.. Reminder for header structure:        
  Parts (H1)          : #################### with overline
  Chapters (H2)       : ******************** with overline
  Sections (H3)       : ====================
  Subsections (H4)    : --------------------
  Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
  Paragraphs (H6)     : """""""""""""""""""""

.. |date| date::

.. meta::
  :description: Installing and configuring a secondary Samba-AD on RedHat10 and derivatives
  :keywords: RedHat10, Samba-AD, documentation, secondary Domain Controller

.. _server_secondary_redhat:

##########################################################################
Installing and configuring a secondary Samba-AD on Redhat and derivatives
##########################################################################

.. note::

  In this documentation, it is assumed:

  * That the main domain controller is called *srvads1*.

  * That the secondary domain controller is called *srvads2*.

  * That the domain is called *mydomain.lan*.

  In the instructions below, you will replace *mydomain.lan* with your own domain name and *srvads1* and *srvads2* with the machine names of your choice.

* On a 64-bit RedHat10 (or derivative) base, prepare a clean network configuration by following :ref:`this documentation <server_prepare_redhat>`.

.. include:: samba_config_server-samba_config_server-server_install_samba_redhat_repo.rst.inc

***********************************
Finalizing your basic configuration
***********************************

* Change :file:`/etc/hostname` to contain the :abbr:`FQDN (Fully Qualified Domain Name)` name of the machine:

  .. code-block:: ini

    srvads2.mydomain.lan

* Modify :file:`/etc/hosts` so that it contains the :abbr:`DNS (Domain Name Service)` resolution of the machine's :abbr:`FQDN (Fully Qualified Domain Name)` on its IP (i.e. not 127.0.0.1), with the long name then the short name:

  .. code-block:: ini

    127.0.0.1      localhost
    192.168.1.12   srvads2.mydomain.lan srvads2

* Reboot the machine so that it takes its new name into account by doing a :command:`reboot`.

  .. note::

    Running :command:`hostname -F /etc/hostname` alone does not seem to be enough: the Samba script still picks up the old name.
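The two name rules above (the FQDN in :file:`/etc/hostname`; the FQDN mapped to the real IP, long name before short name, in :file:`/etc/hosts`) are what Samba's DNS registration relies on, so they are worth checking before the join. The following pre-flight check is an added example, not part of the original documentation; ``check_dc_names`` is a hypothetical helper and the sample files are constructed so it runs offline.

```shell
#!/bin/sh
# Pre-flight check for the name configuration of a Samba-AD DC (added example).
# check_dc_names HOSTNAME_FILE HOSTS_FILE
#   Prints one line per problem; returns 0 when clean, 1 otherwise.
#   On a real machine call it as: check_dc_names /etc/hostname /etc/hosts
check_dc_names() {
    hostname_file=$1
    hosts_file=$2
    status=0
    fqdn=$(head -n1 "$hostname_file" | tr -d '[:space:]')
    short=${fqdn%%.*}
    case "$fqdn" in
        *.*) ;;
        *) echo "hostname '$fqdn' is not an FQDN"; status=1 ;;
    esac
    # First /etc/hosts line (comments stripped) that mentions the FQDN at all.
    line=$(sed 's/#.*//' "$hosts_file" |
        awk -v f="$fqdn" '{ for (i = 2; i <= NF; i++) if ($i == f) { print; exit } }')
    if [ -z "$line" ]; then
        echo "no line in $hosts_file mentions '$fqdn'"
        return 1
    fi
    set -- $line
    ip=$1; name1=$2; name2=$3
    case "$ip" in
        127.*|::1) echo "'$fqdn' resolves to loopback $ip instead of the machine IP"; status=1 ;;
    esac
    [ "$name1" = "$fqdn" ] || { echo "long name '$fqdn' must come first on its line"; status=1; }
    [ "$name2" = "$short" ] || { echo "short name '$short' must follow '$fqdn'"; status=1; }
    return $status
}

# Constructed sample matching the documentation above; real files replace these.
demo_dir=$(mktemp -d)
printf 'srvads2.mydomain.lan\n' > "$demo_dir/hostname"
printf '127.0.0.1      localhost\n192.168.1.12   srvads2.mydomain.lan srvads2\n' > "$demo_dir/hosts"
check_dc_names "$demo_dir/hostname" "$demo_dir/hosts" && echo "name configuration OK"
rm -rf "$demo_dir"
```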

**********************************************
Joining the secondary controller to the domain
**********************************************

* Configure the DNS to point to a Windows or Samba domain controller in :file:`/etc/resolv.conf`:

  .. code-block:: ini

    search mydomain.lan
    nameserver 192.168.1.11

.. include:: samba_config_server-server_config_krb_secondary_server.rst.inc

Configuring Samba as a Secondary Domain Controller
==================================================

* Remove the configuration file :file:`/etc/samba/smb.conf` which was automatically generated during package installation:

  .. code-block:: bash

    rm -f /etc/samba/smb.conf

* Join *srvads2* as a member of the domain:

  .. code-block:: bash

    samba-tool domain join mydomain.lan DC -U administrator --realm=MYDOMAIN.LAN -W MYDOMAIN

* Modify the DNS to point to itself in :file:`/etc/resolv.conf`:

  .. code-block:: ini

    nameserver 127.0.0.1

* In :file:`/etc/samba/smb.conf`, add the DNS forwarder:

  .. code-block:: ini

    [global]
       ...
       dns forwarder = 8.8.8.8
       ...

* Activate the automatic start of the AD service:

  .. code-block:: bash

    systemctl enable samba
    systemctl disable winbind nmb smb
    systemctl mask winbind nmb smb

* Point your Kerberos to the correct configuration file:

  .. hint::

    By default Samba-AD provisioning creates an example file ``krb5.conf`` in the directory :file:`/var/lib/samba/private`.

    This file is used by default by some Samba calls.

    It is best to replace it with a symbolic link to :file:`/etc/krb5.conf` to avoid some side effects.

  .. code-block:: bash

    rm /var/lib/samba/private/krb5.conf
    ln -s /etc/krb5.conf /var/lib/samba/private/krb5.conf

* Restart Samba:

  .. code-block:: bash

    systemctl restart samba

* Check that the DNS entries are correct:

  .. code-block:: bash

    samba_dnsupdate --verbose

* If some updates still *fail*, use this method, which bypasses Kerberos:

  .. code-block:: bash

    samba_dnsupdate --use-samba-tool

******************
Configuring SYSVOL
******************

* Graphically, you can retrieve the content of :file:`\\\\srvads1\\sysvol` from *srvads1* and copy it to *srvads2* from a Windows workstation as Domain Administrator.
  Or, with command lines, on *srvads2*, run:

  .. code-block:: bash

    rsync -aP root@srvads1:/var/lib/samba/sysvol/ /var/lib/samba/sysvol/

* Then reset the :abbr:`ACL (Access Control List)` on SYSVOL, and check the ACLs (it should return nothing if OK):

  .. code-block:: bash

    samba-tool ntacl sysvolreset
    samba-tool ntacl sysvolcheck

.. hint::

  While waiting for a DFS-R implementation officially supported by the Samba team, Tranquil IT offers the :ref:`tis-sysvolsync <samba_tis_sysvolsync>` tool to synchronize SYSVOL shares between Samba domain controllers.

*******************************
Validating the new installation
*******************************

* Test the DNS connection from the :guilabel:`DNS Active Directory` console.

* Test the connection from the :guilabel:`Active Directory Users and Computers` console.

* Check the status of the replications:

  .. code-block:: bash

    samba-tool drs showrepl
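Reading ``samba-tool drs showrepl`` by eye is fine once; for a DC you keep, a check that flags any link whose ``consecutive failure(s)`` count is nonzero is more useful. The script below is an added example, not part of the original documentation; ``showrepl_failures`` is a hypothetical helper, and the sample output is constructed from the assumed ``showrepl`` layout (real output is tab-indented; both tabs and spaces are accepted).

```shell
#!/bin/sh
# Replication health check over captured `samba-tool drs showrepl` output (added example).
# On a live DC:  samba-tool drs showrepl > /tmp/showrepl.txt && showrepl_failures /tmp/showrepl.txt

# showrepl_failures FILE
#   Prints "DIRECTION PARTITION PARTNER FAILURES" for every failing link.
#   Returns 0 when all links are healthy, 1 otherwise.
showrepl_failures() {
    awk '
        /^==== INBOUND NEIGHBORS ====/      { dir = "inbound";  next }
        /^==== OUTBOUND NEIGHBORS ====/     { dir = "outbound"; next }
        /^==== KCC CONNECTION OBJECTS ====/ { dir = "";         next }
        # Partition DN at column 0, e.g. DC=mydomain,DC=lan
        dir != "" && /^[A-Za-z]+=/          { part = $1; next }
        # Indented partner line, e.g. Default-First-Site-Name\SRVADS1 via RPC
        dir != "" && /^[ \t]+[^ \t].* via / { partner = $1; next }
        dir != "" && /consecutive failure/ {
            n = $1 + 0
            if (n > 0) { print dir, part, partner, n; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed sample: the inbound link is healthy, the outbound link is failing.
sample_showrepl() {
    printf '%s\n' \
        'Default-First-Site-Name\SRVADS2' \
        'DSA Options: 0x00000001' \
        '' \
        '==== INBOUND NEIGHBORS ====' \
        '' \
        'DC=mydomain,DC=lan' \
        '    Default-First-Site-Name\SRVADS1 via RPC' \
        '        Last attempt @ Mon Mar  4 10:00:00 2024 UTC was successful' \
        '        0 consecutive failure(s).' \
        '' \
        '==== OUTBOUND NEIGHBORS ====' \
        '' \
        'DC=mydomain,DC=lan' \
        '    Default-First-Site-Name\SRVADS1 via RPC' \
        '        Last attempt @ Mon Mar  4 10:00:00 2024 UTC failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)' \
        '        3 consecutive failure(s).' \
        '' \
        '==== KCC CONNECTION OBJECTS ===='
}

demo=$(mktemp)
sample_showrepl > "$demo"
showrepl_failures "$demo" || echo "replication problems found"
rm -f "$demo"
```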

**********************
Configuring signed NTP
**********************

* Configure the :abbr:`NTP (Network Time Protocol)` by following the :ref:`NTP service configuration documentation with Samba <server_install_ntp_redhat>`.

**********************
Configuring hybrid DNS
**********************

Before going into production, the internal Samba :abbr:`DNS (Domain Name Service)` must be replaced by the hybrid DNS.
To do this, follow the :ref:`documentation to integrate Samba with Bind9 on Redhat <server_install_hybrid_dns_redhat>`.

Great, if you have made it this far, then everything went well and you now have an operational secondary domain controller.
