swarm32: (Default)
I had parts to upgrade my old FreeNAS system from a Core-2 based Xeon on the Intel S5000PSL board to what I was planning on using as a Proxmox + VFIO box using a Tyan S7012 board based system. However, that plan stalled hard when I found out that the Tyan S7012 board does not have proper IOMMU management in the BIOS.

After letting it sit through a busy 2021, and a Reddit post about the LinkReal LRST9608, I decided to just install TrueNAS on the S7012 and see how awkward BHYVE really is. After waiting less time than expected to get the LinkReal card off NewEgg, I ran into another surprise with the S7012 board. As the LinkReal card would just barely squeak by the SGI/Rackable IO panel covering up the external access to the lowest slot on the board, I tried to install it there as the boot device with 2x 250GB SATA M.2 and 2x 2TB 3.5" SATA HDDs attached. But the boot ROM wouldn't load. After filing a support ticket with LinkReal and doing another weekend's worth of tinkering, it turns out you have to enable boot support for the optional on-board LSI SAS controller of the S7012 for it to allow boot ROMs in PCIe slot 1 to actually load. Once I figured that out, I used Ventoy to set up a boot drive for the TrueNAS installer and installed the OS to the SSD pair.

Into the old S7012 SGI/Rackable based beast, I also installed a SolarFlare 10G SFP+ card, an LSI external HBA and a 4GBps Fibre Channel controller. Off the LSI HBA is an SGI/Rackable DAS that the previous owner had upgraded to a 6Gbps SAS expander. Migrating the disks from the old Core-2 Xeon based Rackable running FreeNAS led to a minor scare when, the first time I tried importing the 8-drive ZFS array, it would only auto-detect half the disks as being part of it. However, after re-importing and re-exporting them from the old machine, everything worked as expected the second time. The smaller array of 4x 2TB Hitachis I've had forever now exported and imported without incident.

The FreeNAS box was originally set up to be an AD Domain Controller as well, and due to a combination of the feature being demoted, TLD rules getting changed and liking the additional granularity that AD-based permissions gave me, I decided to build a new domain to go with the new host.

First, on my HP 5406zl Advanced Services Module Proxmox host I set up a Debian Bullseye VM to be my first AD controller following the gist of the server-world.info Debian Buster tutorial.

Next, I set up a Windows 7 VM on the TrueNAS host in BHYVE to act as an RSAT client. That was a bit of a challenge in a couple of regards. Firstly, the Windows 7 installer would only complete if I installed using UEFI, virtio storage and virtio networking. In order to do this, I had to add both the Windows 7 installer and the virtio drivers ISO to the VM during setup. The second issue was that the mouse never wanted to work in the noVNC session, but some keyboard gymnastics later I was able to get RDP enabled and start working on the rest of the setup. The third issue was that Microsoft had pulled the Windows 7 RSAT tools off their website. Fortunately, there were people that had mirrored them and I was able to get them installed as well. Finally, I joined the VM to my shiny new domain and made sure everything worked (user and OU creation, etc.).

However, Active Directory is something you don't want running on only one host on your network if at all possible. So, I set about adding a second SAMBA-4 domain controller. This is a bit tricky as the SAMBA team hasn't had the time/resources to get DFS style replication working for everything yet. So I set about getting another Debian Bullseye VM working, this time on BHYVE. However, the installer launched into unusable display corruption on the noVNC session. The workaround I ended up using was to install Debian using a serial console only, then complete the basic provisioning via ssh.

Then, the first time I tried to add the second domain controller, the basic synchronization wouldn't run correctly between the two DCs. Well... bollocks. Fortunately, I had made a snapshot of all three VMs (first DC, Windows 7 RSAT, second DC) before I had tried promoting/joining them to the domain. I rolled everything back, tried again and this time everything worked. After that, I went through the process of getting Unison-based Sysvol replication working and it was off to the races.

Finally, I joined the TrueNAS host to the new, replicating domain. I created a service user in RSAT, went through the TrueNAS wizard and a few moments later life was good. It took some time to purge and re-set up the ACLs on the TrueNAS box from the old domain, but it was certainly less painful than some of the Windows-to-Windows migrations I've done in the past.

Now I just have to finish sorting through files, tweaking the share permissions and setting things up to communicate with it again. But at least the big hardware hurdle of the project has been crossed off the list.

Page generated Jul. 19th, 2025 10:48 pm