sudo apt update && sudo apt upgrade -y
sudo hostnamectl set-hostname ad1
sudo nano /etc/hosts
Add the following line, replacing the IP with the principal AD-DC's IP:
10.0.0.1 ad0.test.local ad0
Define a static IP on the secondary AD-DC, pointing its nameserver at the primary DC:
network:
  ethernets:
    eth0:
      ...
      nameservers:
        addresses:
          - 10.0.0.1   # Primary DC
  renderer: networkd
  version: 2
Apply, reboot, and test the domain resolution.
sudo netplan apply
sudo reboot
ping test.local
Verify that the clocks on both domain controllers agree; if necessary, sync them to a common NTP server (Kerberos rejects requests when the clock skew is too large).
Install:
sudo apt-get install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind -y
When the installer prompts for the default Kerberos realm, answer with the domain in UPPER CASE:
TEST.LOCAL
Verify the Kerberos settings by requesting a ticket for the domain administrator with kinit and listing it with klist:
kinit administrator@TEST.LOCAL
klist
Join the domain as an additional Domain Controller:
sudo systemctl stop samba-ad-dc smbd nmbd winbind
sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.initial
sudo samba-tool domain join test.local DC -U "administrator"
Edit /etc/samba/smb.conf and append these settings to the [global] section:
dns forwarder = 8.8.8.8
idmap_ldb:use rfc2307 = yes
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
Then:
sudo systemctl unmask samba-ad-dc
sudo systemctl start samba-ad-dc
sudo samba-tool drs showrepl
sudo mv /etc/krb5.conf /etc/krb5.conf.initial
sudo ln -s /var/lib/samba/private/krb5.conf /etc/
sudo kinit administrator
If everything went well, validate the domain services and create a test user:
sudo host test.local
sudo host -t SRV _kerberos._udp.test.local
sudo host -t SRV _ldap._tcp.test.local
sudo samba-tool user create TestUser
On the principal AD DC, check that the new user has replicated:
sudo samba-tool user list | grep TestUser
You can also list users and groups with the following commands:
wbinfo -u
wbinfo -g
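The showrepl step above only prints the replication state; nothing fails if a partner link is broken. The following is an added example (not part of the original tutorial) that filters that output and exits non-zero when a partition reports failed attempts, so it can be run from cron or a monitoring agent on the new DC. The sample outputs embedded below are constructed; the GUIDs are placeholders.

```shell
#!/bin/sh
# Usage on the DC:  sudo samba-tool drs showrepl | check_showrepl

# Reads `samba-tool drs showrepl` output on stdin and prints one FAIL line per
# unhealthy partner link. Returns 0 when all links are healthy, 1 otherwise.
check_showrepl() {
    awk '
        /^(DC|CN)=/            { partition = $0 }   # naming-context header, e.g. DC=test,DC=local
        /\\.* via /            { partner = $1 }     # e.g. Default-First-Site-Name\AD0 via RPC
        /consecutive failure/  {                    # "N consecutive failure(s)."
            if ($1 + 0 > 0) { printf "FAIL %s <- %s: %s consecutive failures\n", partition, partner, $1; bad = 1 }
        }
        /Last attempt .* failed/ {                  # "Last attempt @ ... failed, result ..."
            printf "FAIL %s <- %s: %s\n", partition, partner, $0; bad = 1
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample: ad1 replicating cleanly from ad0.
healthy_sample() {
cat <<'EOF'
Default-First-Site-Name\AD1
DSA object GUID: 00000000-0000-0000-0000-000000000001

==== INBOUND NEIGHBORS ====

DC=test,DC=local
    Default-First-Site-Name\AD0 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000002
        Last attempt @ Mon Jan  1 10:00:00 2024 UTC was successful
        0 consecutive failure(s).
        Last success @ Mon Jan  1 10:00:00 2024 UTC
EOF
}

# Constructed sample: the Configuration partition has stopped replicating.
broken_sample() {
cat <<'EOF'
==== INBOUND NEIGHBORS ====

CN=Configuration,DC=test,DC=local
    Default-First-Site-Name\AD0 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000002
        Last attempt @ Mon Jan  1 10:05:00 2024 UTC failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
        3 consecutive failure(s).
        Last success @ Mon Jan  1 09:00:00 2024 UTC
EOF
}
```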