# Add ns7 Samba Domain Controller to an existing Active Directory

For the time being, the server manager can only provision a new Samba Active Directory domain controller for a new domain. However, we can also configure a Samba Domain Controller and join it to an existing Active Directory forest by following the [official procedure from Samba wiki](

In NethServer 7 the Samba4 Domain Controller runs confined in a Linux container and needs some additional steps to be configured; this is the discussion about [why Samba DC runs in a container](

## Experimental

This procedure is experimental and incomplete. It is not designed to work on production environments, and it does not integrate with the NethServer backup/restore procedure. According to the Samba docs, a domain controller is never restored from a backup; a new controller is joined instead, as explained on

See this document to remove a domain controller from an AD domain:

Samba does not replicate the ``sysvol`` share between domain controllers: synchronize its contents as explained (for instance) here:

## Prerequisites

Install nethserver-dc:

  yum install nethserver-dc

In the server manager, configure a green bridge interface (say br0) and pick a free IP address from your LAN (say ). Then assign the bridge and the IP (the value of the ``IpAddress`` prop) to the nsdc container:

  config setprop nsdc IpAddress bridge br0 status enabled ProvisionType wikiadditionaldc

Set the DNS domain name (Realm) and the NetBIOS domain name (Workgroup) of the existing domain:

  config setprop sssd Realm SAMDOM.EXAMPLE.COM Workgroup SAMDOM

Patch the ``nethserver-dc-join`` action and write the join credentials (the domain admin user name on the first line, its password on the second) to a special file. The file holds a domain admin password in clear text, so make it readable by root only (``chmod 600``) and delete it once the join has completed:

  curl | patch -d / -u -p2
  echo -e 'adminuser\npassword' > /root/.joincredentials
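A small pre-flight script for the values set so far, as an added example (it is not NethServer code): it validates the IP, Realm and Workgroup before they are committed with ``config setprop``, and it writes the credentials file with owner-only permissions instead of the plain ``echo``. It assumes that the IP address is the value of the ``IpAddress`` prop, as the text implies, and the two-line file layout of the ``echo`` above; ``br0`` and the sample values are the ones used on this page.

```shell
#!/bin/sh
# Added example, not NethServer code: pre-flight checks for the values set above.
# Assumptions: the IP address is the value of the nsdc "IpAddress" prop (as the
# text implies); the credentials file has the user name on line 1 and the
# password on line 2, exactly as the echo above writes it.

# True if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Kerberos realms are upper case by convention and that is how NethServer stores
# them: accept only UPPERCASE letters, digits, dots and hyphens, with at least
# one dot (explicit letter list so the check does not depend on the locale).
valid_realm() {
    case "$1" in
        ''|*[!ABCDEFGHIJKLMNOPQRSTUVWXYZ0-9.-]*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# A NetBIOS domain name is at most 15 characters and contains no dots.
valid_workgroup() {
    case "$1" in
        ''|*[!ABCDEFGHIJKLMNOPQRSTUVWXYZ0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Run the three checks, naming each bad value on stderr. Returns 1 on any failure.
preflight() {
    rc=0
    valid_ipv4 "$1"      || { echo "bad IpAddress: $1 (dotted-quad IPv4 expected)" >&2; rc=1; }
    valid_realm "$2"     || { echo "bad Realm: $2 (UPPERCASE DNS name expected)" >&2; rc=1; }
    valid_workgroup "$3" || { echo "bad Workgroup: $3 (at most 15 chars, no dots)" >&2; rc=1; }
    return "$rc"
}

# Write the credentials file owner-readable only. It holds a domain admin
# password in clear text, so it is created closed (umask 077) rather than
# chmod'ed after a world-readable window; chmod 600 also covers a pre-existing file.
write_join_credentials() {
    user=$1; pass=$2; file=${3:-/root/.joincredentials}
    old_umask=$(umask)
    umask 077
    printf '%s\n%s\n' "$user" "$pass" > "$file"
    rc=$?
    umask "$old_umask"
    [ "$rc" -eq 0 ] && chmod 600 "$file"
}

# Permission string of a file as ls prints it, e.g. -rw-------
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Interactive helper: read the password without echoing it, so it never lands
# in the shell history the way the echo above does.
prompt_join_credentials() {
    printf 'domain admin user: '; read -r user
    printf 'password: '; stty -echo; read -r pass; stty echo; echo
    write_join_credentials "$user" "$pass" "$1"
}

# Usage: sh preflight.sh <IP> <REALM> <WORKGROUP>
# Prints the two setprop commands to run once all three values pass.
if [ "$#" -ge 3 ] && preflight "$1" "$2" "$3"; then
    printf 'config setprop nsdc IpAddress %s bridge br0 status enabled ProvisionType wikiadditionaldc\n' "$1"
    printf 'config setprop sssd Realm %s Workgroup %s\n' "$2" "$3"
fi
```

Run it with the three values before the ``config setprop`` lines above, then call ``prompt_join_credentials`` from the same shell to create ``/root/.joincredentials`` without putting the password on a command line.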

Follow the messages log in the background:

  tail -f /var/log/messages &

Run the ``nethserver-dc-firststart`` action manually and follow the log:

  /etc/e-smith/events/actions/nethserver-dc-firststart ev

The nsdc container is created by downloading additional RPMs, then started. However, the Samba DC service cannot start at this point: we implicitly disabled it when we set ``ProvisionType wikiadditionaldc``, so the action waits indefinitely. When the following lines appear in the log, stop the action by pressing ``Ctrl+Z``:

  May 30 09:45:55 neth systemd-nspawn: CentOS Linux 7 (Core)
  May 30 09:45:55 neth systemd-nspawn: Kernel 3.10.0-514.el7.x86_64 on an x86_64
  May 30 09:46:09 neth kernel: br0: port 2(vb-nsdc) entered forwarding state

This is the stopped process:

  [root@neth ~]# ps f
  21440 pts/1    Ss     0:00 -bash
   1982 pts/1    S      0:00  \_ tail -f /var/log/messages
   1983 pts/1    T      0:00  \_ /usr/bin/perl -w /sbin/e-smith/signal-event nethserver-dc-save
   3459 pts/1    T      0:00  |   \_ /bin/bash /etc/e-smith/events/nethserver-dc-save/S95nethserver-dc-waitstart nethserver-dc-save
   3549 pts/1    T      0:00  |       \_ sleep 5
   3580 pts/1    R+     0:00  \_ ps f
   3519 pts/0    Ss+    0:00 /sbin/agetty --noclear --keep-baud console 115200 38400 9600 vt220
   3732 tty1     Ss+    0:00 -bash

Install additional packages on nsdc (this can be done later, too):

  yum -y --releasever=7 --installroot=/var/lib/machines/nsdc install vi iputils iproute bind-utils

Get a shell on nsdc:

  systemd-run -t -M nsdc /bin/bash

## Samba domain provision

From an nsdc shell, edit ``/etc/resolv.conf`` (with vi) and add the IP of an existing domain controller (e.g. ````) as the primary ``nameserver`` (ref. [Samba Wiki](

Refer to the Samba wiki for the ``samba-tool`` invocation:

This was my ``samba-tool`` invocation (``--password`` can be omitted: ``samba-tool`` then prompts for it, which keeps the domain administrator password out of the shell history and of the process list):

  samba-tool domain join DC -U'SAMDOM\administrator' --password=secretpass --dns-backend=SAMBA_INTERNAL --option="include = /etc/samba/smb.conf.include"

At the end of the procedure, run this additional command in the nsdc shell, so that the container's Kerberos client uses the configuration generated by the join:

  cp -av /var/lib/samba/private/krb5.conf /etc/krb5.conf

Exit from the container shell. From the host machine, regenerate the container's ``resolv.conf`` from its template and restart the container:

  expand-template  /var/lib/machines/nsdc/etc/resolv.conf
  systemctl stop nsdc
  systemctl start nsdc

To check the status of the container:

  systemctl status nsdc

To see the container system log:

  journalctl -M nsdc

## Join NethServer to its container

Now that nsdc is running with a Samba4 DC instance, we can resume the join procedure. On the host machine:


In the ``messages`` log file a couple of errors occur; they can be ignored:

  [ERROR] UPN suffix update failed (LdapUri=ldaps://
  ERROR(exception): Failed to add members "VM8$" to group "Account Operators" - Unable to find "VM8$". Operation cancelled.

## Final checks

If everything is OK, this should return a record:

  getent passwd administrator

And so should this one:

  getent passwd administrator@$(hostname -d)

Verify that replication works correctly. Get an nsdc shell, then type:

  samba-tool drs showrepl

If there are failures, refer to this document:
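Reading ``samba-tool drs showrepl`` by eye gets tedious once there are several naming contexts and neighbours, so here is an added example (not Samba or NethServer code) that reduces the output to the neighbours whose replication is failing and exits non-zero when there are any, which makes it usable as a gate in a script or a cron alert. It relies on the per-neighbour ``Last attempt @ ... failed, result ...`` and ``<n> consecutive failure(s).`` lines of the showrepl layout; the embedded sample output is constructed, with dummy GUIDs and dates.

```shell
#!/bin/sh
# Added example, not NethServer or Samba code: reduce "samba-tool drs showrepl"
# to the neighbours whose replication is failing. The parser relies on the
# "<n> consecutive failure(s)." and "Last attempt @ ... failed, result ..." lines
# that showrepl prints for each inbound/outbound neighbour.

# Reads showrepl output on stdin, prints one line per failing neighbour, and
# exits 1 if there was at least one, so it can gate a script or a cron alert.
showrepl_failures() {
    awk '
        /^==== /                   { section = $2; next }    # INBOUND / OUTBOUND / KCC
        /^[A-Za-z]+=/              { partition = $0; next }  # naming context, e.g. DC=samdom,DC=example,DC=com
        /^[ \t]+[^ \t]+ via /      { neighbour = $1; reason = ""; next }
        /Last attempt @ .* failed/ { sub(/.*failed, /, ""); reason = $0; next }
        /consecutive failure\(s\)/ {
            n = $1 + 0
            if (n > 0) {
                bad++
                printf "%s %s <- %s: %d consecutive failure(s) %s\n", section, partition, neighbour, n, reason
            }
        }
        END { exit (bad > 0) }
    '
}

# Number of failing neighbours in the showrepl output fed on stdin.
showrepl_failure_count() {
    showrepl_failures | wc -l | tr -d '[:space:]'
}

# Constructed sample in the showrepl layout: one healthy neighbour and one whose
# RPC replication has failed three times in a row. GUIDs and dates are dummies.
sample_showrepl() {
    cat <<'EOF'
Default-First-Site-Name\NSDC
DSA Options: 0x00000001
DSA object GUID: 00000000-0000-0000-0000-000000000001
DSA invocationId: 00000000-0000-0000-0000-000000000002

==== INBOUND NEIGHBORS ====

DC=samdom,DC=example,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 00000000-0000-0000-0000-000000000003
                Last attempt @ Tue May 30 10:12:34 2017 CEST was successful
                0 consecutive failure(s).
                Last success @ Tue May 30 10:12:34 2017 CEST

CN=Configuration,DC=samdom,DC=example,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 00000000-0000-0000-0000-000000000003
                Last attempt @ Tue May 30 10:12:40 2017 CEST failed, result 1256 (WERR_RPC_S_SERVER_UNAVAILABLE)
                3 consecutive failure(s).
                Last success @ Mon May 29 18:00:00 2017 CEST

==== OUTBOUND NEIGHBORS ====

DC=samdom,DC=example,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 00000000-0000-0000-0000-000000000003
                Last attempt @ Tue May 30 10:12:34 2017 CEST was successful
                0 consecutive failure(s).
                Last success @ Tue May 30 10:12:34 2017 CEST
EOF
}

# Usage from an nsdc shell: sh check-repl.sh live   (runs the real command)
# Without arguments it parses the constructed sample above.
if [ "$1" = live ]; then
    samba-tool drs showrepl | showrepl_failures
else
    sample_showrepl | showrepl_failures || echo "replication problems found, see samba-tool drs showrepl" >&2
fi
```

On the sample the script reports only the ``CN=Configuration`` inbound neighbour with its ``result 1256 (WERR_RPC_S_SERVER_UNAVAILABLE)``; a clean ``showrepl`` prints nothing and exits 0.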

  • howto/add_ns7_samba_domain_controller_to_existing_active_directory.txt
  • Last modified: 2017/10/02 06:51
  • by Davide Principi