Adding a Domain Controller in Samba

From RVM Wiki
Revision as of 10:23, 11 April 2024

Package installation and domain join of the DC to be added

  • Install packages
apt install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind
  • Configure Kerberos:
vi /etc/krb5.conf
[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_kdc = true
  dns_lookup_realm=false
  • Point DNS at another DC:
sudoedit /etc/resolv.conf
nameserver 192.168.1.111
  • Set the hostname:
sudoedit /etc/hosts
192.168.1.112  mydc02.example.com mydc02
  • Verify the local hostname:
hostname -f
mydc02.example.com
  • Reboot:
sudo reboot
  • Test authentication
kinit administrator@example.com
klist
  • Stop all Samba services:
systemctl stop smbd.service 
systemctl stop nmbd.service 
systemctl stop winbind.service 
systemctl stop samba-ad-dc.service 
  • Verify:
 ps ax | egrep "samba|smbd|nmbd|winbindd"
  • Rename the configuration file:
mv $(smbd -b | grep "CONFIGFILE" | tr -s ' '| cut -f 3 --delimiter=' ') $(smbd -b | grep "CONFIGFILE" | tr -s ' '| cut -f 3 --delimiter=' ').old
  • Verify
ls /etc/samba
  • Delete the old databases:
for DIR in $(smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR" | tr -s ' '| cut -f 3 --delimiter=' '); do echo CLEANING $DIR; cd $DIR; find . -name \*.tdb -exec /bin/rm -f '{}' \;; find . -name \*.ldb -exec /bin/rm -f '{}' \;; done
  • Enable the daemon:
sudo systemctl unmask samba-ad-dc
sudo systemctl enable samba-ad-dc
  • Join:
samba-tool domain join example.com  DC -k yes
  • Set itself as DNS:
sudoedit /etc/resolv.conf
nameserver 192.168.1.112
  • Setup ID mapping:
vi /etc/samba/smb.conf
[global]
    dns forwarder = 8.8.8.8
    idmap_ldb:use rfc2307 = yes
    template shell = /bin/bash
    winbind use default domain = true
    winbind offline logon = false
    winbind nss info = rfc2307
    winbind enum users = yes
    winbind enum groups = yes
  • Restart and enable daemons:
systemctl disable smbd nmbd winbind
systemctl enable samba-ad-dc
systemctl restart samba-ad-dc
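A pre-join check script, added here as an example and not part of the original page: it verifies the preparation steps above (FQDN inside the realm, matching /etc/hosts entry, no Samba daemon still running, a valid Kerberos ticket) right before the join is attempted. REALM and DC_IP are assumptions taken from the example values above; the check functions read their input on stdin so they can also be run against captured output.

```shell
#!/bin/sh
# Added example (not from the original page): checks to run on the new DC right
# before "samba-tool domain join". Assumed values taken from the steps above.
REALM=example.com
DC_IP=192.168.1.112

# fqdn_ok NAME: the output of "hostname -f" must be a FQDN inside the realm,
# not the short name, or the join registers the wrong DNS name for the DC.
fqdn_ok() {
  case "$1" in
    ?*."$REALM") return 0 ;;
    *) return 1 ;;
  esac
}

# hosts_entry_ok FQDN: /etc/hosts (stdin) must map DC_IP to that FQDN,
# which is what the "sudoedit /etc/hosts" step above creates.
hosts_entry_ok() {
  awk -v ip="$DC_IP" -v fqdn="$1" '
    $1 == ip { for (i = 2; i <= NF; i++) if ($i == fqdn) found = 1 }
    END { exit found ? 0 : 1 }'
}

# samba_running: "ps ax" output on stdin; succeeds if any Samba daemon is
# listed. The bracket trick keeps the grep itself out of a live match.
samba_running() {
  grep -Eq '[s]amba|[s]mbd|[n]mbd|[w]inbindd'
}

# Live run: ./prejoin.sh --run (the functions alone are safe to source or test).
if [ "${1:-}" = "--run" ]; then
  fqdn=$(hostname -f)
  fqdn_ok "$fqdn" || { echo "hostname -f gives '$fqdn', not a FQDN in $REALM" >&2; exit 1; }
  hosts_entry_ok "$fqdn" </etc/hosts || { echo "/etc/hosts lacks '$DC_IP $fqdn'" >&2; exit 1; }
  if ps ax | samba_running; then echo "Samba daemons still running; stop them first" >&2; exit 1; fi
  klist -s || { echo "no valid Kerberos ticket; run kinit first" >&2; exit 1; }   # MIT klist
  echo "pre-join checks passed"
fi
```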

Time Sync configuration

  • Install chrony
apt install chrony ntpdate -y
  • Do a manual sync
ntpdate -bu pool.ntp.org
  • Configure chrony by adding the lines:
vi /etc/chrony/chrony.conf
allow 192.168.0.0/24
ntpsigndsocket  /var/lib/samba/ntp_signd
  • Set permissions:
chown root:_chrony /var/lib/samba/ntp_signd/
chmod 750 /var/lib/samba/ntp_signd/
  • Enable and restart:
systemctl enable chrony
systemctl restart chrony
  • Verify:
journalctl -u chrony.service -f

Checks

  • Verify replication:
samba-tool drs showrepl
  • This warning is ok:
 Warning: No NC replicated for Connection!
  • Adapt Kerberos config:
mv /etc/krb5.conf /etc/krb5.conf.initial
ln -s /var/lib/samba/private/krb5.conf /etc/
cat /etc/krb5.conf


  • Verify Kerberos authentication
kinit administrator
klist
  • Verify DNS records:
host ad.metrica.it
ad.metrica.it has address 192.168.1.111
ad.metrica.it has address 192.168.1.120
host -t SRV _kerberos._udp.ad.metrica.it  # UDP Kerberos SRV record
_kerberos._udp.ad.metrica.it has SRV record 0 100 88 metdc01.ad.metrica.it.
_kerberos._udp.ad.metrica.it has SRV record 0 100 88 metdc02.ad.metrica.it.
host -t SRV _ldap._tcp.ad.metrica.it  # TCP LDAP SRV record
_ldap._tcp.ad.metrica.it has SRV record 0 100 389 metdc01.ad.metrica.it.
_ldap._tcp.ad.metrica.it has SRV record 0 100 389 metdc02.ad.metrica.it.
  • If DNS records are missing (*[Samba Missing DNS entry after "domain join"]), try:
samba_dnsupdate --verbose
  • If this fails, try:
samba_dnsupdate --use-samba-tool

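A scripted version of the DNS check above, added here as an example and not part of the original page: it parses the "host -t SRV" output format shown above and reports any expected DC missing from the Kerberos and LDAP SRV records. REALM and the DC names are assumptions taken from this page's example output.

```shell
#!/bin/sh
# Added example (not from the original page): after the join, every DC must be
# present in the Kerberos and LDAP SRV records, otherwise clients are never
# directed to the new DC. Parses the "host -t SRV" output shown above.
REALM=ad.metrica.it                                   # assumed from the page
DCS="metdc01.$REALM. metdc02.$REALM."                 # expected SRV targets

# srv_targets: "host -t SRV" output on stdin -> one target host per line
srv_targets() {
  awk '/has SRV record/ { print $NF }'
}

# missing_dcs: "host -t SRV" output on stdin -> expected DCs that are absent
missing_dcs() {
  targets=$(srv_targets)
  for dc in $DCS; do
    printf '%s\n' "$targets" | grep -qxF "$dc" || printf '%s\n' "$dc"
  done
}

# check_srv NAME: live query; prints what is missing and fails if anything is
check_srv() {
  missing=$(host -t SRV "$1" | missing_dcs)
  [ -z "$missing" ] || { printf 'missing in %s: %s\n' "$1" "$(echo $missing)" >&2; return 1; }
}

# Live run: ./srvcheck.sh --check
if [ "${1:-}" = "--check" ]; then
  rc=0
  for name in "_kerberos._udp.$REALM" "_ldap._tcp.$REALM"; do
    check_srv "$name" || rc=1
  done
  [ "$rc" -eq 0 ] || echo 'records missing: try samba_dnsupdate --verbose' >&2
  exit "$rc"
fi
```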

  • Verify user sync:
# metdc02
samba-tool user create test_user


# metdc01
samba-tool user list | grep test_user
samba-tool user delete test_user
# metdc02
samba-tool user list | grep test_user

DNS Config

  • Add mydc02 as secondary Nameserver in DHCP config

Setup SYSVOL Sync

  • This method keeps GPO objects consistent across domain controllers, but has one major drawback: it works in one direction only, because rsync transfers all changes from the source DC to the destination DC when synchronizing the GPO directories.
  • Objects that no longer exist on the source are deleted from the destination as well. To limit and avoid conflicts, all GPO edits should be made only on the first DC.
  • To start the SysVol replication, first generate an SSH key on the first Samba AD DC and transfer it to the second DC with the commands below.
ssh-keygen -t rsa
ssh-copy-id root@metdc02.ad.metrica.it
ssh root@metdc02.ad.metrica.it cat .ssh/authorized_keys
rsync -XAavz --chmod=775 --delete-after  --progress --stats  \
   /var/lib/samba/sysvol/ \
   root@metdc02.ad.metrica.it:/var/lib/samba/sysvol/ \
  --dry-run
  • If the dry run works as expected, run the rsync command again without the --dry-run option to actually replicate the GPO objects across your domain controllers.
rsync -XAavz --chmod=775 --delete-after  --progress --stats  \
   /var/lib/samba/sysvol/ \
   root@metdc02.ad.metrica.it:/var/lib/samba/sysvol/
  • On the second DC, verify that the Group Policies are present:
ls /var/lib/samba/sysvol/ad.metrica.it/Policies/
  • Enable scheduled sync:
cat > /etc/cron.d/samba-sysvol-replication <<EOFile
*/5 * * * * root rsync -XAavz --chmod=775 --delete-after  --progress --stats  /var/lib/samba/sysvol/ root@gapsrv03.ad.gapartners.eu:/var/lib/samba/sysvol/ > /var/log/samba/samba-sysvol-replication.log 2>&1
EOFile
  • Check on dc01 and dc02:
 samba-tool ntacl sysvolcheck
  • Fix the DB ACL and VFS ACL errors on the GPOs:
 samba-tool ntacl sysvolreset
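A guarded wrapper for the one-way rsync above, added here as an example and not part of the original page: because --delete-after mirrors deletions, an emptied Policies/ directory on the source DC would be wiped on the second DC as well, so the wrapper runs the dry run first, counts what rsync would delete, and refuses to sync above a limit. Source, destination and options are the page's own; MAX_DELETES and the script name are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): a guard for the one-way rsync
# used for SYSVOL. It runs the dry-run first, counts the destination entries
# rsync would delete, and refuses the real transfer above MAX_DELETES.
SYSVOL_SRC=/var/lib/samba/sysvol/
SYSVOL_DST=root@metdc02.ad.metrica.it:/var/lib/samba/sysvol/   # from the page
MAX_DELETES=${MAX_DELETES:-20}                                  # constructed limit
RSYNC_OPTS='-XAavz --chmod=775 --delete-after'

# count_deletions: rsync --dry-run --itemize-changes output on stdin ->
# number of destination entries it would remove ("*deleting   path" lines)
count_deletions() {
  grep -c '^\*deleting ' || true
}

# sync_allowed DELETES LIMIT: succeeds if the planned deletions are within the limit
sync_allowed() {
  [ "$1" -le "$2" ]
}

# sysvol_sync: dry run, evaluate, then the real transfer (same options as the cron job)
sysvol_sync() {
  plan=$(rsync $RSYNC_OPTS --itemize-changes --dry-run "$SYSVOL_SRC" "$SYSVOL_DST") || return 1
  deletes=$(printf '%s\n' "$plan" | count_deletions)
  if ! sync_allowed "$deletes" "$MAX_DELETES"; then
    echo "refusing to sync: dry-run would delete $deletes entries (limit $MAX_DELETES)" >&2
    return 2
  fi
  rsync $RSYNC_OPTS --stats "$SYSVOL_SRC" "$SYSVOL_DST"
}

# Call this from the cron entry instead of the bare rsync line: sysvol-sync.sh --run
if [ "${1:-}" = "--run" ]; then
  sysvol_sync
fi
```

A refused run exits with status 2 and logs the count, so the cron log shows why SYSVOL was not replicated.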

References