Solved

Difference in ldap functionality between native and mixed AD modes

Posted on 2011-03-03
1,170 Views
Last Modified: 2012-08-13
This may seem like an odd question, and it may be a non-issue.  We currently have an AD environment that is still running in mixed mode due to some very old Linux/Samba servers which required it.  We have recently taken all of those old servers out of service, so we can now upgrade to native mode in AD.  This has the benefit of finally allowing us to start using Windows 2008 DCs.  (2008 doesn't support mixed mode, so we're currently still stuck with 2003 DCs.)

What's stopping me is that we have many applications and devices (firewalls, routers, etc.) which are extensively using Active Directory's ldap functionality for authentication and authorization.  Since an AD mode upgrade is a one-way operation (can't be undone), I need to be absolutely sure there is no change in ldap functionality between mixed and native modes in AD.  Can anyone confirm or deny any differences in ldap between the two AD functional modes?
Question by:NetAdSubs
7 Comments
 
LVL 40

Accepted Solution

by:
Adam Brown earned 250 total points
ID: 35032453
The Functional Mode level basically activates a number of features in the schema of Active Directory and doesn't affect the methods used to communicate with it. LDAP is LDAP.
 

Author Comment

by:NetAdSubs
ID: 35032542
That was exactly my thought, as well.  Upgrading from a lower to a higher Native mode simply adds features; it doesn't remove others.  However, we're switching from Mixed Mode to Native mode, and that *does* remove some functionality as far as old NT4 style clients are concerned.  I'm with you that ldap functionality should not be affected at all, but I'm just trying to be 100% positive since this is an irreversible change.

Some of the paranoid thoughts that got into my head were that some ldap attributes might disappear or change when switching from mixed to native mode, although I can't find any documentation stating such.  We've got a number of different domains in use at my company, all of which are native except for the one in question, and looking at the ldap attributes in objects in the various domains show the exact same set of attributes as our mixed mode domain.  That's a good sign.  Just trying to cover all the bases.
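The cross-domain attribute comparison described in the comment above can be scripted so the same check gives a repeatable pre-change baseline. This is an added example, not code from the thread; it talks to the directory over plain LDAP via System.DirectoryServices rather than the ActiveDirectory module, and the LDAP paths and account name are placeholders.

```powershell
# Added example (not from the original thread). Returns the sorted set of LDAP
# attribute names exposed by one sample user object so two snapshots can be diffed:
# a mixed-mode domain against a native-mode one, or the same domain before/after
# the functional mode change. LDAP paths and account names below are placeholders.
function Get-LdapAttributeNames {
    param(
        [Parameter(Mandatory)] [string] $LdapPath,        # e.g. 'LDAP://DC=corp,DC=example,DC=com'
        [Parameter(Mandatory)] [string] $SamAccountName
    )
    $root     = New-Object System.DirectoryServices.DirectoryEntry($LdapPath)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
    # Leaving PropertiesToLoad empty returns every attribute the bound account may read.
    $result = $searcher.FindOne()
    if (-not $result) { throw "No user '$SamAccountName' found under $LdapPath" }
    # Only populated attributes are returned, so pick a sample account that is
    # populated the way your LDAP clients (firewalls, routers, apps) expect.
    # Names come back lower-cased; sorting makes the two snapshots diff cleanly.
    return @($result.Properties.PropertyNames | Sort-Object)
}

# Compare a sample account in the mixed-mode domain with one in a native-mode domain.
$mixed  = Get-LdapAttributeNames -LdapPath 'LDAP://DC=mixed,DC=example,DC=com'  -SamAccountName 'svc-ldapbind'
$native = Get-LdapAttributeNames -LdapPath 'LDAP://DC=native,DC=example,DC=com' -SamAccountName 'svc-ldapbind'
$diff = Compare-Object -ReferenceObject $mixed -DifferenceObject $native
if ($diff) { $diff | Format-Table InputObject, SideIndicator } else { 'Attribute sets are identical.' }

# For the pre-change baseline, keep the snapshot and re-run the same comparison
# after the switch during the maintenance window:
$mixed | Set-Content -Path '.\ldap-attrs-before.txt'
# Compare-Object (Get-Content '.\ldap-attrs-before.txt') (Get-LdapAttributeNames -LdapPath ... -SamAccountName ...)
```

Run it with an account that has the same read rights your LDAP clients bind with; otherwise the attribute list reflects the administrator's view rather than what the devices actually see.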
 
LVL 40

Expert Comment

by:Adam Brown
ID: 35032572
Well, the attributes that are going to be used by your network devices are going to stay the same. I'm as close to 100% certain as I can be without testing that those devices shouldn't be using the NT4 features that are changed in a switch to Native mode. And if they are, they're probably so old that they should be replaced :D

Author Comment

by:NetAdSubs
ID: 35032641
Agreed.  :)  The only "legacy" attribute used by just about all of our ldap clients is the samAccountName attribute, and that sticks around in native mode.
 
LVL 40

Expert Comment

by:Adam Brown
ID: 35033240
heh. samaccountname is probably going to stick around for a long time yet. It's only ever going to go away when the UPN attribute takes over for user account naming.
 
LVL 28

Expert Comment

by:sunnyc7
ID: 35041242
I'd suggest imaging it with VMware Converter and then going ahead and changing it to native mode.

PS: points should go to acbrown2010 - I am just tweeting here..
 

Author Comment

by:NetAdSubs
ID: 35059545
We have actually considered the virtualization option.  Almost all of our DCs in all of our sites across the country are already virtual (aside from a few physicals for redundancy), so we were tossing around the idea of restoring vm snapshots if the conversion to native mode causes an unfixable problem.  But I have to tell you, that's the last thing we want to have to deal with during our brief maintenance window.  It's no small task to accomplish that given how many DCs we have in so many sites around the country.  :)

I'll go ahead and close this topic.  I think we are all nearly 100% certain that ldap should not be affected by the conversion.  Thanks for all your input.