanks a ton for the video.

    3. Hi
      I am trying on Ubuntu 14.0 server with Samba4 and a Windows 2008 R2 DC. I need this Samba4 to act as an additional DC for user authentication. When I try the command samba-tool domain join as DC, it starts the replication of schemas and at the end I get this error,

      Failed to apply records: failed to find GUID for (null) invalid DN syntax
      Failed to commit objects: WERR_GENERAL_Failure
      Join Failed - Cleaning up
      Errr type exceptions : uncaught exception - Failed to process chunk: NT_Status_Unsucessful.

      what could be the reason??

      Replies
      1. I am not very sure about the error but through the little info I found on web it says this error generally pops up if your AD is also running an exchange server.

    4. So if my AD has Exchange, Samba4 is not able to run?

      If yes, at least can I use my Ubuntu as an LDAP server without Samba, just for user authentication services for my firewall logins?

      If a DC is not possible, I wish to have a local DNS & LDAP server for firewall authentication. Else my remote location firewall looks every time to my local Windows DC for user authentication.

      Replies
      1. Yeah, because from what I found Samba 4 does not have any schemas for Exchange Server.

        For centralized authentication purposes you can use an NIS or LDAP server, whichever you are comfortable with. As I have not worked on LDAP I don't have much experience with it, but NIS works well and you can find plenty of documents for its configuration/troubleshooting compared to LDAP.

    5. Good night from Brazil!

      This works fine for me with internal DNS! But...

      How do I replicate the sysvol and netlogon directories between the PDC and SDC (or BDC) in Samba 4?

      Gracefully

      Replies
      1. Apologies for the late reply

        I believe the sysvol and netlogon policies are also replicated simultaneously. Any how to assign GPO using SDC you will have to switch the domain controller and while doing that in my case I see all the policies are replicated on both the controllers

      2. sysvol replication:
        https://wiki.samba.org/index.php/SysVol_Replication

    6. Are you sure an fstab change is a kernel change requiring a reboot? Once you've remounted it and adjusted fstab so subsequent mounts keep the desired config, that's usually it. If that's changed, I'd love to hear it.

      Maybe resist recommending The Most Unfriendly editor-like app in the world, in a howto. Your intended audience for a how-to doc lacks the neck-beard and proud martyr complex required to persevere with something as unusable as vi. I've had decades of good results from simply recommending anything else.

      Replies
      1. Thanks for your comment. I agree fstab changes do not mandatorily require a reboot unless you are changing/adding some special attributes which would require a reboot. Although adding/removing new partitions can be updated by "mount -a", I don't think assigning new attributes like acl, quota will work without a reboot; please correct me if I am wrong.

        which editor would you recommend instead of vi?

    7. Hi Deepak,

      Great article, but you have mentioned like

      "On the primary domain controller (test.example.com)
      Verify the entry of kerberos config file is as shown below on your PDC
      [root@test ~]# cat /etc/krb5.conf"

      Assuming that the PDC is a Windows machine, how would this work out? Where would the krb5 config file be? This only works if the PDC is also a Linux machine and not Windows.

      Is this correct or am I missing something here.

    8. Good article and right to the point. I don’t know if this is really the best place to ask but do you folks have any thoughts on where to employ some professional writers? Thanks in advance
