TECH::OMFG! Microsoft is killing IDMU???

Yesterday, I wrote a blog post on LDAP. During that, I was researching links to add to it and I came across this gem. I decided to leave it out of yesterday’s post for two reasons:

  1. To get clarification on what this actually means
  2. To not let it fall through the cracks

http://blogs.technet.com/b/activedirectoryua/archive/2015/01/25/identity-management-for-unix-idmu-is-deprecated-in-windows-server.aspx

A few users have asked about this recently so I am posting here to help let everyone know that Identity Management for Unix (IDMU) is deprecated and will not ship in future versions of Windows Server. This is documented in a couple places:

Identity Management for UNIX 

Features Removed or Deprecated in Windows Server 2012 R2

All IDMU-related features will go away, including the UNIX Attributes tab. This also applies to Network Information Service (NIS) and Remote Server Administration Tools (RSAT). Instead of RSAT, you should use native LDAP, Samba Client, Kerberos, or non-Microsoft options. For Network File System (NFS), there is a Windows PowerShell cmdlet that allows you to update the user account with uid/gid: Set-NfsMappedIdentity.

In the future, if you try to upgrade a computer that runs IDMU components, the upgrade will stop and you will be prompted to remove IDMU as explained at Installing or removing Identity Management for UNIX by using a command line.

Reading that, I immediately thought… WTF THEY ARE REMOVING UNIX LDAP???

[Image: Home Alone reaction GIF. Source: Playbuzz.com]

Naturally, since I push people toward the goodness that is Active Directory LDAP (such as the 240+ page TR-4073), I was a little… concerned. If you look at the comments in that MS blog link, I am Justin P.

However, Justin (from Microsoft) responded and it’s not as bad as I initially thought.

This is what is actually happening:

  • Microsoft, for whatever reason (and here’s hoping they reconsider), is removing the tools for IDMU. So, no more native GUI (the UNIX Attributes tab) to manage the attributes, and possibly no more UNIX application support.
  • The schema backend, which is what hosts the UNIX-y attributes (the RFC 2307 attributes such as uidNumber, gidNumber, unixHomeDirectory and loginShell), will remain intact.
  • LDAP can still be used on AD, but you will either need to manage those attributes by hand via ADSI Edit or the Attribute Editor tab, or via PowerShell. Or, use something like Centrify.
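Since it is the GUI tab that goes away while the attributes stay in the schema, here is what the same edit looks like with the ActiveDirectory PowerShell module. This is an added example, not code from the original post or from Microsoft; the user name, group name and uid/gid values are made up for illustration, and it assumes the RSAT ActiveDirectory module is installed on the machine you run it from and that you have rights to modify the objects.

```powershell
# Added example: manage RFC 2307 attributes without the IDMU UNIX Attributes tab.
# Assumes the ActiveDirectory module (RSAT) is available. All names/values below
# are made-up sample data.
Import-Module ActiveDirectory

$User       = 'jdoe'        # assumed sample user
$Group      = 'unixusers'   # assumed sample primary group
$UidNumber  = 10001         # assumed sample values
$GidNumber  = 10000
$HomeDir    = "/home/$User"
$LoginShell = '/bin/bash'

# Refuse to hand out a uidNumber that another account already has. Without the
# IDMU tool nothing enforces uniqueness, and a duplicate UID makes two AD
# identities look like one user to NFS/Linux clients.
$collision = Get-ADUser -LDAPFilter "(uidNumber=$UidNumber)" -Properties uidNumber |
             Where-Object { $_.SamAccountName -ne $User }
if ($collision) {
    throw "uidNumber $UidNumber is already used by: $($collision.SamAccountName -join ', ')"
}

# Give the group its gidNumber first, so the user's gidNumber points at something.
Set-ADGroup -Identity $Group -Replace @{ gidNumber = $GidNumber }

# Write the user's attributes directly. -Replace sets the value whether or not
# one exists; these attributes are single-valued, so -Add would fail on a user
# that already has them populated.
Set-ADUser -Identity $User -Replace @{
    uidNumber         = $UidNumber
    gidNumber         = $GidNumber
    unixHomeDirectory = $HomeDir
    loginShell        = $LoginShell
}

# Read it back the way an LDAP client (sssd, nslcd, a NetApp SVM) would see it.
Get-ADUser -Identity $User -Properties uidNumber, gidNumber, unixHomeDirectory, loginShell |
    Select-Object SamAccountName, uidNumber, gidNumber, unixHomeDirectory, loginShell

# To retire a UNIX mapping later, clear the attributes rather than zeroing them:
# Set-ADUser -Identity $User -Clear uidNumber, gidNumber, unixHomeDirectory, loginShell
```

The uniqueness check is the part the GUI used to do for you; keep it (or an equivalent query against your own UID range) in whatever script replaces the tab, because AD itself has no constraint on uidNumber.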

If I recall, when I installed Windows 2012 R2, I didn’t need to extend the schema for UNIX attributes. They were already there – just not populated. But it’s still worth talking about. 🙂