In the previous post, we installed Ubuntu in a VirtualBox VM. Now it’s time to install SAMBA and configure the domain controller.

Download and install SAMBA ^

First, obtain the latest sources in Ubuntu with these commands:

$ sudo apt-get update
$ sudo apt-get upgrade

Next, you’ll need to install several libraries and packages. However, they can all be installed with one line of code:

$ sudo apt-get install attr build-essential libacl1-dev libldap2-dev libattr1-dev libgnutls-dev libblkid-dev libpopt-dev libreadline-dev libpam0g-dev libbsd-dev libcups2-dev python-dev python-dnspython gdb pkg-config dnsutils attr krb5-user docbook-xsl acl ntp

Install SAMBA prerequisite packages

Install SAMBA prerequisite packages

During package installation, Kerberos will display a few pink screens and ask to configure Kerberos Authentication and define the Default Kerberos version 5 realm and the Server Name and Administrative server. Use upper-case characters, as Kerberos will have fewer problems:


Administrative server for Kerberos realm: DC1.TESTDOMAIN.COM

Kerberos servers for your realm

Kerberos servers for your realm

DNS is important and required to set up our domain controller with SAMBA, so ensure that the default Ethernet interface has a static IP address assigned. To assign a static IP address, edit the file /etc/network/interfaces with vi or nano. You can use the following command to edit the file:

$ sudo vi /etc/network/interfaces

Your interfaces file should look similar to the following:

Internface configuration

Interface configuration

Notice that during the installation of our domain controller, two dns-nameservers are listed in our interfaces file ( and Once we have the domain controller running, we’ll remove the secondary upstream DNS server, as SAMBA could have problems identifying its own DNS services. Also, provide the domain name when defining the dns-search variable.

Now provide /etc/hostname with your hostname (DC1). The following screenshot demonstrates how the file will look after editing, commenting, and setting the hostname. After editing the hostname configuration file, it should return the correct name when issuing the command $ hostname.

Configure hostname and display output

Configure hostname and display output

Kerberos requires that the NTP (or Network Time Protocol) is accurate and synced with time servers. In this case, we’ll synchronize NTP with servers. First, stop the ntp service, set the date/time with the ntpdate command, and then start the ntp service again with the following commands:

$ sudo service ntp stop$ sudo ntpdate -B$ sudo service ntp start

The output will look similar to the following screenshot:

Synchronize ntp service with

Synchronize ntp service with

The acl and attr packages were installed earlier, and now we need to add some additional options to /etc/fstab to extend the attributes of our ext4 file system partition located at the root /. According to Wikipedia:

“The fstab file typically lists all available disk partitions and other types of file systems and data sources that are not necessarily disk-based, and indicates how they are to be initialized or otherwise integrated into the larger file system structure.”

Below are two screenshots. The first is the original file, and the second is the file after editing. As always, it’s best to save a copy of the original file before editing. We’ll include the following options for our ext4 / partition, separated by commas:


Original fstab file:

fstab original configuration

fstab original configuration

Here’s how the fstab file looks after editing:

fstab edited configuration

fstab edited configuration

Because we’ve edited the way our file system initializes system partitions, we’ll restart the virtual machine to complete the options integration. This is quickly accomplished with the command:

$ sudo shutdown -r now

Configure SAMBA server as domain controller ^

At this point, we’re ready to configure SAMBA as a domain controller. Because we added the SAMBA file server component during the original Ubuntu operating system install, we can now run our SAMBA configuration utility SAMBA-tool. If you missed installing the SAMBA file utility during your initial system setup, get the Software selection tool again issuing the command:

$ sudo tasksel

If you do use tasksel, select SAMBA file server. Press enter.

When SAMBA is installed, we want to first remove the default smb.conf file located at /etc/samba/smb.conf. When we run SAMBA-tool, the smb.conf file will regenerate. Do this by entering the command:

$ sudo rm /etc/samba/smb.conf

Now we issue the following command to set up SAMBA with a 2008 R2 Forest Functional level:

$ sudo samba-tool domain provision --function-level=2008_R2 --interactive

The first request will be for us to provide the realm. I’ll enter my realm, TESTDOMAIN.COM (which is the FQDN for our domain), and press enter:


Now enter the netbios name for our domain name [TESTDOMAIN]. This is our default, so we can just press enter.


Our Server Role will be a domain controller [dc]. Again, this is the default. We can simply hit enter.

Server Role (dc, member, standalone) [dc]:

Press enter again to confirm that we want the default DNS backend to use SAMBA_INTERNAL, which will add DNS entries for computers when they are joined to the domain.


The DNS forwarder IP address is the address used when a DNS entry cannot be found on our own DNS server. I like to use my own default gateway,, for the forwarder, but you can use Google’s public DNS server

DNS Forwarder IP Address

DNS forwarder IP address (write 'none' to disable forwarding) []:

We’ll now be prompted to enter the Administrator (Domain admin) password for our domain. Use a long and complex password; if this part fails due to a weak password, it’ll be a difficult problem to rectify.

Administrator password:
 Retype password:
 SAMBA-tool configuration

If everything is correct, the SAMBA-tool will build the structure and directories for your domain. The output will look similar to the following:

SAMBA-tool domain build output

SAMBA-tool domain build output

Modifying the permissions of the default netlogon and sysvol share directories is the last configuration change to make before we can start adding computers to our domain. To do this, edit the newly-generated /etc/samba/smb.conf file to include 0700 and 0644 permissions for both directories.

Add the following lines under the [netlogon] and [sysvol] groups:

create mask = 0700
directory mask = 0644

Your edited file will look similar to the following screenshot:

smb.conf mask permissions

smb.conf mask permissions

After completing the SAMBA installation, go back and edit the /etc/network/interfaces file to remove your second upstream server ( from the dns-nameservers group. Restart your new domain controller one final time, and the server will be ready to accept computers into the domain. Use the following command:

$ sudo reboot

Join a Windows workstation to the new domain ^

After the domain controller has completed its reboot, Windows workstations can join the domain. For Windows 7, you’ll need Windows 7 Pro or Ultimate. For Windows 8 and Windows 10, you’ll want at least the Professional version.

In Windows 10, right-click on the start menu, and click System.

Windows 10 system settings

Windows 10 system settings

Under Computer settings, click Change Settings and then the Change button. Enter the name of your domain (, and click OK.

System properties and join domain

System properties and join domain

If you receive the following error, it means the workstation you’re trying to join either isn’t able to ping the IP address of the domain controller and/or you need to explicitly set the DNS entry in TCP/IP V4 to include your domain controller’s IP address:

An Active Directory Domain Controller (AD DC) for the domain “” could not be contacted.

Once your Windows workstation can contact the domain controller, you’ll be greeted with a prompt to authenticate. Type in the user name (Administrator) and the password you provided during the SAMBA-tools setup. Click OK, and your workstation will now be a member of the domain.

Welcome to the domain

Welcome to the domain

You’ll be prompted to restart the workstation. After the reboot, log on to the domain with your username (Administrator) and password. You can now use Active Directory Users and Computers (ADUC) as well as other administrative tools to configure a domain and set up user accounts, GPO’s, and home directories.

  1. Anonymous 6 years ago

    There is a typo in part of editing fstab file.
    It says "user_xttr", but in fact it is "user_xattr" (the picture is correct)



  2. Nury Sword 5 years ago

    Hi, after installation I get this error:

    An Active Directory Domain Controller (AD DC) for the domain “” could not be contacted.

    Client can ping the server. Client has DNS set up done correctly pointing to AD server.

    Can bind DNS and AD internal DNS survive at the same time? I see Bind service running as well.

    Thanks for your help.


    • Author

      I would try the following:
      1. Make sure the time is set correctly on the client.
      2. Double-check the IP address and DNS addresses on the Server and the Client. Try adding the 2nd DNS upstream address if you had removed it.
      3. Make sure DNS is set correctly on the router and there are no firewall issues; put the client and server on a switch, not on separate router ports.
      4. Try stopping the bind service temporarily with the command 'service named stop' or '/etc/init.d/named stop'
      5. Start over with a new samba vm server & client!


  3. Sayantan 4 years ago

    acl and attr options , are they required for LVM partitions as well?


Leave a reply

Please enclose code in pre tags

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2021


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account