We'll join a second DC to our all-Ubuntu altea.site test domain. Unfortunately the wiki gets you only part of the way there.
Existing DC:
DC1 fqdn: palmera.altea.site
Active and running Samba.
DC to be joined:
DC2 fqdn: geranio.altea.site
Unprovisioned.
On DC2:
Set palmera's IP as the only DNS server.
Edit /etc/krb5.conf
[libdefaults]
default_realm = ALTEA.SITE
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
ALTEA.SITE = {
kdc = palmera.altea.site:88
}
samba-tool domain join altea.site DC -UAdministrator --dns-backend=BIND9_DLZ --realm=ALTEA.SITE
Edit /etc/krb5.conf
Remove the [realms] section
Add the DNS of DC2 as the primary DNS server on DC2 and as the secondary DNS server on DC1.
Do both DCs resolve? First get the objectGUID of each DC:
sudo ldbsearch --url=/usr/local/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
[sudo] password for steve:
# record 1
dn: CN=NTDS Settings,CN=GERANIO,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=altea,DC=site
objectGUID: 51755e44-0a78-4ab8-8206-b4ae8a09c172
# record 2
dn: CN=NTDS Settings,CN=PALMERA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=altea,DC=site
objectGUID: 37cb1209-7eef-4671-b38b-2a71c231a40b
host -t CNAME 51755e44-0a78-4ab8-8206-b4ae8a09c172._msdcs.altea.site
51755e44-0a78-4ab8-8206-b4ae8a09c172._msdcs.altea.site is an alias for geranio.altea.site.
host -t CNAME 37cb1209-7eef-4671-b38b-2a71c231a40b._msdcs.altea.site
37cb1209-7eef-4671-b38b-2a71c231a40b._msdcs.altea.site is an alias for palmera.altea.site.
If not, add the CNAME(s) to the _msdcs zone (the name is the objectGUID from the ldbsearch above):
sudo samba-tool dns add geranio _msdcs.altea.site 51755e44-0a78-4ab8-8206-b4ae8a09c172 CNAME geranio.altea.site -UAdministrator
Sync the built-in GPOs (sysvol):
Delete /usr/local/samba/private/idmap.ldb on DC2
Copy /usr/local/samba/private/idmap.ldb from DC1 to the same location on DC2
On DC2:
samba-tool ntacl sysvolreset
samba -i -d3
Wait until activity ends.
Add the DNS failover entries:
sudo samba-tool dns add geranio altea.site _ldap._tcp SRV "geranio.altea.site 389 0 100 " -UAdministrator
sudo samba-tool dns add geranio altea.site _kerberos._tcp SRV "geranio.altea.site 88 0 100 " -UAdministrator
sudo samba-tool dns add geranio altea.site _kerberos._udp SRV "geranio.altea.site 88 0 100 " -UAdministrator
Kick-start the outbound replication:
samba-tool drs replicate palmera geranio dc=altea,dc=site
Repeat for the remaining partitions:
Configuration
Schema
ForestDnsZones
DomainDnsZones
Check that all partitions are being replicated:
both INBOUND NEIGHBORS and OUTBOUND NEIGHBORS must be present on BOTH DCs.
1. DC1:
sudo samba-tool drs showrepl
[sudo] password for steve:
Default-First-Site-Name\PALMERA
DSA Options: 0x00000001
DSA object GUID: 37cb1209-7eef-4671-b38b-2a71c231a40b
DSA invocationId: 93fa0553-a972-4107-ab83-4b60790660f9
==== INBOUND NEIGHBORS ====
DC=ForestDnsZones,DC=altea,DC=site
Default-First-Site-Name\GERANIO via RPC
DSA object GUID: 51755e44-0a78-4ab8-8206-b4ae8a09c172
Last attempt @ Wed Jun 18 13:18:25 2014 CEST was successful
0 consecutive failure(s).
Last success @ Wed Jun 18 13:18:25 2014 CEST
DC=DomainDnsZones,DC=altea,DC=site
Default-First-Site-Name\GERANIO via RPC
DSA object GUID: 51755e44-0a78-4ab8-8206-b4ae8a09c172
Last attempt @ Wed Jun 18 13:18:25 2014 CEST was successful
0 consecutive failure(s).
Last success @ Wed Jun 18 13:18:25 2014 CEST
DC=altea,DC=site
Default-First-Site-Name\GERANIO via RPC
DSA object GUID: 51755e44-0a78-4ab8-8206-b4ae8a09c172
Last attempt @ Wed Jun 18 13:18:25 2014 CEST was successful
0 consecutive failure(s).
Last success @ Wed Jun 18 13:18:25 2014 CEST
CN=Schema,CN=Configuration,DC=altea,DC=site
Default-First-Site-Name\GERANIO via RPC
DSA object GUID: 51755e44-0a78-4ab8-8206-b4ae8a09c172
Last attempt @ Wed Jun 18 13:18:29 2014 CEST was successful
0 consecutive failure(s).
Last success @ Wed Jun 18 13:18:29 2014 CEST
CN=Configuration,DC=altea,DC=site
Default-First-Site-Name\GERANIO via RPC
DSA object GUID: 51755e44-0a78-4ab8-8206-b4ae8a09c172
Last attempt @ Wed Jun 18 13:18:31 2014 CEST was successful
0 consecutive failure(s).
Last success @ Wed Jun 18 13:18:31 2014 CEST
==== OUTBOUND NEIGHBORS ====
DC=ForestDnsZones,DC=altea,DC=site
Default-First-Site-Name\GERANIO via RPC
DSA object GUID: 51755e44-0a78-4ab8-8206-b4ae8a09c172
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=DomainDnsZones,DC=altea,DC=site
Default-First-Site-Name\GERANIO via RPC
DSA object GUID: 51755e44-0a78-4ab8-8206-b4ae8a09c172
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=altea,DC=site
Default-First-Site-Name\GERANIO via RPC
DSA object GUID: 51755e44-0a78-4ab8-8206-b4ae8a09c172
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=altea,DC=site
Default-First-Site-Name\GERANIO via RPC
DSA object GUID: 51755e44-0a78-4ab8-8206-b4ae8a09c172
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
CN=Configuration,DC=altea,DC=site
Default-First-Site-Name\GERANIO via RPC
DSA object GUID: 51755e44-0a78-4ab8-8206-b4ae8a09c172
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
==== KCC CONNECTION OBJECTS ====
2. DC2:
samba-tool drs showrepl
[sudo] password for steve:
Default-First-Site-Name\GERANIO
DSA Options: 0x00000001
DSA object GUID: 51755e44-0a78-4ab8-8206-b4ae8a09c172
DSA invocationId: 0b9244b1-2821-4f78-8643-0ad08d4ddced
==== INBOUND NEIGHBORS ====
DC=altea,DC=site
Default-First-Site-Name\PALMERA via RPC
DSA object GUID: 37cb1209-7eef-4671-b38b-2a71c231a40b
Last attempt @ Wed Jun 18 13:18:32 2014 CEST was successful
0 consecutive failure(s).
Last success @ Wed Jun 18 13:18:32 2014 CEST
CN=Schema,CN=Configuration,DC=altea,DC=site
Default-First-Site-Name\PALMERA via RPC
DSA object GUID: 37cb1209-7eef-4671-b38b-2a71c231a40b
Last attempt @ Wed Jun 18 13:18:33 2014 CEST was successful
0 consecutive failure(s).
Last success @ Wed Jun 18 13:18:33 2014 CEST
CN=Configuration,DC=altea,DC=site
Default-First-Site-Name\PALMERA via RPC
DSA object GUID: 37cb1209-7eef-4671-b38b-2a71c231a40b
Last attempt @ Wed Jun 18 13:18:35 2014 CEST was successful
0 consecutive failure(s).
Last success @ Wed Jun 18 13:18:35 2014 CEST
DC=ForestDnsZones,DC=altea,DC=site
Default-First-Site-Name\PALMERA via RPC
DSA object GUID: 37cb1209-7eef-4671-b38b-2a71c231a40b
Last attempt @ Wed Jun 18 13:18:29 2014 CEST was successful
0 consecutive failure(s).
Last success @ Wed Jun 18 13:18:29 2014 CEST
DC=DomainDnsZones,DC=altea,DC=site
Default-First-Site-Name\PALMERA via RPC
DSA object GUID: 37cb1209-7eef-4671-b38b-2a71c231a40b
Last attempt @ Wed Jun 18 13:19:52 2014 CEST was successful
0 consecutive failure(s).
Last success @ Wed Jun 18 13:19:52 2014 CEST
==== OUTBOUND NEIGHBORS ====
DC=altea,DC=site
Default-First-Site-Name\PALMERA via RPC
DSA object GUID: 37cb1209-7eef-4671-b38b-2a71c231a40b
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=altea,DC=site
Default-First-Site-Name\PALMERA via RPC
DSA object GUID: 37cb1209-7eef-4671-b38b-2a71c231a40b
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
CN=Configuration,DC=altea,DC=site
Default-First-Site-Name\PALMERA via RPC
DSA object GUID: 37cb1209-7eef-4671-b38b-2a71c231a40b
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=ForestDnsZones,DC=altea,DC=site
Default-First-Site-Name\PALMERA via RPC
DSA object GUID: 37cb1209-7eef-4671-b38b-2a71c231a40b
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=DomainDnsZones,DC=altea,DC=site
Default-First-Site-Name\PALMERA via RPC
DSA object GUID: 37cb1209-7eef-4671-b38b-2a71c231a40b
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
==== KCC CONNECTION OBJECTS ====
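As an added example (not part of the original post and not Samba's own tooling), a POSIX shell checker that applies the rule above to a showrepl dump: every partition must be listed under both INBOUND NEIGHBORS and OUTBOUND NEIGHBORS, and every "consecutive failure(s)" counter must be 0. The partition list assumes the post's single-site altea.site layout; the embedded dumps are constructed samples in the shape of the DC2 output.

```shell
# Added example (not from the original post): verify a `samba-tool drs showrepl`
# dump: every partition under BOTH "INBOUND NEIGHBORS" and "OUTBOUND NEIGHBORS",
# and every "consecutive failure(s)" count 0. Live use:
#   check_showrepl "$(sudo samba-tool drs showrepl)"
# Partitions of the post's altea.site domain (one site, default names assumed).
PARTITIONS="DC=altea,DC=site CN=Schema,CN=Configuration,DC=altea,DC=site
CN=Configuration,DC=altea,DC=site DC=ForestDnsZones,DC=altea,DC=site
DC=DomainDnsZones,DC=altea,DC=site"
# check_showrepl DUMP: returns 0 when healthy, 1 otherwise (reasons on stderr).
check_showrepl() {
    dump=$1
    rc=0
    for nc in $PARTITIONS; do
        for dir in INBOUND OUTBOUND; do
            # the NC name must appear inside the "==== $dir NEIGHBORS ====" section
            printf '%s\n' "$dump" | awk -v hdr="==== $dir NEIGHBORS ====" -v nc="$nc" '
                { sub(/^[ \t]+/, "") }
                /^==== / { in_sec = ($0 == hdr) }
                in_sec && $0 == nc { found = 1 }
                END { if (found) exit 0; exit 1 }' ||
            { echo "MISSING: $nc under $dir NEIGHBORS" >&2; rc=1; }
        done
    done
    # a non-zero "N consecutive failure(s)." on any neighbour means a broken link
    printf '%s\n' "$dump" | awk '
        { sub(/^[ \t]+/, "") }
        /consecutive failure/ && $1 != "0" { bad = 1 }
        END { if (bad) exit 1; exit 0 }' ||
    { echo "FAILURES: a neighbour reports consecutive failures" >&2; rc=1; }
    return $rc
}
# Constructed sample in the shape of the post's DC2 output, trimmed to the
# lines the checker reads (section headers, partition names, failure counters).
GOOD_DUMP='Default-First-Site-Name\GERANIO
==== INBOUND NEIGHBORS ====
DC=altea,DC=site
    0 consecutive failure(s).
CN=Schema,CN=Configuration,DC=altea,DC=site
CN=Configuration,DC=altea,DC=site
DC=ForestDnsZones,DC=altea,DC=site
DC=DomainDnsZones,DC=altea,DC=site
==== OUTBOUND NEIGHBORS ====
DC=altea,DC=site
CN=Schema,CN=Configuration,DC=altea,DC=site
CN=Configuration,DC=altea,DC=site
DC=ForestDnsZones,DC=altea,DC=site
DC=DomainDnsZones,DC=altea,DC=site'
# Broken variants: last outbound partition dropped; failure counter raised to 2.
MISSING_DUMP=$(printf '%s\n' "$GOOD_DUMP" | sed '$d')
FAILING_DUMP=$(printf '%s\n' "$GOOD_DUMP" | sed 's/0 consecutive/2 consecutive/')
```

Run it on each DC in turn; a healthy join prints nothing and exits 0, and each missing direction or failing neighbour is named on stderr.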
If it works first time, get yourself a big cool beer and take that sly smile off your face!