Comment on Anybody here running AD on-prem in your homelab?
MigratingtoLemmy@lemmy.world 9 months ago
Thank you for your experience using FreeIPA, your comment really got me re-thinking about AD, about trust setups and if I really needed a Windows domain controller other than for learning. Being able to manage Sudoers centrally is fantastic!
I plan to use XCP-ng as my hypervisor.
Unfortunately, I didn’t quite catch how using SSH keys will keep you from getting locked out if your domain controller goes down. That sounds exactly like what I want, and great idea having a spare account on each machine!
Thanks for your comment, very informative!
Kid_Thunder@kbin.social 9 months ago
The SSH keys don't help me if I get locked out of a Domain Controller unless you're using OpenSSH (which is now a native feature you can turn on). In that case you can actually still log into the DC via the command line, because it authenticates based on authorized_keys and not the LDAP of the DC. I actually do this in the enterprise, not because I may get locked out but because it is just convenient. Granted, you'll have to execute PowerShell on the command line once in to use the AD cmdlets.
On the other hand, when you create a DC nowadays (Server 2019... I don't remember if this is asked in the wizard in Server 2016) you can create a "Directory Services Restore Mode" account, which is basically a local admin account on the DC that you can log into only when the DC is booted into safe mode. You'll be asked to create it when you promote your DC.
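The setup Kid_Thunder describes, as an added example (not code from the thread): enabling the built-in OpenSSH server on a Windows Server 2019+ domain controller, making PowerShell the shell you land in so the AD cmdlets are available straight away, and placing an administrator's public key where Windows' sshd actually looks for it. The hostname `dc01`, the placeholder public key and the `admin@homelab` comment are assumptions. The one caveat a practitioner wants here: for members of the local Administrators group, Windows OpenSSH does not read `~\.ssh\authorized_keys` but `C:\ProgramData\ssh\administrators_authorized_keys`, and it refuses to use that file unless its ACL is restricted to SYSTEM and Administrators, so key logon silently fails if the permissions are left at the defaults.

```powershell
# Added example, not from the original post: enable Windows' native OpenSSH server on a DC
# so an administrator can still get a shell via a key in authorized_keys when domain
# (Kerberos/LDAP) logons are unavailable. Assumes Windows Server 2019 or later.
# Run in an elevated PowerShell on the domain controller.

# 1. Install and start the OpenSSH Server capability (shipped with Server 2019+).
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Set-Service -Name sshd -StartupType Automatic
Start-Service -Name sshd

# 2. Make PowerShell the default shell for SSH sessions, so the ActiveDirectory
#    module (installed with the AD DS role) is usable without launching
#    powershell.exe by hand after logging in.
New-ItemProperty -Path 'HKLM:\SOFTWARE\OpenSSH' -Name DefaultShell `
    -Value 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
    -PropertyType String -Force | Out-Null

# 3. Administrators are matched against administrators_authorized_keys, not the
#    per-user file. sshd ignores it unless only SYSTEM and Administrators have access.
$AuthKeys = 'C:\ProgramData\ssh\administrators_authorized_keys'
$PubKey   = 'ssh-ed25519 AAAA...replace-with-your-public-key... admin@homelab'  # placeholder
Add-Content -Path $AuthKeys -Value $PubKey -Encoding ascii

$acl = Get-Acl -Path $AuthKeys
$acl.SetAccessRuleProtection($true, $false)                 # stop inheriting ACEs
$acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) | Out-Null }
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $AuthKeys -AclObject $acl

# 4. The capability normally creates the inbound rule; recreate it if it is missing.
if (-not (Get-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' `
        -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 | Out-Null
}

# 5. From a workstation: ssh administrator@dc01
#    Once in, the AD cmdlets work as usual, e.g.:
#    Get-ADDomainController -Filter * | Select-Object Name, IsGlobalCatalog

# 6. The DSRM account from the post is separate from all of this. Its password is
#    set during promotion and can be rotated later interactively with:
#    ntdsutil "set dsrm password" "reset password on server null" q q
```

Verify the key path with `ssh -v administrator@dc01`: if the ACL step was skipped, sshd logs that it ignores `administrators_authorized_keys` because of bad ownership or modes, and authentication falls through to a password prompt, which is exactly what you cannot satisfy when the directory is down.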
MigratingtoLemmy@lemmy.world 9 months ago
Thanks, great to know about Restore Mode.