    Adding LDAP role to domain controller

    IT Discussion
dave247

I know this is probably a noob question and I am starting to read MS documentation about LDAP and stuff, but I figured I would also ask here just because my brain always requires some level of sideways prep before learning something new... whatever...

So I have my company's DCs (two of them) set up with basic roles: AD DS, DNS, DHCP and a few other services. Nothing fancy. I had assumed LDAP kinda came by default because we have various apps that actually use LDAP to sync users and things. Well, it turns out it was actually lsass.exe that was handling the LDAP requests, and I don't actually have the LDAP or LDAPS roles installed at all. So while LDAP works, I don't actually have LDAP installed.

Now I'm looking into re-educating myself about what LDAP is, how it works and how to install and configure it, etc., mainly because of that LDAPS bulletin from MS.

What I am trying to figure out (for those of you who are familiar with this) is if I can install the LDAP/LDAPS roles without interrupting anything like Kerberos or any other services. I just want to avoid breaking something. Again, I am still reading up to educate myself before I make any changes, but a lot of times there is so much reading that I get a bit overwhelmed and miss stuff, etc.

scottalanmiller

https://www.varonis.com/blog/the-difference-between-active-directory-and-ldap/

scottalanmiller

AD DS uses LDAP. At its core AD is an LDAP server. LDAP and Kerberos are partners, not competitors. You can't have AD without LDAP.

scottalanmiller

What most people add is a Kerberos-less LDAP system to use with other apps that can't handle the full AD stack.

dbeato

What will be the purpose of setting up LDAP here? AD uses the LDAP protocol. Since you have a Microsoft AD, look at this:
https://astrix.co.uk/news/2020/1/31/how-to-set-up-secure-ldap-for-active-directory

dave247 @scottalanmiller

@scottalanmiller said in Adding LDAP role to domain controller:

AD DS uses LDAP. At its core AD is an LDAP server. LDAP and Kerberos are partners, not competitors. You can't have AD without LDAP.

Yeah, see, that's what I thought, but then when I go into Add Roles and Features, why isn't the LDAP role added?
[screenshot: Add Roles and Features]

OK, after looking at that screenshot and actually reading it... that is "Active Directory Lightweight Directory Services", which initially sounded like Lightweight Directory Access Protocol to me... but I guess it's not? This guide also had me thinking that was the LDAP role as well: https://docs.microsoft.com/en-us/archive/blogs/microsoftrservertigerteam/step-by-step-guide-to-setup-ldaps-on-windows-server

Still reading though...

dave247 @dbeato

@dbeato said in Adding LDAP role to domain controller:

What will be the purpose of setting up LDAP here? AD uses the LDAP protocol. Since you have a Microsoft AD, look at this:
https://astrix.co.uk/news/2020/1/31/how-to-set-up-secure-ldap-for-active-directory

That looks like a really good guide! I will read through that ASAP once my house settles down. Thanks!

magicmarker @dave247

@dave247 said in Adding LDAP role to domain controller:

@dbeato said in Adding LDAP role to domain controller:

What will be the purpose of setting up LDAP here? AD uses the LDAP protocol. Since you have a Microsoft AD, look at this:
https://astrix.co.uk/news/2020/1/31/how-to-set-up-secure-ldap-for-active-directory

That looks like a really good guide! I will read through that ASAP once my house settles down. Thanks!

Agreed! This is the best guide I've seen. Thank you @dbeato!

scottalanmiller @dave247

@dave247 said in Adding LDAP role to domain controller:

Yeah, see, that's what I thought, but then when I go into Add Roles and Features, why isn't the LDAP role added?

LDS is LDS, not LDAP. AD DS is LDAP already. LDS is AD LDAP without other things. AD LDS is specifically LDAP set up for applications, as it says in the description. Nothing that it says suggests that it is installing LDAP or that AD DS isn't LDAP. It simply says that this is LDS: a different LDAP for a different purpose than the LDAP that you already have.

scottalanmiller

Remember a few key points...

1. AD is an LDAP server. Without LDAP, you can't have AD. So all AD uses LDAP.
2. LDAP is just a general-purpose query protocol. It can be used for many things.
3. AD DS is LDAP but set up in an extremely specific way, with a lot of security, tight organization, features, etc.
4. LDAP is a lot like SQL. Generic, can be used for almost anything.
5. LDS is another way to use the same underlying LDAP as AD DS uses, but for a totally different purpose.

Obsolesce @scottalanmiller

@scottalanmiller said in Adding LDAP role to domain controller:

AD DS uses LDAP. At its core AD is an LDAP server. LDAP and Kerberos are partners, not competitors. You can't have AD without LDAP.

LDAP is a protocol; Kerberos is a cryptographic authentication method.

scottalanmiller @Obsolesce

@Obsolesce said in Adding LDAP role to domain controller:

@scottalanmiller said in Adding LDAP role to domain controller:

AD DS uses LDAP. At its core AD is an LDAP server. LDAP and Kerberos are partners, not competitors. You can't have AD without LDAP.

LDAP is a protocol; Kerberos is a cryptographic authentication method.

Well, both are protocols. A better wording is...

LDAP is a database query protocol; Kerberos is an authentication protocol.

dave247 @scottalanmiller

@scottalanmiller said in Adding LDAP role to domain controller:

Remember a few key points...

1. AD is an LDAP server. Without LDAP, you can't have AD. So all AD uses LDAP.
2. LDAP is just a general-purpose query protocol. It can be used for many things.
3. AD DS is LDAP but set up in an extremely specific way, with a lot of security, tight organization, features, etc.
4. LDAP is a lot like SQL. Generic, can be used for almost anything.
5. LDS is another way to use the same underlying LDAP as AD DS uses, but for a totally different purpose.

Thanks for this helpful info. I realize that I really need to dig a bit deeper and make sure I understand the fundamentals of Windows AD and general administration 😕

Obsolesce @scottalanmiller

@scottalanmiller said in Adding LDAP role to domain controller:

@Obsolesce said in Adding LDAP role to domain controller:

@scottalanmiller said in Adding LDAP role to domain controller:

AD DS uses LDAP. At its core AD is an LDAP server. LDAP and Kerberos are partners, not competitors. You can't have AD without LDAP.

LDAP is a protocol; Kerberos is a cryptographic authentication method.

Well, both are protocols. A better wording is...

LDAP is a database query protocol; Kerberos is an authentication protocol.

Yeah, better said: both protocols.

Fredtx

@dbeato So what effect will this new Windows update in March 2020 have if it's installed on an AD server that is still using the default non-secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile SSL VPN via LDAP (AD user account & pw), so I can see how that will affect them, and I'm guessing they will be unable to authenticate and therefore not be able to connect to their VPN?

scottalanmiller @Fredtx

@Fredtx said in Adding LDAP role to domain controller:

@dbeato So what effect will this new Windows update in March 2020 have if it's installed on an AD server that is still using the default non-secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile SSL VPN via LDAP (AD user account & pw), so I can see how that will affect them, and I'm guessing they will be unable to authenticate and therefore not be able to connect to their VPN?

I don't think it does anything for normal users, because the LDAP protocol is not normally used on the outside.

dbeato @Fredtx

@Fredtx said in Adding LDAP role to domain controller:

@dbeato So what effect will this new Windows update in March 2020 have if it's installed on an AD server that is still using the default non-secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile SSL VPN via LDAP (AD user account & pw), so I can see how that will affect them, and I'm guessing they will be unable to authenticate and therefore not be able to connect to their VPN?

The LDAP connection between the SSL VPN and your AD server is the one affected.

dave247 @Fredtx

@Fredtx said in Adding LDAP role to domain controller:

@dbeato So what effect will this new Windows update in March 2020 have if it's installed on an AD server that is still using the default non-secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile SSL VPN via LDAP (AD user account & pw), so I can see how that will affect them, and I'm guessing they will be unable to authenticate and therefore not be able to connect to their VPN?

We have a couple of applications (internal and external) that rely on LDAP for user/group sync, so it will break any of those connections that aren't using LDAPS over port 389.

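To answer the "what will it break?" question with data instead of guesswork, here is an added PowerShell example (not from this thread) that lists the clients and accounts still doing cleartext or unsigned LDAP binds against a DC, which are the connections that enforcing LDAP signing affects (LDAPS on 636 is not). It assumes the DC's "16 LDAP Interface Events" diagnostic level has been raised to 2 so that event 2889 is logged per bind, and DC01.corp.example is a placeholder name.

```powershell
# Added example, not from the thread. Lists clients that still bind to a DC in the clear or
# without signing: exactly the connections that enforcing LDAP signing will break.
# Assumption: LDAP Interface Events diagnostics on the DC is set to 2 so that NTDS logs one
# event 2889 per such bind (level 0, the default, only writes the daily 2887 summary):
#   Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
#       -Name '16 LDAP Interface Events' -Value 2
param(
    [string]$DomainController = 'DC01.corp.example',   # placeholder, use your DC's name
    [int]$Hours = 24
)

$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName   = 'Directory Service'
    Id        = 2889
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No 2889 events in the last $Hours h: nothing binds insecurely, or diagnostics is still 0."
    return
}

# Pull the three fields out of the event text rather than trusting Properties[] ordering.
# Field labels are those of the standard 2889 message; IPv4 'addr:port' form is assumed.
$rows = foreach ($e in $events) {
    $m = $e.Message
    $client   = if ($m -match 'Client IP address:\s*(\S+)')   { $Matches[1] -replace ':\d+$', '' } else { '?' }
    $identity = if ($m -match 'authenticate as:\s*([^\r\n]+)') { $Matches[1].Trim() } else { '?' }
    # Binding Type in the event text: 0 = simple bind without TLS, 1 = SASL bind without signing
    $bindType = if ($m -match 'Binding Type:\s*(\d)') {
        if ($Matches[1] -eq '0') { 'Simple bind (cleartext)' } else { 'SASL bind (unsigned)' }
    } else { '?' }
    [pscustomobject]@{ Time = $e.TimeCreated; Client = $client; Identity = $identity; BindType = $bindType }
}

# One line per host/account/bind type: the remediation list (move each to LDAPS on 636 or to
# signed SASL binds) to work through before the hardening is enforced.
$rows | Group-Object Client, Identity, BindType | ForEach-Object {
    [pscustomobject]@{
        Client   = $_.Group[0].Client
        Identity = $_.Group[0].Identity
        BindType = $_.Group[0].BindType
        Binds    = $_.Count
        LastSeen = ($_.Group | Measure-Object Time -Maximum).Maximum
    }
} | Sort-Object Binds -Descending | Format-Table -AutoSize
```

Run it for a full business cycle (24 hours is usually too short for weekly sync jobs) before deciding the list is complete.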
pmoncho @dbeato

@dbeato said in Adding LDAP role to domain controller:

@Fredtx said in Adding LDAP role to domain controller:

@dbeato So what effect will this new Windows update in March 2020 have if it's installed on an AD server that is still using the default non-secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile SSL VPN via LDAP (AD user account & pw), so I can see how that will affect them, and I'm guessing they will be unable to authenticate and therefore not be able to connect to their VPN?

The LDAP connection between the SSL VPN and your AD server is the one affected.

In this instance, the SSL-VPN (with AD connection) would need LDAPS set up, which, at minimum, would require an internal Windows CA to be set up, correct?

dave247 @pmoncho

@pmoncho said in Adding LDAP role to domain controller:

@dbeato said in Adding LDAP role to domain controller:

@Fredtx said in Adding LDAP role to domain controller:

@dbeato So what effect will this new Windows update in March 2020 have if it's installed on an AD server that is still using the default non-secure LDAP? Basically, what will it break? I do know clients who authenticate through their mobile SSL VPN via LDAP (AD user account & pw), so I can see how that will affect them, and I'm guessing they will be unable to authenticate and therefore not be able to connect to their VPN?

The LDAP connection between the SSL VPN and your AD server is the one affected.

In this instance, the SSL-VPN (with AD connection) would need LDAPS set up, which, at minimum, would require an internal Windows CA to be set up, correct?

Yes, that is correct. We have one set up, which was easy enough, but there is still some overhead there... probably easier to just buy a public cert.

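Following the CA/certificate exchange above, here is an added PowerShell example (not the thread's code) that tests whether a DC answers on 636 with a certificate this client trusts and that has the properties a DC certificate needs, so you can verify the LDAPS side before repointing a VPN or sync app at it. It uses System.DirectoryServices.Protocols, which ships with Windows; DC01.corp.example is a placeholder.

```powershell
# Added example, not from the thread. Checks that a DC answers LDAPS on 636 with a
# certificate this client actually trusts and that has what a DC cert needs (the DC's FQDN
# as a SAN, Server Authentication EKU). DC01.corp.example is a placeholder.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsEndpoint {
    param([string]$DomainController = 'DC01.corp.example', [int]$Port = 636)

    $seen = @{}    # filled in by the certificate callback below
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DomainController, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous

    # Record the presented cert but still let the local trust store decide. Returning $true
    # unconditionally here is the common "fix" that silently disables certificate checking.
    $conn.SessionOptions.VerifyServerCertificate = {
        param($connection, $certificate)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $seen.Cert    = $cert
        $seen.Trusted = $chain.Build($cert)
        $seen.Chain   = ($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '
        return $seen.Trusted
    }.GetNewClosure()

    $result = [ordered]@{ Server = "${DomainController}:$Port"; Bound = $false; Error = $null }
    try     { $conn.Bind(); $result.Bound = $true }   # anonymous bind: proves TLS handshake and trust only
    catch   { $result.Error = $_.Exception.Message }  # typically "The LDAP server is unavailable"
    finally { $conn.Dispose() }

    if ($seen.Cert) {
        $c = $seen.Cert
        $result.Subject       = $c.Subject
        $result.Issuer        = $c.Issuer
        $result.NotAfter      = $c.NotAfter
        $result.Trusted       = $seen.Trusted
        $result.ChainStatus   = $seen.Chain
        # DnsNameList / EnhancedKeyUsageList are PowerShell's views of the SAN and EKU extensions
        $result.SanHasFqdn    = [bool]($c.DnsNameList.Unicode -contains $DomainController)
        $result.ServerAuthEku = [bool]($c.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
    }
    [pscustomobject]$result
}

Test-LdapsEndpoint -DomainController 'DC01.corp.example' | Format-List
```

A Bound of $false with a recorded certificate and Trusted of $false means the DC side works and the missing piece is the issuing CA in this client's trust store, which is the overhead the internal-CA route carries.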