
I'm planning to create an Active Directory domain using Samba. Tentatively, it is to be within a private LAN.

I have practically no experience administering AD domains, so I want to know how they will behave outside the network, as there are going to be member laptops permitted to be taken off the premises.

  • Are the data encrypted by default or do I have to GPO it to be so?
  • Will it need access to the DC every time a user needs to log in? Does a DC have to be accessible over a public IP?

Please mention anything of interest relating to the topic at hand.

Oxwivi
  • What clients will be connected to the Domain? – CharlesH Sep 15 '15 at 12:38
  • @CharlesH Windows 8 and up (new devices; employees used personal devices before one stole data and quit). There are Macs, but there is no point in joining them without being able to enforce GPO-like security policies. – Oxwivi Sep 15 '15 at 13:04

1 Answer


Sorry this became too long for a comment...

Thanks for the further information.

Your Microsoft encryption option is BitLocker, so two things:

Firstly, you NEED to be able to recover from BitLocker, so do not turn it on until you have a way to recover keys and decrypt the HDs in emergencies. I find the best way is to enable BitLocker keys in AD so they are tied to AD objects to allow easy recovery.

Secondly, you can deploy on a large scale using GPO, but you must use the Microsoft VBS script and push this out in a Computer Policy. You can download the VBS script from Microsoft.

In terms of DC authentication, this is only required at first login*; the Windows desktop will then cache the credentials and use them if it cannot see the DC.

*Please remember that password expiration, etc. will be cached and when that password expires the machine will require DC authentication again to enable login so do not think you can take the machine off the network forevermore!

CharlesH
  • Microsoft data encryption for hard drives at rest is BitLocker. Encryption for data in use or at rest regardless of location is RMS (and, for honorable mention, EFS is encryption at rest in a multi-user system). – Jim B Sep 15 '15 at 14:26
  • IMO EFS is not relevant in this question, it is used for individual folders not as a global rollout policy. RMS is not a bad shout but very complicated and hard to implement for what sounds like a very small environment. – CharlesH Sep 15 '15 at 14:39
  • RMS is very easy to implement; it should take less than an hour (not including a new server install if required), or zero setup if it's small enough for the free cloud RMS. EFS is only there as a side note. – Jim B Sep 15 '15 at 16:06
  • Just to clarify, why do I need a VBS script to deploy in large-scale? Do I need it in a domain with only 15~20 members? Lastly, can you link it in your answer? – Oxwivi Sep 16 '15 at 08:28
  • We don't normally use links as they can become redundant which means the site will be full of dead links. You don't have to push bitlocker via GPO and use the script you can just turn it on manually on each machine it is purely your choice. To help you out here is probably the best guide out there for deploying bitlocker via GPO https://4sysops.com/archives/set-up-active-directory-for-bitlocker-part-1-introduction/ – CharlesH Sep 16 '15 at 08:34
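The answer above makes two practical points: back up BitLocker recovery keys to AD before enabling encryption, and rely on cached domain credentials for laptops that leave the LAN. The script below is an added example, not code from the question, the answer, or Microsoft; it is the check an admin would run on one domain-joined Windows 8+ laptop to confirm both. It assumes an elevated PowerShell session with the built-in BitLocker module, that the "Store BitLocker recovery information in Active Directory Domain Services" policy is already applied, and that the directory carries the BitLocker recovery schema (the ms-FVE-RecoveryInformation class; verify this against your Samba build before relying on it). The `$MountPoint` parameter and the function names are the example's own.

```powershell
# Added example: escrow BitLocker recovery passwords to AD and report how many
# domain logons Winlogon will still accept while no DC is reachable.
# Assumptions: elevated session, BitLocker module present (Windows 8 / Server
# 2012 and later), domain-joined machine that can currently reach a writable DC.
param(
    [string]$MountPoint = 'C:'   # example parameter, not a value from the page
)

function Get-RecoveryPasswordProtector {
    param([string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if (-not $vol) { throw "No BitLocker volume found at $MountPoint" }
    # Only the 48-digit numeric recovery password is escrowed to AD.
    # TPM / PIN protectors stay on the device and cannot be recovered centrally.
    $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}

function Backup-RecoveryPasswordToAD {
    param([string]$MountPoint)
    $protectors = @(Get-RecoveryPasswordProtector -MountPoint $MountPoint)
    if ($protectors.Count -eq 0) {
        # Create a recovery password first. Do this BEFORE turning protection on
        # so a recoverable key exists from the moment the disk is encrypted.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $protectors = @(Get-RecoveryPasswordProtector -MountPoint $MountPoint)
    }
    foreach ($p in $protectors) {
        # Writes an ms-FVE-RecoveryInformation object under the computer account.
        # Fails if the machine is off-network: escrow while still on the LAN.
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        "Escrowed recovery password protector $($p.KeyProtectorId) for $MountPoint"
    }
}

function Get-CachedLogonsCount {
    # Winlogon keeps cached verifiers for the last N interactive domain logons.
    # Unset means the default of 10; 0 means every logon needs a reachable DC.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $v = (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $v) { return 10 }
    return [int]$v
}

$status = Get-BitLockerVolume -MountPoint $MountPoint
"Volume $MountPoint : ProtectionStatus=$($status.ProtectionStatus) EncryptionPercentage=$($status.EncryptionPercentage)"
Backup-RecoveryPasswordToAD -MountPoint $MountPoint
"CachedLogonsCount = $(Get-CachedLogonsCount)"
```

Run it once per laptop while the machine is on the LAN (escrow needs a writable DC at that moment), then check the computer object in AD for the recovery information before rolling out encryption. A CachedLogonsCount above zero is what lets the laptop log on away from the office without the DC being reachable, so there is no need to expose a DC on a public IP; the caveat from the answer still applies, since an expired or changed password requires contact with a DC before the cached entry is refreshed.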