• Installare pacchetti

apt install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind

• Confgurare Kerberos:

vi /etc/krb5.conf

[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true
    dns_lookup_realm=false

• Impostare un DNS di un altro DC:

sudoedit /etc/resolv.conf

nameserver 192.168.1.111

• Impostare hostname:

sudoedit /etc/hosts

192.168.1.112  mydc02.example.com mydc02

• Verificare hostname locale:

hostname -f

mydc02.example.com

• Riavviare:

sudo reboot

• Test autenticazione

kinit administrator@EXAMPLE.COM

klist

• Fermare tutti i servizi samba:

systemctl stop smbd.service 
systemctl stop nmbd.service 
systemctl stop winbind.service 
systemctl stop samba-ad-dc.service 

• Verificare:

 ps ax | egrep "samba|smbd|nmbd|winbindd"

• Rinominare il file di configurazione:

mv $(smbd -b | grep "CONFIGFILE" | tr -s ' '| cut -f 3 --delimiter=' ') $(smbd -b | grep "CONFIGFILE" | tr -s ' '| cut -f 3 --delimiter=' ').old

• Verificare

ls /etc/samba

• Eliminare i vecchi DB:

for DIR in $(smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR" | tr -s ' '| cut -f 3 --delimiter=' '); do echo CLEANING $DIR; cd $DIR; find . -name \*.tdb -exec /bin/rm -f '{}' \;; find . -name \*.ldb -exec /bin/rm -f '{}' \;; done

• Abilitare daemon:

sudo systemctl unmask samba-ad-dc
sudo systemctl enable samba-ad-dc

• Fare Join:

samba-tool domain join example.com  DC -k yes

• Impostare come DNS se stessi:

sudoedit /etc/resolv.conf

nameserver 192.168.1.112

• Setup ID mapping:

vi /etc/samba/smb.conf

[global]
    dns forwarder = 8.8.8.8
    idmap_ldb:use rfc2307 = yes
    template shell = /bin/bash
    winbind use default domain = true
    winbind offline logon = false
    winbind nss info = rfc2307
    winbind enum users = yes
    winbind enum groups = yes

• Impostare configurazione kerberos:

cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
cat /etc/krb5.conf

• Restart and enable daemons:

systemctl disable smbd nmbd winbind
systemctl enable samba-ad-dc

systemctl restart samba-ad-dc

• Forzare DNS update:

samba_dnsupdate --use-samba-tool --verbose

• Verificare che il DC sia presente in

host example.com

• Installare chrony

apt install chrony ntpdate -y

• Fare sync manuale

ntpdate -bu pool.ntp.org

• Configurare chrony aggiungendo le righe:

vi /etc/chrony/chrony.conf

allow 192.168.0.0/24
ntpsigndsocket  /var/lib/samba/ntp_signd

• Impostare permission:

chown root:_chrony /var/lib/samba/ntp_signd/
chmod 750 /var/lib/samba/ntp_signd/

• Abilitare e restartare:

systemctl enable chrony
systemctl restart chrony

• Verificare:

journalctl -u chrony.service -f

Se ci sono Dc in altre subnet (sedi remote), bisogna, con il tool Windows "Active Directory Sites and Services"

• Definire i Sites
• Spostare i Dc nei relativi sites
• Definire le Subnet associandole ai relativi Sies
• Fare da ogni Dc

samba_dnsupdate --use-samba-tool --verbose

• Verify replication:

samba-tool drs showrepl

• This warning is ok:

 Warning: No NC replicated for Connection!

• Verify Kerberos authentication

kinit administrator
klist

• Impostare il dominio per i test:

export DOMAIN=example.com

• Verify DNS records of DCs:

host $DOMAIN | sort

example.com has address 192.168.1.111
example.com has address 192.168.1.120

• Verify DNS records of KDCs:

host -t SRV _kerberos._udp.$DOMAIN | sort

_kerberos._udp.ad.metrica.it has SRV record 0 100 88 metdc01.ad.metrica.it.
_kerberos._udp.ad.metrica.it has SRV record 0 100 88 metdc02.ad.metrica.it.

• Verify DNS records of LDAPs:

host -t SRV _ldap._tcp.$DOMAIN | sort

_ldap._tcp.ad.metrica.it has SRV record 0 100 389 metdc01.ad.metrica.it.
_ldap._tcp.ad.metrica.it has SRV record 0 100 389 metdc02.ad.metrica.it.

• If DNS records are missing (*[SambaMissing DNS entry after "domain join"]), try:

samba_dnsupdate --use-samba-tool --verbose 

• Verify user sync:

# metdc02
samba-tool user create test_user

# metdc01
samba-tool user list | grep test_user
samba-tool user delete test_user

# metdc02
samba-tool user list | grep test_user

• Add mydc02 as secondary Nameserver in DHCP config

• OPTIONAL: Setup DHCP redundancy

• Eventualmente vedere Synchronizing SYSVOLs between multiple domain controllers — Samba-AD 4.19 documentation
• All GPO edits should be made only on the first DC that owns FMSO Roles
• The script must be run on this DC that owns the FMSO Roles.
• To start the process of SysVol replication, first generate a SSH key on the first Samba AD DC and transfer the key to the second DC by issuing the below commands.

ssh-keygen -t RSA  
ssh-copy-id root@metdc02.ad.metrica.it
ssh root@metdc02.ad.metrica.it cat .ssh/authorized_keys

• Creare lo script di sync:

cat > /usr/local/sbin/samba-sysvol-sync <<'EOFile'
#!/bin/bash
echo "Start sysvol sync"
# Check if this is FMSO owner
NUMBER=$(samba-tool fsmo show | grep -i $(hostname) | wc -l)
if [ "$NUMBER" -ne 7 ]
then
	echo "This is not the FMSO Owner DC. Aborting sysvol replication"  1>&2
	exit 127
fi


# get samba domain:
DOMAIN=$(cat /etc/samba/smb.conf | grep realm| tr -d ' ' | cut -f 2 --delimiter='=' |  tr "[:upper:]" "[:lower:]")
echo "DOMAIN is $DOMAIN"

# get list of DCs
DCS=$(ldbsearch -H /var/lib/samba/private/sam.ldb '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))' dn  | grep -v "CN=Configuration,DC" | grep CN | cut -f 2 --delimiter='=' | cut -f 1 --delimiter=',' | tr "[:upper:]" "[:lower:]" | grep -v $(hostname))
# https://serverfault.com/questions/432572/what-is-correct-objectclass-for-domain-controller-objects

echo "DCs are:"
echo $DCS

echo "Resetting local sysvol ACL"
/usr/bin/samba-tool ntacl sysvolreset

# Backup idmap.ldb
echo "Backup idmap.ldb"
tdbbackup -s .bak /var/lib/samba/private/idmap.ldb

for DC in $DCS
do
	echo "Copy idmap.ldb.bak to ${DC}.${DOMAIN}"
	scp -q /var/lib/samba/private/idmap.ldb.bak ${DC}.${DOMAIN}:/var/lib/samba/private/idmap.ldb
	echo "Run net cache flush on ${DC}.${DOMAIN}"
	ssh ${DC}.${DOMAIN} /usr/bin/net cache flush
	echo "Syncing sysvol to ${DC}.${DOMAIN}"
	rsync -a --quiet --delete-after /var/lib/samba/sysvol/ ${DC}.${DOMAIN}:/var/lib/samba/sysvol/
	echo "Resetting sysvol acl on ${DC}.${DOMAIN}"
	ssh ${DC}.${DOMAIN} /usr/bin/samba-tool ntacl sysvolreset
done
echo "End of sysvol sync"
EOFile

chmod 755 /usr/local/sbin/samba-sysvol-sync

• Run the script

/usr/local/sbin/samba-sysvol-sync

• On second DC, verify that GP policies are present:

ls /var/lib/samba/sysvol/ad.metrica.it/Policies/

• Enable scheduled sync:

cat > /etc/cron.d/samba-sysvol-sync <<EOFile
*/5 * * * * root /usr/local/sbin/samba-sysvol-sync | systemd-cat -t samba-sysvol-sync
EOFile

• Per vedere cosa logga:

journalctl -t samba-sysvol-sync -f

• Join an Additional Ubuntu DC to Samba4 AD DC for FailOver Replication - Part 5
• Joining a Samba DC to an Existing Active Directory - SambaWiki
• Installing and configuring a secondary Samba-AD on Debian — Samba-AD 4.16 documentation
• Samba 4 Additional Domain Controller for failover Replication on CentOS 7
• Samba: Join an additional Domain Controller to Samba Active Directory
• Setup SysVol Replication Across Two Samba4 AD DC with Rsync - Part 6

• Rsync based SysVol replication workaround - SambaWiki