Zentyal Server
Zentyal is an all-in-one Linux small-business server that stands in for Microsoft Windows Server — a native Active Directory-compatible domain controller built on Samba 4, plus DNS, DHCP, file sharing, mail, firewall, and VPN, all managed from one web console. Join Windows and Linux clients to the domain, manage users and group policies centrally, and consolidate the services a small office needs onto a single box. This guide walks through installation, first configuration, and day-to-day use.
Zentyal packages a stack of server roles as toggleable modules. You install only what you need; Zentyal resolves the dependencies between them. The headline capability is a drop-in Active Directory domain controller, but the same box can be your gateway too.
| Module | Provides |
|---|---|
| Domain Controller & File Sharing | Samba 4 Active Directory: users, groups, GPOs, Kerberos, SMB shares |
| Users and Computers | The LDAP directory management interface (the AD tree) |
| DNS | Authoritative DNS for the domain — AD depends on this heavily |
| DHCP | Lease assignment, and pushing DNS/NTP to clients automatically |
| Firewall | Stateful packet filter with a rules GUI over iptables |
| VPN | OpenVPN (and IPsec) for remote access and site-to-site links |
| Mail | SMTP + POP3/IMAP mail server |
| CA | Certification authority for issuing service and VPN certificates |
Zentyal ships as an installable ISO built on Ubuntu LTS. Grab it from zentyal.com, write it to a USB stick, and boot the target machine (a VM is perfect for evaluation). Recommended minimums: 2 vCPU, 4 GB RAM, 30 GB disk for a domain controller.
| Installer step | Choice |
|---|---|
| Install mode | Standard "Install Zentyal" (erases the disk — use dedicated hardware or a VM) |
| Language / keyboard / timezone | Set to your locale — timezone matters for AD/Kerberos |
| User account | Create the initial admin user — this account logs into the web console |
| Reboot | Eject the media; first boot auto-launches a browser to finish setup |
After reboot, reach the web console from any machine on the network:
Log in with the account you created during install. The setup wizard then offers to install modules — you can accept its role-based selection or skip it and add modules by hand later for finer control.
| Wizard step | What to do |
|---|---|
| Select functionality | Tick the roles you want (e.g. Domain Controller, Firewall). Zentyal adds dependencies |
| Network interfaces | Mark each NIC External (internet-facing) or Internal (LAN) — this drives firewall defaults |
| Interface config | Give internal NICs a static IP; external can use DHCP from your ISP router |
| Server type & domain | Choose Standalone (first DC) and set the domain, e.g. office.lan |
Zentyal separates editing configuration from applying it. You make changes across the GUI, then commit them all at once with the Save Changes button at the top right. Nothing you change takes effect on the running system until you do.
| Concept | Meaning |
|---|---|
| Module Status | Where you enable/disable modules (a checkbox per module) |
| Save Changes | Top-right button — writes staged config to the live services. Highlighted when changes are pending |
| Configure (gear) | Per-module settings pages |
Active Directory is exquisitely dependent on DNS and correct naming, so configure those first, then enable the module. Do these in order.
| Step | Where / What |
|---|---|
| 1. Name the server | System → General: set Hostname (e.g. dc1) and Domain (office.lan). Save Changes, reboot if it prompts |
| 2. Static IP | Network → Interfaces: give the internal NIC a fixed address; set the server's own DNS to point at itself |
| 3. Enable the module | Module Status: tick Domain Controller and File Sharing (pulls in DNS, NTP, Users and Computers) |
| 4. Confirm the mode | Domain tab: Server Role = Domain Controller, check NetBIOS name and Realm (OFFICE / office.lan) |
| 5. Save Changes | This provisions the domain: LDAP tree, Kerberos, DNS zones are all created |
.lan or a subdomain you own (ad.example.com). Never provision AD on a bare public domain you also use externally — the split-horizon DNS clashes cause endless grief. Provisioning can take a minute or two.
A domain is an empty shell until it has accounts. Manage the directory under Users and Computers → Manage, which shows the LDAP/AD tree with its default Organizational Units.
| Task | How |
|---|---|
| Add a user | Select the Users OU → Add (+) → set username and a strong password |
| Add a group | Same interface → create a group (e.g. Sales, IT) and add members |
| Make an admin | Add the user to the Domain Admins (and, if needed, Schema Admins) group |
| Edit attributes | Click a user to edit LDAP attributes, group membership, and module plugins on the right |
/home/<username> directory on the server; if that path already exists, remove it first or user creation errors.
With the module enabled you can publish SMB shares tied to your domain users. Define them under File Sharing → Shares, then set who can reach them.
| Step | Action |
|---|---|
| 1. Add a share | File Sharing → Shares → Add New: name it (e.g. Shared), path under /home/samba |
| 2. Set access (ACL) | Click the Access Control icon → Add: pick a user or group, set Read / Read-Write / Admin |
| 3. Save Changes | Commit; the share becomes reachable at \\dc1\Shared |
Domain users can now map the share from Windows Explorer or mount it from Linux with their directory credentials — single sign-on via Kerberos means no re-entering passwords once joined.
The payoff: client machines authenticate against Zentyal. The one non-negotiable prerequisite — the client's DNS must point at the Zentyal server, or it can't find the domain.
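
A pre-join check for the DNS prerequisite above, as an added example that is not part of the original guide: it looks up the SRV records a client uses to locate a domain controller and confirms each one points at the DC on the expected port. `office.lan` and `dc1` are the page's sample names, the `sample_*` answers are constructed so the script also runs offline, and the live path assumes `dig` is installed on the client.

```sh
# Pre-join DNS check (added example). office.lan / dc1 are this page's sample
# names; the sample_* functions return constructed resolver answers.

# SRV names a client resolves to find a DC, with the port each must advertise.
required_srv() {
  printf '%s %s\n' \
    "_ldap._tcp.$1" 389 \
    "_ldap._tcp.dc._msdcs.$1" 389 \
    "_kerberos._tcp.$1" 88 \
    "_kerberos._udp.$1" 88
}

# Live lookup; dig +short prints "priority weight port target." per record.
srv_lookup() { dig +short SRV "$1"; }

# Constructed: the Zentyal resolver, and one that does not know office.lan.
sample_zentyal() {
  case $1 in
    _ldap._tcp.*) echo "0 100 389 dc1.office.lan." ;;
    _kerberos.*)  echo "0 100 88 dc1.office.lan." ;;
  esac
}
sample_other() { :; }

# check_domain DOMAIN DC_FQDN [LOOKUP_FN]
# Returns the number of SRV records that are missing or point elsewhere.
check_domain() {
  local domain="$1" dc="$2" lookup="${3:-srv_lookup}" failed=0 name port answer
  while read -r name port; do
    answer=$("$lookup" "$name" </dev/null 2>/dev/null) || answer=""
    if printf '%s\n' "$answer" | awk -v p="$port" -v t="$dc." \
        'tolower($4) == tolower(t) && $3 == p { ok = 1 } END { exit !ok }'; then
      echo "ok    $name -> $dc:$port"
    else
      echo "FAIL  $name (answer: ${answer:-none})"
      failed=$((failed + 1))
    fi
  done <<EOF
$(required_srv "$domain")
EOF
  return "$failed"
}

if [ "$#" -eq 2 ]; then   # live: sh prejoin.sh office.lan dc1.office.lan
  check_domain "$1" "$2" || echo "=> point this client's DNS at the Zentyal server"
else                      # offline demonstration with the constructed answers
  check_domain office.lan dc1.office.lan sample_zentyal
  check_domain office.lan dc1.office.lan sample_other || echo "=> not joinable yet"
fi
```

A non-zero exit status from `check_domain` is the count of records the client's resolver could not supply, which is the failure a client hits when its DNS still points somewhere other than the Zentyal server.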
| Task | Where |
|---|---|
| Add/remove modules later | Software Management → Zentyal Components |
| Apply system updates | Software Management → System Updates |
| Manage GPOs from Windows | Install RSAT on a domain-joined Windows box — use native AD Users & Computers / GPMC / DNS tools against Zentyal |
| Firewall rules | Firewall → Packet Filter (rules per source zone) |
| Remote access VPN | VPN → Servers (OpenVPN); issue client certs from the CA module |
| Backup config | System → Configuration Backup — export before major changes |
| Logs & dashboard | Dashboard widgets; Logs module for per-service query |
