Mixing Linux & Windows Server in a SMB



  • Hi Everyone,

    First post here, I'm doing some preliminary planning for a small business with 3 branches, each connected by VPN to the main branch. There are only about 10 employees per branch.

    They use 3rd party software for point of sale and inventory management. The software is M$ only and require M$ SQL server and Windows Server for their software to run. The licencing costs for those have proven very expensive for such a small company.

    Bandwidth restrictions have made me nervous about hosting active directory through the VPNs so I plan on setting up domain controllers and file servers at each branch.

    To save a few thousand dollars I was considering going with Linux for each one of theses branches. However, this would mean that the entire company then would have a mix of Linux and windows servers.

    This isn't a problem for me but if I were unavailable for some reason and another IT contractor had to step in I'm concerned I would be a mess to find someone with both Linux and Windows administration experience (it's a rural area).

    I'm also wondering if i'm underestimating the time and cost to get these Linux servers up and running and integrated with Server 2016.

    I know there are a lot of variables involved but I estimate the cost savings to be around $5,000 dollars with the Linux instead of windows at the branch stores.

    So which, in your opinion, is the better investment?



  • @cggart welcome to MangoLassi!



  • @cggart said in Mixing Linux & Windows Server in a SMB:

    Bandwidth restrictions have made me nervous about hosting active directory through the VPNs so I plan on setting up domain controllers and file servers at each branch.

    How tight is the bandwidth? AD needs effectively nothing. How many users do you have at each branch? Even a 64Kb/s line could service hundreds of users on AD without an issue.



  • @cggart said in Mixing Linux & Windows Server in a SMB:

    To save a few thousand dollars I was considering going with Linux for each one of theses branches.

    Obvious question: if you are willing to have any Linux, why not go all Linux (for AD at least?)



  • @scottalanmiller said in Mixing Linux & Windows Server in a SMB:

    @cggart said in Mixing Linux & Windows Server in a SMB:

    To save a few thousand dollars I was considering going with Linux for each one of theses branches.

    Obvious question: if you are willing to have any Linux, why not go all Linux (for AD at least?)

    I was about to ask what about using SAMBA for the AD Domain Controllers.



  • @scottalanmiller We could go all Linux but as I mentioned we are required to have windows for the 3rd party software at the main branch. The licencing was already in place and I figured we could just use windows since it was already there. However, we could use Linux for all of it.

    We have about 7Mb/s down and 2 Mb/s up i'm less concerned with the active directory as I am the file server and since we had a file server I figured having active directory on that same server would be a good idea. However, we could just have the file server at the remote branches and handle active directory through the central branch.



  • @cggart said in Mixing Linux & Windows Server in a SMB:

    This isn't a problem for me but if I were unavailable for some reason and another IT contractor had to step in I'm concerned I would be a mess to find someone with both Linux and Windows administration experience (it's a rural area).

    http://www.smbitjournal.com/2015/08/avoiding-local-service-providers/

    You don't want local people for Linux or Windows. Server work should never have a "local" consideration. Cabling, electrical work, physically putting machines on desks... sure. But even those things a remote company can potentially accommodate. But for work on servers you should never be working on the servers "in person" anyway, even if the consulting admin lives across the street you wouldn't want him physically in your shop.

    I need to pump out an article on why Linux is easier to hire than Windows and why needing Linux might make supporting Windows easier, but the theory is that Windows is the hardest thing to get serviced and the plethora of people and companies claiming to offer Windows services is so large that finding someone qualified and skilled is actually incredibly hard. Whereas finding someone to service Linux is actually, I believe, dramatically easier because the number of people claiming to do it is so much lower. Linux has a natural "you can't be bluffing" barring to it that Windows does not have (even people who have never seen Windows can click around and look semi-competent without knowing anything about how it works.)

    I think that adding Linux will likely have some transitional overhead but overall will make support easier for you, not harder.



  • @cggart said in Mixing Linux & Windows Server in a SMB:

    @scottalanmiller We could go all Linux but as I mentioned we are required to have windows for the 3rd party software at the main branch. The licencing was already in place and I figured we could just use windows since it was already there. However, we could use Linux for all of it.

    It might make very little difference in licensing if you need CALs already for all of the POS software. But if the CALs for that are not as broad as you need for AD, you might have a bit of savings by scaling back your Windows infrastructure.



  • @cggart said in Mixing Linux & Windows Server in a SMB:

    We have about 7Mb/s down and 2 Mb/s up i'm less concerned with the active directory as I am the file server and since we had a file server I figured having active directory on that same server would be a good idea. However, we could just have the file server at the remote branches and handle active directory through the central branch.

    That's how I would normally handle that. AD from central works really well. Local file servers are often needed. They use all the bandwidth.

    Linux fileservers are trivial to maintain. AD takes a bit more.



  • @scottalanmiller This actually makes a lot of rational sense but is counter intuitive for some reason. I guess I had a little too much of the M$ cool aid. I would love to see a write up your mentioned.

    Also, regarding have remote support, I agree. We live is such a rural area (literally a 5 hour drive to a town big enough to have a stop light). Once the network is in place getting support shouldn't be an issue we can just give the VPN credentials to a qualified sysAdmin any where in the world.



  • @cggart said in Mixing Linux & Windows Server in a SMB:

    I would be a mess to find someone with both Linux and Windows administration experience (it's a rural area).

    You don't want someone with both, you want a Windows expert and a Linux expert. Don't look to hire consulting generalists unless they are CIO level. For technical experts you want people who are focused. Better skills, lower cost.



  • @cggart said in Mixing Linux & Windows Server in a SMB:

    Also, regarding have remote support, I agree. We live is such a rural area (literally a 5 hour drive to a town big enough to have a stop light). That said I agree about the remote support.

    In the enterprise, a system admin is not expected to ever even see their servers. Admins work from home or from high rises or whatever - office spaces. Servers go in datacenters with tight security and clean rooms. So generally admins aren't in the same area, often not even the same state or country, as their servers. There's no reason for it. Even if they are in the same building you would not want the people who have logical access to the servers to be the same ones that have physical access; and vice versa.



  • @cggart said in Mixing Linux & Windows Server in a SMB:

    Once the network is in place getting support shouldn't be an issue we can just give the VPN credentials to a qualified sysAdmin any where in the world.

    Not VPN. Other methods like ScreenConnect, TeamViewer, SSH, etc. VPN is a security problem and should never be used for outsiders to connect in. They should never need it, and no one should want it. It exposes you to them and them to you. It's bad for everyone and very cumbersome.



  • @cggart said in Mixing Linux & Windows Server in a SMB:

    I'm also wondering if i'm underestimating the time and cost to get these Linux servers up and running and integrated with Server 2016.

    Linux AD only goes to 2008 R2. So if your forest is still 2008 R2, not a big deal. If it is 2012 or higher, you are out of luck for now.



  • @scottalanmiller I see so we are stuck with Windows then anyways. Intresting point you made about the VPN. I've worked some other small business and that is how support was administered. Now that I think about it it does give access to the entire network where the other options you listed limit it only to where it is needed. I suppose that's obvious just didn't occur to me for some reason.



  • Hey Scott, I just wanted to make sure that there were no other file servers out there that support active directory integration with Server 2016 right? The ONLY option for us (given that we are stuck with 2016 already ) is the use Microsoft products for our entire domain right? Every file server including FreeNAS and BSD will be unusable in our environment?



  • @cggart said in Mixing Linux & Windows Server in a SMB:

    Hey Scott, I just wanted to make sure that there were no other file servers out there that support active directory integration with Server 2016 right? The ONLY option for us (given that we are stuck with 2016 already ) is the use Microsoft products for our entire domain right? Every file server including FreeNAS and BSD will be unusable in our environment?

    All fileservers should work fine. Any AD integrated NAS or file server will work with 2016. You have zero Windows dependency.



  • @cggart said in Mixing Linux & Windows Server in a SMB:

    @scottalanmiller I see so we are stuck with Windows then anyways. Intresting point you made about the VPN. I've worked some other small business and that is how support was administered. Now that I think about it it does give access to the entire network where the other options you listed limit it only to where it is needed. I suppose that's obvious just didn't occur to me for some reason.

    Yup. General rule is fire any vendor that requests VPN.



  • @cggart said in Mixing Linux & Windows Server in a SMB:

    @scottalanmiller I see so we are stuck with Windows then anyways. Intresting point you made about the VPN. I've worked some other small business and that is how support was administered. Now that I think about it it does give access to the entire network where the other options you listed limit it only to where it is needed. I suppose that's obvious just didn't occur to me for some reason.

    I'm using ZeroTier (no bridging!) to get to the bastion hosts of the systems I manage. Very recommended, It's easy to use and IMHO much more secure and simple than obscure NAT forwarding through many routers etc.



  • @scottalanmiller

    Linux AD only goes to 2008 R2. So if your forest is still 2008 R2, not a big deal. If it is 2012 or higher, you are out of luck for now.

    I've been researching and have found a lot of posts stating 2012 DCs and 2008 DCs will work together. Provided the "functional level" is set to 2008.

    However , I found nothing regarding Linux & Windows Server 2016 AD support. Is there a reliable authority I can reference to determine what is or is not compatible or is this just trail and error?

    I did find one page, on the SAMBA wiki, saying "Joining a Windows Server 2012 or 2012 R2 DC to a Samba AD breaks the AD replication!" Was this what you were referring to?

    I've taken your word for it and moved on, but I would really like to understand why for my own benefit.

    Would you mind elaborating on why 2016 DC wont play ball with a Linux DC, and why Linux file server will authenticate with a 2016 DC just fine?

    Is it that there is some new features in 2016 DC that aren't available in 2008 DC that Windows 10+ clients might be expecting?



  • @Francesco-Provino said in Mixing Linux & Windows Server in a SMB:

    @cggart said in Mixing Linux & Windows Server in a SMB:

    @scottalanmiller I see so we are stuck with Windows then anyways. Intresting point you made about the VPN. I've worked some other small business and that is how support was administered. Now that I think about it it does give access to the entire network where the other options you listed limit it only to where it is needed. I suppose that's obvious just didn't occur to me for some reason.

    I'm using ZeroTier (no bridging!) to get to the bastion hosts of the systems I manage. Very recommended, It's easy to use and IMHO much more secure and simple than obscure NAT forwarding through many routers etc.

    But is the same at VPN - so where is the security there?



  • @cggart said in Mixing Linux & Windows Server in a SMB:

    @scottalanmiller

    Linux AD only goes to 2008 R2. So if your forest is still 2008 R2, not a big deal. If it is 2012 or higher, you are out of luck for now.

    I've been researching and have found a lot of posts stating 2012 DCs and 2008 DCs will work together. Provided the "functional level" is set to 2008.

    However , I found nothing regarding Linux & Windows Server 2016 AD support. Is there a reliable authority I can reference to determine what is or is not compatible or is this just trail and error?

    I did find one page, on the SAMBA wiki, saying "Joining a Windows Server 2012 or 2012 R2 DC to a Samba AD breaks the AD replication!" Was this what you were referring to?

    Exactly - this is why you are limited to 2008 level of AD

    Would you mind elaborating on why 2016 DC wont play ball with a Linux DC, and why Linux file server will authenticate with a 2016 DC just fine?

    Actually, if the function level of your 2016 Server is 2008 or lower, you will be able to use Linux DCs, but if it's higher, you're out of luck.

    Is it that there is some new features in 2016 DC that aren't available in 2008 DC that Windows 10+ clients might be expecting?

    No, Windows 10 isn't the issue here. It's that MS has updated features that the Linux community hasn't added for the required compatibility yet.



  • @Dashrender Thanks for the reply. So how does this affect a simple Linux file server?

    It isn't a domain controller just present on the domain and using active directory for authentication. Are there any "features" that 2012+ active directory has that will cause issues?

    Scott said it was fine, but I just want to understand exactly why.

    I'm hesitant to deploy a Linux server into production without knowing for sure that server 2016 has changed something in a protocol or schema that is going to cause major issues...



  • @cggart said in Mixing Linux & Windows Server in a SMB:

    @Dashrender Thanks for the reply. So how does this affect a simple Linux file server?

    It isn't a domain controller just present on the domain and using active directory for authentication. Are there any "features" that 2012+ active directory has that will cause issues?

    Scott said it was fine, but I just want to understand exactly why.

    I'm hesitant to deploy a Linux server into production without knowing for sure that server 2016 has changed something in a protocol or schema that is going to cause major issues...

    It doesn't affect member systems.



  • @scottalanmiller said in Mixing Linux & Windows Server in a SMB:

    It doesn't affect member systems.

    Right, AD has all kinds of extra stuff in it. A member server is just authentication. As long as Linux Samba supports the same authentication protocols you'll be good to go.



  • @scottalanmiller @Dashrender

    Thanks guys
    I understand the outstanding SAMBA bug doesn't' affect member systems, just replication between DCs.

    I guess what i'm struggling with, being my first time setting this up and all, is the lack of an official list of supported clients/hosts from either from Microsoft or from the dev teams responsible for the Linux implementation of LDAP, Kerberos, Winbind, SAMBA....

    Microsoft does list some supported operating systems for Server 2012 and "later". From which XP was recently removed.

    However, I can't find anything on the Linux side other than that SAMBA bug with replication between DCs. I'm just trying to establish why Scott and others are so confident in Linux client support for ALL Windows DC functional levels.

    I'm guessing that its either:

    • A ) Client/member support just isn't, and wont be, an issue because the protocols used ( Kerberos, LDAP, and so on) havn't/wont change from version to version of Windows.

    • B ) The devs behind the Linux integration always keep these protocols up to date.

    I'm also assuming that you guys, and others, have tested this in production and in the lab and confirmed for yourselves there aren't any issues.

    I'm in the process of doing that myself at my home lab. I've just been out of the loop, and am just now catching up. I haven't seen how client support has/hasn't changed over there years which makes me a little wary.

    Your two cents would be much appreciated. Sorry for not be more articulate in the first place.



  • @cggart said in Mixing Linux & Windows Server in a SMB:

    @scottalanmiller @Dashrender

    Thanks guys
    I understand the outstanding SAMBA bug doesn't' affect member systems, just replication between DCs.

    Which bug is that?



  • @cggart said in Mixing Linux & Windows Server in a SMB:

    However, I can't find anything on the Linux side other than that SAMBA bug with replication between DCs. I'm just trying to establish why Scott and others are so confident in Linux client support for ALL Windows DC functional levels.

    Why do you assume a problem? This is how Linux works all day, every day. Literally millions of installations do this constantly. It's not just Linux, it's every non-Windows OS except for Mac (which doesn't work well) uses Samba. There is no "Linux side" here, first of all, it is an application question about Samba, nothing to do with Linux itself. You have no reason to question this, Samba has worked for 17 years without an issue.

    And what bug are you referring to?

    This is one of those "I've assumed a problem that doesn't exist, now can't find documentation proving that it doesn't." Of course you can't, there is no problem to even be looking for. Why would someone have documentation that says otherwise?



  • @cggart said in Mixing Linux & Windows Server in a SMB:

    I'm guessing that its either:

    • A ) Client/member support just isn't, and wont be, an issue because the protocols used ( Kerberos, LDAP, and so on) havn't/wont change from version to version of Windows.

    • B ) The devs behind the Linux integration always keep these protocols up to date.

    These are both true.



  • @cggart said in Mixing Linux & Windows Server in a SMB:

    I'm also assuming that you guys, and others, have tested this in production and in the lab and confirmed for yourselves there aren't any issues.

    The entire NAS market depends on this, the degree of testing is pretty extreme.


Log in to reply