Commands for successful domain controller replication on Ubuntu / Samba4 / Zentyal

ubuntu samba active-directory samba4 zentyal-linux

9,974

Step 1: Verify the Kerberos configuration on the Primary Domain Controller (D/C).

$> cat /etc/krb5.conf
default_realm = yourdomain.com
dns_lookup_realm = true
dns_lookup_kdc = true

Step 2: Update /etc/resolv.conf with the address of your DNS Server (same as your Primary D/C.) Do this on your PDC.
```
$> cat /etc/resolv.conf
search yourdomain.com
nameserver XXX.XXX.XXX.XXX
```

Step 3: Update /etc/resolv.conf on your secondary D/C to point to your PDC.

$> echo "search yourdomain.com" >> /etc/resolv.conf
$> echo "nameserver XXX.XXX.XXX.XXX >> /etc/resolv.conf

Step 4: If your SMB version is 4.1, DO NOT RUN THIS COMMAND:

$ samba-tool domain join yourdomain.com DC \
    -Uadministrator --realm=yourdomain.com

Step 5: If the prior step caused an error, make sure you have the libattr and libacl packages, then remount your filesytem and update your /etc/fstabs for permanence. If that doesn't work, add the --use-ntvs parameter to the domain join command.

Step 6: Check resolution of domain.

$> nslookup sdc.yourdomain.com
Server: XXX.XXX.XXX.XXX
Address: XXX.XXX.XXX.XXX

From the PDC^^

If your SDC is not resolvable, add an entry to the file:
/usr/local/samba/private/dns/example.com.zone:

    sdc IN A XXX.XXX.XXX.XXX

Restart DNS:

$> service named restart

From the PDC:

$> nslookup sdc.example.com
Server: XXX.XXX.XXX.XXX
Address: XXX.XXX.XXX.XXX#XX

Verify objectGUID is resolvable to the new hostname for the SDC.

$> ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)' \
    --cross-ncs object guid

dn: CN=NTDS Settings, CN=TEST, CN=SERVERS, 
    CN=Default-First-Site-Name,CN=Sites,CN=Configuration, DC=example.com,DC=com
objectGUID: XXXXXXXX-XXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
# ... Records 2
... SAME STUFF
... objectGUID ''-''-''-''-''-''-''

Update DNS record:

$>samba-tool dns add PDC-IP _msdcs.yourdomain.com $GUID CNAME \
    sdc.yourdomain.com --UAdministrator

Edit zone file to add GUID.

In file: /usr/local/samba/private/dns/yourdomain.com.zone:

$GUID. IN CNAME sdc

Restart NAMED

$> service named restart

Now try the command again:

$ host -t NAME $GUID._msdcs.example.com

Update your SDC /etc/resolv.conf to point to both itself and the PDC

### /etc/resolv.conf
search yourdomain.com
nameserver $PDC_IP
nameserver $SDC_IP

Start samba on the SDC.

9,974

Daniel

Updated on September 18, 2022

Comments

Daniel over 1 year
I have a Primary Domain Controller (PDC) and an Additional Domain Controller (ADC) running on two different machines at two different locations connected via a VPN. Both are running a version of Ubuntu with Samba4. I'm having trouble getting changes to replicate from DC to DC, but most of my trouble is only one way.

I have determined that the correct way to initiate a replication from PDC -> ADC is to send the following command FROM THE ADC:
```
sudo net rpc share migrate files sysvol \
    -k --destination=ADCserverName.companyname.local \
    -S PDCserverName.companyname.local --acls \
    -U "companyname\\AdminAccountName"
```
...and this works pretty well.

What is not working is my ADC -> PDC replication. And furthermore, I am not sure about what command I should issue FROM THE PDC to initiate an ADC -> PDC replication.

Would it be the EXACT SAME COMMAND with simply the --destination= and -S reversed?

Full disclosure: I'm running the two Domain Controllers on Zentyal Community Edition 3.5. I have tried getting help from the forum there: https://forum.zentyal.org/index.php?topic=23294.0 but the response so far has been zero. As I understand it Zentyal is merely a customized version of samba4 running on top of Ubuntu with a nice GUI. So I thought I might get a generic answer related to samba here.
- Daniel over 9 years
  
  Someone edited my post. The command is much easier to read, so thanks. I am curious why they edited "I am" to "I'm". I don't really care, it is just... such an irrelevant detail :)
Tyler Maginnis over 9 years

I appreciate moderator feedback. This teaches me how to answer questions more effectively.
Daniel over 9 years

Tyler, this is fantastic information. However, I think most of this is already handled by Zentyal's configuration. What I want to know is what is the command to manually initiate replication from ADC -> PDC (but I believe the command is sent from the PDC). Then, depending on what errors do or do not show up, I will start trying to hunt down where the problem lies using this wonderful tutorial.
Daniel over 9 years

Basically what I want to know is if this command should work FROM the PDC: sudo net rpc share migrate files sysvol \ -k --destination=PDCserverName.companyname.local \ -S ADCserverName.companyname.local --acls \ -U "companyname\\AdminAccountName"'
Daniel over 9 years

So, will this command work?
Tyler Maginnis over 9 years

Looks right to me.