Yes, I like that setup.
As long as the Windows server is joined to the Zentyal-created "AD" domain controller, you'll be able to control permissions of files and folders by simply right-clicking as normal and setting both sharing and NTFS permissions. Any users you've added in the Zentyal web interface will be available for you to associate with particular files and folders, just as you'd expect if a Windows server was doing AD.
I'm actually using Zentyal for a file server too, but I like your setup better due to that issue I had upgrading from Zentyal 3.0 to 3.2. Samba 4 was still unsettled at that time, so future upgrades may not break file sharing, but as they say: once bitten, twice shy. So, I'd play it safe and use something else for a file server. In my experience, Zentyal is good at domain controllers, firewall, OpenVPN, DNS, DHCP, web proxy, and traffic shaping.
My suggested setup requires 3 servers:
1) Gateway - For this I installed Zentyal onto a Lenovo Q-190. The computer is dedicated to firewall, VPN, web proxy, traffic shaping, port-forwarding, and blocking certain websites.
2) Domain Controller 1 - I've got this in a virtual machine, so that I can perform a snapshot before performing an upgrade. This way I can restore back in the event of a failed upgrade. You don't want to lose your domain controller no matter what. If you do, you'll spend a lot of time rebuilding it and joining workstations to a new domain. This server has 2GB of RAM dedicated to it, and it does: AD, DNS, DHCP Pool 1 (192.168.0.10 - 192.168.0.100 for example).
3) Domain Controller 2 - Zentyal's web interface calls this an "additional domain controller". It syncs with the primary domain controller. You can add a user in either one of these domain controllers and go look in the other one and it will already be there. So, it works well. You want to have a 2nd one in case you have to take the primary down for some reason. You can set your DHCP service so that each workstation is informed that it has two choices for domain controllers. This way, if one goes down, users can still log in to the Windows workstations and servers; authentication still gets performed. This server does: AD2, DNS, and DHCP Pool 2 (192.168.0.101 - 192.168.0.190 for example). This second DHCP pool (on this server) ensures workstations will still get issued an IP in case the other server is down.
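The split-scope DHCP arrangement in the post (two DCs, each owning a disjoint pool, each handing clients both DCs as DNS/authentication choices) only gives the promised resilience if the pools really are disjoint, both lie in the subnet, neither swallows a DC's static address, and each scope on its own advertises both DCs. The checker below is an added example written for this reply, not Zentyal code or the poster's configuration; the DC addresses 192.168.0.2 and 192.168.0.3 and the subnet 192.168.0.0/24 are assumed values, while the two pool ranges are the ones the post gives as examples.

```python
"""Sanity checks for a two-DC split-scope DHCP plan (added example, not from the post)."""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class DhcpScope:
    server: str              # the domain controller that serves this pool
    first: str               # first dynamic address of the pool
    last: str                # last dynamic address of the pool
    dns_servers: List[str]   # DNS servers the scope hands to clients


def _bounds(scope: DhcpScope):
    """Return the pool as a pair of integers so ranges compare cheaply."""
    return int(ipaddress.ip_address(scope.first)), int(ipaddress.ip_address(scope.last))


def check_plan(subnet: str, scopes: List[DhcpScope], dc_addrs: List[str],
               min_clients: int = 0) -> List[str]:
    """Return a list of problems; an empty list means the plan passes every check.

    min_clients is the number of workstations each pool must be able to serve
    ALONE, because the whole point of the second pool is surviving one DC outage.
    """
    problems = []
    net = ipaddress.ip_network(subnet)

    for s in scopes:
        lo, hi = _bounds(s)
        if lo > hi:
            problems.append(f"{s.server}: pool starts after it ends")
        for addr in (s.first, s.last):
            if ipaddress.ip_address(addr) not in net:
                problems.append(f"{s.server}: {addr} is outside {subnet}")
        if hi - lo + 1 < min_clients:
            problems.append(f"{s.server}: pool holds {hi - lo + 1} addresses, "
                            f"fewer than the {min_clients} clients it must cover alone")
        for dc in dc_addrs:
            # Every scope must point clients at BOTH DCs, or a DC outage
            # strands the clients that happened to lease from the other pool.
            if dc not in s.dns_servers:
                problems.append(f"{s.server}: scope does not advertise DC {dc} as DNS")
            # A DC's static address inside a dynamic pool invites a duplicate lease.
            if lo <= int(ipaddress.ip_address(dc)) <= hi:
                problems.append(f"{s.server}: DC address {dc} lies inside the dynamic pool")

    # Pairwise overlap: two servers leasing the same address is the classic
    # split-scope mistake and produces intermittent IP conflicts.
    for i in range(len(scopes)):
        for j in range(i + 1, len(scopes)):
            a_lo, a_hi = _bounds(scopes[i])
            b_lo, b_hi = _bounds(scopes[j])
            if a_lo <= b_hi and b_lo <= a_hi:
                problems.append(f"pools on {scopes[i].server} and {scopes[j].server} overlap")
    return problems


# Constructed plan modelled on the post: assumed DC addresses, the post's pool ranges.
DC_ADDRS = ["192.168.0.2", "192.168.0.3"]


def example_plan() -> List[DhcpScope]:
    return [
        DhcpScope("DC1", "192.168.0.10", "192.168.0.100", DC_ADDRS),
        DhcpScope("DC2", "192.168.0.101", "192.168.0.190", DC_ADDRS),
    ]


def broken_plan() -> List[DhcpScope]:
    """Same plan with two typical mistakes: overlapping pools and DC2 only advertising itself."""
    return [
        DhcpScope("DC1", "192.168.0.10", "192.168.0.100", DC_ADDRS),
        DhcpScope("DC2", "192.168.0.90", "192.168.0.190", ["192.168.0.3"]),
    ]


if __name__ == "__main__":
    for name, plan in (("good", example_plan()), ("broken", broken_plan())):
        print(name, check_plan("192.168.0.0/24", plan, DC_ADDRS, min_clients=60) or "OK")
```

Run it with a `min_clients` value equal to your real workstation count: the post's example pools hold 91 and 90 addresses each, so either one can carry a 60-seat office on its own, but a pool sized for half the fleet would silently defeat the failover the second DC is there to provide.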