
Re: Windows Server to Debian migration

On Fri, Sep 02, 2005 at 08:33:48PM -0400, Joseph H. Fry wrote:
> I am the network administrator for one school of my university and I am
> considering migrating our Windows 2000 Server to Debian due to some
> stability issues and of course the financial factors.

> We only have one windows server in the network and it is providing nearly
> every service offered on our network.  It is configured with Active
> Directory and DNS, serves student web pages, provides ftp access, acts as a
> file server, authenticates logins, and is probably used to send pornographic
> spam to the children of the world when I'm not paying attention.  
This does not sound like a particularly good setup.  You typically want
to spread things out a bit.

> Being one of Microsoft's finest products, it provides ALMOST an entire week
> of solid performance before a yet unknown application kills the server
> process preventing all logins including logging into or unlocking the
> console, meaning it requires a press of the power button to shutdown
> windows.  The weekly reboots required to keep the server functional are
> annoying because they always seem to be required when it is least convenient
> for me to make the 30 min ride into work to press the power button twice and
> drive home... so it's time to start working toward a more stable solution.  
I seem to recall on an episode of MacGyver where MacGyver took some duck
tape, two quarters, a set of jumper cables and a diesel generator and
made himself an arc welder.  He was using it to repair the broken rod on
a piston from a car engine.  However, you can go to the gym, get a
number of 25 lb or heavier plates and weld them to the case of the
server.  Once that is done, go out in a boat to the middle of Lake Erie
and drop it.  I guarantee that the server won't go anywhere and you will no
longer experience random lockups once a week.  Doesn't get much more
stable than that :-)

OK.  Sorry, it's been a long weekend and I am apparently relapsing.  On
to more serious responses.

> I've been researching this problem for over 6 months trying every far-out
> idea I come across to find the cause to no avail... I give up, so either I
> rebuild the network with W2K server, or go with linux.  Considering I'll
> never get the funds to upgrade to a new Windows server version in the
> future, likely forcing me to go with linux at that point; I figure I'll just
> get ahead of the game and go linux now.
> My questions for all of you very helpful type people are:
> 1.  The server is a Dell PowerEdge 2500 dual Xeon, 1GB RAM with a PERC 3/Di
> RAID controller, would I have any issues with hardware support?  I'm pretty
> sure I'll be ok, but I'd love to have someone tell me that it's better than
> supported... It's flawless."  Or something close!
I don't know anything about this.

> 2.  Is it possible to build and configure the server on a spare workstation,
> then when I am satisfied with the configuration and have tested everything,
> migrate the configuration from the workstation to the actual server hardware
> (I can't afford the down time it would take my newbie ass to install and
> configure everything).  If so, how difficult is this and could I get a rough
> overview of the process to get my research started?
It is *possible*.  The question, however, is, "is it feasible?"  The
more similar your workstation's configuration to that of the server, the
better.  A better approach would be to replace the services one at a
time by moving them to alternate machines.  Once everything is moved
off, nuke the OS, reinstall and start configuring new services and
migrating them back to the server.

> 3.  I currently have 3 Debian servers on the network, one LAMP server for
> our intranet and two 750 GB file servers (one's a rsnapshot backup of most
> of the other) providing data storage, and disk based backups of the windows
> server.  The file servers currently use winbind to authenticate their Samba
> shares to the Active Directory... What will I have to do so that these
> servers will still allow access once the Windows Server is gone.  Will I
> have to create 200+ users on each of my Samba servers, or should I use some
> sort of central authentication.  Any advice on this issue would be welcome.
OpenLDAP is your friend.  You can even teach Samba to authenticate
against OpenLDAP so that if you have any *nix machines on the network
everyone has one username/password for all the machines.  If you are
working with Samba, you may want to check out Bruce Perens' Open Source
Series: http://phptr.com/perens .  There are two books there that are
freely downloadable in PDF format that may be of interest to you:
"Samba-3 by Example" and "The Official Samba-3 HOWTO and Reference

> 4.  Our windows server currently runs Symantec AV daily to try to keep the
> spread of viruses via the file server at a minimum... Is there an equally
> good free product for linux that I could use to scan the user data.  I'm not
> worried much about protecting the server from viruses cuz I know there
> aren't many for linux... But I'd hate to have my users (who can't seem to
> sit at the same computer twice) to spread it around my labs.
I think you want ClamAV.  I don't use any AV since all my machines are
Debian, but I understand it is very good.  There are also proprietary
products from companies like BitDefender that are designed for
Linux-based mail servers.

> 5.  Considering that I'm fairly inexperienced with linux I would have to say
> that it is likely that my current windows server is more secure than
> anything I would put together with linux, apart from the ridiculous holes
> within the OS itself anyway.  Is there an easy way to ensure a reasonable
> level of security without needing to research too deep into securing linux,
> securing apache, securing ftp, securing...  I don't have the time to do much
> more than keep it patched once it's set up.  The server is behind a BSD
> router that is managed by someone far more experienced with such things than
> I, so other than the few ports I'll have forwarded in the router (SSH, HTTP,
> FTP) the server should be relatively safe from outside attacks.
You want to look at the Bastille package.  It will walk you through the
hardening of your system in a tutorial fashion and explain at each step
what it wants to do, why it wants to do it, and reasons why you may or
may not want to deviate from the default.  Also, read the Securing
Debian Manual:
It is a bit more general in nature, but has some good information.

> 6.  Any suggestions about migrating users and their data?
I wouldn't even know where to begin if they are all locked away in the
Windows server.  Maybe setup a Samba server as a slave (or whatever the
Windows term is) and have it replicate the user database, maybe then you
can access more easily through Samba.

> 7.  Finally, other than the Debian GNU/Linux 3.1 Bible, which I understand
> is the best resource for all things Debian... Are there any other texts I
> shouldn't go without in this quest. 
You may want to consider Martin Krafft's book "The Debian System":
http://debiansystem.info/ .  Martin is a Debian developer and spent a
long time researching and putting together information for the book.  I
have not personally read it (I am currently trying to learn to be a
better C++ programmer, since I managed to fake my way through
undergrad), but I intend to.

> I'm sorry this is such a long post, I just wanted to try and answer all your
> potential questions before they were asked.  I'm not looking for a detailed
> howto, I know how to research and figure things out, I simply have a very
> hard time deciding what is the best approach to most things in linux.  That
> and any pitfalls to watch out for or issues I'm likely to face if I follow
> your suggestions would be great so I don't get discouraged before I'm done.
At least you asked intelligent questions :-)

It could have been: "I have this server.  I want to migrate it.  Can
someone give me a step by step detailed HOWTO, including references?  No,
I don't have any more details about what I am trying to accomplish."
Your request was by far more detailed, and your expectations more

> Once completed, this will be a far more complicated solution than I have
> ever implemented with linux, so please try to take it easy.  I'm still a
> newbie, hopefully I'll feel deserving of a better title once the project is
> complete!
The complexity is what makes me recommend the one service at a time
approach.  If you have some old boxes lying around, scrounge them up.
Start by moving all student web pages off to another machine and then
make the partitions available to the server over the network.  Next,
move FTP, and so on.

> Here's 1/2 ton of thanks in advance, other half on completion of the
> project!
I'll send you an invoice :-)
> Joe

Roberto C. Sanchez
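
The Samba-against-OpenLDAP arrangement suggested in the reply to question 3, sketched as an smb.conf fragment. This is an added example, not part of the original message; the workgroup, host name, suffix and DNs are placeholders, and the LDAP server is assumed to already carry the Samba schema.

```ini
# /etc/samba/smb.conf on each Samba file server (constructed example).
# Replaces winbind-against-Active-Directory with accounts held in OpenLDAP,
# so 200+ users are created once in the directory, not once per server.

[global]
   # Placeholder NetBIOS domain/workgroup name.
   workgroup = SCHOOL
   security = user

   # Store and look up Samba accounts in LDAP instead of a local
   # smbpasswd/tdbsam file. Placeholder host name.
   passdb backend = ldapsam:ldap://ldap.example.edu

   # Where accounts live in the directory (placeholder tree).
   ldap suffix = dc=example,dc=edu
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap idmap suffix = ou=Idmap

   # Dedicated service DN rather than the directory manager; grant it
   # write access only to the Samba attributes it maintains.
   # Its password is NOT written here: store it once with
   #   smbpasswd -w <password>
   # which puts it in Samba's secrets database.
   ldap admin dn = cn=samba,dc=example,dc=edu

   # Weak setting: the service DN's bind password and the password
   # hashes Samba reads cross the network unencrypted.
   ;  ldap ssl = off
   # Corrected setting: upgrade every LDAP connection with StartTLS.
   ldap ssl = start tls

   # Keep the Unix-side LDAP password in step with the Samba password
   # when a user changes it, so there is one password everywhere.
   ldap passwd sync = yes
```

After editing, `testparm` reports syntax errors and unknown parameters before the daemons are restarted.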
