Samba 4 (on a NAS) as Domain Controller across two sites

Posted on 2015-02-12
Medium Priority
Last Modified: 2015-04-24
I have a client with two offices. One has about 30 users and the other about 15.
They have Server 2003 at one site and a workgroup at the other. All Win 7 and Win 8.
They only use basic file/printer sharing.
I'm contemplating using a NAS running Samba 4 as a domain controller and doing away with Server 2003.
I would install a NAS at each site and a VPN between sites.
99% of the files they need to access will be on the local NAS. Occasionally they will need to access a document on the remote NAS. I don't want to replicate data between the NASes.
Should I have both sites on the same domain or two separate domains?
Should both sites be on the same subnet or different subnets?
Should I set up one NAS at the Active Domain Controller and the other as a Secondary Domain Controller?
What NAS devices should I consider for this?
If anyone has actually done this I would be interested in hearing about your experience.
Question by:akb
LVL 30

Accepted Solution

Rich Weissler earned 2000 total points
ID: 40608026
I'll be curious to see what other responses you receive to this question.  I very well may learn something new today.  Domain controllers provide several network services beyond common file access, not the least of which is a distributed common authentication method.  I believe there are NAS devices which can host an LDAP compatible directory, but I don't believe it'll be Active Directory, and that may be sufficient for your need in this case.  Or, because it sounds like your users really only consume file/print resources ... you may be able to get away with just the native directory built into each of the two NAS devices.  (Of course, in those rare cases where users need to access files in their 'non-native' NAS device, they'd need a second set of credentials.)  The point is, to provide Active Directory, or Active Directory type services... I think you'll need more than Samba.

When you start down the path of actual Active Directory, my first thought would be to look at Windows Server Essentials.  At that point, I start to look for NAS devices which might run Windows Server Essentials natively, and to my surprise I discover that Western Digital does offer such a box as does Thecus.  Unfortunately, I can't say that I have any experience with these boxes... this has all been a learning experience for me.  I'm not certain these NAS boxes will be less expensive than general purpose servers with storage and Windows Server 2012 R2 Std licenses.

What I can do today, is look at the specific questions in a more general manner:
> Should I have both sites on the same domain or two separate domains?
If you bother to go to the effort of installing Active Directory, I would tend to want the systems in the same domain.  That's kinda the point for me... to give the users a single set of credentials.  That said, if you go down the path of Windows Server Essentials, it has to be THE domain controller with all the FSMO roles, so you may not get a choice.
> Should both sites be on the same subnet or different subnets?
Connecting two sites with a VPN, I'd definitely have two different subnets.  (The only reason I'd try to bridge two sites with a common subnet is if you have some very specific product that can't be routed.  I haven't seen one of those since the early 1990s.)
> Should I set up one NAS at the Active Domain Controller and the other as a Secondary Domain Controller?
Domain Controllers are all active, and maintain a set of loosely coupled, distributed databases... which is one of the reasons I advocate having more than one domain controller in a domain -- each will maintain its own set of the directory data.
LVL 30

Expert Comment

by:Rich Weissler
ID: 40608270
More reading, and I've found what you already know -- Samba 4.0 can act as a Windows Server domain controller.  (I might suggest including some Linux topic areas to pull in some Samba experts.)  What I do see in the documentation suggests that it isn't recommended to use the same system as both a DC and file server.  Given that, you might want to consider repurposing the old server as the DC, and acquiring a NAS that supports joining a domain.
Given this revelation, I'd still recommend putting a DC in each of the two locations, defining each with a different subnet and a separate site within Active Directory.  (That said, having the two DCs in the same domain will cause some cross site replication of AD objects... but I assume your prohibition was against file replication between locations.)
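The recommendation above (one DC per location, each location on its own subnet and mapped to its own AD site) is easy to get subtly wrong when the subnets are chosen by hand on either side of a VPN. The following script is an added example, not code from the thread or from the Samba project: it validates a two-site plan (non-overlapping subnets, at least one DC per site) and emits the `samba-tool` commands that would create the sites, attach the subnets and join the second DC into its site. Site names, subnets and host names are constructed for the example; it assumes a `samba-tool` version that has the `sites subnet create` subcommand (Samba 4.9 and later) and the `--site` option on `domain join`.

```python
"""Sanity-check a two-site Samba AD plan and generate the samba-tool commands.

Added example for the thread above; all site names, subnets and hostnames
below are constructed, not taken from the original question.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List
import shlex


@dataclass
class Site:
    name: str            # AD site name, e.g. "HQ"
    subnets: List[str]   # CIDR blocks routed at that location
    dc_hosts: List[str]  # DCs physically at that location


def validate_sites(sites: List[Site]) -> List[str]:
    """Return a list of problems with the plan; an empty list means it is consistent.

    Checks: unique site names, every site has a DC, every subnet is a valid
    network (no host bits set) and no two subnets overlap, even across sites.
    """
    problems = []
    names = [s.name for s in sites]
    if len(set(names)) != len(names):
        problems.append("duplicate site names")
    seen = []  # (site name, ip_network) pairs already accepted
    for site in sites:
        if not site.dc_hosts:
            problems.append(f"site {site.name} has no domain controller")
        for cidr in site.subnets:
            try:
                net = ip_network(cidr, strict=True)
            except ValueError as exc:
                problems.append(f"{cidr} ({site.name}): {exc}")
                continue
            for other_name, other_net in seen:
                if net.overlaps(other_net):
                    problems.append(
                        f"{cidr} ({site.name}) overlaps {other_net} ({other_name})")
            seen.append((site.name, net))
    return problems


def provision_command(realm: str, netbios_domain: str) -> str:
    """Command that provisions the first DC (it creates the domain; it is not joined)."""
    return (f"samba-tool domain provision --realm={realm} --domain={netbios_domain} "
            "--server-role=dc --dns-backend=SAMBA_INTERNAL --use-rfc2307")


def site_commands(sites: List[Site]) -> List[str]:
    """Commands that create each AD site and attach its subnets to it."""
    cmds = []
    for site in sites:
        cmds.append(f"samba-tool sites create {shlex.quote(site.name)}")
        for cidr in site.subnets:
            cmds.append(f"samba-tool sites subnet create {cidr} {shlex.quote(site.name)}")
    return cmds


def join_commands(realm: str, sites: List[Site], first_dc: str) -> List[str]:
    """Join every DC other than the provisioning one, placing it in its own site."""
    cmds = []
    for site in sites:
        for host in site.dc_hosts:
            if host == first_dc:
                continue
            cmds.append(f"# run on {host}")
            cmds.append(f"samba-tool domain join {realm} DC -U administrator "
                        f"--site={shlex.quote(site.name)}")
    return cmds


# Constructed plan: two offices, two distinct routed subnets, one DC each.
PLAN = [
    Site("HQ", ["192.168.10.0/24"], ["dc-hq"]),
    Site("Branch", ["192.168.20.0/24"], ["dc-branch"]),
]
REALM = "AD.EXAMPLE.INTERNAL"   # placeholder realm
NETBIOS = "EXAMPLE"


def plan_commands(sites: List[Site] = PLAN) -> List[str]:
    """Validate the plan and return the full ordered command list, or raise."""
    problems = validate_sites(sites)
    if problems:
        raise ValueError("; ".join(problems))
    first_dc = sites[0].dc_hosts[0]
    return ([f"# run on {first_dc}", provision_command(REALM, NETBIOS)]
            + site_commands(sites)
            + join_commands(REALM, sites, first_dc))


if __name__ == "__main__":
    print("\n".join(plan_commands()))
```

The overlap check is the part worth keeping even if you never run the generated commands: a branch subnet that falls inside the head-office range will still "work" until the site-to-subnet mapping sends the branch clients to the wrong DC over the VPN.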
LVL 13

Author Comment

ID: 40608761
Thanks for your detailed reply Rich.

Windows Server Essentials is something I considered briefly. Unfortunately it has a maximum of 25 users. I have 30 users at one site and 15 at the other. I also need room for expanding that number.

Authentication is the primary role I'm looking for. Data storage is only secondary. I already have several NAS devices so maybe I should look at using a dedicated Samba 4 NAS as an AD controller and use my existing NASes for data storage - they do support joining a domain.

I'm not worried about cross site replication of AD objects, I just don't want file replication between sites.
LVL 13

Author Closing Comment

ID: 40743361
I ended up going with two Server 2012 systems.
I wasn't willing to take the risk of using the NAS boxes between two sites.
In the meantime, I have used a QNAP at a small customer's site (10 users) as an AD controller. It works beautifully.
Thanks for your detailed input Rich W.
