Active Directory Application Mode (ADAM) was released in November 2003 on the Microsoft website. With the release of Windows Server 2008, along with several other technologies, Microsoft renamed ADAM. The new name for ADAM is Active Directory Lightweight Directory Service (AD LDS). AD LDS is a lightweight LDAP platform that allows developers and administrators to work with AD objects such as users, groups, and organizational units, without worrying about the overhead of running a full-blown copy of the Active Directory Domain Services. AD LDS can run on Windows Server 2012 and Windows 8 computers, and you can run multiple instances of AD LDS on a single machine. Because AD LDS runs as a standalone service, you can start, stop, install, or remove AD LDS instances without affecting or interfering with any underlying AD infrastructure. AD LDS can leverage domain authentication, local machine users, and groups, or it can authenticate users based on security principals that you’ve created within AD LDS itself. (It’s important to note that these are separate from Active Directory security principals, which cannot be created within an AD LDS instance.)
AD LDS includes the following features:
- Server Core support
AD LDS can be installed on computers that are running Server Core, the reduced-footprint installation option that was introduced with Windows Server 2008.
- Auditing for AD LDS changes
The Directory Services Changes audit policy subcategory allows you to view old and new values when changes are made to AD LDS objects.
- Database Mounting Tool (Dsamain.exe)
Similar to Active Directory Domain Services, you can use dsamain to mount snapshots of AD LDS partitions to view and compare information from previous points in time.
- Support for Active Directory Sites and Services
You can now use the AD Sites and Services MMC to manage replication between AD LDS instances.
To install AD LDS on a Windows Server 2012 server, do the following:
Launch Server Manager.
Click Manage and then click Add Roles and Features.
Click Next three times.
Place a checkmark next to Active Directory Lightweight Directory Services.
Click Add Features and then click Next three times.
Click Install.
At its most basic level, an AD LDS installation will simply copy the necessary program files and DLLs to the machine in question without creating an AD LDS instance or performing any other configuration steps. This can be useful if you want to include AD LDS as part of a base image that you deploy to your application developers, while allowing them to create their own instances and configuration sets as they see fit.
Note
If the installation process encounters any errors, these will be logged in the %windir%Debugadamsetup.log file.
From Administrative Tools, launch the Active Directory Lightweight Directory Services Setup Wizard and then click Next.
Select the radio button next to “A unique instance” and click Next.
Enter the name of the instance and click Next.
Enter the LDAP and SSL port numbers that will be used to access this instance; these default to
50000and50001on a domain controller or any computer that is already listening on the default LDAP port. Otherwise, the LDAP and SSL ports that AD LDS chooses during the installation will be389and636.Note
If you’ve already installed an AD LDS instance on ports 50000 and 50001, the AD LDS installer will choose the next two ports available; the second AD LDS instance would choose ports 50002 and 50003, then 50004 and 50005, and so on.
Click Next to continue.
Specify whether you want to create an Application Directory partition for this instance. You can use any partition name that isn’t already being used, such as
cn=IntranetApplication,dc=adatum,dc=com. Click Next to continue.Specify the directory that will house the instance data as well as its data recovery files. These will both default to c:Program FilesMicrosoft ADAM<instance name>data. Click Next.
On the Service Account Selection screen, configure the account under whose security context this instance will run. By default,
Network Service Accountis selected, or you can click the radio button next to “This account” and specify a different account.On the AD LDS administrator’s screen, specify the user or group account that will have administrative rights to this AD LDS instance. This defaults to the currently logged-on user, or you can click the radio button next to “This account” and specify a different user or group. Click Next.
Specify whether you want to import additional LDIF files into this instance. See Extending the AD LDS Schema for more information.
Click Next twice and then click Finish to create the new instance.
Create an answer file similar to the one listed here. Save it as adlds_install.txt:
[ADAMInstall] Install a unique AD LDS instance InstallType=Unique Specify the name of the new instance InstanceName=IntranetApplication Specify the ports to be used by LDAP. LocalLDAPPortToListenOn=50000 LocalSSLPortToListenOn=50001 Create a new application partition NewApplicationPartitionToCreate="cn=IntranetApplication,dc=adatum,dc=com" The following line specifies the directory to use for ADAM data files. DataFilesPath=C:Program FilesMicrosoft ADAMIntranetApplicationdata The following line specifies the directory to use for ADAM log files. LogFilesPath=C:ADAM Log FilesIntranetApplicationlogs The following line specifies the .ldf files to import into the ADAM schema. ImportLDIFFiles="ms-inetorgperson.ldf" "ms-user.ldf"
Then enter the following command at the Run line or from the Windows command prompt:
> adaminstall.exe /answer:<driveletter>:<pathname><answerfile.txt>
Note
The default location of adaminstall.exe is <driveletter>:WindowsADAM. You must run this command from this location in the command prompt.
An AD LDS instance refers to a single installation of AD LDS on a particular server or workstation. A single Windows computer can host multiple instances of AD LDS simultaneously; they are all independently managed and use different LDAP and LDAPS ports to communicate. Just as you can have multiple web servers operating on the same computer, with one using TCP port 80 and one using TCP port 8081, you can also have multiple AD LDS instances running simultaneously on different ports.
When you create an AD LDS instance, you also have the option to create an application directory partition to associate with the instance. An AD LDS instance can have zero, one, or multiple application partitions associated with it that will be used to store application data such as security principals as well as user and group information.
Extending the AD LDS Schema; MSDN: Binding to an Instance [ADAM]; “Create a New AD LDS Instance”; Active Directory, Fifth Edition, by Brian Desmond et al. (O’Reilly)
From Administrative Tools, launch the Active Directory Lightweight Directory Services Setup and then click Next.
Select the radio button next to “A replica of an existing instance” and click Next.
Enter the name of the instance that you want to create and click Next.
Enter the LDAP and SSL port numbers that will be used to access this instance; these default to 50000 and 50001 on a domain controller or any computer that is already listening on the default LDAP port. Otherwise, the LDAP and SSL ports that AD LDS chooses during the installation will be 389 and 636.
Note
If you’ve already installed an ADAM instance on ports 50000 and 50001, the ADAM installer will choose the next two ports available; the second ADAM instance would choose ports 50002 and 50003, then 50004 and 50005, and so on.
On the Join a Configuration Set screen, enter the name of a server hosting an existing replica of this instance, and the port number used to connect to it. Click Next to continue.
On the Administrative Credentials for the Configuration Set screen, specify a user or group account that has administrative rights to this AD LDS instance. This defaults to the currently logged-on user, or you can click the radio button next to “This account” and specify a different user or group. Click Next.
On the Copy Application Partitions screen, select the application directory partitions that you would like to replicate to the local server. Use the Add, Remove, Select All, and Remove All buttons to select the appropriate partitions. Click Next to continue.
Specify the directory that will house the instance data as well as its data recovery files. These will both default to c:Program FilesMicrosoft ADAM<instance name>data. Click Next.
On the Service Account Selection screen, configure the account under whose security context this instance will run. By default,
Network Service Accountis selected, or you can click the radio button next to “This account” and specify a different account.On the AD LDS Administrators screen, specify the user or group account that will have administrative rights to this instance. This defaults to the currently logged-on user, or you can click the radio button next to “This account” and specify a different user or group. Click Next.
Click Next and then Finish to create the new AD LDS replica.
Create an answer file similar to the one listed here. Save it as new_replica_install.txt.
[ADAMInstall] [ADAMInstall] Install a replica of an existing AD LDS instance. InstallType=Replica Specify the name of the new replica. InstanceName=IntranetApplication Specify the ports used for LDAP and SSL. LocalLDAPPortToListenOn=50000 LocalSSLPortToListenOn=50001 The following line specifies the directory to use for ADAM data files. DataFilesPath=C:Program FilesMicrosoft ADAMIntranetApplicationdata The following line specifies the directory to use for ADAM log files. LogFilesPath=C:ADAM Log FilesIntranetApplicationlogs Specify the name of the a computer hosting an existing replica SourceServer=servername SourceLDAPPort=389
Then enter the following command at the Run line or from the Windows command prompt:
> adaminstall.exe /answer:<driveletter>:<pathname><answerfile.txt>
Note
The default location of adaminstall.exe is <driveletter>:WindowsADAM. You must run this command from this location in the command prompt.
Similar to Active Directory itself, AD LDS use multimaster replication that allows multiple computers to host, read, and make updates to one or more configuration sets. An AD LDS replica is a computer that is hosting one instance of a particular configuration set. Unlike Active Directory, you can host replica instances on computers that run any version of Windows since Windows XP (including client operating systems and server operating systems). You are not restricted to replicating data to all of your AD LDS servers unnecessarily; this can be quite useful in the case of data that is locally interesting but that doesn’t need to be replicated throughout your entire environment.
Creating a New AD LDS Instance for creating a new AD LDS instance; “Create a Replica AD LDS Instance”
When you install an AD LDS instance on a computer (regardless of
whether it is a new or replica instance), the instance will advertise
itself as a typical Windows service. The service name naming convention
is ADAM_<InstanceName>,
where <InstanceName> is the name you
specified when you installed the instance. The display name of the
service will be just the
<InstanceName>, where
<InstanceName> is the name you
specified when you installed the instance. If you need to modify the
display name of the service after you’ve installed the AD LDS instance,
you can use the built-in sc utility
as follows:
> sc \<servername>config<servicename>displayname = "<display name>"
Listing the AD LDS Instances Installed on a Computer for listing the AD LDS instances installed on a computer; “Start, Stop, or Restart an AD LDS Instance”
You want to change the LDAP or LDAP over SSL ports that are being used by a particular AD LDS instance.
If you need to change the LDAP and/or LDAP over SSL port that an instance is using to communicate, you must first stop the instance using one of the methods specified in Stopping and Starting an AD LDS Instance. Once the instance has stopped, use dsdbutil as shown in this recipe’s solution.
Stopping and Starting an AD LDS Instance for more on starting and stopping AD LDS instances; “Modify the Communication Ports Used by an AD LDS Instance”
As we discussed in Stopping and Starting an AD LDS Instance, a single computer
can host multiple AD LDS instances running on different ports, each of
which will advertise itself as a typical Windows service. These services
will have a service name naming convention of ADAM_<InstanceName>,
where <InstanceName> is the name that
you specified when you installed the instance. The name of the service
will remain the same even if you change the display name or description
of the service at a later time, which can make the
services.msc snap-in a less-than-desirable option
for stopping and starting AD LDS instances if you make a habit of
renaming them. By querying for service names that include the string
“ADAM” using something like '%ADAM_%'
in the WQL query, you can return the AD LDS instances that are installed
on a local or remote computer. The method discussed in this recipe will
not help you, however, if someone has modified the Registry key
containing the name of the AD LDS instance. Locating AD LDS services can
be a difficult task if someone in your organization is trying to hide
their AD LDS instance(s). One possible solution, if you are having
difficulty with this type of information gathering, would be to perform
a port scan on one or more target computers; once you’ve obtained a list
of listening ports, you can connect to each one in turn and look for an
LDAP response.
In Windows Server 2008 and later, the "ADAM_" prefix was dropped from the service
display name, which makes the dsbutil
option the most appropriate option for listing AD LDS instances on a
Windows Server 2008 instance.
Stopping and Starting an AD LDS Instance; MSDN: Querying with WQL [WMI]; MSDN: WQL Operators [WMI]; “List the AD LDS Instances Installed on a Computer”
To extend the AD LDS Schema from the command line, you’ll need to create an LDIF file containing the necessary schema extensions and then import it using the LDIFDE command, or use a tool like AdMod to perform the changes. AD LDS comes with a number of such LDIF files preinstalled that you can import during the AD LDS installation process. If you did not import these files during installation, you can do so after the fact using the following syntax:
> ldifde -i -f<driveletter>:<pathname><Name of LDIF (.ldf) file>-s<servername>:<portnumber>-k -j . -c "<Schema DN>" #schemaNamingContext
The schema that you receive when you install AD LDS contains a subset of the classes and attributes that exist in the Active Directory Schema. You have the same ability to extend the schema in AD LDS as you do in AD, which means that you can expand and modify the schema to be the same as the AD Schema, or to match any changes made by your third-party or home-grown applications. Because of this, AD LDS is a great place to test potential schema modifications that you want to make in Active Directory. Because the schema extension process works the same in both AD and AD LDS, and because you can easily install, uninstall, and reinstall AD LDS instances, you can use AD LDS to quickly test new extensions, tweaking the definitions until you get exactly what you want.
Every instance of AD LDS will have at least two partitions: the
Configuration partition and the Schema partition; you can create
additional application partitions during or after installation, as
described in Active
Directory, Fifth Edition, by Brian Desmond et al.
(O’Reilly). Similar to the Active Directory Schema NC, the AD LDS Schema
partition contains definitions of classes and attributes that can be
used to create objects within a particular AD LDS instance. An AD LDS
Schema is unique to an individual AD LDS instance or configuration set;
changes to the schema in one instance or configuration set will not
affect the schema in other, separate instances or configuration sets. AD
LDS comes with a number of preconfigured LDIF files that you can import
to create common object types such as user, contact, and inetOrgPerson objects. You can import these
LDIF files during the initial creation of an AD LDS instance as well as
after the instance has been created.
Creating a New AD LDS Instance; MSDN: Adding User Classes [ADAM]; MSDN: Adding Contact Classes [ADAM]; MSDN: Extending the Active Directory Application Mode Schema [ADAM];“Create an Application Directory Partition”; “Delete an Application Directory Partition”; Active Directory, Fifth Edition, by Brian Desmond et al. (O’Reilly)
To add an application partition, do the following:
From the run prompt, open ldp.exe.
Click Connection→Connect to connect to the desired instance.
Click Connection→Bind to provide credentials to bind to the instance.
Click on Browse→Add child.
For DN, enter a distinguished name for the application partition.
Under “Edit entry”, enter
ObjectClassin the Attribute box andcontainerin the Values box and then click Enter.Under “Edit entry”, enter
instanceTypefor the Attribute and5in the Values box, and then click Enter.Click Run.
To remove an application partition, do the following:
Open ADSI Edit. If necessary, create and bind to a connection of your AD LDS instance.
Browse to the
Partitionscontainer (cn=Partitions). Right-click on the application directory partition that you want to delete and then click Delete.Click Yes to confirm.
Use the following sequence of commands to create an AD LDS application partition:
> dsmgmt
> Partition Management
> create nc <ApplicationPartitionDN> container <ComputerName>:<PortNumber>
> quit
> quitUse the following command to delete an application partition:
> dsmgmt
> Partition Management
> delete nc <ApplicationPartitionDN>
> quit
> quitAn AD LDS installation creates up to three partitions by default: Configuration, Schema, and an application. The Configuration and Schema partitions get created automatically during the creation of a new AD LDS instance; you can create application partitions during the initial installation or after the instance has been created. If you’re installing a replica of an existing configuration set, the existing Schema and Configuration partitions are automatically replicated to the new instance. The Configuration partition stores information about AD LDS replication and partitions, while the Schema partition contains definitions for the types of objects that you can create within the instance. Note that these partitions correspond quite closely to the Configuration and Schema naming contexts within Active Directory.
When you create a new application directory partition, you need to specify a distinguished name for the partition; this name needs to be unique within your environment.
MSDN: Using Application Directory Partitions [ADAM]; MSDN: Creating an Application Directory Partition [ADAM]; MSDN: Deleting an Application Directory Partition [ADAM]; Chapter 20 of Active Directory, Fifth Edition, by Brian Desmond et al. (O’Reilly)
Open ADSI Edit. If necessary, create and bind to a connection of your instance.
Right-click on the instance and select New→Object.
Under “Select a class”, click on
organizationalUnitand click Next.For the value of the
ouattribute, typeADLDSUsersand click Next.Click Finish.
To delete an OU, right-click on the object in question and select Delete.
To create an ADAM OU from the command line, use the following syntax:
> admod -h<ComputerName>:<PortNumber>-b<OU DN>objectClass::organizationalUnit -add
To delete an OU, replace the –add switch with –del in the previous statement.
Note
A useful option in AdFind and AdMod for working with AD LDS is
the ability to create environment variables to specify long or
often-used switches. In this example, it would be quite useful to
define an environment variable of adam-h that has a value of
<ComputerName>:<PortNumber>
and then that portion of the command can be shortened to -e adam. See the AdFind usage screens for
more information. If you work with multiple instances, you can
specify multiple environment variables, such as adam1-h, adam2-h, and adam3-h, and then specify -e adam1, -e
adam2, or -e adam3 to
access the different instances. You can even specify adamx-u and adamx-up environment variables to specify
alternate credentials to connect to the various instances.
To create an organizational unit using Windows PowerShell, use the following syntax:
New-ADObject -Name"<OUName>"-Type OrganizationalUnit -Server"<ComputerName>:<PortNumber>"-Path "<ParentContainerDN>"
To remove an organizational unit using Windows PowerShell, use the following syntax:
Remove-ADObject"<ObjectDN>"-Server"<ComputerName>:<PortNumber>"-Confirm:$false
Creating OUs in AD LDS is identical to creating them within Active Directory. Just like in AD, AD LDS OUs are containers that can contain other objects such as users, groups, contacts, or other OUs. You can also delegate permissions to an OU, allowing a user or group to have rights to the OU itself and to objects within that OU.
Managing AD LDS Permissions for more on managing AD LDS permissions; Chapter 5 for more on managing Active Directory OUs; “Add an Organizational Unit to the Directory”
To create an AD LDS user with PowerShell, use the following syntax:
New-ADUser -Name "John Doe" -Server"<ComputerName>:<Port Number>"-Path"<Application/Parent DN>"-AccountPassword (ConvertTo-SecureString -AsPlainText "<PlainTextPassword>" -Force)
To remove an AD LDS user with PowerShell, use the following syntax:
Remove-ADUser"<User DN>"-Server"<ComputerName>:<Port Number>"-Confirm:$false
Creating users in AD LDS is quite similar to creating users in
Active Directory. The most significant difference is that AD LDS users
do not have the sAMAccountName
attribute. You could conceivably define such an attribute within AD LDS
and associate it with the user class,
but it will not have the same properties that it does in Active
Directory, particularly the AD constraint in which sAMAccountName uniqueness is enforced across a
domain. AD LDS also would not be able to use a manually created
attribute like that for user logons the way that sAMAccountName is used in AD.
Note
If you create an AD LDS user without creating a password for it, the object will be disabled until you enable it.
Changing the Password for an AD LDS User to configure the password for an AD LDS user; MSDN: Managing Users [ADAM]; MSDN: Set or Modify the Password of an ADAM User [ADAM]; “Add an AD LDS User to the Directory”
To create user objects within an AD LDS instance, you first need
to import the optional LDIF files that are provided with the AD LDS
installer into the AD LDS schema, including ms-User.ldf, ms-InetOrgPerson.ldf, and ms-UserProxy.ldf. The ms-user.ldf file allows you to create
Person, organizational-Person, and User objects. Any AD LDS user objects that you
create will adhere to whatever local or domain password and account
lockout policies are in place on the server that’s hosting the instance.
You can use the procedures listed here to change the password for an AD
LDS user, or to set a password for an AD LDS user that was created
without specifying an initial password.
You can also use ldifde to set or change an ADAM or AD LDS user’s password, but it requires a 128-bit SSL connection with a certificate installed on the computer that’s running the instance.
You can also perform this using the -kerbenc switch in admod, as follows:
> admod -h . -b cn=jsmith,o=test userpassword::mypasswordQ1 -kerbenc
MSDN: Setting User Passwords [ADAM]; “Modify the Password of an AD LDS User”
Open ADSI Edit. If necessary, create and bind to a connection of your AD LDS instance.
Navigate to the user in question, right-click, and select Properties.
Scroll to the
msDS-UserAccountDisabledattribute and click Edit.Click True and then click OK.
To reenable the AD LDS user account, modify the
msDS-UserAccountDisabledattribute to have a value ofFalse.
To disable an AD LDS user from the command line, enter the following syntax:
> admod -h<ComputerName>:<PortNumber>-b<User DN>msDS-UserAccountDisabled::TRUE
To enable or reenable a user account, change TRUE to FALSE in the previous command.
Warning
When configuring this attribute, TRUE and FALSE are case-sensitive and must be
specified using all uppercase letters.
To enable an AD LDS user account, use the following syntax:
Set-ADUser<User DN>-Replace @{"msDS-UserAccountDisabled"=$false} -Server"<ComputerName>:<Port Number>"
To disable an AD LDS user account, use the following syntax:
Set-ADUser<User DN>-Replace @{"msDS-UserAccountDisabled"=$true} -Server"<ComputerName>:<Port Number>"
AD LDS users can be enabled or disabled by modifying the msDS-UserAccountDisabled property. A new user
will be enabled by default when you first create it, unless the password
you’ve assigned for it doesn’t meet the requirements of the password
policy, which is in effect on the machine.
Changing the Password for an AD LDS User for more on setting the password of an AD LDS user; MSDN: ms-DS-User-Account-Disabled Attribute [AD Schema]; “Disable or Enable an AD LDS User”
Open ADSI Edit. If necessary, create and bind to a connection of your AD LDS instance.
Right-click on the instance and select New→Object.
Under “Select a class,” click on
groupand click Next.For the value of the
cnattribute, typeADLDSGroupand click Next.For the
sAMAccountNameattribute, enterADLDSGroupand then click Next.Click Finish.
To delete a
groupobject, right-click on the object in question and select Delete.
To create a group object
using Windows PowerShell, use the following syntax:
New-ADGroup -Name"<Name>"-GroupScope"<Scope>"-Path"<Parent DN>"-Server"<ComputerName>:<PortNumber>"
To remove a group object
using Windows PowerShell, use the following syntax:
Remove-ADGroup -Identity"<Object DN>"-Server"<ComputerName>:<PortNumber>"-Confirm:$false
Group objects in AD LDS are greatly simplified compared to their
Active Directory counterparts, since the notion of security and
distribution groups as two separate entities does not exist. In
addition, all AD LDS groups have the same scope: a group that has been
created within an application partition can only be used within that
partition, whereas a security principal that’s been created in the
Configuration NC can be used in all naming contexts in that instance.
This means that a group or user that was created in Instance1 cannot be used to assign permissions
on objects in Instance2 or be added
to a group in Instance2 (unless
Instance1 and Instance2 are members of the same
configuration set). Windows security principals can be assigned
permissions in any application partition. And just like AD LDS user
objects, AD LDS group objects do not
contain the sAMAccountName
attribute.
Note
When you first install an AD LDS instance, you have three
default groups that are installed in the cn=Roles container:
Administrators, Readers, and
Users.
MSDN: Enumerating Users and Groups [ADAM]; MSDN: Creating Groups [ADAM]; “Add an AD LDS Group to the Directory”; MSDN: Deleting Groups [MSDN]; Active Directory, Fifth Edition, by Brian Desmond et al. (O’Reilly)
Open ADSI Edit. Connect and bind to the instance you want to manage.
Navigate to the group in question, right-click, and select Properties.
Scroll to the member attribute and click Edit.
To add a Windows user to the group, click Add Windows Account and enter the name of the Windows account. To add an AD LDS user, click Add DN and then enter the DN of the user that you want to add. Repeat this to add additional users.
To remove members, click on the CN of the object you wish to remove and then click Remove. Repeat this to remove additional users from the group.
To add a Windows user to a group from the command line, enter the following syntax:
> admod -h<ComputerName>:<PortNumber>-b<GroupDN>member:+:<UserDN>
To add multiple users at one time, change + to ++
in the previous command and separate the User DNs with a
semicolon.
To remove a single user, change + to – in
the previous command.
To remove multiple users, change + to ––
in the previous command and separate the User DNs with a
semicolon.
To add users to AD LDS groups using PowerShell, use the following syntax:
Add-ADGroupMember -Identity"<GroupDN>"-Members"<UserDN>"-Server"<ComputerName>:<PortNumber>"-Partition"<PartitionDN>"
To remove users from AD LDS groups using PowerShell, use the following syntax:
Remove-ADGroupMember -Identity"<GroupDN>"-Members"<UserDN>"-Server"<ComputerName>:<PortNumber>"-Partition"<PartitionDN>"-Confirm:$false
AD LDS group objects can
contain both AD LDS users and Windows security principals, which allows
you to assign permissions to data stored in AD LDS instances using a
consistent method. In the case of groups that were created within a
specific application partition, they can only be assigned permissions
within that partition; groups that were created within the Configuration
partition can be assigned permissions to objects in any partition within
the instance.
MSDN: Adding a User to a Group [ADAM]; MSDN: Removing Members from Groups [ADAM]; “Add or Remove Members to or from an AD LDS Group”
Open ADSI Edit. If necessary, connect and bind to a connection of your AD LDS instance.
Navigate to the object in question, right-click, and select Properties. To view only the mandatory attributes for an object, click Filter and then remove the checkmark next to Optional. To view only the optional attributes for an object, place a checkmark next to Optional and remove the checkmark next to Mandatory.
Scroll through the object’s properties. To modify a particular property, select the property and select Edit.
To insert a value into a single-valued attribute, enter the value and click OK. To remove a value from a single-valued attribute, click Clear.
To insert one or more values into a multivalued attribute, enter each value and click Add. To remove one or more values from a multivalued attribute, select the value and click Remove.
To view the attributes of an object, enter the following:
> adfind -h<ComputerName>:<PortNumber>-b<ObjectDN>-s base
Note
To restrict the AdFind output to only a few attributes,
specify the name of each attribute you want to view after the
ObjectDN; to view multiple
attributes, separate each one with spaces in between. You can also
use the -excl switch to display
all but one or two attributes.
To insert a value into a single-valued attribute, enter the following syntax:
> admod -h<ComputerName>:<PortNumber>-b<ObjectDN><AttributeName>::<Value>
To insert multiple values into a multivalued attribute, change
<AttributeName>:: to "<AttributeName>:++:<Value>;<Value>" in the previous command.
To clear an attribute’s value (whether a single- or a multivalued attribute), enter the following:
> admod -h<ComputerName>:<PortNumber>-b<ObjectDN> <AttributeName>:-
To remove a single value from a multivalued attribute, change
- to -- in the previous command and then add the
value that you want to remove.
To view an AD LDS object’s properties using Windows PowerShell, use the following syntax:
Get-ADObject -Identity"<Object DN>"-Server"<ComputerName>:<Port Number>"-Properties *
To modify an AD LDS object’s properties using Windows PowerShell, use the following syntax:
Set-ADObject -Identity"<Object DN>"-Server"<ComputerName>:<Port Number>"-Add @{"<Attribute"="<Value>"}
Just like in Active Directory, each AD LDS instance possesses a schema that defines what types of objects you can create and what sorts of attributes those objects possess. One of the major advantages of working with AD LDS is that you can make changes to the schema of an AD LDS instance without affecting the AD schema, thus allowing for more flexible application development that doesn’t run the risk of making permanent or far-reaching changes to an entire Active Directory forest. Similar to AD, object classes can have both mandatory and optional attributes that you can view.
To import objects using the ldifde utility, you must first create an LDIF file with the objects to add, modify, or delete. Here is an example LDIF file that adds three users to an AD LDS application partition:
dn: cn=Joe Smith,cn=users,ou=AdamUsers,o=adatum,c=us changetype: add objectClass: user cn: Joe Smith name: Joe Smith dn: cn=Richard Mahler,cn=users,ou=AdamUsers,o=adatum,c=us changetype: add objectClass: user cn: Richard Mahler name: Richard Mahler dn: cn=Doug Martin,cn=users,ou= AdamUsers,o=adatum,c=us changetype: add objectClass: user cn: Doug Martin name: Doug Martin
Once you’ve created the LDIF file, you just need to run ldifde to import the new objects:
> ldifde -i -f c:import.ldf -s <servername>:<portnumber> -kNote
Be sure to use the most current version of ldifde available.
For more information on the LDIF format, check RFC 2849.
To import with ldifde, simply specify the
-i switch to turn on import mode
and -f
<filename> for the file. It can also
be beneficial to use the -v switch
to turn on verbose mode to get more information in case of errors. The
–j switch can be used to specify
the path of the logfile location.
Importing Objects Using an LDIF File for information on importing data using LDIF files; RFC 2849 (The LDAP Data Interchange Format [LDIF]—Technical Specification); “Import or Export Directory Objects Using Ldifde”
You want to create a replication schedule for an AD LDS application partition that is hosted on multiple computers within a single site.
Open Active Directory Sites and Services (dssite.msc). If necessary, connect and bind to a connection of your AD LDS instance.
Navigate to the
Sitescontainer and click the name of the site you need to modify.Right-click
cn=NTDS Site Settingsand then click Properties.Click Change Schedule. Select the block of time that should be available for replication. For every available block of time, you can configure the replication frequency to None, Once per Hour, Twice per Hour, or Four Times per Hour. Click OK when you’re finished.
Like Active Directory, AD LDS uses multimaster replication to copy
information between replicas of each member of a configuration set. By
default, all AD LDS instances that you create will be placed within a
single site, Default-First-Site-Name.
Similar to AD, AD LDS’s intra-site replication takes place through
update notifications, where replication partners
are notified as changes occur.
MSDN: Active Directory Application Mode Schema [ADAM]; MSDN: Using Application Directory Partitions [ADAM]; “Configure Replication Frequency Within a Site”
Open Active Directory Sites and Services (dssite.msc). If necessary, connect and bind to a connection of your AD LDS instance.
Navigate to the
Sitecontainer and then expand theServerscontainer. Expand the server name and click NTDS Settings.Right-click the connection and click Replicate Now. Click OK.
The repadmin command-line tool that comes
with both AD and AD LDS is primarily used to display and manage the
replication topology of multiple directory servers. But
repadmin can do much more, such as allowing you to
view object metadata, update Service Principal Names (SPNs), and display
information on trust relationships. You can see all of the basic options
that are available by typing repadmin
/? at a command prompt. Once you’ve familiarized yourself with
these switches, you can then start learning about the more advanced
features available by typing repadmin
/experthelp. repadmin is one of those
indispensable tools for an AD or AD LDS administrator; it’s well worth
the time to learn its ins and outs to help you monitor and troubleshoot
your network.
Open ADSI Edit. Connect and bind to the
Configurationcontainer of the AD LDS instance that you wish to manage.Double-click on
Configuration[<ComputerName>:<PortNumber>].Right-click on
cn=Configuration,cn=<GUID>and click Properties.Scroll to
msDS-ReplAuthenticationMode. Double-click on the attribute and enter one of the following values:
To ensure replication security, AD LDS will authenticate
replication partners within a configuration set before replication
begins. The method used for replication authentication will depend on
the value of the msDS-ReplAuthenticationMode attribute on the
configuration directory partition. After replication partners have
successfully authenticated, all replication traffic between the two
partners is encrypted. AD LDS uses Security Support Provider Interface
(SSPI) to establish the appropriate authentication security level
between replication partners, and replication authentication always
occurs over a secure channel.
Table 18-1 lists
the security levels for replication authentication in Windows Server
2008, Windows Server 2008 R2, and Windows Server 2012. The default
replication security level for a new, unique AD LDS instance is 1, unless a local workstation user account is
specified as the AD LDS service account, in which case the replication
security level is set to 0.
Table 18-1. Description of the msDS-ReplAuthenticationMode values
Value | Description |
|---|---|
| All AD LDS instances in the configuration set use an identical account name and password as the AD LDS service account. Using this replication authentication value, a configuration set can include computers that are joined to one or more workgroups and/or computers that are joined to one or more untrusted domains or forests. This is the default value if a local user account is specified as the AD LDS service account for the configuration set. |
| Kerberos authentication (using SPNs) is attempted first. If Kerberos fails, NTLM authentication is attempted. If NTLM fails, the AD LDS instances will not replicate. This is the default value for a configuration set, unless it is configured with a local account as the AD LDS service account. |
| Kerberos authentication, using service principal names (SPNs), is required. If Kerberos authentication fails, the AD LDS instances will not replicate. If this value is selected, the configuration set must be fully contained within an AD DS domain or within computers belonging to trusted domains or forests. |
MSDN: Active Directory Application Mode Schema [ADAM]; MSDN: Using Application Directory Partitions [ADAM]; “Modify the Replication Security Level of a Configuration Set”
Launch LDP.exe. Connect and bind to the object or container that you wish to modify.
Right-click on the object or container and select Advanced→Security Descriptor.
To display and edit auditing information in addition to the Discretionary Access Lists (DACLs) associated with the object, place a checkmark next to SACL. Click OK.
To delete an Access Control Entry (ACE), highlight the entry and click Delete.
To add an entry, click Add.
In the Trustee text box, enter the name of the
userorgroupobject that you wish to apply permissions to. In the ACE mask section, select whether you are creating Allow ACE or Deny ACE.In the Access mask section, place checkmarks next to the permissions that you are allowing or denying.
Click OK when you are finished.
To view the effective permissions on an AD LDS object, use the following syntax:
> dsacls \<servername>:<port><ObjectDN>
To grant permissions on an AD LDS object, use the following:
> dsacls "\<servername>:<port><ObjectDN>" /G<User or Group ReceivingPermissions>:<Permission Statement>
To deny permissions on an AD LDS object, use the following:
> dsacls "\<servername>:<port><ObjectDN>" /D<User or Group ReceivingPermissions>:<Permission Statement>
The LDP utility provides you the ability to modify both DACL and SACL entries at an extremely granular level. You also have the familiar dsacls utility that will allow you to delegate permissions from the command line. When delegating permissions, you must first determine whether you are delegating permission over an entire container and all objects contained therein, or whether you are only going to delegate control over specific child objects. (For example, you can delegate control over all AD LDS user objects within an OU.) Once you’ve made this determination, you’ll then designate the specific permissions that you’re delegating; you can delegate anything from full control of the entire object down to granting read permissions on a single attribute.
dsacls requires a specific syntax for the permission statement used to grant or deny permissions, formatted in this manner:
[PermissionBits];[{Object|Property}];[InheritedObjectType][PermissionBits] here refers
to any of the values listed in Table 18-2; you can specify
one or more together with no spaces between them.
Table 18-2. Description of the PermissionBits values
Value | Description |
|---|---|
| Generic read |
| Generic execute |
| Generic write |
| Generic all (FULL CONTROL) |
| Delete |
| Delete an object and all its child objects (DELETE TREE) |
| Read security information |
| Change security information |
| Change owner information |
| List child objects |
| Create child objects |
| Delete child objects |
| Write to self |
| Read property |
| Write property |
| Control access |
| List object access |
The [Object | Property]
option allows you to delegate permissions for an entire object, or for
only specific properties of that object. For example, you can delegate
the Write Property permission for all properties of an object, or only
one or two specific properties.
You want to enable auditing of directory access and modifications. Audit events are logged to the Security event log.
Open the Group Policy Object (GPO) that is linked to the computer(s) hosting the AD LDS instance that you wish to audit.
In the left pane, expand Windows Settings→Security Settings→Local Policies and click on Audit Policy.
In the right pane, double-click “Audit directory service access”.
Check the box beside Success and/or Failure.
Click OK.
Since Windows Server 2008, additional auditing functionality is
enabled, which allows auditing of Directory Services events, including
capturing "before" and "after" values on changes and deletions to
Active Directory objects. You can enable this functionality using the
auditpol.exe tool discussed earlier, using syntax
similar to the following:
auditpol /set /subcategory:"directory service changes"
Here is a sample event that was logged after the
Administrator account created a user object called JSmith in the Sales OU:
Log Name: Security
Source: Microsoft Windows security auditing
Date: 11/13/2012 3:50:58 AM
Event ID: 5137
Task Category: Directory Service Changes
Level: Information
Keywords: Audit Success
User: N/A
Computer: dc01.adatum.us
Description:
A user account was created.
Subject:
Security ID: ADATUMAdministrator
Account Name: Administrator
Account Domain: ADATUM
Logon ID: 0xb3405
Directory Service:
Name: ADAM_Partition1
Type: Active Directory Lightweight Directory Services
Object:
DN: cn=JSmith,cn=Container1,cn={61E04C68-5582-494D-9F0A-1E0B970Db2D3}
GUID: {7c427193-64f6-476f-9cf4-748d850f02f8}
Class: User
Operation:
Correlation ID: {dbae9153-eae6-49cd-b641-fbef24d19cee}
Application Correlation ID: -