FreeNAS 11 as AD Domain Controller

Status
Not open for further replies.

CPP-IT

Dabbler
Joined
Aug 14, 2017
Messages
43
*A note about my background may help in structuring responses to the question.*

My background/schooling is Art/Design, so my original role was Web/Graphic Design. I have a joy of technology, and as such have been roped into becoming IT/SysAdmin for the office.

The company I work for is growing; we have over 30 active Windows (7) workstations in use on any given day. As this number continues to go up, I have to manage these and the Debian Linux file server.

To consolidate my workload and make life easier/nicer, I am working to transition to FreeNAS, and then add Active Directory to our network to make managing all the desktops easier.

I'm very new to BSD & FreeNAS; heck, even Linux management is fairly recent.

== The Question ==

What is the experience of running AD as a Domain Controller on FreeNAS?
If a stand-alone FreeBSD box as the DC is better, I would be OK with that too.
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
I would strongly recommend that you do not use FreeNAS as your domain controller. If you were doing something for home, you might get away with doing it. But especially in a business environment, I would steer away from combining too many services in one box.

I know the licenses are expensive, but the best way to manage a domain is with a Windows Server domain controller. However, from my experience, if you're at a point where the licensing costs are a problem, you're usually small enough that maintaining everything through a domain is unnecessary. I've worked with companies in the past that have 100+ workstations that have done everything in workgroups. For them, there was really no need to manage everything with a domain. Each workstation was set up using a standard procedure, including some batch files, and there was really no need to centralize credentials, since the data the company was generating was either sensitive to one or two people (and appropriate accounts could be maintained directly on the NAS), or it was open for everyone. Don't fall into the trap of building up IT infrastructure for the sake of IT infrastructure: make sure you're actually adding value.

If you're dead set on putting everything on a central authentication server, you're dead set on having Windows workstations, and you're dead set against a Windows server, then I would set up a Linux server with Samba to serve as your domain controller. As a newbie, you'll find a lot more resources (guides, examples, tips) on getting things working for Linux, especially Debian/Ubuntu or CentOS, than you'll find with FreeBSD. I'm not saying that one is better than the other, only that the community and userbase for Linux (and especially Debian/Ubuntu and CentOS) is undoubtedly larger.

Personally, I do everything I can with CentOS or RHEL, both at home and at work. The only exceptions are appliances (like FreeNAS and pfSense) that are based on a different OS, or Windows (clients, and the servers needed to support the AD infrastructure). The particular value of CentOS/RHEL is the incredibly long support lifetime: 10 years! This means that once we get a server set up and working, I can count on security fixes for a long time without worrying about changing features that will break things.
 

CPP-IT

Dabbler
Joined
Aug 14, 2017
Messages
43
I would strongly recommend that you do not use FreeNAS as your domain controller. ... I would steer away from combining too many services in one box.

Fair. I definitely don't want too many eggs in the one basket.

Don't fall into the trap of building up IT infrastructure for the sake of IT infrastructure: make sure you're actually adding value.

Indeed! Yet another reason I ask before implementation. ;)

If you're dead set on putting everything on a central authentication server, you're dead set on having Windows workstations, and you're dead set against a Windows server, ...

I'm not 'dead set' against anything. We have a number of apps that will not run on non-Windows OS. There is a possibility of getting a 'spare' Windows server license, so it's definitely not off the table.

As a newbie, you'll find a lot more resources (guides, examples, tips) on getting things working for Linux, especially Debian/Ubuntu or CentOS, ...

Your point is well made, though, about considering the available community. I'll keep it in mind. I lean FreeBSD, as it agrees with my software philosophies. That said, I'm not against other good solutions.

I've worked with companies in the past that have 100+ workstations that have done everything in workgroups.

This is interesting. Could you expand on this?
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
This is interesting. Could you expand on this?

The company's line-of-business software ran in AIX, and was accessed via a terminal. PCs were installed initially only for email capability (and the business software was accessed via a terminal emulator). And the email was provided by a third-party service. Over the years, the infrastructure requirements never really changed: PCs were used for email, the occasional spreadsheet, and a terminal emulator. This company only went to AD in the late 2000s when the platform their line-of-business software was written in updated to support a graphical client (which required a Windows server and AD authentication to work).
 

CPP-IT

Dabbler
Joined
Aug 14, 2017
Messages
43
@Nick2253 Thanks for the details!

For us, we have a piece of vital software that is Windows only: it runs on Windows Server and only has Windows as a target for its client. So, we're tied to MS no matter what, and having some means of orchestrating changes in a Windows-y way is good.

As such I am looking for better ways to allow the less technical people in the call center access to what they need, but protect them and the data from accidents. I also wish to offer the company managers & owners a "simple" way to manage the users if I'm out of the office.

I understand setting up and running AD is non-trivial, but once it's working it should allow for a fairly straight path for adding new workstations or users.

I could be overthinking this, but I know none of my users have any interest in becoming *nix users/admins.
 
Last edited by a moderator: