Samba Active Directory Domain Controller

From Linux Infrastructure Advisory
Setup Details
Hostname: dc1
Network: 172.16.141.0/24
IP Address: 172.16.141.115
Subnet Mask: 255.255.255.0
Gateway: 172.16.141.1
DNS: 8.8.8.8,9.9.9.9
sudo user: kedar

Hostname: dc2
Network: 172.16.141.0/24
IP Address: 172.16.141.116
Subnet Mask: 255.255.255.0
Gateway: 172.16.141.1
DNS: 8.8.8.8,9.9.9.9
sudo user: kedar

Domain: corp.atez.world
AD: Samba 4.19.5
DNS: Bind9 9.18
OS: Ubuntu 24.04

What is this 'How To'

This 'How To' is the summary document for implementing Samba Active Directory. It outlines the various aspects of implementing the domain controllers, what will be done and how it will be done. Before reading the instructions on how to install the Primary Domain Controller and the Secondary Domain Controller, read this article thoroughly and follow the nomenclature and architecture used here. Below are the links to the actual technical instructions on how to install the Samba Domain Controller and Bind9 as the DNS backend. Do not skip this article and jump straight to installing the Primary AD and the Additional AD; the installation will fail.

Before you proceed

The Active Directory domain used here is corp.atez.world. Neither the TLD atez.world nor the sub-domain corp.atez.world is owned by us. It is used only for demonstration, and the DNS entries required for this domain have already been added to the hosts file so that the domain and any sub-domains are reachable on the network. This domain may be owned by someone else; we do not know who that is and we are not linked to them. Services configured for this domain or sub-domain are not reachable from the internet on the servers where they are configured. Someone else may do similar configurations and make them available on the internet, but we are not responsible for that as we do not own the domain.

Introduction

  • We shall configure a primary Active Directory Domain Controller and a secondary Active Directory Domain Controller, using Bind9_DLZ as the DNS backend in place of Samba's internal DNS server.
  • Bind9_DLZ has several benefits; this 'How-To' is not the place to discuss them all, but one important advantage is that the DNS server can be configured in forward-only, recursive, or authoritative mode.
  • Both VMs are fully patched, and the user 'kedar' used in this 'How-To' has sudo privileges.

Main Steps

Both Servers

  • Install prerequisites
  • Make changes to the hosts file
  • Disable systemd-resolved
  • Configure the Chrony NTP server
  • For detailed commands and configurations click here

On dc1

  • Make changes to resolv.conf and netplan <interface>
  • Install Samba
  • Disable Samba and allied services
  • Move the original smb.conf aside and let Samba provisioning create a new one
  • Provision Samba
    • Choose the realm as CORP.ATEZ.WORLD
    • DNS backend: Bind9_DLZ
  • Generate TLS certificates, as TLS is enabled by default
  • Make changes to the Samba config file
  • Configure Bind9 by making changes to 3 files
    • /etc/bind/named.conf.options
    • /etc/bind/named.conf.local
    • /etc/default/named
  • Make changes to
    • /etc/resolv.conf
    • /etc/netplan/<interface>
  • Make changes to the Kerberos files (krb5)
  • Prepare to start the Samba AD and Bind9 services
    • Unmask the Samba AD DC service
    • Start the Samba and Bind9 services
    • Enable the Samba and Bind9 services to start after reboot
    • Check the status of Samba and Bind9
  • Run validations to check that AD and DNS are working
  • For detailed commands and configurations click here
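As an added example (not part of this how-to or its linked instructions), the script below writes the three Bind9 files from the list above with the values from the Setup Details. The /var/lib/samba/bind-dns path, the forward-only choice, the LAN-only query ACL and the IPv4-only OPTIONS line are assumptions based on the stock Ubuntu Samba and Bind9 packages:

```shell
#!/bin/bash
# Added example, not part of the original how-to: writes the three Bind9 files
# named in the dc1 step list. Paths follow the stock Debian/Ubuntu Samba layout
# and the IPs come from this page's setup details; both are assumptions.
set -eu
BIND_DIR="${BIND_DIR:-/etc/bind}"          # point at a scratch dir for a dry run
DEFAULT_DIR="${DEFAULT_DIR:-/etc/default}"
DC_IP="${DC_IP:-172.16.141.115}"           # dc1; use 172.16.141.116 on dc2
LAN="${LAN:-172.16.141.0/24}"
FORWARDERS="${FORWARDERS:-8.8.8.8; 9.9.9.9;}"
SAMBA_BIND="/var/lib/samba/bind-dns"       # created by 'samba-tool domain provision'

write_named_conf_options() {
  cat > "$BIND_DIR/named.conf.options" <<EOF
options {
    directory "/var/cache/bind";
    listen-on { 127.0.0.1; ${DC_IP}; };
    listen-on-v6 { none; };
    // only this LAN may query the DC or recurse through it
    allow-query { localhost; ${LAN}; };
    allow-recursion { localhost; ${LAN}; };
    // forward-only mode: every name outside the AD zones goes to the forwarders;
    // drop "forward only" to let named recurse on its own
    forwarders { ${FORWARDERS} };
    forward only;
    // keytab Samba provisioned for GSS-TSIG secure dynamic updates
    tkey-gssapi-keytab "${SAMBA_BIND}/dns.keytab";
    minimal-responses yes;
};
EOF
}

write_named_conf_local() {
  # Samba generates this file; it loads the DLZ module for the AD zones
  printf 'include "%s/named.conf";\n' "$SAMBA_BIND" > "$BIND_DIR/named.conf.local"
}

write_default_named() {
  # run as the bind user and IPv4 only (the lab network above has no IPv6)
  printf 'OPTIONS="-u bind -4"\n' > "$DEFAULT_DIR/named"
}

write_bind_confs() {
  write_named_conf_options
  write_named_conf_local
  write_default_named
}

if [ "${APPLY:-0}" = 1 ]; then write_bind_confs; fi   # APPLY=1 ./bind-dlz.sh
```

Run it with BIND_DIR and DEFAULT_DIR pointing at a scratch directory first and diff the result against the live files before setting APPLY=1.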

On dc2

  • Make changes to resolv.conf and netplan <interface>
  • Install Samba
  • Disable Samba and allied services
  • Move the original smb.conf aside and let Samba provisioning create a new one
  • Join Samba to the domain as an additional DC against the primary domain controller
    • Choose the realm as CORP.ATEZ.WORLD
    • DNS backend: Bind9_DLZ
  • Generate TLS certificates, as TLS is enabled by default
  • Make changes to the Samba config file
  • Configure Bind9 by making changes to 3 files
    • /etc/bind/named.conf.options
    • /etc/bind/named.conf.local
    • /etc/default/named
  • Make changes to
    • /etc/resolv.conf (add the IP addresses of both AD servers)
    • /etc/netplan/<interface> (add both AD servers as name servers)
  • Make changes to the Kerberos files (krb5)
  • Prepare to start the Samba AD and Bind9 services
    • Unmask the Samba AD DC service
    • Start the Samba and Bind9 services
    • Enable the Samba and Bind9 services to start after reboot
    • Check the status of Samba and Bind9
  • Run validations to check that AD and DNS are working
  • For detailed commands and configurations click here
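As an added example (not from this how-to), a validation script for the last step on both DCs: it checks that every AD service record lists both dc1 and dc2, then runs the Samba replication, database and Kerberos checks. The SRV record names, the samba-tool subcommands and the 'administrator' account are assumptions from standard Samba, not taken from this page:

```shell
#!/bin/bash
# Added example, not from the original how-to: the "Run validations" step for a
# two-DC setup. Realm and DC names are taken from this page's setup details;
# dig, samba-tool and kinit are the standard Bind9, Samba and MIT Kerberos tools.
set -eu

REALM="${REALM:-corp.atez.world}"
EXPECTED_DCS="dc1.${REALM} dc2.${REALM}"

# Parse 'dig +short SRV' lines ("prio weight port target.") from stdin and
# print each target hostname without the trailing dot.
srv_targets() {
  awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# Read SRV output from stdin and print every expected DC that is not listed.
# Returns 0 when both DCs are present, 1 when any is missing.
missing_dcs() {
  found=$(srv_targets)
  rc=0
  for dc in $EXPECTED_DCS; do
    if ! printf '%s\n' "$found" | grep -qxF "$dc"; then
      echo "$dc"
      rc=1
    fi
  done
  return $rc
}

# Live check of one AD service record, e.g. _ldap._tcp or _kerberos._udp.
check_srv() {
  dig +short "$1.${REALM}" SRV | missing_dcs >/dev/null
}

run_checks() {
  for svc in _ldap._tcp _kerberos._tcp _kerberos._udp _kpasswd._udp; do
    if check_srv "$svc"; then echo "OK   $svc.$REALM lists both DCs"
    else echo "FAIL $svc.$REALM is missing a DC"; fi
  done
  # replication state between dc1 and dc2 as seen from this DC
  samba-tool drs showrepl
  # consistency of the AD database across all naming contexts
  samba-tool dbcheck --cross-ncs
  # a TGT for the domain admin proves the KDC and realm lookup work (prompts for the password)
  kinit "administrator@$(printf '%s' "$REALM" | tr '[:lower:]' '[:upper:]')" && klist
}

if [ "${RUN_CHECKS:-0}" = 1 ]; then run_checks; fi   # RUN_CHECKS=1 ./validate-ad.sh
```

A record that lists only one DC after the dc2 join usually means the join's DNS registration or the Bind9 DLZ include on that host is not in place yet.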

Conclusion

  • A fully functional Samba-based Active Directory is set up and ready to be used in production. You may still need to add hardening rules, enable the firewall, and allow only the required ports for communication.
  • Bind9 DLZ is a fully functional Bind9 server with the ability to run in recursive or forward-only mode, as configured.
  • The Windows RSAT tools can be used to manage the AD and DNS remotely, as if it were a Windows Active Directory server.
