I’m curious as to why someone would need to do that short of having a bunch of users and a small office at home. Or maybe managing the family’s computers is easier that way?
I was considering a domain controller (biased towards linux since most servers/VMs are linux) but right now, for the homelab, it just seems like a shiny new toy to play with rather than something that can make life easier/more secure. There’s also the problem of HA and being locked out of your computer if the DC is down.
Tell me why you’re running it and the setup you’ve got that makes having a DC worth it.
Thanks!
I do, for a multitude of reasons
- Easier management of family computers
- an authoritative source for Authentik SSO
- Learning experience, I’m also heavy Linux, but I try to maintain an OS agnostic philosophy with my skill set so I can have options in my career
- I was bored
- Again, since I like to maintain an OS agnostic philosophy I have a healthy mix of Windows, Linux and MacOS devices, and you CAN in fact join Linux (w/ SSSD) and MacOS to a domain too
In addition to what others have said with roaming profiles and such:
DO NOT SET YOUR AD DOMAIN AS THE SAME DOMAIN OF A WEB ADDRESS YOU USE
I…er…someone… Found themselves in this situation and have been in a mess since lmao
Can you explain your disclaimer? You suggest not setting your AD domain to a web address you use, like one for self hosted sites? So you buy 2 domains, one for AD and one for sites? Or you use an internal domain for AD?
AD is heavily reliant on the DNS protocol, so heavily in fact that a large component of an AD deployment is a DNS server.
So basically, when the AD DNS server takes over on your network It’ll do DNS things as you’d expect, when it gets a DNS call with the AD domain it will answer with the AD server every time
If your AD domain and your web address domain are domain.com then whenever the AD DNS server gets theh call it won’t answer with the IP address of the web server, it’ll answer with the AD server, even when you are trying to access a web service like domain.com/Plex or something.
You can change the DNS server used on the host, but then you’ll be borkin domain functionality in weird ways
Yea, you’d want an entirely different domain or an internal like domain.lan or in my case what I should have done is made it a subdomain like ad.domain.com
And also it’s a bitch to change the AD domain once you get it all setup hence I’ve been procrastinating with hosts file workarounds lmfao
In shorter terms to what the other comment said, your website won’t work in networks that use DNS served by your DC. The website is fine on the Internet, but less so at home or at an office/on a VPN if you’re an enterprise.
“I can’t go to example.com on the VPN!” was a semi common ticket at my last company 🙃
All the descriptions are right and techniques. Microsoft sometimes refers to this is split-brain and their documentation.
Organizations that choose not to do that use an active directory specific subdomain like some of the other comments mentioned. Example: adds. Company.tld.
Computer1.adds.company.tld. Dc1.adds.cimoany.tld.
Others doing split domain are
Adds.company.internal
To deploy AD, that depends.
If you like to sail the high seas AND aren’t trying to use it for a business, then no.
If you don’t want to sail the high seas or need to use it for a business, then yes, you’ll need to buy a Windows Server license
You can have ad dc on samba, without windows. Nice all in one solution is UCS univention, works really well and free: https://www.univention.com/products/ucs/
Even in docker, last time i tried this, it was buggy: https://github.com/Fmstrat/samba-domain
Thank you for the wonderful comment.
Indeed, I was hoping to have a good SSO setup alongside learning about AD and domain services (also looking at the *nix alternatives like FreeIPA).
Could you tell me more about the DNS setup with regards to AD? I’d like to use my own DNS and not have AD be the DNS provider in my network. The idea to put it in its own subdomain is excellent and I’ll remember that.
People here also mention an increase in attack surface and security vulnerabilities in running AD/domain services on a network. Now, I agree that letting free access to the domain server and having rogue accounts causing havoc on the network is not great, but I’d like to know more. What has been your experience?
Not the original commenter, but I don’t understand how that would increase your attack surface. The AD is inside the network, and if an attacker is already in, you’re compromised. There might be way to refrence a DNS server with a windows server, but then you’re running windows and your life is now much more difficult.
As per DNS, the AD server must be the DNS provider. If you run something like nethserver in a VM you can use it as a dns & ad server.
The domain thing, the AD server is the authorative for its domain. So if you set it as top level, like myhouse.c()m, it will refrence all dns requests to itself, and any subdomains will not appear. The reccomended way to get around this is to use a subdomain, like ad.myhouse.c()m. Or, maybe you have a domain name to burn and you just want to use that?
Thanks, you’re the second person who spoke about Neth server to me. I’ll take a look.
I was planning to create a subdomain for it anyway, it’s just that I was misled that if I didn’t give it control over DNS for the network it wouldn’t function properly. That doesn’t seem to be case (which I’m glad for).
I do not quite understand how the attack surface is increased other than running Windows on my network. I will have to look deeper into it myself.
Thanks
You’re overlooking a very common reason that people setup a homelab - practice for their careers. Many colleges offer a more legitimate setup for the same purpose, and a similar design. But if you’re choosing to learn AD from a free/cheap book instead of a multi-thousand dollar course, you still need a lab to absorb the information and really understand it.
Granted, AD is of limited value to learn these days, but it’s still a backbone for countless other tools that are highly relevant.
I ran it previously because I came from that world and I just thought that’s what you did. I was less Linux-y then. It’s really overkill for such a small network but if you want to learn AD then it might be worth it. Personally I hope to never look at AD again but alas I need moneyz.
If you do decide to run it make sure you enable profile caching in group policy, it will prevent you from being locked out when your DC is down. Also if you have laptops you can safely bring them outside your network and they will still be able to log in.
Keep in mind that AD, Office, and Exchange is he holy trinity of getting hacked in the last years.
I run AD at home but it’s because my job is in enterprise software engineering and so running these programs in my home lab requires AD integrations. It’s also needed for HyperV and SCVMM along with things like SQL server auth and GMSA which I can’t get out of testing. Ironically most of my work is in open source/Linux but Windows servers are all over the Enterprise so I don’t have a choice but to run this stuff. No real users on it and just used for the lab.