Solved

AD LDS, AD FS, RODC, LDAP access for 3rd party vendors?

Posted on 2016-08-03
5
65 Views
Last Modified: 2016-08-09
Hi,

We have had a request to allow LDAP lookups from a couple of external applications to our network. Moving forward with this what would be the best scenario? I have scaled the "google" and getting mix things come up and tbh got a bit lost with it all.

So the solution I am thinking of going down:

AD LDS - for LDAP lookup
AD FS   -  for single sign on services (future proof for office 365)

These systems..........

Can I install both systems on the same server?

Do I put a server in the DMZ and then open the ports required back to the network through firewall A.

Then allow this server firewall B access to the outside world?

Or is it a NAT passthrough to the server on the internal network?

there doesn't seem to be a clear guide on a good solution, and what I found is going back to server 2003.

I might be looking in the wrong place but I definitely need some advice from the pros on this one.

Cheers
0
Comment
Question by:Colchester_Institute
5 Comments
 
LVL 38

Assisted Solution

by:Adam Brown
Adam Brown earned 125 total points
ID: 41741532
I would not recommend putting ADFS and AD LDS on the same system. Best practice for AD LDS is to put it on a non-domain server, and ADFS won't work if it's not on the domain.

The way you would allow access to an AD LDS instance is to place it in a location that is accessible by the third party, preferably over Secure LDAP, which uses port 636. You would then grant that server the ability to read AD over port 636. By default, Secure LDAP isn't enabled on AD, but all you have to do to enable it is install a certificate on your DCs. It doesn't have to be a valid certificate, so you can use a self-signed cert on the DCs, but it's more secure if you have a CA Server in your environment issue the certs.

The reason for setting this up to use Secure LDAP is because LDAP sends data more or less in the clear, so it's pretty important to make sure that data is encrypted, which requires Secure LDAP to accomplish.

Once you have communication between AD LDS and AD allowed, https://windorks.wordpress.com/2014/09/02/syncing-lds-to-ad-ds/ will tell you how to set up the AD LDS instance to sync data out of AD. You should be able to limit the attributes the third party vendor has access to.
0
 
LVL 1

Author Comment

by:Colchester_Institute
ID: 41742218
Hi Adam,

Thanks for the reply!

I have installed AD LDS on a server in the DMZ.  

I have also installed AD LDS on a domain controller and setup an instance for it to talk to. What I did notice is that the DC already has an NTDS instance running on 389 and 636.

I added the ldap ports to TMG and when replicating the AD LDS to the DMZ server it says the port already in use so I cannot use the NTDS instance

So I created the TCP ports 6389 & 6636, created a new instance, the dmz server can see the instance but I cannot get the service started on it.

I have a wildcart certificate for the company could I use this for secure SSL.

thanks so far.
0
 
LVL 36

Assisted Solution

by:ArneLovius
ArneLovius earned 125 total points
ID: 41744616
Wildcard certificates work well for HTTPS, but not for STARTTLS on SMTP, or LDAPS

AD LDS is great for adding a layer of isolation, but it can sometime be simpler to just allow LDAPS (only port 636, not LDAP on 389) from a 3rd party (tied down by specific address, or over a VPN tunnel) to a RoDC, or in a small environment, direct to a DC.

It's all about trust, if its a hosted provider of Financial/HR software, then you might have a higher level of trust than a a hosted WiKi provider...

ADFS is a completely different beast
0
 
LVL 36

Accepted Solution

by:
Jian An Lim earned 250 total points
ID: 41745937
I would not complex your issue.

I will enable LDAPS on DC then, just NAT it via firewall and protected with known IP address.
you should never expose LDAPS to any source.

With known IP address, you can even go with LDAP.

Technically, you can complex it with AD LDS or something else, but i always ask what is your purpose, because technology keep changing, today it might be ADFS but in future, you might port all of these functions to Azure AD. who knows.
0
 
LVL 1

Author Closing Comment

by:Colchester_Institute
ID: 41748341
Thanks for you help much appreciated.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Join & Write a Comment

Companies that have implemented Microsoft’s Active Directory need to ensure that the Active Directory is configured and operating properly. If there are issues found and not resolved, it eventually leads the components to fail or stop working and fi…
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now