In the Wheelhouse: Active Directory Servers No Longer Need Microsoft Windows!

Analysis of News Events

With Samba 4.0, the potential is there to decommission Microsoft Active Directory servers, their associated virtual machines, and more.


Samba 4.0: Control Your Domain Without Microsoft Windows

Just because you have an Active Directory domain on your network doesn't mean you need to have a number of Windows servers as domain controllers. Not anymore. As per the release on the Samba project Web site, Samba 4.0 is the first free, open-source software with the capabilities to replace or work alongside Microsoft Active Directory as a fully functional domain controller: "Samba 4.0 comprises an LDAP directory server, Heimdal Kerberos authentication server, a secure Dynamic DNS server, and implementations of all necessary remote procedure calls for Active Directory. Samba 4.0 provides everything needed to serve as an Active Directory Compatible Domain Controller for all versions of Microsoft Windows clients currently supported by Microsoft, including the recently released Windows 8."


Some other great features include Group Policies, Roaming Profiles, Windows Administration tools, and support for OpenChange, an open-source implementation of Microsoft Exchange Server, allowing complete interoperability with existing Exchange servers and Microsoft Outlook clients. Samba 4.0 also supports direct integration with Microsoft Exchange servers.


Not only can a Samba 4.0 server join an existing set of Active Directory domain controllers, but also existing domain controllers can join a Samba 4 Active Directory Compatible Server's domain.


Integration documentation for Microsoft Active Directory came with direct help from Microsoft Corporation. "Active Directory is a mainstay of enterprise IT environments, and Microsoft is committed to support for interoperability across platforms," said Thomas Pfenning, director of development, Windows Server. "We are pleased that the documentation and interoperability labs that Microsoft has provided have been key in the development of the Samba 4.0 Active Directory functionality."


"Pleased" may not be the best choice of word, as the collaboration wasn't entirely voluntary on Microsoft's part. Samba won a legal battle with Microsoft in 2007, in which they paid Microsoft a one-time fee of 10,000 euros in return for Microsoft protocol information and a royalty-free license to use them. The resulting agreement between the two parties was largely related to non-disclosure.


So why should you care? How many Linux gurus are reading this? I've used Linux for years, starting with SuSE 8.2, and have been an advocate for "software libre" for a long time. I installed a Linux partition on IBM i back in V5R2 and absolutely loved it. I'm far from a Linux guru, but I'm also not a Windows guru either. I'm rudimentarily skilled in both arenas, so the playing field for me is pretty even. What can we gain from going this route?


The biggest reason for my taking a good long look at Samba 4 is that I don't like deploying and operating more servers than necessary. I'll gladly put more workload into a single Power Systems box if I can do it. While Samba 4.0 isn't explicitly supported on any Power Systems OS at this time, a previous version of Samba (2.2.7) is included in the AIX Toolbox for Linux. The Toolbox for Linux readme documentation mentions downloading the latest release from for more serious types of installations. The version mentioned in the Information Center on Power Linux mentions "3.5.x." "Support" for open-source software can be a tricky subject. I'll get back to you on that one when I have more info.


I've seen some unwanted x86-64 growth in many primarily midrange shops, where Windows servers tend to pop up like mushrooms when the Power Systems administrator's back is turned. I want fewer servers! There's less management, less cost, less manpower, and fewer points of failure. As I recently reported in my mid-December 2012 column, the cost of downtime of Power Systems is a fraction of what it is on x86-64. Also, here's a great whitepaper outlining the performance strengths of PowerVM vs. VMware. Here's another one pitting AIX on Power Systems against Linux and Windows on x86-64. The proof is in the pudding. I want to leverage my existing primary hardware investment: IBM Power Systems.


With that being said, as a Power Systems advocate I see great potential consolidation opportunities with Samba. I have plenty of DNS options; however, we currently use Active Directory for that. For services like domain authentication, LDAP, Lotus Domino Web authentication and Kerberos, we use Active Directory on three different Windows servers distributed geographically. The inability for us to move to another platform like Samba for a true domain controller was always due to the lack of Group Policy features. Samba 4 now allows Group Policy control of workstations running Microsoft Windows, which means we can potentially migrate a number of Windows servers to either AIX or Linux partitions in the future to take over that role.


Since Samba 4 Active Directory Compatible Server is interoperable with Active Directory, you can do the integration in small steps by adding a Samba server to an Active Directory domain and ensuring you have all the bases covered before systematically shutting Windows servers off.


Samba also has a long history as a file and print server. Samba 4.0 now supports version 2.1 of Microsoft's SMB file-serving protocol. SMB3 is also included as an initial implementation; however, according to the release, it "will be further developed in later Samba 4 releases into a fully-featured SMB3 clustered file server implementation." As well, Samba 4.0 offers full clustered file server support along with a "Single Server" view of all clustered file storage.


In my shop, we've migrated much of our Windows file share content to IBM Lotus Quickr places, which offer us many, many more features than traditional file shares, such as change notification, a Web-based interface, and integration with Lotus Notes, MS Office, and Lotus Symphony. But some things just don't make sense to move into Quickr. Large, relatively static files like software images are best served off a file share. Instead of leaving those files on one of our Windows shares, I can leverage existing supported versions of Samba on AIX or Power Linux and use them for file/print sharing. Voila. A few Windows virtual machines turned off.


It's more options. Free options. Samba 4.0 gives you options for a full Microsoft Active Directory consolidation and replacement that you really didn't have until now.


The Samba 4 release also has a great quote from Steve van Maanen, the co-founder of Starsphere LLC, an IT services company in Tokyo, Japan: "Thanks to Samba4, I have two fully replicating Active Directory Domain controllers that boot in under 10 seconds! It is nice to have alternatives, and Samba4 is a great one."


You can download a copy of Samba and view the documentation at


By the way, since we're on the topic of consolidation this week, I'll be co-presenting a session at IBM Connect in a few weeks (formerly Lotusphere) entitled "Business Agility and Efficiency with Consolidation." My half of the session will be focused on the nuts and bolts of server consolidation with IBM Power Systems. If you're at Connect, please drop by to get more details on a number of consolidation examples that I've been a part of in recent years.