this post was submitted on 13 Feb 2024
70 points (91.7% liked)

Selfhosted

40154 readers
597 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I'm curious as to why someone would need to do that short of having a bunch of users and a small office at home. Or maybe managing the family's computers is easier that way?

I was considering a domain controller (biased towards linux since most servers/VMs are linux) but right now, for the homelab, it just seems like a shiny new toy to play with rather than something that can make life easier/more secure. There's also the problem of HA and being locked out of your computer if the DC is down.

Tell me why you're running it and the setup you've got that makes having a DC worth it.

Thanks!

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 10 points 9 months ago (2 children)

You could look at freeIPA or something similar to stay on Linux.

I'm an AD specialist, starting when it came out with server 2000, and can tell you it's a waste of time for a home network unless you are doing this just because you want to learn it.

It will definitly not make your life any easier, and will increase attack vectors, especially if you don't know how to secure and protect it.

[–] [email protected] 3 points 9 months ago (1 children)

I agree that for this size of network AD is definitely not something you want to deal with unless you want to learn how it works.

However, I'm not sure it really increases attack vectors to have it running, outside of the fact that it's a new network service on the LAN. The out of the box default configuration is not bad these days, security-wise

[–] [email protected] 4 points 9 months ago (2 children)

The attack vectors I'm thinking of just come from the inherent complexity and centralization. I'm just considering the amount of damage that can be done with a compromised DA account for example vs a non directory environment.

It's complicated. Done right it can be more secure, not done right it's less secure.

I also only get brought in for problems for the last however many years, so I'm probaby a bit biased at this point haha.

I have had to tell companies they are going to have to rebuild thier AD from scratch because they didn't know what thier DSRM password was (usually after a ransomware attack). These are the sort of hassles I think about vs non AD.

[–] [email protected] 2 points 9 months ago

For the rest of us: DSRM

[–] [email protected] 1 points 9 months ago

I'll keep that in mind, thank you

[–] [email protected] 1 points 9 months ago

Thank you. I was planning to keep my domain controller offline (not connected to the internet) and run a WSUS to update it, but I'll keep that in mind. Indeed, I could use FreeIPA too, and I'll probably need to consider if it's even worth it to run a DC at all. It just seemed like a really solid idea for learning more about DCs, but indeed, now that I think about it, it doesn't have much use in a homelab other than the people running mini datacenters in their labs.

Thanks!