Can you run Active Directory on a non-Windows server?

Question

I administer a network of 10 workstations for a small non-profit (also, I'm very inexperienced, forgive me if it's a silly question), and everything has been managed so far as if they were home PCs used by multiple persons, on some workstations a handful of employees even share a single user.

I'm considering introducing Active Directory for managing the user accounts, but we currently don't have a Windows server. A couple of Synology disk stations have been bought, and I'm wondering if I can deploy AD on it? Or is a Windows Server OS necessary for that?

Search results I've found all speak of "integrating" a Linux server or disk station into an AD domain, not using it as a domain controller.

Samba has support for being installed as AD server. I am not sure how complex such Samba based domains/forests can get. — Robert, Feb 12 '21 at 20:21
Please keep in mind that in order for the AD to be useful your _workstations_ have to meet certain criteria: 1) they have to run Windows and 2) the "flavour" of that Windows must be at least "Pro" (in terms of Windows 10) or "Professional" (for Windows 7). Machines running systems of lesser grades won't be able to "join" your AD, and making resource sharing (such as organizing file shares) won't be different compared to hosting them on any Windows (or non-Windows running [SAMBA](https://samba.org)) machines. — kostix, Feb 13 '21 at 13:50
Depending on your budget, it may be worth investigating Azure AD. It can run in a mode that allows computers to be registered, user accounts configured and some light management etc or you can run it in full "Domain Services" mode. — Matthew Steeples, Feb 14 '21 at 14:52
In case anyone is interested, we ended up subscribing to MS365 Business Premium, meaning that I now use Azure AD to manage users across devices. DSM is not at all involved in user management. — Ben Opp, Oct 23 '21 at 13:11

score 12 · Accepted Answer · answered Feb 12 '21 at 20:29

You cannot really run Active Directory on non-Windows servers. You can run Samba, which is a semi-compatible open source product. On Synology, they call this "Synology Directory Server". Specs here : https://www.synology.com/en-us/dsm/software_spec/directory_server

Whether or not the specs and limitations meet your needs are for you to evaluate.

I'm all in favor of people learning by doing, but it might be worthwhile to engage a local consultant to help you do this. Think of the risk to your small non-profit employer if you get it wrong and cause data loss, or get it wrong and want to re-do it a couple of times. I'm not suggesting that you farm it out and be hands-off, you should definitely structure the engagement as a ride-along so you get to learn as the project is worked on.

-1 for that last paragraph, I don't think it's helpful to OP or anyone else reading this, otherwise that disclaimer would have to go on every answer on this site. — Segfault, Feb 14 '21 at 18:47
Meh. Our site does say it's for sysadmin professionals, whereas OP admitted to being very inexperienced. I said that it might be worthwhile, and I stand by that for anyone this new to the profession when tackling a project like this. — mfinni, Feb 15 '21 at 19:29

score 9 · Answer 2 · answered Feb 13 '21 at 07:56

I played with this. I also used a Samba4 DC in a production environment as a "backup" DC (a "primary" was Windows Server).

It works. It also was (3 years ago) somewhat buggy. You'll get all sorts of different glitches in corner cases, like group policies and so on. Some problems in our case were probably due to a fact Samba4 was a "backup" DC and it wasn't able to copy GPs from Windows DC (it is able now, afaik); we must do that by hand (note there are no true "primary" or "backup" domain controllers in the active directory technology, but often there are enough reasons to consider some machines as "more even" than others). Others were due to the fact it didn't supported having cyrillic CNs of records well enough. In general, all problems appeared to be solvable.

In our case we eventually virtualized our Windows DC and start doing whole machine backup, so windows admins concluded no backup DC was necessary anymore (this was an organization with not more than 20 computers).

If you want to learn AD better, if you have enough time to solve problems, you may give Samba4 a try. I'll speak again, it is mature enough to rely on, especially if you do regular backups. But if you don't have a time, a motivation or want something which "just works", there is no replacement to Windows Server here, you have to use it.

AFAIK, even latest Samba 4 is still unable to synchronize the actual GPO files from SYSVOL -- not even from another Samba DC. (That is, it has neither FRS nor DFS-R. We do it using robocopy...) It does replicate all AD (LDAP) directory information just fine, though. — user1686, Feb 13 '21 at 16:24

Massimo · Answer 3 · 2021-02-13T16:49:22.020

7

There are open-source software which can emulate Active Directory, and even reach 90% (maybe even 99%) compatibility with it.

But unless you are a very knowledgeable technical person trying to integrate Linux with Windows for whatever reason, it's definitely a lot easier to just run a Windows server.

If you are in a SMB (Small-Medium Business), there are lots of favorable licensing options too.

TL;DR: just run a Windows server unless you have very good reasons to not do that. It's a lot easier.

edited Feb 13 '21 at 16:49

answered Feb 13 '21 at 01:22

Massimo

68,714
56
196
319

5

If you don't live and breathe Samba and eat Linux for breakfast, it's probably also cheaper to run Windows than have to hire a consultant to dig you out of a hole every couple of months. And I say that as someone who loves tinkering with technology, is compiling his own Linux kernels since Linux 1.2, and has run small business networks based on Linux and Samba. – Jörg W Mittag Feb 13 '21 at 17:06
1

@JörgWMittag yes, also this. If you run into an issue with Windows, you have tons of official documentation and as a last resort you can call Microsoft support. If you run into an issue with Samba (which, let's not forget it, is based on *trying to reverse-engineer Windows*), good luck. – Massimo Feb 13 '21 at 20:44
@Massimo To be fair..... if you run into an issue with Samba you can look at the source code to figure out what it's doing and change the behavior or fix the issue yourself. – Segfault Feb 14 '21 at 19:01
2

I don't think our OP will be submitting bug fixes for Samba. – mfinni Feb 15 '21 at 23:27

Ashley · Answer 4 · 2021-02-16T20:58:10.900

If you're looking at having some management, consistent user accounts and integration with storage, email and other common productivity services without having to spin up on-premises infrastructure along with the initial outlay, maintenance, time and risk of running them: take a look at the following cloud-based solutions:

Azure AD join for Windows 10: equivalent to domain joining to AD DS as it provides Single Sign-On and device controls without any on-prem management
Azure AD cloud identities: provision user accounts in the cloud without any on-premises servers needed
Microsoft Endpoint Manager [aka Microsoft Intune]: equivalent functionality to Group Policies, whilst providing better real-time management and support functions
Office 365: provide storage in SharePoint via Teams or the browser, plus the rest of the standard Office applications and much more

For anyone who thinks "this won't work for me, we have no budget for this stuff " – the total cost of ownership (TCO) of cloud technologies like these can often be much lower than on-premises infrastructure, and empower the business/users to achieve and create more, or be more efficient than the limits of whatever can be provisioned and managed on-premises.

Additionally, as mentioned in another answer: not-for-profits, educational organisations and other similar common good organisations often get free or significantly reduced cost cloud licenses from all the major players, even if Microsoft services aren't for you.

This reads a bit like a Microsoft 365 advert ;-) and it's this product we ended up subscribing to (MS365 Business Premium). All the workstations need to have at least Win 10 Pro, and you need a certain level of control over the web domain and that 's it. So we're AAD cloud-based now. — Ben Opp, Apr 13 '21 at 22:08
Heh, tis just the background I have. Glad it was useful, though! — Ashley, Apr 16 '21 at 15:00

johnsonjp34 · Answer 5 · 2021-02-13T22:02:47.580

2

I recently deployed a setup with Synology to a site with about 15 workstations to replace an aging Windows Server setup.

The key is using the RSAT tools. All you need in addition to the Synology unit is a Windows 10 machine with the RSAT tools.

The Synology can push out the basic group policies etc, but you are better off managing them by setting the rules up with the Windows RSAT available on Windows 10.

You could also use a more open source approach with linux and Samba, but the Synology is a lot easier to setup. Setup the DNS and DHCP on the Synology unit. (Make sure to have a good gateway/firewall like pfsense with Snort etc for intrusion detection). The DNS on the workstations has to be set as the Synology for the policies to correctly push to the Windows workstations.

edited Feb 13 '21 at 22:02

answered Feb 13 '21 at 01:12

johnsonjp34

173
1
1
6

4

`the DNS on the workstations had to be set as the Synology` - it's essentially the same in AD. The workstations have to use the DCs as their DNS servers, in the simple case. More completely, they have to be using DNS servers that have the complete DNS zone for the AD domain, that the DCs can write to, which in most environments is going to be the DCs themselves. – mfinni Feb 13 '21 at 20:15
@mfinni wish I could upvote you more. Active Directory totally relies on DNS, and it's a real pain to see some people (even in 2021!) who still don't get *that*. – Massimo Feb 13 '21 at 20:50

score 2 · Answer 6 · answered Feb 16 '21 at 19:23

As a “small non-profit” you should be able to get Windows Server and Workstation licenses very inexpensively through Tech Soup. https://www.techsoup.org/

I would recommend getting a used server, installing Hyper-V server (not the Hyper-V role), and setting up a virtual Domain Controller. You could also setup a file server (later).

There are many IT people around who would be happy to show you the ropes. Otherwise, I would definitely recommend paying for some help.

In fact, we did get a very good price from them, and the first ten licenses are free. — Ben Opp, Apr 13 '21 at 22:12

score -1 · Answer 7 · edited Feb 14 '21 at 00:59

-1

Sadly AD is a Product based on Windows by MS. So the Answer is no. But... as others already mentioned there a some nice AD like things... Did you checked out UCS == Univention Corporate Server? It is very ad-compatible and can make you do many thing pretty easy! Since its opensource you can you use it for for free. UCS is using ldap/samba but in very great. I'm using it at a local hackerspace to provide not only an user-account directory, but more we love to use its awesome integration w/ many opensource apps like nextcloud or such things.

edited Feb 14 '21 at 00:59

sysadmin1138

131,083
18
173
296

answered Feb 13 '21 at 23:25

TheRojam

111
1

https://en.wikipedia.org/wiki/Univention_Corporate_Server – Criggie Feb 14 '21 at 18:42
Thanks, I don't understand the downvotes here. On the one hand, it's not a viable option for my specific case, but it's definitely a good answer for the questions as it is worded! – Ben Opp Apr 13 '21 at 22:10

Can you run Active Directory on a non-Windows server?

7 Answers7