Adding LDAP role to domain controller
-
@dave247 said in Adding LDAP role to domain controller:
@dbeato said in Adding LDAP role to domain controller:
What will be the purpose of setting up LDAP here? AD uses the LDAP protocol. Since you have a Microsoft AD then look at this
https://astrix.co.uk/news/2020/1/31/how-to-set-up-secure-ldap-for-active-directoryThat looks like a really good guide! I will read through that asap once my house settles down. Thanks!
Agreed! This is the best guide I've seen. Thank you @dbeato!
-
@dave247 said in Adding LDAP role to domain controller:
Yeah see that's what I thought but then when I go into Add Roles and Features, why isn't the LDAP role added?
LDS is LDS, not LDAP. AD DS is LDAP already. LDS is AD LDAP without other things. AD LDS is specifically LDAP set up for applications, as it says in the description. Nothing that it says suggests that it is installing LDAP or that AD DS isn't LDAP. It simply says that this is LDS: a different LDAP for a different purpose than the LDAP that you already have.
-
Remember a few key points...
- AD is an LDAP server. Without LDAP, you can't have AD. So all AD uses LDAP.
- LDAP is just a general purpose query protocol. Can be used for many things.
- AD DS is LDAP but set up in an extremely specific way, with a lot of security, tight organization, features, etc.
- LDAP is a lot like SQL. Generic, can be used for almost anything.
- LDS is a another way to use the same underlying LDAP as AD DS uses, but for a totally different purpose.
-
@scottalanmiller said in Adding LDAP role to domain controller:
AD DS uses LDAP. At its core AD is an LDAP server. LDAP and Kerberos are partners, not competitors. You cant have AD without LDAP.
LDAP is a protocol, Kerberos is cryptographic authentication method.
-
@Obsolesce said in Adding LDAP role to domain controller:
@scottalanmiller said in Adding LDAP role to domain controller:
AD DS uses LDAP. At its core AD is an LDAP server. LDAP and Kerberos are partners, not competitors. You cant have AD without LDAP.
LDAP is a protocol, Kerberos is cryptographic authentication method.
Well, both are protocols. A better wording is...
LDAP is a database query protocol; Kerberos is an authentication protocol.
-
@scottalanmiller said in Adding LDAP role to domain controller:
Remember a few key points...
- AD is an LDAP server. Without LDAP, you can't have AD. So all AD uses LDAP.
- LDAP is just a general purpose query protocol. Can be used for many things.
- AD DS is LDAP but set up in an extremely specific way, with a lot of security, tight organization, features, etc.
- LDAP is a lot like SQL. Generic, can be used for almost anything.
- LDS is a another way to use the same underlying LDAP as AD DS uses, but for a totally different purpose.
Thanks for this helpful info. I realize that I really need to dig a bit deeper and make sure I understand the fundamentals of Windows AD and general administration
-
@scottalanmiller said in Adding LDAP role to domain controller:
@Obsolesce said in Adding LDAP role to domain controller:
@scottalanmiller said in Adding LDAP role to domain controller:
AD DS uses LDAP. At its core AD is an LDAP server. LDAP and Kerberos are partners, not competitors. You cant have AD without LDAP.
LDAP is a protocol, Kerberos is cryptographic authentication method.
Well, both are protocols. A better wording is...
LDAP is a database query protocol; Kerberos is an authentication protocol.
Yeah better said, both protocols.
-
@dbeato So what affect will this new Windows update have in March 2020 if it's in installed on an AD server that is still using the default non secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile ssl vpn via LDAP (ad user account & pw) so I can see how that will affect them and I'm guessing they will be unable to authenticate and therefore not be able to connect to their vpn?
-
@Fredtx said in Adding LDAP role to domain controller:
@dbeato So what affect will this new Windows update have in March 2020 if it's in installed on an AD server that is still using the default non secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile ssl vpn via LDAP (ad user account & pw) so I can see how that will affect them and I'm guessing they will be unable to authenticate and therefore not be able to connect to their vpn?
I don't think it does anything for normal users. Because LDAP protocol is not used on the outside normally.
-
@Fredtx said in Adding LDAP role to domain controller:
@dbeato So what affect will this new Windows update have in March 2020 if it's in installed on an AD server that is still using the default non secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile ssl vpn via LDAP (ad user account & pw) so I can see how that will affect them and I'm guessing they will be unable to authenticate and therefore not be able to connect to their vpn?
The LDAP connection between the SSL VPN and your AD Server is the one affected.
-
@Fredtx said in Adding LDAP role to domain controller:
@dbeato So what affect will this new Windows update have in March 2020 if it's in installed on an AD server that is still using the default non secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile ssl vpn via LDAP (ad user account & pw) so I can see how that will affect them and I'm guessing they will be unable to authenticate and therefore not be able to connect to their vpn?
We have a couple of applications (internal and external) that rely on LDAP for user/group sync so it will break any of those connections that aren't using LDAPS over port 389.
-
@dbeato said in Adding LDAP role to domain controller:
@Fredtx said in Adding LDAP role to domain controller:
@dbeato So what affect will this new Windows update have in March 2020 if it's in installed on an AD server that is still using the default non secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile ssl vpn via LDAP (ad user account & pw) so I can see how that will affect them and I'm guessing they will be unable to authenticate and therefore not be able to connect to their vpn?
The LDAP connection between the SSL VPN and your AD Server is the one affected.
In this instance, The SSL-VPN (with AD connection) would need LDAPS setup which, at minimum, would require a internal Windows CA to be setup correct?
-
@pmoncho said in Adding LDAP role to domain controller:
@dbeato said in Adding LDAP role to domain controller:
@Fredtx said in Adding LDAP role to domain controller:
@dbeato So what affect will this new Windows update have in March 2020 if it's in installed on an AD server that is still using the default non secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile ssl vpn via LDAP (ad user account & pw) so I can see how that will affect them and I'm guessing they will be unable to authenticate and therefore not be able to connect to their vpn?
The LDAP connection between the SSL VPN and your AD Server is the one affected.
In this instance, The SSL-VPN (with AD connection) would need LDAPS setup which, at minimum, would require a internal Windows CA to be setup correct?
Yes, that is correct. We have one set up which was easy enough but there is still some overhead there.. probably easier to just buy a public cert
-
@dave247 said in Adding LDAP role to domain controller:
@pmoncho said in Adding LDAP role to domain controller:
@dbeato said in Adding LDAP role to domain controller:
@Fredtx said in Adding LDAP role to domain controller:
@dbeato So what affect will this new Windows update have in March 2020 if it's in installed on an AD server that is still using the default non secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile ssl vpn via LDAP (ad user account & pw) so I can see how that will affect them and I'm guessing they will be unable to authenticate and therefore not be able to connect to their vpn?
The LDAP connection between the SSL VPN and your AD Server is the one affected.
In this instance, The SSL-VPN (with AD connection) would need LDAPS setup which, at minimum, would require a internal Windows CA to be setup correct?
Yes, that is correct. We have one set up which was easy enough but there is still some overhead there.. probably easier to just buy a public cert
Currently we are on a .local domain and I believe we would need a cert for the DC itself, thus I don't believe I am able to get a public cert. Please correct me if I am wrong of if there is a way around this.
I am not looking forward to creating my own internal CA but I will if needed.
-
@pmoncho said in Adding LDAP role to domain controller:
@dave247 said in Adding LDAP role to domain controller:
@pmoncho said in Adding LDAP role to domain controller:
@dbeato said in Adding LDAP role to domain controller:
@Fredtx said in Adding LDAP role to domain controller:
@dbeato So what affect will this new Windows update have in March 2020 if it's in installed on an AD server that is still using the default non secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile ssl vpn via LDAP (ad user account & pw) so I can see how that will affect them and I'm guessing they will be unable to authenticate and therefore not be able to connect to their vpn?
The LDAP connection between the SSL VPN and your AD Server is the one affected.
In this instance, The SSL-VPN (with AD connection) would need LDAPS setup which, at minimum, would require a internal Windows CA to be setup correct?
Yes, that is correct. We have one set up which was easy enough but there is still some overhead there.. probably easier to just buy a public cert
Currently we are on a .local domain and I believe we would need a cert for the DC itself, thus I don't believe I am able to get a public cert. Please correct me if I am wrong of if there is a way around this.
I am not looking forward to creating my own internal CA but I will if needed.
You are correct. internal CA should not be complicated.
-
@dbeato said in Adding LDAP role to domain controller:
@pmoncho said in Adding LDAP role to domain controller:
@dave247 said in Adding LDAP role to domain controller:
@pmoncho said in Adding LDAP role to domain controller:
@dbeato said in Adding LDAP role to domain controller:
@Fredtx said in Adding LDAP role to domain controller:
@dbeato So what affect will this new Windows update have in March 2020 if it's in installed on an AD server that is still using the default non secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile ssl vpn via LDAP (ad user account & pw) so I can see how that will affect them and I'm guessing they will be unable to authenticate and therefore not be able to connect to their vpn?
The LDAP connection between the SSL VPN and your AD Server is the one affected.
In this instance, The SSL-VPN (with AD connection) would need LDAPS setup which, at minimum, would require a internal Windows CA to be setup correct?
Yes, that is correct. We have one set up which was easy enough but there is still some overhead there.. probably easier to just buy a public cert
Currently we are on a .local domain and I believe we would need a cert for the DC itself, thus I don't believe I am able to get a public cert. Please correct me if I am wrong of if there is a way around this.
I am not looking forward to creating my own internal CA but I will if needed.
You are correct. internal CA should not be complicated.
And I believe someone posted about that here a couple years ago.
-
@JaredBusch said in Adding LDAP role to domain controller:
@dbeato said in Adding LDAP role to domain controller:
@pmoncho said in Adding LDAP role to domain controller:
@dave247 said in Adding LDAP role to domain controller:
@pmoncho said in Adding LDAP role to domain controller:
@dbeato said in Adding LDAP role to domain controller:
@Fredtx said in Adding LDAP role to domain controller:
@dbeato So what affect will this new Windows update have in March 2020 if it's in installed on an AD server that is still using the default non secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile ssl vpn via LDAP (ad user account & pw) so I can see how that will affect them and I'm guessing they will be unable to authenticate and therefore not be able to connect to their vpn?
The LDAP connection between the SSL VPN and your AD Server is the one affected.
In this instance, The SSL-VPN (with AD connection) would need LDAPS setup which, at minimum, would require a internal Windows CA to be setup correct?
Yes, that is correct. We have one set up which was easy enough but there is still some overhead there.. probably easier to just buy a public cert
Currently we are on a .local domain and I believe we would need a cert for the DC itself, thus I don't believe I am able to get a public cert. Please correct me if I am wrong of if there is a way around this.
I am not looking forward to creating my own internal CA but I will if needed.
You are correct. internal CA should not be complicated.
And I believe someone posted about that here a couple years ago.
Thanks. I will do some searching.
-
@dbeato said in Adding LDAP role to domain controller:
@Fredtx said in Adding LDAP role to domain controller:
@dbeato So what affect will this new Windows update have in March 2020 if it's in installed on an AD server that is still using the default non secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile ssl vpn via LDAP (ad user account & pw) so I can see how that will affect them and I'm guessing they will be unable to authenticate and therefore not be able to connect to their vpn?
The LDAP connection between the SSL VPN and your AD Server is the one affected.
What about:
- LDAP connection between site to site VPN due to the office not having an on-premise AD server?
*Exchange 2016 that is on-premise and in the same LAN as AD server?
- LDAP connection between site to site VPN due to the office not having an on-premise AD server?
-
@Fredtx said in Adding LDAP role to domain controller:
@dbeato said in Adding LDAP role to domain controller:
@Fredtx said in Adding LDAP role to domain controller:
@dbeato So what affect will this new Windows update have in March 2020 if it's in installed on an AD server that is still using the default non secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile ssl vpn via LDAP (ad user account & pw) so I can see how that will affect them and I'm guessing they will be unable to authenticate and therefore not be able to connect to their vpn?
The LDAP connection between the SSL VPN and your AD Server is the one affected.
What about:
- LDAP connection between site to site VPN due to the office not having an on-premise AD server?
*Exchange 2016 that is on-premise and in the same LAN as AD server?
What is supporting the site to site VPN? does it somehow tie into AD?
My site to site VPN has no idea about AD, The Exchange/AD traffic is just that - traffic that flows over the VPN. To AD, VPN is just another router, it doesn't care.
- LDAP connection between site to site VPN due to the office not having an on-premise AD server?
-
@Dashrender said in Adding LDAP role to domain controller:
@Fredtx said in Adding LDAP role to domain controller:
@dbeato said in Adding LDAP role to domain controller:
@Fredtx said in Adding LDAP role to domain controller:
@dbeato So what affect will this new Windows update have in March 2020 if it's in installed on an AD server that is still using the default non secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile ssl vpn via LDAP (ad user account & pw) so I can see how that will affect them and I'm guessing they will be unable to authenticate and therefore not be able to connect to their vpn?
The LDAP connection between the SSL VPN and your AD Server is the one affected.
What about:
- LDAP connection between site to site VPN due to the office not having an on-premise AD server?
*Exchange 2016 that is on-premise and in the same LAN as AD server?
What is supporting the site to site VPN? does it somehow tie into AD?
My site to site VPN has no idea about AD, The Exchange/AD traffic is just that - traffic that flows over the VPN. To AD, VPN is just another router, it doesn't care.
There is nothing supporting it. It's just a simple site to site using a PSK with AES 256 encryption, etc. Nothing with AD. I guess I was thinking about the LDAP traffic going through the tunnel that would be of concern, but based on your response I can see there is nothing to be concerned about.
Now, I do know customers who have Synology and Qnap NAS that rely on AD for file shares and such. I would think these would be affected?
- LDAP connection between site to site VPN due to the office not having an on-premise AD server?