An interesting and slightly odd build-up.
The benefits are real: on my own Mac, battery life is noticeably longer without the VPN than with it.
The overall concept is very simple: Remote Desktop Gateway carries RDP over SSL/TLS (HTTPS), which means no VPN is needed to reach the internal hosts.
Microsoft has three ways of doing this, but I think extending AD into the perimeter with an RODC is useful either way.
Deploying the RODC is not hard at all: pre-create the RODC machine account and open the required ports, and it will join without trouble.
Joining the member servers is where it gets strange. My approach was to generate the join file with a command on the RODC, then load that file on the target server.
Provision (file generation) / Request (file load) syntax:
djoin /provision /domain <domain_name> /machine <destination computer> /savefile <filename.txt> [/machineou <OU name>] [/dcname <name of domain controller>] [/reuse] [/downlevel] [/defpwd] [/nosearch] [/printblob] [/rootcacerts] [/certtemplate <name>] [/policynames <name(s)>] [/policypaths <Path(s)>]
djoin /requestodj /loadfile <filename.txt> /windowspath <Windows directory> [/localos]
With /localos the blob is applied to the running OS and /windowspath is that OS's own Windows directory (%SystemRoot%); without /localos, /windowspath points at the Windows directory of a mounted offline image.
Once everything is set up, all that remains is adding the RD Gateway role, which is very simple: grant access to the authorized user group in the gateway's authorization policies and it is done.
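The whole procedure above (provision on the RODC, load on the DMZ server, add the role) as one PowerShell run-book. This is an added example, not code from the original post; the domain corp.example.com, the RODC name RODC01, the DMZ host DMZ-RDGW01, the OU and the blob path are all assumptions, and the provision is run on the RODC with /dcname pointing at it because that is what the post describes.

```powershell
# Added example (not from the original post): the offline domain join described
# above, as three functions that run on different hosts. Every name is an assumption.
$Domain = "corp.example.com"
$Rodc   = "RODC01.corp.example.com"

# Run on the RODC as a domain admin: creates the computer account and writes the blob.
function New-DmzJoinBlob {
    param([string]$Machine, [string]$OutFile = "C:\odj\$Machine.txt")
    New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null
    djoin.exe /provision /domain $Domain /machine $Machine `
        /machineou "OU=DMZ Servers,DC=corp,DC=example,DC=com" `
        /dcname $Rodc /savefile $OutFile /reuse   # /reuse: overwrite an existing account
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed (exit $LASTEXITCODE)" }
    # The blob embeds the new machine account password: move it to the DMZ host over an
    # authenticated channel (not a shared DMZ folder) and delete every copy after the join.
    return $OutFile
}

# Run on the DMZ member server as a local administrator.
function Join-DmzServerOffline {
    param([string]$BlobFile)
    # Pre-flight for "open enough ports": the fixed ports a member needs towards the RODC
    # for join and logon (the RPC dynamic range 49152-65535 is needed too but not sampled here).
    $ports = [ordered]@{ DNS = 53; Kerberos = 88; RPC = 135; LDAP = 389; SMB = 445; Kpasswd = 464 }
    $closed = foreach ($p in $ports.GetEnumerator()) {
        if (-not (Test-NetConnection -ComputerName $Rodc -Port $p.Value -InformationLevel Quiet)) { $p.Key }
    }
    if ($closed) { throw "Blocked towards ${Rodc}: $($closed -join ', ')" }

    # /localos with /windowspath %SystemRoot% applies the blob to the running OS.
    djoin.exe /requestodj /loadfile $BlobFile /windowspath $env:SystemRoot /localos
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestodj failed (exit $LASTEXITCODE)" }
    Remove-Item $BlobFile -Force          # never leave the blob on a DMZ disk
    Restart-Computer -Force
}

# Run on the DMZ server after the reboot.
function Confirm-JoinAndAddGateway {
    if (-not (Test-ComputerSecureChannel)) { throw "No secure channel to $Domain" }
    nltest "/sc_query:$Domain"            # shows which DC answered; it should be the RODC
    Install-WindowsFeature RDS-Gateway -IncludeManagementTools
    # The connection and resource authorization policies (CAP/RAP) that restrict the gateway
    # to the authorized user group are then created in RD Gateway Manager, as in the post.
}

# Usage (each call on the host named in its comment):
# New-DmzJoinBlob -Machine "DMZ-RDGW01"
# Join-DmzServerOffline -BlobFile "C:\odj\DMZ-RDGW01.txt"
# Confirm-JoinAndAddGateway
```

The port check is there because a join that fails with a vague "domain could not be contacted" error is almost always a firewall rule between the DMZ and the RODC; checking the fixed ports first saves a round of guessing. The blob is treated as a secret throughout: it is enough to impersonate the machine account until the password rolls over.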
After the setup was complete, I went a step further and replaced the self-signed certificates that Remote Desktop uses for server authentication on every machine in the trusted network with ones signed by the internal CA, so that clients can actually verify the server they connect to instead of clicking through the certificate warning.
Again, the trusted zone was easy to convert, but the member servers in the DMZ need extra steps: install Certificate Enrollment Web Services (with username/password authentication), create a new certificate template for the DMZ, and finally switch the Remote Desktop listener certificate manually from the command line.
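The DMZ part of that procedure in PowerShell: enroll through the username/password policy web service, check the issued certificate is usable for the listener, and point the RDP-Tcp listener at it. This is an added example, not code from the original post. The CEP URL (ces.corp.example.com with the default UsernamePassword policy path), the template name DMZ-RDP-Listener and the assumption that the template builds its subject from AD and grants Enroll to the credential used are all mine; the listener change sets the same Win32_TSGeneralSetting property that the linked KB sets with wmic.

```powershell
# Added example (not from the original post): RDP listener cert for a DMZ server via
# CEP/CES with username/password. URL, template and store location are assumptions.
$CepUrl   = "https://ces.corp.example.com/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP"
$Template = "DMZ-RDP-Listener"

function Request-DmzListenerCert {
    param([pscredential]$Credential = (Get-Credential -Message "Account permitted to enroll $Template"))
    # Username/password to the policy web service: the DMZ box needs no Kerberos path
    # to a writable DC, only HTTPS to the CES/CEP host.
    $result = Get-Certificate -Template $Template -Url $CepUrl -Credential $Credential `
                              -CertStoreLocation Cert:\LocalMachine\My
    if ($result.Status -ne 'Issued') { throw "Enrollment ended in state '$($result.Status)'" }
    return $result.Certificate
}

function Test-ListenerCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # What the listener needs: a private key on this machine, the Server Authentication
    # EKU, and a subject or SAN that matches the name clients type.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $nameOk = ($Cert.Subject -match [regex]::Escape("CN=$fqdn")) -or ($Cert.DnsNameList.Unicode -contains $fqdn)
    return [bool]($Cert.HasPrivateKey -and $hasServerAuth -and $nameOk)
}

function Set-RdpListenerCert {
    param([string]$Thumbprint)
    # Same property the KB sets with wmic (Win32_TSGeneralSetting.SSLCertificateSHA1Hash).
    $filter   = "TerminalName='RDP-Tcp'"
    $listener = Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting -Filter $filter
    Set-WmiInstance -Path $listener.__PATH -Arguments @{ SSLCertificateSHA1Hash = $Thumbprint } | Out-Null
    # Read it back: a silent failure here leaves the self-signed cert in place.
    $now = (Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting -Filter $filter).SSLCertificateSHA1Hash
    if ($now -ne $Thumbprint) { throw "Listener still uses $now" }
}

# Usage (elevated PowerShell on the DMZ server):
# $cert = Request-DmzListenerCert
# if (-not (Test-ListenerCert $cert)) { throw "Certificate is not usable for the RDP listener" }
# Set-RdpListenerCert -Thumbprint $cert.Thumbprint
```

Existing sessions keep the old certificate; new connections pick up the new one. If clients still see a warning afterwards, check that the Remote Desktop service account (NETWORK SERVICE) has Read permission on the new private key and that the name in the certificate is the one the gateway publishes for the server, not a short or alias name.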
References:
Remote Desktop Gateway
RODC Setup: https://technet.microsoft.com/en-us/library/dd728035(WS.10).aspx#run_join_script
Offline Join: https://technet.microsoft.com/en-us/library/offline-domain-join-djoin-step-by-step(WS.10).aspx
Trusted Remote Desktop Auth Certificate: https://www.derekseaman.com/2013/01/creating-custom-remote-desktop-services.html
Certificate Enrollment Web Services
Remote Desktop Listener Certificate: https://support.microsoft.com/en-us/kb/3042780