You are here
Domain Controller
Information related to the TurnKey Linux Domain Controller appliance
Notes for TurnKey Domain-Controller v15.x/v16.x/v17.x
Note: at the time of writing, v17.0 is still under development so the full feature set is as yet unconfirmed.
Recent versions of TurnKey's Domain-Controller (DC) appliance uses Samba4 to provide a Microsoft Active Directory domain.
However, it should be noted that the current appliance is a fairly bare-bones AD server. It is provided as a "better starting point" for those that wish to use Samba4 as an AD DC but is far from being feature complete.
Compatibility with Windows Server
Please note that Samba4 is not compatible with the latest Windows Server AD Schema. This should not be a problem if all your Domain Controllers use Samba. However, if you wish to join to an existing AD domain, please check the Windows AD schema to confirm it is compatible with Samba. TurnKey Linux uses the version of Samba packaged by Debian. In v16.x that is 4.9 and in v17.x will be 4.13.
Windows 2008R2 AD schema (or below) should be supported out of the box (although there may be some 2008R2 related edge case bugs still apparent in v16.x). However, you may be able to upgrade to Windows Server 2012 AD schema support (should be possible in TurnKey v17.x - unconfirmed in v16.x) or perhaps even higher (requires specific workaround).
If you try this, please be sure to post feedback (either confirming that it works, or the issues that you hit if it doesn't) in the TurnKey Forums.
Steps that need to be taken when first launched:
-
Set a static IP on your domain-controller
- If running on AWS (e.g. TurnKey Hub) then connect an "Elastic IP" (AWS equivalent of a static IP).
- Otherwise; easiest via confconsole
-
if not using the DHCP assigned IP please re-run the domain provision inithook - copy/paste the following into commandline:
/usr/lib/inithooks/bin/domain-controller.py
-
(optional) Create the DNS reverse lookup zone and PTR records.
example details:
hostname: dc1
domain/realm: domain.lan
ip address: 192.168.1.50
# Substitute $ADMIN_PASS for the administrator password # the 1.168.192 is from the "network IP" (backwards) i.e. this example is for 192.168.1.x samba-tool dns zonecreate dc1 1.168.192.in-addr.arpa \ --username=administrator --password="$ADMIN_PASS" # as above but 50 is from the IP i.e. 192.168.1.50 samba-tool dns add dom-controller 1.168.192.in-addr.arpa 192.168.1.50 PTR dc1.domain.lan \ --username=administrator --password="$ADMIN_PASS" -
(optional) Adjust DNS forwarder in /etc/samba/smb.conf
-
currently hardcoded to Google DNS (8.8.8.8)
edit /etc/samba/smb.conf and adjust the field that is currently "dns forwarder = 8.8.8.8"
-
currently hardcoded to Google DNS (8.8.8.8)
To join a Windows Desktop to a Samba AD domain see the Samba Wiki: https://wiki.samba.org/index.php/Joining_a_Windows_client_to_a_domain
Administer your AD: install RSAT
To administer your AD please install Microsoft RSAT (Remote Server Administration Tools) onto a Windows member of your Domain. Note RSAT should already be pre-installed in the latest versions of Windows 10.
Some simple administration tasks, such as adding new AD/Samba users; can be completed via samba-tool from your TurnKey Domain-Controller commandline. For more info please see the Samba Wiki - Add Users to Samba AD.
Features to be added in the future:
-
Option to provision a fileserver AD member server
- not yet sure on how this will be implemented...
- see "Best Practice" notes below
-
Support for Roaming Profiles(?)
- will require AD member fileserver
-
Configuration of PTR records for domain controller
- strictly speaking they're not required but would be good
- documentation on including a DHCP server
Backups
Currently TKLBAM won't properly backup a domain. If you wish to use TKLBAM hooks to script it there is info on the Samba Wiki: https://wiki.samba.org/index.php/Backup_and_restore_an_Samba_AD_DC
Note: if you have multiple AD DCs then rather than restore from backup; just rejoin the server to the domain. Restoring a backup to a server that is already a member of a domain will likely cause DB corruption and/or multiple identical domain objects.
General best practice recommendations
Running AD DC in a container
For best experience it is recommended that TurnKey Domain Controller is run within a "proper" VM (or bare metal; rather than within a LXC or Docker container). However, Samba4 should generally function ok within a "privileged" container (although no guarantees that there will be no issues). Some functionality may work within a "unprivileged" container, but strange unexpected issues will likely occur, including (but not limited to) failures when running 'samba-tool'.
General DC Notes
In production it is recommended that you have a minimum of 2 domain controllers in an AD domain.
File storage/fileserver
Samba advise against using a (Samba4) domain controller as a fileserver as well. Instead it is recommended that you create a dedicated fileserver (as a domain member server). The current TurnKey fileserver appliance is NOT useful for this with it's default config. See notes on the Samba wiki on setting up a member server: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
Please note, that the TurnKey Fileserver appliance includes the same version of Sambas as the DC appliance, but is configured as "stand-alone" by default. You are welcome to reconfigure it to join an existing domain and that should work fine. Please post on the forums if you do that and would like to share your experience and/or need a hand.
Further domain configuration e.g. DNS
As noted above, Samba recommend using Microsoft RSAT (from within a Windows workstation) to do additional AD (Samba4) configuration.
Realm/TLD
For production usage it is recommended to use a domain name that you have registered with a domain registrar as the realm. If you plan to use a domain that you already own (e.g. "example.com") as your realm then add a unique subdomain to avoid potential problems (e.g. "ad.example.com")
Do not use ".local" realms/tlds as they can conflict with Apple (bonjour) and zeroconf type networked devices.
See also MS documentation: http://technet.microsoft.com/en-us/library/cc726016%28v=ws.10%29.aspx/
Integration with LDAP
Samba4 includes it's own custom AD user database. As a general rule, you should just use this built-in service. However, there is some limited support for integration with LDAP. For more info, please see these Samba Wiki links: