Active Directory Lightweight Directory Services


Another feature of Active Directory in Windows Server 2008 is the new built-in Active Directory Lightweight Directory Services (AD LDS) server role. Well, actually it’s not new, because this is essentially the same Active Directory Application Mode (ADAM) feature that was available as an out-of-band download for Windows Server 2003 and Windows XP. What’s new is mainly that this directory service is now available as an in-box role that can be added to your Windows Server 2008 server using the Server Manager tool described in Chapter 4, “Managing Windows Server 2008,” instead of needing to be downloaded from the Microsoft Download Center as in previous versions of Windows.

So AD LDS is basically just ADAM, but what’s ADAM? ADAM (we’ll call it by its new name now, AD LDS) is a stripped-down version of AD DS. It supports many of the same features (multimaster replication, application directory partitions, LDAP over SSL access, the ADSI API) but doesn’t store Windows security principals such as domain user and computer accounts, and it has no domains, global catalogs, or Group Policy. It can hold its own user objects (the user classes come from the optional LDIF imports during setup), but those are AD LDS security principals only: they can bind to the instance, not log on to Windows. In other words, AD LDS gives you the benefits of having a directory but none of the features for managing resources on a network. Instead, AD LDS is designed to support applications that need a directory for storing their configuration and data instead of storing these in a database, flat file, or other form of repository. Examples of directory-enabled LOB apps that could use AD LDS include CRM and HR applications or global address book apps. Because such apps often require schema changes in order to work with AD DS, a big advantage of AD LDS is that you can avoid making those changes to your AD DS schema: a mistake when you modify the AD DS schema can be costly (think flatten and rebuild everything from scratch), whereas a mistake in an AD LDS schema only costs you that one instance. AD LDS is also particularly useful if your directory-enabled LOB apps will be made available to customers or partners over an extranet or VPN connection, because using AD LDS instead of AD DS in that scenario means you don’t have to risk exposing your domain directory to nondomain users and computers. Keep in mind that an instance exposed that way is still an LDAP server those users can reach, so publish only its SSL port and set the instance’s own permissions as carefully as you would for AD DS.

Once you’ve added the AD LDS role in Server Manager, to use this feature you create an AD LDS instance. An AD LDS instance is an application directory that is independent of your domain-based AD DS and can run on either a member server or a domain controller if desired. (There’s no conflict when running AD DS and AD LDS on the same machine as long as each directory uses its own LDAP and LDAP/SSL ports; on a domain controller AD DS already owns 389 and 636, so the instance must listen elsewhere. You can even run multiple AD LDS instances on a single machine, for example one instance for each LOB app on the machine, as long as each instance has a unique name and a unique pair of ports.)

Let’s quickly walk through creating a new AD LDS instance and show how you can manage it:

  1. After installing the AD LDS role on your server, select Active Directory Lightweight Directory Services Setup Wizard from Administrative Tools on your Start menu. This launches a wizard for creating a new instance of AD LDS on the machine.

  2. Select the A Unique Instance option, and click Next. Then specify a name for the new instance (using only letters, digits, and the dash in your name). The instance runs as a Windows service named ADAM_<instance name>.

  3. Click Next, and specify the LDAP and SSL ports for accessing your instance. The wizard proposes 389 and 636 if they are free; on a domain controller, where AD DS already uses them, it proposes 50000 and 50001 instead. Whatever you choose, the pair must not collide with any other AD LDS instance on the machine.

  4. Click Next, and either allow the application to create its own directory partition when you install the application or type a unique distinguished name (DN) for the new application partition you are going to create (for example, CN=CRM,DC=CONTOSO,DC=COM).

  5. Click Next, and in the following wizard pages specify the location where data and recovery files for the partition will be stored, the service account under whose context the AD LDS instance will be running (the default is Network Service; if you pick a domain account, use a dedicated low-privileged one rather than an administrative account), and the user or group who will have administrative privileges for managing your instance. After completing these steps, you’ll be asked to select from a list of default LDIF files (for example, MS-User.LDF, MS-InetOrgPerson.LDF, MS-UserProxy.LDF, and MS-AZMan.LDF from %windir%\ADAM) that you can import to add specific classes and functionality to your instance.

  6. Click Next to confirm your selections, and then click Finish to run the wizard and create the instance.
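The same six wizard steps can be driven unattended, which is how you would build identical instances on several servers. The following PowerShell script is an added example, not code from the book; it writes an answer file for %windir%\ADAM\adaminstall.exe (the engine behind the wizard), using the answer-file keys documented for that tool. The instance name CRM, ports 50000/50001, the partition CN=CRM,DC=CONTOSO,DC=COM, the service account CONTOSO\svc-adlds, the admin group CONTOSO\ADLDS-Admins, and the data path are all assumptions for illustration.

```powershell
# Added example (not from the book): unattended creation of an AD LDS instance
# via adaminstall.exe, with the checks the wizard makes you do by hand.
# Assumed values: instance CRM, ports 50000/50001, partition CN=CRM,DC=CONTOSO,DC=COM,
# a dedicated low-privileged service account, and a domain group as instance admin.

$InstanceName = 'CRM'
$LdapPort     = 50000
$SslPort      = 50001
$PartitionDn  = 'CN=CRM,DC=CONTOSO,DC=COM'
$DataPath     = "C:\Program Files\Microsoft ADAM\$InstanceName\data"
$ServiceAcct  = 'CONTOSO\svc-adlds'      # assumed: not a Domain Admin, not the DC's own identity
$AdminGroup   = 'CONTOSO\ADLDS-Admins'   # assumed group that administers this instance

# Instance names may contain only letters, digits and the dash (same rule as the wizard).
if ($InstanceName -notmatch '^[A-Za-z0-9-]+$') {
    throw "Instance name '$InstanceName' contains characters other than A-Z, 0-9 and '-'."
}

# Refuse to install on a port that already has a listener: AD DS on a DC owns 389/636,
# and every other AD LDS instance on the box owns its own pair.
$listening = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpListeners() |
    ForEach-Object { $_.Port }
foreach ($p in @($LdapPort, $SslPort)) {
    if ($listening -contains $p) { throw "TCP port $p is already in use on this host." }
}

# Prompt for the service account password instead of hard-coding it in the script.
$secure = Read-Host -Prompt "Password for $ServiceAcct" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Answer file: one key per wizard page (type, name, ports, partition, paths, account, admins, LDIFs).
$answer = @"
[ADAMInstall]
InstallType=Unique
InstanceName=$InstanceName
LocalLDAPPortToListenOn=$LdapPort
LocalSSLPortToListenOn=$SslPort
NewApplicationPartitionToCreate=$PartitionDn
DataFilesPath=$DataPath
LogFilesPath=$DataPath
ServiceAccount=$ServiceAcct
ServicePassword=$plain
AddPermissionsToServiceAccount=Yes
Administrator=$AdminGroup
ImportLDIFFiles="MS-InetOrgPerson.LDF" "MS-User.LDF"
"@

# The answer file holds the password in clear text, so restrict its ACL to the current
# user while it exists and delete it as soon as adaminstall.exe returns.
$answerPath = Join-Path $env:TEMP "adlds-$InstanceName.txt"
Set-Content -Path $answerPath -Value $answer
$acl = Get-Acl $answerPath
$acl.SetAccessRuleProtection($true, $false)      # drop inherited ACEs
$me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')))
Set-Acl -Path $answerPath -AclObject $acl

try {
    & "$env:windir\ADAM\adaminstall.exe" /answer:$answerPath
    if ($LASTEXITCODE -ne 0) { throw "adaminstall.exe failed with exit code $LASTEXITCODE" }
    # Each instance is a Windows service named ADAM_<instance name>; confirm it is running.
    Get-Service -Name "ADAM_$InstanceName"
}
finally {
    Remove-Item -Path $answerPath -Force -ErrorAction SilentlyContinue
    $plain = $null
}
```

Run it from an elevated PowerShell session on the target server. The port check uses .NET rather than a networking cmdlet so it works on Windows Server 2008’s PowerShell; the ACL and cleanup around the answer file are there because the file is the one place the service account password exists in clear text.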

Once you’ve created your new AD LDS instance, you can manage it using ADSI Edit, an MMC snap-in available from Active Directory Lightweight Directory Services under Administrative Tools. To do this, open ADSI Edit, right-click the root node, and select Connect To. When the Connection Settings dialog opens, specify the DN of the connection point for your instance (CN=CRM,DC=CONTOSO,DC=COM in our example) and click the Advanced button to specify the LDAP port (50000 in our example) for connecting to the instance. On a domain controller, leaving the port at the default 389 connects you to AD DS rather than to your instance.

Clicking OK then opens your AD LDS instance in ADSI Edit. You can then navigate the directory tree and view, create, or modify objects and their attributes in your application directory partition as needed to support the functionality of your directory-enabled LOB app.

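A LOB app will do the same work through the ADSI API the chapter mentions rather than through ADSI Edit. The following PowerShell script is an added example, not code from the book: it verifies it has reached the instance (not AD DS), creates an OU and a user in the CRM partition, sets the user’s password over the SSL port, and proves the account works with a simple bind over LDAP/SSL. It assumes the instance described above (LDAP 50000, SSL 50001, partition CN=CRM,DC=CONTOSO,DC=COM), that MS-User.LDF was imported so the user class exists, that a server certificate is installed for the instance so the SSL port answers, and that the script runs as an instance administrator; the OU, user, and attribute values are made up.

```powershell
# Added example (not from the book): the ADSI Edit steps done with the ADSI API,
# followed by a simple bind over LDAP/SSL to prove the new object is usable.
# Assumptions: instance on 50000/50001, partition CN=CRM,DC=CONTOSO,DC=COM,
# MS-User.LDF imported, an SSL certificate installed for the instance, and the
# current Windows user is an instance administrator. OU and user are made up.

$Server    = 'localhost'
$LdapPort  = 50000
$SslPort   = 50001
$Partition = 'CN=CRM,DC=CONTOSO,DC=COM'

# 1. Make sure the port belongs to the AD LDS instance and not to AD DS on 389:
#    the application partition must appear among the root DSE naming contexts.
$rootDse  = [ADSI]"LDAP://${Server}:${LdapPort}/RootDSE"
$contexts = @($rootDse.Properties['namingContexts'].Value)
if ($contexts -notcontains $Partition) {
    throw "Port $LdapPort does not serve $Partition (naming contexts: $($contexts -join ', '))"
}

# 2. Create an OU and a user, the equivalent of right-click > New > Object in ADSI Edit.
#    The [ADSI] accelerator binds with the current Windows identity (SSPI).
$root = [ADSI]"LDAP://${Server}:${LdapPort}/$Partition"
$ou   = $root.Create('organizationalUnit', 'OU=CrmUsers')
$ou.SetInfo()

$user = $ou.Create('user', 'CN=jdoe')
$user.Put('displayName', 'Jane Doe')
$user.Put('mail', 'jdoe@contoso.com')
$user.SetInfo()
$userDn = "CN=jdoe,OU=CrmUsers,$Partition"

# 3. Set the password over SSL only (AD LDS rejects password operations on a
#    cleartext connection), then enable the account: new AD LDS users are created
#    with msDS-UserAccountDisabled=TRUE.
$secure = Read-Host -Prompt "Initial password for $userDn" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

$authType = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
            [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer
$secureEntry = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://${Server}:${SslPort}/$userDn", $null, $null, $authType)
$secureEntry.Invoke('SetPassword', $plain)
$secureEntry.Properties['msDS-UserAccountDisabled'].Value = $false
$secureEntry.CommitChanges()

# 4. Bind the way an extranet LOB app would: simple bind with the user's DN over LDAP/SSL.
#    Simple binds carry the password in the clear, which is why the SSL port is mandatory.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $SslPort)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Credential = New-Object System.Net.NetworkCredential($userDn, $plain)
$conn.Bind()     # throws LdapException if the bind is refused
"Simple bind as $userDn over LDAP/SSL succeeded"
$conn.Dispose()
$plain = $null
```

The naming-context check at the top is the programmatic version of the port caveat above: an app pointed at 389 on a domain controller will happily talk to AD DS and never notice it is in the wrong directory. The two-step enable (password first, then msDS-UserAccountDisabled) matches how AD LDS treats its own security principals, which exist only inside the instance and cannot log on to Windows.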




Microsoft Windows Server Team - Introducing Windows Server 2008
Introducing Windows Server 2008
ISBN: 0735624216
Year: 2007
Pages: 138
