This blog posting is the second in a series that will help you to prepare for the new version 3.0 of the LPIC-3 Mixed Environments exam. Active Directory is one of the major topics on LPI’s LPIC-3 Mixed Environments exam. While preparing tof the exam, you should not just understand the concepts, but actually implement an Active Directory domain using Samba 4.
First of all, focus on the architecture and the various components of Active Directory. This is not easy, since Active Directory integrates various services such as DNS, LDAP, Kerberos, and CIFS, along with a very specific layout of the contents served through these components. Microsoft offers a long, but comprehensive read on the Active Directory Architecture. Don’t worry about the age of that document: the principles are still the same and it is one of the few places where you can get all of the information about the topic in a single document.
After you have worked through the dry theory, it’s time to design your very own Active Directory. In a production environment, your first step will be to name the directory. The Samba wiki has some great advice on Active Directory Naming. For your studies, consider just going ahead with ad.example.com or something similar.
Now that you have chosen a name for your domain, set up your first domain controller. We have already covered the setup of the virtual machine (VM) in last week’s post. Now is the time to log into your first domain controller and work through the guide for Setting up Samba as an Active Directory Domain Controller. Enable the RFC2307 schema and make sure you perform all the tests described in the guide. Remember that you’ve used the Samba packages of your Linux distribution, so you can most likely use systemctl to start the Samba services.
After your first domain controller passes all tests, log into the second domain controller VM and join it as a second domain controller. Remember to review the various types of SysVol replication and set up unidirectional rsync replication. Also make sure all your computers’ clocks are in sync.
Once you’ve confirmed that your directory replication works well, it is time for the first regular member. Boot up your Windows VM and join the machine to our domain. Once it is rebooted, use your domain’s administrator account to sign into the VM.
Now you can populate the domain. Create a couple of user accounts, as well as security groups containing some of your new users. Try to create accounts for some of your colleagues and group them according to their departments, or create accounts for your family members and some groups for their favorite hobbies. Use both samba-tool user and samba-tool group on one of your domain controllers as well as Active Directory Users and Computers utility on your Windows machine. Confirm that your user accounts work correctly by using these accounts to sign into the Windows machine.
Make sure also to review what happened underneath the hood: Find your user accounts in your domain’s LDAP tree, then review the objects’ attributes and how they relate to groups. On the Windows side, ADSI Edit and LDP allow you to access these objects. Don’t forget to do some practice on the Linux command line using ldbsearch, too. Adding RFC2307 attributes to your users and groups is a great chance to do so. The Samba wiki holds instruction for both the graphical interface on the Windows client and the cool ldbmodify command-line technique.
The next big step is joining the file server to the domain. Again, the Samba wiki explains all the steps for setting up Samba as a Domain Member. As you work through this guide, remember to use the ad mapping backend. Take some time to really understand ID mapping in Samba, including the various backends.
Once the server is joined into the domain, create a simple write file share and place a file there using the Windows client. Check the ownership of the file and try adding more files using other domain users. Finally, configure PAM Authentication to allow domain users to log into your server and try to log into your file server using one of your domain users.
Topic 302 contains some more aspects that are important. One of them is DNS management, which offers you a chance to revisit your LPIC-3 DNS skills. Create some DNS records in your Active Directory and use dig to confirm their existence. You should also take a closer look at FSMO roles and running a standalone Samba server with local user management.
We’ve covered a lot of material this week and worked through a lot of extensive resources. However, we’re not done yet. The exam objectives contain some options, tools, and aspects you must be aware of in your exam. Take your time to carefully review the exam objectives and research anything you’re not certain about. With the materials covered today, you have a fully functional lab environment that you can use for your own studies. Next week we are going to extend this setup even further by going into the details of the share configuration on our file server.