AD LDS, AD FS, RODC, LDAP access for 3rd party vendors?

Posted on 2016-08-03
Medium Priority
Last Modified: 2016-08-09

We have had a request to allow LDAP lookups from a couple of external applications to our network. Moving forward with this, what would be the best scenario? I have scoured Google and get mixed things coming up, and tbh got a bit lost with it all.

So the solution I am thinking of going down:

AD LDS - for LDAP lookup
AD FS   -  for single sign on services (future proof for office 365)

These systems..........

Can I install both systems on the same server?

Do I put a server in the DMZ and then open the ports required back to the network through firewall A?

Then allow this server access to the outside world through firewall B?

Or is it a NAT passthrough to the server on the internal network?

There doesn't seem to be a clear guide to a good solution, and what I found goes back to Server 2003.

I might be looking in the wrong place but I definitely need some advice from the pros on this one.

Question by:Colchester_Institute
LVL 42

Assisted Solution

by:Adam Brown
Adam Brown earned 500 total points
ID: 41741532
I would not recommend putting ADFS and AD LDS on the same system. Best practice for AD LDS is to put it on a non-domain server, and ADFS won't work if it's not on the domain.

The way you would allow access to an AD LDS instance is to place it in a location that is accessible by the third party, preferably over Secure LDAP, which uses port 636. You would then grant that server the ability to read AD over port 636. By default, Secure LDAP isn't enabled on AD, but all you have to do to enable it is install a certificate on your DCs. It doesn't have to be a valid certificate, so you can use a self-signed cert on the DCs, but it's more secure if you have a CA Server in your environment issue the certs.

The reason for setting this up to use Secure LDAP is that LDAP sends data more or less in the clear, so it's pretty important to make sure that data is encrypted, which requires Secure LDAP.

Once you have communication between AD LDS and AD allowed, https://windorks.wordpress.com/2014/09/02/syncing-lds-to-ad-ds/ will tell you how to set up the AD LDS instance to sync data out of AD. You should be able to limit the attributes the third party vendor has access to.

Author Comment

ID: 41742218
Hi Adam,

Thanks for the reply!

I have installed AD LDS on a server in the DMZ.

I have also installed AD LDS on a domain controller and setup an instance for it to talk to. What I did notice is that the DC already has an NTDS instance running on 389 and 636.

I added the LDAP ports to TMG, and when replicating the AD LDS to the DMZ server it says the port is already in use, so I cannot use the NTDS instance.

So I created the TCP ports 6389 & 6636 and created a new instance; the DMZ server can see the instance but I cannot get the service started on it.

I have a wildcard certificate for the company; could I use this for secure SSL?

Thanks so far.
LVL 37

Assisted Solution

ArneLovius earned 500 total points
ID: 41744616
Wildcard certificates work well for HTTPS, but not for STARTTLS on SMTP, or LDAPS.

AD LDS is great for adding a layer of isolation, but it can sometimes be simpler to just allow LDAPS (only port 636, not LDAP on 389) from a 3rd party (tied down by specific address, or over a VPN tunnel) to an RODC, or in a small environment, direct to a DC.

It's all about trust: if it's a hosted provider of Financial/HR software, then you might have a higher level of trust than for a hosted wiki provider...

ADFS is a completely different beast.
LVL 37

Accepted Solution

Jian An Lim earned 1000 total points
ID: 41745937
I would not complicate your issue.

I would enable LDAPS on a DC, then just NAT it via the firewall and protect it with known IP addresses.
You should never expose LDAPS to any source.

With a known IP address, you can even go with LDAP.

Technically, you can complicate it with AD LDS or something else, but I always ask what your purpose is, because technology keeps changing; today it might be ADFS, but in future you might port all of these functions to Azure AD. Who knows.
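The two answers above agree on the same control: if a DC or RODC is exposed for a vendor, it should be LDAPS on 636 only, and only from specific, approved source addresses, never from "any". The following is an added example, not code from the thread or from any product, of an audit check a defender can run over an exported firewall/NAT ruleset to catch rules that break that policy. The rule format, host names, addresses and the approved-vendor list are all constructed for illustration; a real export would need its own parser feeding the same `Rule` objects.

```python
import ipaddress
from dataclasses import dataclass

LDAP_PORT = 389    # plaintext LDAP, should not be exposed
LDAPS_PORT = 636   # LDAP over TLS, the only port the answers allow externally


@dataclass(frozen=True)
class Rule:
    """One firewall/NAT rule (hypothetical simplified export format)."""
    name: str
    source: str    # CIDR, single address, or "any"
    dest: str      # internal DC/RODC the rule forwards to
    port: int
    action: str    # "allow" or "deny"


# Constructed sample ruleset; not taken from the thread or any real firewall.
SAMPLE_RULES = [
    Rule("vendor-hr-ldaps",   "203.0.113.10/32",  "dc01.corp.example",   636, "allow"),
    Rule("vendor-wiki-ldaps", "any",              "dc01.corp.example",   636, "allow"),
    Rule("legacy-ldap",       "198.51.100.0/24",  "dc01.corp.example",   389, "allow"),
    Rule("vendor-fin-ldaps",  "198.51.100.0/28",  "rodc01.corp.example", 636, "allow"),
    Rule("drop-all-ldap",     "any",              "dc01.corp.example",   389, "deny"),
]

# Source ranges the business has actually agreed to for each vendor (constructed).
APPROVED_SOURCES = {"203.0.113.10/32", "198.51.100.0/28"}

# Anything wider than this is treated as "not tied down to a specific address".
MAX_PREFIX_HOSTS = 16


def audit_rule(rule, approved=APPROVED_SOURCES):
    """Return a list of policy findings for one rule (empty list = compliant)."""
    findings = []
    # Only allow-rules that expose one of the directory ports are interesting.
    if rule.action != "allow" or rule.port not in (LDAP_PORT, LDAPS_PORT):
        return findings

    cidr = "0.0.0.0/0" if rule.source.lower() == "any" else rule.source
    src = ipaddress.ip_network(cidr, strict=False)

    if src.num_addresses > MAX_PREFIX_HOSTS:
        findings.append(f"{rule.name}: source {src} is not tied down to a specific address")
    elif str(src) not in approved:
        findings.append(f"{rule.name}: source {src} is not on the approved vendor list")

    if rule.port == LDAP_PORT:
        findings.append(f"{rule.name}: plaintext LDAP ({LDAP_PORT}) exposed; allow only LDAPS ({LDAPS_PORT})")

    return findings


def audit_rules(rules, approved=APPROVED_SOURCES):
    """Audit a whole ruleset and return every finding in rule order."""
    findings = []
    for rule in rules:
        findings.extend(audit_rule(rule, approved))
    return findings


if __name__ == "__main__":
    for line in audit_rules(SAMPLE_RULES):
        print(line)
```

On the constructed sample this reports three findings: the wiki rule open to any source, and the legacy rule both for its /24 source and for exposing plaintext 389; the two rules scoped to approved vendor addresses on 636 pass. The `approved` allow-list is the part worth keeping current, since a rule that is narrow but points at an address nobody agreed to is still an exposure.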

Author Closing Comment

ID: 41748341
Thanks for your help, much appreciated.
