Domain structure recommendations


(Rob Bosch) #1

I would like to discuss what options there are and what would be considered "best practice" in setting up NethServer with Samba4 DC in a situation with multiple locations.

Current situation:

  • Local LAN is at the office. Currently running Windows AD + Exchange on 2 Windows 2016 instances. Firewall/gateway is done through pfSense. pfSense also provides OpenVPN access to the local LAN. The fileserver is FreeNAS. FreeNAS also hosts the 2 Windows 2016 VMs.
    Both pfSense and FreeNAS use a local user database (so there are 3 sets of users: MS Active Directory, FreeNAS and pfSense).
  • Website is hosted in a DC.
  • I have access to DNS settings so I can add and change DNS records for the registered domain.

Exchange is currently configured with a POP3 connector fetching mail from an externally hosted mailserver (with a limited number of mailboxes and email addresses).

My idea of changing the current situation:
Instead of Windows 2016, switch to NethServer for both the Samba4 AD account provider as well as mail (SOGo). I could replace the Exchange server at the local LAN, but I would prefer to move the mailserver to a VPS in a DC in order to eliminate the restricted number of (contracted) mailboxes.

Ideally I would like to reduce the number of user databases, with a minimum of impact on the ICT environment.

So there are a few options:
Leave pfSense and FreeNAS as they are (leaving the user databases as they are), and replace the Windows 2016 AD server with NethServer with the Samba4 account provider. Move the mailserver to a DC so it can act as a full-blown mailserver, so there is no limitation on mailboxes anymore.
For the local domain name I would use ad.company.com, so the NethServer would be named: ns7.ad.company.com
Now the part about adding the mailserver: I could opt for 2 scenarios:

  • recreate the current situation and use a POP3 connector
  • move the mailserver to a DC
    Can the same (Samba4) user base be used in both scenarios? How should this be configured? Or would it be better/easier to configure the mailserver with a separate user database?

Lastly: would you let pfSense and FreeNAS join the Samba4 domain? It would eliminate 2 user databases. This would reduce administration and possibly errors. On the other side, changing the user database for pfSense would require re-issuing all OpenVPN certificates for all users.
BTW, we are talking about 12 users and it is not likely this will explode in the near future, so it is a small network.

Looking forward to your comments and advice.


(Michael Kicks) #2

Why leave Windows 2016 server?


(James Nesbitt) #3

:money_with_wings:

Also, if you’re in the Linux frame of mind, why pollute it?


(James Nesbitt) #4

If you are able to get pfSense and FreeNAS to join the Samba domain or use an LDAP connector so that you only have 1 user database to manage, I would highly recommend that, as it would make the long-term support management a whole lot easier.

What would be the pros and cons of moving the mailserver to a DC and letting it become a full-blown mailserver?


(Michael Kicks) #5

Tech consideration, not OS religion.
I'm assuming that licenses and CALs for Microsoft products are already paid, therefore why leave the product which is already an asset in the structure?
This does not mean that a different kind of structure cannot be implemented, but I would like to understand what the goal of this project is and how Rob wants to achieve it.

Microsoft has been a far more reliable and stable product since Win 2008 R2, with plenty of services in the standard versions.


(Rob Bosch) #6

@pike: the current situation is with Windows Server 2016. My preferred new situation is without Windows Server 2016…
I would like to concentrate on the discussion of how to configure the new situation.

IMO the big advantage would be that the current mail contract can be terminated. There would not be a limited number of mailboxes on a self-hosted full-blown mailserver.


(Markus Neuberger) #7

What about a local mailserver, why do you want to put it to a DC?

Yes, the DC mailserver could join the local AD over VPN.


(Michael Kicks) #8

@robb Samba4 and its future as AD DC is quite controversial. You already have AD with the most compatible software for Windows.
Therefore: why not take advantage of that?
Any NethServer installation could access the current AD structure via LDAP for:

  • VPN access
  • content filtering
  • mail and groupware
  • fileserver (FreeNAS in your ideas)

Next step is groupware: leaving Exchange will relieve the load on the server, but choosing SOGo or WebTop will be a downgrade for the client integration and capabilities which may currently be used in your environment.
SOGo has the downside of not being officially supported by Nethesis; WebTop has the downside of no desktop client at all, which could also be an advantage (it needs only a modern web browser, therefore thin clients could do the trick instead of desktops).

Building the structure from scratch would lead me to totally different considerations, of course.


(Michael Kicks) #9

@robb evaluate that LDAP-connected apps like WebTop, Nextcloud and SOGo must contact the LDAP server at every login.

Any service outside the GREEN network that connects to the user database needs constant access to the user list.


(Rob Bosch) #10

So, would it be wise to have a separate user base for (any) external server?

How difficult would it be to configure a local mailserver? I presume some port forwarding is necessary? Also, both local and remote access to the mailserver should be possible. This might complicate things? I will need to use a proxy for SOGo.


(Markus Neuberger) #11

Not difficult; it's enough to port forward the web and mail server ports and maybe the SSH port for remote access.

SOGo uses the forwarded ports, so no reverse proxy is needed.