DC Demotion Question
-
@tiagom said in DC Demotion Question:
If you are there to restore it.
No, it takes weeks for the cache to time out. Literally, by default, nothing goes down at all. No need to be there to restore. No need to restore right away. Just... whenever you get around to it.
What do you have fail when AD goes down?
-
@tiagom said in DC Demotion Question:
What happens if you are out to lunch, or vacation?
Nothing. Because no clients stop working. The glory of AD, it's easy to make redundant and the redundancy isn't even needed for normal usage. Once clients are authenticated, they stay authenticated.
-
Good points.
In my environment I use AD for other services like VPN and version control, and if AD goes down those services are also affected.
It's a give and take, I guess. I could have the services independent of each other, but then I'm stuck managing multiple account databases and that is messy at best.
-
@tiagom said in DC Demotion Question:
In my environment I use AD for other services like VPN and version control, and if AD goes down those services are also affected.
You use AD for VPN? We use VPN for AD
-
Originally it was using SonicWall's built-in user database, but it was messy. On hires and fires we needed to go to multiple systems to enable/disable their access. Users would constantly forget their passwords as they had different accounts/passwords for each service.
Now... you need VPN, version control, CRM, MRP, etc.? Just add the user to the appropriate group. When someone leaves or gets fired, now I just need to disable their account and boom, we are done.
-
@tiagom said in DC Demotion Question:
Good points.
In my environment I use AD for other services like VPN and version control, and if AD goes down those services are also affected.
It's a give and take, I guess. I could have the services independent of each other, but then I'm stuck managing multiple account databases and that is messy at best.
That's a good point. We also authenticate the VPN against AD.
-
But ultimately, it definitely means taking a bit of a risk.
But as a SOHO/SMB, I think it's safe.
You probably are in the same boat as the only IT guy where you are.
-
@tiagom said in DC Demotion Question:
Originally it was using SonicWall's built-in user database, but it was messy. On hires and fires we needed to go to multiple systems to enable/disable their access. Users would constantly forget their passwords as they had different accounts/passwords for each service.
That's why we use keys, no user interaction, very secure. And it only exposes AD after the connection is secure.
-
@BRRABill Yup, same boat. Solo IT guy.
-
@scottalanmiller I agree that is superior, but I would still have issues with the other services.
-
@tiagom said in DC Demotion Question:
@scottalanmiller I agree that is superior, but I would still have issues with the other services.
How crippling are those other services? Do they affect everyone, or just a few people?
-
Varies by service. But some of them can have engineers or our manufacturing floor at a standstill.
-
@tiagom said in DC Demotion Question:
Varies by service. But some of them can have engineers or our manufacturing floor at a standstill.
Can't you replicate those services on other servers and leave AD singular?
-
Why isn't there an open source product that can replicate AD? That would solve all our problems!
-
The services authenticate against AD using LDAP.
-
@BRRABill said in DC Demotion Question:
Why isn't there an open source product that can replicate AD? That would solve all our problems!
There is. Samba4 functions as AD completely. LDAP will replicate it, like FreeIPA.
-
@tiagom said in DC Demotion Question:
The services authenticate against AD using LDAP.
So you have double dependencies, if either AD or LDAP fails everything goes down?
-
I happened to have spare licenses already in house, so it was the "simplest" solution.
-
It is a single dependency as I understand it. If AD goes down I can't use an LDAP query against it.
-
@tiagom said in DC Demotion Question:
It is a single dependency as I understand it. If AD goes down I can't use an LDAP query against it.
That's one dependency. But you depend on LDAP as well. What if LDAP goes down?
AD needs LDAP, LDAP needs AD. It's an "and" not an "or".
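The thread keeps coming back to two questions: how many domain controllers actually answer LDAP for the services that depend on it, and what keeps working on a workstation while no DC is reachable. The following PowerShell is an added example written for this page, not code from anyone in the thread. It assumes a domain-joined Windows machine with the ActiveDirectory RSAT module installed and an account that can read the domain; the domain name and DC hostnames come from the environment at run time, nothing is hard-coded.

```powershell
# Added example: map the LDAP/DC dependency discussed in the thread.
# Assumes: domain-joined host, ActiveDirectory RSAT module, .NET System.DirectoryServices.Protocols.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

# 1. Enumerate every DC in the domain. One entry here means every LDAP-backed
#    service (VPN, version control, CRM, MRP...) shares a single point of failure.
$dcs = Get-ADDomainController -Filter *
Write-Host ("Domain controllers found: {0}" -f $dcs.Count)

# 2. For each DC, check that the LDAP ports are open AND that an actual LDAP bind
#    succeeds. An open port without a working bind is exactly the "LDAP is down but
#    the box is up" case raised at the end of the thread.
$report = foreach ($dc in $dcs) {
    $tcp389 = (Test-NetConnection -ComputerName $dc.HostName -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
    $tcp636 = (Test-NetConnection -ComputerName $dc.HostName -Port 636 -WarningAction SilentlyContinue).TcpTestSucceeded

    $bindOk = $false
    try {
        # Bind with the current (Kerberos/Negotiate) credentials; throws if LDAP does not answer.
        $conn = New-Object System.DirectoryServices.Protocols.LdapConnection("$($dc.HostName):389")
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        $conn.Bind()
        $bindOk = $true
        $conn.Dispose()
    } catch {
        Write-Warning ("LDAP bind to {0} failed: {1}" -f $dc.HostName, $_.Exception.Message)
    }

    [pscustomobject]@{
        DC        = $dc.HostName
        Site      = $dc.Site
        Ldap389   = $tcp389
        Ldaps636  = $tcp636
        BindOk    = $bindOk
    }
}
$report | Format-Table -AutoSize

# 3. Which DC is this client currently locked onto? Services configured with a single
#    DC hostname instead of the domain DNS name never fail over, even if a second DC exists.
nltest /dsgetdc:$env:USERDNSDOMAIN

# 4. How many distinct domain users can still log on here with cached credentials
#    while every DC is unreachable? Windows default is 10 (stored as a string).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
Write-Host ("CachedLogonsCount on this workstation: {0}" -f ($(if ($cached) { $cached } else { 'not set (default 10)' })))
```

Run it once per site from a machine that sits where the dependent services sit. If the report shows a single DC, or several DCs but the service configurations point at one hostname rather than the domain name or a server list, then adding a second DC is the part of the fix that actually removes the dependency the thread is arguing about. The cached logon count explains the "nothing goes down for workstations" point: interactive logons survive a DC outage, while the LDAP-backed services, which bind on every request, do not.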