
Samba 4 (on a NAS) as Domain Controller across two sites

I have a client with two offices. One has about 30 users and the other about 15.
They have Server 2003 at one site and a workgroup at the other. All Win 7 and Win 8.
They only use basic file/printer sharing.
I'm contemplating using a NAS running Samba 4 as a domain controller and doing away with Server 2003.
I would install a NAS at each site and a VPN between sites.
99% of the files they need to access will be on the local NAS. Occasionally they will need to access a document on the remote NAS. I don't want to replicate data between the NAS's.
Should I have both sites on the same domain or two separate domains?
Should both sites be on the same subnet or different subnets?
Should I set up one NAS as the Active Domain Controller and the other as a Secondary Domain Controller?
What NAS devices should I consider for this?
If anyone has actually done this I would be interested in hearing about your experience.
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) Commented:
I'll be curious to see what other responses you receive to this question.  I very well may learn something new today.  Domain controllers provide several network services beyond common file access, not the least of which is a distributed common authentication method.  I believe there are NAS devices which can host an LDAP compatible directory, but I don't believe it'll be Active Directory, and that may be sufficient for your need in this case.  Or, because it sounds like your users really only consume file/print resources ... you may be able to get away with just the native directory built into each of the two NAS devices.  (Of course, in those rare cases where users need to access files in their 'non-native' NAS device, they'd need a second set of credentials.)  The point is, to provide Active Directory, or Active Directory type services... I think you'll need more than Samba.

When you start down the path of actual Active Directory, my first thought would be to look at Windows Server Essentials.  At that point, I start to look for NAS devices which might run Windows Server Essentials natively, and to my surprise I discover that Western Digital does offer such a box as does Thecus.  Unfortunately, I can't say that I have any experience with these boxes... this has all been a learning experience for me.  I'm not certain these NAS boxes will be less expensive than general purpose servers with storage and Windows Server 2012 R2 Std licenses.

What I can do today, is look at the specific questions in a more general manner:
> Should I have both sites on the same domain or two separate domains?
If you bother to go to the effort of installing Active Directory, I would tend to want the systems in the same domain.  That's kinda the point for me... to give the users a single set of credentials.  That said, if you go down the path of Windows Server Essentials, it has to be THE domain controller with all the FSMO roles, so you may not get a choice.
> Should both sites be on the same subnet or different subnets?
Connecting two sites with a VPN, I'd definitely have two different subnets.  (The only reason I'd try to bridge two sites with a common subnet is if you have some very specific product that can't be routed.  I haven't seen one of those since the early 1990s.)
> Should I set up one NAS as the Active Domain Controller and the other as a Secondary Domain Controller?
Domain Controllers are all active, and maintain a set of loosely coupled, distributed databases... which is one of the reasons I advocate having more than one domain controller in a domain -- each will maintain its own set of the directory data.
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) Commented:
More readings, and I've found what you already know -- Samba 4.0 can act as a Windows Server domain controller.  (I might suggest including some Linux topic areas to pull in some Samba experts.)  What I do see in the documentation suggests that it isn't recommended to use the same system as both a DC and File server.  Given that, you might want to consider repurposing the old server as the DC, and acquiring a NAS that supports joining a domain.
Given this revelation, I'd still recommend putting a DC in each of the two locations, defining each with a different subnet and a separate site within Active Directory.  (That said, having the two DCs in the same domain will cause some cross site replication of AD objects... but I assume your prohibition was against file replication between locations.)
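
The layout recommended in the comment above (one DC per location, a separate subnet and a separate Active Directory site for each), sketched with `samba-tool` as an added example that is not part of the original thread. The site names, subnets and the domain `example.test` are constructed placeholders, and it assumes the first Samba AD DC is already provisioned and that the installed `samba-tool` includes the `sites subnet` subcommand.

```shell
#!/bin/sh
# Added example: two AD sites, one subnet each, one Samba DC per site.
# All names, subnets and the domain are constructed placeholders.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# define_site NAME SUBNET: create an AD site and bind one IP subnet to it,
# so clients in that subnet are directed to the DC at their own location.
define_site() {
    site="$1"; subnet="$2"
    # Reject anything that is not shaped like a.b.c.d/len before running.
    case "$subnet" in
        *[!0-9./]*|*/*/*|/*|*/) echo "bad subnet: $subnet" >&2; return 1 ;;
        */*) ;;
        *) echo "bad subnet: $subnet" >&2; return 1 ;;
    esac
    run samba-tool sites create "$site" &&
    run samba-tool sites subnet create "$subnet" "$site"
}

# Run on the existing (first) DC: declare both sites and their subnets.
first_dc_steps() {
    define_site "SiteA" "192.168.10.0/24" || return 1
    define_site "SiteB" "192.168.20.0/24" || return 1
}

# Run on the new DC at the second location, over the VPN.
second_dc_steps() {
    # Join the same domain as an additional DC, placed in SiteB.
    run samba-tool domain join example.test DC -U Administrator --site=SiteB
    # Confirm that directory (AD object) replication with the first DC works.
    run samba-tool drs showrepl
}

# Print the full plan when the script is run as-is.
first_dc_steps && second_dc_steps
```

Only directory objects replicate between the two DCs in this layout; file shares on each NAS stay local unless something else is configured to copy them.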
akb (Author) Commented:
Thanks for your detailed reply Rich.

Windows Server Essentials is something I considered briefly. Unfortunately it has a maximum of 25 users. I have 30 users at one site and 15 at the other. I also need room for expanding that number.

Authentication is the primary role I'm looking for. Data storage is only secondary. I already have several NAS devices so maybe I should look at using a dedicated Samba 4 NAS as an AD controller and use my existing NAS's for data storage - they do support joining a domain.

I'm not worried about cross site replication of AD objects, I just don't want file replication between sites.
akb (Author) Commented:
I ended up going with two Server 2012 systems.
I wasn't willing to take the risk of using the NAS boxes between two sites.
In the meanwhile, I have used a QNAP at a small customer's site (10 users) as an AD controller. It works beautifully.
Thanks for your detailed input Rich W.
