Active Directory (AD) is a Microsoft technology that provides services within a Windows domain environment.
The AD services to be deployed are:
- [Domain Services](https://technet.microsoft.com/en-us/library/cc770946(v=ws.10).aspx)
- Certificate Services
- Rights Management Services
- Lightweight Directory Services
DNS resolution is a critical function for domain controllers and domain joined computers. To minimise the risk of authentication failures or inaccessible resources, it is good practice to use either a static IP address or deploy DHCP reservation.
This deployment requires installation of Samba from source, linked here. Samba4 requires the Heimdal Kerberos implementation to deploy AD services, which conflicts with the system-supplied MIT Kerberos that ships with CentOS and RHEL.
This setup assumes a new domain setup.
After successful installation, we are first required to provision a new domain. Provisioning creates an AD database and is similar in function to dcpromo.exe in pre-2012 versions of Windows Server.
From a terminal, we execute the following:
```
samba-tool domain provision --use-rfc2307 --interactive
```
A sample configuration is as shown.
```
Realm: CONTOSO.COM
Domain: CONTOSO
Server Role: dc
DNS backend: SAMBA_INTERNAL
Administrator password: P3ssw0rd_
```
Do note that the administrator password must meet the password complexity requirements for Microsoft domain and local user accounts. The full set of requirements can be found here.
We can then start the Samba AD domain controller.
If the initial configuration was successful, we can attempt to connect to the default netlogon share using the credentials created during provisioning.
The Kerberos protocol enables secure network authentication of clients and servers. A working configuration of Kerberos is created during the provisioning phase.
To verify that Kerberos is working, the kinit utility can be used to obtain a ticket.
```
kinit administrator@CONTOSO.COM
Password for administrator@CONTOSO.COM: P3ssw0rd_
```
- The realm must always be specified in uppercase!
We then run klist to verify that Kerberos is working and has issued a ticket.
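The two things that most often break a first provisioning run are the points made above: an administrator password that fails the complexity policy, and a realm typed in lowercase. The following pre-flight script is an added example (not part of the original post or of Samba); it assumes Samba's default minimum password length of 7 and the Windows complexity rule of three out of four character classes, and it only prints the provisioning command rather than running it.

```bash
#!/bin/sh
# Pre-flight checks before "samba-tool domain provision" (added example).
# Assumed policy: minimum length 7 (Samba default), characters from at least
# three of upper/lower/digit/symbol, and the password must not contain the
# account name (Windows complexity rule).

# realm_ok REALM: Kerberos realms are case-sensitive and AD expects uppercase.
realm_ok() {
  [ -n "$1" ] || return 1
  case "$1" in *[[:lower:]]*) return 1 ;; esac
  return 0
}

# password_ok PASSWORD ACCOUNT: returns 0 when the password meets the policy.
password_ok() {
  pw=$1 account=$2 classes=0
  [ "${#pw}" -ge 7 ] || return 1
  case "$pw" in *[[:upper:]]*)  classes=$((classes + 1)) ;; esac
  case "$pw" in *[[:lower:]]*)  classes=$((classes + 1)) ;; esac
  case "$pw" in *[[:digit:]]*)  classes=$((classes + 1)) ;; esac
  case "$pw" in *[![:alnum:]]*) classes=$((classes + 1)) ;; esac
  [ "$classes" -ge 3 ] || return 1
  if [ -n "$account" ]; then
    # Case-insensitive check that the account name is not embedded in the password.
    lower_pw=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')
    lower_acct=$(printf '%s' "$account" | tr '[:upper:]' '[:lower:]')
    case "$lower_pw" in *"$lower_acct"*) return 1 ;; esac
  fi
  return 0
}

# kinit_principal USER REALM: builds the principal with the realm forced to uppercase.
kinit_principal() {
  printf '%s@%s' "$1" "$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')"
}

# preflight REALM DOMAIN PASSWORD: validates inputs, then prints the non-interactive
# provision command. The password is deliberately left out so that it is entered at
# the prompt instead of appearing in process listings and shell history via --adminpass.
preflight() {
  realm_ok "$1" || { echo "realm must be uppercase: $1" >&2; return 1; }
  password_ok "$3" administrator || { echo "password fails complexity policy" >&2; return 1; }
  echo "samba-tool domain provision --use-rfc2307 --realm=$1 --domain=$2" \
       "--server-role=dc --dns-backend=SAMBA_INTERNAL"
}
```

Run `preflight CONTOSO.COM CONTOSO 'P3ssw0rd_'` to reproduce the sample configuration above; `kinit "$(kinit_principal administrator contoso.com)"` then requests the ticket with the realm corrected to CONTOSO.COM.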
In a future post, we will deploy LDAP and a certificate authority in the context of AD services.
- Updated to include information on Kerberos.