I’m curious as to why someone would need to do that short of having a bunch of users and a small office at home. Or maybe managing the family’s computers is easier that way?
I was considering a domain controller (biased towards linux since most servers/VMs are linux) but right now, for the homelab, it just seems like a shiny new toy to play with rather than something that can make life easier/more secure. There’s also the problem of HA and being locked out of your computer if the DC is down.
Tell me why you’re running it and the setup you’ve got that makes having a DC worth it.
Thanks!
AD is heavily reliant on the DNS protocol, so heavily in fact that a large component of an AD deployment is a DNS server.
So basically, when the AD DNS server takes over on your network It’ll do DNS things as you’d expect, when it gets a DNS call with the AD domain it will answer with the AD server every time
If your AD domain and your web address domain are domain.com then whenever the AD DNS server gets theh call it won’t answer with the IP address of the web server, it’ll answer with the AD server, even when you are trying to access a web service like domain.com/Plex or something.
You can change the DNS server used on the host, but then you’ll be borkin domain functionality in weird ways
Yea, you’d want an entirely different domain or an internal like domain.lan or in my case what I should have done is made it a subdomain like ad.domain.com
And also it’s a bitch to change the AD domain once you get it all setup hence I’ve been procrastinating with hosts file workarounds lmfao
That is the correct answer.
If I remember correctly that is best practise, no? It was something.local or *.intern for years, until TLDs could be whatever you wanted them to be.
Do not use made up domains for anything these days. It will make it a pain if you ever need a certificate for that domain that isn’t self-signed.
.local is reserved for mDNS responses, don’t use that.
It’s more than best practice. Your active directory controllers want to be the resolvers for their members, separate from other zones such as external MX records or the like. Your AD domain should always be a separate zone, aka a subdomain. “ad.example.com”.
If your DCs are controlling members at the top level, you’ll eventually run into problems with Internet facing services and public NS records.
Also per below. You can’t get commercially signed certificates for fake domains. Self hosting certificate authorities is a massive pain in the ass. Don’t try unless you have a real need, like work-related learning.
Yeah, a subdomain is perfectly fine. I’ve been running it that way myself for quite a while.
If you do end up running your AD domain as contoso.com, and a public website also at contoso.com, there are ways around it. For example, you could use www.contoso.com for the website (just like the old days!) and either forward that zone to the external DNS servers, or create a local copy (not recommended).