
Linux1015

From OCAU Wiki

Windows and Linux living in harmony in Enterprise

Intro

A short essay on the pros and cons of Windows and Linux, and how they can complement each other and compensate for the other's shortfalls.

This post will be aimed mostly at system administrators, corporate monkeys (like me), and possibly even MCSEs.

Throughout this post, I ask anyone who's familiar with Windows licensing and pricing to consider the direct cost savings of what I talk about (the licenses themselves), as well as the indirect (remote access, unlimited connections, etc, etc).

Windows and Linux - their history

Windows started life as a low-end, single-user desktop system. Over the years, networking and multi-user code was tacked on, and with it came the headache of multi-user system management, file-system security for non-admin users, and a host of other stuff that makes it a rather awful server system to try and implement securely.

Linux is the polar opposite. It started its commercial life in large enterprise on whopping big servers as a UNIX replacement. Built from the ground up as a huge, multi-user system, it too followed the UNIX tradition of being network-focussed from day one. As addons like the GUI came along, they stayed true to the "the computer is the network" philosophy, but maintaining it made life difficult for the end user. Even today, despite its leaps and bounds, Linux as a GUI desktop still has its shortfalls.

Both OSes have come far, and have a large corporate following. Both have their obvious pros and cons. Luckily they can exist together happily in the same network, and even leverage each other's strengths to reduce their own weaknesses.

Active Directory and Windows Domains

So you want to run Windows on desktops in a corporate network, using Domain log-ons? Not unusual by any stretch of the imagination. Windows desktops are fairly cheap, and have a lot of corporate-focused software.

Windows Servers, on the other hand, are often an easy target for viruses and worms, and cost big bikkies for licensing. For each connecting user, despite already having bought a Windows desktop license, Microsoft charges you yet another license fee. For small business, that can get exy. Consider your average 5-man small business who has to pay $250 per desktop for Windows XP, and $799 for Windows Server. Add another 5 users, and that's another $250 per desktop, and another $600 for a 5-license pack for Windows Server. That ends up costing the business far more in software and licensing than they probably paid in hardware!

Enter Linux.

It surprises me just how few MCSEs understand HOW Windows works. They know WHAT to do, but frequently not WHY they are doing it.

A quick lesson in Windows domains:

Windows Active Directory and NT domains are nothing magic. They are made up of the following components:

LDAP: Lightweight Directory Access Protocol. A lightweight database system that is "tree" like in structure, and contains a parent/child relationship system of users, passwords, and other attributes (groups, contact and email addresses, etc, etc).

LDAP was not invented by Microsoft. LDAP is an open standard implemented by many pieces of software, including OpenLDAP (previously named Slapd): http://www.openldap.org/

Kerberos: An encryption scheme used to wrap LDAP and other data in. Again, an open standard: http://web.mit.edu/Kerberos/

CIFS/SMB/NMB: Common Internet File Services / Server Message Block / Name Message Block. Gobbledygook meaning "how to send files over a network". These are the two primary protocols used by Microsoft networking for file sharing, print sharing, mapped drives, NetBIOS name resolution, etc. Once again, free (as in freedom) implementations exist in the form of the massively useful and widely used SAMBA: http://au.samba.org/

When a Windows Server isn't a Windows Server

Now here's the kicker: OpenLDAP + Kerberos + SAMBA = A Windows server replacement? Cost for 1 user? $0. Cost for 1,000,000 users? $0. License free. Quite often Kerberos can be removed from the equation to lower complexity also.

Where I work right now, we have 1500 users on Windows desktops who all connect to a "Windows Domain". They share files on a "Windows File Server". The tricky part is, none of it is actually Windows. It's all SAMBA and LDAP backend. Adding users by the truckload costs nothing in licensing, as long as Desktop machines have the correct license installed. Very cheap, and very easy to maintain.

Any Windows server admin worth their salt will tell you backup domain controllers are mandatory: and they are right. No hardware is perfect, and servers do occasionally go boom. Once more, Linux to the rescue. Building a "BDC" costs only the hardware you want to implement it on (less if you use Xen Hypervisor "virtual machines" like we do - more on these later).

Want the best of both worlds? A Linux/SAMBA box can happily act as a BDC to a real world Windows Server box. Great for people who need a backup, but still want to maintain their Windows boxes in operation. Happy co-existence for all.

Furthermore Linux makes backup and restore a piece of cake. Unlike Windows, Linux has no registry or hidden information. All information is stored in logical places (/etc contains system-level configuration, /var/lib contains variable libraries, such as the LDAP database). All of these are plain-text files that can be backed up with a simple copy and zip. Then when it comes time to restore, unzip back to their original location, and restart the service. No reinstalls, no license numbers, no headaches. I can have a domain controller built from the ground up and fully functional in 15 minutes. Less if I script it. There's nothing like telling your CEO that even in the event of a "total destruction" fire/cyclone/flood, you can have a site office converted into a working server room in half an hour or less. Disaster recovery under Linux quickly becomes a very tempting alternative to the hair-pulling experience of Windows restores from tape, or the utter shitfit Windows has when changing underlying hardware (more on that later).
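The copy-and-zip backup and restore described above, as an added shell example (not from the original post); the function names and the example paths /etc/samba and /var/lib/ldap are assumptions. Because these files include the account database, the archive is created owner-only and its checksum is verified before anything is unpacked.

```shell
#!/usr/bin/env bash
# Added example: archive and restore directory-service state with an
# integrity check. Directories are given relative to a root so the same
# functions work against / on a server or against a scratch directory.
set -u

# backup_dirs ARCHIVE ROOT DIR...   writes ARCHIVE and ARCHIVE.sha256
backup_dirs() {
    local archive=$1 root=$2; shift 2
    (
        umask 077    # archive contains password hashes: readable by owner only
        tar -czf "$archive" -C "$root" "$@" &&
        cd "$(dirname "$archive")" &&
        sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256"
    )
}

# restore_dirs ARCHIVE ROOT   verifies the checksum, then unpacks under ROOT
restore_dirs() {
    local archive=$1 root=$2
    # A checksum stored beside the archive only catches corruption; keep a
    # copy of it elsewhere if tampering is also a concern.
    ( cd "$(dirname "$archive")" &&
      sha256sum -c "$(basename "$archive").sha256" >/dev/null 2>&1 ) || {
        echo "checksum mismatch, refusing to restore $archive" >&2
        return 1
    }
    mkdir -p "$root" && tar -xzpf "$archive" -C "$root"
}

# Command-line use (paths are assumed, typical locations):
#   script backup  /backup/dc.tar.gz / etc/samba var/lib/ldap
#   script restore /backup/dc.tar.gz /
case "${1:-}" in
    backup)  shift; backup_dirs "$@" ;;
    restore) shift; restore_dirs "$@" ;;
esac
```

On a live server, stop the directory services before archiving and start them again after a restore, so the database files are copied in a consistent state.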

Now a quick "gotcha":

Samba is currently at version 3. This implements a full Windows NT4-style domain and all associated goodies. Currently this means no group policy. Group policy is a must for quite a few businesses, and its absence writes off Samba as a valid alternative for them.

But have no fear! Samba 4 is now in testing phase, and implements a full and complete Windows Server 2003 (and upcoming Vista Server) Active Directory, complete with built-in LDAP/Kerberos (no need to install and configure a separate system), and complete Windows Server Group Policy objects and control. Release is due probably mid to late this year, and is an exciting prospect for anyone who wants to look at the possibility of implementing a true and up-to-date "Windows on the desktop, Linux on the server" network.

<< Part 4 | Part 6 >>
