I had it running in a genuine small office environment with 8 employees, who all need to run Windows due to some software constraints.

Policy management and user account controls are great for security, and remote management via rdp is also neat.

I ran it previously because I came from that world and I just thought that’s what you did. I was less Linux-y then. It’s really overkill for such a small network but if you want to learn AD then it might be worth it. Personally I hope to never look at AD again but alas I need moneyz.

If you do decide to run it make sure you enable profile caching in group policy, it will prevent you from being locked out when your DC is down. Also if you have laptops you can safely bring them outside your network and they will still be able to log in.

You could look at freeIPA or something similar to stay on Linux.

I’m an AD specialist, starting when it came out with server 2000, and can tell you it’s a waste of time for a home network unless you are doing this just because you want to learn it.

It will definitly not make your life any easier, and will increase attack vectors, especially if you don’t know how to secure and protect it.

Not AD proper but a compatible controller Linux distro to tie the desktops to, plus common credentials across several services. Just simplifies things not having a dozen different logins.

I set up FreeIPA at home. Similar in principle to AD.

I do, for a multitude of reasons

• Easier management of family computers
• an authoritative source for Authentik SSO
• Learning experience, I’m also heavy Linux, but I try to maintain an OS agnostic philosophy with my skill set so I can have options in my career
• I was bored
• Again, since I like to maintain an OS agnostic philosophy I have a healthy mix of Windows, Linux and MacOS devices, and you CAN in fact join Linux (w/ SSSD) and MacOS to a domain too

In addition to what others have said with roaming profiles and such:

DO NOT SET YOUR AD DOMAIN AS THE SAME DOMAIN OF A WEB ADDRESS YOU USE

I…er…someone… Found themselves in this situation and have been in a mess since lmao

I do. 4 or 5 users and several computers plus virtual server members. I still use Linux for DNS which works surprisingly well after the initial setup.

I did it half for practice and half for fun, but having the authentication backend makes it good enough to keep around.

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters More Letters DNS Domain Name Service/System SSO Single Sign-On VPN Virtual Private Network

[Thread #507 for this sub, first seen 13th Feb 2024, 02:55] [FAQ] [Full list] [Contact] [Source code]

Personally I use FreeIPA for my LDAP. I like that I can create sudoers rules from one centralized place and manage ssh keys across all clients. Granted I could just use Ansible I suppose, which is how I update multiple distributions in my network and online but I like that I can just change SSH keys and sudoers from one place easily instead of changing tasks/roles. I also usually run cockpit even on my non-Red Hat distros with SSH keys just so I don't have to log into everything though it is somewhat limited outside of the Red Hat sphere.

If you don't want to use ProxMox or some other specialized HyperVisor ecosystem, you can also use Cockpit to manager your VMs along with your Pods. I wish there'd be more attention to it for features because it feels like it could do a lot more.

I also don't really worry about locking myself out for two reasons:

I use SSH keys.

I also have a break-glass local account on every system...with SSH keys. If its on your local network, you can use VNC/VM console/Remote Desktop with a local account while only allowing SSH with keys if you'd like. Just make sure if you're going to allow remote access outside of your network that you never forward the VNC/RDP ports. For SSH when I do this I always pick some random port -- never default and never common ones like 2222 to at least keep my logs less noisy from the botnet auto attacks.

For my online VPS' I use a firewall with geoIP from Maxmind and drop all ports but 443 from the world, except for whatever country I'm in. I drop all packets from certain countries that seem to auto-attack more often than others. I try to drop packets from all known (to me) Shodan scanners. If I'm not traveling I just restrict all other ports to my public IP's subnet though my IP hasn't changed for years. For status checking services like StatusCake, I use the "push" method instead using a simple cron job with curl instead of relying on servers around the world checking my ports. In this case, the services just check that my server has successfully hit them within X minutes to be "up".

If you do go for samba ad dc

You’re overlooking a very common reason that people setup a homelab - practice for their careers. Many colleges offer a more legitimate setup for the same purpose, and a similar design. But if you’re choosing to learn AD from a free/cheap book instead of a multi-thousand dollar course, you still need a lab to absorb the information and really understand it.

Granted, AD is of limited value to learn these days, but it’s still a backbone for countless other tools that are highly relevant.

Im out of the loop here. What’s an AD? 🤔

Keep in mind that AD, Office, and Exchange is he holy trinity of getting hacked in the last years.

Uh, why use a Microsoft product that doesn’t even tie into the rest of the selfhosted services very well? There are easier and way better solutions for SSO and web services. And I don’t have a pool of 30 windows laptops that’d need to share a set of login credentials and software rollout.

I’m running truenas scale with truecharts and I manage all users and groups with the LLDAP chart, which is an stripped down version of ldap. I’m considering deploying another server and running 389ds with replication to increase the features and to learn more about ldap, but overall lldap covers all my necessities regarding user and group managment in all my homelab apps

I think I’m the most ridiculous, but for the same career reasons as the rest:

Active directory, yes, plus: Azure cloud sync with entra active directory Hybrid exchange on prem and office/exchange online.

For better or worse, large enterprise isn’t going away from M$.

Also, I have transparent proxy sophos IPS, security Onion IDS, Trellix ePO, and other security products all being integrated for info security testing.

Not suggesting this is normal, just my test/dev playground I don’t have to worry about breaking.

I am, and I’m using Neth Server. I use it only for an AD, TrueNAS for file storage and a few VMs, portainer for applications. It was for practice, but Neth makes it so easy, why not? And it can help with some LDAP applications (but I haven’t set them up yet)

I in fact run a AD domain controller *and *a rhel IDM controller. For me other then it is fun to play with, makes it a load more simple to manage the user accounts of my famalie. Also auto mounting network shares and setting a few policys for updates and security is great to from a central location. having SSO for many if my services also makes it more easy to use for the fam. The rhel IDM controller I use to manage a few user accounts. I also use it to manage the ssh keys and set sudo rules on all my servers.