Add additional Domain Controller with Samba4

This tutorial will present in detail how to add an additional Domain Controller to an existing domain with Samba4 running on Linux CentOS 6.4.
Sernet packages are used.
Steps to set up the first Domain Controller are detailed in: https://folgaizer.wordpress.com/2013/12/12/samba4-on-centos-6-4/

Server name: dc02
Domain name: example.local
NetBIOS domain name: EXAMPLE
Server IP Address: 192.168.112.101
Server role: Domain Controller
Domain level: Windows 2008 R2
Existing Domain Controller name: dc01
Existing Domain Controller IP Address: 192.168.112.100

Do a minimal install of CentOS
Configure Networking
Update packages

yum update -y

Disable SELinux and reboot

sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
reboot

Install required packages

yum install -y bind bind-libs bind-utils bind-sdb \
  make gcc rpm-build libtool autoconf \
  openssl-devel libacl-devel libblkid-devel gnutls-devel \
  readline-devel python-devel gdb pkgconfig gtkhtml2 \
  policycoreutils-python libsemanage-python setools-libs-python \
  setools-libs krb5-libs krb5-workstation wget

Copy configuration files from DC01:

scp 192.168.112.100:/etc/krb5.conf  /etc
scp 192.168.112.100:/etc/resolv.conf  /etc
scp 192.168.112.100:/etc/sysconfig/iptables /etc/sysconfig
scp 192.168.112.100:/etc/yum.repos.d/sernet-samba-4.1.repo /etc/yum.repos.d/

Install sernet packages

cd
wget http://ftp.sernet.de/pub/sernet-build-key-1.1-4.noarch.rpm
rpm -i sernet-build-key-1.1-4.noarch.rpm
yum install -y sernet-samba sernet-samba-ad  sernet-samba-client

Initialize Kerberos

kinit administrator
Password for administrator@EXAMPLE.LOCAL:
Warning: Your password will expire in 34 days on Thu Jan 23 07:49:54 2014

Join the server to the domain

samba-tool domain join example.local DC -Uadministrator --realm=example.local
Finding a writeable DC for domain 'example.local'
Found DC dc01.example.local
Password for [WORKGROUP\administrator]:
workgroup is EXAMPLE
realm is example.local
checking sAMAccountName
Adding CN=DC02,OU=Domain Controllers,DC=example,DC=local
Adding CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
Adding CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
Adding SPNs to CN=DC02,OU=Domain Controllers,DC=example,DC=local
Setting account password for DC02$
Enabling account
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=example,DC=local
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=local] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=local] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=local] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=local] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=example,DC=local] objects[402/1618] linked_values[0/0]
Partition[CN=Configuration,DC=example,DC=local] objects[804/1618] linked_values[0/0]
Partition[CN=Configuration,DC=example,DC=local] objects[1206/1618] linked_values[0/0]
Partition[CN=Configuration,DC=example,DC=local] objects[1608/1618] linked_values[0/0]
Partition[CN=Configuration,DC=example,DC=local] objects[1618/1618] linked_values[38/0]
Replicating critical objects from the base DN of the domain
Partition[DC=example,DC=local] objects[99/99] linked_values[23/0]
Partition[DC=example,DC=local] objects[371/272] linked_values[23/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=example,DC=local
Partition[DC=DomainDnsZones,DC=example,DC=local] objects[42/42] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=example,DC=local
Partition[DC=ForestDnsZones,DC=example,DC=local] objects[19/19] linked_values[0/0]
Partition[DC=ForestDnsZones,DC=example,DC=local] objects[38/19] linked_values[0/0]
Committing SAM database
Sending DsReplicateUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain EXAMPLE (SID S-1-5-21-993608604-127119729-2347203374) as a DC

Edit sernet’s samba defaults

vi /etc/default/sernet-samba
# SAMBA_START_MODE defines how Samba should be started. Valid options are one of
#   "none"    to not enable it at all,
#   "classic" to use the classic smbd/nmbd/winbind daemons
#   "ad"      to use the Active Directory server (which starts the smbd on its own)
# (Be aware that you also need to enable the services/init scripts that
# automatically start up the desired daemons.)
SAMBA_START_MODE="ad"

# SAMBA_RESTART_ON_UPDATE defines if the services should be restarted when
# the RPMs are updated. Setting this to "yes" effectively enables the
# functionality of the try-restart parameter of the init scripts.
SAMBA_RESTART_ON_UPDATE="no"

# NMBD_EXTRA_OPTS may contain extra options that are passed as additional
# arguments to the nmbd daemon
NMBD_EXTRA_OPTS=""

# WINBINDD_EXTRA_OPTS may contain extra options that are passed as additional
# arguments to the winbindd daemon
WINBINDD_EXTRA_OPTS=""

# SMBD_EXTRA_OPTS may contain extra options that are passed as additional
# arguments to the smbd daemon
SMBD_EXTRA_OPTS=""

# SAMBA_EXTRA_OPTS may contain extra options that are passed as additional
# arguments to the samba daemon
SAMBA_EXTRA_OPTS=""

# SAMBA_IGNORE_NSUPDATE_G defines whether the samba daemon should be started
# when 'nsupdate -g' is not available. Setting this to "yes" would mean that
# samba will be started even without 'nsupdate -g'. This will lead to severe
# problems without a proper workaround!
SAMBA_IGNORE_NSUPDATE_G="no"

Edit smb.conf and add the following lines

vi /etc/samba/smb.conf
# Global parameters
[global]
        workgroup = EXAMPLE
        realm = example.local
        netbios name = DC02
        server role = active directory domain controller
        server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, smb
        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/lib/samba/sysvol/example.local/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

Start services

service sernet-samba-ad restart

With these steps your additional Domain Controller is ready.
You can verify replication by adding an object on one DC and checking that it appears on the other.
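
Added example (not part of the original tutorial): a shell check that parses the output of `samba-tool drs showrepl`, which lists every replication partner per naming context together with its consecutive-failure count, and exits non-zero when any partner is failing. The showrepl excerpt embedded below is constructed; the page shows no such output, and the timestamps are placeholders.

```bash
# Added example: evaluate replication health from "samba-tool drs showrepl" output.
# On the new DC run:  samba-tool drs showrepl | repl_failures
# Prints "<partition> <neighbour> <consecutive failures>" for each partner.
repl_failures() {
    awk '
        /^[[:space:]]*(DC|CN)=/        { partition = $1 }   # naming-context header
        /via RPC$/                     { neighbour = $1 }   # "Site\DCNAME via RPC"
        /consecutive failure\(s\)\./   { print partition, neighbour, $1 }
    '
}

# Exit 0 when every partner reports 0 consecutive failures, 1 otherwise.
replication_healthy() {
    repl_failures | awk '$3 != 0 { bad = 1 } END { exit bad + 0 }'
}

# Constructed showrepl excerpt: one healthy partition and one whose partner
# has stopped answering. Timestamps and result codes are placeholders.
SAMPLE_SHOWREPL=$(cat <<'EOF'
Default-First-Site-Name\DC02

==== INBOUND NEIGHBORS ====

DC=example,DC=local
    Default-First-Site-Name\DC01 via RPC
        Last attempt @ Thu Dec 12 10:15:02 2013 CET was successful
        0 consecutive failure(s).
        Last success @ Thu Dec 12 10:15:02 2013 CET

CN=Configuration,DC=example,DC=local
    Default-First-Site-Name\DC01 via RPC
        Last attempt @ Thu Dec 12 10:15:02 2013 CET failed, result 1722 (WERR_RPC_S_SERVER_UNAVAILABLE)
        3 consecutive failure(s).
        Last success @ Thu Dec 12 09:45:02 2013 CET
EOF
)

printf '%s\n' "$SAMPLE_SHOWREPL" | repl_failures
if printf '%s\n' "$SAMPLE_SHOWREPL" | replication_healthy; then
    echo "replication OK"
else
    echo "replication FAILING: check DNS/network to the partner and log.samba"
fi
```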

Install Samba4 on CentOS 6.4

This tutorial will present in detail how to install Samba4 running as a Domain Controller on Linux CentOS 6.4.
Sernet packages are used. Bind 9.8 is used as the DNS backend.

Server name: dc01
Domain name: example.local
NetBIOS domain name: EXAMPLE
Server IP Address: 192.168.112.100
Server role: Domain Controller
Domain level: Windows 2008 R2

Do a minimal install of CentOS
Configure Networking
Update packages

yum update -y

Disable SELinux and reboot

sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
reboot

Install required packages

yum install -y bind bind-libs bind-utils bind-sdb \
  make gcc rpm-build libtool autoconf \
  openssl-devel libacl-devel libblkid-devel gnutls-devel \
  readline-devel python-devel gdb pkgconfig gtkhtml2 \
  policycoreutils-python libsemanage-python setools-libs-python \
  setools-libs krb5-libs krb5-workstation wget

Add sernet repository

cd /etc/yum.repos.d/
wget https://<user>:<password>@download.sernet.de/packages/samba/4.1/centos/6/sernet-samba-4.1.repo
cd
wget http://ftp.sernet.de/pub/sernet-build-key-1.1-4.noarch.rpm
rpm -i sernet-build-key-1.1-4.noarch.rpm

Edit the repo file with the user and password provided by Sernet

vi /etc/yum.repos.d/sernet-samba-4.1.repo
[sernet-samba-4.1]
name=SerNet Samba 4.1 Packages (centos-6)
type=rpm-md
baseurl=https://<user>:<password>@download.sernet.de/packages/samba/4.1/centos/6/
gpgcheck=1
gpgkey=https://<user>:<password>@download.sernet.de/packages/samba/4.1/centos/6/repodata/repomd.xml.key
enabled=1

Install Sernet packages

yum install -y sernet-samba sernet-samba-ad  sernet-samba-client

Provision new domain:

samba-tool domain provision --use-rfc2307 --interactive \
     --function-level=2008_R2 --use-ntvfs
Realm [EXAMPLE.LOCAL]:
 Domain [EXAMPLE]:
 Server Role (dc, member, standalone) [dc]:
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_DLZ
Administrator password: ********
Retype password: ********
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=example,DC=local
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=example,DC=local
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
See /var/lib/samba/private/named.conf for an example configuration include file for BIND
and /var/lib/samba/private/named.txt for further documentation required for secure DNS updates
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              dc01
NetBIOS Domain:        EXAMPLE
DNS Domain:            example.local
DOMAIN SID:            S-1-5-21-993608604-127119729-2347203374

mv /etc/krb5.conf /etc/krb5.conf.original
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf

Edit named.conf and add an include line for the conf file provided by Samba

vi /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { 192.168.112.100; } ;
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; 192.168.112.0/24; };
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/var/lib/samba/private/named.conf";

Change the group owner of the following files and dirs

chgrp named /var/lib/samba/private/named.conf
chgrp named  /var/lib/samba/private/

Edit sernet’s samba defaults

vi /etc/default/sernet-samba
# SAMBA_START_MODE defines how Samba should be started. Valid options are one of
#   "none"    to not enable it at all,
#   "classic" to use the classic smbd/nmbd/winbind daemons
#   "ad"      to use the Active Directory server (which starts the smbd on its own)
# (Be aware that you also need to enable the services/init scripts that
# automatically start up the desired daemons.)
SAMBA_START_MODE="ad"

# SAMBA_RESTART_ON_UPDATE defines if the services should be restarted when
# the RPMs are updated. Setting this to "yes" effectively enables the
# functionality of the try-restart parameter of the init scripts.
SAMBA_RESTART_ON_UPDATE="no"

# NMBD_EXTRA_OPTS may contain extra options that are passed as additional
# arguments to the nmbd daemon
NMBD_EXTRA_OPTS=""

# WINBINDD_EXTRA_OPTS may contain extra options that are passed as additional
# arguments to the winbindd daemon
WINBINDD_EXTRA_OPTS=""

# SMBD_EXTRA_OPTS may contain extra options that are passed as additional
# arguments to the smbd daemon
SMBD_EXTRA_OPTS=""

# SAMBA_EXTRA_OPTS may contain extra options that are passed as additional
# arguments to the samba daemon
SAMBA_EXTRA_OPTS=""

# SAMBA_IGNORE_NSUPDATE_G defines whether the samba daemon should be started
# when 'nsupdate -g' is not available. Setting this to "yes" would mean that
# samba will be started even without 'nsupdate -g'. This will lead to severe
# problems without a proper workaround!
SAMBA_IGNORE_NSUPDATE_G="no"

Edit resolv.conf

vi /etc/resolv.conf
nameserver 192.168.112.100
domain example.local

Start services

service named restart
service sernet-samba-ad restart

With these steps your Domain Controller is ready. You can add clients to the domain.
In case of problems you can inspect logs:

Samba Logs:

tail -f  /var/log/samba/log.samba

Named logs:

tail -f /var/log/messages | grep named

Additional steps are required to allow DNS dynamic updates from domain members: the stock CentOS bind package is built with --disable-isc-spnego, and with that option the GSS-TSIG signed updates Windows clients send are not accepted, so bind is rebuilt from the SRPM with that option removed.
Install prerequisites and the bind 9.8 SRPM

yum install -y libcap-devel libidn-devel libxml2-devel openldap-devel \
  postgresql-devel sqlite-devel  mysql-devel docbook-style-xsl libxslt
rpm -i http://vault.centos.org/6.4/updates/Source/SPackages/bind-9.8.2-0.17.rc1.el6_4.6.src.rpm
cd rpmbuild/

Edit the spec file and delete the following line:

vi SPECS/bind.spec
...
%if %{GSSTSIG}
  --with-gssapi=yes \
DELETE THIS LINE >>>>  --disable-isc-spnego \
...

Compile & install RPM

rpmbuild -bb SPECS/bind.spec
rpm -Uvh RPMS/x86_64/bind-9.8.2-0.17.rc1.el6.6.x86_64.rpm \
     RPMS/x86_64/bind-sdb-9.8.2-0.17.rc1.el6.6.x86_64.rpm \
     RPMS/x86_64/bind-utils-9.8.2-0.17.rc1.el6.6.x86_64.rpm \
     RPMS/x86_64/bind-libs-9.8.2-0.17.rc1.el6.6.x86_64.rpm

Restart named

service named restart

Force a name registration from a client

ipconfig /registerdns

Verify in the named log that the record was added

tail -f /var/log/messages | grep named
Dec 12 09:30:34 dc01 named-sdb[4223]: samba_dlz: starting transaction on zone example.local
Dec 12 09:30:34 dc01 named-sdb[4223]: client 192.168.112.133#59735: update 'example.local/IN' denied
Dec 12 09:30:34 dc01 named-sdb[4223]: samba_dlz: cancelling transaction on zone example.local
Dec 12 09:30:34 dc01 named-sdb[4223]: samba_dlz: starting transaction on zone example.local
Dec 12 09:30:34 dc01 named-sdb[4223]: samba_dlz: allowing update of signer=w7virtual\$\@EXAMPLE.LOCAL name=W7VIRTUAL.example.local tcpaddr= type=AAAA key=1072-ms-7.19-2d6c1b.c1338974-632a-11e3-c8b6-5472454f4e14/160/0
Dec 12 09:30:34 dc01 named-sdb[4223]: samba_dlz: allowing update of signer=w7virtual\$\@EXAMPLE.LOCAL name=W7VIRTUAL.example.local tcpaddr= type=A key=1072-ms-7.19-2d6c1b.c1338974-632a-11e3-c8b6-5472454f4e14/160/0
Dec 12 09:30:34 dc01 named-sdb[4223]: samba_dlz: allowing update of signer=w7virtual\$\@EXAMPLE.LOCAL name=W7VIRTUAL.example.local tcpaddr= type=A key=1072-ms-7.19-2d6c1b.c1338974-632a-11e3-c8b6-5472454f4e14/160/0
Dec 12 09:30:34 dc01 named-sdb[4223]: client 192.168.112.133#61440: updating zone 'example.local/NONE': deleting rrset at 'W7VIRTUAL.example.local' AAAA
Dec 12 09:30:34 dc01 named-sdb[4223]: client 192.168.112.133#61440: updating zone 'example.local/NONE': deleting rrset at 'W7VIRTUAL.example.local' A
Dec 12 09:30:34 dc01 named-sdb[4223]: client 192.168.112.133#61440: updating zone 'example.local/NONE': adding an RR at 'W7VIRTUAL.example.local' A
Dec 12 09:30:35 dc01 named-sdb[4223]: samba_dlz: added W7VIRTUAL.example.local W7VIRTUAL.example.local.#0111200#011IN#011A#011192.168.112.133
Dec 12 09:30:35 dc01 named-sdb[4223]: samba_dlz: subtracted rdataset example.local 'example.local.#0113600#011IN#011SOA#011dc01.example.local. hostmaster.example.local. 1 900 600 86400 0'
Dec 12 09:30:35 dc01 named-sdb[4223]: samba_dlz: added rdataset example.local 'example.local.#0113600#011IN#011SOA#011dc01.example.local. hostmaster.example.local. 2 900 600 86400 0'
Dec 12 09:30:35 dc01 named-sdb[4223]: samba_dlz: committed transaction on zone example.local
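
Added example (not part of the original tutorial): a shell filter that classifies the samba_dlz decisions in the log above. The first, unsigned attempt a Windows client makes is denied by BIND; the GSS-TSIG signed retry, authenticated by the machine account (the signer), is the one Samba accepts, so the filter separates DENIED attempts per client from ALLOWED updates per signer, name and record type. The sample input embedded below is three lines taken from the log excerpt above.

```bash
# Added example: classify samba_dlz dynamic-update decisions in the named log.
# Reads syslog lines (e.g. from /var/log/messages) on stdin and prints
#   DENIED  <client-ip>                     unsigned/unauthorised attempt
#   ALLOWED <signer> <record-name> <type>   GSS-TSIG signed update Samba accepted
audit_dns_updates() {
    awk '
        # BIND rejected the update before Samba saw it (no valid TSIG signature)
        /client [0-9.]+#[0-9]+: update .* denied/ {
            for (i = 1; i <= NF; i++)
                if ($i == "client") { split($(i + 1), c, "#"); print "DENIED", c[1]; break }
            next
        }
        # Samba DLZ accepted a signed update from the named machine account
        /samba_dlz: allowing update of signer=/ {
            signer = name = type = ""
            for (i = 1; i <= NF; i++) {
                if (index($i, "signer=") == 1) signer = substr($i, 8)
                if (index($i, "name=") == 1)   name   = substr($i, 6)
                if (index($i, "type=") == 1)   type   = substr($i, 6)
            }
            print "ALLOWED", signer, name, type
        }
    '
}

# Number of denied attempts in the input; one per registration is normal for
# Windows clients, a burst from a single client is worth a look.
count_denied() {
    audit_dns_updates | awk '/^DENIED/ { n++ } END { print n + 0 }'
}

# Sample input: three lines taken from the log excerpt shown above.
SAMPLE_LOG=$(cat <<'EOF'
Dec 12 09:30:34 dc01 named-sdb[4223]: client 192.168.112.133#59735: update 'example.local/IN' denied
Dec 12 09:30:34 dc01 named-sdb[4223]: samba_dlz: allowing update of signer=w7virtual\$\@EXAMPLE.LOCAL name=W7VIRTUAL.example.local tcpaddr= type=AAAA key=1072-ms-7.19-2d6c1b.c1338974-632a-11e3-c8b6-5472454f4e14/160/0
Dec 12 09:30:34 dc01 named-sdb[4223]: samba_dlz: allowing update of signer=w7virtual\$\@EXAMPLE.LOCAL name=W7VIRTUAL.example.local tcpaddr= type=A key=1072-ms-7.19-2d6c1b.c1338974-632a-11e3-c8b6-5472454f4e14/160/0
EOF
)

printf '%s\n' "$SAMPLE_LOG" | audit_dns_updates
printf 'denied attempts: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_denied)"
```

On the DC itself the same filter runs over the live log with `grep named /var/log/messages | audit_dns_updates`.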

Other facts:
Domain Management can be done with the Remote Server Management Tools
http://www.microsoft.com/en-us/download/details.aspx?id=7887