Additional domain controllers

How to add additional domain controllers to an existing domain in Linux




Install packages

pacman -Syu krb5 python-dnspython openresolv samba bind

Rename machine

Note

Windows NetBIOS names are limited to 15 characters (the 16th byte of the 16-byte name is reserved for the service suffix). The name must also be unique in the domain: the new DC cannot reuse the existing DC's name, and it must match the host name used in krb5.conf below.

/etc/hostname
arch-vm-dc2

Setup network

Wired adapter using a static IP (NAT)

/etc/systemd/network/20-wired.network
[Match]
Name=enp1*

[Network]
Address=192.168.122.31/24
Gateway=192.168.122.1
DNS=192.168.122.30

chmod 644 /etc/systemd/network/20-wired.network
Tip

Second bridged wired adapter using DHCP for ssh access

/etc/systemd/network/21-wired.network
[Match]
Name=enp8*

[Network]
DHCP=yes
chmod 644 /etc/systemd/network/21-wired.network

Use the domain's DNS server

Reconfigure resolvconf so that the existing domain controller (192.168.122.30) is the only nameserver: the join locates the domain through the SRV records served by AD DNS, and a non-AD resolver in the list can make lookups fail intermittently. Once named is running on this machine you can switch the nameserver to 127.0.0.1.

/etc/resolv.conf.tail
# Samba configuration
search wildw1ng.local
nameserver 192.168.122.30

Set permissions

chmod 644 /etc/resolv.conf.tail

Regenerate the new file

resolvconf -u

System clock synchronization

Kerberos rejects tickets when the clock skew between KDCs and clients exceeds 5 minutes, so both DCs must keep time from the same source. Read about systemd-timesyncd.


Join an existing domain as a new Domain Controller

This follows the "Join an existing domain as a new domain controller" section of the ArchWiki Samba/Active Directory domain controller article. Run the join as root with the network and DNS configured as above:

samba-tool domain join wildw1ng.local DC -U "WILDW1NG\Administrator"

Copy the krb5.conf generated by the join. The generated file contains the [libdefaults] section; the [realms] and [domain_realm] entries below map the domain and the new DC's host name to the realm:

cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
/etc/krb5.conf

[libdefaults]
        default_realm = WILDW1NG.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]
WILDW1NG.LOCAL = {
        default_domain = wildw1ng.local
}

[domain_realm]
        ARCH-VM-DC2 = WILDW1NG.LOCAL
chmod 644 /etc/krb5.conf

Copy the idmap

Samba does not replicate idmap.ldb. Copy it from the existing DC so both DCs map the same SIDs to the same uids and gids; otherwise file ownership in SysVol differs between the two DCs.

On the existing domain controller, as root:

tdbbackup -s .bak /var/lib/samba/private/idmap.ldb
mv /var/lib/samba/private/idmap.ldb.bak /home/wildw1ng/
chown wildw1ng:users /home/wildw1ng/idmap.ldb.bak

then, as wildw1ng (rsync runs over ssh to the new DC):

rsync -avhP ~/idmap.ldb.bak 192.168.122.33:/home/wildw1ng/

On the new machine, as root, before samba is started for the first time:

mv /home/wildw1ng/idmap.ldb.bak /var/lib/samba/private/idmap.ldb
chown root:root /var/lib/samba/private/idmap.ldb
chmod 600 /var/lib/samba/private/idmap.ldb
Note

If you intend to keep multiple DCs, this copy has to be repeated whenever the mapping changes, and SysVol is not replicated by Samba either; the Samba wiki documents an rsync-based SysVol replication workaround that covers both. After replacing idmap.ldb the Samba wiki recommends running samba-tool ntacl sysvolreset so the SysVol ACLs are rebuilt with the copied mappings.
This also applies to transferring the idmap from Windows DCs.


Enable services

systemctl enable named
systemctl enable samba

BIND9_DLZ DNS backend

samba_upgradedns --dns-backend=BIND9_DLZ

samba_upgradedns writes the DLZ module configuration for this host and prints the file that /etc/named.conf has to include (/var/lib/samba/bind-dns/named.conf on current Samba releases). Make sure that include is present and that named-checkconf passes, then restart named.service:

systemctl restart named

Update DNS records

With --use-samba-tool the records are registered through the DNS RPC server of the running DC, so start samba.service first, then:

samba_dnsupdate --all-names --use-samba-tool --verbose
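The join is only useful if replication works in both directions and the domain's SRV records now advertise the new DC. The script below is an added example (not part of this page or of Samba) that checks those two things plus the NetBIOS name length. It assumes the new DC is called arch-vm-dc2 and the domain is wildw1ng.local; the showrepl and dig outputs embedded in it are constructed samples in the format the real tools print, used when samba-tool and dig are not installed. dig comes from the bind package installed above.

```sh
#!/bin/sh
# Post-join sanity checks for a new Samba DC.
# Added example: the hostnames, the domain and every sample command output
# below are constructed for illustration, not captured from a real DC.

DOMAIN=wildw1ng.local
NEW_DC=arch-vm-dc2   # assumed name of the DC being added

# NetBIOS names are at most 15 characters; a longer hostname is truncated
# and the DC registers under a name you did not intend. Only hostname-safe
# characters are accepted.
netbios_name_ok() {
    case $1 in
        '' | *[!A-Za-z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Takes the text of "samba-tool drs showrepl" and succeeds only if every
# inbound and outbound partner reports "0 consecutive failure(s)".
showrepl_healthy() {
    bad=$(printf '%s\n' "$1" | grep -c -E '^[[:space:]]*[1-9][0-9]* consecutive failure') || true
    [ "$bad" -eq 0 ]
}

# Takes "dig +short SRV <name>" output (priority weight port target) and
# succeeds if the given host is one of the targets, ignoring case and the
# trailing dot.
srv_advertises() {
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    printf '%s\n' "$1" | awk -v h="$want" '
        NF >= 4 { t = tolower($4); sub(/\.$/, "", t); if (t == h) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample outputs, in the layout the real tools print.
SAMPLE_SHOWREPL_OK='==== INBOUND NEIGHBORS ====

DC=wildw1ng,DC=local
    Default-First-Site-Name\ARCH-VM-DC via RPC
        Last attempt @ Mon Jan  1 00:00:00 2024 UTC was successful
        0 consecutive failure(s).

==== OUTBOUND NEIGHBORS ====

DC=wildw1ng,DC=local
    Default-First-Site-Name\ARCH-VM-DC via RPC
        Last attempt @ Mon Jan  1 00:00:00 2024 UTC was successful
        0 consecutive failure(s).'

# Same layout, but the existing DC cannot pull from us: the join looks fine
# from here, yet nothing written on this DC would ever reach the other one.
SAMPLE_SHOWREPL_BAD='==== OUTBOUND NEIGHBORS ====

DC=wildw1ng,DC=local
    Default-First-Site-Name\ARCH-VM-DC via RPC
        Last attempt @ Mon Jan  1 00:00:00 2024 UTC failed, result 1722 (WERR_RPC_S_SERVER_UNAVAILABLE)
        3 consecutive failure(s).'

SAMPLE_SRV='0 100 389 arch-vm-dc.wildw1ng.local.
0 100 389 ARCH-VM-DC2.wildw1ng.local.'

# Run against the live DC when the tools are installed, otherwise against
# the samples so the checks can be tried anywhere.
run_checks() {
    rc=0
    netbios_name_ok "$NEW_DC" || { echo "FAIL: '$NEW_DC' is not a valid NetBIOS name"; rc=1; }
    if command -v samba-tool >/dev/null 2>&1 && command -v dig >/dev/null 2>&1; then
        repl=$(samba-tool drs showrepl 2>&1)
        srv=$(dig +short SRV "_ldap._tcp.$DOMAIN")
    else
        repl=$SAMPLE_SHOWREPL_BAD
        srv=$SAMPLE_SRV
    fi
    showrepl_healthy "$repl" || { echo "FAIL: drs showrepl reports replication failures"; rc=1; }
    srv_advertises "$srv" "$NEW_DC.$DOMAIN" \
        || { echo "FAIL: _ldap._tcp.$DOMAIN does not advertise $NEW_DC"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: replication and DNS look healthy"
    return "$rc"
}

# Only run the checks when executed as a script named check-dc-join.sh.
case ${0##*/} in
    check-dc-join.sh) run_checks; exit $? ;;
esac
```

Save it as check-dc-join.sh and run it on the new DC after samba_dnsupdate. A non-zero exit means either a replication partner reports consecutive failures or the domain's _ldap._tcp SRV record set does not include this host; repeat the SRV check for _kerberos._tcp and the _msdcs names in the same way if you extend it.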
