
dc02

Second DC (the PDC server is DC01)

On fabric server:

sudo virt-install --virt-type kvm --name dc02 \
  --location \
  https://deb.debian.org/debian/dists/bullseye/main/installer-amd64/ \
  --memory 1024 \
  --vcpus 1 \
  --disk pool=vmdisks,size=25,format=qcow2 \
  --network bridge=br0 \
  --hvm \
  --graphics none \
  --console pty,target_type=serial \
  --extra-args "console=ttyS0"

Configure Debian

Edit /etc/network/interfaces (nano /etc/network/interfaces) and set a static IP address, then point /etc/resolv.conf at the existing DC:

# /etc/network/interfaces
source /etc/network/interfaces.d/*
auto lo
iface lo inet loopback
allow-hotplug ens2
iface ens2 inet static
  address 10.115.100.5/24
  gateway 10.115.100.1
# /etc/resolv.conf
search yourdomain.com
nameserver 10.115.100.4

Set the system language to English to make it easier to find problems in the logs:

apt install locales-all
localectl set-locale LANG=en_US.utf8
localectl status

Update Debian and install the necessary administration tools:

apt update
apt install wget sudo screen nmap telnet tcpdump rsync net-tools dnsutils htop \
apt-transport-https vim gnupg lsb-release

Create nano /etc/sudoers.d/10-nopasswd and add:

%emir ALL=(ALL) NOPASSWD: ALL

Configure VIM

Open nano /etc/vim/vimrc and replace all its contents with:

runtime! debian.vim
syntax on
set background=dark
au BufReadPost * if line("'\"") > 1 && line("'\"") <= line("$") | exe "normal! g'\"" | endif
filetype plugin indent on
set encoding=utf-8
set nobackup
set nowritebackup
set showcmd
set updatetime=300
set showmatch
set ignorecase
set smartcase
set incsearch
set tabstop=2
set softtabstop=2
set shiftwidth=2
set expandtab
if filereadable("/etc/vim/vimrc.local")
  source /etc/vim/vimrc.local
endif

Create the user's vim config file nano ~/.vimrc and add:

set mouse=
set nocompatible
set cursorline
set nocursorcolumn
set nowrap
set showmode
set hlsearch
set wildmenu
set wildmode=list:longest
set wildignore=*.docx,*.jpg,*.png,*.gif,*.pdf,*.pyc,*.exe,*.flv,*.img,*.xlsx

Reboot the system and log on as a regular user.

In my case emir.

Set same vim user preferences as above for current user.

Samba AD

To make installation and configuration easier, switch to the root user with sudo su.

If you have Windows 11 22H2 or later clients you must upgrade Samba to the latest version. Edit vim /etc/apt/sources.list and add at the bottom of the file:

deb http://deb.debian.org/debian bullseye-backports main

Installing the packages

export DEBIAN_FRONTEND=noninteractive
apt update
apt -t bullseye-backports install samba winbind libnss-winbind krb5-user smbclient ldb-tools python3-cryptography
unset DEBIAN_FRONTEND

Configuring Kerberos

Open /etc/krb5.conf, remove its contents and add:

[libdefaults]
  default_realm = YOURDOMAIN.COM
  dns_lookup_kdc = false
  dns_lookup_realm=false
[realms]
  YOURDOMAIN.COM = {
  kdc = 127.0.0.1
  kdc = 10.115.100.4
  }

Reboot the host

After rebooting, ensure that Kerberos is properly configured and that you get a TGT:

kinit administrator
klist

Configuring Samba as a Secondary Domain Controller

Remove the configuration file /etc/samba/smb.conf which was automatically generated during package installation:

sudo su
rm -f /etc/samba/smb.conf

Join the new server to the domain as a domain controller:

samba-tool domain join yourdomain.com DC -U administrator --realm=YOURDOMAIN.COM -W YOURDOMAIN.COM

Modify the DNS to point to itself in /etc/resolv.conf:

search yourdomain.com
nameserver 127.0.0.1
nameserver 10.115.100.4

In /etc/samba/smb.conf, add the DNS forwarder:

[global]
   ...
   dns forwarder = 8.8.8.8
   ...

Activate the automatic start of the AD service:

systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl disable winbind nmbd smbd
systemctl mask winbind nmbd smbd

By default, Samba-AD provisioning creates an example krb5.conf in the directory /var/lib/samba/private.

Some Samba calls use this file by default.

It is best to replace it with a symbolic link to /etc/krb5.conf to avoid side effects.

rm /var/lib/samba/private/krb5.conf
ln -s /etc/krb5.conf /var/lib/samba/private/krb5.conf

Restart Samba:

pkill -9 smbd
pkill -9 nmbd
pkill -9 winbindd
systemctl restart samba-ad-dc

Check that the DNS entries have been created:

samba_dnsupdate --verbose --use-samba-tool

Install and configure NTP for Samba-AD

Install the NTP package (chrony) and choose time servers on the Internet:

apt install chrony
echo 'server 0.pool.ntp.org iburst' > /etc/chrony/sources.d/org-ntp-server.sources
echo 'server 1.pool.ntp.org iburst' >> /etc/chrony/sources.d/org-ntp-server.sources
echo 'server 2.pool.ntp.org iburst' >> /etc/chrony/sources.d/org-ntp-server.sources
echo 'allow 10.115.100.0/24' > /etc/chrony/conf.d/ad-dc.conf
echo 'ntpsigndsocket  /var/lib/samba/ntp_signd' >> /etc/chrony/conf.d/ad-dc.conf
echo 'hwclockfile /etc/adjtime' >> /etc/chrony/conf.d/ad-dc.conf
chronyc reload sources

Change the owner of the directory containing the samba socket used to authenticate the NTP service and restart NTP:

chgrp -R _chrony /var/lib/samba/ntp_signd
systemctl restart chrony

Bind-DLZ

Although Samba-AD comes by default with its own internal DNS server, it's recommended to use Bind-DLZ.

Install bind

For simplicity, do sudo su

sudo apt install bind9 bind9utils

Edit vim /etc/bind/named.conf and add include "/var/lib/samba/bind-dns/named.conf";

Modify the options section of the file vim /etc/bind/named.conf.options (remember to modify the forwarder):

options {
  directory "/var/cache/bind";

  forwarders {
    172.31.1.13;
    172.31.1.15;
    172.31.1.44;
  };
  allow-transfer {
    172.31.1.13;
    172.31.1.15;
    172.31.1.44;
  };
  also-notify {
    172.31.1.13;
    172.31.1.15;
    172.31.1.44;
  };

  allow-query { any; };

  dnssec-validation no;

  auth-nxdomain no;    # conform to RFC1035
  listen-on-v6 { any; };

  tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";

  minimal-responses yes;
};

Disable IPv6 bind on the local network in vim /etc/default/named:

# run resolvconf?
RESOLVCONF=no

# startup options for the server
OPTIONS="-4 -u bind"

In vim /etc/samba/smb.conf, add the following (the dns zone transfer clients allow line) and comment out the dns forwarder line:

# Global parameters
[global]
  server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
  idmap_ldb:use rfc2307 = yes
  dns zone transfer clients allow = 172.31.1.13, 172.31.1.15, 172.31.1.44
  # dns forwarder = 8.8.8.8
  netbios name = DC01
  realm = YOURDOMAIN.COM
  server role = active directory domain controller
  workgroup = YOURDOMAIN.COM

[sysvol]
  path = /var/lib/samba/sysvol
  read only = No

[netlogon]
  path = /var/lib/samba/sysvol/yourdomain.com/scripts
  read only = No

Create two directories in /var/lib/samba:

sudo mkdir -p /var/lib/samba/bind-dns/dns
sudo chmod 770 /var/lib/samba/bind-dns
sudo chown -R root:bind /var/lib/samba/bind-dns
sudo chmod -R g+w /var/lib/samba/bind-dns

Switch Samba to the BIND9_DLZ backend, which also configures dynamic updates of DNS entries (the samba and bind services are restarted below):

samba_upgradedns --dns-backend=BIND9_DLZ

Check the named version with named -v:

BIND 9.16.37-Debian (Extended Support Version)

Edit the vim /var/lib/samba/bind-dns/named.conf file and uncomment the module matching your BIND version. In my case it is:

database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_16.so";

Restart the samba and bind services:

systemctl restart samba-ad-dc
systemctl restart bind9

Ensure that it is the Bind server (named) listening on port 53, not Samba's internal DNS:

netstat -tapn | grep 53
  tcp     0    0 10.115.100.5:53    0.0.0.0:*    LISTEN      5291/named

Test local and recursive queries:

dig @localhost microsoft.com
dig @localhost dc01.yourdomain.com
dig -t SRV @localhost _ldap._tcp.yourdomain.com
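The two checks above are easy to automate. The script below is an added example, not part of the original post: it parses netstat -tapn output to confirm that only named owns port 53, and parses dig -t SRV answer lines to confirm that every DC is advertised in the _ldap._tcp record set (clients locate DCs through those records, so a DC missing from them is silently ignored). The netstat and dig lines embedded in the script are constructed samples; on a live host pipe the real command output into the same functions.

```shell
#!/bin/sh
# Added example (not from the original post): offline checks over the kind of
# output that `netstat -tapn | grep 53` and `dig -t SRV` produce.

# Constructed sample of `netstat -tapn` (same column layout as the real tool).
NETSTAT_SAMPLE='tcp        0      0 10.115.100.5:53         0.0.0.0:*               LISTEN      5291/named
tcp6       0      0 :::53                   :::*                    LISTEN      5291/named'

# Constructed sample of the ANSWER SECTION of `dig -t SRV _ldap._tcp.yourdomain.com`.
DIG_SAMPLE=';; ANSWER SECTION:
_ldap._tcp.yourdomain.com. 900 IN SRV 0 100 389 dc01.yourdomain.com.
_ldap._tcp.yourdomain.com. 900 IN SRV 0 100 389 dc02.yourdomain.com.'

# Constructed failure case: Samba's internal DNS is still bound to port 53.
BAD_NETSTAT='tcp        0      0 10.115.100.5:53         0.0.0.0:*               LISTEN      812/samba'

# Return 0 only if every TCP listener on port 53 in the netstat dump (stdin) is named.
# Columns: Proto Recv-Q Send-Q Local-Address Foreign-Address State PID/Program
port53_owner_is_named() {
  owners=$(awk '$4 ~ /:53$/ && $6 == "LISTEN" { split($7, p, "/"); print p[2] }')
  [ -n "$owners" ] || return 1          # nothing listening on 53 at all
  for o in $owners; do
    [ "$o" = "named" ] || return 1      # some other daemon owns the port
  done
  return 0
}

# Print the SRV targets (trailing dot stripped) from dig answer lines on stdin.
# Fields: name ttl class SRV priority weight port target
srv_targets() {
  awk '$4 == "SRV" { sub(/\.$/, "", $8); print $8 }'
}

# Return 0 when every DC in the list "$1" (short names) appears as an SRV target.
srv_has_all() {
  targets=$(srv_targets)
  for dc in $1; do
    echo "$targets" | grep -Fqx "$dc.yourdomain.com" \
      || { echo "missing SRV record for $dc"; return 1; }
  done
  return 0
}

# Run the checks over the constructed samples (both pass).
echo "$NETSTAT_SAMPLE" | port53_owner_is_named && echo "port 53: owned by named"
echo "$DIG_SAMPLE" | srv_has_all "dc01 dc02" && echo "SRV: dc01 and dc02 both advertised"
```

On the DC itself the same functions run as `netstat -tapn | port53_owner_is_named` and `dig -t SRV @localhost _ldap._tcp.yourdomain.com | srv_has_all "dc01 dc02"`; a non-zero exit is what you would alert on.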

Configuring SYSVOL

Set up an SSH key pair for root on the destination server (DC02) and copy the public key to the source server (DC01).

First, temporarily allow root login over SSH: edit vim /etc/ssh/sshd_config on both servers and restart the sshd service (this is only temporary):

# Add the following line at the bottom. It will be removed later.
PermitRootLogin yes

The first step is to create a key pair on the client machine (DC02):

ssh-keygen
ssh-copy-id -i ~/.ssh/id_rsa.pub root@dc01

Do the same on dc01:

ssh-keygen
ssh-copy-id -i ~/.ssh/id_rsa.pub root@dc02

Retrieve the contents of \\srvads\sysvol from dc01 and copy it to the new AD server (the secondary domain controller).

Run the command:

sudo -i
rsync -aP root@dc01:/var/lib/samba/sysvol/ /var/lib/samba/sysvol/

Remove PermitRootLogin yes from /etc/ssh/sshd_config on both servers and restart sshd.

Replication

Setup on the Domain Controller with the PDC Emulator FSMO role

Setup ssh Control

If the remote system enforces rate limits on incoming ssh connections, unison will fail if you try to run it this way. So we create the first ssh connection as a ControlMaster with a control socket at the specified path; all subsequent connections will reuse the first connection.

mkdir ~/.ssh/ctl
cat << EOF > ~/.ssh/ctl/config
Host *
ControlMaster auto
ControlPath ~/.ssh/ctl/%h_%p_%r
ControlPersist 1
EOF

Setup Sysvolsync Log files

Do the following on DC1 so that you can check what happens during the sync. Please include this file in logrotate, as its size is not otherwise controlled.

touch /var/log/sysvol-sync.log
chmod 640 /var/log/sysvol-sync.log

Setup Unison defaults running parameters

Please run the following on DC1

install -o root -g root -m 0750 -d /root/.unison
cat << EOF > /root/.unison/default.prf
# Unison preferences file
# Roots of the synchronization
#
# copymax & maxthreads params were set to 1 for easier troubleshooting.
# Have to experiment to see if they can be increased again.
root = /var/lib/samba
# Note the double slash (//) after DC2: it is required
root = ssh://root@DC2//var/lib/samba 
# 
# Paths to synchronize
path = sysvol
#
#ignore = Path stats    ## ignores /var/www/stats
auto=true
batch=true
perms=0
rsync=true
maxthreads=1
retry=3
confirmbigdeletes=false
servercmd=/usr/bin/unison
copythreshold=0
copyprog = /usr/bin/rsync -XAavz --rsh='ssh -p 22' --inplace --compress
copyprogrest = /usr/bin/rsync -XAavz --rsh='ssh -p 22' --partial --inplace --compress
copyquoterem = true
copymax = 1
logfile = /var/log/sysvol-sync.log
EOF

Setup SysVol on DC2

Install unison (apt install unison) and run the first test:

RUN THIS FROM DC01

/usr/bin/rsync -XAavz --log-file /var/log/sysvol-sync.log --delete-after -f"+ */" -f"- *" /var/lib/samba/sysvol root@DC02:/var/lib/samba  &&  /usr/bin/unison

Add to Crontab on DC1

*/5 * * * * /usr/bin/unison -silent

When you need to resync the folder

Warning: Please follow the steps below OR you can end up with an empty sysvol folder.

  1. Disable the cron job on DC1, e.g. by adding a "#" at the start of the line with crontab -e
  2. Check whether rsync or unison is currently running in ps -aux; if so, wait for it to finish OR kill it (if it is a zombie)
  3. Remove the hash files in /root/.unison on both DC1 and DC2
  4. Now check your sysvol and resync
  5. Confirm that everything is ok again
  6. Re-enable the cron on DC1 again
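The checklist above is where a sysvol gets emptied by accident, so it is worth having it as functions rather than memory. The script below is an added example, not part of the original post: each step of the list becomes a function that takes its paths as parameters, so the same code can be exercised against a scratch directory (as the demo at the bottom does) and then pointed at /root/.unison and the real crontab. The unison archive file names (ar* and fp* in the .unison directory) are unison's own convention; the process-table check reads ps -aux style lines from stdin so it can be tested without a live process.

```shell
#!/bin/sh
# Added example (not from the original post): the sysvol resync checklist as
# parameterised functions. Nothing touches the live system unless you pass it
# the real paths.

# Step 1 / step 6: comment out (no) or restore (yes) the unison line in a crontab
# file. Usage: set_cron_enabled FILE no|yes
set_cron_enabled() {
  tmp="$1.tmp.$$"
  if [ "$2" = "no" ]; then
    sed 's|^\([^#].*/usr/bin/unison\)|#\1|' "$1" > "$tmp"
  else
    sed 's|^#\(.*/usr/bin/unison\)|\1|' "$1" > "$tmp"
  fi
  mv "$tmp" "$1"
}

# Step 2: is rsync or unison still running? Reads `ps -aux` output from stdin and
# returns 0 if a matching process is present (the grep line itself is excluded).
sync_running() {
  grep -v 'grep' | grep -Eq '(^|[/ ])(rsync|unison)( |$)'
}

# Step 3: delete unison's archive (ar*) and fingerprint (fp*) files in a .unison
# directory so the next run rescans both roots instead of trusting stale state.
# The preferences file (default.prf) is left alone.
clear_unison_archives() {
  find "$1" -maxdepth 1 -type f \( -name 'ar*' -o -name 'fp*' \) -exec rm -f {} +
}

# Step 5: sanity check before re-enabling cron: the sysvol directory exists and
# is not empty.
sysvol_ok() {
  [ -d "$1" ] && [ -n "$(ls -A "$1")" ]
}

# Demo against a scratch directory with constructed contents.
demo() {
  work=$(mktemp -d)
  printf '*/5 * * * * /usr/bin/unison -silent\n' > "$work/crontab"
  mkdir -p "$work/unison" "$work/sysvol/yourdomain.com/Policies"
  touch "$work/unison/ar0123abcd" "$work/unison/fp0123abcd" "$work/unison/default.prf"

  set_cron_enabled "$work/crontab" no;  echo "crontab after disable: $(cat "$work/crontab")"
  printf 'root 42 0.0 0.1 1000 100 ? S 10:00 0:00 /usr/bin/unison -silent\n' \
    | sync_running && echo "a unison process is still running, wait or kill it"
  clear_unison_archives "$work/unison"; echo "left in .unison: $(ls "$work/unison")"
  sysvol_ok "$work/sysvol" && echo "sysvol is populated, safe to re-enable cron"
  set_cron_enabled "$work/crontab" yes; echo "crontab after enable:  $(cat "$work/crontab")"
  rm -rf "$work"
}
demo
```

On the real DC1, export the crontab with crontab -l > /root/crontab.txt, run set_cron_enabled /root/crontab.txt no, reload it with crontab /root/crontab.txt, and feed the live process table with ps -aux | sync_running; the .unison path for root is /root/.unison as in the preferences file above.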

TLS

Move the certificates that we previously generated and copied from the CA server:

sudo mv ca.crt dc02.* /etc/samba/tls/
sudo chown root:root /etc/samba/tls/*
sudo cp /etc/samba/tls/ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

Edit vim /etc/samba/smb.conf and add:

[global]
  ...
  tls enabled  = yes
  tls keyfile  = /etc/samba/tls/dc02.key
  tls certfile = /etc/samba/tls/dc02.crt
  tls cafile   = /etc/samba/tls/ca.crt
  ...

Restart Samba and check TLS:

sudo systemctl restart samba-ad-dc.service
sudo openssl s_client -showcerts -connect dc02.yourdomain.com:636 -CAfile /etc/samba/tls/ca.crt
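Eyeballing the s_client output tells you the handshake worked; it does not tell you whether the chain validates against your CA, whether the certificate is actually issued for dc02.yourdomain.com, or how long it has left. The script below is an added example, not part of the original post: check_cert performs those three checks with the openssl CLI (OpenSSL 1.1.1 or later is assumed for -checkhost), and make_test_pki builds a throwaway CA and leaf certificate in a scratch directory so the checks can be run offline. The file names ca.key, dc.key, dc.csr, dc.crt and leaf.ext are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): validate a DC's LDAPS certificate
# the way a monitoring check would, using only the openssl CLI.

# Build a throwaway CA and a CA-signed leaf with a SAN for the given hostname.
# Usage: make_test_pki DIR HOSTNAME   (hypothetical helper for offline testing)
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test Root CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/dc.key" -out "$1/dc.csr" 2>/dev/null
  # Extensions for the leaf: the SAN is what clients match the hostname against.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$2" > "$1/leaf.ext"
  openssl x509 -req -in "$1/dc.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -days 30 -extfile "$1/leaf.ext" -out "$1/dc.crt" 2>/dev/null
}

# Usage: check_cert CERT CAFILE HOSTNAME MIN_DAYS
# Returns 0 when the certificate chains to CAFILE, is valid for HOSTNAME and
# will still be valid in MIN_DAYS days; otherwise prints the failing check.
check_cert() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 \
    || { echo "FAIL: $1 does not chain to $2"; return 1; }
  openssl x509 -in "$1" -noout -checkhost "$3" 2>/dev/null | grep -q 'does match' \
    || { echo "FAIL: $1 is not valid for hostname $3"; return 1; }
  openssl x509 -in "$1" -noout -checkend $(( $4 * 86400 )) >/dev/null 2>&1 \
    || { echo "FAIL: $1 expires within $4 days"; return 1; }
  echo "ok: $1 chains to $2, matches $3, valid for more than $4 days"
}

# Demo: build the test PKI and run the check for the right and a wrong hostname.
demo() {
  d=$(mktemp -d)
  make_test_pki "$d" dc02.yourdomain.com
  check_cert "$d/dc.crt" "$d/ca.crt" dc02.yourdomain.com 7
  check_cert "$d/dc.crt" "$d/ca.crt" dc01.yourdomain.com 7 || true
  rm -rf "$d"
}
demo
```

Against the live DC, save the chain first, e.g. `openssl s_client -showcerts -connect dc02.yourdomain.com:636 -CAfile /etc/samba/tls/ca.crt </dev/null 2>/dev/null | openssl x509 > /tmp/dc02-live.crt`, then run `check_cert /tmp/dc02-live.crt /etc/samba/tls/ca.crt dc02.yourdomain.com 30`; schedule it so a certificate that is about to expire is noticed before LDAPS clients start failing.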