Step 3: Practice Using AD LDS Administration Tools

Applies To: Windows Server 2008

Active Directory Lightweight Directory Services (AD LDS) in Windows Server 2008 contains several administration tools for general administration tasks. These tasks include the following:

  • Start, stop, and restart an AD LDS instance

  • Use the ADSI Edit administration tool

  • Use the Ldp.exe administration tool

  • Use the Schema snap-in as an AD LDS administration tool

  • Use the Active Directory Sites and Services snap-in as an AD LDS administration tool

  • Create an LDIF file with ADSchemaAnalyzer

  • Synchronize with AD DS

Start, stop, and restart an AD LDS instance

An AD LDS instance runs as a service. Therefore, you can start, stop, and restart an AD LDS instance using the same methods as you use for other services running on Windows Server 2008.

Membership in Administrators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To start, stop, or restart an AD LDS instance using the Windows interface

  1. Click Start, and then click Server Manager.

  2. In the console tree, double-click Roles, and then click Active Directory Lightweight Directory Services.

  3. In the details pane, in the System Services list, click the AD LDS instance that you want to manage.

  4. Click Start, Stop, or Restart.

Note

By default, an AD LDS instance is configured to start automatically.
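The same start, stop, and restart actions from a PowerShell prompt, followed by a check that the instance actually answers LDAP again. This is an added example, not part of the original article; it assumes that each instance runs as a Windows service named ADAM_<instance name> (the instance name instance1 below is hypothetical) and that the instance listens on localhost:389 as in this exercise.

```powershell
# Added example, not from the original article: restart one AD LDS instance from PowerShell and
# confirm that it answers LDAP again before anyone depends on it. Assumptions: each instance runs
# as a Windows service named ADAM_<instance name> (hypothetical instance "instance1" below), and
# the instance listens on localhost:389 as in this exercise. Run from an elevated PowerShell prompt.
param(
    [string]$InstanceName = "instance1",     # assumed instance name; substitute your own
    [string]$LdapServer   = "localhost:389"  # host:port the instance listens on
)

$serviceName = "ADAM_$InstanceName"

# Show every AD LDS instance on this computer first, so the restart hits the one you intend.
Get-Service -Name "ADAM_*" | Format-Table -Property Name, DisplayName, Status -AutoSize

$svc = Get-Service -Name $serviceName -ErrorAction Stop
Write-Host "Restarting $serviceName (status before: $($svc.Status))"
Restart-Service -Name $serviceName -Force

# Block until the service control manager reports Running (or give up after 60 seconds).
$svc.WaitForStatus("Running", [TimeSpan]::FromSeconds(60))

# "Running" only means the process is up; bind to RootDSE (as the current user) to prove the
# directory is accepting LDAP connections on its port and serving its naming contexts.
try {
    $rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$LdapServer/RootDSE")
    $rootDse.RefreshCache()   # forces the bind; a refused or unanswered port lands in the catch block
    $contexts = @($rootDse.Properties["namingContexts"])
    Write-Host "$LdapServer answered; naming contexts held by this instance:"
    $contexts | ForEach-Object { Write-Host "  $_" }
}
catch {
    Write-Warning "$serviceName is Running but $LdapServer gave no LDAP answer: $($_.Exception.Message)"
}
```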

Use the ADSI Edit administration tool

ADSI Edit is a Microsoft Management Console (MMC) snap-in for general administration of AD LDS. It is installed as part of the AD LDS and Active Directory Domain Services (AD DS) server roles. To use ADSI Edit to administer an AD LDS instance, you must first connect and bind to the instance. You can administer containers and objects in the instance by browsing to the containers or objects and then right-clicking them.

Membership in Administrators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To manage an AD LDS instance using ADSI Edit

  1. Click Start, point to Administrative Tools, and then click ADSI Edit.

  2. In the console tree, click ADSI Edit.

  3. On the Action menu, click Connect to. The Connection Settings dialog box appears.

  4. In Name, you can type a label under which this connection will appear in the console tree of ADSI Edit. For this connection, type: AD LDS Demo

  5. Under Connection point, you can click Select or type a Distinguished Name or Naming Context, and then specify the distinguished name to which you want to connect, or you can click Select a well-known naming context, and then click Configuration, RootDSE, or Schema.

    For this exercise, click Select or type a Distinguished Name or Naming Context, type o=Microsoft,c=US, and then click OK.

  6. In Select or type a domain or server: (Server | Domain[:port]), type the Domain Name System (DNS) name, NetBIOS name, or IP address of the computer on which the AD LDS instance is running, followed by a colon (:) and the Lightweight Directory Access Protocol (LDAP) communication port that the AD LDS instance to which you want to connect is using.

    In this exercise, AD LDS is running on the local computer; therefore, you can type localhost:389.

  7. In the console tree of the ADSI Edit snap-in, double-click AD LDS Demo, and then double-click O=Microsoft,c=US. The ADSI Edit snap-in now shows the application directory partition.

  8. In the console tree, click any container to view the objects in that container.

  9. To close ADSI Edit, on the File menu, click Exit.

Use the Ldp.exe administration tool

Ldp.exe is a graphical user interface (GUI) tool for general administration of a Lightweight Directory Access Protocol (LDAP) directory service. To use Ldp.exe to administer an Active Directory Lightweight Directory Services (AD LDS) instance, you must connect and bind to the instance and then display the hierarchy (tree) of a distinguished name of the instance. You can then browse to an object in the tree and right-click the object to administer it.

Membership in Administrators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To manage an AD LDS instance using Ldp.exe

  1. Click Start, and then click Server Manager.

  2. In the console tree, double-click Roles, and then click Active Directory Lightweight Directory Services.

  3. In the details pane, under the Advanced Tools, click Ldp.exe.

  4. On the Connection menu, click Connect.

  5. In Server, type the DNS name, NetBIOS name, or IP address of the computer on which the AD LDS instance is running.

    In this exercise, the AD LDS instance is running on the local computer; therefore, type localhost as the server name.

  6. In Port, type the LDAP or Secure Sockets Layer (SSL) communication port number that the AD LDS instance to which you want to connect is using, and then click OK.

Note

The default communication port for LDAP is 389. The default communication port for SSL is 636.

  7. On the Connection menu, click Bind.

  8. Do one of the following:

    • To bind using the credentials that you logged on with, click Bind as currently logged on user.

    • To bind using a domain user account, click Bind with credentials; type the user name, password, and domain name (or the computer name, if you are using a local workstation account) of the account that you are using; and then click OK.

    • To bind using just a user name and password, click Simple bind, type the user name and password of the account that you are using, and then click OK.

    • To bind using an advanced method (NTLM, Distributed Password Authentication (DPA), negotiate, or digest), click Advanced (method), click Advanced, select the desired method in Method, set other options as needed, and then click OK.

    For this exercise, click Bind as currently logged on user.

  9. When you are finished specifying the bind options, click OK.

  10. On the View menu, click Tree.

  11. Expand the BaseDN drop-down list, and then click the distinguished name of the object to use as the base object in the navigation pane. For this exercise, click O=Microsoft,c=US, and then click OK.

  12. In the console tree, click any container to view the objects in that container.

  13. To close Ldp.exe, on the Connection menu, click Exit.

Use the Schema snap-in as an AD LDS administration tool

You can also use the Active Directory Schema snap-in to view and manage Active Directory Lightweight Directory Services (AD LDS) schema objects.

Note

If the Schema snap-in is already installed on your computer, skip steps 1 through 7 and begin the following procedure with step 8.

Membership in the Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To connect to an AD LDS instance with the Active Directory Schema snap-in

  1. Click Start, right-click Command Prompt, and then click Run as administrator.

  2. Type the following command, and then press ENTER:

    regsvr32 schmmgmt.dll
    
  3. Click Start, click Run, type mmc, and then click OK.

  4. On the File menu, click Add/Remove Snap-in.

  5. Under Available snap-ins, click Active Directory Schema, click Add, and then click OK.

  6. To save this console, on the File menu, click Save.

  7. In the Save As dialog box, do one of the following:

    • To place the snap-in on the Administrative Tools menu, in File name, type a name for the snap-in, and then click Save.

    • To save the snap-in in a location other than the Administrative Tools folder, in Save in, navigate to a location for the snap-in. In File name, type a name for the snap-in, and then click Save.

  8. Open the Schema snap-in.

  9. In the console tree, right-click Active Directory Schema, and then click Change Active Directory Domain Controller.

  10. In the Change Directory Server dialog box, click <Type a Directory Server name[:port]here>, and type the DNS name, NetBIOS name, or IP address of the computer on which the AD LDS instance is running.

    In this exercise, the AD LDS instance is running on the local computer; therefore, type localhost:389.

  11. Click localhost:389, and then click OK.

  12. In the console tree, click any container to view the objects in that container.

For more information about managing schema objects using the Schema snap-in, you can view the Help on your server. To display Help, open the Schema snap-in, and then press F1.

Use the Active Directory Sites and Services snap-in as an AD LDS administration tool

You can use Active Directory Sites and Services snap-in to connect to your AD LDS instance and administer the replication of directory data among all sites in an AD LDS configuration set.

Membership in Administrators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To connect to an AD LDS instance with Active Directory Sites and Services snap-in

  1. Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.

  2. In the console tree, right-click Active Directory Sites and Services, and then click Change Domain Controller.

  3. In the Change Directory Server dialog box, click <Type a Directory Server name[:port]here>, and then type the DNS name, NetBIOS name, or IP address of the computer on which the AD LDS instance is running.

    In this exercise, the AD LDS instance is running on the local computer; therefore, type localhost:389.

  4. Select localhost:389, and then click OK.

  5. In the console tree, click any container to view the objects in that container.

Note

The MS-ADLDS-DisplaySpecifiers.ldf file is required for Active Directory Sites and Services operations. If you are planning to connect to and manage your AD LDS instance with Active Directory Sites and Services, import this .ldf file with the Active Directory Lightweight Directory Services Setup Wizard. For more information, see the procedure "To create a new AD LDS instance by using the Active Directory Lightweight Directory Services Setup Wizard" in Step 2: Practice Working with AD LDS Instances.

For more information about the Active Directory Sites and Services snap-in, you can view the Help on your server. To display Help, open the Active Directory Sites and Services snap-in, and then press F1.

Create an LDIF file with ADSchemaAnalyzer

If you are building a custom application, you can easily build your schema using custom LDIF files. However, if you need to copy data from an existing AD DS deployment into the new AD LDS instance, it is difficult to build the schema file.

AD LDS administrators can use ADSchemaAnalyzer to quickly copy the schema from AD DS and then import it into AD LDS. You can use ADSchemaAnalyzer to help migrate the AD DS schema to AD LDS, from one AD LDS instance to another, or from any LDAP-compliant directory to an AD LDS instance. You can use ADSchemaAnalyzer to load a target (source) schema, mark the elements that you want to migrate, and then export them to the base AD LDS schema.

Important

When you use ADSchemaAnalyzer to create an LDIF file, load both a target schema and a base schema. Otherwise, the resulting LDIF file might not be usable by the ldifde tool.

Membership in Administrators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To create an LDIF file with AD DS/LDS Schema Analyzer

  1. To open AD DS/LDS Schema Analyzer, at the command prompt, change the directory to %windir%\ADAM, type the following command, and then press ENTER:

    adschemaanalyzer

  2. To load a target schema, click File, and then click Load target schema, and then do one of the following:

    • To load the domain Active Directory schema as the target schema, in the dialog box, type your user name, password, and domain, and then click OK.

    • To load a different schema (such as the schema of an Active Directory forest or another LDAP-compliant directory), in the dialog box, type the server name and port of the directory containing the target schema, type your user name, password, and domain as needed, and then click OK.

  3. To load the schema of your AD LDS instance as the base schema, click File, click Load base schema, and then in Server[:port], type the server name and port of the AD LDS instance.

  4. In the dialog box, click OK.

  5. Click Tools, click Options, and on the LDIF generation tab, click Update with references to new and present elements.

Important

If this option is not selected and you proceed to create an LDIF file with the default option of Update with references to new elements only, the resultant LDIF file will not contain all the differences between the schemas. For example, the User class in your AD DS schema might have Optional Attributes that are not included in the User class in your AD LDS schema. If the LDIF file that was created through AD DS/LDS Schema Analyzer does not contain these Optional Attributes and later you attempt to synchronize data in your AD DS forest and the AD LDS configuration set into which this LDIF file has been imported, adamsync will fail with an object violation error.

  6. Since later you plan to synchronize data by using adamsync, click Schema, and then click Mark all non-present elements as included.

  7. To create the LDIF file, click File, and then click Create LDIF file. To save the created LDIF file, type in the file name and save it at an appropriate location, for example, C:\Windows\ADAM\Differences.LDIF.

  8. To import the LDIF file into the AD LDS instance in order to update the AD LDS schema to match the AD DS schema, open the created LDIF file, copy the ldifde command created by the AD DS/LDS Schema Analyzer (for example, ldifde -i -u -f differences.ldf -s server:port -b username domain password -j . -c "cn=Configuration, dc=X" #configurationNamingContext), and paste it into the command prompt. Edit the ldifde command to reflect your AD LDS server name and port, and then press ENTER.

Synchronize with AD DS

You can use adamsync command line tool to synchronize data from an Active Directory Domain Services (AD DS) forest to a configuration set of an Active Directory Lightweight Directory Services (AD LDS) instance. There are two prerequisites before you can synchronize data from an AD DS forest to the configuration set of an AD LDS instance:

  1. The schema objects in the AD LDS instance must match the schema objects in the AD DS forest.

    To ensure that your AD LDS schema matches the AD DS schema, use AD DS/LDS Schema Analyzer to create an LDIF file that will contain the target schema elements, and then import this LDIF file into your base AD LDS schema by using the ldifde command. For detailed instructions, see Create an LDIF file with ADSchemaAnalyzer above.

  2. The schema in the AD LDS instance must be extended for schema objects that are required by the adamsync command line tool.

Important

adamsync does not synchronize user passwords between AD DS and AD LDS.

You can use the following procedure to extend the AD LDS schema to include schema objects that are required by the adamsync command line tool.

Membership in the Administrators group of the AD LDS instance is the minimum required to complete this procedure. By default, the security principal that you specify as the AD LDS administrator during AD LDS setup becomes a member of the Administrators group in the configuration partition.

To extend the AD LDS instance schema to include objects that are required by adamsync

  1. At the command prompt, change the directory to %windir%\ADAM, type the following command, and then press ENTER:

    ldifde -i -f MS-AdamSyncMetadata.ldf -s <server>:<port> -c CN=Configuration,DC=X #ConfigurationNamingContext

    For example, to extend the AD LDS schema on a local server, type the following command, and then press ENTER:

    ldifde -i -f MS-AdamSyncMetadata.ldf -s localhost:50000 -c CN=Configuration,DC=X #ConfigurationNamingContext

  2. To open the configuration file MS-AdamSyncConf.xml in a text editor (Notepad.exe) and modify it with the appropriate parameters, type the following command, and then press ENTER:

    notepad MS-AdamSyncConf.xml

  3. In Notepad, make the following changes to the contents of the configuration file:

    • Replace the value of <source-ad-name> with the name of the source AD DS domain controller, for example, <source-ad-name>SeattleDC1</source-ad-name>.

    • Replace the value of <source-ad-partition> with the distinguished name of the source domain, for example, <source-ad-partition>dc=fabrikam,dc=com</source-ad-partition>.

    • Replace the value of <source-ad-account> with the name of an account in the Domain Admins group of the source domain, for example, <source-ad-account>administrator</source-ad-account>.

    • Replace the value of <account-domain> with the fully qualified Domain Name System (DNS) name of the source domain, for example, <account-domain>fabrikam.com</account-domain>.

    • Replace the value of <target-dn> with the name of the partition of the target AD LDS instance, for example, <target-dn>DC=Microsoft,DC=US</target-dn>.

Note

If you are preparing to synchronize an AD LDS instance on a computer running Windows Server 2008, you must specify a naming context head as the value for <target-dn>. If you do not specify a naming context head as the distinguished name of the target AD LDS instance in the configuration file, the following error message appears when you attempt to run adamsync in the next step: "The target partition given was not the head of a partition. AdamSync cannot continue."

    • Replace the value of <base-dn> with the base distinguished name of the container in the source domain where you want the search for synchronizing objects to start, for example, <base-dn>ou=users,dc=fabrikam,dc=com</base-dn>.

    • Modify the query filter (the default being <object-filter>(objectClass=*)</object-filter>), depending on what objects you want to synchronize.

Important

Do not delete any unused fields from this file.

Note

It is not necessary to synchronize an entire domain naming context. To save disk space and avoid synchronization problems, consider excluding objects and attributes that are not necessary to ADAM (for example, DNS records, FRS subscriptions, and DN-binary values), and edit your MS-AdamSyncConf.xml file appropriately. For more information, see Adamsync Configuration File XML Reference (https://go.microsoft.com/fwlink/?LinkId=119621).

  4. In Notepad, on the File menu, click Save As, type a new name for the file, click Save, and then close Notepad.

  5. To install the modified configuration file, at the command prompt, type the following command, substituting the file name that was used in the procedure above for .xml_file, and then press ENTER:

    adamsync /install <server>:<port> .xml_file

    For example,

    adamsync /install localhost:50000 %windir%\ADAM\MS-AdamSyncConf.xml

You can use the following procedure to synchronize your AD DS data to the AD LDS configuration set.

Membership in the Administrators group of the AD LDS instance is the minimum required to complete this procedure. By default, the security principal that you specify as the AD LDS administrator during AD LDS setup becomes a member of the Administrators group in the configuration partition.

To synchronize AD DS data to an AD LDS configuration set

  1. At a command prompt, type the following command, and then press ENTER:

    adamsync /sync <server>:<port> ADLDS_configuration_dn /log

    Replace ADLDS_configuration_dn with the distinguished name of the AD LDS partition into which you installed the configuration from the MS-AdamSyncConf.xml file (that is, the value of <target-dn> in the MS-AdamSyncConf.xml file). For example, adamsync /sync localhost:50000 "DC=microsoft,DC=US" /log.
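The configuration edits, the install step, and the sync step above, carried out from PowerShell with a check for the <target-dn> mistake that the Note in the previous procedure describes. This is an added example, not part of the original article or of the adamsync tool; it uses the article's sample values (SeattleDC1, fabrikam.com, DC=Microsoft,DC=US, localhost:50000) and assumes %windir%\ADAM\MS-AdamSyncConf.xml as the starting template, a hypothetical output file name Fabrikam-AdamSyncConf.xml, and a narrowed object filter of (objectClass=user).

```powershell
# Added example, not from the original article: fill in the adamsync configuration file from
# PowerShell and verify <target-dn> before running adamsync. Assumptions: the article's sample
# values (SeattleDC1, fabrikam.com, DC=Microsoft,DC=US), an AD LDS instance on localhost:50000,
# %windir%\ADAM\MS-AdamSyncConf.xml as the template, and a hypothetical output file name.
# Only the elements the article names are changed; everything else in the file is left as
# shipped ("Do not delete any unused fields from this file").
$AdamDir  = Join-Path $env:windir "ADAM"
$Template = Join-Path $AdamDir "MS-AdamSyncConf.xml"
$OutFile  = Join-Path $AdamDir "Fabrikam-AdamSyncConf.xml"   # new name, as in the Save As step
$Instance = "localhost:50000"

# Values to write, keyed by element name; change these for your own environment.
$settings = @{
    "source-ad-name"      = "SeattleDC1"
    "source-ad-partition" = "dc=fabrikam,dc=com"
    "source-ad-account"   = "administrator"
    "account-domain"      = "fabrikam.com"
    "target-dn"           = "DC=Microsoft,DC=US"
    "base-dn"             = "ou=users,dc=fabrikam,dc=com"
    "object-filter"       = "(objectClass=user)"   # narrower than the default (objectClass=*)
}

# adamsync refuses a <target-dn> that is not the head of a partition ("The target partition
# given was not the head of a partition"). The heads are exactly what RootDSE reports in
# namingContexts, so read them from the instance and compare (case-insensitively).
$rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Instance/RootDSE")
$rootDse.RefreshCache()
$heads = @($rootDse.Properties["namingContexts"]) | ForEach-Object { $_.ToString().ToLower() }
if ($heads -notcontains $settings['target-dn'].ToLower()) {
    throw "target-dn '$($settings['target-dn'])' is not a naming context head on $Instance. Heads: $($heads -join '; ')"
}

# Load the template and overwrite each named element wherever it sits in the document, so the
# surrounding structure of the shipped file does not have to be assumed here.
[xml]$conf = Get-Content -Path $Template
foreach ($name in $settings.Keys) {
    $node = $conf.SelectSingleNode("//$name")
    if ($null -eq $node) { throw "Template has no <$name> element; inspect the file before continuing." }
    $node.InnerText = $settings[$name]
}
$conf.Save($OutFile)
Write-Host "Wrote $OutFile"

# The two commands from the article with the values substituted. Run them from an elevated
# prompt in %windir%\ADAM; /log keeps a record of what was synchronized for later review.
Write-Host "adamsync /install $Instance `"$OutFile`""
Write-Host "adamsync /sync $Instance `"$($settings['target-dn'])`" /log"
```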