Adding additional domain controllers to a Samba4 forest using TKL

Taylor Hammerling wrote:

I'm hoping someone has some experience with this and can lend their expertise.

I have set up the first domain controller in our new forest, and it is working great.  I would like to add another DC for fault tolerance/load balancing.  When I spin up another TKL Samba4 appliance, it automatically has me go thru the initial setup, which creates another new forest.  How would I go about using TKL Samba4 14.1 to add a second DC to an existing forest?

Thanks in advance for any help you can provide!

Taylor

Taylor Hammerling wrote:

I have two DCs, DC1 and DC2.
DC1 is up and running and happy.  I am trying to bring DC2 into the fold as a secondary domain controller

I deployed the OVA out to an esx host in our COLO, ran through the initial configuration on boot, then
following the steps here,

https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Activ...

I ran this command on DC2

samba-tool domain join samdom.example.com DC -U"SAMDOM\administrator" --dns-backend=SAMBA_INTERNAL

and DC2 tried to join its own domain (it found itself), which is not what I wanted.
So then I edited /etc/resolv.conf and removed the line that included itself as a DNS server.

I then re-ran the samba-tool domain join command.  DC2 then properly joined the domain, and showed up in AD users and computers.  It still didn't seem right though.  When I tried to change domain controllers to DC2 in AD users and computers its status is "Unavailable".  I'm not sure if this is because it was already part of its own domain before I joined it to the domain DC1 is in, or if it has to do with missing DNS entries.

Per this page
https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record

There are two DNS records that do not get created by Samba4 which must be created by hand for everything to work properly.  I verified that DC2 had an appropriate A record, but it did not have an objectGUID CNAME record.  I tried to perform the steps to create the objectGUID CNAME record, but unfortunately ldbsearch isn't available on the SAMBA4 14.1 TKL box, and I'm not sure how to install it yet...

Any thoughts or suggestions would be much appreciated!

Taylor

Jeremy Davis wrote:

In a perfect world, our Domain Controller appliance should support easily changing its function (e.g. your scenario of adding it to an existing domain). Unfortunately, we haven't got that far yet...

Our philosophy is that easy things should be simple and hard things should be possible. So for more advanced configuration, as you've discovered, some work on your end is required... (Until we make it easier) If you keep in mind that under the hood TurnKey is Debian (v14.x = Debian Jessie) hopefully you should be able to find relevant info online. FWIW Debian Jessie has Samba 4.2 packaged.

Regarding 'ldbsearch', TBH I hadn't come across that one before, but I did a search for Debian packages containing the file "ldbsearch" and found that the package you want to install is called ldb-tools.

You can install it like this:

apt-get update
apt-get install ldb-tools

Once you get this working, if you could please post the steps required so then we can look to add that functionality to the DC appliance in the future.

Taylor Hammerling wrote:

Thanks Jeremy!  I'm not 100% sure I will get it working.  I've spent a pretty good deal of time on it, and it's not really a need to have.

If I do get it working, I'll definitely let you guys know how I did it!

Taylor

Taylor Hammerling wrote:

I am now trying to recreate the OVA with a modified VMDK.  My thought is that I can modify the domain-controller.py script so that it joins the domain as a DC on first boot instead of creating a new domain as a DC.  Might work, worth a try!

Jeremy Davis wrote:

Especially if you can get it working via a tweaked domain-controller.py script.

If/when we have that working, probably what we'd look to do is to make it so you can choose the role on first boot. I.e. choose new domain as per current script; or choose joining an existing domain.

Speaking of the current domain-controller.py script, really we should pull out the shell commands and put them in a separate (bash) script. Then we'd only need to call the shell once, rather than the multiple individual lines invoking shell commands.

Perhaps we should plan to do that for the v14.2 release of the DC appliance. Actually, ideally I'd also like to tweak the fileserver firstboot script, to allow it to also join an existing domain. Currently it uses the older Samba3/WinNT (i.e. not AD) style domain config so adding that to an existing domain is non-trivial.
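
Jeremy's idea of choosing the role on first boot, as an added example that is neither TurnKey's inithook code nor Samba's: a small Python helper that builds either the samba-tool domain provision command (the same flags the appliance's domain-controller.py uses) or the samba-tool domain join command from the Samba wiki page linked above. It builds an argv list and runs it through subprocess rather than interpolating into a shell string, so an administrator password containing quotes, spaces or $ reaches samba-tool unchanged. The prompt_role helper, the --password flag on the join (samba-tool prompts for it otherwise) and the command-line shape of the main block are assumptions; the realm/domain/password inputs are the ones the inithook already collects.

```python
import subprocess

# Forwarder used by the provision line in the appliance's domain-controller.py
DNS_FORWARDER = "8.8.8.8"


def build_samba_cmd(role, realm, domain, admin_password,
                    dns_backend="SAMBA_INTERNAL"):
    """Return the samba-tool argv for the chosen first-boot role.

    role == "new"  -> provision a fresh forest (what the appliance does today)
    role == "join" -> join an existing forest as an additional DC
    realm is the DNS realm (e.g. SAMDOM.EXAMPLE.COM) and domain the NetBIOS
    name (e.g. SAMDOM); both are what the inithook already prompts for.
    """
    if role == "new":
        return [
            "samba-tool", "domain", "provision",
            "--realm", realm,
            "--domain", domain,
            "--adminpass", admin_password,
            "--server-role=dc",
            "--use-rfc2307",
            # one argv element, so the embedded spaces need no shell quoting
            "--option=dns forwarder = %s" % DNS_FORWARDER,
        ]
    if role == "join":
        return [
            "samba-tool", "domain", "join", realm.lower(), "DC",
            "-U", "%s\\administrator" % domain,
            # its own argv element: no shell ever parses the password
            # (assumption: --password is used so first boot is unattended)
            "--password", admin_password,
            "--dns-backend=%s" % dns_backend,
        ]
    raise ValueError("role must be 'new' or 'join', got %r" % (role,))


def run_samba_cmd(argv):
    """Run the command without a shell; raises CalledProcessError on failure."""
    return subprocess.check_call(argv)


def prompt_role(answer):
    """Normalise a first-boot answer ('n'/'new' or 'j'/'join') to a role.

    Hypothetical helper: the real inithook would ask this in its dialog.
    """
    a = answer.strip().lower()
    if a in ("n", "new"):
        return "new"
    if a in ("j", "join"):
        return "join"
    raise ValueError("answer 'new' or 'join', got %r" % (answer,))


if __name__ == "__main__":
    # Hypothetical CLI: dc-role.py <new|join> <REALM> <DOMAIN>; the password
    # is read from the terminal so it never appears in shell history.
    import getpass
    import sys
    role = prompt_role(sys.argv[1])
    cmd = build_samba_cmd(role, sys.argv[2], sys.argv[3],
                          getpass.getpass("Administrator password: "))
    run_samba_cmd(cmd)
```

The code is written to run on both Python 2 (as shipped on the v14.x appliance) and Python 3. The only behavioural difference from the script's system() call is the quoting: with check_call(argv) the forwarder option and the password are each a single argument, whatever characters they contain.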

Taylor Hammerling wrote:

I don't have a way to mount a VMDK with write access.  Instead I decided to deploy the OVA, boot it up and when it asks for a root password, ctrl+alt+F1 to drop to a shell.  From there I can login as root (no password) and monkey around with the domain-controller.py script.

Taylor Hammerling wrote:

I got it working!  There are only two things that need to be done specifically differently when adding a DC to an existing domain using the TKL 14.1 SAMBA4 OVA.

1) the domain-controller.py script needs to be modified so that the DC joins the existing domain instead of provisioning a new domain
2) DNS entries need to be created for DC2

Please see below for my step by step instructions for setting up two domain controllers on the same domain using TKL 14.1 SAMBA4 OVA.


DC1 Install process - 
    Download the latest OVA from https://www.turnkeylinux.org/domain-controller
    import the OVA into your esx server
    power on the VM
    Go thru the initial setup process, entering the realm, domain and passwords when prompted
    Skip Initialize Hub Services (TKLBAM and dynamic dns)
    enter your notification email address for the “System Notifications and Critical Security Alerts” prompt
    select “Install” at the Security Updates prompt
    reboot after security updates have finished, the server will boot into the “DC1 appliance services” screen
    select “Advanced Menu” at the “DC1 appliance services” screen
    select “Quit”, confirm your desire to quit and drop down to a shell
    run apt-get install winbind, answer “y” to any questions to confirm your desire to install
    once the install completes, run shutdown -r now, the server will restart and boot into the “DC1 appliance services” screen
    select “Advanced Menu” at the “DC1 appliance services” screen
    select “Networking” at the “Advanced Menu” Screen
    select “StaticIP” at the “eth0 configuration” screen
    change the values to be as follows (bogus values indicated)
        IP : 172.18.6.240 
        SM : 255.255.0.0 
        GW : 172.18.0.1 
        NS1: 10.6.1.240 
        NS2: 172.18.0.1 
    because we changed the IP address, we need to re-run the domain provision inithook run
        /usr/lib/inithooks/bin/domain-controller.py 
        at a root prompt (you can either go advanced menu → quit to drop into a command prompt, or SSH into the box)
    enter all the same information you entered the first time the script ran.
    
Workstation setup -
    On a windows workstation, ensure that the first DNS server is the IP of DC1, then add the workstation to the domain
    Once on the domain, install RSAT tools so you can manage Active directory users and computers and DNS
    
DC2 Install Process -
    Download the latest OVA from https://www.turnkeylinux.org/domain-controller
    import the OVA into your esx server
    power on the VM
    Go thru the initial setup process, entering the realm, domain and passwords when prompted
    Skip Initialize Hub Services (TKLBAM and dynamic dns)
    enter your notification email address for the “System Notifications and Critical Security Alerts” prompt
    select “Install” at the Security Updates prompt
    reboot after security updates have finished, the server will boot into the “DC1 appliance services” screen 
        (default name is DC1, we are about to change it!)
    select “Advanced Menu” at the “DC1 appliance services” screen
    select “Quit”, confirm your desire to quit and drop down to a shell
    change the name of the server by editing /etc/hostname
    run apt-get update
    run apt-get install winbind, answer “y” to any questions to confirm your desire to install
    once the install completes, run shutdown -r now, the server will restart and boot into the “DC2 appliance services” screen
    select “Advanced Menu” at the “DC2 appliance services” screen
    select “Networking” at the “Advanced Menu” Screen
    select “StaticIP” at the “eth0 configuration” screen
    change the values to be as follows (bogus values indicated)
        IP : 10.6.1.240 
        SM : 255.255.255.0 
        GW : 10.6.1.1 
        NS1: 172.18.6.240 
        NS2: 172.18.0.1 
    because we changed the IP address, we need to re-run the domain provision inithook, but first we need to 
    modify the line in /usr/lib/inithooks/bin/domain-controller.py which normally provisions a new AD environment to instead join the %domainname% domain 
    Change the line from 
        system('samba-tool domain provision --realm {REALM} --domain {DOMAIN} --adminpass {ADMIN_PASSWORD} --server-role=dc --use-rfc2307 --option="dns forwarder = 8.8.8.8"'.format(REALM = realm, DOMAIN = domain, ADMIN_PASSWORD = admin_password)) 
    to 
        system('samba-tool domain join tcsbasys.com DC -U"tcsbasys.com\\administrator" --dns-backend=SAMBA_INTERNAL') 
    run /usr/lib/inithooks/bin/domain-controller.py at a root prompt (you can either go advanced menu → quit to drop into a command prompt, or SSH into the box)
    provide the administrator password when asked
    Run shutdown -r now
    Ensure DC has appropriate DNS records 
        only the A record and the objectGUID CNAME are required to get replication working, but I think it may be best to include _ldap and _kerberos entries for DC2. From a windows workstation that is joined to the domain and has RSAT installed on it, open DNS and add the following records.
        <*> %domainname%
            Name = DC2, Type = A, Data = %IP Address of DC2%
        <*>_msdcs.tcsbasys.com
            Name = %NTDS DNS Alias (find by right clicking DC2 in Active Directory Users and Computers, select properties then click on the NTDS Settings button)%, Type = CNAME, Data = dc2.%domainname%
            <*> dc
                <*> _sites
                    <*> Default-First-Site-Name
                        <*> _tcp
                            Name = _kerberos, Type = SRV, Data = [0][100][88]dc2.%domainname%
                            Name = _ldap, Type = SRV, Data = [0][100][389]dc2.%domainname%
                <*> _tcp
                    Name = _kerberos, Type = SRV, Data = [0][100][88]dc2.%domainname%
                    Name = _ldap, Type = SRV, Data = [0][100][389]dc2.%domainname%
            <*> domains
                <*> %someGUID%
                    <*> _tcp
                        Name = _ldap, Type = SRV, Data = [0][100][389]dc2.%domainname%
            <*> gc
                <*> _sites
                    <*> Default-First-Site-Name
                        <*> _tcp
                            Name = _ldap, Type = SRV, Data = [0][100][3268]dc2.%domainname%
                <*> _tcp
                    Name = _ldap, Type = SRV, Data = [0][100][3268]dc2.%domainname%
            <*> pdc
                <*> _tcp
                    Name = _ldap, Type = SRV, Data = [0][100][389]dc2.%domainname%
    Once this is done, you should have two domain controllers that are happily syncing away.
    You can check their syncing by running 'samba-tool drs showrepl'
    Give it a good 20 minutes before you check, I'm not sure how often replication happens in SAMBA4.  In a true MS environment it's every 15 minutes.
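
The DNS records listed above can also be created from a DC with samba-tool dns add instead of by hand in the RSAT DNS console. The following Python is an added example, not from the post or the Samba project: it encodes the record tree above (the A record in the domain zone, the objectGUID CNAME and the SRV records in the _msdcs zone) as samba-tool dns add commands, printing them in dry-run mode or executing them. samba-tool expects SRV data as "target port priority weight", which is the [priority][weight][port]target order the RSAT console shows. The domain name, IP and both GUIDs in the main block are constructed sample values; the NTDS objectGUID is the alias found in the NTDS Settings dialog as described above (or, with ldb-tools installed, via ldbsearch). One deliberate difference from the list above: the _ldap._tcp.pdc record is only added when pdc_emulator=True, because in AD that name resolves to the PDC emulator alone.

```python
import subprocess
try:
    from shlex import quote   # Python 3
except ImportError:           # Python 2, as on the v14.x appliance
    from pipes import quote


def srv_data(target, port, priority=0, weight=100):
    """samba-tool encodes SRV record data as '<target> <port> <priority> <weight>'."""
    return "%s %d %d %d" % (target, port, priority, weight)


def plan_dc_records(domain, dc_name, dc_ip, object_guid, domain_guid,
                    site="Default-First-Site-Name", pdc_emulator=False):
    """Return (zone, name, type, data) tuples for a DC added to `domain`.

    object_guid: the new DC's NTDS Settings objectGUID (the CNAME alias).
    domain_guid: the GUID that names the _msdcs/domains/<GUID> subtree.
    """
    fqdn = "%s.%s" % (dc_name.lower(), domain)
    msdcs = "_msdcs.%s" % domain
    records = [
        (domain, dc_name.lower(), "A", dc_ip),
        (msdcs, object_guid, "CNAME", fqdn),
    ]
    # dc: kerberos and ldap, once site-specific and once site-less
    for svc, port in (("_kerberos", 88), ("_ldap", 389)):
        records.append((msdcs, "%s._tcp.%s._sites.dc" % (svc, site),
                        "SRV", srv_data(fqdn, port)))
        records.append((msdcs, "%s._tcp.dc" % svc, "SRV", srv_data(fqdn, port)))
    # domains/<domainGUID>: ldap only
    records.append((msdcs, "_ldap._tcp.%s.domains" % domain_guid,
                    "SRV", srv_data(fqdn, 389)))
    # gc: global catalog on 3268, site-specific and site-less
    records.append((msdcs, "_ldap._tcp.%s._sites.gc" % site,
                    "SRV", srv_data(fqdn, 3268)))
    records.append((msdcs, "_ldap._tcp.gc", "SRV", srv_data(fqdn, 3268)))
    # pdc: resolves to the PDC emulator only, so add it just for that DC
    if pdc_emulator:
        records.append((msdcs, "_ldap._tcp.pdc", "SRV", srv_data(fqdn, 389)))
    return records


def to_commands(records, dns_server, admin="administrator"):
    """One samba-tool dns add argv list per record, authenticating as admin."""
    return [["samba-tool", "dns", "add", dns_server, zone, name, rtype, data,
             "-U", admin]
            for zone, name, rtype, data in records]


def apply(commands, dry_run=True):
    """Print the commands (dry run) or execute them; returns the count."""
    for argv in commands:
        if dry_run:
            print(" ".join(quote(a) for a in argv))
        else:
            subprocess.check_call(argv)   # samba-tool prompts for the password
    return len(commands)


if __name__ == "__main__":
    # Constructed sample values: replace with your own domain, IP and GUIDs
    recs = plan_dc_records(
        "samdom.example.com", "DC2", "10.6.1.240",
        object_guid="11111111-2222-3333-4444-555555555555",
        domain_guid="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
    apply(to_commands(recs, "dc1.samdom.example.com"), dry_run=True)
```

Run it in dry-run mode first and compare the printed names against the tree above; once they look right, switch to dry_run=False on the existing DC (dns_server is the DC whose internal DNS you are updating). After the records exist, samba-tool drs showrepl on both DCs should report replication in both directions.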

Jeremy Davis wrote:

Thanks so much for testing that out and documenting how to get it working! I have added a new feature request to our Issue Tracker.

I'll aim to include that in the next release. Also we'll fix the bug where winbind needs to be installed.

Taylor Hammerling wrote:

It should be noted, there is a bug in pre-4.3 samba which affects replication / surviving the loss of a DC.

We lost the disk that our DC1 was on, and I thought "no biggie, I'll just spin up a new DC1, join it to the domain, everything will be peachy".  Unfortunately this bug prevents the domain and forest DNS infrastructure FSMO roles from being properly transferred or seized, which makes for a MESSED UP setup when the first DC you created goes buh-bye.

I highly recommend that anyone who follows my directions above should do so on samba v4.3 or later. 

I had to add stretch main into my sources.list in order to be able to upgrade the samba that comes with the TKL appliance.

Hope this helps someone else :)

Taylor
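
The failure described above (DC1 gone, but the DomainDnsZones and ForestDnsZones roles still recorded as owned by it) is easy to spot from the output of samba-tool fsmo show, which prints one "<Role> owner: <DN>" line per role. The Python below is an added example, not from the post or from Samba: it parses that output, extracts the owning DC name from each NTDS Settings DN, and reports every role whose owner is not in the list of DCs you know to be alive. The embedded SAMPLE_FSMO_OUTPUT is constructed to look like the situation above (five roles seized to DC2, the two DNS roles still pointing at the lost DC1); the domain name and DNs in it are sample values.

```python
import re
import subprocess

_NTDS_DN = ("CN=NTDS Settings,CN=%s,CN=Servers,CN=Default-First-Site-Name,"
            "CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com")

# Constructed sample of `samba-tool fsmo show` output after DC1 was lost:
# the five classic roles were seized to DC2, the two DNS roles were not.
SAMPLE_FSMO_OUTPUT = "\n".join(
    "%s owner: %s" % (role, _NTDS_DN % dc) for role, dc in [
        ("SchemaMasterRole", "DC2"),
        ("InfrastructureMasterRole", "DC2"),
        ("RidAllocationMasterRole", "DC2"),
        ("PdcEmulationMasterRole", "DC2"),
        ("DomainNamingMasterRole", "DC2"),
        ("DomainDnsZonesMasterRole", "DC1"),
        ("ForestDnsZonesMasterRole", "DC1"),
    ]) + "\n"

OWNER_RE = re.compile(r"^(?P<role>\w+)\s+owner:\s+(?P<dn>.+)$")
SERVER_RE = re.compile(r"CN=NTDS Settings,CN=([^,]+),CN=Servers", re.IGNORECASE)


def parse_fsmo(text):
    """Map role name -> owning DC name (upper-cased).

    Lines that are not '<Role> owner: <DN>' are ignored; a DN without an
    NTDS Settings component (e.g. a deleted object) maps to None.
    """
    owners = {}
    for line in text.splitlines():
        m = OWNER_RE.match(line.strip())
        if not m:
            continue
        s = SERVER_RE.search(m.group("dn"))
        owners[m.group("role")] = s.group(1).upper() if s else None
    return owners


def orphaned_roles(owners, live_dcs):
    """Roles whose owner is not one of live_dcs (host names, any case)."""
    live = set(dc.upper() for dc in live_dcs)
    return dict((role, owner) for role, owner in owners.items()
                if owner not in live)


def live_fsmo_audit(live_dcs):
    """Run samba-tool fsmo show on this DC and return its orphaned roles."""
    out = subprocess.check_output(["samba-tool", "fsmo", "show"])
    return orphaned_roles(parse_fsmo(out.decode("utf-8")), live_dcs)


if __name__ == "__main__":
    orphans = orphaned_roles(parse_fsmo(SAMPLE_FSMO_OUTPUT), ["dc2"])
    for role, owner in sorted(orphans.items()):
        print("%s is owned by %s, which is no longer a live DC" % (role, owner))
    # Recovery is samba-tool fsmo seize --role=domaindns / --role=forestdns
    # (or --role=all) on a surviving DC; as noted above, that needs Samba 4.3+.
```

Running live_fsmo_audit(["dc2"]) on the surviving DC gives the same check against the real output. Running it periodically (before you need it) is the cheap way to learn that the DNS roles are stranded while the original DC is still available to transfer them.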

Jeremy Davis wrote:

That sounds like a real pain! We're currently working on v15.0 which should be released sometime early next year.

I guess in the meantime, a good backup of your first server would be a solid insurance policy?!
