Install Nethserver as AD with linux and windows clients

Hi guys,
For the last two days I’ve been trying to install and configure NethServer (referred to in short as NS).

Title : NethServer as Active Directory, Gateway, Web server
Version: 1.0
Author: Bogdan C.
Date: 16.05.2015

This document will describe in short how to create an infrastructure based on NethServer as the primary domain controller.
The clients will be:
One Microsoft (short MS) Windows 2012 server (or alternative MS machine)
One Linux Mint 17.1 machine.

The desired goal is to have both types of operating systems integrated with NS. So, each user from the domain will be able to log in to each machine without any restriction, and access the resources allocated to his/her account, not bound to one architecture.

  • Roaming profiles
  • access to his/her shares independently of which type of machine he/she is using
  • default applications available on both machines: LibreOffice, Thunderbird, web browser, multimedia, etc. (available for both Linux/Win).

Ex: If user “X” logs into the Linux machine,
his home directory from the NS will be mounted on the Linux machine,
and if user “X” has access to the “public” share on NS, that share will be mounted in a folder in his home directory.

The same scenario should apply if the user logs in to the Windows machine.

Below I’ll describe the setup steps and also my personal notes on what I think should be added as options/features. :smile:

Warning! This is a long post and it is presented as a “How-to” step by step setup.
It is not relevant for all purposes; it is done to achieve an NS installation that will be gateway, IDS, AD, mail, web server, proxy and web filter server for a set of virtual machines, and able to scale to a large number via a VMware network switch connected to an Ethernet card.
(The same setup should be valid for a local network with physical machines)

**Prerequisites**
If you plan to do this in a virtual environment:

  • You should be familiar with VMware or other virtualisation settings and concepts.
  • You should also be able to set up a virtual machine (it’s really easy); it will not be covered by this “How-to” since it is out of scope. Only minor configurations will be provided when appropriate.
  • Read beforehand (not mandatory):
    • How to set up an ESX free server (or another virtualisation environment of your choosing),
    • How to set up a virtual machine,
    • How to set up VMware (or the equivalent on your platform) networking for virtual machines.

Alternative to the virtual setup (with changes to match your setup where applicable)
You can do this with physical machines if you have enough of them and some common network equipment:
1 internet line
1 router (home grade is ok) to connect the NS to the internet
1 switch to connect the 3 machines to each other
Minimum 1 machine with Linux/Windows/OS X or another machine with a web browser to be able to configure the NS via the web console (you can also use a tablet but it will be a pain :smile: )

Alternative Physical setup diagram:

Note: the 2012 server is optional, but it is used in this setup because MS is set up that way in the real world. You can use a Win XP / Vista / Win 7 machine as the client instead of 2012.

First let me describe the setup.
Physical hardware

1 firewall / router as internet gateway for the LAN
1 workstation with Linux Mint
1 HP 110 ML G6 server

  • 16 GB
  • 2 x 160 GB HDD: ESX install and datastore for ISOs
  • 1 x 1 TB HDD: datastore for virtual machine disks and files
  • 3 x 1 Gbps NICs

VMware ESX 6 hypervisor (can also be 5.0, 5.5, or another virtualisation setup: XEN, OpenStack, Proxmox VE, etc.)

Definition for network
[VM network] - Virtual switch connected to the real LAN via a 1 Gbps NIC. IP 172.29.10.x; internet access
[VM internal network] - Virtual switch, used internally by the virtual machines (bridged to a physical interface but not connected to anything yet)

  • VM Linux Mint: already set up
    • 20 GB HDD
    • 1 Gbps eth0 [VM internal network]
  • VM Win 2012 srv: already set up
    • 20 GB HDD
    • 1 Gbps eth0 [VM internal network]
  • VM NethServer 6.6
    • 20 GB HDD
    • 1 Gbps eth0 [VM network]
    • 1 Gbps eth1 [VM internal network]

The NethServer VM machine
After starting the installer, NS asks which card is the LAN (green) one; select eth1.
Then the installer presents the form for the static IP configuration (IP; NM; GW; DNS).
Hit [Next]

  • It should also present options to select the RED interface and assign its configuration (static IP / DHCP).
  • No option to automatically start DHCP on the LAN (green) interface for clients.
  • No option for the user to set the root password.
    (the setup continues with the graphical installer to show progress)
  • Since no WAN (red) interface has been selected/configured, the installer does not check for / bring in updates before installing the software.

The install finishes and the machine is rebooted.
Now we switch to the Linux Mint machine to complete the setup.

Linux Mint 17 VM
Since the NS is not giving out any IPs on the LAN (green) interface, we need to set up the Mint machine’s network.
First open a terminal and type:

‘sudo ifconfig eth0 netmask’

This will enable eth0 and set the IP of the Mint machine in the same segment as the NS.
Open Firefox and enter the IP address of the NS

User: root
Pass: Nethesis,1234

The first configuration wizard starts
Change the password of the root user

  • There is no mention of the complexity the password should have.
    Ex: Should contain a minimum of:
    1 capital letter (A - Z)
    1 digit (0 - 9)
    1 symbol (!@#$_,[]…)
    Minimum length 6 characters

After the password is set, we set up the hostname and domain
Hostname: vm-netsh
Domain: vmdom

  • The domain field is ambiguous. It is not clear whether this will be the internet domain (www / email) used by the server for the web server, or the local domain for AD

Then we select the timezone (Bucharest for my setup)
Then select the port to use for SSH (2222 or 2233 or whatever port you want to use as the SSH port in your organisation)
The last step is whether to send usage statistics (select “yes” or “no” depending on your preference; this will be valid only after you have set up the RED interface)

The last page presents the settings that you have entered.
Hit [Apply] and you see the task progress bar.

Then you are presented with the NETWORK submenu where you have your interfaces:
eth0 xx:xx:xx:xx:xx:xx no role
eth1 xx:xx:xx:xx:xx:xx LAN (green) (Note: this should be different from your physical router’s subnet / IP address)

Hit [Edit] for eth0 and the form for this interface is presented.
There is only one option in the ROLE field: LAN (green). It is not possible to select RED.

  • Here I try to set up eth0 as RED to have access to the internet, but it is not possible.
    ** If you select the Software center option, the page will stay with the “loading” circle for some time and then throw errors about not being able to contact the mirror list repositories.
    This is a big problem, since if you can’t set one interface to RED and configure its IP as STATIC/DHCP you can’t contact the software center.

Reboot the server so that the hostname / domain and other settings are applied (not really necessary, but better to be sure).

WORKAROUND for internet access:

In the vSphere Client switch to the VM-Nethsh machine console.
Log into the machine with the user root and the password set by you in the initial config wizard (Nethesis,1234 is not valid anymore; you changed it in the initial config!)

  • It would be better if, at the login prompt, the IP and port were presented (like VMware or pfSense or others do; Ex: use http://ip:980 in a web browser to configure this machine)

After the login banner appears, type:

‘dhclient eth0’

Check that eth0 has received its IP configuration; type:

‘ifconfig eth0’

Now test that it can reach the internet; type:


See that we get “64 bytes from …”
Hit [CTRL + C]

Note: we can start the update from the CLI now with ‘yum update’ and ‘yum upgrade’, but it is recommended to issue the upgrade from the web control panel

Now exit from NS shell and return to linux mint machine.

In the web control interface of NS go to [Status] -> [Dashboard]
Check that in the interfaces tab eth0 is up and has a green OK
** The missing RED interface settings will be set up later in this document

In the web interface go to the [Administration] -> [Software center] submenu
Now the NS has access to the repositories and is getting the software lists.
Go to the [Updates] tab;
you see the list of available updates.
Hit [Download and install].
After the updates are finished, the “Operation completed successfully” green banner appears; click the [Available] tab in the Software center.
Select / check the following:

[x] Backup - will be used to save data
[x] Basic Firewall
[x] DNS and DHCP server
[x] Email
  • [x] nethserver-roundcubemail
  • [x] unrar
  • should be split into [x] Email / [x] Webmail (if you select Webmail it will automatically check Email)
[x] File server
  • [x] nethserver-samba-audit
[x] Intrusion Prevention System
[x] MySQL server (if you plan to use dynamic web pages: Joomla, WordPress, etc.)
[x] ownCloud
[x] POP3 proxy (used to scan emails) * should be set as a sub-option of Email
[x] Statistics
  • [x] nethserver-collectd-web
  • [x] nethserver-cgp
[x] Web filter
  • [x] nethserver-lightsquid
[x] Webproxy
  • [x] nethserver-lightsquid
[x] Webserver

Hit [Add] to complete
Check that everything is correct on the “Confirm system changes” summary page and then hit [Apply Changes]

Wait for the tasks to finish.

After the modules have been installed you should see two yellow banners:
“Change admin’s password” - required to enable admin’s Samba account
“Enable backup” - configuration of data backup (not set yet)

** Setting up the internet RED interface (now that we have the basic firewall)

Go to [Configuration] -> [Network] submenu
Select [Edit] on the eth0 row
Set the role to: “Internet (red)”

Note: in this setup we get the IP address from our VMware network switch, which is connected to the physical internet router.
If you have everything on physical machines (alternative setup) you will get a DHCP IP via the switch that connects your router to eth0 of the NS

Select the first link, “Change admin’s password”
You are then redirected to the [Management] -> [Users] submenu
You should see only one row with the admin details.
Select [Edit]
The page displays the user details in a form

  • Note: the username can’t be changed. It is good practice to rename the default ‘admin’ or ‘administrator’ account. Not possible here

Hit [Change password] button. The form to insert a new password is presented.
Enter the desired password for ‘admin’ user

  • Note: the same information about the password complexity policy is missing here too.
  • Minimal password length 6
  • 1 Capital letter
  • 1 Digit
  • 1 Symbol

After you type the new password hit [Submit]

Now go to the [Configuration] -> [DNS] -> [DNS Servers] tab (it is presented by default)
As primary DNS set the NS LAN address
As secondary DNS set the LAN address of your internet router

*We use the IP of the NS as DNS because it will be set up as the AD server.

  • It is not clear whether this will be set by default when it is configured as the AD server, so we specify manually that it uses itself as primary DNS

Hit [Submit]

Go to [Hosts] tab
Hit [CREATE NEW] button

In the Hostname field enter the NS hostname.domain that you set in the initial config wizard: “vm-netsh.vmdom”
Hostname: “vm-netsh.vmdom”
(we used vm-netsh so we enter that one and the domain)

In the IP address field enter:
IP address:

In the Description field enter whatever describes this entry (Ex: NethServer static DNS entry)
Description: NethServer static dns entry

Hit [Submit]
After the settings are applied go to [Configuration] -> [DHCP] submenu

Check the box to enable DHCP on eth1 so that the clients of the virtual internal network will receive IPs and DNS settings from the NS.

[x] eth1 - green

In the IP range set
IP range Start:
IP range End:

(this should be sufficient for most setups)

  • No other options are available for the DHCP settings (PXE, BOOTP, NTP options, etc.)
  • If DHCP is already enabled you should see the DHCP server settings here.

Hit [Submit]

Optional step.
We can set static entries for our two virtual machines, Linux Mint and Windows Server.

Go to the [IP reservation] tab,
Hit [Create new]

In the hostname set: vm-ws2012 (this is the hostname of the Windows server machine)
In the MAC Address set: xx:xx:xx:xx:xx (enter the MAC address of the network interface of your Windows machine)
In the IP address enter:

  • For the MAC address field, a helper check function should convert MAC addresses entered with “-” or without a separator to the desired format :slight_smile: xx-xx-xx-xx-xx to be converted at submit to xx:xx:xx:xx:xx. Useful when you copy-paste from different sources

Hit [Submit]

Redo the same for your Linux virtual machine
Enter the hostname (as set in the Linux machine)
MAC address: yy:yy:yy:yy:yy (copy this from Linux Mint: just type ‘ifconfig eth0’ and then copy HWaddr)
IP address:
Description: Linux Mint Virtual machine

hit [Submit]

**Optional step 2**
After this you can have static entries in the DNS for the other two machines: Linux Mint and Windows Server.
Remember to put in the hostname field the correct hostname as set in the machine OS (write down their hostnames on a piece of paper). Also remember to put the domain after the hostname: hostname.domain
And match the IP with the one you have on those machines or the one you set in the IP reservation in DHCP

After the tasks are applied you should now have two entries in the IP reservation tab;

Now we set up the NS to be the AD;
for this go to the [Configuration] -> [Windows Network] submenu

In the Server role in Windows network you have 3 options. Since we want the NS to be an Active Directory server we select [Primary Domain Controller]
Then you should see the Domain field set to “VMDOM” as set by the initial config wizard
(enable roaming profiles if you will need them for your users)

Hit [Submit]

  • After the NS is set up as AD, the LDAP settings should be visible on this page.
    This information is useful and needed to configure connections for different tools like Apache LDAP editor and others

Wait for the tasks to be applied.

Now we make sure that anything from the NS LAN is permitted to reach the server:

Go to: [Gateway] -> [Firewall rules]

Hit [Create rule at bottom]
See that the rule is Enabled,
Action: Accept
Source: click Source and select Role green
Destination: Any
Service: Any
Description: Anything from LAN side accepted.

Hit [Submit]

Note: this rule is defined in this setup for general purposes. You should carefully make your own rules according to the security that you need in your own environment (for example, add rules to accept HTTP, HTTPS or FTP etc. and then add a last rule to deny anything else)
The rules are applied from TOP to bottom. So if you add a deny for anything at the top you will not be able to access the NS anymore

  • A rule to always allow access to the web config from the LAN should be added in the firewall by default. Also, you should not be able to remove this rule (anti-lockout).

Hit [Submit]
Then hit [Apply Changes] to confirm

Wait for the task to be applied

Go to [Security] -> [Trusted networks]
Add a new rule by pushing [Create New]

Network address:
Network Mask:
Description VMDOM-Network

Hit [Submit]
Wait for the task to finish.

Go to [Configuration] -> [Backup (configuration)]
Hit [Backup Now]

  • An option to download the backup file is necessary to be able to save it in another location (DRP/DRS site)

Now we reboot the NS to make sure that everything gets applied and works.
Go to [Shutdown]
Select Reboot and then hit [Shutdown the system]

  • The submit button should reflect the desired action (Reboot or Power off), otherwise it can confuse some users :smile:

After the NS machine reboots return to Dashboard.

Now we must reboot the other two machines to make them obtain the DHCP IP addresses assigned to them and the other domain settings

Reboot the Linux Mint host (this will make the machine get the DHCP / DNS settings from the NS)
After the Linux Mint machine reboots, log in to it and check that it got the correct settings:
Open a terminal and type:

‘ifconfig eth0’

You should see that it got the address set by you in the DHCP IP reservation (if you set one up in the optional step)
Now, to see that it gets the NS information, type:

‘ping vm-netsh’

You should see that it gets the correct hostname and domain:

PING vm-netsh.vmdom ( 56(84) bytes of data.
64 bytes from vm-netsh.vmdom ( icmp_seq=1 ttl=64 time=0.082 ms
64 bytes from vm-netsh.vmdom ( icmp_seq=2 ttl=64 time=0.102 ms

Hit [CTRL + C] to stop

You can also see whether the Linux machine obtains information about the Windows machine.
To test this we query the DNS for the Windows machine; type:

‘nslookup vm-ws2012’

and you should receive:


Name: vm-ws2012.vmdom

This means that the NS DNS is responding to queries for the hostnames set by us.

Finally, let’s see that we get internet access from our Linux Mint machine through the NS. Type:


You should see that you get a reply to the ping

64 bytes from ( icmp_seq=1 ttl=64 time=2.402 ms

hit [CTRL + C]

Now let’s get the Windows machine ready.
Reboot the Windows 2012 host (this will make the machine get the DHCP / DNS settings from NS)

Login as Administrator

Go to [Start]
Then click on [Control Panel]
Select and click on [Windows Firewall]

Check that the Windows Firewall is turned OFF!
If it is ON, click the [Turn Windows Firewall on or off] link on the right side
Then check the “Turn off Windows Firewall” option in both the Private and Public sections.
Click [OK]

Next we make sure that the time is set to the same value as on the NS.

Return to [Control Panel]

Select [Date and Time] link
Click on the [Internet Time] tab
Then Click the [Change settings] button

Confirm that the check-box “Synchronize with an internet time server” is checked
In the “Server” field type the hostname of our NethServer: vm-netsh
Click the [Update now] button

This should set the clock of the Windows machine to the same time as the NS.
Hit [OK]

Let’s join the Win server to our vmdom domain

First start Firefox or Chrome (if you do not have those browsers installed, now is a good time to install them :smile: )
In Firefox or Chrome, open the NS web control page, or http://vm-netsh:980

Go to [Configuration] -> [Windows network] submenu
Click on the [Client registry settings]

From that page right-click the Win7samba.reg link and select [Save as]
After it is downloaded go to the Windows [Start] menu and type “regedit”, then hit [Enter]

In the “Registry Editor” go to the [File] menu and select [Import…]
Go to the location where you saved the registry file and select it (if you do not see the file, check the “All Files” selection in the extension box).

Select the “win7samba.reg” file and then click the [Open] button.

A message box that confirms the registry key has been imported should appear.

Then close the “Registry Editor”
Close Firefox/Chrome browser.

Click the [Server Manager] icon in the taskbar.
After the Server Manager window appears go to [Local Server]
On the right side of the window click the [workgroup] link

The “System Properties” window should appear.
Go to the [Change] button on the right side and click it

Now the “Computer Name/Domain Changes” window has appeared.

On the bottom side you see “Member of” with two options, Domain and Workgroup (the latter is selected by default)
Click and select the Domain button
In the field enter: vmdom
Click [OK]

A “Windows Security” box appears asking for credentials.
We use the Samba admin account to join the server into the domain

Enter the name: ‘admin’ (without the quotes :smile:)
Enter the password: the one set by you for that user

Hit [OK]

A message with “Welcome to VMDOM domain” should confirm that you joined successfully
This should join the Windows machine into the domain

  • If any error messages appear, take note of them and double-check your steps.

Reboot the Win2012 server.

After the machine reboots, log in with your domain admin account.
If you see VM-WS2012\ under the user name, select “other user” and enter your Samba admin credentials

Make sure that under the user login form VMDOM is specified

After you have successfully logged in, open Firefox/Chrome to the NS web control page

Now we need to populate our Active Directory with users and groups.

Go to [Management] -> [Groups] submenu
Hit [Create new] button

In “Group name” field enter: dom-users
In “Description” field enter your desired description (Ex: “Normal domain users” )

Hit [Submit]

  • Add as many groups as you see fit

Let’s add some more users to the domain
Go to the [Management] -> [Users] submenu
Hit [Create new]

In User name enter the desired login name that the user will use to log in to the domain.
Complete the “First name” field with the desired information
Complete the “Last name” field with the desired information

In the [Groups] field type dom and then select the previously created group “dom-users”
You can also add the Domain Admins group if you desire

NOTE: Be very careful with assigning group membership to users.
Hit [Submit]

You will see the user you just created under the admin user, but it is grey and has a key to the right of its username.
This means that the user is disabled and does not have a password.

Click on [Edit] for the user you just selected
In the user properties click on [Change password] button
Enter the new password for that user

  • The complexity warning required for the password is missing :smile:
  • Minimal password length
  • Capital letter
  • Digit
  • Symbol

NOTE: the password has an expiration date!
You can tweak this from the NS CLI (read the docs)

  • Add as many users as you see fit

Log out of the NS web console and also from the Win server, and test the account of your newly created user.

If everything went well (and I’m sure it did :blush: ) you have logged in with a domain user from NS into a Win2012 server.

TODO: Join the Linux Mint machine to the NS LDAP server
TODO: Use Apache LDAP explorer to configure / tweak LDAP
TODO: create scripts for Windows / Linux to automount the shared folders from the NS that they have permission to access.

  • Automatic generation of automount.xml and login.cmd for LDAP users from the NS when you create/update a share or user :smile:

If you have any questions, tips or tweaks that you think will improve this “How-to”, please add them and I’ll add them to this document.

Best regards
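A client-side verification of the DHCP/DNS steps above, added here as an example and not part of the original post: it normalizes a MAC for the IP reservation page and checks the resolv.conf, ping and nslookup results the how-to tells you to look for on the Linux Mint client. vm-netsh, vm-ws2012 and vmdom are from the post; the NS LAN address 192.0.2.1, the sample command outputs and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: checks a Linux Mint client can
# run after the "Reboot the Linux mint host" step, to confirm it took its lease
# and DNS from the NethServer (NS) PDC. Hostnames vm-netsh, vm-ws2012 and the
# domain vmdom are from the how-to; the NS LAN IP 192.0.2.1, the sample command
# outputs and all function names are constructed for this example.

# normalize_mac MAC: the DHCP IP reservation page wants xx:xx:xx:xx:xx:xx, but
# Windows ipconfig prints 00-11-22-33-44-55 and other sources 0011.2233.4455 or
# 001122334455. Prints the lower-case colon form; returns 1 unless 12 hex digits.
normalize_mac() {
    hex=$(printf '%s' "$1" | tr -d ':.-' | tr 'A-F' 'a-f')
    case "$hex" in *[!0-9a-f]*) return 1 ;; esac
    [ "${#hex}" -eq 12 ] || return 1
    printf '%s\n' "$hex" | sed 's/\(..\)/\1:/g; s/:$//'
}

# resolv_first_nameserver RESOLV_CONF_TEXT: prints the first nameserver entry;
# on a DHCP client of NS it must be the NS LAN address.
resolv_first_nameserver() {
    printf '%s\n' "$1" | sed -n 's/^nameserver[[:space:]]*//p' | head -n 1
}

# nslookup_answer_name NSLOOKUP_OUTPUT: prints the name from the first "Name:"
# line, so "nslookup vm-ws2012" can be checked to answer vm-ws2012.vmdom.
nslookup_answer_name() {
    printf '%s\n' "$1" | sed -n 's/^Name:[[:space:]]*//p' | head -n 1
}

# ping_target_fqdn PING_OUTPUT: prints the FQDN from the "PING host (ip) ..."
# header line, which shows the short name was expanded with the domain from NS.
ping_target_fqdn() {
    printf '%s\n' "$1" | sed -n 's/^PING \([^ ]*\) .*/\1/p' | head -n 1
}

# ping_reply_count PING_OUTPUT: counts the "64 bytes from ..." reply lines the
# how-to tells you to look for (prints 0 when there are none).
ping_reply_count() {
    printf '%s\n' "$1" | grep -c '^64 bytes from '
}

# Constructed sample outputs, shaped like what the how-to shows on the client.
SAMPLE_RESOLV='search vmdom
nameserver 192.0.2.1'
SAMPLE_PING='PING vm-netsh.vmdom (192.0.2.1) 56(84) bytes of data.
64 bytes from vm-netsh.vmdom (192.0.2.1): icmp_seq=1 ttl=64 time=0.082 ms
64 bytes from vm-netsh.vmdom (192.0.2.1): icmp_seq=2 ttl=64 time=0.102 ms'
SAMPLE_NSLOOKUP='Server:  192.0.2.1
Address: 192.0.2.1#53

Name:    vm-ws2012.vmdom
Address: 192.0.2.20'

# check_client NS_FQDN NS_IP WIN_FQDN [live]: with a 4th argument it runs the
# real commands on the client; without it, it evaluates the sample outputs.
# Returns 0 only when every check passes, printing what failed otherwise.
check_client() {
    ns_fqdn=$1; ns_ip=$2; win_fqdn=$3; rc=0
    if [ -n "${4:-}" ]; then
        resolv=$(cat /etc/resolv.conf)
        pingout=$(ping -c 2 "${ns_fqdn%%.*}" 2>/dev/null || true)
        nsout=$(nslookup "${win_fqdn%%.*}" 2>/dev/null || true)
    else
        resolv=$SAMPLE_RESOLV; pingout=$SAMPLE_PING; nsout=$SAMPLE_NSLOOKUP
    fi
    [ "$(resolv_first_nameserver "$resolv")" = "$ns_ip" ] \
        || { echo "first DNS server is not the NS ($ns_ip)"; rc=1; }
    [ "$(ping_target_fqdn "$pingout")" = "$ns_fqdn" ] \
        || { echo "short name did not expand to $ns_fqdn"; rc=1; }
    [ "$(ping_reply_count "$pingout")" -ge 1 ] \
        || { echo "no ping reply from $ns_fqdn"; rc=1; }
    [ "$(nslookup_answer_name "$nsout")" = "$win_fqdn" ] \
        || { echo "NS DNS did not answer for $win_fqdn"; rc=1; }
    return $rc
}

# Run live only when asked (sh check-ns-client.sh --live); the functions above
# are usable on their own against saved command output.
if [ "${1:-}" = "--live" ]; then
    check_client vm-netsh.vmdom 192.0.2.1 vm-ws2012.vmdom live
fi
```

Run it on the Mint client with the `--live` flag after the reboot step; a non-zero exit plus the printed line tells you which of the DHCP, DNS or name expansion steps did not take effect.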


Ehi man, that’s a huge piece of work; if you don’t mind, I want to suggest some improvements:

  • could you replace some long instructions with a screenshot?

For example, in place of an instruction like this you can add a screenshot with this Trusted Networks form already filled out:

Go to [Security] -> [Trusted networks]
Add a new rule by pushing [Create New]

Network address:
Network Mask:
Description VMDOM-Network

I’m used to using a chrome extension like “Awesome screenshot”

  • Another piece of advice: could you put in some titles and split it into several paragraphs? Like configure NethServer network, configure DHCP, join PDC by Windows client, etc.

Thanks a lot, hope this helps


Hi Alessio,
:smile: I was also thinking that some screenshots would be more appealing, but there are none because I had 2 constraints.
First, all of this was done in the vSphere client and I had a lot of switching back and forth between consoles; second, it is a little difficult to have all this edited and also edit the screens.

I’ll try to add printscreens :smile: and also continue the how-to because it is not yet finished.
Still to do: joining the Linux client to AD, but I’m stuck at connecting to the LDAP of NS to explore it and joining the machine.
(maybe you can give me some info, because I did not succeed with the docs.)

I agree with you that it had to be split into sections. :smile:
I’ve done it in one session and this is why it is not so properly formatted

I hope V 1.1 of the document will look better.
Anyway, thanks for the comments; this is the stuff that makes things better (constructive points and suggestions for improvement)



Excellent! Looking forward to your improvements! :+1:

Did it work with Windows 7, 8 and 10? I have lots of issues when using Samba
as a domain server on those versions.

Well, it worked with the 2012 server. I’ve used the registry key for Win 7 so I suppose it should work with Win 7 at least :smile:


Good info… thanks for sharing…
I have had this question for so long… maybe it sounds silly…
Can we replace the Windows AD server with AD on Linux?
Will I be able to manage Windows machines using this Linux AD server?
If yes, any limitations?
I have a Windows server running as AD server for 300 desktops, just to manage users, with lots of disk space and RAM. So, I want to replace it with Linux to make that hardware more usable for other apps.

Well, managing the AD tree is what I’m trying to do right now.
First I need to be able to connect to LDAP. I’m trying with Apache Directory Studio, but until now I could not connect to it :frowning: I am missing the information required to connect to LDAP.

So, I can’t say for sure that you can manage the computers from Samba AD. One thing for sure is that you do not have GPOs like in Samba 4 yet.
If anyone has success with connecting to LDAP please share so we can make progress with this HOW-TO :smile:


This is a fantastic HowTo. With this I should be able to do it on my own and I am a newbie :smile:

I found a small mistake as far as I tested it.

To get the web control page an https connection is necessary.


@Ctek might be happy to hear this :wink:
Good work!

Anyway, long instructions are great for us to easily copy text in some situations. Hard to find the right pics/text mix :smile:

@Ctek Thanks a lot for taking the time to write this. Community guides like this one are really demystifying these tasks. It would take me days to find out and understand how to do what you explain here; you made it clear. I’ve not yet finished reading it but thank you again for this step-by-step tutorial; you really take us by the hand: “come with me, I’ll show you how easy it is” :wink: Luv it

Just read this how-to now…

Please, @all, be aware that NS can act only as a DC in NT style, not in AD style…

It can be part of an AD domain.

IMO this should be clearly visible in the above how-to.

Sure, if you need data to copy/paste then I suggest using the Discourse code snippet, while when you are describing an operation in the web UI a screenshot fits better.

Hi FenyX, thank you for your words and I hope that this HOW-TO helped you.
Please take into account that it is not yet finished due to lack of time :frowning:

And also what Stefano (Zamboni) said is true. It is a domain controller as NT, not Active Directory.

Maybe we will have time to perfect this soon :smiley:

Best regards


Right, and screenshots make it look less impressive to beginners, hehe. Like taking a breath between text blocks. :slight_smile:


Why is this stuff not in the wiki yet?

Put it in howto ht_application :wink:

That’s a super HowTo.
It MUST definitely go on Wiki!


7 posts were split to a new topic: Configure NethServer and pfSense in the same network

Anyone has a minimal idea of how to do that?

I am a newbie and this is my 1st post after a long time as sr.

I want to use NS as AD in our school.

  1. Does NS SSO support Moodle? (enroll users from the NS database)
  2. Mikrotik as router and NS just for AD, so our server has 1 NIC. How about the configuration?