What risks should I be aware of that we're facing by not using SSL?
Requests by domain members will use SASL (see: LDAP Security Model section in this doc)
Requests not from a domain member or a client able to use SASL can be intercepted. Internally, this may not be that big of a deal since you probably have a switched network and good control of your physical infrastructure.
If I follow one of the million guides on the internet to enable SSL, will it interrupt current service? Or will I be able to do it and the client machines will some how be informed to use SSL automatically?
It should not interrupt current service. Some clients (like your Dell LOM) will need configuration to use the SSL port if they are currently working and you want to enable SSL. You shouldn't have to do anything on your Windows servers/workstations.
I have two DCs running a single domain as domain.local. Since it's an "internal" TLD, I'm guessing I'll need to set this up using an internal CA and not a third party?
You can do either; you can even use a self-signed certificate. Some clients won't like a self-signed certificate, but your DRAC probably would be fine with one.
Setting up an enterprise CA is relatively easy, but it should really be on a box/vm just for this purpose. Can you afford a spare Windows license?
You could also run an OpenSSL CA; you could run one from a USB flash drive pretty easily. If you are familiar with Linux, then setting up an Ubuntu box/vm/usb device running tinyca should only take a couple of hours.
Based off the answer of #1, would you say it's safe to stay off of SSL? What would you feel is the ratio of benefit to effort involved in getting converted to ssl?
- If you don't trust your physical infrastructure, then you should probably enable SSL.
- If you have a very small number of servers, then it may not be worth the effort.
- You may be able to mitigate the risk using ipsec or some VPN to encrypt the LDAP.
- As Evan mentioned in a comment, the DRAC LOM is basically providing physical access, so you should strongly consider setting up SSL to protect you from a MITM.
Best Answer
Active Directory will continue to listen on port 389. When an appropriate certificate is found during startup it will begin to listen for LDAPS but the non-secure LDAP behavior remains intact.
I'm having a problem finding documentation that indicates what the behavior of the Active Directory client built in to Windows clients will be. It's unclear to me whether the client will automatically attempt to perform LDAPS operations in place of LDAP operations. I'd be interested to see if somebody else can find a documentation link that explains the client behavior.
In lieu of documentation from Microsoft confirming the client behavior, I'd recommend using something like Wireshark to monitor the "before and after" network traffic.
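As an added example (not code from either answer), here is a small Python decoder for the one thing worth checking in a "before and after" capture of port 389 traffic: whether each LDAP BindRequest is a simple bind (the password travels in cleartext, which is what SSL or SASL protects) or a SASL bind (as domain members do with GSS-SPNEGO). It follows the BindRequest layout from RFC 4511. The sample PDUs are constructed inline; the service-account DN, the mechanism name and the password are placeholders, and the `build_*` helpers exist only to produce test input, not to send anything.

```python
"""Classify LDAP BindRequest PDUs as 'simple' (cleartext password) or 'sasl'.

Minimal BER decoder for the shapes defined in RFC 4511:

    LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE { bindRequest BindRequest, ... } }
    BindRequest ::= [APPLICATION 0] SEQUENCE {
        version INTEGER, name LDAPDN (OCTET STRING),
        authentication CHOICE { simple [0] OCTET STRING, sasl [3] SaslCredentials } }
    SaslCredentials ::= SEQUENCE { mechanism OCTET STRING, credentials OCTET STRING OPTIONAL }
"""

TAG_SEQUENCE = 0x30      # universal, constructed, SEQUENCE
TAG_BIND_REQUEST = 0x60  # [APPLICATION 0], constructed
TAG_AUTH_SIMPLE = 0x80   # [0], primitive: the password itself
TAG_AUTH_SASL = 0xA3     # [3], constructed: SaslCredentials


def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the BER TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _tlv(tag, value):
    """Encode one BER TLV with a definite length (short or long form)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    length_bytes = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def _integer(n):
    """DER-encode a non-negative INTEGER (keeps the sign bit clear)."""
    return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def classify_bind(pdu):
    """Describe a BindRequest PDU; return None if the PDU is some other operation."""
    tag, body, _ = _read_tlv(pdu, 0)
    if tag != TAG_SEQUENCE:
        return None
    _, msgid, pos = _read_tlv(body, 0)
    op_tag, op, _ = _read_tlv(body, pos)
    if op_tag != TAG_BIND_REQUEST:
        return None
    _, version, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    auth_tag, auth, _ = _read_tlv(op, pos)
    info = {"message_id": int.from_bytes(msgid, "big"),
            "version": int.from_bytes(version, "big"),
            "name": name.decode("utf-8")}
    if auth_tag == TAG_AUTH_SIMPLE:
        # Simple bind: whatever is in `auth` is the password, readable by anyone on the path.
        info["auth"] = "simple"
        info["password_visible"] = len(auth) > 0
    elif auth_tag == TAG_AUTH_SASL:
        # SASL bind: only the mechanism name is in the clear; credentials are mechanism-specific.
        _, mechanism, _ = _read_tlv(auth, 0)
        info["auth"] = "sasl"
        info["mechanism"] = mechanism.decode("utf-8")
    else:
        info["auth"] = "unknown"
    return info


def audit(pdus):
    """Count cleartext (simple) binds, SASL binds and non-bind PDUs in a capture."""
    findings = {"simple": 0, "sasl": 0, "other": 0}
    for pdu in pdus:
        info = classify_bind(pdu)
        key = info["auth"] if info and info["auth"] in findings else "other"
        findings[key] += 1
    return findings


# --- constructed sample traffic (not captured from a real network) ---------------

def build_simple_bind(msg_id, dn, password):
    """Build the PDU a LOM/DRAC-style device sends when bound with a DN and password."""
    op = _integer(3) + _tlv(0x04, dn.encode()) + _tlv(TAG_AUTH_SIMPLE, password.encode())
    return _tlv(TAG_SEQUENCE, _integer(msg_id) + _tlv(TAG_BIND_REQUEST, op))


def build_sasl_bind(msg_id, mechanism, credentials=b""):
    """Build the PDU a domain member sends: empty DN, SASL mechanism, opaque token."""
    sasl = _tlv(0x04, mechanism.encode()) + (_tlv(0x04, credentials) if credentials else b"")
    op = _integer(3) + _tlv(0x04, b"") + _tlv(TAG_AUTH_SASL, sasl)
    return _tlv(TAG_SEQUENCE, _integer(msg_id) + _tlv(TAG_BIND_REQUEST, op))


# Placeholder DN and password; a real capture would show the device's actual bind.
SIMPLE_PDU = build_simple_bind(1, "CN=svc-drac,OU=Service,DC=domain,DC=local", "PLACEHOLDER-PASSWORD")
SASL_PDU = build_sasl_bind(2, "GSS-SPNEGO", b"\x60\x08placeholder-token")
UNBIND_PDU = _tlv(TAG_SEQUENCE, _integer(3) + bytes([0x42, 0x00]))  # [APPLICATION 2] UnbindRequest

if __name__ == "__main__":
    for pdu in (SIMPLE_PDU, SASL_PDU, UNBIND_PDU):
        print(classify_bind(pdu))
    print(audit([SIMPLE_PDU, SASL_PDU, SASL_PDU, UNBIND_PDU]))
```

To use this against a real capture, export the LDAP message bytes from Wireshark (or read them with a pcap library) and feed each PDU to `audit`; any `simple` count above zero on port 389 is a client that still needs either the LDAPS port or an IPsec/VPN wrapper, which is exactly the distinction the first answer draws between domain members and other clients.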