This documentation shows the steps to install and deploy a Domain Controller on a Debian 12 host. Virtualization was done with KVM (1 x vCPU, 1 GB RAM, 12 GB SSD); this documentation does not cover setting up and running the dedicated host.
The SAMBA project provides very good and thorough documentation with the necessary steps to get a Domain Controller up and running: Introduction - Setting_up_Samba_as_an_Active_Directory_Domain_Controller
NOTE: The documentation uses "samdom.example.com" as the DC's primary domain. Since I am resident in Latvia, NIC (the domain registrar for .lv) provides a free second-level domain (*.id.lv) for every private person, and I will be using dc01.domain.id.lv in my case.
Follow the steps in the SAMBA documentation:
- Install distribution (Debian) specific packages:
apt-get update && apt-get install acl attr samba winbind libpam-winbind libnss-winbind krb5-config krb5-user dnsutils python3-setproctitle smbclient ldb-tools python3-cryptography
- Install chrony as the NTP server:
apt-get update && apt-get install chrony
- Set up the Chrony NTP server following the documentation here - Configuring Time Synchronisation on a DC with chrony
NOTE: The "ntp_signd" directory has to be created manually in /var/lib/samba/ with the required permissions as per the documentation.
- Set a static IP address on your DC's network interface. I am using systemd-networkd as the network manager. Debian Wiki tutorial - SystemdNetworkd
- Edit the /etc/hosts file and add the fully-qualified domain name and the short host name of the DC:
127.0.0.1 localhost
192.168.99.1 debian-dc01.dc01.domain.lv debian-dc01
- Stop all SAMBA related services, in case they are running:
systemctl stop samba winbind nmbd smbd
- Remove any existing configuration files for SAMBA (smb.conf, *.tdb and *.ldb files) - Reference
- Provision a SAMBA Active Directory host in Interactive Mode - Reference
# samba-tool domain provision --use-rfc2307 --interactive
Realm: dc01.domain.id.lv
Domain: dc01
Server Role: dc
DNS backend: SAMBA_INTERNAL
DNS forwarder IP address: 8.8.8.8 (You can set up more than one in smb.conf)
Administrator password: SuperP4ss
...
- Disable the systemd-resolved service and create a static /etc/resolv.conf file containing only the following entries, as SAMBA will now be the DNS resolver:
search dc01.domain.id.lv
nameserver 127.0.0.1
- Copy the generated SAMBA Kerberos configuration file into place - Reference:
cp -av /var/lib/samba/private/krb5.conf /etc/krb5.conf
- Activate the SAMBA AD DC service - Reference
# systemctl mask smbd nmbd winbind
# systemctl disable smbd nmbd winbind
# systemctl unmask samba-ad-dc
# systemctl enable samba-ad-dc
- Reboot the DC
- Optionally - Create a DNS reverse zone - Reference
- Verify that the file server is operational, that AD DNS is working correctly and that Kerberos is working as intended - Reference1 Reference2 Reference3
- If there are issues, follow the guidelines here - Samba_AD_DC_Troubleshooting
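Two of the steps above are hand edits (/etc/hosts and /etc/resolv.conf), and mistakes in them do not stop samba-tool from provisioning; they show up later as a DC that registers loopback or unresolvable DNS records for itself. The following script is an added example, not part of the original post or of the Samba wiki. It checks that the DC's FQDN maps to a non-loopback address with the short name as an alias, that the FQDN's domain part matches the realm given to samba-tool, and that resolv.conf points only at the DC's own DNS. The file paths, host name (debian-dc01.dc01.domain.id.lv) and realm used in the usage line are assumptions for illustration; verify_dc assumes the host, smbclient and kinit tools from the packages installed at the start of the guide.

```shell
#!/bin/sh
# Added example (not from the Samba wiki or the original post): a pre-provision
# sanity check for the two files this guide edits by hand, /etc/hosts and
# /etc/resolv.conf. A DC whose own name resolves to 127.0.1.1 (the Debian
# installer's default hosts line), or whose host name does not live under the
# realm, provisions without error but then registers unusable DNS records.
# File paths are parameters so the checks can run against copies of the files.

# check_hosts_entry HOSTS_FILE FQDN SHORTNAME
# Passes when a line maps a non-loopback address to FQDN (as the first,
# canonical name) and also lists SHORTNAME as an alias.
check_hosts_entry() {
    awk -v fqdn="$2" -v short="$3" '
        /^[[:space:]]*#/ || NF < 2 { next }
        $2 == fqdn {
            seen = 1
            if ($1 ~ /^127\./) {
                print "hosts: " fqdn " maps to loopback address " $1; exit 1
            }
            for (i = 3; i <= NF; i++) if ($i == short) has_short = 1
            if (!has_short) {
                print "hosts: short name " short " missing on the " $1 " line"; exit 1
            }
            exit 0
        }
        END { if (!seen) { print "hosts: no line with " fqdn " as canonical name"; exit 1 } }
    ' "$1"
}

# check_fqdn_in_realm FQDN REALM
# The DC must be named inside the realm: everything after the first label of
# FQDN has to equal REALM (compared case-insensitively).
check_fqdn_in_realm() {
    domain_part=$(printf '%s' "${1#*.}" | tr '[:upper:]' '[:lower:]')
    realm=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    if [ "$domain_part" != "$realm" ]; then
        echo "fqdn: $1 is not under realm $2 (domain part is $domain_part)"
        return 1
    fi
}

# check_resolv_conf RESOLV_FILE REALM
# After provisioning the DC must use its own internal DNS: exactly one
# nameserver line, pointing at 127.0.0.1, and the realm in the search list.
check_resolv_conf() {
    awk -v realm="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        $1 == "nameserver" { ns++; if ($2 != "127.0.0.1") bad = $2 }
        $1 == "search" || $1 == "domain" {
            for (i = 2; i <= NF; i++) if (tolower($i) == realm) has_realm = 1
        }
        END {
            if (ns != 1) { print "resolv.conf: expected one nameserver line, found " ns + 0; exit 1 }
            if (bad != "") { print "resolv.conf: nameserver " bad " bypasses the DC internal DNS"; exit 1 }
            if (!has_realm) { print "resolv.conf: search list does not contain " realm; exit 1 }
        }
    ' "$1"
}

# preflight HOSTS_FILE RESOLV_FILE FQDN SHORTNAME REALM
# Runs every check, stops at the first failure, returns 0 only if all pass.
preflight() {
    check_hosts_entry "$1" "$3" "$4" &&
    check_fqdn_in_realm "$3" "$5" &&
    check_resolv_conf "$2" "$5" &&
    echo "preflight: $3 in realm $5 looks consistent"
}

# verify_dc FQDN REALM
# Post-provision spot checks (assumption: host, smbclient and kinit from the
# dnsutils, smbclient and krb5-user packages). Not run automatically; call it
# on the DC after samba-ad-dc is enabled and the host has been rebooted.
verify_dc() {
    host -t SRV "_ldap._tcp.$2." localhost &&
    host -t SRV "_kerberos._udp.$2." localhost &&
    host -t A "$1." localhost &&
    smbclient -L localhost -N &&
    kinit "administrator@$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')" &&
    klist
}

# Usage (host name and realm are illustrative, adjust to your own):
#   sh dc-preflight.sh /etc/hosts /etc/resolv.conf \
#       debian-dc01.dc01.domain.id.lv debian-dc01 dc01.domain.id.lv
if [ "$#" -eq 5 ]; then
    preflight "$@"
fi
```

The checks are deliberately file-based rather than relying on `hostname -f` or a live resolver, so they can be run before systemd-resolved is disabled and before any service is started; verify_dc is the part that needs the running DC.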