
How can we have users in the ADS, but keep them in the LDAP only?

We have already decentralized UNIX authentication based on LDAP Servers. We want to extend this functionality by integrating Windows 2000 authentication on the LDAP Servers too. I've heard it's possible to "replicate" LDAP data into ADS, but I'd like to know if it's possible to keep the authentication out of the Win2000, just like we do in the UNIX world. In summary, we do not want to have users in the ADS, but to keep them in the LDAP only.
The ease of this interoperation depends on whether you are authenticating users with LDAP or with Kerberos. You won't be able to authenticate the Windows 2000 desktop simply with LDAP. You can look for ways to keep the local desktop password in sync with the LDAP password, but then you have a fleet of standalone machines rather than a unified management domain.

If you use Kerberos along with LDAP, you can configure the desktops to use MITv5 Kerberos from a UNIX-based realm. Again, you still lose the advantages of a domain. You need Active Directory for group policies, for instance, and for a central store of groups. Also, setting up cross-realm trusts can be a challenge in MITv5 where it's a breeze in Active Directory.

If you end up deciding to synchronize between your UNIX-based LDAP service and Active Directory, you'll need to invest in a utility that keeps the two databases in sync. This can be a challenge if you have many AD-based domains, or if users can create ad hoc domains, such as on a college campus. Microsoft makes a product called Microsoft Metadirectory Service (MMS) that can do this.
