Wednesday, March 16, 2011
Installing the Active Directory Lightweight Directory Services [AD-LDS]
AD-LDS is the replacement for ADAM (Active Directory Application Mode) from earlier Windows versions.
Windows Server 2008 or later servers:
If you are using Windows Server 2008 or a later version, this service is included in the Server Roles in Server Manager. To install it, follow the steps below.
1. Open Server Manager.
2. Click on Roles in the left navigation tree view.
3. The main panel lists all the roles installed, and on the right side you have the option to add or remove roles.
4. Click the Add Roles link.
5. From the list of roles, select “Active Directory Lightweight Directory Services”.
6. Click the “Next” button and then install.
7. It takes around a minute to complete the installation.
Note: It is good practice to restart your server afterwards, but it is not mandatory.
Windows 7 is not a server operating system and has no “Server Manager” option, so we have to download an add-in from Microsoft that installs the AD-LDS components.
· Download the installer from “AD-LDS for Windows 7”.
· Run the download and wait until the installation completes.
Configuring the AD-LDS
I am assuming you have successfully installed AD-LDS on the system you are using, either WS 2008/R2 or Windows 7. If so, you will find an option named “Active Directory Lightweight Directory Services Setup Wizard” under Control Panel -> Administrative Tools.
As discussed earlier, AD-LDS allows multiple instances on the same server, so you can create any number of AD-LDS instances. What actually gets created when you create an instance, which services it enables, and so on, are covered in later sections. The physical location of this setup wizard is “%SystemRoot%\ADAM\adaminstall.exe”. OK, now we have to create an instance of AD-LDS.
· Double-click on the “Active Directory Lightweight Directory Services Setup Wizard”.
· It brings up a wizard where we can create a new instance or create a copy (replica) of an existing instance.
· Choose the option “A unique instance”, as we are going to create a new AD-LDS instance, and click “Next”.
· Give a meaningful name in the “instance name” field and type a description. The name matters because it is reused in several other places, so keep choosing meaningful names everywhere.
· Click “Next”. On this screen we choose the port numbers. By default it takes 389 for LDAP and 636 for SSL; you can change them.
· Click “Next”, select the option “Yes, create an application directory partition” and enter the partition name. I have used “CN=Customers,DC=Northwind,DC=Extranet”.
· Click “Next”. On this screen we specify the locations where the files will be saved. I left the default path, but you can give any safe location other than “C:\”.
· Click “Next” and choose the service account you want to use, i.e. the account under which the AD-LDS instance should run. For testing purposes choose Network Service (N/S); otherwise use your domain service accounts.
· Click “Next” and select the AD-LDS administrators. If the account you are logged in with is an administrator, leave it as is; otherwise choose an account.
· Click “Next”, and here is the interesting part: which LDIF [LDAP Data Interchange Format] files you want to import into this AD-LDS instance. The physical location of all these LDF files is “%SystemRoot%\ADAM” [you can list the *.ldf files from a Command Prompt]. I selected four. It is not mandatory to select all of them, but MS-User.LDF is mandatory; the others add extra attributes to the user or related classes.
· Click “Next”. This screen, “Ready to install”, gives a complete summary of what we have selected.
· Click “Next” to install.
· Click “Finish”. The installation process is complete.
· If everything is configured correctly, you will see the service running under Administrative Tools -> Services.
· Go to Control Panel -> Programs and Features and you will see the AD-LDS instance installed.
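The same role installation and instance creation can be done without clicking through the wizard, because adaminstall.exe accepts an answer file. The script below is an added example, not part of the original post: it installs the ADLDS role on Windows Server 2008 R2 with the ServerManager module, writes an answer file with the values from the walkthrough, runs the unattended install and then checks that the instance service is up and answers on LDAP. The instance name “Customers”, the D:\ADLDS paths and the list of optional LDF files are assumptions; the partition DN, the ports and MS-User.LDF come from the post.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
Import-Module ServerManager
if (-not (Get-WindowsFeature ADLDS).Installed) {
    Add-WindowsFeature ADLDS | Out-Null          # same role the Server Manager steps add
}

$instanceName = "Customers"                                  # assumed instance name
$partitionDn  = "CN=Customers,DC=Northwind,DC=Extranet"      # partition from the post
$dataPath     = "D:\ADLDS\$instanceName\data"                # assumed; anything but C:\ as the post advises
$logPath      = "D:\ADLDS\$instanceName\logs"

# Answer file for adaminstall.exe /answer. Keys are the documented unattended-install keys.
# ServiceAccount/ServicePassword are omitted, which selects Network Service (the post's N/S choice).
# MS-User.LDF is mandatory; the other LDF files listed here are an assumption about "all 4".
$answer = @"
[ADAMInstall]
InstallType=Unique
InstanceName=$instanceName
LocalLDAPPortToListenOn=389
LocalSSLPortToListenOn=636
NewApplicationPartitionToCreate=$partitionDn
DataFilesPath=$dataPath
LogFilesPath=$logPath
Administrator=$env:USERDOMAIN\$env:USERNAME
ImportLDIFFiles="MS-User.LDF" "MS-InetOrgPerson.LDF" "MS-UserProxy.LDF" "MS-UserProxyFull.LDF"
"@

$answerFile = Join-Path $env:TEMP "adlds-$instanceName.txt"
Set-Content -Path $answerFile -Value $answer -Encoding ASCII
try {
    $setup = Join-Path $env:SystemRoot "ADAM\adaminstall.exe"   # the wizard's own executable
    $p = Start-Process -FilePath $setup -ArgumentList "/answer:`"$answerFile`"" -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "adaminstall.exe exited with code $($p.ExitCode)" }
} finally {
    Remove-Item $answerFile -Force    # the file would carry credentials if a service account were set
}

# Checks equivalent to the post's "Services" and "Programs and Features" steps:
# each instance runs as a service named ADAM_<instance name>, and RootDSE lists the new partition.
$svc = Get-Service -Name "ADAM_$instanceName"
"Service {0}: {1}" -f $svc.Name, $svc.Status
$rootDse = [ADSI]"LDAP://localhost:389/RootDSE"
"Naming contexts: " + ($rootDse.namingContexts -join "; ")
```

Port 636 only starts working once the instance has a server certificate it can use: with Network Service as the service account that is the local computer's personal certificate store. Until then the instance answers on 389 only, which matters for the password operations in the next section.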
Connect to the AD-LDS
OK, we have successfully created the instance and validated that everything works. Now we have to look at the created instance and work with it. For this we need a tool to connect to the instance and browse it. The familiar tool we use regularly is “ADSI Edit”. Go to Control Panel -> Administrative Tools and open ADSI Edit.
· Connect to the AD-LDS instance from Actions -> Connect to. Give the connection a name. As the connection point, we will check the schema first, so select Schema. Under the Computer setting, give your server name and click OK.
· Now you will see the complete schema of the available objects. Have a look at the schema for user etc.
· Next, we actually need to see data rather than the schema of the AD-LDS instance. For this we have to connect to the partition we created.
  · From Actions -> Connect To, give the connection a name and, as the Connection Point, choose “distinguished name” and enter the name we gave while creating the instance. Enter the server name and click OK.
  · By default there are only 4 objects. We have to create a container object named Users to hold all the users. Right-click on the surface and choose New -> Object from the menu.
  · Select “Container” from the list of options.
  · Enter “Users” in the value box.
  · Click Finish. Now you see the “Users” container.
  · Expand the “Users” container in the left navigation tree; you will see it is empty.
  · Create a user in the “Users” container by right-clicking on the surface and selecting New -> Object from the menu.
  · From the “create new object” window select “User”.
  · On the next screen, give the name of the user.
  · Click Finish. The user is created in the “Users” container.
  · Before using this user we have to set some properties:
    · Right-click on the user and select “Reset Password”.
    · After that, right-click on the user and select “Properties”.
    · From the list of properties available to the user, set the property “msDS-UserAccountDisabled” to false.
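The container, user, password reset and msDS-UserAccountDisabled steps above map directly onto System.DirectoryServices calls, which is how an application or provisioning script would do them. The script below is an added example, not code from the original post: it binds to the partition from the walkthrough, creates the Users container if it is missing, creates a user, enables it and sets its password. The server name SP2010-AD is the one the post uses at the end; the user “jdoe” and the password placeholder are constructed.

```powershell
# Added example (not from the original post). Runs as an AD-LDS administrator.
Add-Type -AssemblyName System.DirectoryServices

$server    = "SP2010-AD"                                   # server name from the post's closing example
$partition = "CN=Customers,DC=Northwind,DC=Extranet"       # partition from the post
$usersDn   = "CN=Users,$partition"

# Secure = Negotiate as the logged-on admin; SecureSocketsLayer = encrypt on 636.
# SSL is needed because AD LDS refuses to set a password over an unencrypted LDAP
# connection by default (the bind succeeds, SetPassword fails as "unwilling to perform").
$auth = [System.DirectoryServices.AuthenticationTypes]"Secure,SecureSocketsLayer"

function Get-AdldsEntry([string]$dn) {
    New-Object System.DirectoryServices.DirectoryEntry("LDAP://${server}:636/$dn", $null, $null, $auth)
}

# 1. The Users container (reuse it if the ADSI Edit steps already created it).
#    The existence probe uses 389 with default credentials because it is read-only.
$users = if ([System.DirectoryServices.DirectoryEntry]::Exists("LDAP://${server}:389/$usersDn")) {
    Get-AdldsEntry $usersDn
} else {
    $c = (Get-AdldsEntry $partition).psbase.Children.Add("CN=Users", "container")
    $c.psbase.CommitChanges()
    $c
}

# 2. The user object. Its class "user" comes from MS-User.LDF, the one mandatory import.
$user = $users.psbase.Children.Add("CN=jdoe", "user")      # constructed sample user
$user.psbase.CommitChanges()

# 3. Enable it: new AD LDS users are created disabled, hence the msDS-UserAccountDisabled step.
$user.psbase.Properties["msDS-UserAccountDisabled"].Value = $false
$user.psbase.CommitChanges()

# 4. "Reset Password". The instance enforces the local password policy, so a weak
#    value is rejected here the same way it is in ADSI Edit.
$user.psbase.Invoke("SetPassword", "<constructed-initial-password>")

# 5. Read back what was written.
$user.psbase.RefreshCache()
"{0} disabled={1}" -f $user.psbase.Properties["distinguishedName"].Value,
                      $user.psbase.Properties["msDS-UserAccountDisabled"].Value
```

The psbase prefix keeps the script working on PowerShell 2.0, where the ADSI type adapter hides the DirectoryEntry members behind the LDAP attributes. If you must set passwords over port 389 on a lab instance, that is a per-instance setting made with dsmgmt (allow password operations on an unsecured connection); leave it off anywhere the traffic crosses a network.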
Giving permissions to the service account:
This is something we always have to consider and never forget. Whatever the data source, whether a database, Active Directory, AD-LDS or anything else, the service account under which our application connects to that data source must be granted read access to it. So here too we should grant read permissions to the service account of the application that uses this AD-LDS instance. To grant the permissions:
· In the partition, expand Roles and then select Readers.
· In its properties, you will find a property named “member”.
· Click on “member” and select “Edit”.
· Add users from this window. If the user is a Windows account, select the option “Add Windows Account”, choose the user and save your changes.
OK. We have successfully installed and configured the AD-LDS instance and created users in it. Now we can use this AD-LDS instance in our applications to access user information or for authentication. It is very easy to manage, create or replicate instances in AD-LDS, just as with ADAM.
Note: The path we have to use in our applications to connect to a specific AD-LDS instance is LDAP://server-name/partition-name
In our example, if we assume the server name is SP2010-AD, then it will be
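The Readers role membership above and the LDAP://server-name/partition-name path from the note can be exercised together: add the application's account to Readers, then bind from the application's side with that account and try to read a user. The script below is an added example, not code from the original post. It assumes the application authenticates as an AD-LDS user “svc-portal” created under CN=Users as in the previous section; the server name SP2010-AD and the partition DN are from the post, the account name and password placeholder are constructed. It also escapes the caller-supplied name before placing it in the LDAP filter, which the post does not discuss.

```powershell
# Added example (not from the original post).
Add-Type -AssemblyName System.DirectoryServices

$server    = "SP2010-AD"                                   # from the post
$partition = "CN=Customers,DC=Northwind,DC=Extranet"       # from the post
$appUserDn = "CN=svc-portal,CN=Users,$partition"           # assumed application account (an AD LDS user)
$appPw     = "<constructed-password>"

# --- 1. Administrator side: the "member" attribute of CN=Readers,CN=Roles,<partition> ---
# For a Windows account the post's "Add Windows Account" dialog in ADSI Edit is the
# simpler route; this code covers an AD LDS user, which is added by its DN.
$readers = [ADSI]"LDAP://${server}:389/CN=Readers,CN=Roles,$partition"
if (-not ($readers.member -contains $appUserDn)) {
    $readers.psbase.Properties["member"].Add($appUserDn) | Out-Null
    $readers.psbase.CommitChanges()
}
"Readers members: " + ($readers.member -join "; ")

# --- 2. Application side: bind with the account over SSL and read one user ---
# SecureSocketsLayer alone means a simple bind (DN + password) over SSL on 636. An
# application running as a Windows service account that was added with "Add Windows
# Account" would instead pass $null credentials with AuthenticationTypes "Secure".
$appPath = "LDAP://${server}:636/$partition"                # the post's LDAP://server-name/partition-name form
$ssl     = [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer
$root    = New-Object System.DirectoryServices.DirectoryEntry($appPath, $appUserDn, $appPw, $ssl)

function ConvertTo-LdapFilterValue([string]$s) {
    # RFC 4515 escaping so a caller-supplied name cannot change the filter's structure
    $s = $s.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    return $s.Replace([string][char]0, '\00')
}

function Test-AdldsReadAccess {
    param([System.DirectoryServices.DirectoryEntry]$SearchRoot, [string]$Cn)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($SearchRoot)
    $searcher.Filter = "(&(objectClass=user)(cn=" + (ConvertTo-LdapFilterValue $Cn) + "))"
    $searcher.PropertiesToLoad.Add("distinguishedName") | Out-Null
    $searcher.PropertiesToLoad.Add("msDS-UserAccountDisabled") | Out-Null
    try {
        $r = $searcher.FindOne()
        if ($r -eq $null) { return "bound ok, but no readable user named $Cn" }
        return "read ok: " + $r.Properties["distinguishedname"][0]
    } catch [System.Runtime.InteropServices.COMException] {
        # 0x8007052E here means the DN or password was wrong (logon failure)
        return "bind or search failed: " + $_.Exception.Message
    }
}

Test-AdldsReadAccess -SearchRoot $root -Cn "jdoe"
```

If the bind succeeds but FindOne returns nothing for a user you know exists, the account is not yet in Readers (or the change has not replicated to the server you bound to); a logon-failure exception instead points at the account being disabled, which is the msDS-UserAccountDisabled step, or at a wrong DN or password.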