Bryan Crotaz:

I've been struggling to set up a PDC in the AWS cloud. I've got the TurnKey appliance up and running, but I can't see any docs on how to connect a Windows server to it.

I have set up a record in Route53 for the domain:

SRV record for _ldap._tcp.dc._msdcs.mydomain.tv: 1 1 389 54.226.208.189

When I set the windows domain to the same domain I've set up on the PDC I get this error:

DNS was successfully queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller for domain insm.tv:

The query was for the SRV record for _ldap._tcp.dc._msdcs.mydomain.tv

The following AD DCs were identified by the query:

54.226.208.189

Common causes of this error include:

- Host (A) records that map the name of the AD DCs to its IP addresses are missing or contain incorrect addresses.

- Active Directory Domain Controllers registered in DNS are not connected to the network or are not running.

For information about correcting this problem, click Help.
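An added check for the DNS side of this, not code from the thread or from TurnKey Linux. The SRV record above names the DC by IP, but an SRV target is a domain name (RFC 2782): the Windows DC locator takes the target literally, looks for a host (A) record under it and finds none, which is exactly the first "common cause" in the error text. The small zone below is constructed to mirror the Route53 setup, with hypothetical hosts dc1/dc2.mydomain.tv and the address 10.0.1.5; a real check would pull the records with a resolver instead of a dict.

```python
"""Validate the SRV/A records a Windows client needs to locate a domain controller.

Added example, not from the thread or TurnKey Linux.  ZONE is constructed data
in the shape of Route53 record sets (SRV rdata = "priority weight port target").
"""
import ipaddress
from typing import Dict, List, Tuple

Record = Tuple[str, str]  # (record type, rdata)

ZONE: Dict[str, List[Record]] = {
    # The record from the post: the target is an IP literal, not a hostname.
    "_ldap._tcp.dc._msdcs.mydomain.tv": [("SRV", "1 1 389 54.226.208.189")],
    # A well-formed SRV whose target has a host (A) record (hypothetical host).
    "_kerberos._tcp.dc._msdcs.mydomain.tv": [("SRV", "0 100 88 dc1.mydomain.tv.")],
    # An SRV whose target hostname exists but has no A record (hypothetical host).
    "_gc._tcp.mydomain.tv": [("SRV", "0 100 3268 dc2.mydomain.tv.")],
    "dc1.mydomain.tv": [("A", "10.0.1.5")],
}

# A few of the SRV names a client queries while locating a DC for domain {d}.
SRV_NAMES = [
    "_ldap._tcp.dc._msdcs.{d}",
    "_kerberos._tcp.dc._msdcs.{d}",
    "_gc._tcp.{d}",
]


def lookup(zone: Dict[str, List[Record]], name: str, rtype: str) -> List[str]:
    """Return the rdata strings of type `rtype` at `name` (trailing dot ignored)."""
    return [rdata for t, rdata in zone.get(name.rstrip("."), []) if t == rtype]


def _is_ip_literal(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def check_srv(zone: Dict[str, List[Record]], srv_name: str) -> List[Tuple[str, int, str]]:
    """Return (target, port, status) for every SRV record at `srv_name`.

    status is one of:
      'ok'           target is a hostname with an A record
      'ip-literal'   target is an IP address; SRV targets must be hostnames
      'no-a-record'  target hostname has no A record (the error in the post)
      'malformed'    rdata does not parse as "prio weight port target"
    """
    results = []
    for rdata in lookup(zone, srv_name, "SRV"):
        fields = rdata.split()
        if len(fields) != 4 or not fields[2].isdigit():
            results.append((rdata, 0, "malformed"))
            continue
        port, target = int(fields[2]), fields[3].rstrip(".")
        if _is_ip_literal(target):
            status = "ip-literal"
        elif not lookup(zone, target, "A"):
            status = "no-a-record"
        else:
            status = "ok"
        results.append((target, port, status))
    return results


def check_domain(zone: Dict[str, List[Record]], domain: str) -> Dict[str, list]:
    """Run check_srv over the locator names for `domain`; empty list = record missing."""
    return {n.format(d=domain): check_srv(zone, n.format(d=domain)) for n in SRV_NAMES}


if __name__ == "__main__":
    for name, results in check_domain(ZONE, "mydomain.tv").items():
        print(name, results or "MISSING")
```

The fix the check points at is the one the error message hints at: give the DC a hostname (an A record, ideally pointing at the address the clients actually reach it on) and make every SRV target that hostname rather than an IP.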

Jeremy Davis:

The TurnKey DC provides an NT style domain via Samba3. Samba3 does not support full AD integration without installing additional components. To fully support AD integration (without installing and configuring additional components) Samba4 will need to be used... Hopefully that will become a reality in TKL v14, but it isn't yet available.

There are some docs that may be relevant and worth a read:
http://www.turnkeylinux.org/docs/domain-controller/quickstart
http://www.turnkeylinux.org/docs/domain-controller/notes-ad-kerberos

Bryan Crotaz:

I'm looking for authentication of users, with groups and subdomains. Is this possible with Samba3?

Bryan Crotaz:

Got the connection working (the Win client now sees the PDC). Be careful with addressing in EC2: public side addresses don't work with security groups.

Jeremy Davis:

In answer to your first question, AFAIK sort-of... AFAIK NT style domains are not AD domains; by my understanding they are in effect workgroups. IIRC NT style domains do handle users and groups, but I've never used it like that. I have only used Samba3 for simple SMB/CIFS filesharing on a Win network, not actually as a DC. So YMMV.

Also I would personally make sure that at least SMB/CIFS (i.e. fileshares) on your server is not publicly available. SMB is intended as a LAN protocol and is not secure over the internet. If you do need to use fileshares over the net then you will want to do so via a VPN tunnel.

TBH I'm not sure about authenticating users and/or how AWS instance-to-instance communications work, but if I were you I'd be looking at how you can make the communication between your servers as secure as possible. I've never done it, but AFAIK you can configure the AWS security profile (aka firewall) and allow only access between your servers on specific ports.
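An added audit script covering the two points raised above (keep SMB off the internet; allow domain ports only between your own instances) and Bryan's addressing caveat. It is not code from the thread or from TurnKey Linux. SAMPLE_GROUPS is constructed data in the shape of `aws ec2 describe-security-groups` JSON, the VPC range 10.0.0.0/16 and the group IDs are hypothetical, and the 54.226.208.189 address is the DC's public address from the post reused as a sample rule source. A rule is treated as "internal" only if its source is another security group or a CIDR inside the VPC range; anything else, including a peer instance's public /32, is reported.

```python
"""Report AD/NT domain ports that EC2 security groups admit from outside the VPC.

Added example, not from the thread or TurnKey Linux.  SAMPLE_GROUPS, VPC_CIDR
and the group IDs are constructed sample data.
"""
import ipaddress
from typing import Dict, List, Tuple

# Ports a Windows client uses to talk to a domain controller / file server.
DOMAIN_PORTS: Dict[int, str] = {
    88: "kerberos", 135: "rpc-epmap", 137: "netbios-ns", 138: "netbios-dgm",
    139: "netbios-ssn", 389: "ldap", 445: "smb", 464: "kpasswd",
    636: "ldaps", 3268: "global-catalog",
}

VPC_CIDR = "10.0.0.0/16"  # hypothetical; use your VPC's range

# Constructed: what describe-security-groups might return for the DC's group.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0dc0example",
        "GroupName": "turnkey-dc",
        "IpPermissions": [
            # SMB open to the whole internet: the case warned about above.
            {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
            # LDAP from the Windows clients' own security group: the right shape.
            {"IpProtocol": "tcp", "FromPort": 389, "ToPort": 389,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0win0example"}]},
            # Kerberos from the VPC's private range: also internal.
            {"IpProtocol": "tcp", "FromPort": 88, "ToPort": 88,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
            # LDAP "from a peer" written as that peer's *public* EC2 address.
            # This admits an internet /32 and does not express "my client";
            # reference the client's group or the VPC range instead.
            {"IpProtocol": "tcp", "FromPort": 389, "ToPort": 389,
             "IpRanges": [{"CidrIp": "54.226.208.189/32"}], "UserIdGroupPairs": []},
        ],
    }
]


def _covers_port(rule: dict, port: int) -> bool:
    """True if an ingress rule admits TCP/UDP traffic to `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True  # all protocols, all ports
    if proto not in ("tcp", "udp"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def _is_internal_source(cidr: str, vpc_cidr: str) -> bool:
    """A CIDR source counts as internal only if it lies inside the VPC range."""
    net = ipaddress.ip_network(cidr, strict=False)
    vpc = ipaddress.ip_network(vpc_cidr)
    return net.version == vpc.version and net.subnet_of(vpc)


def audit(groups: List[dict], vpc_cidr: str = VPC_CIDR) -> List[Tuple[str, int, str, str]]:
    """Return (group_id, port, service, source) for every domain port a group
    admits from a CIDR that is not inside the VPC.  Group-referenced sources
    (UserIdGroupPairs) are never reported; they are the recommended form."""
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            external = [s for s in sources if not _is_internal_source(s, vpc_cidr)]
            if not external:
                continue
            for port, service in sorted(DOMAIN_PORTS.items()):
                if _covers_port(rule, port):
                    for src in external:
                        findings.append((group["GroupId"], port, service, src))
    return findings


if __name__ == "__main__":
    for gid, port, service, src in audit(SAMPLE_GROUPS):
        print(f"{gid}: {service}/{port} reachable from {src}")
```

To run it against a live account, replace SAMPLE_GROUPS with the parsed output of `aws ec2 describe-security-groups` and set VPC_CIDR to the VPC's range; any finding with source 0.0.0.0/0 on port 445 is exactly the "SMB over the internet" situation Jeremy advises against, and the cure is a group-to-group rule (or a VPN) rather than a wider CIDR.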
