3. Working with AD LDS Instances
Table 1, presented
earlier, lists all the tools you can use to work with AD LDS
instances. Of these, the most useful are the graphical tools such as
ADSI Edit, LDP.exe, the Schema snap-in, and Active Directory Sites And Services. They control how
you view and edit content in your instances. Command-line tools are
more useful for automating processes and data input for AD LDS
instances.
Using ADSI Edit to Work with Instances
ADSI Edit is a general administration tool for AD LDS
instances. Each time you want to work with an instance, you must
first connect and bind to the instance. Remember that you must be an
administrator of the instance to perform administrative operations
on it. Use the following procedure:
- Launch ADSI Edit from the Administrative Tools program group.
- In the tree pane, right-click ADSI Edit, and then select Connect To. This opens the Connection Settings dialog box. Enter the following values as shown in Figure 1:
  - Name: This should be the name of the instance to which you want to connect.
  - Connection Point: Choose Select Or Type A Distinguished Name Or Naming Context, and type the distinguished name of the instance.
  - Computer: Choose Select Or Type A Domain Or Server, and type the server name with the port number—for example, SERVER03:50000. Select the Use SSL-Based Encryption check box if you are using a Secure LDAP port.
- Click OK.
This connects you to the instance. Expand all entries to
view the instance contents. Explore the shortcut menus to
understand the operations you can perform with ADSI Edit on AD
LDS instances.
Now that you are bound to the instance, you can create and
manage objects within the instance. Use the following
procedure:
- Right-click the application partition distinguished name, point to New, and click Object. This opens the Create Object dialog box, which lists all the available object classes in the instance’s schema.
- Begin by creating a user group. Scroll to the Group object, select it, and then click Next.
- Type the name of the group, such as AD LDS Users, and click Next.
- On the next screen of the dialog box, you can click More Attributes to assign more values to this new object. For example, you can assign a description to the group. From the Select A Property To View drop-down list, select AdminDescription. Type a description in the Edit Attribute field, such as Group to contain AD LDS users, click Set, and then click OK.
- Click Finish to create the group. By default, this creates a security group.
- Create a user: Right-click the application partition distinguished name, point to New, and then click Object.
- Scroll to the User object, select it, and then click Next.
- Type the name of the user and click Next.
- Once again, you can click More Attributes to assign more values to this new object.
- Click Finish to create the user.
- Add the user to the group: Select the partition in the tree pane, locate the group in the details pane, right-click it, and then click Properties.
- In the Properties dialog box, locate the member property and click Edit.
- In the Multi-Valued Distinguished Name With Security Principal Editor dialog box, click Add DN.
- In the Add Distinguished Name dialog box, type the distinguished name of the user you created. For example, type cn=John Kane,cn=Instance1,dc=contoso,dc=com. Click OK. The user is now listed in the members list.
- Click OK to complete the operation.
If you view the properties of the group again, you see that
your user has been added to the group. It is quite cumbersome to add
users and groups to an instance in this manner, but you can use it
for single modifications. Ideally, you should create user and group
lists and then use either CSVDE.exe or LDIFDE.exe to add them in
batches.
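The batch alternative recommended above, as an added example that is not from the book: a Windows PowerShell script that writes the same group, user and membership change from the ADSI Edit procedure into an LDIF file and imports it with LDIFDE.exe in one pass. The server name SERVER03:50000, the partition CN=Instance1,DC=contoso,DC=com, the user list and the groupType value are assumptions for the example; the user class requires that MS-User.ldf was imported into the instance.

```powershell
# Added example (not from the book): batch-create a group and users in an AD LDS
# instance with LDIFDE.exe instead of clicking through ADSI Edit.
# Assumed values: server/port and partition match the examples used on this page.
$Server    = 'SERVER03:50000'
$Partition = 'CN=Instance1,DC=contoso,DC=com'
$LdifPath  = Join-Path $env:TEMP 'adlds-users.ldf'
$LogDir    = Join-Path $env:TEMP 'adlds-ldifde-log'

# Constructed sample data: the group and the users that will become its members.
$GroupName = 'AD LDS Users'
$Users = @(
    @{ Cn = 'John Kane';  DisplayName = 'John Kane' },
    @{ Cn = 'Jane Smith'; DisplayName = 'Jane Smith' }
)
$groupDn = "CN=$GroupName,$Partition"

# An LDIF file is a series of records (dn, changetype, attributes) separated by
# blank lines. groupType -2147483640 (assumed) is a security-enabled universal
# group, the kind ADSI Edit creates by default in AD LDS.
$records = @()
$records += @"
dn: $groupDn
changetype: add
objectClass: group
cn: $GroupName
groupType: -2147483640
adminDescription: Group to contain AD LDS users
"@

foreach ($u in $Users) {
    $userDn = "CN=$($u.Cn),$Partition"
    $records += @"
dn: $userDn
changetype: add
objectClass: user
cn: $($u.Cn)
displayName: $($u.DisplayName)
"@
    # member is multi-valued: a modify record with 'add: member' appends one DN.
    # The lone '-' line closes the modify operation.
    $records += @"
dn: $groupDn
changetype: modify
add: member
member: $userDn
-
"@
}

# LDIFDE wants CRLF line endings and a blank line between records.
($records -join "`r`n`r`n") + "`r`n" | Set-Content -Path $LdifPath -Encoding ASCII
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# -i import, -f file, -s server:port (as shown on this page), -k continue past
# "object already exists" errors so the batch can be re-run, -j log folder.
# Without -b, LDIFDE binds as the logged-on user, who must administer the instance.
& ldifde.exe -i -f $LdifPath -s $Server -k -j $LogDir
if ($LASTEXITCODE -ne 0) {
    throw "ldifde failed with exit code $LASTEXITCODE; check the log files in $LogDir"
}
```

Because every DN is built from one $Partition value, a typo in the partition name fails the whole batch at once rather than silently creating objects in the wrong place, which is the main reason to prefer this over entering distinguished names by hand.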
Using LDP.exe to Work with Instances
Similarly, the LDP.exe console allows you to view and edit
instance contents. As with the ADSI Edit tool, you must connect and
then bind to the instance you need to work with. Remember that you
must be an administrator of the instance to perform administrative
operations on it. Use the following procedure:
- Launch LDP.exe from the command line or from Server Manager under the Active Directory Lightweight Directory Service, Advanced Tools section.
- On the Connection menu, click Connect.
- Type the name of the server you want to connect to and the port number to use. Select SSL if you are using a Secure LDAP port. Click OK.
- On the Connection menu, click Bind.
- If your account has the required permissions, select Bind As Currently Logged On User. If not, select Bind With Credentials and type the appropriate credentials. Click OK.
- On the View menu, click Tree to fill the tree pane.
- In the BaseDN dialog box, click the down arrow to view the list of distinguished names, and select the name of your instance. Click OK.
From this point, you can use the tree pane to identify
where you want to work inside the instance. Explore the various
menus to see which operations you can perform with LDP.exe, and
then close LDP.exe.
Using the Schema Snap-in to Work with Instances
You can also use the Active Directory Schema snap-in to create custom
consoles to manage AD LDS instance schemas. Remember that to use
this snap-in, you must first register it on the server. Use the
following command in an elevated command prompt:
regsvr32 schmmgmt.dll
You’re now ready to load the Schema snap-in and view the
schema of your instances. Remember to use administrative credentials
for the instance.
- Click Start, and then type mmc in the Search box. Press Enter.
- In the empty MMC, click Add/Remove Snap-in on the File menu.
- Locate the Active Directory Schema snap-in in the Available Snap-ins list, click Add, and then click OK.
- Save the console with an appropriate name. Make sure you save it in an appropriate location.
- The Schema snap-in binds to the Active Directory Domain Services directory by default. To bind to an AD LDS instance, right-click Active Directory Schema in the tree pane and click Change Active Directory Domain Controller.
- In the Change Directory Server dialog box, select This Domain Controller Or AD LDS Instance, click <Type A Directory Server Name[:Port] Here>, type the server name with the port number separated by a colon, and then press Enter. Click OK.
- In the warning dialog box, click Yes to change servers.
You can now view the schema for this instance. Save this
console again to save these settings. Note the similarities
between the schema of an AD LDS instance and the one for an AD
DS directory.
Note: CREATING A MULTI-AD LDS CONSOLE
If you want to create one console with multiple AD LDS
instance schemas, just add additional Schema snap-ins to your
console. Use one snap-in for each instance you want to connect to.
When you reopen the console it links to each instance, saving you
time.
Using Active Directory Sites And Services to Work with Instances
As with the other Active Directory tools, you can manage
AD LDS instances with the Active Directory Sites And
Services console. However, before you can do so, you must import the
MS-ADLDS-DisplaySpecifiers.ldf file to update the instance’s schema
to support the appropriate objects. This must be done for each
instance you want to manage with this console. To do so, perform the
following steps:
- Begin by adding the LDIF file to your instance if it hasn’t already been done. To do so, start by opening an elevated command prompt.
- Move to the %SystemRoot%\ADAM folder. For example, type cd \windows\adam.
- Import the LDIF file into the instance:
  ldifde -i -f MS-ADLDS-DisplaySpecifiers.ldf -s servername:portnumber -b username domainname password
- Close the command prompt.
- Launch Active Directory Sites And Services from the Administrative Tools program group.
- The console binds to the Active Directory Domain Services directory by default. To bind to an AD LDS instance, right-click Active Directory Sites And Services in the tree pane and click Change Domain Controller.
- In the Change Directory Server dialog box, select This Domain Controller Or AD LDS Instance and click <Type A Directory Server Name[:Port] Here>. Type the server name with the port number separated by a colon, and then press Enter. Click OK.
- In the warning dialog box, click Yes to change servers.
You can now work with the replication parameters for the
instance. Note that the server name uses the
Servername$InstanceName format to illustrate that it is not a
domain controller.
Working with AD LDS instances requires care and attention, because
almost every activity is performed either through the command line
or by using distinguished names. As you probably have seen when
working with AD DS, typographical errors are the bane of any
administrator working with these tools. The same applies to AD LDS.
Be sure to double-check all your entries before you run any command
or create and manage any object by using its distinguished
name.
Using Active Directory Module for Windows PowerShell to Work with Instances
You can also use Windows PowerShell to interact with or
automate AD LDS administration. AD LDS administration with
PowerShell is very much like the administration of AD DS through the
same tool. Many of the same cmdlets are available. To administer AD
LDS with PowerShell, perform the following steps:
- Launch Windows PowerShell. To do so, open Active Directory Module For Windows PowerShell from the Administrative Tools program group.
- You are ready to work with an AD LDS instance. You can perform several activities. For example:
  - Get information from an AD LDS instance:
    Get-ADGroupMember -identity 'distinguishedname of the group' -server 'servername:port' -partition 'distinguishedname of the partition' | FT Name,DistinguishedName -A
    This provides a list of the members of a specific group within the instance. Remember that you need to provide the name of the group, the server name, and the port for the AD LDS instance, as well as the name of the partition where the group is located. Also remember that all names are distinguished names.
  - Create objects within an AD LDS instance:
    New-ADUser -name 'username' -DisplayName 'display name' -server 'servername:port' -path 'distinguishedname of the path where the user will be located'
    This creates a new user in a specific location within an AD LDS instance. Remember that you need to provide the name of the user, the display name for the user, the server name, and the port for the AD LDS instance, as well as the name of the location for the user. All names are distinguished names.
  - Remove objects within an AD LDS instance:
    Remove-ADUser -identity 'username' -server 'servername:port' -partition 'distinguishedname of the instance partition'
    This removes a user from a specific location within an AD LDS instance. Remember that you need to provide the name of the user, the server name, and the port for the AD LDS instance, as well as the name of the location for the user. All names are distinguished names.
As you can see, you can use many of the AD DS
PowerShell cmdlets to work with AD LDS instances. The major difference is that
you need to provide the path to the instance—server name and
port number—to access it with PowerShell.
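The three cmdlet fragments above put together into one script, as an added example that is not from the book: it creates the group and user from the ADSI Edit procedure, adds the membership, reads it back with Get-ADGroupMember, and optionally removes the user again. SERVER03:50000, CN=Instance1,DC=contoso,DC=com and the groupType value are assumed for the example; New-ADObject is used for the group because AD LDS has no domain group scopes, and the user class needs MS-User.ldf to have been imported into the instance.

```powershell
# Added example (not from the book): AD LDS administration with the Active
# Directory module. Every cmdlet carries -Server 'server:port' because there is
# no domain to discover, and every location is a distinguished name.
# Assumed values: SERVER03:50000 and CN=Instance1,DC=contoso,DC=com.
Import-Module ActiveDirectory

$Server    = 'SERVER03:50000'
$Partition = 'CN=Instance1,DC=contoso,DC=com'
$GroupName = 'AD LDS Users'
$UserName  = 'John Kane'
$GroupDn   = "CN=$GroupName,$Partition"
$UserDn    = "CN=$UserName,$Partition"
$Cleanup   = $false   # set to $true to remove the user at the end

try {
    # Group: groupType -2147483640 (assumed) is a security-enabled universal
    # group, which is what ADSI Edit creates by default in AD LDS.
    New-ADObject -Name $GroupName -Type group -Path $Partition -Server $Server `
        -OtherAttributes @{ groupType = -2147483640
                            adminDescription = 'Group to contain AD LDS users' } `
        -ErrorAction Stop

    # User: the same call as in the text, with the partition DN as -Path.
    New-ADUser -Name $UserName -DisplayName $UserName -Path $Partition `
        -Server $Server -ErrorAction Stop

    # Membership: Add-ADGroupMember takes the same -Partition parameter as
    # Get-ADGroupMember when the target is an AD LDS instance.
    Add-ADGroupMember -Identity $GroupDn -Members $UserDn -Server $Server `
        -Partition $Partition -ErrorAction Stop

    # Read the membership back (the Get-ADGroupMember call from the text).
    Get-ADGroupMember -Identity $GroupDn -Server $Server -Partition $Partition -ErrorAction Stop |
        Format-Table Name, DistinguishedName -AutoSize

    if ($Cleanup) {
        # Removal needs the same server and partition; -Confirm:$false suppresses the prompt.
        Remove-ADUser -Identity $UserDn -Server $Server -Partition $Partition `
            -Confirm:$false -ErrorAction Stop
    }
}
catch {
    # A mistyped DN or port surfaces here instead of leaving half the objects created.
    Write-Error "AD LDS operation failed: $($_.Exception.Message)"
}
```

Running the script a second time fails at New-ADObject because the group already exists; that is the behaviour you want from -ErrorAction Stop inside the try block, since it stops the script before any later step touches an object that may not be the one you intended.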
Practice Working with AD LDS Instances
In this practice, you create your first AD LDS instance, as
well as a replica. Then you manage replication between the two
instances.
EXERCISE 1 Create an AD LDS Instance
In this exercise, you create your first AD LDS instance. Use the values in Table 3 to perform this
exercise.
Table 3. Instance Creation Values
| ITEM | VALUE |
|---|---|
| Instance Name | ADLDSInstance |
| Ports | 50,004 for LDAP; 50,005 for Secure LDAP |
| Application Partition Name | CN=ADLDSInstance,dc=contoso,dc=com |
| Data Paths | D:\ADLDS\ADLDSInstance\Data |
| Service Account | Network Service |
| Administration Account | Contoso\Administrator |
| LDIF Files for Import | MS-AdamSyncMetadata.ldf, MS-ADLDS-DisplaySpecifiers.ldf, MS-AZMan.ldf, MS-InetOrgPerson.ldf, MS-User.ldf, MS-UserProxy.ldf, MS-UserProxyFull.ldf |
Make a practice of filling out a table similar to Table 3 each time you create a new
instance of AD LDS. Because a server can host a multitude of AD
LDS instances, it is a very good practice to document each
one.
- Begin by making sure your domain controller, SERVER01.contoso.com, and your member servers, SERVER03.contoso.com and SERVER04.contoso.com, are running.
- Log on to SERVER03.contoso.com with the domain Administrator account.
  Remember that, in production, you need only local administrative rights for operations with AD LDS.
- Launch the Active Directory Lightweight Directory Services Setup Wizard from the Administrative Tools program group.
- Review the information on the Welcome page and click Next.
- On the Setup Options page, select A Unique Instance and click Next.
- On the Instance Name page, type ADLDSInstance and click Next.
  When you name the instance, you also name the service that will run that instance. Note that the service name will be ADAM_instancename, but the name listed in the Services console will be instancename alone.
- On the Ports page, provide the ports to use to communicate with this instance. Use 50,004 for LDAP and 50,005 for the SSL port number. Click Next.
- On the Application Directory Partition page, click Yes, Create An Application Directory Partition. Provide the application partition name, in this case CN=ADLDSInstance,dc=contoso,dc=com, and click Next.
  You must always supply a distinguished name.
- On the File Locations page, change the paths to D:\ADLDS\ADLDSInstance\Data and click Next.
  Because this is a directory store, it should be placed on a disk that is separate from the operating system, such as the D drive. You can also use separate subfolders for the data files and the data recovery files.
- On the Service Account Selection page, select Network Service Account and click Next.
  Microsoft Windows selects the Network Service account by default. This account has limited local access rights and is a protected account. You should usually use a proper service account, but Network Service suffices for the purpose of the exercise.
- On the AD LDS Administrators page, select Currently Logged On User and click Next.
  You should usually use a predefined group, but the Administrator account suffices for the purpose of this exercise.
- On the Importing LDIF Files page, select all the listed LDIF files and click Next.
- On the Ready To Install page, review your selections and click Next.
  AD LDS installs the new instance.
- Click Finish.
Your first instance has been created. Open Server
Manager and expand the Roles\Active Directory Lightweight
Directory Services node to view the results of your
operation.
AD LDS creates log files during the creation of the
instance. These files are located in the %SystemRoot%\Debug
folder and are named ADAMSetup.log and ADAMSetup_loader.log.
You can review them if you find issues during the creation of
the instance. Also, creating an instance creates a service for
the instance. You can launch the Services console from the
Administrative Tools program group to verify the existence of
this service.
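A scripted version of the checks just described, as an added example that is not from the book: it confirms the ADAM_ADLDSInstance service, the two listening ports from Table 3, the naming contexts the instance advertises in rootDSE, and the setup log files in %SystemRoot%\Debug. The function name Test-AdLdsInstance and its defaults are assumptions for the example; it expects to be run on SERVER03 by an administrator of the instance.

```powershell
# Added example (not from the book): verify the instance created in Exercise 1.
# Only facts stated in the text are relied on: the service is ADAM_<instancename>,
# the ports are 50004 (LDAP) and 50005 (SSL), and setup logs ADAMSetup*.log to
# %SystemRoot%\Debug. Function name and parameters are assumed for the example.
function Test-AdLdsInstance {
    param(
        [string]$InstanceName = 'ADLDSInstance',
        [string]$ComputerName = 'SERVER03',
        [int]$LdapPort = 50004,
        [int]$SslPort  = 50005
    )
    $result = [ordered]@{}

    # 1. Service: the wizard registers it as ADAM_<instancename>.
    $svc = Get-Service -Name "ADAM_$InstanceName" -ErrorAction SilentlyContinue
    $result.ServiceStatus = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }

    # 2. Ports: a plain TCP connect works on any Windows PowerShell version.
    foreach ($p in @{ Ldap = $LdapPort; Ssl = $SslPort }.GetEnumerator()) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $client.Connect($ComputerName, $p.Value)
            $result["$($p.Key)PortOpen"] = $true
        } catch {
            $result["$($p.Key)PortOpen"] = $false
        } finally {
            $client.Close()
        }
    }

    # 3. rootDSE: lists the naming contexts the instance hosts; the application
    #    partition CN=ADLDSInstance,dc=contoso,dc=com should be among them.
    try {
        $rootDse = [ADSI]"LDAP://${ComputerName}:${LdapPort}/RootDSE"
        $result.NamingContexts = @($rootDse.namingContexts)
    } catch {
        $result.NamingContexts = @()
    }

    # 4. Setup logs written by the wizard run.
    $result.SetupLogs = Get-ChildItem -Path (Join-Path $env:SystemRoot 'Debug') `
        -Filter 'ADAMSetup*.log' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name

    [pscustomobject]$result
}

Test-AdLdsInstance | Format-List
```

If ServiceStatus is Running but the partition is missing from NamingContexts, the instance was created without the application partition and the ADAMSetup.log file is the place to look for the reason.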
EXERCISE 2 Create an AD LDS Replica Instance
In this exercise, you create your first AD LDS replica
instance, on the second member server you created.
- Make sure your domain controller, SERVER01.contoso.com, and your member servers, SERVER03.contoso.com and SERVER04.contoso.com, are running.
- Log on to SERVER04.contoso.com with the domain Administrator account.
- Launch the Active Directory Lightweight Directory Services Setup Wizard from the Administrative Tools program group.
- Review the information on the Welcome page and click Next.
- Under Setup Options, select A Replica Of An Existing Instance and click Next.
- On the Instance Name page, type ADLDSInstance and click Next.
- On the Ports page, provide the ports to communicate with this instance. Use 50,004 for LDAP and 50,005 for the SSL port number. Click Next.
- On the Joining A Configuration Set page, under Server, click Browse to locate SERVER03. Type SERVER03, and then click Check Names. Click OK, and then type 50004 in the LDAP Port field. Click Next.
- On the Administrative Credentials For The Configuration Set page, select Currently Logged On User and click Next.
  You should usually use a group, but the Administrator account suffices for the purpose of this exercise.
- On the Copying Application Directory Partitions page, select the CN=ADLDSInstance,dc=contoso,dc=com partition and click Next.
- On the File Locations page, change the paths to D:\ADLDS\ADLDSInstance\Data and click Next.
- On the Service Account Selection page, select Network Service Account and click Next.
  You should usually use a proper service account, but Network Service suffices for the purpose of the exercise.
- On the AD LDS Administrators page, select Currently Logged On User and click Next.
  You should usually use a group, but the Administrator account suffices for the purpose of this exercise.
- On the Ready to Install page, review your selections and click Next.
  AD LDS installs the new instance.
- Click Finish.
Your replica has been created.
EXERCISE 3 Manage Replication Between AD LDS Replicas
In this exercise, you view the replication parameters
between your two instances. You do not need to update the
instances to support Active Directory Sites And Services objects
because you imported all LDIF files in Exercise 1 when you created
the source instance.
- Begin by making sure your domain controller, SERVER01.contoso.com, and your member servers, SERVER03.contoso.com and SERVER04.contoso.com, are running.
- Log on to SERVER04.contoso.com with the domain Administrator account.
- Launch Active Directory Sites And Services from the Administrative Tools program group.
  The console binds to the Active Directory Domain Services directory by default.
- To bind to the AD LDS instance, right-click Active Directory Sites And Services in the tree pane and click Change Domain Controller.
- In the Change Directory Server dialog box, select This Domain Controller Or AD LDS Instance and click <Type A Directory Server Name[:Port] Here>. Type SERVER03:50004 and press Enter. Click OK.
- In the warning dialog box, click Yes to change servers.
- Expand the Active Directory Sites And Services tree completely. You can do so by pressing the asterisk key (*) on your numeric keypad several times. This displays the replication structure for this instance.
  Next you create a new site and move one of the instance objects into this site.
- Right-click Sites in the tree pane and click New Site.
- Name the site Replication01, select the DEFAULTIPSITELINK object and click OK.
  Your new site link is created, and Active Directory Sites And Services outlines the next steps you must perform. (See Figure 2.)
- Click OK to close the dialog box.
  In this case, you do not perform all activities. You only move SERVER04 to the new site.
- Expand Replication01.
- Click SERVER04$ADLDSInstance, located under Default-First-Site-Name, and drag it to the Servers container under Replication01.
- In the Moving Objects warning box, click Yes to move the object. The object now appears under the Replication01 site.
This exercise shows you how to work with instances and
control replication. In the real world, you must perform all the
tasks listed in Figure 2 to create
proper replication partnerships.