I need some help finding a good solution to this problem. I know AD just fine, but admittedly, I'm not an expert. And I know I don't want to expose it to the internet...

I inherited a workforce at my new company (~100 employees, all Mac) that often works remote. Every laptop authenticates to the Active Directory. Works great(ish). However, when users go remote, they sometimes need to leave their laptop with another employee who doesn't have a laptop (for reasons). The problem is that employee 2 can't log in to employee 1's laptop because the computer cannot contact the AD. There are no cached creds for employee 2 because it's the first time he's logged in to this particular machine.

Normally VPN is the solution, but without being able to log in to the computer first, you can't log in to the VPN. Are there any solutions that I should look into, not involving persistent VPN, to help with this? I don't want to expose AD or LDAP to the wider internet, but the bottom line is that I need to be able to authenticate from there without VPN.

Also, just to add a layer of complexity on top of this... the domain I inherited is a "domain.local". Not too big of an issue (I can work around some of the normal Mac problems); however, I see this causing an issue when trying to contact dc.domain.local from the internet.

Can anyone smarter than me point me in the right direction for a solution (without a lecture on bad practice, etc)?

blindy
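The failure described in the question comes down to which accounts on a given Mac are Active Directory mobile accounts with locally cached credentials: only those users can log in while the machine cannot reach a domain controller. Before a laptop leaves the office it is worth checking that list. The following script is an added example, not code from the thread or from either poster. It assumes macOS, where `dscl . -list /Users AuthenticationAuthority` prints each local record with its authentication authority string, and that mobile accounts carry the `;LocalCachedUser;` token in that string. The sample output embedded below is constructed, not captured from a real machine, so the parsing runs on any POSIX shell.

```shell
#!/bin/sh
# Added example (not from the original thread): find which local accounts on a Mac
# are AD mobile accounts with cached credentials, i.e. who can still log in offline.
# Assumes macOS `dscl`; the parsing is exercised below on constructed sample output.

# Read `dscl . -list /Users AuthenticationAuthority` output from stdin and print the
# user name of every record whose authority string contains ;LocalCachedUser;.
list_cached_users() {
  awk '/;LocalCachedUser;/ { print $1 }'
}

# Read the same dscl output from stdin; return 0 if the named user has cached
# credentials (can log in without reaching the domain), 1 otherwise.
can_login_offline() {
  user="$1"
  awk -v u="$user" '
    $1 == u && /;LocalCachedUser;/ { found = 1 }
    END { exit (found ? 0 : 1) }'
}

# Constructed sample of dscl output (placeholder values, not from a real machine):
# "admin" is a local account, "alice" is an AD mobile account with cached creds,
# "bob" is a local account, and "carol" has never logged in here at all.
SAMPLE='admin ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>
alice ;Kerberosv5;;alice@CORP.LOCAL;CORP.LOCAL; ;LocalCachedUser;/Active Directory/CORP/corp.local:alice:UUID-PLACEHOLDER;
bob ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

# Wrappers that feed the constructed sample, so the logic can be checked off-Mac.
sample_cached_users() { printf '%s\n' "$SAMPLE" | list_cached_users; }
sample_can_login_offline() { printf '%s\n' "$SAMPLE" | can_login_offline "$1"; }

# On a real Mac, query the local directory node; elsewhere, show the sample result.
if [ "$(uname)" = "Darwin" ] && command -v dscl >/dev/null 2>&1; then
  dscl . -list /Users AuthenticationAuthority | list_cached_users
else
  sample_cached_users
fi
```

Run it on the laptop before handing it over: if the second employee's name is not in the output, that user will be locked out once the machine is off the corporate network, exactly the situation the question describes.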

1 Answer

I'm posting as an answer due to lack of reputation, but it's more of a thinking-out-loud response. Apple Configurator and Profile Manager have an "Always-On VPN" option. However, it only works on "Supervised" devices. I don't know whether laptops can be supervised. Also, you need a VPN server that supports IKEv2.

Profile Manager

Joe
The OP did mention "Are there any solutions that I should look into not involving persistent VPN to help with this?". There are plenty of persistent VPN solutions out there, but he specifically does not want one. – Reaces Feb 01 '16 at 19:40