.. Reminder for header structure:        
  Parts (H1)          : #################### with overline
  Chapters (H2)       : ******************** with overline
  Sections (H3)       : ====================
  Subsections (H4)    : --------------------
  Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
  Paragraphs (H6)     : """""""""""""""""""""

.. |date| date::

.. meta::
  :description: Installing and configuring a secondary Samba-AD on Debian 
  :keywords: install, Debian, Samba-AD, documentation, secondary domain

.. _server_secondary_debian:

###########################################################
Installing and configuring a secondary Samba-AD on Debian
###########################################################

.. note::

  In this documentation, it is assumed:

  * That the main domain controller is called *srvads1*.

  * That the secondary domain controller is called *srvads2*.

  * That the domain is called *mydomain.lan*.

  * That the domain you want to join is reachable (``ping mydomain.lan`` and ``ping srvads1.mydomain.lan`` should succeed). Configure :file:`/etc/resolv.conf` to point to an existing domain controller before continuing.

  In the instructions below, you will replace *mydomain.lan* with your own domain name and *srvads1* and *srvads2* with the machine names of your choice.

*****************************
Preparing the Virtual machine
*****************************

* On a 64-bit Debian, prepare the network configuration of the machine following the same :ref:`documentation as for a new domain controller <server_prepare_debian>`.

* Edit :file:`/etc/hosts` so that the machine's FQDN resolves to its real IP address (not to the 127.0.0.1 localhost line), listing the long name first and then the short name:

.. code-block:: ini

  127.0.0.1      localhost
  192.168.1.12   srvads2.mydomain.lan srvads2
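The two rules above (FQDN before short name, and no hostname on a loopback line) and the :file:`/etc/resolv.conf` prerequisite from the note are easy to get wrong, so here is a pre-join check script. It is an added example written for this page, not part of Samba or of Tranquil IT's tooling; the address 192.168.1.11 for *srvads1* is an assumption, 192.168.1.12 for *srvads2* comes from the page, and the sample files it creates are constructed for illustration.

```shell
#!/bin/bash
# Pre-join checks for the name resolution of the future secondary DC. Added
# example for this page; not part of Samba or of Tranquil IT's tooling.
# Assumed addresses: srvads2 = 192.168.1.12 (from the page), srvads1 = 192.168.1.11.
set -eu

# check_hosts FILE FQDN IP
# Passes only if the line for IP lists FQDN first and the short name second,
# and if neither name appears on any other line. The first name on the line is
# what the resolver returns as the canonical name, so a swapped order makes the
# DC believe its name is the short one; a name on a loopback line (Debian's
# installer writes "127.0.1.1 <host>") makes the DC resolve itself to loopback.
check_hosts() {
    local file="$1" fqdn="$2" ip="$3"
    local short="${fqdn%%.*}" addr names n line_ok=0 rc=0
    while read -r addr names; do
        names="${names%%#*}"                    # drop trailing comments
        case "$addr" in ''|'#'*) continue ;; esac
        if [ "$addr" = "$ip" ]; then
            set -- $names                       # split the name list on whitespace
            if [ "${1:-}" = "$fqdn" ] && [ "${2:-}" = "$short" ]; then
                line_ok=1
            else
                echo "hosts: line for $ip must read '$fqdn $short', got '$names'" >&2
                rc=1
            fi
        else
            for n in $names; do
                if [ "$n" = "$fqdn" ] || [ "$n" = "$short" ]; then
                    echo "hosts: $n is also mapped to $addr; remove it" >&2
                    rc=1
                fi
            done
        fi
    done < "$file"
    if [ "$line_ok" -eq 0 ]; then
        echo "hosts: no line maps $ip to $fqdn" >&2
        rc=1
    fi
    return "$rc"
}

# check_resolv FILE DC_IP
# Before the join, the first nameserver must be an existing DC: the new machine
# has to find the domain's SRV records through it, and pointing at 127.0.0.1
# only becomes valid once samba-ad-dc is running locally.
check_resolv() {
    local file="$1" dc_ip="$2" first
    first="$(awk '$1 == "nameserver" { print $2; exit }' "$file")"
    if [ "$first" = "$dc_ip" ]; then
        return 0
    fi
    echo "resolv.conf: first nameserver is '${first:-none}', expected existing DC $dc_ip" >&2
    return 1
}

# sample_file KIND: constructed sample files (not copied from a real host),
# returned as a temporary path, so the checks can be exercised offline.
sample_file() {
    local f; f="$(mktemp)"
    case "$1" in
        hosts-good)    printf '127.0.0.1\tlocalhost\n192.168.1.12\tsrvads2.mydomain.lan srvads2\n' > "$f" ;;
        hosts-debian)  printf '127.0.0.1\tlocalhost\n127.0.1.1\tsrvads2\n192.168.1.12\tsrvads2.mydomain.lan srvads2\n' > "$f" ;;
        hosts-swapped) printf '127.0.0.1\tlocalhost\n192.168.1.12\tsrvads2 srvads2.mydomain.lan\n' > "$f" ;;
        resolv-good)   printf 'search mydomain.lan\nnameserver 192.168.1.11\n' > "$f" ;;
        resolv-self)   printf 'nameserver 127.0.0.1\n' > "$f" ;;
    esac
    echo "$f"
}

# Live use on the future srvads2, before running samba-tool domain join:
#   check_hosts /etc/hosts srvads2.mydomain.lan 192.168.1.12 \
#     && check_resolv /etc/resolv.conf 192.168.1.11 && echo "ready to join"
```

The ``hosts-debian`` sample reproduces the ``127.0.1.1`` line that the Debian installer adds for the hostname; the check rejects it, which is exactly the case the bullet above is warning about.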

.. include:: samba_config_server-samba_config_server-server_install_samba_debian_repo.rst.inc

.. include:: samba_config_server-server_config_krb_secondary_server.rst.inc

**************************************************
Configuring Samba as a Secondary Domain Controller
**************************************************

* Remove the configuration file :file:`/etc/samba/smb.conf` which was automatically generated during package installation:

  .. code-block:: bash

    rm -f /etc/samba/smb.conf

* Join the machine to the domain as a domain controller. Replace the values *mydomain.lan*, *MYDOMAIN.LAN* and *MYDOMAIN* with the values of your domain:

  .. code-block:: bash

    samba-tool domain join mydomain.lan DC -U administrator --realm=MYDOMAIN.LAN -W MYDOMAIN

* Make the resolver point to the DC itself in :file:`/etc/resolv.conf`:

  .. code-block:: ini

    nameserver 127.0.0.1

* In :file:`/etc/samba/smb.conf`, add a DNS forwarder for names outside the domain (8.8.8.8 is only an example; use the upstream resolver of your site):

  .. code-block:: ini

    [global]
       ...
       dns forwarder = 8.8.8.8
       ...

* Activate the automatic start of the AD service, and make sure the classic ``smbd``, ``nmbd`` and ``winbind`` units can never start alongside it:

  .. code-block:: bash

    systemctl disable winbind nmbd smbd
    systemctl mask winbind nmbd smbd
    systemctl unmask samba-ad-dc
    systemctl enable samba-ad-dc

* Point Samba's Kerberos configuration to the system-wide file:

  .. hint::

    Provisioning or joining a domain with ``samba-tool`` creates a ``krb5.conf`` in the directory :file:`/var/lib/samba/private`.

    Some Samba calls use this file by default.

    It is best to replace it with a symbolic link to :file:`/etc/krb5.conf` so that the two files cannot diverge and cause side effects.

  .. code-block:: bash

    rm /var/lib/samba/private/krb5.conf
    ln -s /etc/krb5.conf /var/lib/samba/private/krb5.conf

* Restart Samba:

  .. code-block:: bash

    pkill -9 smbd
    pkill -9 nmbd
    pkill -9 winbindd
    systemctl restart samba-ad-dc

* Register the domain controller's DNS records and check that they have been created:

  .. code-block:: bash

    samba_dnsupdate --verbose --use-samba-tool

******************
Configuring SYSVOL
******************

* Graphically, from a Windows workstation logged in as Domain Administrator, you can copy the content of :file:`\\\\srvads1\\sysvol` from *srvads1* to *srvads2*.
  Or, with command lines, run on *srvads2*:

  .. code-block:: bash

    rsync -aP root@srvads1:/var/lib/samba/sysvol/ /var/lib/samba/sysvol/

* Then reset the :abbr:`ACL (Access Control List)` on SYSVOL and check them. The reset is required because ``rsync -a`` does not copy the extended attributes in which Samba stores the NT ACLs; ``sysvolcheck`` prints nothing when the ACLs are correct:

  .. code-block:: bash

    samba-tool ntacl sysvolreset
    samba-tool ntacl sysvolcheck

.. hint::

  While waiting for the development of a DFS-R officially supported by Samba-team, Tranquil IT proposes the :ref:`tis-sysvolsync <samba_tis_sysvolsync>` tool to synchronize SYSVOL shares between Samba domain controllers.

*******************************
Validating the new installation
*******************************

* Check the replication status with :command:`samba-tool drs showrepl --summary`. The replicas may take a few minutes to be set up.

  Once replication is correct (5 *Inbound* and 5 *Outbound* replications, one per replicated partition), you can proceed to the following checks.

* Connect to the new domain controller from the :guilabel:`Active Directory DNS` console and check that its zones and records are visible.

* Connect to it from the :guilabel:`Active Directory Users and Computers` console.
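As an added example (not part of this documentation or of Samba), the following script turns the replication check into something that can run from cron or a monitoring agent. It parses the full output of :command:`samba-tool drs showrepl` (not the ``--summary`` form), counts the partitions listed under the inbound and outbound neighbour sections and flags links whose failure counter is non-zero; the ``--live`` mode also runs the DNS-record and SYSVOL ACL checks used earlier on this page. The showrepl-shaped text produced by ``sample_showrepl`` is constructed for offline use, not captured from a real DC.

```shell
#!/bin/bash
# Post-join health check for a Samba AD DC, built around the output of
# `samba-tool drs showrepl` (full output, not --summary). Added example for
# this page; it is not part of Samba or of Tranquil IT's tooling.
set -eu

# replication_summary: read showrepl output on stdin and print
# "inbound=N outbound=M failures=K", where N and M count the naming contexts
# listed under each neighbour section and K counts links whose
# "consecutive failure(s)" counter is non-zero.
replication_summary() {
    awk '
        /^==== INBOUND NEIGHBORS ====/      { section = "in";  next }
        /^==== OUTBOUND NEIGHBORS ====/     { section = "out"; next }
        /^==== KCC CONNECTION OBJECTS ====/ { section = "kcc"; next }
        /^(DC|CN)=/ {                      # a naming context starts at column 0
            if (section == "in")  inbound++
            if (section == "out") outbound++
            next
        }
        /consecutive failure/ {            # indented "0 consecutive failure(s)." line
            if (section != "kcc" && $1 + 0 > 0) failures++
        }
        END { printf "inbound=%d outbound=%d failures=%d\n", inbound, outbound, failures }
    '
}

# replication_ok [EXPECTED]: succeed only when EXPECTED partitions (default 5:
# Schema, Configuration, Domain, DomainDnsZones, ForestDnsZones) replicate in
# both directions with no accumulated failures.
replication_ok() {
    local expected="${1:-5}" summary inbound outbound failures
    summary="$(replication_summary)"
    inbound="${summary#inbound=}";    inbound="${inbound%% *}"
    outbound="${summary#*outbound=}"; outbound="${outbound%% *}"
    failures="${summary#*failures=}"
    if [ "$inbound" -eq "$expected" ] && [ "$outbound" -eq "$expected" ] \
       && [ "$failures" -eq 0 ]; then
        return 0
    fi
    echo "replication degraded: $summary (expected $expected/$expected, 0 failures)" >&2
    return 1
}

# sample_showrepl [FAILURES]: constructed showrepl-shaped output (not captured
# from a real DC) with srvads1 as the only partner; FAILURES is written on the
# inbound DomainDnsZones link so the degraded case can be exercised offline.
sample_showrepl() {
    local fail="${1:-0}" dir ctx n
    printf 'Default-First-Site-Name\\SRVADS2\nDSA Options: 0x00000001\n\n'
    for dir in INBOUND OUTBOUND; do
        printf '==== %s NEIGHBORS ====\n\n' "$dir"
        for ctx in 'DC=mydomain,DC=lan' 'CN=Configuration,DC=mydomain,DC=lan' \
                   'CN=Schema,CN=Configuration,DC=mydomain,DC=lan' \
                   'DC=DomainDnsZones,DC=mydomain,DC=lan' \
                   'DC=ForestDnsZones,DC=mydomain,DC=lan'; do
            n=0
            if [ "$dir" = INBOUND ] && [ "$ctx" = 'DC=DomainDnsZones,DC=mydomain,DC=lan' ]; then
                n="$fail"
            fi
            printf '%s\n\tDefault-First-Site-Name\\SRVADS1 via RPC\n\t\t%d consecutive failure(s).\n\n' "$ctx" "$n"
        done
    done
    printf '==== KCC CONNECTION OBJECTS ====\n\n'
}

# With --live, run the real checks on this DC; otherwise only define the functions.
if [ "${1:-}" = "--live" ]; then
    samba-tool drs showrepl | replication_ok
    samba_dnsupdate --verbose --use-samba-tool
    samba-tool ntacl sysvolcheck
    echo "this DC looks healthy"
fi
```

Run it as ``./dc-health.sh --live`` on *srvads2* once the replicas have converged; a non-zero exit reports the degraded partition count or failure counter on stderr, which is the signal worth alerting on.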

**********************
Configuring signed NTP
**********************

* Configure the :abbr:`NTP (Network Time Protocol)` by following the :ref:`NTP service configuration documentation with Samba <server_install_ntp_debian>`.

**********************
Configuring DNS hybrid
**********************

Before going into production, the internal Samba :abbr:`DNS (Domain Name System)` server must be replaced by the hybrid DNS setup (Bind9 using Samba's DLZ module as backend).
To do this, follow the :ref:`documentation to integrate Samba with Bind9 on Debian <server_install_hybrid_dns_debian>`.

Great, if you have made it this far, then everything went well and you have a new operational secondary domain controller.
