Configuring and Using AD LDS

Now that you have installed AD LDS, you can begin to work with it to store directory related data for various applications.

The first thing you should do is become familiar with the AD LDS tool set. After you understand which tools you can use to manage AD LDS, you can begin to create your first instances.

Use the buttons below to navigate through the lesson

After you’ve created your instances, you can secure them to ensure that they are properly protected.
You’ll then move on to the creation of replicas for these instances so that you can install them on various other systems and control replication so that instances located on different computers can be updated through multimaster replication.

AD LS Tools

Tool Name Usage Location
Active Directory Schema Snap-in Modify the schema for AD LDS instances. You must use the Regsvr32.exe command to register the Schmmgnt.dll first. Custom MMC
Active Directory Sites and Services Configure and manage replication scopes for AD LDS instances. AD LDS instances must be updated to support replication objects first. Administrative Tools program group
AD LDS Setup Create AD LDS instances. Administrative Tools program group
ADAMInstall.exe Command-line tool for the creation of AD LDS instances. %SystemRoot% \ADAM folder
ADAMSync.exe Command-line tool for synchronizing data from AD DS forest to AD LDS instance. AD LDS instance must be updated to AD DS schema first. %SystemRoot% \ADAM folder
ADAMUninstall.exe Command-line tool for the removal of AD LDS instances. %SystemRoot% \ADAM folder
ADSchemaAnalyzer.exe Command-line tool for copying schema contents from AD DS to AD LDS or from one AD LDS instance to another. Supports third-party LDAP directory schema copies. %SystemRoot% \ADAM folder
ADSI Edit Interactively manage AD LDS content through ADSI. Administrative Tools program group
CSVDE.exe Import data into AD LDS instances. Command line
DSACLS.exe Control access control lists on AD LDS objects. Command line
DSAMain.exe Mount Active Directory store (.dit) backups or snapshots to identify their contents. Command line
DSDBUtil.exe Perform database maintenance, configure AD LDS ports, and view existing instances. Also, create one-step installations for transporting AD LDS instances through the Install from Media (IFM) generation process. Command line
Dcdiag.exe Diagnose AD LDS instances. Must use the /n:NamingContext switch to name the instance to diagnose. Command line
DSMgmt.exe Supports application partition and AD LDS policy Command line
Event Viewer To audit AD LDS changes and log old and new values for both objects and attributes Administrative Tools
LDAP Data Interchange Format (LDIF) Files AD LDS installations can dynamically import LDIF files (.ldp) during instance creation, auto-matically configuring the instance. %SystemRoot%\ADAM folder
LDIFDE.exe Import data into AD LDS instances. Command line
LDP.exe Interactively modify content or AD LDS instances Command line
DSAMain.exe through LDAP. Command line
Ntdsutil.exe Manage AD LDS instances but only if AD DS is also installed Command line
RepAdmin.exe Analyze replication to view potential issues. Command line
Server Manager Manage existing AD LDS instances. Administrative Tools program group
Windows Server Backup Back up or restore AD LDS instances and their contents. Administrative Tools program group

 Creating AD LDS Instances

The AD LDS role installation process is very similar to the AD DS installation process. You begin by installing the AD LDS binaries, and then, after they are installed, you create AD LDS instances to use the service. In the same way, when you deploy AD DS, you begin by installing the binaries, and then you use the Active Directory Domain Services Installation Wizard to create the AD DS instance you will use. Because of their same roots, many of the tools you use to manage them are the same.

Preparing for AD LDS Instance Creation
You create AD LDS instances by using the Active Directory Lightweight Directory Services Setup Wizard. However, you need to prepare several items before you create the instance. These items include:

  • A data drive created for your server.
    Because this server will be hosting directory stores, place these stores on a drive that is separate from the operating system.
  • The name you will use to create the instance.
    Use meaningful names, for example, the name of the application that will be tied to this instance, to identify instances. This name will be used to identify the instance on the local computer as well as to name the files that make up the instance and the service that supports it.

The ports you intend to use to communicate with the instance. Both AD LDS and AD DS use the same ports for communication. These ports are the default LDAP (389) and LDAP over the Secure Sockets Layer (SSL), or Secure LDAP (636), ports. AD DS uses two additional ports, 3268, which uses LDAP to access the global catalog, and 3269, which uses Secure LDAP to access the global catalog. Because AD DS and AD LDS use the same ports, this is another good reason for not running both roles on the same server. However, when the wizard detects that ports 389 and 636 are already in use, it proposes 50,000 and 50,001 for each port and then uses other ports in the 50,000 range for additional instances.

Take note of the default ports you will need to know these for exam purposes.

In addition you may require an Active Directory application partition name you intend to use for the instance. You must use a distinguished name (DN) to create the partition. For example, you could use
CN=AppPartition1,DC=es-net,DC=co,DC=uk
A service account to run the instance. You can use the Network Service account, but if you intend to run multiple instances, it might be best to use named service accounts for each instance.

A group that will contain the user accounts that will administer the instance. The best practice for permission assignments is always to use groups even if only one account is a member of the group.

Any additional LDIF files you need for the instance. Place these files into the %SystemRoot% \ADAM folder. These files will be imported during the creation of the instance. Importing LDIF files extends the schema of the instance you are creating to support additional operations.

AD LDS LDIF Files

Default AD LDS LDIF Files

File Name Purpose
MS-adamschemaw2k8.ldf Required as a prerequisite for synchronizing an instance with Active Directory in Windows Server
2008.
MS-AdamSyncMetadata.ldf Required to synchronize data between an AD DS forest and an AD LDS instance through ADAMSync.
MS-ADLDS-DisplaySpecifiers.ldf Required for the Active Directory Sites and Services snap-in operation.
MS-AZMan.ldf Required to support the Windows Authorization Manager.
MS-InetOrgPerson.ldf Required to create inetOrgPerson user classes and attributes.
MS-User.ldf Required to create user classes and attributes.
MS-UserProxy.ldf Required to create a simple userProxy class.
MS-UserProxyFull.ldf Required to create a full userProxy class. MS-UserProxy.ldf must be imported first.

There are two ways to create instances. The first is through the Active Directory Lightweight Services Setup Wizard, and the second is through the command line. You will use the wizard during the practice in this lesson. Using the command line is explained later.
You can also perform unattended AD LDS instance creations. For example, to create instances on Server Core installations, you must use an unattended instance creation process because there is no graphical interface to run the wizard. Unattended instance creations are also useful when you need to create an instance for a distributed application on multiple servers.
The %SystemRoot%\ADAM folder includes an additional command, AdamInstall.exe, which can be run to perform unattended instance setups. As with the Dcpromo.exe command, this command requires a text file as input for the creation of the instance. You can run AdamInstall.exe on either a full installation or Server Core. Begin by creating this text file.

Answer file

[ADAMInstall]
; The following line specifies to install a unique ADAM instance.
InstallType=Unique
; The following line specifies the name to be assigned to the new instance.
InstanceName=MyFirstInstance
; The following line specifies the communications port to use for LDAP.
LocalLDAPPortToListenOn=389
; The following line specifies an application partition to create
NewApplicationPartitionToCreate=”o=es-net,c=uk”
; The following line specifies the directory to use for ADAM data files.
DataFilesPath=D:\ADAMInstances\InstanceName\Data;
The following line specifies the directory to use for ADAM log files.
LogFilesPath=D:\ADAMInstances\InstanceName\Data
; The following line specifies the .ldf files to import into the ADAM schema.
ImportLDIFFiles=”ms-inetorgperson.ldf” “ms-user.ldf“
Save the file in the %SystemRoot%\ADAM folder, and name it with the name of the instance you want to create.

Now to create your instance. Remember that you need local administrative rights.

  1. Open an elevated command prompt from the Start menu by right-clicking Command Prompt and selecting Run As Administrator.
  2. In the command prompt window, move to the %SystemRoot%\ADAM folder. Type the following command, and then press Enter.
    cd windows\adam
  3. Type the following command. Use quotation marks for the file name if it includes spaces.
    adaminstall /answer:filename.txt
  4. Close the command prompt window.
    Your instance is ready. You can verify that the instance files have been created by going to the target folder and viewing its contents.

Migrating a Previous LDAP Instance to AD LDS

You can also migrate existing LDAP directories to AD LDS or upgrade instances of ADAM to AD LDS. You can do this by importing the contents of the older instances into a new instance of AD LDS. Importing data can be done either when you create the instance or after the instance is created. Both processes use the same approach because both rely on LDIF files or files with the .ldf extension. If you choose to import data after the instance is created, you will need to use the LDIFDE.exe command.

Keep in mind that you must first export the data from the previous instance and place it into a file in LDIF format before you can import the data. You can use LDIFDE to export contents from legacy instances. Remember that you need local administrative rights as well as administrative rights to the instance to perform these operations. Also make sure you run the command prompt with elevated credentials. Use the following command structure:
ldifde -f filename -s servername:portnumber -m -b username domainname password

In this command structure, filename is the name of the file to create (use quotation marks if the path includes spaces); servername is the name of the server hosting the instance; portnumber is the communications port; username, domainname, and password are the credentials of an instance administrator.

Use a similar command to import the data into the new instance:
ldifde -i -f filename -s servername:portnumber -m -b username domainname password
Note that to import passwords from the legacy instance, you must use the –h switch. This switch will encrypt all passwords, using simple authentication and security layer (SASL).

Create an AD LDS Instance

Click AD LDS Setup Wizard. Click Next. Select A Unique Instance and Click Next. Type the name of the instance and click Next. Change the default port numbers and Click Next. Select Yes create an application directory partition. Type the partition name example CN=esnetlds,DC=es-net,DC=co,DC=uk. Click Next. Select file locations and click Next. Select service account and click Next. Select Administrators account and Click Next. Select files to import Click Next. Review selections and Click Next. Click Finish. The new AD LDS instance has been created.

Create an AD LDS Replica Instance

On SRV2 we will now create a replica of the first instance. Launch AD LDS Setup Wizard. Click Next. Select A Replica of an existing instance and Click Next. Type the Instance name and Click Next. Type the port numbers (as previously assigned) and Click Next. Type the server name (or browse) and LDAP port number and Click Next. Specify Administrators account Click Next. Select to copy the Application partition and Click Next. Select file locations and Click Next. Select Service account and Click Next. Specify Administrators account Click Next. Review selections and Click Next. Click Finish. The new AD LDS replica instance has been created.


Comments

Configuring and Using AD LDS — 4 Comments

  1. Hello there, just became alert to your blog through Google, and
    found that it’s really informative. I am gonna watch out for brussels.
    I will appreciate if you continue this in future. A lot of people will
    be benefited from your writing. Cheers!

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>