Active Directory integration and a centralized account management (so-called “multi-site”)

v7
activedirectory

(John Willison) #1

NethServer Version: 7
Module: account providers
So what does this actually mean? “Active Directory integration and a centralized account management (so-called “multi-site”)”

I have 20 sites that all have a vpn connection between each site and a central site. I stood up a NS7 server as an AD Domain controller (isolated environment with minimal workstations that would join the domain) with users.

I have stood up a NS7 server at a remote location. I would like the server to replicate the AD users and groups across the VPN so that location users can authenticate against it instead of going across the wire in the event there are outages, tunnel drops or latency across the tunnel.
I would also like to push group policies from central to the remote locations.
Is there any comprehensive way of achieving this?


(Markus Neuberger) #2

Hello @Citizen_X,

Maybe do it with virtualization and replication. So you may clone/replicate/back up the NethServer DC VM to your remote location. When there is an outage you may just start the backed-up VM and adjust DNS settings at the remote location to point to the backed-up NethServer. Just an idea, but I didn’t try it…


(Davide Principi) #3

No, at the moment only a single DC can be configured from the web UI. In the future we’d like to also support multiple-DC environments: are you interested in running an experiment?

BTW, for multi-site we meant connecting NS to a remote accounts DB.


(John Willison) #4

Sure! Wait, what kind of experiment? LOL! I have found a lot on the Samba 4 site and using RSAT tools to configure it, but it seems a bit involved with DNS bind and AD Sites and Services (IP links and new sites). My RSAT tools on my domain-connected workstation can’t even create a new site at all on the server, which seems to be my first problem.

I have a few sites I can run these tests and experiments with across the fiber VPNs. I did pick up another dev server this weekend I can do another install on for any of this testing. Until then, I think I will facilitate the single DC for the 20 existing sites. I don’t think it will be a solid solution when we reach the planned 80 sites over the next 5 yrs for a single DC to saddle the workload across VPNs (fiber and 100x10 cable connections).

As far as the virtualization goes, not a bad idea for a DRP. What I am looking to do is set up the primary DC as a physical server with firewall services, and then I should do a P2V of that server in the event I need to do a quick recovery and turn-up. Paired with the server backups, it should work great. I would like to run the locals as VMs on a VMware hypervisor (those sites have decent firewalls already installed) for quick VM backups.

Let me know what you think; I am game for some experimenting to advance the functionality of this platform.


(Davide Principi) #5

You could configure an additional DC following the procedure documented on our wiki:

https://wiki.nethserver.org/doku.php?id=howto:add_ns7_samba_domain_controller_to_existing_active_directory

I recommend you don’t install any other module because the restore procedure is not consistent for multi DC domains. If the DC node crashes, simply remove it from the domain and replace it with a new one following instructions on the Samba wiki.

As said, we’d like to enhance the restore procedure to support multiple DCs. It’s a sensible point that needs to be evaluated carefully, and some experience in the field is welcome.

If you feel I answered your questions, please mark this #support request as solved. We should open a new #feature discussion about it!