After putting in a fair amount of effort in order to move from Windows Server to Samba and from Exchange to Kopano, I've decided to roll all that back (kind of). Why, you might ask? Ultimately, it ends up with the mail server:
- For redundancy, especially since I'm not being paid to be a full-time system administrator. It's much harder to guarantee uptime when I'm not monitoring my systems constantly, so if I want a reliable mail server, I would need to set up something like a secondary MX... which, quite frankly, is a PITA, especially once you factor in needing another domain controller to feed information to the mail server, along with whatever that Kopano would want. Doing it properly? Not so simple.
- Kopano hasn't been as straightforward as I was expecting. I've already mentioned the ActiveSync issue, but Z-Push has also been remarkably flaky as well.
So I'm actually switching over to Microsoft 365 (formerly known as Office 365) Business, which addresses these issues (although, as with everything, comes with others).
Windows Server
Setting up a newer Windows Server with a new domain generally means setting up a domain controller on Server Core, which is a different beast from setting up a Desktop Experience installation. Fortunately, there are pages out there that explain the PowerShell commands needed to get everything up and running once the initial installation is complete (in the order they actually have to run, since the ADDSDeployment module only exists after the role is installed):
> # 1. Install the AD DS role first; this is what provides the ADDSDeployment cmdlets
> Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
> # 2. Sanity check that the deployment cmdlets are now available
> Get-Command -Module ADDSDeployment
> # 3a. New domain: create the forest (prompts for the DSRM password, then reboots)
> Install-ADDSForest -DomainName <domain> -DomainNetbiosName <netbios> -InstallDns
> # 3b. Or, for an additional DC in an existing domain, promote into it instead
> Install-ADDSDomainController -InstallDns -DomainName <domain> -Credential (Get-Credential)
After this, it's a matter of installing the certificate authority's root certificate (assuming that you're not using Windows Server as your CA). This is handled via certutil -dsPublish (after you copy the root certificate to your server). Installing a matching server certificate with its private key via certutil -importPFX and then restarting the server lets the LDAP service start serving LDAPS (there isn't a separate service that can be restarted to bring up LDAPS on its own).
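For reference, here is that whole Server Core sequence as one script, followed by the check the post glosses over: does LDAPS actually answer with a certificate that chains to the root you published? This is an added example, not code from the original post; the domain name, NetBIOS name and certificate paths are placeholders, Import-PfxCertificate is used as the PowerShell equivalent of certutil -importPFX, and the three stages are separated by reboots, so run them one at a time.

```powershell
# Added example (not from the original post). Assumed/placeholder values:
$DomainName  = 'corp.example'        # your AD domain
$NetbiosName = 'CORP'                # its NetBIOS name
$RootCer     = 'C:\certs\root.cer'   # root certificate of your external CA
$ServerPfx   = 'C:\certs\dc.pfx'     # server certificate + private key for this DC

# --- Stage 1: role install and forest creation (prompts for DSRM password, reboots) ---
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Get-Command -Module ADDSDeployment   # sanity check: cmdlets exist only after the role install
Install-ADDSForest -DomainName $DomainName -DomainNetbiosName $NetbiosName `
    -InstallDns -Force

# --- Stage 2 (after reboot, as a Domain Admin): trust the external CA ---
# Publish the root into AD (domain members pick it up via Group Policy) and into
# this machine's Root store so the DC trusts its own chain.
certutil -dsPublish -f $RootCer RootCA
certutil -addstore -f Root $RootCer
# Server cert into the machine Personal store; the LDAP service picks it up for
# LDAPS on the next restart, since there is no separate LDAPS service.
$PfxPassword = Read-Host -AsSecureString 'PFX password'
Import-PfxCertificate -FilePath $ServerPfx -CertStoreLocation Cert:\LocalMachine\My `
    -Password $PfxPassword
Restart-Computer -Force

# --- Stage 3: verify LDAPS answers and the presented chain validates ---
function Test-Ldaps {
    param([string]$Server, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        # No custom validation callback on purpose: a missing or wrong root
        # surfaces as an AuthenticationException instead of being hidden.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            ($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
            Protocol = $ssl.SslProtocol
        }
    } finally { $tcp.Close() }
}
Test-Ldaps -Server "$env:COMPUTERNAME.$DomainName"
```

If Test-Ldaps throws rather than returning an object, the certificate or its chain is the problem, not the listener; an empty Subject or a NotAfter in the past are the two values worth alerting on.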
Azure AD Connect
... Oh my god, dealing with this piece of software was horrible. Poorly documented, "security" fighting me the whole time, bugs all over the place... suffice it to say that it wasn't a pleasant experience.
- This is documented, but it needs to run on Server GUI and not Server Core for... Reasons.
- The documentation blithely assumes that you've already turned IE Enhanced Security off... which isn't the default.
- Reconfiguring Azure AD Connect often requires uninstalling and reinstalling it.
- After several attempts, I found that the Express mode was unable to detect my domain and would just fail mysteriously instead.
- Once I did get it installed, I found that it also installed Azure AD Connect Health Sync. Under certain circumstances that part of the installation would fail, without making it clear that it was optional in the first place (especially since you need to pay for a higher tier of Azure AD before that functionality even works).
- And, of course, if you don't have Azure AD Connect Health Sync working, if the sync ever gets into a weird state, it'll never tell you. Fun.
I did try to see whether it would be possible to run Azure AD Connect against Samba. My conclusion is that it was possible at some point in time, but with the current version of Azure AD Connect, it's not (it runs some queries that the current version of Samba doesn't support).
Microsoft 365
All in all, so far, the experience hasn't been too bad, even though there is some functionality that iOS has never supported (and likely never will): shared mailboxes. Instead, I'm using the workaround of paying for another account and logging in with that account as well. On the bright side, I suppose, it gives me additional OneDrive space for backups. On top of that:
- It's possible to set up e-mail sub-addressing on Office 365 with a bit of work, with one major benefit over services like Gmail or consumer Outlook: the ability to use a symbol other than + for subaddressing, which is great since there are lots of services out there which don't handle + very well.
- It takes quite a bit of wrangling, but it's also possible to send e-mail using aliases on the same domain while treating everything as a single mailbox.