How to authenticate Windows clients without Active Directory

Posted on 2011-05-02
Last Modified: 2012-05-11
Short history for completeness:

I have an environment where I'm using Windows 2003 servers to create a Windows Active Directory domain that users authenticate to for access to servers/file server resources, etc. The domain is "unregistered", meaning it is not a publicly known domain (at least not mine).

I also use Windows IAS (RADIUS) to authenticate users who wish to access Remote Access VPN tunnels I create via a Cisco PIX firewall.

I am in the process of converting the environment to a publicly known domain (I've already registered the domain and have set up a DNS server). I am considering using open source alternatives to windows authentication/authorization and am considering using LDAP/FreeRADIUS.

I wanted to get feedback from the experts as to whether it's worth the switch and if so, what components I need to use.

I need windows machines to authenticate to a common source (e.g. SSO; Single Sign-On), controlled access to fileshares via Samba and NAS file servers (e.g. Snapserver and NetApp) and Remote Access VPN authentication.

So far it appears I need LDAP and FreeRADIUS, but I'm still at the early stages of investigation.

Any detailed guidance would be greatly appreciated.


John

Question by: tcengineer

Assisted Solution (expert, LVL 8)

    Why are you changing the namespace of the Active Directory domain? Best practice is to use a DNS namespace that does not exist on the Internet, only internally (the external domain is one name; internally all your systems use another, which isn't externally published). Stay with your unregistered domain; it's more secure that way. What would using external DNS space accomplish anyway? You shouldn't be connecting into normal workstations by domain name, and for a server you can have a real-world DNS name resolve to a system and a different internal DNS name for it.

    Samba can emulate a domain controller. However, I would highly recommend against using something other than Windows for a domain controller in any kind of production environment. It's not well supported, a bit buggy at times, and missing features like GPOs.

    I'm actually going the other way: getting rid of a Solaris LDAP server for our Solaris/Linux boxes and just authenticating Windows and *nix with Active Directory. Much simpler.

    Author Comment

    A situation came up that required consistent name resolution/access to a server both internally and externally.

    The requirements for our "production" environment are far less stringent than normal (e.g. GPO isn't needed). Also, we will be providing more externally accessible services, so we decided to set up our own DNS server using views to support multiple network segments.

    John

    Expert Comment (LVL 8)

    If you do share the namespace, be very careful. You can leak some sensitive AD info through DNS, and as such you should never have your AD DNS info accessible from the Internet.

    You can use external DNS namespace internally to get the consistent namespace access.
    Expert Comment (LVL 5)

    I have a similar situation to your requirement. We have the same domain name internally and externally.
    Both are maintained separately; I mean, the external DNS is placed on publicly available systems and contains certain host names with the appropriate public IP addresses, and the internal DNS is AD-integrated.

    As the platform to interact, we used Microsoft Forefront UAG, through which we are publishing content located on SharePoint. That gives us the ability to use the same URL for external and internal people; however, the consequence of that is two places to maintain DNS (which is not that difficult after all).

    Also, one important point speaking for hosting public DNS outside and not replicating the whole content of the internal DNS is security. We have only the required hostnames registered, nothing more, nothing less, which prevents any data leak about internal infrastructure, IP schematics, etc.

    I would still leave computers connected to AD, as it is much simpler from an administration perspective to have those in a domain.

    You should also consider using some kind of presentation layer like Forefront UAG or similar, if possible (of course only if possible; I don't know what exactly you need to publish).

    Author Comment

    I'm currently using a Linux box to host the DNS server and use "views" to separate which hosts are served to which networks (e.g. all hosts are served to the LAN with LAN IP addresses, and only those machines that I want accessible from the Internet are served to the WAN with public IP addresses).

    I do like the idea of using two DNS servers, one for external and one for internal, and understand the need to manage names on two servers, but the external DNS server would be touched far less than the internal one.

    I use a Cisco PIX firewall as my VPN endpoint so Forefront isn't needed.

    The other interest I'd like feedback on is the A/D replacement/alternative. What are the pros and cons of moving away from A/D, and what pieces would I need to replace it with (e.g. LDAP, RADIUS, etc.), considering the original requirements above?

    Thanks for the feedback,

    John

    Accepted Solution (LVL 5)
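    The split-horizon setup discussed above (full zone for the LAN, a deliberately short public zone for the Internet, and no AD/Samba service records leaving the network) as a BIND named.conf excerpt. This is an added example, not configuration from the original post; example.com, the 192.168.0.0/16 LAN range, the file names and the host names are assumptions.

```conf
// named.conf excerpt (added example, not from the original thread).
// Assumed names: example.com, LAN 192.168.0.0/16, zone files under zones/.

acl "lan" { 192.168.0.0/16; 127.0.0.1; };

// LAN clients: full zone, including the directory service records
// (_ldap._tcp, _kerberos._tcp, _msdcs for AD) that must never be public.
view "internal" {
    match-clients { "lan"; };
    recursion yes;
    allow-transfer { 192.168.1.3; };          // internal secondary only
    zone "example.com" {
        type master;
        file "zones/example.com.internal";
    };
};

// Everyone else: only the hosts that are meant to be reachable from outside.
view "external" {
    match-clients { any; };
    recursion no;                             // never an open resolver
    allow-transfer { none; };                 // no AXFR of the public zone
    zone "example.com" {
        type master;
        file "zones/example.com.external";
    };
};

// zones/example.com.external (assumed content): public names only.
// $TTL 3600
// @      IN SOA ns1.example.com. hostmaster.example.com. ( 2011050201 3600 900 1209600 300 )
// @      IN NS  ns1.example.com.
// ns1    IN A   203.0.113.10
// www    IN A   203.0.113.20
// vpn    IN A   203.0.113.30
```

    The order of the views matters: BIND uses the first view whose match-clients matches, so the internal view must come first. After reloading, a query from outside such as `dig @ns1.example.com _ldap._tcp.dc._msdcs.example.com SRV` should return NXDOMAIN; if it returns a record, the internal zone is being served to the public view.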

    As a replacement for AD, I would say the simplest way will be to go for Samba with OpenLDAP.
    That will provide an AD-like environment as well as the flexibility to add more services around it,
    for example easy FreeRADIUS integration, as you have OpenLDAP as the central database.

    In that situation:
     - Computers are joined to the Samba/OpenLDAP "domain"
     - Samba provides communication with Windows computers and allows users to log on to the network
     - OpenLDAP provides the directory service and database to consolidate, store and manage all objects (users, computers, etc.)
     - FreeRADIUS provides the RADIUS service for VPN access. It is integrated with OpenLDAP, as Samba is, so it allows the same username and password as for network access

    Having OpenLDAP, you also have easy integration with a potential database platform (PostgreSQL or MySQL) and web platform (Apache2).

    So, I guess we have SSO achieved, as we will operate on the same directory database.
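    The Samba/OpenLDAP/FreeRADIUS arrangement described in the accepted solution, as an added configuration example (not the poster's own configuration). It assumes a Samba 3.x classic (NT4-style) domain controller with the ldapsam backend, OpenLDAP configured via slapd.conf, FreeRADIUS 2.x with rlm_ldap, and that the PIX sends PAP for its RADIUS requests; all DNs, hostnames, group names and secrets are placeholders.

```conf
## /etc/samba/smb.conf (Samba 3.x PDC, accounts in OpenLDAP)
[global]
   workgroup = EXAMPLE
   netbios name = PDC
   security = user
   domain logons = yes
   domain master = yes
   # All account data lives in OpenLDAP, not in a local smbpasswd/tdb file.
   passdb backend = ldapsam:ldap://ldap.example.com
   ldap suffix = dc=example,dc=com
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   # Bind password is stored once with: smbpasswd -w <secret>
   ldap admin dn = cn=samba,dc=example,dc=com
   ldap ssl = start tls
   # Keep userPassword (Unix/RADIUS) and sambaNTPassword (Windows logon)
   # in step, so one password serves Samba, *nix and the VPN.
   ldap passwd sync = yes
   add machine script = /usr/sbin/smbldap-useradd -w "%u"

## /etc/ldap/slapd.conf (OpenLDAP): hashes are password-equivalent, hide them.
## The attrs rule must precede the catch-all; the first matching rule wins.
access to attrs=userPassword
    by dn.exact="cn=samba,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none
access to attrs=sambaNTPassword,sambaLMPassword
    by dn.exact="cn=samba,dc=example,dc=com" write
    by * none
access to *
    by dn.exact="cn=samba,dc=example,dc=com" write
    by users read
    by * none

## /etc/freeradius/modules/ldap (FreeRADIUS 2.x rlm_ldap)
ldap {
    server = "ldap.example.com"
    identity = "cn=radius,dc=example,dc=com"
    password = "radius-bind-secret"
    basedn = "dc=example,dc=com"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    # Only members of the posixGroup cn=vpn-users may use the VPN,
    # not every account in the directory.
    groupname_attribute = cn
    groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
    tls {
        start_tls = yes
        cacertfile = /etc/ssl/certs/internal-ca.pem
        require_cert = "demand"
    }
}

## /etc/freeradius/sites-available/default (relevant sections only)
authorize {
    preprocess
    ldap
    if (!(Ldap-Group == "vpn-users")) {
        reject
    }
    pap
}
authenticate {
    # The radius DN cannot read userPassword (ACL above), so rlm_ldap sets
    # Auth-Type LDAP and authenticates by binding to OpenLDAP as the user.
    Auth-Type LDAP {
        ldap
    }
    pap
}
```

    With this layout the RADIUS server never holds or reads a password hash; it only proves the user can bind. If the VPN endpoint is later switched to MS-CHAPv2, rlm_ldap would need read access to sambaNTPassword, which is a password-equivalent secret, so that grant should be made deliberately and only to the radius DN.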

    Author Closing Comment

    Thanks for the feedback, folks. You brought up some good points that need consideration.

    Having two separate DNS servers is a point I had not considered but think is a good idea.

    Whether it's MS A/D or Samba/OpenLDAP/FreeRADIUS, I'll need to create that separate server and move servers/systems into that new infrastructure.

    Thanks for the help!

    John
