Samba AD for Cloud and Office

Thinking of creating an AD on a server with Proxmox in the cloud, but with the strong probability of also managing Windows clients with the domain and Samba shares in an office. I suppose that the remote server could handle the Samba shares and the domain, but for speed and availability I ask myself whether I should not have a NethServer locally in the office for the Samba shares.

Hence, if I have two NethServers, where will the AD be, in the cloud or in the office?

If the AD is in the cloud, is it (more) difficult to add a computer to the Windows domain? Of course I will have a VPN tunnel between the cloud and the office.

Don’t know if you have some feedback.

@stephdl

Salut Stéphane

See this:

This is a client of mine in Switzerland, running NethServer on Proxmox - like you plan to…

In ZH (Zurich) There are 35 Users, in GE (Genève) 10 Users and in (LU) Lugano another 3 users…

All sites are interconnected with VPNs, all backups are at all three sites. (Offsite backups always at two other sites).

The interesting part:

There is only one site with a Proxmox and NethServer: ZH. GE and LU only have a local NAS, but the users and their PCs are registered in NethServer’s AD.

Even if the VPN to Zurich is down, all users at the other sites can still log in - even if the AD is temporarily not available… (Using cached authentication, a standard part of MS).

Note: We do not use roving profiles in Windows… (Too slow over WAN…)

If we’re not talking about 50 users, place the AD where you want. If you have a lot of users, place the AD where the most users are!

I think this should answer your basic questions - and shows that NethServer CAN support 50-60 Users partly over WAN!

Note: To make use of the AD as LDAP authentication, you will need to make sure your AD uses valid LE SSL certs.
Copy procedure needed with renew “hook”, as per here:

Search for this: “The next step will make sure that java and other more strict apps can connect to the AD and use it”…

This is especially valid for Java, and some PHP Apps…

:slight_smile:

My 2 cents
Andy

PS: AD should NOT be open to the full Internet! You can, if needed, open it up to another server with static IP (Use firewall / Trusted networks!), but best is only internal and VPN access…

3 Likes

You may split AD and shares too, but in this case I’d put both in the office.
This way you speed up user logins on clients and working with files.

1 Like

Do you know how long / how many times the clients can still log in to Windows 10 when the AD is not available?

1 Like

OK, I think I found the info: - cached-domain-logon-information

2 Likes

@fausp

But with Proxmox and PBS backups, NethServer itself has been well available (last 4 years!).
The only issue is if the Internet itself is down, but it’s a business subscription, and the largest provider in Switzerland… So it generally works…

My 2 cents
Andy

I have a customer who travels a lot and I wish I could set the limit from 50 to unlimited.
I guess I have to use local accounts on his notebook…

@fausp

Hi

Provide your customer with the best of both worlds:

  • An AD User as primary local user.
  • A local user, with an (almost) identical user-profile
  • OpenVPN with Viscosity

You can e.g. use these tools ( https://www.forensit.com/downloads.html ) to copy over the profile with all settings (make a clone of the user’s profile, as local user)…
There are “free” versions of the tools.

The User normally uses the AD profile. If that doesn’t work, the local profile is always available.
The advantage “behind the scenes”? - The Notebook is still an AD member!

My 2 cents
Andy

Hi Andy,

Cool, thank you for the hint. I will test the tool next week… :sunglasses:

1 Like

The issue is to forbid people from using a local account with administrative permissions; moreover, GPOs can help a lot to create the settings I need: map network shares, forbid USB keys, block users from self-installing exe files, …

Just playing yesterday with RSAT and that was fun :smiley:

By the way, is it possible to convert a local user to a domain user? I can only clone the settings of a local user to a domain user.

@stephdl

Salut Stéphane

As said, these Windows Profiles tools can help you backup / restore / create a “master” profile (like linux /etc/profile)…

https://www.forensit.com/downloads.html

You can use them to “copy” a user-profile. AFAIK, due to the differing SIDs, a user can NOT be converted from Domain to Local or vice versa…

Microsoft Windows combines the SID and UID to a “global” SID:
Machine-Security-ID & User-ID = “global” SID
or
AD-Security-ID & User-ID = “global” SID

This results in different Users for the system. The “shown” username is not really used, the SID is relevant, as in Linux the UID…

My 2 cents
Andy

Yep, that was what I thought first, but the project is to start with some cloud applications; however, when we started to speak about roaming profiles, my first thought was to get shares locally. In the office for now there is only a Synology that handles SMB shares, IIUC.