[Samba] New Samba4 environment to replace existing Windows 2008R2 AD

Rowland Penny rpenny at samba.org
Thu Dec 9 16:55:33 UTC 2021

On Thu, 2021-12-09 at 11:32 -0500, Shelton, Gary via samba wrote:
> Hello folks,
> I have a client who is looking to retire their old 2008R2 AD
> environment (a single server with the AD DC and file server roles).
> It's been through a few upgrades (2003->2008->2008R2), and so the AD
> is a bit of a mess. I've done some preliminary tests in adding a
> Samba4 AD DC to the existing domain and there are a lot of little bits
> of old AD schema still floating around and inevitably the Samba DC
> stops syncing with the Windows server, logins are no longer
> authenticated, etc. so we're going to set up a new AD from scratch. So
> far, so good.
> I have a couple of questions about deploying a Samba-only AD in a
> production environment. The client network consists of about 60
> workstations and virtual machines (all running Windows 10) so we all
> understand the environment. Nothing fancy.
> My questions:
>   * Is it recommended to run multiple Samba AD DCs, like the typical
> guidance for running Windows Server DCs? There are only about 35
> users, so I don't see the need from a capacity standpoint.

You will not see the point of multiple DCs, right up until one falls
over; then you will be glad you have more than one DC.

>    * If so, is it acceptable to use containers (LXC on Linux or jails
> on FreeBSD) to run an AD DC and a file server on the same physical
> host?

You can run Samba in VMs, but I personally wouldn't use jails and/or

>    * My initial design for the file server component is to use Debian
> 11 (Bullseye) hosts using btrfs on a hardware-backed RAID array
> (presented as a single block device to Debian) for ACL and snapshot
> support. I see that Samba's VFS has support for btrfs which started me
> on this path. Is this a bad idea?

I actually think this is a good idea; by using Debian, you will be able
to use Louis Van Belle's Samba repo: https://apt.van-belle.nl/

>    * The network environment heavily uses ACLs for access-based
> enumeration over many discrete files and directories. Will this be a
> problem for either Samba or btrfs?

Fairly easy to set up, see the Samba wiki.

> I've done several small-scale Samba4 AD installs, but not for clients
> who so heavily used ABE/ACLs so I am hoping for some feedback from
> folks who've worked with such setups.

There are lots of people on here who run such setups, so you should get
plenty of help.

> I've got a few months for testing and I'm sure there will be quirks to
> be ironed out, I'm just looking for experience from anyone who has
> walked some of these paths before.

Testing is always best; you will find out what works and what doesn't
(though Samba is highly adaptable). It will give you a chance to try
different ways of doing things: use the internal DNS server or Bind9,
use RFC2307 attributes on the Unix domain members or use the winbind
'rid' backend instead.

The best thing to do is to read the Samba wiki:


Then come back with any questions.
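To make the two idmap choices mentioned above concrete, here is an added example smb.conf for a Unix domain member acting as the file server; it is not part of Rowland's reply or the Samba project's own documentation. The domain name EXAMPLE, realm AD.EXAMPLE.COM, share path and idmap ranges are assumed placeholders. It shows the winbind 'rid' backend (which needs no RFC2307 attributes in AD) with the 'ad' backend alternative commented out, plus a share using the btrfs VFS module alongside acl_xattr for Windows-style ACLs and the two options that give access-based enumeration behaviour.

```ini
[global]
   # Assumed placeholder domain and realm; replace with the new AD's values.
   workgroup = EXAMPLE
   realm = AD.EXAMPLE.COM
   security = ADS

   # Default backend for the built-in and trusted SIDs; its range must
   # not overlap the domain's range below.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # Option A: 'rid' backend. UIDs/GIDs are computed from the RID, so no
   # uidNumber/gidNumber attributes need to exist in AD.
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999

   # Option B (mutually exclusive with A): 'ad' backend reads RFC2307
   # attributes (uidNumber, gidNumber, loginShell, unixHomeDirectory)
   # from AD, so IDs are identical on every domain member that uses it.
   ; idmap config EXAMPLE : backend = ad
   ; idmap config EXAMPLE : schema_mode = rfc2307
   ; idmap config EXAMPLE : range = 10000-999999
   ; idmap config EXAMPLE : unix_nss_info = yes

   winbind use default domain = yes
   winbind refresh tickets = yes

   # Store full Windows ACLs in the security.NTACL xattr and honour
   # inheritance the way Windows clients expect.
   vfs objects = acl_xattr
   map acl inherit = yes

[shares]
   # Assumed placeholder path on the btrfs filesystem.
   path = /srv/shares
   read only = no
   # btrfs module enables server-side copy/snapshot support on this share.
   vfs objects = acl_xattr btrfs
   # Access-based enumeration equivalents: hide directory entries the
   # connecting user cannot read, and hide shares they cannot access.
   hide unreadable = yes
   access based share enum = yes
```

Pick exactly one of the two domain idmap blocks; with 'rid' the IDs are consistent across members as long as every member uses the same range, while with 'ad' the IDs come from AD itself but every user and group must have the RFC2307 attributes populated. Note that `hide unreadable` makes Samba check the ACL of every entry during a directory listing, so on shares with very large directories it is worth measuring listing times during the testing period before committing to it.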

