?
Solved

Difference in ldap functionality between native and mixed AD modes

Posted on 2011-03-03
7
Medium Priority
?
1,193 Views
Last Modified: 2012-08-13
This may seem like an odd question, and it may be a non-issue.  We currently have an AD environment that is still running in mixed mode due to some very old Linux/Samba servers which required it.  We have recently taken all of those old servers out of service, so we can now upgrade to native mode in AD.  This has the benefit of finally allowing us to start using Windows 2008 DCs.  (2008 doesn't support mixed mode, so we're currently still stuck with 2003 DCs.)

What's stopping me is that we have many applications and devices (firewalls, routers, etc) which are extensively using Active Directory's ldap functionality for authentication and authorization.  Since an AD mode upgrade is a one-way operation (can't be undone), I need to be absolutely sure there is no change in ldap functionality between mixed and native modes in AD.  Can any confirm or deny any differences in ldap between the two AD functional modes?
0
Comment
Question by:NetAdSubs
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 42

Accepted Solution

by:
Adam Brown earned 1000 total points
ID: 35032453
The Funtional Mode level basically activates a number of features in the schema of Active Directory and doesn't affect the methods used to communicate with it. LDAP is LDAP.
0
 

Author Comment

by:NetAdSubs
ID: 35032542
That was exactly my thought, as well.  Upgrading from a lower to a higher Native mode simply adds features; it doesn't remove others.  However, we're switching from Mixed Mode to Native mode, and that *does* remove some functionality as far as old NT4 style clients are concerned.  I'm with you that ldap functionality should not be affected at all, but I'm just trying to be 100% positive since this is an irreversible change.

Some of the paranoid thoughts that got into my head were that some ldap attributes might disappear or change when switching from mixed to native mode, although I can't find any documentation stating such.  We've got a number of different domains in use at my company, all of which are native except for the one in question, and looking at the ldap attributes in objects in the various domains show the exact same set of attributes as our mixed mode domain.  That's a good sign.  Just trying to cover all the bases.
0
 
LVL 42

Expert Comment

by:Adam Brown
ID: 35032572
Well, the attributes that are going to be used by your network devices are going to stay the same. I'm as close to 100% certain as I can be without testing that those devices shouldn't be using the NT4 features that are changed in a switch to Native mode. And if they are, they're probably so old that they should be replaced :D
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 

Author Comment

by:NetAdSubs
ID: 35032641
Agreed.  :)  The only "legacy" attribute used by just about all of our ldap clients is the samAccountName attribute, and that sticks around in native mode.
0
 
LVL 42

Expert Comment

by:Adam Brown
ID: 35033240
heh. samaccountname is probably going to stick around for a long time yet. It's only ever going to go away when the UPN attribute takes over for user account naming.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 35041242
I'd suggest image it with vmWare Converter and then go ahead and change it to native mode.

PS: points should go to acbrown2010 - I am just tweeting here..
0
 

Author Comment

by:NetAdSubs
ID: 35059545
We have actually considered the virtualization option.  Almost all of our DCs in all of our sites across the country are already virtual (aside from a few physicals for redundancy), so we were tossing around the idea of restoring vm snapshots if the conversion to native mode causes an unfixable problem.  But I have to tell you, that's the last thing we want to have to deal with during our brief maintenance window.  It's no small task to accomplish that given how many DCs we have in so many sites around the country.  :)

I'll go ahead and close this topic.  I think we are all nearly 100% certain that ldap should not be affected by the conversion.  Thanks for you all your input.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Suggested Courses

718 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question