Solved

Samba 4 (on a NAS) as Domain Controller across two sites

Posted on 2015-02-12
Last Modified: 2015-04-24
I have a client with two offices. One has about 30 users and the other about 15.
They have Server 2003 at one site and a workgroup at the other. All Win 7 and Win 8.
They only use basic file/printer sharing.
I'm contemplating using a NAS running Samba 4 as a domain controller and doing away with Server 2003.
I would install a NAS at each site and a VPN between sites.
99% of the files they need to access will be on the local NAS. Occasionally they will need to access a document on the remote NAS. I don't want to replicate data between the NAS's.
Should I have both sites on the same domain or two separate domains?
Should both sites be on the same subnet or different subnets?
Should I set up one NAS at the Active Domain Controller and the other as a Secondary Domain Controller?
What NAS devices should I consider for this?
If anyone has actually done this I would be interested in hearing about your experience.
Question by:akb
LVL 29

Accepted Solution

by: Rich Weissler (earned 500 total points)
ID: 40608026
I'll be curious to see what other responses you receive to this question.  I very well may learn something new today.  Domain controllers provide several network services beyond common file access, not the least of which is a distributed common authentication method.  I believe there are NAS devices which can host an LDAP compatible directory, but I don't believe it'll be Active Directory, and that may be sufficient for your need in this case.  Or, because it sounds like your users really only consume file/print resources ... you may be able to get away with just the native directory built into each of the two NAS devices.  (Of course, in those rare cases where users need to access files in their 'non-native' NAS device, they'd need a second set of credentials.)  The point is, to provide Active Directory, or Active Directory type services... I think you'll need more than Samba.

When you start down the path of actual Active Directory, my first thought would be to look at Windows Server Essentials.  At that point, I start to look for NAS devices which might run Windows Server Essentials natively, and to my surprise I discover that Western Digital does offer such a box as does Thecus.  Unfortunately, I can't say that I have any experience with these boxes... this has all been a learning experience for me.  I'm not certain these NAS boxes will be less expensive than general purpose servers with storage and Windows Server 2012 R2 Std licenses.

What I can do today, is look at the specific questions in a more general manner:
> Should I have both sites on the same domain or two separate domains?
If you bother to go to the effort of installing Active Directory, I would tend to want the systems in the same domain.  That's kinda the point for me... to give the users a single set of credentials.  That said, if you go down the path of Windows Server Essentials, it has to be THE domain controller with all the FSMO roles, so you may not get a choice.
> Should both sites be on the same subnet or different subnets?
Connecting two sites with a VPN, I'd definitely have two different subnets.  (The only reason I'd try to bridge two sites with a common subnet is if you have some very specific product that can't be routed.  I haven't seen one of those since the early 1990s.)
> Should I set up one NAS at the Active Domain Controller and the other as a Secondary Domain Controller?
Domain Controllers are all active, and maintain a set of loosely coupled, distributed databases... which is one of the reasons I advocate having more than one domain controller in a domain -- each will maintain its own set of the directory data.
LVL 29

Expert Comment

by: Rich Weissler
ID: 40608270
More readings, and I've found what you already know -- Samba 4.0 can act as a Windows Server domain controller.  (I might suggest including some Linux topic areas to pull in some Samba experts.)  What I do see in the documentation suggests that it isn't recommended to use the same system as both a DC and file server.  Given that, you might want to consider repurposing the old server as the DC, and acquiring a NAS that supports joining a domain.
Given this revelation, I'd still recommend putting a DC in each of the two locations, defining each with a different subnet and a separate site within Active Directory.  (That said, having the two DCs in the same domain will cause some cross site replication of AD objects... but I assume your prohibition was against file replication between locations.)
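The two answers above recommend one domain, one DC per location, a distinct routed subnet per location, and a matching site object in Active Directory so that clients authenticate against the DC at their own office. The following script is an added example, not code from the original thread or from the Samba project: it checks a two-site plan for the mistakes that break site-awareness (a DC address outside its site's subnet, overlapping subnets, a site with no DC) and then prints the samba-tool commands that declare the sites and subnets and join the second DC. The site names, subnets, host names, addresses and realm are constructed sample values; the samba-tool subcommands (`sites create`, `sites subnet create`, `domain join ... --site`) are assumed to be available in the Samba release being deployed.

```python
"""Sanity-check a two-site Samba AD DC layout and emit the samba-tool plan."""
import ipaddress
import shlex

# Constructed sample layout (hypothetical names and addresses).
REALM = "corp.example"
SITES = {
    "Office-A": {"subnet": "10.10.0.0/24", "dc": "dc1", "dc_ip": "10.10.0.5"},
    "Office-B": {"subnet": "10.20.0.0/24", "dc": "dc2", "dc_ip": "10.20.0.5"},
}


def validate_sites(sites):
    """Return a list of problems with the plan; an empty list means it is consistent."""
    problems = []
    nets = {}
    for name, s in sites.items():
        if not s.get("dc"):
            problems.append(f"{name}: no domain controller assigned")
        try:
            # strict=True rejects a host address written as a prefix (e.g. 10.10.0.5/24)
            net = ipaddress.ip_network(s["subnet"], strict=True)
        except ValueError as e:
            problems.append(f"{name}: bad subnet {s['subnet']!r}: {e}")
            continue
        nets[name] = net
        if s.get("dc_ip"):
            ip = ipaddress.ip_address(s["dc_ip"])
            if ip not in net:
                problems.append(f"{name}: DC {s['dc']} ({ip}) is outside site subnet {net}")
    # Overlapping subnets would let one address map to two sites, defeating
    # the local-DC preference the topology is meant to provide.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"subnets of {a} ({nets[a]}) and {b} ({nets[b]}) overlap")
    return problems


def samba_site_commands(sites, realm=REALM):
    """Emit the samba-tool commands that declare each site/subnet and join extra DCs.

    The first site in the mapping is assumed to hold the DC that provisioned the
    domain; every later site gets a 'domain join ... DC --site=' command.
    """
    cmds = []
    for name, s in sites.items():
        cmds.append(f"samba-tool sites create {shlex.quote(name)}")
        cmds.append(
            f"samba-tool sites subnet create {shlex.quote(s['subnet'])} {shlex.quote(name)}"
        )
    for name in list(sites)[1:]:
        # Run on the additional DC itself; it becomes a full, writable replica.
        cmds.append(
            f"samba-tool domain join {shlex.quote(realm)} DC -U Administrator "
            f"--site={shlex.quote(name)}"
        )
    return cmds


if __name__ == "__main__":
    issues = validate_sites(SITES)
    if issues:
        for p in issues:
            print("PROBLEM:", p)
        raise SystemExit(1)
    print("\n".join(samba_site_commands(SITES)))
```

Run it before provisioning: a non-empty problem list means the subnet-to-site mapping would not do what the answers above describe. The join command is printed for review rather than executed, since it prompts for credentials and must run on the second DC.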
LVL 13

Author Comment

by: akb
ID: 40608761
Thanks for your detailed reply Rich.

Windows Server Essentials is something I considered briefly. Unfortunately it has a maximum of 25 users. I have 30 users at one site and 15 at the other. I also need room for expanding that number.

Authentication is the primary role I'm looking for. Data storage is only secondary. I already have several NAS devices so maybe I should look at using a dedicated Samba 4 NAS as an AD controller and use my existing NAS's for data storage - they do support joining a domain.

I'm not worried about cross site replication of AD objects, I just don't want file replication between sites.
LVL 13

Author Closing Comment

by: akb
ID: 40743361
I ended up going with two Server 2012 systems.
I wasn't willing to take the risk of using the NAS boxes between two sites.
In the meanwhile, I have used a QNAP at a small customer's site (10 users) as an AD controller. It works beautifully.
Thanks for your detailed input Rich W.