How to configure Samba 4 as Secondary Domain Controller


I have written one more article with the steps to configure FreeIPA server and client which can also act as an alternate to Microsoft Active Directory. And since FreeIPA is a GUI based, it can be a better alternative then Samba4.

I started reading Samba4 Join a DC article with a belief that it shows the steps required to configure a backup domain controller for our PDC in Samba 4. (Please correct me if I am wrong).

But when I studied in depth I came to the conclusion that it was guiding us to create a secondary domain controller and not a backup dc.

Still I tried to configure the same using the steps as provided on that article and as to my belief I ended up configuring a secondary dc rather than a backup dc.

NOTE: This article guides you to configure secondary domain controller rather than a primary domain controller.

But still I would like to show the steps which I followed and the fix to errors which I faced while configuring the same.
Primary DC: 192.168.1.6
Hostname: test.example.com

Secondary DC: 192.168.1.5
Hostname: test1.example.com
So let me assume that you already have a working primary dc. It can be Samba 4 or Windows Server 2008 AD.

Before you start always make sure to check the pre-requisites

On the primary domain controller (test.example.com)
Verify the entry of kerberos config file is as shown below on your PDC
[root@test ~]# cat /etc/krb5.conf
[libdefaults]
        default_realm = EXAMPLE.COM
        dns_lookup_realm = true
        dns_lookup_kdc = true
Update your resolv.conf with the address of your DNS server which should be your PDC as for me

[root@test ~]# cat /etc/resolv.conf
search example.com
nameserver 192.168.1.6
On the secondary domain controller (test1.example.com)
Update your resolv.conf with the DNS server as used in your PDC (Primary Domain Controller)
[root@test1 ~]# cat /etc/resolv.conf
search example.com
nameserver 192.168.1.6
To prepare a SDC(Secondary Domain Controller) you will have to configure Samba 4.1 in your current server as well. These are the steps you need to do. You can follow the below article for configuring Samba 4.1
Samba 4.1 as Active Directory

  1. Download Samba 4.1
  2. Configure
  3. make && make install
  4. Remove /usr/local/samba/etc/smb.conf file
IMPORTANT NOTE:
Do not run the provision step for Samba 4.1

Run the below command as root

[root@test1 samba-4.1.4]# samba-tool domain join example.com DC -Uadministrator --realm=example.com
Finding a writeable DC for domain 'example.com'
Found DC test.example.com
Password for [EXAMPLEadministrator]: [Give your PDC password]
NO DNS zone information found in source domain, not replicating DNS
workgroup is EXAMPLE
realm is example.com
checking sAMAccountName
Adding CN=TEST1,OU=Domain Controllers,DC=example,DC=com
Adding CN=TEST1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Adding CN=NTDS Settings,CN=TEST1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Adding SPNs to CN=TEST1,OU=Domain Controllers,DC=example,DC=com
Setting account password for TEST1$
Enabling account
Calling bare provision
No IPv6 address will be assigned
ldb: module schema_load initialization failed : No such object
ldb: module rootdse initialization failed : No such object
ldb: module samba_dsdb initialization failed : No such object
ldb: Unable to load modules for /usr/local/samba/private/sam.ldb: (null)
samdb_connect failed
VFS connect failed!
Join failed - cleaning up
checking sAMAccountName
Deleted CN=TEST1,OU=Domain Controllers,DC=example,DC=com
Deleted CN=NTDS Settings,CN=TEST1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Deleted CN=TEST1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -ProvisioningError: Your filesystem or build does not support posix ACLs, which s3fs requires.  Try the mounting the filesystem with the 'acl' option.
File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
return self.run(*args, **kwargs)
File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/domain.py", line 552, in run
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
File "/usr/local/samba/lib/python2.6/site-packages/samba/join.py", line 1172, in join_DC
ctx.do_join()
File "/usr/local/samba/lib/python2.6/site-packages/samba/join.py", line 1076, in do_join
ctx.join_provision()
File "/usr/local/samba/lib/python2.6/site-packages/samba/join.py", line 727, in join_provision
use_ntvfs=ctx.use_ntvfs, dns_backend=ctx.dns_backend)
File "/usr/local/samba/lib/python2.6/site-packages/samba/provision/__init__.py", line 2052, in provision
raise ProvisioningError("Your filesystem or build does not support posix ACLs, which s3fs requires.  Try the mounting the filesystem with the 'acl' option.")

In the first attempt I got the above error

Error:
Your filesystem or build does not support posix ACLs, which s3fs requires.  Try the mounting the filesystem with the 'acl' option."
There are two solutions for this

Solution 1:
Your filesystem does not supports acl so you will have to remount your fs with acl, user_xattr parameter

Make sure these two rpms are installed in your server
[root@test ~]# rpm -qa|grep libattr
libattr-2.4.44-7.el6.i686
libattr-devel-2.4.44-7.el6.i686

[root@test ~]# rpm -qa|grep libacl
libacl-2.2.49-6.el6.i686
libacl-devel-2.2.49-6.el6.i686

Secondly remount your filesystem (For me my root partition is /dev/mapper/VolGroup-root. Make necessary changes as per your partition)

# mount -o remount,acl,user_xattr /dev/mapper/VolGroup-root
For making permanent changes update your fstab file
# cat /etc/fstab
/dev/mapper/VolGroup-root     /      ext4    defaults,
acl,user_xattr     1 1

NOTE: Since this is something which you are making change in the kernel so the kernel has to boot to take the changes affect. Reboot your system and try again

Solution 2:
Use an extra parameter --use-ntvfs to skip the above work in case it is a production server as you will not be allowed to reboot a prod server.

[root@test1 ~]# samba-tool domain join example.com DC -Uadministrator --realm=example.com --use-ntvfs
Finding a writeable DC for domain 'example.com'
Found DC test.example.com
Password for [EXAMPLEadministrator]: [Give your PDC password]
NO DNS zone information found in source domain, not replicating DNS
workgroup is EXAMPLE
realm is example.com
checking sAMAccountName
Adding CN=TEST1,OU=Domain Controllers,DC=example,DC=com
Adding CN=TEST1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Adding CN=NTDS Settings,CN=TEST1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Adding SPNs to CN=TEST1,OU=Domain Controllers,DC=example,DC=com
Setting account password for TEST1$
Enabling account
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=example,DC=com
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=example,DC=com] objects[402/1653] linked_values[0/0]
Partition[CN=Configuration,DC=example,DC=com] objects[804/1653] linked_values[0/0]
Partition[CN=Configuration,DC=example,DC=com] objects[1206/1653] linked_values[0/0]
Partition[CN=Configuration,DC=example,DC=com] objects[1608/1653] linked_values[0/0]
Partition[CN=Configuration,DC=example,DC=com] objects[1653/1653] linked_values[20/0]
Replicating critical objects from the base DN of the domain
Partition[DC=example,DC=com] objects[98/98] linked_values[23/0]
Partition[DC=example,DC=com] objects[394/296] linked_values[23/0]
Done with always replicated NC (base, config, schema)
Committing SAM database
Sending DsReplicateUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain EXAMPLE (SID S-1-5-21-2036099725-333104617-2937475635) as a DC
As you see above we have successfully joined our PDC as a SDC.

Now next step is to make sure your hostname for SDC is resolvable on the DNS

On DNS server (192.168.1.6)
[root@test ~]# nslookup test1.example.con
Server:         192.168.1.6
Address:        192.168.1.6#53

** server can't find test1.example.con: NXDOMAIN

As you see currently our hostname for SDC is not resolvable so lets make an entry for the same on your samba4 dns server
[root@test ~]# vi /usr/local/samba/private/dns/example.com.zone
(Make an entry in last line)
test1           IN A    192.168.1.5
Save and exit

Restart the named services
[root@test ~]# service named restart
Stopping named: .                                          
[  OK  ]
Starting named:                                            [  OK  ]

Now retry to resolve the hostname

[root@test1 ~]# nslookup test1.example.com
Server:         192.168.1.6
Address:        192.168.1.6#53

Name:   test1.example.com
Address: 192.168.1.5

So we are good to move to the next step now

Verify if the objectGUID is resolvable to the new hostname, Run the below command

[root@test1 ~]# ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
# record 1
dn: CN=NTDS Settings,CN=TEST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
objectGUID: 74b975bc-c25c-4ce7-9773-fe3f6eb1b903

record 2
dn: CN=NTDS Settings,CN=TEST1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
objectGUID: 607bc2dc-0754-49e3-aa37-9be403d0cc33

Here my objectUID for test1.example.com is record2 which is 607bc2dc-0754-49e3-aa37-9be403d0cc33
Now this objectUID should resolve using the below command

[root@test ~]# host -t CNAME 607bc2dc-0754-49e3-aa37-9be403d0cc33._msdcs.example.com.
Host 607bc2dc-0754-49e3-aa37-9be403d0cc33._msdcs.example.com. not found: 3(NXDOMAIN)

But since there is no DNS entry for the same it is not getting resolved.

You can update your DNS record using the below command

# samba-tool dns add IP-of-your-DNS _msdcs.samdom.example.com 607bc2dc-0754-49e3-aa37-9be403d0cc33 CNAME test1.example.com -Uadministrator

But for me unfortunately the above command was throwing error so I had to manually update the DNS CNAME record.

So In case you are also facing the same issue follow the below steps to manually update your zone file in DNS

[root@test ~]# vi /usr/local/samba/private/dns/example.com.zone
Make a new entry at the last line of the file
607bc2dc-0754-49e3-aa37-9be403d0cc33._msdcs.example.com. IN CNAME test1

[root@test ~]# service named restart
Stopping named: .                                         
 [  OK  ]
Starting named:                                            [  OK  ]

Now again retry to run the below command
[root@test ~]# host -t CNAME 607bc2dc-0754-49e3-aa37-9be403d0cc33._msdcs.example.com.
607bc2dc-0754-49e3-aa37-9be403d0cc33._msdcs.example.com is an alias for test1.example.com.
Well that fixed one of our problem so moving to the next step
Finally update the IP of your SDC in your resolv.conf of the same server which for our case is 192.168.1.5

[root@test1 ~]# cat /etc/resolv.conf
search example.com
nameserver 192.168.1.6
nameserver 192.168.1.5

Starting Samba

You have to follow the same step to start samba as used in PDC

# samba
[root@test1 ~]# ps -ef | grep samba
root      2957     1  0 11:06 ?        00:00:00 samba
root      2958  2957  0 11:06 ?        00:00:00 samba
root      2959  2957  0 11:06 ?        00:00:03 samba
root      2960  2957  0 11:06 ?        00:00:00 samba
root      2961  2957  0 11:06 ?        00:00:00 samba
root      2962  2957  0 11:06 ?        00:00:01 samba
root      2963  2957  0 11:06 ?        00:00:00 samba
root      2964  2957  0 11:06 ?        00:00:00 samba
root      2965  2958  0 11:06 ?        00:00:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root      2966  2957  0 11:06 ?        00:00:00 samba
root      2967  2957  0 11:06 ?        00:00:00 samba
root      2968  2957  0 11:06 ?        00:00:00 samba
root      2969  2957  0 11:06 ?        00:00:00 samba
root      2970  2957  0 11:06 ?        00:00:00 samba
root      2973  2965  0 11:06 ?        00:00:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root      3524  2703  0 11:18 pts/0    00:00:00 grep samba
# kinit administrator@EXAMPLE.COM
Password for administrator@EXAMPLE.COM:
[Give password for Administrator]
Warning: Your password will expire in 41 days on Mon Mar 31 13:44:36 2014

Now it is time to see if the replication is working for both the domain controllers. So that if you make any change on one of the dc the same should reflect on the other dc.
To verify the same run the below command
[root@test1 ~]# samba-tool drs showrepl
Failed to connect host 192.168.1.5 on port 135 - NT_STATUS_CONNECTION_REFUSED
Failed to connect host 192.168.1.5 (test1.example.com) on port 135 - NT_STATUS_CONNECTION_REFUSED.
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to test1.example.com failed - drsException: DRS connection to test1.example.com failed: (-1073741258, 'The connection was refused')
  File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/drs.py", line 39, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/drs_utils.py", line 54, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))
Now first time when I ran this command I got the above error so I did a little bit of dug up to look out for possible reason

[root@test1 ~]# cat /var/log/messages | grep 135

Feb 17 15:15:58 test samba[1207]: Failed to connect host 192.168.1.6 on port 135 - NT_STATUS_CONNECTION_REFUSED
Feb 17 15:15:58 test samba[1207]: Failed to connect host 192.168.1.6 (74b975bc-c25c-4ce7-9773-fe3f6eb1b903._msdcs.example.com) on port 135 - NT_STATUS_CONNECTION_REFUSED.
Then just to be sure
[root@test1 ~]# telnet localhost 135
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1:
Connection refused

Then I checked my selinux which was in enforcing mode.
[root@test1 ~]# cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Change it to disabled state and reboot the system
Now retry the same

[root@test1 ~]# telnet localhost 135
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.

Escape character is '^]'.
^]
telnet> quit
Connection closed.
So now port 135 is in listening state
Also check the below link to configure iptable rules for your Samba 4.1
Again I ran the below command
[root@test1 ~]# samba-tool drs showrepl
Default-First-Site-NameTEST1
DSA Options: 0x00000001
DSA object GUID: 607bc2dc-0754-49e3-aa37-9be403d0cc33
DSA invocationId: 7899d780-9c0c-4cfc-adae-ba8c63790cf0

==== INBOUND NEIGHBORS ====

ERROR(runtime): DsReplicaGetInfo of type 0 failed - (-1073610723, 'NT_STATUS_RPC_PROTOCOL_ERROR')

Next time I was getting the above error
Error:
NT_STATUS_RPC_PROTOCOL_ERROR

Solution:
It looked like my samba services were not started properly when I checked the running processes. So I restarted my samba services and everything worked fine then
[root@test1 ~]# samba-tool drs showrepl
Default-First-Site-NameTEST1
DSA Options: 0x00000001
DSA object GUID: 607bc2dc-0754-49e3-aa37-9be403d0cc33
DSA invocationId: 7899d780-9c0c-4cfc-adae-ba8c63790cf0
==== INBOUND NEIGHBORS ====
DC=example,DC=com
Default-First-Site-NameTEST via RPC
DSA object GUID: 74b975bc-c25c-4ce7-9773-fe3f6eb1b903
Last attempt @ Tue Feb 18 10:59:58 2014 IST failed, result 2 (WERR_BADFILE)
1 consecutive failure(s).
Last success @ Tue Feb 18 10:35:58 2014 IST
CN=Configuration,DC=example,DC=com
Default-First-Site-NameTEST via RPC
DSA object GUID: 74b975bc-c25c-4ce7-9773-fe3f6eb1b903
Last attempt @ Tue Feb 18 10:59:58 2014 IST failed, result 2 (WERR_BADFILE)
1 consecutive failure(s).
Last success @ Tue Feb 18 10:35:57 2014 IST
CN=Schema,CN=Configuration,DC=example,DC=com
Default-First-Site-NameTEST via RPC
DSA object GUID: 74b975bc-c25c-4ce7-9773-fe3f6eb1b903
Last attempt @ Tue Feb 18 10:59:58 2014 IST failed, result 2 (WERR_BADFILE)
1 consecutive failure(s).
Last success @ Tue Feb 18 10:35:53 2014 IST
==== OUTBOUND NEIGHBORS ====
==== KCC CONNECTION OBJECTS ====
Connection --
Connection name: 77f4ad2e-ddca-4584-8d8c-7efbd1f7d93c
Enabled        : TRUE
Server DNS name : test.example.com
Server DN name  : CN=NTDS Settings,CN=TEST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
TransportType: RPC
options: 0x00000001
So, all looks good to verify our configuration.

On Windows client machine

Open the Active Directory User management console
You should be connected to the domain example.com
Click on Action and select "Change Domain Controller" as shown below
Here you should be able to see your available domain controllers and their status as shown below for my case both my dc are online.

You can switch to either dc using these steps
Now I tried to add a user on SDC(test1.example.com) using CLI
[root@test1 ~]# samba-tool user add test
New Password:
Retype Password:
User 'test' created successfully

[root@test1 ~]# samba-tool user list
Administrator
dns-test
krbtgt
Guest
test


On PDC (test.example.com)
[root@test ~]# samba-tool user list
Administrator
dns-test
krbtgt
Guest
test
So the same user appeared on my PDC as well so our replication is working good. The same you can test from either domain controller.

But again as I had told in the beginning of this article this is NOT a backup domain controller, it is a secondary domain controller. I am waiting for Samba 4 developers to come up with a backup domain controller option as well.
Please let me know your success and failures.

28 thoughts on “How to configure Samba 4 as Secondary Domain Controller”

  1. Hello,
    Getting error while adding SDC
    root@srv-03:~# /usr/local/samba/bin/samba-tool domain join syed.local DC -UAdministrator –realm=syed.local
    Finding a writeable DC for domain 'syed.local'
    Found DC SRV-01.syed.local
    Password for [WORKGROUPAdministrator]:
    Failed to bind – LDAP client internal error: NT_STATUS_INVALID_PARAMETER
    Failed to connect to 'ldap://SRV-01.syed.local' with backend 'ldap': (null)
    ERROR(ldb): uncaught exception – None

    Reply
  2. Hello Syed,
    It would be hard to guess the right place to look for. But you can start with checking all the pre-requisites, time sync between server/client, kerberos setting etc
    Thanks
    Deepak

    Reply
  3. A BDC can be pushed to become a PDC in case any failure occurs on the latter. But in the above case the SDC is using the DNS server of the primary domain server and in case of failure the DNS will stop working making it unable to connect the PDC.
    An SDC like this can be used for reducing high loads where multiple users are simultaneously accessing the PDC but not as a backup domain controller.

    Reply
  4. In that case the speed depends on the WAN link speed and also on many other factors as no. of concurrent connections, usage etc.
    You can configure a SDC on the remote location with the users/groups as per the office branch. So that the logon authentication requests can be taken care locally instead of routing the traffic over WAN.

    Reply
  5. Hi
    iam trying in ubuntu 14.0 server with samba4 with windows 2008 R2 DC. I need this Samba4 to act as additional DC for user authentications. When i try this command samba-tool join domain as dc, it starts the replication of schemas and last i get this error,
    Failed to apply records: failed to find GUID for (null) invalid DN syntax
    Failed to commit objects: WERR_GENERAL_Failure
    Join Failed – Cleaning up
    Errr type exceptions : uncaught exception – Failed to process chunk: NT_Status_Unsucessful.
    what could be the reason??

    Reply
  6. I am not very sure about the error but through the little info I found on web it says this error generally pops up if your AD is also running an exchange server.

    Reply
  7. so if my AD has an Exchange, Samba4 is not compatible to run ?
    If yes, atleast can i use my Ubuntu as ldap server without samba just for User authentication serivces for my firewall logins?
    If DC is not possible, i wish to have a local DNS & LDAP server for Firewall authentication. Else my remote location firewall looks everytime my local Windows DC for user authentication.

    Reply
  8. Yeah because as from what i found Samba 4 doesnot have any schemas for Exchange Server.
    For Centralized authentication purpose you can use NIS or LDAP server, anyone you are comfortable with as I have not worked on LDAP so I don't have much of an experience but NIS works good and you can find plenty of documents for its configuration/troubleshooting as compared to LDAP.

    Reply
  9. Good night from Brazil!
    This works for me fine eith dns internals! but…
    How I do to replicate sysvol and netlogon directories betwen PDC and SDC (or BDC) into samba 4?
    Gracefully

    Reply
  10. Hi there,
    When the PDC is down and not working anymore you can seize all the fsmo roles to the SDC to make it primary. On both servers bind must be running.
    wiki.samba.org/index.php/Flexible_Single-Master_Operations_(FSMO)_roles
    Cheers from switzerland

    Reply
  11. Hi there,
    I had the same problem like you. Since I has transfered all the fsmo roles to the sdc and then back to the pdc (while both running), I can now do the task which not affected by the fsmo roles (like create a new user and login with it) while the pdc is not running.
    cheers

    Reply
  12. Apologies for the late reply
    I believe the sysvol and netlogon policies are also replicated simultaneously. Any how to assign GPO using SDC you will have to switch the domain controller and while doing that in my case I see all the policies are replicated on both the controllers

    Reply
  13. Well that brought a smile on my face early morning, Let me give it a try and will update my results on a new article if everything goes fine
    Thanks a ton mate.
    Cheers

    Reply
  14. There is an additional step:
    for every svr record on your dns, which points to your pdc ie. dc1…, you have to manually create an additional one for your sdc ie. dc2… this can be done through the dns console, available in the windows rsat Tools.
    Hope this helps you..
    Cheers

    Reply
  15. Well the sdc worked fine with transferring of fsmo roles but the DNS part is confusing as you see I have sonfigured my PDC with BIND and not SAMBA_INTERNAL so in case my PDC goes down the dns would also not work anymore
    How are we going to overcome that?

    Reply
  16. I also use BIND on both DCs. In "/etc/bind/named.conf" add "/var/lib/samba/private/named.conf;" on both servers. Maybe you have another samba path. I use the current debian distribution with sernet samba.
    You can download my documentation here (I will remove it in 20 days):
    dropbox.com/s/2ucqf6a65ibaq0u/Linux-HA-AD-Domain.pdf?dl=0
    You can also create the SRV records with the samba-tool:
    wiki.samba.org/index.php/DNS_Administration

    Reply
  17. Yeah that makes more sense, ultimately even I had tried the same way using both the DC with BIND. I thought using Samba Internal might work differently but any how we will need DNS on the SDC as well.
    samba-toll can only be used to update the records if you are using SAMBA_INTERNAL else if we are using backend DNS as BIND then we need to manually update the records in the config file.
    So seems like basically we will have to create a replica of DNS as on PDC for the SDC to properly function
    There are still few things for me to do R&D, will surely go through your doc.
    Thanks

    Reply
  18. Hello, I have made a short movie.. In my environment the replication of the dns is working.
    dropbox.com/s/aevs1kgyy2phb0u/24-11-_2014_22-38-32.mp4?dl=0

    Reply
  19. Hey m really sorry, I had been running a lil busy lately so couldn't get time to go through your document. BTW Thanks a ton for the video.

    Reply
  20. Are you sure an fstab change is a kernel change requiring a reboot? Once you've remounted it and adjusted fstab so subsequent mounts keep the desired config, that's usually it. If that's changed, I'd love to hear it.
    Maybe resist recommending The Most Unfriendly editor-like app in the world, in a howto. Your intended audience for a how-to doc lacks the neck-beard and proud martyr complex required to persevere with something as unusable as vi. I've had decades of good results from simply recommending anything else.

    Reply
  21. Thanks for your comment, I agree fstab changes does not mandatorily requires a reboot unless you are changing/adding some special attributes which would require a reboot. Although adding/removing new partitions can be updated by "mount -a" but I don't think assigning new attributes like acl, quota will work without a reboot, please correct me if I am wrong.
    which editor would you recommend instead of vi?

    Reply
  22. Hi Deepak,
    Great article, but you have mentioned like
    "On the primary domain controller (test.example.com)
    Verify the entry of kerberos config file is as shown below on your PDC
    [root@test ~]# cat /etc/krb5.conf"
    Assuming that the PDC is a windows machine how would this workout, where would the krb5 config file be, this only works if the PDC is also a Linux machine and not windows.
    Is this correct or am I missing something here.

    Reply
  23. Good article and right to the point. I don’t know if this is really the best place to ask but do you folks have any thoughts on where to employ some professional writers? Thanks in advance

    Reply
  24. Hi
    Try:
    1- SELINUX=enforcing
    2- semanage port -a -t smbd_port_t -p tcp 135
    3- semanage port -a -t smbd_port_t -p udp 135
    4- Make sure SAMBA starts up with your system. (I had to restart SAMBA, until I realized that it did not start automatically)
    5- reboot
    6-samba-tool drs showrepl
    In my SDC/BDC work fine

    Reply

Leave a Comment