Solved

Difference in ldap functionality between native and mixed AD modes

Posted on 2011-03-03
1,145 Views
Last Modified: 2012-08-13
This may seem like an odd question, and it may be a non-issue.  We currently have an AD environment that is still running in mixed mode due to some very old Linux/Samba servers which required it.  We have recently taken all of those old servers out of service, so we can now upgrade to native mode in AD.  This has the benefit of finally allowing us to start using Windows 2008 DCs.  (2008 doesn't support mixed mode, so we're currently still stuck with 2003 DCs.)

What's stopping me is that we have many applications and devices (firewalls, routers, etc) which are extensively using Active Directory's ldap functionality for authentication and authorization.  Since an AD mode upgrade is a one-way operation (can't be undone), I need to be absolutely sure there is no change in ldap functionality between mixed and native modes in AD.  Can anyone confirm or deny any differences in ldap between the two AD functional modes?
Question by:NetAdSubs
Accepted Solution

by:
Adam Brown earned 250 total points
ID: 35032453
The Functional Mode level basically activates a number of features in the schema of Active Directory and doesn't affect the methods used to communicate with it. LDAP is LDAP.

Author Comment

by:NetAdSubs
ID: 35032542
That was exactly my thought, as well.  Upgrading from a lower to a higher Native mode simply adds features; it doesn't remove others.  However, we're switching from Mixed Mode to Native mode, and that *does* remove some functionality as far as old NT4 style clients are concerned.  I'm with you that ldap functionality should not be affected at all, but I'm just trying to be 100% positive since this is an irreversible change.

Some of the paranoid thoughts that got into my head were that some ldap attributes might disappear or change when switching from mixed to native mode, although I can't find any documentation stating such.  We've got a number of different domains in use at my company, all of which are native except for the one in question, and looking at the ldap attributes in objects in the various domains show the exact same set of attributes as our mixed mode domain.  That's a good sign.  Just trying to cover all the bases.
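The cross-domain attribute comparison described in the comment above can be done systematically rather than by eye. This is an added example, not code from the thread: it parses two LDIF exports (the samples below are constructed; a real export would come from a tool such as `ldifde -f out.ldf`) and reports, per objectClass, any attribute seen in the reference domain that no object of the same class carries in the other.

```python
"""Per-objectClass check that no LDAP attribute present in one export is missing
from another. Added example; LDIF samples are constructed (real: ldifde -f)."""
import base64
from collections import defaultdict

def parse_ldif(text):
    """Return one {attribute_name: [values]} dict per LDIF entry (RFC 2849:
    unfolds leading-space continuation lines, decodes '::' base64 values)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                 # continuation line
        elif not raw.startswith("#"):
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                    # "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries

def attributes_by_class(entries):
    """Union of attribute names observed for each objectClass value."""
    seen = defaultdict(set)
    for entry in entries:
        for cls in entry.get("objectclass", ["<none>"]):
            seen[cls.lower()] |= set(entry) - {"dn"}
    return seen

def missing_attributes(reference_ldif, candidate_ldif):
    """{objectClass: [attributes]} present in the reference export but absent
    from the candidate export for the same class; {} means nothing was lost."""
    ref = attributes_by_class(parse_ldif(reference_ldif))
    cand = attributes_by_class(parse_ldif(candidate_ldif))
    return {cls: sorted(ref[cls] - cand[cls])
            for cls in ref if cls in cand and ref[cls] - cand[cls]}

MIXED = """dn: CN=jdoe,CN=Users,DC=mixed,DC=example
objectClass: user
sAMAccountName: jdoe
description:: TWl4ZWQgZG9tYWlu"""                # constructed sample export
NATIVE = """dn: CN=asmith,CN=Users,DC=native,DC=example
objectClass: user
sAMAccountName: asmith
userPrincipalName:
 asmith@native.example"""                        # constructed sample export
```

Run `missing_attributes(MIXED, NATIVE)` with the mixed-mode export as the reference before the switch, then again against a post-switch export; an empty result is the evidence the author was looking for.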
Expert Comment

by:Adam Brown
ID: 35032572
Well, the attributes that are going to be used by your network devices are going to stay the same. I'm as close to 100% certain as I can be without testing that those devices shouldn't be using the NT4 features that are changed in a switch to Native mode. And if they are, they're probably so old that they should be replaced :D

Author Comment

by:NetAdSubs
ID: 35032641
Agreed.  :)  The only "legacy" attribute used by just about all of our ldap clients is the samAccountName attribute, and that sticks around in native mode.

Expert Comment

by:Adam Brown
ID: 35033240
heh. samaccountname is probably going to stick around for a long time yet. It's only ever going to go away when the UPN attribute takes over for user account naming.

Expert Comment

by:sunnyc7
ID: 35041242
I'd suggest imaging it with VMware Converter and then go ahead and change it to native mode.

PS: points should go to acbrown2010 - I am just tweeting here..

Author Comment

by:NetAdSubs
ID: 35059545
We have actually considered the virtualization option.  Almost all of our DCs in all of our sites across the country are already virtual (aside from a few physicals for redundancy), so we were tossing around the idea of restoring vm snapshots if the conversion to native mode causes an unfixable problem.  But I have to tell you, that's the last thing we want to have to deal with during our brief maintenance window.  It's no small task to accomplish that given how many DCs we have in so many sites around the country.  :)

I'll go ahead and close this topic.  I think we are all nearly 100% certain that ldap should not be affected by the conversion.  Thanks to you all for your input.