You should be aware of the following methods of AD LDS instance configuration:
| Configuration task | How it is done |
|---|---|
| Move an instance | An AD LDS replica instance can be moved into a site object by using Active Directory Sites and Services. Membership in the Administrators group, or equivalent, is required to complete this procedure. |
| Import data into an instance | Data can be imported into an AD LDS instance in the following ways: Prior to importing the data, use the Ldifde tool to export the data from an existing LDAP directory. |
| Create a replication schedule | A replication schedule for an AD LDS instance can be created using ADSI Edit. |
| Synchronize data | Use the Adamsync /sync command to synchronize data from an AD DS forest to the configuration set of an AD LDS instance. |
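The export, import and synchronization steps from the table, as an added PowerShell example that is not part of the original page. All names are assumptions for illustration: the AD LDS instance listening on localhost:50000, the application partition `dc=fabrikam,dc=com`, the source LDAP server `ldap.source.example`, the working directory `C:\adlds-migration`, and an Adamsync configuration file prepared from the sample `MS-AdamSyncConf.xml` that ships with AD LDS.

```powershell
# Added example (not from the original page). Assumed values: AD LDS instance on
# localhost:50000, partition "dc=fabrikam,dc=com", source LDAP server
# "ldap.source.example", working directory C:\adlds-migration.
$AdLdsHost   = 'localhost'
$AdLdsPort   = 50000
$Partition   = 'dc=fabrikam,dc=com'
$SourceHost  = 'ldap.source.example'
$SourcePort  = 389
$WorkDir     = 'C:\adlds-migration'
$ExportFile  = Join-Path $WorkDir 'users.ldf'

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Step 1: export from the existing LDAP directory before importing anything.
# -r limits the export to user objects; -l restricts the attribute list so that
# server-generated values (objectGUID, whenCreated, ...) are not carried across.
ldifde -f $ExportFile -s $SourceHost -t $SourcePort -d "ou=Users,$Partition" `
       -p subtree -r '(objectClass=user)' -l 'cn,sn,givenName,displayName,objectClass'
if ($LASTEXITCODE -ne 0) { throw "Ldifde export failed with exit code $LASTEXITCODE" }

# Step 2: import the LDF file into the AD LDS instance.
# -i selects import mode, -k continues past "object already exists" errors,
# -j writes ldif.log and ldif.err into the working directory for review.
ldifde -i -f $ExportFile -s $AdLdsHost -t $AdLdsPort -k -j $WorkDir
if ($LASTEXITCODE -ne 0) { throw "Ldifde import failed with exit code $LASTEXITCODE" }

# Step 3: synchronize AD DS objects into the instance's configuration set.
# /install loads the XML configuration (source forest, object filter, target DN);
# /sync then pulls the matching AD DS objects into the named AD LDS partition.
$SyncConfig = Join-Path $WorkDir 'adamsync-config.xml'   # assumed, derived from MS-AdamSyncConf.xml
$SyncLog    = Join-Path $WorkDir 'adamsync.log'
$AdLdsServer = "${AdLdsHost}:${AdLdsPort}"
adamsync /install $AdLdsServer $SyncConfig
adamsync /sync $AdLdsServer $Partition /log $SyncLog
if ($LASTEXITCODE -ne 0) { throw "Adamsync /sync failed with exit code $LASTEXITCODE" }

# Review the sync log: every object Adamsync could not map or write is recorded there,
# so a silent partial sync does not go unnoticed.
Get-Content $SyncLog | Select-String -Pattern 'error|fail'
```

Run the script from an account that is an administrator of the AD LDS instance; the `-l` attribute list in step 1 is the place to trim anything (for example password hashes or application-specific attributes) that should not leave the source directory.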
Before a user can request directory data, AD LDS must authenticate the user, that is, verify the user's credentials and bind the user to the directory. Binding to an AD LDS instance takes place in the following ways:
- The user account resides directly in AD LDS. You can bind as an AD LDS security principal using Ldp.exe in Server Manager.
- The user account resides on a local computer or in an Active Directory Domain Services domain. You can bind as a Windows security principal using the ADSI Edit snap-in.
- The user is bound through an AD LDS proxy object using redirection. This allows AD LDS to accept and process bind requests to an AD LDS proxy object that has the Security Identifier (SID) from an AD DS security principal as one of its attributes. A user who binds to an AD LDS instance through a proxy object receives membership in the Users group on each naming context that is held by the AD LDS instance.
Bind redirection provides the following benefits:
- Binding provides AD DS users with access to both AD LDS data and AD DS data using AD DS domain credentials for Single Sign-On (SSO).
- AD LDS proxy objects can be used to store user data that is specific to a particular application in AD LDS, while using AD DS to store more widely used directory data.
- Unlike other types of binding, bind redirection enables a user to bind to AD LDS by means of a simple bind while still using AD DS credentials.
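The three bind types described above, performed from PowerShell with the .NET `System.DirectoryServices.Protocols` classes rather than with Ldp.exe or ADSI Edit. This is an added example, not code from the original page. Assumed values: an AD LDS instance on localhost:50000 with an SSL listener on localhost:50001, the partition `dc=fabrikam,dc=com`, an AD LDS user `cn=AppUser,ou=Users,...`, a Windows account `FABRIKAM\alice`, and a proxy object `cn=AliceProxy,ou=Proxies,...`. The last part creates that proxy object and assumes the `userProxy` class (from `MS-UserProxy.ldf`) has already been imported into the instance's schema.

```powershell
# Added example (not from the original page). Assumed values: instance on
# localhost:50000 (SSL on 50001), partition "dc=fabrikam,dc=com", AD LDS user
# cn=AppUser, Windows account FABRIKAM\alice, proxy object cn=AliceProxy.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server    = 'localhost:50000'
$SslServer = 'localhost:50001'
$Partition = 'dc=fabrikam,dc=com'

function New-AdLdsConnection {
    param([string]$Server, [switch]$UseSsl)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.SecureSocketLayer = [bool]$UseSsl
    return $conn
}

function Test-Bind {
    param($Connection, [string]$Label)
    try   { $Connection.Bind(); Write-Host "[$Label] bind succeeded"; return $true }
    catch [System.DirectoryServices.Protocols.LdapException] {
        Write-Host "[$Label] bind failed: $($_.Exception.Message)"; return $false
    }
}

# 1. AD LDS security principal: simple bind with the user's DN and AD LDS password.
#    A simple bind sends the password in clear, so it goes over the SSL port.
$c1 = New-AdLdsConnection $SslServer -UseSsl
$c1.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$c1.Credential = New-Object System.Net.NetworkCredential("cn=AppUser,ou=Users,$Partition",
                     (Read-Host 'AD LDS password for AppUser' -AsSecureString))
Test-Bind $c1 'AD LDS principal'

# 2. Windows security principal (local or AD DS account): Negotiate bind, so the
#    password never crosses the wire and AD LDS grants only explicit group memberships.
$c2 = New-AdLdsConnection $Server
$c2.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$c2.Credential = New-Object System.Net.NetworkCredential('alice',
                     (Read-Host 'Windows password for FABRIKAM\alice' -AsSecureString), 'FABRIKAM')
Test-Bind $c2 'Windows principal'

# 3. Bind redirection: simple bind against the proxy object's DN with the AD DS
#    password. AD LDS reads the objectSid stored on the userProxy object and hands the
#    verification to AD DS; the proxy itself holds no password. By default AD LDS
#    refuses proxy binds over a non-SSL connection, hence the SSL endpoint.
$c3 = New-AdLdsConnection $SslServer -UseSsl
$c3.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$c3.Credential = New-Object System.Net.NetworkCredential("cn=AliceProxy,ou=Proxies,$Partition",
                     (Read-Host 'AD DS password for alice (proxy bind)' -AsSecureString))
Test-Bind $c3 'Proxy (bind redirection)'

# Creating the proxy object (one-time, as an AD LDS administrator): objectSid must be
# the AD DS account's SID, resolved here through the local security subsystem.
$sid = (New-Object System.Security.Principal.NTAccount('FABRIKAM', 'alice')).Translate(
           [System.Security.Principal.SecurityIdentifier])
$sidBytes = New-Object byte[] $sid.BinaryLength
$sid.GetBinaryForm($sidBytes, 0)

$admin = New-AdLdsConnection $Server
$admin.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate   # current user must administer the instance
$add = New-Object System.DirectoryServices.Protocols.AddRequest("cn=AliceProxy,ou=Proxies,$Partition", 'userProxy')
$add.Attributes.Add((New-Object System.DirectoryServices.Protocols.DirectoryAttribute('objectSid', $sidBytes))) | Out-Null
$admin.SendRequest($add) | Out-Null
Write-Host "Created proxy object for $($sid.Value)"
```

The Negotiate bind in case 2 is the one to prefer for Windows accounts; cases 1 and 3 are simple binds and are only as safe as the transport, which is why both are shown on the SSL port.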
You should know the following about configuring security principals and binding:
- Passwords can be set for security principals either by using ADSI Edit or by using Ldp.exe over an encrypted, non-SSL connection.
- You can set or modify a password for an AD LDS security principal using the ADSI Edit snap-in.
- AD LDS allows the use of Windows security principals for authentication and access control.
- Windows users can be members of AD LDS groups.
- A Windows user binding to an AD LDS instance receives membership only in the AD LDS groups to which that user has been explicitly added as a member.
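Two of the points above in working form, as an added example that is not part of the original page: setting an AD LDS security principal's password over an encrypted connection (here SSL, using LDAP instead of ADSI Edit or Ldp.exe), and listing exactly which AD LDS groups each Windows user has been explicitly added to. Assumed values: an SSL listener on localhost:50001, the partition `dc=fabrikam,dc=com` and the user `cn=AppUser,ou=Users,...`; the audit relies on the `foreignSecurityPrincipal` objects AD LDS creates when a Windows principal is added to an AD LDS group.

```powershell
# Added example (not from the original page). Assumed values: SSL endpoint
# localhost:50001, partition "dc=fabrikam,dc=com", user cn=AppUser.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$SslServer = 'localhost:50001'
$Partition = 'dc=fabrikam,dc=com'
$UserDn    = "cn=AppUser,ou=Users,$Partition"

$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($SslServer)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.ProtocolVersion = 3
$conn.SessionOptions.SecureSocketLayer = $true   # AD LDS rejects password changes over an unprotected connection by default
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate   # run as an AD LDS administrator
$conn.Bind()

# Set the password: replace userPassword on the user object. The value leaves this
# process only inside the TLS session; the SecureString copy is zeroed afterwards.
$secure = Read-Host "New password for $UserDn" -AsSecureString
$ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocUnicode($secure)
try {
    $plain = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($ptr)
    $mod = New-Object System.DirectoryServices.Protocols.ModifyRequest($UserDn,
               [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace,
               'userPassword', $plain)
    $conn.SendRequest($mod) | Out-Null
    Write-Host "Password set for $UserDn"
} finally {
    [System.Runtime.InteropServices.Marshal]::ZeroFreeGlobalAllocUnicode($ptr)
    $plain = $null
}

# Audit: each Windows user added to an AD LDS group is represented by a
# foreignSecurityPrincipal whose objectSid is the Windows SID. memberOf on that
# object lists the explicit memberships, which is all the user receives when binding.
$search = New-Object System.DirectoryServices.Protocols.SearchRequest(
              $Partition, '(objectClass=foreignSecurityPrincipal)', 'Subtree',
              @('objectSid', 'memberOf'))
$result = $conn.SendRequest($search)

foreach ($entry in $result.Entries) {
    $sidBytes = $entry.Attributes['objectSid'].GetValues([byte[]])[0]
    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $sid.Value }   # SID from a forest this host cannot resolve
    $groups = @()
    if ($entry.Attributes.Contains('memberOf')) {
        $groups = $entry.Attributes['memberOf'].GetValues([string])
    }
    [pscustomobject]@{
        WindowsPrincipal    = $name
        ExplicitAdLdsGroups = ($groups -join '; ')
    }
}
```

The audit output is a useful periodic check: a Windows principal that appears with a group it should not hold is a direct, explicit grant, since AD LDS does not infer any other membership for Windows users.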