diff --git a/ad-server/handlers/main.yml b/ad-server/handlers/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..ac970bdda6f6891d3b16fb065a4eee38015a94f4
--- /dev/null
+++ b/ad-server/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+# file: roles/ad-auth/handlers/main.yml
+
+- name: restart samba-ad-dc server
+  service: name=samba-ad-dc state=restarted
+
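Review bot: The header comment on the handler file names a different role than the one the file lives in: `# file: roles/ad-auth/handlers/main.yml` sits in `ad-server/handlers/main.yml`, so it should read `# file: roles/ad-server/handlers/main.yml` (the tasks file in this same commit already uses the `ad-server` path). As a point of style, the `key=value` argument string on the `service:` line could be written as block YAML, `service:` / `name: samba-ad-dc` / `state: restarted`, which is the form Ansible's own documentation and linters prefer and diffs more cleanly.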
diff --git a/ad-server/tasks/main.yml b/ad-server/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..8c2cd44382d9492ffced35ab938d0b0167ac6a82
--- /dev/null
+++ b/ad-server/tasks/main.yml
@@ -0,0 +1,82 @@
+---
+# file: roles/ad-server/tasks/main.yml
+
+- name: ensure ad-server is installed
+  apt: name=samba state=latest
+  tags: 
+    - packages
+    - ad-server
+
+- name: ensure winbind is for some reasons installed
+  apt: name=samba state=latest
+  tags: 
+    - packages
+    - ad-server
+
+- name: figure out if domain is provisioned
+  stat: path=/var/lib/samba/sysvol/{{ domain }}
+  register: domain_provisioned
+  tags: 
+    - ad-server
+    - domain-provision
+
+
+- name: ensure smb.conf is absent for provision
+  file: path=/etc/samba/smb.conf state=absent
+  when: domain_provisioned.stat.exists == False
+  tags: 
+    - ad-server
+    - domain-provision
+
+- name: get admin password for SAMBA
+  local_action: pass name="samba-admin" state=present generate=20 store=FSMPI_PASSWORD_STORE_DIR limit=yes
+  register: adminpass
+  when: domain_provisioned.stat.exists == False
+  tags:
+    - ad-server
+    - domain-provision
+    - password
+
+
+# provision smb-domain. passwords will be selected at random and safed to /root/smb-provision.log)
+# TODO: Evaluate if internal DNS-backend is powerful enough for usecase otherwise bind9 is needed
+
+- name: ensure domain is provisioned
+  shell: samba-tool domain provision --use-rfc2307 --domain={{ smb_domain }} --server-role=dc --host-name={{ ansible_hostname }} --realm={{ REALM }} --dns-backend=None --adminpass={{ adminpass.password }}  2> /root/smb-provision.log
+  when: domain_provisioned.stat.exists == False
+  tags: 
+    - ad-server
+    - domain-provision
+
+- name: ensure smb.conf is correct
+  template: src=smb.conf.j2 dest=/etc/samba/smb.conf owner=root group=root mode=0644
+  notify: restart samba-ad-dc server
+  tags: 
+    - ad-server
+    - config
+
+- name: ensure smbd is stopped and disabled
+  service: name=smbd state=stopped enabled=no
+  tags: 
+    - ad-server
+    - service
+
+- name: ensure nmbd is stopped and disabled
+  service: name=nmbd state=stopped enabled=no
+  tags: 
+    - ad-server
+    - service
+
+#- name: ensure samba-ad-dc unit is running, enabled and not masked
+# systemd: name=samba-ad-dc masked=no state=running enabled=yes
+- debug:
+    msg: "Ensure samba-ad-dc unit is not masked.  This functionality will come in ansible 2.2, you should refactor this role"  
+
+- name: ensure samba-ad-dc is running and enabled
+  service: name=samba-ad-dc state=running enabled=yes
+  tags: 
+    - ad-server
+    - service
+
+
+- meta: flush_handlers
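Review bot: The provisioning task passes the generated admin password on the command line, `--adminpass={{ adminpass.password }}`, and neither it nor the `get admin password for SAMBA` task sets `no_log`, so the password ends up in the registered-result output and in Ansible's task log; add `no_log: true` to both tasks, and consider that the stderr redirect to `/root/smb-provision.log` is created with the shell's default mode rather than an explicit restrictive one. Separately, the task named `ensure winbind is for some reasons installed` repeats `apt: name=samba state=latest` instead of installing `winbind`, so either the name or the package is wrong; and `state=latest` on both apt tasks upgrades samba on every run, which for a domain controller is usually better pinned to `state=present` with upgrades done deliberately. The `when: domain_provisioned.stat.exists == False` comparisons (also on the smb.conf-removal and password tasks) are idiomatically `when: not domain_provisioned.stat.exists`. The `--dns-backend=None` value is presumably meant to be the backend name samba-tool accepts; the TODO above the task already flags that this choice needs evaluation, so it is worth confirming the spelling against the installed samba-tool at the same time.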
diff --git a/ad-server/templates/smb.conf.j2 b/ad-server/templates/smb.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..32827e119c49871c380e982c9a2ef522b0555f89
--- /dev/null
+++ b/ad-server/templates/smb.conf.j2
@@ -0,0 +1,31 @@
+
+# Global parameters
+[global]
+        workgroup = {{ smb_domain }}
+        realm = {{ REALM }}
+        netbios name = {{ ansible_hostname }}
+        server role = active directory domain controller
+        idmap_ldb:use rfc2307 = yes
+        idmap config uid : range = 10000-20000
+        idmap config gid : range = 10000-20000
+        template shell = /bin/bash
+        template homedir = /home/%U
+        registry shares = no
+
+        username map = /etc/samba/usermap.map
+
+	kdc:service ticket lifetime = {{ service_ticket_lifetime }}
+	kdc:user ticket lifetime = {{ user_ticket_lifetime }}
+	kdc:renewal lifetime = {{ renewal_lifetime }}
+
+
+
+[netlogon]
+        path = /var/lib/samba/sysvol/{{ domain }}/scripts
+        read only = No
+
+[sysvol]
+        path = /var/lib/samba/sysvol
+        read only = No
+
+
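Review bot: The three `kdc:` lines (`kdc:service ticket lifetime`, `kdc:user ticket lifetime`, `kdc:renewal lifetime`) are indented with a tab while every other parameter in `[global]` uses eight spaces; smb.conf does not care, but the mixed indentation reads as a paste artifact and should be normalized to spaces like the rest of the file. The template also references `username map = /etc/samba/usermap.map`, and nothing in this commit's tasks file appears to deploy that file, so presumably it is provided elsewhere — a comment such as `# usermap.map is expected to be managed outside this role` next to that line would save the next reader the search. The leading blank line before `# Global parameters` and the trailing blank lines at the end of the template can be dropped.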