DC Demotion Question
-
@scottalanmiller said in DC Demotion Question:
@tiagom said in DC Demotion Question:
What happens if you are out to lunch, or vacation?
Nothing. Because no clients stop working The glory of AD, it's easy to make redundant and the redundancy isn't even needed for normal usage. Once clients are authenticated, they stay authenticated.
Sure, I suppose this is true for AD itself - but the other services that go along with AD are generally pretty critical.
Personally I've never seen AD fail without a whole box failure.
-
@BRRABill said in DC Demotion Question:
@scottalanmiller said in DC Demotion Question:
@BRRABill said in DC Demotion Question:
Is there some sort of migration tool?
There is no migration. You just add Samba to the domain and remove Windows. You are not migrating to or from anything.
What? That can't be possible.
Scott's actually been posting this info for a few years now.
FYI, Don't think you can sync this to Azure AD though if you wanted single sign on with O365... but then again, neither would you be able to use your 2003 servers, you'd have to upgrade to Win Server 2012(R2).
-
@dafyre said in DC Demotion Question:
As far as I can tell, you can use the Windows RSAT stuff to manage the SAMBA4 domain controllers, GPOs should work... Dang.. I need to spin one up now, lol.
That's correct, because it implements the AD interfaces so all the same tools keep working.
-
@Dashrender said in DC Demotion Question:
I know I'm 17 hours late back to this, but this is amazaing to me. They had AD go down for weeks and didn't notice? What was doing DNS for them? I am guessing they weren't using that AD server for DNS, otherwise they would have noticed ASAP. If they weren't using AD for DNS, then why did they even have AD in the first place?
DNS failed over to public. That's trivial to do. First DNS is AD1, second DNS is AD2, tertiary is Google.
-
@Dashrender said in DC Demotion Question:
I know I'm 17 hours late back to this, but this is amazaing to me. They had AD go down for weeks and didn't notice? What was doing DNS for them? I am guessing they weren't using that AD server for DNS, otherwise they would have noticed ASAP. If they weren't using AD for DNS, then why did they even have AD in the first place? Did they really need it? Perhaps they did need it, but not for the end users, but instead for other services, in which case a claim that it was down and no one noticed for weeks would be like saying that third car you have that you only drive once a month or less was broken, but you didn't realize it until you tried to use it, but when telling the story, you failed to mention that you drive it less than once a month making the situation seem more dire.
AD is only needed for normal computing when someone signs onto a computer for the first time and/or when they do an action like changing a password or if you add on an additional dependency to it. The standard use case for AD has no impact under normal conditions unless your users are regularly moving to new workstations that they have not used anytime recently. So for a normal SMB, AD has no direct impact when down.
AD authentication caches on the workstations. So AD Authentication will easily work for weeks or months should AD be down, it's specifically designed for this resiliency.
Think of AD like DHCP. If your DHCP has really long leases, no one normally notices even if DHCP is down for days, no one is impacted under normal conditions. But it doesn't mean that DHCP isn't really used, it just is a resilient service that doesn't cause disaster just because one component of the infrastructure is off line for an extended period of time.
Under the basic use situations, AD is designed to be able to go offline for an extended period of time with little or no impact. It's how it is designed.
-
@Dashrender said in DC Demotion Question:
FYI, Don't think you can sync this to Azure AD though if you wanted single sign on with O365... but then again, neither would you be able to use your 2003 servers, you'd have to upgrade to Win Server 2012(R2).
Never looked into that, it might work. The sync tool would need a place to run though.
-
For some reason i though that cached credentials expire, which is obviously not the case. Don't know where i picked that up from.
-
@tiagom said in DC Demotion Question:
For some reason i though that cached credentials expire, which is obviously not the case. Don't know where i picked that up from.
They do, or can, but it isn't fast. Certainly not in the weeks category. It's configurable on each workstation via GPO. But by default, they are designed to let you work offline for a very, very long time. Remember that workers who go out of the office need to be able to keep working on laptops without network access for potentially months by default.
-
@tiagom said in DC Demotion Question:
For some reason i though that cached credentials expire, which is obviously not the case. Don't know where i picked that up from.
I don't think, by default, cached credentials expire.
-
@coliver said in DC Demotion Question:
@tiagom said in DC Demotion Question:
For some reason i though that cached credentials expire, which is obviously not the case. Don't know where i picked that up from.
I don't think, by default, cached credentials expire.
Maybe they never do. I've got one system that's been off of AD for years and still works on cached creds, but it is 2003.
-
I looked it up before i posted and it doesn't seem possible to make cached credentials expire. That's why i found it so odd that i thought the did expire.
-
@tiagom said in DC Demotion Question:
I looked it up before i posted and it doesn't seem possible to make cached credentials expire. That's why i found it so odd that i thought the did expire.
Well I thought that there was a way to expire them, too. That is very weird.
-
Yup, looks like once you get a machine off of AD physically, you can attack it forever.
-
@scottalanmiller said in DC Demotion Question:
Yup, looks like once you get a machine off of AD physically, you can attack it forever.
Wow, just, wow.
-
Theres some built in safety from my understanding. The cached credentials are hashed twice, so at best they would only have access to that computer, it does not comprise the security of AD.
-
@travisdh1 yeah, I don't like that.
-
@dafyre said in DC Demotion Question:
As far as I can tell, you can use the Windows RSAT stuff to manage the SAMBA4 domain controllers, GPOs should work... Dang.. I need to spin one up now, lol.
Let us know how that goes.
-
@dafyre said in DC Demotion Question:
As far as I can tell, you can use the Windows RSAT stuff to manage the SAMBA4 domain controllers, GPOs should work... Dang.. I need to spin one up now, lol.
Interested in seeing this
-
@wirestyle22 said
Interested in seeing this
@scottalanmiller said he is going to do a writeup someday (soon?) on this process. (Replacing AD with Samba.)
I'll probably give it a go. We're down to less than 20 employees, so if it burns, it burns.
-
@BRRABill said in DC Demotion Question:
@wirestyle22 said
Interested in seeing this
@scottalanmiller said he is going to do a writeup someday (soon?) on this process. (Replacing AD with Samba.)
I'll probably give it a go. We're down to less than 20 employees, so if it burns, it burns.
Is SAMBA4 better in a windows only environment or is it simply the best solution for hybrid environments?