Solved

Difference in ldap functionality between native and mixed AD modes

Posted on 2011-03-03
Last Modified: 2012-08-13
This may seem like an odd question, and it may be a non-issue.  We currently have an AD environment that is still running in mixed mode due to some very old Linux/Samba servers which required it.  We have recently taken all of those old servers out of service, so we can now upgrade to native mode in AD.  This has the benefit of finally allowing us to start using Windows 2008 DCs.  (2008 doesn't support mixed mode, so we're currently still stuck with 2003 DCs.)

What's stopping me is that we have many applications and devices (firewalls, routers, etc.) which are extensively using Active Directory's ldap functionality for authentication and authorization.  Since an AD mode upgrade is a one-way operation (can't be undone), I need to be absolutely sure there is no change in ldap functionality between mixed and native modes in AD.  Can anyone confirm or deny any differences in ldap between the two AD functional modes?
Question by:NetAdSubs
7 Comments
 
LVL 41

Accepted Solution

by:
Adam Brown earned 250 total points
ID: 35032453
The Functional Mode level basically activates a number of features in the schema of Active Directory and doesn't affect the methods used to communicate with it. LDAP is LDAP.
 

Author Comment

by:NetAdSubs
ID: 35032542
That was exactly my thought, as well.  Upgrading from a lower to a higher Native mode simply adds features; it doesn't remove others.  However, we're switching from Mixed Mode to Native mode, and that *does* remove some functionality as far as old NT4 style clients are concerned.  I'm with you that ldap functionality should not be affected at all, but I'm just trying to be 100% positive since this is an irreversible change.

Some of the paranoid thoughts that got into my head were that some ldap attributes might disappear or change when switching from mixed to native mode, although I can't find any documentation stating such.  We've got a number of different domains in use at my company, all of which are native except for the one in question, and looking at the ldap attributes in objects in the various domains show the exact same set of attributes as our mixed mode domain.  That's a good sign.  Just trying to cover all the bases.
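The check the author describes (comparing the attribute set of an object in the mixed-mode domain against the native-mode domains, and wanting proof that the firewalls' and routers' LDAP lookups survive the switch) can be scripted so it is run once before the change and once after replication settles. What follows is an added example, not code from the thread or from Experts Exchange. It deliberately talks to the DC the way a network appliance does, an LDAP v3 simple bind on 389/636 through System.DirectoryServices.Protocols, rather than through the AD cmdlets, which ride ADWS and therefore need a 2008 R2 DC or the management gateway that the poster's 2003 DCs lack. It reads the mode straight from the directory (ntMixedDomain on the domain head is 1 in mixed mode and 0 in native; domainFunctionality in RootDSE is the level being raised), then writes the populated attribute names of one user to a file and diffs two such files. Server name, bind DN, password, base DN, user name and file paths are placeholders.

```powershell
# Added example, not from the thread: exercise AD over plain LDAP the way a
# firewall or router does (LDAP v3 simple bind via System.DirectoryServices.Protocols,
# not the AD cmdlets, which need ADWS), read the domain mode, and snapshot the
# populated attribute set of one user so before/after native mode can be diffed.
# Server, bind DN, password, base DN, user and file paths are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Connect-PlainLdap {
    param([string]$Server, [string]$BindDn, [string]$BindPassword, [switch]$UseLdaps)
    $port  = if ($UseLdaps) { 636 } else { 389 }
    $ident = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $port)
    $cred  = New-Object System.Net.NetworkCredential($BindDn, $BindPassword)
    $conn  = New-Object System.DirectoryServices.Protocols.LdapConnection($ident, $cred, [System.DirectoryServices.Protocols.AuthType]::Basic)
    $conn.SessionOptions.ProtocolVersion = 3
    # A simple bind sends the password in the clear; insist on LDAPS outside a lab.
    if ($UseLdaps) { $conn.SessionOptions.SecureSocketLayer = $true }
    $conn.Bind()   # throws LdapException on bad credentials or an unreachable DC
    return $conn
}

# RFC 4515 escaping so an operator-supplied name cannot rewrite the search filter.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    return $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-LdapEntry {
    param($Conn, [string]$BaseDn, [string]$Filter,
          [System.DirectoryServices.Protocols.SearchScope]$Scope = 'Subtree',
          [string[]]$Attrs = @('*'))   # '*' = every user attribute the bind identity may read
    $req  = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDn, $Filter, $Scope, $Attrs)
    $resp = $Conn.SendRequest($req)
    if ($resp.Entries.Count -ne 1) { throw "expected one entry for $Filter under '$BaseDn', got $($resp.Entries.Count)" }
    return $resp.Entries[0]
}

function Get-DomainModeViaLdap {
    param($Conn)
    $root  = Get-LdapEntry $Conn '' '(objectClass=*)' 'Base' @('defaultNamingContext', 'domainFunctionality')
    $ncDn  = $root.Attributes['defaultNamingContext'].GetValues([string])[0]
    $dom   = Get-LdapEntry $Conn $ncDn '(objectClass=domainDNS)' 'Base' @('ntMixedDomain', 'msDS-Behavior-Version')
    # ntMixedDomain: 1 = mixed, 0 = native. domainFunctionality: 0 = 2000, 2 = 2003, 3 = 2008.
    $mixed = [int]$dom.Attributes['ntMixedDomain'].GetValues([string])[0]
    $mode  = if ($mixed -eq 1) { 'mixed' } else { 'native' }
    return New-Object PSObject -Property @{
        DomainDn            = $ncDn
        DomainFunctionality = [int]$root.Attributes['domainFunctionality'].GetValues([string])[0]
        NtMixedDomain       = $mixed
        Mode                = $mode
    }
}

function Save-UserAttributeSnapshot {
    param($Conn, [string]$BaseDn, [string]$SamAccountName, [string]$Path)
    $filter = "(&(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))"
    $entry  = Get-LdapEntry $Conn $BaseDn $filter
    # Only populated attributes come back: a name missing from a later snapshot
    # means 'unset now', not necessarily 'gone from the schema'.
    $names  = @($entry.Attributes.AttributeNames) | Sort-Object
    Set-Content -Path $Path -Value $names
    return $names
}

function Compare-AttributeSnapshot {
    param([string]$BeforePath, [string]$AfterPath)
    $diff = Compare-Object -ReferenceObject @(Get-Content $BeforePath) -DifferenceObject @(Get-Content $AfterPath)
    if (-not $diff) { Write-Host 'populated attribute set unchanged' }
    # '<=' = present only before the change, '=>' = present only after it
    $diff | ForEach-Object { Write-Host ('{0} {1}' -f $_.SideIndicator, $_.InputObject) }
    return $diff
}

# --- usage: snapshot once before raising the mode, once after replication settles ---
$conn = Connect-PlainLdap -Server 'dc01.corp.example' -BindDn 'CN=svc-ldap,OU=Service,DC=corp,DC=example' -BindPassword 'placeholder' -UseLdaps
Get-DomainModeViaLdap $conn | Format-List
Save-UserAttributeSnapshot $conn 'DC=corp,DC=example' 'jdoe' 'C:\temp\jdoe-before.txt' | Out-Null
# after the change:  Save-UserAttributeSnapshot $conn 'DC=corp,DC=example' 'jdoe' 'C:\temp\jdoe-after.txt'
#                    Compare-AttributeSnapshot 'C:\temp\jdoe-before.txt' 'C:\temp\jdoe-after.txt'
$conn.Dispose()
```

Run it with the same service account and the same base DN the appliances are configured with, so that a successful bind and a one-entry result on sAMAccountName is evidence for the exact path they use, and repeat the snapshot for one object of each class they query (typically a user and a group). The change that actually happens when Windows 2000 mixed is raised to native is on the replication and group side (NT4 BDCs can no longer participate; universal security groups, nested global groups and SID history become available), not on the LDAP protocol or the schema, so an empty diff here is the expected result.
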
 
LVL 41

Expert Comment

by:Adam Brown
ID: 35032572
Well, the attributes that are going to be used by your network devices are going to stay the same. I'm as close to 100% certain as I can be without testing that those devices shouldn't be using the NT4 features that are changed in a switch to Native mode. And if they are, they're probably so old that they should be replaced :D
 

Author Comment

by:NetAdSubs
ID: 35032641
Agreed.  :)  The only "legacy" attribute used by just about all of our ldap clients is the samAccountName attribute, and that sticks around in native mode.
 
LVL 41

Expert Comment

by:Adam Brown
ID: 35033240
heh. samaccountname is probably going to stick around for a long time yet. It's only ever going to go away when the UPN attribute takes over for user account naming.
 
LVL 28

Expert Comment

by:sunnyc7
ID: 35041242
I'd suggest imaging it with VMware Converter and then going ahead and changing it to native mode.

PS: points should go to acbrown2010 - I am just tweeting here..
 

Author Comment

by:NetAdSubs
ID: 35059545
We have actually considered the virtualization option.  Almost all of our DCs in all of our sites across the country are already virtual (aside from a few physicals for redundancy), so we were tossing around the idea of restoring vm snapshots if the conversion to native mode causes an unfixable problem.  But I have to tell you, that's the last thing we want to have to deal with during our brief maintenance window.  It's no small task to accomplish that given how many DCs we have in so many sites around the country.  :)

I'll go ahead and close this topic.  I think we are all nearly 100% certain that ldap should not be affected by the conversion.  Thanks for all your input.
