Domain Controller
This documentation page provides information related to the TurnKey Linux Domain Controller appliance. The current version of this doc was updated specifically for TurnKey version 18.x, but should remain compatible with newer versions.
TurnKey's Domain-Controller (DC) appliance uses Samba4 to provide or connect to a Microsoft Active Directory domain. However, it's important to know that the current appliance is a fairly bare-bones AD server. It is provided as a "better starting point" for those that wish to use Samba4 as an AD DC but is far from being feature complete.
Please provide feedback and/or problems regarding this doc page via the TurnKey Forums (requires a free TurnKey Linux website user account). Alternatively, documentation bugs can be reported via our consolidated TurnKey Linux issue tracker.
Compatibility with Windows Server
If creating a new AD domain where all members will be Samba4, a Windows Server 2008R2 AD schema will be used by default. Everything should "just work" and you can skip straight to the TKL DC first launch info.
Joining a Samba4 AD DC as a member of an existing AD domain with a Windows Server AD schema up to 2012R2 will work without problems, but does require some preparation. Running Samba in an AD domain with a higher schema is also possible but should be considered work in progress and incomplete. For newer AD schema versions, a specific AD schema upgrade process is required. Please see the Samba documentation for use with the AD 2012 schema and higher.
If you join a TurnKey server to a domain with an AD schema higher than 2008R2, please report back whether you were successful and any relevant details. Feedback and info can be posted on the TurnKey Forums. Alternatively, documentation bugs can be reported via our consolidated TurnKey Linux issue tracker.
Initial TurnKey Domain Controller setup
Permanently assign an IP to your domain controller:
- If your DHCP server is compatible, configure an IP lease for your DC that does not expire; or
- Set a static IP. You can use TurnKey's built-in Confconsole tool to do this. Then re-run the domain provision process via the CLI:
  - Re-run the TurnKey firstboot script (as root):
    /usr/lib/inithooks/bin/domain-controller.py
  - Alternatively, the samba-tool command can be used directly
- If running your DC on AWS (e.g. TurnKey Hub), connect an "Elastic IP" (the AWS equivalent of a static IP), then re-run the firstboot script as above.
Create the DNS reverse lookup zone and PTR records (optional):
example details:
hostname: dc1
domain/realm: domain.lan
ip address: 192.168.1.50
# Substitute $ADMIN_PASS for the administrator password
# the 1.168.192 is the "network IP" (backwards), i.e. this example is for 192.168.1.x
samba-tool dns zonecreate dc1 1.168.192.in-addr.arpa \
    --username=administrator --password="$ADMIN_PASS"
# as above, but the record name 50 is the host part of the IP, i.e. 192.168.1.50
samba-tool dns add dc1 1.168.192.in-addr.arpa 50 PTR dc1.domain.lan \
    --username=administrator --password="$ADMIN_PASS"
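The reverse zone name and PTR label above were worked out by hand. This added helper script (not part of the TurnKey docs) derives both from an address and a classful prefix length and then runs the same samba-tool commands; it assumes samba-tool is on PATH and ADMIN_PASS holds the administrator password.

```shell
#!/bin/sh
# Added example, not from the TurnKey docs: derive the in-addr.arpa zone and the
# PTR record label from an address and prefix length, then run the same
# samba-tool commands as above. Assumes samba-tool is on PATH and ADMIN_PASS is set.

# split_ip IP: sets o1..o4 to the four octets (no validation beyond the split)
split_ip() {
    o1=${1%%.*}; rest=${1#*.}
    o2=${rest%%.*}; rest=${rest#*.}
    o3=${rest%%.*}; o4=${rest#*.}
}

# reverse_zone IP PREFIXLEN: network octets reversed; classful lengths only
reverse_zone() {
    split_ip "$1"
    case $2 in
        8)  echo "$o1.in-addr.arpa" ;;
        16) echo "$o2.$o1.in-addr.arpa" ;;
        24) echo "$o3.$o2.$o1.in-addr.arpa" ;;
        *)  echo "prefix length must be 8, 16 or 24 (got $2)" >&2; return 1 ;;
    esac
}

# ptr_label IP PREFIXLEN: host octets reversed, i.e. the record name inside that zone
ptr_label() {
    split_ip "$1"
    case $2 in
        8)  echo "$o4.$o3.$o2" ;;
        16) echo "$o4.$o3" ;;
        24) echo "$o4" ;;
        *)  return 1 ;;
    esac
}

# add_ptr DCHOST IP PREFIXLEN FQDN: create the reverse zone only if it is missing
# (zonecreate fails on an existing zone), then add the PTR record for FQDN.
add_ptr() {
    dc=$1; ip=$2; plen=$3; fqdn=$4
    zone=$(reverse_zone "$ip" "$plen") || return 1
    label=$(ptr_label "$ip" "$plen")
    if ! samba-tool dns zonelist "$dc" --username=administrator --password="$ADMIN_PASS" \
            2>/dev/null | grep -q "$zone"; then
        samba-tool dns zonecreate "$dc" "$zone" --username=administrator --password="$ADMIN_PASS"
    fi
    samba-tool dns add "$dc" "$zone" "$label" PTR "$fqdn" \
        --username=administrator --password="$ADMIN_PASS"
}

# The example from the docs above would be: add_ptr dc1 192.168.1.50 24 dc1.domain.lan
```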
Adjust DNS forwarder (optional):
By default, the DNS forwarder is set to Google Public DNS (8.8.8.8) in the Samba config file: /etc/samba/smb.conf.
To forward non-DC-related DNS requests elsewhere, edit /etc/samba/smb.conf and change the line that currently reads "dns forwarder = 8.8.8.8" to point at your desired DNS server.
Join Windows OS members to your AD:
To join a Windows Desktop or Windows Server to your Samba AD domain, please see the Samba join Windows member documentation page.
Administer your AD - Use RSAT
For most AD administration tasks, use RSAT (Remote Server Administration Tools). RSAT is only available on Windows Pro/Enterprise editions, must be installed/enabled before use, and must be run from a PC that is a member of your AD domain.
Some simple administration tasks, such as adding new AD/Samba users, can be done on your TurnKey Domain Controller. Via a terminal (e.g. an SSH client) use the command-line tool, samba-tool. Please see the Samba Wiki - Add Users to Samba AD for more details.
Backups
Currently TKLBAM will only include the general configuration of your Domain Controller, plus any files stored on the server. However, it will not include all the AD domain information. We hope to include optional support for backing up the full AD domain information in the future.
If you wish to include the AD databases in your TKLBAM backup, please create a TKLBAM hook script to back up and restore the AD databases. Please see the Samba AD DC backup/restore documentation page for details on the process required.
Note: if you have multiple AD DCs (recommended best practice), then rather than restoring from backup, just rejoin the server to the domain. Restoring a backup to a server that is already a member of a domain will likely cause DB corruption and/or multiple identical domain objects.
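As an added illustration of the hook approach mentioned above (this is not TurnKey's or Samba's own code), the script below takes an offline Samba AD backup before each TKLBAM run so the AD tarballs are included as ordinary files, and on restore only warns rather than writing AD data onto a live DC. It assumes TKLBAM runs executables in /etc/tklbam/hooks.d/ with the arguments "backup|restore pre|inspect|post", that Samba 4.9 or later provides "samba-tool domain backup offline", and that those tarballs are named samba-backup-*.tar.bz2.

```shell
#!/bin/sh
# Added example, not part of the TurnKey or Samba docs: a TKLBAM hook that takes
# an offline Samba AD backup before every TKLBAM backup run, so the AD databases
# ride along as ordinary files. Assumptions: TKLBAM runs executables in
# /etc/tklbam/hooks.d/ as "<hook> backup|restore pre|inspect|post", and Samba
# 4.9 or later provides "samba-tool domain backup offline" (run as root).
set -eu

BACKUP_DIR=/var/backups/samba-ad   # inside the filesystem TKLBAM already backs up
KEEP=3                             # tarballs to retain; older ones are deleted

# hook_action OP STATE: map a hook invocation to what this script should do
hook_action() {
    case "${1:-}/${2:-}" in
        backup/pre)   echo ad-backup ;;
        restore/post) echo warn-restore ;;
        *)            echo noop ;;
    esac
}

# prune_old DIR KEEP: delete all but the KEEP newest samba-backup-*.tar.bz2 files
# (the samba-backup-*.tar.bz2 naming of samba-tool's output is assumed here)
prune_old() {
    ls -1t "$1"/samba-backup-*.tar.bz2 2>/dev/null | tail -n +"$(($2 + 1))" \
        | while read -r f; do rm -f "$f"; done
}

main() {
    case $(hook_action "$@") in
        ad-backup)
            mkdir -p "$BACKUP_DIR"
            # Offline backup: copies sam.ldb and related databases consistently
            samba-tool domain backup offline --targetdir="$BACKUP_DIR"
            prune_old "$BACKUP_DIR" "$KEEP"
            ;;
        warn-restore)
            # TKLBAM has put the tarballs back, but AD data must not be restored on
            # top of a DC that is still a domain member; rejoin it, or follow the
            # Samba restore procedure onto a fresh server instead.
            echo "samba-ad hook: AD backups restored to $BACKUP_DIR; read the Samba AD" >&2
            echo "backup/restore docs before running 'samba-tool domain backup restore'" >&2
            ;;
    esac
}

main "$@"
```

Install it as an executable file in /etc/tklbam/hooks.d/ and check /var/backups/samba-ad after the next TKLBAM run.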
General best practice recommendations
Running AD DC in a container
For the best experience it is recommended that the TurnKey Domain Controller is run within a "proper" VM (or on bare metal) rather than within an LXC or Docker container. However, Samba4 should generally function OK within a "privileged" container (although there is no guarantee that there will be no issues). Some functionality may work within an "unprivileged" container, but strange, unexpected issues will likely occur, including (but not limited to) failures when running 'samba-tool'. "Nesting" is also required, which has security implications for your host; hence a full VM is recommended for the desired guest/host separation.
General DC Notes
In production it is recommended that you have a minimum of 2 domain controllers in an AD domain.
File storage/fileserver
Samba advises against also using a (Samba4) domain controller as a fileserver. Instead it is recommended that you create a dedicated fileserver (as a domain member server). The current TurnKey Fileserver appliance is NOT useful for this with its default config. See the notes on the Samba wiki on setting up a member server: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
Please note that the TurnKey Fileserver appliance includes the same version of Samba as the DC appliance, but is configured as "stand-alone" by default. You are welcome to reconfigure it to join an existing domain and that should work fine. Please post on the forums if you do that and would like to share your experience and/or need a hand.
Further domain configuration e.g. DNS
As noted above, Samba recommends using Microsoft RSAT (from within a Windows workstation) to do additional AD (Samba4) configuration.
Realm/TLD
For production usage it is recommended to use a domain name that you have registered with a domain registrar as the realm. If you plan to use a domain that you already own (e.g. "example.com") as your realm, then add a unique subdomain to avoid potential problems (e.g. "ad.example.com").
Do not use ".local" realms/TLDs as they can conflict with Apple (Bonjour) and zeroconf-type networked devices.
See also MS documentation: http://technet.microsoft.com/en-us/library/cc726016%28v=ws.10%29.aspx/
Integration with LDAP
Samba4 includes its own custom AD user database. As a general rule, you should just use this built-in service. However, there is some limited support for integration with LDAP. For more info, please see these Samba Wiki links:
Features to be added to TurnKey Domain-Controller in the future:
- Option to provision a fileserver AD member server
  - not yet sure on how this will be implemented...
  - see the "Best Practice" notes on this page
- Support for Roaming Profiles(?)
  - will require an AD member fileserver
- Configuration of PTR records for the domain controller
  - strictly speaking they're not required but would be good
- Documentation on including a DHCP server