Adding LDAP role to domain controller
-
Remember a few key points...
- AD is an LDAP server. Without LDAP, you can't have AD. So all AD uses LDAP.
- LDAP is just a general purpose query protocol. Can be used for many things.
- AD DS is LDAP but set up in an extremely specific way, with a lot of security, tight organization, features, etc.
- LDAP is a lot like SQL. Generic, can be used for almost anything.
- LDS is a another way to use the same underlying LDAP as AD DS uses, but for a totally different purpose.
-
@scottalanmiller said in Adding LDAP role to domain controller:
AD DS uses LDAP. At its core AD is an LDAP server. LDAP and Kerberos are partners, not competitors. You cant have AD without LDAP.
LDAP is a protocol, Kerberos is cryptographic authentication method.
-
@Obsolesce said in Adding LDAP role to domain controller:
@scottalanmiller said in Adding LDAP role to domain controller:
AD DS uses LDAP. At its core AD is an LDAP server. LDAP and Kerberos are partners, not competitors. You cant have AD without LDAP.
LDAP is a protocol, Kerberos is cryptographic authentication method.
Well, both are protocols. A better wording is...
LDAP is a database query protocol; Kerberos is an authentication protocol.
-
@scottalanmiller said in Adding LDAP role to domain controller:
Remember a few key points...
- AD is an LDAP server. Without LDAP, you can't have AD. So all AD uses LDAP.
- LDAP is just a general purpose query protocol. Can be used for many things.
- AD DS is LDAP but set up in an extremely specific way, with a lot of security, tight organization, features, etc.
- LDAP is a lot like SQL. Generic, can be used for almost anything.
- LDS is a another way to use the same underlying LDAP as AD DS uses, but for a totally different purpose.
Thanks for this helpful info. I realize that I really need to dig a bit deeper and make sure I understand the fundamentals of Windows AD and general administration
-
@scottalanmiller said in Adding LDAP role to domain controller:
@Obsolesce said in Adding LDAP role to domain controller:
@scottalanmiller said in Adding LDAP role to domain controller:
AD DS uses LDAP. At its core AD is an LDAP server. LDAP and Kerberos are partners, not competitors. You cant have AD without LDAP.
LDAP is a protocol, Kerberos is cryptographic authentication method.
Well, both are protocols. A better wording is...
LDAP is a database query protocol; Kerberos is an authentication protocol.
Yeah better said, both protocols.
-
@dbeato So what affect will this new Windows update have in March 2020 if it's in installed on an AD server that is still using the default non secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile ssl vpn via LDAP (ad user account & pw) so I can see how that will affect them and I'm guessing they will be unable to authenticate and therefore not be able to connect to their vpn?
-
@Fredtx said in Adding LDAP role to domain controller:
@dbeato So what affect will this new Windows update have in March 2020 if it's in installed on an AD server that is still using the default non secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile ssl vpn via LDAP (ad user account & pw) so I can see how that will affect them and I'm guessing they will be unable to authenticate and therefore not be able to connect to their vpn?
I don't think it does anything for normal users. Because LDAP protocol is not used on the outside normally.
-
@Fredtx said in Adding LDAP role to domain controller:
@dbeato So what affect will this new Windows update have in March 2020 if it's in installed on an AD server that is still using the default non secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile ssl vpn via LDAP (ad user account & pw) so I can see how that will affect them and I'm guessing they will be unable to authenticate and therefore not be able to connect to their vpn?
The LDAP connection between the SSL VPN and your AD Server is the one affected.
-
@Fredtx said in Adding LDAP role to domain controller:
@dbeato So what affect will this new Windows update have in March 2020 if it's in installed on an AD server that is still using the default non secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile ssl vpn via LDAP (ad user account & pw) so I can see how that will affect them and I'm guessing they will be unable to authenticate and therefore not be able to connect to their vpn?
We have a couple of applications (internal and external) that rely on LDAP for user/group sync so it will break any of those connections that aren't using LDAPS over port 389.
-
@dbeato said in Adding LDAP role to domain controller:
@Fredtx said in Adding LDAP role to domain controller:
@dbeato So what affect will this new Windows update have in March 2020 if it's in installed on an AD server that is still using the default non secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile ssl vpn via LDAP (ad user account & pw) so I can see how that will affect them and I'm guessing they will be unable to authenticate and therefore not be able to connect to their vpn?
The LDAP connection between the SSL VPN and your AD Server is the one affected.
In this instance, The SSL-VPN (with AD connection) would need LDAPS setup which, at minimum, would require a internal Windows CA to be setup correct?
-
@pmoncho said in Adding LDAP role to domain controller:
@dbeato said in Adding LDAP role to domain controller:
@Fredtx said in Adding LDAP role to domain controller:
@dbeato So what affect will this new Windows update have in March 2020 if it's in installed on an AD server that is still using the default non secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile ssl vpn via LDAP (ad user account & pw) so I can see how that will affect them and I'm guessing they will be unable to authenticate and therefore not be able to connect to their vpn?
The LDAP connection between the SSL VPN and your AD Server is the one affected.
In this instance, The SSL-VPN (with AD connection) would need LDAPS setup which, at minimum, would require a internal Windows CA to be setup correct?
Yes, that is correct. We have one set up which was easy enough but there is still some overhead there.. probably easier to just buy a public cert
-
@dave247 said in Adding LDAP role to domain controller:
@pmoncho said in Adding LDAP role to domain controller:
@dbeato said in Adding LDAP role to domain controller:
@Fredtx said in Adding LDAP role to domain controller:
@dbeato So what affect will this new Windows update have in March 2020 if it's in installed on an AD server that is still using the default non secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile ssl vpn via LDAP (ad user account & pw) so I can see how that will affect them and I'm guessing they will be unable to authenticate and therefore not be able to connect to their vpn?
The LDAP connection between the SSL VPN and your AD Server is the one affected.
In this instance, The SSL-VPN (with AD connection) would need LDAPS setup which, at minimum, would require a internal Windows CA to be setup correct?
Yes, that is correct. We have one set up which was easy enough but there is still some overhead there.. probably easier to just buy a public cert
Currently we are on a .local domain and I believe we would need a cert for the DC itself, thus I don't believe I am able to get a public cert. Please correct me if I am wrong of if there is a way around this.
I am not looking forward to creating my own internal CA but I will if needed.
-
@pmoncho said in Adding LDAP role to domain controller:
@dave247 said in Adding LDAP role to domain controller:
@pmoncho said in Adding LDAP role to domain controller:
@dbeato said in Adding LDAP role to domain controller:
@Fredtx said in Adding LDAP role to domain controller:
@dbeato So what affect will this new Windows update have in March 2020 if it's in installed on an AD server that is still using the default non secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile ssl vpn via LDAP (ad user account & pw) so I can see how that will affect them and I'm guessing they will be unable to authenticate and therefore not be able to connect to their vpn?
The LDAP connection between the SSL VPN and your AD Server is the one affected.
In this instance, The SSL-VPN (with AD connection) would need LDAPS setup which, at minimum, would require a internal Windows CA to be setup correct?
Yes, that is correct. We have one set up which was easy enough but there is still some overhead there.. probably easier to just buy a public cert
Currently we are on a .local domain and I believe we would need a cert for the DC itself, thus I don't believe I am able to get a public cert. Please correct me if I am wrong of if there is a way around this.
I am not looking forward to creating my own internal CA but I will if needed.
You are correct. internal CA should not be complicated.
-
@dbeato said in Adding LDAP role to domain controller:
@pmoncho said in Adding LDAP role to domain controller:
@dave247 said in Adding LDAP role to domain controller:
@pmoncho said in Adding LDAP role to domain controller:
@dbeato said in Adding LDAP role to domain controller:
@Fredtx said in Adding LDAP role to domain controller:
@dbeato So what affect will this new Windows update have in March 2020 if it's in installed on an AD server that is still using the default non secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile ssl vpn via LDAP (ad user account & pw) so I can see how that will affect them and I'm guessing they will be unable to authenticate and therefore not be able to connect to their vpn?
The LDAP connection between the SSL VPN and your AD Server is the one affected.
In this instance, The SSL-VPN (with AD connection) would need LDAPS setup which, at minimum, would require a internal Windows CA to be setup correct?
Yes, that is correct. We have one set up which was easy enough but there is still some overhead there.. probably easier to just buy a public cert
Currently we are on a .local domain and I believe we would need a cert for the DC itself, thus I don't believe I am able to get a public cert. Please correct me if I am wrong of if there is a way around this.
I am not looking forward to creating my own internal CA but I will if needed.
You are correct. internal CA should not be complicated.
And I believe someone posted about that here a couple years ago.
-
@JaredBusch said in Adding LDAP role to domain controller:
@dbeato said in Adding LDAP role to domain controller:
@pmoncho said in Adding LDAP role to domain controller:
@dave247 said in Adding LDAP role to domain controller:
@pmoncho said in Adding LDAP role to domain controller:
@dbeato said in Adding LDAP role to domain controller:
@Fredtx said in Adding LDAP role to domain controller:
@dbeato So what affect will this new Windows update have in March 2020 if it's in installed on an AD server that is still using the default non secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile ssl vpn via LDAP (ad user account & pw) so I can see how that will affect them and I'm guessing they will be unable to authenticate and therefore not be able to connect to their vpn?
The LDAP connection between the SSL VPN and your AD Server is the one affected.
In this instance, The SSL-VPN (with AD connection) would need LDAPS setup which, at minimum, would require a internal Windows CA to be setup correct?
Yes, that is correct. We have one set up which was easy enough but there is still some overhead there.. probably easier to just buy a public cert
Currently we are on a .local domain and I believe we would need a cert for the DC itself, thus I don't believe I am able to get a public cert. Please correct me if I am wrong of if there is a way around this.
I am not looking forward to creating my own internal CA but I will if needed.
You are correct. internal CA should not be complicated.
And I believe someone posted about that here a couple years ago.
Thanks. I will do some searching.
-
@dbeato said in Adding LDAP role to domain controller:
@Fredtx said in Adding LDAP role to domain controller:
@dbeato So what affect will this new Windows update have in March 2020 if it's in installed on an AD server that is still using the default non secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile ssl vpn via LDAP (ad user account & pw) so I can see how that will affect them and I'm guessing they will be unable to authenticate and therefore not be able to connect to their vpn?
The LDAP connection between the SSL VPN and your AD Server is the one affected.
What about:
- LDAP connection between site to site VPN due to the office not having an on-premise AD server?
*Exchange 2016 that is on-premise and in the same LAN as AD server?
- LDAP connection between site to site VPN due to the office not having an on-premise AD server?
-
@Fredtx said in Adding LDAP role to domain controller:
@dbeato said in Adding LDAP role to domain controller:
@Fredtx said in Adding LDAP role to domain controller:
@dbeato So what affect will this new Windows update have in March 2020 if it's in installed on an AD server that is still using the default non secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile ssl vpn via LDAP (ad user account & pw) so I can see how that will affect them and I'm guessing they will be unable to authenticate and therefore not be able to connect to their vpn?
The LDAP connection between the SSL VPN and your AD Server is the one affected.
What about:
- LDAP connection between site to site VPN due to the office not having an on-premise AD server?
*Exchange 2016 that is on-premise and in the same LAN as AD server?
What is supporting the site to site VPN? does it somehow tie into AD?
My site to site VPN has no idea about AD, The Exchange/AD traffic is just that - traffic that flows over the VPN. To AD, VPN is just another router, it doesn't care.
- LDAP connection between site to site VPN due to the office not having an on-premise AD server?
-
@Dashrender said in Adding LDAP role to domain controller:
@Fredtx said in Adding LDAP role to domain controller:
@dbeato said in Adding LDAP role to domain controller:
@Fredtx said in Adding LDAP role to domain controller:
@dbeato So what affect will this new Windows update have in March 2020 if it's in installed on an AD server that is still using the default non secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile ssl vpn via LDAP (ad user account & pw) so I can see how that will affect them and I'm guessing they will be unable to authenticate and therefore not be able to connect to their vpn?
The LDAP connection between the SSL VPN and your AD Server is the one affected.
What about:
- LDAP connection between site to site VPN due to the office not having an on-premise AD server?
*Exchange 2016 that is on-premise and in the same LAN as AD server?
What is supporting the site to site VPN? does it somehow tie into AD?
My site to site VPN has no idea about AD, The Exchange/AD traffic is just that - traffic that flows over the VPN. To AD, VPN is just another router, it doesn't care.
There is nothing supporting it. It's just a simple site to site using a PSK with AES 256 encryption, etc. Nothing with AD. I guess I was thinking about the LDAP traffic going through the tunnel that would be of concern, but based on your response I can see there is nothing to be concerned about.
Now, I do know customers who have Synology and Qnap NAS that rely on AD for file shares and such. I would think these would be affected?
- LDAP connection between site to site VPN due to the office not having an on-premise AD server?
-
@Fredtx said in Adding LDAP role to domain controller : >
Now, I do know customers who have Synology and Qnap NAS that rely on AD for file shares and such. I would think these would be affected?
I would agree with you.
-
@Fredtx said in Adding LDAP role to domain controller:
Now, I do know customers who have Synology and Qnap NAS that rely on AD for file shares and such. I would think these would be affected?
Why would they be affected? Those are AD, AD isn't affected. LDAP is. Anything using AD should not be affected. Because it is Kerberos, not LDAP.