Getting rid of AD while keeping Domain permission functionality

Question

Here's the go;

We have a server here at work, and its quite a powerful piece of kit. It would be better off being used as a workstation as we need the grunt. It is high-end consumer stuff so it would make this transition nicely.

All it is being used for is NFS and Active Directory in a Hyper-V VM. Hyper-V to me is very memory hungry considering we have an install of WS2008R2 to host it. As we have only 5-8 office employees accessing it at any one time, it seems quite overpowered.

So, I am suggesting we trim down our server to a smaller, quieter, less consuming HP Proliant Microserver which has the redundancy and grunt we need. It will only be running FreeNAS and possibly a slimmed down Ubuntu distro to host a Dropbox sync service 24/7. All this would be on top of the free vSphere single CPU.

Only thing is, it would be nice to retain the domain-based user rights in our windows installs to throttle local admin rights, and retain a central account system.

I had a look at OpenLDAP and couldnt find any obvious pathway. Is there anything that gives these features of AD without using AD?

Answer 1

As far as I know, Windows clients cannot join anything other than a full Active Directory domain. (Central Kerberos authentication to a generic KDC is somewhat possible, but very tricky and requires local accounts anyway, since non-AD KDCs do not send the necessary account information (the PAC, if I remember correctly)).

Instead of Windows Server, however, you could test Samba 4, which can act as an AD domain controller. Although it's far from perfect, the latest release – 4.0 rc3 – should be stable enough for basic operation.