Comment on Anybody here running AD on-prem in your homelab?
MigratingtoLemmy@lemmy.world 9 months agoThank you for the wonderful comment.
Indeed, I was hoping to have a good SSO setup alongside learning about AD and domain services (also looking at the *nix alternatives like 389DS and FreeIPA).
Could you tell me more about the DNS setup with regards to AD? I’d like to use my own DNS and not have AD be the DNS provider in my network. The idea to put it in its own subdomain is excellent and I’ll remember that.
People here also mention an increase in attack surface and security vulnerabilities in running AD/domain services on a network. Now, I agree that letting free access to the domain server and having rogue accounts causing havoc on the network is not great, but I’d like to know more. What has been your experience?
huskypenguin@sh.itjust.works 9 months ago
Not the original commenter, but I don’t understand how that would increase your attack surface. The AD is inside the network, and if an attacker is already in, you’re compromised. There might be way to refrence a DNS server with a windows server, but then you’re running windows and your life is now much more difficult.
As per DNS, the AD server must be the DNS provider. If you run something like nethserver in a VM you can use it as a dns & ad server.
The domain thing, the AD server is the authorative for its domain. So if you set it as top level, like myhouse.c()m, it will refrence all dns requests to itself, and any subdomains will not appear. The reccomended way to get around this is to use a subdomain, like ad.myhouse.c()m. Or, maybe you have a domain name to burn and you just want to use that?
MigratingtoLemmy@lemmy.world 9 months ago
Thanks, you’re the second person who spoke about Neth server to me. I’ll take a look.
I was planning to create a subdomain for it anyway, it’s just that I was misled that if I didn’t give it control over DNS for the network it wouldn’t function properly. That doesn’t seem to be case (which I’m glad for).
I do not quite understand how the attack surface is increased other than running Windows on my network. I will have to look deeper into it myself.
Thanks
huskypenguin@sh.itjust.works 9 months ago
It may have been me both times. I went down a deep AD hole recently, and was trying to find an easy open source way to do it.
My advice is to put whatever you choose into a vm and snapshot it right before you configure the AD. I think I reconfigured mine 8 times before I was happy.
MigratingtoLemmy@lemmy.world 9 months ago
Will do