DC Demotion Question

scottalanmiller

@tiagom said in DC Demotion Question:

I looked it up before i posted and it doesn't seem possible to make cached credentials expire. That's why i found it so odd that i thought the did expire.

Well I thought that there was a way to expire them, too. That is very weird.

scottalanmiller

https://social.technet.microsoft.com/Forums/sharepoint/en-US/87e84872-c321-4b8c-b13d-0d60a003c3d3/how-long-does-windows-cache-domain-user-passwords?forum=winserversecurity

Yup, looks like once you get a machine off of AD physically, you can attack it forever.

travisdh1

@scottalanmiller said in DC Demotion Question:

https://social.technet.microsoft.com/Forums/sharepoint/en-US/87e84872-c321-4b8c-b13d-0d60a003c3d3/how-long-does-windows-cache-domain-user-passwords?forum=winserversecurity

Yup, looks like once you get a machine off of AD physically, you can attack it forever.

Wow, just, wow.

tiagom

Theres some built in safety from my understanding. The cached credentials are hashed twice, so at best they would only have access to that computer, it does not comprise the security of AD.

scottalanmiller

@travisdh1 yeah, I don't like that.

BRRABill

@dafyre said in DC Demotion Question:

As far as I can tell, you can use the Windows RSAT stuff to manage the SAMBA4 domain controllers, GPOs should work... Dang.. I need to spin one up now, lol.

Let us know how that goes.

wirestyle22

@dafyre said in DC Demotion Question:

As far as I can tell, you can use the Windows RSAT stuff to manage the SAMBA4 domain controllers, GPOs should work... Dang.. I need to spin one up now, lol.

Interested in seeing this

BRRABill

@wirestyle22 said

Interested in seeing this

@scottalanmiller said he is going to do a writeup someday (soon?) on this process. (Replacing AD with Samba.)

I'll probably give it a go. We're down to less than 20 employees, so if it burns, it burns.

wirestyle22

@BRRABill said in DC Demotion Question:

@wirestyle22 said

Interested in seeing this

@scottalanmiller said he is going to do a writeup someday (soon?) on this process. (Replacing AD with Samba.)

I'll probably give it a go. We're down to less than 20 employees, so if it burns, it burns.

Is SAMBA4 better in a windows only environment or is it simply the best solution for hybrid environments?

travisdh1

@wirestyle22 said in DC Demotion Question:

@BRRABill said in DC Demotion Question:

@wirestyle22 said

Interested in seeing this

@scottalanmiller said he is going to do a writeup someday (soon?) on this process. (Replacing AD with Samba.)

I'll probably give it a go. We're down to less than 20 employees, so if it burns, it burns.

Is SAMBA4 better in a windows only environment or is it simply the best solution for hybrid environments?

In a Windows only environment, I don't know if it really makes sense. Assuming you have the license in place already, why not use the native platform? Doesn't mean a SAMBA DC doesn't make all kinds of sense when you don't have the licensing in place already.

wirestyle22

@travisdh1 said in DC Demotion Question:

@wirestyle22 said in DC Demotion Question:

@BRRABill said in DC Demotion Question:

@wirestyle22 said

Interested in seeing this

@scottalanmiller said he is going to do a writeup someday (soon?) on this process. (Replacing AD with Samba.)

I'll probably give it a go. We're down to less than 20 employees, so if it burns, it burns.

Is SAMBA4 better in a windows only environment or is it simply the best solution for hybrid environments?

In a Windows only environment, I don't know if it really makes sense. Assuming you have the license in place already, why not use the native platform? Doesn't mean a SAMBA DC doesn't make all kinds of sense when you don't have the licensing in place already.

Well, you need to maintain said licensing (ie refreshes etc). I'd rather move to SAMBA and use the licensing for other stuff or spend less if possible

scottalanmiller

@travisdh1 said in DC Demotion Question:

@wirestyle22 said in DC Demotion Question:

@BRRABill said in DC Demotion Question:

@wirestyle22 said

Interested in seeing this

@scottalanmiller said he is going to do a writeup someday (soon?) on this process. (Replacing AD with Samba.)

I'll probably give it a go. We're down to less than 20 employees, so if it burns, it burns.

Is SAMBA4 better in a windows only environment or is it simply the best solution for hybrid environments?

In a Windows only environment, I don't know if it really makes sense. Assuming you have the license in place already, why not use the native platform? Doesn't mean a SAMBA DC doesn't make all kinds of sense when you don't have the licensing in place already.

They have licensing for 2003. This is a free update.

BRRABill

@scottalanmiller said

They have licensing for 2003. This is a free update.

Huh?

wirestyle22

@BRRABill said in DC Demotion Question:

@scottalanmiller said

They have licensing for 2003. This is a free update.

Huh?

He means I'm always going to have licensing in place

BRRABill

Well, I DCPROMOed the one physical DC last night. Nothing seems to have burned down.

I was having some DNS issues, but I think it was due to the fact that my machine was pointing to the demoted DC (which obviously had the DNS role installed) and it had been gutted by DCPROMO. I removed the role and everything seems OK thus far.

Though very few users are here. I'll feel better by like 10AM.

JaredBusch

@BRRABill said in DC Demotion Question:

Well, I DCPROMOed the one physical DC last night. Nothing seems to have burned down.

I was having some DNS issues, but I think it was due to the fact that my machine was pointing to the demoted DC (which obviously had the DNS role installed) and it had been gutted by DCPROMO. I removed the role and everything seems OK thus far.

Though very few users are here. I'll feel better by like 10AM.

Did you update DHCP to no longer pass out the old DC as a DNS option?

Did you go through all the static IP devices and remove the old DC DNS info from them?

BRRABill

@JaredBusch said in DC Demotion Question:

@BRRABill said in DC Demotion Question:

Well, I DCPROMOed the one physical DC last night. Nothing seems to have burned down.

I was having some DNS issues, but I think it was due to the fact that my machine was pointing to the demoted DC (which obviously had the DNS role installed) and it had been gutted by DCPROMO. I removed the role and everything seems OK thus far.

Though very few users are here. I'll feel better by like 10AM.

Did you update DHCP to no longer pass out the old DC as a DNS option?

Did you go through all the static IP devices and remove the old DC DNS info from them?

Yes and hopefully.

BRRABill

Everything is still running fine.

Next step will be to P2V this puppy and get it on XS.

Then I'll be even happier!

BRRABill

Did you know...

Apparently it's a PITA to transfer DHCP to an existing DC?

(Countdown to someone saying "just install in on a Linux box" in 5...4...3...)

coliver

@BRRABill said in DC Demotion Question:

Did you know...

Apparently it's a PITA to transfer DHCP to an existing DC?

(Countdown to someone saying "just install in on a Linux box" in 5...4...3...)

It is? How so? You can easily backup the DHCP scopes and restore them to the new DC, decom the old one and turn up the new one. I've done it twice in the past without any issues.