Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Difference in ldap functionality between native and mixed AD modes

Posted on 2011-03-03
7
Medium Priority
?
1,199 Views
Last Modified: 2012-08-13
This may seem like an odd question, and it may be a non-issue.  We currently have an AD environment that is still running in mixed mode due to some very old Linux/Samba servers which required it.  We have recently taken all of those old servers out of service, so we can now upgrade to native mode in AD.  This has the benefit of finally allowing us to start using Windows 2008 DCs.  (2008 doesn't support mixed mode, so we're currently still stuck with 2003 DCs.)

What's stopping me is that we have many applications and devices (firewalls, routers, etc) which are extensively using Active Directory's ldap functionality for authentication and authorization.  Since an AD mode upgrade is a one-way operation (can't be undone), I need to be absolutely sure there is no change in ldap functionality between mixed and native modes in AD.  Can any confirm or deny any differences in ldap between the two AD functional modes?
0
Comment
Question by:NetAdSubs
  • 3
  • 3
7 Comments
 
LVL 43

Accepted Solution

by:
Adam Brown earned 1000 total points
ID: 35032453
The Funtional Mode level basically activates a number of features in the schema of Active Directory and doesn't affect the methods used to communicate with it. LDAP is LDAP.
0
 

Author Comment

by:NetAdSubs
ID: 35032542
That was exactly my thought, as well.  Upgrading from a lower to a higher Native mode simply adds features; it doesn't remove others.  However, we're switching from Mixed Mode to Native mode, and that *does* remove some functionality as far as old NT4 style clients are concerned.  I'm with you that ldap functionality should not be affected at all, but I'm just trying to be 100% positive since this is an irreversible change.

Some of the paranoid thoughts that got into my head were that some ldap attributes might disappear or change when switching from mixed to native mode, although I can't find any documentation stating such.  We've got a number of different domains in use at my company, all of which are native except for the one in question, and looking at the ldap attributes in objects in the various domains show the exact same set of attributes as our mixed mode domain.  That's a good sign.  Just trying to cover all the bases.
0
 
LVL 43

Expert Comment

by:Adam Brown
ID: 35032572
Well, the attributes that are going to be used by your network devices are going to stay the same. I'm as close to 100% certain as I can be without testing that those devices shouldn't be using the NT4 features that are changed in a switch to Native mode. And if they are, they're probably so old that they should be replaced :D
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 

Author Comment

by:NetAdSubs
ID: 35032641
Agreed.  :)  The only "legacy" attribute used by just about all of our ldap clients is the samAccountName attribute, and that sticks around in native mode.
0
 
LVL 43

Expert Comment

by:Adam Brown
ID: 35033240
heh. samaccountname is probably going to stick around for a long time yet. It's only ever going to go away when the UPN attribute takes over for user account naming.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 35041242
I'd suggest image it with vmWare Converter and then go ahead and change it to native mode.

PS: points should go to acbrown2010 - I am just tweeting here..
0
 

Author Comment

by:NetAdSubs
ID: 35059545
We have actually considered the virtualization option.  Almost all of our DCs in all of our sites across the country are already virtual (aside from a few physicals for redundancy), so we were tossing around the idea of restoring vm snapshots if the conversion to native mode causes an unfixable problem.  But I have to tell you, that's the last thing we want to have to deal with during our brief maintenance window.  It's no small task to accomplish that given how many DCs we have in so many sites around the country.  :)

I'll go ahead and close this topic.  I think we are all nearly 100% certain that ldap should not be affected by the conversion.  Thanks for you all your input.
0

Featured Post

[Webinar] Cloud Security

In this webinar you will learn:

-Why existing firewall and DMZ architectures are not suited for securing cloud applications
-How to make your enterprise “Cloud Ready”, and fix your aging DMZ architecture
-How to transform your enterprise and become a Cloud Enabler

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

971 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question