cggart

cggart

Hi Everyone,

First post here, I'm doing some preliminary planning for a small business with 3 branches, each connected by VPN to the main branch. There are only about 10 employees per branch.

They use 3rd party software for point of sale and inventory management. The software is M$ only and require M$ SQL server and Windows Server for their software to run. The licencing costs for those have proven very expensive for such a small company.

Bandwidth restrictions have made me nervous about hosting active directory through the VPNs so I plan on setting up domain controllers and file servers at each branch.

To save a few thousand dollars I was considering going with Linux for each one of theses branches. However, this would mean that the entire company then would have a mix of Linux and windows servers.

This isn't a problem for me but if I were unavailable for some reason and another IT contractor had to step in I'm concerned I would be a mess to find someone with both Linux and Windows administration experience (it's a rural area).

I'm also wondering if i'm underestimating the time and cost to get these Linux servers up and running and integrated with Server 2016.

I know there are a lot of variables involved but I estimate the cost savings to be around $5,000 dollars with the Linux instead of windows at the branch stores.

So which, in your opinion, is the better investment?

cggart

@Dashrender

I agree, but also understood Scott's point. I should have said "ignorant" instead of "inexperienced". I am both but one doesn't necessarily imply the other. Semantics!

I'm in a better place with this now, and want to say thank you both for being patient and giving the straight dope.

cggart

@Dashrender

I agree, but also understood Scott's point. I should have said "ignorant" instead of "inexperienced". I am both but one doesn't necessarily imply the other. Semantics!

I'm in a better place with this now, and want to say thank you both for being patient and giving the straight dope.

cggart

@scottalanmiller

Which bug is that?

I believe it is #11204

"Samba fails to replicate the Windows Server 2012 R2 directory schema (69) from a Windows 2008 R2 DC."

Why do you assume a problem?

I think this is rooted in my inexperience with SAMBA, and not having put in the work to gain confidence first hand. I have a little PTSD from working with open source projects in the past that were poorly tested/supported and issues never appeared until we were well into production. The community was in decline, and we ended up writing our own fixes at great expense, time and money.

However, not all software is created equal and the more research I do I see that SAMBA development has been pretty consistent and adoption/use has been as well. I know M$ has its own share of problems and you are at their mercy to fix the issues.

cggart

@scottalanmiller @Dashrender

Thanks guys
I understand the outstanding SAMBA bug doesn't' affect member systems, just replication between DCs.

I guess what i'm struggling with, being my first time setting this up and all, is the lack of an official list of supported clients/hosts from either from Microsoft or from the dev teams responsible for the Linux implementation of LDAP, Kerberos, Winbind, SAMBA....

Microsoft does list some supported operating systems for Server 2012 and "later". From which XP was recently removed.

However, I can't find anything on the Linux side other than that SAMBA bug with replication between DCs. I'm just trying to establish why Scott and others are so confident in Linux client support for ALL Windows DC functional levels.

I'm guessing that its either:

A ) Client/member support just isn't, and wont be, an issue because the protocols used ( Kerberos, LDAP, and so on) havn't/wont change from version to version of Windows.
B ) The devs behind the Linux integration always keep these protocols up to date.

I'm also assuming that you guys, and others, have tested this in production and in the lab and confirmed for yourselves there aren't any issues.

I'm in the process of doing that myself at my home lab. I've just been out of the loop, and am just now catching up. I haven't seen how client support has/hasn't changed over there years which makes me a little wary.

Your two cents would be much appreciated. Sorry for not be more articulate in the first place.

cggart

@Dashrender Thanks for the reply. So how does this affect a simple Linux file server?

It isn't a domain controller just present on the domain and using active directory for authentication. Are there any "features" that 2012+ active directory has that will cause issues?

Scott said it was fine, but I just want to understand exactly why.

I'm hesitant to deploy a Linux server into production without knowing for sure that server 2016 has changed something in a protocol or schema that is going to cause major issues...

cggart

@scottalanmiller

Linux AD only goes to 2008 R2. So if your forest is still 2008 R2, not a big deal. If it is 2012 or higher, you are out of luck for now.

I've been researching and have found a lot of posts stating 2012 DCs and 2008 DCs will work together. Provided the "functional level" is set to 2008.

However , I found nothing regarding Linux & Windows Server 2016 AD support. Is there a reliable authority I can reference to determine what is or is not compatible or is this just trail and error?

I did find one page, on the SAMBA wiki, saying "Joining a Windows Server 2012 or 2012 R2 DC to a Samba AD breaks the AD replication!" Was this what you were referring to?

I've taken your word for it and moved on, but I would really like to understand why for my own benefit.

Would you mind elaborating on why 2016 DC wont play ball with a Linux DC, and why Linux file server will authenticate with a 2016 DC just fine?

Is it that there is some new features in 2016 DC that aren't available in 2008 DC that Windows 10+ clients might be expecting?

cggart

Hey Scott, I just wanted to make sure that there were no other file servers out there that support active directory integration with Server 2016 right? The ONLY option for us (given that we are stuck with 2016 already ) is the use Microsoft products for our entire domain right? Every file server including FreeNAS and BSD will be unusable in our environment?

cggart

@scottalanmiller I see so we are stuck with Windows then anyways. Intresting point you made about the VPN. I've worked some other small business and that is how support was administered. Now that I think about it it does give access to the entire network where the other options you listed limit it only to where it is needed. I suppose that's obvious just didn't occur to me for some reason.

cggart

@scottalanmiller This actually makes a lot of rational sense but is counter intuitive for some reason. I guess I had a little too much of the M$ cool aid. I would love to see a write up your mentioned.

Also, regarding have remote support, I agree. We live is such a rural area (literally a 5 hour drive to a town big enough to have a stop light). Once the network is in place getting support shouldn't be an issue we can just give the VPN credentials to a qualified sysAdmin any where in the world.

cggart

@scottalanmiller We could go all Linux but as I mentioned we are required to have windows for the 3rd party software at the main branch. The licencing was already in place and I figured we could just use windows since it was already there. However, we could use Linux for all of it.

We have about 7Mb/s down and 2 Mb/s up i'm less concerned with the active directory as I am the file server and since we had a file server I figured having active directory on that same server would be a good idea. However, we could just have the file server at the remote branches and handle active directory through the central branch.

cggart