Step-by-Step Setup for a Small, Production-Critical Environment


Purpose

This runbook documents the procedural steps required to provision a Linux-based Samba Active Directory Domain Controller (AD DC) suitable for a small but production-critical environment.

It is intended as an operational guide, not a conceptual explanation. Architectural reasoning, historical context, and diagnostic philosophy are documented elsewhere in the Infrastructure Notebook.


Scope and Assumptions

This runbook assumes:

  • A single Samba AD Domain Controller
  • A small internal network (single site)
  • Samba acting as the authoritative DNS server for the domain
  • Windows 11 clients as first-class domain members
  • No multi-domain trusts or forests
  • No custom LDAP schema extensions

This runbook does not cover:

  • Multi-DC replication
  • Forest trusts
  • Hybrid Azure AD
  • Advanced Group Policy management

Tested Environment (Fill In)

(Populate this once confirmed)

  • Linux distribution: ___________________
  • Samba version: ___________________
  • Windows client version: Windows 11 (______)
  • Network type: wired LAN

Step 0: Host Preparation (Do Not Skip)

  1. Assign a static IP address to the server.
  2. Set a stable, short hostname (avoid clever names and names tied to a role that may change later).
  3. Confirm the hostname resolves correctly:
    • hostname (the short name)
    • hostname -f (should return <hostname>.<AD DNS domain>, the name the DC will publish in DNS)
    • getent hosts $(hostname -f) (must return the static IP, not 127.0.0.1 and not the 127.0.1.1 alias Debian-based installers add to /etc/hosts)
  4. Ensure no existing Samba, Kerberos, or LDAP services are running from prior experiments, and remove their leftover configuration (smb.conf, krb5.conf, directory databases) so provisioning starts from a clean state.

Design rule:
Identity infrastructure assumes naming and addressing do not change.
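The Step 0 checks as a script. This is an added example, not part of the runbook or of the Samba project; it assumes a Debian-style host with hostnamectl, the domain ad.example.lan, the hostname srv1 and the static address 10.0.0.10 (override DOMAIN and STATIC_IP in the environment for other values).

```bash
#!/usr/bin/env bash
# Added example: host preparation checks before provisioning a Samba AD DC.
# Assumed values (not from the runbook): domain ad.example.lan, hostname
# srv1, static address 10.0.0.10, Debian-style hostnamectl and /etc/hosts.
set -u

DOMAIN="${DOMAIN:-ad.example.lan}"
STATIC_IP="${STATIC_IP:-10.0.0.10}"

# The DC's FQDN must be exactly <short host>.<AD DNS domain>: one label in
# front of the domain, nothing else. Pure string logic, so it is testable.
fqdn_in_domain() {
    local fqdn="$1" domain="$2"
    case "$fqdn" in
        *.*."$domain") return 1 ;;   # host.sub.domain: an extra label
        ?*."$domain")  return 0 ;;   # host.domain
        *)             return 1 ;;   # the domain itself, a short name, or another domain
    esac
}

# The FQDN must resolve to the LAN address. Debian and Ubuntu installers add
# "127.0.1.1 <hostname>" to /etc/hosts, which makes `hostname -f` work while
# mapping the name to loopback; Samba must see the real address instead.
fqdn_resolves_to() {
    local fqdn="$1" ip="$2" got
    got=$(getent hosts "$fqdn" | awk '{ print $1; exit }')
    [ "$got" = "$ip" ]
}

# Daemons from earlier experiments that would collide with the AD DC
# (Samba's own, an OpenLDAP slapd, or an MIT/Heimdal KDC).
stale_services() {
    pgrep -l -x 'samba|smbd|nmbd|winbindd|slapd|krb5kdc|kadmind|kdc' || true
}

# Write the hostname and pin FQDN -> static IP in /etc/hosts.
set_hostname() {
    local short="$1" fqdn="$1.$DOMAIN"
    hostnamectl set-hostname "$short"
    sed -i '/^127\.0\.1\.1[[:space:]]/d' /etc/hosts          # drop the loopback alias
    grep -qwF "$fqdn" /etc/hosts ||
        printf '%s\t%s %s\n' "$STATIC_IP" "$fqdn" "$short" >> /etc/hosts
}

check_host() {
    local fqdn stale
    fqdn=$(hostname -f)
    fqdn_in_domain "$fqdn" "$DOMAIN" ||
        { echo "FAIL: '$fqdn' is not <host>.$DOMAIN" >&2; return 1; }
    fqdn_resolves_to "$fqdn" "$STATIC_IP" ||
        { echo "FAIL: $fqdn does not resolve to $STATIC_IP" >&2; return 1; }
    stale=$(stale_services)
    [ -z "$stale" ] ||
        { printf 'FAIL: stop and purge these first:\n%s\n' "$stale" >&2; return 1; }
    echo "ok: $fqdn -> $STATIC_IP, no stale identity daemons"
}

case "${1:-}" in
    set)   set_hostname "${2:?usage: $0 set <short-hostname>}" ;;
    check) check_host ;;
    *)     echo "usage: $0 set <short-hostname> | check" ;;
esac
```

Run `set srv1` once as root, then `check`; the script refuses the common failure modes (extra label in the FQDN, loopback resolution, leftover daemons) before any of the later steps can build on them.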


Step 1: Time Synchronization

Kerberos authentication depends on accurate time: the KDC and its clients reject tickets when their clocks differ by more than five minutes (the default tolerance), and Windows domain members take their time from the DC.

  1. Install and enable a time synchronization service (chrony or ntpd).
  2. Verify the system clock is correct and the service is synchronized to its upstream sources.
  3. Ensure the server is configured to act as a reliable time source for domain members. Windows members request signed (MS-SNTP) replies, which Samba provides through its ntp_signd socket; the time service must be allowed to read that socket.

Operational note:
Time issues often present as “bad credentials”, “domain trust failures”, or a Kerberos “clock skew too great” error. Check the clock before touching passwords.
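A chrony configuration for the DC, with a check that the clock is within the Kerberos tolerance. This is an added example, not part of the runbook or of the Samba project; it assumes Debian/Ubuntu paths (/etc/chrony/chrony.conf, the _chrony group, Samba's signing socket at /var/lib/samba/ntp_signd) and the client subnet 10.0.0.0/24.

```bash
#!/usr/bin/env bash
# Added example: make the DC a trustworthy time source with chrony.
# Assumed values (not from the runbook): Debian/Ubuntu paths
# (/etc/chrony/chrony.conf, group _chrony, Samba's signing socket at
# /var/lib/samba/ntp_signd) and the client subnet 10.0.0.0/24.
set -u

CLIENT_NET="${CLIENT_NET:-10.0.0.0/24}"
NTP_SIGND="${NTP_SIGND:-/var/lib/samba/ntp_signd}"
# Kerberos rejects tickets when clocks differ by more than five minutes.
MAX_SKEW_SECONDS=300

# Emit the configuration instead of writing it, so it can be reviewed (and
# unit-tested) before it replaces the distribution file.
chrony_conf() {
    cat <<EOF
# The DC follows public pool servers; every domain member follows the DC.
# Point this at an internal NTP server instead if the site has one.
pool 2.debian.pool.ntp.org iburst
driftfile /var/lib/chrony/chrony.drift
makestep 1 3
rtcsync
# Serve time to the internal subnet only.
allow $CLIENT_NET
# Windows members expect MS-SNTP replies signed with their machine-account
# key. chrony hands each such request to Samba's ntp_signd over this socket;
# the socket exists once samba-ad-dc has started.
ntpsigndsocket $NTP_SIGND
EOF
}

install_chrony_conf() {
    chrony_conf > /etc/chrony/chrony.conf
    # chrony runs as _chrony and must be able to enter the socket directory.
    if [ -d "$NTP_SIGND" ]; then
        chgrp _chrony "$NTP_SIGND" && chmod 750 "$NTP_SIGND"
    fi
    systemctl enable --now chrony
    systemctl restart chrony
}

# Parse the "System time" line of `chronyc tracking`, for example
#   System time     : 0.000215 seconds slow of NTP time
# and succeed only when the absolute offset is within max seconds.
offset_within_tolerance() {
    local line="$1" max="$2"
    printf '%s\n' "$line" | awk -v max="$max" '
        /System time/ { found = 1; off = $4 + 0; if (off < 0) off = -off
                        ok = (off <= max) }
        END { exit (found && ok) ? 0 : 1 }'
}

verify_clock() {
    chronyc sources               # the selected upstream shows "^*", others "^+"
    local line
    line=$(chronyc tracking | grep 'System time')
    offset_within_tolerance "$line" "$MAX_SKEW_SECONDS" ||
        { echo "FAIL: clock more than ${MAX_SKEW_SECONDS}s from NTP: $line" >&2; return 1; }
    echo "ok: $line"
}

case "${1:-}" in
    show)    chrony_conf ;;
    install) install_chrony_conf ;;
    verify)  verify_clock ;;
    *)       echo "usage: $0 show | install | verify" ;;
esac
```

Run `install` before provisioning so the DC is already synchronized when the first tickets are issued, and `install` again (or just the chgrp/chmod) after the AD DC has started for the first time, because the ntp_signd directory does not exist until then.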


Step 2: Install Required Packages

Install the following categories of packages:

  • Samba built with AD DC support (Debian and Ubuntu ship it in the samba package; Red Hat-family distributions have historically shipped Samba without the AD DC, so check before relying on distribution packages)
  • Kerberos client utilities (kinit, klist)
  • DNS testing utilities (host, dig)
  • LDAP query tooling (ldbsearch)
  • ACL and extended attribute tools (sysvol relies on POSIX ACLs and user xattrs)
  • Time synchronization service

Avoid partial installs. Samba AD DC expects a complete identity stack, and the filesystem that will hold sysvol must be mounted with ACL and user_xattr support.


Step 3: Domain Provisioning

Provision the domain using Samba’s domain provisioning tooling.

During provisioning, you will define:

  • DNS domain name (internal, non-public; use a subdomain of a domain you control, such as ad.example.com, never a single label and never .local, which collides with mDNS on clients)
  • Kerberos realm (the DNS domain in uppercase)
  • NetBIOS domain name (the first label of the DNS domain, uppercase, 15 characters or fewer)
  • DNS backend (internal Samba DNS recommended; BIND9_DLZ is the alternative and adds a second service that must stay consistent with the directory)

Provisioning creates:

  • Domain directory database (sam.ldb and its partition files under Samba's private directory)
  • Kerberos realm configuration (a krb5.conf under the private directory that must be copied to /etc/krb5.conf)
  • DNS zones and SRV records
  • Initial administrative accounts (Administrator, whose password you set during provisioning)

Important:
Provisioning is a one-time, foundational action.
Treat naming decisions as permanent.
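Steps 2 and 3 as one script. This is an added example, not part of the runbook or of the Samba project; it assumes an apt-based Debian/Ubuntu host, the DNS domain ad.example.lan (so realm AD.EXAMPLE.LAN and NetBIOS name AD) and Samba's private directory at /var/lib/samba/private. The only decision it refuses to automate is the password, which it prompts for.

```bash
#!/usr/bin/env bash
# Added example: package install and domain provisioning on Debian/Ubuntu.
# Assumed values (not from the runbook): DNS domain ad.example.lan (realm
# AD.EXAMPLE.LAN, NetBIOS name AD), apt-based host, Samba's private
# directory at /var/lib/samba/private.
set -u

DNS_DOMAIN="${DNS_DOMAIN:-ad.example.lan}"
SMB_CONF=/etc/samba/smb.conf
PRIVATE_DIR=/var/lib/samba/private

# Naming is permanent, so refuse the two classic mistakes before samba-tool
# sees them: a ".local" domain (collides with mDNS on clients) and a
# single-label domain (discouraged for AD and needing client-side workarounds).
validate_dns_domain() {
    case "$1" in
        *.local) echo "refusing '$1': .local is reserved for mDNS" >&2; return 1 ;;
        *.*)     return 0 ;;
        *)       echo "refusing '$1': single-label domains are not accepted here" >&2; return 1 ;;
    esac
}

# Realm = DNS domain in upper case. NetBIOS name = first label, upper case,
# at most 15 characters (the NetBIOS limit).
realm_of()   { printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'; }
netbios_of() { printf '%s\n' "${1%%.*}" | tr '[:lower:]' '[:upper:]' | cut -c1-15; }

install_packages() {
    # krb5-user would otherwise prompt for a default realm during install;
    # provisioning writes the real krb5.conf anyway.
    export DEBIAN_FRONTEND=noninteractive
    apt-get install -y samba winbind krb5-user libpam-winbind libnss-winbind \
        smbclient ldb-tools dnsutils acl attr chrony
}

provision() {
    local realm netbios pass
    validate_dns_domain "$DNS_DOMAIN" || return 1
    realm=$(realm_of "$DNS_DOMAIN")
    netbios=$(netbios_of "$DNS_DOMAIN")

    # samba-tool reads an existing smb.conf and refuses to provision over the
    # file-server configuration the package ships, so move it aside.
    [ -f "$SMB_CONF" ] && mv "$SMB_CONF" "$SMB_CONF.pre-provision"

    # Read the password from the terminal rather than taking it as an argument,
    # so it stays out of shell history. samba-tool enforces AD complexity rules.
    read -rsp "Initial Administrator password: " pass; echo

    samba-tool domain provision \
        --server-role=dc \
        --dns-backend=SAMBA_INTERNAL \
        --use-rfc2307 \
        --realm="$realm" \
        --domain="$netbios" \
        --adminpass="$pass"

    # Provisioning writes a realm-correct krb5.conf into the private directory;
    # the system copy must match it or kinit asks the wrong KDC.
    cp "$PRIVATE_DIR/krb5.conf" /etc/krb5.conf
    echo "provisioned realm $realm (NetBIOS $netbios); review $SMB_CONF, especially 'dns forwarder'"
}

case "${1:-}" in
    install)   install_packages ;;
    provision) provision ;;
    names)     echo "realm=$(realm_of "$DNS_DOMAIN") netbios=$(netbios_of "$DNS_DOMAIN")" ;;
    *)         echo "usage: $0 install | provision | names" ;;
esac
```

Run `names` first and confirm the derived realm and NetBIOS name are the ones you intend to live with; provisioning cannot be rerun to rename a domain.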


Step 4: DNS Configuration

After provisioning:

  1. Configure the server to use itself as the primary DNS resolver: /etc/resolv.conf must list 127.0.0.1 (or the DC's own address) as the only nameserver, with the AD DNS domain as the search domain. If systemd-resolved or NetworkManager manages that file, stop them from rewriting it, or the DC will silently resolve through the upstream resolver again.
  2. Configure external DNS forwarding for non-domain queries with the dns forwarder setting in the [global] section of smb.conf. Provisioning seeds it from whatever resolver was configured at the time, so verify the value rather than assuming it.
  3. Verify SRV records exist for:
    • LDAP (_ldap._tcp.<domain> and _ldap._tcp.dc._msdcs.<domain>)
    • Kerberos (_kerberos._udp.<domain> and _kerberos._tcp.<domain>)
    • Kerberos password change (_kpasswd._udp.<domain>)
  4. Confirm the domain name resolves correctly (the apex record provisioning creates points at the DC) and that a public name resolves through the forwarder.

Rule of thumb:
If DNS is wrong, everything else will lie to you.
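The resolver and forwarder configuration of Step 4, items 1, 2 and 4, as a script. This is an added example, not part of the runbook or of the Samba project; it assumes Debian/Ubuntu paths, the domain ad.example.lan, a DC named srv1.ad.example.lan and an upstream resolver at 10.0.0.1. The forwarder function takes the file path as an argument so it can be tried on a copy of smb.conf first.

```bash
#!/usr/bin/env bash
# Added example: point the DC at its own DNS and pin the forwarder.
# Assumed values (not from the runbook): Debian/Ubuntu paths, domain
# ad.example.lan, DC srv1.ad.example.lan, upstream resolver 10.0.0.1.
set -u

DNS_DOMAIN="${DNS_DOMAIN:-ad.example.lan}"
FORWARDER="${FORWARDER:-10.0.0.1}"
SMB_CONF="${SMB_CONF:-/etc/samba/smb.conf}"

# Replace the "dns forwarder" setting, or add it directly under [global] if
# absent. Works on any file path so it can be exercised on a copy first.
set_dns_forwarder() {
    local conf="$1" ip="$2" tmp
    tmp=$(mktemp)
    if grep -qiE '^[[:space:]]*dns forwarder[[:space:]]*=' "$conf"; then
        awk -v ip="$ip" '
            tolower($0) ~ /^[[:space:]]*dns forwarder[[:space:]]*=/ { print "\tdns forwarder = " ip; next }
            { print }' "$conf" > "$tmp"
    else
        awk -v ip="$ip" '{ print } /^\[global\]/ { print "\tdns forwarder = " ip }' "$conf" > "$tmp"
    fi
    cat "$tmp" > "$conf" && rm -f "$tmp"    # cat keeps the file's owner and mode
}

# The DC must resolve through itself: every domain lookup (SRV records, the
# DC's own name) has to come from Samba's DNS, and only non-domain names may
# reach the forwarder. Resolver managers rewrite resolv.conf, so stop them.
write_resolv_conf() {
    if systemctl is-active --quiet systemd-resolved; then
        systemctl disable --now systemd-resolved   # would reinsert 127.0.0.53
        rm -f /etc/resolv.conf                      # usually a symlink into /run
    fi
    # With NetworkManager, also set dns=none in its configuration.
    printf 'search %s\nnameserver 127.0.0.1\n' "$DNS_DOMAIN" > /etc/resolv.conf
}

verify_resolution() {
    # Apex record: provisioning points the domain name at the DC itself.
    host "$DNS_DOMAIN" 127.0.0.1      || { echo "FAIL: apex record" >&2; return 1; }
    host "$(hostname -f)" 127.0.0.1   || { echo "FAIL: own A record" >&2; return 1; }
    # A public name must come back through the forwarder, not as NXDOMAIN.
    host example.com 127.0.0.1        || { echo "FAIL: forwarding" >&2; return 1; }
    echo "ok: internal and forwarded resolution work"
}

case "${1:-}" in
    forwarder) set_dns_forwarder "$SMB_CONF" "$FORWARDER" && echo "dns forwarder = $FORWARDER" ;;
    resolv)    write_resolv_conf ;;
    verify)    verify_resolution ;;
    *)         echo "usage: $0 forwarder | resolv | verify" ;;
esac
```

Changing the forwarder takes effect only after the AD DC service is restarted; run `verify` after that restart, not before.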


Step 5: Start and Enable Services

  1. Start the Samba AD DC service (samba-ad-dc on Debian and Ubuntu, where the package ships it masked; unmask it first).
  2. Enable it at boot.
  3. Verify the service is running without errors: the samba parent process and its smbd and winbindd children are present, and the journal shows no startup failures.

Do not start legacy Samba services intended for file servers (the stand-alone smbd, nmbd and winbind units); disable and mask them so a package upgrade cannot bring them back. The AD DC process starts its own smbd and winbindd, and two sets of them fight over the same ports and sockets.
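The unit switch of Step 5 as a script, with a guard that refuses to start the AD DC unit unless smb.conf actually declares the DC role. This is an added example, not part of the runbook or of the Samba project; it assumes systemd and the Debian/Ubuntu unit names (smbd, nmbd, winbind, samba-ad-dc) and smb.conf at /etc/samba/smb.conf.

```bash
#!/usr/bin/env bash
# Added example: switch the host from the file-server units to the AD DC unit.
# Assumed values (not from the runbook): systemd, Debian/Ubuntu unit names
# (smbd, nmbd, winbind, samba-ad-dc; the last ships masked), smb.conf at
# /etc/samba/smb.conf.
set -u
SMB_CONF="${SMB_CONF:-/etc/samba/smb.conf}"

# The AD DC unit runs the `samba` binary, which spawns its own smbd and
# winbindd. The stand-alone units must be off and masked, or the two sets
# fight over ports 445/139 and the winbind pipe. Unquoted on purpose below.
LEGACY_UNITS="smbd nmbd winbind"

# Read "server role" from the [global] section only, lower-cased and trimmed.
server_role_of() {
    awk -F= '
        /^\[/ { insec = (tolower($0) == "[global]") }
        insec && tolower($1) ~ /^[[:space:]]*server role[[:space:]]*$/ {
            sub(/^[[:space:]]+/, "", $2); sub(/[[:space:]]+$/, "", $2)
            print tolower($2); exit }
    ' "$1"
}

is_dc_config() {
    [ "$(server_role_of "$1")" = "active directory domain controller" ]
}

switch_to_ad_dc() {
    is_dc_config "$SMB_CONF" ||
        { echo "FAIL: $SMB_CONF does not declare the DC role; provision first" >&2; return 1; }
    systemctl disable --now $LEGACY_UNITS
    systemctl mask $LEGACY_UNITS            # an upgrade cannot re-enable them
    systemctl unmask samba-ad-dc
    systemctl enable --now samba-ad-dc
}

verify_running() {
    systemctl is-active --quiet samba-ad-dc ||
        { echo "FAIL: samba-ad-dc is not active" >&2; return 1; }
    # Parent plus the two children it must have forked.
    pgrep -x samba >/dev/null && pgrep -x smbd >/dev/null && pgrep -x winbindd >/dev/null ||
        { echo "FAIL: samba/smbd/winbindd process set incomplete" >&2; return 1; }
    samba-tool domain level show >/dev/null ||
        { echo "FAIL: directory not readable through samba-tool" >&2; return 1; }
    # Recent startup errors, if any, are the next thing to read.
    journalctl -u samba-ad-dc --since=-5min --no-pager | grep -iE 'error|fail' ||
        echo "ok: samba-ad-dc active, process set complete, no errors in the last 5 minutes"
}

case "${1:-}" in
    switch) switch_to_ad_dc ;;
    verify) verify_running ;;
    role)   server_role_of "$SMB_CONF" ;;
    *)      echo "usage: $0 switch | verify | role" ;;
esac
```

`role` prints what Samba will believe its role to be; if it prints anything other than the DC role, the earlier provisioning step did not produce the smb.conf the service is about to read.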


Step 6: Firewall Configuration

Allow inbound traffic from the internal network for:

  • DNS (53 TCP/UDP)
  • Kerberos (88 TCP/UDP)
  • LDAP (389 TCP/UDP) and LDAPS (636 TCP)
  • Global catalog (3268 TCP, 3269 TCP)
  • SMB/CIFS (445 TCP; 137/138 UDP and 139 TCP only while NetBIOS over TCP/IP stays enabled on clients, which is the Windows default)
  • Kerberos password change (464 TCP/UDP)
  • RPC endpoint mapper (135 TCP) and the dynamic RPC range (49152-65535 TCP by default in Samba), used by domain join, netlogon and Group Policy
  • NTP (123 UDP) if the DC is the time source for members

Restrict access to the local subnet. A DC is never an internet-facing host; remote sites reach it over a VPN that terminates inside the trusted network.
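An nftables ruleset implementing the Step 6 policy. This is an added example, not part of the runbook or of the Samba project; it assumes the LAN 10.0.0.0/24, SSH for management, Samba's default dynamic RPC range, the DC serving NTP to members, and IPv4 only (add ip6 saddr rules if the LAN runs IPv6).

```bash
#!/usr/bin/env bash
# Added example: nftables ruleset for a single DC. Assumed values (not from
# the runbook): LAN 10.0.0.0/24, SSH for management, Samba's default dynamic
# RPC range 49152-65535, the DC serving NTP to members, IPv4 only.
set -u
LAN="${LAN:-10.0.0.0/24}"

# The runbook's ports plus the ones a join or logon fails without:
# 135 + the dynamic range (endpoint mapper, netlogon, LSA, Group Policy),
# 636/3268/3269 (LDAPS, global catalog), 123 (NTP from the DC), and the
# NetBIOS trio 137/138/139, which Windows uses unless NetBIOS over TCP/IP
# is disabled on the clients.
TCP_PORTS="53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269"
UDP_PORTS="53, 88, 123, 137, 138, 389, 464"
RPC_RANGE="49152-65535"

# Membership check: is this proto/port reachable from the LAN under the ruleset?
port_allowed() {
    local proto="$1" port="$2" list
    case "$proto" in
        tcp) list="$TCP_PORTS" ;;
        udp) list="$UDP_PORTS" ;;
        *)   return 1 ;;
    esac
    case ", $list," in *", $port,"*) return 0 ;; esac
    [ "$proto" = tcp ] && [ "$port" -ge "${RPC_RANGE%-*}" ] && [ "$port" -le "${RPC_RANGE#*-}" ]
}

ruleset() {
    cat <<EOF
flush ruleset
table inet dc {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        ip protocol icmp accept
        # Management from the LAN only.
        ip saddr $LAN tcp dport 22 accept
        # Domain services, LAN only. Nothing here is reachable from other
        # networks; remote sites arrive over a VPN that lands inside $LAN.
        ip saddr $LAN tcp dport { $TCP_PORTS } accept
        ip saddr $LAN udp dport { $UDP_PORTS } accept
        ip saddr $LAN tcp dport $RPC_RANGE accept
        # Everything else falls to the drop policy; keep a rate-limited log
        # so a misconfigured client shows up in the journal.
        limit rate 5/minute log prefix "dc-drop: "
    }
}
EOF
}

apply_ruleset() {
    ruleset | nft -c -f - || { echo "FAIL: ruleset does not parse" >&2; return 1; }
    ruleset | nft -f -                     # atomic replacement of the live ruleset
    ruleset > /etc/nftables.conf           # what nftables.service loads at boot
    systemctl enable --now nftables
}

case "${1:-}" in
    show)  ruleset ;;
    apply) apply_ruleset ;;
    *)     echo "usage: $0 show | apply" ;;
esac
```

The dynamic RPC range is wide, which is why the whole ruleset is scoped to the LAN address rather than opening individual ports to anyone; if the range has been narrowed with the rpc server dynamic port range setting in smb.conf, narrow RPC_RANGE to match.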


Step 7: Pre-Client Validation

Before joining any Windows systems, verify, in this order:

  • Domain info is readable (samba-tool domain info and samba-tool domain level show)
  • DNS SRV records resolve and point at this DC
  • Kerberos authentication works (kinit as Administrator against the realm)
  • LDAP queries over the network return results
  • The sysvol and netlogon shares are published (clients fetch Group Policy from them during and after the join)

If validation fails here, do not proceed to client joins.
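The Step 7 checks as a script that stops at the first failure, including the SRV verification called for in Step 4. This is an added example, not part of the runbook or of the Samba project; it assumes the domain ad.example.lan (realm AD.EXAMPLE.LAN), a DC named srv1.ad.example.lan, Debian packages (host from dnsutils, ldbsearch from ldb-tools) and Samba 4.15 or newer for the --use-kerberos option (older releases spell it -k yes).

```bash
#!/usr/bin/env bash
# Added example: pre-client validation, run on the DC after Steps 0-6.
# Assumed values (not from the runbook): domain ad.example.lan (realm
# AD.EXAMPLE.LAN), DC srv1.ad.example.lan, Debian packages (host from
# dnsutils, ldbsearch from ldb-tools), Samba 4.15+ for --use-kerberos.
set -u

DNS_DOMAIN="${DNS_DOMAIN:-ad.example.lan}"
DC_FQDN="${DC_FQDN:-srv1.$DNS_DOMAIN}"
REALM=$(printf '%s' "$DNS_DOMAIN" | tr '[:lower:]' '[:upper:]')

# Records a Windows client walks to locate a DC; provisioning creates all of them.
SRV_NAMES="_ldap._tcp.$DNS_DOMAIN _ldap._tcp.dc._msdcs.$DNS_DOMAIN
           _kerberos._udp.$DNS_DOMAIN _kerberos._tcp.$DNS_DOMAIN _kpasswd._udp.$DNS_DOMAIN"

# ad.example.lan -> DC=ad,DC=example,DC=lan
base_dn_of() { printf 'DC=%s\n' "${1//./,DC=}"; }

# Parse `host -t SRV` output such as
#   _ldap._tcp.ad.example.lan has SRV record 0 100 389 srv1.ad.example.lan.
# and succeed only when at least one record targets the expected DC.
srv_targets() {
    local out="$1" target="$2"
    printf '%s\n' "$out" | awk -v want="$target." '
        / has SRV record / { if ($NF == want) found = 1 }
        END { exit found ? 0 : 1 }'
}

check_domain() {
    samba-tool domain info 127.0.0.1 || return 1   # forest, domain, site, this DC
    samba-tool domain level show     || return 1   # functional levels read from the directory
}

check_dns() {
    local name out
    for name in $SRV_NAMES; do
        out=$(host -t SRV "$name" 127.0.0.1) || { echo "FAIL: no record for $name" >&2; return 1; }
        srv_targets "$out" "$DC_FQDN"      || { echo "FAIL: $name does not target $DC_FQDN" >&2; return 1; }
    done
    echo "ok: SRV records target $DC_FQDN"
}

check_kerberos() {
    # A TGT for Administrator proves realm, KDC lookup via DNS and clock skew
    # in one go. The password is prompted for, never passed on the command line.
    kinit "administrator@$REALM" || return 1
    klist | grep -q "krbtgt/$REALM@$REALM" || { echo "FAIL: no TGT for $REALM" >&2; return 1; }
    echo "ok: Kerberos TGT for $REALM"
}

check_ldap() {
    # Network LDAP against the DC's FQDN, authenticated with the TGT above;
    # this exercises DNS, Kerberos and LDAP together rather than the local sam.ldb.
    ldbsearch -H "ldap://$DC_FQDN" --use-kerberos=required \
        -b "$(base_dn_of "$DNS_DOMAIN")" '(sAMAccountName=Administrator)' dn |
        grep -q '^dn: CN=Administrator,CN=Users,' ||
        { echo "FAIL: LDAP search returned no Administrator" >&2; return 1; }
    echo "ok: LDAP query answered"
}

check_shares() {
    # Anonymous share listing must show sysvol and netlogon, which clients
    # read for Group Policy during and after the join.
    smbclient -L localhost -N | grep -qi netlogon || { echo "FAIL: netlogon share missing" >&2; return 1; }
    smbclient -L localhost -N | grep -qi sysvol   || { echo "FAIL: sysvol share missing" >&2; return 1; }
    echo "ok: sysvol and netlogon published"
}

run_all() {
    # Stop at the first failure: later checks only lie once an earlier one is broken.
    check_domain && check_dns && check_kerberos && check_ldap && check_shares &&
        echo "ALL OK: safe to start joining clients"
}

case "${1:-}" in
    run) run_all ;;
    *)   echo "usage: $0 run" ;;
esac
```

The order is deliberate: a failing LDAP check is meaningless while DNS or Kerberos is broken, so each check assumes the ones before it passed and the script reports only the first root cause.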


Status

This runbook reflects a baseline Samba AD DC provisioning process.
Revise if domain scope or architecture changes.