
Thread: Moving from SBS 2003 / Active Directory Domain Environment

  1. #1
    Join Date
    Aug 2007
    Location
    London, UK
    Posts
    297
    Rep Power
    8

    Question Moving from SBS 2003 / Active Directory Domain Environment

    Hi everyone

    For about 5-6 years now we've been running Exchange.
    More recently SBS 2003, but our server hardware is already down on its knees and will need to be replaced by the middle of next year.

    Apparently this means that we'll have to buy a whole new license for SBS 2003 (or the new windows server if/when it arrives), and 3 new packs of 5 CALs!

    That's according to the local contractors we have that run our Exchange server, so please correct me if I'm wrong on this! I just think that whole concept is wrong. Paying for software, fine. But not software that times out or is tied to the life of your hardware.

    Anyway, I've been tracking Zimbra's progress over 18 months now and it looks like every release gets better and better.
    We're a small business of 10 employees in our Kent, UK office.
    And 4 remote employees working from 2 different locations in the US.

    The RPC over HTTPS feature for Outlook 2003 / Exchange 2003 is great. But the reasons we want to move away are:

    1) We have 5 mac users, who have to suffer Thunderbird/IMAP whilst the rest of us use Outlook (if Microsoft just released Outlook 2003 for OSX!)
    2) Open source, community support, and paid-for Zimbra support is the way forward
    3) So we stop having to pay our local contractors £150 per month because we don't understand Exchange

    I was concerned about the Yahoo buy-out... but I'm hoping it means greater funding/stability for the project, and a business-as-usual approach to Zimbra. I'd be a bit annoyed if we migrated and Zimbra was suddenly re-branded as Yahoo Business Server or something equally as cringeworthy!

    The only pre-migration question that I still don't have an answer to is what we do about AD/Domain controller.
    With only 5 of us ever authing with the domain, and the other 5 being on Macs, we're not really using the power of domain controller/active directory to the full.

    But I was wondering what you guys recommend we do...
    Just go over to a traditional 'workgroup' style network?

    And totally ditch the domain controller... at the moment I really don't see what benefit it gives us. Only 5 win XP Pro users, and 5 on OS X!

    Or are there other network auth products/user management systems out there?
    Be good if there was a cross-platform open-source alternative to Microsoft's active directory/domain controller system! Maybe there is but I don't know about it.

    Be interesting to hear your comments/suggestions.

    Thanks
    Ben

  2. #2
    Join Date
    Oct 2005
    Posts
    46
    Rep Power
    10

    Default

    If you have OEM licensing (like if you bought the server from Dell with SBS installed) it's unlikely you will be able to install SBS on another server with the same license. If you bought a retail SBS pack you should be able to reinstall and use the same license keys.

    Sounds like you have about 15 users total and 5 Mac users. Assuming that the 9-10 remaining users are on a PC platform you are much better off sticking with active directory. You CAN get away with just configuring a workgroup, however you will lose the ability to centrally manage permissions and user accounts for the 10 windows PCs. In my opinion, it's not worth the hassle to be in a workgroup.

    (The following is a little advanced) You could also buy a server with VMware ESX and virtualize the old SBS server to get it off your old hardware, and create a second virtual machine for Zimbra. Then, configure Zimbra to authenticate user accounts through SBS's AD. You will retain the manageability of AD for Windows PCs, enjoy using Zimbra, and retire the old server.

    You could also just buy a second server to host Zimbra only and still authenticate against SBS's AD, assuming that the "old" hardware is sustainable if it's not used for e-mail.

    Zimbra uses SSL (SSL is an option) for the Outlook Connector so it's even easier to maintain than RPC over HTTPS. You will get the same secure connectivity with Zimbra.

    Regarding ditching your contractor - unless you are technical on networks and can support yourself I don't recommend that you consider that in the equation. Although in many ways Zimbra is easier to manage than Exchange, it is more likely that you will need someone to call for support. However, your contractor may not be familiar with Zimbra. Depending on the company, they may want to help you install it, or not. If not, then you should take a look at some of the Zimbra partners to see if there is one near you that can be of assistance in case you need it.
    Sincerely,

    Alex

  3. #3
    Join Date
    Aug 2007
    Location
    London, UK
    Posts
    297
    Rep Power
    8

    Default

    Hi Alex
    Sorry for my late reply - I was away over the holidays and have only just got caught up!

    Our local contractor actually built the server, and bought the SBS 2003 pack and 3 extra packs of 5 CALs. They came in a box saying 'Microsoft System Builder Pack', so is that OEM?

    We have:
    5 Mac users - OS X 10.3-10.4
    4 desktop PCs permanently authenticating with the domain
    3 laptops that are authed during the day, then used remotely in evenings
    2 laptops used remotely all the time that never auth - they're based in the US

    So at the moment that's only 7 users that ever properly auth with the domain controller. The rest are basically just set up as mail accounts.

    So you recommend it's worth sticking with AD.
    We could probably continue to run AD and DNS server tasks on that hardware for a long time, once mail is onto different hardware.
    So that's an option.

    In terms of central permission management:
    We have a shared files NAS system that is set for all users to access (I'll be moving this from a Lacie XP Embedded box, to a Linux with Samba box this year)
    And 4 shared printers that everyone can access.

    All we ever use the Active Directory Users & Computers for is adding/removing mail accounts/changing mail passwords and mail distribution lists.

    The reason I was thinking of moving over to a simple Workgroup based system was because I don't think we're using AD to anything like its full potential.
    I don't really know what Active Directory does for us other than manage our SBS mail accounts and I'm guessing it acts as a local DNS server as well.

    Could you explain what you mean when you say...
    Quote (originally posted by alexz):
    "configure Zimbra to authenticate user accounts through SBS's AD"
    You can use Zimbra for mail management and have SBS AD manage all the usernames/passwords?
    Does that mean that if you delete a mail account from Zimbra, their AD account gets deleted as well? Or would you have to delete it on both servers?

    What would be really cool is if we could have a Zimbra box providing account management for our FTP server (will be ProFTPd once I've configured our new NAS) and Samba.
    Is that possible?

    Ditching the contractor:
    This would only be an option if we completely moved away from SBS domain-based network. They've never heard of Zimbra.
    We were thinking of going for the Network Professional Edition which includes telephone/web support.
    I was thinking we could just get used to Zimbra by it breaking/fixing it ourselves.

    The reason for going for the Professional Edition is the Outlook/MAPI Sync, Zimbra Mobile, Rich J2ME Client features from this page:
    http://www.zimbra.com/products/product_editions.html

    Any further comments/suggestions?

    Thanks
    Ben

  4. #4
    Join Date
    Oct 2005
    Posts
    46
    Rep Power
    10

    Default

    Ben,

    The centralized account management also ties into centralized directory permissions. If you are moving file sharing to a NAS device then you can use the NAS device's user permissions, but you would be creating another set of users.

    My point with keeping AD is about keeping user accounts in one place and that is very easy with AD. If you get the NAS device, most of these integrate with AD, so you create one user account in AD, and then that same user account (or group) can be used to manage NAS permissions and also mapped to a Zimbra account. So all the users need to remember one user name and one password, and when you make a change to the password, you don't have to change passwords on multiple systems.

    Again, with 7 users you don't "NEED" AD. However, you already own the Microsoft software so why not just use it and make your life easier? That's my thinking.

    Regarding the quoted question - Let's say you have a new employee. You create an account called John Smith in Zimbra. John also has an account in AD. In Zimbra you can specify that users are authenticated by Active Directory, not Zimbra's internal auth system. Again, the benefit is that you're just creating an e-mail box, but all the authentication logic is in AD.

    I remember there was some talk of auto-provisioning AD accounts when a Zimbra account is created - if a Zimbra employee could comment that would be helpful. To my knowledge it is not possible today. But with 7 users I don't see that being an issue.

    Also, you could consider Zimbra hosting with one of the Zimbra hosting partners. My company is a Zimbra partner as well - we set up servers with Zimbra and ship them to customers for implementation. We don't do hosting, but there are a few companies that are listed on the partner site that specialize in hosting. It would reduce your management overhead substantially.

    Regarding the system builder version of SBS - I'm pretty sure you can just install that on another server. It's not tied to the hardware like it would be if you were purchasing a Dell server with an MS SBS license. I do believe there is some sort of process for transferring the licenses off your current SBS box to the new SBS box. I suggest contacting Microsoft (I found this page: http://support.microsoft.com/oas/def...08&gprid=2807&).

    Hope this helps.
    Sincerely,

    Alex
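
    With AD handling authentication and Zimbra holding the mailboxes, as the post above describes, accounts are created and removed in two places. The following is an added example, not part of the original thread, that reconciles the two lists to flag mailboxes whose AD account is missing or disabled. The sample data is constructed, and it assumes the mailbox local part equals the AD sAMAccountName.

```python
# Added example: reconcile AD accounts with Zimbra mailboxes (constructed data).
ACCOUNTDISABLE = 0x0002  # userAccountControl flag set on disabled AD accounts

# Constructed sample: LDIF-style export of AD users.
AD_EXPORT = """\
dn: CN=John Smith,CN=Users,DC=example,DC=local
sAMAccountName: jsmith
userAccountControl: 512

dn: CN=Old Temp,CN=Users,DC=example,DC=local
sAMAccountName: otemp
userAccountControl: 514

dn: CN=New Hire,CN=Users,DC=example,DC=local
sAMAccountName: nhire
userAccountControl: 512
"""

# Constructed sample: one Zimbra mailbox address per line.
ZIMBRA_ACCOUNTS = """\
jsmith@example.com
otemp@example.com
Leaver@example.com
"""

def parse_ad_users(ldif):
    """Return {lowercased sAMAccountName: enabled?} from LDIF-style text."""
    users = {}
    for entry in ldif.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in entry.splitlines() if ": " in line)
        name = attrs.get("sAMAccountName")
        if name:
            uac = int(attrs.get("userAccountControl", "0"))
            users[name.lower()] = not (uac & ACCOUNTDISABLE)
    return users

def reconcile(ldif, mailboxes):
    """Compare mailbox local parts with AD logon names (assumed equal, case-insensitive)."""
    ad = parse_ad_users(ldif)
    boxes = {m.split("@", 1)[0].lower() for m in mailboxes.split() if "@" in m}
    return {
        "mailbox_without_ad_account": sorted(boxes - set(ad)),
        "mailbox_with_disabled_ad_account": sorted(b for b in boxes if ad.get(b) is False),
        "ad_account_without_mailbox": sorted(set(ad) - boxes),
    }

if __name__ == "__main__":
    for finding, names in reconcile(AD_EXPORT, ZIMBRA_ACCOUNTS).items():
        print(f"{finding}: {', '.join(names) or '-'}")
```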

  5. #5
    Join Date
    Aug 2007
    Location
    London, UK
    Posts
    297
    Rep Power
    8

    Cool

    Hi alexz

    At the moment we do have a NAS device, it's an XP embedded unit from Lacie and we disabled user accounts and permissions... so that all our internal users can access all the files/folders on the NAS.
    Which is what we wanted.

    I will be replacing this with a new RAID array unit that we'll build/configure ourselves and it'll run Samba.

    So I can use AD to control the accounts, and Zimbra to manage the mailboxes. I did not know you could auth other systems with MS Active Directory / domain authentication. I thought that side of MS server was locked.
    That sounds like a possible plan though.

    However I'm still quite keen on moving our servers completely over to Linux.

    My final question on this...
    If I have Zimbra controlling authentication, rather than AD... is it possible to set Samba, a Linux FTP server (proFTPD possibly) and Apache HTTP Authentication?
    Does it just use standard LDAP? I don't know much about that.

    Thanks
    Ben

  6. #6
    Join Date
    Oct 2005
    Posts
    46
    Rep Power
    10

    Default

    Ben,

    Not sure about how you would configure Samba, FTP, and Apache to authenticate against Zimbra's LDAP server. I'm sure there are a few Linux aces on this board who could comment on this. Perhaps you can ask the question in a separate posting. Otherwise, the right people may not find it.

    So if you're getting rid of the XP embedded NAS and moving to Samba then you won't need the AD integration.

    However, you should consider the consequences of having to administer Samba. I'm not sure about your technical skills but Samba could be rather advanced to maintain.

    Since you're such a small company I advise you to consider simplifying all this by purchasing a NAS with an operating system already there - doesn't have to be Windows. Most of the major brands support Microsoft AD integration. So you would continue using AD for your accounts - and Zimbra and the NAS device auth against AD. I guarantee that will make your life A LOT easier, especially if you don't have advanced Linux skills (or the time to learn them).

    My 2 cents..I'm sure if you ask 10 people here you'll get 10 different answers. But this forum has a lot of talented people so post these Zimbra/Linux questions and see what you get. Good luck!

    Sincerely,
    Alex

  7. #7
    Join Date
    Jan 2008
    Posts
    21
    Rep Power
    7

    Default

    I think the VMware solution wouldn't be a bad idea. Get a new server, throw VMware Server (free) on it and then convert your existing SBS 2003 server to a VM. You could use Ubuntu as the VM host and run two VMs: SBS and Zimbra.

    Another option, since you're setting up a new NAS with Samba, would be to use Samba for your authentication. Here is a pretty good how-to that should get you started:

    OpenSourceHowTo.org - HOWTo replace AD+Exchange with Samba+Zimbra

    I am all for ditching Windows when you can. With a small group of users, you seem to be the ideal candidate for going windows-free.

  8. #8
    Join Date
    Aug 2007
    Location
    London, UK
    Posts
    297
    Rep Power
    8

    Cool

    That sounds perfect!
    I really wanted there to be a good way which involves ditching Windows server software completely.

    That's definitely something I'll look into.
    Just need to know how this M$ and Yahoo thing shakes out over the next few months first!

    Thanks for the info
    Ben
