# Create a FreeBSD SBS (Small Business Server)



## vat0qn (Sep 19, 2018)

Hello community!

I thank this forum for all the info I got from it.

For several months I have been thinking about migrating the whole Windows architecture to FreeBSD. Currently we have:

*ISP Modem / Router*
- Wireless

*Server Windows Server 2008R2 1*
- File Sharing (1,7TB DATA)
- Domain Controller (25 Users)
- VPN
- DHCP, DNS
- Sage Accounting (Windows app) + TSE (one user)
- Windows Backup on a hard disk.
- SQLExpress
- Print Server

*Windows Server 2008R2 EXCHANGE Server*
- Exchange 25 Users

I would like to replace everything with:

*Pfsense or OpnSense*
- VPN (OpenVPN)
- Squid
- Firewall
- Wireless Private / Public with Portal

*FreeBSD 11.2 (Hypervisor?) ZFS RAIDZ*
_jail1_
- Samba4 domain controller
- DHCP, DNS (maybe other jail for Bind?)
- Cups
- Radius

_jail2_
- Samba4 Share

_jail3_
- Amanda backup _( local and cloud )_
- Zabbix

_bhyve / or xen_ _(I would like to give a chance to bhyve if not Xen )_
- Windows 10 with Sage Accounting + RDP + SQLExpress

If Xen dom0 does not work with FreeBSD, I think I would use Debian or CentOS for dom0...

*FreeBSD 11.2 Mailserver* _or Office 365, I do not know for the moment... maybe Postfix and Dovecot with Roundcube..._

We plan to stop using Sage Accounting within 2 years and move to a SaaS version, so I think we don't really need Windows Server.

The main idea is to recreate the Windows SBS (Small Business Server) 2011 universe with the FreeBSD environment.

What do you think? A geek's project that is not to be taken seriously, or a project that can be used in production without problems?

Thanks for your help!
Regards,
A Frenchman who did not listen to his English teacher.


----------



## SirDice (Sep 19, 2018)

vat0qn said:


> If Xen dom0 does not work with FreeBSD, I think I would use Debian or CentOS for dom0...


Xen on FreeBSD is highly experimental. Definitely not safe for production systems.


----------



## vat0qn (Sep 19, 2018)

SirDice said:


> Xen on FreeBSD is highly experimental. Definitely not safe for production systems.


I plan to use ZFS. Do you think bhyve is safe for production?


----------



## SirDice (Sep 19, 2018)

bhyve(8) should work fine on a single machine. It works nice in combination with sysutils/vm-bhyve for example. But beware it doesn't have features like VMWare's vMotion, so you cannot "live migrate" a VM from one host to another. 

If you're looking for a nice alternative to VMWare vCenter/vSphere you may want to take a look at Citrix Hypervisor (previously known as XenServer).


----------



## abishai (Sep 19, 2018)

vat0qn said:


> _jail1_
> - Samba4 domain controller


It is a bad idea to run Samba in DC mode on ZFS in a jail.


----------



## iSiek (Sep 19, 2018)

Yes, this is a really interesting and challenging undertaking.
I have always wanted to run a small to medium company and replace as much Windows with FreeBSD as possible.
_To be clear, I am a Windows guy (an Active Directory engineer) and this OS is my daily job._

However, fingers crossed for your success, and now to the point... I am not very experienced with FreeBSD yet, so please correct me when I am wrong. Let's start a good discussion about this request...

I will start with the hypervisor. As we are speaking about production, I would strongly recommend using something stable with failover capability. I do not know much about `bhyve` yet, nor about Citrix XenServer/Hypervisor.
I would go with Windows Hyper-V Server; it is completely free and supports all these features. FreeBSD 11.2 works really well on it. However, although the documentation states that Hyper-V guest tools are natively in use, I could not set up, for example, dynamic memory. For me this is not a big deal, and I prefer running FreeBSD with static memory allocation.

*Active Directory Domain Controller*
Based on Samba it is really OK, but I strongly recommend running it on UFS. Fewer issues in PROD.
Additionally, to reduce administrative work, a good option is to use dynamic DNS (DLZ, dynamically loadable zones) for the Samba DC. To implement it this way, you need BIND on the same box as Samba, and it cannot be jailed!
Another limitation of BIND DLZ support with Samba is that the last supported version is/was BIND 9.11 (last checked about 3 weeks ago).
When you deploy the DC, please be aware of Microsoft best practices for Domain Controllers. Its AD database should be fully stored in memory to avoid flapping. So, in your case 8 GB of RAM would be enough and 16 GB more than enough.
I will also mention redundancy. To sleep well, you should have an additional Domain Controller. This setup is also supported, but for SYSVOL replication you need to implement a cron task with rsync to synchronize SYSVOL across the other DCs.

You need to be aware that, at this point in time, a Samba DC supports the Windows Server 2008R2 Forest Functional Level and Exchange 2010.

*File Server/File Sharing*
Samba is also a good option here for data sharing. I do not know (I have to admit I haven't checked it yet) if DFS Namespaces (DFS-N) are supported with Samba, but the configuration is stored within the AD database, so it might be possible. Need to figure this out.
Another option for file sharing might be *Nextcloud*. It is a good replacement for Microsoft OneDrive, and with additional plugins (from version 14) it can even support file versioning or video conferencing (a good replacement for Lync / Skype for Business).

*Print Server*
Not much experience here, but I think *CUPS* will be a good option.

*DHCP Server*
ISC DHCP is a good option. I have no issues running dynamic addressing with it, and it is not very difficult to configure.

*SQL Databases*
Here you have a lot of possibilities: MySQL, MariaDB or PostgreSQL. But to be honest, I do not know if all applications (especially those from the MS world) would support them as well as the native MS version.

*Exchange Server*
Not much experience with messaging on my side, but in my labs I am using iRedMail (the free version, of course); for your company you can consider the paid one with support and more features. It is simple to configure, as there is a dedicated installer script.
iRedMail covers: Postfix + Dovecot + SpamAssassin + the Roundcube mail interface.
You can give it a try.

For the other requirements I cannot give you a hint, because I do not know those yet.

Just one more thing: I would strongly suggest having at least one Windows Pro client with the Remote Server Administration Tools (RSAT) installed for easier AD management. There are plenty of management consoles. Without them it is much more difficult, or even impossible, to manage AD from the shell, for example Group Policy Object (GPO) management.

I hope I could shed some light from my side, and that you will successfully replace SBS in your company!

Regards,
Krzysztof
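The "cron task with rsync" for SYSVOL mentioned above, as an added example that is not the poster's code: it pushes SYSVOL from the DC you treat as the source of truth to the other Samba DCs and then has each receiver recompute its NT ACLs from AD. Constructed assumptions: SYSVOL lives under /var/db/samba4/sysvol, the peer hostnames are placeholders, the peers accept ssh from this host with a key allowed to run rsync and samba-tool, and DRY_RUN=1 only prints the commands.

```shell
#!/bin/sh
# Added example, not from the thread: SYSVOL push from the source-of-truth DC
# to the other Samba DCs, followed by an ACL reset on each receiver.
# Constructed assumptions: SYSVOL under /var/db/samba4/sysvol, placeholder
# peer hostnames, ssh key auth that may run rsync and samba-tool on the peers.
set -eu

SYSVOL="${SYSVOL:-/var/db/samba4/sysvol}"
PEERS="${PEERS:-dc2.example.lan dc3.example.lan}"   # constructed hostnames
DRY_RUN="${DRY_RUN:-0}"

# rsync command for one peer: -a keeps owner/mode/mtime, -A and -X carry the
# POSIX ACLs and xattrs Samba stores NT ACLs in, --delete removes GPO
# directories that were deleted on the source, and the trailing slashes copy
# the directory contents instead of nesting a second "sysvol".
sysvol_rsync_cmd() {
    printf 'rsync -aAX --delete %s/ %s:%s/\n' "$SYSVOL" "$1" "$SYSVOL"
}

# After the copy, the peer recomputes the SYSVOL ACLs from the GPO objects in
# AD, so the result does not depend on matching local ID mappings.
sysvol_reset_cmd() {
    printf 'ssh %s samba-tool ntacl sysvolreset\n' "$1"
}

# Execute one command line, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'DRY-RUN: %s\n' "$1"
    else
        sh -c "$1"
    fi
}

# One cron run: copy, then reset ACLs, for every peer in turn.
sync_all() {
    for peer in $PEERS; do
        run "$(sysvol_rsync_cmd "$peer")"
        run "$(sysvol_reset_cmd "$peer")"
    done
}

# Only act when invoked with --run (e.g. from crontab); harmless when sourced.
if [ "${1:-}" = "--run" ]; then
    sync_all
fi
```

On the peers, restrict the key this job uses (a `from=` option in authorized_keys) because it carries write access to every GPO in the domain.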


----------



## jbo (Sep 19, 2018)

SirDice said:


> If you're looking for a nice alternative to VMWare vCenter/vSphere you may want to take a look at Citrix Hypervisor (previously known as XenServer).


If I may add another alternative: have a look at Proxmox. I've just moved a multi-node setup from vSphere to Proxmox. There are of course a couple of drawbacks, but if you don't need most of the advanced, fancy features offered by vSphere you might be just right with Proxmox. I am currently running about 20 FreeBSD guests on a small cluster.


----------



## diizzy (Sep 19, 2018)

I would honestly not recommend running this on one machine, as everything will die if the machine goes down, which most likely isn't desirable.

I would at least split router/firewall and storage onto two physically separate boxes. Keep in mind that the firewall doesn't need to be all that beefy unless you want to run Suricata or similar, which needs quite a bit of memory and some horsepower. Unless you need IPv6 functionality you can probably settle for OpenBSD's dhcpd (https://www.freshports.org/net/dhcpd/), which uses the same syntax and is a lot smaller.

I did briefly look into using Samba AD and ran into issues during provisioning, as ZFS doesn't support extended attributes (UFS works fine).

As far as mail goes, I would highly suggest that you outsource it and use Office 365 (Exchange Online); it'll save you a lot of headaches and works really well in general.

If you decide to go this route, please document all the steps, as it would be very nice and valuable to have a tutorial available, especially for a Samba AD DC.


----------



## Purkuapas (Sep 20, 2018)

SirDice said:


> Xen on FreeBSD is highly experimental. Definitely not safe for production systems.


I think the same can be said about bhyve. For example, I am now switching from bhyve to Xen, because it is impossible to start virtual machines in legacy mode (not UEFI). In addition, the bhyve UEFI firmware does not support UEFI NVRAM. So even this aspect does not inspire confidence in the use of bhyve, if we are talking about production and not about a virtual machine "only for games" on localhost. In addition, it should be noted that Xen support in FreeBSD is done by people from *Citrix*. I recently had problems using the new Xen 4.11, and my problem was fixed fairly quickly.


SirDice said:


> bhyve(8) should work fine on a single machine. It works nice in combination with sysutils/vm-bhyve for example. But beware it doesn't have features like VMWare's vMotion, so you cannot "live migrate" a VM from one host to another.



Perhaps it will be a surprise for you.


----------



## diizzy (Sep 20, 2018)

I've used bhyve quite extensively on FreeBSD 11 and I can honestly say that it works great for my usage (running a few build boxes on Linux), but it doesn't cover all scenarios.


----------



## Purkuapas (Sep 20, 2018)

diizzy said:


> I've used bhyve quite extensively on FreeBSD 11 and I can honestly say that it works great for my usage (running a few build boxes on Linux), but it doesn't cover all scenarios.



That's why I think that the phrase "*XXX* technology in FreeBSD is very experimental" is not entirely correct. It all depends on your needs and your business.

For example, if someone says that *XEN* is very experimental and better to use *bhyve*, then I can argue about the current possibilities of bhyve in production:

- there is no legacy MBR boot;
- UEFI does not support NVRAM (some Linux systems cannot be started after an automatic-mode installation);
- there is no nested VT-x (you cannot start a virtual machine inside a bhyve guest);
- there is no support for the SPICE protocol;
- bhyve cannot act as a virtio backend; there is no memory compression or deduplication;
- USB support is missing (including USB passthrough);
- there is no sound support (there are patches in Phabricator);
- there is no device passthrough (except for PCI devices with MSI-X support);
- there is no live migration (available in a third-party branch);
- there is no CPUID modification support;
- there is no support for QCOW (1, 2), VMDK or any other format, only RAW;
- no OVF support;
- the vCPU count is still limited to 16 (fine for workstations with bhyve, but bad in large installations, where standard servers have 32 cores and more);
- ...

...I can continue. But even with this list it's hard for me to say that *Xen* is not the best and stable choice for production and that bhyve is the best.
All these features work in Xen, and work well. Xen is developed and officially supported in FreeBSD by the vendor, unlike bhyve, which lost a single developer in the person of Peter Grehan (as far as I know, he moved away from FreeBSD bhyve work).

It's very difficult for me to name technologies in FreeBSD that are not "very experimental". For example *VIMAGE* has been in this state for 15 years (the first VIMAGE implementation was available for FreeBSD 4), and it is still not very stable. Just take it and test it for your tasks; maybe it's suitable for you.


----------



## fishfox (Sep 28, 2018)

With all due respect this is a terrible idea.

Replacing a single integrated solution with a host of free software utilities just for the sake of it isn't good practice. At worst you can be working against the company's interest.

Microsoft Active Directory (with Group Policy, etc.) is the BEST part of the Windows ecosystem and there just isn't a reasonable free equivalent at this point in time.

Windows isn't still around because it does everything poorly -- directory services and workstation management just so happen to be areas that Windows justly dominates.

Trying to cram FreeBSD into a place where it doesn't belong just makes all free software (and frankly free software zealots) look bad.


----------



## kpedersen (Sep 28, 2018)

If you have the freedom to experiment, it is worth seeing if it is possible. Mostly to stay light, agile and not rely on a single vendor (especially not ones like Microsoft).

But yes, if you cannot make an acceptable solution with open source, it is best *not* to shoehorn it upon users. It could break their "workflow", which is the important part of the company.
Just wait it out until the missing piece comes and then try again. It will happen one day. It is only a matter of time...

Why so much talk about Bhyve though? If you need it to virtualize Windows, just run Windows (or virtualize Windows on Windows Hyper-V). If you don't need Windows, you probably don't need Bhyve and Jails might be more than adequate and have less overhead and run faster.

I see Bhyve as a development tool at the moment rather than something I would want in production.


----------



## 2fun0 (Nov 7, 2018)

My approach would always be to serve the back-end services with FreeBSD and the front-end ones with Windows, since I agree with fishfox. My configuration would be:

*Router*
- keep your ISP modem/router

*Firewall (OPNsense)*
- VPN
- DHCP, DNS 

*Virtual host (VMware ESXi)*

*(Virtualized) Windows Server 2008R2 (Physical to virtual migration)*
- File Sharing (1,7TB DATA)
- Domain Controller (25 Users)
- Sage Accounting (Windows app) + TSE (one user)
- Windows Backup on a hard disk. (not needed anymore, since you can back up your VMs on ESXi)
- SQLExpress (you can migrate this to a dedicated FreeBSD VM with MySQL/MariaDB if compatible with your apps)
- Print Server

*Migrate Windows Server 2008R2 EXCHANGE Server -> Office 365*


----------



## ShelLuser (Nov 7, 2018)

For the record: I didn't really keep up with the Windows developments (other than checking up on Windows 10 because I'll also be moving towards that platform eventually). So I don't really have a good understanding of what a Small Business Server is supposed to be. Well... I can definitely come up with a good idea, but that doesn't always match that of Microsoft 



vat0qn said:


> For several months, I think about the idea of migrating the whole Windows architecture under FreeBSD, currently we have:
> 
> *Server Windows Server 2008R2 1*
> - File Sharing (1,7TB DATA)
> ...


A late response, but I felt like venting a little bit. This should definitely be doable. Samba is quite capable of acting as a domain controller, though I have no hands-on experience with that myself (this is from hearsay). I guess it all boils down to what your users expect of the environment. If you can provide the same experience for them, then I think there should be no problem at all.

My (small) company did this before; when news got out that Microsoft was planning to whack TechNet subscriptions we were already looking at a replacement (upgrade) for our Win2k3 environments and the idea was to check out Win2k8. However, due to TechNet collapsing there wasn't enough budget to get what we really needed: 2 servers + 1 backup / testing environment. The latter was handled by a TechNet license. And 3 licenses simply didn't fit the budget.

So we made a very clear inventory and a plan of action and then replaced the whole kaboodle with 4 physical FreeBSD servers. Basically moving away from IIS + MS SQL backend to Apache + Mono with a PostgreSQL backend. Sendmail + LDAP handles our Exchange (clients had to move to Thunderbird which at that time also provided a calendaring service), Samba provided the regular Windows network access (no domains) and that was roughly it. Never looked back to be honest.

Visual Studio 2012 had no issues publishing onto our BSD servers, so development pretty much continues as normal.

Anyway, things changed over time though even now I still heavily favor ASP.NET (with help from mod-mono). But because it still is FreeBSD which provides tons of extras we now also have a Tomcat + TomEE backend running and are even using small bits of Java again.

Keep one thing in mind though... There is a good chance that what you save in licensing costs will still be paid through man-hours that have to be spent on setting it all up and (if needed) converting parts of the existing infrastructure. FreeBSD is free as in beer, but your man-hours should also be accounted for as a form of cost.

Still, looking back, it can be seriously worth it. Because the worst upgrade we'd have to face now would be a hardware replacement but we don't have to worry about another round of licensing renewals.


----------



## scottro (Nov 8, 2018)

As far as calendaring goes, doesn't Lightning fit the bill? I see there's still an "enable calendar" option in the Makefile.


----------



## zader (Feb 24, 2020)

It's funny..

I was asking myself this same question a while back.. and my solution was..

All my production workstations are FreeBSD on metal with ZFS and all the goodness of configuration, networking and access control.. those BSD machines all exist on a 192.168.1.0/24 network.. and have dual network cards with up to 4 drives configured with various zpools.

Each workstation runs bhyve with W10 and hardware passthrough for stuff like USB and the 2nd LAN card.. each machine has its own Windows VM on a 192.168.2.0/24 network with its own zvol.

Then I went through the pain of figuring out how to get each machine to boot directly into Windows...

Why?

Simple.. I can administer all of the machines on the 1.0/24 network, including deployments, web filtering, logging and filtering.. as well as zfs send/receive... DR of a workstation is as simple as rolling back a daily snapshot.. deploying new machines can be done via replication.. then the normal Windows setup.

You could do the same thing on your Windows servers (like Exchange) and gain all of the pros with no cons.. other than you still have to pay MS..

From the Windows perspective on the 2.0/24 network.. the users have no idea they are running a VM on top of FreeBSD.. with the exception that Windows seems to boot up differently. As far as they are concerned, everything they know and understand happens on the 2.0/24 network..

DR, replication, deployment and monitoring is amazing.. you also have the option of adding proxies between networks.. i.e. web filtering with Squid, or monitoring with Bro.. or advanced logging of traffic far beyond Windows.

Now do I think you should do the same? .. probably not.. is it easy? HECK NO!.. does it work... HECK YES! .. and is it awesome?? 100% YES! Prod ready? Ha! On my tiny network with my understanding? YUP.. is it ready for mainstream.. Heck NO! It's a VERY radical approach..

Then just make your file server on FreeBSD with ZFS, cron task all of the workstations and servers to zfs send daily.. I went 1 step further and also created a simple script to allow users to roll back their workstations by 15 mins.. that way they don't call me when they break stuff.. sky's the limit..

Anyways.. MS has basically said W10 will be the last release of Windows.. considering the 1709 update with the Linux subsystem. Is MS heading in this direction? I think so... will it be underlying Unix with Windows? Probably not... will it be Windows hosting Unix.. probably..

Will it work?? Here is my guess...

MS-DOS --> awesome
Windows 95 --> terrible
Windows 98 --> awesome
Windows ME --> terrible
Windows 2000/XP --> awesome
Windows Vista --> terrible
Windows 7 --> awesome
Windows 8 --> terrible
Windows 10 --> awesome
Windows ? --> guess what's next!
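The nightly zfs send/receive of the workstation zvols and the "roll back 15 minutes" helper described above, as an added example that is not the poster's script. Constructed assumptions: each VM disk is a zvol under tank/vm/<host>, the file server is reachable as backup.lan over ssh and holds replicas under backup/vm/<host>, the 15-minute snapshots are named q-<epoch>, and DRY_RUN=1 prints the zfs commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread: nightly zfs snapshot + send/receive of
# bhyve workstation zvols to the file server, plus the helper that picks the
# snapshot to roll back to. Constructed assumptions: zvols under tank/vm/<host>,
# replicas under backup/vm/<host> on backup.lan, 15-minute snapshots named
# q-<epoch>.
set -eu
DRY_RUN="${DRY_RUN:-0}"
BACKUP_HOST="${BACKUP_HOST:-backup.lan}"

# Execute one command line, or only print it when DRY_RUN=1.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$1"; else sh -c "$1"; fi; }

# Snapshot a dataset under a label (daily-<date> nightly, q-<epoch> every 15 min).
snap_cmd() { printf 'zfs snapshot %s@%s\n' "$1" "$2"; }

# Full send when no common snapshot exists yet, incremental (-i) otherwise.
# -F on the receiving side discards anything written to the replica since the
# last received snapshot so the stream applies; the replica is never used directly.
send_cmd() {
    ds="$1"; prev="$2"; new="$3"; dst="$4"
    if [ -z "$prev" ]; then
        printf 'zfs send %s@%s | ssh %s zfs receive -F %s\n' "$ds" "$new" "$BACKUP_HOST" "$dst"
    else
        printf 'zfs send -i @%s %s@%s | ssh %s zfs receive -F %s\n' "$prev" "$ds" "$new" "$BACKUP_HOST" "$dst"
    fi
}

# Nightly job for one workstation: snapshot the zvol, then ship it to the file server.
replicate() {
    host="$1"; prev="$2"; today="$3"
    run "$(snap_cmd "tank/vm/$host" "daily-$today")"
    run "$(send_cmd "tank/vm/$host" "$prev" "daily-$today" "backup/vm/$host")"
}

# Among q-<epoch> labels given oldest to newest, return the newest one taken
# at least 15 minutes (900 s) before "now"; empty when none qualifies.
pick_rollback_target() {
    now="$1"; shift
    best=""
    for label in "$@"; do
        epoch="${label#q-}"
        if [ "$epoch" -le $((now - 900)) ]; then best="$label"; fi
    done
    printf '%s\n' "$best"
}

# Roll the workstation disk back. Stop the VM first; -r also destroys the
# snapshots newer than the target, so they are gone from the send chain too.
rollback_cmd() { printf 'zfs rollback -r %s@%s\n' "$1" "$2"; }
```

Because `zfs receive -F` will happily roll the replica back, keep the file server's replica datasets read-only for everyone but the replication account.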


----------

