Taylor Hammerling - Wed, 2017/02/22 - 16:15
I'm hoping someone has some experience with this and can lend their expertise.
I have set up the first domain controller in our new forest, and it is working great. I would like to add another DC for fault tolerance/load balancing. When I spin up another TKL Samba4 appliance, it automatically has me go thru the initial setup, which creates another new forest. How would I go about using TKL Samba4 14.1 to add a second DC to an existing forest?
Thanks in advance for any help you can provide!
Taylor
progress...
I have two DCs, DC1 and DC2.
DC1 is up and running and happy. I am trying to bring DC2 into the fold as a secondary domain controller
I deployed the OVA out to an esx host in our COLO, ran through the initial configuration on boot, then
following the steps here,
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Activ...
I ran this command on DC2
and DC2 tried to join its own domain (it found itself), which is not what I wanted.
So then I edited /etc/resolv.conf and removed the line that included itself as a DNS server.
I then re-ran the samba-tool domain join command. DC2 then properly joined the domain, and showed up in AD Users and Computers. It still didn't seem right though. When I tried to change domain controllers to DC2 in AD Users and Computers, its status is "Unavailable". I'm not sure if this is because it was already part of its own domain before I joined it to the domain DC1 is in, or if it has to do with missing DNS entries.
Per this page
https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record
There are two DNS records that do not get created by Samba4 which must be created by hand for everything to work properly. I verified that DC2 had an appropriate A record, but it did not have an objectGUID CNAME record. I tried to perform the steps to create the objectGUID CNAME record, but unfortunately ldbsearch isn't available on the SAMBA4 14.1 TKL box, and I'm not sure how to install it yet...
Any thoughts or suggestions would be much appreciated!
Taylor
I'm no Samba expert, but shouldn't be too hard
Our philosophy is that easy things should be simple and hard things should be possible. So for more advanced configuration, as you've discovered, some work on your end is required... (Until we make it easier) If you keep in mind that under the hood TurnKey is Debian (v14.x = Debian Jessie) hopefully you should be able to find relevant info online. FWIW Debian Jessie has Samba 4.2 packaged.
Regarding 'ldbsearch', TBH I hadn't come across that one before, but I did a search for Debian packages containing the file "ldbsearch" and found that the package you want to install is called ldb-tools.
You can install it like this:
Once you get this working, if you could please post the steps required so then we can look to add that functionality to the DC appliance in the future.
Danke!
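An added example (not code from the thread, TurnKey or Samba) that works the objectGUID CNAME step from the post above using ldbsearch from the ldb-tools package named in the reply: it pulls the new DC's NTDS Settings objectGUID out of ldbsearch output and emits the samba-tool command that creates the record. The domain, DC names and the ldbsearch output are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from TurnKey/Samba.
# Derives the objectGUID CNAME that Samba does not create for a joined DC
# and emits the samba-tool commands to create and verify it.
# DOMAIN, DC names and the sample ldbsearch output are constructed.

DOMAIN="samdom.example.com"   # assumed AD DNS zone
EXISTING_DC="DC1"             # DC that already serves the zone
NEW_DC="DC2"                  # DC that was just joined

# Constructed sample of what ldbsearch (package ldb-tools) prints for:
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
SAMPLE_LDB='dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
objectGUID: 11111111-2222-3333-4444-555555555555

dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
objectGUID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
'

# extract_objectguid DC LDB_TEXT: print the objectGUID of DC's "NTDS Settings" object.
# The trailing comma in the pattern keeps DC1 from also matching DC10.
extract_objectguid() {
    want=0
    printf '%s\n' "$2" | while IFS= read -r line; do
        case "$line" in
            "dn: "*"CN=NTDS Settings,CN=$1,"*) want=1 ;;
            "dn: "*)                            want=0 ;;
            "objectGUID: "*)
                if [ "$want" -eq 1 ]; then printf '%s\n' "${line#objectGUID: }"; break; fi ;;
        esac
    done
}

# cname_add_cmd GUID: samba-tool invocation that registers GUID._msdcs.DOMAIN -> NEW_DC.DOMAIN
cname_add_cmd() {
    printf 'samba-tool dns add %s _msdcs.%s %s CNAME %s.%s -U administrator\n' \
        "$EXISTING_DC" "$DOMAIN" "$1" "$NEW_DC" "$DOMAIN"
}

# cname_fqdn GUID: the name the other DCs look up when replicating with NEW_DC
cname_fqdn() { printf '%s._msdcs.%s\n' "$1" "$DOMAIN"; }

GUID=$(extract_objectguid "$NEW_DC" "$SAMPLE_LDB")
[ -n "$GUID" ] || { echo "no NTDS Settings objectGUID found for $NEW_DC" >&2; exit 1; }
echo "# create the record on $EXISTING_DC, then check that it resolves:"
cname_add_cmd "$GUID"
echo "host -t CNAME $(cname_fqdn "$GUID")"
```

On a real DC, replace SAMPLE_LDB with the live ldbsearch output and run the printed samba-tool line; a missing or wrong CNAME is what leaves a joined DC showing as "Unavailable" to the other DCs.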
Thanks Jeremy! I'm not 100% I will get it working. I've spent a pretty good deal of time on it, and it's not really a need to have.
If I do get it working, I'll definitely let you guys know how I did it!
Taylor
Latest update
I am now trying to recreate the OVA with a modified VMDK. My thought is that I can modify the domain-controller.py script so that it joins the domain as a DC on first boot instead of creating a new domain as a DC. Might work, worth a try!
If you can get it working, please let us know.
If/when we have that working, probably what we'd look to do is to make it so you can choose the role on first boot. I.e. choose new domain as per current script; or choose joining an existing domain.
Speaking of the current domain-controller.py script, really we should pull out the shell commands and put them in a separate (bash) script. Then we'd only need to call the shell once, rather than the multiple individual lines invoking shell commands.
Perhaps we should plan to do that for the v14.2 release of the DC appliance. Actually, ideally I'd also like to tweak the fileserver firstboot script, to allow it to also join an existing domain. Currently it uses the older Samba3/WinNT (i.e. not AD) style domain config so adding that to an existing domain is non-trivial.
can't mount VMDK with write access
I don't have a way to mount a VMDK with write access. Instead I decided to deploy the OVA, boot it up and when it asks for a root password, ctrl+alt+F1 to drop to a shell. From there I can login as root (no password) and monkey around with the domain-controller.py script.
Hooray!!!
I got it working! There are only two things that need to be done specifically differently when adding a DC to an existing domain using the TKL 14.1 SAMBA4 OVA.
1) the domain-controller.py script needs to be modified so that the DC joins the existing domain instead of provisioning a new domain
2) DNS entries need to be created for DC2
Please see below for my step by step instructions for setting up two domain controllers on the same domain using TKL 14.1 SAMBA4 OVA.
Awesome work!
I'll aim to include that in the next release. Also we'll fix the bug where winbind needs to be installed.
BUG REPORT!!!
It should be noted, there is a bug in pre-4.3 Samba which affects replication / surviving the loss of a DC.
We lost the disk that our DC1 was on, and I thought "no biggie, I'll just spin up a new DC1, join it to the domain, everything will be peachy". Unfortunately this bug prevents the domain and forest DNS infrastructure FSMO roles from being properly transferred or seized, which makes for a MESSED UP setup when the first DC you created goes buh-bye.
I highly recommend that anyone who follows my directions above should do so on samba v4.3 or later.
I had to add stretch main into my sources.list in order to be able to upgrade the samba that comes with the TKL appliance.
Hope this helps someone else :)
Taylor
Thanks for that warning Taylor!
I guess in the meantime, a good backup of your first server would be a solid insurance policy?!