How to run an Active Directory Domain Controller for Free

Andrew Wong
Jun 21, 2021

Using Samba in Linux to save on Windows Server Licensing costs

Source: https://commons.wikimedia.org/wiki/File:Samba_logo_2010.svg

I have been running Samba since its early days (pre-year 2000). I used it to replace an aging Novell IPX/SPX server. From the get-go, I was amazed at how stable and maintenance-free it was. It was set-and-forget, and it ran for years.

At that time, Samba had very experimental support for the Windows Domain. I ran it in our little network in the office, but it wasn’t really good. There was a lot of hacking involved, and there were many things that didn’t work well with the Windows clients.

Fast forward 20 years: Windows Domain has become Active Directory and is the de facto AAA service for the corporate network. Microsoft has also successfully implemented AD on the cloud, with Office 365, Azure and Microsoft 365 services supporting SSO for computers, networks, web applications, and what-not.

However, for our small business, we find that the investment for a Windows Server and the associated CALs (Client Access Licenses) is too high for an Active Directory deployment. The price tag starts at around a thousand USD for a small network, and can be a lot more as the number of users increases. Most SMEs therefore do without Active Directory and manage their network manually. They miss out on the centralized administration and the security benefits of AD.

It is therefore great to know that over the same period, Samba has grown from an experimental bud of Windows Domain support into a beautiful flower of an Active Directory implementation. So much so that Amazon Web Services is now charging users to use a “Simple AD” directory type, based on Samba.

[Image: Directory type: Simple AD using Samba. Caption: A vote of confidence for Samba AD support]

I have since deployed Samba as an Active Directory controller on our company network and am happy to report that it has retained the set-and-forget feature from the past. It has been chugging along for more than 6 months, only requiring 1–2 reboots between then and now for Ubuntu updates.

So what are the benefits of running Samba as an AD setup?

  • You don’t pay anything for the software
  • It is relatively easy to set up
  • It is very stable. If you didn’t have any problems upon setup, it is most likely to continue running for some time
  • You can continue to use Windows tools to do almost all Active Directory tasks (i.e. the Samba/Linux layer is invisible in day-to-day work)

The last point is quite important for me. As this is ultimately a Windows environment, it makes good sense that tasks such as adding/deleting PCs and users, resetting passwords, changing permissions, Group Policies, etc. be done from a Windows interface.

After setting up Samba/Linux, largely from the command line (not too difficult, I guarantee, as we just need to follow the steps), and once everything is set up on the backend, we just “forget” about the setup and turn to a Windows machine for further tasks.

RSAT (Remote Server Administration Tools) is freely downloadable from Microsoft and can be installed on any Windows PC in the domain.

It contains tools such as “Active Directory Users and Computers”, to administer users and computers, as well as the Group Policy Editor (GPO Editor) to create or change your GPOs.

[Image: Active Directory Users and Computers. Caption: Administer Domain Users and Computers]

[Image: Group Policy Management window. Caption: Group Policies can also be created or changed from Windows]

In another post, I will detail exactly how to set up a Samba server in Ubuntu Linux, add a Windows server into the domain, and then use RSAT to administer the domain as you would in a normal Windows Server-hosted one.

In short, we get all the cost benefits of running Linux and Open Source Software, without sacrificing the convenience and usability of maintaining the domains from a Windows environment. The best of both worlds; you can have the cake and eat it too!
