Domain Controller

Information related to the TurnKey Linux Domain Controller appliance

Notes for TurnKey Domain-Controller v14.x/v15.x/v16.x

Recent versions of TurnKey's Domain-Controller (DC) appliance uses Samba4 to provide a Microsoft Active Directory domain.

However, it should be noted that the current appliance is a fairly bare-bones AD server. It is provided as a "better starting point" for those that wish to use Samba4 as an AD DC but is far from being feature complete.

Steps that need to be taken when first launched:

  • Set a static IP on your domain-controller
    • If running on AWS (e.g. TurnKey Hub) then connect an "Elastic IP" (AWS equivalent of a static IP).
    • Otherwise; easiest via confconsole
    • if not using the DHCP assigned IP please re-run the domain provision inithook - copy/paste the following into commandline:
      /usr/lib/inithooks/bin/domain-controller.py
  • (optional) Create the DNS reverse lookup zone and PTR records.
    example details:
    hostname: dc1
    domain/realm: domain.lan
    ip address: 192.168.1.50
     
    # Substitute $ADMIN_PASS for the administrator password 
    # the 1.168.192 is from the "network IP" (backwards) i.e. this example is for 192.168.1.x
    samba-tool dns zonecreate dc1 1.168.192.in-addr.arpa \
        --username=administrator --password="$ADMIN_PASS"
    
    # as above but 50 is from the IP i.e. 192.168.1.50
    samba-tool dns add dom-controller 1.168.192.in-addr.arpa 192.168.1.50 PTR dc1.domain.lan \
        --username=administrator --password="$ADMIN_PASS"
           
  • (optional) Adjust DNS forwarder in /etc/samba/smb.conf
    • currently hardcoded to Google DNS (8.8.8.8)
      edit /etc/samba/smb.conf and adjust the field that is currently "dns forwarder = 8.8.8.8"

To join a Windows Desktop to a Samba AD domain see the Samba Wiki: https://wiki.samba.org/index.php/Joining_a_Windows_client_to_a_domain

Administer your AD: install RSAT

To administer your AD please install Microsoft RSAT (Remote Server Administration Tools) onto a Windows member of your Domain. Note RSAT should already be pre-installed in the latest versions of Windows 10.

Some simple administration tasks, such as adding new AD/Samba users; can be completed via samba-tool from your TurnKey Domain-Controller commandline. For more info please see the Samba Wiki - Add Users to Samba AD.

Features to be added in the future:

  • Option to provision a fileserver AD member server
    • not yet sure on how this will be implemented...
    • see "Best Practice" notes below
  • Support for Roaming Profiles(?)
    • will require AD member fileserver
  • Configuration of PTR records for domain controller
    • strictly speaking they're not required but would be good
  • documentation on including a DHCP server

Backups

Currently TKLBAM won't properly backup a domain. If you wish to use TKLBAM hooks to script it there is info on the Samba Wiki: https://wiki.samba.org/index.php/Backup_and_restore_an_Samba_AD_DC

Note: if you have multiple AD DCs then rather than restore from backup; just rejoin the server to the domain. Restoring a backup to a server that is already a member of a domain will likely cause DB corruption and/or multiple identical domain objects.

General best practice recommendations

Running AD DC in a container

For best experience it is recommended that TurnKey Domain Controller is run within a "proper" VM (or bare metal; rather than within a LXC or Docker container). However, Samba4 should generally function ok within a "privileged" container (although no guarantees that there will be no issues). Some functionality may work within a "unprivileged" container, but strange unexpected issues will likely occur, including (but not limited to) failures when running 'samba-tool'.

General DC Notes

In production it is recommended that you have a minimum of 2 domain controllers in an AD domain.

File storage/fileserver

Samba advise against using a (Samba4) domain controller as a fileserver as well. Instead it is recommended that you create a dedicated fileserver (as a domain member server). The current TurnKey fileserver appliance is NOT useful for this with it's default config. See notes on the Samba wiki on setting up a member server: https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

Please note, that the TurnKey Fileserver appliance includes the same version of Sambas as the DC appliance, but is configured as "stand-alone" by default. You are welcome to reconfigure it to join an existing domain and that should work fine. Please post on the forums if you do that and would like to share your experience and/or need a hand.

Further domain configuration e.g. DNS

As noted above, Samba recommend using Microsoft RSAT (from within a Windows workstation) to do additional AD (Samba4) configuration.

Realm/TLD

For production usage it is recommended to use a domain name that you have registered with a domain registrar as the realm. If you plan to use a domain that you already own (e.g. "example.com") as your realm then add a unique subdomain to avoid potential problems (e.g. "ad.example.com")

Do not use ".local" realms/tlds as they can conflict with Apple (bonjour) and zeroconf type networked devices.

See also MS documentation: http://technet.microsoft.com/en-us/library/cc726016%28v=ws.10%29.aspx/

Integration with LDAP

Samba4 includes it's own custom AD user database. As a general rule, you should just use this built-in service. However, there is some limited support for integration with LDAP. For more info, please see these Samba Wiki links: