Create Samba Active Directory server using Debian Bullseye.
Preparations
Update package index.
$ sudo apt update
Upgrade operating system.
$ sudo apt upgrade
Ensure that the hostname is set to the fully qualified name of the future DC; samba-tool derives the DNS domain and the DC's own DNS records from it.
$ sudo hostnamectl --static set-hostname ad.octocat.lab
Inspect the hosts file. It should still be in its initial state; in particular the hostname must not be mapped to 127.0.1.1 (the Debian installer default), otherwise provisioning registers a loopback address as the DC's own address.
$ cat /etc/hosts
127.0.0.1	localhost
#10.10.10.10	ad.octocat.lab	ad

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Ensure that systemd-resolved service is disabled.
$ systemctl status systemd-resolved.service
● systemd-resolved.service - Network Name Resolution
     Loaded: loaded (/lib/systemd/system/systemd-resolved.service; disabled; vendor preset: enabled)
     Active: inactive (dead)
       Docs: man:systemd-resolved.service(8)
             man:org.freedesktop.resolve1(5)
             https://www.freedesktop.org/wiki/Software/systemd/writing-network-configuration-managers
             https://www.freedesktop.org/wiki/Software/systemd/writing-resolver-clients
The DNS resolver should point to the DNS server that will later be used as a forwarder.
$ cat /etc/resolv.conf
nameserver 10.10.0.1
The Samba AD server should have a static IP address assigned; every A and SRV record it registers points at that address.
$ cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback
$ cat /etc/network/interfaces.d/eth0
auto eth0
iface eth0 inet static
  address 10.10.10.10
  netmask 255.255.0.0
  gateway 10.10.0.1
These steps will save you time later.
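The checks above, collected into a script that can be run before provisioning. This is an added example and not part of the original post; the host name, addresses and file paths are the ones used on this page, while the script name preflight.sh is an assumption:

```sh
#!/bin/sh
# Pre-provision checks for the Samba AD DC host described above.
# Added example, not part of the original post. Host name, addresses and
# paths are the ones used on this page; the script name is an assumption.

# The host name must be fully qualified: samba-tool derives the DNS domain from it.
check_fqdn() {
    # usage: check_fqdn <hostname>
    case "$1" in
        *.*) return 0 ;;
        *)   echo "hostname '$1' is not fully qualified" >&2; return 1 ;;
    esac
}

# /etc/hosts may leave the FQDN unmapped (DNS serves it after provisioning),
# but it must never map it to a loopback address: the installer's
# "127.0.1.1 ad.octocat.lab ad" line would make the DC register 127.0.1.1
# as its own address and no domain member could reach it.
check_hosts() {
    # usage: check_hosts <hosts-file> <fqdn> <expected-ip>
    file=$1; fqdn=$2; ip=$3
    mapped=$(sed 's/#.*//' "$file" |
        awk -v n="$fqdn" '{ for (i = 2; i <= NF; i++) if ($i == n) print $1 }')
    [ -n "$mapped" ] || { echo "$fqdn not mapped in $file (DNS will serve it)" >&2; return 0; }
    for addr in $mapped; do
        case "$addr" in
            127.*|::1) echo "$fqdn maps to loopback $addr in $file" >&2; return 1 ;;
        esac
        [ "$addr" = "$ip" ] || { echo "$fqdn maps to $addr in $file, expected $ip" >&2; return 1; }
    done
    return 0
}

# The resolver must not be systemd-resolved's stub (127.0.0.53) and must point
# at the upstream server that BIND will forward to later.
check_resolver() {
    # usage: check_resolver <resolv.conf> <expected-nameserver>
    ns=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    [ -n "$ns" ] || { echo "no nameserver in $1" >&2; return 1; }
    case "$ns" in
        127.*) echo "nameserver $ns is a local stub; disable systemd-resolved" >&2; return 1 ;;
    esac
    [ "$ns" = "$2" ] || { echo "nameserver is $ns, expected $2" >&2; return 1; }
}

# The interface must be configured "inet static" with the expected address;
# a DC whose address changes invalidates every record it registered.
check_static_iface() {
    # usage: check_static_iface <interfaces-file> <iface> <expected-ip>
    awk -v i="$2" -v a="$3" '
        $1 == "iface" && $2 == i { in_stanza = 1; static = ($4 == "static"); next }
        $1 == "iface" || $1 == "auto" { in_stanza = 0 }
        in_stanza && $1 == "address" && $2 == a { found = 1 }
        END { exit !(static && found) }' "$1"
}

# Run every check against the live system: sh preflight.sh run
preflight() {
    check_fqdn "$(cat /etc/hostname)" &&
    check_hosts /etc/hosts ad.octocat.lab 10.10.10.10 &&
    check_resolver /etc/resolv.conf 10.10.0.1 &&
    check_static_iface /etc/network/interfaces.d/eth0 eth0 10.10.10.10 &&
    echo "preflight OK"
}

if [ "${1:-}" = run ]; then preflight; fi
```

Each check takes its input file as an argument, so the same functions can be pointed at copies of the files before they are installed; a non-zero exit with a message on stderr is the signal to fix the host before running samba-tool.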
Install NTP service
Install the chrony NTP daemon.
$ sudo apt install chrony
Disable the chrony service; it will be configured later.
$ sudo systemctl disable --now chrony
Install DNS service
Install the bind9 DNS daemon.
$ sudo apt install bind9
Disable the named service; it will be configured later. (Debian's bind9 package ships the unit as named.service, with bind9.service as an alias; there is no bind.service.)
$ sudo systemctl disable --now named
Install Samba AD service
Install required Samba and Kerberos packages.
$ sudo DEBIAN_FRONTEND=noninteractive apt-get install -y samba smbclient winbind krb5-user krb5-config
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  attr dirmngr gnupg gnupg-l10n gnupg-utils gpg gpg-agent gpg-wks-client gpg-wks-server gpgconf gpgsm ibverbs-providers libarchive13
  libassuan0 libavahi-client3 libavahi-common-data libavahi-common3 libboost-iostreams1.74.0 libboost-thread1.74.0 libcephfs2 libcups2
  libgfapi0 libgfrpc0 libgfxdr0 libglusterfs0 libgpgme11 libgssrpc4 libibverbs1 libkadm5clnt-mit12 libkadm5srv-mit12 libkdb5-10 libksba8
  libldb2 libnl-3-200 libnl-route-3-200 libnpth0 libnspr4 libnss3 libpython3.9 librados2 librdmacm1 libsmbclient libtalloc2 libtdb1
  libtevent0 liburing1 libwbclient0 libyaml-0-2 pinentry-curses python3-cffi-backend python3-cryptography python3-dnspython python3-gpg
  python3-ldb python3-markdown python3-pygments python3-requests-toolbelt python3-samba python3-talloc python3-tdb python3-yaml
  samba-common samba-common-bin samba-dsdb-modules samba-libs samba-vfs-modules tdb-tools
Suggested packages:
  dbus-user-session pinentry-gnome3 tor parcimonie xloadimage scdaemon krb5-k5tls lrzip cups-common krb5-doc pinentry-doc
  python-cryptography-doc python3-cryptography-vectors python3-sniffio python3-trio python-markdown-doc python-pygments-doc
  ttf-bitstream-vera ctdb ldb-tools smbldap-tools ufw heimdal-clients cifs-utils libnss-winbind libpam-winbind
The following NEW packages will be installed:
  attr dirmngr gnupg gnupg-l10n gnupg-utils gpg gpg-agent gpg-wks-client gpg-wks-server gpgconf gpgsm ibverbs-providers krb5-config
  krb5-user libarchive13 libassuan0 libavahi-client3 libavahi-common-data libavahi-common3 libboost-iostreams1.74.0
  libboost-thread1.74.0 libcephfs2 libcups2 libgfapi0 libgfrpc0 libgfxdr0 libglusterfs0 libgpgme11 libgssrpc4 libibverbs1
  libkadm5clnt-mit12 libkadm5srv-mit12 libkdb5-10 libksba8 libldb2 libnl-3-200 libnl-route-3-200 libnpth0 libnspr4 libnss3 libpython3.9
  librados2 librdmacm1 libsmbclient libtalloc2 libtdb1 libtevent0 liburing1 libwbclient0 libyaml-0-2 pinentry-curses
  python3-cffi-backend python3-cryptography python3-dnspython python3-gpg python3-ldb python3-markdown python3-pygments
  python3-requests-toolbelt python3-samba python3-talloc python3-tdb python3-yaml samba samba-common samba-common-bin
  samba-dsdb-modules samba-libs samba-vfs-modules smbclient tdb-tools winbind
0 upgraded, 72 newly installed, 0 to remove and 0 not upgraded.
Need to get 44.6 MB of archives.
After this operation, 149 MB of additional disk space will be used.
[...]
Ensure that Samba services are disabled.
$ sudo systemctl disable --now samba-ad-dc.service smbd.service nmbd.service winbind.service
Remove default configuration.
$ sudo unlink /etc/samba/smb.conf
$ sudo unlink /etc/krb5.conf
Configure Samba AD service
Provision Samba Active Directory. Passing --adminpass on the command line leaves the Administrator password in the shell history and in the process list while samba-tool runs; leave the option out and samba-tool prompts for it instead.
$ sudo samba-tool domain provision --realm OCTOCAT.LAB \
                                   --domain OCTOCAT \
                                   --server-role dc \
                                   --dns-backend BIND9_DLZ \
                                   --adminpass oct0passwOrd \
                                   --use-rfc2307 \
                                   --option="interfaces=lo eth0" \
                                   --option="bind interfaces only=yes"
INFO 2021-09-30 14:08:32,340 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2122: Looking up IPv4 addresses
INFO 2021-09-30 14:08:32,340 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2139: Looking up IPv6 addresses
WARNING 2021-09-30 14:08:32,341 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2146: No IPv6 address will be assigned
INFO 2021-09-30 14:08:32,547 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2290: Setting up share.ldb
INFO 2021-09-30 14:08:32,556 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2294: Setting up secrets.ldb
INFO 2021-09-30 14:08:32,570 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2299: Setting up the registry
INFO 2021-09-30 14:08:32,597 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2302: Setting up the privileges database
INFO 2021-09-30 14:08:32,615 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2305: Setting up idmap db
INFO 2021-09-30 14:08:32,631 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2312: Setting up SAM db
INFO 2021-09-30 14:08:32,634 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #897: Setting up sam.ldb partitions and settings
INFO 2021-09-30 14:08:32,634 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #909: Setting up sam.ldb rootDSE
INFO 2021-09-30 14:08:32,636 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1322: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
INFO 2021-09-30 14:08:32,680 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1400: Adding DomainDN: DC=octocat,DC=lab
INFO 2021-09-30 14:08:32,695 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1432: Adding configuration container
INFO 2021-09-30 14:08:32,708 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1447: Setting up sam.ldb schema
INFO 2021-09-30 14:08:34,461 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1465: Setting up sam.ldb configuration data
INFO 2021-09-30 14:08:34,558 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1506: Setting up display specifiers
INFO 2021-09-30 14:08:35,791 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1514: Modifying display specifiers and extended rights
INFO 2021-09-30 14:08:35,816 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1521: Adding users container
INFO 2021-09-30 14:08:35,817 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1527: Modifying users container
INFO 2021-09-30 14:08:35,818 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1530: Adding computers container
INFO 2021-09-30 14:08:35,819 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1536: Modifying computers container
INFO 2021-09-30 14:08:35,820 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1540: Setting up sam.ldb data
INFO 2021-09-30 14:08:35,913 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1570: Setting up well known security principals
INFO 2021-09-30 14:08:35,942 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1584: Setting up sam.ldb users and groups
INFO 2021-09-30 14:08:36,026 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1592: Setting up self join
Repacking database from v1 to v2 format (first record CN=FRS-Replica-Set-Type,CN=Schema,CN=Configuration,DC=octocat,DC=lab)
Repack: re-packed 10000 records so far
Repacking database from v1 to v2 format (first record CN=siteLinkBridge-Display,CN=419,CN=DisplaySpecifiers,CN=Configuration,DC=octocat,DC=lab)
Repacking database from v1 to v2 format (first record CN=RpcServices,CN=System,DC=octocat,DC=lab)
INFO 2021-09-30 14:08:36,928 pid:458 /usr/lib/python3/dist-packages/samba/provision/sambadns.py #1143: Adding DNS accounts
INFO 2021-09-30 14:08:36,937 pid:458 /usr/lib/python3/dist-packages/samba/provision/sambadns.py #1177: Creating CN=MicrosoftDNS,CN=System,DC=octocat,DC=lab
INFO 2021-09-30 14:08:36,949 pid:458 /usr/lib/python3/dist-packages/samba/provision/sambadns.py #1190: Creating DomainDnsZones and ForestDnsZones partitions
INFO 2021-09-30 14:08:36,974 pid:458 /usr/lib/python3/dist-packages/samba/provision/sambadns.py #1195: Populating DomainDnsZones and ForestDnsZones partitions
Repacking database from v1 to v2 format (first record DC=ad,DC=octocat.lab,CN=MicrosoftDNS,DC=DomainDnsZones,DC=octocat,DC=lab)
Repacking database from v1 to v2 format (first record DC=_kerberos._tcp.dc,DC=_msdcs.octocat.lab,CN=MicrosoftDNS,DC=ForestDnsZones,DC=octocat,DC=lab)
INFO 2021-09-30 14:08:37,291 pid:458 /usr/lib/python3/dist-packages/samba/provision/sambadns.py #1276: See /var/lib/samba/bind-dns/named.conf for an example configuration include file for BIND
INFO 2021-09-30 14:08:37,291 pid:458 /usr/lib/python3/dist-packages/samba/provision/sambadns.py #1278: and /var/lib/samba/bind-dns/named.txt for further documentation required for secure DNS updates
INFO 2021-09-30 14:08:37,344 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2026: Setting up sam.ldb rootDSE marking as synchronized
INFO 2021-09-30 14:08:37,346 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2031: Fixing provision GUIDs
INFO 2021-09-30 14:08:37,902 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2364: A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
INFO 2021-09-30 14:08:37,902 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2366: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
INFO 2021-09-30 14:08:37,972 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2096: Setting up fake yp server settings
INFO 2021-09-30 14:08:38,017 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #489: Once the above files are installed, your Samba AD server will be ready to use
INFO 2021-09-30 14:08:38,018 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #494: Server Role: active directory domain controller
INFO 2021-09-30 14:08:38,018 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #495: Hostname: ad
INFO 2021-09-30 14:08:38,018 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #496: NetBIOS Domain: OCTOCAT
INFO 2021-09-30 14:08:38,018 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #497: DNS Domain: octocat.lab
INFO 2021-09-30 14:08:38,018 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #498: DOMAIN SID: S-1-5-21-3581266272-3984212215-1130392956
Alter DNS resolver to point to this server.
$ cat << EOF | sudo tee /etc/resolv.conf
search octocat.lab
nameserver 10.10.10.10
EOF
Copy the generated Kerberos configuration into place (copy it, do not symlink it, as the provisioning output warns).
$ sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
Display initial Kerberos configuration.
$ cat /etc/krb5.conf
[libdefaults]
	default_realm = OCTOCAT.LAB
	dns_lookup_realm = false
	dns_lookup_kdc = true

[realms]
OCTOCAT.LAB = {
	default_domain = octocat.lab
}

[domain_realm]
	ad = OCTOCAT.LAB
Create a link to the keytab file. It holds the long-term keys of the DC's machine account, and Samba keeps it under /var/lib/samba/private, which is readable by root only; the link does not change that, which is why klist below needs sudo.
$ sudo ln -s /var/lib/samba/private/secrets.keytab /etc/krb5.keytab
List keytab contents. Each principal appears three times because a key is stored per encryption type; add -e to klist to display them.
$ sudo klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HOST/ad@OCTOCAT.LAB
   1 HOST/ad.octocat.lab@OCTOCAT.LAB
   1 AD$@OCTOCAT.LAB
   1 HOST/ad@OCTOCAT.LAB
   1 HOST/ad.octocat.lab@OCTOCAT.LAB
   1 AD$@OCTOCAT.LAB
   1 HOST/ad@OCTOCAT.LAB
   1 HOST/ad.octocat.lab@OCTOCAT.LAB
   1 AD$@OCTOCAT.LAB
Display Samba configuration.
$ cat /etc/samba/smb.conf
# Global parameters
[global]
	bind interfaces only = Yes
	interfaces = lo eth0
	dns forwarder = 10.10.0.1
	netbios name = AD
	realm = OCTOCAT.LAB
	server role = active directory domain controller
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
	workgroup = OCTOCAT
	idmap_ldb:use rfc2307 = yes

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

[netlogon]
	path = /var/lib/samba/sysvol/octocat.lab/scripts
	read only = No
Ensure that the DNS forwarder is defined. Note that dns forwarder is only honoured by Samba's internal DNS server; with the BIND9_DLZ backend chosen above it has no effect, and forwarding of non-AD names is instead configured in BIND through the forwarders block in /etc/bind/named.conf.options. That block is left at its commented-out default below, so BIND resolves such names recursively on its own.
Configure NTP service
Determine the ntp_signd socket location.
$ sudo samba -b | grep NTP_SIGND_SOCKET_DIR
NTP_SIGND_SOCKET_DIR: /var/lib/samba/ntp_signd
Create the directory if it does not exist (-p keeps the step idempotent).
$ sudo mkdir -p /var/lib/samba/ntp_signd
Set proper permissions so that chronyd, which runs as _chrony, can reach the signing socket Samba creates there while nobody else can.
$ sudo chgrp _chrony /var/lib/samba/ntp_signd
$ sudo chmod 750 /var/lib/samba/ntp_signd
Delete default pool.
$ sudo sed -i -e "/\# Use Debian vendor zone./,+2d" /etc/chrony/chrony.conf
Define Debian NTP pool as a source.
$ cat << EOF | sudo tee /etc/chrony/sources.d/debian-pool.sources
pool 0.debian.pool.ntp.org iburst
pool 1.debian.pool.ntp.org iburst
pool 2.debian.pool.ntp.org iburst
pool 3.debian.pool.ntp.org iburst
EOF
Create a server configuration.
$ cat << EOF | sudo tee /etc/chrony/conf.d/server.conf
bindaddress 10.10.10.10
allow 10.10.0.1/16
ntpsigndsocket /var/lib/samba/ntp_signd
EOF
Use Unix domain command socket for command and monitoring access.
$ cat << EOF | sudo tee /etc/chrony/conf.d/cmd.conf
bindcmdaddress /var/run/chrony/chronyd.sock
cmdport 0
EOF
Enable service.
$ sudo systemctl enable --now chrony
Configure DNS service
Determine Samba configuration directory for BIND.
$ sudo smbd -b | grep BINDDNS
BINDDNS_DIR: /var/lib/samba/bind-dns
Determine the BIND version.
$ sudo named -v
BIND 9.16.15-Debian (Stable Release) <id:4469e3e>
Ensure that only the database line matching the installed BIND version (9.16 here) is uncommented.
$ sudo cat /var/lib/samba/bind-dns/named.conf
# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
#
# This file should be included in your main BIND configuration file
#
# For example with
# include "/var/lib/samba/bind-dns/named.conf";

# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
dlz "AD DNS Zone" {
    # For BIND 9.8.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";

    # For BIND 9.9.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";

    # For BIND 9.10.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";

    # For BIND 9.11.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";

    # For BIND 9.12.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_12.so";

    # For BIND 9.14.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_14.so";

    # For BIND 9.16.x
    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_16.so";
};
Include these dynamically loadable zones.
$ sudo cat /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/bind-dns/named.conf";
Ensure that the Kerberos keytab BIND needs for GSS-TSIG (the secure dynamic updates Samba sends to its own zones) is referenced. Provisioning created it at /var/lib/samba/bind-dns/dns.keytab and made it readable by the bind group; confirm that with ls -l before starting named. The forwarders block stays commented out here, so this BIND instance performs full recursion itself; recursion is limited by BIND's default allow-recursion of localnets and localhost, which on this host covers 10.10.0.0/16.
$ cat /etc/bind/named.conf.options
options {
	directory "/var/cache/bind";

	// If there is a firewall between you and nameservers you want
	// to talk to, you may need to fix the firewall to allow multiple
	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113

	// If your ISP provided one or more IP addresses for stable
	// nameservers, you probably want to use them as forwarders.
	// Uncomment the following block, and insert the addresses replacing
	// the all-0's placeholder.

	// forwarders {
	// 	0.0.0.0;
	// };

	//========================================================================
	// If BIND logs error messages about the root key being expired,
	// you will need to update your keys.  See https://www.isc.org/bind-keys
	//========================================================================
	dnssec-validation auto;

	listen-on-v6 { any; };

	tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
};
Enable DNS server.
$ sudo systemctl enable --now named
Start Samba AD service
Unmask the samba-ad-dc service.
$ sudo systemctl unmask samba-ad-dc.service
Start and enable the samba-ad-dc service.
$ sudo systemctl enable --now samba-ad-dc.service
Inspect service status.
$ systemctl status samba-ad-dc.service
● samba-ad-dc.service - Samba AD Daemon
     Loaded: loaded (/lib/systemd/system/samba-ad-dc.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2021-09-30 14:13:44 CEST; 12s ago
       Docs: man:samba(8)
             man:samba(7)
             man:smb.conf(5)
   Main PID: 743 (samba)
     Status: "samba: ready to serve connections..."
      Tasks: 56 (limit: 1105)
     Memory: 165.9M
        CPU: 5.246s
     CGroup: /system.slice/samba-ad-dc.service
             ├─743 samba: root process
             ├─744 samba: tfork waiter process(745)
             ├─745 samba: task[s3fs] pre-fork master
             ├─746 samba: tfork waiter process(747)
             ├─747 samba: task[rpc] pre-fork master
             ├─748 samba: tfork waiter process(750)
             ├─749 samba: tfork waiter process(752)
             ├─750 samba: task[nbt] pre-fork master
             ├─751 samba: tfork waiter process(753)
             ├─752 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
             ├─753 samba: task[wrepl] pre-fork master
             ├─754 samba: tfork waiter process(756)
             ├─755 samba: tfork waiter process(758)
             ├─756 samba: task[ldap] pre-fork master
             ├─757 samba: tfork waiter process(760)
             ├─758 samba: task[rpc] pre-forked worker(0)
             ├─759 samba: tfork waiter process(764)
             ├─760 samba: task[cldap] pre-fork master
             ├─761 samba: tfork waiter process(762)
             ├─762 samba: task[kdc] pre-fork master
             ├─763 samba: tfork waiter process(766)
             ├─764 samba: task[rpc] pre-forked worker(1)
             ├─765 samba: tfork waiter process(769)
             ├─766 samba: task[drepl] pre-fork master
             ├─767 samba: tfork waiter process(770)
             ├─768 samba: tfork waiter process(773)
             ├─769 samba: task[rpc] pre-forked worker(2)
             ├─770 samba: task[winbindd] pre-fork master
             ├─771 samba: tfork waiter process(775)
             ├─772 samba: tfork waiter process(777)
             ├─773 samba: task[kdc] pre-forked worker(0)
             ├─774 samba: tfork waiter process(778)
             ├─775 samba: task[ntp_signd] pre-fork master
             ├─776 samba: tfork waiter process(780)
             ├─777 samba: task[rpc] pre-forked worker(3)
             ├─778 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
             ├─779 samba: tfork waiter process(782)
             ├─780 samba: task[kcc] pre-fork master
             ├─781 samba: tfork waiter process(784)
             ├─782 samba: task[kdc] pre-forked worker(1)
             ├─783 samba: tfork waiter process(785)
             ├─784 samba: task[dnsupdate] pre-fork master
             ├─785 samba: task[kdc] pre-forked worker(2)
             ├─786 samba: tfork waiter process(787)
             ├─787 samba: task[kdc] pre-forked worker(3)
             ├─794 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
             ├─795 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
             ├─796 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
             ├─798 samba: tfork waiter process(799)
             ├─799 samba: task[ldap] pre-forked worker(0)
             ├─800 samba: tfork waiter process(801)
             ├─801 samba: task[ldap] pre-forked worker(1)
             ├─802 samba: tfork waiter process(803)
             ├─803 samba: task[ldap] pre-forked worker(2)
             ├─804 samba: tfork waiter process(805)
             └─805 samba: task[ldap] pre-forked worker(3)
Post installation steps
List DNS zones.
$ samba-tool dns zonelist ad -U administrator
Password for [OCTOCAT\administrator]: *********
  2 zone(s) found

  pszZoneName                 : octocat.lab
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.octocat.lab

  pszZoneName                 : _msdcs.octocat.lab
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : ForestDnsZones.octocat.lab
Create a reverse DNS zone.
$ samba-tool dns zonecreate -U administrator ad.octocat.lab 10.10.in-addr.arpa
Password for [OCTOCAT\administrator]: *********
Zone 10.10.in-addr.arpa created successfully
List DNS zones.
$ samba-tool dns zonelist ad.octocat.lab -U administrator
Password for [OCTOCAT\administrator]: *********
  3 zone(s) found

  pszZoneName                 : octocat.lab
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.octocat.lab

  pszZoneName                 : 10.10.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.octocat.lab

  pszZoneName                 : _msdcs.octocat.lab
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : ForestDnsZones.octocat.lab
Check DNS entry.
$ dig ad.octocat.lab +short
10.10.10.10
Display machine account details.
$ net ads info
LDAP server: 10.10.10.10
LDAP server name: ad.octocat.lab
Realm: OCTOCAT.LAB
Bind Path: dc=OCTOCAT,dc=LAB
LDAP port: 389
Server time: Thu, 30 Sep 2021 20:33:23 CEST
KDC server: 10.10.10.10
Server time offset: 0
Last machine account password change: Thu, 30 Sep 2021 14:08:36 CEST
Perform CLDAP query to get information about domain controller.
$ net ads lookup
Information for Domain Controller: 10.10.10.10

Response Type: LOGON_SAM_LOGON_RESPONSE_EX
GUID: 6b95767e-3fc5-4660-aed6-1ee5f55b9365
Flags:
	Is a PDC:                                   yes
	Is a GC of the forest:                      yes
	Is an LDAP server:                          yes
	Supports DS:                                yes
	Is running a KDC:                           yes
	Is running time services:                   yes
	Is the closest DC:                          yes
	Is writable:                                yes
	Has a hardware clock:                       yes
	Is a non-domain NC serviced by LDAP server: no
	Is NT6 DC that has some secrets:            no
	Is NT6 DC that has all secrets:             yes
	Runs Active Directory Web Services:         no
	Runs on Windows 2012 or later:              no
Forest:			octocat.lab
Domain:			octocat.lab
Domain Controller:	ad.octocat.lab
Pre-Win2k Domain:	OCTOCAT
Pre-Win2k Hostname:	AD
Server Site Name :		Default-First-Site-Name
Client Site Name :		Default-First-Site-Name
NT Version: 5
LMNT Token: ffff
LM20 Token: ffff
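A script that re-checks, once everything is running, the points this DC depends on: the ntp_signd directory permissions set in the chrony section, the keytab staying root-only, and the SRV records that domain members use to locate the DC all pointing back at it. This is an added example and not part of the original post; the paths, group and names are the ones used on this page, the script name verify-dc.sh is an assumption:

```sh
#!/bin/sh
# Post-provision checks for the DC built above. Added example, not part of
# the original post; paths, group and names come from the page, the script
# name is an assumption.

# The ntp_signd socket directory must have exactly <mode> and belong to the
# group chronyd runs as; otherwise chronyd cannot reach the signing socket and
# members that require signed NTP replies will not accept this server's time.
check_dir_access() {
    # usage: check_dir_access <dir> <group-name-or-gid> <octal-mode>
    dir=$1; gid=$2; mode=$3
    [ -d "$dir" ] || { echo "$dir: missing" >&2; return 1; }
    case "$gid" in
        *[!0-9]*) gid=$(getent group "$gid" | cut -d: -f3) ;;   # name -> gid
    esac
    actual=$(stat -L -c '%a %g' "$dir")
    [ "$actual" = "$mode $gid" ] || { echo "$dir: has '$actual', want '$mode $gid'" >&2; return 1; }
}

# A keytab holds long-term Kerberos keys; anything beyond owner-only access
# hands them to every local user. Symlinks (/etc/krb5.keytab) are followed.
check_keytab_private() {
    # usage: check_keytab_private <keytab>
    mode=$(stat -L -c '%a' "$1" 2>/dev/null) || { echo "$1: cannot stat" >&2; return 1; }
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$1: mode $mode exposes Kerberos keys, expected 600" >&2; return 1 ;;
    esac
}

# Validate `dig +short SRV <name>` output ("prio weight port target." per line):
# at least one record, every record targeting this DC on the expected port.
check_srv_target() {
    # usage: ... | check_srv_target <dc-fqdn> <expected-port>
    fqdn=$1; port=$2; n=0
    while read -r _prio _weight p target; do
        [ -n "$target" ] || continue
        n=$((n + 1))
        [ "${target%.}" = "$fqdn" ] || { echo "SRV target $target is not $fqdn" >&2; return 1; }
        [ "$p" = "$port" ] || { echo "SRV port $p is not $port" >&2; return 1; }
    done
    [ "$n" -gt 0 ] || { echo "no SRV records found" >&2; return 1; }
}

# Run all checks against the live DC: sh verify-dc.sh run
verify_dc() {
    check_dir_access /var/lib/samba/ntp_signd _chrony 750 || return 1
    check_keytab_private /etc/krb5.keytab || return 1
    for rec in _ldap._tcp:389 _kerberos._tcp:88 _kerberos._udp:88 _ldap._tcp.dc._msdcs:389; do
        dig +short SRV "${rec%:*}.octocat.lab" |
            check_srv_target ad.octocat.lab "${rec#*:}" || return 1
    done
    echo "DC checks OK"
}

if [ "${1:-}" = run ]; then verify_dc; fi
```

When it passes, kinit administrator followed by klist confirms that the KDC is issuing tickets; a clock skew against the members of more than a few minutes, or an SRV record pointing at a loopback or stale address, are the usual reasons for the Kerberos step to fail after the DNS checks succeed.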
Installation complete.