Can FreeNAS Core replace Windows Server 2012 for AD (or LDAP) ..?


TrumanHW

Active Member
Sep 16, 2018
253
34
28
Just completed recovering a failed HP (P410i, total PITA) RAID-5 array.
It had an Offset, a startup delay, was Right Sync (if I recall). Truly brutal without access to the SAS SA.

The office uses an OLD DL380 with a "RAID-5 for fault tolerance" with either LDAP or AD. I believe the server may have or does host a Hyper-V, all of which I think TrueNAS Core does equally or better, faster or cheaper, with convenient integrated off-site backup, incremental & differential backup & ransomware protection.

If TrueNAS Core can't replace all services Windows Server now provides (still required)...?
LMK, as this series of questions likely becomes moot if TrueNAS can't completely replace it.


For which, the minimum likely cost will be the office's continued use of conventional RAID vs RAIDz.


I'm NOT a "SysAdmin."
I've set up >5 FN / TN machines...
Just never in a live server env. & never with AD / LDAP.


However.

Their off-site SysAdmin? Is very proficient at Windows Server, LDAP
(and AD and certainly many things we've had no reason to discuss.)

He's just never set up FreeNAS / TrueNAS nor AD | LDAP on a TN server.
Though, in reading the instructions? They don't look intimidating.
My guess is his fluency in AD will easily transfer to TrueNAS as he's already versed in it.

True? / False?

No Windows Server or CALs required? (True / False) ?


AFAIK, the current HP Server's uses:

• AD (Active Directory) or LDAP
• Limited (if any) Hyper-V usage.
• Hosting Files / Folders (NAS)
(has possibly run Hyper-V's, but I've never been to their office)
ALL of which I believe TrueNAS Core not only does, but performs better on equal hardware (for less).


• In ~3y when his Win Server 2012 expires it'll be addressed as an emergency / surprise.
• Office suffered a RansomWare attack ~3 weeks prior to the RAID-5's 2nd HD failing.
• The 600 GB 10k rpm drives had 42,000 hours on them. Suggested replacing with SATA SSD.
• TrueNAS would avoid loss of updates in 3y & all Win Server + CAL costs (for ≤ 8 users).


Goal: Simple, Cheap, Reliable (Double Parity (RAIDz2) w scrubbing / checksumed-Bit-Rot protection).


Any SysAdmin willing to GRADE the comparative-services & performance between TrueNAS & Windows-S
(obviously TN has superior RAIDz & built-in backups unless he gets ZFS on Windows Running ?)

| Graded Categories (5 = Best) | TrueNAS Core | Windows-S 2012 |
|---|---|---|
| RAID Perf / Reliability | Score: 1 - 5 | Score: 1 - 5 |
| Networking Reliability | Score: 1 - 5 | Score: 1 - 5 |
| LDAP / AD | Score: 1 - 5 | Score: 1 - 5 |
| Hyper-V usage | Score: 1 - 5 | Score: 1 - 5 |
| Hosting Files / Folders (NAS) | Score: 1 - 5 | Score: 1 - 5 |
| Performance (speed) per spec | Score: 1 - 5 | Score: 1 - 5 |
| Reliability | Score: 1 - 5 | Score: 1 - 5 |
| RansomWare, Malware, Virus | Score: 1 - 5 | Score: 1 - 5 |
| Ease of Keeping Backed up | Score: 1 - 5 | Score: 1 - 5 |
| Difficulty setting up AD / LDAP if Familiar on either OS the FIRST TIME setting it up on the other OS | Score: 1 - 5 | |
 

LodeRunner

Active Member
Apr 27, 2019
540
227
43
If you're actually using AD properly, and your clients are all (or even mostly) Windows, keep using AD. Aside from cases where DNS gets broken, AD pretty much just works.

For that number of users, budget for Server 2019 Standard and the correct number of CALs. No, it's not free. Does it all work really well? Yup. I do AD + DNS + failover DHCP from my servers so no dealing with hinky dynamic DNS updates either. AD DNS forwards to DNS filtering which then forwards to a public DNS provider.

I'm not going to give you numbers, those are meaningless because what I consider easy since I've done it a few dozen times may not be easy for someone else.

I'm running an environment for ~150 users. That said:

RAID reliability: apples and oranges, you're comparing a storage OS and software redundancy strategy to whatever random RAID card is in use; this has nothing to do with Windows. Assuming, say 8 drives of 4 TB or less for bulk storage, a RAID-6 will provide ~20 TB of storage with enough fault tolerance to finish a rebuild before a second failure is statistically likely, if the RAID card isn't an utter piece of trash (I know my PERC H710 is capable of handling an array that size and rebuilding it in an acceptable time frame).

AD vs LDAP: AD is way more than just LDAP. And the tools for managing it are generally excellent. I'm sure you can replicate a lot of the functionality with an LDAP server or Samba pretending to be a DC. But if you're doing things with AD like using Group Policies, then AD and the tools to manage it are really hard to beat.

Reliability: I haven't had much in the way of issues with servers that were just being DCs, serving DNS and DHCP. An AD-DC is kinda special, don't install apps on it; being a DC does things to local security that aren't done to member servers. Best part: as long as you have 2 DC's, if one of them acts up, you can either choose to troubleshoot it, or just nuke it and rejoin, depending on the nature of the issue. Can't comment on TN, never used it.

Ransomware, etc: the larger risk is your workstations, and by extension the users, so this comes down to your backup strategy. Windows Defender is actually quite good for the most part. For more exotic threats, you're going to be looking at a paid solution for a NGAV like SentinelOne or CrowdStrike.

Hyper-V: vs what? TN jails or whatever it does for virtualization? Hyper-V's a decent hypervisor; I run Windows and Linux (Ubuntu, RedHat, Debian) VMs on it with no issues. We had enough Windows servers that getting Datacenter level licensing made sense, so I did not feel compelled to drop another $30k+ per year on something like ESXi, nor did I feel like building a DIY cluster with KVM or ProxMox, etc.

Performance: depends on what you're doing. Assuming decent hardware, Windows will max out a gigabit pipe for file sharing, no problem. And it will handle 10Gb well enough with a little tuning. Decent = anything from the last 5 years and Intel, Broadcom, or Mellanox NICs.

Ease of backup: not sure what you use to backup TN. For Windows, Veeam Community Edition, or hand them a reasonable amount of money for the Small Business edition or whatever it's called. I think we paid like $3600 for 3 years of 25 VMs? And then bought 25 TB of reserved commit storage on Wasabi S3 to push off-site. We have an on-site repo server with 55TB of storage and a couple months of retention. Wasabi is configured as immutable, so ransomware can't nuke it.

Hosting files: well, with the caveat of "don't use your AD DC as a file server" for best practices purposes, sharing files in Windows isn't that hard. The one gotcha is the difference between the filesystem ACL and the share ACL. This may be slightly elitist sounding, but any competent sysadmin should be well aware of the differences and how to manage it.

Licensing-wise, if you have a Windows Server Standard license, you can install the base OS and Hyper-V role on the hardware, and legally use the same license to run two Windows VMs, so long as Hyper-V is the ONLY thing the hardware is doing.

Nothing I've said should be taken as criticism against TrueNAS, as I have never deployed it. I am however a longtime Windows & Linux sysadmin with a fair bit of experience with Hyper-V and ESXi clusters.

In the end, it will come down to budget and what your friend is comfortable supporting, as well as what the company management requires. I have worked with people who will readily acknowledge certain advantages of free/open-source software, but balk because of no readily available support contract. I know that's an option with TrueNAS, is it tied to a hardware purchase or can it be acquired separately?

Also, if you haven't deployed or benchmarked Windows Server on equivalent hardware, what supports your belief the TN will be better, faster, or easier to use? Cheaper I'll grant, it's hard to argue with free.
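The share-ACL vs. filesystem-ACL gotcha mentioned above, as an added illustration (not the poster's code): a user's effective access on an SMB share is the more restrictive of the share permission and the NTFS permission, and an explicit NTFS Deny overrides any Allow. The users, groups and ACLs are constructed sample data, and the model is simplified (a Deny here blocks all access rather than a single right).

```python
"""Effective access on a Windows file share: share ACL intersected with NTFS ACL.
Constructed example; user/group/ACL data below is made up for illustration."""
from dataclasses import dataclass

READ, WRITE, FULL = "read", "write", "full"
# Rank access levels so "more restrictive" is simply the lower number.
LEVEL = {None: 0, READ: 1, WRITE: 2, FULL: 3}
RIGHT_AT = {0: None, 1: READ, 2: WRITE, 3: FULL}

@dataclass
class Ace:
    principal: str      # user or group name
    right: str          # READ / WRITE / FULL
    deny: bool = False  # explicit Deny (modelled on the NTFS side only)

def principals_for(user: str, groups: dict[str, set[str]]) -> set[str]:
    """The user, the implicit Everyone group, and every group containing the user."""
    names = {user, "Everyone"}
    names |= {g for g, members in groups.items() if user in members}
    return names

def ntfs_allowed(user, acl, groups):
    """Highest NTFS right granted to the user, unless an explicit Deny matches."""
    names = principals_for(user, groups)
    matching = [a for a in acl if a.principal in names]
    if any(a.deny for a in matching):      # Deny wins over any Allow
        return None
    return RIGHT_AT[max((LEVEL[a.right] for a in matching), default=0)]

def share_allowed(user, acl, groups):
    """Highest share-level right granted to the user (share ACLs are Allow-only here)."""
    names = principals_for(user, groups)
    return RIGHT_AT[max((LEVEL[a.right] for a in acl if a.principal in names), default=0)]

def effective_access(user, share_acl, ntfs_acl, groups):
    """Effective right over the network: the more restrictive of share and NTFS."""
    s = share_allowed(user, share_acl, groups)
    n = ntfs_allowed(user, ntfs_acl, groups)
    return RIGHT_AT[min(LEVEL[s], LEVEL[n])]

# Constructed sample: "Everyone: Full" on the share, real control done in NTFS.
GROUPS = {"Finance": {"alice"}, "Contractors": {"bob"}}
SHARE_ACL = [Ace("Everyone", FULL)]
NTFS_ACL = [Ace("Finance", WRITE), Ace("Contractors", READ), Ace("bob", READ, deny=True)]

if __name__ == "__main__":
    for u in ("alice", "bob", "carol"):
        print(u, "->", effective_access(u, SHARE_ACL, NTFS_ACL, GROUPS))
```

Swapping the share ACL to `Everyone: read` caps alice at read even though NTFS grants her write, which is the direction of the mistake that usually surprises people.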
 

TrumanHW

Active Member
Sep 16, 2018
253
34
28
So sorry for the confusion (and I'm sure it's my wording's fault).

I want to know if I can REPLACE Windows Server 2008 or 2012 doing the aforementioned tasks


  • AD (Active Directory)
  • Possibly Hyper-V ... VMs
  • NAS: Files & Folder repo

    ALL of which I believe TrueNAS Core can do ...
    And, may perform better on equal hardware than Win Server.
    (I've never been to their office when this was working)

He owns a real-estate business (boom & bust), going through difficult times right now.
Only has a few users right now, but obviously he hopes the market changes.
(I think he has about 8 CALs on either Server 2008 or 2012: either expired or on the verge of expiry.)
I assume Server 2008, bc I believe it was this office which experienced RansomWare 3 weeks ago.


Can TrueNAS Core replace Windows Server for AD with similar performance & equal or better reliability.

Approximate specs:

- HP DL380 G7
- Maybe 2x X5650 (v. old 12c Xeon)
- ECC-1333
- had: 6x 600GB 10k RPM SAS with a SHIT RAID controller

His existing pool of 8x 10K 600GB have 42K hours
To replace with NEW 600GB 10K will run out of space soon... and, costs = per TB as Evo 870 SSDs I found.

He just paid for an 8 HD RAID recovery -- which I did him a solid on.


Isn't BSD ( TrueNAS Core ) more secure than Windows Server...?
• Ransomware
• Viruses
• Malware, etc...



I want to REPLACE all his current Win Server uses via TN to avoid BUYING Win Server Standard (~$1000 + CALs).
Windows has SHIT for RAID when compared to ZFS / TrueNAS storage reliability / flexibility.
His spinning rust has 42k hours, & is being replaced @ less per TB per SSD than the 10k drives would be.
The question?? Could TrueNAS be slower at AD than the 870 Evo SSDs are better..? Negating their superiority??
Ideally, with an OS that's neither EOL or 3y from it ... and that doesn't cost money. Bc it's finite.

He MAY have Server 2008, because I believe it was this client that got ransomware 3-4w ago; EOL (aka, no updates)?

But if it takes his SysAdmin 15-h to figure out AD in TrueNAS..? I saved him nothing.
And then maybe his SysAdmin is less adept at administrating his server ..?

I want to REPLICATE all his Windows Server currently does for him with performance loss on TrueNAS ...
As TrueNAS has many advantages not present on Windows.

Me? 2 family members died recently (including my mom) so I have to move 2500mi away to help with family things.

And even after this is deployed, I don't want him abandoned with a solution no one administrates.

If TrueNAS Core can't replace all services Win Server provides this client, all is MOOT anyway.
If for any reason he still requires Windows Server, done. He just has to buy it.

Technically, Windows has ReFS..? Which I guess is supposedly 'self-healing' at the file level...


I've set up >5 FreeNAS / TrueNAS but I've NEVER set up Active Directory.

Their current SysAdmin is very proficient with Windows Server including AD.
He's just never set up FreeNAS or TrueNAS (so obviously has never set up AD on TN or FN).
But the AD instructions for TrueNAS looked pretty easy / straightforward.
And I'm assuming someone who understands the principles of AD can figure it out in another GUI pretty easily.

Questions I'd still appreciate help with:
- Once AD is set up in TrueNAS to the TN storage pool, there's no further need to purchase CALs I assume..?
- And obviously, once configured on TrueNAS, it obviates any need to buy Windows Server, also !?
- And then gets all the ROBUST DATA PROTECTION OF TRUENAS, right..?

AFAIK, the current HP Server's uses:

• AD (Active Directory)
• Limited if any Hyper-V use.
• Hosting Files / Folders (NAS)
(has possibly run Hyper-V's, but I've never been to their office)
ALL of which I believe TrueNAS Core not only does,
but may perform on equal hardware with some explicit advantages.
 

TrumanHW

Active Member
Sep 16, 2018
253
34
28
Took me a while to see the problem (miscommunication).

As you said, an AD is totally different than an LDAP.
New solution while I start realizing I'm dumb: Joining an AD is nothing like being a Domain Controller.
(Obviously no protocol is gonna sync to an existing Windows DC's AD (e.g., LDAP) & customers can't tell you what they use to tell you what they don't need.)

Maybe ESXi solves this (gotta check pricing):
- ESXi VM of Windows Server
- TrueNAS VM to create the zPool

- or -

Install / Boot TrueNAS from a Thumb Drive
- Install Windows Server on a Mirrored if possible
- Back up Windows to the main (6-7 HD) ZFS Pool (they'll be accessible via Hyper-V or Thumb Drive)
- The "tricks"
- getting the ZFS drives shared back to Windows Server without going through the network.
- getting this guy a windows server license that gets updates
 

BlueFox

Legendary Member Spam Hunter Extraordinaire
Oct 26, 2015
2,059
1,478
113
You should consider whether or not the individual tasked with supporting whichever solution you propose is capable of it. If they're not very strong with Linux/BSD then it's just a disaster waiting to happen when (not if) it breaks.
 

LodeRunner

Active Member
Apr 27, 2019
540
227
43
It comes down to budget and potentially how open they are to leasing/credit terms. Dell is usually a solid choice IF you have a well defined specification and budget. I'm having trouble finding a date, but I think the DL380 G7 went EoL in 2013, meaning it was probably released in 2008. That's old.

So the comparison will be what IX Systems has to offer vs. Dell vs. HP (eww, Dell support is way better these days). I am generally hesitant to recommend a build-your-own solution for actual business use; warranty support from individual component companies is a hassle and time sink compared to dealing with Dell or HP when you have on-site support.

You can join Windows systems to a domain hosted by Samba or whatever DC replacement TN offers. But again, if they're leveraging any of the advanced AD features like Group Policies, that's much harder to replace. AD is LDAP, but with a bunch of extras bolted on top.

Depending on the data set, it might be worth looking at Microsoft 365 pricing (Azure AD, OneDrive, Office 365, Intune). Then you stop worrying about licensing CALs and dealing with on-prem hardware. In that case you'd still want some sort of cloud backup solution. Veeam has options for this, I'm sure other providers do as well.
 

nabsltd

Active Member
Jan 26, 2022
337
207
43
> AD DNS forwards to DNS filtering which then forwards to a public DNS provider.
I found that this really slowed down my name resolution. I send everything to my pfSense, which forwards all requests for my local domain to AD, while everything else gets resolved/filtered by pfSense and add-ins.
 

LodeRunner

Active Member
Apr 27, 2019
540
227
43
> I found that this really slowed down my name resolution. I send everything to my pfSense, which forwards all requests for my local domain to AD, while everything else gets resolved/filtered by pfSense and add-ins.

Fair, but I'll take an occasional slow query vs. breaking AD if the forwarder screws up. This is admittedly rare. I've seen people make the mistake of having a DC attempt to resolve DNS from a non-AD DC. Since I'm also using forward and reverse dynamic DNS via AD integrated DHCP, it's just massively easier to centralize it all and then forward out the non-local requests. In my case, the forward is to a pair of PiHole VMs that then resolve using CloudFlare quad 1.
 

TrumanHW

Active Member
Sep 16, 2018
253
34
28
> I found that this really slowed down my name resolution. I send everything to my pfSense, which forwards all requests for my local domain to AD, while everything else gets resolved/filtered by pfSense and add-ins.

pfSense is a good contextual reminder where we left off yesterday, but, apparently it was another client that I helped him out with on Ransomware.

I was able to line him up with a friend of mine who charged him under a grand for what the hacker wanted $20k for. :)

That said, I think that means his Server license isn't expired yet ... (but pfSense is still something I intended to set up for myself to get acclimated)
 

nabsltd

Active Member
Jan 26, 2022
337
207
43
> Since I'm also using forward and reverse dynamic DNS via AD integrated DHCP

I do exactly the same thing.

> Fair, but I'll take an occasional slow query

When I said "really slowed down", I meant "could not resolve google.com without timing out". There were numerous times when I had to refresh the browser because it was sitting on the "not found" page. This happened 100% of the time the first query for any external domain once the TTL ran out and it fell out of the cache of the AD domain controller's DNS.

Changing the default DNS server from AD which did full recursive resolution and was authoritative for my local domain to using pfSense as the default fully recursive resolver with a forward rule for my local domain solved the issue.
 

LodeRunner

Active Member
Apr 27, 2019
540
227
43
> I do exactly the same thing.
>
> When I said "really slowed down", I meant "could not resolve google.com without timing out". There were numerous times when I had to refresh the browser because it was sitting on the "not found" page. This happened 100% of the time the first query for any external domain once the TTL ran out and it fell out of the cache of the AD domain controller's DNS.
>
> Changing the default DNS server from AD which did full recursive resolution and was authoritative for my local domain to using pfSense as the default fully recursive resolver with a forward rule for my local domain solved the issue.

That is not an issue I've encountered at home or in the corporate network(s) I manage (have managed). The people around here would complain instantly if that were happening. Haven't had that happen with a cold cache (manually cleared) either.

> That said, I think that means his Server license isn't expired yet ... (but pfSense is still something I intended to setup for myself to get acclimated)

Windows Server licenses don't expire. MS may end of sale/life/support a product, but it will in fact keep running. It just becomes more at risk as time goes by with no updates.

Again, depending on the amount of data and what applications are involved, I recommend looking at Microsoft 365 pricing and removing the need for on-prem equipment. The environment sounds small enough for that to be an easy transition.
 