Technology Watch Project | Windows Multisite AD
Published: January 11, 2018 - 11:44 PM
by sgelineau
Hello,
I'm 19 years old and on a work-study contract (alternating work and study) in a TSRIT (2-year post-high school diploma) at the ENI computer science school.
I have a technology watch project: "Migration of a multi-site Active Directory infrastructure to Samba." I created a prototype using VMware Workstation. It involves:
- 3 Active Directory sites: France, Spain, and Germany (each in a different subnet, 10.0.1.X, 10.0.2.X, 10.0.3.X)
- The main site, "France," is a Debian VM with a DHCP server + DHCP Relay, and a router (3 interfaces in each subnet with port forwarding)
- 1 client PC for each site.
I also installed a VM running CentOS 7. Once everything was configured, I unfortunately couldn't join the domain (as a domain controller) despite multiple attempts.
After some searching, I haven't found an answer, so I'm asking you:
does Samba 4.7.4 support multisite?
Thanks in advance!
Re: Technology Watch Project | Windows Multisite AD
Published: January 12, 2018 - 4:57 PM
by dcardon
In this case, there's no concept of a "site" in the Active Directory sense. Just different IP subnets.
If the servers can see each other, there's no filtering, and the DNS is configured correctly, there's no reason for problems.
We manage domains with dozens of domain controllers, with well-configured AD Sites and Services. So yes, it works fine.
I think you should reread the documentation and check the IP, DNS, and routing settings.
Denis
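The three checks Denis lists (IP, DNS, routing) can be scripted before attempting the join. The following PowerShell is an added example, not code from this thread or from the Samba project; it runs on a Windows machine in one of the subnets with the DnsClient and NetTCPIP modules (Windows 8.1/2012 R2 or later). The domain name and the DNS server address are placeholders to replace.

```powershell
# Added example (not from the thread): pre-flight checks before joining a new DC
# across routed subnets. Placeholder values below must be replaced.
$Domain    = 'example.lan'   # placeholder: the AD DNS domain name
$DnsServer = '10.0.1.10'     # placeholder: a DC that the new server will use for DNS

function Test-AdSrvRecords {
    param([string]$Domain, [string]$Server)
    # SRV records a domain join and DC-to-DC replication depend on; each must
    # resolve to at least one DC, otherwise the joining server never finds the domain.
    $names = @(
        "_ldap._tcp.dc._msdcs.$Domain",
        "_kerberos._tcp.dc._msdcs.$Domain",
        "_ldap._tcp.pdc._msdcs.$Domain",
        "_gc._tcp.$Domain"
    )
    foreach ($n in $names) {
        try {
            $r = Resolve-DnsName -Name $n -Type SRV -Server $Server -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'SRV' }
            [pscustomobject]@{ Record = $n; Targets = ($r.NameTarget -join ', '); Ok = [bool]$r }
        } catch {
            # NXDOMAIN or an unreachable DNS server both land here.
            [pscustomobject]@{ Record = $n; Targets = $_.Exception.Message; Ok = $false }
        }
    }
}

function Test-DcReachability {
    param([string[]]$DcHosts)
    # TCP ports a DC must reach on its peers across the router; a filtered port
    # here (or a missing route back to the new subnet) explains most failed joins.
    # Kerberos and DNS also use UDP, which this TCP probe does not cover.
    $ports = @{ 'LDAP' = 389; 'Kerberos' = 88; 'SMB' = 445; 'RPC endpoint mapper' = 135; 'DNS' = 53 }
    foreach ($h in $DcHosts) {
        foreach ($p in $ports.GetEnumerator()) {
            $t = Test-NetConnection -ComputerName $h -Port $p.Value -WarningAction SilentlyContinue
            [pscustomobject]@{ Host = $h; Service = $p.Key; Port = $p.Value; Open = $t.TcpTestSucceeded }
        }
    }
}

# Resolve the records, then probe every DC the records point at.
$srv = Test-AdSrvRecords -Domain $Domain -Server $DnsServer
$srv | Format-Table -AutoSize
$dcs = $srv | Where-Object Ok | ForEach-Object { $_.Targets -split ', ' } | Sort-Object -Unique
Test-DcReachability -DcHosts $dcs | Format-Table -AutoSize
```

Run it from the subnet where the new controller will live, using the DNS server that server is configured with: a record that resolves from the France subnet but not from Germany points at the DHCP relay or the router, not at Samba.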
Re: Technology Watch Project | Windows Multisite AD
Published: January 14, 2018 - 7:06 PM
by sgelineau
Thank you for your reply. Yes, what I meant by "site" is that, for example, a PC in the Germany subnet will authenticate to the Germany DC, and so on.
For the initial DCs (the Windows infrastructure), I'm using Windows Server 2016, with a forest that was initially 2016. I downgraded it via PowerShell to 2008 R2. I understand that a forest with a functional level of 2012/2012R2 isn't fully supported. Is that correct?
Let's say we're using a Samba Active Directory infrastructure, with clients running Windows 10. To support the new GPOs on this OS, does importing the ADMX file containing these GPOs work?
Thank you for your help.
Re: Technology Watch Project | Windows Multisite AD
Published: January 15, 2018 - 6:02 PM
by dcardon
Hello sgelineau,
indeed, Samba4 does not support forest levels 2012 and above. Furthermore, you really shouldn't have a 2012 domain controller, because even if the forest and domain are 2008 R2, there are still things that Samba doesn't support (probably related to schemas).
With a bit of technical know-how, you can migrate a Windows 2012 or Windows 2016 server to a Samba-AD server. But you can't use the standard procedure, and it requires some scripting and a thorough understanding of what you're doing.
For Windows 10 support, it's possible to import schemas into Samba. In fact, Group Policy Objects (GPOs) are interpreted on the client side; Active Directory is mainly used to store GPO definitions, much like a file server. If you're using Windows 10 to manage your Samba4-AD, you'll have the same GPO definitions, and you'll be able to import other ADMX files.
Denis
Re: Technology Watch Project | Windows Multisite AD
Published: January 16, 2018 - 12:19 PM
by agauvrit
Hello,
A recent and little-known resource that allows you to quickly find ADMX files and their corresponding values:
https://getadmx.com/
Alexandre
Re: Technology Watch Project | Windows Multisite AD
Published: January 16, 2018 - 2:11 PM
by sgelineau
Hello,
I'm going to rebuild my infrastructure on Windows Server 2008 R2. I'll get back to you if I encounter any further installation difficulties.
While I'm at it, if we only have Samba Active Directory servers that we manage using RSAT tools on a Windows client machine, do we need Client Access Licenses (CALs/LACs)?
Thank you for your help!
Sébastien
Re: Technology Watch Project | Windows Multisite AD
Published: January 17, 2018 - 8:19 PM
by dcardon
sgelineau wrote: ↑Jan 16, 2018 - 2:11 PM
I'll take this opportunity to ask: if we only have Samba Active Directory servers that we administer via RSAT tools on a Windows client machine, do we need a "client access license" (CAL/LAC)?
First, the necessary disclaimer: I am not a lawyer or legal expert, just a simple engineer trying to understand something, and the remarks below are my own interpretations after long hours of solitary reading on the Microsoft website and are provided of course without any guarantees.
CALs are required for access to services provided by servers and there are different types of CALs depending on the services accessed.
The "file" CAL, which is the most common and the one we're interested in here, allows you to connect to an SMB service. Even if you're in a workgroup, if you connect to an MS Windows Server 2012 in a workgroup, you need a CAL for that access. Basically, it doesn't have much to do with the domain, except that when you log on to a domain, you connect to the SYSVOL share, which is an SMB connection.
The "file" CAL also applies to a print server. Access to the connection spooler is also via the SMB protocol.
This "file" CAL is also valid for the WSUS server; the connection is made via HTTP, but the licensing specifies that if the connection to the IIS web server is authenticated (which is the case for WSUS because the Windows client authenticates to the WSUS server), a "file" CAL is required. There is an exemption for Windows Server 2003 Web Edition, but I don't think many people are still running that.
So in summary, if you have a Samba-AD, a Samba file server, but no WSUS or Windows print server, then you don't need to buy CALs.
But if you have a Windows print server, you'll have to pay up. It's borderline in terms of European Commission antitrust laws because there aren't really any photocopier suppliers that support all their features on a print server other than Windows, but oh well.
And even if you have Linux or Mac clients, if they connect to a Windows file server, you'll have to pay.
For managing Windows updates, you can either use Windows Update or purchase another product on the market; there are more options: IBM BigFix, Dell Kace, etc. In fact, we've developed a proof of concept internally at TIS to integrate update management into WAPT Enterprise Edition. I hope to have time to finish this module and integrate it during the first half of 2018.
Re: Technology Watch Project | Windows Multisite AD
Published: March 30, 2018 - 9:22 PM
by sgelineau
Good evening,
I finally managed to complete the migration, which, as a reminder, was "Migration of a Windows Server 2012 Multisite Active Directory domain to Samba 4." My infrastructure was running Windows Server 2012 R2. I downgraded the domain/forest functional level to 2008 R2, installed and integrated a Windows Server 2008 R2 as a domain controller. I then transferred the FSMO roles, forced replication (GPO, DNS, etc.) to the new server, and then downgraded the other domain controllers to domain members and subsequently removed them entirely from Active Directory. I was able to continue the migration without any problems from my single WS2008R2 domain controller to two new Samba AD domain controllers (one for each "site," as in the initial infrastructure).
Thank you for all the information gathered above, as well as on your website and wiki.
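The Windows-side sequence described in the last post (lower the functional levels, move the FSMO roles to the 2008 R2 controller, force replication, then demote the 2012 R2 controllers) as an added PowerShell example. This is not the poster's script; it assumes an elevated session on a domain controller with the ActiveDirectory RSAT module, and the forest name and target DC name are placeholders. The Recycle Bin check at the top is the one precondition Microsoft documents for lowering a forest level: once the feature has been enabled it cannot be disabled, and the level can no longer be lowered.

```powershell
# Added example (not from the thread): Windows-side steps of the 2012 R2 -> 2008 R2 -> Samba path.
# Run in an elevated PowerShell on a DC with the AD module installed. Placeholders below.
Import-Module ActiveDirectory
$Forest   = 'example.lan'   # placeholder: forest/domain DNS name
$TargetDc = 'DC-2008R2'     # placeholder: the Windows Server 2008 R2 DC that will keep the FSMO roles

# 1. Lowering the functional level is refused if Active Directory Recycle Bin was ever
#    enabled (enabling it is irreversible), so check before changing anything.
$rb = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
if ($rb.EnabledScopes.Count -gt 0) {
    throw 'Recycle Bin is enabled in this forest: the functional level cannot be lowered.'
}

# 2. Record the current levels and role holders, then lower forest and domain to 2008 R2.
Get-ADForest -Identity $Forest | Select-Object ForestMode, SchemaMaster, DomainNamingMaster
Get-ADDomain -Identity $Forest | Select-Object DomainMode, PDCEmulator, RIDMaster, InfrastructureMaster
Set-ADForestMode -Identity $Forest -ForestMode Windows2008R2Forest -Confirm:$false
Set-ADDomainMode -Identity $Forest -DomainMode Windows2008R2Domain -Confirm:$false

# 3. Once the 2008 R2 server has been promoted, move all five FSMO roles onto it.
Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

# 4. Push a full replication of every partition from the new role holder and read the
#    replication summary; do not demote anything while this still reports errors.
repadmin /syncall $TargetDc /AdeP
repadmin /replsummary
repadmin /showrepl $TargetDc

# 5. Confirm the role holders and the list of remaining controllers before demotion.
netdom query fsmo
Get-ADDomainController -Filter * | Select-Object Name, IPv4Address, OperatingSystem, IsGlobalCatalog

# 6. On each 2012 R2 controller (not here), demote it to a member server with
#    Uninstall-ADDSDomainController from the ADDSDeployment module, then remove the
#    computer object from the domain once replication no longer references it.
```

Only after step 6 should the Samba controllers be joined; the schema and functional level they see are then exactly what the 2008 R2 controller holds, which is the configuration Denis describes as supported.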