Configuring and Using AD LDS
Now that you have installed AD LDS, you can begin to work with it to store directory-related data for various applications.
The first thing you should do is become familiar with the AD LDS tool set. After you understand which tools you can use to manage AD LDS, you can begin to create your first instances.
After you’ve created your instances, you can secure them to ensure that they are properly protected.
You’ll then move on to creating replicas of these instances so that you can install them on other systems and control replication, allowing instances located on different computers to be updated through multimaster replication.
AD LDS Tools

| Tool | Purpose | Location |
|---|---|---|
| Active Directory Schema snap-in | Modify the schema for AD LDS instances. You must use the Regsvr32.exe command to register Schmmgmt.dll first. | Custom MMC |
| Active Directory Sites and Services | Configure and manage replication scopes for AD LDS instances. AD LDS instances must be updated to support replication objects first. | Administrative Tools program group |
| AD LDS Setup | Create AD LDS instances. | Administrative Tools program group |
| ADAMInstall.exe | Command-line tool for the creation of AD LDS instances. | %SystemRoot%\ADAM folder |
| ADAMSync.exe | Command-line tool for synchronizing data from an AD DS forest to an AD LDS instance. The AD LDS instance must be updated to the AD DS schema first. | %SystemRoot%\ADAM folder |
| ADAMUninstall.exe | Command-line tool for the removal of AD LDS instances. | %SystemRoot%\ADAM folder |
| ADSchemaAnalyzer.exe | Command-line tool for copying schema contents from AD DS to AD LDS or from one AD LDS instance to another. Supports third-party LDAP directory schema copies. | %SystemRoot%\ADAM folder |
| ADSI Edit | Interactively manage AD LDS content through ADSI. | Administrative Tools program group |
| CSVDE.exe | Import data into AD LDS instances. | Command line |
| DSACLS.exe | Control access control lists on AD LDS objects. | Command line |
| DSAMain.exe | Mount Active Directory store (.dit) backups or snapshots to identify their contents. | Command line |
| DSDBUtil.exe | Perform database maintenance, configure AD LDS ports, and view existing instances. Also create one-step installations for transporting AD LDS instances through the Install from Media (IFM) generation process. | Command line |
| Dcdiag.exe | Diagnose AD LDS instances. You must use the /n:NamingContext switch to name the instance to diagnose. | Command line |
| DSMgmt.exe | Supports application partition and AD LDS policy management. | Command line |
| Event Viewer | Audit AD LDS changes and log old and new values for both objects and attributes. | Administrative Tools |
| LDAP Data Interchange Format (LDIF) files | AD LDS installations can dynamically import LDIF files (.ldf) during instance creation, automatically configuring the instance. | %SystemRoot%\ADAM folder |
| LDIFDE.exe | Import data into AD LDS instances. | Command line |
| LDP.exe | Interactively modify the content of AD LDS instances through LDAP. | Command line |
| Ntdsutil.exe | Manage AD LDS instances, but only if AD DS is also installed. | Command line |
| RepAdmin.exe | Analyze replication to view potential issues. | Command line |
| Server Manager | Manage existing AD LDS instances. | Administrative Tools program group |
| Windows Server Backup | Back up or restore AD LDS instances and their contents. | Administrative Tools program group |
Creating AD LDS Instances
The AD LDS role installation process is very similar to the AD DS installation process. You begin by installing the AD LDS binaries, and then, after they are installed, you create AD LDS instances to use the service. In the same way, when you deploy AD DS, you begin by installing the binaries, and then you use the Active Directory Domain Services Installation Wizard to create the AD DS instance you will use. Because they share the same roots, many of the tools you use to manage them are the same.
Preparing for AD LDS Instance Creation
You create AD LDS instances by using the Active Directory Lightweight Directory Services Setup Wizard. However, you need to prepare several items before you create the instance. These items include:
- A data drive created for your server. Because this server will be hosting directory stores, place these stores on a drive that is separate from the operating system.
- The name you will use to create the instance. Use meaningful names, for example the name of the application that will be tied to this instance, to identify instances. This name will be used to identify the instance on the local computer as well as to name the files that make up the instance and the service that supports it.
- The ports you intend to use to communicate with the instance. Both AD LDS and AD DS use the same ports for communication: the default LDAP port (389) and the LDAP over Secure Sockets Layer (SSL), or Secure LDAP, port (636). AD DS uses two additional ports: 3268, which uses LDAP to access the global catalog, and 3269, which uses Secure LDAP to access the global catalog. Because AD DS and AD LDS use the same ports, this is another good reason for not running both roles on the same server. When the wizard detects that ports 389 and 636 are already in use, it proposes 50000 and 50001 in their place and then uses other ports in the 50000 range for additional instances. Take note of the default ports; you will need to know these for exam purposes.
- The Active Directory application partition name you intend to use for the instance, if you require one. You must use a distinguished name (DN) to create the partition. For example, you could use
- A service account to run the instance. You can use the Network Service account, but if you intend to run multiple instances, it might be best to use named service accounts for each instance.
- A group that will contain the user accounts that will administer the instance. The best practice for permission assignments is always to use groups, even if only one account is a member of the group.
- Any additional LDIF files you need for the instance. Place these files in the %SystemRoot%\ADAM folder. These files will be imported during the creation of the instance. Importing LDIF files extends the schema of the instance you are creating to support additional operations.
AD LDS LDIF Files

Default AD LDS LDIF Files

| File | Purpose |
|---|---|
| MS-adamschemaw2k8.ldf | Required as a prerequisite for synchronizing an instance with Active Directory in Windows Server |
| MS-AdamSyncMetadata.ldf | Required to synchronize data between an AD DS forest and an AD LDS instance through ADAMSync. |
| MS-ADLDS-DisplaySpecifiers.ldf | Required for the Active Directory Sites and Services snap-in operation. |
| MS-AZMan.ldf | Required to support the Windows Authorization Manager. |
| MS-InetOrgPerson.ldf | Required to create inetOrgPerson user classes and attributes. |
| MS-User.ldf | Required to create user classes and attributes. |
| MS-UserProxy.ldf | Required to create a simple userProxy class. |
| MS-UserProxyFull.ldf | Required to create a full userProxy class. MS-UserProxy.ldf must be imported first. |
There are two ways to create instances: through the Active Directory Lightweight Directory Services Setup Wizard or through the command line. You will use the wizard during the practice in this lesson; using the command line is explained later.
You can also perform unattended AD LDS instance creations. For example, to create instances on Server Core installations, you must use an unattended instance creation process because there is no graphical interface to run the wizard. Unattended instance creations are also useful when you need to create an instance for a distributed application on multiple servers.
The %SystemRoot%\ADAM folder includes an additional command, AdamInstall.exe, which can be run to perform unattended instance setups. As with the Dcpromo.exe command, this command requires a text file as input for the creation of the instance. You can run AdamInstall.exe on either a full installation or Server Core. Begin by creating this text file.
; The following line specifies to install a unique ADAM instance.
; The following line specifies the name to be assigned to the new instance.
; The following line specifies the communications port to use for LDAP.
; The following line specifies an application partition to create
; The following line specifies the directory to use for ADAM data files.
; The following line specifies the directory to use for ADAM log files.
; The following line specifies the .ldf files to import into the ADAM schema.
Save the file in the %SystemRoot%\ADAM folder, and name it with the name of the instance you want to create.
Now to create your instance. Remember that you need local administrative rights.
- Open an elevated command prompt from the Start menu by right-clicking Command Prompt and selecting Run As Administrator.
- In the command prompt window, move to the %SystemRoot%\ADAM folder. Type the following command, and then press Enter.
- Type the following command. Use quotation marks for the file name if it includes spaces.
- Close the command prompt window.
Your instance is ready. You can verify that the instance files have been created by going to the target folder and viewing its contents.
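The unattended procedure above, carried end to end as an added example (this is not the lesson's own script): a PowerShell script that checks that the chosen ports are free, writes the answer file using the key names AdamInstall.exe accepts, runs AdamInstall.exe with its /answer: switch, deletes the answer file because it holds the service account password in clear text, and then verifies the result. The instance name, ports, partition DN, paths, service account and administrative group are constructed placeholders; the ADAM_<instance> service name and the adamntds.dit database file name are the ones AD LDS uses; Get-NetTCPConnection requires Windows Server 2012 or later.

```powershell
# Added example, not the lesson's code: unattended AD LDS instance creation.
# All names, ports and paths below are constructed placeholders.
# Run from an elevated PowerShell prompt on the target server.

$InstanceName = 'ESNETLDS'                          # placeholder instance name
$LdapPort     = 50000                               # the wizard's proposal when 389/636 are taken
$SslPort      = 50001
$PartitionDN  = 'CN=esnetlds,DC=es-net,DC=co,DC=uk' # DN from the lesson's wizard walkthrough
$DataRoot     = 'D:\ADLDS'                          # separate data drive, as the lesson recommends
$ServiceAcct  = 'ES-NET\svc_adlds'                  # placeholder named service account
$AdminGroup   = 'ES-NET\ADLDS-Admins'               # placeholder admin group (a group, not a user)
$AnswerFile   = Join-Path $env:SystemRoot "ADAM\$InstanceName.txt"

# 1. Refuse to continue if a chosen port is already listening: AD DS, another AD LDS
#    instance or any other LDAP server on this host would otherwise collide with it.
foreach ($port in $LdapPort, $SslPort) {
    if (Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue) {
        throw "TCP port $port is already in use on this host; choose another port."
    }
}

# 2. Prompt for the service account password instead of hard-coding it in the script.
$Cred    = Get-Credential -UserName $ServiceAcct -Message 'Password for the AD LDS service account'
$PlainPw = $Cred.GetNetworkCredential().Password

# 3. Write the answer file. Comment lines start with ';', as in the lesson's template.
@"
[ADAMInstall]
; Install a unique (first) instance rather than a replica.
InstallType=Unique
; Name assigned to the new instance (also names the ADAM_<name> service and its files).
InstanceName=$InstanceName
; LDAP and LDAP-over-SSL ports the instance listens on.
LocalLDAPPortToListenOn=$LdapPort
LocalSSLPortToListenOn=$SslPort
; Application partition to create.
NewApplicationPartitionToCreate=$PartitionDN
; Directories for the data and log files, on the data drive.
DataFilesPath=$DataRoot\$InstanceName\data
LogFilesPath=$DataRoot\$InstanceName\logs
; Account the instance service runs as.
ServiceAccount=$ServiceAcct
ServicePassword=$PlainPw
AddPermissionsToServiceAccount=Yes
; Group that administers the instance (a group, even if it has a single member).
Administrator=$AdminGroup
; .ldf files from %SystemRoot%\ADAM to import into the instance schema.
ImportLDIFFiles="MS-InetOrgPerson.LDF" "MS-User.LDF"
"@ | Set-Content -Path $AnswerFile -Encoding Unicode

try {
    # 4. Run the unattended installation and wait for it to finish.
    $proc = Start-Process -FilePath "$env:SystemRoot\ADAM\adaminstall.exe" `
                          -ArgumentList "/answer:`"$AnswerFile`"" -Wait -PassThru
    if ($proc.ExitCode -ne 0) { throw "adaminstall.exe failed with exit code $($proc.ExitCode)" }
}
finally {
    # 5. The answer file contains the service account password in clear text; never leave it behind.
    Remove-Item -Path $AnswerFile -Force -ErrorAction SilentlyContinue
}

# 6. Verify: the service exists and runs, the database sits on the data drive,
#    and the instance answers on its LDAP port for the new partition.
$svc = Get-Service -Name "ADAM_$InstanceName"
if ($svc.Status -ne 'Running') { throw "Service ADAM_$InstanceName is not running." }
if (-not (Test-Path "$DataRoot\$InstanceName\data\adamntds.dit")) { throw 'Database file adamntds.dit not found.' }
$ldap = [ADSI]"LDAP://localhost:$LdapPort/$PartitionDN"
"Instance $InstanceName is serving partition: $($ldap.distinguishedName)"
```

The same script with InstallType=Replica and the source server keys would produce the replica the wizard builds later in the lesson; the ports check and the answer-file cleanup apply unchanged.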
Migrating a Previous LDAP Instance to AD LDS
You can also migrate existing LDAP directories to AD LDS or upgrade instances of ADAM to AD LDS. You can do this by importing the contents of the older instances into a new instance of AD LDS. Importing data can be done either when you create the instance or after the instance is created. Both processes use the same approach because both rely on LDIF files (files with the .ldf extension). If you choose to import data after the instance is created, you will need to use the LDIFDE.exe command.
Keep in mind that you must first export the data from the previous instance and place it into a file in LDIF format before you can import the data. You can use LDIFDE to export contents from legacy instances. Remember that you need local administrative rights as well as administrative rights to the instance to perform these operations. Also make sure you run the command prompt with elevated credentials. Use the following command structure:
ldifde -f filename -s servername:portnumber -m -b username domainname password
In this command structure, filename is the name of the file to create (use quotation marks if the path includes spaces); servername is the name of the server hosting the instance; portnumber is the communications port; username, domainname, and password are the credentials of an instance administrator.
Use a similar command to import the data into the new instance:
ldifde -i -f filename -s servername:portnumber -m -b username domainname password
Note that to import passwords from the legacy instance, you must use the -h switch. This switch will encrypt all passwords, using Simple Authentication and Security Layer (SASL).
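The export-then-import migration described above, as an added example that is not part of the lesson: a PowerShell script that runs the LDIFDE export against the legacy instance, imports the file into the new instance with -h (SASL signing and sealing) and -k (so the partition root, which the new instance already has, does not abort the import), and then re-exports from the new instance to confirm that the entry count survived the round trip. Server names, ports, the partition DN, paths and the administrator account are constructed placeholders; the ldifde switches are the documented ones.

```powershell
# Added example, not the lesson's code: LDIFDE migration with a round-trip check.
# Servers, ports, DN, paths and account below are constructed placeholders.
# Run from an elevated PowerShell prompt as an administrator of both instances.

$LegacyServer = 'srv1'
$LegacyPort   = 50000
$NewServer    = 'srv2'
$NewPort      = 50000
$PartitionDN  = 'CN=esnetlds,DC=es-net,DC=co,DC=uk'   # partition to export and import
$ExportFile   = 'D:\ADLDS\migration\legacy-export.ldf'
$CheckFile    = 'D:\ADLDS\migration\new-export.ldf'
$AdminUser    = 'adlds-admin'                        # instance administrator (placeholder)
$AdminDomain  = 'ES-NET'

New-Item -ItemType Directory -Path (Split-Path $ExportFile) -Force | Out-Null
$Pw = (Get-Credential -UserName "$AdminDomain\$AdminUser" -Message 'Instance administrator').GetNetworkCredential().Password

function Invoke-Ldifde {
    # Runs ldifde.exe with the given switches and fails loudly on a non-zero exit code.
    # Note: -b puts the password on the command line, where other local processes can see it.
    param([string[]]$Arguments)
    & "$env:SystemRoot\System32\ldifde.exe" @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "ldifde exited with code $LASTEXITCODE (args: $($Arguments -join ' '))" }
}

function Get-LdifEntryCount {
    # Every LDIF record starts with a 'dn:' line, so counting those lines counts the entries.
    param([string]$Path)
    return (Select-String -Path $Path -Pattern '^dn:' | Measure-Object).Count
}

# 1. Export the partition from the legacy instance.
#    -d limits the export to the partition, -m skips system-only attributes, -b supplies credentials.
Invoke-Ldifde @('-f', $ExportFile, '-s', "${LegacyServer}:$LegacyPort", '-d', $PartitionDN, '-m',
                '-b', $AdminUser, $AdminDomain, $Pw)
$exported = Get-LdifEntryCount $ExportFile
"Exported $exported entries from ${LegacyServer}:$LegacyPort"

# 2. Import into the new instance.
#    -i selects import mode, -h enables SASL signing and sealing so nothing crosses the wire in clear,
#    -k ignores 'object already exists' for the partition root the new instance already holds.
Invoke-Ldifde @('-i', '-f', $ExportFile, '-s', "${NewServer}:$NewPort", '-m', '-h', '-k',
                '-b', $AdminUser, $AdminDomain, $Pw)

# 3. Re-export from the new instance and compare counts; a shortfall means entries were rejected.
Invoke-Ldifde @('-f', $CheckFile, '-s', "${NewServer}:$NewPort", '-d', $PartitionDN, '-m',
                '-b', $AdminUser, $AdminDomain, $Pw)
$imported = Get-LdifEntryCount $CheckFile
if ($imported -lt $exported) { throw "Only $imported of $exported entries are present on the new instance." }
"Migration verified: $imported entries present on ${NewServer}:$NewPort"

# 4. The export files hold a copy of the directory and are no longer needed; remove them.
Remove-Item $ExportFile, $CheckFile -Force
```

If the new instance was created with its own default naming context you can drop -d, but naming the partition explicitly keeps both exports comparable.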
Create an AD LDS Instance
- Click AD LDS Setup Wizard, and then click Next.
- Select A Unique Instance, and then click Next.
- Type the name of the instance, and then click Next.
- Change the default port numbers, and then click Next.
- Select Yes, Create An Application Directory Partition, and type the partition name, for example CN=esnetlds,DC=es-net,DC=co,DC=uk. Click Next.
- Select the file locations, and then click Next.
- Select the service account, and then click Next.
- Select the Administrators account, and then click Next.
- Select the files to import, and then click Next.
- Review your selections, click Next, and then click Finish.

The new AD LDS instance has been created.
Create an AD LDS Replica Instance
On SRV2, we will now create a replica of the first instance.
- Launch the AD LDS Setup Wizard, and then click Next.
- Select A Replica Of An Existing Instance, and then click Next.
- Type the instance name, and then click Next.
- Type the port numbers (as previously assigned), and then click Next.
- Type the server name (or browse for it) and the LDAP port number, and then click Next.
- Specify the Administrators account, and then click Next.
- Select the application partition to copy, and then click Next.
- Select the file locations, and then click Next.
- Select the service account, and then click Next.
- Specify the Administrators account, and then click Next.
- Review your selections, click Next, and then click Finish.

The new AD LDS replica instance has been created.