Wednesday, March 16, 2011

What is the need of AD-LDS?

We have a well-supported application in Windows, named Active Directory, that stores all the users and resources of an organization. It stores hierarchical data and provides auxiliary services, and it is helpful for directory-enabled applications. Then the question arises: what is the need of AD-LDS [Active Directory Lightweight Directory Services]? Take the scenarios below:

  • There are requirements where we have to add extra properties to the user, fill them with specific values and use them in our applications.
  • There could be a requirement where we need some user properties which are specific to one application.

So, for the above reasons, we have to modify the Active Directory user schema and add all the required properties. We have one AD, and by adding all properties to it they can be used by N number of applications. But administrators cannot change the schema directly; they need help from developers to extend the AD schema for the user object. The entire process we have discussed is not secure and gives problems in maintenance. So, to solve all these problems, AD-LDS comes into the picture, and it is very easy to create and maintain.


  • For changing the schema there is no need of a developer; administrators can change the schema directly from the UI.
  • If you have n number of applications which use different schemas than the default one, you can create any number of instances of AD-LDS on your server and use them in your applications. Indirectly, it can be used application-specifically.
  • If you want to give access only to a group, or based on a query, you can easily configure that in your application.
  • Many more. You will know them soon after reading this paper completely.

AD-LDS works over LDAP, and each instance of AD-LDS has its own name and port number.
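The per-application instance described above, as an added example that is not from the original post: a PowerShell script that installs one AD LDS instance on its own ports and then extends only that instance's schema, leaving the organization's AD DS schema untouched. The instance name, ports, paths, partition DN, attribute name and OID are assumed placeholder values.

```powershell
# Added example (not from the original post). Instance name, ports, paths,
# partition DN and the attribute definition are assumed values for illustration.
$InstanceName = 'AppDirectory'                   # assumed
$LdapPort     = 50000                            # assumed; AD DS keeps 389/636
$LdapsPort    = 50001                            # assumed; use this port for binds that carry credentials
$Partition    = 'CN=AppDir,DC=example,DC=com'    # assumed application partition
$WorkDir      = 'C:\ADLDS-setup'                 # assumed
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Unattended-install answer file for adaminstall.exe ([ADAMInstall] section).
@"
[ADAMInstall]
InstallType=Unique
InstanceName=$InstanceName
LocalLDAPPortToListenOn=$LdapPort
LocalSSLPortToListenOn=$LdapsPort
NewApplicationPartitionToCreate="$Partition"
DataFilesPath=C:\Program Files\Microsoft ADAM\$InstanceName\data
LogFilesPath=C:\Program Files\Microsoft ADAM\$InstanceName\data
ImportLDIFFiles="MS-User.LDF"
"@ | Set-Content -Path "$WorkDir\answer.txt" -Encoding ASCII

& "$env:windir\ADAM\adaminstall.exe" /answer:"$WorkDir\answer.txt"

# Application-specific user attribute, added to this instance's schema only.
# The attributeID must come from an OID arc you own; 1.2.3.4.5.6.7.8 is a placeholder.
@"
dn: CN=app-CostCentre,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
lDAPDisplayName: app-CostCentre
attributeID: 1.2.3.4.5.6.7.8
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE

dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: mayContain
mayContain: app-CostCentre
-
"@ | Set-Content -Path "$WorkDir\app-schema.ldf" -Encoding ASCII

# ldifde targets this instance's port; -c rewrites the DC=X placeholder to the
# instance's real schema naming context, so the org's AD DS schema is never touched.
ldifde -i -f "$WorkDir\app-schema.ldf" -s "localhost:$LdapPort" -c "CN=Schema,CN=Configuration,DC=X" "#schemaNamingContext"
```

Each further application gets its own answer file, instance name and port pair, so its schema changes and access configuration stay confined to that instance.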

From Microsoft:

Active Directory Lightweight Directory Service (AD LDS), formerly known as Active Directory Application Mode, can be used to provide directory services for directory-enabled applications. Instead of using your organization’s AD DS database to store the directory-enabled application data, AD LDS can be used to store the data. AD LDS can be used in conjunction with AD DS so that you can have a central location for security accounts (AD DS) and another location to support the application configuration and directory data (AD LDS). Using AD LDS, you can reduce the overhead associated with Active Directory replication, you do not have to extend the Active Directory schema to support the application, and you can partition the directory structure so that the AD LDS service is only deployed to the servers that need to support the directory-enabled application.
