AD LDS, AD FS, RODC, LDAP access for 3rd party vendors?

Posted on 2016-08-03
Last Modified: 2016-08-09

We have had a request to allow LDAP lookups from a couple of external applications to our network. Moving forward with this, what would be the best scenario? I have scoured Google and mixed things come up, and tbh I got a bit lost with it all.

So the solution I am thinking of going down:

AD LDS - for LDAP lookup
AD FS   -  for single sign on services (future proof for office 365)

These systems..........

Can I install both systems on the same server?

Do I put a server in the DMZ and then open the required ports back to the network through firewall A?

Then allow this server access to the outside world through firewall B?

Or is it a NAT passthrough to the server on the internal network?

There doesn't seem to be a clear guide on a good solution, and what I found goes back to Server 2003.

I might be looking in the wrong place but I definitely need some advice from the pros on this one.

Question by:Colchester_Institute

Assisted Solution

by:Adam Brown
Adam Brown earned 125 total points
ID: 41741532
I would not recommend putting ADFS and AD LDS on the same system. Best practice for AD LDS is to put it on a non-domain server, and ADFS won't work if it's not on the domain.

The way you would allow access to an AD LDS instance is to place it in a location that is accessible by the third party, preferably over Secure LDAP, which uses port 636. You would then grant that server the ability to read AD over port 636. By default, Secure LDAP isn't enabled on AD, but all you have to do to enable it is install a certificate on your DCs. It doesn't have to be a valid certificate, so you can use a self-signed cert on the DCs, but it's more secure if you have a CA Server in your environment issue the certs.

The reason for setting this up to use Secure LDAP is because LDAP sends data more or less in the clear, so it's pretty important to make sure that data is encrypted, which requires Secure LDAP to accomplish.

Once you have communication between AD LDS and AD allowed, will tell you how to set up the AD LDS instance to sync data out of AD. You should be able to limit the attributes the third party vendor has access to.
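As an added check to go with the advice above (this is not part of Adam's answer or any Microsoft tooling), the PowerShell below does two things a practitioner wants before handing a vendor an LDAP endpoint: it opens a TLS session to port 636 and reports the certificate the DC actually presents, including whether Schannel accepts its chain and name (a self-signed DC certificate shows up as a chain error unless the client has been told to trust it), and it performs a simple bind with and without TLS so you can see whether the DC still accepts credentials in the clear on 389. The server name `dc01.corp.example.com` and the bind account are placeholders.

```powershell
# Added example: probe a DC's LDAPS endpoint and report the certificate it presents.
# Assumed names: dc01.corp.example.com and the bind account are placeholders.
function Get-LdapsCertificateReport {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 636
    )
    $state = @{ Errors = $null }
    # Record what Schannel thinks of the certificate (chain, name match) instead of
    # failing the handshake, so a self-signed DC cert can still be inspected.
    $sb = {
        param($sender, $cert, $chain, $errors)
        $state.Errors = $errors
        return $true
    }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]$sb

    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($Server, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($Server)
        $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $san    = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }
        [pscustomobject]@{
            Server         = $Server
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            SelfSigned     = ($cert.Subject -eq $cert.Issuer)
            NotAfter       = $cert.NotAfter
            SubjectAltName = $san            # the DC FQDN must be covered here or in Subject
            Protocol       = $ssl.SslProtocol
            # None = chain trusted and name matches. RemoteCertificateChainErrors is what a
            # self-signed DC cert produces on a client that has not been told to trust it.
            PolicyErrors   = $state.Errors
        }
    }
    finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

function Test-LdapBind {
    # Returns $true if a simple bind succeeds. With -UseSsl the credentials travel inside TLS;
    # without it they cross the wire on 389 in the clear, which is the exposure LDAPS removes.
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][int]$Port,
        [Parameter(Mandatory)][pscredential]$Credential,
        [switch]$UseSsl
    )
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = [bool]$UseSsl   # LDAPS on connect, not STARTTLS
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = $Credential.GetNetworkCredential()
    try     { $conn.Bind(); return $true }
    catch   { Write-Warning "Bind to ${Server}:${Port} failed: $($_.Exception.Message)"; return $false }
    finally { $conn.Dispose() }
}

# Usage (placeholders): a low-privilege lookup account is what the vendor should get, never an admin.
$dc   = 'dc01.corp.example.com'
$cred = Get-Credential 'CORP\svc-vendor-lookup'
Get-LdapsCertificateReport -Server $dc | Format-List
Test-LdapBind -Server $dc -Port 636 -Credential $cred -UseSsl
# If this one also returns $true, the DC still accepts simple binds in the clear on 389.
Test-LdapBind -Server $dc -Port 389 -Credential $cred
```

Read `PolicyErrors` first: `None` means the certificate chain is trusted by this client and the name you connected to is covered by the certificate, which is the state an external LDAPS client needs to be in; anything else tells you exactly which of the two the vendor's client will have to tolerate or you will have to fix. The final 389 bind is the reason for the whole exercise: if it succeeds, the same credentials a vendor would use can be read off the network by anyone between them and the DC.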

Author Comment

ID: 41742218
Hi Adam,

Thanks for the reply!

I have installed AD LDS on a server in the DMZ.  

I have also installed AD LDS on a domain controller and setup an instance for it to talk to. What I did notice is that the DC already has an NTDS instance running on 389 and 636.

I added the LDAP ports to TMG and when replicating the AD LDS to the DMZ server it says the port is already in use, so I cannot use the NTDS instance.

So I created the TCP ports 6389 & 6636 and created a new instance; the DMZ server can see the instance but I cannot get the service started on it.

I have a wildcard certificate for the company; could I use this for secure SSL?

thanks so far.
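The port collision described above is expected on a DC: NTDS already owns 389/636 (and 3268/3269 for the global catalog), so a second instance on the same box needs its own pair. The following PowerShell is an added example, not the poster's exact steps or Microsoft's own script: it checks the chosen ports are free before doing anything, installs the AD LDS role, creates the instance unattended through `adaminstall.exe` with an `[ADAMInstall]` answer file, and then confirms the `ADAM_<InstanceName>` service is listening where it should. The instance name, partition DN, data paths, and the service and administrator accounts are placeholders; 6389/6636 are the ports from the thread.

```powershell
# Added example (not the poster's exact steps): create an AD LDS instance on ports that do not
# collide with NTDS. Names, paths, partition DN and accounts are placeholders; 6389/6636 are
# the ports chosen in the thread.
$InstanceName    = 'VendorLookup'
$LdapPort        = 6389
$LdapsPort       = 6636
$PartitionDN     = 'CN=VendorLookup,DC=corp,DC=example,DC=com'   # assumed application partition
$AdminAccount    = 'CORP\ADLDS-Admins'                          # assumed group that will administer the instance
$ServiceAccount  = 'CORP\svc-adlds'                             # assumed; on a non-domain DMZ host use a local account
$ServicePassword = Read-Host -Prompt "Password for $ServiceAccount" -AsSecureString

# 1. Fail early if the chosen ports are taken. On a DC, NTDS already owns 389/636 and 3268/3269,
#    which is why a second instance there needs its own pair.
$listening = Get-NetTCPConnection -State Listen | Where-Object { $_.LocalPort -in @($LdapPort, $LdapsPort) }
if ($listening) {
    throw "Port(s) already in use: $(($listening.LocalPort | Sort-Object -Unique) -join ', ')"
}

# 2. The role itself.
Install-WindowsFeature -Name ADLDS | Out-Null

# 3. Unattended answer file. The keys are the documented [ADAMInstall] keys. The service password
#    has to be plaintext in the file, so it is written to a temp path and removed right afterwards.
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
            [Runtime.InteropServices.Marshal]::SecureStringToBSTR($ServicePassword))
$answer = @"
[ADAMInstall]
InstallType=Unique
InstanceName=$InstanceName
LocalLDAPPortToListenOn=$LdapPort
LocalSSLPortToListenOn=$LdapsPort
NewApplicationPartitionToCreate="$PartitionDN"
DataFilesPath=C:\ADLDS\$InstanceName\data
LogFilesPath=C:\ADLDS\$InstanceName\data
ServiceAccount=$ServiceAccount
ServicePassword=$plain
AddPermissionsToServiceAccount=Yes
Administrator=$AdminAccount
ImportLDIFFiles="MS-InetOrgPerson.LDF" "MS-User.LDF"
"@
$answerPath = Join-Path $env:TEMP "adlds-$InstanceName.txt"
try {
    Set-Content -Path $answerPath -Value $answer -Encoding ASCII
    & "$env:windir\ADAM\adaminstall.exe" /answer:$answerPath
    if ($LASTEXITCODE -ne 0) { throw "adaminstall.exe exited with $LASTEXITCODE" }
}
finally {
    Remove-Item $answerPath -ErrorAction SilentlyContinue
    $plain = $null
}

# 4. The instance runs as service ADAM_<InstanceName>; confirm it is up and on the right ports.
Get-Service -Name "ADAM_$InstanceName"
Get-NetTCPConnection -State Listen | Where-Object { $_.LocalPort -in @($LdapPort, $LdapsPort) } |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

For the DMZ copy that replicates from this one, the answer file uses `InstallType=Replica` together with the `SourceServer` and `SourceLDAPPort` keys pointing at the internal instance and its LDAP port, and the DMZ host must be able to reach that port through the inner firewall. Keep the vendor-facing host off the domain, as the first answer recommends, so the service account there is a local account rather than a domain one.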

Assisted Solution

ArneLovius earned 125 total points
ID: 41744616
Wildcard certificates work well for HTTPS, but not for STARTTLS on SMTP, or LDAPS

AD LDS is great for adding a layer of isolation, but it can sometimes be simpler to just allow LDAPS (only port 636, not LDAP on 389) from a 3rd party (tied down to a specific address, or over a VPN tunnel) to an RODC, or in a small environment, direct to a DC.

It's all about trust: if it's a hosted provider of financial/HR software, then you might have a higher level of trust than for a hosted wiki provider...

ADFS is a completely different beast

Accepted Solution

Jian An Lim earned 250 total points
ID: 41745937
I would not complicate your issue.

I would enable LDAPS on the DC, then just NAT it via the firewall and protect it with a known IP address.
You should never expose LDAPS to any source.

With a known IP address, you can even go with LDAP.

Technically, you can complicate it with AD LDS or something else, but I always ask what your purpose is, because technology keeps changing; today it might be ADFS, but in the future you might port all of these functions to Azure AD. Who knows.
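Both this answer and the previous one rest on the same control: the exposed DC or RODC answers LDAPS only to the vendor's known source addresses. The perimeter NAT rule is where that restriction lives first, but the host firewall on the DC is the layer you control from PowerShell and the one that still holds if the perimeter rule is ever widened. The script below is an added example (not from either answer): it lists every enabled inbound allow rule that opens an LDAP port together with the remote scope it permits, pulls any rule scoped to `Any` back to the internal networks, and adds a single 636-only rule for the vendor. The vendor addresses `203.0.113.10`/`.11` (TEST-NET-3), the internal range `10.0.0.0/8` and the rule names are assumptions.

```powershell
# Added example, not from the thread: scope LDAP/LDAPS on the exposed DC (or RODC) so that only
# the vendor's known source addresses reach 636, internal networks keep 389/636/3268/3269, and
# nothing else is allowed in. Assumed values: vendor egress 203.0.113.10 and 203.0.113.11
# (TEST-NET-3), internal range 10.0.0.0/8, and the rule display names.
$VendorSources = @('203.0.113.10', '203.0.113.11')
$InternalNets  = @('10.0.0.0/8')        # must cover every DC, member and admin subnet that needs LDAP
$LdapPorts     = @('389', '636', '3268', '3269')

function Get-LdapExposure {
    # Every enabled inbound Allow rule that opens an LDAP port, with the remote scope it permits.
    # 'Any' in RemoteAddress on such a rule means the host firewall is not limiting who can bind.
    Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and ($_.LocalPort | Where-Object { $_ -in $LdapPorts }) } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        ForEach-Object {
            $r = $_
            [pscustomobject]@{
                Rule          = $r.DisplayName
                LocalPort     = (($r | Get-NetFirewallPortFilter).LocalPort -join ',')
                RemoteAddress = (($r | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
                Profile       = $r.Profile
            }
        }
}

# 1. Default inbound policy: drop whatever no rule allows.
Set-NetFirewallProfile -All -DefaultInboundAction Block

# 2. Pull every existing 'Any'-scoped LDAP allow rule (for example the built-in Domain Controller
#    LDAP rules) back to the internal networks only, rather than deleting it.
Get-LdapExposure | Where-Object { $_.RemoteAddress -eq 'Any' } | ForEach-Object {
    Set-NetFirewallRule -DisplayName $_.Rule -RemoteAddress $InternalNets
}

# 3. The one hole for the vendor: LDAPS only, from known addresses only. No 389 rule exists for
#    them, so a client that falls back to clear-text LDAP is refused rather than served.
New-NetFirewallRule -DisplayName 'LDAPS from vendor (known IPs)' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 636 -RemoteAddress $VendorSources -Profile Any | Out-Null

# 4. Verify: the only rule whose RemoteAddress includes the vendor should be the 636 rule.
Get-LdapExposure | Format-Table -AutoSize
```

Run `Get-LdapExposure` on its own first and check the output before applying steps 1 to 3: `$InternalNets` has to include every subnet that legitimately talks LDAP to this server (other domain controllers, member servers, the admin network, and any IPv6 ranges in use), or step 2 will cut them off along with the rest of the world.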

Author Closing Comment

ID: 41748341
Thanks for your help, much appreciated.
