Anybody here running AD on-prem in your homelab? - eviltoast

I’m curious as to why someone would need to do that short of having a bunch of users and a small office at home. Or maybe managing the family’s computers is easier that way?

I was considering a domain controller (biased towards Linux since most servers/VMs are Linux) but right now, for the homelab, it just seems like a shiny new toy to play with rather than something that can make life easier/more secure. There’s also the problem of HA and being locked out of your computer if the DC is down.

Tell me why you’re running it and the setup you’ve got that makes having a DC worth it.

Thanks!

  • MigratingtoLemmy@lemmy.world (OP) · 2 points · 9 months ago

    Thank you for your experience using FreeIPA, your comment really got me re-thinking about AD, about trust setups and if I really needed a Windows domain controller other than for learning. Being able to manage Sudoers centrally is fantastic!

    I plan to use XCP-ng as my hypervisor.

    Unfortunately, I didn’t quite catch how using SSH keys will keep you from getting locked out if your domain controller goes down. That sounds exactly like what I want, and great idea having a spare account on each machine!

    Thanks for your comment, very informative!

    • Kid_Thunder@kbin.social · 2 points · edited · 9 months ago

      The SSH keys don’t help me if I get locked out of a Domain Controller unless you’re using OpenSSH (which is now a native feature you can turn on). In that case you can actually still log into the DC via command line because it authenticates based on authorized_keys and not the LDAP of the DC. I actually do this on the enterprise, not because I may get locked out but because it is just convenient. Granted you’ll have to execute PowerShell on the command line once in to use the AD cmdlets.

      On the other hand, when you create a DC nowadays (Server 2019…I don’t remember if this is asked in the wizard when in Server 2016) you can create a “Directory Services Restore Mode” password, which is basically a local admin account on the DC that you can log into only when the DC is booted into safe mode. You’ll be asked to create it when you promote your DC.
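The setup Kid_Thunder describes (the native OpenSSH Server with key-based login and PowerShell as the login shell on a Server 2019+ DC), written out as an added example that is not from the thread or from any poster. The public key line is a constructed placeholder, and the firewall rule name, registry path and key-file location are Microsoft's documented defaults.

```powershell
# Added example (not from the thread): enable the built-in OpenSSH Server on a
# Windows Server 2019+ domain controller and stage a key-based admin login.
# ASSUMPTION: run from an elevated PowerShell session.
# CONSTRUCTED PLACEHOLDER: replace with a real public key line before use.
$BreakGlassPubKey = 'ssh-ed25519 AAAA...PLACEHOLDER... breakglass@homelab'

# 1. Install and start the OpenSSH Server capability (Windows 10 1809 / Server 2019 and later).
Add-WindowsCapability -Online -Name 'OpenSSH.Server~~~~0.0.1.0'
Set-Service -Name sshd -StartupType Automatic
Start-Service -Name sshd

# 2. Allow inbound TCP/22 only if the capability did not already create the rule.
if (-not (Get-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' `
        -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
}

# 3. Make PowerShell the login shell so the AD cmdlets are usable straight after login
#    (otherwise sshd drops you into cmd.exe and you start powershell.exe by hand).
New-ItemProperty -Path 'HKLM:\SOFTWARE\OpenSSH' -Name DefaultShell `
    -Value 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -PropertyType String -Force

# 4. The default sshd_config has a 'Match Group administrators' block that reads keys for
#    admin accounts from administrators_authorized_keys, NOT from the user's own
#    ~/.ssh/authorized_keys. Putting the key in the wrong file is the usual reason key auth
#    silently falls back to a password prompt on Windows.
$keyFile = Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'
Add-Content -Path $keyFile -Value $BreakGlassPubKey

# 5. sshd refuses the key file if anyone other than Administrators and SYSTEM can access it,
#    so strip inherited ACEs and grant only those two principals.
icacls.exe $keyFile /inheritance:r /grant 'Administrators:F' /grant 'SYSTEM:F'

# 6. Restart to pick up the shell change and confirm sshd is listening.
Restart-Service -Name sshd
Get-NetTCPConnection -State Listen -LocalPort 22 |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Test the key login from another machine before you need it, and keep the private key off the domain-joined workstations whose access you are trying to survive losing.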