TurnKey Linux Virtual Appliance Library

Domain Controller

Information related to the TurnKey Linux Domain Controller appliance

Notes for DC v14.0

As of v14.0 TurnKey's domain-controller (DC) appliance uses Samba4 to provide a Microsoft Active Directory domain.

However, the current v14.0 appliance is a bare-bones AD server. It is provided as a "better starting point" for those who wish to use Samba4 as an AD DC, but it is far from feature complete.

Steps that need to be taken when first launched:

  • Set a static IP on your domain-controller
    • easiest via confconsole
    • if not using the DHCP assigned IP please re-run the domain provision inithook - copy/paste the following into the command line:
  • (optional) Create the DNS reverse lookup zone and PTR records.
    example details:
    hostname: dc1
    domain/realm: domain.lan
    ip address:

    # Substitute $ADMIN_PASS for the administrator password
    # the 1.168.192 is from the "network IP" (backwards) i.e. this example is for 192.168.1.x
    samba-tool dns zonecreate dc1 1.168.192.in-addr.arpa \
        --username=administrator --password="$ADMIN_PASS"
    # as above, but the record name is the host part of the IP, i.e. 50 for 192.168.1.50
    # (argument order is: <server> <zone> <name> <type> <data>)
    samba-tool dns add dc1 1.168.192.in-addr.arpa 50 PTR dc1.domain.lan \
        --username=administrator --password="$ADMIN_PASS"
  • (optional) Adjust the DNS forwarder in /etc/samba/smb.conf
    • currently hardcoded to Google DNS
    • edit /etc/samba/smb.conf and adjust the field that is currently "dns forwarder ="

For how to join a Windows desktop to an AD domain see the Samba Wiki: https://wiki.samba.org/index.php/Joining_a_Windows_client_to_a_domain
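The reverse-zone step above is easy to get wrong by hand (the octets have to be reversed and the host part split off). The script below is an added example, not part of the TurnKey appliance or of Samba: it derives the in-addr.arpa zone and the PTR record name from an IPv4 address on a /24 network, then issues the same samba-tool commands as the notes above and queries the record back so a failed add is noticed immediately. It assumes samba-tool is on the PATH of the DC, that ADMIN_PASS holds the administrator password, and that the DNS server name, FQDN and address are passed as arguments; with DRY_RUN=1 it only prints the commands, with the password redacted (when run for real the password is still visible in the process list, exactly as with the commands above).

```shell
#!/bin/sh
# Added example (not TurnKey's own code): build and run the samba-tool
# reverse-DNS commands from an IPv4 address. Assumptions: /24 network,
# samba-tool on the PATH, ADMIN_PASS set in the environment.

# Return 0 if $1 is a dotted-quad IPv4 address with octets in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# 192.168.1.50 -> 1.168.192.in-addr.arpa (first three octets, reversed)
reverse_zone() {
    valid_ipv4 "$1" || return 1
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    printf '%s.%s.%s.in-addr.arpa\n' "$3" "$2" "$1"
}

# 192.168.1.50 -> 50 (the host part becomes the PTR record name)
ptr_name() {
    valid_ipv4 "$1" || return 1
    printf '%s\n' "${1##*.}"
}

# Run a command, or with DRY_RUN=1 print it with the password redacted.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        out=''
        for arg in "$@"; do
            case "$arg" in --password=*) arg='--password=<redacted>' ;; esac
            out="$out${out:+ }$arg"
        done
        printf '%s\n' "$out"
    else
        "$@"
    fi
}

# create_ptr <dns-server> <fqdn> <ipv4>: create the reverse zone, add the
# PTR record, then query it back to confirm the record exists.
create_ptr() {
    server=$1; fqdn=$2; ip=$3
    zone=$(reverse_zone "$ip") || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    name=$(ptr_name "$ip")
    run samba-tool dns zonecreate "$server" "$zone" \
        --username=administrator --password="$ADMIN_PASS"
    run samba-tool dns add "$server" "$zone" "$name" PTR "$fqdn" \
        --username=administrator --password="$ADMIN_PASS"
    run samba-tool dns query "$server" "$zone" "$name" PTR \
        --username=administrator --password="$ADMIN_PASS"
}

# Usage: DRY_RUN=1 ADMIN_PASS=... sh reverse_dns.sh dc1 dc1.domain.lan 192.168.1.50
if [ $# -eq 3 ]; then
    create_ptr "$1" "$2" "$3"
fi
```

Run it once with DRY_RUN=1 to review the three commands, then without it on the DC. If the address is not on a /24, the zone name needs to be computed from the real prefix instead of the first three octets.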

Features to be added in the future:

  • Option to provision a fileserver AD member server
    • not yet sure on how this will be implemented...
    • see "Best Practice" notes below
  • Support for Roaming Profiles(?)
    • will require AD member fileserver
  • Configuration of PTR records for domain controller
    • strictly speaking they're not required but would be good
  • documentation on including a DHCP server


Currently TKLBAM won't properly backup a domain. If you wish to use TKLBAM hooks to script it there is info on the Samba Wiki: https://wiki.samba.org/index.php/Backup_and_restore_an_Samba_AD_DC

Note: if you have multiple AD DCs then, rather than restoring from backup, just rejoin the server to the domain. Restoring a backup to a server that is already a member of a domain will likely cause DB corruption and/or multiple identical domain objects.

General best practice recommendations

General DC Notes

In production it is recommended that you have a minimum of 2 domain controllers in an AD domain.

File storage/fileserver

Samba advise against using a (Samba4) domain controller as a fileserver as well. Instead it is recommended that you create a dedicated fileserver (as a domain member server). The current TurnKey fileserver appliance is NOT useful for this. See notes on the Samba wiki on setting up a member server: https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

Further domain configuration e.g. DNS

Samba recommend using Microsoft tools (from within a Windows workstation) to do additional AD (Samba4) configuration.


For production usage it is recommended to use a domain name that you have registered with a domain registrar as the realm. If you plan to use a domain that you already own (e.g. "example.com") as your realm then add a unique subdomain to avoid potential problems (e.g. "ad.example.com").

Do not use ".local" realms/tlds as they can conflict with Apple (bonjour) and zeroconf type networked devices.
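The two realm rules above (use a subdomain of a registered domain, never ".local") are cheap to check before provisioning, when changing the realm is still trivial. The following is an added example, not TurnKey's or Samba's code: a pre-flight check that rejects ".local" realms and malformed names, warns when the realm has only two labels (so a dedicated subdomain such as ad.example.com is suggested), and accepts everything else. The exit codes (0 accept, 1 reject, 2 accept with warning) and the test names are this example's own choices.

```shell
#!/bin/sh
# Added example (not TurnKey's own code): check a proposed AD realm against
# the recommendations above before running the domain provision.
# Exit codes: 0 = fine, 1 = rejected, 2 = accepted with a warning.
check_realm() {
    realm=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$realm" in
        '')
            echo "realm is empty" >&2; return 1 ;;
        *[!a-z0-9.-]*|.*|*.|*..*)
            echo "$realm: not a valid DNS name" >&2; return 1 ;;
        *.local)
            echo "$realm: '.local' conflicts with Bonjour/zeroconf (mDNS)" >&2; return 1 ;;
        *.*.*)
            return 0 ;;   # subdomain of a registered domain, e.g. ad.example.com
        *.*)
            echo "$realm: consider a dedicated subdomain such as ad.$realm" >&2; return 2 ;;
        *)
            echo "$realm: single-label realm; use a registered domain name" >&2; return 1 ;;
    esac
}

# Usage: sh check_realm.sh ad.example.com; echo $?
if [ $# -eq 1 ]; then
    check_realm "$1"
fi
```

The check is case-insensitive because Samba upper-cases the realm for Kerberos anyway; the example domain.lan from the notes above would get the two-label warning, which is the intended reminder for production use.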

See also MS documentation: http://technet.microsoft.com/en-us/library/cc726016%28v=ws.10%29.aspx/


Guest

Not Samba 4

Note that this appliance gives you samba 3.6.6, not samba 4. So if you're looking for a full Active Directory replacement, this is not it.

Jeremy Davis

As noted...

As noted in the Quick start guide...

I would anticipate that the next major revision of TurnKey appliances (v14.x) with Samba (i.e. Domain Controller and Fileserver) will utilise Samba4, but we'll have to wait and see. They will be some time away (at least 6 months, possibly longer)...

If you'd like to help develop a Samba4 appliance then that would be awesome! Have a look at TKLDev and go from there. If you have any questions then please feel free to post in the forums.

Guest

Any update?

Any update on a samba 4 version of this supporting AD? Doesn't seem like windows 10 machines will join the domain.

Guest

would be great, if there is

would be great, if there is some update in the near future. waiting for news...

Russell Alphey

Turnkey Domain Controller v14.1 doesn't work

I couldn't get my Win 7 64 machines to connect to my v13 PDC, so I grabbed v14.1...and nothing can connect to it. I don't think Samba is even starting properly; configuration tests show that the domain doesn't even appear to be there.


Guest

+1 Nothing can join

+1 on that. Nothing can join domain and the error I get when trying to start samba ad service is something like "has the domain been provisioned?"


Guest


Ok, got it to work.

1. Once installed, login to the web interface.

2. Goto System->Software Packages

3. Select Package from APT and click Search APT.

4. Search for Winbind

5. Install and reboot.


You will then see Samba services running and domain will be available.

Guest

Fix - part 2

Sorry, I forgot to mention. After you reboot, you have to run the domain py script


Jeremy Davis

Thanks Llyod

Thanks very much for posting your fix. It sounds like we need to tweak and rebuild it. I'm not sure but I'm suspecting that something within a security update has broken something (as noted elsewhere I tested it myself previously and all was well).

I know that Debian upgraded the version of Samba in the repos (to v4.2.x) since our last release. Generally they avoid that (as it often breaks things) but they had no real alternative as upstream were no longer supporting the previous version (v4.1.x) and the security patches were massive (apparently over 200 files needed patching) so would have been prone to error anyway.

The only thing that surprises me is that installing WinBind fixes it. WinBind should not be required for a Samba4 DC. In fact AFAIK it only applies to NT domains and non-domain networked Win machines. Although in fairness I don't use Windows much any more (only for testing TurnKey Samba based appliances).

The other possibilities that come to mind are that installing WinBind resolves some other issue when it installs/updates dependencies? Or perhaps it works around an issue introduced by a recent Windows update.

Regardless, thanks for providing the workaround. I have noted it on our Issue Tracker.

Guest

I can't join the domain at

I can't join the domain at all. It shows a login and password window, but after 30s of waiting to log into the domain it will say the following error occurred to join "DOMAIN": The specified domain either does not exist or could not be reached.

Guest

adding a user

How do you add a user?

Guest

got it working

Got this working now and managed to get roaming profiles to work too... The thing I notice is that each user is not getting a UID without actually creating their UID, and the same with groups. The other big thing was yes, you create the profile share in Samba, but you need to add the share to AD.