Selfhosted

39893 readers

358 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago

MODERATORS

[email protected]

Anybody here running AD on-prem in your homelab? (lemmy.world)

submitted 8 months ago by [email protected] to c/[email protected]

76 comments fedilink hide all child comments

I'm curious as to why someone would need to do that short of having a bunch of users and a small office at home. Or maybe managing the family's computers is easier that way?

I was considering a domain controller (biased towards linux since most servers/VMs are linux) but right now, for the homelab, it just seems like a shiny new toy to play with rather than something that can make life easier/more secure. There's also the problem of HA and being locked out of your computer if the DC is down.

Tell me why you're running it and the setup you've got that makes having a DC worth it.

Thanks!

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 15 points 8 months ago (1 children)

made it a subdomain

That is the correct answer.

[–] [email protected] 2 points 8 months ago (2 children)

If I remember correctly that is best practise, no? It was something.local or *.intern for years, until TLDs could be whatever you wanted them to be.

[–] [email protected] 1 points 8 months ago

Do not use made up domains for anything these days. It will make it a pain if you ever need a certificate for that domain that isn't self-signed.

[–] [email protected] 1 points 8 months ago* (last edited 8 months ago)

.local is reserved for mDNS responses, don't use that.

It's more than best practice. Your active directory controllers want to be the resolvers for their members, separate from other zones such as external MX records or the like. Your AD domain should always be a separate zone, aka a subdomain. "ad.example.com".

If your DCs are controlling members at the top level, you'll eventually run into problems with Internet facing services and public NS records.

Also per below. You can't get commercially signed certificates for fake domains. Self hosting certificate authorities is a massive pain in the ass. Don't try unless you have a real need, like work-related learning.