How can I verify LDAP client usage prior to decommissioning a server?


  • How can I verify LDAP client usage prior to decommissioning a server?

    Hello,

    I have been tasked with decommissioning numerous 2003 AD servers now that our new 2008 infrastructure is up and running. I need to confirm that no clients have manually configured individual DCs for LDAP queries. How can I determine if clients are making LDAP queries against a particular box?

    One solution I have been kicking around is to perform an LDAP query from my local machine and then seeing what is logged in event viewer, then looking for similar logs. Is there any way I can make such queries?

    I assumed that using AD Users and Computers to connect to a particular server should register some kind of event while I'm viewing AD, but I can't see any events being created.

    Thanks.

  • #2
    Re: How can I verify LDAP client usage prior to decommissioning a server?

    Any other ideas? Maybe it'd be worthwhile monitoring the servers' ports in order to verify that no other services are being used... Can anyone recommend some good port monitoring software that would assist with this task?



    • #3
      Re: How can I verify LDAP client usage prior to decommissioning a server?

      Sounds like you're making it too complicated. How would a client (user) manually configure LDAP communications? Do you think that the users have the knowledge and skill to do that? My suggestion would be to shut down the 2003 servers for a week and wait for any support calls that come in and then address them.



      • #4
        Re: How can I verify LDAP client usage prior to decommissioning a server?

        Originally posted by joeqwerty:
        Sounds like you're making it too complicated. How would a client (user) manually configure LDAP communications? Do you think that the users have the knowledge and skill to do that? My suggestion would be to shut down the 2003 servers for a week and wait for any support calls that come in and then address them.
        I fully agree actually. The concern is that there is an LDAP-dependent software app somewhere out on my network (which is a fairly large enterprise) that is using one of these boxes, but to be honest this concern is secondary.

        What I would really like to do is an audit of all services and all connections that are being made to the server, thereby ensuring there are no obvious required services prior to turning it off, just a cursory glance really to hopefully avoid someone shouting that I should have known before I turn it off.

        No matter what I doubt I'll be able to be 100% sure and I'm going to just have to turn the box off and see what happens at some point, but I'd like to at least be fairly certain first.



        • #5
          Re: How can I verify LDAP client usage prior to decommissioning a server?

          You could always use the netstat command to see port connections to your server.

          Just to be aware, if it's a DC it's going to be authenticated to. If you have multiple DCs in a subnet/site they all really do get used at one point or another. If it's just a DC then you really don't have anything more to worry about than AD and DNS being on it, and possibly DHCP.

          As long as all your DNS configurations are pointed to the new server I don't think you have much to worry about. And if there's a piece of software that needs a specific domain controller then that really should have been documented when it was deployed.

          Also, don't just turn the box off. DCPromo it out of the domain cleanly.
          GoogleFu is strong with this one ^



          • #6
            Re: How can I verify LDAP client usage prior to decommissioning a server?

            Originally posted by stamandster:
            Also, don't just turn the box off. DCPromo it out of the domain cleanly.
            Would you recommend turning it off for a week or so prior to running the DCPROMO just to make triple sure nobody's connecting into it, or is it better to DCPROMO a decommissioned DC immediately?



            • #7
              Re: How can I verify LDAP client usage prior to decommissioning a server?

              Turn it off for a couple of days to be sure.
              Gareth Howells

              BSc (Hons), MBCS, MCP, MCDST, ICCE

              Any advice is given in good faith and without warranty.

              Please give reputation points if somebody has helped you.

              "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

              "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.



              • #8
                Re: How can I verify LDAP client usage prior to decommissioning a server?

                Originally posted by gforceindustries:
                Turn it off for a couple of days to be sure.

                Cool, thanks for all the advice so far. One last question. Does anyone have any experience using wireshark to capture LDAP traffic? I'd like to analyse some of the packets coming through and check the sources but I've never used the product previously, any tips would be appreciated.
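The Wireshark question above was not answered in the thread. As an added example (not from any poster), this is how the capture and the source check can be driven from PowerShell with tshark, the command-line build that ships with Wireshark; it assumes the capture runs on the DC itself or on a mirror port, that tshark.exe is on PATH, and that the interface number, output path and the `ldap.protocolOp` / `ldap.name` dissector field names are as noted in the comments.

```powershell
# Added example, not from the thread. Assumes tshark.exe (ships with Wireshark) is on PATH,
# the interface number comes from 'tshark -D', and the capture path is yours to choose.
$iface   = 1                          # interface index, see: tshark -D
$pcap    = 'C:\temp\ldap-dc.pcap'     # hypothetical output path
$seconds = 3600                       # one hour per run; repeat across a working day

# 1. Capture only LDAP, LDAPS and Global Catalog traffic so the file stays small.
& tshark -i $iface -a "duration:$seconds" `
    -f 'tcp port 389 or tcp port 636 or tcp port 3268 or tcp port 3269' -w $pcap

# 2. Conversation table: every IP address that exchanged packets with the DC, with counts.
& tshark -r $pcap -q -z conv,ip

# 3. Bind requests on plain LDAP, grouped by client and bind name (the DN or account that
#    authenticated). protocolOp 0 is bindRequest; ldap.name is the bind name field in the
#    Wireshark LDAP dissector (assumed field names). LDAPS on 636 is encrypted, so only
#    the conversation table above shows those clients. Older tshark uses -R instead of -Y.
& tshark -r $pcap -Y 'ldap.protocolOp == 0' -T fields -e ip.src -e ldap.name |
    Group-Object | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

Clients that only appear in step 2 but never in step 3 are either using LDAPS or only doing Kerberos/DNS against the box, which is the distinction the later replies in the thread draw.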



                • #9
                  Re: How can I verify LDAP client usage prior to decommissioning a server?

                  Originally posted by stamandster:
                  Just to be aware, if it's a DC it's going to be authenticated to. If you have multiple DC's in a subnet/site they all really do get used at one point or another. If it's just a DC then you really don't have anything more to worry about than AD and DNS being on it, and possibly DHCP.
                  I have a question about this point. Since the servers are being decommissioned and numerous clients are statically configured to use them for DNS, I will need to manually go to each client with a static configuration and change it to point to the new server.

                  However... Wouldn't it be much much easier just to add the static DNS IP address as a secondary IP address on one of the new 2008 servers? Wouldn't that immediately redirect all DNS requests to the new box and save me having to go to each client and making manual changes?



                  • #10
                    Re: How can I verify LDAP client usage prior to decommissioning a server?

                    You should be able to use perfmon to monitor LDAP reads and writes. It's under NTDS.



                    • #11
                      Re: How can I verify LDAP client usage prior to decommissioning a server?

                      Originally posted by dbutch1976:
                      I have a question about this point. Since the servers are being decommissioned and numerous clients are statically configured to use them for DNS, I will need to manually go to each client with a static configuration and change it to point to the new server.

                      However... Wouldn't it be much much easier just to add the static DNS IP address as a secondary IP address on one of the new 2008 servers? Wouldn't that immediately redirect all DNS requests to the new box and save me having to go to each client and making manual changes?
                      The preferred solution would be to use DHCP to allocate IP addresses to the client machines and define the DNS servers in your DHCP scope.



                      • #12
                        Re: How can I verify LDAP client usage prior to decommissioning a server?

                        Originally posted by joeqwerty:
                        The preferred solution would be to use DHCP to allocate IP addresses to the client machines and define the DNS servers in your DHCP scope.

                        To my knowledge this is how the vast majority of machines are configured within the network, but undoubtedly we're going to miss a couple of static configs. I guess there's not much that can be done about that.



                        • #13
                          Re: How can I verify LDAP client usage prior to decommissioning a server?

                          Originally posted by dbutch1976:
                          To my knowledge this is how the vast majority of machines are configured within the network, but undoubtedly we're going to miss a couple of static configs. I guess there's not much that can be done about that.
                          Yeah not really. That's why it's so important to document everything. We just had to go through this in a way. I ended up going through and finding all the statically assigned addresses and documenting them. I ended up assigning the static addresses through DHCP by MAC address.
                          GoogleFu is strong with this one ^



                          • #14
                            Re: How can I verify LDAP client usage prior to decommissioning a server?

                            Originally posted by ScottMcD:
                            You should be able to use perfmon to monitor LDAP reads and writes. It's under NTDS.

                            I've found the counters you were mentioning and added every LDAP related counter to the list. Most of the counters flatline at 0, however one counter is of interest to me:

                            LDAP Client Sessions <-- This counter remains constant at 4 connections

                            ** Does this mean that there are 4 persistent LDAP connections to this server? If so, that would be ideal because I would just need to identify who is connecting into it and bam, I could arrange the client to point to another server.

                            Could you clarify what the above counters are saying?
                            The MS explanation is: LDAP Client Sessions is the number of connected LDAP client sessions. However, this does not mention if the connections are persistent.


                            Thanks!
                            Last edited by dbutch1976; 6th October 2009, 20:21.
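The counter alone cannot answer the question asked above: NTDS "LDAP Client Sessions" is a count, not a list of who holds the sessions. The netstat suggestion in #5 and the perfmon suggestion in #10 answer it together, so here is an added example (not from any poster) that does both from one PowerShell script on the DC being retired: it lists the remote addresses with established TCP connections to the LDAP ports and then samples the NTDS LDAP counters over time, so a flat session count can be matched to the hosts holding it. It assumes an elevated PowerShell 2.0 or later session and English-locale netstat output; the sample count and interval parameters are the author's choice.

```powershell
# Added example, not from the thread. Run elevated on the DC being retired (PowerShell 2.0+).
# Assumptions: English-locale 'netstat -ano' output; NTDS counter names as shown in perfmon.
param(
    [int]$Samples  = 12,   # how many counter samples to take
    [int]$Interval = 5     # seconds between samples
)

# Ports a DC serves LDAP on: LDAP, LDAPS, Global Catalog, GC over SSL
$ldapPorts = 389, 636, 3268, 3269

# The NTDS counter from the thread, plus rates that show whether those sessions are active
$counters = '\NTDS\LDAP Client Sessions',
            '\NTDS\LDAP Searches/sec',
            '\NTDS\LDAP Successful Binds/sec'

function Get-LdapConnections {
    # Parse ESTABLISHED TCP rows whose local port is an LDAP port and group them by
    # remote address, so every client currently bound to this DC is listed once.
    $rows = netstat -ano | Where-Object { $_ -match '^\s*TCP\s' }
    $hits = foreach ($r in $rows) {
        $f = ($r -replace '^\s+', '') -split '\s+'   # Proto Local Foreign State PID
        if ($f.Count -lt 5 -or $f[3] -ne 'ESTABLISHED') { continue }
        $localPort = [int](($f[1] -split ':')[-1])    # port is after the last colon (v4 and v6)
        if ($ldapPorts -contains $localPort) {
            New-Object PSObject -Property @{
                Client    = $f[2] -replace ':\d+$', ''   # strip the remote port
                LocalPort = $localPort
            }
        }
    }
    $hits | Group-Object Client, LocalPort | Select-Object @{n='Client'; e={$_.Group[0].Client}},
        @{n='LocalPort'; e={$_.Group[0].LocalPort}},
        @{n='Connections'; e={$_.Count}}
}

# 1. Snapshot: which hosts are bound to this DC right now (the netstat suggestion)
Get-LdapConnections | Sort-Object Client | Format-Table -AutoSize

# 2. Trend: sample the NTDS LDAP counters (the perfmon suggestion). A session count that
#    never moves while Searches/sec stays at 0 points to idle, long-lived binds; step 1
#    tells you which hosts hold them.
Get-Counter -Counter $counters -SampleInterval $Interval -MaxSamples $Samples |
    ForEach-Object {
        $row = New-Object PSObject -Property @{ Time = $_.Timestamp }
        foreach ($s in $_.CounterSamples) {
            $name = ($s.Path -split '\\')[-1]   # e.g. 'ldap client sessions'
            $row | Add-Member NoteProperty $name ([math]::Round($s.CookedValue, 2))
        }
        $row
    } | Format-Table -AutoSize
```

Run it a few times across a working day; a client that shows up in the snapshot every time is the persistent one worth tracking down before the box is demoted.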



                            • #15
                              Re: How can I verify LDAP client usage prior to decommissioning a server?

                              Originally posted by dbutch1976:
                              However... Wouldn't it be much much easier just to add the static DNS IP address as a secondary IP address on one of the new 2008 servers? Wouldn't that immediately redirect all DNS requests to the new box and save me having to go to each client and making manual changes?
                              This will break authentication for LDAP clients that are using Kerberos authentication and have a hard-coded DNS name of the DC.
                              Guy Teverovsky
                              "Smith & Wesson - the original point and click interface"
