Domain Controller

Information related to the TurnKey Linux Domain Controller appliance

Notes for TurnKey Domain-Controller v15.x/v16.x/v17.x

Note: at the time of writing, v17.0 is still under development so the full feature set is as yet unconfirmed.

Recent versions of TurnKey's Domain-Controller (DC) appliance uses Samba4 to provide a Microsoft Active Directory domain.

However, it should be noted that the current appliance is a fairly bare-bones AD server. It is provided as a "better starting point" for those that wish to use Samba4 as an AD DC but is far from being feature complete.

Compatibility with Windows Server

Please note that Samba4 is not compatible with the latest Windows Server AD Schema. This should not be a problem if all your Domain Controllers use Samba. However, if you wish to join to an existing AD domain, please check the Windows AD schema to confirm it is compatible with Samba. TurnKey Linux uses the version of Samba packaged by Debian. In v16.x that is 4.9 and in v17.x will be 4.13.

Windows 2008R2 AD schema (or below) should be supported out of the box (although there may be some 2008R2 related edge case bugs still apparent in v16.x). However, you may be able to upgrade to Windows Server 2012 AD schema support (should be possible in TurnKey v17.x - unconfirmed in v16.x) or perhaps even higher (requires specific workaround).

If you try this, please be sure to post feedback (either confirming that it works, or the issues that you hit if it doesn't) in the TurnKey Forums.

Steps that need to be taken when first launched:

  • Set a static IP on your domain-controller
    • If running on AWS (e.g. TurnKey Hub) then connect an "Elastic IP" (AWS equivalent of a static IP).
    • Otherwise; easiest via confconsole
    • if not using the DHCP assigned IP please re-run the domain provision inithook - copy/paste the following into commandline:
  • (optional) Create the DNS reverse lookup zone and PTR records.
    example details:
    hostname: dc1
    domain/realm: domain.lan
    ip address:
    # Substitute $ADMIN_PASS for the administrator password 
    # the 1.168.192 is from the "network IP" (backwards) i.e. this example is for 192.168.1.x
    samba-tool dns zonecreate dc1 \
        --username=administrator --password="$ADMIN_PASS"
    # as above but 50 is from the IP i.e.
    samba-tool dns add dom-controller PTR dc1.domain.lan \
        --username=administrator --password="$ADMIN_PASS"
  • (optional) Adjust DNS forwarder in /etc/samba/smb.conf
    • currently hardcoded to Google DNS (
      edit /etc/samba/smb.conf and adjust the field that is currently "dns forwarder ="

To join a Windows Desktop to a Samba AD domain see the Samba Wiki:

Administer your AD: install RSAT

To administer your AD please install Microsoft RSAT (Remote Server Administration Tools) onto a Windows member of your Domain. Note RSAT should already be pre-installed in the latest versions of Windows 10.

Some simple administration tasks, such as adding new AD/Samba users; can be completed via samba-tool from your TurnKey Domain-Controller commandline. For more info please see the Samba Wiki - Add Users to Samba AD.

Features to be added in the future:

  • Option to provision a fileserver AD member server
    • not yet sure on how this will be implemented...
    • see "Best Practice" notes below
  • Support for Roaming Profiles(?)
    • will require AD member fileserver
  • Configuration of PTR records for domain controller
    • strictly speaking they're not required but would be good
  • documentation on including a DHCP server


Currently TKLBAM won't properly backup a domain. If you wish to use TKLBAM hooks to script it there is info on the Samba Wiki:

Note: if you have multiple AD DCs then rather than restore from backup; just rejoin the server to the domain. Restoring a backup to a server that is already a member of a domain will likely cause DB corruption and/or multiple identical domain objects.

General best practice recommendations

Running AD DC in a container

For best experience it is recommended that TurnKey Domain Controller is run within a "proper" VM (or bare metal; rather than within a LXC or Docker container). However, Samba4 should generally function ok within a "privileged" container (although no guarantees that there will be no issues). Some functionality may work within a "unprivileged" container, but strange unexpected issues will likely occur, including (but not limited to) failures when running 'samba-tool'.

General DC Notes

In production it is recommended that you have a minimum of 2 domain controllers in an AD domain.

File storage/fileserver

Samba advise against using a (Samba4) domain controller as a fileserver as well. Instead it is recommended that you create a dedicated fileserver (as a domain member server). The current TurnKey fileserver appliance is NOT useful for this with it's default config. See notes on the Samba wiki on setting up a member server:

Please note, that the TurnKey Fileserver appliance includes the same version of Sambas as the DC appliance, but is configured as "stand-alone" by default. You are welcome to reconfigure it to join an existing domain and that should work fine. Please post on the forums if you do that and would like to share your experience and/or need a hand.

Further domain configuration e.g. DNS

As noted above, Samba recommend using Microsoft RSAT (from within a Windows workstation) to do additional AD (Samba4) configuration.


For production usage it is recommended to use a domain name that you have registered with a domain registrar as the realm. If you plan to use a domain that you already own (e.g. "") as your realm then add a unique subdomain to avoid potential problems (e.g. "")

Do not use ".local" realms/tlds as they can conflict with Apple (bonjour) and zeroconf type networked devices.

See also MS documentation:

Integration with LDAP

Samba4 includes it's own custom AD user database. As a general rule, you should just use this built-in service. However, there is some limited support for integration with LDAP. For more info, please see these Samba Wiki links: