Windows Server 2008 R2 : Active Directory lightweight directory services

Active Directory Lightweight Directory Services (AD LDS), formerly known as Active Directory Application Mode (ADAM), provide a subset of full AD features to directory-enabled applications. AD has become the directory service of choice for many organizations. Many applications are now written to access AD for user information. There may be instances where it is not feasible or you may not want specific applications connecting to your production AD forest (especially those requiring significant schema updates). As an alternate solution, you may be able to use AD LDS. AD LDS can also be used as an account store, when user accounts need to reside in a separate database from your production AD domain.

Installing and configuring Active Directory Lightweight Directory Services

In this section, we will walk through installing AD LDS and configuring the ADAMSync to synchronize the AD LDS instance with an AD domain.

To install the AD LDS role, perform the following tasks:

1. Open Server Manager.

2. Select the Roles node, then click the Add Roles link in the middle pane. This will launch the Add Roles Wizard.

3. Click Next to begin.

4. Select the Active Directory Lightweight Directory Services role as seen in Figure 1. If prompted, click the button to Add Required Components. Click Next to continue.

   

   Figure 1. AD LDS Server Role.

5. Click Next on the Introduction page.

6. Click Install.

7. After the installation completes, click Close.

After installing the role for AD LDS, you will need to set up the service. This can be done via the AD LDS management console in Server Manager. To open the AD LDS console, expand the roles node within Server Manager and select the AD LDS console. To set up the AD LDS service, perform the following tasks:

1. Click the Setup AD LDS link inside of the AD LDS management console (see Figure 2). This will launch the AD LDS Setup Wizard. Click Next to continue.

   

   Figure 2. AD LDS Setup Wizard Link.

2. Since this is the first AD LDS instance in your organization, select the option A unique instance and then click Next. This will create a brand new instance of the AD LDS service.

3. Enter a name and description for the new AD LDS instance, then click Next.

4. Enter the port numbers to use for LDAP and Secure LDAP connections. In our example, we will be using 50000 and 50001, respectively (see Figure 3).

   

   Figure 3. LDAP and Secure LDAP port numbers for AD LDS.

5. Optionally, you can now create an Application partition. We will go ahead and create an application partition. Select the option Yes, create an application directory partition. Then enter the distinguished name of the partition (CN=Application, DC=Contoso, DC=com). Then click Next. The application partition is a special directory partition for storing application-specific settings that may use the directory service.

6. Specify the location to store the AD LDS data files and then click Next.

7. Now specify the account that you want to use to run the AD LDS service. If the service will need to access other resources on the network, you will need to run it under an account with appropriate permissions to those resources.

8. Select the account that you want to give initial administrative access to the AD LDS instance and then click Next.

9. Select any optional schema extensions that you want applied to the AD LDS instance. Your selection here will vary depending on how the instance will be used. For example, if you plan on syncing with an AD domain, you will need to install the MS-AdamSyncMetadata.LDF. After selecting the optional LDF files to import, click Next.

10. Verify your settings and click Next to continue. After the setup completes, click Finish.

The AD LDS service is now installed. The next step we want to do is extend the AD LDS schema and set up syncing with the AD domain. To complete these tasks, perform the following procedures:

1. Open a command prompt and change to the directory C:\Windows\Adam

2. To import the Windows Server 2008 schema, run the command ldifde -i -u -f ms-adamschemaw2k8.ldf—s server:port—b username domain password -j. -c “cn=Configuration,dc=X” #configurationNamingContext (see Figure 4).

   

   Figure 4 Import Windows Serve4 2008 Schema Command.

3. Next, we need to modify the XML configuration file that will be used to set up the sync. Browse to the directory C:\Windows\Adam and locate the file MS-AdamSyncConf.xml and make a copy of the file naming the new file AdamSync.xml.

4. Open the new file AdamSync.xml in Notepad.

5. Update all of the fields that point to the Fabrikam domain with the contextual information pointing to yours. Change the <target-DN> field to CN=Application, DC=contoso, DC=com. This will tell everything to sync to the new partition we set up while adding the role. Your AdamSync.xml file should look similar to Figure 5. After updating the file, save and close it.

   

   Figure 5. AdamSync.xml.

6. At the command prompt, enter the command adamsync/i servername:portname configxmlfile. For example, enter adamsync/I labfs1:50000 adamsync.xml. This will install the configuration in the XML file.

7. You are now ready to sync the AD LDS instance with the AD domain. To do this, enter the command adamsync/sync server:port dn of partition. For exadamsync/sync labfs1:50000 “CN=Application, DC=Contoso, DC=Com”

This completes the process to set up the sync between AD and AD LDS. If you wanted the sync to occur on a regular basis, you could save the command in a batch file and set up a scheduled task to run the sync on a regular basis.