How to organize access to files on storage outside the domain?
Greetings to all Toaster users. The essence of the question:
There is a small network; right now there is no domain there, and all the shares and settings are done through one place.
I want to do everything right in my free time (this is the main motivator; I haven't been an admin for a long time and I want to catch up and figure out how to do it right).
I set up a server with Hyper-V. Two virtual machines run on it: DC and DFS (Windows Server 2012 R2 everywhere). This was set up for ease of administration by a (possibly) not very experienced admin later on; I will not work there permanently.
There is no storage as such; it is planned to use the host's resources. The load is not very large anyway: an ordinary file dump plus 1C with network access for 2-3 computers.
What is the correct way to organize access to this network file dump for domain users?
1. Join the host to the domain, and then everything is clear. I don't really like this option.
2. Leave the host outside the domain and somehow play with permissions. I don't understand yet how; how to bind group policies here is also a question.
3. Give the DFS virtual machine a virtual hard disk from the host's capacity, and then everything is clear. But the implementation of such a solution is confusing: a large load on the virtual machine, it will grow to cosmic dimensions on its own, and how can I transfer and deploy it later if necessary? In general, there are some pitfalls.
P.S.
Of course, I would like to have a separate storage system, a highly available cluster and other joys of life, but there are no resources for this.
In the future there will be another low-powered server, again with a hypervisor: DC2 and maybe DFS2 for replication (it's still questionable; it depends on the wishes and the capabilities of the hardware on this server).
Thank you all in advance for the answers and criticism; for now I'm off to Google :)
You either deploy the domain fully or remove it completely; what kind of semi-domain configuration is this?
In general, if without a domain and in a simple way: create 1 user on the server with access rights to the necessary shares, then on the user workstations register this user in "Windows Account Administration", also known as "Credential Manager". If different users need different rights, then you need to create several users with the appropriate rights.
To use all the charms of DFS you need option 1, but you refuse it. There will be no end-to-end authentication without option 1; you can look for utilities (I saw a couple) that encrypt the executable file, and, through the ifmember utility, mount the shared resources for everyone using a specific login and password that you will store in encrypted form. Script in NetLogon and users in the account.
In general, without option 1, it's like shooting sparrows with a cannon.
I am already aware of how to organize things without a domain in a simple way. That is exactly the heresy I am leading this company away from.
I just thought that there might be some other classic solutions to this issue, without joining the host to the domain while still using AD and DFS to the fullest.
Well, I'll probably do it as in option 1; let's see what snags come out with this network architecture.
Thanks everyone.