Installing and configuring a secondary Samba-AD on Debian10


In this documentation, it is assumed:

  • that the main domain controller is called srvads1;

  • that the secondary domain controller is called srvads2;

  • that the domain is called mydomain.lan;

In the instructions below, you will replace mydomain.lan with your own domain name and srvads1 and srvads2 with the machine names of your choice.

Preparing the Virtual machine

  • on a 64-bit Debian10 base, prepare the network configuration of the machine following the same documentation as for a new domain controller.

  • for the file /etc/hosts, modify it so that it contains the DNS resolution of the machine’s FQDN on its IP (i.e. not the localohst line), specifying the long name then the short name:      localhost   srvads2.mydomain.lan srvads2

Retrieving the necessary packages

Tranquil IT’s DEBs are currently validated for Debian10.

The packages of the latest version validated by the engineering team at Tranquil IT can be downloaded from the url

When it will be necessary to migrate to the next version of Samba, you’ll just have to update the repository url like for example

For more comfort, you can define an apt repository and add our GPG public key :

wget -O tissamba-pubkey.gpg
sha256sum tissamba-pubkey.gpg
   bd0f7140edd098031fcb36106b24a6837b067f1c847f72cf262fa012f14ce2dd  tissamba-pubkey.gpg
apt-key add tissamba-pubkey.gpg
echo "deb $(lsb_release -c -s) main" > /etc/apt/sources.list.d/tissamba.list

Installing the packages

export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get install samba winbind libnss-winbind krb5-user smbclient ldb-tools python3-crypto

Configuring Kerberos

  • open /etc/krb5.conf, remove its contents and add:

      default_realm = MYDOMAIN.LAN
      dns_lookup_kdc = false
      MYDOMAIN.LAN = {
      kdc =
      kdc =


    It is necessary to respect the CAPITAL LETTERS and replace the 2 IPs by:

    • the IP of your srvrodc first, we can use localhost;

    • the IP of srvads as the second IP (ex;

  • reboot the host:

  • after rebooting, ensure that kerberos is properly configured and that you get a TGT:


    The default administrator is administrator in English (type the account password administrator, if it doesn’t return anything or you get a message about the password expiration, it’s ok).

    kinit administrator

Configuring Samba as a Secondary Domain Controller

  • remove the configuration file /etc/samba/smb.conf which was automatically generated during package installation:

    rm -f /etc/samba/smb.conf
  • join the Domain Controller as a member of the domain. Replace the values mydomain.lan, MYDOMAIN.LAN and MYDOMAIN with the values of your domain:

    samba-tool domain join mydomain.lan DC -U administrator --realm=MYDOMAIN.LAN -W MYDOMAIN
  • modify the DNS to point to itself in /etc/resolv.conf:

  • in /etc/samba/smb.conf, add the DNS forwarder:

       dns forwarder =
  • activate the automatic start of the AD service:

    systemctl unmask samba-ad-dc
    systemctl enable samba-ad-dc
    systemctl disable winbind nmbd smbd
    systemctl mask winbind nmbd smbd
  • point your Kerberos to the correct configuration file:


    By default Samba-AD provisioning creates an example file krb5.conf in the directory /var/lib/samba/private.

    This file is used by default by some Samba calls.

    It is best to replace it with a symbolic link to /etc/kbr5.conf to avoid some side effects.

    rm /var/lib/samba/private/krb5.conf
    ln -s /etc/krb5.conf /var/lib/samba/private/krb5.conf
  • restart Samba:

    pkill -9 smbd
    pkill -9 nmbd
    pkill -9 winbindd
    systemctl restart samba-ad-dc
  • check that the DNS entries have been created:

    samba_dnsupdate --verbose --use-samba-tool

Configuring SYSVOL

  • retrieve the contents of \srvads\sysvol and copy it to the new AD server from a windows workstation as Domain Administrator. On the secondary domain controller, run the command:

    rsync -aP root@srvads1:/var/lib/samba/sysvol/ /var/lib/samba/sysvol/
  • then check the ACL on SYSVOL, and if necessary reset the ACLs:

    samba-tool ntacl sysvolreset
    samba-tool ntacl sysvolcheck


While waiting for the development of a DFS-R officially supported by Samba- team, Tranquil IT proposes the tis-sysvolsync tool to synchronize SYSVOL shares between Samba domain controllers.

Validating the new installation

  • check the status of the replications with samba-tool drs showrepl. The replicas may take a few minutes to set up. Once the replicas are correct (5 Inbound replications and 5 Outbound replications), you can proceed to the following checks;

  • test the DNS connection from the DNS Active Directory console;

  • test the connection with the Users and Computers Active Directory console;

Configuring signed NTP

Configuring Bind-DLZ

Before going into production, the internal Samba DNS must be replaced by the Bind-DLZ module. To do this, follow the documentation to integrate Samba with Bind9.

Great, if you have made it this far, then everything went well and you have a new operational secondary domain controller.