I would like to inquire if it is possible to have separate nodes in NS8 for Samba services. Specifically, I am interested in having one dedicated node solely responsible for providing Active Directory services, while another node would handle File Sharing tasks. Currently, I have observed that file sharing is only possible when an internal Samba DC (Domain Controller) is configured.
Is there a way to achieve this separation of Samba nodes within NS8? I would greatly appreciate any guidance or suggestions you can provide.
I would like to separate the ADDC from the File Server too. It would be nice to have such a feature, looking at the new NethServer version working with different nodes.
This is what I normally would do in a pure Windows Server environment: DCs in their own VLAN and the file servers in their own VLAN. Traffic is allowed between VLANs based on the bare minimum required (read: firewall rules / exceptions).
Sounds like a great concept to load your firewall…
→ A single file server request results in at least 4 (probably more) data-streams over the firewall including routing…
Client Auth to AD
Client request to FS
Auth from FS to AD
Client gets response from FS
And as practically all Windows traffic needs to be passed by the firewall, there’s not really any advantage in this, except for much more overhead!
Add to this that most firewalls are not AD-traffic cognizant (they don’t understand or can’t evaluate if that specific user out of that specific group has permissions to request XY from any server or AD)…
I do however agree in middle or larger environments to use one or several dedicated ADs!
But also ONLY virtualized, anything else is time wasting!
The main idea is to have one small VM, running AD, which is the heart of the infrastructure. It must just run; the more segregated from the rest of the systems (which I frequently re-configure), the better. I want to have separate VMs for each core function of our network, that can be independently managed.
Some intranet and ERP webservers
router is already separate hardware based, which is also providing VPN.
I have everything running on Proxmox and can restore small pieces of the infrastructure quickly and efficiently. And also move quickly to another Proxmox machine.
BTW, is there any plan to also support RADIUS in NS? I currently have it manually configured in NS7. It is providing WiFi (WPA2 Enterprise) and VPN authentication to my Ubiquiti router.
There is normally a performance trade-off - but we build networks where the backbone is at least 10G.
My point is that 10G networks are becoming more and more affordable. Have a look at TP-Link. I bet the Ciscos and Arubas of this world see TP-Link catching up when they look in their rearview mirror.
This means that we want to apply solutions for large networks more and more often to small networks.
For example, we are currently setting up a network for a foundation. We use Pico PCs with 10G interfaces (LAN) as router/firewall and TP-Link switches with 10G interfaces (SFP+). We have no problem with traffic between VLANs. For larger networks we use 19" SuperMicro servers as a router/firewall (that’s a lot of CPU power and 10G connectivity).
We use PacketFence (https://www.packetfence.org/) for authentication on switch ports and SSIDs. This is a PacketFence cluster which uses AD for authentication. You can also run PacketFence as a single server - but we found a cluster more reliable.