Create Samba Active Directory server using Debian Bullseye.
Preparations
Update package index.
$ sudo apt update
Upgrade operating system.
$ sudo apt upgrade
Ensure that hostname is defined.
$ sudo hostnamectl --static set-hostname ad.octocat.lab
Inspect hosts file which should be in its initial state.
$ cat /etc/hosts
127.0.0.1 localhost #10.10.10.10 ad.octocat.lab ad # The following lines are desirable for IPv6 capable hosts ::1 localhost ip6-localhost ip6-loopback ff02::1 ip6-allnodes ff02::2 ip6-allrouters
Ensure that systemd-resolved service is disabled.
$ systemctl status systemd-resolved.service
● systemd-resolved.service - Network Name Resolution
Loaded: loaded (/lib/systemd/system/systemd-resolved.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:systemd-resolved.service(8)
man:org.freedesktop.resolve1(5)
https://www.freedesktop.org/wiki/Software/systemd/writing-network-configuration-managers
https://www.freedesktop.org/wiki/Software/systemd/writing-resolver-clients
DNS resolver should point to DNS server that will be used later as a forwarder.
$ cat /etc/resolv.conf
nameserver 10.10.0.1
Samba AD server should have a static IP address assigned.
$ cat /etc/network/interfaces
# This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5). source /etc/network/interfaces.d/* # The loopback network interface auto lo iface lo inet loopback
$ cat /etc/network/interfaces.d/eth0
auto eth0
iface eth0 inet static
address 10.10.10.10
netmask 255.255.0.0
gateway 10.10.0.1
These steps will save you time later.
Install NTP service
Install chrony NTP daemon.
$ sudo apt install chrony
Disable chrony service as it will be configured later.
$ sudo systemctl disable --now chrony
Install DNS service
Install bind9 DNS daemon.
$ sudo apt install bind9
Disable bind service as it will be configured later.
$ sudo systemctl disable --now bind
Install Samba AD service
Install required Samba and Kerberos packages.
$ sudo DEBIAN_FRONTEND=noninteractive apt-get install -y samba smbclient winbind krb5-user krb5-config
Reading package lists... Done Building dependency tree... Done Reading state information... Done The following additional packages will be installed: attr dirmngr gnupg gnupg-l10n gnupg-utils gpg gpg-agent gpg-wks-client gpg-wks-server gpgconf gpgsm ibverbs-providers libarchive13 libassuan0 libavahi-client3 libavahi-common-data libavahi-common3 libboost-iostreams1.74.0 libboost-thread1.74.0 libcephfs2 libcups2 libgfapi0 libgfrpc0 libgfxdr0 libglusterfs0 libgpgme11 libgssrpc4 libibverbs1 libkadm5clnt-mit12 libkadm5srv-mit12 libkdb5-10 libksba8 libldb2 libnl-3-200 libnl-route-3-200 libnpth0 libnspr4 libnss3 libpython3.9 librados2 librdmacm1 libsmbclient libtalloc2 libtdb1 libtevent0 liburing1 libwbclient0 libyaml-0-2 pinentry-curses python3-cffi-backend python3-cryptography python3-dnspython python3-gpg python3-ldb python3-markdown python3-pygments python3-requests-toolbelt python3-samba python3-talloc python3-tdb python3-yaml samba-common samba-common-bin samba-dsdb-modules samba-libs samba-vfs-modules tdb-tools Suggested packages: dbus-user-session pinentry-gnome3 tor parcimonie xloadimage scdaemon krb5-k5tls lrzip cups-common krb5-doc pinentry-doc python-cryptography-doc python3-cryptography-vectors python3-sniffio python3-trio python-markdown-doc python-pygments-doc ttf-bitstream-vera ctdb ldb-tools smbldap-tools ufw heimdal-clients cifs-utils libnss-winbind libpam-winbind The following NEW packages will be installed: attr dirmngr gnupg gnupg-l10n gnupg-utils gpg gpg-agent gpg-wks-client gpg-wks-server gpgconf gpgsm ibverbs-providers krb5-config krb5-user libarchive13 libassuan0 libavahi-client3 libavahi-common-data libavahi-common3 libboost-iostreams1.74.0 libboost-thread1.74.0 libcephfs2 libcups2 libgfapi0 libgfrpc0 libgfxdr0 libglusterfs0 libgpgme11 libgssrpc4 libibverbs1 libkadm5clnt-mit12 libkadm5srv-mit12 libkdb5-10 libksba8 libldb2 libnl-3-200 libnl-route-3-200 libnpth0 libnspr4 libnss3 libpython3.9 librados2 librdmacm1 libsmbclient libtalloc2 libtdb1 libtevent0 liburing1 libwbclient0 libyaml-0-2 pinentry-curses python3-cffi-backend python3-cryptography python3-dnspython python3-gpg python3-ldb python3-markdown python3-pygments python3-requests-toolbelt python3-samba python3-talloc python3-tdb python3-yaml samba samba-common samba-common-bin samba-dsdb-modules samba-libs samba-vfs-modules smbclient tdb-tools winbind 0 upgraded, 72 newly installed, 0 to remove and 0 not upgraded. Need to get 44.6 MB of archives. After this operation, 149 MB of additional disk space will be used. [...]
Ensure that Samba services are disabled.
$ sudo systemctl disable --now samba-ad-dc.service smbd.service nmbd.service winbind.service
Remove default configuration.
$ sudo unlink /etc/samba/smb.conf
$ sudo unlink /etc/krb5.conf
Configure Samba Ad service
Provision Samba Active Direcotry.
$ sudo samba-tool domain provision --realm OCTOCAT.LAB \
--domain OCTOCAT \
--server-role dc \
--dns-backend BIND9_DLZ \
--adminpass oct0passwOrd \
--use-rfc2307 \
--option="interfaces=lo eth0" \
--option="bind interfaces only=yes"
INFO 2021-09-30 14:08:32,340 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2122: Looking up IPv4 addresses INFO 2021-09-30 14:08:32,340 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2139: Looking up IPv6 addresses WARNING 2021-09-30 14:08:32,341 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2146: No IPv6 address will be assigned INFO 2021-09-30 14:08:32,547 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2290: Setting up share.ldb INFO 2021-09-30 14:08:32,556 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2294: Setting up secrets.ldb INFO 2021-09-30 14:08:32,570 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2299: Setting up the registry INFO 2021-09-30 14:08:32,597 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2302: Setting up the privileges database INFO 2021-09-30 14:08:32,615 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2305: Setting up idmap db INFO 2021-09-30 14:08:32,631 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2312: Setting up SAM db INFO 2021-09-30 14:08:32,634 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #897: Setting up sam.ldb partitions and settings INFO 2021-09-30 14:08:32,634 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #909: Setting up sam.ldb rootDSE INFO 2021-09-30 14:08:32,636 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1322: Pre-loading the Samba 4 and AD schema Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs INFO 2021-09-30 14:08:32,680 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1400: Adding DomainDN: DC=octocat,DC=lab INFO 2021-09-30 14:08:32,695 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1432: Adding configuration container INFO 2021-09-30 14:08:32,708 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1447: Setting up sam.ldb schema INFO 2021-09-30 14:08:34,461 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1465: Setting up sam.ldb configuration data INFO 2021-09-30 14:08:34,558 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1506: Setting up display specifiers INFO 2021-09-30 14:08:35,791 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1514: Modifying display specifiers and extended rights INFO 2021-09-30 14:08:35,816 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1521: Adding users container INFO 2021-09-30 14:08:35,817 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1527: Modifying users container INFO 2021-09-30 14:08:35,818 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1530: Adding computers container INFO 2021-09-30 14:08:35,819 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1536: Modifying computers container INFO 2021-09-30 14:08:35,820 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1540: Setting up sam.ldb data INFO 2021-09-30 14:08:35,913 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1570: Setting up well known security principals INFO 2021-09-30 14:08:35,942 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1584: Setting up sam.ldb users and groups INFO 2021-09-30 14:08:36,026 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1592: Setting up self join Repacking database from v1 to v2 format (first record CN=FRS-Replica-Set-Type,CN=Schema,CN=Configuration,DC=octocat,DC=lab) Repack: re-packed 10000 records so far Repacking database from v1 to v2 format (first record CN=siteLinkBridge-Display,CN=419,CN=DisplaySpecifiers,CN=Configuration,DC=octocat,DC=lab) Repacking database from v1 to v2 format (first record CN=RpcServices,CN=System,DC=octocat,DC=lab) INFO 2021-09-30 14:08:36,928 pid:458 /usr/lib/python3/dist-packages/samba/provision/sambadns.py #1143: Adding DNS accounts INFO 2021-09-30 14:08:36,937 pid:458 /usr/lib/python3/dist-packages/samba/provision/sambadns.py #1177: Creating CN=MicrosoftDNS,CN=System,DC=octocat,DC=lab INFO 2021-09-30 14:08:36,949 pid:458 /usr/lib/python3/dist-packages/samba/provision/sambadns.py #1190: Creating DomainDnsZones and ForestDnsZones partitions INFO 2021-09-30 14:08:36,974 pid:458 /usr/lib/python3/dist-packages/samba/provision/sambadns.py #1195: Populating DomainDnsZones and ForestDnsZones partitions Repacking database from v1 to v2 format (first record DC=ad,DC=octocat.lab,CN=MicrosoftDNS,DC=DomainDnsZones,DC=octocat,DC=lab) Repacking database from v1 to v2 format (first record DC=_kerberos._tcp.dc,DC=_msdcs.octocat.lab,CN=MicrosoftDNS,DC=ForestDnsZones,DC=octocat,DC=lab) INFO 2021-09-30 14:08:37,291 pid:458 /usr/lib/python3/dist-packages/samba/provision/sambadns.py #1276: See /var/lib/samba/bind-dns/named.conf for an example configuration include file for BIND INFO 2021-09-30 14:08:37,291 pid:458 /usr/lib/python3/dist-packages/samba/provision/sambadns.py #1278: and /var/lib/samba/bind-dns/named.txt for further documentation required for secure DNS updates INFO 2021-09-30 14:08:37,344 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2026: Setting up sam.ldb rootDSE marking as synchronized INFO 2021-09-30 14:08:37,346 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2031: Fixing provision GUIDs INFO 2021-09-30 14:08:37,902 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2364: A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf INFO 2021-09-30 14:08:37,902 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2366: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink! INFO 2021-09-30 14:08:37,972 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2096: Setting up fake yp server settings INFO 2021-09-30 14:08:38,017 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #489: Once the above files are installed, your Samba AD server will be ready to use INFO 2021-09-30 14:08:38,018 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #494: Server Role: active directory domain controller INFO 2021-09-30 14:08:38,018 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #495: Hostname: ad INFO 2021-09-30 14:08:38,018 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #496: NetBIOS Domain: OCTOCAT INFO 2021-09-30 14:08:38,018 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #497: DNS Domain: octocat.lab INFO 2021-09-30 14:08:38,018 pid:458 /usr/lib/python3/dist-packages/samba/provision/__init__.py #498: DOMAIN SID: S-1-5-21-3581266272-3984212215-1130392956
Alter DNS resolver to point to this server.
$ cat << EOF | sudo tee /etc/resolv.conf search octocat.lab nameserver 10.10.10.10 EOF
Copy Kerberos configuration.
$ sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
Display initial Kerberos configuration.
$ cat /etc/krb5.conf
[libdefaults]
default_realm = OCTOCAT.LAB
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
OCTOCAT.LAB = {
default_domain = octocat.lab
}
[domain_realm]
ad = OCTOCAT.LAB
Create a link to a keytab file.
$ sudo ln -s /var/lib/samba/private/secrets.keytab /etc/krb5.keytab
List keytab contents.
$ sudo klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 1 HOST/ad@OCTOCAT.LAB 1 HOST/ad.octocat.lab@OCTOCAT.LAB 1 AD$@OCTOCAT.LAB 1 HOST/ad@OCTOCAT.LAB 1 HOST/ad.octocat.lab@OCTOCAT.LAB 1 AD$@OCTOCAT.LAB 1 HOST/ad@OCTOCAT.LAB 1 HOST/ad.octocat.lab@OCTOCAT.LAB 1 AD$@OCTOCAT.LAB
Display Samba configuration.
$ cat /etc/samba/smb.conf
# Global parameters
[global]
bind interfaces only = Yes
interfaces = lo eth0
dns forwarder = 10.10.0.1
netbios name = AD
realm = OCTOCAT.LAB
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = OCTOCAT
idmap_ldb:use rfc2307 = yes
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/octocat.lab/scripts
read only = No
Ensure that DNS forwarder is defined.
Configure NTP service
Determine ntp_signd socket location.
$ sudo samba -b | grep NTP_SIGND_SOCKET_DIR
NTP_SIGND_SOCKET_DIR: /var/lib/samba/ntp_signd
Create directory if it does not exist.
$ sudo mkdir /var/lib/samba/ntp_signd
Set proper permissions.
$ sudo chgrp _chrony /var/lib/samba/ntp_signd
$ sudo chmod 750 /var/lib/samba/ntp_signd
Delete default pool.
$ sudo sed -i -e "/\# Use Debian vendor zone./,+2d" /etc/chrony/chrony.con
Define Debian NTP pool as a source.
$ cat << EOF | sudo tee /etc/chrony/sources.d/debian-pool.sources pool 0.debian.pool.ntp.org iburst pool 1.debian.pool.ntp.org iburst pool 2.debian.pool.ntp.org iburst pool 3.debian.pool.ntp.org iburst EOF
Create a server configuration.
$ cat << EOF | sudo tee /etc/chrony/conf.d/server.conf bindaddress 10.10.10.10 allow 10.10.0.1/16 ntpsigndsocket /var/lib/samba/ntp_signd EOF
Use Unix domain command socket for command and monitoring access.
$ cat << EOF | sudo tee /etc/chrony/conf.d/cmd.conf bindcmdaddress /var/run/chrony/chronyd.sock cmdport 0 EOF
Enable service.
$ sudo systemctl enable --now chrony
Configure DNS service
Determine Samba configuration directory for BIND.
$ sudo smbd -b | grep BINDDNS
BINDDNS_DIR: /var/lib/samba/bind-dns
Determinae BIND version.
$ sudo named -v
BIND 9.16.15-Debian (Stable Release) <id:4469e3e>
Ensure that proper database version is used.
$ sudo cat /var/lib/samba/bind-dns/named.conf
# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
#
# This file should be included in your main BIND configuration file
#
# For example with
# include "/var/lib/samba/bind-dns/named.conf";
#
# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
dlz "AD DNS Zone" {
# For BIND 9.8.x
# database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";
# For BIND 9.9.x
# database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
# For BIND 9.10.x
# database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";
# For BIND 9.11.x
# database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
# For BIND 9.12.x
# database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_12.so";
# For BIND 9.14.x
# database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_14.so";
# For BIND 9.16.x
database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_16.so";
};
Include these dynamically loadable zones.
$ sudo cat /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named. // // Please read /usr/share/doc/bind9/README.Debian.gz for information on the // structure of BIND configuration files in Debian, *BEFORE* you customize // this configuration file. // // If you are just adding zones, please do that in /etc/bind/named.conf.local include "/etc/bind/named.conf.options"; include "/etc/bind/named.conf.local"; include "/etc/bind/named.conf.default-zones"; include "/var/lib/samba/bind-dns/named.conf";
Ensure that Kerberos keytab is provided for DNS updates.
$ cat /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;
listen-on-v6 { any; };
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
};
Enable DNS server.
$ sudo systemctl enable --now named
Start Samba AD service
Unmask samba-ad-dc service.
$ sudo systemctl unmask samba-ad-dc.service
Start and enable samba-ad-dc service.
$ sudo systemctl enable --now samba-ad-dc.service
Inspect service status.
$ systemctl status samba-ad-dc.service
● samba-ad-dc.service - Samba AD Daemon
Loaded: loaded (/lib/systemd/system/samba-ad-dc.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2021-09-30 14:13:44 CEST; 12s ago
Docs: man:samba(8)
man:samba(7)
man:smb.conf(5)
Main PID: 743 (samba)
Status: "samba: ready to serve connections..."
Tasks: 56 (limit: 1105)
Memory: 165.9M
CPU: 5.246s
CGroup: /system.slice/samba-ad-dc.service
├─743 samba: root process
├─744 samba: tfork waiter process(745)
├─745 samba: task[s3fs] pre-fork master
├─746 samba: tfork waiter process(747)
├─747 samba: task[rpc] pre-fork master
├─748 samba: tfork waiter process(750)
├─749 samba: tfork waiter process(752)
├─750 samba: task[nbt] pre-fork master
├─751 samba: tfork waiter process(753)
├─752 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
├─753 samba: task[wrepl] pre-fork master
├─754 samba: tfork waiter process(756)
├─755 samba: tfork waiter process(758)
├─756 samba: task[ldap] pre-fork master
├─757 samba: tfork waiter process(760)
├─758 samba: task[rpc] pre-forked worker(0)
├─759 samba: tfork waiter process(764)
├─760 samba: task[cldap] pre-fork master
├─761 samba: tfork waiter process(762)
├─762 samba: task[kdc] pre-fork master
├─763 samba: tfork waiter process(766)
├─764 samba: task[rpc] pre-forked worker(1)
├─765 samba: tfork waiter process(769)
├─766 samba: task[drepl] pre-fork master
├─767 samba: tfork waiter process(770)
├─768 samba: tfork waiter process(773)
├─769 samba: task[rpc] pre-forked worker(2)
├─770 samba: task[winbindd] pre-fork master
├─771 samba: tfork waiter process(775)
├─772 samba: tfork waiter process(777)
├─773 samba: task[kdc] pre-forked worker(0)
├─774 samba: tfork waiter process(778)
├─775 samba: task[ntp_signd] pre-fork master
├─776 samba: tfork waiter process(780)
├─777 samba: task[rpc] pre-forked worker(3)
├─778 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
├─779 samba: tfork waiter process(782)
├─780 samba: task[kcc] pre-fork master
├─781 samba: tfork waiter process(784)
├─782 samba: task[kdc] pre-forked worker(1)
├─783 samba: tfork waiter process(785)
├─784 samba: task[dnsupdate] pre-fork master
├─785 samba: task[kdc] pre-forked worker(2)
├─786 samba: tfork waiter process(787)
├─787 samba: task[kdc] pre-forked worker(3)
├─794 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
├─795 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
├─796 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
├─798 samba: tfork waiter process(799)
├─799 samba: task[ldap] pre-forked worker(0)
├─800 samba: tfork waiter process(801)
├─801 samba: task[ldap] pre-forked worker(1)
├─802 samba: tfork waiter process(803)
├─803 samba: task[ldap] pre-forked worker(2)
├─804 samba: tfork waiter process(805)
└─805 samba: task[ldap] pre-forked worker(3)
Post installation steps
List DNS zones.
$ samba-tool dns zonelist ad -U administrator Password for [OCTOCAT\administrator]: *********
2 zone(s) found pszZoneName : octocat.lab Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE ZoneType : DNS_ZONE_TYPE_PRIMARY Version : 50 dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED pszDpFqdn : DomainDnsZones.octocat.lab pszZoneName : _msdcs.octocat.lab Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE ZoneType : DNS_ZONE_TYPE_PRIMARY Version : 50 dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED pszDpFqdn : ForestDnsZones.octocat.lab
Create a reverse DNS zone.
$ samba-tool dns zonecreate -U administrator ad.octocat.lab 10.10.in-addr.arpa Password for [OCTOCAT\administrator]: *********
Zone 10.10.in-addr.arpa created successfully
List DNS zones.
$ samba-tool dns zonelist ad.octocat.lab -U administrator Password for [OCTOCAT\administrator]: *********
3 zone(s) found pszZoneName : octocat.lab Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE ZoneType : DNS_ZONE_TYPE_PRIMARY Version : 50 dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED pszDpFqdn : DomainDnsZones.octocat.lab pszZoneName : 10.10.in-addr.arpa Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE ZoneType : DNS_ZONE_TYPE_PRIMARY Version : 50 dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED pszDpFqdn : DomainDnsZones.octocat.lab pszZoneName : _msdcs.octocat.lab Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE ZoneType : DNS_ZONE_TYPE_PRIMARY Version : 50 dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED pszDpFqdn : ForestDnsZones.octocat.lab
Check DNS entry.
$ dig ad.octocat.lab +short
10.10.10.10
Display machine account details.
$ net ads info
LDAP server: 10.10.10.10 LDAP server name: ad.octocat.lab Realm: OCTOCAT.LAB Bind Path: dc=OCTOCAT,dc=LAB LDAP port: 389 Server time: Thu, 30 Sep 2021 20:33:23 CEST KDC server: 10.10.10.10 Server time offset: 0 Last machine account password change: Thu, 30 Sep 2021 14:08:36 CEST
Perform CLDAP query to get information about domain controller.
$ net ads lookup
Information for Domain Controller: 10.10.10.10
Response Type: LOGON_SAM_LOGON_RESPONSE_EX
GUID: 6b95767e-3fc5-4660-aed6-1ee5f55b9365
Flags:
Is a PDC: yes
Is a GC of the forest: yes
Is an LDAP server: yes
Supports DS: yes
Is running a KDC: yes
Is running time services: yes
Is the closest DC: yes
Is writable: yes
Has a hardware clock: yes
Is a non-domain NC serviced by LDAP server: no
Is NT6 DC that has some secrets: no
Is NT6 DC that has all secrets: yes
Runs Active Directory Web Services: no
Runs on Windows 2012 or later: no
Forest: octocat.lab
Domain: octocat.lab
Domain Controller: ad.octocat.lab
Pre-Win2k Domain: OCTOCAT
Pre-Win2k Hostname: AD
Server Site Name: Default-First-Site-Name
Client Site Name: Default-First-Site-Name
NT Version: 5
LMNT Token: ffff
LM20 Token: ffff
Installation complete.