I’m thinking about changing my lab a bit, two possibilities.
#1 buy a license for Windows Server 2025 from one of those shady key places.
#2 is to build up a Samba-based system on Debian or some flavor of BSD.
It looks like the current functional level of Samba 4.19.9 is 2016, which should be fine for my lab. It also appears to have an integrated DNS server. I’d have to build a DHCP server to go with. Needs to be a single box. Big question is relative ease of configuring this system, as well as ease of joining other computers to the domain.
Windows server I can get configured in about an hour with update installs and everything.
This may also hinder the process, it’s going to need to run on a mini-pc. Either a Mele Quieter2q (j4125) or a Quieter4c (n100). Server 2022 works fine on the 2q but want to move the 2q to a workstation function and put the 4c in its place. I’m tearing my lab apart again, Harvester will stay up, xcp will be moving to version 9 for some testing, Rancher in Docker is not yet built, TrueNAS just got cleared out and updated to 25.10.x
I’ll admit I don’t use Windows in my environment, but I run a Univention UCS samba-based domain controller at my office and I’ve been thoroughly pleased with it. I use it as the source of truth for user authentication to my file server’s shares and for various web services. My understanding is that it has good support for group policy as well, though that’s not something I use. Might be worth checking out if you want a relatively simple to set up Debian-based system.
Thanks, I need to check out UCS. Samba does group policy by way of RSAT tools on a client, it just holds the catalog and pushes it out to the clients (from what I’ve read).
Samba AD here
I set it up for the company I work for (30 accounts + 30 computers) and at the beginning this caused me a lot of headaches.
Because the information around is for old versions and - sometimes - even the official samba.org documentation is not well maintained and updated.
Anyway, now I have two domain controllers and a small Windows 11 VM (I use it as a PAW) with RSAT tools.
I have raised the domain level to 2016.
It is stable and works with certs from my internal PKI and Kerberos only (no NTLM).
DHCP as well as main DNS is from my UDM, all the requests for AD are forwarded to the AD’s DNS.
It was a nightmare, but the result paid off (of course with WinServer it’s 2 clicks and you are onboard, but it requires licenses, CALs, etc., and I am not happy about the cloud direction that MS is taking with Azure, etc.)
My setup is composed of:
vm for DC-01
vm for DC-02
vm for certs to deploy via GPO
vm for root and intermediate certs
I followed the tranquil.it guide (I did some improvements) and I used their tool for SYSVOL sync since rsync wasn’t working fine for me.
For right now, I chickened out and put Server 2025 evaluation on it. Found some info to convert evaluation to full version, just need to buy a key when I know this hardware will be OK.
ok..
Just a quick note: if you are wondering about power consumption, Win Server will consume more power than 2 DCs on Debian.
Before setting everything up I tested on 2 mini PCs (HP EliteDesk Mini with i5 8500).
With Samba the power consumption was 8W per mini PC; with Win Server, 18-25W each.
I would believe that, especially for a bigger system. For my lab I’m generally only in the 2 to 3 percent CPU unless it is doing an update. I just don’t have the time to mess around and learn the ins and outs of Samba right now, it’s definitely not as straightforward. And definitely not just walk through a GUI to set it all up.
I spent a bunch of time on hold dealing with a pharmacy, I was able to get my AD DS, DHCP, and DNS functional in between speaking with people. And expediency won for this. Went through and spent another half an hour setting DHCP options and typing in DNS names and IPs for stuff that I’m rebuilding. Wish I was up to speed with it, but right now Windows got things working again.
XCP-ng 9 and continue with Harvester can proceed now. As well as replace the piece of AWOW garbage that I’m using for a secondary workstation (old AD mini-pc replaces it). $50 for a shady product key and I can make this “permanent” and stop fooling with rearming it every 6 months.
I followed this guide out of pure curiosity. The only thing I don’t have working properly is DNS. I only spent a little bit of time on it. I’m sure I missed a step but, everything looks right.
Can the most recent version set functional level to 2025 or just 2016? Not that important but trying to work with the higher level to learn any differences before I upgrade my domain up to 2025.
Check if everything is now 2016:
sudo samba-tool domain level show
You should see output like this:
Domain and forest function level for domain 'DC=techtest,DC=local'
Forest function level: (Windows) 2016
Domain function level: (Windows) 2016
Lowest function level of a DC: (Windows) 2016
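As an added example (not part of the thread or of Samba itself), the check above can be scripted so it fails when any of the three levels differs from the one expected, which is the state a domain is in before the raise has been completed. The `check_levels` helper name and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# check_levels EXPECTED: reads `samba-tool domain level show` output on stdin.
# Returns 0 if forest, domain and lowest-DC levels all equal EXPECTED,
# 1 if any level differs, 2 if an expected line is missing from the output.
# (check_levels is a hypothetical helper, not a Samba command.)
check_levels() {
    expected="$1"
    out=$(cat)
    result=0
    for label in "Forest function level" \
                 "Domain function level" \
                 "Lowest function level of a DC"; do
        # Keep only the text after "(Windows)" on the matching line.
        value=$(printf '%s\n' "$out" |
            sed -n "/^[[:space:]]*$label:/{s/^[^)]*)[[:space:]]*//;s/[[:space:]]*\$//;p;}" |
            head -n 1)
        if [ -z "$value" ]; then
            echo "MISSING: $label" >&2
            result=2
        elif [ "$value" != "$expected" ]; then
            echo "MISMATCH: $label is '$value', expected '$expected'" >&2
            if [ "$result" -eq 0 ]; then result=1; fi
        fi
    done
    return "$result"
}

# Constructed sample: every level raised to 2016 (same shape as the output above).
SAMPLE_RAISED="Domain and forest function level for domain 'DC=techtest,DC=local'

Forest function level: (Windows) 2016
Domain function level: (Windows) 2016
Lowest function level of a DC: (Windows) 2016"

# Constructed sample: DCs already at 2016, domain and forest not yet raised.
SAMPLE_PENDING="Domain and forest function level for domain 'DC=techtest,DC=local'

Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2016"

# On a real DC: sudo samba-tool domain level show | check_levels 2016
if printf '%s\n' "$SAMPLE_RAISED" | check_levels 2016; then
    echo "all levels at 2016"
fi
```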
@Greg_E
As far as I know there are no major differences between the 2025 and 2016 level, also the last time I checked even MS suggests not using it because it can cause problems since it was not stable (this was a few months ago).
With the latest Samba you can go up to the 2022 level; as I understood it, there are no advantages in doing that.
@xMAXIMUSx
I followed this Samba-AD documentation as a base but I had to add some modifications since with Samba 4.2x they changed some commands and other stuff (as I said, most of the guides online are referring to 4.9 or so). Also I added my PKI, no NTLM, etc.
Which DNS are you using?
If you want, I can pass you my notes (they are in Italian but the commands are standard).