
    DC Demotion Question

      scottalanmiller @Dashrender

      @Dashrender said in DC Demotion Question:

      FYI, Don't think you can sync this to Azure AD though if you wanted single sign on with O365... but then again, neither would you be able to use your 2003 servers, you'd have to upgrade to Win Server 2012(R2).

      Never looked into that, it might work. The sync tool would need a place to run though.

        tiagom

        For some reason I thought that cached credentials expire, which is obviously not the case. Don't know where I picked that up from.

          scottalanmiller @tiagom

          @tiagom said in DC Demotion Question:

          For some reason I thought that cached credentials expire, which is obviously not the case. Don't know where I picked that up from.

          They do, or can, but it isn't fast. Certainly not in the weeks category. It's configurable on each workstation via GPO. But by default, they are designed to let you work offline for a very, very long time. Remember that workers who go out of the office need to be able to keep working on laptops without network access for potentially months by default.

            coliver @tiagom

            @tiagom said in DC Demotion Question:

            For some reason I thought that cached credentials expire, which is obviously not the case. Don't know where I picked that up from.

            I don't think, by default, cached credentials expire.

              scottalanmiller @coliver

              @coliver said in DC Demotion Question:

              @tiagom said in DC Demotion Question:

              For some reason I thought that cached credentials expire, which is obviously not the case. Don't know where I picked that up from.

              I don't think, by default, cached credentials expire.

              Maybe they never do. I've got one system that's been off of AD for years and still works on cached creds, but it is 2003.

                tiagom

                I looked it up before I posted and it doesn't seem possible to make cached credentials expire. That's why I found it so odd that I thought they did expire.

                  scottalanmiller @tiagom

                  @tiagom said in DC Demotion Question:

                  I looked it up before I posted and it doesn't seem possible to make cached credentials expire. That's why I found it so odd that I thought they did expire.

                  Well I thought that there was a way to expire them, too. That is very weird.

                    scottalanmiller

                    https://social.technet.microsoft.com/Forums/sharepoint/en-US/87e84872-c321-4b8c-b13d-0d60a003c3d3/how-long-does-windows-cache-domain-user-passwords?forum=winserversecurity

                    Yup, looks like once you get a machine off of AD physically, you can attack it forever.

                      travisdh1 @scottalanmiller

                      @scottalanmiller said in DC Demotion Question:

                      https://social.technet.microsoft.com/Forums/sharepoint/en-US/87e84872-c321-4b8c-b13d-0d60a003c3d3/how-long-does-windows-cache-domain-user-passwords?forum=winserversecurity

                      Yup, looks like once you get a machine off of AD physically, you can attack it forever.

                      Wow, just, wow.

                        tiagom

                        There's some built-in safety from my understanding. The cached credentials are hashed twice, so at best they would only have access to that computer, it does not compromise the security of AD.

                          scottalanmiller @travisdh1

                          @travisdh1 yeah, I don't like that.

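The workstation-side setting behind the cached-credential discussion above is the policy "Interactive logon: Number of previous logons to cache", stored as `CachedLogonsCount` under the Winlogon key; it limits how many logons are cached rather than how old they may be. The following is an added example, not code from any poster in this thread, that audits the value and can optionally lower it; the function name and the `-MaxAllowed` threshold of 2 are assumptions chosen for illustration.

```powershell
# Added example, not from the thread. Audits (and optionally sets) the policy
# "Interactive logon: Number of previous logons to cache".
# Test-CachedLogonPolicy and $MaxAllowed = 2 are hypothetical, for illustration.
function Test-CachedLogonPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateRange(0, 50)][int]$MaxAllowed = 2,
        [switch]$Enforce
    )
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $name = 'CachedLogonsCount'

    # Stored as REG_SZ; 0 disables caching, 50 is the maximum.
    $raw   = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    $count = 0
    $isSet = [int]::TryParse([string]$raw, [ref]$count)
    # Fall back to the documented client default when the value is absent or unparsable.
    if (-not $isSet) { $count = 10 }

    $compliant = $count -le $MaxAllowed
    if ($Enforce -and -not $compliant -and
        $PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Set $name to $MaxAllowed")) {
        # Needs an elevated session. A domain GPO will overwrite a local change.
        Set-ItemProperty -Path $key -Name $name -Value ([string]$MaxAllowed) -Type String
        $count     = $MaxAllowed
        $compliant = $true
    }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        CachedLogons = $count
        Explicit     = $isSet
        MaxAllowed   = $MaxAllowed
        Compliant    = $compliant
    }
}

# Report only:
Test-CachedLogonPolicy -MaxAllowed 2
# Preview the change without writing anything:
Test-CachedLogonPolicy -MaxAllowed 2 -Enforce -WhatIf
```

Lowering the count does not remove entries that are already cached until later logons displace them, and a value of 0 stops laptops from logging on with domain accounts while off the network.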
                            BRRABill @dafyre

                            @dafyre said in DC Demotion Question:

                            As far as I can tell, you can use the Windows RSAT stuff to manage the SAMBA4 domain controllers, GPOs should work... Dang.. I need to spin one up now, lol.

                            Let us know how that goes.

                              wirestyle22 @dafyre

                              @dafyre said in DC Demotion Question:

                              As far as I can tell, you can use the Windows RSAT stuff to manage the SAMBA4 domain controllers, GPOs should work... Dang.. I need to spin one up now, lol.

                              Interested in seeing this

                                BRRABill @wirestyle22

                                @wirestyle22 said

                                Interested in seeing this

                                @scottalanmiller said he is going to do a writeup someday (soon?) on this process. (Replacing AD with Samba.)

                                I'll probably give it a go. We're down to less than 20 employees, so if it burns, it burns.

                                  wirestyle22 @BRRABill

                                  @BRRABill said in DC Demotion Question:

                                  @wirestyle22 said

                                  Interested in seeing this

                                  @scottalanmiller said he is going to do a writeup someday (soon?) on this process. (Replacing AD with Samba.)

                                  I'll probably give it a go. We're down to less than 20 employees, so if it burns, it burns.

                                  Is SAMBA4 better in a windows only environment or is it simply the best solution for hybrid environments?

                                    travisdh1 @wirestyle22

                                    @wirestyle22 said in DC Demotion Question:

                                    @BRRABill said in DC Demotion Question:

                                    @wirestyle22 said

                                    Interested in seeing this

                                    @scottalanmiller said he is going to do a writeup someday (soon?) on this process. (Replacing AD with Samba.)

                                    I'll probably give it a go. We're down to less than 20 employees, so if it burns, it burns.

                                    Is SAMBA4 better in a windows only environment or is it simply the best solution for hybrid environments?

                                    In a Windows only environment, I don't know if it really makes sense. Assuming you have the license in place already, why not use the native platform? Doesn't mean a SAMBA DC doesn't make all kinds of sense when you don't have the licensing in place already.

                                      wirestyle22 @travisdh1

                                      @travisdh1 said in DC Demotion Question:

                                      @wirestyle22 said in DC Demotion Question:

                                      @BRRABill said in DC Demotion Question:

                                      @wirestyle22 said

                                      Interested in seeing this

                                      @scottalanmiller said he is going to do a writeup someday (soon?) on this process. (Replacing AD with Samba.)

                                      I'll probably give it a go. We're down to less than 20 employees, so if it burns, it burns.

                                      Is SAMBA4 better in a windows only environment or is it simply the best solution for hybrid environments?

                                      In a Windows only environment, I don't know if it really makes sense. Assuming you have the license in place already, why not use the native platform? Doesn't mean a SAMBA DC doesn't make all kinds of sense when you don't have the licensing in place already.

                                      Well, you need to maintain said licensing (i.e. refreshes etc.). I'd rather move to SAMBA and use the licensing for other stuff or spend less if possible.

                                        scottalanmiller @travisdh1

                                        @travisdh1 said in DC Demotion Question:

                                        @wirestyle22 said in DC Demotion Question:

                                        @BRRABill said in DC Demotion Question:

                                        @wirestyle22 said

                                        Interested in seeing this

                                        @scottalanmiller said he is going to do a writeup someday (soon?) on this process. (Replacing AD with Samba.)

                                        I'll probably give it a go. We're down to less than 20 employees, so if it burns, it burns.

                                        Is SAMBA4 better in a windows only environment or is it simply the best solution for hybrid environments?

                                        In a Windows only environment, I don't know if it really makes sense. Assuming you have the license in place already, why not use the native platform? Doesn't mean a SAMBA DC doesn't make all kinds of sense when you don't have the licensing in place already.

                                        They have licensing for 2003. This is a free update.

                                          BRRABill @scottalanmiller

                                          @scottalanmiller said

                                          They have licensing for 2003. This is a free update.

                                          Huh?

                                            wirestyle22 @BRRABill

                                            @BRRABill said in DC Demotion Question:

                                            @scottalanmiller said

                                            They have licensing for 2003. This is a free update.

                                            Huh?

                                            He means I'm always going to have licensing in place
