[Samba] New Samba4 environment to replace existing Windows 2008R2 AD

Shelton, Gary Gary at empiricalonly.com
Thu Dec 9 16:32:11 UTC 2021


Hello folks,
I have a client who is looking to retire their old 2008R2 AD
environment (a single server with the AD DC and file server roles).
It's been through a few upgrades (2003->2008->2008R2), and so the AD
is a bit of a mess. I've done some preliminary tests in adding a
Samba4 AD DC to the existing domain and there are a lot of little bits
of old AD schema still floating around and inevitably the Samba DC
stops syncing with the Windows server, logins are no longer
authenticated, etc. so we're going to set up a new AD from scratch. So
far, so good.

I have a couple of questions about deploying a Samba-only AD in a
production environment. The client network consists of about 60
workstations and virtual machines (all running Windows 10) so we all
understand the environment. Nothing fancy.

My questions:

  * Is it recommended to run multiple Samba AD DCs, like the typical
guidance for running Windows Server DCs? There are only about 35
users, so I don't see the need from a capacity standpoint.

  * If so, is it acceptable to use containers (LXC on Linux or jails
on FreeBSD) to run an AD DC and a file server on the same physical
host?

  * My initial design for the file server component is to use Debian
11 (Bullseye) hosts using btrfs on a hardware-backed RAID array
(presented as a single block device to Debian) for ACL and snapshot
support. I see that Samba's VFS has support for btrfs which started me
on this path. Is this a bad idea?

  * The network environment heavily uses ACLs for access-based
enumeration over many discrete files and directories. Will this be a
problem for either Samba or btrfs?

I've done several small-scale Samba4 AD installs, but not for clients
who so heavily used ABE/ACLs so I am hoping for some feedback from
folks who've worked with such setups.
I've got a few months for testing and I'm sure there will be quirks to
be ironed out; I'm just looking for experience from anyone who has
walked some of these paths before.

Thanks!

-- 
Gary S
