LinuxQuestions.org

Passive 01-28-2005 10:42 AM

Using Linux as a domain controller for a W2K3 domain.
 
Hi All,

At my office, we have a small Windows 2003 domain. Locally, we use very few network services. The domain master is also the file, DHCP, and DNS server.
We also have a second server, running Red Hat and hosted offsite, that holds our website, email, and some other things. I would like to find a way to unify the user accounts on these machines, so users have a single username and password across all of our network services.
I imagine there would be significant security concerns related to actually doing the authentication on our remote server?
Related to that, we have a third, local Red Hat server, and I was thinking perhaps if we could synchronize our users between the local and remote Linux servers, then we could use the local Linux as a domain controller.

This is all very abstract right now, and I imagine is a fairly large undertaking. Any advice or pointers would be appreciated.

Thanks.

cowanrl 01-28-2005 04:51 PM

I'm a little unsure on how many locations you are talking about. Are "at my office" and "locally" the same place or are they 2 separate locations?

If "locally" is a different location than "at my office", how are the machines at "locally" connecting to "at my office"? Do they authenticate to the domain controller?

What kind of connection, if any, do you have between the location of the offsite Red Hat server hosting web/e-mail and the office?

Passive 01-28-2005 05:39 PM

At the office and locally are the same place.

Currently, all authentication (for local network services) is done by a Win2K3 domain controller.

The offsite server is accessed over the internet.

cowanrl 01-28-2005 06:01 PM

A Samba server cannot function as a domain controller in a Win2k3 AD domain.

Since the 3rd local Red Hat server is at the same location as the AD domain controller, the best thing to do is to make it a member server of the AD domain. You can then use winbind so that there is no need to create any local user accounts on the Red Hat server. All authentication to the Red Hat server would be done by the AD domain controller.

Here are some links on how to do that:

http://www.justlinux.com/forum/showt...hreadid=118920

http://www.justlinux.com/forum/showt...hreadid=118288

http://www.justlinux.com/forum/showt...hreadid=118512

If you can do it, using the ADS security mode would be the most secure.

Unless you have a secure VPN connection to your offsite Web server, I wouldn't recommend trying to make it a member of your AD domain. You would have to open up the authentication ports to the Internet, which would create a severe security risk.
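
A minimal smb.conf for the setup described in the post above (the local Red Hat box as an AD member server using winbind and the ADS security mode), added here as an illustration and not taken from the thread or the linked guides. The realm EXAMPLE.LOCAL, workgroup EXAMPLE, interface eth0, subnet 192.168.1.0/24 and the ID ranges are assumed placeholders, and the idmap syntax is that of current Samba releases.

```ini
# /etc/samba/smb.conf on the local Red Hat member server (constructed example)
[global]
    # Kerberos-based AD membership, not an NT4-style "security = domain" join
    security = ads
    realm = EXAMPLE.LOCAL
    workgroup = EXAMPLE
    kerberos method = secrets and keytab

    # Map AD users and groups to Unix IDs so no local accounts are needed
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999
    winbind use default domain = yes
    winbind refresh tickets = yes
    # Enumeration is not needed for logins and is slow on larger domains
    winbind enum users = no
    winbind enum groups = no
    template shell = /bin/bash
    template homedir = /home/%U

    # Listen on loopback and the LAN interface only, and accept LAN clients only
    interfaces = lo eth0
    bind interfaces only = yes
    hosts allow = 127. 192.168.1.

# After saving, as root on the member server:
#   1. Keep the clock in sync with the domain controller (Kerberos requires it).
#   2. net ads join -U Administrator
#   3. Add "winbind" to the passwd: and group: lines in /etc/nsswitch.conf
#   4. Start winbindd, then verify with:  wbinfo -t   and   getent passwd <AD user>
```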


All times are GMT -5.