Now that you have installed AD LDS, you can begin to work with it
to store directory-related data for various applications. The first
thing you should do is become familiar with the AD LDS tool set. After
you understand which tools you can use to manage AD LDS, you can begin
to create your first instances. After you’ve created your instances, you
can secure them to ensure that they are properly protected. You can then
move on to the creation of replicas for these instances so that you can
install them on various other systems and control replication so that
instances located on different computers can be updated through
multimaster replication.
This lesson illustrates the value that AD LDS offers when you
combine it with applications and integrate it with the other Active
Directory technologies contained within Windows Server 2008 R2.
1. Working with AD LDS Tools
You can work with AD LDS through a selection of tools, many of
which will be familiar to you because they are the same tools you use
for AD DS administration. Table 1 describes each of these
tools and the purpose they serve in managing the AD LDS
service.
Table 1. AD LDS Tools and AD DS Tools
|
TOOL NAME |
USAGE |
LOCATION |
|---|
|
Active Directory Schema Snap-in |
Modify the schema for AD LDS instances. You must
use the Regsvr32.exe command to register the Schmmgmt.dll
first. |
Custom MMC |
|
Active Directory Sites And
Services |
Configure and manage replication scopes for AD
LDS instances. AD LDS instances must be updated to support
replication objects first. |
Administrative Tools program group |
|
AD LDS Setup |
Create AD LDS instances. |
Administrative Tools program group |
|
ADAMInstall.exe |
Command-line tool for the creation of AD LDS instances. |
%SystemRoot%\ADAM folder |
|
ADAMSync.exe |
Command-line tool for synchronizing data from AD DS forest to AD LDS instance. AD
LDS instance must be updated to AD DS schema
first. |
%SystemRoot%\ADAM folder |
|
ADAMUninstall.exe |
Command-line tool for the removal of AD LDS
instances. |
%SystemRoot%\ADAM folder |
|
ADSchemaAnalyzer.exe |
Command-line tool for copying schema contents
from AD DS to AD LDS or from one AD LDS instance to another.
Supports third-party LDAP directory schema
copies. |
%SystemRoot%\ADAM folder |
|
ADSI Edit |
Interactively manage AD LDS content through
ADSI. |
Administrative Tools program group |
|
CSVDE.exe |
Import data into AD LDS instances. |
Command line |
|
DSACLS.exe |
Control access control lists on AD LDS
objects. |
Command line |
|
DSAMain.exe |
Mount Active Directory store (.dit) backups or
snapshots to identify their contents. |
Command line |
|
DSDBUtil.exe |
Perform database maintenance, configure AD LDS
ports, and view existing instances. Also, create one-step
installations for transporting AD LDS instances through the
Install from Media (IFM) generation process. |
Command line |
|
Dcdiag.exe |
Diagnose AD LDS instances. Must use the /n:NamingContext
switch to name the instance to diagnose. |
Command line |
|
DSMgmt.exe |
Supports application partition and AD LDS policy
management. |
Command line |
|
Event Viewer |
Audit AD LDS changes and log old and new values
for both objects and attributes. |
Administrative Tools program group |
|
LDAP Data Interchange Format (LDIF)
files |
AD LDS installations can dynamically import LDIF
files (.ldp) during instance creation, automatically
configuring the instance. |
%SystemRoot%\ADAM folder |
|
LDIFDE.exe |
Import data into AD LDS instances. |
Command line |
|
LDP.exe |
Interactively modify content or AD LDS instances
through LDAP. |
Command line |
|
Ntdsutil.exe |
Manage AD LDS instances, but only if AD DS is also
installed. (Not recommended; use DSDBUtil.exe instead.) |
Command line |
|
RepAdmin.exe |
Analyze replication to view potential
issues. |
Command line |
|
Server Manager |
Manage existing AD LDS instances. |
Administrative Tools program group |
|
Windows PowerShell |
Create, manage, and delete AD LDS
instances. |
Administrative Tools program group |
|
Windows Server Backup |
Back up or restore AD LDS instances and their
contents. |
Administrative Tools program group |
You’ll use a variety of the tools listed in Table 1 to perform the configuration
and administration operations required when you run AD LDS
services.
2. Creating AD LDS Instances
The AD LDS role installation process is very similar to the AD
DS installation process. You begin by installing the AD LDS binaries,
and then, after they are installed, you create AD LDS instances to use
the service. In the same way, when you deploy AD DS, you begin by
installing the binaries, and then you use the Active Directory Domain Services Installation Wizard to
create the AD DS instance you will use. Because of their same roots,
many of the tools you use to manage them are the same.
Preparing for AD LDS Instance Creation
You create AD LDS instances by using the Active Directory Lightweight Directory Services Setup
Wizard. However, you need to prepare several items before you create
the instance. Make note of the values you choose as you prepare each
item because you will need these values to create and manage the
instance. These items include:
-
A data drive created for your server. Because this server
will be hosting directory stores, place these stores on a drive
that is separate from the operating system.
-
The name you will use to create the instance. Use
meaningful names, such as the name of the application that will
be tied to an instance, to identify instances. This name is used
to identify the instance on the local computer as well as to
name the files that make up the instance and the service that
supports it.
-
The ports you intend to use to communicate with the
instance. Both AD LDS and AD DS use the same ports for
communication. These ports are the default LDAP (389) and LDAP
over the Secure Sockets Layer (SSL), or Secure LDAP (636),
ports. AD DS uses two additional ports, 3268, which uses LDAP to
access the global catalog, and 3269, which uses Secure LDAP to
access the global catalog. Because AD DS and AD LDS use the same
ports, this is another good reason for not running both roles on
the same server. However, when the wizard detects that ports 389
and 636 are already in use, it proposes 50,000 and 50,001 for
each port and then uses other ports in the 50,000 range for
additional instances.
Warning
IMPORTANT
USING PORTS 389 AND 636
If you are creating AD LDS instances within a domain, do
not use ports 389 or 636 even if you are not creating the
first instance on a domain controller. AD DS uses these ports
by default, and, because of this, some consoles, such as those
using the Active Directory Schema snap-in, will not bind
to local instances because they bind to the AD DS directory by
default. As a best practice, always use ports beyond the
50,000 range for your AD LDS instances.
Tip
EXAM TIP
Make note of the default ports. They are sure to be on
the exam, even though you should avoid them in production
environments.
-
The Active Directory application partition name that
you intend to use for the instance. You must use a distinguished
name (DN) to create the partition. For example, you could use
CN=AppPartition1,DC=Contoso,DC=com. Depending on how you intend
to use the instance, you might or might not need the application
partition. Application partitions control the replication scope
for a directory store. For example, when you integrate DNS data
within the directory, AD DS creates an application partition to
make DNS data available to appropriate DCs. Application
partitions for AD LDS can be created in one of three ways: when
you create the instance, when you install the application that
will be tied to the instance, or when you create the partition
manually through the LDP.exe tool. If your application will not
create application partitions automatically, create them with
the wizard.
-
A service account to run the instance. You can use the
Network Service account, but if you intend to run multiple
instances, it might be best to use named service accounts for
each instance. If you choose not to use a managed service
account and decide to set up your service accounts manually,
remember to follow the service accounts guidelines and
requirements as listed here. Create a domain account if you are
in a domain; otherwise, use a local account (for example, in a
perimeter network).
-
Assign the Generate Security Audits user right in the
Local Security Policy of each computer that will host this
instance to support account auditing.
-
A group that will contain the user accounts that will
administer the instance. The best practice for permission
assignments is always to use groups even if only one account is
a member of the group. If personnel changes, you can always add
or change group members without having to add or change
permissions. Create a domain group if you are in a domain;
otherwise, create a local group. Name the group the same as the
instance. This way, it will be easy to track the group’s
purpose. Add your own account to the group as well as to the
service account you created earlier.
-
Any additional LDIF files you need for the instance. Place these
files in the %SystemRoot%\ADAM folder. These files are imported
during the creation of the instance. Importing LDIF files
extends the schema of the instance you are creating to support additional operations. For
example, to synchronize AD DS with AD LDS, you would import the
MS-AdamSyncMetadata.ldf file. If your application requires
custom schema modifications, create the LDIF file ahead of time
and import it as you create the instance. Note that you can
always import LDIF files after the instance is created. Default
LDIF files are listed in Table 2.
Table 2. Default AD LDS LDIF Files
|
FILE NAME |
PURPOSE |
|---|
|
MS-ADAM-Upgrade-1.ldf |
To upgrade the AD LDS schema to the latest
version. |
|
MS-ADAM-Upgrade-2.ldf |
To upgrade the AD LDS schema to support the AD
Recycle Bin. |
|
MS-adamschemaw2k3.ldf |
Required as a prerequisite for synchronizing an
instance with Active Directory in Windows Server
2003. |
|
MS-adamschemaw2k8.ldf |
Required as a prerequisite for synchronizing an
instance with Active Directory in Windows Server 2008
R2. |
|
MS-AdamSyncMetadata.ldf |
Required to synchronize data between an AD DS
forest and an AD LDS instance through
ADAMSync. |
|
MS-ADLDS-DisplaySpecifiers.ldf |
Required for the Active Directory Sites And
Services snap-in operation. |
|
MS-AZMan.ldf |
Required to support the Windows Authorization
Manager. |
|
MS-InetOrgPerson.ldf |
Required to create
inetOrgPerson user classes and
attributes. |
|
MS-User.ldf |
Required to create user classes and
attributes. |
|
MS-UserProxy.ldf |
Required to create a simple
userProxy class. |
|
MS-UserProxyFull.ldf |
Required to create a full
userProxy class. MS-UserProxy.ldf must
be imported first. |
After you have all these items in hand, you are ready to
create your instance. Make sure the account you use has local
administrative rights. You can create instances in one of two ways. The first is through the
Active Directory Lightweight Services Setup Wizard,
and the second is through the command line. You use the wizard
during the practice in this lesson. Using the command line is
explained in the next section.
Warning
IMPORTANT AD LDS
LOG FILES
AD LDS creates log files during the creation of an instance.
These files are located in the %SystemRoot%\Debug folder and are
named ADAMSetup.log and ADAMSetup_loader.log. You can review the
content of these files to debug instance creation issues.
Performing an Unattended AD LDS Instance Creation
You can also perform unattended AD LDS instance creations. For
example, to create instances on Server Core installations, you must
use an unattended instance creation process because there is no
graphical interface to run the wizard. Unattended instance creations are also useful
when you need to create an instance for a distributed application on
multiple servers.
The %SystemRoot%\ADAM folder includes an additional command,
AdamInstall.exe, which can be run to perform
unattended instance setups. As with the Dcpromo.exe command, this
command requires a text file as input for the creation of the
instance. You can run AdamInstall.exe on either a full installation
or Server Core. Begin by creating an answer file, as follows:
-
Launch Notepad.
-
Type the text for the answer file. Include the following
items:
[ADAMInstall]
InstallType=Unique
InstanceName=InstanceName
LocalLDAPPortToListenOn=PortNumber
LocalSSLPortToListenOn=PortNumber
NewApplicationPartitionToCreate=PartitionName
DataFilesPath=D:\ADAMInstances\InstanceName\Data
LogFilesPath=D:\ADAMInstances\InstanceName\Data
ServiceAccount=DomainOrMachineName\AccountName
ServicePassword=Password
Administrator=DomainOrMachineName\GroupName
ImportLDIFFiles="LDIFFilename1" "LDIFFilename2" "LDIFFilename3"
SourceUserName=DomainorMachineName\AccountName
SourcePassword=Password
Replace all names in italics with appropriate values.
Use
caution with this file because it includes passwords, and these
passwords are displayed in clear text. The passwords are removed
as soon as the file is used by the AD LDS instance creation
tool.
-
Save the file in the %SystemRoot%\ADAM folder, and name it
with the name of the instance you want to create.
-
Close Notepad.
Now you’re ready to create your instance. Remember that you
need local administrative rights.
-
Open an elevated command prompt from the Start menu by
right-clicking Command Prompt and clicking Run As
Administrator.
-
In the command prompt window, move to the
%SystemRoot%\ADAM folder. Type the following command, and then
press Enter.
cd windows\adam
-
Type the following command. Use quotation marks for the
file name if it includes spaces.
adaminstall /answer:filename.txt
-
Close the command prompt window.
Your instance is ready. You can verify that the instance files
have been created by going to the target folder and viewing its
contents.
Migrating a Previous LDAP Instance to AD LDS
You can also migrate existing LDAP directories to AD LDS or
upgrade instances of ADAM to AD LDS. You can do this by
importing the contents of the older instances into a new instance of
AD LDS.
You can import data either when you create the instance or
after the instance is created. Both processes use the same approach
because both rely on LDIF files or files with the .ldf extension. If
you choose to import data after the instance is created, you must
use the LDIFDE.exe command. Remember that you must first export the
data from the previous instance and place it in a file in LDIF
format before you can import the data.
You can use LDIFDE to export contents from legacy instances.
Remember that you need local administrative rights as well as
administrative rights to the instance to perform these operations.
Also make sure you run the command prompt with elevated credentials.
Use the following command syntax:
ldifde -f filename -s servername:portnumber -b username domainname password
where filename is the name of the file to
create (use quotation marks if the path includes spaces);
servername is the name of the server hosting
the instance; portnumber is the communications
port; and username, domainname, and
password are the credentials of an instance
administrator.
Use a similar command to import the data into the new
instance:
ldifde -i -f filename -s servername:portnumber -b username domainname password
Note that to import passwords from the legacy instance, you
must use the –h switch. This switch encrypts
all passwords, using Simple Authentication And Security Layer
(SASL).
Enabling the AD Recycle Bin in AD LDS
By default, the AD Recycle Bin is not enabled in AD LDS instances just as it is not available in AD DS
until it is enabled. Enabling the Recycle Bin in AD LDS requires a
schema update. Use the following command to update the
schema:
ldifde -i -f MS-ADAM-Upgrade-2.kdf -s servername:portnumber -b username
domainname password -j . -$ adamschema.cat
This action is irreversible and cannot be undone. Note that it
is easiest to perform this update after Windows Server 2008 R2 is
installed and the AD LDS role is enabled, because the required LDF and CAT
files are easy to locate (in the %SystemRoot%\ADAM folder). If you
try to update an AD LDS instance before updating the server to
Windows Server 2008 R2, you must locate these files on another
server and copy them to the server where you are performing the
update.
