GerardoGS
Explorer

Question regarding cloning Microsoft_AD profile to limit impact of SupportOldSchema parameter

Hello CheckMates community,


I’m currently reviewing the implementation steps described in sk33404 – Configuring Native AD Password Remediation on a Check Point R81.20 environment, and I would appreciate some clarification from the community or Check Point experts who may have encountered a similar scenario.

Based on TAC’s recommendations, prior to applying the configuration changes, we plan to perform:

  • A full mds_backup of the MDS
  • A virtual machine–level backup

As part of the procedure, the following parameter must be configured:


Microsoft_AD.Common.SupportOldSchema = 1


From TAC’s feedback and our understanding, this parameter is applied at the Microsoft_AD profile level, which is consumed by LDAP Account Unit objects. This implies that any modification to SupportOldSchema will impact all LDAP Account Units using the same Microsoft_AD profile within the same domain.

In our case, the change is required only for a specific LDAP Account Unit, and we want to avoid any unintended effect on the remaining LDAP Account Units that rely on the same Microsoft_AD profile.

We consulted the vendor regarding the possibility of cloning or duplicating the Microsoft_AD profile and associating only the required LDAP Account Unit to the new profile, in order to scope the change and minimize risk. However, we did not receive a conclusive answer.

Questions to the community:

  1. In R81.20, is it supported and safe to clone or create an additional Microsoft_AD profile for this purpose?
  2. If so, what would be the recommended or supported approach to do this without affecting existing LDAP Account Units?
  3. Has anyone validated the operational or security impact of enabling SupportOldSchema in environments where multiple LDAP Account Units share the same Microsoft_AD profile?
  4. Are there any best practices or alternative designs to limit the scope of this parameter change?
  5. What would exactly change when activating/deactivating the parameter "Microsoft_AD.Common.SupportOldSchema"?


Any guidance, real-world experience, or official recommendations would be highly appreciated.

Thank you in advance for your support.

Best regards,

Gerardo G.

Security Analyst

1 Reply
PhoneBoy
Admin

Personally, I've never heard of this being necessary.
However, cloning the profile doesn't seem like an unreasonable approach.
