Adding LDAP role to domain controller

scottalanmiller

AD DS uses LDAP. At its core AD is an LDAP server. LDAP and Kerberos are partners, not competitors. You cant have AD without LDAP.

scottalanmiller

What most people add is a Kereros-less LDAP system to use with other apps that cant handle the full AD stack.

dbeato

What will be the purpose of setting up LDAP here? AD uses the LDAP protocol. Since you have a Microsoft AD then look at this
https://astrix.co.uk/news/2020/1/31/how-to-set-up-secure-ldap-for-active-directory

dave247

@scottalanmiller said in Adding LDAP role to domain controller:

AD DS uses LDAP. At its core AD is an LDAP server. LDAP and Kerberos are partners, not competitors. You cant have AD without LDAP.

Yeah see that's what I thought but then when I go into Add Roles and Features, why isn't the LDAP role added?

ok after looking at that screenshot and actually reading it... that is "Active Directory Lightweight Directory Services" which initially sounded like Lightweight Directory Access Protocol to me... but I guess it's not? This guide also had me thinking that was the LDAP role as well: https://docs.microsoft.com/en-us/archive/blogs/microsoftrservertigerteam/step-by-step-guide-to-setup-ldaps-on-windows-server

still reading though...

dave247

@dbeato said in Adding LDAP role to domain controller:

What will be the purpose of setting up LDAP here? AD uses the LDAP protocol. Since you have a Microsoft AD then look at this
https://astrix.co.uk/news/2020/1/31/how-to-set-up-secure-ldap-for-active-directory

That looks like a really good guide! I will read through that asap once my house settles down. Thanks!

magicmarker

@dave247 said in Adding LDAP role to domain controller:

@dbeato said in Adding LDAP role to domain controller:

What will be the purpose of setting up LDAP here? AD uses the LDAP protocol. Since you have a Microsoft AD then look at this
https://astrix.co.uk/news/2020/1/31/how-to-set-up-secure-ldap-for-active-directory

That looks like a really good guide! I will read through that asap once my house settles down. Thanks!

Agreed! This is the best guide I've seen. Thank you @dbeato!

scottalanmiller

@dave247 said in Adding LDAP role to domain controller:

Yeah see that's what I thought but then when I go into Add Roles and Features, why isn't the LDAP role added?

LDS is LDS, not LDAP. AD DS is LDAP already. LDS is AD LDAP without other things. AD LDS is specifically LDAP set up for applications, as it says in the description. Nothing that it says suggests that it is installing LDAP or that AD DS isn't LDAP. It simply says that this is LDS: a different LDAP for a different purpose than the LDAP that you already have.

scottalanmiller

Remember a few key points...

1. AD is an LDAP server. Without LDAP, you can't have AD. So all AD uses LDAP.
2. LDAP is just a general purpose query protocol. Can be used for many things.
3. AD DS is LDAP but set up in an extremely specific way, with a lot of security, tight organization, features, etc.
4. LDAP is a lot like SQL. Generic, can be used for almost anything.
5. LDS is a another way to use the same underlying LDAP as AD DS uses, but for a totally different purpose.

Obsolesce

@scottalanmiller said in Adding LDAP role to domain controller:

AD DS uses LDAP. At its core AD is an LDAP server. LDAP and Kerberos are partners, not competitors. You cant have AD without LDAP.

LDAP is a protocol, Kerberos is cryptographic authentication method.

scottalanmiller

@Obsolesce said in Adding LDAP role to domain controller:

@scottalanmiller said in Adding LDAP role to domain controller:

AD DS uses LDAP. At its core AD is an LDAP server. LDAP and Kerberos are partners, not competitors. You cant have AD without LDAP.

LDAP is a protocol, Kerberos is cryptographic authentication method.

Well, both are protocols. A better wording is...

LDAP is a database query protocol; Kerberos is an authentication protocol.

dave247

@scottalanmiller said in Adding LDAP role to domain controller:

Remember a few key points...

1. AD is an LDAP server. Without LDAP, you can't have AD. So all AD uses LDAP.
2. LDAP is just a general purpose query protocol. Can be used for many things.
3. AD DS is LDAP but set up in an extremely specific way, with a lot of security, tight organization, features, etc.
4. LDAP is a lot like SQL. Generic, can be used for almost anything.
5. LDS is a another way to use the same underlying LDAP as AD DS uses, but for a totally different purpose.

Thanks for this helpful info. I realize that I really need to dig a bit deeper and make sure I understand the fundamentals of Windows AD and general administration

Obsolesce

@scottalanmiller said in Adding LDAP role to domain controller:

@Obsolesce said in Adding LDAP role to domain controller:

@scottalanmiller said in Adding LDAP role to domain controller:

AD DS uses LDAP. At its core AD is an LDAP server. LDAP and Kerberos are partners, not competitors. You cant have AD without LDAP.

LDAP is a protocol, Kerberos is cryptographic authentication method.

Well, both are protocols. A better wording is...

LDAP is a database query protocol; Kerberos is an authentication protocol.

Yeah better said, both protocols.

Fredtx

@dbeato So what affect will this new Windows update have in March 2020 if it's in installed on an AD server that is still using the default non secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile ssl vpn via LDAP (ad user account & pw) so I can see how that will affect them and I'm guessing they will be unable to authenticate and therefore not be able to connect to their vpn?

scottalanmiller

@Fredtx said in Adding LDAP role to domain controller:

@dbeato So what affect will this new Windows update have in March 2020 if it's in installed on an AD server that is still using the default non secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile ssl vpn via LDAP (ad user account & pw) so I can see how that will affect them and I'm guessing they will be unable to authenticate and therefore not be able to connect to their vpn?

I don't think it does anything for normal users. Because LDAP protocol is not used on the outside normally.

dbeato

@Fredtx said in Adding LDAP role to domain controller:

@dbeato So what affect will this new Windows update have in March 2020 if it's in installed on an AD server that is still using the default non secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile ssl vpn via LDAP (ad user account & pw) so I can see how that will affect them and I'm guessing they will be unable to authenticate and therefore not be able to connect to their vpn?

The LDAP connection between the SSL VPN and your AD Server is the one affected.

dave247

@Fredtx said in Adding LDAP role to domain controller:

@dbeato So what affect will this new Windows update have in March 2020 if it's in installed on an AD server that is still using the default non secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile ssl vpn via LDAP (ad user account & pw) so I can see how that will affect them and I'm guessing they will be unable to authenticate and therefore not be able to connect to their vpn?

We have a couple of applications (internal and external) that rely on LDAP for user/group sync so it will break any of those connections that aren't using LDAPS over port 389.

pmoncho

@dbeato said in Adding LDAP role to domain controller:

@Fredtx said in Adding LDAP role to domain controller:

@dbeato So what affect will this new Windows update have in March 2020 if it's in installed on an AD server that is still using the default non secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile ssl vpn via LDAP (ad user account & pw) so I can see how that will affect them and I'm guessing they will be unable to authenticate and therefore not be able to connect to their vpn?

The LDAP connection between the SSL VPN and your AD Server is the one affected.

In this instance, The SSL-VPN (with AD connection) would need LDAPS setup which, at minimum, would require a internal Windows CA to be setup correct?

dave247

@pmoncho said in Adding LDAP role to domain controller:

@dbeato said in Adding LDAP role to domain controller:

@Fredtx said in Adding LDAP role to domain controller:

@dbeato So what affect will this new Windows update have in March 2020 if it's in installed on an AD server that is still using the default non secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile ssl vpn via LDAP (ad user account & pw) so I can see how that will affect them and I'm guessing they will be unable to authenticate and therefore not be able to connect to their vpn?

The LDAP connection between the SSL VPN and your AD Server is the one affected.

In this instance, The SSL-VPN (with AD connection) would need LDAPS setup which, at minimum, would require a internal Windows CA to be setup correct?

Yes, that is correct. We have one set up which was easy enough but there is still some overhead there.. probably easier to just buy a public cert

pmoncho

@dave247 said in Adding LDAP role to domain controller:

@pmoncho said in Adding LDAP role to domain controller:

@dbeato said in Adding LDAP role to domain controller:

@Fredtx said in Adding LDAP role to domain controller:

@dbeato So what affect will this new Windows update have in March 2020 if it's in installed on an AD server that is still using the default non secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile ssl vpn via LDAP (ad user account & pw) so I can see how that will affect them and I'm guessing they will be unable to authenticate and therefore not be able to connect to their vpn?

The LDAP connection between the SSL VPN and your AD Server is the one affected.

In this instance, The SSL-VPN (with AD connection) would need LDAPS setup which, at minimum, would require a internal Windows CA to be setup correct?

Yes, that is correct. We have one set up which was easy enough but there is still some overhead there.. probably easier to just buy a public cert

Currently we are on a .local domain and I believe we would need a cert for the DC itself, thus I don't believe I am able to get a public cert. Please correct me if I am wrong of if there is a way around this.

I am not looking forward to creating my own internal CA but I will if needed.

dbeato

@pmoncho said in Adding LDAP role to domain controller:

@dave247 said in Adding LDAP role to domain controller:

@pmoncho said in Adding LDAP role to domain controller:

@dbeato said in Adding LDAP role to domain controller:

@Fredtx said in Adding LDAP role to domain controller:

@dbeato So what affect will this new Windows update have in March 2020 if it's in installed on an AD server that is still using the default non secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile ssl vpn via LDAP (ad user account & pw) so I can see how that will affect them and I'm guessing they will be unable to authenticate and therefore not be able to connect to their vpn?

The LDAP connection between the SSL VPN and your AD Server is the one affected.

In this instance, The SSL-VPN (with AD connection) would need LDAPS setup which, at minimum, would require a internal Windows CA to be setup correct?

Yes, that is correct. We have one set up which was easy enough but there is still some overhead there.. probably easier to just buy a public cert

Currently we are on a .local domain and I believe we would need a cert for the DC itself, thus I don't believe I am able to get a public cert. Please correct me if I am wrong of if there is a way around this.

I am not looking forward to creating my own internal CA but I will if needed.

You are correct. internal CA should not be complicated.