sudo apt update && sudo apt upgrade -y
sudo hostnamectl set-hostname ad1
sudo nano /etc/hosts

Add the following line, replacing <AD0-IP> with the IP address of the primary AD DC, so that the primary resolves even before DNS is working:

<AD0-IP>   ad0.test.local   ad0

Give the secondary AD DC a static IP and point its DNS at the primary DC (the join needs to resolve the domain's SRV records through an existing DC). Edit the netplan file under /etc/netplan/; the values in angle brackets are placeholders for your own addresses and interface name:

network:
  version: 2
  renderer: networkd
  ethernets:
    <INTERFACE>:
      dhcp4: false
      addresses:
        - <AD1-IP>/24
      routes:
        - to: default
          via: <GATEWAY-IP>
      nameservers:
        search: [test.local]
        addresses:
          - <AD0-IP>           # Primary DC

Apply, reboot, and test that the domain name resolves (it should answer with the primary DC's address):

sudo netplan apply
sudo reboot
ping test.local

Verify that the clocks on both DCs (ad0 and ad1) agree; Kerberos rejects tickets when the skew exceeds five minutes by default, and replication will fail with authentication errors. If necessary, point both machines at a common NTP server.


sudo apt-get install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind -y

When krb5-config prompts for the default Kerberos realm, answer with the domain in UPPER CASE (TEST.LOCAL):


Verify the Kerberos settings by requesting a ticket for the domain administrator with kinit (the realm is again upper case):

kinit administrator@TEST.LOCAL

Join the domain as a Domain Controller. Stop any Samba services first and move the distribution smb.conf out of the way, because samba-tool writes a new one during the join and refuses to run with an existing file in place:

sudo systemctl stop samba-ad-dc smbd nmbd winbind
sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.initial
sudo samba-tool domain join test.local DC -U "administrator"

Edit /etc/samba/smb.conf (the file samba-tool just generated) and add the following to the [global] section. Set dns forwarder to the upstream resolver that should receive queries for names outside the domain:

dns forwarder =
idmap_ldb:use rfc2307 = yes
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes

Note that winbind enum users/groups = yes makes wbinfo and getent list every account in the domain; it is convenient while validating the join but expensive in large domains, so consider turning it off afterwards.


Unmask and start the AD DC service, then check that replication with the primary DC reports no failures:

sudo systemctl unmask samba-ad-dc
sudo systemctl start samba-ad-dc
sudo samba-tool drs showrepl

Replace the system Kerberos configuration with the one Samba generated during the join, so that TEST.LOCAL is the default realm and a plain kinit works:

sudo mv /etc/krb5.conf /etc/krb5.conf.initial
sudo ln -s /var/lib/samba/private/krb5.conf /etc/
sudo kinit administrator

If everything went well, validate the domain services. The SRV records should list both ad0 and ad1 as Kerberos and LDAP servers; then create a test user on the secondary DC to check that changes replicate back to the primary:

host test.local
host -t SRV _kerberos._udp.test.local
host -t SRV _ldap._tcp.test.local
sudo samba-tool user create TestUser

On the primary AD DC (ad0), look for the new user; it should appear within a replication interval:

sudo samba-tool user list | grep TestUser

You can also list domain users and groups through winbind with the following commands (this relies on the winbind enum settings added above):

wbinfo -u
wbinfo -g
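The validation steps above (samba-tool drs showrepl, the SRV lookups and the replicated test user) are easy to eyeball once, but on a DC you want them repeatable. The script below is an added example and not part of the original guide: it parses the output of samba-tool drs showrepl for any partner that reports a failed last attempt or a non-zero consecutive-failure count, and checks that the domain's SRV answers from host -t SRV already advertise the new DC. The functions read command output on stdin, so the block runs offline against the constructed sample outputs embedded in it, and with the --live argument against the real commands on the DC (run as root, as the guide uses sudo). The hostnames ad0/ad1, the domain test.local and the sample texts are assumptions taken from this guide.

```bash
#!/usr/bin/env bash
# Post-join health check for a secondary Samba AD DC (added example, not
# part of the original guide). Two things most often go wrong after
# `samba-tool domain join ... DC`:
#   1. replication: every partner in `samba-tool drs showrepl` must show a
#      successful last attempt and 0 consecutive failures;
#   2. DNS: the domain's SRV records must advertise the new DC, otherwise
#      clients are never sent to it for LDAP/Kerberos.
# Both checks read the tool's output on stdin so they can run against live
# output (--live) or against the constructed samples below.

# Exit 0 if no replication partner reports a failure, 1 otherwise.
# Prints one FAIL line per problem, naming the partner it belongs to.
repl_ok() {
  awk '
    /via RPC$/ { sub(/^[ \t]+/, ""); sub(/ via RPC$/, ""); partner = $0 }
    /Last attempt/ && !/was successful/ { bad++; print "FAIL " partner ":" $0 }
    /consecutive failure/ && $1 != "0"  { bad++; print "FAIL " partner ":" $0 }
    END { exit (bad ? 1 : 0) }
  '
}

# Exit 0 if the `host -t SRV` answer on stdin lists $1 (a DC FQDN) as a
# record target, 1 otherwise.
srv_lists_dc() {
  grep -q "has SRV record .* $1\\.\$"
}

# Run both checks against the live tools on this DC: $1 = short DC name,
# $2 = domain. Needs root for samba-tool, as in the guide.
live_check() {
  local dc="$1" domain="$2" rc=0 svc
  samba-tool drs showrepl | repl_ok || rc=1
  for svc in _ldap._tcp _kerberos._udp _kerberos._tcp; do
    host -t SRV "$svc.$domain" | srv_lists_dc "$dc.$domain" \
      || { echo "FAIL $svc.$domain does not list $dc.$domain"; rc=1; }
  done
  return $rc
}

# Constructed samples in the format the two tools print (not captured from
# a real DC). Lines are tab-indented as showrepl prints them.
SHOWREPL_GOOD='Default-First-Site-Name\AD1
DSA Options: 0x00000001

==== INBOUND NEIGHBORS ====

DC=test,DC=local
	Default-First-Site-Name\AD0 via RPC
		Last attempt @ Mon Jan  1 10:00:00 2024 UTC was successful
		0 consecutive failure(s).
		Last success @ Mon Jan  1 10:00:00 2024 UTC

==== OUTBOUND NEIGHBORS ====

DC=test,DC=local
	Default-First-Site-Name\AD0 via RPC
		Last attempt @ Mon Jan  1 10:00:00 2024 UTC was successful
		0 consecutive failure(s).
		Last success @ Mon Jan  1 10:00:00 2024 UTC
'

# A partner that has never replicated successfully (e.g. wrong credentials
# or clock skew during the join): failed last attempt, 3 failures in a row.
SHOWREPL_BAD='Default-First-Site-Name\AD1

==== INBOUND NEIGHBORS ====

DC=test,DC=local
	Default-First-Site-Name\AD0 via RPC
		Last attempt @ Mon Jan  1 10:05:00 2024 UTC failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
		3 consecutive failure(s).
		Last success @ NTTIME(0)
'

SRV_SAMPLE='_ldap._tcp.test.local has SRV record 0 100 389 ad0.test.local.
_ldap._tcp.test.local has SRV record 0 100 389 ad1.test.local.
'

if [ "${1:-}" = "--live" ]; then
  live_check ad1 test.local
else
  printf '%s' "$SHOWREPL_GOOD" | repl_ok && echo "sample: replication OK"
  printf '%s' "$SHOWREPL_BAD"  | repl_ok || echo "sample: replication failure detected (expected)"
  printf '%s' "$SRV_SAMPLE"    | srv_lists_dc ad1.test.local && echo "sample: ad1 advertised in SRV"
fi
```

Run it as `sudo bash dc-check.sh --live` on ad1 after the join; a non-zero exit with FAIL lines means replication or DNS registration is not healthy yet. The DNS check matters because samba-tool registers the new DC's SRV records on its own internal DNS; if the primary does not see them within a replication interval, clients that query ad0 will never use ad1.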