Setup FreeNAS as Primary Domain Controller

Status
Not open for further replies.

erez

Dabbler
Joined
Sep 20, 2015
Messages
17
Dear Forum Members,

Can anyone please point me to a step-by-step guide on how to set up FreeNAS as a domain controller? Whilst in general the FreeNAS documentation is fantastic, I am struggling to achieve this. (Ideally I would like to manage all user permissions using only FreeNAS without the need for a separate machine to act as a domain controller.)

Thanks in advance.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Samba documentation advises against using the same samba instance as a DC and file server.
 

erez

Dabbler
Joined
Sep 20, 2015
Messages
17
Dear Anodos,
Thank you for your prompt response. As correctly advised, I also noticed the above in the Samba documentation; however, at the same time section 11.4 of the FreeNAS documentation states "FreeNAS® can be configured to act either as the domain controller for a network or to join an existing Active Directory network as a domain controller." I therefore assumed this functionality was already built in. However, I am somewhat confused by the domain controller settings depicted within the same section and how to correctly configure the above. I was really hoping there would be a documented example somewhere?

Your kind assistance is greatly appreciated.
Thank you.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Do you have an existing domain or are you creating a new one? Are you planning to use your FreeNAS server only as a DC or are you planning to use it to serve files as well?
 

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215

erez

Dabbler
Joined
Sep 20, 2015
Messages
17
Dear Anodos,
We currently have a domain which is managed by an external IT service provider as a service, thus I am contractually unable to utilize existing infrastructure. I am looking at building a network in parallel with either FreeNAS or TrueNAS acting as both file server and domain controller, then slowly migrating users across until eventually I can cut away from our current IT provider. I am hoping to find some guidance using the forum, however at the same time I also contacted IX-Systems and requested for assistance. If we can simplify our requirements to fit within a single device it would be ideal.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
IMHO, consolidating the domain controller and file server to a single device is a bad design decision. If something goes wrong with your DC you want to either (1) have a second DC on your network and automatically fail over or (2) be able to quickly revert the DC to its last working state. The best way to achieve (2) is to run the DC in a VM. The resource requirements for the DC role are minimal. Personally, I only run Windows Server domain controllers in VMs and allocate 1 core, 1GB RAM, and probably 60GB hard drive space to them (and this is probably overkill). Running a separate Samba instance in a FreeNAS jail (using vimage) could probably be a decent solution. Unfortunately, if you do this you'll have to configure it from the CLI (the Samba project has a wiki entry on setting up a DC). If I were contemplating running a Samba DC in a production environment, I'd probably consider (1) a robust virtualization platform like ESXi or XenServer and (2) a stable Linux distribution (Debian or CentOS) utilizing the SerNet Samba packages.

Of course, I defer to iXsystems regarding running a FreeNAS server as a DC and file server simultaneously, since they will be the ones supporting it if you buy a TrueNAS system. TrueNAS support is very good and I highly recommend going that route in any case. iX can probably also connect you with contractors if you need help with the actual migration.
 

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215
Just out of curiosity, if you had:
  1. FreeNas as the VM Host
  2. VM Instance of a machine running as a DC
  3. FreeNas is a member of said DC
  4. FreeNas as the File Share
Would you not see some issues/errors with FreeNas coming up (since it is the VM Host) prior to the VM DC starting up? Or am I just over thinking this?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
I think it'd be no more of an issue than if you booted up the FreeNAS server configured as an AD member with the DC down. DNS wouldn't work on the FreeNAS box till the DC jail has started and you'd have to restart the directory service on the host side once the jail is fully running (so that samba will join up with the DC).
 

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
True. I may try to run this scenario to see how things go. Would be nice to consolidate, but I would need to run it for a while before recommending it.
I ran a server 2012R2 DC instance inside virtualbox on a FreeNAS system for about a year. The DC was the second on my domain so I never really got to test what happens when a member server that's a VM host comes up before a DC. All said and done, it was stable but virtualbox is mostly terrible.
 

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215
May try it with a VirtualBox instance of SME Server (CentOS based) as a single DC to test. Perhaps it may be better with FreeNAS 10. But I digress; I don't want to divert the OP's original question.
 

erez

Dabbler
Joined
Sep 20, 2015
Messages
17
Dear Anodos and Mirfster,
Thank you both for your responses and most valuable opinions. It is also very comforting and encouraging to hear IX has such great support. In any event we will end up purchasing either a certified FreeNAS server or a TrueNAS as we greatly value reliability. I have set up a meeting early next week to discuss our requirements with IX and will certainly keep you informed of their recommendations. Meanwhile I plan to follow your guidance and attempt to place a DC inside a FreeNAS VM to see if it works. I am still curious though as to section 11.4 in the FreeNAS documentation mentioned above and will consult with IX on the correct interpretation of it.

Thank you both for your assistance and guidance.
Erez.
 

erez

Dabbler
Joined
Sep 20, 2015
Messages
17
Hi Guys,

Okay... had a long conversation with IX-Systems and both TrueNAS and FreeNAS can act as primary domain controllers. Apparently the setup is covered in the documentation. I am waiting on a quote from IX for above but in the meantime will dig into the literature to try and find some answers.

p.s. - in TrueNAS jails are disabled... just something to consider.

Will keep you posted.
Best regards,
Erez.
 

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215

erez

Dabbler
Joined
Sep 20, 2015
Messages
17
Hi All,

Apologies for delayed response. Had to wait until we clarified with IX-Systems. So according to them, I do not need to run the DC inside a jail/VM. TrueNAS and FreeNAS have a service that can be enabled and will allow it to act as Domain Controller as well as not interfering with it as a File Server. I will experiment with this on a cheap test box and let you know how I go.
truenas_dc.png
 

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Great to hear!
 

Mr Splat

Dabbler
Joined
Jul 16, 2014
Messages
14
Hi erez, and associated respondents. I'm glad I found this thread as I'm also interested in getting my FreeNAS box to act as the PDC for my network. A few months ago I was attempting to set one up on a Raspberry Pi running Arch Linux (I am mainly a tinkerer and I'm on a tiny network) and failed fairly miserably. I have both the Arch guide and Samba guide bookmarked to the hilt, but considering that my FreeNAS box is on 24/7, is attached to a UPS, and has a 64GB SSD for storing its system dataset, it'd be fantastic to be able to configure it to act as the Domain Controller. Maybe I will then have another go at configuring a Raspberry Pi, but this time as a secondary controller...

I don't have a spare FreeNAS box sitting about to experiment with myself but I might go look through those guides again and see if I can bring myself to have a go on my main box (with anything important backed up obviously)

I will keep an eye on this thread in case you come back with any updates, Good Luck!
 

erez

Dabbler
Joined
Sep 20, 2015
Messages
17
Hi All,

OK, I got my FreeNAS to act as a primary domain controller; however, whilst I can log into the domain as administrator, I am having some issues connecting RSAT to it. So now I am trying to get RSAT to work so I can add users. My settings are as follows:

<step 1>
\Services\Domain Controller Settings:
-Realm: DC.EXAMPLE.COM
-Domain: DC.EXAMPLE
-Server Role: active directory domain controller
-DNS Forwarder: 192.168.1.2 <-- *this is the IP I set in Network tab
-Domain Forest Level: 2008_R2
-Administrator Password: strongpass
-Kerberos Realm: DC.EXAMPLE.COM <-- *you don't need to set this. It's done automatically when pressing OK

<step 2>
\Directory\Directory Services\Kerberos Realms
-Realm: DC.EXAMPLE.COM
-KDC: NAS.DC.EXAMPLE.COM
-Admin Server: NAS.DC.EXAMPLE.COM
-Password Server: NAS.DC.EXAMPLE.COM

<step 3>
\Directory\Directory Services\Active Directory
-Domain Name (DNS/Realm-Name): DC.EXAMPLE.COM
-Domain Account Name: Administrator
-NetBIOS Name: NAS
-Kerberos Realm: DC.EXAMPLE.COM

<step 4>
\Directory\Directory Services\LDAP
-Hostname: NAS
-Bind password: strongpass
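
A consistency check over the settings posted above, as an added example that is not part of the original post or of FreeNAS itself. The dictionary keys and the function name are hypothetical, the configuration is assumed to be a single DC that is also the KDC, and the password rule is an assumed AD-style complexity policy (at least 7 characters, 3 of 4 character classes).

```python
import re

# Constructed input: values copied from the post; the key names are hypothetical.
POSTED = {
    "realm": "DC.EXAMPLE.COM",
    "netbios_domain": "DC.EXAMPLE",
    "netbios_name": "NAS",
    "kdc": "NAS.DC.EXAMPLE.COM",
    "admin_password": "strongpass",
}
# Constructed counterpart with a one-label NetBIOS domain and a complex password.
REVISED = dict(POSTED, netbios_domain="DC", admin_password="Str0ng-Passphrase!")


def check_dc_settings(s):
    """Return (field, problem) findings for a single-DC Samba AD configuration."""
    findings = []
    realm = s["realm"]
    if realm != realm.upper():
        findings.append(("realm", "Kerberos realm should be the upper-case DNS domain"))
    for key in ("netbios_domain", "netbios_name"):
        name = s[key]
        if len(name) > 15:
            findings.append((key, "NetBIOS names are limited to 15 characters"))
        if "." in name:
            findings.append((key, "use a single label without dots"))
    # Assumption: one DC that is also the KDC, so the KDC FQDN is expected
    # to be <NetBIOS name>.<realm>.
    host, _, zone = s["kdc"].partition(".")
    if zone.upper() != realm.upper():
        findings.append(("kdc", "KDC FQDN is outside the realm's DNS domain"))
    elif host.upper() != s["netbios_name"].upper():
        findings.append(("kdc", "KDC host label differs from the NetBIOS name"))
    # Assumed policy: >= 7 characters and 3 of 4 character classes.
    pw = s["admin_password"]
    patterns = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    classes = sum(bool(re.search(p, pw)) for p in patterns)
    if len(pw) < 7 or classes < 3:
        findings.append(("admin_password", "fails the assumed complexity policy"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("revised", REVISED)):
        print(label, check_dc_settings(cfg) or "no findings")
```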
 