Zentyal Server

Zentyal is an all-in-one Linux small-business server that stands in for Microsoft Windows Server — a native Active Directory-compatible domain controller built on Samba 4, plus DNS, DHCP, file sharing, mail, firewall, and VPN, all managed from one web console. Join Windows and Linux clients to the domain, manage users and group policies centrally, and consolidate the services a small office needs onto a single box. This guide walks through installation, first configuration, and day-to-day use.

Base: Ubuntu LTS · Samba 4 AD · Admin: web console on port 8443 · Editions: Development (free) · Commercial

01 — What Zentyal Gives You

Zentyal packages a stack of server roles as toggleable modules. You install only what you need; Zentyal resolves the dependencies between them. The headline capability is a drop-in Active Directory domain controller, but the same box can be your gateway too.

| Module | Provides |
| --- | --- |
| Domain Controller & File Sharing | Samba 4 Active Directory: users, groups, GPOs, Kerberos, SMB shares |
| Users and Computers | The LDAP directory management interface (the AD tree) |
| DNS | Authoritative DNS for the domain — AD depends on this heavily |
| DHCP | Lease assignment, and pushing DNS/NTP to clients automatically |
| Firewall | Stateful packet filter with a rules GUI over iptables |
| VPN | OpenVPN (and IPsec) for remote access and site-to-site links |
| Mail | SMTP + POP3/IMAP mail server |
| CA | Certification authority for issuing service and VPN certificates |

ℹ  Editions: the Development Edition is free and fully functional — ideal for labs, evaluation, and small deployments. The Commercial Edition adds official support, QA-tested updates, and a few extras (like user profile pictures). Everything in this guide works on the free edition.

02 — Install the Base System

Zentyal ships as an installable ISO built on Ubuntu LTS. Grab it from zentyal.com, write it to a USB stick, and boot the target machine (a VM is perfect for evaluation). Recommended minimums: 2 vCPU, 4 GB RAM, 30 GB disk for a domain controller.

| Installer step | Choice |
| --- | --- |
| Install mode | Standard "Install Zentyal" (erases the disk — use dedicated hardware or a VM) |
| Language / keyboard / timezone | Set to your locale — timezone matters for AD/Kerberos |
| User account | Create the initial admin user — this account logs into the web console |
| Reboot | Eject the media; first boot auto-launches a browser to finish setup |

⚠  The installer wipes the target disk. Only install on a machine or VM you've dedicated to Zentyal. The first boot takes noticeably longer than later ones because it initializes the core modules — let it finish rather than assuming it has hung.

03 — First Login & the Initial Wizard

After reboot, reach the web console from any machine on the network:

Web administration console
https://your-zentyal-ip:8443

Log in with the account you created during install. The setup wizard then offers to install modules — you can accept its role-based selection or skip it and add modules by hand later for finer control.

| Wizard step | What to do |
| --- | --- |
| Select functionality | Tick the roles you want (e.g. Domain Controller, Firewall). Zentyal adds dependencies |
| Network interfaces | Mark each NIC External (internet-facing) or Internal (LAN) — this drives firewall defaults |
| Interface config | Give internal NICs a static IP; external can use DHCP from your ISP router |
| Server type & domain | Choose Standalone (first DC) and set the domain, e.g. office.lan |

⚠  The External vs Internal choice is security-critical: External interfaces get a locked-down default firewall policy and are network-masqueraded, Internal ones are trusted. Mislabel your LAN NIC as External and clients lose access to services; mislabel your WAN as Internal and you expose the server. Double-check before saving.

04 — The Golden Rule: Save Changes

Zentyal separates editing configuration from applying it. You make changes across the GUI, then commit them all at once with the Save Changes button at the top right. Nothing you change takes effect on the running system until you do.

| Concept | Meaning |
| --- | --- |
| Module Status | Where you enable/disable modules (a checkbox per module) |
| Save Changes | Top-right button — writes staged config to the live services. Highlighted when changes are pending |
| Configure (gear) | Per-module settings pages |

ℹ  Get in the habit of clicking Save Changes after each logical set of edits. A frequent beginner confusion is "I changed the setting but nothing happened" — almost always it's un-committed config waiting on that button.

⚠  Some changes — notably enabling the Domain Controller module — provision the domain and are hard to reverse cleanly. Get your hostname, domain name, and network settings right before enabling it (next section), because unwinding a provisioned domain is far messier than any other module toggle.

05 — Set Up the Domain Controller

Active Directory is exquisitely dependent on DNS and correct naming, so configure those first, then enable the module. Do these in order.

| Step | Where / What |
| --- | --- |
| 1. Name the server | System → General: set Hostname (e.g. dc1) and Domain (office.lan). Save Changes, reboot if it prompts |
| 2. Static IP | Network → Interfaces: give the internal NIC a fixed address; set the server's own DNS to point at itself |
| 3. Enable the module | Module Status: tick Domain Controller and File Sharing (pulls in DNS, NTP, Users and Computers) |
| 4. Confirm the mode | Domain tab: Server Role = Domain Controller, check NetBIOS name and Realm (OFFICE / office.lan) |
| 5. Save Changes | This provisions the domain: LDAP tree, Kerberos, DNS zones are all created |

ℹ  Use a private, non-public domain suffix like .lan or a subdomain you own (ad.example.com). Never provision AD on a bare public domain you also use externally — the split-horizon DNS clashes cause endless grief. Provisioning can take a minute or two.

06 — Create Users & Groups

A domain is an empty shell until it has accounts. Manage the directory under Users and Computers → Manage, which shows the LDAP/AD tree with its default Organizational Units.

| Task | How |
| --- | --- |
| Add a user | Select the Users OU → Add (+) → set username and a strong password |
| Add a group | Same interface → create a group (e.g. Sales, IT) and add members |
| Make an admin | Add the user to the Domain Admins (and, if needed, Schema Admins) group |
| Edit attributes | Click a user to edit LDAP attributes, group membership, and module plugins on the right |

ℹ  Manage permissions through groups, not individual users — assign a share or resource to "Sales" once, then membership does the rest. Note that creating a user also creates a /home/<username> directory on the server; if that path already exists, remove it first or user creation fails with an error.

07 — File Sharing

With the module enabled you can publish SMB shares tied to your domain users. Define them under File Sharing → Shares, then set who can reach them.

| Step | Action |
| --- | --- |
| 1. Add a share | File Sharing → Shares → Add New: name it (e.g. Shared), path under /home/samba |
| 2. Set access (ACL) | Click the Access Control icon → Add: pick a user or group, set Read / Read-Write / Admin |
| 3. Save Changes | Commit; the share becomes reachable at \\dc1\Shared |

Domain users can now map the share from Windows Explorer or mount it from Linux with their directory credentials — single sign-on via Kerberos means no re-entering passwords once joined.

ℹ  Assign share permissions to groups for the same reason as everything else — it scales. A "Read-Write for Sales, Read for everyone else" share is two ACL entries, regardless of headcount.

08 — Join Clients to the Domain

The payoff: client machines authenticate against Zentyal. The one non-negotiable prerequisite — the client's DNS must point at the Zentyal server, or it can't find the domain.

Windows

    # Set the client's DNS to the Zentyal IP first, then:
    # Settings -> System -> About -> Domain or workgroup ->
    # Change -> Member of Domain -> office.lan
    # Authenticate with a Domain Admins account, reboot,
    # then log in as OFFICE\username

Linux (Ubuntu/Debian, via realmd)

    # Ensure DNS points at Zentyal, then:
    sudo apt install -y realmd sssd sssd-tools adcli
    sudo realm join -U administrator office.lan
    # Log in with domain creds; enable home-dir creation:
    sudo pam-auth-update --enable mkhomedir

⚠  Clock skew breaks Kerberos. AD authentication fails if client and server clocks differ by more than ~5 minutes. Zentyal runs NTP for exactly this reason — hand it out via DHCP so clients stay in sync. "User or password is wrong" right after joining is very often a time problem, not a credentials one.
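
The two prerequisites in this section (client DNS pointing at the Zentyal server, clocks within the ~5 minute Kerberos tolerance) can be checked on a Linux client before running the join. The script below is an added example, not part of Zentyal or of the original guide. Assumptions: DC_IP (192.0.2.10) is a placeholder address, office.lan is the guide's example domain, and all function names are hypothetical.

```shell
#!/bin/sh
# Pre-join checks for a Linux client: resolver target, DC discovery, clock skew.
# DC_IP is a placeholder (documentation range); office.lan is the guide's example.
DC_IP="${DC_IP:-192.0.2.10}"
DOMAIN="${DOMAIN:-office.lan}"
MAX_SKEW="${MAX_SKEW:-300}"   # seconds; the ~5 minute Kerberos tolerance

# Reads resolv.conf-style text on stdin. Succeeds only if at least one
# nameserver is listed and every one of them is the DC: a second, non-AD
# resolver answers some lookups and cannot resolve the domain's records.
dns_points_at() {
    awk -v dc="$1" '$1 == "nameserver" { n++; if ($2 != dc) bad++ }
                    END { exit !(n > 0 && bad == 0) }'
}

# Reads `host -t SRV _ldap._tcp.<domain>` output on stdin and prints the
# DC host names it advertises, one per line (empty if discovery fails).
srv_targets() {
    awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF }'
}

# skew_ok <client_epoch> <server_epoch>: true if within MAX_SKEW seconds.
skew_ok() {
    d=$(( $1 - $2 ))
    [ "$d" -ge 0 ] || d=$(( 0 - d ))
    [ "$d" -le "$MAX_SKEW" ]
}

# prejoin_check <resolv_file> <srv_output_file> <client_epoch> <server_epoch>
# Prints one line per failed check; returns non-zero if any check failed.
prejoin_check() {
    rc=0
    dns_points_at "$DC_IP" < "$1" || { echo "DNS: resolver is not only $DC_IP"; rc=1; }
    [ -n "$(srv_targets < "$2")" ] || { echo "SRV: no DC found for $DOMAIN"; rc=1; }
    skew_ok "$3" "$4" || { echo "TIME: clock skew exceeds ${MAX_SKEW}s"; rc=1; }
    return "$rc"
}

# Live use (not run here):
#   host -t SRV "_ldap._tcp.$DOMAIN" > /tmp/srv.txt
#   prejoin_check /etc/resolv.conf /tmp/srv.txt "$(date +%s)" "<DC epoch>"
# With systemd-resolved, /etc/resolv.conf shows the 127.0.0.53 stub; read
# /run/systemd/resolve/resolv.conf for the real upstream servers.
```
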
09 — Managing & Extending

| Task | Where |
| --- | --- |
| Add/remove modules later | Software Management → Zentyal Components |
| Apply system updates | Software Management → System Updates |
| Manage GPOs from Windows | Install RSAT on a domain-joined Windows box — use native AD Users & Computers / GPMC / DNS tools against Zentyal |
| Firewall rules | Firewall → Packet Filter (rules per source zone) |
| Remote access VPN | VPN → Servers (OpenVPN); issue client certs from the CA module |
| Backup config | System → Configuration Backup — export before major changes |
| Logs & dashboard | Dashboard widgets; Logs module for per-service query |

✓  Because Zentyal's directory is real Samba 4 AD, Microsoft's RSAT tools manage it natively from Windows — Active Directory Users and Computers, Group Policy Management, and DNS all connect straight to it. Teams comfortable with Windows administration can keep their familiar tooling while the server itself runs on Linux.