Assign local IP range to L2TP client connections?

[jlficken]

No one uses AD? You're saying not a single person logs into a Windows or domain connected piece of equipment ever?

I just looked and there is 1 machine that is part of the domain currently out of 3+ dozen machines on the network (mostly lab machines). The issue has always been that the DC machine winds up just being an old box (or a new desktop PC) and when it would go down it was down for days or weeks so you couldn't really trust it. For awhile it was my old development PC that was 7 years old when it was put in place (not my idea) after the even older machine died that was running as the DC before that.


With 10 employees though I don't know that we really need a DC.

[sky-knight]

Centralized password management is always helpful, having to nuke and pave a machine because someone reset the local admin password, and you have no other means to get in... not fun. Sure there are hacks, but the old means of using the accessibility wizard on the home screen after booting to a linux or something no longer work with 1809 / 1903. So no DC means be ready to pave...

That being said, if you're using O365 properly, and the machines are running 1803 or younger, as soon as any O365 login happens the unit is part of AAD, which can fill most of that void but lacks device management. Making up for that via an RMM tool is simple enough, but it still generates additional tickets because the automation provided from Group Policy is no longer an option.

But if your client isn't going to invest in proper infrastructure, the only way you're getting real AD into that place is to put it on a VPS somewhere and connect a VPN to it. I'd run without it myself in those circumstances.

But with so little infrastructure I'm wondering what you need a VPN for now, there's nothing there to connect to.

[jlficken]

I can't recall having anyone forget the local Administrator password but I wouldn't doubt it has happened. If they do and don't have something backed up that they should then I guess that's their problem to deal with as I'm not their boss.

We don't use Office 365 either and still just have standalone Office installed locally (2007, 2013, 2017).

Tickets.....lol. I (or another guy) get a phone call, e-mail, or text (sometimes all 3) when something goes haywire as we are the defacto IT support staff here.

Mainly the client VPN is used for the following:
1) Most people don't have laptops (including me) so we VPN into our work machines if we are working from home or out of the office say on a work trip.
2) Gaining access to lab machines when out of the office.

Site-to-Site is used for backups and camera access to the remote office and so that the remote office can access the lab systems if they need to.

It's not at all ideal but it is usable. It'd help to have an IT budget for machine replacement and infrastructure upgrades but we don't so we work with what we have.

[sky-knight]

Most of my clients work the same way you do, how the ticket comes in is irrelevant, it's still a ticket. Is someone asking for help on something? TICKET!

These things generate tickets... Professional IT people have a job of eliminating ticket sources, basically constantly trying to put themselves out of work.

Now you don't have a ticket tracking system, I don't really either... but still, that's how things are done.