I bumped into this (old) question while looking for something else, but I will add an answer for anyone that ends up here actually looking for an answer...
An option you can use (assuming you have at least a 2008 level AD domain) is to apply a password policy with your required "lighter" settings specifically against the server(s) you have hosting ADLDS. While 2003 and below had only domain-wide password policy settings, 2008 and up can support fine-grained password policies configured against certain areas of the domain.
> What risks should I be aware of that we're facing by not using SSL?
Requests by domain members will use SASL (see: LDAP Security Model section in this doc)
Requests not from a domain member or a client able to use SASL can be intercepted. Internally, this may not be that big of a deal since you probably have a switched network, and good control of your physical infrastructure.
> If I follow one of the million guides on the internet to enable SSL, will it interrupt current service? Or will I be able to do it and the client machines will somehow be informed to use SSL automatically?
It should not interrupt current service. Some clients (like your Dell LOM) will need configuration to use the SSL port, if they are currently working, and you want to enable SSL. You shouldn't have to do anything on your Windows servers/workstations.
> I have two DCs running a single domain as domain.local. Since it's an "internal" TLD, I'm guessing I'll need to set this up using an internal CA and not a third party?
You can do either, you can even use a self-signed certificate. Some clients won't like a self-signed certificate, but your DRAC probably would be fine with one.
Setting up an enterprise CA is relatively easy, but it should really be on a box/vm just for this purpose. Can you afford a spare Windows license?
You could also run an OpenSSL CA; you could even run one from a USB flash drive pretty easily. If you are familiar with Linux, then setting up an Ubuntu box/vm/usb device running tinyca should only take a couple hours.
> Based off the answer of #1, would you say it's safe to stay off of SSL? What would you feel is the ratio of benefit to effort involved in getting converted to SSL?
- If you don't trust your physical infrastructure, then you should probably enable SSL.
- If you have a very small number of servers, then it may not be worth the effort.
- You may be able to mitigate the risk using IPsec or some VPN to encrypt the LDAP.
- As Evan mentioned in a comment, the DRAC LOM is basically providing physical access, so you should strongly consider setting up SSL to protect you from a MITM.
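To make the OpenSSL CA route from the answer above concrete, here is an added example (it is not part of the answer, and not Dell's, Microsoft's or any project's code): a POSIX shell script that stands up a small internal CA, issues a certificate the DC or AD LDS host can use for LDAPS, bundles it as a PFX for the Windows machine store, and checks an LDAPS endpoint the way a non-domain client such as a DRAC would. The hostname dc1.domain.local, the CA directory, the "changeme" PFX password and all function names are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example: small internal OpenSSL CA for LDAPS certificates.
# Assumptions (not from the page): dc1.domain.local is the DC/AD LDS host,
# $dir is any scratch directory, and "changeme" is a placeholder password.
set -eu

# make_internal_ca DIR "CA common name"
# 2048-bit RSA key plus a self-signed root valid for 10 years.
# `req -x509` picks up basicConstraints CA:TRUE from the stock openssl.cnf.
make_internal_ca() {
  dir=$1 cn=$2
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=$cn" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  chmod 600 "$dir/ca.key"
}

# issue_ldaps_cert DIR FQDN
# Windows will only serve LDAPS with a cert that carries the host FQDN in the
# subject/SAN, the Server Authentication EKU, and a private key in the
# computer's personal store; the PFX at the end is what gets imported there.
issue_ldaps_cert() {
  dir=$1 fqdn=$2
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$fqdn" \
    -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.csr" 2>/dev/null
  # Extensions go in an extfile: `x509 -req` does not copy them from the CSR.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\nbasicConstraints=CA:FALSE\n' \
    "$fqdn" > "$dir/$fqdn.ext"
  openssl x509 -req -in "$dir/$fqdn.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$dir/$fqdn.ext" \
    -out "$dir/$fqdn.crt" 2>/dev/null
  # Key + cert + issuing CA as PKCS#12 for certlm.msc / Import-PfxCertificate.
  # Placeholder export password; use a real one and remove the bare .key after import.
  openssl pkcs12 -export -inkey "$dir/$fqdn.key" -in "$dir/$fqdn.crt" \
    -certfile "$dir/ca.crt" -passout pass:changeme -out "$dir/$fqdn.pfx"
}

# cert_is_valid_for_host DIR FQDN
# Exit 0 only if the cert chains to our CA and its SAN names the host,
# which is the check a client performs before trusting the LDAPS listener.
cert_is_valid_for_host() {
  dir=$1 fqdn=$2
  openssl verify -CAfile "$dir/ca.crt" "$dir/$fqdn.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$dir/$fqdn.crt" -noout -text | grep -q "DNS:$fqdn"
}

# check_ldaps_endpoint HOST CAFILE
# Handshake with port 636 and verify chain + hostname the way a non-domain
# client (a DRAC, a Linux box) would. Needs network, so not exercised below.
check_ldaps_endpoint() {
  host=$1 cafile=$2
  printf '' | openssl s_client -connect "$host:636" -servername "$host" \
    -CAfile "$cafile" -verify_hostname "$host" -verify_return_error \
    >/dev/null 2>&1
}

# Usage (placeholder names):
#   make_internal_ca ./ca "Example Internal CA"
#   issue_ldaps_cert ./ca dc1.domain.local
#   cert_is_valid_for_host ./ca dc1.domain.local && echo "cert OK"
#   check_ldaps_endpoint dc1.domain.local ./ca/ca.crt && echo "LDAPS chain verifies"
```

After importing the PFX into the DC's Personal store (the computer store, not the user store), the DC starts answering on 636 with that certificate; clients that do their own verification, such as the DRAC, additionally need ca.crt imported as a trusted root, otherwise they will reject the chain the same way they would reject a self-signed certificate.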
Best Answer
MS recommends using ADAMsync to sync data with ADLDS. But in the past ADAMsync has had problems with aging (see KB927053). So I ended up writing a custom script to do the syncing for me.
I have no idea if the aging issues have been fixed with the switch to ADLDS.
Update:
These were written for ADAM but I assume they still apply.
To filter objects you can use an LDAP query in the object-filter field.